We recently migrated to AOS10 and new central and realized we no longer had our public network throttled. I am not seeing any settings for this in the WLAN profile and was wondering if anyone knows where this was moved to, or if its even still available. I looked through the Aruba documentation but didn't really see anything.
Thanks
I have client that has multiple CX switches in population. For some reason they are utilizing Aruba Central. I have the switches in a monitor only group and I can configure them fully via the CLI but I don't have any configuration options via the Web UI. Is this normal behavior or is there a way to enable full functionality via the web? Firmware version is ML.10.11.1021. Thanks for any assistance.
My HPE portal was discontinued some time ago and now have a predicament.
My office network contains 11 Aruba IAP-205-US with firmware 6.5.4.14_72510. Appearently, 2 additional nodes there were in an unsed part of the building were disconnected and ended up being left behind when the last firmware updates were install years back.
Now that the building is being fully used, I need to get these last 2 APs to join the others in their cluster newtork.
My problems is that when they EOL took place, they also killed the ability of the cluster to update the firmware in newly added APs. The 2 nodes being added are firmware 6.4.2.6-4.1.1.6_50009. Looking for help finding firmware 6.5.4.14_72510 to any newer version of 6.5.X to resolve. DM me if you are able to help.
I was wondering since HPE has made Aruba Central such an unfriendly user experience with their convoluted New Central and unintuitive interface (the Classic left side menu was MUCH better), has anyone had any experience switching platforms with a much more friendly user interface?
Hey all,
I am currently running AOS 8.10.x and the GUI has just been horrible. Our stack is dual 7210 HA Mobility Masters with 7008 MCs connected via VPN.
On the MM GUI, it appears the entire monitoring section is just plain broken. The AP list doesn't load unless I refresh the page 5x, the clients list just doesn't load, deleted MCs stay in the GUI for weeks, etc etc. I've tested Firefox, Chrome, and Safari, and all just seem to bug out in similar ways.
So, what is the most bulletproof 8.x version? We have a mix of 325, 205 RAP, and 535, so it must be 8.10 or lower. We do not have 6ghz and are holding off on that for a while for various reasons. So far I have tried 8.10.0.7, 8.10.0.21, 8.10.0.22, and all just don't work well. I'm at a complete loss and I'm willing to go far back as 8.5 just to be able to monitor everything from the MM again and have the GUI not take a minute to load a basic page.
Hi All,
Currently, our Mobility Controller Hardware is managed on our Mobility Master VM.
We intend to convert the Mobility Controller into a standalone unit without being managed by the Mobility Master. And our AP Licenses are on Mobility Master.
My questions:
- Wanted to check what the steps to convert our Mobility controller to a standalone. Do I need to factory reset the Mobility Controller and re-configure from scratch?
- For the licensing, how can i move from Mobility Master to Mobility Controller?
- If i maintain the same controller ip, will my AP seamlessly reconnect back to my Mobility Controller after i reconfigure from scratch?
Have been forcing myself to familiarize myself with it. Realizing there is not a pane anywhere that shows a list of active APs and also has the number of clients connected to each of those APs next to it. This was always a common sense thing that was included with classic Central as well as 8.x and going back further.
It is truly unbelievable. Impossible to access any instant OS release notes.
Look at links on left side of https://arubanetworking.hpe.com/techdocs/ArubaDocPortal/content/new-portal/instant.html or try to access https://arubanetworking.hpe.com/techdocs/ArubaOS/Consolidated_8.x_RN/Content/Home.htm or similar.
> Request Error > The access request cannot be completed due to an administrative issue identified with your account. To resolve this issue submit a support request.
What is going on? I've seen other posts about this almost a year ago now...does the company simply just not care? I am constantly astounded by how poorly this company has started to function.
Hello!
We’re experiencing a strange problem after migrating our core to Aruba 6400 running VSX. Both switches are presenting themself as querier for IGMP groups on vlans resulting in downstream switches not receiving a querier for the vlan. If we disable Igmp on the vlan the downstream switches get the querier but when it times out it’s gone.
Anyone else’s experiences this with Aruba vsx? Running 10.16 and have been in contact with TAC who also can’t explain it which is my usual experience with Aruba TAC.
Our customer wanted to integrate the Aruba mobility controller AOS8 (8.10.0.20) with Grafana.
Has anyone ever tried to export SSID Clients historical data to Grafana? Is it possible to do it?
