Network device onboarding

HPE Aruba AOS-Switch

2530 / 2930 / 3810 (legacy 'ProCurve')

Applies to: AOS-Switch on the 2530/2930/3810 lines (formerly ProCurve, sometimes still called that in field documentation). This is a very large SME install base in EMEA; the syntax here is K.15+ / WC.16+.

Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.

For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.

Wired: RADIUS server, 802.1X and MAB

RADIUS servers, AAA, then per-port authenticator settings.

radius-server host 10.10.10.10 key ARBITER_PSK
radius-server host 10.10.10.11 key ARBITER_PSK
radius-server timeout 2
radius-server retransmit 1
radius-server dead-time 5
radius-server host 10.10.10.10 time-window 0
radius-server host 10.10.10.11 time-window 0

aaa authentication port-access eap-radius
aaa port-access authenticator 1-48
aaa port-access authenticator active
aaa port-access authenticator 1-48 client-limit 4
aaa port-access mac-based 1-48
aaa port-access mac-based addr-format no-delimiter

radius-server cppm identity arbiter-probe
radius-server tracking

aaa server-group radius "Arbiter" host 10.10.10.10 host 10.10.10.11

Wireless: 802.1X SSID

AOS-Switch is wired-only. For Aruba wireless on this estate, refer to the Aruba Instant guide.

(see Aruba Instant / Instant On guide)

Guest SSID: open with captive portal redirect

Guest VLAN with redirect role.

vlan 999 name "Guest-Holding"
aaa port-access mac-based 1-48 unauth-vid 999

! Arbiter returns Aruba-User-Role on MAB Accept; AOS-Switch maps the
! role to the captive portal URL via the role profile:
aaa authorization user-role name "GUEST-REDIRECT"
  captive-portal-profile "acme-7f3-guest.arbiter.ie"

DHCP relay to Edge

Per-VLAN ip helper-address.

vlan 10
  ip helper-address 10.0.0.5
  ip helper-address 10.10.10.10
  ip helper-address 10.10.10.11

AAA dead-server detection

Optional but recommended. 'radius-server tracking' enables active probing; without it, AOS-Switch is reactive only. The RADIUS servers are local Edge appliances on your LAN, so keep the per-attempt timeout and retransmit count low: the dead-criteria is hit in a few seconds, then hold the dead flag briefly before retrying.

! ~5s across a couple of attempts (1 initial + 1 retransmit, 2-3s each)
radius-server timeout 2
radius-server retransmit 1

! Hold the dead flag for 1 minute before retrying
radius-server dead-time 1

! Active probe instead of reactive failover
radius-server tracking

CoA listener

Enabled globally. AOS-Switch listens on UDP/3799 from the configured RADIUS servers automatically.

radius-server host 10.10.10.10 dyn-authorization
radius-server host 10.10.10.11 dyn-authorization

Notes

  • Older firmware (K.14 and earlier) does not support 'radius-server tracking' and dead-server detection is purely reactive. Failover is slower; upgrade where possible.
  • addr-format no-delimiter sends MACs as aabbccddeeff (matches Arbiter's normalisation).

Verify the integration

Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.

Need help?

Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.

All network device guidesAll guides