Cloud Managed Networks

  • 1.  Accesspoint Uplink 802.1x in CNX not working

    Posted Mar 03, 2026 06:45 AM
    Edited by Keyser Mar 03, 2026 07:23 AM

    I'm testing moving a wireless setup to New Central, but a critical issue is I cannot get 802.1x on the access points' uplink to work.

    When I create an "AP Uplink" profile for E0 port and set everything up - including 802.1x authentication with PEAP-MSCHAPv2 common credential, the profile seems to sync to the AP (Success in Audit Log). On the AP I can also see a new wired profile used for ENET0 with the settings I created in the profile - EXCEPT: the profile says: "no dot1x" in its config.

    EDIT: The 802.1x settings actually do work and get set in the config like before as "ap1x peap" - The credentials are in the pre boot environment, not the AP config.
    But the problem is it only effectively works if I create a new local profile on each AP, because there I can choose not to fill in the "management VLAN" settings as either Native or Tagged VLAN. On a Library profile that setting is forced, and it will cause the AP no longer to use its 802.1x since the Management VLAN gets set and locked to the Native VLAN (which is not 1 in my setup).
    Is this a bug or is there some explanation/prerequisite I'm missing in order for it to deploy?



    -------------------------------------------



  • 2.  RE: Accesspoint Uplink 802.1x in CNX not working

    Posted Mar 03, 2026 10:37 AM
    Edited by Herman Robers Mar 03, 2026 10:43 AM

    Using a different (tagged) management VLAN on AOS10 or Instant APs is strongly deprecated.

    Keep the AP management in its native VLAN. If your AP management VLAN is for example 100, put that as the native/untagged VLAN on your switch port. Also use DHCP for IP address allocation in that native management VLAN.

    Also, if you have bridged SSIDs, make sure that the switch port for the AP after authentication switches to device mode, or the equivalent mode for your switch that stops authenticating any additional MAC addresses coming through the AP.

    In addition, as you have noticed the 802.1X settings don't go in the normal configuration. Also, in the past it was required to reboot the AP in order to enable/disable the 802.1X uplink authentication; I don't see a message when I apply that config, but it's probably needed to activate the changed setting.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Accesspoint Uplink 802.1x in CNX not working

    Posted Mar 03, 2026 12:26 PM

    Yes that's what I thought too:

    My switches have VLAN 100 (AP MGMT) as the native VLAN on the port trunk in the switch role that is applied when an AP completes auth using PEAP-MSCHAPv2. Have been using that for years without problems.

    But now, if I create a library profile for "AP Uplink" with port 0 in Trunk mode with VLAN 100 as Native, and all allowed, I'm forced to select a Management VLAN (which should logically then be the Native VLAN). But if that is set to NATIVE, then the AP will initially auth fine and have the switch profile applied to the port, but then very shortly after something I have not yet identified happens and the switchport instead goes into unauthenticated fallback mode.

    Whereas: If I make the profile locally on the device level, I can avoid selecting a management VLAN setting (Native or tagged), and it works completely as expected with 802.1x auth which applies the AP uplink role on my switch to the switchport.

    So it must be something related to the management VLAN Native setting in the profile. Are you saying I should put VLAN 1 as the Native VLAN in my AP profile even though the Switch has VLAN 100 native on the port?




  • 4.  RE: Accesspoint Uplink 802.1x in CNX not working
    Best Answer

    Posted Mar 06, 2026 09:25 AM

    So it must be something related to the management VLAN Native setting in the profile. Are you saying I should put VLAN 1 as the Native VLAN in my AP profile even though the Switch has VLAN 100 native on the port?

    Yes; that's it. The AP doesn't care about the VLAN ID and VLAN 1 is the default and no management VLAN in the AP is needed. The UI could be more clear on this topic.



    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 5.  RE: Accesspoint Uplink 802.1x in CNX not working

    Posted Mar 07, 2026 07:10 AM

    Sure could… What is even the point of being able to select a different Native VLAN than 1 then? Especially since it will prevent the AP from working/being managed if "Native VLAN" is selected for management VLAN.

    -------------------------------------------



  • 6.  RE: Accesspoint Uplink 802.1x in CNX not working

    Posted Mar 09, 2026 07:27 AM

    There may be some corner-cases where someone would use a tagged management VLAN. I agree that the UI may not be fully intuitive, but that has to do with the point that someone may explicitly want to configure this. You may report this through TAC or your local HPE Networking SE/contact.



    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 7.  RE: Accesspoint Uplink 802.1x in CNX not working

    Posted Mar 09, 2026 11:59 AM

    The point of setting the management VLAN is usually to get the management and native VLANs to match.  Calling this functionality "deprecated" is overstating things a bit.  Using a tagged management VLAN is usually more of a challenge than most people want to deal with and typically not useful, but setting the proper native VLAN and having the AP use that VLAN as the management VLAN is good practice.

    Quick couple of reasons for doing this:

    1. Some switches complain about a mismatch in the VID when the native setting on the AP and switch aren't matching.
    2. When you're bridging through the AP, having the correct native VID on the uplink is a requirement so that you can be assured of always using the proper VLAN for received traffic; this is especially important in a mesh deployment.

    @Keyser can you please share your problematic switch and AP configuration?  Just the interface and port-profiles.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: Accesspoint Uplink 802.1x in CNX not working

    Posted Mar 09, 2026 12:22 PM

    Well it works if I set the AP Uplink profile in CNX as TRUNK with VLAN 1 Native and "all" allowed on the trunk. The switch logs - as @chulcher indicated - a PVID mismatch since the Switch is running Native 100 in its trunk setting. But if I set the AP Uplink Profile to Native 100 instead of 1, then it will stop working as the AP's AAA authentication is only "successful" for a short while during boot, and then the switchport drops the authentication settings, and goes into my configured port-security fallback mode.

    CX Config:

    port-access role MGMT_AP
        description Aruba 802.1x AP ROLE
        auth-mode device-mode
        poe-priority high
        trust-mode dscp
        vlan trunk native 100
        vlan trunk allowed 4,8,20,24,32,100,151,157

    interface 1/1/1
        no shutdown
        vlan access 1
        apply policy policy-denyipv6 in
        port-access fallback-role role-guest
        aaa authentication port-access client-limit 3
        aaa authentication port-access critical-role role-guest
        aaa authentication port-access reject-role role-guest
        aaa authentication port-access auth-role role-guest
        aaa authentication port-access dot1x authenticator
            max-eapol-requests 1
            max-retries 1
            enable

    -------------------------------------------
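
An added example (not code from any poster in this thread or from HPE Aruba Networking): a small Python check that parses the "port-access role" stanza quoted in post 8 and reports the switch-side points raised in the thread, namely device-mode and a native VLAN that differs from the one in the AP uplink profile. The function names and the ap_native parameter are assumptions of this example, and an empty result does not mean the uplink authenticates.

```python
import re

# Constructed sample: the role and part of the interface stanza quoted in post 8.
CX_CONFIG = """\
port-access role MGMT_AP
    auth-mode device-mode
    vlan trunk native 100
    vlan trunk allowed 4,8,20,24,32,100,151,157
interface 1/1/1
    vlan access 1
    port-access fallback-role role-guest
"""

def parse_vlans(spec):
    """Expand '4,8,20-24' into a set of ints; 'all' becomes None (no restriction)."""
    if spec == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_roles(config):
    """Return {role: {'auth_mode', 'native', 'allowed'}}; indentation is not required."""
    roles, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"port-access role (\S+)", line):
            cur = roles.setdefault(m[1], {"auth_mode": None, "native": None, "allowed": set()})
        elif line.startswith("interface "):
            cur = None  # role stanza ended
        elif cur is not None:
            if m := re.fullmatch(r"auth-mode (\S+)", line):
                cur["auth_mode"] = m[1]
            elif m := re.fullmatch(r"vlan trunk native (\d+)", line):
                cur["native"] = int(m[1])
            elif m := re.fullmatch(r"vlan trunk allowed (\S+)", line):
                cur["allowed"] = parse_vlans(m[1])
    return roles

def check_ap_uplink(role, ap_native):
    """List mismatches between a switch role and the AP uplink profile's native VLAN."""
    findings = []
    if role["auth_mode"] != "device-mode":
        findings.append("role is not device-mode: MACs bridged through the AP get authenticated too")
    if role["allowed"] is not None and role["native"] not in role["allowed"]:
        findings.append("native VLAN is not in the role's allowed list (added sanity check)")
    if ap_native != role["native"]:
        findings.append(f"PVID mismatch: AP native {ap_native}, switch native {role['native']}")
    return findings
```

Calling check_ap_uplink(parse_roles(CX_CONFIG)["MGMT_AP"], 1) reports the PVID mismatch that post 8 sees in the switch log.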



  • 9.  RE: Accesspoint Uplink 802.1x in CNX not working

    Posted Mar 09, 2026 12:30 PM
    Edited by chulcher Mar 09, 2026 12:40 PM

    And the uplink wired-port configuration on the AP?  No useful logging on the switch?

    We've run 802.1X for the AP uplink multiple times for events without the issue that you're reporting, but we've also not used anything but tunneled WLANs.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 10.  RE: Accesspoint Uplink 802.1x in CNX not working

    Posted Mar 09, 2026 01:22 PM

    WORKING:

    NOT WORKING

    The problem is the AP briefly authenticates correctly on the switch during boot, but when the AP completes boot the AAA auth session is dropped, and the port goes into fall-back mode. It's definitively related to the management VLAN becoming 100 instead of 1.

    -------------------------------------------