About Me

GTA, Ontario, Canada
Hold the Door!!! CCIE 25938: CCIE Routing & Switching, Security, Voice, and latest CCIE Datacenter. Python+SDN is ongoing

Thursday, December 29, 2011

Aruba Controller Authentication Part 2 WPA/WPA2 and 802.1X

This part is about configuring WPA or WPA2 and 802.1x on Aruba Controllers. The steps are:
1. Configure the external auth-server or internal-db.
2. Create a server group and assign the configured auth-server to it.
3. Create a dot1x profile and configure the required dot1x parameters (EAP-Offload, key rotation, re-auth, etc.).
4. Create an AAA profile and assign to it the server group and dot1x profile created in Steps 2 and 3.
5. Create an AP Group and Virtual AP.
6. Assign the AAA profile to the Virtual AP.
7. Configure the SSID profile with the SSID, the required operation mode and authentication to use with dot1x, and other parameters.

802.1x Configuration Example WPA2-AES

Step 1 - Configure a Server:

Step 2 - Configure the Server Group: Create a Server Group and assign the server to it.
NOTE: Multiple servers are allowed. When the "Fail Through" box is unchecked, if one server denies the authentication, no request is sent to the remaining servers. When the "Fail Through" box is checked, if one server denies the authentication, the request is passed on to the remaining servers. Furthermore, when using 802.1x authentication, Fail Through only works with AAA FastConnect enabled.

Step 3 - Configure the AAA Profile to use dot1x:

Step 4 - Configure L2 dot1x Profile:

Step 5 - Create an AP Group and Virtual AP:

Step 6 - Assign the AAA Profile to the VAP:

Step 7 - Configure SSID to WPA2-AES:
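The same seven steps as a controller CLI configuration, added here as an example and not taken from the original post. It assumes ArubaOS 6.x CLI syntax; every profile name, the ESSID, the VLAN, the server address (a documentation-range IP) and the shared-secret placeholder are constructed for illustration.

```text
! Step 1 - external RADIUS server (address and key are placeholders)
aaa authentication-server radius "radius-1"
   host 192.0.2.10
   key <shared-secret>
!
! Step 2 - server group; allow-fail-through is the CLI form of the
! "Fail Through" box and is left disabled here
aaa server-group "dot1x-servers"
   auth-server "radius-1"
   no allow-fail-through
!
! L2 dot1x profile: re-authentication and key rotation enabled.
! EAP offload ("termination enable") is left at its default (off),
! so EAP is passed through to the RADIUS server.
aaa authentication dot1x "corp-dot1x"
   reauthentication
   multicast-keyrotation
   unicast-keyrotation
!
! AAA profile ties the dot1x profile to the server group
aaa profile "corp-aaa"
   authentication-dot1x "corp-dot1x"
   dot1x-server-group "dot1x-servers"
   dot1x-default-role "authenticated"
!
! Step 7 - SSID profile in WPA2-AES mode. In the CLI it has to exist
! before the Virtual AP can reference it, so it is defined first.
wlan ssid-profile "corp-ssid"
   essid "CORP-DOT1X"
   opmode wpa2-aes
!
! Steps 5 and 6 - Virtual AP with the AAA and SSID profiles attached,
! then the AP group that carries the Virtual AP
wlan virtual-ap "corp-vap"
   aaa-profile "corp-aaa"
   ssid-profile "corp-ssid"
   vlan 10
!
ap-group "corp-aps"
   virtual-ap "corp-vap"
```

Following the references from `show running-config` (AP group to Virtual AP, Virtual AP to AAA and SSID profiles, AAA profile to dot1x profile and server group) is a quick check that every object in the chain exists and that the SSID profile's opmode is `wpa2-aes`.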

Note: 802.11i supports both TKIP and AES-CCM. 802.11i intends for users to ultimately take advantage of AES-CCM, as it is better than the other existing options. However, as mentioned in earlier slides, it generally requires a hardware upgrade for the wireless clients. Therefore, TKIP is available as an alternative to basic WEP to improve security without the need for a full-fledged hardware upgrade.

A better solution than PSK is to use dynamic keys. Here, dynamic keys are used to provide the greatest level of security.
