HPE Aruba AOS-Switch
2530 / 2930 / 3810 (legacy 'ProCurve')
Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.
For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.
Wired: RADIUS server, 802.1X and MAB
RADIUS servers, AAA, then per-port authenticator settings.
radius-server host 10.10.10.10 key ARBITER_PSK
radius-server host 10.10.10.11 key ARBITER_PSK
radius-server timeout 2
radius-server retransmit 1
radius-server dead-time 5
radius-server host 10.10.10.10 time-window 0
radius-server host 10.10.10.11 time-window 0
aaa authentication port-access eap-radius
aaa port-access authenticator 1-48
aaa port-access authenticator active
aaa port-access authenticator 1-48 client-limit 4
aaa port-access mac-based 1-48
aaa port-access mac-based addr-format no-delimiter
radius-server cppm identity arbiter-probe
radius-server tracking
aaa server-group radius "Arbiter" host 10.10.10.10 host 10.10.10.11Wireless: 802.1X SSID
AOS-Switch is wired-only. For Aruba wireless on this estate, refer to the Aruba Instant guide.
(see Aruba Instant / Instant On guide)Guest SSID: open with captive portal redirect
Guest VLAN with redirect role.
vlan 999 name "Guest-Holding"
aaa port-access mac-based 1-48 unauth-vid 999
! Arbiter returns Aruba-User-Role on MAB Accept; AOS-Switch maps the
! role to the captive portal URL via the role profile:
aaa authorization user-role name "GUEST-REDIRECT"
captive-portal-profile "acme-7f3-guest.arbiter.ie"DHCP relay to Edge
Per-VLAN ip helper-address.
vlan 10
ip helper-address 10.0.0.5
ip helper-address 10.10.10.10
ip helper-address 10.10.10.11AAA dead-server detection
Optional but recommended. 'radius-server tracking' enables active probing; without it, AOS-Switch is reactive only. The RADIUS servers are local Edge appliances on your LAN, so keep the per-attempt timeout and retransmit count low: the dead-criteria is hit in a few seconds, then hold the dead flag briefly before retrying.
! ~5s across a couple of attempts (1 initial + 1 retransmit, 2-3s each)
radius-server timeout 2
radius-server retransmit 1
! Hold the dead flag for 1 minute before retrying
radius-server dead-time 1
! Active probe instead of reactive failover
radius-server trackingCoA listener
Enabled globally. AOS-Switch listens on UDP/3799 from the configured RADIUS servers automatically.
radius-server host 10.10.10.10 dyn-authorization
radius-server host 10.10.10.11 dyn-authorizationNotes
- Older firmware (K.14 and earlier) does not support 'radius-server tracking' and dead-server detection is purely reactive. Failover is slower; upgrade where possible.
- addr-format no-delimiter sends MACs as aabbccddeeff (matches Arbiter's normalisation).
Verify the integration
Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.
Need help?
Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.