Aruba Mobility Controller Integration
Configure your Aruba Mobility Controller (AOS) to authenticate users with NetKey RADIUS for EasyPSK, iPSK, and 802.1X authentication.
This guide applies to Aruba Mobility Controllers running ArubaOS 8.x. For Instant AP (IAP), see the Aruba Instant guide.
Prerequisites
- Aruba Mobility Controller running ArubaOS 8.x or later
- Network connectivity between controller and NetKey RADIUS
- Administrative access to controller
- NetKey Group configured with RADIUS secret
Log in to app.netkey.no → Settings → RADIUS Clients to find your RADIUS server IP/hostname and create a shared secret for your controller.
GUI Configuration
Follow these steps using the Aruba WebUI.
Step 1: Add RADIUS Server
Navigate to Configuration → Security → Authentication → Servers → RADIUS Server
Click + to add a new server.
Configure the RADIUS server:
| Name | netkey-radius |
| Host | your-radius-server |
| Auth Port | 1812 |
| Acct Port | 1813 |
| Shared Secret | Your NetKey RADIUS secret |
Step 2: Create Server Group
Navigate to Configuration → Security → Authentication → Servers → Server Group
Click + and configure:
| Name | netkey-server-group |
| Servers | Add netkey-radius |
Step 3: Create AAA Profile
Navigate to Configuration → Security → Authentication → AAA Profiles
Click + to create a new profile:
| Name | netkey-aaa-profile |
| Initial Role | authenticated |
| MAC Authentication | Enable (for iPSK) |
| MAC Auth Server Group | netkey-server-group |
| RADIUS Accounting | Enable |
| Acct Server Group | netkey-server-group |
Step 4: Create SSID Profile
Navigate to Configuration → WLANs → SSID Profile
Click + to create a new SSID:
| Name | Corporate-PSK |
| ESSID | Corporate-PSK |
| WPA2 Key Management | WPA2-PSK-AES |
| WPA Passphrase | Placeholder PSK |
Step 5: Create Virtual AP
Navigate to Configuration → WLANs → Virtual AP
Click + and configure:
| Name | vap-corporate-psk |
| AAA Profile | netkey-aaa-profile |
| SSID Profile | Corporate-PSK |
| VLAN | Default VLAN |
Assign the Virtual AP to an AP Group and commit the configuration.
CLI Configuration
Complete configuration via SSH command line.
Configure RADIUS Server
! Configure RADIUS server
aaa authentication-server radius "netkey-radius"
    host your-radius-server
    key YourSecretHere
    authport 1812
    acctport 1813
    enable
!
Create Server Group
! Create server group
aaa server-group "netkey-server-group"
    auth-server netkey-radius position 1
!
Create AAA Profile
! Create AAA profile
aaa profile "netkey-aaa-profile"
    initial-role "authenticated"
    authentication-mac
    mac-server-group "netkey-server-group"
    radius-accounting "netkey-server-group"
!
Create SSID and Virtual AP
! Create SSID profile
wlan ssid-profile "Corporate-PSK"
    essid "Corporate-PSK"
    wpa-passphrase "placeholder123"
    opmode wpa2-psk-aes
!
! Create Virtual AP
wlan virtual-ap "vap-corporate-psk"
    aaa-profile "netkey-aaa-profile"
    ssid-profile "Corporate-PSK"
    vlan 100
!
! Add to AP group
ap-group "default"
    virtual-ap "vap-corporate-psk"
!
! Commit changes
write memory
iPSK Configuration
Identity PSK uses MAC authentication to return a unique PSK per device.
Key Concepts
When MAC authentication is enabled, Aruba sends the client's MAC address
to NetKey. NetKey responds with the device-specific PSK in the
Aruba-MPSK-Passphrase attribute.
Configure MAC Authentication
! Configure AAA profile for iPSK
aaa profile "netkey-ipsk-profile"
    initial-role "authenticated"
    authentication-mac
    mac-server-group "netkey-server-group"
    mac-default-role "authenticated"
    radius-accounting "netkey-server-group"
!
! Configure MAC auth with password style
aaa authentication mac "default"
    delimiter none
    case upper
    password-style shared-secret
!
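The delimiter and case settings above decide the exact string the controller sends as the RADIUS username, so an endpoint stored in another notation will not be found. The following Python check is an added example, not part of NetKey or ArubaOS: it renders a MAC for each delimiter style (none, colon, dash, oui-nic) and flags constructed endpoint records that differ from what the controller would send, assuming the lookup is an exact string comparison.

```python
import re

def mac_auth_username(mac: str, delimiter: str = "none", case: str = "upper") -> str:
    """Render a MAC the way the 'aaa authentication mac' profile formats it."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if case not in ("upper", "lower"):
        raise ValueError(f"unknown case: {case!r}")
    digits = digits.upper() if case == "upper" else digits.lower()
    if delimiter == "none":
        return digits
    if delimiter == "oui-nic":
        return f"{digits[:6]}-{digits[6:]}"
    if delimiter in ("colon", "dash"):
        sep = ":" if delimiter == "colon" else "-"
        return sep.join(digits[i:i + 2] for i in range(0, 12, 2))
    raise ValueError(f"unknown delimiter: {delimiter!r}")

def audit_endpoints(stored, delimiter: str = "none", case: str = "upper"):
    """Return (stored, expected) pairs that would not match byte for byte."""
    mismatches = []
    for entry in stored:
        try:
            expected = mac_auth_username(entry, delimiter, case)
        except ValueError:
            mismatches.append((entry, None))  # not parseable as a MAC at all
            continue
        if entry != expected:
            mismatches.append((entry, expected))
    return mismatches

# Constructed endpoint identifiers, as they might be typed into an endpoint list.
SAMPLE_ENDPOINTS = ["AABBCCDDEEFF", "aa:bb:cc:dd:ee:01", "AABB.CCDD.EE02", "AABBCCDDEE0"]

if __name__ == "__main__":
    # Defaults mirror the profile above: delimiter none, case upper.
    for stored, expected in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"{stored!r}: controller would send {expected!r}")
```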
Update Virtual AP
! Update Virtual AP for iPSK
wlan virtual-ap "vap-ipsk"
    aaa-profile "netkey-ipsk-profile"
    ssid-profile "Corporate-PSK"
    vlan 100
!
Dynamic VLAN Assignment
NetKey can dynamically assign VLANs based on user or device attributes.
VLAN Configuration
Ensure VLANs are configured on the controller:
! Configure VLANs
vlan 100
    description "Guest VLAN"
!
vlan 200
    description "Employee VLAN"
!
vlan 300
    description "Contractor VLAN"
!
User Roles with VLAN
! Create roles for dynamic VLAN
user-role "guest-role"
    vlan 100
    access-list session global-sacl
!
user-role "employee-role"
    vlan 200
    access-list session global-sacl
!
user-role "contractor-role"
    vlan 300
    access-list session global-sacl
!
NetKey returns the Aruba-User-Role attribute to assign clients
to specific roles, enabling role-based VLAN and policy assignment.
User Roles
Aruba uses roles for access control. NetKey can push roles via RADIUS.
Configure Role Derivation Rules
! Server derivation rules (optional)
aaa derivation-rules user "netkey-derivation"
    set role condition Aruba-User-Role value-of
!
RADIUS Attributes Used
| Attribute | Purpose |
|---|---|
| Aruba-User-Role | Assigns user to specific role |
| Aruba-MPSK-Passphrase | Returns per-device PSK for iPSK |
| Tunnel-Private-Group-ID | Dynamic VLAN assignment |
| Aruba-User-VLAN | Alternative VLAN assignment |
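How a reply carrying Aruba-User-Role is protected by the shared secret, as an added Python example (not NetKey or Aruba code): a RADIUS client recomputes the RFC 2865 Response Authenticator with its own copy of the secret, so a secret that differs by even one character makes every reply fail verification. The secret, request authenticator and role value are constructed sample values.

```python
import hashlib
import hmac
import struct

ARUBA_VENDOR_ID = 14823   # Aruba's IANA enterprise number
VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute
ARUBA_USER_ROLE = 1       # vendor type of Aruba-User-Role in the Aruba dictionary

def attr(a_type: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute (length covers the 2-byte header)."""
    return bytes([a_type, len(value) + 2]) + value

def build_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Build an Access-Accept (code 2) the way a RADIUS server signs it."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    signature = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + signature + attrs

def reply_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator with the locally configured secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def aruba_user_role(packet: bytes):
    """Return the Aruba-User-Role value from a reply, or None if absent."""
    pos = 20
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return None  # malformed attribute list
        value = packet[pos + 2:pos + a_len]
        if (a_type == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == ARUBA_VENDOR_ID
                and value[4] == ARUBA_USER_ROLE):
            return value[6:4 + value[5]].decode("utf-8", "replace")
        pos += a_len
    return None

# Constructed sample values, not taken from a real deployment.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
ROLE_VSA = attr(VENDOR_SPECIFIC,
                struct.pack("!I", ARUBA_VENDOR_ID) + attr(ARUBA_USER_ROLE, b"employee-role"))
REPLY = build_accept(7, REQUEST_AUTH, ROLE_VSA, SECRET)
```

Calling reply_is_authentic(REPLY, REQUEST_AUTH, SECRET + b" ") shows the effect of a secret pasted with a trailing space: the reply is rejected even though the server accepted the client.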
Verification & Testing
Check RADIUS Server Status
show aaa authentication-server radius netkey-radius
Test RADIUS Authentication
aaa test-server netkey-radius username AABBCCDDEEFF password AABBCCDDEEFF
View Connected Clients
show user-table
show user-table verbose | include aa:bb:cc:dd:ee:ff
Debug Authentication
! Enable debugging
debug aaa
debug auth
! View debug log
show log all | tail
! Disable debugging
no debug all
Troubleshooting
- Verify connectivity: ping your-radius-server
- Check firewall allows UDP 1812/1813
- Ensure RADIUS secret matches exactly
- Check: show aaa authentication-server radius
- Verify MAC format matches NetKey (upper/lower case, delimiter)
- Check MAC auth config: show aaa authentication mac
- Ensure endpoint exists in NetKey
- Test with: aaa test-server netkey-radius username [MAC] password [MAC]
- Verify endpoint group has PSK configured in NetKey
- Check AAA profile has MAC authentication enabled
- Ensure Aruba-MPSK-Passphrase is being returned
- View debug: debug aaa
- Check role assignment: show user-table verbose
- Verify VLAN exists: show vlan
- Check derivation rules: show aaa derivation-rules
- Verify NetKey is returning correct VLAN ID