Hi!
I have the following configuration on my Aruba 2540 for access point. How I can configure similar configuration for my Access point on Aruba 6100. VLAN 120 is my management VLAN.
interface 1
name Access point
tagged vlan 13,20-21,300-301
untagged vlan 120
Thanks
Has anyone got this to work if you tried?
Insight:
Anything work for anyone on here if you have the same setup?
TIA
**EAP-TLS certificate-based Wi-Fi with Microsoft Intune + Aruba Central NAC — Windows, macOS and iOS/iPadOS**
I couldn't find much documentation covering all three platforms together, so I put together a full lab write-up with step-by-step screenshots.
**The setup:**
- Aruba Central NAC as the RADIUS/NAC engine (OAuth2-connected to Intune/Entra ID)
- SCEP certificates issued directly by Central NAC's built-in CA (no NDES/connector needed)
- Intune pushing 3 profiles per platform: Trusted Certificate + SCEP + Wi-Fi
- Automatic EAP-TLS connection to WPA2-Enterprise SSID once profiles are deployed
**Per-platform specifics:**
*Windows* — straightforward, same flow as the HPE TechNote. Validate with certmgr.msc.
*macOS* — requires APNs certificate first (one-time setup). SCEP profile uses Device Channel. Validate in Keychain Access (System + login keychains).
*iOS/iPadOS* — enrollment via Company Portal is very guided. **Important:** use Certificate type **User** with `CN={{UserPrincipalName}}` in the SCEP profile. Device type causes NAC authorization to fail (Deny All) because Central NAC can't resolve the device cert to an Entra ID user or group.
**Docs split into two GitHub repos:**
- Aruba Central NAC config (identity store, roles, policies, SSID): https://github.com/Luconik/hpe-aruba-guides/tree/main/central-nac-intune
- Intune profiles + enrollment per platform: https://github.com/Luconik/microsoft-intune/tree/main/eap-tls
Each README has EN + FR versions and full screenshots for every step.
So, I'm doing a total renovation on my house, and was set on using a full unifi setup like all my friends. My network is mainly for smart home, and of course tv and wifi.
I don't know if I will regret this, but I endene up with a budget options with used Aruba gear. I though to my self that the one pan of glass looks amazing and is very easy and user friendly, but then again, as a private person in my own home how often will I actually use it to anything useful? So my newoek now looks like this: EdgeRouter 4, Aruba 2540 (Core), 2x Aruba 2530-24G-PoE+, 1x Aruba 2530-48G and Unifi AP. I have a NOC that gives my much of the information that I would get on the Unifi user interface.
Do you guys think I will regret this route?
I'm a bit anxious if I went the right way on this one..
It's only a small network in my own home, it should ok I think
Does the amber PoE say everything or should I look into this more?
Does the amber PoE say everything or should I look into this more?
Pacific office set this up like 4 years ago and we've been bitching about the wifi being intermittent. They say they cant figure it out. Of course they arent giving me the login to any web UI to figure it out myself.....All I can do is take a close inspection of the equipment and I notice the PoE light isn't green. This is definitely a problem right?
Tested on: Aruba 6000 48G and 6300 24G, firmware 10.13.1161, 10.13.1170, 10.16.1010, 10.16.1040, 10.17.1001, 10.17.1010. I am testing everything below in a single switch lab environment, with nothing else on the switch but two test devices.
Very basic example config:
ip igmp snooping drop-unknown vlan-shared
ip igmp snooping filter-unknown-mcast
vlan 1
name av-general
ip igmp snooping enable
ip igmp snooping version 2
client track ip
interface vlan 1
ip address 10.119.24.11/22
ip igmp enable
ip igmp querier
ip igmp querier-wait-time 1
ip igmp version 2
ip igmp querier interval 125
ip igmp query-max-response-time 10
!
ip route 0.0.0.0/0 10.119.24.1
!
!Switchport config starts here
!
interface 1/1/1-1/1/52
no shutdown
mtu 9198
vlan access 1
ip igmp snooping fastleave vlan 1
Basic Problem: When the switch boots, devices connect and immediately send IGMP group membership messages. These IGMP join messages are not supposed to be seen by other devices. However, the switch is broadcasting them to all ports on the vlan. Once the switch is fully up and running, it properly filters these messages.
