RADIUS Authentication with Aruba Instant AP

Introduction

Organizations are increasingly implementing certificate-based authentication to improve security and avoid credential theft. Certificates improve the authenticated user experience by removing the need for passwords and may be set to last the lifetime of a device. Switching to EAP-TLS with Aruba IAPs is simple: link our PKI Services into your infrastructure and configure an onboarding SSID for user self-registration. Managed Device Gateways handle automated certificate enrollment for managed devices.

Here’s an overview of configuring your Aruba IAPs for EAP-TLS using SecureW2, followed by step-by-step guidance.

Tech Overview

  1. Configure SecureW2 PKI Services
    • While it’s possible, setting up and maintaining your own PKI is an arduous task. SecureW2’s PKI services can be deployed and integrated into your existing network infrastructure quickly and efficiently to fill any gaps you might have (Management Software, CAs, CRL, etc.)
  2. Integrate with your Identity Provider
  3. Enroll Users for Certificates
    • Set up Onboarding SSID for BYOD Self-Service Certificate Enrollment
      • The SecureW2 JoinNow suite is the industry’s best solution for configuring devices for self-enrollment of certificates. Users are guided through a fool-proof enrollment process using an Open SSID for onboarding.
    • Using Gateway APIs to Auto-Enroll Managed Devices for Certificates
      • Rather than manually enrolling every managed device for a certificate, use our Managed Device Gateway APIs to automatically enroll all your managed devices for machine and/or user certificates through any major MDM software.
  4. Configuring the RADIUS (AAA) Server
    • Integrating SecureW2 PKI Services with a RADIUS Server
      • Our PKI services integrate cleanly with all central RADIUS servers. We can work with your existing infrastructure to make implementation painless. No RADIUS infrastructure? No problem. SecureW2 comes built with our Cloud RADIUS. Click here to read more about our RADIUS Solutions.
    • Integrating an Aruba IAP with a RADIUS Server
      • SecureW2 can integrate your RADIUS server with your Aruba IAP if it’s not already set up. Below are the steps you’ll take.

Configuring Aruba IAP for Certificate Enrollment Onboarding SSID

Configure your Aruba IAP for certificate enrollment with an onboarding SSID, which entails integrating SecureW2’s powerful management portal with your Aruba environment. This procedure offers users safe and easy certificate self-enrollment by utilizing Aruba RADIUS, Aruba AP RADIUS, Aruba cloud RADIUS setup, and Aruba Radsec. To set up the onboarding SSID, first configure network profiles in the SecureW2 Management Portal, then set up the SSID and captive portal in the Aruba Management Portal. This tutorial offers information on defining access rules and roles for a pleasant onboarding experience.

In the SecureW2 Management Portal:

  1. Click Network Profiles under Device Management
  2. Click View in the function section on the network profile you created
    • Copy the URL of the page that opens for use in the IAP configuration

The link to add to the IAP

  1. Navigate to the Aruba Management Portal
  2. Under the Networks section, click New.
  3. In Step 1, enter the SSID name you have configured in your Network Profile, set Primary usage to Guest, and click Next.

Configuring the Onboarding SSID

  1. Leave Step 2 as Default and click Next.
  2. In Step 3, set the Splash page type to External, create a New Captive Portal Profile, and enter the following information:
    • In the Name Section, enter any name
    • Set Type as RADIUS Authenticator
    • The IP or hostname should be securew2.net
    • In the URL section, paste the path of the URL that was copied earlier (the path is everything that comes after .com in the URL)
    • Enter 443 in the Port Section
    • Leave everything else default, click OK, and click Next

Connecting the SecureW2 RADIUS with the Onboarding SSID

  1. Set the Access Rules to Role-based
  2. Create a new role by clicking New in the Roles section
  3. To get the necessary information to populate the role, go back to the SecureW2 Management Portal and click Documentation in the General section
  4. Select the SecureW2 JoinNow Deployment Guide
  5. Scroll to the Firewall Rules section to find the IPs that need to be entered into the Role Policy.

The IP addresses that need to be entered into the new role

Other resources in Section 2.3, Adding the DNS List, should be added to ensure that the onboarding process operates smoothly. This section in the Deployment Guide will walk you through which sections to add.

  1. Once you have added the IPs to your Role Policy, go to the Assign pre-authentication role dropdown menu, select the new Role Policy, and click Finish.
  2. After a few seconds, the network should appear in the Networks section, and you have set up the Onboarding SSID for testing purposes.

The new onboarding SSID

Set Up Aruba IAP Secure SSID (RADIUS)

After you configure the Onboarding SSID for user certificate enrollment, you can establish the Secure SSID for EAP-TLS WPA2-Enterprise Authentication and integrate it with the SecureW2 Cloud RADIUS server. This method entails configuring AAA and entering the relevant RADIUS server information from the SecureW2 Management Portal into your Aruba infrastructure, resulting in safe and efficient network access for employees. Follow these steps to complete the configuration and connect your Secure SSID to SecureW2 Cloud RADIUS.

  1. Under AAA Management, click AAA Configuration.
    • Here, you will see your RADIUS information
  2. Navigate to the Aruba Homepage and click New under Networks
  3. Enter a name for the SSID and keep the primary usage set to Employee, then click Next
  4. Keep VLAN settings as default and click Next
  5. Adjust the Security Level to Enterprise
  6. Select New in the dialog box for Authentication Server 1

Configuring the Secure SSID

  1. Enter a Name for the SSID
  2. Copy the Primary IP Address from the SecureW2 Management Portal and paste it in the IP Address box
  3. Copy the Port number from the SecureW2 Management Portal and paste it in the Auth port box
  4. Copy the Shared Secret from the SecureW2 Management Portal and paste it in the Shared key box and the Retype key box
  5. Click Ok

Connecting the SecureW2 Cloud RADIUS

  1. Repeat the above steps for Authentication Server 2, but copy the Secondary IP Address from the SecureW2 Management Portal and paste it into the IP Address box.
    • Enter the same Port and Shared Secret for Authentication Server 2 and click Ok.
  2. Click Next, set the Access Rules as Unrestricted, and click Finish
  3. The new SSID will appear in the Networks section on the Aruba Homepage

Enhance Your RADIUS Authentication with SecureW2

Switching to certificate-based authentication using Aruba Instant APs and SecureW2 Cloud RADIUS can significantly enhance network security and streamline the user experience. SecureW2’s top-notch PKI services include controlled device gateways, robust onboarding procedures, and quick and easy certificate enrollment, all blending in smoothly with your current infrastructure. Our extensive support for WPA2-Enterprise Authentication via EAP-TLS guarantees that your network will always be simple and safe. Are you prepared to improve network security? Solutions from SecureW2 are reasonably priced and suitable for businesses of all sizes.

Contact us now for personalized assistance and additional information about how SecureW2 helps improve network security.

FAQs

How Do You Configure RADIUS Authentication on Aruba Switch?

The reason you configure RADIUS authentication on an Aruba switch is to connect to a RADIUS server for wireless authentication. RADIUS servers greatly enhance the security of your wired and wireless networks by authenticating individual users and devices as they request network access.

To configure RADIUS authentication on your Aruba switch, you’ll need to follow a few general steps. On the switch, specify the IP address, serial port, and shared secret for the RADIUS server. You typically find these options in the switch’s interface under authentication settings.

After designating the RADIUS server, define which network protocols and interfaces will utilize RADIUS for authentication. Configuring this will ensure that network access requests are verified by the RADIUS server, improving security and providing centralized control.

Which Port Does RADIUS Authentication Use By Default?

RADIUS authentication typically utilizes UDP ports 1812 and 1813 by default. Port 1812 is used for authentication and authorization, and port 1813 is used for accounting. In rare cases, older implementations may utilize UDP ports 1645 and 1646 for these functions.

When configuring your RADIUS server and RADIUS client devices, such as Aruba IAPs or switches, ensure the ports are open and that any firewalls or network security devices are appropriately configured to enable RADIUS communication. These ports are required for Aruba cloud RADIUS setup and Aruba AP RADIUS communication. You can view Aruba’s documentation on ports here for more information.

How Do You Integrate an Aruba IAP (Instant AP) with the Cloud RADIUS Server?

To integrate an Aruba IAP with a Cloud RADIUS server, first set up the IAP to connect with the new RADIUS server for authentication. This entails going to the Aruba Management Portal, establishing a new network, and configuring its primary use for employees. Set the security level to Enterprise and use EAP-TLS as the authentication mechanism. Enter the RADIUS server’s information, including primary and secondary IP addresses, port numbers, and shared secrets, as acquired from the SecureW2 Management Portal. Once established, this solution enables the IAP to authenticate users securely via the Cloud RADIUS server. This integration is critical for configurations of Aruba RADIUS, Aruba AP RADIUS, and Aruba Cloud RADIUS.

Which Authentication Protocol Should Be Used to Integrate Cloud RADIUS with Aruba Access Points?

EAP-TLS is the suggested authentication mechanism for integrating Aruba access points with Cloud RADIUS. EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is a certificate-based authentication technique that offers robust security. This protocol guarantees secure communication between the client device and the authentication server. EAP-TLS also gives consumers a smoother authentication experience while removing the concerns related to credential theft.

Certificate-based authentication works well with WPA2-Enterprise networks as a more secure alternative. It necessitates configuring the Aruba access points to enable EAP-TLS and installing certificates on client devices.

What RADIUS Attributes are Supported?

Aruba IAP supports a range of RADIUS attributes in 802.1X authentication. Here is a list of supported attributes:

  • User-name
  • Calling-station-id
  • Called-station-id
  • NAS-port-id
  • NAS-port
  • Service-Type
  • EAP-Message
  • State
  • Session-Timeout
  • NAS-IP-Address
  • NAS-Identifier
  • NAS-Ipv6-Address
  • Message Authenticator
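
The sketch below is an added example, not SecureW2 or Aruba code: it parses an Access-Request carrying several of the attributes listed above and checks its Message-Authenticator (HMAC-MD5 keyed with the shared secret, per RFC 3579), which is what fails when the Shared key typed into the IAP does not match the RADIUS server. The sample packet, shared secret, identity, MAC address and NAS-Identifier are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Type codes (RFC 2865 / RFC 3579) for some attribute names listed above.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 31: "Calling-Station-Id",
              32: "NAS-Identifier", 79: "EAP-Message", 80: "Message-Authenticator"}

def parse_attributes(packet: bytes):
    """Return (code, [(type, value_offset, value), ...]) for a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20  # header: code, identifier, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.append((a_type, pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """HMAC-MD5 over the packet with the attribute value zeroed (RFC 3579)."""
    _code, attrs = parse_attributes(packet)
    for a_type, off, value in attrs:
        if a_type == 80 and len(value) == 16:
            zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # no Message-Authenticator present: treat as unverified

def _attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value

def build_sample_request(secret: bytes, identity: bytes) -> bytes:
    """Constructed Access-Request carrying an EAP-Response/Identity."""
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    body = (_attr(1, identity) + _attr(31, b"AA-BB-CC-DD-EE-FF")
            + _attr(32, b"iap-lab") + _attr(79, eap) + _attr(80, b"\x00" * 16))
    # Fixed Request Authenticator for repeatability; real clients use random bytes.
    packet = struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(range(16)) + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

if __name__ == "__main__":
    pkt = build_sample_request(b"constructed-secret", b"alice@example.com")
    print(verify_message_authenticator(pkt, b"constructed-secret"))
    print(verify_message_authenticator(pkt, b"mistyped-secret"))
```

A request that fails this check should be dropped rather than processed, so a mistyped shared key shows up as silent timeouts on the client side rather than as an explicit reject.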

SecureW2 Cloud RADIUS also supports its own range of attributes. Here are some of the pre-configured attributes available:

  • Framed-Protocol
  • Framed-IP-Address
  • Framed-IP-NetMask
  • Framed-Routing
  • Filter-Id
  • Framed-MTU
  • Framed-Compression
  • Reply-Message
  • Framed-Route
  • Framed-IPX-Network
  • State
  • Class
  • Session-Timeout
  • Tunnel-Type
  • Tunnel-Medium-Type
  • Tunnel-Private-Group-ID
  • Framed-Pool

Does Aruba Have a Default RADIUS Server?

An Aruba Networks AP integrates with external RADIUS servers rather than a built-in RADIUS server for authentication. Some even support multiple RADIUS servers at once, which you can view in the RADIUS server list and server group list. Businesses have two options for RADIUS: cloud-based RADIUS solutions, such as SecureW2’s Cloud RADIUS, or building their own on-premise RADIUS infrastructure.

During this integration, the selected RADIUS server’s IP addresses, port, and shared secrets must be entered into the Aruba Management Portal to configure the Aruba IAPs to interact with it. Centralized authentication, authorization, and accounting are made possible using an external RADIUS server, improving network security and administration capabilities. The integration of Aruba AP RADIUS with Aruba RADIUS depends on this procedure.

What is RadSec, and How Does it Work to Improve the Security of Aruba IAP (Instant AP)?

By enclosing RADIUS packets inside a TLS (Transport Layer Security) tunnel, the RadSec (RADIUS over TLS) protocol improves the security of RADIUS communication. This added layer of encryption ensures that RADIUS communications are secured from eavesdropping and alteration during transit. RadSec is most often used in situations where users are roaming and using networks aside from those secured by your enterprise.

To deploy RadSec for Aruba IAPs, set up the RADIUS configuration and access points to allow TLS encryption. Organizations may significantly increase the security of their authentication procedures using RadSec, protecting confidential data and lowering the possibility of credential theft or network intrusions. RadSec is an essential component of Aruba RADIUS, Aruba AP RADIUS, and Aruba cloud RADIUS setups.

How Do You Configure MAC Authentication with Cloud RADIUS and Aruba APs?

Configuring MAC address authentication with Cloud RADIUS and Aruba APs entails creating a MAC authentication profile to provide safe network access using device MAC addresses. Here’s how to establish a MAC authentication profile in Aruba IAP:

Navigate to the configuration:

  • On the left pane, navigate to Configuration > Authentication > L2 Authentication.

Create a MAC authentication profile:

  • Click on MAC Authentication.
  • To create a new MAC profile, navigate to the MAC Authentication Profile: New Profile section and click +.
  • In the Profile name area, type a name for the profile.
  • Select Submit.

Create a new AAA profile:

  • Choose the AAA Profiles tab.
  • Expand AAA and, under the AAA Profile: New Profile area, click + to create a new account.
  • In the Profile name area, type a name for the profile.
  • Select Submit.

Integrate with cloud RADIUS:

  • Ensure your new MAC authentication and AAA profiles are correctly set up to connect with the Cloud RADIUS server.
  • To use MAC authentication, enter the MAC addresses of the devices granted access and specify the authentication type.

By following these instructions, you can enable MAC authentication on your Aruba IAPs and use Cloud RADIUS for safe and efficient network access management.

Configuring MAC authentication improves network security by guaranteeing that only devices with authorized MAC addresses are permitted access. SecureW2’s Cloud RADIUS supports MAC authentication, making it a dependable and scalable solution for managing network access based on device MAC addresses.
