Setup for RadSec Clients with RadSec capability
Summary
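This document provides the configuration scripts needed to connect an Aruba Wireless Controller to RADIUS NAC over RadSec (RADIUS over TLS).
Note: We use the hostname nac-b.opswat.com for Cloud resources. If your device doesn't support hostnames, resolve that hostname to its IP address and use the IP address wherever <NAC-IP> appears below. An address resolved once can go stale if the cloud endpoint's IP changes, so re-check it if the RadSec connection stops working.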
Prepare Certificates
From your account, download the RadSec Client certificate.

After extraction, a sample Certificate folder should look like this:

Aruba Configuration
Import certificates:
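- Import the root certificate of the CA that issued your RADIUS NAC certificate, using the certificate type CA certificate. The scripts below refer to this certificate by the name "RadiusCA", so use that name when importing or adjust the scripts to match.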

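- Import your Aruba Client certificate, using the certificate type Server certificate. The scripts below refer to this certificate by the name "RadSec", so use that name when importing or adjust the scripts to match.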

- Set up RADIUS over TLS (RadSec) and Role
conf t
! Dynamic-authorization (RFC 3576) server entry for the NAC, carried over RadSec.
! Replace <NAC-IP> with the address of your NAC endpoint.
! "radsec" is the fixed shared secret that RFC 6614 specifies for RADIUS over TLS;
! it is not a confidential value. Protection comes from the TLS session and the
! certificates configured below, so do not rely on this key for security.
aaa rfc-3576-server <NAC-IP>
key radsec
enable-radsec
!
! RADIUS server entry used for authentication, with RadSec enabled.
! "RadiusCA" and "RadSec" must match the names given to the CA certificate and
! the client certificate when they were imported on the controller.
aaa authentication-server radius "MetaAccess_NAC_RBE"
host <NAC-IP>
enable-radsec
radsec-trusted-cacert-name "RadiusCA"
radsec-client-cert "RadSec"
!
! Second server entry pointing at the same host with the same certificates;
! the name suggests it is intended for accounting.
aaa authentication-server radius "MetaAccess_NAC_Acct"
host <NAC-IP>
enable-radsec
radsec-trusted-cacert-name "RadiusCA"
radsec-client-cert "RadSec"
!
! Creates the 802.1X authentication profile; no options are set on it here.
! NOTE(review): the step title mentions a role, but this script defines no
! user-role - confirm whether one has to be created separately.
aaa authentication dot1x "MetaAccess_NAC-dot1x_prof"
end
!
write memory
- Create an open wireless SSID (example)
conf t
! Example: an open SSID that uses MAC authentication against the NAC.
! Review note: the SSID profile below sets only an ESSID, so over-the-air traffic
! is not encrypted, and a MAC address can be spoofed. Treat MAC authentication
! here as device identification only and limit what <VLAN-ID> can reach.
!
! Server group used for MAC authentication requests.
aaa server-group "MetaAccess_NAC_RBE_svrgrp"
auth-server "MetaAccess_NAC_RBE" position 1
!
! Server group used for RADIUS accounting.
aaa server-group "MetaAccess_NAC_Acct_svrgrp"
auth-server "MetaAccess_NAC_Acct" position 1
!
! MAC authentication profile: the MAC address is sent with no delimiter, in upper case.
! Presumably this is the format the NAC expects - confirm against the NAC side.
aaa authentication mac "SC_Open_RBE_Mac_Auth"
delimiter none
case upper
!
! AAA profile tying together MAC authentication, the authentication and accounting
! server groups, interim accounting, and the dynamic-authorization server.
! Replace <NAC-IP> with the same address used in the RadSec setup.
aaa profile "MetaAccess_NAC-Open_SSID"
authentication-mac "SC_Open_RBE_Mac_Auth"
mac-server-group "MetaAccess_NAC_RBE_svrgrp"
radius-accounting "MetaAccess_NAC_Acct_svrgrp"
radius-interim-accounting
rfc-3576-server <NAC-IP>
!
! High-throughput SSID profile; no options are set on it here.
wlan ht-ssid-profile "MetaAccess_NAC-Open-htssid_prof"
!
! SSID profile: broadcast name and the high-throughput profile it uses.
wlan ssid-profile "MetaAccess_NAC-Open-ssid_prof"
essid "MetaAccess_NAC-Open"
ht-ssid-profile "MetaAccess_NAC-Open-htssid_prof"
!
! Virtual AP binding the AAA profile and SSID profile to a VLAN.
! Replace <VLAN-ID> with the VLAN that clients of this SSID are placed in.
wlan virtual-ap "MetaAccess_NAC-Open-vap_prof"
aaa-profile "MetaAccess_NAC-Open_SSID"
ssid-profile "MetaAccess_NAC-Open-ssid_prof"
vlan <VLAN-ID>
!
! AP group that carries the virtual AP defined above.
ap-group "MetaAccess_NAC"
virtual-ap "MetaAccess_NAC-Open-vap_prof"
!
end
!
write memory