Using Aruba MPSK with FreeRADIUS

A few months ago Aruba introduced the MPSK authentication feature for their WiFi systems. With MPSK it is possible to have a PSK protected SSID but with a per device/MAC password. Unfortunately it is only officially supported to work with the Clearpass Policy Manager from Aruba. However, we figured out how to use it with the FreeRADIUS RADIUS Server.

From the WebUI, create a new SSID with MPSK authentication. It is not possible to select an existing RADIUS server, just create a new dummy server. Now, edit the SSID profile and now change the dummy server to your (previously configured) FreeRADIUS server.

When a client connects the controller will send a RADIUS request to the server. In the response you have to include the vendor-specific attribute Aruba-MPSK-Passphrase. FreeRADIUS already includes this with correct encoding and encryption (check if your version already includes this VSA, otherwise place the linked file at /usr/share/freeRADIUS/dictionary.aruba (this applies to Debian)). Here is an configuration example, please note that “ClearTextPassphrase” is the clear text password for the requesting device: Aruba-MPSK-Passphrase := “ClearTextPassphrase”.

If you operate a proxying RADIUS, like we do, your config could look like this:

post-proxy {
     update proxy-reply {
          Aruba-MPSK-Passphrase := "%{proxy-reply:Tunnel-Password}"

Using MPSK without Clearpass is not officially supported and TAC probably won't help if any problem occurs. The controller will cache the password for a period of time (seems to be a couple of hours).

Most of the work explained here was done by Jennifer Graul at FeM, thanks!

If you have any feedback to this article, please let me know!

  • blog/aruba-mpsk-freeradius.txt
  • Last modified: 2024/02/08 10:31
  • by v0tti