Aruba Central setup for RadSec

Setting up Aruba equipment to work with Foxpass RadSec

Foxpass RadSec allows a RADIUS connection via TLS for an additional layer of security. This setup guide will help you configure Aruba equipment with Foxpass RadSec.

Configure Aruba

  1. Download the Foxpass RadSec Server CA from the Foxpass RadSec page.

Download RadSec Server CA

  2. Download the RadSec Client Certificate and Key from the same page.

Download RadSec Client Certificate

  3. Combine the contents of the certificate and key into a new file with a .pem extension, with a newline between them. The resulting file should look something like this:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


  4. In Aruba Central, navigate to Global | Organization | Network Structure | Certificates.

Click Certificates

  5. Under Device Certificates > Certificate Store, click the plus. Name the certificate and ensure that the type is set to CA Certificate and the format is set to PEM. Upload the CA .crt file downloaded in Step 1.

Upload the CA

  6. Click the plus once more. Name the certificate and ensure that the type is set to Server Certificate and the format is set to PEM. Upload the Cert+Key file created in Step 3.

Upload the Cert + Key
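
For Step 3 above, one way to build the combined file so that it parses cleanly, as an added example that is not Foxpass or Aruba code. The function names and output path are hypothetical. It normalizes line endings, refuses a file where the END and BEGIN markers have fused onto one line, writes the bundle readable only by its owner, and lets OpenSSL confirm the key belongs to the certificate.

```python
import base64
import os
import re
import ssl

# A PEM block must start and end on its own line; a key file with no trailing
# newline concatenated to a certificate fuses "-----END ...----------BEGIN ...".
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----[ \t]*\r?$",
    re.DOTALL | re.MULTILINE)


def pem_blocks(text):
    """Return [(label, der_bytes)] for each well-formed PEM block in text."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_BLOCK.findall(text)]


def to_pem(label, der):
    """Re-encode one block with LF line endings and 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def build_bundle(key_text, cert_text, out_path):
    """Write private key, blank line, certificate to out_path with mode 0600."""
    keys = [b for b in pem_blocks(key_text) if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in pem_blocks(cert_text) if b[0] == "CERTIFICATE"]
    if len(keys) != 1 or len(certs) != 1:
        raise ValueError("need exactly one private key and one certificate")
    bundle = to_pem(*keys[0]) + "\n" + to_pem(*certs[0])
    # O_EXCL refuses to overwrite; 0o600 keeps the key unreadable to other users.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(bundle)
    return bundle


def key_matches_cert(bundle_path):
    """True if OpenSSL accepts the bundle and its key belongs to its certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_cert_chain(bundle_path)
    except ssl.SSLError:
        return False
    return True
```

Run `build_bundle` on the contents of the two downloaded files, then `key_matches_cert` on the result before uploading it in Step 6.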

Configure SSID for RadSec

  1. In Aruba Central navigate to <any access point/controller> | Devices | WLANs. Click Add SSID. Name the SSID and click Next.

SSID General Configuration

  2. Leave the Traffic forwarding mode and Client VLAN Assignment on Bridge and Static respectively. Add whichever VLAN you would like the network to pull IP addresses from, most likely 1, and click Next.

SSID VLAN Configuration

  3. Set the Security Level to Enterprise and click the + next to Primary Server. Name the new server, set the Server Type to RADIUS, enable Radsec, ensure the Radsec Port is 2083, the Radsec Keepalive Type is TCP Keepalive, and the IP Address/FQDN is radius.foxpass.com, then click OK.

SSID Authentication Server Configuration

  4. Make sure that the Security Level is Enterprise, the Key Management is WPA2-Enterprise, the Server Group is Primary and backup only, and the Primary server is the authentication server you just created in Step 3, then click Next.

SSID Security Configuration

  5. Configure the Roles and Rules as you see fit and click Next to reach the Summary confirmation page. Then click Finish to create the SSID.

SSID Access Configuration

  6. Click Show Advanced to reveal the rest of the tabs in the Device menu. Navigate to the Security tab. Expand Certificate Usage and then expand the subcategory also named Certificate Usage. Set the Certificate Authority and RadSec CA fields to the certificate authority entry you created in Step 5 of the previous section. Set the Authentication Server and RadSec Client Certs to the server certificate entry you created in Step 6 of the previous section. Click Save Settings to publish your changes.

Certificate Assignment

  7. Now connect to your SSID.

Connected to SSID

  8. You can see successful and unsuccessful authentication attempts on the RADIUS logs page.

RADIUS logs