HPE Aruba AOS-Switch setup guide

2530 / 2930 / 3810 (legacy 'ProCurve')

Applies to: AOS-Switch on the 2530/2930/3810 lines (formerly ProCurve, sometimes still called that in field documentation). This is a very large SME install base in EMEA; the syntax here is K.15+ / WC.16+.

Wired — RADIUS server, 802.1X and MAB

Define the RADIUS servers first, then AAA, then the per-port authenticator settings.

radius-server host 10.10.10.10 key ARBITER_PSK
radius-server host 10.10.10.11 key ARBITER_PSK
radius-server timeout 2
radius-server retransmit 1
radius-server dead-time 5
radius-server host 10.10.10.10 time-window 0
radius-server host 10.10.10.11 time-window 0

aaa authentication port-access eap-radius
aaa port-access authenticator 1-48
aaa port-access authenticator active
aaa port-access authenticator 1-48 client-limit 4
aaa port-access mac-based 1-48
aaa port-access mac-based addr-format no-delimiter

radius-server cppm identity arbiter-probe
radius-server tracking

aaa server-group radius "Arbiter" host 10.10.10.10 host 10.10.10.11

Wireless — 802.1X SSID

AOS-Switch is wired-only. For Aruba wireless on this estate, refer to the Aruba Instant guide.

(see Aruba Instant / Instant On guide)

Guest SSID — open with captive portal redirect

Guest holding VLAN plus a user role that redirects to the captive portal.

vlan 999 name "Guest-Holding"
aaa port-access mac-based 1-48 unauth-vid 999

! Arbiter returns Aruba-User-Role on MAB Accept; AOS-Switch maps the
! role to the captive portal URL via the role profile:
aaa authorization user-role name "GUEST-REDIRECT"
  captive-portal-profile "acme-7f3-guest.arbiter.ie"

DHCP relay to Edge

Set ip helper-address per VLAN.

vlan 10
  ip helper-address 10.0.0.5
  ip helper-address 10.10.10.10
  ip helper-address 10.10.10.11

AAA dead-server detection

Optional but recommended. 'radius-server tracking' enables active probing; without it, AOS-Switch is reactive only. Configure a per-attempt timeout and retransmit count so that the dead criteria are met after roughly 30 seconds across four attempts, then hold the dead flag for 3 minutes before retrying. These are global settings, so the values below replace the timeout 2 / retransmit 1 / dead-time 5 entered in the base RADIUS block.

! ~30s across 4 attempts (1 initial + 3 retransmits, 7-8s each)
radius-server timeout 7
radius-server retransmit 3

! Hold the dead flag for 3 minutes before retrying
radius-server dead-time 3

! Active probe instead of reactive failover
radius-server tracking
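
An added example, not part of the original guide or of HPE's tooling: a small Python check that reads the radius-server lines of a config, applies the last-entered value of each global timer, and computes how long one server must stay silent before all attempts are exhausted. The `audit` function and the sample text are constructed for illustration; switch defaults for unset timers are not modelled.

```python
import re

# Constructed sample: this guide's base timers followed by its dead-server
# detection block, in the order they would be entered on the switch.
SAMPLE = """\
radius-server host 10.10.10.10 key ARBITER_PSK
radius-server host 10.10.10.11 key ARBITER_PSK
radius-server timeout 2
radius-server retransmit 1
radius-server dead-time 5
radius-server timeout 7
radius-server retransmit 3
radius-server dead-time 3
radius-server tracking
"""

TIMER = re.compile(r"^radius-server (timeout|retransmit|dead-time) (\d+)$")
HOST = re.compile(r"^radius-server host (\S+)")


def audit(config: str) -> dict:
    """Return effective global RADIUS timers, hosts and findings."""
    timers, history, hosts, tracking = {}, {}, {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and '!' comments carry no settings
        if m := TIMER.match(line):
            name, value = m.group(1), int(m.group(2))
            history.setdefault(name, []).append(value)
            timers[name] = value  # global scalar: a later command replaces it
        elif m := HOST.match(line):
            hosts[m.group(1)] = True  # dict keeps first-seen order, dedupes
        elif line == "radius-server tracking":
            tracking = True
    findings = [f"{n} entered with differing values {v}; the last one applies"
                for n, v in history.items() if len(set(v)) > 1]
    if not tracking:
        findings.append("radius-server tracking absent: failover is reactive only")
    if len(hosts) < 2:
        findings.append("fewer than two RADIUS hosts: nothing to fail over to")
    attempts = timers.get("retransmit", 0) + 1  # 1 initial + retransmits
    detect = attempts * timers.get("timeout", 0)  # unset timers count as 0
    return {"hosts": list(hosts), "timers": timers, "attempts": attempts,
            "detect_seconds": detect, "tracking": tracking, "findings": findings}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

With the sample above, the effective timers are the later ones (7 s, 3 retransmits), giving 4 attempts and 28 seconds before a server has exhausted its attempts.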

CoA listener

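Enabled globally. AOS-Switch listens on UDP/3799 for requests from the configured RADIUS servers automatically. Note that 'time-window 0' on both hosts in the base RADIUS block means CoA and Disconnect requests are accepted with no time limit, so there is no freshness check against replayed requests; a non-zero window restores it.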

radius-server host 10.10.10.10 dyn-authorization
radius-server host 10.10.10.11 dyn-authorization