Aruba Instant / Instant On setup guide

Controller-less APs + SMB cloud line

Applies to: Aruba Instant (controller-less APs managed by a virtual controller on one of the APs themselves) and Aruba Instant On (cloud-managed SMB line). Both expose RADIUS configuration through the SSID/network definition. Examples below use the Instant CLI; the Instant On dashboard exposes the same fields under Network -> Security -> Authentication.

Wired — RADIUS server, 802.1X and MAB

Instant On switches use the cloud dashboard. RADIUS server configuration lives at Site -> Network security -> RADIUS authentication.

Server name:     Edge1
Server IP:       10.10.10.10
Shared secret:   ARBITER_PSK
Auth port:       1812
Accounting port: 1813
(Repeat for Edge2 -> 10.10.10.11)

Wireless — 802.1X SSID

Aruba Instant CLI. Corporate 802.1X SSID.

wlan auth-server Edge1
 ip 10.10.10.10
 port 1812
 acctport 1813
 key ARBITER_PSK
 rfc3576
!
wlan auth-server Edge2
 ip 10.10.10.11
 port 1812
 acctport 1813
 key ARBITER_PSK
 rfc3576
!
wlan ssid-profile Corp
 essid Corp
 opmode wpa2-aes
 type employee
 auth-server Edge1
 auth-server Edge2
 radius-accounting
 set-vlan Tunnel-Private-Group-Id

Guest SSID — open with captive portal redirect

Open SSID with external captive portal. Arbiter's portal serves the splash; the AP enforces the walled garden until CoA.

wlan external-captive-portal ArbiterGuest
 server acme-7f3-guest.arbiter.ie
 port 443
 url "/"
 auth-text "Welcome"
 https
!
wlan ssid-profile Guest
 essid Guest
 opmode opensystem
 type guest
 captive-portal external profile ArbiterGuest exclude-uplink
 auth-server Edge1
 auth-server Edge2
 mac-authentication
 radius-accounting

DHCP relay to Edge

Instant APs do not relay DHCP themselves. The upstream layer-3 device must include the Edge IPs in its helper-address list.

(configured on the upstream router/switch, see Cisco or Aruba CX guides)

AAA dead-server detection

Optional but recommended. On Aruba Instant, retry and deadtime are set per auth-server. Set the retry interval and max-retries so a server is declared dead after roughly 30 seconds across four attempts, then hold the dead flag for 3 minutes before retrying.

wlan auth-server Edge1
 ! Hold the dead flag for 3 minutes before retrying
 radius-deadtime 3
 ! ~30s across 4 attempts (per-attempt timeout * retries)
 radius-retry-interval 8
 radius-max-retries 4

CoA listener

The 'rfc3576' keyword on each auth-server entry enables CoA listening on UDP/3799.

(see rfc3576 under each auth-server above)
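
Added example, not part of the original guide or of any Aruba or Arbiter tooling: a Python check over a saved Instant config that flags SSID profiles pointing at auth-servers that are undefined or lack the rfc3576 keyword, and computes the dead-server detection time from the retry settings. It assumes the config is plain text in the syntax shown above; the function names and the sample config are constructed for illustration.

```python
import re

# Added example: names are illustrative. Constructed sample in the guide's
# syntax: Edge2 lacks rfc3576 and Edge3 is referenced but never defined.
SAMPLE = """\
wlan auth-server Edge1
 ip 10.10.10.10
 rfc3576
 radius-retry-interval 8
 radius-max-retries 4
!
wlan auth-server Edge2
 ip 10.10.10.11
!
wlan ssid-profile Guest
 auth-server Edge1
 auth-server Edge2
 auth-server Edge3
"""

def parse(text):
    """Return {(kind, name): [sub-commands]}; repeated blocks for one name are merged."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = re.match(r"wlan (\S+) (\S+)\s*$", line)
        if m:
            current = blocks.setdefault((m.group(1), m.group(2)), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' separator or unrelated line closes the block
    return blocks

def audit(text):
    """Flag SSID profiles whose RADIUS servers are undefined or have no CoA listener."""
    blocks, findings = parse(text), []
    servers = {n: b for (k, n), b in blocks.items() if k == "auth-server"}
    profiles = {n: b for (k, n), b in blocks.items() if k == "ssid-profile"}
    for name, body in profiles.items():
        for ref in (l.split()[1] for l in body if l.startswith("auth-server ")):
            if ref not in servers:
                findings.append(f"{name}: auth-server {ref} is not defined")
            elif "rfc3576" not in servers[ref]:
                findings.append(f"{name}: {ref} has no rfc3576, CoA listener is off")
    return findings

def dead_after(text, server):
    """Seconds before a server is declared dead: retry interval * max retries."""
    kv = dict(l.split(None, 1) for l in parse(text)[("auth-server", server)] if " " in l)
    return int(kv["radius-retry-interval"]) * int(kv["radius-max-retries"])
```

With the values from the dead-server section, dead_after returns 32 seconds, which matches the "roughly 30 seconds across four attempts" target.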