Aruba

Aruba Instant AP Integration

Configure Aruba Instant Access Points (IAP) in standalone or cluster mode to authenticate users with NetKey RADIUS for PSK and iPSK authentication.

Aruba Instant vs Controller

This guide is for Aruba Instant APs operating in standalone or virtual controller mode. For controller-based deployments, see Aruba Mobility Controller.

Prerequisites

  • Aruba Instant APs running Instant 8.x firmware or later
  • Network connectivity between IAP and NetKey RADIUS
  • Access to IAP web interface or CLI
  • NetKey Group configured with RADIUS secret

Finding Your RADIUS Server Details

Log in to app.netkey.no and go to Settings → RADIUS Clients to find your RADIUS server IP/hostname and create a shared secret for your IAPs.

Web GUI Configuration

Step 1: Access the IAP Interface

  1. Connect to the IAP web interface at https://[IAP-IP]:4343
     Log in with administrator credentials.

Step 2: Configure RADIUS Server

  2. Navigate to Security → Authentication Servers
     Click + to add a new server.

  3. Configure the RADIUS server:

     Name: netkey-radius
     IP Address: your-radius-server
     Auth Port: 1812
     Accounting Port: 1813
     Shared Secret: Your NetKey RADIUS secret

     Click OK to save.

Step 3: Create SSID with PSK

  4. Navigate to Networks
     Click + to create a new network.

  5. Configure Basic settings:

     Name: Corporate-PSK
     Primary Usage: Employee

  6. Configure VLAN settings:

     Client IP Assignment: Network assigned
     Client VLAN Assignment: Static (or Dynamic for RADIUS)

  7. Configure Security settings:

     Security Level: Personal
     Key Management: WPA-2 Personal
     Passphrase: Placeholder PSK

  8. Enable MAC Authentication:

     MAC Authentication: Enabled
     Authentication Server 1: netkey-radius
     Delimiter: Colon
     Uppercase: Enabled

  9. Click Next through remaining steps and Finish.

CLI Configuration

Connect over SSH to the virtual controller IP and configure the IAP from the CLI.

Configure RADIUS Server

CLI
# Configure RADIUS authentication server
wlan auth-server netkey-radius
 ip your-radius-server
 port 1812
 acctport 1813
 key YourSecretHere
 exit

Create SSID with MAC Auth

CLI
# Create network profile
wlan ssid-profile Corporate-PSK
 essid Corporate-PSK
 type employee
 opmode wpa2-psk-aes
 wpa-passphrase placeholder123
 mac-authentication
 mac-authentication-delimiter colon
 mac-authentication-upper-case
 auth-server netkey-radius
 vlan 100
 exit

# Commit changes
commit apply

iPSK (MPSK) Configuration

Aruba Instant supports Multi-PSK (MPSK) via RADIUS lookup.

How MPSK Works

  1. Client connects with their unique PSK
  2. IAP sends MAC to NetKey for authentication
  3. NetKey returns the expected PSK for that MAC
  4. IAP validates the client-provided PSK

Enable MPSK

CLI
# Configure SSID for MPSK
wlan ssid-profile IoT-Devices
 essid IoT-Devices
 type employee
 opmode wpa2-psk-aes
 wpa-passphrase placeholder123
 mac-authentication
 mac-authentication-delimiter colon
 mac-authentication-upper-case
 auth-server netkey-radius
 mpsk
 exit

commit apply

MPSK Attribute

NetKey returns the PSK using the Aruba-MPSK-Passphrase vendor-specific attribute for MPSK authentication.
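
Because the lookup is keyed on the MAC exactly as the IAP sends it (colon delimiter, upper case in the profile above) and the passphrase must be usable as a WPA2 key, an endpoint list can be checked before it is loaded. The following is an added example, not part of NetKey or Aruba tooling; the function names and the (mac, psk) row layout are assumptions, and the printable-ASCII rule comes from IEEE 802.11 rather than from this page.

```python
import re

def iap_username(mac, delimiter=":", upper=True):
    """Format a MAC as the SSID profile above sends it: colon-delimited, upper case."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if upper else digits.lower()
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))

def psk_problem(psk):
    """Return why a passphrase is unusable, or None if it is acceptable."""
    if not 8 <= len(psk) <= 63:
        return f"length {len(psk)} is outside 8-63"
    if any(not 32 <= ord(ch) <= 126 for ch in psk):
        return "contains characters outside printable ASCII"
    return None

def audit_endpoints(rows):
    """Check (mac, psk) rows; return a list of (identifier, problem) findings."""
    findings, seen = [], set()
    for mac, psk in rows:
        try:
            name = iap_username(mac)
        except ValueError as exc:
            findings.append((mac, str(exc)))
            continue
        if name in seen:
            findings.append((name, "duplicate endpoint after normalization"))
        seen.add(name)
        problem = psk_problem(psk)
        if problem:
            findings.append((name, problem))
    return findings

# Constructed sample inventory (not real devices or keys)
SAMPLE = [
    ("aa:bb:cc:dd:ee:ff", "correct-horse-battery"),
    ("AABB.CCDD.EEFF", "another-valid-key"),        # same device, other notation
    ("00-11-22-33-44-55", "short"),                 # passphrase too short
    ("00:11:22:33:44", "long-enough-passphrase"),   # truncated MAC
]

if __name__ == "__main__":
    for ident, problem in audit_endpoints(SAMPLE):
        print(f"{ident}: {problem}")
```

Pass delimiter="" to produce the undelimited form used in the test command under Verification.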

Dynamic VLAN

NetKey can dynamically assign VLANs based on the endpoint or user.

Enable Dynamic VLAN

CLI
# Configure SSID for dynamic VLAN
wlan ssid-profile Corporate-PSK
 vlan 100
 set-vlan-by-role
 exit

commit apply

RADIUS Attributes

NetKey returns the VLAN using:

RADIUS Response
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = "100"

Or the Aruba-specific attribute:

RADIUS Response
Aruba-User-Vlan = 100

User Roles

Assign access control using Aruba roles returned from RADIUS.

Create Roles

CLI
# Create guest role
wlan access-rule guest-role
 rule any any match any any any permit
 exit

# Create IoT role with restrictions
wlan access-rule iot-role
 rule any any match any any 53 permit
 rule any any match any any 443 permit
 rule any any match any any any deny
 exit

RADIUS Role Assignment

NetKey returns the role using:

RADIUS Response
Aruba-User-Role = "iot-role"
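
To confirm from a packet capture that an Access-Accept carries the VLAN and role attributes described in the Dynamic VLAN and User Roles sections, the reply can be decoded directly. The following is an added example, not NetKey or Aruba code; the function names are assumptions, the packets it builds are constructed test data with a zeroed authenticator, and it does not verify the Response Authenticator.

```python
import struct

ARUBA_VENDOR_ID = 14823            # Aruba's IANA enterprise number
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID, VENDOR_SPECIFIC = 64, 65, 81, 26

def attributes(packet):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20                        # 4-byte header + 16-byte authenticator
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen

def decode_authorization(packet):
    """Extract the VLAN and role attributes this page describes."""
    tunnel = {}
    out = {"tunnel_vlan": None, "aruba_user_vlan": None, "aruba_user_role": None}
    for atype, val in attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(val) == 4:
            tunnel[atype] = int.from_bytes(val[1:], "big")    # octet 0 is the tag
        elif atype == TUNNEL_PGID and val:
            # A first octet of 0x1F or less is a tag, not part of the VLAN string
            tunnel[atype] = (val[1:] if val[0] <= 0x1F else val).decode("ascii")
        elif atype == VENDOR_SPECIFIC and len(val) > 6:
            vendor, vtype, vlen = struct.unpack("!IBB", val[:6])
            data = val[6:4 + vlen]                            # vlen counts type+len
            if vendor == ARUBA_VENDOR_ID and vtype == 1:      # Aruba-User-Role
                out["aruba_user_role"] = data.decode("ascii")
            elif vendor == ARUBA_VENDOR_ID and vtype == 2 and len(data) == 4:
                out["aruba_user_vlan"] = int.from_bytes(data, "big")
    # Tunnel-Type 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE-802) must accompany the ID
    if tunnel.get(TUNNEL_TYPE) == 13 and tunnel.get(TUNNEL_MEDIUM) == 6:
        out["tunnel_vlan"] = tunnel.get(TUNNEL_PGID)
    return out

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def aruba_vsa(vtype, value):
    inner = struct.pack("!IBB", ARUBA_VENDOR_ID, vtype, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, inner)

def build_accept(*attrs):
    # Constructed Access-Accept (code 2), zeroed authenticator, for testing only
    body = b"".join(attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body
```

decode_authorization reports the tunnel VLAN and Aruba-User-Vlan separately and makes no claim about which one the IAP prefers when both are present.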

Verification

Check RADIUS Server

CLI
show auth-server

Test Authentication

CLI
aaa test-server ip your-radius-server user AABBCCDDEEFF password AABBCCDDEEFF

View Connected Clients

CLI
show clients

show client status aa:bb:cc:dd:ee:ff

Debug Output

CLI
# Enable debugging
logging level debug auth-server

# View logs
show log auth-server

# Disable debugging
logging level warning auth-server

Troubleshooting

  • Verify IP address is correct: show auth-server
  • Test connectivity: ping your-radius-server
  • Check firewall allows UDP 1812/1813
  • Verify shared secret matches exactly
  • Verify MAC format matches NetKey (delimiter, case)
  • Check endpoint exists in NetKey
  • Verify endpoint group has PSK configured
  • Check NetKey Auth Logs for rejection reason
  • Ensure mpsk is enabled on SSID
  • Verify NetKey returns Aruba-MPSK-Passphrase
  • Check endpoint or group has PSK configured
  • PSK must be 8-63 characters
  • Verify set-vlan-by-role is enabled
  • Check role exists: show access-rule
  • Verify NetKey returns correct attributes
  • Check client status: show client status [mac]