Extra detail: IGMPv2 group membership messages are sent to the multicast address for the group. I am using 239.255.255.255 (SDP announcement), for example. I have filter-unknown-mcast enabled and drop-unknown enabled as well, in an attempt to prevent oddities at boot up. However, I am still seeing these group membership messages at boot in Wireshark on my laptop on another interface port. It behaves normally once the querier is actually running. This means I don't see any IGMP group membership messages at all in Wireshark except from my own computer. Technically, even if you are subscribed to that multicast group, you still shouldn't see the IGMP join messages from other devices. This is how the Aruba works - once it is running fully.
Why this is problematic: I have devices that stop sending multicast data to a group if they see multicast join messages for that group. I believe this is to prevent flooding on switches that aren't working properly or don't support IGMP snooping. So if I reboot my Aruba switch, these devices see a rogue IGMP membership message to their group, stop sending, and require a reboot to start working again. I am working with the device manufacturer, but they are also going to point to the Aruba behavior as problematic.
Possible solutions? On the 6300, I think I could set up ACLs to block IGMP membership back to the devices. However, I am using 6000 series heavily. I don't see any solution to this on 6000 series. Is there a way to change the boot behavior or config to prevent this?
Hoping for a quick fix before entering TAC hell...we have a pair of 7210s running 8.10.0.22, and for a little while we've had a somewhat reproducible issue where some clients' download speeds max out between 10 and 30 Mbps. I am now about 90% sure that this is happening only to clients where their anchor controller is different from their AP's anchor controller. e.g.:
AP01 is anchored to controller A
Client X on AP01 is anchored to controller A, speeds are great
Client Y on AP01 is anchored to controller B, speeds are asymmetrically poor
Clients with the same anchor as their AP can reliably get 700Mbps symmetrical on 6GHz, but when the anchors are separate it'll be something like 20Mbps down and 400Mbps up.
I'm not sure exactly when this started, though a likely start was a few weeks ago when we went from 8.10.0.19 to 8.10.0.22.
This happens on any kind of SSID (enterprise, open, SAE), though all are tunneled. I do not really want to convert the entire campus to bridged SSIDs as a workaround.
We have jumbo frames (9198) enabled everywhere involved (APs, switch uplinks, controller LAGs). The controllers each have an MCLAG to our CX6400 cores, which have a VSX ISL with MTU 9500.
No wired ports involved show any drops or errors, each controller has a port-channel of two 10GbE links. We see jumbos incrementing on the switches, and giants incrementing on the controllers. Controller port-channels and interfaces all confirm jumbo/9198 is enabled.
When I look at the datapath tunnel list, it seems like the AP tunnels are all MTU 9000, but the tunnel between the controllers is 1500. Not sure what's expected here.
Rebooting APs does not resolve, and a phased reboot of the controllers last night did not resolve. I'm considering going to 8.13.2.0 tonight as a last resort before starting the TAC journey. Any advice is welcome!
**EAP-TLS with Aruba Central NAC + Microsoft Intune — Windows, macOS and iOS/iPadOS lab documentation**
I've been working on getting certificate-based Wi-Fi authentication (EAP-TLS) working across all three major Intune-managed platforms using Aruba Central NAC as the RADIUS/NAC engine.
The setup uses:
- Aruba Central NAC with Microsoft Intune as the UEM (OAuth2 identity store)
- SCEP certificates issued directly by Central NAC CA
- Intune pushing Trusted Certificate + SCEP + Wi-Fi profiles to each platform
- EAP-TLS authentication validated by Central NAC against Entra ID group membership
**What's covered in the docs:**
- Entra ID App Registration + API permissions
- Aruba Central Intune extension configuration
- NAC identity store, roles, authorization policies, SSID and auth profile setup
- SCEP URL + root CA retrieval
- Platform-specific Intune profiles and enrollment for Windows, macOS and iOS/iPadOS
- End-to-end validation (certmgr, Keychain, Central NAC client detail)
**One gotcha for iOS:** the SCEP profile must use Certificate type **User** with `CN={{UserPrincipalName}}`. Using Device type causes Central NAC authorization to fail with Deny All — the NAC can't map a device cert to an Entra ID user/group.
Full step-by-step docs with screenshots on GitHub:
- Central NAC config: https://github.com/Luconik/hpe-aruba-guides/tree/main/central-nac-intune
- Intune profiles + enrollment: https://github.com/Luconik/microsoft-intune/tree/main/eap-tls