Network device onboarding

Aruba CX

AOS-CX 10.x

Applies to: CX 6100/6200/6300/6400 switches running AOS-CX 10.x. The radius-server tracking and dynamic-authorization commands are first-class in CX and produce clean Arbiter integration.

Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.

For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.

Wired: RADIUS server, 802.1X and MAB

Global RADIUS, AAA, and per-port 802.1X + MAC-auth (Aruba's term for MAB).

radius-server host 10.10.10.10 key plaintext ARBITER_PSK
radius-server host 10.10.10.11 key plaintext ARBITER_PSK
radius-server tracking
 user-name arbiter-probe
 interval 30
 retries 1
radius-server timeout 2
radius-server retransmit 1
radius-server deadtime 1
!
aaa group server radius ARBITER
 server 10.10.10.10
 server 10.10.10.11
!
aaa authentication port-access dot1x authenticator
 enable
aaa authentication port-access mac-auth
 enable
!
radius dyn-authorization enable
radius dyn-authorization client 10.10.10.10 secret-key plaintext ARBITER_PSK
radius dyn-authorization client 10.10.10.11 secret-key plaintext ARBITER_PSK
!
interface 1/1/1-1/1/48
 no shutdown
 no routing
 vlan access 10
 aaa authentication port-access auth-precedence dot1x mac-auth
 aaa authentication port-access dot1x authenticator
  enable
 aaa authentication port-access mac-auth
  enable

Wireless: 802.1X SSID

Aruba CX is wired-only. For Aruba wireless on this estate, see the Aruba Instant guide.

(see Aruba Instant / Instant On guide)

Guest SSID: open with captive portal redirect

Guest port profile with MAC-auth and a captive-portal-style role downloaded by RADIUS.

port-access role GUEST-REDIRECT
 vlan access 999
 captive-portal-profile ARBITER-GUEST
!
captive-portal-profile ARBITER-GUEST
 url https://acme-7f3-guest.arbiter.ie/

Arbiter returns on the MAB Access-Accept:
  Aruba-User-Role = GUEST-REDIRECT
After T&C acceptance, Arbiter issues CoA -> re-MAB -> production role/VLAN.

DHCP relay to Edge

Per-VLAN ip-helper.

vlan 10
interface vlan 10
 ip address 10.0.10.1/24
 ip helper-address 10.0.0.5
 ip helper-address 10.10.10.10
 ip helper-address 10.10.10.11

AAA dead-server detection

Optional but recommended. The switch only talks to the local Edge appliances on your LAN, so use a short tracking interval and let failover happen fast. AOS-CX exposes per-server tracking as a first-class feature: probe every 5 seconds across a couple of attempts before declaring the server dead, then hold the dead flag briefly before retrying. The Edge handles cloud failover and offline auth itself, so the switch only needs to switch quickly between the two on-LAN Edges. Use it.

! 1. Probe every 5s, 2 attempts before declaring dead
radius-server tracking
 user-name arbiter-probe
 interval 5
 retries 2

! 2. Hold the dead flag for 1 minute before retrying
radius-server deadtime 1
radius-server timeout 2
radius-server retransmit 1

CoA listener

UDP/3799 by default.

radius dyn-authorization enable
radius dyn-authorization client 10.10.10.10 secret-key plaintext ARBITER_PSK
radius dyn-authorization client 10.10.10.11 secret-key plaintext ARBITER_PSK

Notes

  • AOS-CX uses 'mac-auth' for what other vendors call MAB. The on-the-wire behaviour is identical.
  • auth-precedence dot1x mac-auth runs 802.1X first, then falls back to MAB after the dot1x timeout. Tune the dot1x tx-period and max-eapol-requests if MAB fallback is too slow for IoT.

Verify the integration

Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.

Need help?

Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.

All network device guidesAll guides