How to Set Up EAP-TLS with Aruba Instant Access Points

How to Set Up EAP-TLS with Aruba Instant Access Points

Costly data breaches and credential theft has prompted many organizations to re-evaluate their wireless security systems and look for improves that can be made. Many that utilize credential-based authentication discover that this network type is highly susceptible to over-the-air theft from MITM and Evil Twin attacks. Certificate-based networks, such as WPA2-Enterprise with EAP-TLS authentication, have proven time and again that they protect against these types of attacks, but in the past were too difficult to configure. SecureW2’s onboarding solution simplifies the process considerably, reducing the configuration time from days to only a couple hours. The following is a guide that lays out the process of configuring SecureW2’s onboarding solution with Aruba Instant Access Points.

To complete this setup, you will need the following:

  • A SecureW2 Network Profile configured for EAP-TLS
  • An Identity Provider
  • A functioning IAP


Setting up the Onboarding SSID

In the SecureW2 Management Portal:

  1. Click Network Profiles under Device Management
  2. Click View in the function section on the network profile you created
    • Copy the URL of the page that opens for use in the IAP configuration

The link to add to the IAP

  1. Navigate to the Aruba Management Portal
  2. Under the Networks section, click New
  3. In Step 1, enter the same SSID name as you have configured in your Network Profile, set Primary usage to Guest, and click Next

Configuring the Onboarding SSID

  1. Leave Step 2 as Default and click Next
  2. In Step 3, set Splash page type to External and create a New Captive Portal Profile and enter the following information:
    • In the Name Section, enter any name
    • Set Type as RADIUS Authenticator
    • The IP or hostname should be
    • In the URL section, paste the path of the URL that was copied earlier (the path is everything that comes after .com in the URL)
    • Enter 443 in the Port Section
    • Leave everything else default, click Ok, and click Next

Connecting the SecureW2 RADIUS with the Onboarding SSID

  1. Set the Access Rules to Role-based
  2. Create a new role by clicking New in the Roles section
  3. To get the necessary information to populate the role, go back to the SecureW2 Management Portal and click Documentation in the General section
  4. Select the SecureW2 JoinNow Deployment Guide
  5. Scroll to the Firewall Rules section and you can find the IPs that need to be entered into the Role Policy

The IP addresses that need to be entered into the new role

There are other resources in Section 2.3 Adding the DNS List that should be added to ensure that the onboarding process operates smoothly. This section in the Deployment Guide will walk you through which sections to add

  1. Once you have added the IPs to your Role Policy, go to the Assign pre-authentication role dropdown menu and select the new Role Policy, and click Finish
  2. The network should appear in the Networks section after a few seconds, and you have set up the Onboarding SSID for testing purposes

The new onboarding SSID


Setting up the Secure SSID

Now that we’ve configured the Onboarding SSID that will enroll users for a certificate, we need to setup the Secure SSID. This SSID needs to be configured for EAP-TLS WPA2-Enterprise Authentication. It also needs to be integrated with a RADIUS server, which in this case will be the SecureW2 Cloud RADIUS.

  1. Under AAA Management, click AAA Configuration
    • Here you will see your RADIUS information
  2. Navigate to the Aruba Homepage and click New under Networks
  3. Enter a name for the SSID and keep the primary usage set to Employee, then click Next
  4. Keep VLAN settings as default and click Next
  5. Adjust the Security Level to Enterprise
  6. Select New in the dialog box for Authentication Server 1

Configuring the Secure SSID

  1. Enter a Name for the SSID
  2. Copy the Primary IP Address from the SecureW2 Management Portal and Paste it in the IP Address box
  3. Copy the Port number from the SecureW2 Management Portal and paste it in the Auth port box
  4. Copy the Shared Secret from the SecureW2 Management Portal and paste it in the Shared key box and the Retype key box
  5. Click Ok

Connecting the SecureW2 Cloud RADIUS

  1. Repeat the above steps for Authentication Server 2, but copy the Secondary IP Address from the SecureW2 Management Portal and paste it in the IP Address box
    • Enter the same Port and Shared Secret for Authentication Server 2 and click Ok
  2. Click Next, set the Access Rules as Unrestricted, and click Finish
  3. The new SSID will appear in the Networks section in the Aruba Homepage


Concluding Thoughts

You have successfully configured the Onboarding SSID and Secure SSID to begin enrolling users for certificates. If you have any questions, general feedback, or would like to try a free trial of SecureW2’s onboarding software, contact us with the form below.

Aruba is either registered trademarks or trademarks of Aruba Networks in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.

  • Email addresses from free providers (Gmail, Hotmail, etc.) will not be accepted.
  • This field is for validation purposes and should be left unchanged.