Aruba CX
AOS-CX 10.x
Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.
For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.
Wired: RADIUS server, 802.1X and MAB
Global RADIUS, AAA, and per-port 802.1X + MAC-auth (Aruba's term for MAB).
radius-server host 10.10.10.10 key plaintext ARBITER_PSK
radius-server host 10.10.10.11 key plaintext ARBITER_PSK
radius-server tracking
    user-name arbiter-probe
    interval 30
    retries 1
radius-server timeout 2
radius-server retransmit 1
radius-server deadtime 1
!
aaa group server radius ARBITER
    server 10.10.10.10
    server 10.10.10.11
!
aaa authentication port-access dot1x authenticator
    enable
aaa authentication port-access mac-auth
    enable
!
radius dyn-authorization enable
radius dyn-authorization client 10.10.10.10 secret-key plaintext ARBITER_PSK
radius dyn-authorization client 10.10.10.11 secret-key plaintext ARBITER_PSK
!
interface 1/1/1-1/1/48
    no shutdown
    no routing
    vlan access 10
    aaa authentication port-access auth-precedence dot1x mac-auth
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
Wireless: 802.1X SSID
Aruba CX is wired-only. For Aruba wireless on this estate, see the Aruba Instant guide.
(see Aruba Instant / Instant On guide)
Guest SSID: open with captive portal redirect
Guest port profile with MAC-auth and a captive-portal-style role downloaded by RADIUS.
port-access role GUEST-REDIRECT
    vlan access 999
    captive-portal-profile ARBITER-GUEST
!
captive-portal-profile ARBITER-GUEST
    url https://acme-7f3-guest.arbiter.ie/
Arbiter returns on the MAB Access-Accept:
Aruba-User-Role = GUEST-REDIRECT
After T&C acceptance, Arbiter issues CoA -> re-MAB -> production role/VLAN.
DHCP relay to Edge
Per-VLAN ip-helper.
vlan 10
interface vlan 10
    ip address 10.0.10.1/24
    ip helper-address 10.0.0.5
    ip helper-address 10.10.10.10
    ip helper-address 10.10.10.11
AAA dead-server detection
Optional but recommended. The switch only talks to the local Edge appliances on your LAN, so use a short tracking interval and let failover happen fast. AOS-CX exposes per-server tracking as a first-class feature, so use it: probe every 5 seconds across a couple of attempts before declaring the server dead, then hold the dead flag briefly before retrying. The Edge handles cloud failover and offline auth itself, so the switch only needs to fail over quickly between the two on-LAN Edges.
! 1. Probe every 5s, 2 attempts before declaring dead
radius-server tracking
    user-name arbiter-probe
    interval 5
    retries 2
! 2. Hold the dead flag for 1 minute before retrying
radius-server deadtime 1
radius-server timeout 2
radius-server retransmit 1
CoA listener
UDP/3799 by default.
radius dyn-authorization enable
radius dyn-authorization client 10.10.10.10 secret-key plaintext ARBITER_PSK
radius dyn-authorization client 10.10.10.11 secret-key plaintext ARBITER_PSK
Notes
- AOS-CX uses 'mac-auth' for what other vendors call MAB. The on-the-wire behaviour is identical.
- auth-precedence dot1x mac-auth runs 802.1X first, then falls back to MAB after the dot1x timeout. Tune the dot1x tx-period and max-eapol-requests if MAB fallback is too slow for IoT.
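An offline lint for the wired RADIUS and CoA configuration on this page, added here as an example (it is not Arbiter or Aruba tooling): it checks that both Edge addresses appear as RADIUS hosts, AAA group members and CoA clients, flags any CoA client that is not an Edge, and lists access ports that carry no port-access authentication. The function names, the `edges` parameter, the 10.0.0.99 address and the sample config are constructed for illustration, and the parser assumes the indented layout of an exported running-config.

```python
import re

# Constructed sample: trimmed running-config with this page's values and deliberate gaps.
SAMPLE = """\
radius-server host 10.10.10.10 key plaintext ARBITER_PSK
radius-server host 10.10.10.11 key plaintext ARBITER_PSK
aaa group server radius ARBITER
    server 10.10.10.10
radius dyn-authorization enable
radius dyn-authorization client 10.10.10.10 secret-key plaintext ARBITER_PSK
radius dyn-authorization client 10.0.0.99 secret-key plaintext ARBITER_PSK
interface 1/1/1
    vlan access 10
    aaa authentication port-access auth-precedence dot1x mac-auth
interface 1/1/2
    vlan access 10
"""

def _addrs(pattern, lines):
    """Collect the first capture group of every line matching pattern."""
    return {m.group(1) for l in lines if (m := re.match(pattern, l.strip()))}

def audit(config, edges=("10.10.10.10", "10.10.10.11")):
    """Return findings for a config; an empty list means every check passed."""
    lines = config.splitlines()
    roles = {
        "radius-server host": _addrs(r"radius-server host (\S+)", lines),
        "AAA group server": _addrs(r"server (\S+)", lines),
        "dyn-authorization client": _addrs(r"radius dyn-authorization client (\S+)", lines),
    }
    out = [f"{ip}: missing as {role}" for role, seen in roles.items()
           for ip in edges if ip not in seen]
    # A CoA client can change or end port sessions, so only Edges belong here.
    coa = roles["dyn-authorization client"]
    out += [f"{ip}: CoA client is not an Edge" for ip in sorted(coa - set(edges))]
    if "radius dyn-authorization enable" not in map(str.strip, lines):
        out.append("CoA listener is not enabled")
    # Walk interface blocks; an unindented line starts a new top-level block.
    ports, body = {}, None
    for l in lines:
        if l[:1].strip():
            is_port = l.startswith("interface ")
            body = ports.setdefault(l.split()[1], []) if is_port else None
        elif body is not None:
            body.append(l.strip())
    for name, cmds in ports.items():
        if any(c.startswith("vlan access") for c in cmds) and not any(
                "port-access" in c for c in cmds):
            out.append(f"{name}: access port without port-access authentication")
    return out
```

Calling `audit(SAMPLE)` reports the four gaps planted in the sample. This checks configuration consistency only; policy outcomes still need validating against the Arbiter portal.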
Verify the integration
Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.
Need help?
Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.