Aruba Instant Captive Portal and EAP

Evan Sharp at
Thu Sep 15 00:05:31 UTC 2022


I am trying to configure FreeRADIUS to authenticate users on a guest SSID
with Aruba's Instant virtual controller captive portal.

The FreeRADIUS server is currently configured only to perform an
EAP-TTLS/GTC 802.1X authentication for supplicants on the Aruba IAPs (as
client) using a LDAPS lookup.

What I have found comparing debug outputs from successful 802.1X binds with
unsuccessful captive portal client requests is that the Aruba Instant
controller does not specify an EAP type (EAP-message attribute) in the
request; credentials are sent in plaintext. The server immediately rejects
the bind because no other auth method than EAP-TTLS is configured. The
Aruba Instant apparently cannot be configured to encrypt the captive portal

My thought is that if I configured a secondary non-EAP authorization
method, the FreeRADIUS could use it to process the captive portal requests.
What auth method could work? How can I secure this so that FreeRADIUS only
uses it for the captive portal requests?


More information about the Freeradius-Users mailing list