Network device onboarding

Aruba Instant / Instant On

Controller-less APs + SMB cloud line

Applies to: Aruba Instant (controller-less APs managed by a virtual controller on one of the APs themselves) and Aruba Instant On (cloud-managed SMB line) both expose RADIUS configuration through the SSID/network definition. Examples below use the Instant CLI; the Instant On dashboard exposes the same fields under Network -> Security -> Authentication.

Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.

For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.

Wired: RADIUS server, 802.1X and MAB

Instant On switches use the cloud dashboard. RADIUS server configuration lives at Site -> Network security -> RADIUS authentication.

Server name:    Edge1
Server IP:      10.10.10.10
Shared secret:  ARBITER_PSK
Auth port:      1812
Accounting port: 1813
(Repeat for Edge2 -> 10.10.10.11)

Wireless: 802.1X SSID

Aruba Instant CLI. Corporate 802.1X SSID.

wlan auth-server Edge1
 ip 10.10.10.10
 port 1812
 acctport 1813
 key ARBITER_PSK
 rfc3576
!
wlan auth-server Edge2
 ip 10.10.10.11
 port 1812
 acctport 1813
 key ARBITER_PSK
 rfc3576
!
wlan ssid-profile Corp
 essid Corp
 opmode wpa2-aes
 type employee
 auth-server Edge1
 auth-server Edge2
 radius-accounting
 set-vlan Tunnel-Private-Group-Id

Guest SSID: open with captive portal redirect

Open SSID with external captive portal. Arbiter's portal serves the splash; the AP enforces the walled garden until CoA.

wlan external-captive-portal ArbiterGuest
 server acme-7f3-guest.arbiter.ie
 port 443
 url "/"
 auth-text "Welcome"
 https
!
wlan ssid-profile Guest
 essid Guest
 opmode opensystem
 type guest
 captive-portal external profile ArbiterGuest exclude-uplink
 auth-server Edge1
 auth-server Edge2
 mac-authentication
 radius-accounting

DHCP relay to Edge

Instant APs do not relay DHCP themselves. The upstream layer-3 device must include the Edge IPs in its helper-address list.

(configured on the upstream router/switch, see Cisco or Aruba CX guides)

AAA dead-server detection

Optional but recommended. Aruba Instant retry / deadtime is per-auth-server. The auth server is a local Edge appliance on your LAN, so keep the values tight: declare a server dead after roughly 5 seconds across a couple of attempts, then hold the dead flag briefly before retrying.

wlan auth-server Edge1
 ! Hold the dead flag for 1 minute before retrying
 radius-deadtime 1
 ! ~5s across a couple of attempts (per-attempt timeout * retries)
 radius-retry-interval 2
 radius-max-retries 2

CoA listener

The 'rfc3576' keyword on each auth-server entry enables CoA listening on UDP/3799.

(see rfc3576 under each auth-server above)

Notes

  • Instant On (SMB cloud line) does not expose every CLI knob. Defaults are reasonable for SME deployments. Use Aruba CX or full Instant if granular RADIUS tuning matters.

Verify the integration

Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.

Need help?

Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.

All network device guidesAll guides