Aruba Instant / Instant On
Controller-less APs + SMB cloud line
Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.
For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.
Wired: RADIUS server, 802.1X and MAB
Instant On switches use the cloud dashboard. RADIUS server configuration lives at Site -> Network security -> RADIUS authentication.
Server name: Edge1
Server IP: 10.10.10.10
Shared secret: ARBITER_PSK
Auth port: 1812
Accounting port: 1813
(Repeat for Edge2 -> 10.10.10.11)Wireless: 802.1X SSID
Aruba Instant CLI. Corporate 802.1X SSID.
wlan auth-server Edge1
ip 10.10.10.10
port 1812
acctport 1813
key ARBITER_PSK
rfc3576
!
wlan auth-server Edge2
ip 10.10.10.11
port 1812
acctport 1813
key ARBITER_PSK
rfc3576
!
wlan ssid-profile Corp
essid Corp
opmode wpa2-aes
type employee
auth-server Edge1
auth-server Edge2
radius-accounting
set-vlan Tunnel-Private-Group-IdGuest SSID: open with captive portal redirect
Open SSID with external captive portal. Arbiter's portal serves the splash; the AP enforces the walled garden until CoA.
wlan external-captive-portal ArbiterGuest
server acme-7f3-guest.arbiter.ie
port 443
url "/"
auth-text "Welcome"
https
!
wlan ssid-profile Guest
essid Guest
opmode opensystem
type guest
captive-portal external profile ArbiterGuest exclude-uplink
auth-server Edge1
auth-server Edge2
mac-authentication
radius-accountingDHCP relay to Edge
Instant APs do not relay DHCP themselves. The upstream layer-3 device must include the Edge IPs in its helper-address list.
(configured on the upstream router/switch, see Cisco or Aruba CX guides)AAA dead-server detection
Optional but recommended. Aruba Instant retry / deadtime is per-auth-server. The auth server is a local Edge appliance on your LAN, so keep the values tight: declare a server dead after roughly 5 seconds across a couple of attempts, then hold the dead flag briefly before retrying.
wlan auth-server Edge1
! Hold the dead flag for 1 minute before retrying
radius-deadtime 1
! ~5s across a couple of attempts (per-attempt timeout * retries)
radius-retry-interval 2
radius-max-retries 2CoA listener
The 'rfc3576' keyword on each auth-server entry enables CoA listening on UDP/3799.
(see rfc3576 under each auth-server above)Notes
- Instant On (SMB cloud line) does not expose every CLI knob. Defaults are reasonable for SME deployments. Use Aruba CX or full Instant if granular RADIUS tuning matters.
Verify the integration
Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.
Need help?
Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.