HPE Aruba

Aruba Central Integration

Configure Aruba Central cloud-managed Instant APs to authenticate with NetKey RADIUS for MPSK, WPA2-Enterprise, and dynamic VLAN assignment.

Cloud Connectivity

Aruba Central-managed APs need network access to reach the NetKey RADIUS server. Ensure firewall rules allow RADIUS traffic from AP subnets.

Prerequisites

  • Aruba Central account with Instant AP management license
  • Instant APs onboarded to Aruba Central
  • Network connectivity from APs to NetKey RADIUS (UDP 1812/1813)
  • NetKey Group configured with RADIUS secret
Finding Your RADIUS Server Details

Log in to app.netkey.noSettings → RADIUS Clients to find your RADIUS server IP/hostname and create a shared secret for your APs.

Aruba Central Configuration

Step 1: Configure Authentication Server

1

Log in to Aruba Central portal

Navigate to your Site/Group

2

Go to Configuration → Security → Authentication Servers

3

Click + Add and configure:

Name NetKey-RADIUS
Type RADIUS
IP/Hostname your-radius-server
Auth Port 1812
Shared Key Your NetKey RADIUS secret
4

Configure Accounting (optional):

Enable Accounting On
Accounting Port 1813
5

Click Save

Step 2: Create Server Group

6

Go to Configuration → Security → Server Groups

7

Click + Add:

Name NetKey-Group
Servers NetKey-RADIUS

WPA2/WPA3-Enterprise WLAN

1

Navigate to Configuration → WLANs

Click + Add WLAN

2

Configure WLAN settings:

Name Corporate-Enterprise
SSID Corporate-WiFi
Type Employee
3

Configure Security:

Security Level Enterprise
Key Management WPA2-Enterprise (or WPA3)
Authentication Server NetKey-Group
4

Configure VLAN (if needed):

Client IP Assignment Virtual Controller Managed
Client VLAN Assignment Static or Dynamic
5

Click Save

MPSK Configuration

Configure Multiple Pre-Shared Keys (MPSK) via RADIUS.

1

Create or edit a WLAN

Configure security settings:

Security Level Personal
Key Management WPA2-Personal (or WPA3-Personal)
Passphrase Fallback PSK (8+ chars)
2

Enable MAC Authentication:

MAC Authentication Enabled
Authentication Server NetKey-Group
Delimiter Colon (or configure in NetKey)
Uppercase Off (lowercase)
MPSK Attribute

NetKey returns the per-device passphrase via Aruba-MPSK-Passphrase VSA. The AP uses this instead of the fallback PSK.

RADIUS Response for MPSK

Access-Accept 
Aruba-MPSK-Passphrase = "UniqueDevicePass123"
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = "100"

Dynamic VLAN Assignment

Configure VLANs to be assigned dynamically from RADIUS.

1

In WLAN settings, configure:

Client VLAN Assignment Dynamic
Default VLAN Fallback VLAN ID
Allowed VLANs 100,200,300,400
VLAN Infrastructure

Ensure VLANs are configured on your switch infrastructure and allowed on trunk ports connecting to Instant APs.

User Roles

Assign user roles via RADIUS for differentiated access.

Create User Role

1

Navigate to Configuration → Roles

Click + Add Role

2

Configure role:

Name employee-role
VLAN 100
3

Add access rules as needed (firewall policies)

RADIUS Response for Role

Access-Accept 
Aruba-User-Role = "employee-role"

The role name in NetKey must match exactly the role configured in Aruba Central.

Testing & Verification

View AP Status

1

Navigate to Monitor → Access Points

Verify APs show as "Up" and have the WLAN configured

View Client Connections

2

Navigate to Monitor → Clients

Check for connected clients showing:

  • Authentication status
  • Assigned VLAN
  • User role (if applicable)

View Logs

3

Navigate to Monitor → Alerts & Events

Look for authentication events and RADIUS messages

Verify in NetKey

4

Check NetKey Auth Logs for:

  • Incoming authentication requests
  • Access-Accept or Access-Reject responses
  • Returned attributes (VLAN, role, passphrase)

Troubleshooting

  • Verify APs can reach NetKey RADIUS server IP
  • Check firewall rules allow UDP 1812/1813 from AP subnet
  • Confirm authentication server is correctly configured
  • Verify server group is assigned to WLAN
  • Verify MAC authentication is enabled on WLAN
  • Check MAC format matches between Central and NetKey
  • Confirm endpoint exists in NetKey with correct MAC
  • Verify NetKey returns Aruba-MPSK-Passphrase
  • Verify VLAN is in "Allowed VLANs" list
  • Check Client VLAN Assignment is set to "Dynamic"
  • Ensure VLAN exists on switch infrastructure
  • Verify NetKey returns Tunnel-Private-Group-ID
  • Shared secrets are case-sensitive
  • Re-enter secret on both Aruba Central and NetKey
  • Avoid special characters that may be interpreted differently
  • Check for trailing spaces

Best Practices

  • Use RadSec for WAN deployments - Consider RadSec (RADIUS over TLS) for sites connected via WAN for encrypted RADIUS traffic
  • Configure redundant RADIUS - Add a secondary NetKey RADIUS server for high availability
  • Monitor authentication logs - Regularly review NetKey Auth Logs for failed attempts
  • Test in staging - Test configuration on a staging group before deploying to production
  • Document MAC formats - Keep a record of the MAC format configured for consistency