
Reference Guide
ArubaOS 6.4
Command-Line Interface
Copyright Information
© 2014 Aruba Networks, Inc. Aruba Networks trademarks include the Aruba Networks logo, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved.
All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg et al. The Open Source code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate
other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for
this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it
with respect to infringement of copyright on behalf of those vendors.
Warranty
This hardware product is protected by an Aruba warranty. For more information, refer to the ArubaCare service and
support terms and conditions.
0511528-00v2 | February 2014
ArubaOS 6.4 | Reference Guide
The ArubaOS Command-Line Interface
The ArubaOS 6.4 command-line interface (CLI) allows you to configure and manage your controllers. The CLI is
accessible from a local console connected to the serial port on the controllers or through a Telnet or Secure Shell
(SSH) session from a remote management console or workstation.
Telnet access is disabled by default. To enable Telnet access, enter the telnet CLI command from a serial connection or
an SSH session, or in the WebUI navigate to the Configuration > Management > General page.
What’s New In ArubaOS 6.4
New Commands
The following commands are introduced in the ArubaOS 6.4 command line interface.
airgroup static mdnsrecord
    Using this command, an administrator can add mDNS static records to the cache in either of the following ways:
    - Group mDNS static records
    - Individual mDNS static records
app lync traffic-control
    This command creates a traffic control profile that allows the controller to recognize and prioritize a specific type of Lync traffic in order to apply QoS through the Lync Application Layer Gateway (ALG).
dpi
    This command configures Deep-Packet Inspection and the global bandwidth contract for an application or application category for the AppRF feature.
iap trusted-branch-db
    This command configures an IAP-VPN branch as trusted.
pan active-profile
    This command activates a configured PAN profile.
pan profile
    This command is used to configure a PAN profile.
show aaa load-balance statistics
    This command displays the load balancing statistics for RADIUS servers.
show lldp interface
    This command displays the LLDP interfaces information.
show lldp neighbor
    This command displays information about LLDP peers.
show lldp statistics
    This command displays the LLDP statistics information.
show iap detailed-table
    This command displays the details of all the branches terminating at the controller.
show pan active-profile
    This command displays the currently active PAN profile.
show pan profile
    This command displays all configured PAN profiles.
show pan state
    This command displays the current status of associated PAN firewalls.
show pan statistics
    This command displays PAN profile statistics.
show sso idp-profile
    This command displays the configured SSO IDP profiles.
show ucc call-info cdrs
    This command displays the Call Detailed Report (CDR) statistics for Unified Communication and Collaboration (UCC).
show ucc client-info
    This command displays the UCC client status and CDR statistics.
show ucc configuration
    This command displays the UCC configuration in the controller.
show ucc statistics
    This command displays the UCC call statistics in the controller.
show ucc trace-buffer
    This command displays the UCC call message trace buffer for Lync, SCCP, and SIP ALGs. Events such as establishing voice, video, desktop sharing, and file transfer are recorded.
sso idp-profile
    This command creates an SSO profile.
wlan hotspot advertisement-profile
    This command configures a WLAN advertisement profile for an 802.11u public access service provider.
wlan hotspot anqp-3gppnwk-profile
    This profile defines information for a 3rd Generation Partnership Project (3GPP) Cellular Network for hotspots that have roaming relationships with cellular operators.
wlan hotspot anqp-domainname-profile
    This command defines the domain name to be sent in an Access Network Query Protocol (ANQP) information element in a Generic Advertisement Service (GAS) query response.
wlan hotspot anqp-ip-addravail-profile
    This command defines the available IP address types to be sent in an Access Network Query Protocol (ANQP) information element in a Generic Advertisement Service (GAS) query response.
wlan hotspot anqp-nairealm-profile
    This command defines a Network Access Identifier (NAI) realm whose information can be sent as an Access Network Query Protocol (ANQP) information element in a Generic Advertisement Service (GAS) query response.
wlan hotspot anqp-nwkauth-profile
    This command configures an ANQP Network Authentication profile to define the authentication type being used by the hotspot network.
wlan hotspot anqp-roamcons-profile
    This command configures the Roaming Consortium OI information to be sent in an Access Network Query Protocol (ANQP) information element in a Generic Advertisement Service (GAS) query response.
wlan hotspot anqp-venuename-profile
    This command defines venue information to be sent in an Access Network Query Protocol (ANQP) information element in a Generic Advertisement Service (GAS) query response.
wlan hotspot h2qp-conn-capability-profile
    This command defines a Hotspot 2.0 Query Protocol (H2QP) profile that advertises hotspot protocol and port capabilities.
wlan hotspot h2qp-op-cl-profile
    This command defines a Hotspot 2.0 Query Protocol (H2QP) profile that defines the Operating Class to be sent in the ANQP IE.
wlan hotspot h2qp-operator-friendly-name-profile
    This command defines a Hotspot 2.0 Query Protocol (H2QP) operator-friendly name profile. The operator-friendly name configured in this profile is a free-form text field that can identify the operator and also something about the location.
wlan hotspot h2qp-wan-metrics-profile
    This command creates a Hotspot 2.0 Query Protocol (H2QP) profile that specifies the hotspot WAN status and link metrics.
wlan hotspot hs2-profile
    This command configures a hotspot profile for an 802.11u public access service provider.
Modified Commands
The following commands are modified in ArubaOS 6.4.
airgroup
    The dlna and mdns parameters are introduced.
aaa authentication captive-portal
    The url-hash-key parameter is introduced.
aaa authentication via auth-profile
    The pan-integration parameter is introduced.
aaa authentication vpn
    The pan-integration parameter is introduced.
aaa profile
    The multiple-server-accounting and download-role parameters are introduced. The pan-integration parameter is introduced.
aaa server-group
    The load-balance parameter is introduced.
clear
    The lldp parameter is introduced. The Server and User options are introduced under the airgroup parameter.
crypto dynamic-map
    The disable/enable parameters are introduced.
crypto isakmp policy
    The disable/enable and no parameters are introduced.
firewall
    The following parameters are added:
    - allow-stun
    - dpi
    - stall-crash
ha
    The following parameters are introduced to support the high availability inter-controller heartbeat, controller oversubscription and state synchronization features:
    - heartbeat
    - heartbeat-interval
    - heartbeat-threshold
    - over-subscription
    - pre-shared-key
    - state-sync
interface fastethernet | gigabitethernet
    The lldp parameter is introduced.
interface vlan
    The dhcp parameter for configuring Dynamic Host Configuration Protocol for IPv6 is introduced.
interface tunnel
    The tunnel destination ipv6, tunnel mode gre ipv6, and tunnel source ipv6 parameters are introduced.
ip access-list session
    The redirect parameter is introduced under action. The app and appcategory parameters are introduced under service.
ip igmp
    The ssm-range parameter is introduced.
ipv6 mld
    The ssm-range parameter is introduced.
ipv6 route
    The vlan parameter is introduced.
ntp server
    The IPv6 parameter is introduced.
phonehome
    The https parameter is introduced, allowing controllers to send PhoneHome reports to an Activate server using HTTPS.
show airgroup
    The dlna and mdns parameters were introduced in the following commands:
    - show airgroup blocked-queries
    - show airgroup blocked-service-id
    - show airgroup internal-state statistics
    The dlna, mdns, and verbose parameters were introduced in the following commands:
    - show airgroupservice
    - show airgroup servers
    - show airgroup users
    The dlna, mdns, and static parameters were introduced in the following command:
    - show airgroup cache entries
show airgroupservice
    The dlna, mdns, and verbose parameters were introduced.
show app lync traffic-control
    The profile-name parameter is introduced.
show datapath
    The following parameters are introduced:
    - dpi
    - session dpi
    - session ipv6 dpi
    - session session-id dpi
show ipv6 interface
    The tunnel parameter is introduced in the output.
show ipv6 mld config
    The ssm-range parameter is introduced.
show ipv6 mld group
    The mode and age parameters are introduced.
show ntp peer
    The IPv6 parameter is introduced.
show ntp servers
    Flags indicating the status of the server are introduced.
show ntp status
    The following parameters are introduced:
    - time since restart
    - packets received
    - packets processed
    - current version
    - previous version
    - declined
    - access denied
    - bad length or format
    - bad authentication
    - rate exceeded
show vrrp
    The ipv6, stats, and summary parameters are introduced.
snmp-server
    The IPv6 parameter is introduced.
user-role
    The following parameters are introduced:
    - bandwidth-contract app
    - bandwidth-contract appcategory
    - bandwidth-contract exclude
    - traffic-control-profile
    - sso
vrrp
    The IPv6 parameter is introduced.
web-server
    The idp-certificate parameter is introduced.
wlan ssid-profile
    The mfp-capable and mfp-required parameters are introduced.
Deprecated Commands
The following commands were deprecated in ArubaOS 6.4:
interface tunnel
    The checksum parameter is deprecated.
app lync traffic-control (deprecated)
    This command is deprecated and replaced by app lync traffic-control <profile-name>.
About this Guide
This guide describes the ArubaOS 6.4 command syntax. The commands in this guide are listed alphabetically.
The following information is provided for each command:
- Command Syntax—The complete syntax of the command.
- Description—A brief description of the command.
- Syntax—A description of the command parameters, including license requirements for specific parameters if needed. The applicable ranges and default values, if any, are also included.
- Usage Guidelines—Information to help you use the command, including: prerequisites, prohibitions, and related commands.
- Example—An example of how to use the command.
- Command History—The version of ArubaOS in which the command was first introduced. Modifications and changes to the command are also noted.
- Command Information—This table describes any licensing requirements, command modes and platforms for which this command is applicable. For more information about available licenses, see the Licenses chapter of the ArubaOS 6.4 User Guide.
Connecting to the Controller
This section describes how to connect to the controller to use the CLI.
Serial Port Connection
The serial port is located on the front panel of the controller. Connect a terminal or PC/workstation running a terminal
emulation program to the serial port on the controller to use the CLI. Configure your terminal or terminal emulation
program to use the following communication settings.
Baud Rate      9600
Data Bits      8
Parity         None
Stop Bits      1
Flow Control   None
The Aruba 7200 Series controller supports baud rates between 9600 and 115200.
Telnet or SSH Connection
Telnet or SSH access requires that you configure an IP address and a default gateway on the controller and connect
the controller to your network. This is typically performed when you run the Initial Setup on the controller, as
described in the ArubaOS 6.4 Quick Start Guide. In certain deployments, you can also configure a loopback address
for the controller; see interface loopback on page 377 for more information.
Configuration changes on Master Controllers
Some commands can only be issued when connected to a master controller. If you make a configuration change on
a master controller, all connected local controllers will subsequently update their configurations as well. You can
manually synchronize all of the controllers at any time by saving the configuration on the master controller.
CLI Access
When you connect to the controller using the CLI, the system displays its host name followed by the login prompt.
Log in using the admin user account and the password you entered during the Initial Setup on the controller (the
password displays as asterisks). For example:
(host)
User: admin
Password: *****
When you are logged in, the user mode CLI prompt displays. For example:
(host) >
User mode provides only limited access for basic operational testing such as running ping and traceroute.
Certain management functions are available in enable (also called “privileged”) mode. To move from user mode to
enable mode requires you to enter an additional password that you entered during the Initial Setup (the password
displays as asterisks). For example:
(host) > enable
Password: ******
When you are in enable mode, the > prompt changes to a pound sign (#):
(host) #
Configuration commands are available in config mode. Move from enable mode to config mode by entering configure
terminal at the # prompt:
(host) # configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
When you are in basic config mode, (config) appears before the # prompt:
(host) (config) #
There are several other sub-command modes that allow users to configure individual interfaces, subinterfaces, loopback addresses, GRE tunnels and cellular profiles. For details on the prompts and the available commands for each of these modes, see Appendix A: Command Modes on page 1968.
Command Help
You can use the question mark (?) to view various types of command help.
When typed at the beginning of a line, the question mark lists all the commands available in your current mode or
sub-mode. A brief explanation follows each command. For example:
(host) > ?
enable        Turn on Privileged commands
logout        Exit this session. Any unsaved changes are lost.
ping          Send ICMP echo packets to a specified IP address.
traceroute    Trace route to specified IP address.
When typed at the end of a possible command or abbreviation, the question mark lists the commands that match (if
any). For example:
(host) > c?
clear         Clear configuration
clock         Configure the system clock
configure     Configuration Commands
copy          Copy Files
If more than one item is shown, type more of the keyword characters to distinguish your choice. However, if only one
item is listed, the keyword or abbreviation is valid and you can press tab or the spacebar to advance to the next
keyword.
When typed in place of a parameter, the question mark lists the available options. For example:
(host) # write ?
erase         Erase and start from scratch
file          Write to a file in the file system
memory        Write to memory
terminal      Write to terminal
<cr>
The <cr> indicates that the command can be entered without additional parameters. Any other parameters are
optional.
Command Completion
To make command input easier, you can usually abbreviate each keyword in the command. You need to type only enough of each keyword to distinguish it from similar commands. For example:
(host) # configure terminal
could also be entered as:
(host) # con t
Three characters (con) represent the shortest abbreviation allowed for configure. Typing only c or co would not
work because there are other commands (like copy) which also begin with those letters. The configure command is
the only one that begins with con.
As you type, you can press the spacebar or tab to move to the next keyword. The system then attempts to expand
the abbreviation for you. If there is only one command keyword that matches the abbreviation, it is filled in for you
automatically. If the abbreviation is too vague (too few characters), the cursor does not advance and you must type
more characters or use the help feature to list the matching commands.
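As an added illustration (not from the guide), the following Python models the unique-prefix rule described above over the keywords shown in this chapter's help listings. The command set and the one-level sub-keyword table are constructed from those listings, not a complete ArubaOS command tree.

```python
"""Unique-prefix command abbreviation, as the ArubaOS CLI resolves it.

Added illustration, not ArubaOS code. The keyword lists below are
constructed from the "?" and "c?" listings shown in this chapter; the
resolution rule is the one the text describes: an abbreviation is accepted
only when exactly one keyword starts with it.
"""

# Constructed command set: user-mode keywords plus the enable-mode "c?" listing.
USER_MODE_COMMANDS = ["enable", "logout", "ping", "traceroute"]
ENABLE_MODE_COMMANDS = ["clear", "clock", "configure", "copy", "write"] + USER_MODE_COMMANDS

# Constructed one-level sub-keyword table, limited to what the page shows.
SUBKEYWORDS = {
    "configure": ["terminal"],
    "write": ["erase", "file", "memory", "terminal"],
}


def matches(prefix, commands):
    """Return the keywords starting with prefix, like typing 'c?'."""
    return sorted(c for c in commands if c.startswith(prefix))


def expand(abbrev, commands):
    """Expand one keyword the way spacebar/tab completion does.

    Returns the full keyword when the abbreviation is unique, or None when it
    is ambiguous or matches nothing (the cursor does not advance).
    """
    found = matches(abbrev, commands)
    return found[0] if len(found) == 1 else None


def shortest_abbreviation(command, commands):
    """Shortest prefix of command that no other keyword in commands shares."""
    others = [c for c in commands if c != command]
    for n in range(1, len(command) + 1):
        prefix = command[:n]
        if not any(o.startswith(prefix) for o in others):
            return prefix
    # command is itself a prefix of another keyword: it must be typed in full
    return command


def expand_line(line, commands):
    """Expand an abbreviated line such as 'con t' into 'configure terminal'.

    The first word is resolved against the mode's command list; each later
    word is resolved against SUBKEYWORDS for the keyword before it.
    """
    words = line.split()
    if not words:
        return None
    head = expand(words[0], commands)
    if head is None:
        return None
    out = [head]
    for word in words[1:]:
        nxt = expand(word, SUBKEYWORDS.get(out[-1], []))
        if nxt is None:
            return None
        out.append(nxt)
    return " ".join(out)


if __name__ == "__main__":
    for cmd in ["clear", "clock", "configure", "copy"]:
        print(cmd, "->", shortest_abbreviation(cmd, ENABLE_MODE_COMMANDS))
    print("con t ->", expand_line("con t", ENABLE_MODE_COMMANDS))
    print("co t  ->", expand_line("co t", ENABLE_MODE_COMMANDS))
```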
Deleting Configuration Settings
Use the no command to delete or negate previously-entered configurations or parameters.
- To view a list of no commands, type no at the enable or config prompt followed by the question mark. For example:
  (host) (config) # no?
- To delete a configuration, use the no form of a configuration command. For example, the following command removes a configured user role:
  (host) (config) # no user-role <name>
- To negate a specific configured parameter, use the no parameter within the command. For example, the following commands delete the DSCP priority map for a priority map configuration:
  (host) (config) # priority-map <name>
  (host) (config-priority-map) # no dscp priority high
Saving Configuration Changes
Each Aruba controller contains two different types of configuration images.
- The running-config holds the current controller configuration, including all pending changes which have yet to be saved. To view the running-config, use the following command:
  (host) # show running-config
- The startup-config holds the configuration which will be used the next time the controller is rebooted. It contains all the options last saved using the write memory command. To view the startup-config, use the following command:
  (host) # show startup-config
When you make configuration changes via the CLI, those changes affect the current running configuration only. If
the changes are not saved, they will be lost after the controller reboots. To save your configuration changes so they
are retained in the startup configuration after the controller reboots, use the following command in enable mode:
(host) # write memory
Saving Configuration...
Saved Configuration
Both the startup and running configurations can also be saved to a file or sent to a TFTP server for backup or transfer
to another system.
Commands That Reset the Controller or AP
If you use the CLI to modify a currently provisioned and running radio profile, those changes take place immediately; you do not need to reboot the controller or the AP for the changes to affect the current running configuration. Certain commands, however, automatically force the controller or AP to reboot. You may want to consider current network loads and conditions before issuing these commands, as they may cause a momentary disruption in service as the unit resets. Note also that changing the lms-ip parameter in an AP system profile associated with an AP group will cause all APs in that AP group to reboot.
Table 1: Reset Commands

Commands that Reset an AP
- ap-regroup
- ap-rename
- apboot
- provision-ap
- ap wired-ap-profile <profile> forward-mode {bridge|split-tunnel|tunnel}
- wlan virtual-ap <profile-name> {aaa-profile <profile-name>|forward-mode {tunnel|bridge|split-tunnel|decrypt-tunnel}|ssid-profile <profile-name>|vlan <vlan>...}
- ap system-profile <profile> {bootstrap-threshold <number>|lms-ip <ipaddr>|}
- wlan ssid-profile <profile-name> {battery-boost|deny-bcast|essid|opmode|strict-svp|wepkey1 <key>|wepkey2 <key>|wepkey3 <key>|wepkey4 <key>|weptxkey <index>|wmm|wmm-be-dscp <best-effort>|wmm-bk-dscp <background>|wmm-ts-min-inact-int <milliseconds>|wmm-vi-dscp <video>|wmm-vo-dscp <voice>|wpa-hexkey <psk>|wpa-passphrase <string>}
- wlan dot11k <profile-name> {bcn-measurement-mode|dot11k-enable|force-disassoc}

Commands that Reset a Controller
- reload
Typographic Conventions
The following conventions are used throughout this manual to emphasize important concepts:
Table 2: Text Conventions

Italics
    This style is used to emphasize important terms and to mark the titles of books.
Boldface
    This style is used to emphasize command names and parameter options when mentioned in the text.
Commands
    This fixed-width font depicts command syntax and examples of commands and command output.
<angle brackets>
    In the command syntax, text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example:
        ping <ipaddr>
    In this example, you would type “ping” at the system prompt exactly as shown, followed by the IP address of the system to which ICMP echo packets are to be sent. Do not type the angle brackets.
[square brackets]
    In the command syntax, items enclosed in brackets are optional. Do not type the brackets.
{Item_A|Item_B}
    In the command examples, single items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.
{ap-name <ap-name>}|{ipaddr <ipaddr>}
    Two items within curled braces indicate that both parameters must be entered together. If two or more sets of curled braces are separated by a vertical bar, as in this example, enter only one choice. Do not type the braces or bars.
Command Line Editing
The system records your most recently entered commands. You can review the history of your actions, or reissue a
recent command easily, without having to retype it.
To view items in the command history, use the up arrow key to move back through the list and the down arrow key to
move forward. To reissue a specific command, press Enter when the command appears in the command history.
You can even use the command line editing feature to make changes to the command prior to entering it. The command line editing feature allows you to make corrections or changes to a command without retyping. Table 3 lists the editing controls. To use key shortcuts, press and hold the Ctrl button while you press a letter key.
Table 3: Line Editing Keys

Key                        Effect        Description
Ctrl A                     Home          Move the cursor to the beginning of the line.
Ctrl B or the left arrow   Back          Move the cursor one character left.
Ctrl D                     Delete Right  Delete the character to the right of the cursor.
Ctrl E                     End           Move the cursor to the end of the line.
Ctrl F or the right arrow  Forward       Move the cursor one character right.
Ctrl K                     Delete Right  Delete all characters to the right of the cursor.
Ctrl N or the down arrow   Next          Display the next command in the command history.
Ctrl P or the up arrow     Previous      Display the previous command in the command history.
Ctrl T                     Transpose     Swap the character to the left of the cursor with the character to the right of the cursor.
Ctrl U                     Clear         Clear the line.
Ctrl W                     Delete Word   Delete the characters from the cursor up to and including the first space encountered.
Ctrl X                     Delete Left   Delete all characters to the left of the cursor.
Specifying Addresses and Identifiers in Commands
This section describes addresses and other identifiers that you can reference in CLI commands.
Table 4: Addresses and Identifiers

IP address
    For any command that requires entry of an IP address to specify a network entity, use IPv4 network address format in the conventional dotted decimal notation (for example, 10.4.1.258).
Netmask address
    For subnet addresses, specify a netmask in dotted decimal notation (for example, 255.255.255.0).
Media Access Control (MAC) address
    For any command that requires entry of a device’s hardware address, use the hexadecimal format (for example, 00:05:4e:50:14:aa).
Service Set Identifier (SSID)
    A unique character string (sometimes referred to as a network name), consisting of no more than 32 characters. The SSID is case-sensitive (for example, WLAN01).
Basic Service Set Identifier (BSSID)
    This entry is the unique hard-wireless MAC address of the AP. A unique BSSID applies to each frequency—802.11a and 802.11g—used from the AP. Use the same format as for a MAC address.
Extended Service Set Identifier (ESSID)
    Typically the unique logical name of a wireless network. If the ESSID includes spaces, you must enclose the name in quotation marks.
Fast Ethernet or Gigabit Ethernet interface
    Any command that references a Fast Ethernet or Gigabit Ethernet interface requires that you specify the corresponding port on the controller in the format <slot>/<port>:
    <slot> is always 1, except when referring to interfaces on the 6000 controller. For the 6000 controller, the four slots are allocated as follows:
    - Slot 0: Contains an Aruba Multi-Service Mobility Module Mark I.
    - Slot 1: Contains an Aruba Multi-Service Mobility Module Mark I.
    - Slot 2: Contains an Aruba Multi-Service Mobility Module Mark I.
    - Slot 3: Can contain either an Aruba Multi-Service Mobility Module Mark I or a line card.
    <port> refers to the network interfaces that are embedded in the front panel of the 3000 Series controller, Aruba Multi-Service Mobility Module Mark I, or a line card installed in the 6000 controller. Port numbers start at 0 from the left-most position. Use the show port status command to obtain the interface information currently available from a controller.
Contacting Aruba Networks
Table 5: Contact Information

Website Support
    Main Site: http://www.arubanetworks.com
    Support Site: https://support.arubanetworks.com
    Airheads Social Forums and Knowledge Base: http://community.arubanetworks.com
North American Telephone
    1-800-943-4526 (Toll Free)
    1-408-754-1200
International Telephone
    http://www.arubanetworks.com/support-services/support-program/contact-support/
Support Email Addresses
    Americas and APAC: support@arubanetworks.com
    EMEA: emea_support@arubanetworks.com
    Wireless Security Incident Response Team (WSIRT): wsirt@arubanetworks.com
aaa alias-group (deprecated)
aaa alias-group
clone <group>
no ...
set vlan condition essid|location equals <operand> set-value <set-value-string>
Description
This command configured an AAA alias group with a set of VLAN derivation rules that could speed up user rule derivation processing for deployments with a very large number of user derivation rules.
Command History
ArubaOS 6.3    Command introduced.
ArubaOS 6.4    Command deprecated.
aaa authentication captive-portal
aaa authentication captive-portal <profile>
apple-cna-bypass
auth-protocol mschapv2|pap|chap
black-list <black-list>
clone <source-profile>
default-guest-role <role>
default-role <role>
enable-welcome-page
guest-logon
ip-addr-in-redirection <ipaddr>
login-page <url>
logon-wait {cpu-threshold <percent>}|{maximum-delay <seconds>}|{minimum-delay <seconds>}
logout-popup-window
max-authentication-failures <number>
no ...
protocol-http
redirect-pause <seconds>
redirect-url <url>
server-group <group-name>
show-acceptable-use-policy
show-fqdn
single-session
switchip-in-redirection-url <ipaddr>
url-hash-key <key>
user-idle-timeout
user-logon
user-vlan-in-redirection-url <vlan>
welcome-page <url>
white-list <white-list>
Description
This command configures a Captive Portal authentication profile.
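The following Python is an added example, not Aruba code: it parses captive-portal profile blocks out of a constructed running-config excerpt and flags the settings the parameter table below calls out as weak or invalid (HTTP redirection instead of the HTTPS default, a redirect-url that is not an absolute http:// or https:// URL, a user-idle-timeout outside 30-15300 or not a multiple of 30 seconds, unauthenticated guest logon, and max-authentication-failures left at 0). The excerpt's layout (quoted profile names, three-space indentation, "!" block terminators), the numeric argument to user-idle-timeout, and the reading of 0 failures as "blacklisting off" are assumptions made for the example.

```python
"""Audit ArubaOS captive-portal profiles for weak settings.

Added example, not Aruba code. The config layout below is constructed; the
checks follow the constraints stated in the parameter table for
aaa authentication captive-portal.
"""
import shlex

# Constructed running-config excerpt: one weak profile, one hardened profile.
# "!" as block terminator and the quoted names are assumed formatting.
SAMPLE_CONFIG = """\
aaa authentication captive-portal "guest-weak"
   default-role "guest"
   guest-logon
   protocol-http
   max-authentication-failures 0
   redirect-url "intranet.example.net/welcome"
   user-idle-timeout 100
!
aaa authentication captive-portal "guest-hardened"
   default-role "guest"
   user-logon
   max-authentication-failures 3
   redirect-url "https://intranet.example.net/welcome"
   user-idle-timeout 600
   url-hash-key "PLACEHOLDER-KEY"
!
"""

BLOCK_START = "aaa authentication captive-portal"


def parse_profiles(config_text):
    """Return {profile_name: {parameter: value_or_True}} for each block."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith(BLOCK_START):
            name = shlex.split(line[len(BLOCK_START):])[0]
            current = profiles.setdefault(name, {})
        elif line == "!" or not line:
            current = None
        elif current is not None:
            parts = shlex.split(line)
            # Flag-style parameters (protocol-http, guest-logon) carry no value.
            current[parts[0]] = parts[1] if len(parts) > 1 else True
    return profiles


def audit_profile(params):
    """Return (parameter, finding) pairs for settings that weaken the profile."""
    findings = []
    if "protocol-http" in params:
        findings.append(("protocol-http",
                         "redirection to the portal uses HTTP; the default is HTTPS"))
    # Assumption: 0 (the default) means no failure count triggers blacklisting.
    if str(params.get("max-authentication-failures", "0")) == "0":
        findings.append(("max-authentication-failures",
                         "0 leaves blacklisting after failed logons switched off"))
    url = params.get("redirect-url")
    if isinstance(url, str) and not url.startswith(("http://", "https://")):
        findings.append(("redirect-url",
                         "must be an absolute URL beginning with http:// or https://"))
    idle = params.get("user-idle-timeout")
    if isinstance(idle, str) and idle.isdigit():
        secs = int(idle)
        if not 30 <= secs <= 15300 or secs % 30:
            findings.append(("user-idle-timeout",
                             "valid range is 30-15300 in multiples of 30 seconds"))
    if "guest-logon" in params:
        findings.append(("guest-logon",
                         "Captive Portal logon without authentication is enabled"))
    return findings


def audit_config(config_text):
    """Audit every captive-portal profile found in the excerpt."""
    return {name: audit_profile(p) for name, p in parse_profiles(config_text).items()}


def flagged_parameters(config_text, profile):
    """Names of the parameters flagged for one profile (empty set if clean)."""
    return {param for param, _ in audit_config(config_text).get(profile, [])}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {len(findings)} finding(s)")
        for param, message in findings:
            print(f"  {param}: {message}")
```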
Syntax
apple-cna-bypass
    Enable this knob to bypass Apple CNA on iOS devices such as iPad, iPhone, and iPod. You need to perform Captive Portal authentication from a browser.
    Range: —  Default: —
<profile>
    Name that identifies an instance of the profile. The name must be 1-63 characters.
    Range: —  Default: “default”
authentication-protocol mschapv2|pap|chap
    This parameter specifies the type of authentication required by this profile. PAP is the default authentication type.
    Range: mschapv2, pap, chap  Default: pap
black-list
    Name of an existing black list on an IPv4 or IPv6 network destination. The black list contains websites (unauthenticated) that a guest cannot access. Specify a netdestination host or subnet to add that netdestination to the captive portal blacklist. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the blacklist.
    Range: —  Default: —
clone
    Name of an existing Captive Portal profile from which parameter values are copied.
    Range: —  Default: —
default-guest-role
    Role assigned to guest.
    Range: —  Default: guest
default-role <role>
    Role assigned to the Captive Portal user when that user logs in. When both user and guest logons are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role.
    Range: —  Default: guest
enable-welcome-page
    Displays the configured welcome page before the user is redirected to their original URL. If this option is disabled, redirection to the web URL happens immediately after the user logs in.
    Range: enabled/disabled  Default: enabled
guest-logon
    Enables Captive Portal logon without authentication.
    Range: enabled/disabled  Default: disabled
ipaddr-in-redirection-url <ipaddr>
    Sends the controller’s interface IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the controller from which a request originated by parsing the ‘switchip’ variable in the URL. This parameter requires the Public Access license.
    Range: —  Default: —
login-page <url>
    URL of the page that appears for the user logon. This can be set to any URL.
    Range: —  Default: /auth/index.html
logon-wait
    Configure parameters for the logon wait interval, using the following sub-parameters.
    cpu-threshold <percent>
        CPU utilization percentage above which the logon wait interval is applied when presenting the user with the logon page.
        Range: 1-100  Default: 60%
    maximum-delay <seconds>
        Maximum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter.
        Range: 1-10  Default: 10 seconds
    minimum-delay <seconds>
        Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter.
        Range: 1-10  Default: 5 seconds
logout-popup-window
    Enables a pop-up window with the Logout link that allows the user to log out. If this option is disabled, the user remains logged in until the user timeout period has elapsed or the station reloads.
    Range: enabled/disabled  Default: enabled
max-authentication-failures <number>
    Maximum number of authentication failures before the user is blacklisted.
    Range: 0-10  Default: 0
no
    Negates any configured parameter.
    Range: —  Default: —
protocol-http
    Use HTTP protocol on redirection to the Captive Portal page. If you use this option, modify the captive portal policy to allow HTTP traffic.
    Range: enabled/disabled  Default: disabled (HTTPS is used)
redirect-pause <secs>
    Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link.
    Range: 1-60  Default: 10 seconds
redirect-url <url>
    URL to which an authenticated user will be directed. This parameter must be an absolute URL that begins with either http:// or https://.
    Range: —  Default: —
server-group <group-name>
    Name of the group of servers used to authenticate Captive Portal users. See aaa server-group on page 89.
    Range: —  Default: —
show-fqdn
    Allows the user to see and select the fully-qualified domain name (FQDN) on the login page. The FQDNs shown are specified when configuring individual servers for the server group used with captive portal authentication.
    Range: enabled/disabled  Default: disabled
show-acceptable-use-policy
    Show the acceptable use policy page before the logon page.
    Range: enabled/disabled  Default: disabled
single-session
    Allows only one active user session at a time.
    Range: —  Default: disabled
switchip-in-redirection-url
    Sends the controller’s IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the controller from which a request originated by parsing the ‘switchip’ variable in the URL.
    Range: enabled/disabled  Default: disabled
url-hash-key <key>
    Issue this command to hash the redirection URL using the specified key.
    Range: —  Default: disabled
user-idle-timeout
    The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA
timers. If this is disabled, the global
settings are used.
—
disabled
user-logon
Enables Captive Portal with
authentication of user credentials.
enabled/
disabled
enabled
user-vlan-in-redirection-url
<ipaddr>
Add the user VLAN in the redirection
URL. This parameter requires the
Public Access license.
enabled
disabled
disabled
user-vlan-redirection-url
Sends the user’s VLAN ID in the
redirection URL when external captive
portal servers are used.
—
—
welcome-page <url>
URL of the page that appears after
logon and before redirection to the web
URL. This can be set to any URL.
—
/auth/welcome
.html
white-list <white-list>
Name of an existing white list on an
IPv4 or IPv6 network destination. The
white list contains authenticated
websites that a guest can access. If you
have not yet defined a netdestination,
use the CLI command netdestination to
define a destination host or subnet
before you add it to the whitelist
—
—
Usage Guidelines
You can configure the Captive Portal authentication profile in the base operating system or with the Next Generation
Policy Enforcement Firewall (PEFNG) license installed. When you configure the profile in the base operating
system, the name of the profile must be entered for the initial role in the AAA profile. Also, when you configure the
profile in the base operating system, you cannot define the default-role.
Example
The following example configures a Captive Portal authentication profile that authenticates users against the
controller’s internal database. Users who are successfully authenticated are assigned the auth-guest role.
To create the auth-guest user role shown in this example, the PEFNG license must be installed in the controller.
aaa authentication captive-portal guestnet
default-role auth-guest
user-logon
no guest-logon
server-group internal
Command History
Version | Description
ArubaOS 3.0 | Command introduced.
ArubaOS 6.0 | The max-authentication-failures parameter no longer requires a license.
ArubaOS 6.1 | The sygate-on-demand, black-list and white-list parameters were added.
ArubaOS 6.2 | The auth-protocol parameter was added, and the user-chap parameter was deprecated.
ArubaOS 6.3 | The user-idle-timeout parameter was introduced.
ArubaOS 6.4 | The url-hash-key parameter was introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system, except for noted parameters | Config mode on master controllers
aaa authentication dot1x
aaa authentication dot1x {<profile>|countermeasures}
ca-cert <certificate>
cert-cn-lookup
clear
clone <profile>
delete-keycache
eapol-logoff
enforce-suite-b-128
enforce-suite-b-192
framed-mtu <mtu>
heldstate-bypass-counter <number>
ignore-eap-id-match
ignore-eapolstart-afterauthentication
machine-authentication blacklist-on-failure|{cache-timeout <hours>}|enable|
{machine-default-role <role>}|{user-default-role <role>}
max-authentication-failures <number>
max-requests <number>
multicast-keyrotation
no ...
opp-key-caching
reauth-max <number>
reauth-server-termination-action
reauthentication
server {server-retry <number>|server-retry-period <seconds>}
server-cert <certificate>
termination {eap-type <type>}|enable|enable-token-caching|{inner-eap-type (eap-gtc|eap-mschapv2)}|{token-caching-period <hours>}
timer {idrequest_period <seconds>}|{mkey-rotation-period <seconds>}|{quiet-period <seconds>}|{reauth-period <seconds>}|{ukey-rotation-period <seconds>}|{wpa-groupkey-delay <seconds>}|{wpa-key-period <milliseconds>}|wpa2-key-delay <milliseconds>
tls-guest-access
tls-guest-role <role>
unicast-keyrotation
use-session-key
use-static-key
validate-pmkid
voice-aware
wep-key-retries <number>
wep-key-size {40|128}
wpa-fast-handover
wpa-key-retries <number>
xSec-mtu <mtu>
Description
This command configures the 802.1X authentication profile.
Syntax
Parameter | Description | Range | Default
<profile> | Name that identifies an instance of the profile. The name must be 1-63 characters. | — | “default”
clear | Clear the cached PMK, role and VLAN entries. This command is available in enable mode only. | — | —
countermeasures | Scans for message integrity code (MIC) failures in traffic received from clients. If there are more than 2 MIC failures within 60 seconds, the AP is shut down for 60 seconds. This option is intended to slow down an attacker who is making a large number of forgery attempts in a short time. | — | disabled
ca-cert <certificate> | CA certificate for client authentication. The CA certificate needs to be loaded in the controller. | — | —
cert-cn-lookup | If you use client certificates for user authentication, enable this option to verify that the certificate's common name exists in the server. This parameter is disabled by default. | — | —
delete-keycache | Delete the key cache entry when the user entry is deleted. | — | disabled
eapol-logoff | Enables handling of EAPOL-LOGOFF messages. | — | disabled
enforce-suite-b-128 | Configure Suite-B 128 bit or more security level authentication enforcement. | — | disabled
enforce-suite-b-192 | Configure Suite-B 192 bit or more security level authentication enforcement. | — | disabled
framed-mtu <MTU> | Sets the framed MTU attribute sent to the authentication server. | 500-1500 | 1100
heldstate-bypass-counter <number> | (This parameter is applicable when 802.1X authentication is terminated on the controller, also known as AAA FastConnect.) Number of consecutive authentication failures which, when reached, causes the controller to not respond to authentication requests from a client while the controller is in a held state after the authentication failure. Until this number is reached, the controller responds to authentication requests from the client even while the controller is in its held state. | 0-3 | 0
ignore-eap-id-match | Ignore EAP ID during negotiation. | — | disabled
ignore-eapolstart-afterauthentication | Ignores EAPOL-START messages after authentication. | — | disabled
machine-authentication | (For Windows environments only) These parameters set machine authentication. NOTE: This parameter requires the PEFNG license.
  blacklist-on-failure | Blacklists the client if machine authentication fails. | — | disabled
  cache-timeout <hours> | The timeout, in hours, for machine authentication. | 1-1000 | 24 hours (1 day)
  enable | Select this option to enforce machine authentication before user authentication. If selected, either the machine-default-role or the user-default-role is assigned to the user, depending on which authentication is successful. | — | disabled
  machine-default-role <role> | Default role assigned to the user after completing only machine authentication. | — | guest
  user-default-role <role> | Default role assigned to the user after 802.1X authentication. | — | guest
max-authentication-failures <number> | Number of times a user can try to login with wrong credentials after which the user is blacklisted as a security threat. Set to 0 to disable blacklisting, otherwise enter a nonzero integer to blacklist the user after the specified number of failures. | 0-5 | 0 (disabled)
max-requests <number> | Maximum number of times ID requests are sent to the client. | 1-10 | 3
multicast-keyrotation | Enables multicast key rotation. | — | disabled
no | Negates any configured parameter. | — | —
opp-key-caching | Enables a cached pairwise master key (PMK) derived with a client and an associated AP to be used when the client roams to a new AP. This allows clients faster roaming without a full 802.1X authentication. NOTE: Make sure that the wireless client (the 802.1X supplicant) supports this feature. If the client does not support this feature, the client will attempt to renegotiate the key whenever it roams to a new AP. As a result, the key cached on the controller can be out of sync with the key used by the client. | — | enabled
reauth-max <number> | Maximum number of reauthentication attempts. | 1-10 | 3
reauth-server-termination-action | Specifies the termination-action attribute from the server. | — | —
reauthentication | Select this option to force the client to do a 802.1X reauthentication after the expiration of the default timer for reauthentication. (The default value of the timer is 24 hours.) If the user fails to reauthenticate with valid credentials, the state of the user is cleared. If derivation rules are used to classify 802.1X-authenticated users, then the reauthentication timer per role overrides this setting. | — | disabled
reload-cert | Reload certificate for 802.1X termination. This command is available in enable mode only. | — | —
server | Sets options for sending authentication requests to the authentication server group.
  server-retry <number> | Maximum number of authentication requests that are sent to the server group. | 0-3 | 2
  server-retry-period <seconds> | Server group retry interval, in seconds. | 5-65535 | 30 seconds
server-cert <certificate> | Server certificate used by the controller to authenticate itself to the client. | — | —
termination | Sets options for terminating 802.1X authentication on the controller.
  eap-type <type> | The Extensible Authentication Protocol (EAP) method, either EAP-PEAP or EAP-TLS. | eap-peap/eap-tls | eap-peap
  enable | Enables 802.1X termination on the controller. | — | disabled
  enable-token-caching | If you select EAP-GTC as the inner EAP method, you can enable the controller to cache the username and password of each authenticated user. The controller continues to reauthenticate users with the remote authentication server; however, if the authentication server is not available, the controller will inspect its cached credentials to reauthenticate users. | — | disabled
  inner-eap-type eap-gtc|eap-mschapv2 | When EAP-PEAP is the EAP method, one of the following inner EAP types is used. EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecureID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the controller as a backup to an external authentication server. EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2): Described in RFC 2759, this EAP method is widely supported by Microsoft clients. | eap-gtc/eap-mschapv2 | eap-mschapv2
  token-caching-period <hours> | If you select EAP-GTC as the inner EAP method, you can specify the timeout period, in hours, for the cached information. | (any) | 24 hours
timer | Sets timer options for 802.1X authentication.
  idrequest_period <seconds> | Interval, in seconds, between identity request retries. | 1-65535 | 30 seconds
  mkey-rotation-period <seconds> | Interval, in seconds, between multicast key rotation. | 60-864000 | 1800 seconds
  quiet-period <seconds> | Interval, in seconds, following failed authentication. | 1-65535 | 30 seconds
  reauth-period <seconds> | Interval, in seconds, between reauthentication attempts, or specify server to use the server-provided reauthentication period. | 60-864000 | 86400 seconds (1 day)
  ukey-rotation-period <seconds> | Interval, in seconds, between unicast key rotation. | 60-864000 | 900 seconds
  wpa-groupkey-delay <milliseconds> | Interval, in milliseconds, between unicast and multicast key exchanges. | 0-2000 | 0 ms (no delay)
  wpa-key-period <milliseconds> | Interval, in milliseconds, between each WPA key exchange. | 1000-5000 | 1000 ms
  wpa2-key-delay <milliseconds> | Set the delay between EAP-Success and unicast key exchange. | 1-2000 | 0 ms (no delay)
tls-guest-access | Enables guest access for EAP-TLS users with valid certificates. | — | disabled
tls-guest-role <role> | User role assigned to EAP-TLS guest. NOTE: This parameter requires the PEFNG license. | — | guest
unicast-keyrotation | Enables unicast key rotation. | — | disabled
use-session-key | Use RADIUS session key as the unicast WEP key. | — | disabled
use-static-key | Use static key as the unicast/multicast WEP key. | — | disabled
validate-pmkid | This parameter instructs the controller to check the pairwise master key (PMK) ID sent by the client. When this option is enabled, the client must send a PMKID in the associate or reassociate frame to indicate that it supports OKC or PMK caching; otherwise, full 802.1X authentication takes place. (This feature is optional, since most clients that support OKC and PMK caching do not send the PMKID in their association request.) | — | disabled
voice-aware | Enables rekey and reauthentication for VoWLAN clients. NOTE: The Next Generation Policy Enforced Firewall license must be installed. | — | enabled
wep-key-retries <number> | Number of times WPA/WPA2 key messages are retried. | 1-5 | 3
wep-key-size | Dynamic WEP key size, either 40 or 128 bits. | 40 or 128 | 128 bits
wpa-fast-handover | Enables WPA fast handover. This is only applicable for phones that support WPA and fast handover. | — | disabled
wpa-key-retries | Set the number of times WPA/WPA2 key messages are retried. The supported range is 1-10 retries, and the default value is 3. | 1-10 | 3
xSec-mtu <mtu> | Sets the size of the MTU for xSec. | 1024-1500 | 1300 bytes
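The countermeasures rule in the table (more than 2 MIC failures within 60 seconds shuts the AP down for 60 seconds) is a sliding-window detector. The Python below is an added example of that logic, not ArubaOS code, run over constructed MIC-failure timestamps; the threshold, window and hold-down come from the table, while ignoring failures during the hold-down and restarting the count afterwards is an assumption of this example.

```python
from collections import deque
from typing import Deque, Iterable, List

# Values from the countermeasures row of the 802.1X profile table.
MIC_FAILURE_THRESHOLD = 2   # shut down when MORE than this many failures...
WINDOW_SECONDS = 60         # ...are seen within this many seconds
SHUTDOWN_SECONDS = 60       # how long the AP then stays down


def mic_countermeasure_shutdowns(failure_times: Iterable[float]) -> List[float]:
    """Return the timestamps at which the countermeasure would shut the AP down.

    failure_times: MIC failure timestamps in seconds (any monotonic clock).
    Assumption (not stated in the table): failures arriving while the AP is
    down are ignored, and the failure history starts afresh after the hold-down.
    """
    window: Deque[float] = deque()
    shutdown_until = None
    shutdowns: List[float] = []
    for t in sorted(failure_times):
        if shutdown_until is not None:
            if t < shutdown_until:
                continue            # AP is down: nothing is received from clients
            shutdown_until = None   # hold-down over, window is already empty
        window.append(t)
        # Drop failures that fell out of the 60 s window.
        while window and t - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MIC_FAILURE_THRESHOLD:
            shutdowns.append(t)
            shutdown_until = t + SHUTDOWN_SECONDS
            window.clear()
    return shutdowns


# Constructed sample: a burst of forgeries, a failure during the hold-down,
# a second burst after the AP comes back, then an isolated failure.
SAMPLE_FAILURES = [0, 10, 20, 30, 90, 95, 100, 400]

if __name__ == "__main__":
    print("AP shut down at:", mic_countermeasure_shutdowns(SAMPLE_FAILURES))
```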
Usage Guidelines
The 802.1X authentication profile allows you to enable and configure machine authentication and 802.1X termination
on the controller (also called “AAA FastConnect”).
In the AAA profile, specify the 802.1X authentication profile, the default role for authenticated users, and the server
group for the authentication.
Examples
The following example enables authentication of the user’s client device before user authentication. If machine
authentication fails but user authentication succeeds, the user is assigned the restricted “guest” role:
aaa authentication dot1x dot1x
machine-authentication enable
machine-authentication machine-default-role computer
machine-authentication user-default-role guest
The following example configures an 802.1X profile that terminates authentication on the controller, where the user
authentication is performed with the controller’s internal database or to a “backend” non-802.1X server:
aaa authentication dot1x dot1x
termination enable
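As an added illustration (Python, not ArubaOS code) of how the machine-authentication sub-parameters and the first example above combine, the function below decides the role for a client from the outcome of machine and user authentication. The both-succeed case uses the AAA profile's default role for authenticated users from the Usage Guidelines, and blacklist-on-failure is treated as taking precedence over the user result; both are assumptions of this example, as are the class, function and sample role names.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

HOUR = 3600


@dataclass(frozen=True)
class Dot1xMachineAuth:
    """machine-authentication settings with the defaults listed in the table."""
    enable: bool = False
    machine_default_role: str = "guest"
    user_default_role: str = "guest"
    blacklist_on_failure: bool = False
    cache_timeout_hours: int = 24


def machine_auth_cached(cached_at: Optional[float], now: float,
                        cfg: Dot1xMachineAuth) -> bool:
    """True while a prior machine authentication is still within cache-timeout."""
    if cached_at is None:
        return False
    return now - cached_at < cfg.cache_timeout_hours * HOUR


def assign_role(machine_ok: bool, user_ok: bool, cfg: Dot1xMachineAuth,
                aaa_default_role: str) -> Tuple[Optional[str], bool]:
    """Return (role or None, blacklisted) for one client.

    aaa_default_role is the 802.1X default role from the AAA profile; it is
    used when machine authentication is not enforced or when both machine and
    user authentication succeed (assumption drawn from the Usage Guidelines).
    """
    if not cfg.enable:
        # Machine authentication not enforced: only the user result matters.
        return (aaa_default_role if user_ok else None), False
    if not machine_ok and cfg.blacklist_on_failure:
        # Table: "Blacklists the client if machine authentication fails."
        # Assumed here to override any user-authentication outcome.
        return None, True
    if machine_ok and user_ok:
        return aaa_default_role, False
    if machine_ok:
        # Only the device authenticated (for example, no user logged in yet).
        return cfg.machine_default_role, False
    if user_ok:
        # Device failed but the user succeeded: the restricted user-default-role.
        return cfg.user_default_role, False
    return None, False


# Constructed settings matching the page's first example profile.
EXAMPLE_CFG = Dot1xMachineAuth(enable=True,
                               machine_default_role="computer",
                               user_default_role="guest")

if __name__ == "__main__":
    # "employee" is a constructed AAA-profile default role for the demonstration.
    print(assign_role(machine_ok=False, user_ok=True, cfg=EXAMPLE_CFG,
                      aaa_default_role="employee"))
```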
Command History
Version | Description
ArubaOS 3.0 | Command introduced.
ArubaOS 6.1 | The cert-cn-lookup, enforce-suite-b-128 and enforce-suite-b-192 parameters were introduced.
ArubaOS 6.3.1.2 | The delete-keycache parameter was introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system. The voice-aware parameter requires the PEFNG license | Config mode on master controllers
aaa authentication mac
aaa authentication mac <profile>
case upper|lower
clone <profile>
delimiter {colon|dash|none}
max-authentication-failures <number>
no ...
reauthentication
timer reauth period {<ra-period>|server}
Description
This command configures the MAC authentication profile.
Syntax
Parameter | Description | Range | Default
<profile> | Name that identifies an instance of the profile. The name must be 1-63 characters. | — | “default”
case | The case (upper or lower) used in the MAC string sent in the authentication request. If there is no delimiter configured, the MAC address in lower case is sent in the format xxxxxxxxxxxx, while the MAC address in upper case is sent in the format XXXXXXXXXXXX. | upper|lower | lower
clone <profile> | Name of an existing MAC profile from which parameter values are copied. | — | —
delimiter | Delimiter (colon, dash, or none) used in the MAC string. | colon|dash|none | none
max-authentication-failures <number> | Number of times a client can fail to authenticate before it is blacklisted. A value of 0 disables blacklisting. | 0-10 | 0 (disabled)
no | Negates any configured parameter. | — | —
reauthentication | Use this parameter to enable or disable reauthentication. | — | Disabled
timer reauth period | <ra-period> - Specifies the period between reauthentication attempts in seconds. server - Specifies the server-provided reauthentication interval. | 60-864000 seconds | 86400 seconds (1 day)
Usage Guidelines
The MAC authentication profile configures authentication of devices based on their physical MAC address. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to all other devices. Users may be required to authenticate themselves using other methods, depending upon the network privileges.
Example
The following example configures a MAC authentication profile to blacklist client devices that fail to authenticate.
aaa authentication mac mac-blacklist
max-authentication-failures 3
Command History
Release | Modification
ArubaOS 3.0 | Command introduced.
ArubaOS 3.3.1.8 | The max-authentication-failures parameter was allowed in the base operating system. In earlier versions of ArubaOS, the max-authentication-failures parameter required the Wireless Intrusion Protection license.
ArubaOS 6.3 | The reauthentication and timer reauth period parameters were introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
aaa authentication mgmt
aaa authentication mgmt
default-role {guest-provisioning|location-api-mgmt|network-operations|no-access|read-only|root}
enable
no ...
server-group <group>
Description
This command configures authentication for administrative users.
Syntax
Parameter | Description | Range | Default
default-role | Select a predefined management role to assign to authenticated administrative users: | — | default
  default | Default superuser role | — | —
  guest-provisioning | Guest provisioning role | — | —
  location-api-mgmt | Location API role | — | —
  network-operations | Network operations role | — | —
  no-access | No commands are accessible for this role | — | —
  read-only | Read-only role | — | —
enable | Enables authentication for administrative users. | enabled|disabled | disabled
mchapv2 | Enable MSCHAPv2 | enabled|disabled | disabled
no | Negates any configured parameter. | — | —
server-group <group> | Name of the group of servers used to authenticate administrative users. See aaa server-group on page 89. | — | default
Usage Guidelines
If you enable authentication with this command, users configured with the mgmt-user command must be
authenticated using the specified server-group.
You can configure the management authentication profile in the base operating system or with the PEFNG license
installed.
Example
The following example configures a management authentication profile that authenticates users against the controller’s internal database. Users who are successfully authenticated are assigned the read-only role.
aaa authentication mgmt
default-role read-only
server-group internal
Command History
Release | Modification
ArubaOS 3.0 | Command introduced.
ArubaOS 3.2 | The network-operations role was introduced.
ArubaOS 3.3 | The location-api-mgmt role was introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
aaa authentication-server internal
aaa authentication-server internal use-local-switch
Description
This command specifies that the internal database on a local controller be used for authenticating clients.
Usage Guidelines
By default, the internal database in the master controller is used for authentication. This command directs
authentication to the internal database on the local controller where you run the command.
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master or local controllers
aaa authentication-server ldap
aaa authentication-server ldap <server>
admin-dn <name>
admin-passwd <string>
allow-cleartext
authport <port>
base-dn <name>
clone <server>
enable
filter <filter>
host <ipaddr>
key-attribute <string>
max-connection <number>
no ...
preferred-conn-type ldap-s|start-tls|clear-text
timeout <seconds>
Description
This command configures an LDAP server.
Starting from ArubaOS 6.4, a maximum of 128 LDAP servers can be configured on the controller.
Syntax
Parameter | Description | Range | Default
<server> | Name that identifies the server. | — | —
admin-dn <name> | Distinguished name for the admin user who has read/search privileges across all of the entries in the LDAP database (the user does not need write privileges but should be able to search the database and read attributes of other users in the database). | — | —
admin-passwd <string> | Password for the admin user. | — | —
allow-cleartext | Allows clear-text (unencrypted) communication with the LDAP server. | enabled|disabled | disabled
authport <port> | Port number used for authentication. Port 636 will be attempted for LDAP over SSL, while port 389 will be attempted for SSL over LDAP, Start TLS operation and clear text. | 1-65535 | 389
base-dn <name> | Distinguished Name of the node which contains the entire user database to use. | — | —
clone <server> | Name of an existing LDAP server configuration from which parameter values are copied. | — | —
enable | Enables the LDAP server. | — | —
filter <filter> | Filter that should be applied to the search of the user in the LDAP database. The default filter string is (objectclass=*). | — | (objectclass=*)
host <ip-addr> | IP address of the LDAP server, in dotted-decimal format. | — | —
key-attribute <string> | Attribute that should be used as a key in the search for the LDAP server. For Active Directory, the value is sAMAccountName. | — | sAMAccountName
max-connection <number> | Maximum number of simultaneous non-admin connections to an LDAP server. | — | —
no | Negates any configured parameter. | — | —
preferred-conn-type | Preferred connection type. The default order of connection types is: 1. ldap-s, 2. start-tls, 3. clear-text. The controller will first try to contact the LDAP server using the preferred connection type, and will only attempt to use a lower-priority connection type if the first attempt is not successful. NOTE: Enable the allow-cleartext option before you select clear-text as the preferred connection type. If you set clear-text as the preferred connection type but do not allow cleartext, the controller will only use ldap-s or start-tls to contact the LDAP server. | ldap-s|start-tls|clear-text | ldap-s
timeout <seconds> | Timeout period of an LDAP request, in seconds. | 1-30 | 20 seconds
Usage Guidelines
You configure a server before you can add it to one or more server groups. You create a server group for a specific
type of authentication (see aaa server-group on page 89).
Example
The following command configures and enables an LDAP server:
aaa authentication-server ldap ldap1
host 10.1.1.243
base-dn cn=Users,dc=1m,dc=corp,dc=com
admin-dn cn=corp,cn=Users,dc=1m,dc=corp,dc=com
admin-passwd abc10
key-attribute sAMAccountName
filter (objectclass=*)
enable
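An added example (Python, not ArubaOS code) of the preferred-conn-type fallback described in the table: given the preferred type and the allow-cleartext setting, it returns the connection attempts in the order the controller would make them, with the port taken from the authport description (636 for ldap-s, the configured authport otherwise). Treating 636 as fixed for ldap-s, and the function name, are assumptions of this example.

```python
from typing import List, Tuple

# Default priority order from the preferred-conn-type row.
CONN_TYPE_ORDER = ("ldap-s", "start-tls", "clear-text")
LDAPS_PORT = 636  # per the authport description; assumed fixed for ldap-s


def ldap_connection_attempts(preferred: str, allow_cleartext: bool = False,
                             authport: int = 389) -> List[Tuple[str, int]]:
    """Return the (connection type, port) pairs to try, in order.

    The controller starts with the preferred type and falls through only to
    lower-priority types. clear-text is attempted only when allow-cleartext is
    enabled; if clear-text is preferred but not allowed, only ldap-s and
    start-tls are used (table NOTE).
    """
    if preferred not in CONN_TYPE_ORDER:
        raise ValueError(f"unknown connection type: {preferred!r}")
    if preferred == "clear-text" and not allow_cleartext:
        candidates = ["ldap-s", "start-tls"]
    else:
        candidates = list(CONN_TYPE_ORDER[CONN_TYPE_ORDER.index(preferred):])
    attempts: List[Tuple[str, int]] = []
    for conn_type in candidates:
        if conn_type == "clear-text" and not allow_cleartext:
            continue  # never downgrade to an unencrypted bind unless permitted
        port = LDAPS_PORT if conn_type == "ldap-s" else authport
        attempts.append((conn_type, port))
    return attempts


if __name__ == "__main__":
    # Defaults of the page's example (ldap-s preferred, cleartext not allowed).
    print(ldap_connection_attempts("ldap-s"))
```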
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
aaa authentication-server radius
aaa authentication-server radius <rad_server_name>
acctport <port>
authport <port>
clone <server>
enable
host <ipaddr>|<FQDN>
key <psk>
mac-delimiter [colon | dash | none | oui-nic]
mac-lowercase
nas-identifier <string>
nas-ip <ipaddr>
nas-ip6 <ipv6-address>
no ...
retransmit <number>
service-type-framed-user
source-interface vlan <vlan> ip6addr <ipv6addr>
timeout <seconds>
use-ip-for-calling-station
use-md5
Description
This command configures a RADIUS server.
Starting from ArubaOS 6.4, a maximum of 128 RADIUS servers can be configured on the controller.
Syntax
Parameter | Description | Range | Default
<rad_server_name> | Name that identifies the server. | — | —
acctport <port> | Accounting port on the server. | 1-65535 | 1813
authport <port> | Authentication port on the server. | 1-65535 | 1812
clone <server> | Name of an existing RADIUS server configuration from which parameter values are copied. | — | —
enable | Enables the RADIUS server. | — | —
host | Identify the RADIUS server either by its IP address or fully qualified domain name. | — | —
  <ipaddr> | IPv4 address of the RADIUS server. | — | —
  <FQDN> | Fully qualified domain name (FQDN) of the RADIUS server. The maximum supported length is 63 characters. | — | —
key <psk> | Shared secret between the controller and the authentication server. The maximum length is 128 characters. | — | —
mac-delimiter [colon|dash|none|oui-nic] | Send MAC address with user-defined delimiter. | — | none
mac-lowercase | Send MAC addresses as lowercase. | — | —
nas-identifier <string> | Network Access Server (NAS) identifier to use in RADIUS packets. | — | —
nas-ip <ip-addr> | NAS IP address to send in RADIUS packets. You can configure a “global” NAS IP address that the controller uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IP, the global NAS IP is used. To set the global NAS IP, enter the ip radius nas-ip <ipaddr> command. | — | —
nas-ip6 <ipv6-address> | NAS IPv6 address to send in RADIUS packets. You can configure a “global” NAS IPv6 address that the controller uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IPv6, the global NAS IPv6 is used. To set the global NAS IPv6, enter the ipv6 radius nas-ip6 <ipv6-address> command. | — | —
no | Negates any configured parameter. | — | —
retransmit <number> | Maximum number of retries sent to the server by the controller before the server is marked as down. | 0-3 | 3
service-type-framed-user | Send the service-type as FRAMED-USER instead of LOGIN-USER. This option is disabled by default. | — | disabled
source-interface vlan <vlan> ip6addr <ipv6addr> | This option associates a VLAN interface with the RADIUS server to allow the server-specific source interface to override the global configuration. If you associate a Source Interface (by entering a VLAN number) with a configured server, then the source IP address of the packet will be that interface’s IP address. If you do not associate the Source Interface with a configured server (leave the field blank), then the IP address of the global Source Interface will be used. If you want to configure an IPv6 address for the Source Interface, specify the IPv6 address for the ip6addr parameter. | — | —
timeout <seconds> | Maximum time, in seconds, that the controller waits before timing out the request and resending it. | 1-30 | 5 seconds
use-ip-for-calling-station | Use an IP address instead of a MAC address for calling station IDs. This option is disabled by default. | — | disabled
use-md5 | Use MD5 hash of cleartext password. | — | disabled
Usage Guidelines
You configure a server before you can add it to one or more server groups. You create a server group for a specific
type of authentication (see aaa server-group on page 89).
Example
The following command configures and enables a RADIUS server:
aaa authentication-server radius radius1
host 10.1.1.244
key qwERtyuIOp
enable
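The MAC authentication profile's case and delimiter parameters and this server's mac-delimiter (including oui-nic) and mac-lowercase options both describe how a client MAC address is rendered before it is sent to the server. The Python below is an added example (not ArubaOS code) that produces each of those renderings from any common input notation, so a RADIUS user database or a log search can be matched against them; the oui-nic layout (OUI and NIC halves separated by a dash) and the function names are assumptions, as the page does not show that form.

```python
import re
from typing import Set

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Strip common separators (: - . spaces) and return 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def format_mac(mac: str, case: str = "lower", delimiter: str = "none") -> str:
    """Render a MAC the way the profile parameters describe.

    case: 'upper' or 'lower' (the MAC profile's case; 'lower' is also what the
          RADIUS server's mac-lowercase option selects).
    delimiter: 'none' -> xxxxxxxxxxxx, 'colon' -> xx:xx:xx:xx:xx:xx,
               'dash' -> xx-xx-xx-xx-xx-xx, 'oui-nic' -> xxxxxx-xxxxxx (assumed).
    """
    digits = normalize_mac(mac)
    if case == "upper":
        digits = digits.upper()
    elif case != "lower":
        raise ValueError(f"case must be 'upper' or 'lower', got {case!r}")
    if delimiter == "none":
        return digits
    if delimiter in ("colon", "dash"):
        sep = ":" if delimiter == "colon" else "-"
        return sep.join(digits[i:i + 2] for i in range(0, 12, 2))
    if delimiter == "oui-nic":
        return digits[:6] + "-" + digits[6:]
    raise ValueError(f"unknown delimiter {delimiter!r}")


def mac_candidates(mac: str) -> Set[str]:
    """Every rendering a server might receive for one client (for DB/log matching)."""
    return {format_mac(mac, c, d)
            for c in ("lower", "upper")
            for d in ("none", "colon", "dash", "oui-nic")}


if __name__ == "__main__":
    # Constructed sample address in Cisco dotted notation.
    for rendering in sorted(mac_candidates("001a.2b3c.4d5e")):
        print(rendering)
```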
Command History
Version | Modification
ArubaOS 3.0 | Command introduced.
ArubaOS 6.0 | RADIUS server can be identified by its fully qualified domain name (FQDN).
ArubaOS 6.1 | The source-interface parameter was added.
ArubaOS 6.3 | The mac-delimiter parameter was introduced. The enable-ipv6 and nas-ip6 parameters were introduced. An IPv6 host address can be specified for the host parameter. The ipv6 addr parameter was added.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
aaa authentication-server tacacs
aaa authentication-server tacacs <server>
clone <server>
enable
host <host>
key <psk>
no ...
retransmit <number>
session-authorization
tcp-port <port>
timeout <seconds>
Description
This command configures a TACACS+ server.
Starting from ArubaOS 6.4, a maximum of 128 TACACS servers can be configured on the controller.
Syntax
Parameter | Description | Range | Default
<server> | Name that identifies the server. | — | —
clone <server> | Name of an existing TACACS server configuration from which parameter values are copied. | — | —
enable | Enables the TACACS server. | — | —
host <host> | IPv4 address of the TACACS server. | — | —
key | Shared secret to authenticate communication between the TACACS+ client and server. | — | —
no | Negates any configured parameter. | — | —
retransmit <number> | Maximum number of times a request is retried. | 0-3 | 3
session-authorization | Enables TACACS+ authorization. Session-authorization turns on the optional authorization session for admin users. | — | disabled
tcp-port <port> | TCP port used by the server. | 1-65535 | 49
timeout <timeout> | Timeout period of a TACACS request, in seconds. | 1-30 | 20 seconds
Usage Guidelines
You configure a server before you can add it to one or more server groups. You create a server group for a specific
type of authentication (see aaa server-group on page 89).
Example
The following command configures and enables a TACACS+ server and enables session authorization:
aaa authentication-server tacacs tacacs1
clone default
host 10.1.1.245
key qwERtyuIOp
enable
session-authorization
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 6.0: The session-authorization parameter was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
aaa authentication-server windows
aaa authentication-server windows <windows_server_name>
clone <source>
domain <domain>
enable
host <ipaddr>
no
Description
This command configures a Windows server for stateful-NTLM authentication.
Syntax
<windows_server_name>
    Name of the Windows server. You will use this name when you add the Windows server to a server group.
clone <source>
    Name of a Windows server from which you want to make a copy.
domain <domain>
    The Windows domain for the authentication server.
enable
    Enables the Windows server.
host <ipaddr>
    IP address of the Windows server.
no
    Deletes a configured parameter.
Usage Guidelines
You must define a Windows server before you can add it to one or more server groups. You create a server group for
a specific type of authentication (see aaa server-group on page 89). Windows servers are used for stateful-NTLM
authentication.
Example
The following command configures and enables a Windows server:
aaa authentication-server windows IAS_1
host 10.1.1.245
enable
Command History
This command was available in ArubaOS 3.4.1
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
aaa authentication stateful-dot1x
aaa authentication stateful-dot1x
default-role <role>
enable
no ...
server-group <group>
timeout <seconds>
Description
This command configures 802.1X authentication for clients on non-Aruba APs.
Syntax
default-role <role>
    Role assigned to the 802.1X user upon login. Default: guest.
    NOTE: The PEFNG license must be installed.
enable
    Enables 802.1X authentication for clients on non-Aruba APs. Use no enable to disable stateful 802.1X authentication. Default: enabled.
no
    Negates any configured parameter.
server-group <group>
    Name of the group of RADIUS servers used to authenticate the 802.1X users. See aaa server-group on page 89.
timeout <seconds>
    Timeout period, in seconds. Range: 1-20. Default: 10 seconds.
Usage Guidelines
This command configures 802.1X authentication for clients on non-Aruba APs. The controller maintains user session
state information for these clients.
Example
The following command assigns the employee user role to clients who successfully authenticate with the server
group corp-rad:
aaa authentication stateful-dot1x
default-role employee
server-group corp-rad
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
aaa authentication stateful-dot1x clear
aaa authentication stateful-dot1x clear
Description
This command clears automatically-created control path entries for 802.1X users on non-Aruba APs.
Syntax
No parameters.
Usage Guidelines
Run this command after changing the configuration of a RADIUS server in the server group configured with the aaa
authentication stateful-dot1x command. This causes entries for the users to be created in the control path with the
updated configuration information.
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
aaa authentication stateful-ntlm
aaa authentication stateful-ntlm <profile-name>
clone
default-role <role>
enable
no ...
server-group <server-group>
timeout <timeout>
Description
This command configures stateful NT LAN Manager (NTLM) authentication.
Syntax
clone
    Create a copy of an existing stateful NTLM profile.
default-role <role>
    Select an existing role to assign to authenticated users. Default: guest.
no
    Negates any configured parameter.
server-group <server-group>
    Name of a server group. Default: default.
timeout <timeout>
    Amount of time, in seconds, before the request times out. Range: 1-20 seconds. Default: 10 seconds.
Usage Guidelines
NT LAN Manager (NTLM) is a suite of Microsoft authentication and session security protocols. You can use a
stateful NTLM authentication profile to configure a controller to monitor the NTLM authentication messages between
clients and an authentication server. The controller can then use the information in the Server Message Block (SMB)
headers to determine the client's username and IP address, the server IP address and the client's current
authentication status. If the client successfully authenticates via an NTLM authentication server, the controller can
recognize that the client has been authenticated and assign that client a specified user role. When the user logs off or
shuts down the client machine, the user will remain in the authenticated role until the user’s authentication is aged
out.
The Stateful NTLM Authentication profile requires that you specify a server group which includes the servers
performing NTLM authentication, and a default role to be assigned to authenticated users. For details on defining a
windows server used for NTLM authentication, see aaa authentication-server windows.
Example
The following example configures a stateful NTLM authentication profile that authenticates clients via the server
group “Windows1.” Users who are successfully authenticated are assigned the “guest2” role.
aaa authentication stateful-ntlm
default-role guest2
server-group Windows1
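The following example is added here and is not part of the original guide. It ties together the two commands this feature depends on, aaa authentication-server windows and aaa authentication stateful-ntlm, through the server group that links them (aaa server-group, page 89), so that the whole chain from domain controller to user role is visible in one place. The server name dc01, the address 10.1.1.245, the domain CORP, the profile name ntlm-employees and the role employee are placeholders assumed for this example; lines beginning with ! are comments.

```text
! 1. The Windows domain controller whose NTLM exchanges the controller watches.
!    The controller never authenticates against it; it only observes SMB traffic
!    to this host, so the host address must be the one clients actually talk to.
aaa authentication-server windows dc01
  host 10.1.1.245
  domain CORP
  enable
!
! 2. Server group that contains the Windows server.
aaa server-group Windows1
  auth-server dc01
!
! 3. Stateful NTLM profile: a client observed authenticating successfully against
!    a server in Windows1 is moved from its pre-authentication role to employee.
aaa authentication stateful-ntlm ntlm-employees
  server-group Windows1
  default-role employee
  timeout 10
  enable
```

Because the role is inferred from observed traffic rather than from a credential the controller verified itself, the usage guidelines above matter operationally: the role persists after logoff until the user entry ages out, so give the employee role no more access than an aged, unattended session should have, and keep the AAA idle timers short on networks where machines are shared.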
Command History
Command introduced in ArubaOS 3.4.1
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
aaa authentication via auth-profile
aaa authentication via auth-profile <profile>
auth-protocol {mschapv2|pap}
cert-cn-lookup
clone <source>
default-role <default-role>
desc <description>
max-authentication-failures <max-authentication-failures>
no
pan-integration
radius-accounting <server_group_name>
rfc-3576-server <rfc-server>
server-group <server-group>
Description
This command configures the VIA authentication profile.
Syntax
auth-protocol {mschapv2|pap}
    Authentication protocol used for VIA authentication: MSCHAPv2 or PAP. Default: PAP.
cert-cn-lookup
    Check the certificate common name against the AAA server. Default: enabled.
clone <source>
    Name of an existing profile from which configuration values are copied.
default-role <default-role>
    Role assigned to users who authenticate successfully through this VIA authentication profile.
desc <description>
    Description of this profile, for reference.
max-authentication-failures <max-authentication-failures>
    Number of times VIA prompts the user to log in after incorrect credentials. After the maximum number of failed authentication attempts, VIA exits. Default: 3.
pan-integration
    Requires IP mapping at Palo Alto Networks firewalls.
radius-accounting <server_group_name>
    Server group for RADIUS accounting.
rfc-3576-server <rfc-server>
    Configures the RFC 3576 server.
server-group <server-group>
    Server group against which the user is authenticated.
Usage Guidelines
Use this command to create VIA authentication profiles and associate user roles to the authentication profile.
Example
(host) (config) #aaa authentication via auth-profile default
(host) (VIA Authentication Profile "default") #auth-protocol mschapv2
(host) (VIA Authentication Profile "default") #default-role example-via-role
(host) (VIA Authentication Profile "default") #desc "Default VIA Authentication Profile"
(host) (VIA Authentication Profile "default") #server-group "via-server-group"
Command History
ArubaOS 5.0: Command introduced.
ArubaOS 6.3: The auth-protocol parameter was added.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master or local controllers
aaa authentication via connection-profile
aaa authentication via connection-profile <profile>
admin-logoff-script
admin-logon-script
allow-user-disconnect
allow-whitelist-traffic
auth_domain_suffix
auth-profile <auth-profile>
auto-launch-supplicant
auto-login
auto-upgrade
banner-message-reappear-timeout <mins>
client-logging
client-netmask <client-netmask>
client-wlan-profile <client-wlan-profile> position <position>
clone
controllers-load-balance
csec-gateway-url <URL>
csec-http-ports <comma separated port numbers>
dns-suffix-list <dns-suffix-list>
domain-pre-connect
enable-csec
enable-fips
enable-supplicant
ext-download-url <ext-download-url>
ike-policy <ike-policy>
ikev2-policy
ikev2-proto
ikev2auth
ipsec-cryptomap map <map> number <number>
ipsecv2-cryptomap
lockdown-all-settings
max-reconnect-attempts <max-reconnect-attempts>
max-timeout <value>
minimized
no
save-passwords
server
split-tunneling
suiteb-crypto
support-email
tunnel
user-idle-timeout
validate-server-cert
whitelist
windows-credentials
Description
This command configures the VIA connection profile.
Syntax
admin-logoff-script
    Specify the name of the script that must be executed when the VIA connection is disconnected. The script must reside on the user/client system. Default: disabled.
admin-logon-script
    Specify the name of the script that must be executed when the VIA connection is established. The script must reside on the user/client system. Default: disabled.
allow-user-disconnect
    Enable or disable the ability of users to disconnect their VIA sessions. Default: enabled.
allow-whitelist-traffic
    If enabled, the VIA client blocks network access, other than traffic matching the whitelist, until the VIA VPN connection is established. Default: disabled.
auth_domain_suffix
    Enables a domain suffix on VIA authentication, so client credentials are sent as domainname\username instead of just username.
auth-profile <auth-profile>
    The list of VIA authentication profiles that will be displayed to users in the VIA client.
auto-launch-supplicant
    Allows the client to connect automatically to a configured WLAN network. Default: disabled.
auto-login
    Enable or disable the VIA client logging in automatically and establishing a secure connection to the controller. Default: enabled.
auto-upgrade
    Enable or disable automatic upgrade of the VIA client when an updated version of the client is available on the controller. Default: enabled.
banner-message-reappear-timeout <mins>
    Timeout value, in minutes, after which the user session ends and the VIA login banner message reappears. Default: 1440 minutes.
client-logging
    Enable or disable logging on the VIA client. Default: enabled.
client-netmask <client-netmask>
    The network mask that is set on the client after the VPN connection is established. Default: 255.255.255.255.
client-wlan-profile <client-wlan-profile> position <position>
    A list of VIA client WLAN profiles that are pushed to client machines that use Windows Zero Config (WZC) to configure or manage their wireless networks.
clone
    Create a copy of this connection profile from another VIA connection profile.
controllers-load-balance
    Enable this option to allow the VIA client to fail over to the next available controller, selected randomly from the list configured with the server option. If disabled, VIA fails over to the next controller in the ordered list of VIA servers. Default: disabled.
csec-gateway-url <URL>
    Specify the content security service provider's URL. You must provide a fully qualified domain name.
csec-http-ports <comma separated port numbers>
    Specify the ports (separated by commas) that will be monitored by the content security service provider. Do not add a space before or after the comma.
dns-suffix-list <dns-suffix-list>
    The DNS suffix list (comma separated) that is set on the client once the VPN connection is established. Default: none.
domain-pre-connect
    Enable this option to allow users with lost or expired passwords to establish a VIA connection to the corporate network. This option authenticates the user's device and establishes a VIA connection that allows users to reset credentials and continue with corporate access. Default: enabled.
enable-csec
    Enable the content security service.
enable-fips
    Enable the VIA FIPS (Federal Information Processing Standard) module so VIA checks for FIPS compliance during startup. Default: disabled.
enable-supplicant
    If enabled, VIA starts in bSec mode using L2 Suite-B cryptography. Default: disabled.
ext-download-url <ext-download-url>
    End users use this URL to download VIA on their computers.
ike-policy <ike-policy>
    List of IKE policies that the VIA client uses to connect to the controller.
ikev2-policy
    List of IKEv2 policies that the VIA client uses to connect to the controller.
ikev2-proto
    Enable this to use the IKEv2 protocol to establish VIA sessions. Default: disabled.
ikev2auth
    Set the IKEv2 authentication method. By default a user certificate is used for authentication. The other supported methods are EAP-MSCHAPv2 and EAP-TLS; EAP authentication is done on an external RADIUS server. Default: user certificate.
ipsec-cryptomap map <map> number <number>
    List of IPsec crypto maps that the VIA client uses to connect to the controller. These IPsec crypto maps are configured in the CLI using the crypto-local ipsec-map <ipsec-map-name> command.
ipsecv2-cryptomap
    List of IPsec v2 crypto maps that the VIA client uses to connect to the controller.
lockdown-all-settings
    Locks down all user-configured settings. Default: disabled.
max-reconnect-attempts <max-reconnect-attempts>
    The maximum number of reconnection attempts by the VIA client due to authentication failures. Default: 3.
max-timeout value <value>
    The maximum time, in minutes, allowed before the VIA session is disconnected. Default: 1440 minutes.
minimized
    Keeps the VIA client on a Microsoft Windows operating system minimized to the system tray.
save-passwords
    Enable or disable the ability of users to save passwords entered in VIA. Default: enabled.
server position <position> addr <addr> internal-ip <internal-ip> desc <description>
    Configure VIA servers.
    - addr: the public IP address or DNS hostname of the VIA controller. Users connect to the remote server using this IP address or hostname.
    - internal-ip: any one of the VLAN interface IP addresses belonging to this controller.
    - desc: a human-readable description of the controller.
split-tunneling
    Enable or disable split tunneling. If enabled, all traffic to the VIA tunneled networks goes through the controller and the rest is bridged directly on the client. If disabled, all traffic flows through the controller. Default: off.
suiteb-crypto
    Enable Suite-B cryptography. See RFC 4869 for more information about Suite-B cryptography. Default: disabled.
support-email
    The support e-mail address to which VIA users send client logs. Default: none.
tunnel address <address> netmask <netmask>
    A list of network destinations (IP address and netmask) that the VIA client tunnels through the controller. All other network destinations are reachable directly by the VIA client. Enter the tunneled IP address and its netmask.
user-idle-timeout
    The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers; if it is disabled, the global settings are used. Default: disabled.
validate-server-cert
    Enable or disable validation by VIA of the server certificate presented by the controller. Default: enabled.
whitelist addr <addr> netmask <netmask> description <description>
    Specify a hostname or IP address and network mask to add an entry to the whitelist of traffic permitted when the allow-whitelist-traffic option is enabled.
    - addr: hostname or IP address.
    - netmask: netmask, in dotted decimal format.
    - description: (optional) description of the entry.
windows-credentials
    Enable or disable the use of Windows credentials to log in to VIA. If enabled, the SSO (single sign-on) feature can be used by remote users to connect to internal resources. Default: enabled.
Usage Guidelines
Issue this command to create a VIA connection profile. A VIA connection profile contains settings required by VIA to
establish a secure connection to the controller. You can configure multiple VIA connection profiles. A VIA connection
profile is always associated to a user role and all users belonging to that role will use the configured settings. If you
do not assign a VIA connection profile to a user role, the default connection profile is used.
Example
The following example shows a simple VIA connection profile:
(host) (config) #aaa authentication via connection-profile "via"
(host) (VIA Connection Profile "via") #server addr 202.100.10.100 internal-ip 10.11.12.13 desc "VIA Primary" position 0
(host) (VIA Connection Profile "via") #auth-profile "default" position 0
(host) (VIA Connection Profile "via") #tunnel address 10.0.0.0 netmask 255.255.255.0
(host) (VIA Connection Profile "via") #split-tunneling
(host) (VIA Connection Profile "via") #windows-credentials
(host) (VIA Connection Profile "via") #client-netmask 255.0.0.0
(host) (VIA Connection Profile "via") #dns-suffix-list mycorp.com
(host) (VIA Connection Profile "via") #dns-suffix-list example.com
(host) (VIA Connection Profile "via") #support-email via-support@example.com
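The following example is added here and is not part of the original guide. Where the example above shows a permissive profile (split tunneling on, Windows credentials, saved passwords), this one uses the same command's parameters to build a profile with the opposite defaults, the choices a practitioner would make for a managed corporate client: IKEv2 with certificate authentication, Suite-B, mandatory server certificate validation, no split tunnel, no cached passwords, bounded session lifetimes and a pre-connect whitelist. The profile name via-hardened, the hostname vpn.example.com, the addresses 10.11.12.13 and 10.1.1.53 and the role-independent values chosen are placeholders assumed for this example; it is written in running-configuration style with ! comments rather than as a prompt transcript.

```text
aaa authentication via connection-profile "via-hardened"
  ! Gateway the client connects to, and the authentication profile it offers.
  server addr vpn.example.com internal-ip 10.11.12.13 desc "VIA Primary" position 0
  auth-profile "default" position 0
  !
  ! IKEv2 with the default ikev2auth method (user certificate) and Suite-B
  ! cryptography; FIPS self-check on client startup.
  ikev2-proto
  suiteb-crypto
  enable-fips
  !
  ! validate-server-cert is enabled by default, but a profile created with
  ! clone inherits whatever the source had, so state it explicitly.
  validate-server-cert
  !
  ! No split tunnel: every destination goes through the controller, so there
  ! is no tunnel address list. No cached credentials on the client.
  no split-tunneling
  no save-passwords
  no windows-credentials
  !
  ! Until the tunnel is up, only whitelisted traffic is allowed (here, the
  ! corporate DNS server the client needs to resolve the gateway name).
  whitelist addr 10.1.1.53 netmask 255.255.255.255 description "corp DNS"
  allow-whitelist-traffic
  !
  ! Bounded sessions: 8-hour hard limit, 10-minute idle timeout (seconds, in
  ! multiples of 30), three reconnect attempts, and users cannot change any of it.
  max-timeout value 480
  user-idle-timeout 600
  max-reconnect-attempts 3
  lockdown-all-settings
```

The IKEv2 policy and IPsec v2 crypto map the client must use (ikev2-policy and ipsecv2-cryptomap) are not shown because they have to name policies already defined on the controller with crypto-local; without them the profile is incomplete. Remember that a VIA connection profile takes effect only once it is associated with a user role, as the usage guidelines describe; until then clients keep using the default profile.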
Command History
ArubaOS 5.0: Command introduced.
ArubaOS 6.1: The following parameters were introduced: admin-logon-script, admin-logoff-script, ikev2-policy, ikev2-proto, ikev2auth, ipsecv2-cryptomap, minimized, suiteb-crypto.
ArubaOS 6.1.3.2: The auth_domain_suffix parameter was introduced.
ArubaOS 6.2: The following parameters were introduced: allow-whitelist-traffic, banner-message-reappear-timeout, controllers-load-balance, enable-fips, enable-supplicant, whitelist.
ArubaOS 6.3: The user-idle-timeout parameter was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master or local controllers
aaa authentication via global-config
aaa authentication via global-config
no
ssl-fallback-enable
Description
The global config option allows you to enable SSL fallback mode. If SSL fallback mode is enabled, the VIA client can fall back to SSL to create a secure connection.
Syntax
no
    Disable the SSL fallback option.
ssl-fallback-enable
    Enable an SSL fallback connection. Default: disabled.
Example
(host) (config) #aaa authentication via global-config
Command History
Command introduced in 5.0
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master or local controllers
aaa authentication via web-auth
aaa authentication via web-auth default
auth-profile <auth-profile> position <position>
clone <source>
no
Description
A VIA web authentication profile contains an ordered list of VIA authentication profiles. The web authentication
profile is used by end users to login to the VIA download page (https://<server-IP-address>/via) for downloading the
VIA client. Only one VIA web authentication profile is available. If more than one VIA authentication profile is
configured, users can view this list and select one during the client login.
Syntax
auth-profile <auth-profile>
    The name of the VIA authentication profile.
position <position>
    The position of the profile, to specify the order of selection.
clone <source>
    Duplicate an existing authentication profile.
Example
(host) (config) #aaa authentication via web-auth default
(host) (VIA Web Authentication "default") #auth-profile default position 0
Command History
Command introduced in 5.0
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master or local controllers
aaa authentication vpn
aaa authentication vpn <profile-name>
cert-cn-lookup
clone <source>
default-role <role>
export-route
max-authentication-failures <number>
no ...
pan-integration
radius-accounting <server-group>
server-group <group>
user-idle-timeout
Description
This command configures VPN authentication settings.
Syntax
<profile-name>
    There are three VPN profiles: default, default-rap and default-cap. This allows users to use different AAA servers for VPN, RAP and CAP clients.
    NOTE: The default and default-rap profiles are configurable. The default-cap profile is not configurable and is predefined with the default settings.
cert-cn-lookup
    If you use client certificates for user authentication, enable this option to verify that the certificate's common name exists in the server. This parameter is enabled by default in the default-cap and default-rap VPN profiles, and disabled by default on all other VPN profiles.
clone <source>
    Copies data from another VPN authentication profile. Source is the profile name from which the data is copied.
default-role <role>
    Role assigned to the VPN user upon login. Default: guest.
    NOTE: This parameter requires the Policy Enforcement Firewall for VPN Users (PEFV) license.
export-route
    Exports a VPN IP address as a route to the external world. See the show ip ospf command to view the link-state advertisement (LSA) types that are generated. Default: enabled.
max-authentication-failures <number>
    Maximum number of authentication failures before the user is blacklisted. The supported range is 1-10 failures. A value of 0 disables blacklisting. Default: 0 (disabled).
    NOTE: This parameter requires the RFProtect license.
no
    Negates any configured parameter.
pan-integration
    Requires IP mapping at Palo Alto Networks firewalls. Default: disabled.
radius-accounting <server-group>
    Configures the server group used for RADIUS accounting.
server-group <group>
    Name of the group of servers used to authenticate VPN users. See aaa server-group on page 89. Default: internal.
user-idle-timeout
    The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.
Usage Guidelines
This command configures VPN authentication settings for VPN, RAP and CAP clients. Use the vpdn group command to configure a Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) or a Point-to-Point Tunneling Protocol (PPTP) VPN connection. (See vpdn group l2tp on page 1840.)
Example
The following command configures VPN authentication settings for the default-rap profile:
aaa authentication vpn default-rap
default-role guest
clone default
max-authentication-failures 0
server-group vpn-server-group
The following message appears when a user tries to configure the non-configurable default-cap profile:
(host) (config) #aaa authentication vpn default-cap
Predefined VPN Authentication Profile "default-cap" is not editable
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 5.0: The default-cap and default-rap profiles were introduced.
ArubaOS 6.1: The cert-cn-lookup parameter was introduced.
ArubaOS 6.3: The user-idle-timeout parameter was introduced.
ArubaOS 6.3.1: The export-route parameter was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system, except for noted parameters. The default-role parameter requires the Policy Enforcement Firewall for VPN Users (PEFV) license.
Command Mode: Config mode on master controllers
aaa authentication wired
aaa authentication wired
no ...
profile <aaa-profile>
Description
This command configures authentication for a client device that is directly connected to a port on the controller.
Syntax
no
    Negates any configured parameter.
profile <aaa-profile>
    Name of the AAA profile that applies to wired authentication. This profile must be configured for a Layer-2 authentication, either 802.1X or MAC. See aaa profile on page 80.
Usage Guidelines
This command references an AAA profile that is configured for MAC or 802.1X authentication. The port on the
controller to which the device is connected must be configured as untrusted.
Example
The following commands configure an AAA profile for dot1x authentication and a wired profile that references the
AAA profile:
aaa profile sec-wired
dot1x-default-role employee
dot1x-server-group sec-svrs
aaa authentication wired
profile sec-wired
Related Commands
vlan
    Assign an AAA profile to an individual VLAN to enable role-based access for wired clients connected to an untrusted VLAN or port on the controller.
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
aaa authentication wispr
aaa authentication wispr
agent string
clone
default-role <role>
logon-wait {cpu-threshold <cpu-threshold>}|{maximum-delay <maximum-delay>}|{minimum-delay <minimum-delay>}
no ...
max-authentication-failures
server-group <server-group>
wispr-location-id-ac <wispr-location-id-ac>
wispr-location-id-cc <wispr-location-id-cc>
wispr-location-id-isocc <wispr-location-id-isocc>
wispr-location-id-network <wispr-location-id-network>
wispr-location-name-location <wispr-location-name-location>
wispr-location-name-operator-name <wispr-location-name-operator>
Description
This command configures WISPr authentication with an ISP’s WISPr RADIUS server.
Syntax
agent string
    User agent string to be registered for use in the WISPr profile. Maximum user agent string length: 32 characters. Maximum number of user agent strings: 32.
clone
    Copy data from another WISPr authentication profile.
default-role <role>
    Default role assigned to users that complete WISPr authentication.
logon-wait
    Configure the CPU utilization threshold that triggers the logon wait maximum and minimum times.
    cpu-threshold <cpu-threshold>
        Percentage of CPU utilization at which the maximum and minimum login wait times are enforced. Range: 1-100%. Default: 60%.
    maximum-delay <maximum-delay>
        If the controller's CPU utilization has surpassed the cpu-threshold value, the maximum-delay parameter defines the maximum number of seconds a user will have to wait to retry a login attempt. Range: 1-10 seconds. Default: 10 seconds.
    minimum-delay <minimum-delay>
        If the controller's CPU utilization has surpassed the cpu-threshold value, the minimum-delay parameter defines the minimum number of seconds a user will have to wait to retry a login attempt. Range: 1-10 seconds. Default: 5 seconds.
max-authentication-failures
    Maximum authentication failures before the user is blacklisted. Range: 0-10. Default: 0.
server-group <server-group>
    Name of the group of RADIUS servers used for WISPr authentication.
wispr-location-id-ac <wispr-location-id-ac>
    The E.164 Area Code in the WISPr Location ID.
wispr-location-id-cc <wispr-location-id-cc>
    The 1-3 digit E.164 Country Code in the WISPr Location ID.
wispr-location-id-isocc <wispr-location-id-isocc>
    The ISO Country Code in the WISPr Location ID.
wispr-location-id-network <wispr-location-id-network>
    The SSID/network name in the WISPr Location ID.
wispr-location-name-location <wispr-location-name-location>
    A name identifying the hotspot location. If no name is defined, the default ap-name is used.
wispr-location-name-operator-name <wispr-location-name-operator>
    A name identifying the hotspot operator.
Usage Guidelines
WISPr authentication allows a "smart client" to remain authenticated on the network when it roams between Wireless Internet Service Providers, even if the wireless hotspot uses an ISP with which the client does not have an account.
If you are a hotspot operator using WISPr authentication, and a client that has an account with your ISP attempts to access the Internet at your hotspot, then your ISP's WISPr AAA server authenticates that client directly and allows the client access on the network. If, however, the client only has an account with a partner ISP, then your ISP's WISPr AAA server forwards that client's credentials to the partner ISP's WISPr AAA server for authentication. Once the client has been authenticated on the partner ISP, it is authenticated on your hotspot's own ISP, as per their service agreements. Once your ISP sends an authentication message to the controller, the controller assigns the default WISPr user role to that client.
ArubaOS supports the following smart clients, which enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, proxy, authentication and logoff messages within HTML messages to the controller:
- iPass
- Boingo
- Trustive
- weRoam
- AT&T
A WISPr authentication profile includes parameters to define RADIUS attributes, the default role for authenticated WISPr users, the maximum number of authentication failures and logon wait times. The WISPr-Location-ID sent from the controller to the WISPr RADIUS server is the concatenation of the ISO Country Code, E.164 Country Code, E.164 Area Code and SSID/Zone parameters configured in this profile.
The parameters that define WISPr RADIUS attributes are specific to the RADIUS server your ISP uses for WISPr authentication; contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites, www.iso.org and http://www.itu.int.
A Boingo smart client uses a NAS identifier in the format <CarrierID>_<VenueID> for location identification. To support Boingo clients, you must also configure the NAS identifier parameter in the RADIUS server profile for the WISPr server.
Example
The following commands configure a WISPr authentication profile:
aaa authentication wispr
default-role authuser
max-authentication-failures 5
server-group wispr1
wispr-location-id-ac 408
wispr-location-id-cc 1
wispr-location-id-isocc us
wispr-location-id-network <wispr-location-id-network>
wispr-location-name-location <wispr-location-name-location>
wispr-location-name-operator-name <wispr-location-name-operator>
Command History
This command was available in ArubaOS 3.4.1.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master or local controllers
aaa bandwidth-contract
aaa bandwidth-contract <name> {kbits <kbits>|mbits <mbits>}
Description
This command configures a bandwidth contract.
Syntax
Parameter
    Description (Range)

<name>
    Name that identifies this bandwidth contract. (Range: —)
kbits <kbits>
    Limit the traffic rate for this bandwidth contract to a specified number of kilobits per second. (Range: 256-2000000)
mbits <mbits>
    Limit the traffic rate for this bandwidth contract to a specified number of megabits per second. (Range: 1-2000)
Usage Guidelines
You can apply a configured bandwidth contract to a user role or to a VLAN. When you apply a bandwidth contract to
a user role (see user-role on page 1821), you specify whether the contract applies to upstream traffic (from the client
to the controller) or downstream traffic (from the controller to the client). You can also specify whether the contract
applies to all users in a specified user role or per-user in a user role.
When you apply a bandwidth contract to a VLAN (see interface vlan on page 392), the contract limits multicast traffic
and does not affect other data. This is useful because an AP can only send multicast traffic at the rate of the slowest
associated client. Thus, excessive multicast traffic fills the buffers of the AP, causing frame loss and poor voice
quality. Generally, every system should have a bandwidth contract of 1 Mbps or even 700 Kbps, and it should be
applied to all VLANs with which users are associated, especially those VLANs that pass through the upstream
router. The exceptions are VLANs that are used for high speed multicasts, where the SSID is configured without low
data rates.
Example
The following command creates a bandwidth contract named mcast-1mbps (a placeholder name; the syntax requires a <name>) that limits the traffic rate to 1 Mbps:
aaa bandwidth-contract mcast-1mbps mbits 1
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
aaa derivation-rules
aaa derivation-rules user <name>
no ...
set {aaa-profile|role|vlan} condition <rule-type> <attribute> <value> set-value {<role>|<vlan>} [description <rule description>][position <number>]
Description
This command configures rules that assign an AAA profile, user role or VLAN to a client based upon the client’s
association with an AP.
A user role cannot be assigned by an AAA derivation rule unless the controller has an installed PEFNG license.
Syntax
Parameter
    Description

<name>
    Name that identifies this set of user derivation rules.
no
    Negates a configured rule.
set {role|vlan}
    Specify whether the action of the rule is to set the role or the VLAN.
condition
    Condition that should be checked to derive the role/VLAN.
<rule-type>
    For a rule that sets an AAA profile, use the user-vlan rule type.
    For a role or VLAN user derivation rule, select one of the following rules:
    - bssid: BSSID of access point.
    - dhcp-option: Use DHCP signature matching to assign a role or VLAN.
    - dhcp-option-77: Enable DHCP packet processing.
    - encryption-type: Encryption method used by station.
    - essid: ESSID of access point.
    - location: user location (AP name).
    - macaddr: MAC address of user.
    NOTE: If you use the dhcp-option rule type, best practices are to enable the enforce-dhcp option in the AAA profile referenced by the AP group’s Virtual AP profile.
<attribute> <value>
    Specify one of the following conditions:
    - contains: Check if attribute contains the string in the <value> parameter.
    - ends-with: Check if attribute ends with the string in the <value> parameter.
    - equals: Check if attribute equals the string in the <value> parameter.
    - not-equals: Check if attribute is not equal to the string in the <value> parameter.
    - starts-with: Check if attribute starts with the string in the <value> parameter.
set-value <role>|<vlan>
    Specify the user role or VLAN ID to be assigned to the client if the above condition is met.
description
    Describes the user derivation rule. This parameter is optional and has a 128 character maximum.
position
    Position of this rule relative to other rules that are configured.
Usage Guidelines
The user role can be derived from attributes from the client’s association with an AP. User-derivation rules are
executed before the client is authenticated.
You configure the user role to be derived by specifying condition rules; when a condition is met, the specified user
role is assigned to the client. You can specify more than one condition rule; the order of rules is important as the first
matching condition is applied. You can also add a description of the rule.
The table below describes the conditions for which you can specify a user role or VLAN.
Rule Type
    Condition / Value

bssid: Assign client to a role or VLAN based upon the BSSID of the AP to which the client is associating.
    Condition: one of contains, ends with, equals, does not equal, starts with
    Value: MAC address (xx:xx:xx:xx:xx:xx)

dhcp-option: Assign client to a role or VLAN based upon the DHCP signature ID.
    Condition: one of equals, starts with
    Value: DHCP signature ID. Note: This string is not case sensitive.

dhcp-option-77: Assign client to a role or VLAN based upon the user class identifier returned by the DHCP server.
    Condition: equals
    Value: string

encryption-type: Assign client to a role or VLAN based upon the encryption type used by the client.
    Condition: one of equals, does not equal
    Value: one of Open (no encryption), WPA/WPA2 AES, WPA-TKIP (static or dynamic), Dynamic WEP, WPA/WPA2 AES PSK, Static WEP, xSec

essid: Assign client to a role or VLAN based upon the ESSID to which the client is associated.
    Condition: one of contains, ends with, equals, does not equal, starts with, value of (does not take a string; the attribute value is used as the role)
    Value: string

location: Assign client to a role or VLAN based upon the user location (AP name).
    Condition: one of equals, does not equal
    Value: string

macaddr: Assign client to a role or VLAN based upon the MAC address of the client.
    Condition: one of contains, ends with, equals, does not equal, starts with
    Value: MAC address (xx:xx:xx:xx:xx:xx)
The device identification feature allows you to assign a user role or VLAN to a specific device type by identifying a
DHCP option and signature for that device. If you create a user rule with the DHCP-Option rule type, the first two
characters in the Value field must represent the hexadecimal value of the DHCP option that this rule should match,
while the rest of the characters in the Value field indicate the DHCP signature the rule should match. To create a rule
that matches DHCP option 12 (host name), the first two characters in the Value field must be the hexadecimal
value of 12, which is 0C. To create a rule that matches DHCP option 55, the first two characters in the Value field
must be the hexadecimal value of 55, which is 37.
The following table describes some of the DHCP options that are useful for assigning a user role or VLAN.
DHCP Option    Description                 Hexadecimal Equivalent
12             Host name                   0C
55             Parameter Request List      37
60             Vendor Class Identifier     3C
81             Client FQDN                 51
To identify DHCP strings used by an individual device, access the command-line interface in config mode and issue
the following command to include DHCP option values for DHCP-DISCOVER and DHCP-REQUEST frames in the
controller’s log files:
logging level debugging network process dhcpd
Now, connect the device you want to identify to the network, and issue the CLI command show log network. The
sample below is an example of the output that may be generated by this command.
Be aware that each device type may not have a unique DHCP fingerprint signature. For example, devices from different
manufacturers may use vendor class identifiers that begin with similar strings. If you create a DHCP-Option rule that uses
the starts-with condition instead of the equals condition, the rule may assign a role or VLAN to more than one device
type.
(host) (config) #show log network all | include DISCOVER
Feb 26 02:50:34 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b
Feb 26 02:50:42 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b
Feb 26 02:50:42 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b
Feb 26 02:53:03 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: DISCOVER 00:26:c6:52:6b:7c Options 74:01 3d:010026c6526b7c 0c:41525542412d46416c73653232 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc00
...
(host) (config) #show log network all | include REQUEST
Feb 26 02:53:04 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST 00:26:c6:52:6b:7c reqIP=10.10.10.254 Options 3d:010026c6526b7c 36:0a0a0a02 0c:41525542412d46416c73653232 51:00000041525542412d46416c736532322e73757279612e636f6d 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc0100
Feb 26 02:53:04 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST 00:26:c6:52:6b:7c reqIP=10.10.10.254 Options 3d:010026c6526b7c 36:0a0a0a02 0c:41525542412d46416c73653232 51:00000041525542412d46416c736532322e73757279612e636f6d 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc0100
Feb 26 02:56:02 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST 00:26:c6:52:6b:7c reqIP=10.10.10.254 Options 3d:010026c6526b7c 0c:41525542412d46416c73653232 51:00000041525542412d46416c736532322e73757279612e636f6d 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc0100
Examples
The following command sets the client’s user role to “guest” if the client associates to the “Guest” ESSID. The rule
description indicates that it was created for special customers.
aaa derivation-rules user derive1
set role condition essid equals Guest set-value guest description createdforspecialcustomers
The example rule shown below sets a user role for clients whose host name (DHCP option 12) has a value of
6C6170746F70, which is the hexadecimal equivalent of the ASCII string “laptop”. The first two digits in the Value
field are the hexadecimal value of 12 (which is 0C), followed by the specific signature to be matched.
aaa derivation-rules user device-role
set role condition dhcp-option equals 0C6C6170746F70 set-value laptop_role
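The following Python script is an added example, not part of the ArubaOS reference. It parses dhcpdwrap lines of the kind shown in the show log network output above, decodes the option payloads so you can read the host name (option 12) and vendor class (option 60) a device sends, builds the Value field of a dhcp-option rule the way the examples describe (two hex digits for the option number, then the hex-encoded signature), and evaluates a position-ordered rule list with first-match semantics. The two log lines are copied from the sample output above; the rule list and the role names (windows_role, lab_role) are constructed for the demonstration and show why a starts-with rule can catch more than one device type.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: two DISCOVER lines taken from the sample "show log network"
# output in this section (sample values, not live data).
SAMPLE_LOG = """\
Feb 26 02:50:34 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:19:d2:01:0b:84 Options 74:01 3d:010019d2010b84 0c:736861626172657368612d39393730 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b
Feb 26 02:53:03 :202534: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan10: DISCOVER 00:26:c6:52:6b:7c Options 74:01 3d:010026c6526b7c 0c:41525542412d46416c73653232 3c:4d53465420352e30 37:010f03062c2e2f1f21f92b 2b:dc00
"""

# Matches the dhcpdwrap line layout; "Options" is followed by <opt-hex>:<value-hex> tokens.
LOG_LINE = re.compile(
    r"Datapath vlan(?P<vlan>\d+): (?P<msg>DISCOVER|REQUEST) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}).*?Options (?P<opts>.*)$"
)


def parse_dhcp_log(text: str) -> List[dict]:
    """Parse dhcpdwrap debug lines into {vlan, msg, mac, options} records."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a DHCP option dump, skip it
        options: Dict[int, str] = {}
        for token in m.group("opts").split():
            opt_hex, _, value_hex = token.partition(":")
            options[int(opt_hex, 16)] = value_hex.lower()
        entries.append({"vlan": int(m.group("vlan")), "msg": m.group("msg"),
                        "mac": m.group("mac"), "options": options})
    return entries


def decode_ascii(value_hex: str) -> str:
    """Show an option payload as text; non-printable bytes become '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in bytes.fromhex(value_hex))


def rule_value(option: int, signature: str) -> str:
    """Build the Value field of a dhcp-option rule: two hex digits for the
    option number followed by the signature encoded in hex."""
    return f"{option:02X}{signature.encode('ascii').hex().upper()}"


def match_rule(options: Dict[int, str], value: str, condition: str) -> bool:
    """Evaluate one dhcp-option rule against the options of a single frame.
    The comparison is case-insensitive, as the rule-type table notes."""
    option, signature = int(value[:2], 16), value[2:].lower()
    seen = options.get(option)
    if seen is None:
        return False
    if condition == "equals":
        return seen == signature
    if condition == "starts-with":
        return seen.startswith(signature)
    raise ValueError(f"unsupported condition for dhcp-option: {condition}")


def derive_role(options: Dict[int, str],
                rules: List[Tuple[str, str, str]]) -> Optional[str]:
    """Apply rules in position order; the first matching rule wins."""
    for value, condition, role in rules:
        if match_rule(options, value, condition):
            return role
    return None


if __name__ == "__main__":
    # Rule list in position order: (Value field, condition, role to assign).
    # Hypothetical role names; the first rule shows the starts-with pitfall.
    rules = [
        (rule_value(60, "MSFT"), "starts-with", "windows_role"),
        (rule_value(12, "ARUBA-FAlse22"), "equals", "lab_role"),
    ]
    for e in parse_dhcp_log(SAMPLE_LOG):
        host = decode_ascii(e["options"].get(12, ""))
        vendor = decode_ascii(e["options"].get(60, ""))
        print(f"{e['mac']} vlan{e['vlan']} host={host!r} vendor={vendor!r} "
              f"-> {derive_role(e['options'], rules)}")
```

Both sample frames carry the vendor class “MSFT 5.0”, so the starts-with rule on “MSFT” assigns windows_role to both devices and the more specific host-name rule never runs; moving the equals rule to a lower position number gives it precedence.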
Command History
Version: Description
ArubaOS 3.0: Command introduced.
ArubaOS 6.0: Description parameter was introduced.
ArubaOS 6.1: DHCP-Option rule type was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system. The PEFNG license must be installed for a user role to be assigned.
Command Mode: Config mode on master controllers
aaa dns-query-interval
aaa dns-query-interval <minutes>
Description
Configure how often the controller should generate a DNS request to cache the IP address for a RADIUS server
identified via its fully qualified domain name (FQDN).
Syntax
Parameter
    Description

<minutes>
    Specify, in minutes, the interval between DNS requests sent from the controller to the DNS server. By default, DNS requests are sent every 15 minutes.
    Range: 1-1440 minutes
Usage Guidelines
If you define a RADIUS server using the FQDN of the server rather than its IP address, the controller will periodically
generate a DNS request and cache the IP address returned in the DNS response. Issue this command to configure
the frequency of these requests.
Example
This command configures a DNS query interval of 30 minutes.
(host) # aaa dns-query-interval 30
Related Commands
To view the current DNS query interval, issue the command show aaa dns-query-interval.
Command History
This command was available in ArubaOS 6.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on local and master controllers
aaa inservice
aaa inservice <server-group> <server>
Description
This command designates an “out of service” authentication server to be “in service”.
Syntax
Parameter
    Description

<server-group>
    Server group to which this server is assigned.
<server>
    Name of the configured authentication server.
Usage Guidelines
By default, the controller marks an unresponsive authentication server as “out of service” for a period of 10 minutes
(you can set a different time limit with the aaa timers dead-time command). The aaa inservice command is useful
when you become aware that an “out of service” authentication server is again available before the dead-time period
has elapsed. You can use the aaa test-server command to test the availability and response of a configured
authentication server.
Example
The following command sets an authentication server to be in service:
aaa inservice corp-rad rad1
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
aaa ipv6 user add
aaa ipv6 user add <ipv6addr>
authentication-method {dot1x|stateful-dot1x}
mac <macaddr>
name <username>
profile <aaa-profile>
role <role>
Description
This command manually assigns a user role or other values to a specified IPv6 client.
Syntax
Parameter
    Description

<ipv6addr>
    IPv6 address of the user to be added.
authentication-method
    Authentication method for the client.
    dot1x: 802.1X authentication.
    stateful-dot1x: Stateful 802.1X authentication.
mac <macaddr>
    MAC address of the client.
name <username>
    Name of the client.
profile <aaa-profile>
    AAA profile for the client.
role <role>
    User role for the client.
Usage Guidelines
This command should only be used for troubleshooting issues with a specific IPv6 client. This command allows you
to manually assign a client to a role. For example, you can create a role “debugging” that includes a policy to mirror
session packets to a specified destination for further examination, then use this command to assign the “debugging”
role to a specific client. Use the aaa ipv6 user delete command to remove the client or device from the role.
Note that issuing this command does not affect ongoing sessions that the client may already have. For example, if a
client is in the “employee” role when you assign them to the “debugging” role, the client continues any sessions
allowed with the “employee” role. Use the aaa ipv6 user clear-sessions command to clear ongoing sessions.
Example
The following commands create a role that logs HTTPS traffic, then assign the role to a specific IPv6 client:
ip access-list session ipv6-log-https
any any svc-https permit log
user-role ipv6-web-debug
session-acl ipv6-log-https
In enable mode:
aaa ipv6 user add 2002:d81f:f9f0:1000:e409:9331:1d27:ef44 role ipv6-web-debug
Command History
This command was available in ArubaOS 3.3.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
aaa ipv6 user clear-sessions
aaa ipv6 user clear-sessions <ipaddr>
Description
This command clears ongoing sessions for the specified IPv6 client.
Syntax
Parameter
    Description

<ipaddr>
    IPv6 address of the client.
Usage Guidelines
This command clears any ongoing sessions that the client already had before being assigned a role with the aaa
ipv6 user add command.
Example
The following command clears ongoing sessions for an IPv6 client:
aaa ipv6 user clear-sessions 2002:d81f:f9f0:1000:e409:9331:1d27:ef44
Command History
This command was available in ArubaOS 3.3.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
aaa ipv6 user delete
aaa ipv6 user delete {<ipaddr>|all|mac <macaddr>|name <username>|role <role>}
Description
This command deletes IPv6 clients, users, or roles.
Syntax
Parameter
    Description

<ipv6addr>
    IPv6 address of the client to be deleted.
all
    Deletes all connected IPv6 clients.
mac
    MAC address of the IPv6 client to be deleted.
name
    Name of the IPv6 client to be deleted.
role
    Role of the IPv6 client to be deleted.
Usage Guidelines
This command allows you to manually delete clients, users, or roles. For example, if you used the aaa ipv6 user
add command to assign a user role to an IPv6 client, you can use this command to remove the role assignment.
Example
The following command deletes a role:
aaa ipv6 user delete role web-debug
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
aaa ipv6 user logout
aaa ipv6 user logout <ipaddr>
Description
This command logs out an IPv6 client.
Syntax
Parameter
    Description

<ipv6addr>
    IPv6 address of the client to be logged out.
Usage Guidelines
This command logs out an authenticated IPv6 client. The client must reauthenticate.
Example
The following command logs out an IPv6 client:
aaa ipv6 user logout 2002:d81f:f9f0:1000:e409:9331:1d27:ef44
Command History
This command was available in ArubaOS 3.3.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
aaa log
[no] aaa log
Description
Enable per-user log files for AAA events.
Syntax
No parameters
Usage Guidelines
By default, logging is always enabled. Issue the no aaa log command to disable per-user logging and re-enable it
using the command aaa log. The 7200 Series controllers support 1 KB of log files per user for up to 32,000
users, and 6000 and 3600 controllers support 1 KB of log files per user for up to 16,000 users.
Example
The example below enables per-user AAA log files.
(host)(config) #aaa log
Command History
This command was introduced in ArubaOS 6.3.
Command Information
Platforms: 6000, 3600 and 7200 Series controllers
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local controllers
aaa password-policy mgmt
aaa password-policy mgmt
enable
no
password-lock-out
password-lock-out-time
password-max-character-repeat
password-min-digit
password-min-length
password-min-lowercase-characters
password-min-special-characters
password-min-special-character
password-min-uppercase-characters
password-not-username
Description
Define a policy for creating management user passwords.
Syntax
Parameter
    Description

enable
    Enable the password management policy.
password-lock-out
    The number of failed attempts within a 3 minute window that causes the user to be locked out for the period of time specified by the password-lock-out-time parameter.
    Range: 0-10 attempts. By default, the password lockout feature is disabled, and the default value of this parameter is 0 attempts.
password-lock-out-time
    The number of minutes a user who has exceeded the maximum number of failed password attempts is locked out of the network. After this period has passed, the lockout is cleared without administrator intervention.
    Range: 1 min to 1440 min (24 hrs). Default: 3.
    NOTE: When a management user gets locked out, that event is logged in the controller log file. The management user lockout warning message can have any one of the following warning IDs.
    - 125060 = Password policy locked out a management user created via the mgmt-user command in the serial console CLI.
    - 125061 = Password policy locked out a management user created via the WebUI or the mgmt-user command in the Telnet/SSH CLI.
    - 133109 = Password policy locked out a management user created via the local-userdb command in the CLI.
password-max-character-repeat
    The maximum number of consecutive repeating characters allowed in a management user password.
    Range: 0-10 characters. By default, there is no limit on the number of characters that can repeat within a password, and the parameter has a default value of 0 characters.
password-min-digit
    The minimum number of numeric digits required in a management user password.
    Range: 0-10 digits. By default, there is no requirement for numerical digits in a password, and the parameter has a default value of 0.
password-min-length
    The minimum number of characters required for a management user password.
    Range: 6-64 characters. Default: 6.
password-min-lowercase-characters
    The minimum number of lowercase characters required in a management user password.
    Range: 0-10 characters. By default, there is no requirement for lowercase letters in a password, and the parameter has a default value of 0.
password-min-special-characters
    The minimum number of special characters (!, @, #, $, %, ^, &, *, <, >, {, }, [, ], :, ., comma, |, +, ~, `) in the password. Range: 0-10 special characters.
    Default: 0 (the minimum number of special characters required is disabled by default). The following characters are disallowed: ), (, ;, -, space, =, /, ?.
password-min-special-character
    The minimum number of special characters required in a management user password.
    Range: 0-10 characters. By default, there is no requirement for special characters in a password, and the parameter has a default value of 0. See Usage Guidelines below for a list of allowed and disallowed special characters.
password-min-uppercase-characters
    The minimum number of uppercase characters required in a management user password.
    Range: 0-10 characters. By default, there is no requirement for uppercase letters in a password, and the parameter has a default value of 0.
password-not-username
    Password cannot be the management user’s current username or the username spelled backwards.
Usage Guidelines
By default, the password for a management user has no requirements other than a minimum length of 6
alphanumeric or special characters. You do not need to configure a different management user password policy
unless your company enforces a best-practices password policy for management users with root access to network
equipment.
The table below lists the special characters allowed and not allowed in any management
Example
The following command sets a management password policy that requires the password to have a minimum of nine
characters, including one numerical digit and one special character:
aaa password-policy mgmt
enable
password-min-digit 1
password-min-length 9
password-min-special-characters 1
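To make the policy semantics concrete, here is an added Python model of the checks the parameters above describe; it is example code written for this page, not the controller’s implementation. It validates a candidate management password against the length, digit, special-character, case, repeat and not-username parameters (using the allowed and disallowed special characters listed in the table), and tracks failed logins in the 3 minute window so that password-lock-out and password-lock-out-time produce a lockout that expires on its own. The candidate passwords and the username admin are constructed for the demonstration.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List

# Special characters the parameter table lists as allowed in a management
# password, and the characters it lists as disallowed.
ALLOWED_SPECIAL = set("!@#$%^&*<>{}[]:.,|+~`")
DISALLOWED = set(")(;- =/?")


@dataclass
class MgmtPasswordPolicy:
    """One field per aaa password-policy mgmt parameter, with the table's defaults."""
    enable: bool = False
    password_min_length: int = 6
    password_min_digit: int = 0
    password_min_special_characters: int = 0
    password_min_lowercase_characters: int = 0
    password_min_uppercase_characters: int = 0
    password_max_character_repeat: int = 0   # 0 means no limit
    password_not_username: bool = False
    password_lock_out: int = 0               # 0 means lockout disabled
    password_lock_out_time: int = 3          # minutes


def max_consecutive_repeat(pw: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(pw: str, username: str, p: MgmtPasswordPolicy) -> List[str]:
    """Return the parameters a candidate password violates (empty list = accepted)."""
    violations: List[str] = []
    if any(ch in DISALLOWED or not (ch.isalnum() or ch in ALLOWED_SPECIAL) for ch in pw):
        violations.append("disallowed-character")
    if len(pw) < (p.password_min_length if p.enable else 6):
        violations.append("password-min-length")
    if not p.enable:
        return violations  # policy disabled: only the 6-character minimum applies
    counts = {
        "password-min-digit": sum(ch.isdigit() for ch in pw),
        "password-min-special-characters": sum(ch in ALLOWED_SPECIAL for ch in pw),
        "password-min-lowercase-characters": sum(ch.islower() for ch in pw),
        "password-min-uppercase-characters": sum(ch.isupper() for ch in pw),
    }
    for name, seen in counts.items():
        if seen < getattr(p, name.replace("-", "_")):
            violations.append(name)
    if p.password_max_character_repeat and max_consecutive_repeat(pw) > p.password_max_character_repeat:
        violations.append("password-max-character-repeat")
    if p.password_not_username and pw.lower() in (username.lower(), username.lower()[::-1]):
        violations.append("password-not-username")
    return violations


class LockoutTracker:
    """Counts failed logins per user inside the 3 minute window from the table
    and locks the user out for password-lock-out-time minutes."""
    WINDOW_SECONDS = 180

    def __init__(self, p: MgmtPasswordPolicy) -> None:
        self.p = p
        self.failures: Dict[str, Deque[float]] = {}
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed attempt at time `now` (seconds); True if it triggers lockout."""
        if self.p.password_lock_out == 0:
            return False
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.WINDOW_SECONDS:
            q.popleft()  # forget attempts older than the window
        if len(q) >= self.p.password_lock_out:
            self.locked_until[user] = now + self.p.password_lock_out_time * 60
            q.clear()
            return True
        return False


if __name__ == "__main__":
    # The policy from the CLI example: nine characters, one digit, one special character.
    policy = MgmtPasswordPolicy(enable=True, password_min_digit=1,
                                password_min_length=9, password_min_special_characters=1)
    for candidate in ("Sample#2024", "short1!", "Sample(2024"):
        print(candidate, "->", check_password(candidate, "admin", policy) or "OK")
```

Note that a disallowed character such as “(” fails twice under this policy: once as a disallowed character and once because it does not count towards password-min-special-characters.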
Related Commands
Command: show aaa password-policy mgmt
Description: Use show aaa password-policy mgmt to show the current management password policy.
Mode: Enable mode
Command History
This command was available in ArubaOS 5.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
aaa profile
aaa profile <profile>
authentication-dot1x <dot1x-profile>
authentication-mac <mac-profile>
clone <profile>
devtype-classification
dot1x-default-role <role>
dot1x-server-group <group>
download-role
enforce-dhcp
initial-role <role>
l2-auth-fail-through
mac-default-role <role>
mac-server-group <group>
multiple-server-accounting
no ...
pan-integration
radius-accounting <group>
radius-interim-accounting
rfc-3576-server <ipaddr>
sip-authentication-role <role>
user-derivation-rules <profile>
user-idle-timeout
wired-to-wireless-roam
xml-api-server <ipaddr>
Description
This command configures the authentication for a WLAN.
Syntax
Parameter
    Description (Default)

<profile>
    Name that identifies this instance of the profile. The name must be 1-63 characters.
    Default: “default”
authentication-dot1x <dot1x-profile>
    Name of the 802.1X authentication profile associated with the WLAN. See aaa authentication dot1x on page 21.
    Default: —
authentication-mac <mac-profile>
    Name of the MAC authentication profile associated with the WLAN. See aaa authentication mac on page 28.
    Default: —
clone <profile>
    Name of an existing AAA profile configuration from which parameter values are copied.
    Default: —
devtype-classification
    The device identification feature can automatically identify different client device types and operating systems by parsing the User-Agent strings in a client’s HTTP packets. When the devtype-classification parameter is enabled, the output of the show user and show user-table commands shows each client’s device type, if that client device can be identified.
    Default: enabled
dot1x-default-role <role>
    Configured role assigned to the client after 802.1X authentication. If derivation rules are present, the role assigned to the client through these rules takes precedence over the default role.
    NOTE: This parameter requires the PEFNG license.
    Default: guest
dot1x-server-group <group>
    Name of the server group used for 802.1X authentication. See aaa server-group on page 89.
    Default: —
enforce-dhcp
    When you enable this option, clients must complete a DHCP exchange to obtain an IP address. Best practices are to enable this option when you use the aaa derivation-rules command to create a rule with the DHCP-Option rule type. This parameter is disabled by default.
    Default: disabled
download-role
    Enables role download from ClearPass Policy Manager (CPPM) if not defined.
    Default: disabled
initial-role <role>
    Role for unauthenticated users.
    Default: logon
l2-auth-fail-through
    Selects a different authentication method if one fails.
    Default: disabled
mac-default-role <role>
    Configured role assigned to the user when the device is MAC authenticated. If derivation rules are present, the role assigned to the client through these rules takes precedence over the default role.
    NOTE: This parameter requires the PEFNG license.
    Default: guest
mac-server-group <group>
    Name of the server group used for MAC authentication. See aaa server-group on page 89.
    Default: —
multiple-server-accounting
    Enables the RADIUS accounting on multiple servers functionality.
    Default: disabled
no
    Negates any configured parameter.
    Default: —
pan-integration
    The profile requires mapping at a Palo Alto Networks (PAN) firewall.
    Default: disabled
radius-accounting <group>
    Name of the server group used for RADIUS accounting. See aaa server-group on page 89.
    Default: —
radius-interim-accounting
    By default, the RADIUS accounting feature sends only start and stop messages to the RADIUS accounting server. Issue the radius-interim-accounting command to allow the controller to send Interim-Update messages with current user statistics to the server at regular intervals.
    Default: disabled
rfc-3576-server <ipaddr>
    IP address of a RADIUS server that can send user disconnect and change-of-authorization messages, as described in RFC 3576, “Dynamic Authorization Extensions to Remote Dial In User Service (RADIUS)”. See aaa rfc-3576-server on page 87.
    NOTE: This parameter requires the PEFNG license.
    Default: —
sip-authentication-role <role>
    Configured role assigned to a session initiation protocol (SIP) client upon registration.
    NOTE: This parameter requires the PEFNG license.
    Default: guest
user-derivation-rules <profile>
    User attribute profile from which the user role or VLAN is derived.
    Default: —
user-idle-timeout
    The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. The valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.
    Default: disabled
wired-to-wireless-roam
    Keeps the user authenticated when roaming from the wired side of the network.
    Default: enabled
xml-api-server <ipaddr>
    IP address of a configured XML API server. See aaa xml-api on page 107.
    NOTE: This parameter requires the PEFNG license.
    Default: —
Usage Guidelines
The AAA profile defines the user role for unauthenticated users, the default user role for MAC or 802.1X
authentication, and user derivation rules. The AAA profile contains the authentication profile and authentication
server group.
There are predefined AAA profiles available, default-dot1x, default-mac-auth, and default-open. These profiles have
the parameter values shown in the following table.
Parameter                 default-dot1x    default-mac-auth    default-open
authentication-dot1x      default          N/A                 N/A
authentication-mac        N/A              default             N/A
dot1x-default-role        authenticated    guest               guest
dot1x-server-group        N/A              N/A                 N/A
initial-role              logon            logon               logon
mac-default-role          guest            authenticated       guest
mac-server-group          default          default             default
radius-accounting         N/A              N/A                 N/A
rfc-3576-server           N/A              N/A                 N/A
user-derivation-rules     N/A              N/A                 N/A
wired-to-wireless-roam    enabled          enabled             enabled
Example
The following command configures an AAA profile that assigns the “employee” role to clients after they are
authenticated using the 802.1X server group “radiusnet”.
aaa profile corpnet
dot1x-default-role employee
dot1x-server-group radiusnet
Command History
Version: Description
ArubaOS 3.0: Command introduced.
ArubaOS 3.4.1: License requirements changed in ArubaOS 3.4.1, so the sip-authentication-role parameter required the Policy Enforcement Firewall license instead of the Voice Services Module license required in earlier versions.
ArubaOS 6.1: The radius-interim-accounting, devtype-classification and enforce-dhcp parameters were introduced.
ArubaOS 6.3: The user-idle-timeout parameter was introduced.
ArubaOS 6.4: The multiple-server-accounting and download-role parameters were introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system, except for noted parameters
Command Mode: Config mode on master controllers
aaa query-user
aaa query-user <ldap-server-name> <user-name>
Description
Troubleshoot an LDAP authentication failure by verifying that the user exists in the ldap server database.
Syntax
Parameter
Description
<ldap-server-name>
Name of an LDAP server.
<user-name>
Name of a user whose LDAP record you want to view.
Usage Guidelines
If the Admin-DN binds successfully but the wireless user fails to authenticate, issue this command to troubleshoot
whether the problem is with the wireless network, the controller, or the LDAP server. The aaa query-user <ldap_
server_name> <username> command makes the controller send a search query to find the user. If that search
fails in spite of the user being in the LDAP database, it is most probable that the base DN where the search was
started was not correct. In such a case, it is advisable to make the base DN the root of the LDAP tree.
Example
The example below shows part of the output for an LDAP record for the username JDOE.
(host) #aaa query-user eng JDOE
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John Doe
sn: Doe
userCertificate: 0\202\005\2240\202\004|\240\003\002\001\002\002\012H\011\333K
userCertificate: 0\202\005\2240\202\004|\240\003\002\001\002\002\012]\350\346F
userCertificate: 0\202\005\2240\202\004|\240\003\002\001\002\002\012\023\001\017\240
userCertificate: 0\202\005\2240\202\004|\240\003\002\001\002\002\012\031\224/\030
userCertificate: 0\202\005~0\202\004f\240\003\002\001\002\002\012\031\223\246\022
userCertificate: 0\202\005\2240\202\004|\240\003\002\001\002\002\012\037\177\374\305
givenName: JDE
distinguishedName: CN=John Doe,CN=Users,DC=eng,DC=net
instanceType: 4
whenCreated: 20060516232817.0Z
whenChanged: 20081216223053.0Z
displayName: John Doe
uSNCreated: 24599
memberOf: CN=Cert_Admins,CN=Users,DC=eng,DC=net
memberOf: CN=ATAC,CN=Users,DC=eng,DC=net
uSNChanged: 377560
department: eng
name: John Doe
...
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Enable mode on master controllers
aaa radius-attributes
aaa radius-attributes add <attribute> <attribute-id> {date|integer|ipaddr|string} [vendor <name> <vendor-id>]
Description
This command configures RADIUS attributes for use with server derivation rules.
Syntax
Parameter
Description
add <attribute> <attribute-id>
Adds the specified attribute name (alphanumeric string), associated
attribute ID (integer), and type (date, integer, IP address, or string).
date
Adds a date attribute.
integer
Adds an integer attribute.
ipaddr
Adds an IP address attribute.
string
Adds a string attribute.
vendor
(Optional) Specifies the vendor name and vendor ID for a vendor-specific attribute.
Usage Guidelines
Add RADIUS attributes for use in server derivation rules. Use the show aaa radius-attributes command to display
a list of the current RADIUS attributes recognized by the controller. To add a RADIUS attribute to the list, use the
aaa radius-attributes command.
Example
The following command adds the VSA “Aruba-User-Role”:
aaa radius-attributes add Aruba-User-Role 1 string vendor Arubas 14823
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Config mode on master controllers
aaa rfc-3576-server
aaa rfc-3576-server <ipaddr>
clone <source>
key <psk>
no ...
Description
This command configures a RADIUS server that can send user disconnect and change-of-authorization (CoA)
messages, as described in RFC 3576, “Dynamic Authorization Extensions to Remote Dial In User Service
(RADIUS)”.
Syntax
Parameter
Description
<ipaddr>
IP address of the server.
clone <source>
Name of an existing RFC 3576 server configuration from which parameter values
are copied.
key <psk>
Shared secret to authenticate communication between the RADIUS client and
server.
no
Negates any configured parameter.
Usage Guidelines
The disconnect and change-of-authorization messages sent from the server to the controller contain information that
identifies the user for whom the message is sent. The controller supports the following attributes for identifying
users who authenticate with an RFC 3576 server:
- user-name: Name of the user to be authenticated
- framed-ip-address: User’s IP address
- calling-station-id: Phone number of a station that originated a call
- accounting-session-id: Unique accounting ID for the user session
If the authentication server sends both supported and unsupported attributes to the controller, the unknown or
unsupported attributes are ignored. If no matching user is found, the controller sends a 503: Session Not Found
error message back to the RFC 3576 server.
Example
The following command configures an RFC 3576 server:
aaa rfc-3576-server 10.1.1.245
clone default
key P@$$w0rD;
Related Commands
Command
Description
aaa profile rfc-3576-server <ip-addr>
Associates an RFC 3576 server with an AAA profile.
show aaa state user
View information for a user whose session timeout is altered by a
RFC 3576 server.
Command History
Version
Description
ArubaOS 3.0
Command introduced
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Config mode on master controllers
aaa server-group
aaa server-group <group>
allow-fail-through
auth-server <name> [match-authstring contains|equals|starts-with <string>] [match-fqdn <string>] [position <number>] [trim-fqdn]
clone <group>
load-balance
no ...
set role|vlan condition <attribute> contains|ends-with|equals|not-equals|starts-with <string> set-value <set-value-str> [position <number>]
Description
This command allows you to add a configured authentication server to an ordered list in a server group, and configure
server rules to derive a user role, VLAN ID or VLAN name from attributes returned by the server during
authentication.
Syntax
Parameter
Description
Default
<group>
Name that identifies the server group. The name must be 32
characters or less.
—
allow-fail-through
When this option is configured, an authentication failure with
the first server in the group causes the controller to attempt
authentication with the next server in the list. The controller
attempts authentication with each server in the ordered list
until either there is a successful authentication or the list of
servers in the group is exhausted.
disabled
auth-server <name>
Name of a configured authentication server.
—
match-authstring
This option associates the authentication server with a match
rule that the controller can compare with the user/client
information in the authentication request. With this option, the
user/client information in the authentication request can be in
any of the following formats:
<domain>\<user>
<user>@<domain>
host/<pc-name>.<domain>
An authentication request is sent to the server only if there is
a match between the specified match rule and the user/client
information. You can configure multiple match rules for an
authentication server.
—
contains
The rule matches if the user/client information contains the
specified string.
—
equals
The rule matches if the user/client information exactly
matches the specified string.
—
starts-with
The rule matches if the user/client information starts with the
specified string.
—
match-fqdn <string>
This option associates the authentication server with a
specified domain. An authentication request is sent to the
server only if there is an exact match between the specified
domain and the <domain> portion of the user information
sent in the authentication request. With this option, the user
information must be in one of the following formats:
<domain>\<user>
<user>@<domain>
—
position <number>
Position of the server in the server list. 1 is the top.
(last)
trim-fqdn
This option causes the user information in an authentication
request to be edited before the request is sent to the server.
Specifically, this option:
- removes the <domain>\ portion for user information in the <domain>\<user> format
- removes the @<domain> portion for user information in the <user>@<domain> format
—
clone
Name of an existing server group from which parameter
values are copied.
—
load-balance
Enables load-balancing functionality.
—
no
Negates any configured parameter.
—
set role|vlan
Assigns the client a user role, VLAN ID or VLAN name based
on attributes returned for the client by the authentication
server. Rules are ordered: the first rule that matches the
configured condition is applied.
VLAN IDs and VLAN names cannot be listed together.
—
condition
Attribute returned by the authentication server.
—
contains
The rule is applied if and only if the attribute value contains
the specified string.
—
ends-with
The rule is applied if and only if the attribute value ends with
the specified string.
—
equals
The rule is applied if and only if the attribute value equals the
specified string.
—
not-equals
The rule is applied if and only if the attribute value is not
equal to the specified string.
—
starts-with
The rule is applied if and only if the attribute value begins
with the specified string.
—
set-value
User role or VLAN applied to the client when the rule is
matched.
—
value-of
Sets the user role or VLAN to the value of the attribute
returned. The user role or VLAN ID returned as the value of
the attribute must already be configured on the controller
when the rule is applied.
—
Usage Guidelines
You create a server group for a specific type of authentication or for accounting. The list of servers in a server group
is an ordered list, which means that the first server in the group is always used unless it is unavailable (in which
case, the next server in the list is used). You can configure servers of different types in a server group, for example,
you can include the internal database as a backup to a RADIUS server. You can add the same server to multiple
server groups. There is a predefined server group “internal” that contains the internal database.
Example
The following command configures a server group “corp-servers” with a RADIUS server as the main authentication
server and the internal database as the backup. The command also sets the client’s user role to the value of the
returned “Class” attribute.
aaa server-group corp-servers
auth-server radius1 position 1
auth-server internal position 2
set role condition Class value-of
load-balance
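The routing and rule semantics described above, modelled in Python as an added example that is not ArubaOS code: it assumes constructed users on radius1 and in the internal database, and extends the page's corp-servers example with a match-fqdn/trim-fqdn option on radius1 and two extra set rules so that ordering, set-value and value-of can all be seen.

```python
"""Illustrative model of 'aaa server-group' routing and server rules.
Added example for this page, not ArubaOS code: it models the ordered server
list, allow-fail-through, match-authstring / match-fqdn / trim-fqdn on each
auth-server, and ordered 'set role|vlan condition ...' rules. All user and
server data below is constructed; dead-time handling is out of scope."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

def split_domain(info: str) -> Tuple[Optional[str], str]:
    """(domain, user) for the <domain>\\<user> and <user>@<domain> formats
    that match-fqdn and trim-fqdn act on; anything else is (None, info)."""
    if "\\" in info:
        domain, _, user = info.partition("\\")
        return (domain, user)
    if "@" in info:
        user, _, domain = info.rpartition("@")
        return (domain, user)
    return (None, info)

# Operators shared by match-authstring (request side) and rule conditions.
OPS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda value, s: s in value,
    "equals": lambda value, s: value == s,
    "starts-with": lambda value, s: value.startswith(s),
    "ends-with": lambda value, s: value.endswith(s),
    "not-equals": lambda value, s: value != s,
}

@dataclass
class AuthServer:
    name: str
    authenticate: Callable[[str], Optional[Dict[str, str]]]  # None = reject
    match_authstring: List[Tuple[str, str]] = field(default_factory=list)
    match_fqdn: Optional[str] = None   # exact match on the <domain> part
    trim: bool = False                 # trim-fqdn

    def is_candidate(self, info: str) -> bool:
        # Request is sent only if the match options match (assumed: with
        # several match-authstring rules, any one matching suffices).
        if self.match_authstring and not any(
                OPS[op](info, s) for op, s in self.match_authstring):
            return False
        return self.match_fqdn is None or split_domain(info)[0] == self.match_fqdn

    def send(self, info: str) -> Optional[Dict[str, str]]:
        return self.authenticate(split_domain(info)[1] if self.trim else info)

@dataclass
class DerivationRule:
    target: str                      # "role" or "vlan"
    attribute: str                   # condition <attribute>
    op: Optional[str] = None         # None: matches whenever the attribute is present
    string: str = ""
    set_value: Optional[str] = None  # None models 'value-of'

@dataclass
class ServerGroup:
    servers: List[AuthServer]        # position order, 1 = top
    allow_fail_through: bool = False
    rules: List[DerivationRule] = field(default_factory=list)

    def derive(self, reply: Dict[str, str]) -> Dict[str, str]:
        """Ordered rules; the first match wins (assumed: per target)."""
        derived: Dict[str, str] = {}
        for rule in self.rules:
            if rule.target in derived or rule.attribute not in reply:
                continue
            value = reply[rule.attribute]
            if rule.op is None or OPS[rule.op](value, rule.string):
                derived[rule.target] = value if rule.set_value is None else rule.set_value
        return derived

    def authenticate(self, info: str) -> Tuple[Optional[str], Dict[str, str], List[str]]:
        """Return (accepting server or None, derived role/vlan, servers asked)."""
        asked: List[str] = []
        for server in self.servers:
            if not server.is_candidate(info):
                continue                 # request is never sent to this server
            asked.append(server.name)
            reply = server.send(info)
            if reply is not None:
                return (server.name, self.derive(reply), asked)
            if not self.allow_fail_through:
                break                    # without fail-through a rejection is final
        return (None, {}, asked)

def corp_servers() -> ServerGroup:
    """The page's corp-servers group with constructed users and two extra rules."""
    radius_users = {"jdoe": {"Class": "employee"},
                    "kgreen": {"Class": "contractor", "Aruba-User-Role": "guest"}}
    internal_db: Dict[str, Dict[str, str]] = {"bob": {}}
    radius1 = AuthServer("radius1", radius_users.get, match_fqdn="eng.net", trim=True)
    internal = AuthServer("internal", internal_db.get, trim=True)
    rules = [DerivationRule("role", "Aruba-User-Role", "equals", "guest", "guest-logon"),
             DerivationRule("role", "Class"),                        # value-of
             DerivationRule("vlan", "Class", "starts-with", "emp", "100")]
    return ServerGroup([radius1, internal], allow_fail_through=True, rules=rules)
```

Note that radius1 is never asked about a user whose domain is not eng.net; the request goes straight to the internal database, which is the behaviour to check for when a match-fqdn server group silently falls back to a weaker backend.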
Command History
Release
Modification
ArubaOS 3.0
Command introduced
ArubaOS 6.4
The load-balance parameter was added.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Config mode on master controllers
aaa sygate-on-demand (deprecated)
aaa sygate-on-demand remediation-failure-role <role>
Description
This command configures the user role assigned to clients that fail Sygate On-Demand Agent (SODA) remediation.
Command History
Version
Description
ArubaOS 3.0
Command introduced
ArubaOS 3.4
Command deprecated
aaa tacacs-accounting
aaa tacacs-accounting server-group <group>
command {action|all|configuration|show}
mode {enable|disable}
Description
This command configures reporting of commands issued on the controller to a TACACS+ server group.
Syntax
Parameter
Description
Range
Default
server-group <group>
    The TACACS server group to which the reporting is sent.
command
    The types of commands that are reported to the TACACS server group:
    action: Reports action commands only.
    all: Reports all commands.
    configuration: Reports configuration commands only.
    show: Reports show commands only.
mode
    Enables accounting for the server group.
    Range: enable/disable. Default: disabled.
Usage Guidelines
You must have previously configured the TACACS+ server and server group (see aaa authentication-server tacacs
on page 39 and aaa server-group on page 89).
Example
The following command enables accounting and reporting of configuration commands to the server-group “tacacs1”:
aaa tacacs-accounting server-group tacacs1 mode enable command configuration
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Config mode on master controllers
aaa test-server
aaa test-server {mschapv2|pap} <server> <username> <passwd>
Description
This command tests a configured authentication server.
Syntax
Parameter
Description
mschapv2
Use MSCHAPv2 authentication protocol.
pap
Use PAP authentication protocol.
<server>
Name of the configured authentication server.
<username>
Username to use to test the authentication server.
<passwd>
Password to use to test the authentication server.
Usage Guidelines
This command allows you to check a configured RADIUS authentication server or the internal database. You can
use this command to check for an “out of service” RADIUS server.
Example
The following commands add a user to the internal database and verify the configuration:
local-userdb add kgreen lkjHGfds
aaa test-server pap internal kgreen lkjHGfds
Authentication successful
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Enable mode on master controllers
aaa timers
aaa timers
dead-time <minutes>
idle-timeout <time> [seconds]
logon-lifetime <0-255>
stats-timeout <time> [seconds]
Description
This command configures the timers that you can apply to clients and servers.
Syntax
Parameter
Description
Range
Default
dead-time <minutes>
    Maximum period, in minutes, that the controller considers an unresponsive authentication server to
    be “out of service”.
    This timer is only applicable if there are two or more authentication servers configured on the
    controller. If there is only one authentication server configured, the server is never considered out of
    service and all requests are sent to the server.
    If one or more backup servers are configured and a server is unresponsive, it is marked as out of
    service for the dead time; subsequent requests are sent to the next server on the priority list for the
    duration of the dead time. If the server is responsive after the dead time has elapsed, it can take over
    servicing requests from a lower-priority server; if the server continues to be unresponsive, it is marked
    as down for the dead time.
    Range: 0-50. Default: 10 minutes.
idle-timeout <1-15300>
    Maximum number of minutes after which a client is considered idle if there is no user traffic from the
    client.
    The timeout period is reset if there is user traffic. If there is no IP traffic in the timeout period or
    there is no 802.11 traffic as indicated in the station ageout time that is set in the wlan ssid profile,
    the client is aged out. Once the timeout period has expired, the user is removed immediately and no
    ping request is sent. If the seconds parameter is not specified, the value defaults to minutes.
    Range: 1 to 255 minutes (30 to 15300 seconds). Default: 5 minutes (300 seconds).
logon-lifetime
    Maximum time, in minutes, that unauthenticated clients are allowed to remain logged on.
    Range: 0-255. Default: 5 minutes.
stats-timeout
    User interim stats timeout value. If the seconds parameter is not specified, the value defaults to
    minutes.
    Range: 5-10 minutes (300 to 600 seconds). Default: 10 minutes (600 seconds).
Usage Guidelines
These parameters can be left at their default values for most implementations.
Example
The following command changes the idle time to 10 minutes:
aaa timers idle-timeout 10
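The dead-time failover behaviour described in the table above, as an added Python model that is not ArubaOS code: the servers, their outage windows, and the minute-based clock are constructed, and the only rule implemented is the one the dead-time description gives.

```python
"""Illustrative model of the 'aaa timers dead-time' failover behaviour.
Added example for this page, not ArubaOS code. An unresponsive server in a
multi-server priority list is marked out of service for dead-time minutes and
skipped; after the dead time elapses it is tried again (and marked down again
if still unresponsive). With a single server nothing is ever marked down.
Servers and clock values are constructed; time is an integer minute."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

@dataclass
class Server:
    name: str
    # Stand-in for the real exchange: True = accept, False = reject,
    # TimeoutError = the server did not respond at all.
    query: Callable[[str, int], bool]
    out_of_service_until: Optional[int] = None  # minute at which dead time ends

def make_server(name: str, down_until: int, accepted_users: Set[str]) -> Server:
    """Constructed server that is unresponsive before minute `down_until`."""
    def query(user: str, now: int) -> bool:
        if now < down_until:
            raise TimeoutError(name)
        return user in accepted_users
    return Server(name, query)

@dataclass
class FailoverList:
    servers: List[Server]        # priority order, first entry is preferred
    dead_time: int = 10          # minutes; page default 10, range 0-50
    log: List[str] = field(default_factory=list)

    def _available(self, server: Server, now: int) -> bool:
        until = server.out_of_service_until
        return until is None or now >= until

    def authenticate(self, user: str, now: int) -> Tuple[Optional[bool], Optional[str]]:
        """Return (verdict, name of the server that answered); verdict is
        None when no server responded."""
        multiple = len(self.servers) > 1   # dead-time only applies with 2+ servers
        for server in self.servers:
            if multiple and not self._available(server, now):
                self.log.append(f"t={now}: skip {server.name}, out of service "
                                f"until t={server.out_of_service_until}")
                continue
            try:
                verdict = server.query(user, now)
            except TimeoutError:
                if multiple:
                    server.out_of_service_until = now + self.dead_time
                    self.log.append(f"t={now}: {server.name} unresponsive, out of "
                                    f"service until t={server.out_of_service_until}")
                else:
                    self.log.append(f"t={now}: {server.name} unresponsive, "
                                    "single server so it stays in service")
                continue
            self.log.append(f"t={now}: {server.name} answered "
                            f"{'accept' if verdict else 'reject'} for {user}")
            return (verdict, server.name)
        return (None, None)

def corp_failover() -> FailoverList:
    """Constructed scenario: radius1 (primary) is down until minute 25."""
    primary = make_server("radius1", down_until=25, accepted_users={"jdoe"})
    backup = make_server("radius2", down_until=0, accepted_users={"jdoe"})
    return FailoverList([primary, backup], dead_time=10)

if __name__ == "__main__":
    fl = corp_failover()
    for minute in (0, 5, 10, 30):
        print(minute, fl.authenticate("jdoe", minute))
    print("\n".join(fl.log))
```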
Related Commands
(host) (config) #show aaa timers
(host) (config) #show datapath user table
Command History
Version
Description
ArubaOS 3.0
Command introduced
ArubaOS 3.4
Idle timeout values and defaults changed
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Config mode on master controllers
aaa trusted-ap
aaa trusted-ap <macaddr>
Description
This command configures a trusted non-Aruba AP.
Syntax
Parameter
Description
<macaddr>
MAC address of the AP
Usage Guidelines
This command configures a non-Aruba AP as a trusted AP.
Example
The following command configures a trusted non-Aruba AP:
aaa trusted-ap 00:40:96:4d:07:6e
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Config mode on master controllers
aaa user add
aaa user add <ipaddr> [<nusers>] [authentication-method {dot1x|mac|stateful-dot1x|vpn|
web}] [mac-addr <macaddr>] [name <username>] [profile <aaa_profile>] [role <role>]
Description
This command manually assigns a user role or other values to a specified client or device.
Syntax
Parameter
Description
<ipaddr>
IP address of the user to be added.
<nusers>
Number of users to create starting with <ipaddr>.
authentication-method
Authentication method for the user.
dot1x
802.1X authentication.
mac
MAC authentication.
stateful-dot1x
Stateful 802.1X authentication.
vpn
VPN authentication.
web
Captive portal authentication.
mac-addr <macaddr>
MAC address of the user.
name <username>
Name for the user.
profile <aaa_profile>
AAA profile for the user.
role <role>
Role for the user.
Usage Guidelines
This command should only be used for troubleshooting issues with a specific client or device. This command allows
you to manually assign a client or device to a role. For example, you can create a role “debugging” that includes a
policy to mirror session packets to a specified destination for further examination, then use this command to assign
the “debugging” role to a specific client. Use the aaa user delete command to remove the client or device from the
role.
Note that issuing this command does not affect ongoing sessions that the client may already have. For example, if a
client is in the “employee” role when you assign them to the “debugging” role, the client continues any sessions
allowed with the “employee” role. Use the aaa user clear-sessions command to clear ongoing sessions.
Example
The following commands create a role that logs HTTPS traffic, then assign the role to a specific client:
ip access-list session log-https
any any svc-https permit log
user-role web-debug
session-acl log-https
In enable mode:
aaa user add 10.1.1.236 role web-debug
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Enable mode on master controllers
aaa user clear-sessions
aaa user clear-sessions <ipaddr>
Description
This command clears ongoing sessions for the specified client.
Syntax
Parameter
Description
<ipaddr>
IP address of the user.
Usage Guidelines
This command clears any ongoing sessions that the client already had before being assigned a role with the aaa
user add command.
Example
The following command clears ongoing sessions for a client:
aaa user clear-sessions 10.1.1.236
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Enable mode on master controllers
aaa user delete
aaa user delete {<ipaddr>|all|mac <macaddr>|name <username>|role <role>}
Description
This command deletes clients, users, or roles.
Syntax
Parameter
Description
<ipaddr>
IP address of the client to be deleted.
all
Deletes all connected clients.
mac
MAC address of the client to be deleted.
name
Name of the client to be deleted.
role
Role of the client to be deleted.
Usage Guidelines
This command allows you to manually delete clients, users, or roles. For example, if you used the aaa user add
command to assign a user role to a client, you can use this command to remove the role assignment.
Example
The following command deletes clients by role:
aaa user delete role web-debug
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Enable mode on master controllers
aaa user fast-age
aaa user fast-age
Description
This command enables fast aging of user table entries.
Syntax
No parameters.
Usage Guidelines
When this feature is enabled, the controller actively sends probe packets to all users with the same MAC address
but different IP addresses. The users that fail to respond are purged from the system. This command enables quick
detection of multiple instances of the same MAC address in the user table and removal of an “old” IP address. This
can occur when a client (or an AP connected to an untrusted port on the controller) changes its IP address.
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Config mode on master controllers
aaa user logout
aaa user logout <ipaddr>
Description
This command logs out a client.
Syntax
Parameter
Description
<ipaddr>
IP address of the client to be logged out.
Usage Guidelines
This command logs out an authenticated client. The client must reauthenticate.
Example
The following command logs out a client:
aaa user logout 10.1.1.236
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Enable mode on master controllers
aaa user monitor
aaa user monitor <ipaddr>|off
Description
This command checks to see whether an authenticated user's attributes differ from those in the SOS.
Syntax
Parameter
Description
<ipaddr>
IP address of the user whose attributes are being checked.
off
Disable aaa user monitoring
Usage Guidelines
This command installs a timer that polls the SOS every 60 seconds and checks the following:
- L3 ACLs
- Upstream bandwidth contract
- Downstream bandwidth contract
Example
The following command checks user SOS attributes:
aaa user monitor 10.1.1.236
Command History
This command was introduced in ArubaOS 6.2.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Enable mode on master controllers
aaa user purge-log
aaa user purge-log
Description
This command clears AAA user log files.
Syntax
No parameters
Usage Guidelines
Per-user log files for AAA events can be used for troubleshooting issues with a specific client or device. This
command clears log information for deleted users.
Example
aaa user purge-log
Command History
This command was available in ArubaOS 6.3.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Enable mode on master controllers
aaa user stats-poll
aaa user stats-poll <secs>
Description
This command enables user statistics polling. If enabled, ArubaOS polls user data to verify that user information in
the controller datapath is in synchronization with the data in the controller's authentication module.
Syntax
Parameter
Description
<secs>
This command enables user statistics polling, and defines the time interval
between polls. The supported range is 60-600 seconds.
Example
The following command enables user statistics polling with an interval of 10 minutes:
aaa user stats-poll 600
Command History
This command was introduced in ArubaOS 6.2.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Config mode on master controllers
aaa xml-api
aaa xml-api server <ipaddr>
clone <server>
default-authentication-role <role>
key <key>
no ...
Description
This command configures an external XML API server.
Syntax
Parameter
Description
server
IP address of the external XML API server.
clone
Name of an existing XML API server configuration from which
parameter values are copied.
key
Preshared key to authenticate communication between the controller
and the XML API server.
default-authentication-role <
role>
Name of the role to be assigned to users after completing XML server
authorization.
no
Negates any configured parameter.
Usage Guidelines
XML API is used for authentication and subscriber management from external agents. This command configures an
external XML API server. For example, an XML API server can send a blacklist request for a client to the controller.
The server configured with this command is referenced in the AAA profile for the WLAN (see aaa profile on page 80).
Contact your Aruba representative for more information about using the XML API.
Example
The following command configures an XML API server:
aaa xml-api server 10.210.1.245
key qwerTYuiOP
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms
Licensing
Command Mode
All platforms
PEFNG license
Config mode on master controllers
activate whitelist download
activate whitelist download
Description
This command synchronizes the remote AP whitelist on the controller with the Activate whitelist database.
Syntax
No parameters
Usage Guidelines
Use this command to synchronize the controller's remote AP whitelist with the cloud-based Activate service. The
controller and the Activate server must have layer-3 connectivity to communicate.
Example
The following example synchronizes the Activate whitelist with the remote AP whitelist on the controller:
(host)(config)# activate whitelist download
Related Commands
Parameter
Description
activate-service-whitelist
This command configures the profile that allows the controller to synchronize its
remote AP whitelist from the cloud-based Activate service.
Command History
This command was introduced in ArubaOS 6.3.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Enable mode on master or local
controllers
activate-service-whitelist
activate-service-whitelist
add-only
interval <days>
no ...
password <password>
username <username>
whitelist-enable
Description
This command configures the profile that allows the controller to integrate with the Aruba Activate cloud-based
services to track, provision and update your remote APs.
Syntax
Parameter
Description
add-only
Allow only addition or modification of entries to the Activate remote AP whitelist
database. This parameter is enabled by default. If this setting is disabled, the
activate whitelist download command can both add and remove entries from the
Activate database.
interval <days>
Number of days between the automatic synchronization of the controller remote
AP whitelist entries with the Activate whitelist.
The supported range is 1-7 days, and the default value is 1 day.
no
Removes or disables an existing parameter.
password <password>
Activate user password
username <username>
Activate username
whitelist-enable
Issue this command to enable secure AP whitelist synchronization with the Activate service. This feature is disabled by default.
Usage Guidelines
Use this command to configure the credentials to synchronize the remote AP whitelist with an Activate server. The
controller and the Activate server must have layer-3 connectivity to communicate.
Example
The following example enables the Activate whitelist service on the controller:
(host)(config)# activate-service-whitelist
(host)(activate-service-whitelist) #username user2 password pA$$w0rd whitelist-enable
Related Commands
Parameter
Description
activate whitelist download
This command synchronizes the remote AP whitelist on the controller from the
cloud-based Activate service.
Command History
This command was introduced in ArubaOS 6.3.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Config mode on master or local
controllers
adp
adp discovery {disable|enable} igmp-join {disable|enable} igmp-vlan <vlan>
Description
This command configures the Aruba Discovery Protocol (ADP).
Syntax
Parameter
Description
Range
Default
discovery
    Enables or disables ADP on the controller.
    Range: enabled/disabled. Default: enabled.
igmp-join
    Enables or disables sending of Internet Group Management Protocol (IGMP) join requests from the
    controllers.
    Range: enabled/disabled. Default: enabled.
igmp-vlan
    VLAN to which IGMP reports are sent.
    Default: 0 (default route VLAN used).
Usage Guidelines
Aruba APs send out periodic multicast and broadcast queries to locate the master controller. If the APs are in the
same broadcast domain as the master controller and ADP is enabled on the controller, the controller automatically
responds to the APs’ queries with its IP address. If the APs are not in the same broadcast domain as the master
controller, you need to enable multicast on the network. You also need to make sure that all routers are configured to
listen for IGMP join requests from the controller and can route the multicast packets. Use the show adp config
command to verify that ADP and IGMP join options are enabled on the controller.
Example
The following example enables ADP and the sending of IGMP join requests on the controller:
adp discovery enable igmp-join enable
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Config mode on master controllers
airgroup
airgroup
server-refresh <mac> MAC-address
test-server <name> <mac> MAC-address
active-domain <STRING>
active-wireless-discovery {disable | enable}
cppm-server aaa
no
rfc-3576-server <rfc3576_server>
rfc3576_udp_port <rfc3576_udp_port>
server-dead-time <server-dead-time>
server-group <server-group>
cppm-server {enforce-registration | query-interval <1..24>}
disable
dlna {disable | enable}
domain <STRING>
enable
global-credits <query packets> <response packets>
ipv6
location-discovery {disable | enable}
mdns {disable | enable}
service <STRING> {disable | enable}
static <mdns-record>
vlan <NUMBER>
Description
This command configures AirGroup global settings, domain, and active-domain parameters.
Syntax
Parameter
Description
Range
Default
server-refresh
    Sends a Refresh packet to refresh the cache for a device.
    NOTE: This parameter is available only in Enable mode.
<mac> MAC-address
    MAC address of the AirGroup server.
    NOTE: This parameter is available only in Enable mode.
test-server
    Tests the AirGroup RADIUS server.
    NOTE: This parameter is available only in Enable mode.
<name>
    Name of the RADIUS server.
    NOTE: This parameter is available only in Enable mode.
active-domain <STRING>
    This command configures an AirGroup active-domain for an AirGroup cluster.
active-wireless-discovery {disable | enable}
    If enabled, the controller actively sends refresh requests to discover wireless servers. If disabled, the
    controller sends refresh requests to wired AirGroup servers only.
    This parameter is available on the master controller only. The master controller pushes this AirGroup
    configuration to all the applicable local controllers.
    Default: disabled.
cppm-server aaa {no | rfc-3576-server <rfc3576_server> | rfc3576_udp_port <rfc3576_udp_port> | server-dead-time <server-dead-time> | server-group <server-group>}
    Configure the following settings in the AirGroup AAA profile:
    no: Delete command.
    rfc-3576-server <rfc3576_server>: Configure the RFC 3576 server IP address.
    rfc3576_udp_port <rfc3576_udp_port>: Configure the UDP port number.
    server-dead-time <server-dead-time>: Server dead time in minutes.
    server-group <server-group>: Name of the server group.
    This parameter is available on the master controller only. The master controller pushes this AirGroup
    configuration to all the applicable local controllers.
    Default: server-dead-time: 0.
cppm-server {enforce-registration | query-interval <1..24>}
    enforce-registration: Use this parameter to force AirGroup servers to register with CPPM.
    query-interval: Configures the CPPM query interval in the controller.
    This parameter is available on the master controller only. The master controller pushes this AirGroup
    configuration to all the applicable local controllers.
    Range: query-interval: 1 to 24 hours.
disable
    Disable AirGroup on the controller.
dlna {disable | enable}
    Enable AirGroup DLNA support on the controller.
    Default: disabled.
domain <STRING>
    Configure the AirGroup domain.
    This parameter is available on the master controller only. The master controller pushes this AirGroup
    configuration to all the applicable local controllers.
enable
    Enable AirGroup on the controller.
global-credits <query packets> <response packets>
    In an AirGroup network, AirGroup devices generate excess mDNS query and response packets. Using this
    command, the controller restricts these packets by assigning tokens. The controller processes these mDNS
    packets based on this token value and rejects any packets beyond this token limit. The token renews every
    15 seconds. The renewal time is not a configurable parameter.
    Range: 15 to 15000. Default: 150.
ipv6
    This command enables or disables AirGroup IPv6 support on the controller.
    Default: disabled.
location-discovery {disable | enable}
    If enabled, an AirGroup user can see shared devices based on the user’s proximity.
    This parameter is available on the master controller only. The master controller pushes this AirGroup
    configuration to all the applicable local controllers.
    Default: enabled.
mdns {disable | enable}
    Enable AirGroup mDNS support on the controller.
    Default: disabled.
service <STRING> {disable | enable}
    Enable or disable an AirGroup service on the controller.
    Default: services enabled by default are AirPlay, AirPrint, and Chromecast; services disabled by default
    are iTunes, RemoteMgmt, Sharing, Chat, allowall, DLNA Media, and DLNA Print.
static <mdns-record>
    Configure the static mDNS record. For more information, see airgroup static mdns-record on page 118.
vlan <NUMBER>
    Configure a disallowed VLAN ID.
    Range: 1 to 4049.
Usage Guidelines
Starting from ArubaOS 6.4, AirGroup is disabled by default. For the remaining global parameters, see the command
syntax.
Example
Access the controller’s command-line interface and use the following command to enable the AirGroup Global
Setting:
(host) (config) #airgroup server-refresh <mac> MAC-address
(host) (config) #airgroup test-server <name> <mac> MAC-address
(host) (config) #airgroup enable
(host) (config) #airgroup dlna enable
(host) (config) #airgroup mdns enable
(host) (config) #airgroup cppm-server enforce-registration
(host) (config) #airgroup query-interval 10
(host) (config) #airgroup location-discovery enable
(host) (config) #airgroup active-wireless-discovery enable
Use the following command to enable the allowall service:
(host) (config) #airgroup service allowall enable
Use the following command to enable AirGroup access to devices in a specific VLAN:
(host) (config) #airgroup vlan 5 disallow
Related Commands
  show airgroup: This command displays AirGroup global settings, domain, active-domain, and more AirGroup configuration information on the controller.
Command History
  ArubaOS 6.3: Command introduced.
  ArubaOS 6.4: The static <mdns-record> parameter was introduced.
Command Information
  Platforms: All platforms
  Licensing: Base operating system
  Command Mode: Configuration mode on master and local controllers. The following commands are available only in Enable mode:
    • (config) # airgroup server-refresh <mac> MAC-address
    • (config) # airgroup test-server <name> <mac> MAC-address
  NOTE: A few configuration parameters are available on the master controller only. For more information, see the Syntax table description.
airgroupservice
airgroupservice <STRING>
description <STRING>
disallow-role <STRING>
disallow-vlan <1..4094>
id <STRING>
no
Description
This command defines an AirGroup service on the master controller. The master controller pushes this AirGroup configuration to all the applicable local controllers.
Syntax
  airgroupservice <STRING>
    Name of the AirGroup service.
  description <STRING>
    Description of the AirGroup service.
  disallow-role <STRING>
    User role restricted from accessing the service.
  disallow-vlan <1..4094>
    User VLAN restricted from accessing the service.
    Range: 1-4094
  id
    An AirGroup service ID is the name of a Bonjour service offered by a Bonjour-enabled device or application. Bonjour defines service ID strings using the following format:
      _<servicename>._<protocol>.local
    Example: _airplay._tcp.local
    The service ID string is case sensitive and should be entered without any modification, with the exception of the .local portion of the service ID, which is optional.
  no
    Use this command to delete or negate previously entered configurations or parameters.
Example
The following example configures the iPhoto service with access to the _dpap._tcp service ID to share photos
across MacBooks:
(host) (config) #airgroupservice iPhoto
(host) (config-airgroupservice) #description "Share Photos"
(host) (config-airgroupservice) #id _dpap._tcp
Related Commands
  show airgroupservice: This command displays the service details of all AirGroup services in the controller.
Command History
  ArubaOS 6.3: Command introduced.
Command Information
  Platforms: All platforms
  Licensing: Base operating system
  Command Mode: Configuration mode on master controllers
airgroup static mdns-record
airgroup static mdns-record
ptr <mac_addr> <mdns_id> <domain_name> [server_ipaddr]
srv <port> <priority> <weight> <host_name>
a <ipv4addr>
aaaa <ipv6addr>
txt <text>
no…
Description
This command configures group static mDNS records.
Syntax
  ptr
    Specifies the PTR (Pointer) record that is used for DNS Service Discovery.
  mac_addr
    MAC address of the server.
  mdns_id <STRING>
    Specify the AirGroup mDNS service ID, that is, the name of a Bonjour service offered by a Bonjour-enabled device or application. Bonjour defines mDNS service ID strings using the following format:
      _<servicename>._<protocol>.local
    Example: _airplay._tcp.local
    Range: The string can include the following characters: 0-9, a-z, A-Z, and '-'.
  domain_name <STRING>
    Specify the name of the domain.
    Range: 1 to 128 characters
  server_ipaddr <STRING>
    IP address of the server.
  srv
    Specifies the SRV (Service) record that is used for mapping a DNS domain name to a specified list of DNS host servers.
  port
    Port value of the static mDNS record.
    Range: 0 to 65535
  priority
    Priority of the static mDNS record.
    Range: 0 to 65535
  weight
    Weight of the static mDNS record.
    Range: 0 to 65535
  host_name <STRING>
    Host name of the static mDNS record.
    Range: 1 to 63 characters
  a
    Specifies the A (Address) record that is used for mapping a Domain Name System (DNS) domain name to an IP address that is used by a host.
  ipv4addr
    IPv4 address of the server.
  aaaa
    Specifies the AAAA (IPv6 address) record. This is used for mapping host names to an IPv6 address of the host.
  ipv6addr
    IPv6 address of the server.
  text
    Specifies the TXT record for human-readable text in a DNS record.
    Range: 1-255 characters
  server_ipaddr
    Specifies the IP address of the AirGroup server.
  no
    Negates any configured parameter.
Usage Guidelines
In ArubaOS 6.4, the administrator can create static records using the following methods:
  • Group mDNS static records
  • Individual mDNS static records
After creating a PTR record, the controller enters the AirGroup record configuration mode, allowing you to add SRV, A, AAAA, and TXT records. After creating the PTR, SRV, TXT, A, and AAAA static records, use the show airgroup cache entries command to view and verify the records created. You can view only the static records in the output of the show airgroup cache entries static command.
Example
Group mDNS Static Records
You can create a group of mDNS records for a device. This section describes how to create static records of a
server as a group using the CLI.
Creating a PTR Record
Use the following command to create a PTR record:
(config) # airgroup static mdns-record ptr <mac_addr> <mdns_id> <domain_name> [server_ipaddr]
(config-airgroup-record) #
After creating a PTR record, the controller displays the (config-airgroup-record) # prompt, and you can create SRV, A, AAAA, and TXT records under this prompt.
After creating a PTR, SRV, TXT, A, and AAAA static record, you can use the show airgroup cache entries command to
view and verify the records created. You can view only the static records in the output of the show airgroup cache
entries static command.
The following example creates a PTR record:
(host) (config) #airgroup static mdns-record ptr 9c:20:7b:cd:ec:41 "_airplay._tcp" "Apple TV (9)._airplay._tcp.local" 10.15.121.240
The following example shows the PTR record was created:
(host) (config-airgroup-record) #show airgroup cache entries
Cache Entries
-------------
Name                 Type  Class  TTL   Origin         Expiry  Last Update
----                 ----  -----  ---   ------         ------  -----------
_airplay._tcp.local  PTR   IN     4500  10.15.121.240  static  N/A
Num Cache Entries:1
Creating an SRV Record
Use the following command to create an SRV record:
(config-airgroup-record) # srv <port> <priority> <weight> <host_name>
The following example creates an SRV record:
(host) (config-airgroup-record) #srv 7000 0 0 Apple-TV-mbabu-9.local
The following example shows the SRV record was created:
(host) (config-airgroup-record) #show airgroup cache entries
Cache Entries
-------------
Name                              Type        Class  TTL   Origin         Expiry
----                              ----        -----  ---   ------         ------
_airplay._tcp.local               PTR         IN     4500  10.15.121.240  static
Apple TV (9)._airplay._tcp.local  SRV/NBSTAT  IN     120   10.15.121.240  static
Num Cache Entries:2
Creating an A Record
Use the following command to create an A record:
(config-airgroup-record) #a <ipv4addr>
You can create/delete an A record if a corresponding SRV record is available.
The following example creates an A record:
(host) (config-airgroup-record) #a 10.15.121.240
The following example shows the A record was created:
(host) (config-airgroup-record) #show airgroup cache entries
Cache Entries
-------------
Name                              Type        Class  TTL   Origin         Expiry  Last Update
----                              ----        -----  ---   ------         ------  -----------
_airplay._tcp.local               PTR         IN     4500  10.15.121.240  static  N/A
Apple TV (9)._airplay._tcp.local  SRV/NBSTAT  IN     120   10.15.121.240  static  N/A
Apple-TV-mbabu-9.local            A           IN     120   10.15.121.240  static  N/A
Num Cache Entries:3
Creating an AAAA Record
Use the following command to create an AAAA record:
(config-airgroup-record) #aaaa <ipv6addr>
You can create/delete an AAAA record if a corresponding SRV record is available.
The following example creates an AAAA record:
(host) (config-airgroup-record) #aaaa fe80::9e20:7bff:fecd:ec41
The following example shows the AAAA record was created:
(host) (config-airgroup-record) #show airgroup cache entries static
Cache Entries
-------------
Name                              Type        Data                                          Origin
----                              ----        ----                                          ------
_airplay._tcp.local               PTR         Apple\032TV\032\0409\041._airplay._tcp.local  10.15.121.240
Apple TV (9)._airplay._tcp.local  SRV/NBSTAT  Apple-TV-mbabu-9.local port:7000              10.15.121.240
Apple-TV-mbabu-9.local            A           10.15.121.240                                 10.15.121.240
Apple-TV-mbabu-9.local            AAAA        fe80::9e20:7bff:fecd:ec41                     10.15.121.240
Num Cache Entries:4
Creating a Text Record
Use the following command to create a text record:
(config-airgroup-record) #txt <text>
The following example creates a text record:
(host) (config-airgroup-record) #txt "deviceid=9C:20:7B:CD:EC:41"
The following example shows the text record was created:
(host) (config-airgroup-record) #show airgroup cache entries static
Cache Entries
-------------
Name                              Type        Data                                          Origin
----                              ----        ----                                          ------
_airplay._tcp.local               PTR         Apple\032TV\032\0409\041._airplay._tcp.local  10.15.121.240
Apple TV (9)._airplay._tcp.local  SRV/NBSTAT  Apple-TV-mbabu-9.local port:7000              10.15.121.240
Apple-TV-mbabu-9.local            A           10.15.121.240                                 10.15.121.240
Apple-TV-mbabu-9.local            AAAA        fe80::9e20:7bff:fecd:ec41                     10.15.121.240
Apple TV (9)._airplay._tcp.local  TXT         deviceid=9C:20:7B:CD:EC:41                    10.15.121.240
Num Cache Entries:5
Individual Static mDNS Records
You can create individual static records independently for each record type.
Creating an Individual SRV Record
Use the following command to configure an individual SRV record:
airgroup static mdns-record srv <mac_addr> <domain_name> <port> <priority> <weight> <host_name> [server_ipaddr]
The following example creates an SRV record:
(host) (config) #airgroup static mdns-record srv 9c:20:7b:cd:ec:41 "9C207BCDEC41@Apple TV mbabu._raop._tcp.local" 5000 0 0 Apple-TV-mbabu-4.local 10.15.121.240
The following example shows the SRV record created:
(host) (config) #show airgroup cache entries
Cache Entries
-------------
Name                                          Type        Class  TTL   Origin         Expiry  Last Update
----                                          ----        -----  ---   ------         ------  -----------
_airplay._tcp.local                           PTR         IN     4500  10.15.121.240  static  N/A
9C207BCDEC41@Apple TV mbabu._raop._tcp.local  SRV/NBSTAT  IN     120   10.15.121.240  static  N/A
Num Cache Entries:2
Creating an Individual Text Record
Use the following command to configure an individual TEXT record:
airgroup static mdns-record txt <mac_addr> <domain_name> <text> [server_ipaddr]
The following example creates a TEXT record:
(host) (config) #airgroup static mdns-record txt 9c:20:7b:cd:ec:41 "Apple TV mbabu (4)._airplay._tcp.local" "features=0x5a7ffff7" 10.15.121.240
The following example shows the TEXT record was created:
Cache Entries
-------------
Name                                          Type        Class  TTL   Origin         Expiry  Last Update
----                                          ----        -----  ---   ------         ------  -----------
_airplay._tcp.local                           PTR         IN     4500  10.15.121.240  static  N/A
9C207BCDEC41@Apple TV mbabu._raop._tcp.local  SRV/NBSTAT  IN     120   10.15.121.240  static  N/A
Apple TV mbabu (4)._airplay._tcp.local        TXT         IN     4500  10.15.121.240  static  N/A
Num Cache Entries:3
Creating an Individual A Record
Use the following command to configure an individual A record:
airgroup static mdns-record a <mac_addr> <host_name> <ipv4addr> [server_ipaddr]
The following example creates an A record:
(host) (config) #airgroup static mdns-record a 9c:20:7b:cd:ec:41 Apple-TV-mbabu-4.local 10.15.121.240
The following example shows the A record was created:
Cache Entries
-------------
Name                                          Type        Class  TTL   Origin         Expiry  Last Update
----                                          ----        -----  ---   ------         ------  -----------
_airplay._tcp.local                           PTR         IN     4500  10.15.121.240  static  N/A
9C207BCDEC41@Apple TV mbabu._raop._tcp.local  SRV/NBSTAT  IN     120   10.15.121.240  static  N/A
Apple TV mbabu (4)._airplay._tcp.local        TXT         IN     4500  10.15.121.240  static  N/A
Apple-TV-mbabu-4.local                        A           IN     120   10.15.121.240  static  N/A
Num Cache Entries:4
Creating an Individual AAAA Record
Use the following command to configure an individual AAAA record:
airgroup static mdns-record aaaa <mac_addr> <host_name> <ipv6addr> [server_ipaddr]
The following example creates an individual AAAA record:
(host) (config) #airgroup static mdns-record aaaa 9c:20:7b:cd:ec:41 Apple-TV-mbabu-4.local fe80::9e20:7bff:fecd:ec41
The following example shows the AAAA record created:
Cache Entries
-------------
Name                                          Type        Class  TTL   Origin         Expiry  Last Update
----                                          ----        -----  ---   ------         ------  -----------
_airplay._tcp.local                           PTR         IN     4500  10.15.121.240  static  N/A
9C207BCDEC41@Apple TV mbabu._raop._tcp.local  SRV/NBSTAT  IN     120   10.15.121.240  static  N/A
Apple TV mbabu (4)._airplay._tcp.local        TXT         IN     4500  10.15.121.240  static  N/A
Apple-TV-mbabu-4.local                        A           IN     120   10.15.121.240  static  N/A
Apple-TV-mbabu-4.local                        AAAA        IN     120   10.15.121.240  static  N/A
Num Cache Entries:5
You can delete the mDNS records by appending no at the beginning of the command. Ensure that the [server_ipaddr]
parameter is not added while deleting mDNS records.
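The guide says to verify static records with show airgroup cache entries static, but it does not say what "verified" means. As an added example (not ArubaOS code and not from the guide), the following Python script parses the static cache output in the "Name Type Data Origin" format shown above and checks that each advertisement is complete: every PTR service ID has the _<servicename>._<protocol>.local form and points at an existing SRV instance, every SRV target host has an A or AAAA record, and every TXT record hangs off an existing SRV instance. The sample output is constructed from the rows in this section; the \DDD escapes in the PTR data column are decoded so the PTR target matches the SRV name.

```python
"""Audit the static mDNS records listed by 'show airgroup cache entries static'.

Added example for this section of the guide; it is not ArubaOS code. The
checks below (PTR -> SRV instance -> A/AAAA host, TXT attached to an SRV
instance) are this script's own, not controller behaviour.
"""
import re
from collections import defaultdict

# Record type strings exactly as the controller prints them in the output above.
RECORD_TYPES = ("PTR", "SRV/NBSTAT", "A", "AAAA", "TXT")

# Service ID format from the mdns_id description: _<servicename>._<protocol>.local,
# built from the characters 0-9, a-z, A-Z and '-'.
SERVICE_ID_RE = re.compile(r"^_[0-9A-Za-z-]+\._(tcp|udp)\.local$")

# Constructed sample: the five rows of the group-record example in this section.
SAMPLE_OUTPUT = "\n".join([
    "Cache Entries",
    "-------------",
    "Name Type Data Origin",
    "---- ---- ---- ------",
    r"_airplay._tcp.local PTR Apple\032TV\032\0409\041._airplay._tcp.local 10.15.121.240",
    "Apple TV (9)._airplay._tcp.local SRV/NBSTAT Apple-TV-mbabu-9.local port:7000 10.15.121.240",
    "Apple-TV-mbabu-9.local A 10.15.121.240 10.15.121.240",
    "Apple-TV-mbabu-9.local AAAA fe80::9e20:7bff:fecd:ec41 10.15.121.240",
    "Apple TV (9)._airplay._tcp.local TXT deviceid=9C:20:7B:CD:EC:41 10.15.121.240",
    "Num Cache Entries:5",
])

# Constructed variant with the A and AAAA rows removed, leaving the SRV target dangling.
SAMPLE_MISSING_HOST = "\n".join(
    line for line in SAMPLE_OUTPUT.splitlines() if " A " not in line and " AAAA " not in line
)


def unescape_dns(label):
    r"""Decode the \DDD decimal escapes the PTR data column uses for spaces and parentheses."""
    return re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1))), label)


def parse_static_cache(output):
    """Parse rows into dicts. Names may contain spaces, so each row is split
    around the first token that is a known record type; the origin is the last token."""
    records = []
    for line in output.splitlines():
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in RECORD_TYPES), None)
        if idx is None or idx == 0 or len(tokens) < idx + 3:
            continue  # title, header, separator or count line
        records.append({
            "name": " ".join(tokens[:idx]),
            "type": tokens[idx].split("/")[0],  # SRV/NBSTAT -> SRV
            "data": " ".join(tokens[idx + 1:-1]),
            "origin": tokens[-1],
        })
    return records


def audit_static_records(output):
    """Return a list of findings; an empty list means every record chain is complete."""
    by_type = defaultdict(dict)
    for rec in parse_static_cache(output):
        by_type[rec["type"]][rec["name"]] = rec["data"]

    findings = []
    for service, target in by_type["PTR"].items():
        if not SERVICE_ID_RE.match(service):
            findings.append(f"PTR {service!r} is not a _<servicename>._<protocol>.local ID")
        instance = unescape_dns(target)
        if instance not in by_type["SRV"]:
            findings.append(f"PTR {service!r} points at {instance!r} but no SRV record exists")
    for instance, data in by_type["SRV"].items():
        host = data.split()[0]  # "Apple-TV-mbabu-9.local port:7000" -> target host name
        if host not in by_type["A"] and host not in by_type["AAAA"]:
            findings.append(f"SRV {instance!r} targets {host!r} which has no A or AAAA record")
    for instance in by_type["TXT"]:
        if instance not in by_type["SRV"]:
            findings.append(f"TXT {instance!r} has no matching SRV record")
    return findings


if __name__ == "__main__":
    for label, text in (("complete", SAMPLE_OUTPUT), ("missing host", SAMPLE_MISSING_HOST)):
        print(label, audit_static_records(text) or "OK")
```

Paste the real controller output in place of SAMPLE_OUTPUT; a non-empty findings list points at the record that still has to be added under the (config-airgroup-record) # prompt.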
Command History
  ArubaOS 6.4: Command introduced.
Command Information
  Platforms: All platforms
  Licensing: Base operating system
  Command Mode: Config mode
am
am scan <ipaddr> <channel> [bssid <bssid>]
am test <ipaddr> {suspect-rap bssid <bssid> match-type <match-type> match-method <method>|wired-mac {add|remove {bssid <bssid>|enet-mac <enet-mac>} mac <mac>}
Description
These commands enable channel scanning or testing for the specified air monitor.
Syntax
  scan <ipaddr>
    IP address of the air monitor to be scanned.
  <channel>
    Channel to which the scanning is tuned. Set to 0 to enable scanning of all channels.
  bssid <bssid>
    BSSID of the air monitor.
  test <ipaddr>
    IP address of the air monitor to be tested.
  suspect-rap
    Tests the suspect-rap feature.
  match-type
    Match type.
    Range: eth-wm | ap-wm | eth-gwwm
  match-method
    Match method.
    Range: equal | plus-one | minus-one
  wired-mac
    Tests the rogue AP classification feature. Specifies the Wired MAC table.
  enet-mac
    Specifies the Ethernet MAC table.
  mac
    Specifies the MAC entry to add/remove from either the Wired MAC table or the Ethernet MAC table.
Usage Guidelines
These commands are intended to be used with an Aruba AP that is configured as an air monitor. You should not use
the am test command unless instructed to do so by an Aruba representative.
Example
The following command sets the air monitor to scan all channels:
(host) (config) #am scan 10.1.1.244 0
Command History
  ArubaOS 3.0: Command introduced
  ArubaOS 3.3.1: Support for the wired-mac and associated parameters was introduced.
Command Information
  Platforms: All platforms
  Licensing: Base operating system
  Command Mode: Enable and Config mode on master controllers
ap authorization-profile
ap authorization-profile <profile>
authorization-group <profile>
Description
This command defines a temporary configuration profile for remote APs that are not yet authorized on the network.
Syntax
  authorization-profile <profile>
    Name of this instance of the profile. The name must be 1-63 characters.
    Default: "default"
  authorization-group <profile>
    Name of a configuration profile to be assigned to the group of unauthorized remote APs.
    Default: "NoAuthApGroup"
Usage Guidelines
The AP authorization-profile specifies which configuration should be assigned to a remote AP that has been provisioned but not yet authenticated at the remote site. By default, these not-yet-authorized APs are put into the temporary AP group authorization-group and assigned the predefined profile NoAuthApGroup. This configuration allows a user to connect to an unauthorized remote AP via a wired port and then enter a corporate username and password. Once a valid user has authorized the remote AP, the AP is permanently marked as authorized on the network and then downloads the configuration assigned to that AP by its permanent AP group.
Example
The following command creates a new authorization profile with a non-default configuration for unauthorized remote
APs:
ap authorization-profile default2
authorization-group NoAuthApGroup2
Command History
  ArubaOS 5.0: Command introduced
Command Information
  Platforms: Available on all platforms
  Licensing: Base operating system
  Command Mode: Config mode on master or local controllers
ap debug advanced-stats
ap debug advanced-stats {ap-name <ap-name>}|{ip-addr <ip-addr>}|{ip6-addr <ip6-addr>} {net80211}|{radio 1|0} enable|disable
Description
Issue this command under the supervision of Aruba technical support to enable the collection and display of
advanced AP debugging information.
Syntax
  ap-name <ap-name>
    Name of the AP for which you want to record advanced debugging information.
  ip-addr <ip-addr>
    IP address of the AP for which you want to record advanced debugging information.
  ip6-addr <ip6-addr>
    IPv6 address of the AP for which you want to record advanced debugging information.
  net80211
    Include this parameter to enable or disable the collection of advanced statistics for transmitted and received frames, and information about packets per second statistics for different frame types.
  radio 1|0
    Include this parameter to enable or disable the collection of advanced radio driver statistics for the specified radio.
  enable
    Enable the collection of advanced radio troubleshooting statistics.
  disable
    Disable the collection of advanced radio troubleshooting statistics.
Usage Guidelines
The additional information collected when advanced net80211 or radio statistics are enabled on an AP appears in the
output of the show ap debug radio-stats command.
Command History
  ArubaOS 6.3: Command introduced
Command Information
  Platforms: Available on all platforms
  Licensing: Base operating system
  Command Mode: Config mode on master and local controllers
ap debug client-trace start
ap debug client-trace start {ap-name <ap-name>}|{ip-addr <ip>}|{ip6-addr <ip6>} mac <client-mac> [length-range <max>]|[length-range <min>]
Description
Use this command to trace management packets from a client MAC address.
Syntax
  ap-name <ap-name>
    Name of the AP.
  ip-addr <ip-addr>
    IPv4 address of the AP.
  ip6-addr <ip6-addr>
    IPv6 address of the AP.
  mac <client-mac>
    MAC address of the client.
  length-range <max>
    Maximum data packet length.
  length-range <min>
    Minimum data packet length.
Usage Guidelines
This command should only be used under the guidance of Aruba technical support.
Related Commands
  ap debug client-trace stop: Use this command to stop tracing management packets from a client MAC address.
Command History
  Introduced in ArubaOS 6.3.
Command Information
  Platforms: M3 controllers
  Licensing: Base operating system
  Command Mode: Enable mode on master or local controllers
ap debug client-trace stop
ap debug client-trace stop
{ap-name <ap-name>}|{ip-addr <ip>}|{ip6-addr <ip6>} mac <client-mac>
Description
Use this command to stop tracing management packets from a client MAC address.
Syntax
  ap-name <ap-name>
    Name of the AP.
  ip-addr <ip-addr>
    IPv4 address of the AP.
  ip6-addr <ip6-addr>
    IPv6 address of the AP.
  mac <client-mac>
    MAC address of the client.
Usage Guidelines
This command should only be used under the guidance of Aruba technical support.
Related Commands
  ap debug client-trace start: Use this command to trace management packets from a client MAC address.
  show ap debug client-trace: Use this command to show counts of different types of management data frames traced from a client MAC address.
Command History
  Introduced in ArubaOS 6.3.
Command Information
  Platforms: M3 controllers
  Licensing: Base operating system
  Command Mode: Enable mode on master or local controllers
ap debug dot11r remove-key
ap debug dot11r remove-key <sta-mac> [ap-name <ap-name> | ip-addr <ip-addr>]
Description
This command removes the r1 key from an AP.
Syntax
  <sta-mac>
    MAC address of the client.
  ap-name <ap-name>
    Name of the AP.
  ip-addr <ip-addr>
    IP address of the AP.
Usage Guidelines
Use this command to remove an r1 key from an AP when the AP does not have a cached r1 key during Fast BSS
Transition roaming.
Examples
You can use the following command to remove an r1 key from an AP when the AP does not have a cached r1 key
during Fast BSS Transition roaming.
(host) #ap debug dot11r remove-key <sta-mac> ap-name <ap-name> | ip-addr <ip-addr>
(host) #ap debug dot11r remove-key 00:50:43:21:01:b8 ap-name MAcage-105-GL
Execute the following command to check if the r1 key is removed from the AP:
(host) #show ap debug dot11r state ap-name MAcage-105-GL
Stored R1 Keys
--------------
Station MAC  Mobility Domain ID  Validity Duration  R1 Key
-----------  ------------------  -----------------  ------
Related Commands
  show ap debug dot11r state: Use this command to check if the r1 key is removed from an AP.
Command History
  Introduced in ArubaOS 6.3.
Command Information
  Platforms: All platforms
  Licensing: Base operating system
  Command Mode: Enable mode on master controllers
ap debug radio-event-log
ap debug radio-event-log [start|stop] [ap-name <name>|ip-addr <ip-addr>|ip6-addr <ip6-addr>] radio <0|1> size <size-of-log> events [all|ani|rcfind|rcupdate|rx|size|text|tx] [hex <hexformat>]
Description
Starts and stops packet log capture of radio events for debugging purposes, and sends a log file of the events to a dump server when logging stops.
Syntax
  start
    Start Wi-Fi packet log capture.
  stop
    Stop Wi-Fi packet log capture and send a log file of the events to a dump server.
  ap-name <ap-name>
    Name of the AP for which you want to capture packet log events.
  ip-addr <ip-addr>
    IPv4 address of the AP for which you want to capture packet log events.
  ip6-addr <ip6-addr>
    IPv6 address of the AP for which you want to capture packet log events.
  radio 1|0
    Include this parameter to start or stop packet log capture for the specified radio.
  size <size-of-log>
    Specify the maximum radio log size, in bytes. The supported range is 1024-10485760 bytes (1KB-10MB), and the default log size is 3145728 bytes (3MB).
  events
    Specify the type of radio events you want to capture in the log file.
      • all: Capture all of the following types of radio events.
      • ani: Adaptive Noise Immunity control events
      • rcfind: Transmission (Tx) control event
      • rcupdate: Transmission (Tx) rate update event
      • rx: Received (Rx) status register event
      • text: Text record event
      • tx: Transmission (Tx) control and Tx status register event
  hex <hexformat>
    (Optional) Specify the radio event type in hexadecimal format.
      • 0x10: Adaptive Noise Immunity control events
      • 0x4: Transmission (Tx) control event
      • 0x8: Transmission (Tx) rate update event
      • 0x2: Received (Rx) status register event
      • 0x20: Text record event
      • 0x1: Transmission (Tx) control and Tx status register event
Example
The following commands start and stop a Wi-Fi radio event log:
(host)(config)#ap debug radio-event-log start ap-name 6c:f3:7f:c6:71:90 radio 0 events all
(host)(config)#ap debug radio-event-log stop ap-name 6c:f3:7f:c6:71:90 radio 0
Related Commands
  show ap debug radio-event-log status
Command History
  ArubaOS 6.2: Command introduced
Command Information
  Platforms: Available on all platforms
  Licensing: Base operating system
  Command Mode: Enable mode on master controllers
ap debug radio-registers dump
ap debug radio-registers dump [ap-name <name>|ip-addr <ip-addr>|ip6-addr <ip6-addr>] [filename
<filename> {all|interrupt|qcu |radio}]
Description
This command allows you to collect all or specific radio register information into a separate file.
Syntax
  ap-name
    Name of the access point.
  ip-addr
    Collect radio register information for this specific AP radio.
  ip6-addr
    Collect radio register information for the AP assigned to this IPv6 address.
  filename
    Name of the file where the information is collected.
  all
    All registers interrupted.
  interrupt
    Interrupt-related registers.
  qcu
    Collect QCU information.
  radio
    Radio ID (0 or 1)
Usage Guidelines
This command collects specified radio-register information for debugging purposes, dumps the registers into a local
file, and will automatically transfer the file to the dump-server that is configured in 'ap-system-profile.'
Example
The following command collects all radio registers from myap1 into a file called myradioregfile:
#ap debug radio-registers dump ap-name myap1 filename myradioregfile all
Command History
  Introduced in ArubaOS 6.2.
Command Information
  Platforms: 802.11n-capable APs
  Licensing: Base operating system
  Command Mode: Enable mode on master controllers
ap enet-link-profile
ap enet-link-profile <profile>
clone <profile>
dot3az
duplex {auto|full|half}
no ...
speed {10|100|1000|auto}
Description
This command configures an AP Ethernet link profile.
Syntax
  <profile>
    Name of this instance of the profile. The name must be 1-63 characters.
    Default: "default"
  clone
    Name of an existing Ethernet Link profile from which parameter values are copied.
  dot3az
    Enable support for the 802.3az Energy Efficient Ethernet (EEE) standard, which allows the APs to consume less power during periods of low data activity.
    Only AP-130 Series APs support this feature. If this feature is enabled for an AP group, any APs in the group that do not support 802.3az will ignore this setting.
    Default: disabled
  duplex
    The duplex mode of the Ethernet interface, either full, half, or auto-negotiated.
    Range: full/half/auto. Default: auto
  no
    Negates any configured parameter.
  speed
    The speed of the Ethernet interface, either 10 Mbps, 100 Mbps, 1000 Mbps (1 Gbps), or auto-negotiated.
    Range: 10/100/1000/auto. Default: auto
Usage Guidelines
This command configures the duplex and speed of the Ethernet port on the AP. The configurable speed is dependent
on the port type.
Example
The following command configures the Ethernet link profile for full-duplex and 100 Mbps:
ap enet-link-profile enet
duplex full
speed 100
Command History
  ArubaOS 3.0: Command introduced
  ArubaOS 3.3: Support for 1000 Mbps (1 Gbps) Ethernet port speed was introduced.
  ArubaOS 6.2: Support for the dot3az parameter was introduced.
Command Information
  Platforms: Available on all platforms
  Licensing: Base operating system
  Command Mode: Config mode on master controllers
ap flush-r1-on-new-r0
ap flush-r1-on-new-r0 {enable|disable}
Description
Use this command to enable or disable flushing of R1 keys, when R0 is updated for d-tunnel or bridge mode.
Syntax
  enable
    Enable flushing of R1 keys.
  disable
    Disable flushing of R1 keys.
Example
The following example enables flushing of R1 keys.
(host) (config) #ap flush-r1-on-new-r0 enable
The following command displays the status of flushing of R1 keys.
(host) (config) #show flush-r1-on-new-r0
Fast Roaming flush-r1-on-new-r0:enable
Command History
  ArubaOS 6.3: Command introduced
Command Information
  Platforms: Available on all platforms
  Licensing: Base operating system
  Command Mode: Enable mode or Config mode.
ap image-preload
ap image-preload
activate all-aps|specific-aps
add {ap-group <ap-group> | ap-name <ap-name>}
cancel
clear-all
delete {ap-group <ap-group> | ap-name <ap-name>}
[partition <part-num>]
[max-downloads <max-downloads>]
Description
Configure APs to preload a new software image from a 3400, 3600 or M3 controller before the controller starts
actively running the new image.
Syntax
Parameter
Description
activate
Issue the ap image-preload activate command to activate this feature,
allowing APs in the preload list to start downloading their new image from
the controller.
all-aps
All APs will be allowed to pre download the image.
specific-aps
Only APs in the preload list will be allowed to preload the image.
add
Add individual APs or AP groups to the list of APs allowed to preload the
image.
ap-group <group>
Add a group of APs to the preload list.
ap-name <name>
Add an individual AP to the preload list.
cancel
Cancel the AP preload and clear the preload list. Any APs downloading a
new image at the time this command is issued will continue to download
the file.
clear-all
Clear all APs from the preload list.
delete
Delete an individual AP or AP group from the preload list.
NOTE: This command may be issued before or after preloading is
activated. If it is executed after preloading has already been activated, any
APs downloading a new image at the time this command is issued will
continue to download the file. APs that are still waiting to preload will be
removed from the preload list.
ap-group <group>
Remove the specified group of APs from the preload list
ap-name <name>
Remove an individual AP from the preload list
partition <partition-num>
Specify the partition from which the APs should download their images. By
default, the APs will preload images from the controller’s default boot
partition.
max-downloads <max-downloa
ds>
Specify the maximum number of APs that can simultaneously download
their image from the controller. The default value is ten APs.
Usage Guidelines
The AP image preload feature minimizes the downtime required for a controller upgrade by allowing the APs
associated to a 3400, 3600 or M3 controller to download the new images before the controller actually starts running
the new version.
This feature allows you to select the maximum number of APs that are allowed to preload the new software image at
any one time, thereby reducing the possibility that the controller may get overloaded or that network traffic may be
impacted by all APs on the controller attempting to download a new image at once.
APs can continue normal operation while they are downloading their new software version. When the download
completes, the AP sends a message to the controller, informing it that the AP has either successfully downloaded
the new software version, or that the preload has failed for some reason. If the download fails, the AP will retry the
download after a brief waiting period.
You can allow every AP on a controller to preload a new software version, or create a custom list of AP groups or individual APs that can use this feature. If a new AP associates to the controller while the AP image preload feature is active, the controller checks that AP's name and group to see if it appears in the preload list. If the AP is on the list and does not already have the specified image in its flash memory, it starts preloading its image.
Example
The following command enables the image preload feature and adds the APs in the AP groups corp1 and corp2 to
the preload list.
(host) #ap image-preload activate specific-aps
(host) #ap image-preload add ap-group corp1
(host) #ap image-preload add ap-group corp2
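The sequence below is an added illustration, not an example from the original guide, of a more complete preload run: it builds the list first, caps concurrent downloads so the controller and uplinks are not saturated, activates, and then withdraws one group. The group and AP names, the partition number and the download cap are assumed values; placing partition and max-downloads after activate follows the syntax block at the top of this entry.

```console
(host) #ap image-preload add ap-group corp1
(host) #ap image-preload add ap-group corp2
(host) #ap image-preload add ap-name lobby-ap-01
(host) #ap image-preload activate specific-aps partition 1 max-downloads 5
(host) #ap image-preload delete ap-group corp2
(host) #ap image-preload cancel
```

The delete line removes corp2 from the list after activation: APs in corp2 that are already downloading finish, APs still queued are dropped. The final cancel aborts the whole run and empties the list, again without interrupting downloads already in progress, so neither command rolls back an image that has already been written to an AP's flash. Progress is normally checked with show ap image-preload status, which is assumed to be available in this release but is not documented on this page.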
Command History
This command was introduced in ArubaOS 6.3.
Command Information
Platforms: Available on all platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
ap lldp med-network-policy-profile
ap lldp med-network-policy-profile <profile>
application-type guest-voice|guest-voice-signaling|softphone-voice|streaming-video|video-conferencing|video-signaling|voice|voice-signaling
clone <profile>
dscp <dscp>
l2-priority <l2-priority>
no ...
tagged
vlan <vlan>
Description
Define an LLDP MED network policy profile that defines DSCP values and L2 priority levels for a voice or video
application.
Syntax
Parameter / Description / Range

application-type
    Specify the type of application that this profile manages.
    guest-voice: use this application type if the AP services a separate voice network for guest users and visitors.
    guest-voice-signaling: use this application type if the AP is part of a network that requires a different policy for guest voice signaling than for guest voice media. Do not use this application type if the same network policies apply to both guest voice and guest voice signaling traffic.
    softphone-voice: use this application type if the AP supports voice services using softphone software applications on devices such as PCs or laptops.
    streaming-video: use this application type if the AP supports broadcast or multicast video or other streaming video services that require specific network policy treatment. This application type is not recommended for video applications that rely on TCP with buffering.
    video-conferencing: use this application type if the AP supports video conferencing equipment that provides real-time, interactive video/audio services.
    video-signaling: use this application type if the AP is part of a network that requires a different policy for video signaling than for the video media. Do not use this application type if the same network policies apply to both video and video signaling traffic.
    voice: use this application type if the AP services IP telephones and other appliances that support interactive voice services. NOTE: This is the default application type.
    voice-signaling: use this application type if the AP is part of a network that requires a different policy for voice signaling than for the voice media. Do not use this application type if the same network policies apply to both voice and voice signaling traffic.
clone <profile>
    Make a copy of an existing profile by specifying that profile's name.
dscp <dscp>
    Select a Differentiated Services Code Point (DSCP) value for the specified application type, from 0 to 63, where 0 is the lowest priority and 63 the highest. Range: 0-63. Default: 0.
l2-priority <l2-priority>
    Select an 802.1p priority level for the specified application type, from 0 to 7, where 0 is the lowest priority and 7 the highest. Range: 0-7. Default: 0.
no ...
    Negate any setting, or return a configured parameter to its default value.
tagged
    Specifies whether the policy applies to a VLAN that is tagged with a VLAN ID or to an untagged VLAN. Default: untagged.
    NOTE: When an LLDP-MED network policy is defined for use with an untagged VLAN, the L2 priority field is ignored and only the DSCP value is used.
vlan <vlan>
    Specify a VLAN by VLAN ID (0-4094) or VLAN name. Default: 0.
Usage Guidelines
LLDP-MED (Media Endpoint Discovery) is an extension to LLDP that supports interoperability between VoIP devices and other networking clients. LLDP-MED network policy discovery lets endpoints and network devices advertise their VLAN IDs (for example, the voice VLAN), priority levels, and DSCP values. ArubaOS supports a maximum of eight LLDP-MED network policy profiles.
Creating an LLDP MED network policy profile does not apply the configuration to any AP or AP interface or interface
group. To apply the LLDP-MED network policy profile, you must associate it to an LLDP profile, then apply that
LLDP profile to an AP wired port profile.
Example
The following commands create an LLDP-MED network policy profile for streaming video applications and mark streaming video as high-priority traffic:
(host) (config) #ap lldp med-network-policy-profile vid-stream
(host) (AP LLDP-MED Network Policy Profile "vid-stream") #dscp 48
(host) (AP LLDP-MED Network Policy Profile "vid-stream") #l2-priority 6
(host) (AP LLDP-MED Network Policy Profile "vid-stream") #tagged
(host) (AP LLDP-MED Network Policy Profile "vid-stream") #vlan 10
(host) (AP LLDP-MED Network Policy Profile "vid-stream") #!
Next, the LLDP-MED network policy profile is assigned to an LLDP profile, and the LLDP profile is associated with an AP wired-port profile:
(host) (config) #ap lldp profile video1
(host) (AP LLDP Profile "video1") #lldp-med-network-policy-profile vid-stream
(host) (AP LLDP Profile "video1") #!
(host) (config) #ap wired-port-profile corp2
(host) (AP wired port profile "corp2") #lldp-profile video1
Command History
This command was introduced in ArubaOS 6.2.
Command Information
Platforms: Available on all platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
ap lldp profile
ap lldp profile <profile>
clone <profile>
dot1-tlvs port-vlan|vlan-name
dot3-tlvs link-aggregation|mac|mfs|power
lldp-med-network-policy-profile <profile>
lldp-med-tlvs capabilities|inventory|network-policy
no ...
optional-tlvs capabilities|management-address|port-description|system-description|system-name
receive
transmit
transmit-hold <transmit-hold>
transmit-interval <transmit-interval>
Description
Define an LLDP profile that specifies the type-length-value (TLV) elements to be sent in LLDP PDUs.
Syntax
Parameter / Description

clone <profile>
    Make a copy of an existing LLDP profile.
dot1-tlvs
    Specify which of the following 802.1 TLVs the AP will send in LLDP PDUs. By default, the AP sends all 802.1 TLVs.
    port-vlan: transmit the LLDP 802.1 port VLAN TLV. If a native VLAN is configured on the port, the port-vlan TLV carries that value; otherwise it carries the value 0.
    vlan-name: transmit the LLDP 802.1 VLAN name TLV. The AP sends the value "Unknown" for VLAN 0, or "VLAN <number>" for nonzero VLAN numbers.
dot3-tlvs
    Specify which of the following 802.3 TLVs the AP will send in LLDP PDUs. By default, the AP sends all 802.3 TLVs.
    link-aggregation: transmit the 802.3 link aggregation TLV to indicate that link aggregation is not supported.
    mac: transmit the 802.3 MAC/PHY Configuration/Status TLV to indicate the AP interface's duplex and bit rate capability and its current duplex and bit rate settings.
    mfs: transmit the 802.3 Maximum Frame Size (MFS) TLV to show the AP's maximum frame size capability.
    power: transmit the 802.3 Power Via Media Dependent Interface (MDI) TLV to show the power support capabilities of the AP interface. NOTE: This parameter is supported by the RAP-3WNP and AP-130 Series only.
lldp-med-network-policy-profile <profile>
    Specify the LLDP-MED network policy profile to be associated with this LLDP profile.
lldp-med-tlvs
    Specify which of the following LLDP-MED TLVs the AP will send in LLDP PDUs. By default, the AP does not send any LLDP-MED TLVs.
    capabilities: transmit the LLDP-MED capabilities TLV. The AP automatically sends this TLV if any of the other LLDP-MED TLVs are enabled.
    inventory: transmit the LLDP-MED inventory TLV. NOTE: An AP cannot send this TLV unless it also sends the LLDP-MED capabilities TLV.
    network-policy: transmit the LLDP-MED network-policy TLV. NOTE: An AP cannot send this TLV unless it also sends the LLDP-MED capabilities TLV.
optional-tlvs
    Specify which of the following optional TLVs the AP will send in LLDP PDUs.
    capabilities: transmit the system capabilities TLV to indicate which capabilities are supported by the AP.
    management-address: transmit a TLV that indicates the AP's management IP address, in either IPv4 or IPv6 format.
    port-description: transmit a TLV that gives an alphanumeric description of the AP's wired port.
    system-description: transmit a TLV that describes the AP's model number and software version.
    system-name: transmit a TLV that sends the AP name or wired MAC address.
receive
    Enable LLDP PDU reception. This parameter is enabled by default.
transmit
    Enable LLDP PDU transmission. This parameter is enabled by default.
transmit-hold <transmit-hold>
    Enter a value from 1 to 100. This value is multiplied by the transmit interval to determine the number of seconds learned LLDP information is cached before it is cleared. With the default transmit-hold of 4 and the default transmit interval of 30 seconds, learned LLDP information is cached for 4 x 30 = 120 seconds.
transmit-interval <transmit-interval>
    The interval, in seconds, between LLDP PDU transmissions. The supported range is 1-3600 seconds and the default value is 30 seconds.
Usage Guidelines
Link Layer Discovery Protocol (LLDP) is a Layer-2 protocol that allows network devices to advertise their identity and capabilities on a LAN. Wired interfaces on Aruba APs support LLDP by periodically transmitting LLDP Protocol Data Units (PDUs) comprised of type-length-value (TLV) elements. Use this command to specify which TLVs should be sent by the AP interface associated with the LLDP profile.
Example
The following commands configure an LLDP profile that allows the AP interface to send the port-vlan and vlan-name TLVs.
ap lldp profile 8021TLVs
dot1-tlvs port-vlan
dot1-tlvs vlan-name
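As an added example, not part of the original guide, covering both this entry and the preceding ap lldp med-network-policy-profile entry, the following builds a voice policy and an LLDP profile that actually advertises it. The page's own med-network-policy example attaches the policy profile to an LLDP profile but never enables the lldp-med-tlvs network-policy TLV, and the AP sends no LLDP-MED TLVs by default, so that policy is never transmitted. The profile names, VLAN 20, DSCP 46 and priority 5 are assumed values; the no optional-tlvs lines are assumed from the profile's no ... keyword, since this page does not state which optional TLVs are on by default.

```console
(host) (config) #ap lldp med-network-policy-profile voice-vlan20
(host) (AP LLDP-MED Network Policy Profile "voice-vlan20") #application-type voice
(host) (AP LLDP-MED Network Policy Profile "voice-vlan20") #tagged
(host) (AP LLDP-MED Network Policy Profile "voice-vlan20") #vlan 20
(host) (AP LLDP-MED Network Policy Profile "voice-vlan20") #l2-priority 5
(host) (AP LLDP-MED Network Policy Profile "voice-vlan20") #dscp 46
(host) (AP LLDP-MED Network Policy Profile "voice-vlan20") #!
(host) (config) #ap lldp profile phones
(host) (AP LLDP Profile "phones") #lldp-med-network-policy-profile voice-vlan20
(host) (AP LLDP Profile "phones") #lldp-med-tlvs network-policy
(host) (AP LLDP Profile "phones") #no optional-tlvs system-description
(host) (AP LLDP Profile "phones") #no optional-tlvs management-address
(host) (AP LLDP Profile "phones") #!
(host) (config) #ap wired-port-profile phone-ports
(host) (AP wired port profile "phone-ports") #lldp-profile phones
(host) (AP wired port profile "phone-ports") #!
```

tagged matters here: with an untagged policy the l2-priority value is ignored and only DSCP is used. Enabling network-policy makes the AP send the LLDP-MED capabilities TLV automatically, so it need not be listed. The two no lines withhold the AP's model and software version and its management IP from the wired segment; LLDP is unauthenticated, so anything the AP advertises is readable by whatever is plugged into that port.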
Command History
This command was introduced in ArubaOS 6.2.
Command Information
Platforms: Available on all platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
ap mesh-cluster-profile
ap mesh-cluster-profile <profile>
clone <profile>
cluster <name>
no ...
opmode [opensystem | wpa2-psk-aes]
rf-band {a | g}
wpa-hexkey <wpa-hexkey>
wpa-passphrase <wpa-passphrase>
Description
This command configures a mesh cluster profile used by mesh nodes.
Syntax
Parameter / Description / Range / Default

<profile>
    Name of this instance of the profile. The name must be 1-63 characters. Default: "default".
clone
    Name of an existing mesh cluster profile from which parameter values are copied.
cluster
    Indicates the mesh cluster name. The name can have a maximum of 32 characters and is used as the MSSID for the mesh cluster. When you first create a new mesh cluster profile, the profile uses the default cluster name "Aruba-mesh". Use the cluster parameter to define a new, unique MSSID before you assign APs or AP groups to the mesh cluster profile.
    NOTE: If you want a mesh cluster to use WPA2-PSK-AES encryption, do not use spaces in the mesh cluster name, as this may cause errors in mesh points associated with that mesh cluster.
    To view existing mesh cluster profiles, use the CLI command show ap mesh-cluster-profile.
    Default: "Aruba-mesh".
no
    Negates any configured parameter.
opmode
    Configures one of the following types of data encryption:
    opensystem: no authentication or encryption.
    wpa2-psk-aes: WPA2 with AES encryption using a pre-shared key.
    Best practice is to select wpa2-psk-aes and use the wpa-passphrase parameter to set a passphrase. Keep the passphrase in a safe place.
    Range: opensystem, wpa2-psk-aes. Default: opensystem.
rf-band
    Configures the RF band in which multiband mesh nodes should operate: a = 5 GHz, g = 2.4 GHz. Best practice is to use 802.11a radios for mesh deployments.
    Range: a, g. Default: a.
wpa-hexkey
    Configures the WPA pre-shared key directly, as a hexadecimal value.
wpa-passphrase
    Sets the WPA passphrase from which the PSK is derived.
Usage Guidelines
Mesh cluster profiles are specific to mesh nodes (APs configured for mesh) and provide the framework of the mesh
network. You must define and configure the mesh cluster profile before configuring an AP to operate as a mesh node.
You can configure multiple mesh cluster profiles to be used within a mesh cluster. You must configure different
priority levels for each mesh cluster profile. See ap-group or ap-name for more information about priorities.
Cluster profiles, including the “default” profile, are not applied until you provision your APs for mesh.
Example
The following command configures a mesh cluster profile named “cluster1” for the mesh cluster “headquarters:”
ap mesh-cluster-profile cluster1
cluster headquarters
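The example above leaves the profile at its defaults, so the cluster runs with opmode opensystem: no authentication and no encryption on the mesh backhaul, and therefore none for any LAN traffic bridged across it. The following added example, not from the original guide, shows the hardened form that the opmode row recommends. The submode prompt text is assumed, <long-random-passphrase> is a placeholder for a passphrase generated and stored outside this configuration, and the cluster name is kept free of spaces as the NOTE on the cluster parameter requires.

```console
(host) (config) #ap mesh-cluster-profile cluster1
(host) (Mesh Cluster profile "cluster1") #cluster headquarters
(host) (Mesh Cluster profile "cluster1") #opmode wpa2-psk-aes
(host) (Mesh Cluster profile "cluster1") #wpa-passphrase <long-random-passphrase>
(host) (Mesh Cluster profile "cluster1") #rf-band a
(host) (Mesh Cluster profile "cluster1") #!
(host) (config) #show ap mesh-cluster-profile cluster1
```

Check the show output for opmode wpa2-psk-aes before provisioning APs for mesh: cluster profiles are not applied until then, so a profile accidentally left at opensystem is easy to miss. The "default" profile and its "Aruba-mesh" MSSID are the same on every controller, so give each cluster its own name and its own PSK rather than relying on them.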
Related Commands
To view a complete list of mesh cluster profiles and their status, use the following command:
show ap mesh-cluster-profile
To view the settings of a specific mesh cluster profile, use the following command:
show ap mesh-cluster-profile <name>
Command History
This command was introduced in ArubaOS 3.2.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
ap mesh-ht-ssid-profile
ap mesh-ht-ssid-profile <profile-name>
40MHz-enable
ba-amsdu-enable
clone <source>
high-throughput-enable
ldpc
legacy-stations
max-rx-a-mpdu-size
max-tx-a-mpdu-size
min-mpdu-start-spacing
mpdu-agg
no
short-guard-intvl-20Mhz
short-guard-intvl-40Mhz
stbc-rx-streams
stbc-tx-streams
supported-mcs-set
temporal-diversity
Description
This command configures a mesh high-throughput SSID profile used by mesh nodes.
Syntax
Parameter / Description / Range / Default

<profile-name>
    Enter the name of an existing mesh high-throughput SSID profile to modify that profile, or enter a new name to create a new mesh high-throughput SSID profile. The name can have a maximum of 32 characters. To view existing mesh high-throughput SSID profiles, use the command show ap mesh-ht-ssid-profile.
    Default: default.
40MHz-enable
    Enable or disable the use of 40 MHz channels. Default: enabled.
ba-amsdu-enable
    Enable or disable receiving A-MSDUs in block acknowledgement (BA) negotiation. Default: disabled.
clone <source>
    Copy configuration information from a source profile into the currently selected profile.
high-throughput-enable
    Enable or disable high-throughput (802.11n) features on this SSID. Default: enabled.
ldpc
    If enabled, the AP advertises Low-Density Parity Check (LDPC) support. LDPC improves data transmission over radio channels with high levels of background noise. Default: enabled.
legacy-stations
    Allow or disallow associations from legacy (non-HT) stations. Default: enabled (legacy stations are allowed).
max-tx-a-mpdu-size
    Maximum size of a transmitted aggregate MPDU, in bytes. Range: 1576-65535.
max-rx-a-mpdu-size
    Maximum size of a received aggregate MPDU, in bytes. Range: 8191, 16383, 32767, 65535.
min-mpdu-start-spacing
    Minimum time between the start of adjacent MPDUs within an aggregate MPDU, in microseconds. Range: 0 (no restriction on MPDU start spacing), .25, .5, 1, 2, 4 µsec. Default: 0 µsec.
mpdu-agg
    Enable or disable MAC protocol data unit (MPDU) aggregation. High-throughput mesh APs are able to send aggregated MPDUs, which allow an AP to receive a single block acknowledgment instead of multiple ACK signals. This option reduces network traffic overhead by effectively eliminating the need to initiate a new transfer for every MPDU. Default: enabled.
short-guard-intvl-20Mhz
    Enable or disable use of the short (400 ns) guard interval for AP-130 Series APs in 20 MHz mode. A guard interval is a period of time between transmissions that allows reflections from the previous data transmission to settle before an AP transmits again. An AP identifies any signal content received inside this interval as unwanted inter-symbol interference and rejects that data. The 802.11n standard specifies two guard intervals: 400 ns (short) and 800 ns (long). Enabling a short guard interval can decrease network overhead by reducing unnecessary idle time on each AP. Some outdoor deployments may, however, require a longer guard interval. If the short guard interval does not allow enough time for reflections to settle in your mesh deployment, inter-symbol interference may increase and degrade throughput. Default: enabled.
short-guard-intvl-40Mhz
    Enable or disable use of the short (400 ns) guard interval in 40 MHz mode. The same guard-interval considerations apply as for short-guard-intvl-20Mhz. Default: enabled.
stbc-rx-streams
    Controls the maximum number of spatial streams usable for STBC reception. 0 disables STBC reception; 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on the AP-90 Series, AP-130 Series, AP-68, AP-175 and AP-105 only. The configured value is adjusted based on AP capabilities.) Range: 0-1. Default: 1.
stbc-tx-streams
    Controls the maximum number of spatial streams usable for STBC transmission. 0 disables STBC transmission; 1 uses STBC for MCS 0-7. Higher MCS values are not supported. (Supported on the AP-90 Series, AP-175, AP-130 Series and AP-105 only. The configured value is adjusted based on AP capabilities.) Range: 0-1. Default: 1.
supported-mcs-set
    A list of Modulation and Coding Scheme (MCS) values or ranges of values to be supported on this SSID. The MCS you choose determines the channel width (20 MHz vs. 40 MHz) and the number of spatial streams used by the mesh node. The default value is 1-15, the complete set of supported values. To specify a smaller range of values, enter a hyphen between the lower and upper values. To specify a series of different values, separate each value with a comma. Examples: 2-10 or 1,3,6,9,12. Range: 0-15. Default: 1-15.
temporal-diversity
    Shows whether temporal diversity is enabled or disabled. When this feature is enabled and the client is not responding to 802.11 packets, the AP launches two hardware retries; if the hardware retries are not successful, it attempts software retries. Default: disabled.
Usage Guidelines
The mesh high-throughput profile defines settings unique to 802.11n-capable, high-throughput APs. If none of the
APs in your mesh deployment are 802.11n-capable APs, you do not need to configure a high-throughput SSID
profile.
If you modify a currently provisioned and running high-throughput SSID profile, your changes take effect immediately. You do not need to reboot the controller or the AP.
Example
The following command configures a mesh high-throughput SSID profile named “HT1” and sets some non-default
settings for MAC protocol data unit (MPDU) aggregation:
(host) (config) #ap mesh-ht-ssid-profile HT1
max-rx-a-mpdu-size 32767
max-tx-a-mpdu-size 32767
min-mpdu-start-spacing .25
Related Commands
To view a complete list of mesh high-throughput SSID profiles and their status, use the following command:
(host) (config) #show ap mesh-ht-ssid-profile
To view the settings of a specific mesh high-throughput SSID profile, use the following command:
(host) (config) #show ap mesh-ht-ssid-profile <name>
Command History
ArubaOS 3.4: Command introduced.
ArubaOS 6.1: The short-guard-intvl-20Mhz, ldpc, stbc-rx-streams and stbc-tx-streams parameters were introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
ap mesh-radio-profile
ap mesh-radio-profile <profile>
a-tx rates [6|9|12|18|24|36|48|54]
allowed-vlans <vlan-list>
children <children>
clone <profile>
eapol-rate-opt
g-tx rates [1|2|5|6|9|11|12|18|24|36|48|54]
heartbeat-threshold <count>
hop-count <hop-count>
link-threshold <count>
max-retries <max-retries>
mesh-ht-ssid-profile
mesh-mcast-opt
mesh-survivability
metric-algorithm {best-link-rssi|distributed-tree-rssi}
mpv <vlan-id>
no ...
reselection-mode {reselect-anytime|reselect-never|startup-subthreshold|subthreshold-only}
rts-threshold <rts-threshold>
Description
This command configures a mesh radio profile used by mesh nodes.
Syntax
Parameter / Description / Range / Default

<profile>
    Name of this instance of the profile. The name must be 1-63 characters. Default: "default".
allowed-vlans <vlan-list>
    Specify a list of VLAN IDs that can be used by a mesh link on APs associated with this mesh radio profile. <vlan-list> is a comma-separated list of VLAN IDs; you can also specify a range of VLAN IDs using a dash (for example, 1-4095).
a-tx rates
    Indicates the transmit rates for the 802.11a radio. The AP attempts to use the highest transmission rate to establish a mesh link. If a rate is unavailable, the AP goes through the list and uses the next highest rate. Range: 6, 9, 12, 18, 24, 36, 48, 54 Mbps. Default: 6, 9, 12, 18, 24, 36, 48, 54 Mbps.
children <children>
    Indicates the maximum number of children a mesh node can accept. Range: 1-64. Default: 64.
clone <profile>
    Name of an existing mesh radio profile from which parameter values are copied.
eapol-rate-opt
    Use a more conservative rate for more reliable delivery of EAPOL frames. Range: enabled, disabled. Default: disabled.
g-tx rates
    Indicates the transmit rates for the 802.11b/g radio. The AP attempts to use the highest transmission rate to establish a mesh link. If a rate is unavailable, the AP goes through the list and uses the next highest rate. Range: 1, 2, 5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps. Default: 1, 2, 5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps.
heartbeat-threshold <count>
    Indicates the maximum number of heartbeat messages that can be lost between neighboring mesh nodes. Range: 1-255. Default: 10.
hop-count <hop-count>
    Indicates the maximum hop count from the mesh portal. Range: 1-32. Default: 8.
link-threshold <count>
    Indicates the minimum RSSI value. If the RSSI value is below this threshold, the link may be considered a sub-threshold link, that is, a link whose average RSSI value falls below the configured threshold. If this occurs, the mesh node may try to find a better link on the same channel and cluster (only neighbors on the same channel are considered). The supported threshold is hardware dependent, with a practical range of 10-90. Range: hardware dependent. Default: 12.
mesh-ht-ssid-profile
    High-throughput SSID profile for the mesh feature. Default: default.
max-retries <max-retries>
    Maximum number of times a mesh node can resend a packet. Range: 0-15. Default: 4 times.
mesh-mcast-opt
    Enables or disables scanning of all active stations currently associated to a mesh point to select the lowest transmission rate based on the slowest connected mesh child. When enabled, this setting dynamically adjusts the multicast rate to that of the slowest connected mesh child. Multicast frames are not sent if there are no mesh children. Best practice is to use the default value. Default: enabled.
mesh-survivability
    Allow mesh points and portals to become active, bridging LAN traffic, even if the controller cannot be reached. This is a beta feature that is disabled by default; it should not be enabled unless you are instructed to do so by Aruba technical support. Default: disabled.
metric-algorithm
    Specifies the algorithm used by a mesh node to select its parent. Best practice is to use the default value, distributed-tree-rssi. Default: distributed-tree-rssi.
    best-link-rssi: selects the parent with the strongest RSSI, regardless of the number of children a potential parent has.
    distributed-tree-rssi: selects the parent based on link RSSI and a node cost based on the number of children. This option evenly distributes the mesh points over high-quality uplinks. Low-quality uplinks are selected as a last resort.
mpv <vlan-id>
    This parameter is experimental and reserved for future use. Range: 0-4094. Default: 0 (disabled).
no ...
    Negates any configured parameter.
reselection-mode
    Specifies the method used to find a better mesh link. Best practice is to use the default value, startup-subthreshold. Default: startup-subthreshold.
    reselect-anytime: mesh points using the reselect-anytime reselection mode perform a single topology readjustment scan within 9 minutes of startup and 4 minutes after a link is formed. If no better parent is found, the mesh point returns to its original parent. This initial scan evaluates more distant mesh points before closer mesh points, and incurs a dropout of 5-8 seconds for each mesh point. After the initial startup scan is completed, connected mesh nodes evaluate mesh links every 30 seconds. If a mesh node finds a better uplink, the mesh node connects to the new parent to create an improved path to the mesh portal.
    reselect-never: connected mesh nodes do not evaluate other mesh links to create an improved path to the mesh portal.
    startup-subthreshold: mesh points using the startup-subthreshold reselection mode perform a single topology readjustment scan within 9 minutes of startup and 4 minutes after a link is formed. If no better parent is found, the mesh point returns to its original parent. This initial startup scan evaluates more distant mesh points before closer mesh points, and incurs a dropout of 5-8 seconds for each mesh point. After that time, each mesh node evaluates alternative links if the existing uplink falls below the configured threshold level (the link becomes a sub-threshold link). Best practice is to use the default startup-subthreshold value.
    NOTE: Starting with ArubaOS 3.4.1, if a mesh point using the startup-subthreshold mode reselects a more distant parent because its original, closer parent falls below the acceptable threshold, then as long as that mesh point is connected to that more distant parent, it will seek to reselect a parent at the earlier distance (or less) with good link quality. For example, if a mesh point disconnects from a mesh parent 2 hops away and subsequently reconnects to a mesh parent 3 hops away, the mesh point will continue to seek a connection to a mesh parent with both an acceptable link quality and a distance of two hops or less, even if the more distant parent also has an acceptable link quality.
    subthreshold-only: connected mesh nodes evaluate alternative links only if the existing uplink becomes a sub-threshold link.
    NOTE: Starting with ArubaOS 3.4.1, the same rule applies in subthreshold-only mode: if a mesh point reselects a more distant parent because its original, closer parent falls below the acceptable threshold, it keeps seeking a parent at the earlier distance (or less) with good link quality for as long as it remains connected to the more distant parent, even if that more distant parent also has an acceptable link quality.
rts-threshold <rts-threshold>
    Defines the frame size above which mesh nodes must use RTS/CTS. Mesh nodes transmitting frames larger than this threshold must issue a request to send (RTS) and wait for other mesh nodes to respond with a clear to send (CTS) before beginning transmission. This helps prevent mid-air collisions. Range: 256-2346. Default: 2333 bytes.
Usage Guidelines
Mesh radio profiles are specific to mesh nodes (APs configured for mesh) and determine the radio frequency/channel
used by mesh nodes to establish mesh links and the path to the mesh portal. You can configure multiple radio
profiles; however, you select and deploy only one radio profile per mesh cluster.
Radio profiles, including the "default" profile, are not active until you provision your APs for mesh. If you modify a currently provisioned and running radio profile, your changes take effect immediately. You do not need to reboot the controller or the AP.
Example
The following command creates a mesh radio profile named “radio2” and associates a mesh high-throughput profile
named meshHT1:
(host) (config) #ap mesh-radio-profile radio2
mesh-ht-ssid-profile meshHT1
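As an added example, not from the original guide, that extends the radio2 profile above, the following limits what a mesh link may carry and how far the tree may grow. The VLAN list, child and hop limits and RSSI threshold are assumed values, and the submode prompt text is assumed.

```console
(host) (config) #ap mesh-radio-profile radio2
(host) (Mesh Radio profile "radio2") #mesh-ht-ssid-profile meshHT1
(host) (Mesh Radio profile "radio2") #allowed-vlans 10,20,30
(host) (Mesh Radio profile "radio2") #children 8
(host) (Mesh Radio profile "radio2") #hop-count 3
(host) (Mesh Radio profile "radio2") #link-threshold 20
(host) (Mesh Radio profile "radio2") #reselection-mode startup-subthreshold
(host) (Mesh Radio profile "radio2") #!
(host) (config) #show ap mesh-radio-profile radio2
```

allowed-vlans determines which VLANs may be bridged across the air, so list only the VLANs the mesh points' wired ports actually need; a management or server VLAN that never has to cross a mesh hop should be left out. children and hop-count bound the size of the tree a single portal will accept. Because changes to a running radio profile take effect immediately, apply them to a live mesh during a maintenance window: raising link-threshold can push existing links below the threshold and trigger parent reselection, with its 5-8 second dropout.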
Related Commands
To view a complete list of mesh radio profiles and their status, use the following command:
(host) (config) #show ap mesh-radio-profile
To view the settings of a specific mesh radio profile, use the following command:
(host) (config) #show ap mesh-radio-profile <name>
Command History
ArubaOS 3.2: Command introduced.
ArubaOS 3.2.0.x, 3.3.1.x: The tx-power default increased from 14 to 30 dBm.
ArubaOS 3.3: The heartbeat-threshold default increased from 5 to 10 heartbeat messages.
ArubaOS 3.3.2: The mesh-mcast-opt parameter was introduced.
ArubaOS 3.4: The mesh-ht-ssid-profile parameter was introduced. The 11a-portal-channel, 11g-portal-channel, beacon-period and tx-power parameters were deprecated; these settings can now be configured via the rf dot11a-radio-profile and rf dot11g-radio-profile commands.
ArubaOS 6.1: The eapol-rate-opt parameter was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
ap provisioning-profile
ap provisioning-profile <profile>
apdot1x-passwd
apdot1x-username
cellular_nw_preference 3g-only|4g-only|advanced|auto
clone
link-priority-cellular
link-priority-ethernet
master clear|{set <masterstr>}
no
pppoe-passwd
pppoe-service-name
pppoe-user
remote-ap
reprovision
uplink-vlan <uplink-vlan>
usb-dev
usb-dial
usb-init
usb-modeswitch -v <default_vendor> -p <default_product> -V <target_vendor> -P <target_product> -M <message_content>
usb-passwd
usb-power-mode auto| enable|disable
usb-tty
usb-tty-control
usb-type
usb-user
Description
This command defines a provisioning profile for an AP or group of APs.
Syntax
apdot1x-passwd
    Password of the AP to authenticate to 802.1X using PEAP.
apdot1x-username
    Username of the AP to authenticate to 802.1X using PEAP.
cellular_nw_preference 3g-only|4g-only|advanced|auto
    The cellular network preference setting selects how the modem operates. Default: auto.
    - auto (default): The modem firmware controls the cellular network service selection, so cellular network service failover and fallback are not interrupted by the remote AP (RAP).
    - 3g-only: Locks the modem to operate only in 3G.
    - 4g-only: Locks the modem to operate only in 4G.
    - advanced: The RAP controls the cellular network service selection using a Received Signal Strength Indication (RSSI) threshold-based approach. Initially the modem is set to the default auto mode, which lets the modem firmware select the available network. The RAP determines the RSSI value for the available network type (for example, 4G), checks whether the RSSI is within the required range and, if so, connects to that network. If the RSSI for the modem’s selected network is not within the required range, the RAP then checks the RSSI limit of an alternate network (for example, 3G) and reconnects to that alternate network. The RAP repeats these steps each time it tries to connect using a 4G multimode modem in this mode.
clone <source>
    Clone an existing AP provisioning profile.
link-priority-cellular <link-priority-cellular>
    Set the priority of the cellular uplink. By default, the cellular uplink has a lower priority than the wired uplink, making the wired link the primary link and the cellular link the secondary or backup link. Configuring the cellular link with a higher priority than the wired link makes the cellular link the primary controller link. Range: 0-255. Default: 0.
link-priority-ethernet <link-priority-ethernet>
    Set the priority of the wired uplink. Each uplink type has an associated priority; wired ports have the highest priority by default. Range: 0-255. Default: 0.
master clear|{set <masterstr>}
    Change the FQDN or IP address of the master controller.
    - set <masterstr>: Specify the IP address or FQDN of the master controller.
    - clear: Clear the master controller definition in this profile.
no
    Negates any configured parameter.
pppoe-passwd
    Point-to-Point Protocol over Ethernet (PPPoE) password for the AP.
pppoe-servicename
    PPPoE service name for the AP.
pppoe-user
    PPPoE username for the AP.
remote-ap
    Specifies that the profile is to be associated with a remote AP using certificates.
reprovision
    Provisions one or more APs with the values in the provisioning profile.
reset-bootinfo
    Restores factory default provisioning parameters to the specified AP.
    NOTE: This parameter can only be used on the master controller.
uplink-vlan <uplink-vlan>
    If you configure an uplink VLAN on an AP connected to a port in trunk mode, the AP sends and receives frames tagged with this VLAN on its Ethernet uplink. By default, an AP has an uplink VLAN of 0, which disables this feature. Range: 0 (disabled) to 4095. Default: 0.
    NOTE: If an AP is provisioned with an uplink VLAN, it must be connected to a trunk mode port or the AP’s frames will be dropped.
usb-dev
    The USB device identifier.
usb-dial
    The dial string for the USB modem. This parameter only needs to be specified if the default string is not correct.
usb-init
    The initialization string for the USB modem. This parameter only needs to be specified if the default string is not correct.
usb-modeswitch -v <default_vendor> -p <default_product> -V <target_vendor> -P <target_product> -M <message_content>
    USB cellular devices on remote APs typically register as modems, but may occasionally register as a mass-storage device. If a remote AP cannot recognize its USB cellular modem, use the usb-modeswitch parameter to specify the mode-switch parameters for the hardware model of the USB cellular data card.
    NOTE: You must enclose the entire modeswitch parameter string in quotation marks.
usb-passwd
    A PPP password, if provided by the cellular service provider.
usb-power-mode auto|enable|disable
    Set the USB power mode to control the power to the USB port.
usb-tty
    The TTY device path for the USB modem. This parameter only needs to be specified if the default path is not correct.
usb-tty-control
    The TTY device control path for the USB modem. This parameter only needs to be specified if the default path is not correct.
usb-type
    Specify the USB driver type. Default: none.
    - acm: Use ACM driver
    - airprime: Use Airprime driver
    - beceem-wimax: Use Beceem driver for 4G-WiMAX
    - ether: Use CDC Ether driver for direct IP 4G device
    - hso: Use HSO driver for newer Option devices
    - none: Disable 3G or 2G network on USB
    - option: Use Option driver
    - pantech-3g: Same as "pantech-uml290"; retained to support upgrade
    - pantech-uml290: Use Pantech USB driver for UML290 device
    - ptumlusbnet: Use Pantech USB driver for 4G device
    - rndis: Use a RNDIS driver for a 4G device
    - sierra-evdo: Use EVDO Sierra Wireless driver
    - sierra-gsm: Use GSM Sierra Wireless driver
    - sierrausbnet: Use Sierra Direct IP driver for 4G device
    - storage: Use USB flash as a storage device for storing RAP certificates
usb-user
    The PPP username provided by the cellular service provider.
Usage Guidelines
The AP provisioning profile lets you define a set of provisioning parameters for an AP group. The profile is saved and
assigned to an AP group with the command ap-group <group> provisioning-profile <profile>.
To enable a cellular uplink for a remote AP (RAP), the RAP must have the device driver for the USB data card and the
correct configuration parameters. ArubaOS includes device drivers for the most common hardware types, but you can
use the usb parameters in this profile to configure a RAP to recognize and use an unknown USB modem type.
Related Commands
provision-ap: Change provisioning parameters for an individual AP. This command does not save the provisioning parameter settings in a reusable profile.
Example
The following commands create a provisioning profile named profile_branch, in which the cellular link is the primary
uplink because it has a higher priority than the Ethernet link:
(host) (config) #ap provisioning-profile profile_branch
link-priority-cellular 2
link-priority-ethernet 1
usb-type acm
usb-modeswitch "-v 0x106c -p 0x3b06 -V 0x106c -P 0x3717 -M 5534243b82e238c24000000800008ff020000000000000000000000000"
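The uplink-priority rule and the cellular_nw_preference modes described above, as an added worked example in Python. This is illustrative code, not part of the ArubaOS CLI guide and not Aruba's implementation; the RSSI limits, the order in which advanced mode tries network types, and the sample RSSI readings are assumptions, since the guide does not state the thresholds the RAP uses.

```python
"""Added example: how a RAP picks its primary uplink from the two link
priorities, and which cellular network type each cellular_nw_preference
mode selects. Threshold values and candidate order are assumptions."""

# Assumed minimum acceptable RSSI (dBm) per network type; not from the guide.
RSSI_LIMITS = {"4g": -95, "3g": -100}
# Assumed order in which 'advanced' mode tries alternates after the firmware's pick.
PREFERENCE_ORDER = ["4g", "3g"]


def primary_uplink(link_priority_cellular: int, link_priority_ethernet: int) -> str:
    """Higher priority wins. Both priorities default to 0 and the guide says the
    wired link is primary by default, so a tie resolves to Ethernet."""
    for value in (link_priority_cellular, link_priority_ethernet):
        if not 0 <= value <= 255:
            raise ValueError("link priority must be in 0-255")
    return "cellular" if link_priority_cellular > link_priority_ethernet else "ethernet"


def select_cellular_network(preference: str, firmware_choice: str, rssi: dict) -> str:
    """Return the network type the RAP ends up using.

    preference       one of auto | 3g-only | 4g-only | advanced
    firmware_choice  the network the modem firmware selected on its own
    rssi             measured RSSI in dBm per network type, e.g. {"4g": -97, "3g": -80}
    """
    if preference == "auto":
        return firmware_choice          # firmware controls selection; RAP stays out of it
    if preference == "3g-only":
        return "3g"
    if preference == "4g-only":
        return "4g"
    if preference == "advanced":
        # Start from the firmware's choice (modem begins in auto mode); keep it only
        # if its RSSI is within range, otherwise fall through to the alternates.
        candidates = [firmware_choice] + [n for n in PREFERENCE_ORDER if n != firmware_choice]
        for net in candidates:
            if net in rssi and rssi[net] >= RSSI_LIMITS[net]:
                return net
        raise RuntimeError("no network type has an acceptable RSSI")
    raise ValueError(f"unknown cellular_nw_preference {preference!r}")


if __name__ == "__main__":
    # Constructed inputs mirroring the profile_branch example: cellular 2 beats Ethernet 1.
    print(primary_uplink(2, 1))                                                # cellular
    print(select_cellular_network("advanced", "4g", {"4g": -97, "3g": -80}))  # 3g
```

In advanced mode the function only leaves the firmware's choice when its RSSI is below the assumed limit, which is the behaviour the table describes for a 4G multimode modem falling back to 3G.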
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 3.4: Introduced support for the usb-dev, usb-dial, usb-init, usb-passwd, usb-tty, usb-type, usb-user, link-priority-cellular and link-priority-ethernet parameters.
ArubaOS 6.0: The uplink-vlan parameter was introduced.
ArubaOS 6.1: The apdot1x-passwd and apdot1x-username parameters were introduced for provisioning APs for 802.1X authentication. The usb-modeswitch and 4g-usb-type parameters were introduced for provisioning remote APs using USB modems.
ArubaOS 6.2.1.0: The cellular_nw_preference parameter was introduced for provisioning multimode modems, and the 4g-usb-type parameter was deprecated. Specify a 2G/3G or 4G modem type using the usb-type parameter.
ArubaOS 6.3: The sierrausbnet and storage usb-type values were introduced.
ArubaOS 6.3.1: The rndis usb-type value was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
ap packet-capture
ap packet-capture [open-port|close-port] <port>
ap packet-capture raw-start [<ap-name|ip-addr|ip6-addr>] <target-ip> <target-port> <format> radio <0|1> channel <channel> maxlen <maxlen>
ap packet-capture interactive [<ap-name|ip-addr|ip6-addr>] <filter-spec> <target-ip> <target-port> radio <0|1> channel <channel>
ap packet-capture [clear|stop|pause|resume] [<ap-name|ip-addr|ip6-addr>] <pcap-id> radio <0|1>
show ap packet-capture status <ap-name|ip-addr|ip6-addr>
Description
These commands manage WiFi packet capture (PCAP) on Aruba APs. The captured WiFi packets are encapsulated in a
UDP header and sent to a client running a packet analyzer such as WildPackets’ AiroPeek or OmniPeek, or Wireshark.
Syntax
open-port
    (CPSEC CAPs and RAPs only) Enable or allow access to this UDP port on the AP for packet capture purposes.
close-port
    (CPSEC CAPs and RAPs only) Close or disallow access to this UDP port on the AP for packet capture purposes.
raw-start
    Stream packets from the driver to a client running the packet analyzer.
<ipaddr>
    IP address of the AP.
<target-ipaddr>
    IP address of the client running the packet analyzer.
<target-port>
    UDP port number on the client station where the captured packets are sent.
<format>
    Specify a number to indicate one of the following formats for captured packets:
    - 0: pcap
    - 1: peek
    - 2: airmagnet
    - 3: pcap+radio header
    - 4: ppi
channel
    (Optional; applicable only in Air Monitor mode) Number of a radio channel to tune to in order to capture packets.
maxlen
    (Optional) Limit the length of 802.11 frames included in the capture to the specified maximum.
interactive
    Start an interactive packet capture session between an AP and a client running a packet analyzer.
<filter-spec>
    Packet capture filter specification. See Usage Guidelines for details.
clear
    Clears the packet capture session.
pause
    Pause a packet capture session.
stop
    Stop a packet capture session.
resume
    Resume a packet capture session.
<pcap-id>
    ID of the PCAP session.
Usage Guidelines
These commands direct an Aruba AP to send WiFi packet captures to a packet analyzer utility, such as AirMagnet or
Wireshark, running on a remote client.
Before using these commands, start the packet analyzer utility on the client and open a capture window for the port to
which the AP will send the captured packets. The packet analyzer cannot be used to control the flow or type of packets
sent from Aruba APs.
The packet analyzer processes all packets. However, you can apply display filters on the capture window to control
the number and type of packets being displayed. In the capture window, the timestamp displayed corresponds to the
time that the packet is received by the client and is not synchronized with the time on the Aruba AP.
Filter specification (used in ap packet-capture interactive) supports the following:
- type (beacon/rts/cts/data/ack/ctrl/mgmt/all)
- sta (mac address)
- bss (mac address)
- da (mac address)
- sa (mac address)
- dir (tods, fromds)
- retry (1, 0)
- frag (1, 0)
- wep (1, 0)
Filter spec examples:
(type eq beacon) or ((sta eq 000000010203) and (dir eq tods))
(type == data) && ((sta = 000000010203) || (sta == 000000010203))
(type != beacon)
(wep nq 1)
(type eq all)
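The filter grammar above (field, comparison operator, value; clauses combined with and/&& and or/|| and grouped with parentheses), as an added worked example in Python. This is illustrative code written for this page, not Aruba's filter implementation and not part of the guide. It assumes that mgmt and ctrl act as frame classes covering the listed subtypes (beacon is management; rts, cts and ack are control), that all matches every frame, and that nq means not-equal; the sample frames are constructed, not captured.

```python
"""Added example: parse and evaluate ap packet-capture interactive filter specs.
Not Aruba's implementation; frame-class mapping and 'nq' semantics are assumptions."""
import re

FIELDS = {"type", "sta", "bss", "da", "sa", "dir", "retry", "frag", "wep"}
EQ_OPS = {"eq", "==", "="}          # the guide's examples use all three spellings
NE_OPS = {"nq", "ne", "!="}         # 'nq' appears in the guide; read as not-equal
AND_OPS = {"and", "&&"}
OR_OPS = {"or", "||"}
# Assumed: class names expand to the subtypes they cover; 'all' matches everything.
TYPE_CLASSES = {"mgmt": {"beacon"}, "ctrl": {"rts", "cts", "ack"}}
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


class FilterParser:
    """Recursive descent with or < and < comparison precedence:
    expr := term (OR term)* ; term := atom (AND atom)* ; atom := '(' expr ')' | FIELD OP VALUE"""

    def __init__(self, spec: str):
        self.toks = _TOKEN.findall(spec)
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self):
        node = self._expr()
        if self._peek() is not None:
            raise ValueError(f"trailing token {self._peek()!r}")
        return node

    def _expr(self):
        node = self._term()
        while self._peek() in OR_OPS:
            self._next()
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._atom()
        while self._peek() in AND_OPS:
            self._next()
            node = ("and", node, self._atom())
        return node

    def _atom(self):
        tok = self._next()
        if tok == "(":
            node = self._expr()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return node
        if tok not in FIELDS:
            raise ValueError(f"unknown field {tok!r}")
        op = self._next()
        if op not in EQ_OPS | NE_OPS:
            raise ValueError(f"unknown operator {op!r}")
        return ("eq" if op in EQ_OPS else "ne", tok, self._next().lower())


def _field_matches(frame: dict, field: str, value: str) -> bool:
    if field == "type":
        return value == "all" or frame["type"] in TYPE_CLASSES.get(value, {value})
    return str(frame.get(field, "")).lower() == value


def evaluate(node, frame: dict) -> bool:
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], frame) or evaluate(node[2], frame)
    if kind == "and":
        return evaluate(node[1], frame) and evaluate(node[2], frame)
    hit = _field_matches(frame, node[1], node[2])
    return hit if kind == "eq" else not hit


def matches(spec: str, frame: dict) -> bool:
    """True if the frame (a dict keyed by the filter fields) passes the filter spec."""
    return evaluate(FilterParser(spec).parse(), frame)


# Constructed frames, not captured data.
SAMPLE_FRAMES = [
    {"type": "beacon", "sta": "6cf37fba6570", "dir": "fromds", "wep": 0},
    {"type": "data", "sta": "000000010203", "dir": "tods", "wep": 1},
    {"type": "ack", "sta": "000000010203", "dir": "fromds", "wep": 0},
]


def count_matching(spec: str, frames=SAMPLE_FRAMES) -> int:
    return sum(1 for f in frames if matches(spec, f))
```

Running the guide's own filter examples through count_matching shows how the two spellings of each operator are equivalent and why the parenthesised grouping matters: (type eq beacon) or ((sta eq 000000010203) and (dir eq tods)) admits the beacon and the to-DS data frame but not the ack, because the and clause binds the station address to the direction.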
Examples
The following command starts a raw packet capture session for the AP ly115 on radio 0, and sends the packets to
the client at 10.64.102.4 on port 5000.
(host) (config) #ap packet-capture raw-start ap-name ly115 10.64.102.4 5000 0 radio 0
Packet capture has started for pcap-id:1
The following commands open UDP port 5555 on the AP and start an interactive packet capture session for the AP ap1,
sending all frames to the client at 192.168.0.3 on port 5555.
#ap packet-capture open-port 5555
#ap packet-capture interactive ap-name ap1 "type eq all" 192.168.0.3 5555 radio 0
The output of the command in the example below displays packet capture session statistics for the AP ap1. In the
command-line interface the output appears as a single, long table; here each column is listed on its own line.
#show ap packet-capture status ap-name ap1
Packet Capture Sessions at ap1, IP 10.3.44.167
pcap-id: 1
filter: type eq all
max-pkt-size: 65536
type: interactive
num-pkts: 3759
intf: 6c:f3:7f:ba:65:70
status: in-progress
channel: 153
max-pkts: 0
url target: 192.168.0.3/5555
Radio ID: 0
Related Commands
To view the status of outstanding packet capture (pcap) sessions, use show ap packet-capture status.
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 3.4: The maxlen parameter was introduced, and the pcap start command was deprecated.
ArubaOS 6.2: Name changed from pcap to ap packet-capture.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Works in Access Point, Air Monitor, and Spectrum Monitor modes on all AP models, in enable mode.
ap process restart
ap process restart
{ap-name <ap-name>}|{ip-addr <ip>}|{ip6-addr <ip6>}
Description
Use this command to restart the AP process of a particular AP.
Syntax
ap-name <ap-name>
    Name of the AP.
ip-addr <ip-addr>
    IPv4 address of the AP.
ip6-addr <ip6-addr>
    IPv6 address of the AP.
Usage Guidelines
This command should only be used under the guidance of Aruba technical support.
Command History
Introduced in ArubaOS 6.3.
Command Information
Platforms: Available on all platforms.
Licensing: Base operating system
Command Mode: Enable mode on master or local controllers
ap regulatory-domain-profile
ap regulatory-domain-profile <profile>
clone <profile>
country-code <code>
no ...
valid-11a-40mhz-channel-pair <valid-11a-40mhz-channel-pair>
valid-11a-80mhz-channel-group <valid-11a-80mhz-channel-group>
valid-11a-channel <num>
valid-11g-40mhz-channel-pair <valid-11g-40mhz-channel-pair>
valid-11g-channel <num>
Description
This command configures an AP regulatory domain profile.
Syntax
<profile>
    Name of this instance of the profile. The name must be 1-63 characters.
clone <profile>
    Name of an existing regulatory domain profile from which parameter values are copied.
country-code <code>
    Code that represents the country in which the APs will operate. The country code determines the 802.11 wireless transmission spectrum. Improper country code assignment can disrupt wireless transmissions. Most countries impose penalties and sanctions on operators of wireless networks with devices set to improper country codes. Default: the country code configured on the master controller during initial setup.
no
    Negates any configured parameter.
valid-11a-40mhz-channel-pair <valid-11a-40mhz-channel-pair>
    Specify a channel pair valid for 40 MHz operation in the 802.11a frequency band for the specified regulatory domain. The two channels must be separated by a dash, for example 36-40, 44-48 or 52-56. Default: the country code determines the supported channel pairs.
    Note: Changing the country code causes the valid channel lists to be reset to the defaults for the country.
valid-11a-80mhz-channel-group <valid-11a-80mhz-channel-group>
    Defines which 80 MHz channels in the “a” band are available for assignment by ARM, and for the controller to assign randomly if the user has not specified a channel. The channel numbers correspond to the channel center frequency.
valid-11a-channel <num>
    Enter a single 802.11a channel number for 20 MHz operation within the specified regulatory domain. Default: the country code determines the supported channels.
    Note: Changing the country code causes the valid channel lists to be reset to the defaults for the country.
valid-11g-40mhz-channel-pair <valid-11g-40mhz-channel-pair>
    Specify a channel pair valid for 40 MHz operation in the 802.11g frequency band for the specified regulatory domain. The two channels must be separated by a dash, for example 1-5, 2-6 or 7-11. Default: the country code determines the supported channel pairs.
    Note: Changing the country code causes the valid channel lists to be reset to the defaults for the country.
valid-11g-channel <num>
    Enter a single 802.11g channel number for 20 MHz operation within the specified regulatory domain. Default: the country code determines the supported channels.
    Note: Changing the country code causes the valid channel lists to be reset to the defaults for the country.
Usage Guidelines
This profile configures the country code and valid channels for operation of APs. The list of valid channels only
affects the channels that may be selected by ARM or by the controller when no channel is configured. Channels that
are specifically configured in the AP radio settings profile (see rf dot11a-radio-profile or rf dot11g-radio-profile) must
be valid for the country and the AP model.
A controller shipped to certain countries, such as the U.S. and Israel, cannot terminate APs with regulatory domain
profiles that specify different country codes from the controller. For example, if a controller is designated for the U.S.,
then only a regulatory domain profile with the “US” country code is valid; setting APs to a regulatory domain profile
with a different country code will result in the radios not coming up. For controllers in other countries, you can mix
regulatory domain profiles on the same controller; for example, one controller can support APs in Japan, Taiwan,
China, and Singapore.
In order for an AP to boot correctly, the country code configured in the AP regulatory domain profile must match the
country code of the LMS. If none of the channels supported by the AP have received regulatory approval by the
country whose country code you selected, the AP will revert to Air Monitor mode.
Examples
The following command configures the regulatory domain profile for APs in Japan:
(host) (config) #ap regulatory-domain-profile rd1
country-code JP
The following command configures a regulatory domain profile for APs in the United States and specifies that the
channel pair 36-40 is allowed for 40 MHz operation in the 5 GHz frequency band:
(host) (config) #ap regulatory-domain-profile usa1
country-code US
valid-11a-40mhz-channel-pair 36-40
The following command configures a regulatory domain profile for APs in the United States and specifies that the
channel pair 1-5 is allowed for 40 MHz operation in the 2.4 GHz frequency band:
(host) (config) #ap regulatory-domain-profile usa1
country-code US
valid-11g-40mhz-channel-pair 1-5
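The channel-pair and 80 MHz channel-group values used in these examples, as an added worked example in Python. It is illustrative code for this page, not Aruba's validation logic and not part of the guide. The per-country allowed-channel sets are constructed for the example and are not a regulatory reference; on a real controller the authoritative list comes from show ap allowed-channels. The 4-channel spacing of a 40 MHz pair and the four 20 MHz channels under an 80 MHz centre channel follow 802.11n/ac channelisation, which the guide's examples (36-40, 1-5, 7-11) are consistent with.

```python
"""Added example: validate regulatory-domain-profile channel values and expand
40 MHz pairs / 80 MHz groups into the 20 MHz channels they occupy.
Not Aruba's implementation; ALLOWED_20MHZ is a constructed illustration."""

# Constructed allowed 20 MHz channel sets; use 'show ap allowed-channels' for real data.
ALLOWED_20MHZ = {
    "US": {"a": {36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116,
                 132, 136, 140, 149, 153, 157, 161, 165},
           "g": set(range(1, 12))},
    "JP": {"a": {36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116,
                 120, 124, 128, 132, 136, 140},
           "g": set(range(1, 14))},
}
# An 80 MHz group is numbered by its centre channel and spans four 20 MHz channels.
_GROUP_OFFSETS = (-6, -2, 2, 6)


def parse_channel_pair(value: str) -> tuple:
    """'36-40' -> (36, 40): two channel numbers separated by a dash, 4 apart."""
    parts = value.split("-")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"channel pair must look like 36-40, got {value!r}")
    lo, hi = sorted(int(p) for p in parts)
    if hi - lo != 4:
        raise ValueError(f"{value!r}: a 40 MHz pair is two adjacent 20 MHz channels (4 apart)")
    return lo, hi


def pair_is_valid(country: str, band: str, value: str) -> bool:
    """Both halves must be allowed 20 MHz channels for the country and band ('a' or 'g')."""
    lo, hi = parse_channel_pair(value)
    allowed = ALLOWED_20MHZ[country][band]
    return lo in allowed and hi in allowed


def channels_in_80mhz_group(center: int) -> list:
    """Group 42 -> [36, 40, 44, 48]; group 155 -> [149, 153, 157, 161]."""
    return [center + d for d in _GROUP_OFFSETS]


def group_is_valid(country: str, center: int) -> bool:
    """Every 20 MHz channel under the centre channel must be allowed in the country."""
    return all(ch in ALLOWED_20MHZ[country]["a"] for ch in channels_in_80mhz_group(center))


def channel_to_mhz(band: str, channel: int) -> int:
    """Centre frequency: 5 GHz channel n is 5000 + 5n MHz; 2.4 GHz channels 1-13
    are 2407 + 5n MHz and channel 14 is 2484 MHz."""
    if band == "a":
        return 5000 + 5 * channel
    return 2484 if channel == 14 else 2407 + 5 * channel
```

Because changing country-code resets the valid channel lists (see the Note in the table), a check like pair_is_valid is worth re-running against the new country's allowed set after any country-code change rather than trusting the previously configured pairs.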
Related Commands
To view the supported channels, use the show ap allowed-channels command.
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 3.3: Support for the IEEE 802.11n standard, including channel pairs for 40 MHz mode of operation, was introduced.
ArubaOS 5.0: The valid-11a-40mhz-channel-pair and valid-11g-40mhz-channel-pair parameters no longer support the + and - parameters that allowed you to define a primary and backup channel within the channel pair.
ArubaOS 6.3: Support for the valid-11a-80mhz-channel-group parameter was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
ap snmp-profile (deprecated)
Description
This command configures an SNMP profile for APs.
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 3.4: Command deprecated.
ap snmp-user-profile (deprecated)
ap snmp-user-profile <profile>
auth-passwd <password>
auth-prot {md5|none|sha}
clone <profile>
no ...
priv-passwd <password>
user-name <name>
Description
This command configures an SNMPv3 user profile for APs.
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 3.4: Command deprecated.
ap spectrum clear-webui-view-settings
ap spectrum clear-webui-view-settings
Description
Clear a saved spectrum dashboard view.
Syntax
no parameters
Usage Guidelines
Saved spectrum view preferences may not be backwards compatible with the spectrum analysis dashboard in
earlier versions of ArubaOS. If you downgrade to an earlier version of ArubaOS and your client is unable to load a
saved spectrum view in the spectrum dashboard, access the CLI in enable mode and issue this command to delete
the saved spectrum views and display default view settings in the spectrum dashboard.
Command History
Introduced in ArubaOS 6.0.
Command Information
Platforms: All platforms
Licensing: RF Protect license
Command Mode: Enable mode on master or local controllers
ap spectrum local-override
no
override ap-name <ap-name>
spectrum-band 2ghz|5ghz
Description
Convert an AP or AM into a spectrum monitor by adding it to the spectrum local-override list.
Syntax
override ap-name <ap-name>
    Name of an AP whose radio should be converted to a spectrum monitor radio.
spectrum-band 2ghz|5ghz
    Spectrum band or portion of the band to be monitored by the spectrum monitor radio. Range: 2ghz (channels 1-14), 5ghz (channels 36-64, 100-140 and 149-165). Default: 2ghz.
Usage Guidelines
There are two ways to change an AP that supports the spectrum monitor feature into a spectrum monitor. You can
assign that AP to an 802.11a and 802.11g radio profile that is already set to spectrum mode, or you can temporarily
change the AP into a spectrum monitor using a local spectrum override profile. When you use a local spectrum
override profile to override an AP’s mode setting, that AP will begin to operate as a spectrum monitor, but will remain
associated with its previous 802.11a and 802.11g radio profiles. If you change any parameter (other than the
overridden mode parameter) in the spectrum monitor’s 802.11a or 802.11g radio profiles, the spectrum monitor will
immediately update with the change. When you remove the local spectrum override, the spectrum monitor will revert
to its previous mode and remain assigned to the same 802.11a and 802.11g radio profiles as before.
For a list of APs that can be converted into a spectrum monitor or hybrid AP, refer to the Spectrum Analysis chapter of
the ArubaOS 6.4 User Guide.
Related Commands
show ap spectrum local-override: Shows a list of AP radios currently converted to spectrum monitors via the spectrum local-override list. Mode: Config mode on master or local controllers.
Command History
ArubaOS 6.0: Command introduced.
ArubaOS 6.2: The spectrum-band parameter supports a 5ghz value, allowing an AP to monitor the entire 5 GHz radio band. Previous versions of ArubaOS supported 5ghz-lower, 5ghz-middle and 5ghz-upper settings.
Command Information
Platforms: All platforms
Licensing: RF Protect license
Command Mode: Config mode on master controllers
ap system-profile
ap system-profile <profile>
aeroscout-rtls-server ip-or-dns <ipaddr-or-dns> port <port> include-unassoc-sta
am-scan-rf-band [a | g | all]
bkup-lms-ip <ipaddr>
bkup-lms-ipv6 <ipaddr>
lms-ping-interval
bootstrap-threshold <number>
clone <profile>
dns-domain <domain>
double-encrypt
dump-server <server>
gre-striping-ip
heartbeat-dscp <number>
heartbeat-in <secs>
led-mode normal|off
lms-hold-down-period <seconds>
lms-ip <ipaddr>
lms-ipv6 <ipaddr>
lms-preemption
maintenance-mode
max-request-retries <number>
mtu <bytes>
native-vlan-id <vlan>
no ...
number_ipsec_retries
rap-bw-total
rap-bw-resv-1
rap-bw-resv-2
rap-bw-resv-3
rap-dhcp-default-router <ipaddr>
rap-dhcp-dns-server <ipaddr>
rap-dhcp-lease <days>
rap-dhcp-pool-end <ipaddr>
rap-dhcp-pool-netmask <netmask>
rap-dhcp-pool-start <ipaddr>
rap-dhcp-server-id <ipaddr>
rap-dhcp-server-vlan <vlan>
rap-gre-mtu
rap-local-network-access
request-retry-interval <seconds>
rf-band <band>
rtls-server ip-or-dns <ipaddr-or-dns> port <port> key <key> station-message-frequency <seconds> include-unassoc-sta
session-acl <acl>
spanning-tree
syscontact <name>
telnet
Description
This command configures an AP system profile.
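Several parameters of this profile constrain each other (the three rap-bw-resv values against rap-bw-total, the RAP DHCP pool addresses against their netmask, rap-dhcp-server-vlan against the native VLAN) and several drive timers on the AP, the controller and any NAT device in front of a RAP. The following added worked example in Python lints a candidate profile against the ranges and rules stated in the syntax table below. It is illustrative code written for this page, not an ArubaOS feature and not Aruba's code; the sample profile is constructed, the rule that rap-gre-mtu should not exceed mtu is an assumption the table does not state, and the rebootstrap timer assumes the miss count scales with heartbeat-in.

```python
"""Added example: pre-flight lint for an ap system-profile, using the numeric
ranges and cross-parameter rules from the syntax table.
Not an ArubaOS feature; EXAMPLE_PROFILE is constructed."""
import ipaddress

# (min, max) per parameter, copied from the syntax table.
RANGES = {
    "bootstrap-threshold": (1, 65535),
    "heartbeat-dscp": (0, 63),
    "heartbeat-in": (1, 60),
    "lms-hold-down-period": (1, 3600),
    "lms-ping-interval": (10, 60),
    "max-request-retries": (1, 65535),
    "mtu": (1024, 1578),
    "number_ipsec_retries": (1, 1000),
    "rap-dhcp-lease": (0, 30),
    "rap-gre-mtu": (1024, 1578),
    "request-retry-interval": (1, 65535),
}

# Table defaults for the RAP DHCP pool, applied when the profile leaves them unset.
DHCP_DEFAULTS = {
    "rap-dhcp-pool-start": "192.168.11.2",
    "rap-dhcp-pool-end": "192.168.11.254",
    "rap-dhcp-pool-netmask": "255.255.255.0",
    "rap-dhcp-default-router": "192.168.11.1",
    "rap-dhcp-server-id": "192.168.11.1",
}


def check_ranges(profile: dict) -> list:
    """Flag every numeric parameter that lies outside its documented range."""
    return [f"{k}={profile[k]} outside {lo}-{hi}"
            for k, (lo, hi) in RANGES.items()
            if k in profile and not lo <= int(profile[k]) <= hi]


def check_relationships(profile: dict) -> list:
    """Cross-parameter rules the table states in prose, plus one labelled assumption."""
    p = {**DHCP_DEFAULTS, **profile}
    problems = []
    # Assumption (not stated in the table): GRE packets to the controller ride the
    # wired uplink, so rap-gre-mtu should not exceed the wired-link mtu.
    if "rap-gre-mtu" in p and "mtu" in p and p["rap-gre-mtu"] > p["mtu"]:
        problems.append("rap-gre-mtu exceeds mtu")
    # The sum of rap-bw-resv-1..3 should not exceed rap-bw-total.
    reserved = sum(p.get(f"rap-bw-resv-{i}", 0) for i in (1, 2, 3))
    if "rap-bw-total" in p and reserved > p["rap-bw-total"]:
        problems.append(f"reserved uplink bandwidth {reserved} kbps exceeds rap-bw-total {p['rap-bw-total']}")
    # Entering the native VLAN ID as rap-dhcp-server-vlan makes the RAP DHCP server unavailable.
    if p.get("rap-dhcp-server-vlan") == p.get("native-vlan-id", 1):
        problems.append("rap-dhcp-server-vlan equals native-vlan-id, so the RAP DHCP server is unavailable")
    # Pool end, default router and server id must sit inside the pool's subnet.
    subnet = ipaddress.ip_network(f"{p['rap-dhcp-pool-start']}/{p['rap-dhcp-pool-netmask']}", strict=False)
    for key in ("rap-dhcp-pool-end", "rap-dhcp-default-router", "rap-dhcp-server-id"):
        if ipaddress.ip_address(p[key]) not in subnet:
            problems.append(f"{key}={p[key]} is not in {subnet}")
    return problems


def timing(profile: dict) -> dict:
    """Timers derived from the table: the AP rebootstraps after bootstrap-threshold
    consecutive missed heartbeats (assumed to be sent every heartbeat-in seconds),
    the controller tears the GRE tunnel down after 1.5 x bootstrap-threshold seconds
    of inactivity, and a NAT device in front of a RAP should keep UDP state for at
    least lms-ping-interval + 30 seconds."""
    threshold = profile.get("bootstrap-threshold", 8)
    return {
        "ap-rebootstrap-after-s": threshold * profile.get("heartbeat-in", 1),
        "controller-tunnel-timeout-s": 1.5 * threshold,
        "nat-udp-timeout-min-s": profile.get("lms-ping-interval", 20) + 30,
    }


# Constructed sample profile with three deliberate mistakes.
EXAMPLE_PROFILE = {
    "bootstrap-threshold": 8, "heartbeat-in": 1, "lms-ping-interval": 20,
    "heartbeat-dscp": 70,                                                 # outside 0-63
    "mtu": 1500, "rap-gre-mtu": 1200,
    "rap-bw-total": 2000, "rap-bw-resv-1": 1000, "rap-bw-resv-2": 1500,  # 2500 > 2000
    "native-vlan-id": 1, "rap-dhcp-server-vlan": 1,                      # DHCP server off
}


def lint(profile: dict = EXAMPLE_PROFILE) -> list:
    return check_ranges(profile) + check_relationships(profile)


if __name__ == "__main__":
    for problem in lint():
        print(problem)
    print(timing(EXAMPLE_PROFILE))
```

One caveat the lint follows the table on: number_ipsec_retries is documented with a range of 1-1000 while its description says a value of 0 disables the reboot, so 0 is reported as out of range here; confirm the accepted value on your controller before relying on it.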
Syntax
Parameter
Description
Range
Default
<profile>
Name of this instance of the profile. The name
must be 1-63 characters.
—
“default”
aeroscout-rtlsserver
Enables the AP to send RFID tag information
to an AeroScout real-time asset location
(RTLS) server.
RTLS station reporting includes information
for APs and the clients that the AP has
detected. If you include the include-unassocsta parameter, the station reports will also
include information about clients not
associated to any AP. By default,
unassociated clients are not included in
station reports.
—
—
am-scan-rf-band
Scanning band for multiple RF radios
a, g, all
all
a
Set the scanning band to 802.11a only
—
all
g
Set the scanning band to 802.11g only
—
all
all
Set the scanning band to apply to all bands
—
all
ip-or-dns
IP address or the DNS of the AeroScout
server to which location reports are sent.
—
—
port
Port number on the AeroScout server to which
location reports are sent.
—
—
bkup-lms-ip
In multi-controller networks, specifies the IP
address of a backup to the IP address
specified with the lms-ip parameter.
—
—
bkup-lms-ipv6
In multi-controller ipv6 networks, specifies the
IPv6 address of a backup to the IPv6 address
specified with the lms-ipv6 parameter.
—
—
bootstrapthreshold
Number of consecutive missed heartbeats on
a GRE tunnel (heartbeats are sent once per
second on each tunnel) before an AP
rebootstraps. On the controller, the GRE
tunnel timeout is 1.5 x bootstrap-threshold;
the tunnel is torn down after this number of
seconds of inactivity on the tunnel.
1-65535
8
clone
Name of an existing AP system profile from
which parameter values are copied.
—
—
dns-domain
Name of domain that is resolved by corporate
DNS servers. Use this parameter when
configuring split tunnel.
—
—
double-encrypt
This parameter applies only to remote APs.
Use double encryption for traffic to and from a
wireless client that is connected to a tunneled
SSID.
—
disabled
174 | ap system-profile
ArubaOS 6.4| Reference Guide
Parameter
Description
Range
Default
When enabled, all traffic is re-encrypted in the
IPsec tunnel. When disabled, the wireless
frame is only encapsulated inside the IPsec
tunnel.
All other types of data traffic between the
controller and the AP (wired traffic and traffic
from a split-tunneled SSID) are always
encrypted in the IPsec tunnel.
dump-server
(For debugging purposes.) Specifies the
server to receive a core dump generated
when an AP process crashes.
—
—
gre-striping-ip
Specify an IPv4 address for the .g radio of the
controller to allow LACP enabled switches to
send traffic for the 2 radios on different links.
Recommended value is LMS_IP+1.
—
—
heartbeat-dscp
Define the DSCP value of AP heartbeats.
Use this feature to prioritize AP heartbeats
and prevent the AP from losing connectivity
with the controller over high-latency or
low-bandwidth WAN connections.
0-63
0
heartbeat-in <secs>
Set the interval between heartbeat messages
between a remote or campus AP and its associated controller. An increase in the heartbeat
interval increases the time it will take for an
AP to detect the loss in connectivity to the controller, but can reduce internet bandwidth consumed by a remote AP.
1-60 secs
1 sec
led-mode
The operating mode for the AP LEDs. This
option is available on all 802.11n indoor
AP platforms.
normal
Display LEDs in normal mode.
off
Turn off all LEDs.
normal
lms-hold-downperiod
Time, in seconds, that the primary LMS must
be available before an AP returns to that LMS
after failover.
1-3600
600 seconds
lms-ip
In multi-controller networks, this parameter
specifies the IP address of the local
management switch (LMS)—the
Arubacontroller—which is responsible for
terminating user traffic from the APs, and
processing and forwarding the traffic to the
wired network. This can be the IP address of
the local or master controller.
When using redundant controllers as the
LMS, set this parameter to be the VRRP IP
address to ensure that APs always have an
active IP address with which to terminate
sessions.
—
—
NOTE: If the LMS-IP is blank, the access
ArubaOS 6.4| Reference Guide
ap system-profile | 175
Parameter
Description
Range
Default
point will remain on the controller that it finds
using methods like DNS or DHCP. If an IP
address is configured for the LMS IP
parameter, the AP will be immediately
redirected to the controller at that address.
lms-ipv6
In multi-controller ipv6 networks, specifies the
IPv6 address of the local management switch
(LMS)—the controller—which is responsible for
terminating user traffic from the APs, and
processing and forwarding the traffic to the
wired network. This can be the IP address of
the local or master controller.
When using redundant controllers as the
LMS, set this parameter to be the VRRP IP
address to ensure that APs always have an
active IP address with which to terminate
sessions.
—
—
lms-ping-interval
Specifies the interval at which application
level ping needs to be sent to primary controller to check the reachability. Applicable
only for RAP.
10-60
seconds
20 seconds
—
disabled
NOTE: If this parameter is changed, UDP
session timeout on an intermediate router
which performs NATing should be set
accordingly. The preferred timeout value is
(lms-ping-interval + 30sec).
lms-preemption
Automatically reverts to the primary LMS IP
address when it becomes available.
maintenancemode
Enable or disable AP maintenance mode.
This setting is useful when deploying,
maintaining, or upgrading the network.
If enabled, APs stop flooding unnecessary
traps and syslog messages to network
management systems or network operations
centers when deploying, maintaining, or
upgrading the network. The controller still
generates debug syslog messages if debug
logging is enabled.
max-request-re
tries
Maximum number of times to retry APgenerated requests, including keepalive
messages. After the maximum number of
retries, the AP either tries the IP address
specified by the bkup-lms-ip (if configured) or
reboots.
1-65535
10
mtu
MTU, in bytes, on the wired link for the AP.
10241578
—
native-vlan-id
Native VLAN for bridge mode virtual APs
(frames on the native VLAN are not tagged
with 802.1q tags).
—
1
no
Negates any configured parameter.
—
—
176 | ap system-profile
disabled
number-ipsec-retries
    The number of times the AP will attempt to recreate an IPsec tunnel with the master controller before the AP reboots. A value of 0 disables the reboot.
    Range: 1-1000 | Default: 85
rap-bw-total
    The total reserved uplink bandwidth (in kilobits per second).
    Range: — | Default: —
rap-bw-resv-1, rap-bw-resv-2, rap-bw-resv-3
    Session ACLs with uplink bandwidth reservation in kilobits per second. You can specify up to three session ACLs to reserve uplink bandwidth. The sum of the three uplink bandwidths should not exceed the rap-bw-total value.
    Range: — | Default: —
rap-dhcp-default-router
    IP address of the default DHCP router.
    Range: — | Default: 192.168.11.1
rap-dhcp-dns-server
    IP address of the DNS server.
    Range: — | Default: 192.168.11.1
rap-dhcp-lease
    The number of days for which the assigned IP address is valid for the client. Specify the lease in <days>. 0 indicates the IP address is always valid; the lease does not expire.
    Range: 0-30 | Default: 0
rap-dhcp-pool-end
    Configures a DHCP pool for remote APs. This is the last IP address of the DHCP pool.
    Range: — | Default: 192.168.11.254
rap-dhcp-pool-netmask
    Configures a DHCP pool for remote APs. This is the netmask used for the DHCP pool.
    Range: — | Default: 255.255.255.0
rap-dhcp-pool-start
    Configures a DHCP pool for remote APs. This is the first IP address of the DHCP pool.
    Range: — | Default: 192.168.11.2
rap-dhcp-server-id
    IP address used as the DHCP server identifier.
    Range: — | Default: 192.168.11.1
rap-dhcp-server-vlan
    VLAN ID of the remote AP DHCP server used if the controller is unavailable. This VLAN enables the DHCP server on the AP (also known as the remote AP DHCP server VLAN). If you enter the native VLAN ID, the DHCP server is unavailable.
    Range: — | Default: —
rap-gre-mtu
    Configures the maximum size of the GRE packets exchanged between a RAP and the controller.
    Range: 1024-1578 bytes | Default: 1200 bytes
rap-local-network-access
    Enable or disable local network access across VLANs in a Remote AP.
    Range: — | Default: disabled
request-retry-interval
    Interval, in seconds, between the first and second retries of AP-generated requests. If the configured interval is less than 30 seconds, the interval for subsequent retries is increased up to 30 seconds.
    Range: 1-65535 | Default: 10 seconds
rf-band
    For APs that support both a and b/g RF bands, the RF band in which the AP should operate:
    - g = 2.4 GHz
    - a = 5 GHz
    Range: a/g | Default: g
rtls-server
    Enables the AP to send RFID tag information to an RTLS server.
    Range: — | Default: —
  ip-or-dns
    IP address or DNS name of the RTLS server to which location reports are sent.
    Range: — | Default: —
  port
    Port number on the server to which location reports are sent.
    Range: — | Default: —
  key
    Shared secret key.
    Range: — | Default: —
  station-message-frequency
    Indicates how often packets are sent to the server.
    Range: 5-3600 | Default: 30 seconds
  include-unassoc-sta
    RTLS station reporting includes information for APs and the clients that the AP has detected. If you include the include-unassoc-sta parameter, the station reports will also include information about clients not associated to any AP. By default, unassociated clients are not included in station reports.
    Range: — | Default: disabled
session-acl
    Session ACL configured with the ip access-list session command.
    NOTE: This parameter requires the PEFNG license.
    Range: — | Default: —
spanning-tree
    Enables the spanning-tree protocol.
    Range: — | Default: disabled
syscontact
    SNMP system contact information.
    Range: — | Default: —
telnet
    Enable or disable telnet to the AP.
    Range: — | Default: disabled
Usage Guidelines
The AP system profile configures AP administrative operations, such as logging levels.
Example
The following command sets the LMS IP address in an AP system profile:
(host) (config) #ap system-profile local1
lms-ip 10.1.1.240
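As an added illustration of the constraints in the parameter table above (example code written for this page, not Aruba's, and ArubaOS exposes no such API), the following Python checks a planned profile against the documented lms-ping-interval range, the RAP DHCP pool geometry, the rap-dhcp-server-vlan rule and the rap-bw-resv limit; the profile values are constructed, and the field names simply mirror the CLI parameter names.

```python
# Added example (not from the ArubaOS reference): lint the RAP-related values
# of an `ap system-profile` against the ranges and rules documented in the
# parameter table before pushing the profile to a controller.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ApSystemProfile:
    """Subset of ap system-profile parameters; defaults are the documented ones."""
    lms_ip: str
    bkup_lms_ip: Optional[str] = None
    lms_ping_interval: int = 20          # seconds, documented range 10-60 (RAP only)
    native_vlan_id: int = 1
    rap_dhcp_server_vlan: Optional[int] = None
    rap_dhcp_pool_start: str = "192.168.11.2"
    rap_dhcp_pool_end: str = "192.168.11.254"
    rap_dhcp_pool_netmask: str = "255.255.255.0"
    rap_dhcp_default_router: str = "192.168.11.1"
    rap_dhcp_dns_server: str = "192.168.11.1"
    rap_dhcp_server_id: str = "192.168.11.1"
    rap_dhcp_lease: int = 0              # days, 0-30; 0 means the lease never expires
    rap_bw_total: Optional[int] = None   # reserved uplink bandwidth, kbit/s
    rap_bw_resv: List[int] = field(default_factory=list)  # up to three ACL reservations


def nat_udp_timeout(profile: ApSystemProfile) -> int:
    """Preferred UDP session timeout on a NAT router between RAP and controller
    (the table gives it as lms-ping-interval + 30 seconds)."""
    return profile.lms_ping_interval + 30


def validate(profile: ApSystemProfile) -> List[str]:
    """Return the list of rule violations; an empty list means the profile passes."""
    problems: List[str] = []

    if not 10 <= profile.lms_ping_interval <= 60:
        problems.append("lms-ping-interval must be 10-60 seconds")
    if not 0 <= profile.rap_dhcp_lease <= 30:
        problems.append("rap-dhcp-lease must be 0-30 days")

    # RAP DHCP pool: end, default router and server-id must sit in the subnet
    # defined by pool-start/pool-netmask, and start must not be above end.
    subnet = ipaddress.ip_network(
        f"{profile.rap_dhcp_pool_start}/{profile.rap_dhcp_pool_netmask}", strict=False)
    start = ipaddress.ip_address(profile.rap_dhcp_pool_start)
    end = ipaddress.ip_address(profile.rap_dhcp_pool_end)
    if start > end:
        problems.append("rap-dhcp-pool-start is above rap-dhcp-pool-end")
    for name, value in (("rap-dhcp-pool-end", profile.rap_dhcp_pool_end),
                        ("rap-dhcp-default-router", profile.rap_dhcp_default_router),
                        ("rap-dhcp-server-id", profile.rap_dhcp_server_id)):
        if ipaddress.ip_address(value) not in subnet:
            problems.append(f"{name} {value} is outside the pool subnet {subnet}")
    # General DHCP hygiene (an assumption of this example, not an ArubaOS rule):
    # never lease out the router's or the DHCP server's own address.
    for name, value in (("rap-dhcp-default-router", profile.rap_dhcp_default_router),
                        ("rap-dhcp-server-id", profile.rap_dhcp_server_id)):
        if start <= ipaddress.ip_address(value) <= end:
            problems.append(f"{name} {value} lies inside the leased range")

    # The on-AP DHCP server is unavailable if its VLAN is the native VLAN.
    if (profile.rap_dhcp_server_vlan is not None
            and profile.rap_dhcp_server_vlan == profile.native_vlan_id):
        problems.append("rap-dhcp-server-vlan equals native-vlan-id; "
                        "the RAP DHCP server would be unavailable")

    # Uplink reservations: at most three, and their sum must not exceed rap-bw-total.
    if len(profile.rap_bw_resv) > 3:
        problems.append("at most three rap-bw-resv entries are supported")
    if profile.rap_bw_total is not None and sum(profile.rap_bw_resv) > profile.rap_bw_total:
        problems.append("sum of rap-bw-resv-1..3 exceeds rap-bw-total")

    return problems


if __name__ == "__main__":
    # Constructed sample using the LMS IP from the manual's own example.
    sample = ApSystemProfile(lms_ip="10.1.1.240", rap_dhcp_server_vlan=100)
    print("violations:", validate(sample) or "none")
    print("recommended NAT UDP timeout:", nat_udp_timeout(sample), "seconds")
```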
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 3.2: Support for additional RTLS servers, and remote AP enhancements, was introduced.
ArubaOS 3.3.2:
- Maintenance-mode parameter was introduced.
- Multiple remote AP DHCP server enhancements were introduced.
- Support for RFprotect server and backup server configuration was introduced.
- The mms-rtls-server parameter was deprecated in ArubaOS 3.3.2.
ArubaOS 5.0: The master-ip, rfprotect-server-ip and rfprotect-bkup-server parameters were deprecated.
ArubaOS 6.0: Added support for the option to set the RF scanning band (am-scan-rf-band). The keepalive-interval parameter was deprecated.
ArubaOS 6.2: The default number of IPsec retries defined by number_ipsec_retries was reduced from 360 to 85.
ArubaOS 6.2.1.3: The root-ap parameter was deprecated. This parameter identifies the root AP in a hierarchy of Remote APs.
ArubaOS 6.3:
- The aeroscout-rtls-server include-unassoc-sta parameter was introduced.
- The spanning-tree and heartbeat-in parameters were introduced.
- The rtls-server ip and aeroscout-rtls-server ip parameters were modified to rtls-server ip-or-dns and aeroscout-rtls-server ip-or-dns.
ArubaOS 6.3.1: The gre-striping-ip parameter was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system, except for noted parameters
Command Mode: Config mode on master controllers
ap wipe out flash
ap wipe out flash
ap-name <ap-name>
ip-addr <ip-addr>
Description
Overwrite the entire AP compact flash, destroying its contents (including the current image file).
Syntax
ap-name
    Wipe out the flash of the AP with the specified name.
    Range: — | Default: —
ip-addr
    Wipe out the flash of the AP with the specified IP address.
    Range: — | Default: —
Usage Guidelines
Use this command only under the supervision of Aruba technical support. If you delete the current image in the AP’s
flash memory, the AP will not function until you reload another image.
Command History
This command was introduced in ArubaOS 3.3.2.
Command Information
Platforms: All platforms running ArubaOS 3.3.2.x-FIPS or later.
Licensing: Base operating system
Command Mode: Config mode on master controllers
ap wired-ap-profile
ap wired-ap-profile <profile>
broadcast
clone <profile>
forward-mode {bridge|split-tunnel|tunnel}
no ...
switchport access vlan <vlan> | {mode access|trunk} |trunk {allowed vlan <list>|
add <list> | except <list> | remove <list>}| native vlan <vlan>
trusted
wired-ap-enable
Description
This command configures a wired AP profile.
Syntax
<profile>
    Name of this instance of the profile. The name must be 1-63 characters.
broadcast
    Forward broadcast traffic to this tunnel.
clone
    Name of an existing wired AP profile from which parameter values are copied.
forward-mode
    This parameter controls whether data is tunneled to the controller using generic routing encapsulation (GRE), bridged into the local Ethernet LAN (for remote APs), or a combination thereof depending on the destination (corporate traffic goes to the controller, and Internet access remains local). All forwarding modes support band steering, TSPEC/TCLAS enforcement, 802.11k and station blacklisting.
  tunnel
    In this default forwarding mode, the AP handles all 802.11 association requests and responses, but sends all 802.11 data packets, action frames and EAPOL frames over a GRE tunnel to the controller for processing. The controller removes or adds the GRE headers, decrypts or encrypts 802.11 frames and applies firewall rules to the user traffic as usual.
  bridge
    802.11 frames are bridged into the local Ethernet LAN. When a remote AP or campus AP is in bridge mode, the AP handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.
    An AP in bridge mode supports only the 802.1X authentication type.
    NOTE: Virtual APs in bridge mode using static WEP should use key slots 2-4 on the controller. Key slot 1 should only be used with Virtual APs in tunnel mode.
  split-tunnel
    802.11 frames are either tunneled or bridged, depending on the destination (corporate traffic goes to the controller, and Internet access remains local). An AP in split-tunnel mode supports only the 802.1X authentication type.
    An AP in split-tunnel forwarding mode handles all 802.11 association requests and responses, encryption/decryption, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.
    NOTE: Virtual APs in split-tunnel mode using static WEP should use key slots 2-4 on the controller. Key slot 1 should only be used with Virtual APs in tunnel mode.
no
    Negates any configured parameter.
switchport
    Configures the switching mode characteristics for the port.
  access
    The VLAN to which the port belongs. The default is VLAN 1.
  mode
    The mode for the port, either access or trunk mode. The default is access mode.
  trunk allowed
    Allows multiple VLANs on the port interface. You must define this parameter using VLAN IDs or VLAN names; VLAN IDs and VLAN names cannot be listed together.
  trunk native
    The native VLAN for the port (frames on the native VLAN are not tagged with 802.1q tags).
trusted
    Sets the port as either trusted or untrusted. The default setting is untrusted.
wired-ap-enable
    Enables the wired AP. The wired AP is disabled by default.
Usage Guidelines
This command is only applicable to Aruba APs that support a second Ethernet port. The wired AP profile configures
the second Ethernet port (enet1) on the AP.
For mesh deployments, this command is applicable to all Aruba APs configured as mesh nodes. If you are using
mesh to join multiple Ethernet LANs, configure and enable bridging on the mesh point Ethernet port.
Mesh nodes only support bridge mode and tunnel mode on their wired ports (enet0 or enet1). Split tunnel mode is not
supported.
Use the bridge mode to configure bridging on the mesh point Ethernet port. Use tunnel mode to configure secure jack
operation on the mesh node Ethernet port.
When configuring the Ethernet ports on APs with multiple Ethernet ports, note the following requirements:
- If configured as a mesh portal, connect enet0 to the controller to obtain an IP address. The wired AP profile controls enet1. Only enet1 supports secure jack operation.
- If configured as a mesh point, the same wired AP profile will control both enet0 and enet1.
Example
The following command configures the enet1 port on a multi-port AP as a trunk port:
(host) (config) #ap wired-ap-profile wiredap1
switchport mode trunk
switchport trunk allowed 4,5
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 3.2: The split-tunnel forwarding mode was introduced.
ArubaOS 6.0: Wired ports on campus APs support bridge forwarding mode.
Command Information
Platforms: All platforms
Licensing: Base operating system, except for noted parameters
Command Mode: Config mode on master controllers
ap wired-port-profile
ap wired-port-profile <profile>
aaa-profile <profile>
authentication-timeout <seconds>
clone
enet-link-profile <profile>
lldp-profile <profile>
no
rap-backup
shutdown
spanning-tree
wired-ap-profile <profile>
Description
This command configures a wired port profile.
Syntax
aaa-profile <profile>
    Name of an AAA profile to be used by devices connecting to the AP’s wired port.
authentication-timeout
    Authentication timeout value, in seconds, for devices connecting to the AP’s wired port. The supported range is 1-65535 seconds, and the default value is 20 seconds.
clone <profile>
    Create a new AP wired port profile based upon the values of an existing profile.
enet-link-profile <profile>
    Specify an Ethernet link profile to be used by devices associated with this wired port profile. The Ethernet link profile defines the duplex value and speed to be used by the port.
lldp-profile <profile>
    Specify an LLDP profile to be used by devices associated with this wired port profile. The LLDP profile specifies the type-length-value (TLV) elements to be sent in LLDP PDUs.
no
    Negates any defined parameter.
rap-backup
    Use the rap-backup parameter to use the wired port on a Remote AP for local connectivity and troubleshooting when the AP cannot reach the controller. If the AP is not connected to the controller, no firewall policies will be applied when this option is enabled. (The AAA profile will be applied when the AP is connected to the controller.)
shutdown
    Disable the wired AP port.
spanning-tree
    Enables the spanning-tree protocol.
wired-ap-profile <profile>
    Name of a wired AP profile to be used by devices connecting to the AP’s wired port. The wired AP profile defines the forwarding mode and switchport values used by the port.
Usage Guidelines
This command is only applicable to APs with Ethernet ports. Issue this command to enable or disable the wired port, define an AAA profile for wired port devices, and associate the port with an Ethernet link profile that defines its speed and duplex values.
Example
The following command defines an AAA profile for wired port devices:
(host) (config) #ap wired-port-profile wiredport1
aaa-profile default-open
authentication-timeout 30
wired-ap-profile wiredap1
Command History
ArubaOS 6.0: Command introduced.
ArubaOS 6.3: The spanning-tree parameter was added.
Command Information
Platforms: All platforms
Licensing: Base operating system, except for noted parameters
Command Mode: Config mode on master controllers
apboot
apboot {all [global|local]|ap-group <group> [global|local]|ap-name <name>|ip-addr <ipaddr>|wired-mac <macaddr>}
Description
This command reboots the specified APs.
Syntax
all
    Reboot all APs.
  global
    Reboot APs on all controllers.
  local
    Reboot only APs registered on this controller. This is the default.
ap-group
    Reboot APs in a specified group.
  global
    Reboot APs on all controllers.
  local
    Reboot only APs registered on this controller. This is the default.
ap-name
    Reboot the AP with the specified name.
ip-addr
    Reboot the AP at the specified IP address.
wired-mac
    Reboot the AP at the specified MAC address.
Usage Guidelines
You should not normally need to use this command as APs automatically reboot when you reprovision them. Use
this command only when directed to do so by your Aruba representative.
Example
The following command reboots a specific AP:
(host)(config)# apboot ap-name Building3-Lobby
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on master controllers
apconnect
apconnect {ap-name <name>|bssid <bssid>|ip-addr <ipaddr>} parent-bssid <bssid>
Description
This command instructs a mesh point to disconnect from its current parent and connect to a new parent.
Syntax
ap-name <name>
    Specify the name of the mesh point to be connected to a new parent.
bssid <bssid>
    Specify the BSSID of the mesh point to be connected to a new parent.
ip-addr <ipaddr>
    Specify the IP address of the mesh point to be connected to a new parent.
parent-bssid <bssid>
    BSSID of the parent to which the mesh point should connect.
Usage Guidelines
To maintain a mesh topology created using the apconnect command, Aruba suggests setting the mesh reselection-mode to reselect-never; otherwise the normal mesh reselection mechanisms could break up the selected topology.
Example
The following command connects the mesh point “meshpoint1” to a new parent with the specified BSSID.
(host) (config) #apconnect ap-name meshpoint1 parent-bssid 00:12:6d:03:1c:f1
Related Commands
ap mesh-radio-profile reselection-mode reselect-never
    Use this command to prevent the AP from reselecting a new parent. (Enable or Config mode)
Command History
This command was introduced in ArubaOS 3.4.1.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on master controllers
apdisconnect
apdisconnect {ap-name <name>|bssid <bssid>|ip-addr <ipaddr>}
Description
This command disconnects a mesh point from its parent.
Syntax
ap-name
    Specifies the name of the parent AP.
bssid
    Specifies the BSSID of the parent AP.
ip-addr
    Specifies the IP address of the parent AP.
Usage Guidelines
Each mesh point learns about the mesh portal from its parent (a mesh node that is part of the path to the mesh
portal). This command directs a mesh point to disassociate from its parent. The mesh point will attempt to associate
with another neighboring mesh node, if available. The old parent is not eligible for re-association for 60 seconds after
disconnection.
Example
The following command disconnects a specific mesh point from its parent:
(host) (config) #apdisconnect ap-name meshpoint1
Related Commands
apconnect
    This command connects a mesh point to a new specified parent. (Enable or Config mode)
Command History
This command was introduced in ArubaOS 3.2.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on master controllers
apflash [deprecated]
apflash all|{ap-group <group>}|{ap-name <name>}|{ip-addr <ipaddr>}|{wired-mac <macaddr>} global|local [backup-partition] [server <ipaddr>]
Description
This command reflashes the specified AP. Starting with ArubaOS 6.1, this command can only be run by Aruba
Technical Support or users in support mode.
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 6.0: The global and local parameters were introduced.
ArubaOS 6.1: Command deprecated.
ap-group
ap-group <group>
ap-system-profile <profile>
authorization-profile <profile>
clone <profile>
dot11a-radio-profile <profile>
dot11a-traffic-mgmt-profile <profile>
dot11g-radio-profile <profile>
dot11g-traffic-mgmt-profile <profile>
enet0-port-profile <profile>
enet1-port-profile <profile>
enet2-port-profile <profile>
enet3-port-profile <profile>
enet4-port-profile <profile>
event-thresholds-profile <profile>
ids-profile <profile>
mesh-cluster-profile <profile> priority <priority>
mesh-radio-profile <profile>
no ...
regulatory-domain-profile <profile>
rf-optimization-profile <profile>
virtual-ap <profile>
voip-cac-profile <profile>
Description
This command configures an AP group.
Syntax
<group>
    Name that identifies the AP group. The name must be 1-63 characters.
    NOTE: You cannot use quotes (“) in the AP group name.
    Range: — | Default: “default”
ap-system-profile
    Configures AP administrative operations, such as logging levels. See ap system-profile on page 173.
    Range: — | Default: “default”
authorization-profile
    Restrictive group for unauthorized AP.
    Range: — | Default: —
clone
    Name of an existing AP group from which profile names are copied.
    Range: — | Default: —
dot11a-radio-profile
    Configures 802.11a radio settings and load balancing for the AP group; contains the ARM profile. See rf dot11a-radio-profile on page 602.
    Range: — | Default: “default”
dot11a-traffic-mgmt-profile
    Configures bandwidth allocation. See wlan traffic-management-profile on page 1940.
    Range: — | Default: —
dot11g-radio-profile
    Configures 802.11g radio settings and load balancing for the AP group; contains the ARM profile. See rf dot11a-radio-profile on page 602.
    Range: — | Default: “default”
dot11g-traffic-mgmt-profile
    Configures bandwidth allocation. See wlan traffic-management-profile on page 1940.
    Range: — | Default: —
enet0-port-profile
    Configures the duplex and speed of the Ethernet interface 0 on the AP. For information on how these profiles are defined, see ap wired-port-profile on page 184.
    Range: — | Default: “default”
enet1-port-profile
    Configures the duplex and speed of the Ethernet interface 1 on the AP. For information on how these profiles are defined, see ap wired-port-profile on page 184.
    Range: — | Default: “default”
enet2-port-profile
    Configures the duplex and speed of the Ethernet interface 2 on the AP. These profiles are defined using the command ap wired-port-profile on page 184.
    Range: — | Default: “default”
enet3-port-profile
    Configures the duplex and speed of the Ethernet interface 3 on the AP. These profiles are defined using the command ap wired-port-profile on page 184.
    Range: — | Default: “default”
enet4-port-profile
    Configures the duplex and speed of the Ethernet interface 4 on the AP. For information on how these profiles are defined, see ap wired-port-profile on page 184.
    Range: — | Default: “default”
event-thresholds-profile
    Configures Received Signal Strength Indication (RSSI) metrics. See rf event-thresholds-profile on page 621.
    Range: — | Default: “default”
ids-profile
    Configures Aruba’s Intrusion Detection System (IDS). See ids profile on page 349.
    Range: — | Default: “default”
mesh-cluster-profile
    Configures the mesh cluster profile for mesh nodes that are members of the AP group. There is a “default” mesh cluster profile; however, it is not applied until you provision the mesh node. See ap mesh-cluster-profile on page 145.
    Range: — | Default: “default”
  priority
    Configures the priority of the mesh cluster profile. If more than two mesh cluster profiles are configured, mesh points use this number to identify primary and backup profile(s). The lower the number, the higher the priority.
    Range: 1-16 | Default: 1
mesh-radio-profile
    Configures the 802.11g and 802.11a radio settings for mesh nodes that are members of the AP group. See ap mesh-ht-ssid-profile on page 147.
    Commands to configure mesh for outdoor APs require the Outdoor Mesh license.
    Range: — | Default: “default”
no
    Negates any configured parameter.
    Range: — | Default: —
regulatory-domain-profile
    Configures the country code and valid channels. See ap regulatory-domain-profile on page 165.
    Range: — | Default: “default”
rf-optimization-profile
    Configure coverage hole and interference detection. See rf optimization-profile on page 626.
    Range: — | Default: “default”
virtual-ap
    One or more profiles, each of which configures a specified WLAN. See wlan virtual-ap on page 1945.
    Range: — | Default: “default”
voip-cac-profile
    Configures voice over IP (VoIP) call admission control (CAC) options. See wlan voip-cac-profile on page 1955.
    This parameter requires the PEFNG license.
    Range: — | Default: “default”
Usage Guidelines
AP groups are at the top of the configuration hierarchy. An AP group collects virtual AP definitions and configuration
profiles, which are applied to APs in the group.
Example
The following command configures a virtual AP profile to the “default” AP group:
(host)(config) #ap-group default
virtual-ap corpnet
Related Commands
View AP group settings using the command show ap-group.
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 3.2: Support for the mesh parameters was introduced.
ArubaOS 3.4.1: The voip-cac-profile parameter required the PEF license.
ArubaOS 5.0: The voip-cac-profile parameter requires the PEFV license.
ArubaOS 6.0: The enet-port-profile parameters were introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system, except for noted parameters
Command Mode: Config mode on master controllers
ap-leds
ap-leds {all | ap-group <ap-group> | ap-name <ap-name> | ip-addr <ip address> | wired-mac <mac address>} {global blink|normal}|{local blink|normal}
Description
This command allows you to set the behavior of an AP’s LEDs.
Syntax
all
    Controls the LED behavior for all APs.
ap-group <ap-group>
    Controls the LED behavior for APs in the specified group.
ap-name <ap-name>
    Controls the LED behavior for the AP with the specified name.
ip-addr <ip-addr>
    Controls the LED behavior for the AP with the specified IP address.
wired-mac <mac-addr>
    Controls the LED behavior for the AP with the specified MAC address.
global
    Selects all APs on all controllers.
local
    Selects all APs registered on this controller.
blink
    Causes the LEDs to blink for identification.
normal
    Restores the LEDs to their normal behavior.
Usage Guidelines
Use the ap-leds command to make the LEDs on a defined set of APs either blink or display in the currently configured LED operating mode. Note that if the LED operating mode defined in the AP’s system profile is set to “off”, then the normal parameter in the ap-leds command will disable the LEDs. If the LED operating mode in the AP system profile is set to “normal”, then the normal parameter in this command will allow the LEDs to light as usual.
Example
The following command causes all local APs to blink their LEDs for identification purposes:
ap-leds all local blink
Command History
ArubaOS 3.0: Command introduced.
Command Information
Platforms: Available on all platforms
Licensing: Base operating system
Command Mode: Config mode on master or local controllers
ap-move
ap-move
all
ap-group <ap-group>
ap-name <ap-name>
Description
When HA is enabled, use this command to move an AP or group of APs to their standby controller.
Syntax
all
    Move all APs.
ap-group <ap-group>
    Move all APs belonging to the specified AP group.
ap-name <ap-name>
    Move the specified AP.
Usage Guidelines
When HA is enabled on a pair of controllers, this command should be used when it is necessary to move a single
AP, all APs in an ap-group, or all APs to switchover to their standby controller without an actual failure of the active
controller. For example, this allows the network admin to manually move one or more APs to their standby controller
and perform a planned upgrade or maintenance on the active controller.
Command History
Introduced in ArubaOS 6.3.
Command Information
Platforms: Available on all platforms.
Licensing: Base operating system
Command Mode: Enable mode on master or local controllers
ap-name
ap-name <name>
ap-system-profile <profile>
authorization-profile <profile>
clone <profile>
dot11a-radio-profile <profile>
dot11a-traffic-mgmt-profile <profile>
dot11g-radio-profile <profile>
dot11g-traffic-mgmt-profile <profile>
enet0-profile <profile>
enet1-profile <profile>
event-thresholds-profile <profile>
exclude-mesh-cluster-profile-ap <profile>
exclude-virtual-ap <profile>
ids-profile <profile>
mesh-cluster-profile <profile> priority <priority>
mesh-radio-profile <profile>
no ...
regulatory-domain-profile <profile>
rf-optimization-profile <profile>
snmp-profile <profile>
virtual-ap <profile>
voip-cac-profile <profile>
Description
This command configures a specific AP.
Syntax
<name>
    Name that identifies the AP. By default, an AP’s name can either be the AP’s Ethernet MAC address, or if the AP has been previously provisioned with an earlier version of ArubaOS, a name in the format <building>.<floor>.<location>. The name must be 1-63 characters.
    NOTE: You cannot use quotes (“) in the AP name.
    Default: —
ap-system-profile
    Configures AP administrative operations, such as logging levels. See ap system-profile on page 173.
    Default: “default”
authorization-profile
    Restrictive group for unauthorized AP.
    Default: —
clone
    Name of an existing AP name from which profile names are copied.
    Default: —
dot11a-radio-profile
    Configures 802.11a radio settings for the AP group; contains the ARM profile. See rf dot11a-radio-profile on page 602.
    Default: “default”
dot11a-traffic-mgmt-profile
    Configures bandwidth allocation. See wlan traffic-management-profile on page 1940.
    Default: —
dot11g-radio-profile
    Configures 802.11g radio settings for the AP group; contains the ARM profile. See rf dot11a-radio-profile on page 602.
    Default: “default”
dot11g-traffic-mgmt-profile
    Configures bandwidth allocation. See wlan traffic-management-profile on page 1940.
    Default: —
enet0-profile
    Configures the duplex and speed of the Ethernet 0 interface on the AP. See ap enet-link-profile on page 134.
    Default: “default”
enet1-profile
    Configures the duplex and speed of the Ethernet 1 interface on the AP. See ap enet-link-profile on page 134.
    Default: “default”
event-thresholds-profile
    Configures Received Signal Strength Indication (RSSI) metrics. See rf event-thresholds-profile on page 621.
    Default: “default”
exclude-mesh-cluster-profile-ap
    Excludes the specified mesh cluster profile from this AP. The Secure Enterprise Mesh license must be installed.
    Default: —
exclude-virtual-ap
    Excludes the specified virtual AP profiles from this AP.
ids-profile
    Configures Aruba’s Intrusion Detection System (IDS). See ids profile on page 349.
    Default: “default”
mesh-cluster-profile
    Configures the mesh cluster profile for the AP (mesh node). There is a “default” mesh cluster profile; however, it is not applied until you provision the mesh node. See ap mesh-cluster-profile on page 145. The Secure Enterprise Mesh license must be installed.
    Default: “default”
  priority
    Configures the priority of the mesh cluster profile. If more than two mesh cluster profiles are configured, mesh points use this number to identify primary and backup profile(s). The supported range of values is 1-16. The lower the number, the higher the priority.
    Default: 1
mesh-radio-profile
    Configures the 802.11g and 802.11a radio settings for the AP (mesh node). See ap mesh-ht-ssid-profile on page 147. The Secure Enterprise Mesh license must be installed.
    Default: “default”
no
    Negates any configured parameter.
    Default: —
regulatory-domain-profile
    Configures the country code and valid channels. See ap regulatory-domain-profile on page 165.
    Default: “default”
rf-optimization-profile
    Configures load balancing and coverage hole and interference detection. See rf optimization-profile on page 626.
    Default: “default”
snmp-profile
    Configures SNMP-related parameters. See ap snmp-profile (deprecated) on page 168.
    Default: “default”
virtual-ap
    One or more profiles, each of which configures a specified WLAN. See wlan virtual-ap on page 1945.
    Default: “default”
voip-cac-profile
    Configures voice over IP (VoIP) call admission control (CAC) options. See wlan voip-cac-profile on page 1955. This parameter requires the PEFNG license.
    Default: “default”
Usage Guidelines
Profiles that are applied to an AP group can be overridden on a per-AP name basis, and virtual APs can be added or excluded on a per-AP name basis. If a particular profile is overridden for an AP, all parameters from the overriding profile are used. There is no merging of individual parameters between the AP and the AP group to which the AP belongs.
Example
The following command excludes a virtual AP profile from a specific AP:
(host) (config) #ap-name 00:0b:86:c0:cf:d8
exclude-virtual-ap corpnet
Related Commands
View AP settings using the command show ap-name.
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 3.2: Support for mesh parameters was introduced.
ArubaOS 3.4: License requirements changed in ArubaOS 3.4.1, so the voip-cac-profile parameter required the PEF license instead of the Voice Services Module license required in earlier versions.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
ap-regroup
ap-regroup {ap-name <name>|serial-num <num>|wired-mac <macaddr>} <group>
Description
This command moves a specified AP into a group.
Syntax
ap-name
    Name of the AP.
    Default: —
serial-num
    Serial number of the AP.
    Default: —
wired-mac
    MAC address of the AP.
    Default: —
<group>
    Name that identifies the AP group. The name must be 1-63 characters.
    Default: “default”
Usage Guidelines
All APs discovered by the controller are assigned to the “default” AP group. An AP can belong to only one AP group
at a time. You can move an AP to an AP group that you created with the ap-group command.
This command automatically reboots the AP.
Example
The following command moves an AP to the ‘corpnet’ group:
(host)(config) #ap-regroup wired-mac 00:0f:1e:11:00:00 corpnet
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on master controllers
ap-rename
ap-rename {ap-name <name>|serial-num <num>|wired-mac <macaddr>} <new-name>
Description
This command changes the name of an AP to the specified new name.
Syntax
Parameter
    Description
ap-name <name>
    Current name of the AP.
serial-num <num>
    Serial number of the AP.
wired-mac <macaddr>
    MAC address of the AP.
<new-name>
    New name for the AP. The name must be 1-63 characters.
    NOTE: You cannot use quotation marks (") in the AP name.
Usage Guidelines
An AP name must be unique within your network.
This command automatically reboots the AP.
Example
The following command renames an AP:
(host) (config) #ap-rename wired-mac 00:0f:1e:11:00:00 building3-lobby
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on master controllers
app lync traffic-control
app lync traffic-control <profile-name>
clone <source>
no ...
prioritize-desktop-sharing
prioritize-file-transfer
prioritize-video
prioritize-voice
Description
This command creates a traffic control profile that allows the controller to recognize and prioritize a specific type of
Lync traffic in order to apply QoS through the Lync Application Layer Gateway (ALG).
Syntax
Parameter
    Description
clone <source>
    Copy the configuration from another traffic control prioritization profile.
no ...
    Include this parameter to disable Lync ALG prioritization for the specified traffic type.
prioritize-desktop-sharing
    Enable or disable prioritization of desktop-sharing traffic by the Lync ALG.
prioritize-file-transfer
    Enable or disable prioritization of file-transfer traffic by the Lync ALG.
prioritize-video
    Enable or disable prioritization of video traffic by the Lync ALG.
prioritize-voice
    Enable or disable prioritization of voice traffic by the Lync ALG.
Example
All Lync traffic types are recognized and prioritized by default. The following commands disable Lync ALG
prioritization for desktop sharing traffic:
(host) (config) #app lync traffic-control default
(host) (Traffic Control Prioritization Profile "default") #no prioritize-desktop-sharing
Related Commands
show ucc configuration traffic-control lync <profile-name>
    Displays the Lync traffic control profile configuration on the controller.
Command History
ArubaOS 6.4: Command introduced.
NOTE: This command replaces app lync traffic-control (deprecated).
Command Information
Platforms: All platforms
Licensing: This command requires the PEFNG license
Command Mode: Config mode on master or local controllers
app lync traffic-control (deprecated)
app lync traffic-control
no ...
prioritize desktop-sharing
prioritize file-transfer
prioritize video
prioritize voice
Description
This command allows the controller to recognize and prioritize a specific type of Lync traffic in order to apply QoS
through the Lync Application Layer Gateway (ALG).
Command History
ArubaOS 6.3: Command introduced.
ArubaOS 6.4: Command deprecated.
NOTE: This command is replaced by app lync traffic-control <profile-name>.
arm move-sta
arm move-sta <client-mac> <newbssid>
Description
This command moves a client station to another BSSID.
Syntax
Parameter
    Description
<client-mac>
    MAC address of the client to be moved to another BSSID.
<newbssid>
    BSSID of the AP to which the client should associate.
Usage Guidelines
Issue this command to manually move a client to a different BSSID.
Example
The following command moves a client with the MAC address 00:0B:86:01:7A:C0 to the BSSID
00:1C:B3:09:85:15.
(host) (config) #arm move-sta 00:0B:86:01:7A:C0 00:1C:B3:09:85:15
Command History
This command was introduced in ArubaOS 6.3.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local controllers
arp
arp <ipaddr> <macaddr>
Description
This command adds a static Address Resolution Protocol (ARP) entry.
Syntax
Parameter
    Description
<ipaddr>
    IP address of the device to be added.
<macaddr>
    Hardware address of the device to be added, in the format xx:xx:xx:xx:xx:xx.
Usage Guidelines
If the IP address does not belong to a valid IP subnetwork, the ARP entry is not added. If the IP interface that defines
the subnetwork for the static ARP entry is deleted, you will be unable to use the arp command to overwrite the
entry’s current values; use the no arp command to negate the entry and then enter a new arp command.
Example
The following command configures an ARP entry:
(host) (config) #arp 10.152.23.237 00:0B:86:01:7A:C0
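The sequence the usage guidelines describe (an entry accepted only inside a subnet that an IP interface defines, an orphaned entry that cannot be overwritten once that interface is gone, and the no arp step that clears it) can be rehearsed before touching a controller. The following is an added example, not ArubaOS code; it models that behaviour with Python's ipaddress module, and the interface names, subnets and entries in it are constructed for the example.

```python
"""Model of the static-ARP rules described for the `arp` command.

Added example, not ArubaOS code: it simulates the behaviour the usage
guidelines describe. An entry is accepted only if its IP address falls
inside a subnet defined by a configured IP interface and its MAC address
has the xx:xx:xx:xx:xx:xx form; once the interface that defined the
subnet is deleted, the stale entry cannot be overwritten with `arp`,
only removed with `no arp` and re-entered. The interface names, subnets
and entries below are constructed for the example.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


class StaticArpTable:
    def __init__(self, interfaces):
        # interfaces: {"vlan 10": "10.152.23.1/24", ...} (constructed sample)
        self.interfaces = {name: ipaddress.ip_network(cidr, strict=False)
                           for name, cidr in interfaces.items()}
        self.entries = {}  # ip -> (mac, interface that defined its subnet)

    def _interface_for(self, ip):
        for name, net in self.interfaces.items():
            if ip in net:
                return name
        return None

    def arp(self, ip_str, mac):
        """`arp <ipaddr> <macaddr>`: True if the entry was added or updated."""
        if not MAC_RE.match(mac):
            return False
        ip = ipaddress.ip_address(ip_str)
        ifname = self._interface_for(ip)
        if ifname is None:
            # No IP interface defines this subnet: a new entry is not added, and
            # an orphaned entry is not overwritten.
            return False
        self.entries[ip] = (mac.lower(), ifname)
        return True

    def no_arp(self, ip_str):
        """`no arp <ipaddr>`: negates the entry whether or not its interface still exists."""
        return self.entries.pop(ipaddress.ip_address(ip_str), None) is not None

    def no_interface(self, name):
        """Deleting the IP interface leaves its static ARP entries in place but orphaned."""
        self.interfaces.pop(name, None)

    def lookup(self, ip_str):
        entry = self.entries.get(ipaddress.ip_address(ip_str))
        return entry[0] if entry else None


def walkthrough():
    """Replays the sequence from the usage guidelines; returns the result of each step."""
    table = StaticArpTable({"vlan 10": "10.152.23.1/24", "vlan 20": "10.152.24.1/24"})
    steps = [
        table.arp("10.152.23.237", "00:0B:86:01:7A:C0"),  # inside vlan 10: added
        table.arp("192.0.2.5", "00:0B:86:01:7A:C1"),      # no matching subnet: rejected
        table.arp("10.152.23.237", "00-0B-86-01-7A-C2"),  # wrong MAC format: rejected
    ]
    table.no_interface("vlan 10")                          # interface deleted
    steps.append(table.arp("10.152.23.237", "00:0B:86:01:7A:FF"))       # overwrite fails
    steps.append(table.lookup("10.152.23.237") == "00:0b:86:01:7a:c0")  # old value stays
    steps.append(table.no_arp("10.152.23.237"))                         # no arp removes it
    steps.append(table.lookup("10.152.23.237") is None)
    return steps
```

walkthrough() returns one boolean per step; the fourth step is the overwrite that the usage guidelines say will fail, and the sixth is the no arp that succeeds regardless of interface state.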
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
audit-trail
audit-trail [all]
Description
This command enables an audit trail.
Syntax
Parameter
    Description
all
    Enables the audit trail for all commands, including enable mode commands. The audit-trail command without this option enables the audit trail only for commands issued in configuration mode.
Usage Guidelines
By default, the audit trail is enabled for all commands in configuration mode. Commands issued in enable mode are not recorded unless you specify the all keyword, so use audit-trail all if you need a complete record of operator activity on the controller. Use the show audit-trail command to display the content of the audit trail.
Example
The following command enables an audit trail:
(host) (config) #audit-trail
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
backup
backup {flash|pcmcia}
Description
This command backs up compressed critical files in flash.
Syntax
Parameter
    Description
flash
    Backs up flash directories to the flashbackup.tar.gz file.
pcmcia
    Backs up flash images to an external PCMCIA flash card. This option can only be executed on controllers that have a PCMCIA slot.
Usage Guidelines
Use the restore flash command to untar and uncompress the flashbackup.tar.gz file.
Example
The following command backs up flash directories to the flashbackup.tar.gz file:
(host)(config) #backup flash
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config modes on master controllers
banner motd
banner motd <delimiter> <textString>
Description
This command defines a text banner to be displayed at the login prompt when a user accesses the controller.
Syntax
Parameter
    Description (Range)
<delimiter>
    Indicates the beginning and end of the banner text.
<textString>
    The text you want displayed. (Range: up to 1023 characters)
Usage Guidelines
The banner you define is displayed at the login prompt to the controller. The banner is specific to the controller on
which you configure it. The WebUI displays the configured banner at its login prompt, but you cannot use the WebUI
to configure the banner.
The delimiter is a single character that indicates the beginning and the end of the text string in the banner. Select a
delimiter that is not used in the text string you define, because the controller ends the banner when it sees the
delimiter character repeated.
There are two ways of configuring the banner message:
- Enter a space between the delimiter and the beginning of the text string. The text can include any character except a quotation mark ("). Use quotation marks to enclose your text if you are including spaces (spaces are not recognized unless your text string is enclosed in quotation marks; without quotation marks, the text is truncated at the first space). You can also use the delimiter character within quotation marks.
- Press the Enter key after the delimiter to be placed into a mode where you can simply enter the banner text in lines of up to 255 characters, including spaces. Quotation marks are ignored.
Example
The following example configures a banner by enclosing the text within quotation marks:
(host)(config) #banner motd * "Welcome to my controller. This controller is in the production network, so please do not save configuration changes. Zach Jennings is awesome. Maintenance will be performed at 7:30 PM, so please log off before 7:00 PM."*
The following example configures a banner by pressing the Enter key after the delimiter:
(host)(config) #banner motd *
Enter TEXT message [maximum of 1023 characters].
Each line in the banner message should not exceed 255 characters.
End with the character '*'.
Welcome to my controller. This controller is in the production network, so please do not save
configuration changes. Zach Jennings is awesome. Maintenance will be performed at 7:30 PM, so
please log off before 7:00 PM.*
The banner display is as follows:
Welcome to my controller. This controller is in the production network, so please do not save
configuration changes. Zach Jennings is awesome. Maintenance will be performed at 7:30 PM, so
please log off before 7:00 PM.
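The delimiter and quoting rules above decide where a banner is cut, which matters when banners are generated or audited from exported configurations. The following parser is an added example, not ArubaOS code: it applies those rules to both input forms. Requiring the closing delimiter after a quoted string, joining interactively entered lines with newlines, and rejecting a stray quotation mark in unquoted text are assumptions; the sample commands are constructed.

```python
"""Parser for the two `banner motd` input forms described above.

Added example, not ArubaOS code. It reproduces the rules the usage
guidelines state: a single-character delimiter; on the inline form the
text ends at the next delimiter and is truncated at the first space
unless enclosed in quotation marks (inside quotes, spaces and the
delimiter character are allowed, quotation marks themselves are not);
on the interactive form, used when the command line ends right after the
delimiter, each following line may hold up to 255 characters and the
banner ends with a line whose last character is the delimiter. The
1023-character total applies to both. Requiring the closing delimiter
after a quoted string, joining interactive lines with newlines, and
rejecting a stray quotation mark are assumptions.
"""

MAX_BANNER = 1023
MAX_LINE = 255


class BannerError(ValueError):
    """Raised where the controller would reject or refuse to complete the banner."""


def parse_inline(rest, delim):
    """Inline form: the text after `banner motd <delim>` on the same line."""
    if not rest.startswith(" "):
        raise BannerError("expected a space between the delimiter and the text")
    body = rest[1:]
    if body.startswith('"'):
        # Quoted text: spaces and the delimiter are literal; the next quotation
        # mark closes the string, so the text itself cannot contain one.
        end = body.find('"', 1)
        if end == -1:
            raise BannerError("unterminated quotation mark")
        if not body[end + 1:].startswith(delim):  # assumption: delimiter must follow
            raise BannerError("banner not terminated with %r" % delim)
        return body[1:end]
    # Unquoted text: the banner is cut at the first space or at the delimiter,
    # whichever comes first.
    text = []
    for ch in body:
        if ch == " " or ch == delim:
            break
        if ch == '"':  # assumption: the page says the text cannot contain one
            raise BannerError("quotation mark inside unquoted text")
        text.append(ch)
    return "".join(text)


def parse_interactive(lines, delim):
    """Interactive form: lines typed after the prompt, ending with `<delim>`."""
    collected = []
    for line in lines:
        if len(line) > MAX_LINE:
            raise BannerError("line exceeds %d characters" % MAX_LINE)
        if line.endswith(delim):
            collected.append(line[:-1])
            return "\n".join(collected)  # assumption: lines are kept as lines
        collected.append(line)
    raise BannerError("banner not terminated with %r" % delim)


def parse_banner_command(command, following_lines=()):
    """Return the banner text that `command` (plus, for the interactive form,
    the lines typed after it) configures, or raise BannerError."""
    prefix = "banner motd "
    if not command.startswith(prefix) or len(command) == len(prefix):
        raise BannerError("expected: banner motd <delimiter> ...")
    delim, rest = command[len(prefix)], command[len(prefix) + 1:]
    if delim == " ":
        raise BannerError("delimiter must be a single non-space character")
    text = parse_interactive(following_lines, delim) if rest == "" else parse_inline(rest, delim)
    if len(text) > MAX_BANNER:
        raise BannerError("banner exceeds %d characters" % MAX_BANNER)
    return text
```

parse_banner_command("banner motd * hello world*") returns "hello", which is the truncation the guidelines warn about, while the quoted form keeps the whole sentence.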
Command History
This command was introduced in ArubaOS 1.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
boot
boot
cf-test [fast | read-only | read-write]
config-file <filename>
remote-node [all|ip-address <A.B.C.D>]
system partition [0 | 1]
verbose
Description
Configure the boot options for the controller and the remote node.
Syntax
Parameter
    Description
cf-test
    Sets the type of compact flash test to run when booting the controller.
    - fast: Performs a fast test, which does not include media testing.
    - read-only: Performs a read-only media test.
    - read-write: Performs a read-write media test.
config-file <filename>
    Sets the configuration file to use when booting the controller. <filename> is the name of the configuration file from which to boot the controller.
remote-node
    Reloads the remote node controller. Deprecated.
    - all: Reloads all remote nodes on the network.
    - ip-address <A.B.C.D>: Reloads the remote node specified by its IP address.
system partition 0 | 1
    Enter the keywords system partition followed by the partition number (0 or 1) that you want the controller to use during its next boot.
    NOTE: A controller reload is required before the new boot partition takes effect.
verbose
    Prints extra debugging information at boot.
Usage Guidelines
Use the following options to control the boot behavior of the controller:
- cf-test: Test the flash during boot.
- config-file: Set the configuration file to use during boot.
- system: Specify the system partition to use during the controller's next boot.
- verbose: Print extra debugging information during boot. The information is sent to the screen at boot time. Printing the extra debugging information is disabled using the no boot verbose command.
Example
The following command uses the configuration file january-config.cfg the next time the controller boots:
boot config-file january-config.cfg
The following command uses system partition 1 the next time the controller boots:
boot system partition 1
Command History
ArubaOS 1.0: Introduced for the first time.
ArubaOS 6.0: The remote-node parameter was introduced.
ArubaOS 6.2: The remote-node parameter was deprecated.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on master controllers
cellular profile
cellular profile <profile_name>
dialer <group>
driver acm|hso|option|sierra|ptumlusbnet
import <address>
modeswitch {eject <params>}|rezero
no
priority <1-255>
serial <sernum>
tty <ttyport>
user <login> password <password>
vendor <vend_id> product <prod_id>
Description
Create new profiles to support new USB modems or to customize USB characteristics.
Syntax
Parameter
    Description
cellular profile <profile_name>
    Enter the keywords cellular profile followed by your profile name. This command changes the configuration mode and the command line prompt changes to: host (config-cellular <profile_name>)#
dialer <group>
    Enter the keyword dialer followed by a group name to specify the dialing parameters for the carrier. The parameters tend to be common between service providers on the same type of network (CDMA vs. GSM), as displayed by the show dialer group command.
driver acm|hso|option|sierra|ptumlusbnet
    Enter the keyword driver followed by one of the driver options:
    - acm: Linux ACM driver.
    - hso: Option High Speed driver.
    - option: Option USB data card driver (default).
    - sierra: Sierra Wireless driver.
    - ptumlusbnet: Pantech UML290 driver.
import <address>
    Enter the keyword import followed by the USB device address as displayed in the show usb command. Import retrieves the vendor/product serial numbers from the USB device list and populates them into the profile.
modeswitch {eject <params>}|rezero
    Enter the keyword modeswitch followed by either:
    - eject followed by the CDROM device.
    - rezero: Send the SCSI CDROM rezero command.
    Certain cellular devices must be modeswitched before the modem switches to data mode.
no
    Enter the keyword no to negate the command and revert to the defaults.
priority <1-255>
    Enter the keyword priority to override the default cellular priority (100). Range: 1 to 255. Default: 100.
serial <sernum>
    Enter the keyword serial followed by the USB device serial number.
tty <ttyport>
    Enter the keyword tty followed by the modem TTY port (for example, ttyUSB0 or ttyACM0).
user <login> password <password>
    Enter the keyword user followed by your login, and then the keyword password followed by your password, to establish user name authentication.
vendor <vend_id> product <prod_id>
    Enter the keyword vendor followed by the vendor ID in hexadecimal (see show usb), and then the keyword product followed by the product ID listed in the show usb command.
Usage Guidelines
Cellular modems are plug-and-play, and most native USB modems are supported. A cellular modem is activated only if it is the uplink with the highest priority (see show uplink). New profiles can be created with this command to support new data cards or to customize card characteristics. A list of supported modems is published at http://www.arubanetworks.com/products/usb-devices/.
Command History
Introduced in ArubaOS 3.4.
Command Information
Platforms: 600 Series controllers
Licensing: Base operating system
Command Mode: Config mode on master and local controllers
cfgm
cfgm {set config-chunk <kbytes>|set heartbeat <seconds>|set maximum-updates <number>|snapshot-timer <minutes>|sync-command-blocks <number>|sync-type complete|sync-type snapshot}
Description
This command configures the configuration module on the master controller.
Syntax
Parameter
    Description (Range; Default)
set config-chunk <kbytes>
    Maximum packet size, in kilobytes, that is sent every second to the local controller whenever the master controller sends a configuration to the local. If the connection between the master and local is slow or uneven, lower the size to reduce the amount of data that needs to be retransmitted. If the connection is fast and stable, increase the size to make the transmission more efficient. (Range: 1-100; Default: 10 Kbytes)
set heartbeat <seconds>
    Interval, in seconds, at which heartbeats are sent. Increase the interval to reduce traffic load. (Range: 10-300; Default: 10 seconds)
set maximum-updates <number>
    Maximum number of local controllers that can be updated at the same time with configuration changes. Decrease this value on a busy network; increase it to speed up configuration synchronization. (Range: 2-25; Default: 5)
snapshot-timer <minutes>
    Interval, in minutes, that the local controller waits for a configuration download from the master after bootup or startup before loading the last snapshot configuration. (Range: 5-60; Default: 5 minutes)
sync-command-blocks <number>
    Number of command-list blocks. Each block contains a list of global configuration commands for each write-mem operation. (Range: 3-10; Default: 5)
sync-type complete
    The master sends the full configuration file to the local.
sync-type snapshot
    The master sends only the incremental configuration to the local. (Default: enabled)
Usage Guidelines
By default, MMS configuration updates on the controller are disabled to prevent any alterations to the controller configuration. You need to explicitly enable MMS configuration updates for the controller to accept configuration changes from MMS. When MMS configuration updates are enabled, global configuration changes can only be made from MMS and are not available on the master controller. Use the cfgm mms config disable command if the controller loses connectivity to the Mobility Management System and you must enter a configuration change on the master controller.
Example
The following command sets the maximum packet size as 20 KB per second whenever the master controller sends a
configuration to the local :
(host) (config) #cfgm set config-chunk 20
Command History
This command was introduced in ArubaOS 3.1.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
clear
clear
aaa
acl
airgroup {server|statistics|user}
ap
arm
arp
counters
crypto
datapath
dot1x
fault
gap-db
ip
ipc
ipv6
lldp
loginsession
master-local-entry
master-local-session
port
provisioning-ap-list
provisioning-params
rap-wml
update-counter
upgrade-images
voice
vpdn
wms
Description
This command clears various user-configured values from your running configuration.
Syntax
Parameter
    Description
aaa
    Clear all values associated with an authentication profile.
    authentication-server: Clear values specific to one type of authentication server, or to all authentication servers.
        - all: Clear all server statistics.
        - internal: Clear internal server statistics.
        - ldap: Clear LDAP server statistics.
        - radius: Clear RADIUS server statistics.
        - tacacs: Clear TACACS server statistics.
    device-id-cache: Clear the device ID cache.
        - all: Clear all entries in the device ID cache.
        - mac: Clear the device ID cache entries for a MAC address.
    load-balance: Clear load balance statistics.
        - statistics: Clear load balance statistics.
    multiple-server-accounting: Clear multiple server accounting statistics.
        - statistics: Clear multiple server accounting statistics.
    state: Clear the internal state of the authentication modules.
        - configuration: Clear all configured objects.
        - debug-statistics: Clear debug statistics.
        - messages: Clear authentication messages that were sent and received.
acl
    Clear ACL statistics.
    hits: Clear ACL hit statistics.
airgroup
    Clear AirGroup statistics and user entries from the user table.
    server: Clears AirGroup servers.
    statistics:
        - blocked-queries: Clears the statistics of service IDs which were queried but not available in the AirGroup service table.
        - blocked-service-id: Clears the statistics for the list of blocked services.
        - cppm-entries: Clears the statistics displayed by the show airgroup cppm entries command.
        - internal-state: Clears internal state statistics of the mDNS module.
        - multi-controller: Clears the statistics maintained for multi-controller message exchanges.
        - query: Clears statistics maintained in the user and server table.
        - service: Clears statistics maintained in the AirGroup service table.
    user:
        - <mac address>: Clears the AirGroup server MAC addresses.
        - dlna: Clears the AirGroup DLNA users.
        - mdns: Clears the AirGroup mDNS users.
        - all: Removes the current AirGroup user entries from the user table.
ap
    Clear all AP related information.
    arm bandwidth-management: Clears AP bandwidth management table counters. An AP can be specified by ap-name, BSSID, IPv4 address, or IPv6 address.
    arm client-match:
        - summary: Clears the client match summary information.
        - unsupported: Clears the MAC address of an unsteerable client or clients.
    crash-info: Clears AP crash information. An AP can be specified by ap-name, IPv4 address, or IPv6 address.
    debug:
        - bss-dmo-stats: Clears DMO debug statistics from a specific BSSID of an AP.
        - client-stats: Clears statistics from a client.
        - dot11r {efficiency-stat}: Clears 802.11r related statistics.
        - lldp: Clears Link Layer Discovery Protocol information.
        - radio-stats: Clears aggregate radio debug statistics of an AP.
    mesh: Clear all mesh information.
    port: Toggle the link on the specified port.
    remote flash-config: Clears the flash configuration from a specified AP. An AP can be specified by ap-name, BSSID, IPv4 address, or IPv6 address.
arm
    Clear the following types of ARM client match information:
    - client-match-summary
    - client-match-unsteerable
arp
    Clear all ARP table information. You can either clear all information or enter the IP address of the ARP entry to clear a specific value.
counters
    Clear interface counters.
    fastethernet: Clears counters for fastethernet ports.
    gigabitethernet: Clears counters for gigabitethernet ports.
    tunnel: Clears all tunnel counters on interface ports.
    vrrp [ipv6]: Clears all VRRP counters on interface ports. Include the ipv6 parameter to clear IPv6 counters.
crypto
    Clears the specified crypto information. Clearing IPsec or ISAKMP security associations tears down the affected tunnels; the peers must renegotiate before traffic flows again.
    dp: Clears the latest crypto DP packets.
    ipsec sa: Clears IPsec security associations.
    isakmp sa: Clears ISAKMP security associations.
    stats: Clears crypto statistics.
datapath
    Clears all configuration values and statistics for the following datapath modules:
    - application {counters}
    - bridge {counters}
    - bwm {counters}
    - crypto {counters}
    - debug {performance}
    - dma {counters}
    - eap {counters}
    - frame {counters}
    - hardware {counters|statistics}
    - ip-fragment-table {ipv4|ipv6}
    - ip-reassembly {counters}
    - maintenance {counters}
    - message-queue {counters}
    - mobility {stats}
    - network {ingress}
    - papi {counters}
    - route {counters}
    - route-cache {A.B.C.D|counters}
    - session {counters}
    - ssl {counters}
    - station {counters}
    - tcp {counters}
    - tunnel {counters}
    - user {counters}
    - wifi-reassembly {counters}
    - wmm {counters}
dot1x
    Clears all 802.1X specific counters and supplicant statistics. Use the following parameters:
    - counters
    - supplicant-info
fault
    Clears all SNMP fault configuration.
gap-db
    Clears the global AP database. This command is often used to clear all stale AP records. Use the following parameters:
    - ap-name
    - lms
    - wired-mac
ip
    Clears all IP information from DHCP bindings, IGMP groups and IP mobility configuration. Use the following parameters:
    - dhcp
    - igmp {group|proxy-mobility-group|stats-counters}
    - mobile {multicast-vlan-table|traffic|trail}
ipc
    Clears all inter-process communication statistics.
    - statistics {app-ap|app-id|app-name}
ipv6
    Clears all IPv6 session statistics, multicast listener discovery (MLD) group and member information, MLD statistics, counters, and DHCPv6 binding information. Use the following parameters:
    - datapath {session}
    - dhcp {binding}
    - mld {group|proxy-mobility-group|stats-counters}
    - neighbor
lldp
    Clears LLDP information on all the interfaces. Use the following parameters:
    - neighbors {interface gigabitethernet slot/port}
    - statistics {interface gigabitethernet slot/port}
loginsession
    Clears login session information for a specific login session, as identified by the session ID.
master-local-entry
    Clears local controller information from the master controller LMS list. Specify the IP address of the local controller to be removed from the master controller's active LMS list.
master-local-session
    Clears and resets the master-local TCP connection. Specify the IP address of either the master or the local controller.
port
    Clear port statistics, either the link-event counters or all counters. Use the following parameters:
    - link-event
    - stats
provisioning-ap-list
    Clear AP entries from the provisioning list.
provisioning-params
    Clear provisioning parameters and reset them to the default configuration values.
rap-wml
    Clear the wired MAC lookup cache for a DB server.
update-counter
    Clear all update counter statistics.
upgrade-images
    Clear all upgrade images used by the centralized licensing feature.
voice
    Clear all voice state information. Use the following parameters:
    - call-counters
    - call-status
    - statistics {cac | tspec-enforcement}
vpdn
    Clear VPDN L2TP and PPTP tunnels. Use the following parameters:
    - tunnel l2tp id <l2tp-tunnel-id>
    - tunnel pptp id <pptp-tunnel-id>
wms
    Clear WLAN management information. Use the following parameters:
    - ap: Clear all AP related information. Specify the BSSID of the AP.
    - client: Clear all wired client related information. Specify the MAC address of the client.
    - probe: Clear all probe information. Specify the BSSID of the probe.
Usage Guidelines
The clear command clears the specified parameters of their current values.
Example
The following command clears all aaa counters for all authentication servers:
(host) (config) #clear aaa authentication-server all
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 6.1: The following MLD parameters were added to the ipv6 option:
    - mld group
    - mld stats-counters
ArubaOS 6.3:
    - The device-id-cache, load-balance and multiple-server-accounting parameters were introduced under the aaa parameter.
    - The airgroup parameter was introduced.
    - The dhcp binding parameter under ipv6 was introduced.
    - The proxy-mobility-group parameter under mld was introduced.
    - The ip-fragment-table parameter under datapath was introduced.
ArubaOS 6.4:
    - The lldp parameter was introduced.
    - The server and user options were introduced under the clear airgroup command.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on master controllers
clear wms wired-mac
clear wms wired-mac [all | gw-mac <mac> | monitored-ap-wm <mac> | prop-eth-mac <mac> | reg-ap-oui <mac> | system-gw-mac <mac> | system-wired-mac <mac> | wireless-device <mac>]
Description
Clear learned and collected Wired MAC information. Optionally, enter the MAC address, in nn:nn:nn:nn:nn:nn
format, of the AP that has seen the Wired Mac.
Syntax
Parameter
    Description
all
    Clear all the learned and collected wired MAC information.
gw-mac <mac>
    Clear the gateway wired MAC information collected from the APs.
monitored-ap-wm <mac>
    Clear monitored AP wired MAC information collected from the APs.
prop-eth-mac <mac>
    Clear the wired MAC information collected from the APs.
reg-ap-oui <mac>
    Clear the registered AP OUI information collected from the APs.
system-gw-mac <mac>
    Clear system gateway MAC information learned at the controller.
system-wired-mac <mac>
    Clear system wired MAC information learned at the controller.
wireless-device <mac>
    Clear routers or potential wireless devices information.
Command History
ArubaOS 6.1: Command introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config mode on master controllers
clock append
clock append
Description
This command enables the timestamp feature, adding a date and time to the output of show commands.
Syntax
No parameters.
Usage Guidelines
When you enable the timestamp feature, the command-line interface includes a timestamp in the output of each
show command indicating when the show command was issued. Note that the output of show clock and show log
do not include timestamps, even when this feature is enabled. You can disable timestamps using the command no
clock append.
Example
The following example enables the timestamp feature.
(host)(config) #clock append
Command History
This command was introduced in ArubaOS 6.2.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode
clock set
clock set <year> <month> <day> <time>
Description
This command sets the date and time.
Syntax
Parameter
    Description (Range)
year
    Sets the year. Requires all 4 digits. (Numeric)
month
    Sets the month. Requires the first three letters of the month. (Alphabetic)
day
    Sets the day. (1-31)
time
    Sets the time. Specify hours, minutes, and seconds separated by spaces. (Numeric)
Usage Guidelines
You can configure the year, month, day, and time. You must configure all four parameters.
Specify the time using a 24-hour clock. You must specify the seconds.
Example
The following example configures the clock to January 1st of 2007, at 1:03:52 AM.
(host)(config) #clock set 2007 jan 1 1 3 52
Command History
This command was introduced in ArubaOS 1.0
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
clock summer-time recurring
clock summer-time <WORD> [recurring]
<1-4> <start day> <start month> <hh:mm>
first <start day> <start month> <hh:mm>
last <start day> <start month> <hh:mm>
<1-4> <end day> <end month> <hh:mm>
first <end day> <end month> <hh:mm>
last <end day> <end month> <hh:mm>
[<-23 - 23>]
Description
Set the software clock to begin and end daylight savings time on a recurring basis.
Syntax
Parameter
    Description (Range)
WORD
    Enter the abbreviation for your time zone. For example, PDT for Pacific Daylight Time. (3-5 characters)
1-4
    Enter the week number to start/end daylight savings time. For example, enter 2 to start daylight savings time on the second week of the month. (1-4)
first
    Enter the keyword first to have the time change begin or end on the first week of the month.
last
    Enter the keyword last to have the time change begin or end on the last week of the month.
start day / end day
    Enter the weekday when the time change begins or ends. (Sunday-Saturday)
start month / end month
    Enter the month when the time change begins or ends. (January-December)
hh:mm
    Enter the time, in hours and minutes, that the time change begins or ends. (24-hour clock)
-23 - 23
    Hours offset from Coordinated Universal Time (UTC). (-23 to 23)
Usage Guidelines
This command subtracts exactly 1 hour from the configured time.
The WORD can be any alphanumeric string, but cannot start with a colon (:). A WORD longer than five characters is not
accepted. If you enter a WORD containing punctuation, the command is accepted, but the timezone is set to UTC.
You can configure the time to change on a recurring basis. To do so, set the week, day, month, and time when the
change takes effect (daylight savings time starts). You must also set the week, day, month, and time when the time
changes back (daylight savings time ends).
The start day requires the first three letters of the day. The start month requires the first three letters of the
month.
You also have the option to set the number of hours by which to offset the clock from UTC. This has the same effect
as the clock timezone command.
ArubaOS 6.4| Reference Guide
clock summer-time recurring | 225
Example
The following example sets daylight savings time to occur starting at 2:00 AM on Sunday in the second week of
March, and ending at 2:00 AM on Sunday in the first week of November. The example also sets the name of the time
zone to PST with an offset of UTC - 8 hours.
clock summer-time PST recurring 2 Sun Mar 2:00 first Sun Nov 3:00 -8
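As an added example (not ArubaOS code or Aruba's own documentation), the following Python parses a clock summer-time recurring line, validates every field against the rules and ranges given above, and resolves both transitions to calendar dates for a given year. It assumes that a numeric week means the Nth occurrence of the named weekday in the month, which is how the page's own example (2 Sun Mar = the second Sunday of March) reads.

```python
"""Validate a 'clock summer-time <WORD> recurring ...' line against the field
rules in this reference and resolve both transitions to calendar dates.
Added example, not ArubaOS code. Interpretation assumed here: week N means
the Nth occurrence of the weekday in the month, which matches the page's own
example (2 Sun Mar = the second Sunday of March)."""
import calendar
import re
from datetime import date, time

DAYS = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]   # Sunday-Saturday
MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]        # January-December

# The page's own example line
EXAMPLE_LINE = "clock summer-time PST recurring 2 Sun Mar 2:00 first Sun Nov 3:00 -8"


def effective_zone_name(word):
    """Apply the WORD rules: 3-5 characters and no leading colon, otherwise the
    command is rejected; punctuation is accepted but the zone becomes UTC."""
    if not 3 <= len(word) <= 5 or word.startswith(":"):
        raise ValueError(f"time zone name {word!r} is not accepted")
    return word if word.isalnum() else "UTC"


def _parse_rule(fields):
    """fields = [week, day, month, hh:mm] for one transition."""
    week, day, month, hhmm = fields
    if week.lower() in ("first", "last"):
        week_value = week.lower()
    elif week.isdigit() and 1 <= int(week) <= 4:
        week_value = int(week)
    else:
        raise ValueError(f"week must be 1-4, first or last, got {week!r}")
    # Start day and start month require only the first three letters
    if day[:3].lower() not in DAYS:
        raise ValueError(f"unknown weekday {day!r}")
    if month[:3].lower() not in MONTHS:
        raise ValueError(f"unknown month {month!r}")
    m = re.fullmatch(r"(\d{1,2}):(\d{2})", hhmm)
    if not m or int(m.group(1)) > 23 or int(m.group(2)) > 59:
        raise ValueError(f"time must be hh:mm on a 24-hour clock, got {hhmm!r}")
    return {
        "week": week_value,
        "weekday": DAYS.index(day[:3].lower()),        # 0 = Sunday
        "month": MONTHS.index(month[:3].lower()) + 1,  # 1 = January
        "time": time(int(m.group(1)), int(m.group(2))),
    }


def parse_recurring(line):
    """Return the zone name, start rule, end rule and optional UTC offset."""
    tokens = line.split()
    if len(tokens) < 12 or tokens[:2] != ["clock", "summer-time"] or tokens[3] != "recurring":
        raise ValueError("expected: clock summer-time <WORD> recurring <start> <end> [offset]")
    zone = effective_zone_name(tokens[2])
    start, end = _parse_rule(tokens[4:8]), _parse_rule(tokens[8:12])
    offset = None
    if len(tokens) > 12:
        offset = int(tokens[12])
        if not -23 <= offset <= 23:
            raise ValueError("UTC offset must be between -23 and 23")
    return {"zone": zone, "start": start, "end": end, "utc_offset": offset}


def resolve(rule, year):
    """Calendar date on which a parsed rule fires in the given year."""
    python_weekday = (rule["weekday"] - 1) % 7          # date.weekday(): Monday = 0
    _, days_in_month = calendar.monthrange(year, rule["month"])
    candidates = [d for d in range(1, days_in_month + 1)
                  if date(year, rule["month"], d).weekday() == python_weekday]
    if rule["week"] == "first":
        day = candidates[0]
    elif rule["week"] == "last":
        day = candidates[-1]
    else:
        day = candidates[rule["week"] - 1]
    return date(year, rule["month"], day)


if __name__ == "__main__":
    parsed = parse_recurring(EXAMPLE_LINE)
    for name in ("start", "end"):
        when = resolve(parsed[name], 2014)
        print(f"{name}: {when} at {parsed[name]['time']} "
              f"({parsed['zone']}, UTC{parsed['utc_offset']:+d})")
```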
Command History
This command was introduced in ArubaOS 1.0.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
clock timezone
clock timezone <name> <-23 to 23>
Description
This command sets the time zone on the controller.
Syntax
Parameter | Description | Range
<name> | Name of the time zone. | 3-5 characters
-23 to 23 | Hours offset from UTC. | -23 to 23
Usage Guidelines
The name parameter can be any alphanumeric string, but cannot start with a colon (:). A time zone name longer than
five characters is not accepted. If you enter a time zone name containing punctuation, the command is accepted, but
the time zone is set to UTC.
Example
The following example configures the timezone to PST with an offset of UTC - 8 hours.
clock timezone PST -8
Command History
This command was introduced in ArubaOS 1.0.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
cluster-member-custom-cert
cluster-member-custom-cert member-mac <mac> ca-cert <ca> server-cert <cert> [suite-b <gcm-128 | gcm-256>]
Description
This command sets the controller as a control plane security cluster root, and specifies a custom user-installed
certificate for authenticating cluster members.
Syntax
Parameter | Description
member-mac <mac> | MAC address of the cluster member.
ca-cert <ca> | Name of the CA certificate uploaded via the WebUI.
server-cert <cert> | Name of the server certificate uploaded via the WebUI.
suite-b | To use Suite-B encryption in the secure communication between the cluster root and cluster member, specify one of the following Suite-B algorithms:
- gcm-128: Encryption using 128-bit AES-GCM
- gcm-256: Encryption using 256-bit AES-GCM
Usage Guidelines
If your network includes multiple master controllers each with their own hierarchy of APs and local controllers, you
can allow APs from one hierarchy to failover to any other hierarchy by defining a cluster of master controllers. Each
cluster will have one master controller as its cluster root, and all other master controllers as cluster members.
To define a controller as a cluster root, issue one of the following commands on that controller:
- cluster-member-custom-cert: Define the controller as a cluster root, and select a user-installed certificate to authenticate that cluster member.
- cluster-member-factory-cert: Define the controller as a cluster root, and select a factory-installed certificate to authenticate that cluster member.
- cluster-member-ip: Define the controller as a cluster root, and set the IPsec key to authenticate that cluster member.
For information on installing certificates on your controller, refer to the Management Utilities chapter of the ArubaOS User Guide.
Example
The following example selects a custom user-installed certificate for cluster member authentication.
(host)(config) # cluster-member-custom-cert member-mac 00:1E:37:CB:D4:52 ca-cert cacert1 server-cert servercert1
Related Commands
Command | Description | Mode
control-plane-security | Configure the control plane security profile. | Config mode
show cluster-config | Show the multi-master cluster configuration for the control plane security feature. | Enable mode
show cluster-switches | Issue this command on a master controller using control plane security in a multi-master environment to show the other controllers to which it is connected. | Enable mode
Command History
Introduced in ArubaOS 6.1.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on cluster root controllers
cluster-member-factory-cert
cluster-member-factory-cert member-mac <mac>
Description
This command sets the controller as a control plane security cluster root, and specifies a factory-installed
certificate for authenticating cluster members.
Syntax
Parameter | Description
member-mac <mac> | MAC address of the factory-installed certificate on the cluster member.
Usage Guidelines
If your network includes multiple master controllers each with their own hierarchy of APs and local controllers, you
can allow APs from one hierarchy to failover to any other hierarchy by defining a cluster of master controllers. Each
cluster will have one master controller as its cluster root, and all other master controllers as cluster members.
To define a controller as a cluster root, issue one of the following commands on that controller:
- cluster-member-custom-cert: Define the controller as a cluster root, and select a user-installed certificate to authenticate that cluster member.
- cluster-member-factory-cert: Define the controller as a cluster root, and select a factory-installed certificate to authenticate that cluster member.
- cluster-member-ip: Define the controller as a cluster root, and set the IPsec key to authenticate that cluster member.
For information on installing certificates on your controller, refer to the Management Utilities chapter of the ArubaOS User Guide.
Example
The following command sets the controller on which you issue the command as a cluster root, and adds the cluster
member whose factory-installed certificate has the MAC address 00:1E:37:CB:D4:52:
(host) (config) #cluster-member-factory-cert member-mac 00:1E:37:CB:D4:52
Related Commands
Command | Description | Mode
control-plane-security | Configure the control plane security profile. | Config mode
show cluster-config | Show the multi-master cluster configuration for the control plane security feature. | Enable mode
show cluster-switches | Issue this command on a master controller using control plane security in a multi-master environment to show the other controllers to which it is connected. | Enable mode
Command History
Introduced in ArubaOS 6.1.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on cluster root controllers
cluster-member-ip
cluster-member-ip <ip-address>
ipsec <key>
Description
This command sets the controller as a control plane security cluster root, and specifies the IPsec key for a cluster
member.
Syntax
Parameter | Description
<ip-address> | Switch IP address of a control plane security cluster member. You can also use the IP address 0.0.0.0 to set a single IPsec key for all cluster members.
ipsec <key> | Configure the value of the IPsec key for secure communication between the cluster root and the specified cluster member. The key must be between 6-64 characters.
Usage Guidelines
If your network includes multiple master controllers each with their own hierarchy of APs and local controllers, you
can allow APs from one hierarchy to failover to any other hierarchy by defining a cluster of master controllers. Each
cluster will have one master controller as its cluster root, and all other master controllers as cluster members.
The master controller operating as the cluster root will use the control plane security feature to create a self-signed
certificate, then certify its own local controllers and APs. Next, the cluster root will send the certificate to each
cluster member, which in turn certifies their own local controllers and APs. Since all controllers and APs in the
cluster get their certificates from the cluster root, they will all have the same trust anchor, and the APs can switch to
any other controller in the cluster and still remain connected to the secure network.
Issue the cluster-member-ip command on the controller you want to define as the cluster root to set the IPsec key
for secure communication between the cluster root and each cluster member. Use the IP address 0.0.0.0 in this
command to set a single IPsec key for all member controllers, or repeat this command as desired to define a different
IPsec key for each cluster member.
Once the cluster root has defined an IPsec key for all cluster members, you must access each of the member
controllers and issue the command cluster-root-ip to define the IPsec key for communication to the cluster root.
Example
The following command sets the controller on which you issue the command as a cluster root, and adds the
controller 172.21.18.18 as a cluster member with the IPsec key ipseckey1:
(host) (config) #cluster-member-ip 172.21.18.18 ipsec ipseckey1
Related Commands
Command | Description | Mode
control-plane-security | Configure the control plane security profile. | Config mode
show cluster-config | Show the multi-master cluster configuration for the control plane security feature. | Enable mode
show cluster-switches | Issue this command on a master controller using control plane security in a multi-master environment to show the other controllers to which it is connected. | Enable mode
Command History
Introduced in ArubaOS 5.0.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on cluster root controllers
cluster-root-ip
cluster-root-ip <ip-address>
ipsec <key>
ipsec-custom-cert root-mac1 <mac1> [root-mac2 <mac2>] ca-cert <ca> server-cert <cert> [suite-b <gcm-128 | gcm-256>]
ipsec-factory-cert root-mac-1 <mac> [root-mac-2 <mac>]
Description
This command sets the controller as a control plane security cluster member, and defines the IPsec key or
certificate for secure communication between the cluster member and the controller’s cluster root.
Syntax
Parameter | Description
<ip-address> | The IP address of the control plane security cluster root controller. To set a single IPsec key for all member controllers in the cluster, use the IP address 0.0.0.0.
ipsec <key> | Set the value of the IPsec pre-shared key for communication with the cluster root. This parameter must have the same value as the IPsec key defined for the cluster member via the cluster-member-ip command.
ipsec-factory-cert | Use a factory-installed certificate for secure communication between the cluster root and the specified cluster member by specifying the MAC address of the certificate.
root-mac-1 <mac> | Specify the MAC address of the cluster root.
root-mac-2 <mac> | Specify the MAC address of the redundant cluster root.
ipsec-custom-cert | Use a custom user-installed certificate for secure communication between the cluster root and the specified cluster member.
root-mac-1 <mac> | Specify the MAC address of the cluster root’s certificate.
root-mac-2 <mac> | (Optional) If your network has multiple master controllers, use this parameter to specify the MAC address of the redundant cluster root’s certificate.
ca-cert <ca> | Name of the CA certificate uploaded via the WebUI.
server-cert <cert> | Name of the server certificate uploaded via the WebUI.
suite-b | To use Suite-B encryption in the secure communication between the cluster root and cluster member, specify one of the following Suite-B algorithms:
- gcm-128: Encryption using 128-bit AES-GCM
- gcm-256: Encryption using 256-bit AES-GCM
Usage Guidelines
If your network includes multiple master controllers each with their own hierarchy of APs and local controllers, you
can allow APs from one hierarchy to failover to any other hierarchy by defining a cluster of master controllers. Each
cluster will have one master controller as its cluster root, and all other master controllers as cluster members.
The master controller operating as the cluster root will use the control plane security feature to create a self-signed
certificate, then certify its own local controllers and APs. Next, the cluster root will send the certificate to each
cluster member, which in turn certifies their own local controllers and APs. Since all controllers and APs in the
cluster get their certificates from the cluster root, they will all have the same trust anchor, and the APs can switch to
any other controller in the cluster and still remain connected to the secure network.
Issue the cluster-member-ip command on the controller you want to define as the cluster root to select the certificate
or define the IPsec key for secure communication between the cluster root and each cluster member.
Once the cluster root has defined an IPsec key or certificate for all cluster members, you must access each of the
member controllers and issue the command cluster-root-ip to define the IPsec key or certificate for communication
to the cluster root.
For information on installing certificates on your controller, refer to the Management Utilities chapter of the ArubaOS User
Guide.
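The root-side cluster-member-ip entries and the member-side cluster-root-ip entries described above and under cluster-member-ip must agree before the IPsec tunnels come up. As an added example (not ArubaOS code), the following Python cross-checks the two sides from their configuration lines: key length 6-64, each member pointing at the right root, and keys that match. It assumes, since the page does not say, that a member-specific entry on the root takes precedence over the 0.0.0.0 wildcard; the sample configurations are constructed and reuse the addresses and key from the page's examples.

```python
"""Cross-check the IPsec keys that pair a control plane security cluster root
(cluster-member-ip) with its members (cluster-root-ip). Added example, not
ArubaOS code; the configuration snippets below are constructed, reusing the
addresses and key from the page's own examples."""
import re
from typing import Dict, List, Optional

MEMBER_ENTRY = re.compile(r"^cluster-member-ip\s+(\S+)\s+ipsec\s+(\S+)$")
ROOT_ENTRY = re.compile(r"^cluster-root-ip\s+(\S+)\s+ipsec\s+(\S+)$")
WILDCARD = "0.0.0.0"   # "set a single IPsec key for all cluster members"

# Constructed sample: what the root and each member carry in their configs
ROOT_IP = "172.21.45.22"
ROOT_CONFIG = [
    "cluster-member-ip 0.0.0.0 ipsec sharedkey9",       # key for any member not listed
    "cluster-member-ip 172.21.18.18 ipsec ipseckey1",   # member-specific key
]
MEMBER_CONFIGS = {
    "172.21.18.18": ["cluster-root-ip 172.21.45.22 ipsec ipseckey1"],   # matches
    "172.21.18.19": ["cluster-root-ip 172.21.45.22 ipsec sharedkey9"],  # matches wildcard
    "172.21.18.20": ["cluster-root-ip 172.21.45.23 ipsec short"],       # wrong root, bad key
}


def key_problem(key: str) -> Optional[str]:
    """The reference requires the key to be 6-64 characters."""
    if not 6 <= len(key) <= 64:
        return f"key is {len(key)} characters; ArubaOS requires 6-64"
    return None


def parse_root_keys(lines: List[str]) -> Dict[str, str]:
    """Map member IP (or the 0.0.0.0 wildcard) to the key the root configured."""
    keys = {}
    for line in lines:
        m = MEMBER_ENTRY.match(line.strip())
        if m:
            keys[m.group(1)] = m.group(2)
    return keys


def expected_key(root_keys: Dict[str, str], member_ip: str) -> Optional[str]:
    # Assumption (precedence is not stated on the page): a member-specific
    # entry wins over the 0.0.0.0 wildcard.
    return root_keys.get(member_ip, root_keys.get(WILDCARD))


def audit(root_ip: str, root_lines: List[str],
          member_lines: Dict[str, List[str]]) -> List[str]:
    """Return one finding per inconsistency; an empty list means the root and
    every member agree on the key and the members point at the right root."""
    findings = []
    root_keys = parse_root_keys(root_lines)
    for ip, key in root_keys.items():
        problem = key_problem(key)
        if problem:
            findings.append(f"root entry for {ip}: {problem}")
    for member_ip, lines in member_lines.items():
        want = expected_key(root_keys, member_ip)
        if want is None:
            findings.append(f"{member_ip}: root has no cluster-member-ip entry for it")
        entries = [m for m in (ROOT_ENTRY.match(l.strip()) for l in lines) if m]
        if not entries:
            findings.append(f"{member_ip}: no cluster-root-ip ... ipsec entry configured")
            continue
        for m in entries:
            target, key = m.groups()
            if target not in (root_ip, WILDCARD):
                findings.append(f"{member_ip}: cluster-root-ip points at {target}, not {root_ip}")
            problem = key_problem(key)
            if problem:
                findings.append(f"{member_ip}: {problem}")
            if want is not None and key != want:
                findings.append(f"{member_ip}: key differs from the key the root holds for it")
    return findings


if __name__ == "__main__":
    for finding in audit(ROOT_IP, ROOT_CONFIG, MEMBER_CONFIGS) or ["no inconsistencies"]:
        print(finding)
```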
Example
The following command defines the IPsec key for communication between the cluster member and the root
controller 172.21.45.22:
(host) (config) #cluster-root-ip 172.21.45.22 ipsec ipseckey1
Related Commands
Command | Description | Mode
control-plane-security | Configure the control plane security profile. | Config mode
show cluster-config | Show the multi-master cluster configuration for the control plane security feature. | Enable mode
show cluster-switches | Issue this command on a master controller using control plane security in a multi-master environment to show the other controllers to which it is connected. | Enable mode
Command History
Release | Modification
ArubaOS 5.0 | Command introduced.
ArubaOS 6.1 | The ipsec-factory-cert and ipsec-custom-cert parameters were introduced to allow certificate-based authentication of cluster members.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on cluster member controllers
configure terminal
configure terminal
Description
This command allows you to enter configuration commands.
Syntax
No parameters.
Usage Guidelines
Upon entering this command, the enable mode prompt changes to:
(host) (config) #
To return to enable mode, enter Ctrl-Z or exit.
Example
The following command allows you to enter configuration commands:
(host) # configure terminal
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Enable mode on master controllers
control-plane-security
control-plane-security
auto-cert-allow-all
auto-cert-allowed-addrs <ipaddress-start> <ipaddress-end>
auto-cert-prov
cpsec-enable
no ...
Description
Configure the control plane security profile by identifying APs to receive security certificates.
Syntax
Parameter | Description
auto-cert-allow-all | When you issue the control-plane-security auto-cert-allow-all command, the controller will send a certificate to all associated APs when auto certificate provisioning is enabled. When disabled, the controller sends certificates only to APs whose IP addresses are in the ranges specified by auto-cert-allowed-addrs.
auto-cert-allowed-addrs <ipaddress-start> <ipaddress-end> | Use this command to define a specific range of AP IP addresses. The controller will send certificates to the APs in this IP range when auto certificate provisioning is enabled. Identify a range by entering the starting IP address and the ending IP address in the range, separated by a single space. You can repeat this command as many times as necessary to define multiple IP ranges.
auto-cert-prov | Issue this command to enable automatic certificate provisioning. When this feature is enabled, the controller will attempt to send certificates to associated APs. To disable this feature, use the command no auto-cert-prov. Automatic certificate provisioning is disabled by default.
cpsec-enable | Issue this command to enable control plane security. To disable this feature, use the command no cpsec-enable. Control plane security is enabled by default.
Usage Guidelines
Controllers enabled with control plane security will only send certificates to APs that you have identified as valid APs
on the network. If you are confident that all campus APs currently on your network are valid APs, you can configure
automatic certificate provisioning to send certificates from the controller to each campus AP, or to all campus APs
within a specific range of IP addresses. If you want closer control over each AP that gets certified, you can manually
add individual campus APs to the secure network by adding each AP's information to a campus AP whitelist.
Example
The following command defines a range of IP addresses that should receive certificates from the controller, and
enables the control plane security feature:
(host)(config) # control-plane-security
auto-cert-allowed-addrs 10.21.18.10 10.21.10.90
cpsec-enable
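Before turning on auto-cert-prov it is worth previewing which APs the profile would actually certify. As an added example (not ArubaOS code), the following Python applies the profile sub-commands above, including their no forms and the defaults the syntax table states, to a list of AP addresses, and flags an address range whose start lies above its end (as in the example just shown; how the controller treats such a range is not stated, so the checker only reports it). The profile lines and AP addresses are constructed apart from the range copied from the page's example.

```python
"""Preview which APs a control-plane-security profile would provision with a
certificate once automatic certificate provisioning is on. Added example, not
ArubaOS code; the profile lines and AP addresses below are constructed, apart
from the address range copied from the page's own example."""
import ipaddress
from typing import Dict, List

# Constructed profile: two address ranges, provisioning and CPsec enabled
PROFILE_LINES = [
    "control-plane-security",
    "auto-cert-allowed-addrs 10.21.18.10 10.21.18.90",
    "auto-cert-allowed-addrs 10.21.20.1 10.21.20.50",
    "auto-cert-prov",
    "cpsec-enable",
]
# The page's own example, which never turns auto-cert-prov on
PAGE_EXAMPLE_LINES = [
    "control-plane-security",
    "auto-cert-allowed-addrs 10.21.18.10 10.21.10.90",
    "cpsec-enable",
]
AP_ADDRESSES = ["10.21.18.10", "10.21.18.91", "10.21.20.25", "10.21.30.5"]  # constructed


def parse_profile(lines: List[str]) -> Dict:
    """Apply the profile's sub-commands, honouring 'no ...' negation. Defaults
    follow the reference: CPsec on, auto-cert-prov off, allow-all off."""
    profile = {"cpsec_enable": True, "auto_cert_prov": False,
               "allow_all": False, "ranges": []}
    for raw in lines:
        tokens = raw.split()
        if not tokens or tokens[0] == "control-plane-security":
            continue
        negated = tokens[0] == "no"
        if negated:
            tokens = tokens[1:]
        command = tokens[0]
        if command == "cpsec-enable":
            profile["cpsec_enable"] = not negated
        elif command == "auto-cert-prov":
            profile["auto_cert_prov"] = not negated
        elif command == "auto-cert-allow-all":
            profile["allow_all"] = not negated
        elif command == "auto-cert-allowed-addrs":
            bounds = tuple(ipaddress.IPv4Address(t) for t in tokens[1:3])
            if negated:
                profile["ranges"] = [r for r in profile["ranges"] if r != bounds]
            else:
                profile["ranges"].append(bounds)
        else:
            raise ValueError(f"unknown control-plane-security sub-command {command!r}")
    return profile


def range_warnings(profile: Dict) -> List[str]:
    """Flag ranges whose start lies above the end (the page's own example has
    one). How the controller treats such a range is not stated, so the checker
    reports it rather than guessing."""
    return [f"range {s}-{e}: start is above end" for s, e in profile["ranges"] if s > e]


def aps_to_certify(profile: Dict, ap_ips: List[str]) -> List[str]:
    """APs the controller would send certificates to under this profile."""
    if not (profile["cpsec_enable"] and profile["auto_cert_prov"]):
        return []
    if profile["allow_all"]:
        return list(ap_ips)
    selected = []
    for ip in ap_ips:
        address = ipaddress.IPv4Address(ip)
        if any(start <= address <= end for start, end in profile["ranges"]):
            selected.append(ip)
    return selected


if __name__ == "__main__":
    profile = parse_profile(PROFILE_LINES)
    print("would certify:", aps_to_certify(profile, AP_ADDRESSES))
    print("warnings in page example:", range_warnings(parse_profile(PAGE_EXAMPLE_LINES)))
```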
Related Commands
Command | Description | Mode
show control-plane-security | Show the current configuration of the control plane security profile. | Config mode
Command History
This command was introduced in ArubaOS 5.0.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master or local controllers
controller-ip
controller-ip [loopback|vlan <VLAN ID>]
no ...
Description
This command sets the controller IP to the loopback interface address or a specific VLAN interface address.
Syntax
Parameter | Description | Default
loopback | Sets the controller IP to the loopback interface. | disabled
vlan | Set the controller IP to a VLAN interface. | —
<VLAN ID> | Specifies the VLAN interface ID. | —
Usage Guidelines
This command allows you to set the controller IP to the loopback interface address or a specific VLAN interface
address. If the controller IP command is not configured then the controller IP defaults to the loopback interface
address. If the loopback interface address is not configured then the first configured VLAN interface address is
selected. Generally, VLAN 1 is the factory default setting and thus becomes the controller IP address.
Example
The following command sets the controller IP address to VLAN interface 6.
(host) (config) #controller-ip vlan 6
Related Commands
(host) (config) #show controller-ip
Command History
This command was introduced in ArubaOS 3.4.
Command Information
Platform | License | Command Mode
Available on all platforms | Base operating system | Config mode on master controllers
controller-ipv6
controller-ipv6 [loopback|vlan <VLAN ID>]
no ...
Description
This command sets the default IPv6 address of the controller to the IPv6 loopback interface address or a specific
VLAN interface address.
Syntax
Parameter | Description | Default
loopback | Sets the controller IP to the loopback interface. | disabled
vlan | Set the controller IP to a VLAN interface. | —
<VLAN ID> | Specifies the VLAN interface ID. | —
Usage Guidelines
This command allows you to set the default IPv6 address of the controller to the IPv6 loopback interface address or
a specific IPv6 VLAN interface address. If the controller IPv6 command is not configured then the controller IP
defaults to the loopback interface address. If the loopback interface address is not configured then the first
configured VLAN interface address is selected. Generally, VLAN 1 is the factory default setting and thus becomes
the controller IP address.
Example
The following command sets the controller IP address to VLAN interface 6.
(host) (config) #controller-ipv6 vlan 6
Related Commands
(host) (config) #show controller-ipv6
Command History
This command was introduced in ArubaOS 6.1.
Command Information
Platform | License | Command Mode
Available on all platforms | Base operating system | Config mode on master controllers
copy
copy
flash: <srcfilename> {flash: <destfilename> | scp: <scphost> <username> <destfilename> | tftp: <tftphost> <destfilename> | usb: partition {0|1} <destfilename>} |
ftp: <ftphost> <user> <filename> system: partition {0|1} |
running-config {flash: <filename> | ftp: <ftphost> <user> <password> <filename> [<remote-dir>] | startup-config | tftp: <tftphost> <filename>} |
scp: <scphost> <username> <filename> {flash: <destfilename> | system: partition [0|1]} |
startup-config {flash: <filename> | tftp: <tftphost> <filename>} |
system: partition {<srcpartition> 0|1} [<destpartition> 0|1] |
tftp: <tftphost> <filename> {flash: <destfilename> | system: partition [0|1]} |
usb: partition <partition-number> <filename> flash: <destfilename>
Description
This command copies files to and from the controller.
Syntax
Parameter | Description
flash: | Copy the contents of the controller’s flash file system, the system image, to a specified destination.
  srcfilename | Full name of the flash file to be copied.
  flash: | Copy the file to the flash file system.
  destfilename | Specify the new name of the copied file.
  tftp: | Copy the file to a TFTP server.
  tftphost | Specify the IP address or hostname of the TFTP server.
  usb: | Copy the file to an attached USB storage device.
  partition | Specify the partition on the USB device.
ftp: | Copy a file from the FTP server.
  ftphost | Specify the IP address or hostname of the FTP server.
  user | User account name required to access the FTP server.
  filename | Full name of the file to be copied.
  system: partition 0 or 1 | Specify the system partition to save the file.
running-config | Copy the active, running configuration to a specified destination.
  flash: | Copy the configuration to the flash file system.
  filename | Specify the new name of the copied configuration file.
  ftp: | Using FTP, copy the configuration to an FTP server.
  ftphost | Specify the IP address of the FTP server.
  user | User account name required to access the FTP server.
  password | Password required to access the FTP server.
  remote-dir | Specify a remote directory, if needed.
  startup-config | Copy the active, running configuration to the start-up configuration.
  tftp: | Using TFTP, copy the configuration to a TFTP server.
  tftphost | Specify the IP address or hostname of the TFTP server.
scp: | Copy an ArubaOS image file or file from the flash file system using the Secure Copy protocol. The SCP server or remote host must support SSH version 2 protocol.
  scphost | Specify the IP address of the SCP server or remote host.
  username | User account name required to access the SCP server or remote host.
  filename | Specify the absolute path of the filename to be copied.
  flash: | Copy the file to the flash file system.
  destfilename | Specify the new name of the copied file.
  system: | Copy the file to the system partition.
startup-config | Copy the startup configuration to a specified flash file or to a TFTP server.
  flash: | Copy the file to the flash file system.
  filename | Specify the new name of the copied startup configuration file.
  tftp: | Using TFTP, copy the startup configuration to a TFTP server.
  tftphost | Specify the IP address or hostname of the TFTP server.
system: | Copy the specified system partition.
  srcpartition | Disk partition from which to copy the system data, as either 0 or 1.
  destpartition | Disk partition to copy the system data to, as either 0 or 1.
tftp: | Copy a file from the specified TFTP server to either the controller or another destination. This command is typically used when performing a system restoration, or to pull a specified file name into the wms database.
  tftphost | Specify the IP address or hostname of the TFTP server.
  filename | Full name of the file to be copied.
  flash: | Copy the file to the flash file system.
  destfilename | Specify the new name of the copied file.
  system: | Copy the file to the system partition.
usb: | Copy a file from an attached USB device to the flash file system.
  partition | Specify the partition on the USB device.
  filename | Full name of the file to be copied.
  flash: | Copy the file to the flash file system.
  destfilename | Specify the new name of the copied file.
Usage Guidelines
Use this command to save back-up copies of the configuration file to an FTP or TFTP server, or to load a saved file
from an FTP or TFTP server.
Three partitions reside on the file system flash. Totalling 256MB, the three partitions provide space to hold the
system image files (in partitions 1 and 2 which are 45MB each) and user files (in partition 3, which is 165MB).
System software runs on the system partitions; the database, DHCP, startup configuration, and logs are positioned
on the user partition.
To restore a database, copy the database from the network server and import the database.
To restore a configuration file, copy the file from network server to the controller’s flash system then copy the file
from the flash system to the system configuration. This ensures that you do not accidentally overwrite your system
startup configuration file.
Unlike the controller's flash, the USB device has more than two partitions; not just 0 and 1. When copying a file from
a USB device, you must know which partition the target file is on. Use the show storage command to identify the
location of the file to identify the correct USB partition.
Example
The following commands copy the configuration file named engineering from the TFTP server to the controller’s flash
file system and then use that file as the startup configuration. This example assumes the startup configuration file
is named default.cfg:
(host) (config) #copy tftp: 192.0.2.0 engineering flash: default.bak
copy flash: default.bak flash: default.cfg
Command History
Release | Modification
ArubaOS 1.0 | Command introduced.
ArubaOS 6.2 | The USB parameters were introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Enable and Config modes on master controllers
cp-bandwidth-contract
cp-bandwidth-contract <name> {mbits <1..2000>}|{kbits <256..2000000>}
Description
This command configures a bandwidth contract traffic rate which can then be associated with a whitelist session
ACL.
Syntax
Parameter | Description
<name> | Name of a bandwidth contract.
mbits <1..2000> | Set a bandwidth rate in Mbits/second.
kbits <256..2000000> | Set a bandwidth rate in Kbits/second.
Example
The following example configures a bandwidth contract named “cp-rate” with a rate of 10,000Kbps.
(host)(config) #cp-bandwidth-contract cp-rate kbits 10000
Related Commands
Command | Description | Mode
show cp-bwcontracts | Display a list of Control Processor (CP) bandwidth contracts for whitelist ACLs. | Enable or Config modes
firewall cp | This command creates a new whitelist ACL and can associate a bandwidth contract with that ACL. | Enable or Config modes
Command History
This command was introduced in ArubaOS 3.4.
Command Information
Platforms | Licensing | Command Mode
All platforms | This command requires the PEFNG license. | Config mode on master controllers
crypto-local ipsec sa-cleanup
crypto-local ipsec sa-cleanup
Description
Issue this command to clean IPsec security associations (SAs).
Syntax
No parameters
Usage Guidelines
Use this command to remove old IPsec security associations if remote APs on your network still use an old SA after
upgrading to a newer version of ArubaOS.
Command History
This command was introduced in ArubaOS 6.1.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
crypto dynamic-map
crypto dynamic-map <name> <priority>
disable
no ...
set pfs {group1|group2|group14|group19|group20}
set security-association lifetime kilobytes <kilobytes>
set security-association lifetime seconds <seconds>
set transform-set <name1> [<name2>] [<name3>] [<name4>]
version v1|v2
Description
This command configures a new or existing dynamic map.
Syntax
Parameter | Description | Range | Default
<name> | Name of the map. | — | —
<priority> | Priority of the map. | 1-10000 | 10000
no | Negates a configured parameter. | — | —
disable | Disables the dynamic map. | — | —
enable [bypass / secret] | Enables the dynamic map using the bypass or secret. Bypass prompts for the enable mode login and password. Secret prompts for the enable password. | — | —
set pfs | Enables Perfect Forward Secrecy (PFS) mode. Use one of the following: group1: 768-bit Diffie-Hellman prime modulus group; group2: 1024-bit Diffie-Hellman; group14: 2048-bit Diffie-Hellman; group19: 256-bit random Diffie-Hellman ECP modulus group; group20: 384-bit random Diffie-Hellman ECP modulus group. | — | group1
set security-association lifetime | Configures the lifetime for the security association (SA) in seconds or kilobytes. | — | —
  seconds <seconds> | Lifetime for the SA in seconds. | 300-86400 | 7200
  kilobytes <kilobytes> | Lifetime for the SA in kilobytes. | 1000-1000000000 | —
set transform-set | Name of the transform set for this dynamic map. You can specify up to four transform sets. You configure transform sets with the crypto ipsec transform-set command. | — | default-transform
version | Specify the version of the IKE protocol the controller uses to set up a security association (SA) in the IPsec protocol suite: v1: IKEv1; v2: IKEv2. | — | v1
Usage Guidelines
Dynamic maps enable IPsec SA negotiations from dynamically addressed IPsec peers. Once you have defined a
dynamic map, you can optionally associate that map with the default global map using the command crypto map
global-map.
Example
The following command configures a dynamic map:
(host) (config)# crypto dynamic-map dmap1 100
set pfs group2
set security-association lifetime seconds 300
Command History
Release | Modification
ArubaOS 3.0 | Command introduced.
ArubaOS 6.1 | The version parameter was introduced. The pfs parameter was modified to support the group19 and group20 PFS group values.
ArubaOS 6.3 | The set security-association lifetime kilobytes and Diffie-Hellman set pfs group14 parameters were added.
ArubaOS 6.4 | The disable/enable parameters were introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | The group19 and group20 PFS options require the Advanced Cryptography (ACR) license. All other parameters are available in the base operating system. | Config mode on master controllers
crypto ipsec
crypto ipsec
mtu <max-mtu>
transform-set <transform-set-name> {esp-3des|esp-aes128|esp-aes128-gcm|esp-aes192|esp-aes256|esp-aes256-gcm|esp-des} {esp-md5-hmac|esp-null-hmac|esp-sha-hmac}
Description
This command configures IPsec parameters.
Syntax
Parameter | Description
mtu <max-mtu> | Configure the IPsec Maximum Transmission Unit (MTU) size. The supported range is 1024 to 1500 and the default is 1500.
transform-set <transform-set-name> | Create or modify a transform set.
esp-3des | Use ESP with 168-bit 3DES encryption.
esp-aes128 | Use ESP with 128-bit AES encryption.
esp-aes128-gcm | Use ESP with 128-bit AES-GCM encryption.
esp-aes192 | Use ESP with 192-bit AES encryption.
esp-aes256 | Use ESP with 256-bit AES encryption.
esp-aes256-gcm | Use ESP with 256-bit AES-GCM encryption.
esp-des | Use ESP with 56-bit DES encryption.
esp-md5-hmac | Use ESP with the MD5 (HMAC variant) authentication algorithm.
esp-null-hmac | Use ESP with no authentication. This option is not recommended.
esp-sha-hmac | Use ESP with the SHA (HMAC variant) authentication algorithm.
Usage Guidelines
Define the Maximum Transmission Unit (MTU) size allowed for network transmissions using IPsec security, and
create or edit transform sets that define a specific encryption and authentication type.
Example
The following command configures 3DES encryption and MD5 authentication for a transform set named set2:
(host) (config)# crypto ipsec transform-set set2 esp-3des esp-md5-hmac
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 6.1: The esp-aes128-gcm and esp-aes256-gcm transform-set parameters were introduced.
Command Information
Platforms: All platforms
Licensing: The esp-aes128-gcm and esp-aes256-gcm transform-set parameters require the Advanced Cryptography (ACR) license. All other parameters are available in the base OS.
Command Mode: Config mode on master controllers
crypto isakmp
crypto isakmp
address <peer-address> netmask <mask>
disable
eap-passthrough eap-mschapv2|eap-peap|eap-tls
enable
groupname <name>
key <keystring> address <peer-address> netmask <mask>
udpencap-behind-natdevice enable|disable
packet-dump
Description
This command configures Internet Key Exchange (IKE) parameters for the Internet Security Association and Key
Management Protocol (ISAKMP).
Syntax
Parameter
Description
address
Configure the IP address for the group key.
<peer-address>
IP address for the group key, in dotted-decimal format.
netmask
Configure the IP netmask for the group key.
<mask>
Subnet mask for the group key.
disable
Disable IKE processing.
eap-passthrough
Select one of the following authentication types for IKEv2 user authentication
using EAP.
• eap-mschapv2
• eap-peap
• eap-tls
enable
Enable IKE processing.
groupname
Configure the IKE Aggressive group name. Aggressive-mode IKE is a 3-packet IKE exchange that does not provide identity protection, but is faster, because fewer messages are exchanged.
<name>
Name of the IKE aggressive group.
key
Configure the IKE preshared key.
<keystring>
Configure the value of the IKE pre-shared key. The key must be between 6 and 64 characters long.
address
Configure the IP address for the group key.
<peer-address>
An IP address for the group key, in dotted-decimal format.
netmask
Configure the netmask for the group key IP address.
<mask>
A subnet mask, in dotted-decimal format.
udpencap-behind-natdevice
Configure NAT-T if the controller is behind a NAT device. (For Windows VPN Dialer only)
enable
Enable NAT-T. This is the recommended setting if the controller is behind a NAT device.
disable
Disable NAT-T.
packet-dump
Issue this command in enable mode to troubleshoot an IPsec tunnel
establishment by looking at the packet exchanges between the controller and
the remote AP or the other IPsec peer. The packet dump output is saved to a
file named ike.pcap.
NOTE: This is a testing feature only, and should not be enabled on a
production network. To disable this feature, use the command no crypto
isakmp packet-dump.
Usage Guidelines
Use this command to configure the IKE pre-shared key, set the EAP authentication method for IKEv2 clients using
EAP user authentication, and enable source NAT if the IP addresses of clients need to be translated to access the
network.
Example
The following command configures an ISAKMP peer IP address and subnet mask. After configuring an ISAKMP
address and netmask, you will be prompted to enter the IKE preshared key.
(host)(config) #crypto isakmp address 10.3.14.21 netmask 255.255.255.0
Key:*******
Re-Type Key:*******
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 6.1: The eap-passthrough parameter was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
crypto isakmp block-aruba-ca
crypto-local isakmp block-aruba-ca
enable
disable
Description
This command configures the controller to accept or reject Aruba certified clients.
Syntax
Parameter
Description
enable
Accept Aruba certified client certificates.
disable
Reject Aruba certified client certificates and use custom certificates instead.
Example
The following command enables this setting:
crypto-local isakmp block-aruba-ca enable
Command History
This command was introduced in ArubaOS 6.3.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
crypto isakmp policy
crypto isakmp policy <priority>
authentication pre-share|rsa-sig|ecdsa-256|ecdsa-384
disable|enable [bypass|secret]
encryption 3DES|AES128|AES192|AES256|DES
group 1|2|14|19|20
hash md5|sha|sha1-96|sha2-256-128|sha2-384-192
prf PRF-HMAC-MD5|PRF-HMAC-SHA1|PRF-HMAC-SHA256|PRF-HMAC-SHA384
lifetime <seconds>
no disable
version v1|v2
Description
This command configures Internet Key Exchange (IKE) policy parameters for the Internet Security Association and
Key Management Protocol (ISAKMP).
Syntax
Parameter
Description
policy
Configure an IKE policy.
<priority>
Specify a number from 1 to 10,000 to define a priority level for the policy. The higher the number, the higher the priority level.
authentication
Configure the IKE authentication method.
pre-share
Use Pre Shared Keys for IKE authentication. This is the default authentication
type.
rsa-sig
Use RSA Signatures for IKE authentication.
ecdsa-256
Use ECDSA-256 signatures for IKE authentication.
ecdsa-384
Use ECDSA-384 signatures for IKE authentication.
disable
Disables the IKE policy.
enable [bypass|secret]
Enables the IKE policy using the bypass or secret. Bypass prompts for the enable mode login and password. Secret prompts for the enable password.
encryption
Configure the IKE encryption algorithm.
3DES
Use 168-bit 3DES-CBC encryption algorithm. This is the default encryption value.
AES128
Use 128-bit AES-CBC encryption algorithm.
AES192
Use 192-bit AES-CBC encryption algorithm.
AES256
Use 256-bit AES-CBC encryption algorithm.
DES
Use 56-bit DES-CBC encryption algorithm.
group
Configure the IKE Diffie Hellman group.
1
Use the 768-bit Diffie Hellman prime modulus group. This is the default group
setting.
2
Use the 1024-bit Diffie Hellman prime modulus group.
14
Use the 2048-bit Diffie Hellman DDH prime modulus group.
19
Use the 256-bit random Diffie Hellman ECP modulus group.
20
Use the 384-bit random Diffie Hellman ECP modulus group.
hash
md5
Use MD5 as the hash algorithm.
sha
Use SHA-1 as the hash algorithm. This is the default policy algorithm.
sha1-96
Use SHA1-96 as the hash algorithm.
sha2-256-128
Use SHA2-256-128 as the hash algorithm.
sha2-384-192
Use SHA2-384-192 as the hash algorithm.
prf
Set one of the following pseudo-random function (PRF) values for an IKEv2
policy:
• PRF-HMAC-MD5 (default)
• PRF-HMAC-SHA1
• PRF-HMAC-SHA256
• PRF-HMAC-SHA384
lifetime <seconds>
Specify the lifetime of the IKE security association (SA), from 300 - 86400
seconds.
no
Disables the policy.
version
Specify the version of the IKE protocol for the IKE policy:
• v1: IKEv1
• v2: IKEv2
Usage Guidelines
To define settings for an ISAKMP policy, issue the command crypto isakmp policy <priority>, then press Enter. The
CLI will enter config-isakmp mode, which allows you to configure the policy values.
Example
The following commands create ISAKMP policy 1 and configure it to use RSA signatures for IKE authentication:
(host)(config) #crypto isakmp policy 1
(host)(config-isakmp) #auth rsa-sig
Key:*******
Re-Type Key:*******
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 6.1: The following parameters were introduced:
• authentication ecdsa-256
• authentication ecdsa-384
• hash sha1-96
• hash sha2-256-128
• hash sha2-384-192
• prf
ArubaOS 6.3: The Diffie-Hellman group 14 parameter was introduced.
ArubaOS 6.4: The disable/enable and no parameters were introduced.
Command Information
Platforms: All platforms
Licensing: The following settings require the Advanced Cryptography (ACR) license:
• hash algorithm: SHA-256-128, SHA-384-192
• Diffie-Hellman (DH) Groups: 19 and 20
• Pseudo-Random Function (PRF): PRF-HMAC-SHA256, PRF-HMAC-SHA384
• Authentication: ecdsa-256 and ecdsa-384
All other parameters are supported in the base OS.
Command Mode: Config mode on master controllers
crypto-local ipsec-map
crypto-local ipsec-map <map> <priority>
dst-net <ipaddr> <mask>
force-natt
no ...
local-fqdn <local_id_fqdn>
peer-cert-dn <peer-dn>
peer-fqdn any-fqdn|{peer-fqdn <peer-id-fqdn>}
peer-ip <ipaddr>
pre-connect {disable|enable}
set ca-certificate <cacert-name>
set ike1-policy <policy-v1-number>
set ikev2-policy <policy-v2-number>
set pfs {group1|group2|group14|group19|group20}
set security-association lifetime kilobytes <kilobytes>
set security-association lifetime seconds <seconds>
set server-certificate <cert-name>
set transform-set <name1> [<name2>] [<name3>] [<name4>]
src-net <ipaddr> <mask>
trusted {disable|enable}
version v1|v2
vlan <vlan>
Description
This command configures IPsec mapping for site-to-site VPN.
Syntax
Parameter
Description
Range
Default
<map>
Name of the IPsec map.
—
—
<priority>
Priority of the entry.
1-9998
—
dst-net
IP address and netmask for the destination
network.
—
—
force-natt
Include this parameter to always enforce
UDP 4500 for IKE and IPsec. This option is
disabled by default.
—
—
no
Negates a configured parameter.
—
—
local-fqdn <local_id_fqdn>
If the local controller has a dynamic IP address, you must specify the fully qualified domain name (FQDN) of the controller to configure it as an initiator of IKE aggressive mode.
—
—
peer-cert-dn <peer-dn>
If you are using IKEv2 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering its certificate subject name in the Peer Certificate Subject Name field.
—
—
peer-ip <ipaddr>
If you are using IKEv1 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering the IP address of the peer gateway.
NOTE: If you are configuring an IPsec map
for a static-ip controller with a dynamically
addressed remote peer, you must leave the
peer gateway set to its default value of
0.0.0.0.
—
—
peer-fqdn
For site-to-site VPNs with dynamically addressed peers, specify a fully qualified domain name (FQDN) for the controller.
any-fqdn or fqdn-id
any-fqdn
any-fqdn
If the controller is defined as a dynamically addressed responder, you can select any-fqdn to make the controller a responder for all VPN peers.
—
—
fqdn-id <peer-id-fqdn>
Specify the FQDN of a peer to make the
controller a responder for one specific
initiator only.
—
—
pre-connect
Enables or disables pre-connection.
enable/disable
disabled
set ike1-policy
<policy-v1-number>
Select an IKEv1 policy for the ipsec-map.
Predefined policies are described in the
table below.
—
—
set ikev2-policy
<policy-v2-number>
Select an IKEv2 policy for the ipsec-map. Predefined policies are described in the table below.
—
—
set ca-certificate
<cacert-name>
User-defined name of a trusted CA
certificate installed in the controller. Use the
show crypto-local pki TrustedCA command
to display the CA certificates that have been
imported into the controller.
—
—
set pfs
If you enable Perfect Forward Secrecy (PFS)
mode, new session keys are not derived
from previously used session keys.
Therefore, if a key is compromised, that
compromised key will not affect any
previous session keys. To enable this
feature, specify one of the following Perfect
Forward Secrecy modes:
• group1: 768-bit Diffie Hellman prime modulus group.
• group2: 1024-bit Diffie Hellman prime modulus group.
• group14: 2048-bit Diffie Hellman prime modulus group.
• group19: 256-bit random Diffie Hellman ECP modulus group. (For IKEv2 only)
• group20: 384-bit random Diffie Hellman ECP modulus group. (For IKEv2 only)
group1, group2, group14, group19, group20
disabled
set security-association lifetime
Configures the lifetime for the security association (SA).
seconds <seconds>
In seconds.
300-86400
7200 seconds
kilobytes <kilobytes>
In kilobytes.
1000-1000000000
—
set server-certificate
<cert-name>
User-defined name of a server certificate
installed in the controller. Use the show
crypto-local pki ServerCert command to
display the server certificates that have been
imported into the controller.
—
—
set transform-set
<name1>
Name of the transform set for this IPsec map.
One transform set name is required, but you
can specify up to four transform sets.
Configure transform sets with the crypto
ipsec transform-set command.
—
defaulttransform
src-net <ipaddr>
<mask>
IP address and netmask for the source
network.
—
—
trusted
Enables or disables a trusted tunnel.
enable/disable
disabled
version v1|v2
Select the IKE version for the IPsec map.
• v1: IKEv1
• v2: IKEv2
v1
vlan <vlan>
VLAN ID. Enter 0 for the loopback.
1-4094
—
Usage Guidelines
You can use controllers instead of VPN concentrators to connect sites at different physical locations.
You can configure separate CA and server certificates for each site-to-site VPN. You can also configure the same
CA and server certificates for site-to-site VPN and client VPN. Use the show crypto-local ipsec-map command to
display the certificates associated with all configured site-to-site VPN maps; use the tag <map> option to display
certificates associated with a specific site-to-site VPN map.
ArubaOS supports site-to-site VPNs with two statically addressed controllers, or with one static and one
dynamically addressed controller. By default, site-to-site VPN uses IKE Main-mode with Pre-Shared-Keys to
authenticate the IKE SA. This method uses the IP address of the peer, and therefore will not work for dynamically
addressed peers.
To support site-to-site VPN with dynamically addressed devices, you must enable IKE Aggressive-Mode with
authentication based on a pre-shared key. A controller with a dynamic IP address must be configured as the
initiator of IKE Aggressive-mode for site-to-site VPN, while the controller with a static IP address must be configured
as the responder of IKE Aggressive-mode.
Understanding Default IKE policies
ArubaOS includes the following default IKE policies. These policies are predefined and cannot be edited.
Table 6: Default IKE Policy Settings
Each entry lists the policy name and policy number, followed by the IKE version, encryption algorithm, hash algorithm, authentication method, PRF method and Diffie-Hellman group.
Default protection suite (policy 10001): IKEv1; encryption 3DES-168; hash SHA 160; authentication Pre-Shared Key; PRF N/A; DH group 2 (1024 bit)
Default RAP Certificate protection suite (policy 10002): IKEv1; encryption AES-256; hash SHA 160; authentication RSA Signature; PRF N/A; DH group 2 (1024 bit)
Default RAP PSK protection suite (policy 10003): encryption AES-256; hash SHA 160; authentication Pre-Shared Key; PRF N/A; DH group 2 (1024 bit)
Default RAP IKEv2 RSA protection suite (policy 1004): IKEv2; encryption AES-256; hash SHA 160; authentication RSA Signature; PRF hmac-sha1; DH group 2 (1024 bit)
Default Cluster PSK protection suite (policy 10005): IKEv1; encryption AES-256; hash SHA 160; authentication Pre-Shared Key; PRF Pre-Shared Key; DH group 2 (1024 bit)
Default IKEv2 RSA protection suite (policy 1006): IKEv2; encryption AES-128; hash SHA 96; authentication RSA Signature; PRF hmac-sha1; DH group 2 (1024 bit)
Default IKEv2 PSK protection suite (policy 10007): IKEv2; encryption AES-128; hash SHA 96; authentication Pre-Shared Key; PRF hmac-sha1; DH group 2 (1024 bit)
Default Suite-B 128-bit ECDSA protection suite (policy 10008): IKEv2; encryption AES-128; hash SHA 256-128; authentication ECDSA-256 Signature; PRF hmac-sha2-256; DH group Random ECP Group (256 bit)
Default Suite-B 256-bit ECDSA protection suite (policy 10009): IKEv2; encryption AES-256; hash SHA 384-192; authentication ECDSA-384 Signature; PRF hmac-sha2-384; DH group Random ECP Group (384 bit)
Default Suite-B 128-bit IKEv1 ECDSA protection suite (policy 10010): IKEv1; encryption AES-GCM-128; hash SHA 256-128; authentication ECDSA-256 Signature; PRF hmac-sha2-256; DH group Random ECP Group (256 bit)
Default Suite-B 256-bit IKEv1 ECDSA protection suite (policy 10011): IKEv1; encryption AES-GCM-256; hash SHA 256-128; authentication ECDSA-256 Signature; PRF hmac-sha2-256; DH group Random ECP Group (256 bit)
When using a default IKE (V1 or V2) policy for an IPsec map, the priority number should be the same as the policy
number.
Examples
The following commands configure a site-to-site VPN between two controllers:
(host) (config) #crypto-local ipsec-map sf-chi-vpn 100
src-net 101.1.1.0 255.255.255.0
dst-net 100.1.1.0 255.255.255.0
peer-ip 172.16.0.254
vlan 1
trusted
(host) (config) #crypto-local ipsec-map chi-sf-vpn 100
src-net 100.1.1.0 255.255.255.0
dst-net 101.1.1.0 255.255.255.0
peer-ip 172.16.100.254
vlan 1
trusted
For a dynamically addressed controller that initiates IKE Aggressive-mode for site-to-site VPN:
(host) (config) #crypto-local ipsec-map <name> <priority>
src-net <ipaddr> <mask>
dst-net <ipaddr> <mask>
peer-ip <ipaddr>
local-fqdn <local_id_fqdn>
vlan <id>
pre-connect enable|disable
trusted enable
For the pre-shared key:
crypto-local isakmp key <key> address <ipaddr> netmask <mask>
For a static IP controller that responds to IKE Aggressive-mode for site-to-site VPN:
(host) (config) #crypto-local ipsec-map <name2> <priority>
src-net <ipaddr> <mask>
dst-net <ipaddr> <mask>
peer-ip 0.0.0.0
peer-fqdn fqdn-id <peer_id_fqdn>
vlan <id>
trusted enable
For the pre-shared key:
crypto-local isakmp key <key> fqdn <fqdn-id>
For a static IP controller that responds to IKE Aggressive-mode for site-to-site VPN with one PSK for all FQDNs:
(host) (config) #crypto-local ipsec-map <name2> <priority>
src-net <ipaddr> <mask>
peer-ip 0.0.0.0
peer-fqdn any-fqdn
vlan <id>
trusted enable
For the pre-shared key for all FQDNs:
crypto-local isakmp key <key> fqdn-any
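The constraints stated in the crypto ipsec transform-set, crypto isakmp policy and crypto-local ipsec-map sections (legacy algorithms, the implicit group 1 default, ACR-licensed settings, peer-ip 0.0.0.0 requiring peer-fqdn, and group19/group20 PFS being IKEv2-only) can be checked mechanically against a saved configuration. The following Python audit script is an added example, not ArubaOS code or a project tool; it runs over a constructed running-config excerpt and assumes the indented sub-command layout shown in the examples above.

```python
"""Audit ArubaOS-style crypto configuration for weak or inconsistent IPsec/IKE
settings. Added example for this reference page, not ArubaOS code; it only knows the
forms documented for crypto ipsec transform-set, crypto isakmp policy and crypto-local ipsec-map."""

# Constructed running-config excerpt; indented lines belong to the command above them.
SAMPLE_CONFIG = """\
crypto ipsec transform-set set2 esp-3des esp-md5-hmac
crypto isakmp policy 10
  encryption DES
  hash md5
  group 1
crypto isakmp policy 20
  encryption AES256
  hash sha2-256-128
  group 19
  version v2
crypto isakmp policy 30
  encryption AES128
crypto-local ipsec-map sf-chi-vpn 100
  src-net 101.1.1.0 255.255.255.0
  peer-ip 172.16.0.254
  set transform-set set2
crypto-local ipsec-map dyn-peer 200
  dst-net 10.2.2.0 255.255.255.0
  peer-ip 0.0.0.0
  set pfs group20
"""

# ESP options the reference describes as 56-bit DES, no authentication, or MD5.
LEGACY_ESP = {"esp-des", "esp-null-hmac", "esp-md5-hmac"}
# IKE policy settings that are weak: 56-bit DES, MD5 and the 768-bit DH group 1.
WEAK_IKE = {("encryption", "des"), ("hash", "md5"), ("group", "1")}
# Settings the reference lists as requiring the Advanced Cryptography (ACR) license.
ACR_IKE = {("hash", "sha2-256-128"), ("hash", "sha2-384-192"),
           ("group", "19"), ("group", "20"),
           ("authentication", "ecdsa-256"), ("authentication", "ecdsa-384")}
# Defaults the reference states for an IKE policy when the line is absent.
IKE_DEFAULTS = {"encryption": "3des", "hash": "sha", "group": "1", "version": "v1"}


def parse_blocks(config):
    """Split config text into (head_words, [sub_words, ...]) blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.split())
        else:
            blocks.append((raw.split(), []))
    return blocks


def audit(config):
    """Return a list of (severity, message) findings for the config text."""
    findings = []
    transform_sets = {}  # name -> set of lower-cased ESP options
    for head, body in parse_blocks(config):
        if head[:3] == ["crypto", "ipsec", "transform-set"]:
            name, algs = head[3], {a.lower() for a in head[4:]}
            transform_sets[name] = algs
            for alg in sorted(algs & LEGACY_ESP):
                findings.append(("WARN", f"transform-set {name}: {alg} is legacy/not recommended"))
        elif head[:3] == ["crypto", "isakmp", "policy"]:
            prio = head[3]
            explicit = {w[0].lower(): w[1].lower() for w in body if len(w) >= 2}
            settings = {**IKE_DEFAULTS, **explicit}  # absent lines take the documented default
            for key, val in settings.items():
                note = "" if key in explicit else " (implicit default)"
                if (key, val) in WEAK_IKE:
                    findings.append(("WARN", f"isakmp policy {prio}: {key} {val} is weak{note}"))
                if (key, val) in ACR_IKE:
                    findings.append(("INFO", f"isakmp policy {prio}: {key} {val} requires the ACR license"))
        elif head[:2] == ["crypto-local", "ipsec-map"]:
            name, sub = head[2], {}  # sub: "peer-ip" -> [args], "set pfs" -> [args], ...
            for w in body:
                key = " ".join(w[:2]) if w[0] == "set" else w[0]
                sub[key] = w[len(key.split()):]
            first = lambda key, default: (sub.get(key) or [default])[0].lower()
            # peer-ip 0.0.0.0 is the documented value for a dynamic peer, which then needs peer-fqdn.
            if first("peer-ip", "0.0.0.0") == "0.0.0.0" and "peer-fqdn" not in sub:
                findings.append(("ERROR", f"ipsec-map {name}: dynamic peer (peer-ip 0.0.0.0) but no peer-fqdn"))
            version, pfs = first("version", "v1"), first("set pfs", "")
            if pfs in ("group19", "group20"):  # ECP groups: ACR-licensed and IKEv2 only
                findings.append(("INFO", f"ipsec-map {name}: pfs {pfs} requires the ACR license"))
                if version != "v2":
                    findings.append(("ERROR", f"ipsec-map {name}: pfs {pfs} is IKEv2-only but the map uses IKE {version}"))
            for ts in sub.get("set transform-set", []):
                if ts not in transform_sets:
                    findings.append(("ERROR", f"ipsec-map {name}: transform-set {ts} is not defined"))
                elif transform_sets[ts] & LEGACY_ESP:
                    findings.append(("WARN", f"ipsec-map {name}: transform-set {ts} uses legacy algorithms"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity:5} {message}")
```

Feed it the output of show running-config (or a saved copy) to get a list of ERROR, WARN and INFO lines per transform set, IKE policy and IPsec map.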
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 6.1: The peer-cert-dn and peer-fqdn parameters were introduced. The set pfs command introduced the group19 and group20 parameters.
ArubaOS 6.3: The set security-association lifetime kilobytes and Diffie-Hellman set pfs group 14 parameters were added.
Command Information
Platforms: All platforms
Licensing: The group19 and group20 PFS options require the Advanced Cryptography (ACR) license. All other parameters are available in the base operating system.
Command Mode: Config mode on master controllers
crypto-local isakmp ca-certificate
crypto-local isakmp ca-certificate <cacert-name>
Description
This command assigns the Certificate Authority (CA) certificate used to authenticate VPN clients.
Syntax
Parameter
Description
ca-certificate
User-defined name of a trusted CA certificate installed in the controller. Use
the show crypto-local pki TrustedCA command to display the CA certificates
that have been imported into the controller.
Usage Guidelines
You can assign multiple CA certificates. Use the show crypto-local isakmp ca-certificate command to view the
CA certificates associated with VPN clients.
Example
This command configures a CA certificate:
crypto-local isakmp ca-certificate TrustedCA1
Command History
This command was introduced in ArubaOS 3.2.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
crypto-local isakmp certificate-group
crypto-local isakmp certificate-group server-certificate <server_certificate> ca-certificate <ca_cert-name>
Description
The command configures an IKE Certificate Group for VPN Clients.
Syntax
Parameter
Description
Range
Default
server-certificate <server-certificate>
The IKE server certificate name for VPN clients.
1-64 characters
—
ca-certificate <ca-cert-name>
The IKE CA certificate for this server certificate.
1-64 characters
—
Usage Guidelines
This feature allows you to create a certificate group so you can access multiple types of certificates on the same
controller.
Example
This command configures a certificate group that consists of the server certificate named newtest and the CA
certificate named TrustedCA:
crypto-local isakmp certificate-group server-certificate newtest ca-certificate TrustedCA
Command History
This command was introduced in ArubaOS 6.1.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
crypto-local isakmp disable-aggressive-mode
crypto-local isakmp disable-aggressive-mode
Description
The command disables the IKEv1 aggressive mode.
Syntax
No parameters.
Usage Guidelines
The master-local communication by default uses IPsec aggressive mode when a PSK is used for authentication
between controllers. You need to convert master-local communication to certificate-based IPsec authentication
before disabling aggressive mode.
Disabling Aggressive Mode will impact other sessions which use aggressive mode such as Master-local IKE
session with PSK.
Example
crypto-local isakmp disable-aggressive-mode
Command History
This command was introduced in ArubaOS 6.3.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
crypto-local isakmp dpd
crypto-local isakmp dpd idle-timeout <seconds> retry-timeout <seconds> retry-attempts <number>
Description
This command configures IKE Dead Peer Detection (DPD) on the local controller.
Syntax
Parameter
Description
Range
Default
idle-timeout
Idle timeout, in seconds.
10-3600
22 seconds
retry-timeout
Retry interval, in seconds.
2-60
2 seconds
retry-attempts
Number of retry attempts.
3-10
3
Usage Guidelines
DPD is enabled by default on the controller for site-to-site VPN.
Example
This command configures DPD parameters:
crypto-local isakmp dpd idle-timeout 60 retry-timeout 3 retry-attempts 5
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master and local controllers
crypto-local isakmp key
crypto-local isakmp key <key> {address <peer-ipaddr> netmask <mask>}|{fqdn <ike-id-fqdn>}|fqdn-any
Description
This command configures the IKE preshared key on the local controller for site-to-site VPN.
Syntax
Parameter
Description
key <key>
IKE preshared key value, between 6-64 characters.
To configure a pre-shared key that contains non-alphanumeric characters,
surround the key with quotation marks. For example: crypto-local isakmp key
"key with spaces" fqdn-any.
address <peer-ipaddr>
IP address for the preshared key.
netmask <mask>
Netmask for the preshared key.
fqdn <ike-id-fqdn>
Configure the PSK for the specified FQDN.
fqdn-any
Configure the PSK for any FQDN.
Usage Guidelines
This command configures the IKE preshared key.
Example
The following command configures an IKE preshared key for site-to-site VPN:
crypto-local isakmp key R8nD0mK3y address 172.16.100.1 netmask 255.255.255.255
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 3.4: The fqdn and fqdn-any parameters were introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master and local controllers
crypto-local isakmp permit-invalid-cert
crypto-local isakmp permit-invalid-cert
Description
This command allows invalid or expired certificates to be used for site-to-site VPN.
Syntax
No parameters.
Usage Guidelines
This command allows invalid or expired certificates to be used for site-to-site VPN.
Command History
This command was introduced in ArubaOS 3.2.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master and local controllers
crypto-local isakmp sa-cleanup
crypto-local isakmp sa-cleanup
Description
This command enables the cleanup of IKE SAs.
Syntax
No parameters.
Usage Guidelines
This command removes expired ISAKMP SAs from the controller.
Command History
This command was introduced in ArubaOS 6.1.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master and local controllers
crypto-local isakmp server-certificate
crypto-local isakmp server-certificate <cert-name>
Description
This command assigns the server certificate used to authenticate the controller for VPN clients using IKEv1 or
IKEv2.
Syntax
Parameter
Description
server-certificate
User-defined name of a server certificate installed in the controller. Use the
show crypto-local pki ServerCert command to display the server certificates
that have been imported into the controller.
Usage Guidelines
This certificate is only for VPN clients and not for site-to-site VPN. You can assign separate server certificates
for use with VPN clients using IKEv1 and clients using IKEv2. Use the show crypto-local isakmp server-certificate command to view the server certificate associated with VPN clients. You must import and configure
server certificates separately on master and local controllers.
There is a default server certificate installed in the controller; however, this certificate does not guarantee security for
production networks. Best practice is to replace the default certificate with a custom certificate issued for your site or
domain by a trusted CA. You can use the WebUI to generate a Certificate Signing Request (CSR) to submit to a CA and
then import the signed certificate received from the CA into the controller. For more information, see "Managing
Certificates" in the ArubaOS User Guide.
Example
This command configures a server certificate:
crypto-local isakmp server-certificate MyServerCert
Command History
This command was introduced in ArubaOS 3.2.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master and local controllers
crypto-local isakmp xauth
crypto-local isakmp xauth
Description
This command enables IKE XAuth for VPN clients.
Syntax
No parameters.
Usage Guidelines
The no crypto-local isakmp xauth command disables IKE XAuth for VPN clients. This command only applies to
VPN clients that use certificates for IKE authentication. If you disable XAuth, then a VPN client that uses
certificates will not be authenticated using username/password. You must disable XAuth for Cisco VPN clients
using CAC Smart Cards.
Example
This command disables IKE XAuth for Cisco VPN clients using CAC Smart Cards:
no crypto-local isakmp xauth
Command History
This command was introduced in ArubaOS 3.2.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master and local controllers
crypto-local pki
crypto-local pki
CRL <name> <filename>
IntermediateCA <name> <filename>
OCSPResponderCert <certname> <filename>
OCSPSignerCert <certname> <filename>
PublicCert <name> <filename>
ServerCert <name> <filename>
TrustedCA <name> <filename>
global-ocsp-signer-cert
rcp <name>
Description
Issue this command to configure a local certificate, an OCSP signer or responder certificate, and a Certificate Revocation
List (CRL). You can also list revocation checkpoints and enable the responder service.
Syntax
Parameter
Description
CRL
Specifies a Certificate Revocation List. Validation of the CRL is done when it is
imported through the WebUI (this requires the CA to be already present).
CRLs can only be imported through the WebUI.
<name>
Name of the CRL.
<filename>
Original imported filename of the CRL.
IntermediateCA
Configures an intermediate CA certificate
<name>
Name of the intermediate CA certificate.
<filename>
Original imported filename of the intermediate CA certificate.
OCSPResponderCert
Configures an OCSP responder certificate.
<certname>
Name of responder certificate.
<filename>
Original imported filename of the responder certificate.
OCSPSignerCert
Configures an OCSP signer certificate.
<certname>
Name of the signer certificate.
<filename>
Original imported filename of the signer certificate.
PublicCert
Public key of a certificate. This allows an application to identify an exact
certificate.
<name>
Name of the public certificate.
<filename>
Original imported filename of the public certificate.
ServerCert
Server certificate. This certificate must contain both a public and a private key
(the public and private keys must match). You can import a server certificate in
either PKCS12 or x509 PEM format; the certificate is stored in x509 PEM DES
encrypted format on the controller.
<name>
Name of the server certificate.
<filename>
Original imported filename of the server certificate.
TrustedCA
Trusted CA certificate. This can be either a root CA or an intermediate CA. Aruba
encourages (but does not require) an intermediate CA's signing CA to be the
controller itself.
<name>
Name of the trusted CA certificate.
<filename>
Original imported filename of the trusted CA certificate.
global-ocsp-signer-cert
Specifies the global OCSP signer certificate to use when signing OCSP
responses if there is no check point specific OCSP signer certificate present. If
the ocsp-signer-cert is not specified, OCSP responses are signed using the
global OCSP signer certificate. If this is not present, then an error message is
sent out to clients.
NOTE: The OCSP signer certificate (if configured) takes precedence over the
global OCSP signer certificate as this is check point specific.
rcp <name>
Specifies the revocation check point. A revocation checkpoint is automatically
created when a TrustedCA or IntermediateCA certificate is imported on the
controller.
service-ocsp-responder
This is a global knob that turns the OCSP responder on or off. The default is off
(disabled). To enable this option a CRL must be configured for this revocation
checkpoint as this is the source of revocation information in the OCSP
responses.
Usage Guidelines
This command lets you configure the controller to perform real-time certificate revocation checks using the Online
Certificate Status Protocol (OCSP) or traditional certificate validation using the Certificate Revocation List (CRL)
client. Refer to the Certificate Revocation chapter in the ArubaOS 6.4 User Guide for more information on how to
configure this feature using both the WebUI and CLI.
Example
This example configures the controller as an OCSP responder.
The revocation check point is specified as CAroot. (The revocation check point CAroot was automatically created
when the CAroot certificate was previously uploaded to this controller.) The OCSP signer certificate is RootCA-Ocsp_signer. The CRL file is Security1-WIN-05PRGNGEKAO-CA-unrevoked.crl. The OCSP responder is enabled.
crypto-local pki service-ocsp-responder
crypto-local pki rcp CARoot
ocsp-signer-cert RootCA-Ocsp_signer
crl-location file Security1-WIN-05PRGNGEKAO-CA-unrevoked.crl
enable-ocsp-responder
Related Commands
crypto-local pki rcp: Specifies the certificates that are used to sign OCSP responses for this revocation check point. (Config mode)
show crypto-local pki: Shows the local certificate, OCSP signer or responder certificate and CRL data and statistics. (Config mode)
Command History
ArubaOS 3.2: Command introduced.
ArubaOS 6.1: The following parameters were introduced:
• CRL
• IntermediateCA
• OCSPResponderCert
• OCSPSignerCert
• global-ocsp-signer-cert
• rcp
• service-ocsp-responder
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master or local controllers
crypto-local pki rcp
crypto-local pki rcp <name> [crl-location <file>]|[enable-ocsp-responder]|[ocsp-responder-cert <ocsp-responder-cert>]|[ocsp-signer-cert <ocsp-signer-cert>]|[ocsp-url <ocsp-url>]|[revocation-check [None|<method1>|<method2>]]
Description
Use this command to specify the certificates used to sign OCSP responses for the revocation check point.
Syntax
Parameter    Description
rcp <name>
    Specifies the revocation check point. A revocation checkpoint is automatically created when a TrustedCA or IntermediateCA certificate is imported on the controller.
crl-location <file>
    Location of the CRL that is used for the rcp. The specified CRL filename must be previously imported onto the controller before using this option.
enable-ocsp-responder
    Enables the OCSP Responder for this revocation checkpoint. The default is disabled.
ocsp-responder-cert <ocsp-responder-cert>
    Specifies the certificate that is used to verify OCSP responses. The certificate name has to be one of the certificates shown as output when the CLI command show crypto-local pki ocsprespondercert is used.
ocsp-signer-cert <ocsp-signer-cert>
    Specifies the certificate that is used to sign OCSP responses for this revocation check point. The OCSP signer certificate must be previously imported on to the controller (using the WebUI). The OCSP signer cert can be the same trusted CA as the check point, a designated OCSP signer certificate issued by the same CA as the check point, or some other local trusted authority. If the ocsp-signer-cert is not specified, OCSP responses are signed using the global OCSP signer certificate. If that is not present, then an error message is sent out to clients.
    NOTE: The OCSP signer certificate (if configured) takes precedence over the global OCSP signer certificate, as this is check point specific.
ocsp-url <ocsp-url>
    Configures the OCSP Server URL. The URL has to be in the form http://my.responder.com/path. This parameter can contain only one responder URL at a time.
revocation-check None|<method1> [<method2>]
    Configures the revocation check methods used for this rcp. Options include:
    - None (default): No revocation checks are performed for certificates being verified against this trusted CA.
    - CRL: CRL is used for the revocation check method.
    - OCSP: OCSP is used for the revocation check method.
    You can configure one fallback method.
Usage Guidelines
This command lets you configure the check methods that are used for this revocation check point. You can configure the controller to perform real-time certificate revocation checks using the Online Certificate Status Protocol (OCSP) or traditional certificate validation using the Certificate Revocation List (CRL) client. Refer to the Certificate Revocation chapter in the ArubaOS 6.4 User Guide for more information on how to configure this feature using both the WebUI and CLI.
Example
This example configures an OCSP client with OCSP as the revocation check method and CRL configured as the backup method.
The OCSP responder certificate is configured as RootCA-Ocsp_responder. The corresponding OCSP responder service is available at http://10.4.46.202/ocsp.
crypto-local pki rcp CARoot
ocsp-responder-cert RootCA-Ocsp_responder
ocsp-url http://10.4.46.202/ocsp
crl-location file Security1-WIN-05PRGNGEKAO-CA-unrevoked.crl
revocation-check ocsp crl
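The following is an added example, not code from ArubaOS or this guide. It models the revocation check point semantics described above in Python: an ordered list of check methods with at most one fallback, the 'None' default, and the precedence of a check-point-specific OCSP signer certificate over the global one. The class names, the lookup callables and the rule that the fallback is consulted only when the primary method is unavailable are assumptions made for illustration; the names and URL in demo() are the ones from the example on this page.

```python
# Added example (not ArubaOS code): a model of the revocation check point
# (rcp) semantics described for 'crypto-local pki rcp'. Everything here is
# an assumption used for illustration; it does not talk to a controller.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Possible outcomes of a single revocation lookup (constructed vocabulary).
GOOD, REVOKED, UNAVAILABLE = "good", "revoked", "unavailable"


@dataclass
class RevocationCheckPoint:
    """One rcp, as configured with 'crypto-local pki rcp <name> ...'."""
    name: str
    # Ordered methods: [] means 'None' (default); ["ocsp", "crl"] means OCSP
    # with CRL as the single permitted fallback.
    revocation_check: List[str] = field(default_factory=list)
    ocsp_signer_cert: Optional[str] = None      # check-point-specific signer
    ocsp_responder_cert: Optional[str] = None
    ocsp_url: Optional[str] = None
    crl_location: Optional[str] = None


def parse_revocation_check(args: List[str]) -> List[str]:
    """Validate a 'revocation-check' argument list: 'None', or one primary
    method plus at most one fallback, each one of 'crl' or 'ocsp'."""
    methods = [a.lower() for a in args]
    if not methods or methods == ["none"]:
        return []
    if len(methods) > 2:
        raise ValueError("only one fallback method may be configured")
    if len(set(methods)) != len(methods):
        raise ValueError("primary and fallback methods must differ")
    for m in methods:
        if m not in ("crl", "ocsp"):
            raise ValueError(f"unknown revocation check method: {m}")
    return methods


def select_ocsp_signer(rcp: RevocationCheckPoint,
                       global_signer: Optional[str]) -> str:
    """The check-point-specific signer certificate takes precedence over the
    global one; with neither present the responder cannot sign."""
    if rcp.ocsp_signer_cert:
        return rcp.ocsp_signer_cert
    if global_signer:
        return global_signer
    raise LookupError(f"rcp {rcp.name}: no OCSP signer certificate configured")


def check_revocation(rcp: RevocationCheckPoint,
                     lookups: Dict[str, Callable[[str], str]],
                     serial: str) -> Tuple[str, Optional[str]]:
    """Run the configured methods in order; return (status, method_used).

    Assumption: the fallback is consulted only when the primary method is
    unavailable (responder unreachable, CRL missing); a definitive GOOD or
    REVOKED answer from the primary method ends the check.
    """
    if not rcp.revocation_check:
        return "not-checked", None           # 'None': no check performed
    for method in rcp.revocation_check:
        status = lookups[method](serial)
        if status in (GOOD, REVOKED):
            return status, method
    return UNAVAILABLE, None                 # every configured method failed


# Constructed lookups standing in for a real OCSP responder and CRL file.
_CRL_REVOKED = {"1001"}

def _ocsp_lookup_down(serial: str) -> str:
    return UNAVAILABLE                        # responder unreachable

def _ocsp_lookup_up(serial: str) -> str:
    return REVOKED if serial == "1002" else GOOD

def _crl_lookup(serial: str) -> str:
    return REVOKED if serial in _CRL_REVOKED else GOOD


def demo() -> Tuple[Tuple[str, Optional[str]], Tuple[str, Optional[str]]]:
    """Mirror the page's example: OCSP primary, CRL as the backup method."""
    rcp = RevocationCheckPoint(
        name="CARoot",
        revocation_check=parse_revocation_check(["ocsp", "crl"]),
        ocsp_responder_cert="RootCA-Ocsp_responder",
        ocsp_url="http://10.4.46.202/ocsp",
        crl_location="Security1-WIN-05PRGNGEKAO-CA-unrevoked.crl",
    )
    with_responder = check_revocation(
        rcp, {"ocsp": _ocsp_lookup_up, "crl": _crl_lookup}, "1001")
    without_responder = check_revocation(
        rcp, {"ocsp": _ocsp_lookup_down, "crl": _crl_lookup}, "1001")
    return with_responder, without_responder


if __name__ == "__main__":
    print(demo())   # (('good', 'ocsp'), ('revoked', 'crl'))
```

The two results returned by demo() show why the backup method matters operationally: while the responder answers, its verdict is used and the CRL is never read; when the responder is unreachable, the same certificate is judged from the (possibly older) CRL, so a stale CRL file on the controller changes the outcome of the check.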
Related Commands
Command                 Description                                                    Mode
crypto-local pki        This command configures a local certificate, OCSP signer       Config mode
                        or responder certificate and Certificate Revocation List
                        (CRL). You can also list revocation checkpoints and enable
                        the responder service.
show crypto-local pki   This command shows local certificate, OCSP signer or           Config mode
                        responder certificate and CRL data and statistics.
Command History
Version        Modification
ArubaOS 3.2    Command introduced.
ArubaOS 6.1    The following parameters were introduced:
               - CRL
               - Intermediate CA
               - OCSPResponderCert
               - OCSPSignerCert
               - global-ocsp-signer-cert
               - rcp
               - service-ocsp-responder
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master or local controllers
crypto map global-map
crypto map global-map <map-number> ipsec-isakmp {dynamic <dynamic-map-name>}|{ipsec <ipsec-map-name>}
Description
This command configures the default global map.
Syntax
Parameter    Description
<map-number>
    Map number.
dynamic
    Use a dynamic map.
<dynamic-map-name>
    Name of the dynamic map.
ipsec
    Use an IPsec map.
<ipsec-map-name>
    Name of an IPsec map.
Usage Guidelines
This command identifies the dynamic or ipsec map used as the default global map. If you have not yet defined a
dynamic or ipsec map, issue the command crypto map global-map or crypto-local ipsec-map to define map
parameters.
Example
The following command configures the global map with the dynamic map named dynamic_map_2.
(host)(config) #crypto map global-map 2 ipsec-isakmp dynamic dynamic_map_2
Command History
This command was introduced in ArubaOS 3.0
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
crypto
crypto pki
csr {rsa key_len <key_val>}|{ec curve-name <key_val>} common_name <common_val> country <country_val> state_or_province <state> city <city_val> organization <organization_val> unit <unit_val> email <email_val>
expirycheck
Description
Generate a certificate signing request (CSR) for the captive portal feature.
Syntax
Parameter    Description
rsa key_len <key_val>
    Generate a certificate signing request with a Rivest, Shamir and Adleman (RSA) key with one of the following supported RSA key lengths:
    - 1024
    - 2048
    - 4096
ec curve-name <key_val>
    Generate a certificate signing request with an elliptic-curve (EC) key, with one of the following EC types:
    - secp256r1
    - secp384r1
common_name <common_val>
    Specify a common name, e.g., www.yourcompany.com.
country <country_val>
    Specify a country name, e.g., US or CA.
state_or_province <state>
    Specify the name of a state or province.
city <city_val>
    Specify the name of a city.
organization <organization_val>
    Specify the name of an organization unit, e.g., sales.
unit <unit_val>
    Specify a unit value, e.g. EMEA.
email <email_val>
    Specify an email address, in the format name@mycompany.com.
expirycheck
    Run an expiry check on all certificates on the controller.
Usage Guidelines
Use this command in enable mode to generate a CSR for the Captive Portal feature or to check whether any controller certificates are expiring.
Display the CSR output by entering the command show crypto pki csr. Note that this command only generates a CSR on a controller running ArubaOS 3.x or later. Earlier versions require that you generate the certificate externally.
Example
The following command configures a CSR for a user with the email address jdoe@example.com.
(host) #crypto pki csr rsa key_len 1024 common_name www.example.com country US state_or_province ca city Sunnyvale organization engineering unit pubs email jdoe@example.com
Command History
Release        Modification
ArubaOS 3.1    Command introduced.
ArubaOS 6.1    The ec curve-name parameter was introduced to support certificate signing requests using an elliptic-curve (EC) key.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
crypto pki-import
crypto pki-import {der|pem|pfx|pkcs12|pkcs7}
{CRL|IntermediateCA|OCSPResponderCert|OCSPSignerCert|PublicCert|ServerCert|TrustedCA} <name>
Description
Import certificates for the captive portal feature.
Syntax
Parameter    Description
der
    Import the following certificates in DER format.
    CRL <name>
        Import a CRL.
    IntermediateCA <name>
        Import an intermediate CA certificate.
    OCSPResponderCert <name>
        Import an OCSP Responder certificate.
    OCSPSignerCert <name>
        Import an OCSP Signer certificate.
    PublicCert <name>
        Import a public certificate.
    ServerCert <name>
        Import a server certificate.
    TrustedCA <name>
        Import a trusted CA certificate.
pem
    Import a certificate in x509 PEM format. See certificate types under the der parameter.
pfx
    Import a certificate in PFX format. See certificate types under the der parameter.
pkcs12
    Import a certificate in PKCS12 format. See certificate types under the der parameter.
pkcs7
    Import a certificate in PKCS7 format. See certificate types under the der parameter.
Usage Guidelines
Use this command in enable mode to install certificates for the Captive Portal feature.
Example
The following command installs a server certificate in DER format.
(host) #crypto pki-import der ServerCert cert_20
Command History
Release        Modification
ArubaOS 3.0    Command introduced.
ArubaOS 6.1    The CRL, IntermediateCA, OCSPResponderCert, OCSPSignerCert parameters were added.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
database synchronize
database synchronize period <minutes>|captive-portal-custom
Description
This command manually synchronizes the database between a pair of redundant master controllers.
Syntax
Parameter    Description
captive-portal-custom
    Includes custom captive portal files.
period <minutes>
    Configures the interval for automatic database synchronization. Interval in minutes. Range is 1 to 25200 minutes.
Usage Guidelines
This command takes effect immediately. If a peer is not configured, the controller displays an error message.
Use the database synchronize period command in config mode to configure the interval for automatic database
synchronization. Use the database synchronize rf-plan-data command to include RF plan data when
synchronizing in standby mode.
Example
The following command causes the database on the active master controller to synchronize with the standby in 25 minute intervals. The synchronization includes RF plan data.
(host) (config) #database synchronize period 25
Command History
Version        Description
ArubaOS 3.0    Command introduced.
ArubaOS 6.3    The captive-portal-custom parameter was introduced. The parameter rf-plan-data is deprecated.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config modes on master controllers
delete
delete {filename <filename>|ssh-host-addr <ipaddr>|ssh-known-hosts}
Description
This command deletes a file or RSA signature entry from flash.
Syntax
Parameter    Description
filename <filename>
    Name of the file to be deleted.
ssh-host-addr <ipaddr>
    Deletes the entry stored in flash for the RSA host signature created when you run the copy scp command.
ssh-known-hosts
    Deletes all entries stored in flash for the RSA host signatures created when you run the copy scp command.
Usage Guidelines
To prevent running out of flash file space, you should delete files that you no longer need.
The copy scp command creates RSA signatures whenever it connects to a new host. These host signatures are
stored in the flash file system.
Example
The following command deletes a file:
(host) #delete filename december-config-backup.cfg
The following command deletes an RSA signature entry from flash:
(host) #delete ssh-host-addr 10.100.102.101
The following command deletes all RSA signature entries from flash:
(host) #delete ssh-known-hosts
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
destination
destination <STRING> <A.B.C.D> [invert]
Description
This command configures the destination name and address.
Syntax
Parameter    Description    Range
STRING
    Destination name. Range: Alphanumeric
A.B.C.D
    Destination IP address or subnet.
invert
    Specifies all destinations except this one.
Usage Guidelines
You can configure the name and IP address of the destination. You can optionally configure the subnet, or invert the
selection.
Example
The following example configures a destination called “Home” with an IP address of 10.10.10.10.
(host) (config) #destination Home 10.10.10.10
Command History
Release        Modification
ArubaOS 1.0    Command introduced
ArubaOS 3.0    Replaced with netdestination command.
Command Information
Availability: Can be used only on the master controller.
License: Requires the PEF NG license
Command Mode: Config mode on master controllers
dialer group
dialer group <name>
dial-string <string>
init-string <string>
no ...
Description
Configure a dialer group with dialing parameters for a USB modem.
Syntax
Parameter    Description
dial-string <string>
    The dial string specifies the number to dial.
init-string <string>
    The init string can contain carrier-specific dialing options for the USB modem. You can often find these settings in online forums or from your ISP.
Usage Guidelines
Use this command to configure dial settings for a USB modem connected to a 600 Series controller.
Example
(host) (config) #dialer group gsm_us
init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
Command History
Introduced in ArubaOS 3.4.
Command Information
Platforms: 600 Series controllers
Licensing: Base operating system
Command Mode: Config mode on master and local controllers
dir
dir
Description
This command displays a list of files stored in the flash file system.
Syntax
No parameters.
Usage Guidelines
Use this command to view the system files associated with the controller.
Output from this command includes the following:
- The first column contains ten place holders that display the file permissions.
  - First place holder: Displays - for a file or d for directory.
  - Next three place holders: Display file owner permissions: r for read access, w for write access permissions, x for executable.
  - Following three place holders: Display member permissions: r for read access or x for executable.
  - Last three place holders: Display non-member permissions: r for read access or x for executable.
- The second column displays the number of links the file has to other files or directories.
- The third column displays the file owner.
- The fourth column displays group/member information.
- The remaining columns display the file size, date and time the file was either created or last modified, and the file name.
Example
The following command displays the files currently residing on the system flash:
(host) #dir
The following is sample output from this command:
-rw-r--r--  1 root root  9338 Nov 20 10:33 class_ap.csv
-rw-r--r--  1 root root  1457 Nov 20 10:33 class_sta.csv
-rw-r--r--  1 root root 16182 Nov 14 09:39 config-backup.cfg
-rw-r--r--  1 root root 14174 Nov  9  2005 default-backup-11-8-05.cfg
-rw-r--r--  1 root root 16283 Nov  9 12:25 default.cfg
-rw-r--r--  1 root root 22927 Oct 25 12:21 default.cfg.2006-10-25_20-21-38
-rw-r--r--  2 root root 19869 Nov  9 12:20 default.cfg.2006-11-09_12-20-22
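The following is an added example, not code from ArubaOS or this guide. It parses dir output into the columns the Usage Guidelines describe (mode field, link count, owner, group, size, date and name) and decodes the ten-character permission field, which is what you would inspect when checking that configuration backups kept in flash are not writable by anyone other than the owner. The listing embedded as SAMPLE_DIR_OUTPUT is the sample output from this page; the class and function names are assumptions.

```python
# Added example (not ArubaOS code): decode the columns of 'dir' output as
# described in the Usage Guidelines. The listing below is the sample from
# this page, embedded here as constructed input.
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_DIR_OUTPUT = """\
-rw-r--r-- 1 root root  9338 Nov 20 10:33 class_ap.csv
-rw-r--r-- 1 root root  1457 Nov 20 10:33 class_sta.csv
-rw-r--r-- 1 root root 16182 Nov 14 09:39 config-backup.cfg
-rw-r--r-- 1 root root 14174 Nov  9  2005 default-backup-11-8-05.cfg
-rw-r--r-- 1 root root 16283 Nov  9 12:25 default.cfg
-rw-r--r-- 1 root root 22927 Oct 25 12:21 default.cfg.2006-10-25_20-21-38
-rw-r--r-- 2 root root 19869 Nov  9 12:20 default.cfg.2006-11-09_12-20-22
"""


@dataclass
class DirEntry:
    is_directory: bool
    owner_perms: str      # owner triple, e.g. "rw-"
    group_perms: str      # member (group) triple
    other_perms: str      # non-member triple
    links: int
    owner: str
    group: str
    size: int
    modified: str         # "Nov 20 10:33" or "Nov 9 2005", as printed
    name: str


def parse_mode(mode: str) -> Dict[str, object]:
    """Split the ten-character mode field: type flag plus three rwx triples."""
    if len(mode) != 10 or mode[0] not in "-d":
        raise ValueError(f"bad mode field: {mode!r}")
    triples = (mode[1:4], mode[4:7], mode[7:10])
    for triple in triples:
        for ch, allowed in zip(triple, ("r-", "w-", "x-")):
            if ch not in allowed:
                raise ValueError(f"bad permission character in {mode!r}")
    return {"is_directory": mode[0] == "d", "owner": triples[0],
            "group": triples[1], "other": triples[2]}


def parse_dir_output(text: str) -> List[DirEntry]:
    """Parse every non-empty line of 'dir' output into a DirEntry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 8)     # the file name is the last field
        if len(fields) != 9:
            raise ValueError(f"unexpected dir line: {line!r}")
        mode, links, owner, group, size, month, day, when, name = fields
        perms = parse_mode(mode)
        entries.append(DirEntry(
            is_directory=bool(perms["is_directory"]),
            owner_perms=str(perms["owner"]), group_perms=str(perms["group"]),
            other_perms=str(perms["other"]), links=int(links), owner=owner,
            group=group, size=int(size), modified=f"{month} {day} {when}",
            name=name))
    return entries


def writable_by_non_owner(entries: List[DirEntry]) -> List[str]:
    """Names of files that members or non-members could modify."""
    return [e.name for e in entries
            if "w" in e.group_perms or "w" in e.other_perms]


def total_size(entries: List[DirEntry]) -> int:
    """Bytes used by the listed files (the flash-space guideline for delete)."""
    return sum(e.size for e in entries)


if __name__ == "__main__":
    listing = parse_dir_output(SAMPLE_DIR_OUTPUT)
    for e in listing:
        print(f"{e.name:36} {e.size:>6} owner={e.owner_perms} "
              f"group={e.group_perms} other={e.other_perms}")
    print("writable by non-owner:", writable_by_non_owner(listing))
```

Note that the date column carries a year instead of a time for older files (the default-backup-11-8-05.cfg line), so the parser keeps the field as the printed string rather than forcing a single date format.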
Command History
Introduced in ArubaOS 1.0
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Enable and Config modes on local or master controllers
dot1x
high-watermark <1-32000>
stm-throttling percent <throttling%>
no ...
Description
Use this command under the guidance of Aruba support to configure the maximum and minimum thresholds of the
table that contains 802.1X sessions being processed.
Syntax
Parameter    Description
high-watermark <1-32000>
    The maximum entries in the Active table. When the number of entries in the Active Table reaches the High WaterMark value, new requests are queued on the Pending Table.
stm-throttling percent <throttling%>
    Use this command to enable STM throttling when the total entries in the Pending Table are greater than (stm-throttling percent) * (high watermark).
Use this command only under the supervision of Aruba support.
Command History
Introduced in ArubaOS 6.3.1.0
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master or local controllers
dpi
dpi
custom-app <name> <http/s uri host> <http/s uri path>
global-bandwidth-contract {app <name> [downstream|upstream] [kbits|mbits <value>]}|{appcategory <name> [downstream|upstream] [kbits|mbits <value>]}
Description
This command configures Deep-Packet Inspection and the global bandwidth contract for an application or application category for the AppRF feature.
Syntax
Parameter    Description
custom-app
    The application or application category.
<name>
    Name of the application or application category.
<http/s uri host>
    HTTP or HTTPS URI host of the application or application category.
<http/s uri path>
    HTTP or HTTPS URI path of the application or application category.
global-bandwidth-contract
    Configures the global bandwidth contract for an application or application category.
app <name>
    Name of the application.
appcategory <name>
    Name of the application category.
downstream
    Bandwidth contract to downstream traffic.
upstream
    Bandwidth contract to upstream traffic.
kbits <value>
    Specify bandwidth in kbits per second. Range: 256-2000000.
mbits <value>
    Specify bandwidth in mbits per second. Range: 1-2000.
Usage Guidelines
You can configure bandwidth contracts to limit application and application categories on an application or global
level.
Example
To configure global bandwidth contracts:
(host)(config) #dpi global-bandwidth-contract [app|appcategory] <name> [downstream|upstream] [kbits|mbits] <256..2000000>
To show global bandwidth contract configuration output:
(host) #show dpi global-bandwidth-contract all
(host) #show dpi global-bandwidth-contract app name
(host) #show dpi global-bandwidth-contract appcategory name
Command History
Introduced in ArubaOS 6.4
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Config mode on local or master controllers
dynamic-ip
dynamic-ip restart
Description
This command restarts the PPPoE or DHCP process.
Syntax
No parameters.
Usage Guidelines
This command can be used to renegotiate DHCP or PPPoE parameters. This can cause new addresses to be
assigned on a VLAN where the DHCP or PPPoE client is configured.
Command History
This command was introduced in ArubaOS 3.0
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Enable mode on master controllers
eject usb
eject usb:
Description
Use this command to eject a USB device from your controller.
Usage Guidelines
Use this command to safely remove an external USB device.
Example
(host) #eject usb:
Command History
Command introduced in ArubaOS 6.2
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: User mode on master or local controllers, in enable mode.
enable
enable
Description
This user mode command switches the controller into enable mode. The enable mode allows you to access
privileged commands.
Usage Guidelines
To enter enable mode, you are prompted for the password configured during the controller’s initial setup. Passwords
display as asterisks (*) when you enter them.
To change the password, use the config mode enable secret command. If you lose or forget the enable mode
password, resetting the default admin user password also resets the enable mode password to “enable”. See the
ArubaOS User Guide for more information about resetting the admin and enable mode passwords.
When you are in enable mode, the CLI prompt ends with the hash (#) character.
Example
The following example allows you to enter enable mode on the controller.
(host) >enable
Password: ******
(host) #
Command History
Command introduced in ArubaOS 1.0.
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: User mode on master or local controllers
enable bypass
enable bypass
no enable bypass
Description
This config mode command allows you to bypass the enable password prompt and go directly to the privileged
command mode.
Usage Guidelines
Use this command when you want to access the privileged mode directly after logging in to the controller and not be prompted to enter an enable mode password.
To restore the enable mode password prompt, use the config mode command no enable bypass.
Example
The following example bypasses the enable mode password prompt.
(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #enable bypass
(host) (config) #
Command History
Version        Modification
ArubaOS 6.0    Command introduced
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Config mode on master or local controllers
enable secret
enable secret
Description
This config mode command allows you to change the password for enable mode.
Usage Guidelines
Use this command to change the password for enable mode. To reset the password to the factory default of “enable”, use the no enable command.
The password must not contain spaces or special characters.
Example
The following example allows you to change the password for enable mode.
(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #enable secret
Password:******
Re-Type password: ******
(host) (config) #
Command History
Version        Modification
ArubaOS 1.0    Command introduced
ArubaOS 3.3.2  Updated with restriction of the secret phrase
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Config mode on master or local controllers
encrypt
encrypt {disable|enable}
Description
This command allows passwords and keys to be displayed in plain text or encrypted.
Syntax
Parameter    Description    Default
disable
    Passwords and keys are displayed in plain text.
enable
    Passwords and keys are displayed encrypted. Default: enabled.
Usage Guidelines
Certain commands, such as show crypto isakmp key, display configured key information. Use the encrypt
command to display the key information in plain text or encrypted.
Example
The following command allows passwords and keys to be displayed in plain text:
(host) #encrypt disable
Command History
Introduced in ArubaOS 3.0
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Enable mode on master or local controllers
esi group
esi group <name> [no]|[ping <attributes>]|[server <server>]
Description
This command configures an ESI group.
Syntax
Parameter    Description
no
    Negates any configured parameter.
ping
    Specify the name of a set of ping checking attributes defined via the command esi ping. Only one set is allowed.
server
    Specify the name of a server to be added or removed from the ESI group. You define ESI servers via the command esi server.
Usage Guidelines
Use the show esi group command to show ESI group information.
Example
The following command sets up the ESI group named “fortinet.”
(host) (config) #esi group fortinet
ping default
server forti_1
Command History
Introduced in ArubaOS 2.5
Command Information
Platform: Available on all platforms
License: Requires the PEFNG license
Command Mode: Config mode on master or local controllers
esi parser domain
esi parser domain <name>
[no] |
[peer <peer-ip>] |
[server <ipaddr>]
Description
This command configures an ESI syslog parser domain.
Syntax
Parameter    Description
no
    Negates any configured parameter.
peer
    (Optional.) Specify the IP address of another controller in this domain. These controllers are notified when the user cannot be found locally. This command is needed only when multiple controllers share a single ESI server.
server
    Specify the IP address of the ESI server to which the controller listens.
Usage Guidelines
The ESI parser is a generic syslog parser on the controller that accepts syslog messages from external third-party
appliances such as anti-virus gateways, content filters, and intrusion detection systems. It processes syslog
messages according to user-defined rules and takes configurable actions on the corresponding system users.
ESI servers (see esi server on page 305) are configured into domains to which ESI syslog parser rules (see esi
parser rule on page 299) are applied.
Use the show esi parser domains command to show ESI parser domain information.
Example
The following commands configure a virus syslog parser domain named “fortinet” which contains the ESI server
“forti_1” with the trusted IP address configured using the command esi server.
(host) (config) #esi parser domain fortinet
server 10.168.172.3
Command History
Introduced in ArubaOS 3.1.
Command Information
Platform: Available on all platforms
License: Requires the PEFNG license
Command Mode: Config mode on master or local controllers
esi parser rule
esi parser rule <rule_name>
[condition <expression>] |
[domain <name>] |
[enable]
[match {ipaddr <expression> | mac <expression> | user <expression> }] |
[no] |
[position <position>] |
[set {blacklist | role <role>} |
[test {msg <msg> | file <filename>}]
Description
This command creates or changes an ESI syslog parser rule.
Syntax
Parameter    Description (with Range and Default where applicable)
condition
    Specifies the REGEX (regular expression) pattern that uniquely identifies the syslog.
domain
    (Optional.) Specify the ESI syslog parser domain to which this rule applies. If not specified, the rule matches with all configured ESI servers.
enable
    Enables this rule.
    Note: The condition, user match, and set action parameters must be configured before the rule can be enabled.
    Default: Not enabled
match
    Specifies the user identifier to match, where ipaddr, mac, and user take a REGEX pattern that uniquely identifies the user.
no
    Negates any configured parameter.
position
    Specifies the rule’s priority position.
    Range: 1–32; 1 is the highest priority.
set
    Specifies the action to take: blacklist the user or change the user role.
    Note: The role entity should be configured before it is accepted by the ESI rule.
test
    Test the regular expression output configured in the esi parser rules command. You can test the expressions against a specified syslog message, or test the expression against a sequence of syslog messages contained in a file.
Usage Guidelines
The user creates an ESI rule by using characters and special operators to specify a pattern that uniquely identifies a syslog message. This “condition” defines the type of message and the ESI domain to which this message pertains.
The rule contains three major fields:
- Condition: The pattern that uniquely identifies the syslog message type.
- User: The username identifier. It can be in the form of a name, MAC address, or IP address.
- Action: The action to take when a rule match occurs.
Once a condition match occurs, no further rule-matching will be made. For the matching rule, only one action can be defined.
For more details on the character-matching operators, repetition operators, and expression anchors used to define the search or match target, refer to the External Services Interface chapter in the ArubaOS 6.4 User Guide.
Use the show esi parser rules command to show ESI parser rule information. Use the show esi parser stats command to show ESI parser rule statistical information.
Examples
The following command sets up the Fortigate virus rule named “forti_rule.” This rule parses the virus detection syslog
scanning for a condition match on the log_id value (log_id=) and a match on the IP address (src=).
(host) (config) #esi parser rule forti_rule
condition "log_id=[0-9]{10}[ ]"
match ipaddr "src=(.*)[ ]"
set blacklist
domain fortinet
enable
In this example, the syslog message that the rule’s expressions are written against is:
< Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >
The following example of the test command tests a rule against a specified single syslog message.
test msg "26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4"
< 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >
=====
Condition: Matched with rule "forti_rule"
User: ipaddr = 1.2.3.4
=====
The following example of the test command tests a rule against a file named test.log, which contains several syslog
messages.
test file test.log
< Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >
==========
Condition: Matched with rule "forti_rule"
User: ipaddr = 1.2.3.4
==========
< Oct 18 10:43:40 cli[627]: PAPI_Send: To: 7f000001:8372 Type:0x4 Timed out. >
==========
Condition: No matching rule condition found
==========
< Oct 18 10:05:32 mobileip[499]: <500300> <DBUG> |mobileip| Station 00:40:96:a6:a1:a4, 10.0
.100.103: DHCP FSM received event: RECEIVE_BOOTP_REPLY current: PROXY_DHCP_NO_PROXY, next: PRO
XY_DHCP_NO_PROXY >
==========
Condition: No matching rule condition found
==========
Command History
Introduced in ArubaOS 3.1
Command Information
Platform: Available on all platforms.
License: Requires the PEFNG license
Command Mode: Config mode on master and local controllers
esi parser rule-test
esi parser rule-test
[file <filename>] |
[msg <msg>]
Description
This command allows you to test all of the enabled parser rules.
Syntax
Parameter    Description
file
    Tests against a specified file containing more than one syslog message.
msg
    Tests against a syslog message, where <msg> is the message text.
Usage Guidelines
You can test the enabled parser rules against a single syslog message, or run them against a file composed of syslog messages. The command shows the match result as well as the user name parsed for each message.
Example
The following command tests against a specified single syslog message.
(host) (config) #esi parser rule-test msg "26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4"
< 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >
=====
Condition: Matched with rule "forti_rule"
User: ipaddr = 1.2.3.4
=====
The following command tests against a file named test.log, which contains several syslog messages.
esi parser rule-test file test.log
< Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >
==========
Condition: Matched with rule "forti_rule"
User: ipaddr = 1.2.3.4
==========
< Oct 18 10:43:40 cli[627]: PAPI_Send: To: 7f000001:8372 Type:0x4 Timed out. >
==========
Condition: No matching rule condition found
==========
< Oct 18 10:05:32 mobileip[499]: <500300> <DBUG> |mobileip| Station 00:40:96:a6:a1:a4, 10.0
.100.103: DHCP FSM received event: RECEIVE_BOOTP_REPLY current: PROXY_DHCP_NO_PROXY, next: PRO
XY_DHCP_NO_PROXY >
==========
Condition: No matching rule condition found
==========
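The following is an added example, not code from ArubaOS or this guide. It is a small Python engine that applies ESI parser rules to syslog messages the way the esi parser rule and esi parser rule-test sections describe: every enabled rule has a REGEX condition, a user-identifier match pattern (ipaddr, mac or user) and exactly one set action; rules are tried in position order, the first condition match wins, and a rule with no domain applies to every ESI server. The rule (forti_rule) and the three messages in SAMPLE_LOG are the ones shown on this page; the class names, the rule-test style output formatter and the decision to match against the bracketed "< ... >" form of the message are assumptions.

```python
# Added example (not ArubaOS code): a small engine that applies ESI parser
# rules to syslog messages as this reference describes them. The rule and
# the messages are taken from the page; the engine itself is an assumption.
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EsiRule:
    name: str
    condition: str = ""            # REGEX identifying the syslog message type
    match_kind: str = ""           # "ipaddr", "mac" or "user"
    match_pattern: str = ""        # REGEX whose group 1 is the user identifier
    action: str = ""               # "blacklist" or "role <role-name>"
    domain: Optional[str] = None   # None: applies to all ESI servers
    position: int = 32             # 1 is the highest priority
    enabled: bool = False

    def enable(self) -> None:
        """Condition, user match and set action must exist before enabling."""
        if not (self.condition and self.match_pattern and self.action):
            raise ValueError(f"rule {self.name}: condition, match and set required")
        self.enabled = True


@dataclass
class RuleResult:
    message: str
    rule: Optional[str] = None     # name of the matching rule, if any
    user_kind: Optional[str] = None
    user: Optional[str] = None
    action: Optional[str] = None


def apply_rules(rules: List[EsiRule], msg: str,
                domain: Optional[str] = None) -> RuleResult:
    """Try enabled rules in position order; the first condition match wins
    and only that rule's single action applies."""
    # Assumption: the message is matched in the bracketed form the controller
    # prints, so a trailing '[ ]' in a pattern has a space to anchor on.
    text = f"< {msg} >"
    candidates = sorted(
        (r for r in rules
         if r.enabled and (r.domain is None or r.domain == domain)),
        key=lambda r: r.position)
    for rule in candidates:
        if not re.search(rule.condition, text):
            continue
        m = re.search(rule.match_pattern, text)
        user = m.group(1) if m and m.groups() else None
        return RuleResult(msg, rule.name, rule.match_kind, user, rule.action)
    return RuleResult(msg)


def format_result(res: RuleResult) -> str:
    """Render a result like the output of 'esi parser rule-test'."""
    lines = [f"< {res.message} >", "=========="]
    if res.rule:
        lines.append(f'Condition: Matched with rule "{res.rule}"')
        lines.append(f"User: {res.user_kind} = {res.user}")
    else:
        lines.append("Condition: No matching rule condition found")
    lines.append("==========")
    return "\n".join(lines)


def run_test_file(text: str, rules: List[EsiRule],
                  domain: Optional[str] = None) -> List[RuleResult]:
    """Equivalent of 'esi parser rule-test file <filename>'."""
    return [apply_rules(rules, line, domain)
            for line in text.splitlines() if line.strip()]


def forti_rule() -> EsiRule:
    """The rule from the 'esi parser rule' example on this page."""
    rule = EsiRule("forti_rule", condition=r"log_id=[0-9]{10}[ ]",
                   match_kind="ipaddr", match_pattern=r"src=(.*)[ ]",
                   action="blacklist", domain="fortinet", position=1)
    rule.enable()
    return rule


# Constructed test.log holding the three messages shown on this page.
SAMPLE_LOG = """\
Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4
Oct 18 10:43:40 cli[627]: PAPI_Send: To: 7f000001:8372 Type:0x4 Timed out.
Oct 18 10:05:32 mobileip[499]: <500300> <DBUG> |mobileip| Station 00:40:96:a6:a1:a4, 10.0.100.103: DHCP FSM received event: RECEIVE_BOOTP_REPLY current: PROXY_DHCP_NO_PROXY, next: PROXY_DHCP_NO_PROXY
"""

if __name__ == "__main__":
    for res in run_test_file(SAMPLE_LOG, [forti_rule()], domain="fortinet"):
        print(format_result(res))
```

The page's match pattern src=(.*)[ ] relies on a greedy .* that runs to the last space in the line, which works here only because the source address is the final field of the Fortigate message. A pattern that stops at the first space, such as src=([^ ]+), extracts the same identifier and does not depend on field order, which matters when the action is a blacklist: a wrong capture blacklists the wrong station or nobody.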
Command History
Introduced in ArubaOS 3.1
Command Information
Platform: Available on all platforms
License: Requires the PEFNG license
Command Mode: Config mode on master and local controllers
esi ping
esi ping <ping-name>
[frequency <seconds>] |
[no] |
[retry-count <count>] |
[timeout <seconds>] |
Description
This command specifies the ESI ping health check configuration.
Syntax
Parameter
    Description
    Range / Default

frequency <seconds>
    Specifies the ping frequency in seconds.
    Range: 1–65536
no
    Negates any configured parameter.
retry-count <count>
    Specifies the ping retry count.
    Range: 1–65536   Default: 2
timeout <seconds>
    Specifies the ping timeout in seconds.
    Range: 1–65536   Default: 2
Usage Guidelines
Use the show esi ping command to show ESI ping information.
Example
The following command specifies the ping health check attributes.
(host) (config) #esi ping default
frequency 5
retry-count 2
timeout 2
Command History
Introduced in ArubaOS 2.5
Command Information
Platform
License
Command Mode
Available on all platforms
Requires the PEFNG license
Config mode on master
and local controllers
esi server
esi server <name>
[dport <tcp-udp-port>] |
[mode {bridge | nat | route}] |
[no] |
[trusted-ip-addr <ip-addr> [health-check]] |
[trusted-port <slot/port>] |
[untrusted-ip-addr <ip-addr> [health-check]] |
[untrusted-port <slot/port>]
Description
This command configures an ESI server.
Syntax
Parameter
    Description

dport <tcp-udp-port>
    Specifies the NAT destination TCP/UDP port.
mode {bridge | nat | route}
    Specifies the ESI server mode of operation: bridge, nat, or route.
no
    Negates any configured parameter.
trusted-ip-addr <ip-addr> [health-check]
    Specifies the server IP address on the trusted network. Optionally, enables a health check on the specified
    address.
trusted-port <slot/port>
    Specifies the port connected to the trusted side of the ESI server, in slot/port format.
untrusted-ip-addr <ip-addr> [health-check]
    Specifies the server IP address on the untrusted network. Optionally, enables a health check on the specified
    address.
untrusted-port <slot/port>
    Specifies the port connected to the untrusted side of the ESI server, in slot/port format.
Usage Guidelines
Use the show esi server command to show ESI server information.
Example
The following command specifies the ESI server attributes.
(host) (config) #esi server forti_1
mode route
trusted-ip-addr 10.168.172.3
untrusted-ip-addr 10.168.171.3
Command History
Introduced in ArubaOS 2.5.
Command Information
Platform
License
Command Mode
Available on all platforms
Requires the PEFNG license
Config mode on
master and local
controllers
exit
exit
Description
This command exits the current CLI mode.
Syntax
No parameters.
Usage Guidelines
Upon entering this command in a configuration sub-mode, you are returned to the configuration mode. Upon entering
this command in configuration mode, you are returned to the enable mode. Upon entering this command in enable
mode, you are returned to the user mode. Upon entering this command in user mode, you are returned to the user
login.
Example
The following sequence of exit commands returns the user from the interface configuration sub-mode to the user
login:
(host) (config-if) #exit
(host) (config) #exit
(host) #exit
(host) >exit
User:
Command History
Introduced in ArubaOS 3.0
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base
operating system
Available in the following command modes:
• User
• Enable
• Config
• Config sub-modes
export
export gap-db <filename>
Description
This command exports the global AP database to the specified file.
Syntax
Parameter
Description
<filename>
Name of the file to which the global AP database is exported.
Usage Guidelines
This command is intended for system troubleshooting. You should run this command only when directed to do so by
an Aruba support representative.
The global AP database resides on a master controller and contains information about known APs on all controllers
in the system. You can view the contents of the global AP database with the show ap database command.
Example
The following command exports the global AP database to a file:
(host) #export gap-db global-ap-db
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base
operating system
Enable mode on master controllers.
fips
fips [disable|enable]
This command applies only to the FIPS version of ArubaOS.
Description
This command enables and disables the FIPS mode of operation.
Syntax
Parameter
Description
enable
Enables the FIPS mode of operation.
disable
Disables the FIPS mode of operation.
Usage Guidelines
This command enables or disables the FIPS mode of operation. You can view the FIPS mode of operation status
using the show fips command.
Example
The following example shows how to enable the FIPS mode of operation.
(host) #fips enable
Command History
This command was introduced in ArubaOS-FIPS 2.4.
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base
operating system
Enable mode on master controllers.
firewall
firewall
    {allow-stun|allow-tri-session|amsdu|attack-rate {cp <rate>|ping <number>|session <number>|tcp-syn <number>}|
    broadcast-filter-arp|bwcontracts-subnet-broadcast|cp|cp-bandwidth-contract|deny-inter-user-bridging|
    deny-inter-user-traffic|deny-source-routing|disable-ftp-server|disable-stateful-h323-processing|
    disable-stateful-sccp-processing|disable-stateful-sip-processing|[no] disable-stateful-sips-processing|
    disable-stateful-ua-processing|disable-stateful-vocera-processing|dpi|drop-ip-fragments|enable-bridging|
    enable-per-packet-logging|enforce-tcp-handshake|enforce-tcp-sequence|gre-call-id-processing|imm-fb|jumbo|
    local-valid-users|log-icmp-error|prevent-dhcp-exhaustion|prohibit-arp-spoofing|prohibit-ip-spoofing|
    prohibit-rst-replay|public-access|session-idle-timeout <seconds>|session-tunnel-fib|
    session-voip-timeout <seconds>|shape-mcast|stall-crash|voip-wmm-content-enforcement}
Description
This command configures firewall options on the controller.
Syntax
Parameter
    Description
    Range / Default

allow-stun
    Allows ICE-STUN based firewall traversal.
    Range: —   Default: enabled
allow-tri-session
    Allows a three-way session when performing destination NAT. Enable this option when the controller is not the
    default gateway for wireless clients and the default gateway is behind the controller. This option is typically
    used for captive portal configuration.
    Range: —   Default: disabled
amsdu
    Aggregate MAC Service Data Unit (A-MSDU) packets are dropped if this option is enabled.
    Range: —   Default: disabled
attack-rate {cp <rate>|ping <number>|session <number>|tcp-syn <number>}
    Sets rates which, if exceeded, can indicate a denial of service attack.
    Range: —   Default: —
bwcontracts-subnet-broadcast
    Applies bandwidth contracts to local subnet broadcast traffic.
    Range: —   Default: —
broadcast-filter-arp
    If enabled, all broadcast ARP requests are converted to unicast and sent directly to the client. You can check
    the status of this option using the show ap active and show datapath tunnel commands; if enabled, the output
    displays the letter a in the flags column.
    NOTE: This parameter is deprecated. Use the virtual AP profile to configure this setting.
    Range: —   Default: disabled
cp
    See firewall cp on page 316.
cp-bandwidth-contract
    See firewall cp-bandwidth-contract on page 318.
deny-inter-user-bridging
    Prevents the forwarding of Layer 2 traffic between wired or wireless users. User role policies can prevent
    Layer 3 traffic between users or networks, but they do not block Layer 2 traffic; this option can be used to
    prevent non-IP traffic such as AppleTalk or IPX from being forwarded. If enabled, all non-IP traffic to an
    untrusted port or tunnel is also blocked.
    Range: —   Default: disabled
deny-inter-user-traffic
    Denies downstream traffic between users in a wireless network (untrusted users) by disallowing Layer 2 and
    Layer 3 traffic. This parameter does not depend on the deny-inter-user-bridging parameter being enabled or
    disabled.
    Range: —   Default: disabled
deny-source-routing
    Disallows forwarding of IP frames that have the source routing options set.
    Range: —   Default: disabled
disable-ftp-server
    Disables the FTP server on the controller. Enabling this option prevents FTP transfers and could cause APs to
    not boot up. Do not enable this option unless instructed to do so by an Aruba representative.
    Range: —   Default: disabled
disable-stateful-h323-processing
    Disables stateful H.323 processing.
    Range: —   Default: disabled
disable-stateful-sccp-processing
    Disables stateful SCCP processing.
    Range: —   Default: disabled
disable-stateful-sip-processing
    Disables monitoring of exchanges between a voice over IP or voice over WLAN device and a SIP server. Enable
    this option only when there is no VoIP or VoWLAN traffic on the network.
    Range: —   Default: disabled
[no] disable-stateful-sips-processing
    Configures the controller to read SIP signaling messages sent by Lync clients on port 5061 (SIP over TLS).
    Range: —   Default: enabled
disable-stateful-ua-processing
    Disables stateful UA processing.
    Range: —   Default: disabled
disable-stateful-vocera-processing
    Disables stateful Vocera processing.
    Range: —   Default: disabled
dpi
    Enables Deep Packet Inspection (DPI).
    Range: —   Default: disabled
drop-ip-fragments
    When enabled, all IP fragments are dropped. Do not enable this option unless instructed to do so by an Aruba
    representative.
    Range: —   Default: disabled
enable-bridging
    Enables bridging when the controller is in factory default.
    Range: —   Default: disabled
enable-per-packet-logging
    Enables logging of every packet if logging is enabled for the corresponding session rule. Normally, one event is
    logged per session; if you enable this option, each packet in the session is logged. Do not enable this option
    unless instructed to do so by an Aruba representative, as doing so may create unnecessary overhead on the
    controller.
    Range: —   Default: disabled
enforce-tcp-handshake
    Prevents data from passing between two clients until the three-way TCP handshake has been performed. Disable
    this option when you have mobile clients on the network, as enabling it will cause mobility to fail; you can
    enable it if there are no mobile clients on the network.
    Range: —   Default: disabled
enforce-tcp-sequence
    Enforces the TCP sequence numbers for all packets.
    Range: —   Default: disabled
gre-call-id-processing
    Creates a unique state for each PPTP tunnel. Do not enable this option unless instructed to do so by a technical
    support representative.
    Range: —   Default: disabled
imm-fb
    Immediately frees buffers on 7200 Series controllers. Do not enable this option unless instructed to do so by a
    technical support representative.
    Range: —   Default: —
jumbo
    Enables jumbo frame processing.
    Range: —   Default: disabled
local-valid-users
    Adds only IP addresses that belong to a local subnet to the user table.
    Range: —   Default: disabled
log-icmp-error
    Logs received ICMP errors. Do not enable this option unless instructed to do so by an Aruba representative.
    Range: —   Default: disabled
prevent-dhcp-exhaustion
    Checks the frame's source MAC address against the DHCPv4 client hardware address (chaddr) and drops the packet
    if they do not match. Enabling this feature prevents a client from submitting multiple DHCP requests with
    different hardware addresses, thereby preventing DHCP pool depletion.
    Range: —   Default: disabled
prohibit-arp-spoofing
    Detects and prohibits ARP spoofing. When this option is enabled, possible ARP spoofing attacks are logged and an
    SNMP trap is sent.
    Range: —   Default: disabled
prohibit-ip-spoofing
    Detects IP spoofing (where an intruder sends messages using the IP address of a trusted client). When this
    option is enabled, source and destination IP and MAC addresses are checked; possible IP spoofing attacks are
    logged and an SNMP trap is sent.
    Range: —   Default: enabled in IPv4, disabled in IPv6
prohibit-rst-replay
    Closes a TCP connection in both directions if a TCP RST is received from either direction. Do not enable this
    option unless instructed to do so by an Aruba representative.
    Range: —   Default: disabled
session-idle-timeout <seconds>
    Time, in seconds, that a non-TCP session can be idle before it is removed from the session table. Do not modify
    this option unless instructed to do so by an Aruba representative.
    Range: 16-259   Default: 15 seconds
session-tunnel-fib
    Enables session tunnel-based forwarding.
    NOTE: Best practice is to enable this parameter only during a maintenance window or off-peak production hours.
    On the M3, this parameter only enables tunnel-based forwarding, as session-based forwarding does not apply to
    this platform.
    Range: —   Default: disabled
session-voip-timeout <seconds>
    Idle session timeout, in seconds, for sessions that are marked as voice sessions. If no voice packet exchange
    occurs over a voice session for the specified time, the voice session is removed.
    Range: 16-300   Default: 300 seconds
shape-mcast
    Enables multicast optimization, which provides consistent streaming quality regardless of the number of VLANs
    or IP IGMP groups in use.
    Range: —   Default: disabled
stall-crash
    Triggers a datapath crash on stall detection. Applies to the 7200 Series controllers only.
    Range: —   Default: enabled
voip-wmm-content-enforcement
    If traffic to or from the user is inconsistent with the associated QoS policy for voice, the traffic is
    reclassified to best effort and datapath counters are incremented. This parameter requires the PEFNG license.
    Range: —   Default: disabled
Usage Guidelines
This command configures global firewall options on the controller.
Example
The following command disallows forwarding of non-IP frames between users:
(host) (config) #firewall deny-inter-user-bridging
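The prevent-dhcp-exhaustion option above compares the frame's source MAC address with the DHCPv4 client hardware address (chaddr). The following Python script is an added example, not ArubaOS code: it constructs DHCPDISCOVER frames as test input, applies the same comparison, and shows a starvation attempt (one NIC rotating chaddr across requests) being dropped while an honest request is allowed. The frame builder, the verdict names, and the sample MAC addresses are assumptions made for this example.

```python
import struct
from typing import Dict, List, Optional

ETH_P_IP = 0x0800
IPPROTO_UDP = 17
BOOTP_CLIENT_PORT = 68
BOOTP_SERVER_PORT = 67
BOOTREQUEST = 1
HTYPE_ETHERNET = 1
BOOTP_HEADER_LEN = 236          # fixed BOOTP header, chaddr at offset 28
DHCP_MAGIC = b"\x63\x82\x53\x63"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_dhcp_discover(src_mac: str, chaddr: str, xid: int = 0x3903F326) -> bytes:
    """Construct an Ethernet/IPv4/UDP/BOOTP DHCPDISCOVER frame (constructed test
    input). Checksums are left zero; the checker below does not validate them."""
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, HTYPE_ETHERNET, 6, 0, xid, 0, 0x8000,
        bytes(4), bytes(4), bytes(4), bytes(4),
        mac_bytes(chaddr).ljust(16, b"\0"), bytes(64), bytes(128),
    )
    options = DHCP_MAGIC + bytes([53, 1, 1, 255])   # DHCP message type: DISCOVER
    payload = bootp + options
    udp = struct.pack("!HHHH", BOOTP_CLIENT_PORT, BOOTP_SERVER_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64,
                     IPPROTO_UDP, 0, bytes(4), b"\xff\xff\xff\xff") + udp
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP)
    return eth + ip


def dhcp_client_request(frame: bytes) -> Optional[bytes]:
    """Return the BOOTP payload if the frame is a DHCPv4 client-to-server
    request (IPv4, UDP 68 -> 67, op=BOOTREQUEST), otherwise None."""
    if len(frame) < 14 + 20 + 8 + BOOTP_HEADER_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or ip[9] != IPPROTO_UDP:
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if sport != BOOTP_CLIENT_PORT or dport != BOOTP_SERVER_PORT:
        return None
    bootp = udp[8:]
    if len(bootp) < BOOTP_HEADER_LEN or bootp[0] != BOOTREQUEST:
        return None
    return bootp


def prevent_dhcp_exhaustion(frame: bytes) -> str:
    """Verdict for one frame: 'pass' (not a DHCP client request, the check does
    not apply), 'allow', or 'drop' (chaddr differs from the frame source MAC)."""
    bootp = dhcp_client_request(frame)
    if bootp is None:
        return "pass"
    htype, hlen = bootp[1], bootp[2]
    if htype != HTYPE_ETHERNET or hlen != 6:
        return "drop"           # cannot equal a 6-byte Ethernet source address
    chaddr = bootp[28:28 + hlen]
    return "allow" if chaddr == frame[6:12] else "drop"


def apply_policy(frames: List[bytes]) -> Dict[str, int]:
    counts = {"pass": 0, "allow": 0, "drop": 0}
    for f in frames:
        counts[prevent_dhcp_exhaustion(f)] += 1
    return counts


# Constructed traffic: one honest client, then a starvation attempt that keeps
# the NIC's real source MAC but rotates chaddr to drain the pool.
HONEST = build_dhcp_discover("00:40:96:a6:a1:a4", "00:40:96:a6:a1:a4")
STARVATION = [
    build_dhcp_discover("00:40:96:a6:a1:a4", f"02:00:00:00:00:{i:02x}", xid=i)
    for i in range(1, 6)
]

if __name__ == "__main__":
    print(apply_policy([HONEST] + STARVATION))
```

The check only catches requests whose chaddr differs from the frame's source address. A sender that rewrites the source MAC of every frame to match its rotating chaddr passes it; on a WLAN that is harder, because the source address the controller sees belongs to the associated station, which is where this option earns its keep.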
Related Commands
(host) (config) #show firewall
Command History
Release         Modification
ArubaOS 3.0     Command introduced.
ArubaOS 3.2     The wmm-voip-content-enforcement parameter was introduced.
ArubaOS 3.3     The session-mirror-destination parameter was modified.
ArubaOS 3.3.2   The local-valid-users parameter was added.
ArubaOS 3.4     The voip-proxy-arp parameter was renamed to broadcast-filter-arp and it does not require a Voice
                license.
                The prohibit-arp-spoofing parameter was added.
                The deny-inter-user-traffic parameter was added.
ArubaOS 6.0     The shape-mcast parameter was added.
ArubaOS 6.1     The amsdu parameter was added.
ArubaOS 6.2     The clear-sessions-role-update parameter was deprecated.
ArubaOS 6.2.1   The imm-fb parameter was introduced.
ArubaOS 6.3     The following parameters were added:
                • jumbo
                • disable-stateful-sips-processing
                • deny-source-routing
                The session-mirror-destination and session-mirror-ipsec parameters were deprecated. They were
                replaced by the destination and datapath ipsec parameters, respectively, of the packet-capture
                command.
ArubaOS 6.4     The following parameters were added:
                • allow-stun
                • dpi
                • stall-crash
Command Information
Platform
License
Command Mode
Available on all platforms
Base operating system, except the
voip-wmm-content-enforcement parameter,
which requires the PEFNG license.
Config mode on master controllers
firewall cp
firewall cp
    ipv4|ipv6 deny|permit {<ip-addr> <ip-mask>|any|host <ip-addr>} proto {<ip-protocol-number> ports <start port>
    <end port>|ftp|http|https|icmp|snmp|ssh|telnet|tftp} [bandwidth-contract <name>]
    no ...
Description
This command creates whitelist session ACLs for traffic destined to the controller itself. Whitelist ACLs consist of
rules that explicitly permit or deny session traffic from being forwarded to the controller's control plane. Unlike a
blacklist, where any traffic that is not explicitly denied is forwarded, a whitelist forwards only traffic that a rule
explicitly permits. The maximum number of entries allowed in the whitelist is 64.
Syntax
Parameter
    Description
    Range / Default

ipv4|ipv6
    Specifies IPv4 or IPv6.
deny|permit
    Specifies whether the entry rejects (deny) or allows (permit) matching traffic on the session ACL whitelist.
<ip-addr> <ip-mask>
    Specifies a source address and mask to match.
any
    Specifies any IPv4 or IPv6 source address.
host <ip-addr>
    Indicates a specific IPv4 or IPv6 source address.
proto
    Protocol that the session traffic is using.
<ip-protocol-number>
    Specifies the IP protocol number that is permitted or denied.
    Range: 1-255
ports <start port> <end port>
    Specifies the first and last port of the port range on which session traffic is running.
    Range: 1-65535
ftp
    Specifies the File Transfer Protocol.
http
    Specifies the Hypertext Transfer Protocol.
https
    Specifies the Secure HTTP Protocol.
icmp
    Specifies the Internet Control Message Protocol.
snmp
    Specifies the Simple Network Management Protocol.
ssh
    Specifies the Secure Shell protocol.
telnet
    Specifies the Telnet protocol.
tftp
    Specifies the Trivial File Transfer Protocol.
bandwidth-contract <name>
    Specifies the name of a bandwidth contract defined via the cp-bandwidth-contract command.
Usage Guidelines
This command turns the session ACL from a blacklist to a whitelist. A rule must exist that explicitly permits the
session before it is forwarded to the controller and the last rule in the list denies everything else.
Example
The following command creates a whitelist ACL entry that permits FTP traffic from sources matching the address
10.10.10.10 with mask 2.2.2.2, and applies the bandwidth contract named mycontract:
(host) (config-fw-cp) #ipv4 permit 10.10.10.10 2.2.2.2 proto ftp bandwidth-contract name mycontract
The following command creates a whitelist ACL entry that denies traffic using IP protocol 6 (TCP) on ports 5000
through 6000 from being forwarded to the controller:
(host) (config-fw-cp) #deny proto 6 ports 5000 6000
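The whitelist semantics described above (the first matching rule decides, anything no rule permits is denied, at most 64 entries) can be modelled to check a candidate policy before it is applied to a controller. The following Python evaluator is an added example, not ArubaOS code. The expansion of the protocol keywords to well-known ports, the sample policy, and the source addresses are assumptions for this example; the page's example mask 2.2.2.2 is not a contiguous subnet mask, and this evaluator, which relies on Python's ipaddress module, rejects such masks.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

MAX_WHITELIST_ENTRIES = 64

# Assumed expansion of the protocol keywords to (IP protocol number, port).
# These are the IANA well-known ports; the page does not state the mapping.
SERVICES = {
    "ftp": (6, 21), "ssh": (6, 22), "telnet": (6, 23), "http": (6, 80),
    "https": (6, 443), "tftp": (17, 69), "snmp": (17, 161), "icmp": (1, None),
}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class CpRule:
    action: str                        # "permit" or "deny"
    source: Optional[Network]          # None means "any"
    proto: int                         # IP protocol number
    ports: Optional[Tuple[int, int]]   # inclusive range; None means all ports
    bandwidth_contract: Optional[str] = None


def parse_source(tokens: List[str]) -> Optional[Network]:
    """'any', 'host <ip>', or '<ip> <mask>' (dotted mask or prefix length)."""
    if tokens == ["any"]:
        return None
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1])
    addr, mask = tokens
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_rule(line: str) -> CpRule:
    """Parse the rule part of a firewall cp entry (after the ipv4|ipv6 keyword)."""
    tokens = line.split()
    if tokens[0] not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny")
    proto_idx = tokens.index("proto")
    source = parse_source(tokens[1:proto_idx])
    rest = tokens[proto_idx + 1:]
    contract = None
    if "bandwidth-contract" in rest:
        i = rest.index("bandwidth-contract")
        contract, rest = rest[i + 1], rest[:i]
    if rest[0] in SERVICES:
        proto, port = SERVICES[rest[0]]
        ports = None if port is None else (port, port)
    else:
        proto = int(rest[0])
        if not 1 <= proto <= 255:
            raise ValueError("IP protocol number must be 1-255")
        ports = None
        if len(rest) >= 4 and rest[1] == "ports":
            ports = (int(rest[2]), int(rest[3]))
            if not all(1 <= p <= 65535 for p in ports) or ports[0] > ports[1]:
                raise ValueError("port range must be 1-65535 with start <= end")
    return CpRule(tokens[0], source, proto, ports, contract)


class CpWhitelist:
    """Ordered whitelist with first-match semantics and an implicit final deny."""

    def __init__(self) -> None:
        self.rules: List[CpRule] = []

    def add(self, line: str) -> None:
        if len(self.rules) >= MAX_WHITELIST_ENTRIES:
            raise ValueError(f"whitelist is limited to {MAX_WHITELIST_ENTRIES} entries")
        self.rules.append(parse_rule(line))

    def evaluate(self, src_ip: str, proto: int, dport: Optional[int] = None) -> Tuple[str, Optional[str]]:
        """Return (action, bandwidth_contract) for a session to the control plane.
        The first matching rule decides; with no match the session is denied,
        which is what makes the list a whitelist rather than a blacklist."""
        src = ipaddress.ip_address(src_ip)
        for r in self.rules:
            if r.source is not None and src not in r.source:
                continue
            if r.proto != proto:
                continue
            if r.ports is not None and (dport is None or not r.ports[0] <= dport <= r.ports[1]):
                continue
            return r.action, r.bandwidth_contract
        return "deny", None


def example_whitelist() -> CpWhitelist:
    """Constructed policy (an assumption, not from the page): management SSH and
    HTTPS only from 10.10.10.0/24, rate-limited ICMP from anywhere, and an
    explicit deny for TCP ports 5000-6000."""
    wl = CpWhitelist()
    wl.add("permit 10.10.10.0 255.255.255.0 proto ssh")
    wl.add("permit 10.10.10.0 255.255.255.0 proto https")
    wl.add("permit any proto icmp bandwidth-contract mycontract")
    wl.add("deny any proto 6 ports 5000 6000")
    return wl


if __name__ == "__main__":
    wl = example_whitelist()
    for probe in [("10.10.10.10", 6, 22), ("192.0.2.9", 6, 22), ("10.10.10.10", 6, 23)]:
        print(probe, "->", wl.evaluate(*probe))
```

Run the evaluator over the sessions you expect to need (management SSH, the RADIUS or syslog exchanges, the AP control traffic) before committing a whitelist; a whitelist that forgets one of them locks that traffic out rather than letting it through, which is the point of the model but also the usual way to lose management access.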
Related Commands
Command
Description
Mode
show firewall-cp
Show Control Processor (CP) whitelist ACL info.
Enable or Config modes
cp-bandwidth-contract
This command configures a bandwidth contract
traffic rate which can then be associated with a
whitelist session ACL.
Enable or Config modes
Command History
Release       Modification
ArubaOS 3.4   Command introduced.
ArubaOS 6.2   The permit <ip-addr><ip-mask> parameter was added.
              The deny <ip-addr> parameter was added.
              The any parameter was added.
              The host parameter was added.
              The ftp, http, https, icmp, snmp, ssh, telnet and tftp parameters were added.
ArubaOS 6.3   The ipv4 and ipv6 parameters were added.
Command Information
Platform
License
Command Mode
Available on all platforms
Base operating system, except for noted
parameters
Config mode on master
controllers
firewall cp-bandwidth-contract
firewall cp-bandwidth-contract {auth|route|sessmirr|trusted-mcast|trusted-ucast
|untrusted-mcast|untrusted-ucast} <Rate>
Description
This command configures bandwidth contract traffic rate limits, in packets per second, to prevent denial of service
attacks.
Syntax
Parameter
    Description
    Range / Default

auth
    Specifies the rate limit for traffic that is forwarded to the authentication process.
    Range: 1-65535 pps   Default: 976 pps
route
    Specifies the rate limit for traffic that needs ARP requests.
    Range: 1-65535 pps   Default: 976 pps
sessmirr
    Specifies the rate limit for session-mirrored traffic forwarded to the controller.
    Range: 1-65535 pps   Default: 976 pps
trusted-mcast
    Specifies the trusted multicast traffic rate limit.
    Range: 1-65535 pps   Default: 1953 pps
trusted-ucast
    Specifies the trusted unicast traffic rate limit.
    Range: 1-65535 pps   Default: 65535 pps
untrusted-mcast
    Specifies the untrusted multicast traffic rate limit.
    Range: 1-65535 pps   Default: 1953 pps
untrusted-ucast
    Specifies the untrusted unicast traffic rate limit.
    Range: 1-65535 pps   Default: 9765 pps
Usage Guidelines
This command configures firewall bandwidth contract options on the controller.
Example
The following command limits untrusted unicast traffic forwarded to the control plane to 4000 packets per second:
(host) (config) #firewall cp-bandwidth-contract untrusted-ucast 4000
Related Commands
(host) (config) #show firewall
Command History
Introduced in ArubaOS 3.4
Command Information
Platform
License
Command Mode
Available on all platforms
This command requires the PEFNG
license
Config mode on master
controllers
firewall-visibility
firewall-visibility
no ...
Description
Enables or disables policy enforcement firewall visibility feature.
Syntax
No parameters.
Usage Guidelines
When you enable this feature, the Firewall Monitoring page on the Dashboard tab of the WebUI displays the
summary of all sessions in the controller aggregated by users, devices, destinations, applications, WLANs, and
roles.
Example
The following command enables firewall visibility.
(host)(config) #firewall-visibility
Related Commands
Command
Description
Mode
show firewall-visibility
Displays the policy enforcement firewall visibility
process state and status information
Config or Enable mode
Command History
This command is introduced in ArubaOS 6.2.
Command Information
Platforms
Licensing
Command Mode
3200XM, 3400, 3600, M3,
and 7200 controllers
This command requires the
PEFNG license
Config mode on master or local controller
gateway health-check disable
gateway health-check disable
Description
Disable the gateway health check.
Usage Guidelines
The gateway health check feature can only be enabled by Aruba Technical Support. This command disables the
gateway health check, and should only be issued under the guidance of the support staff.
Related Commands
Command                     Description                                              Mode
show gateway health-check   Display the current status of the gateway health-check   Config and Enable mode on master
                            feature.                                                 and local controllers
(host) (config) #show gateway health-check
History
Introduced in ArubaOS 3.4
Command Information
Platforms
Licensing
Command Mode
All platforms
Base operating system
Config mode on master or local controllers.
guest-access-email
guest-access-email
smtp-port
smtp-server
no...
Description
This command configures the SMTP server which is used to send guest email. Guest email is generated when a
guest user account is created, or when the Guest Provisioning user sends the guest user account email at a later time.
Syntax
Parameter
    Description
    Range / Default

smtp-port <Port number>
    Identifies the SMTP port through which the guest-access email is sent.
    Range: 1–65535   Default: 25
smtp-server <IP-Address>
    The IP address of the SMTP server to which the controller sends the guest-access email.
no
    Deletes the command configuration.
Usage Guidelines
As part of the guest provisioning feature, the guest-access-email command allows you to set up the SMTP port and
server that process guest provisioning email. This email process sends email to either the guest or the sponsor
whenever a guest user account is created or when the Guest Provisioning user manually sends email from the Guest
Provisioning page.
Example
The following command creates a guest-access email profile and sends guest user email through SMTP server IP
address 1.1.1.1 on port 25.
(host) (config) #guest-access-email
(host) (Guest-access Email Profile) #smtp-port 25
(host) (Guest-access Email Profile) #smtp-server 1.1.1.1
Related Commands
(host) #show guest-access-email
(host) #local-userdb-guest add
(host) #local-userdb-guest modify
(host) #show local-userdb-guest
Command History
Release       Modification
ArubaOS 3.4   Introduced for the first time.
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base operating system.
Config mode on master
controllers.
ha
ha
group-membership <profile>
group-profile <profile>
clone <profile-name>
controller <controller> role active|dual|standby
controller-v6 <ipv6> role active|dual|standby
heartbeat
heartbeat-interval <heartbeat-interval>
heartbeat-threshold <heartbeat-threshold>
no
over-subscription
pre-shared-key <key>
preemption
state-sync
Description
This command configures the High Availability:Fast Failover feature by assigning controllers to a high-availability
group, and defining the deployment role for each controller.
Syntax
Parameter
    Description

group-membership <profile>
    Displays the high availability group in which the controller is a member.
group-profile <profile>
    Creates a new high availability group, or defines settings for an existing group.
clone <profile-name>
    Name of an existing high availability profile from which parameter values are copied.
controller <controller> role {active|dual|standby}
    IPv4 address of a controller that should be added to the specified high availability group, and the role
    assigned to that controller:
    • Active: Controller is active and is serving APs.
    • Dual: Controller serves some APs and acts as a standby controller for other APs.
    • Standby: Controller does not serve APs and only acts as a standby in case of failover.
controller-v6 <ipv6> role {active|dual|standby}
    IPv6 address of a controller that should be added to the specified high availability group, with the same
    active, dual, or standby role choices as above.
heartbeat
    The high availability inter-controller heartbeat feature allows for faster AP failover from an active controller
    to a standby controller, especially in situations where the active controller reboots or loses connectivity to
    the network.
heartbeat-interval <heartbeat-interval>
    Defines how often inter-controller heartbeats are sent.
    Range: 100-1000 ms; Default: 100 ms
heartbeat-threshold <heartbeat-threshold>
    Defines the number of heartbeats that must be missed before the APs are forced to fail over to the standby
    controller.
    Range: 3-10 heartbeats; Default: 5 heartbeats
no
    Negates or removes any configured parameter.
over-subscription
    The standby controller oversubscription feature allows a standby controller to support connections to standby
    APs beyond the controller's original rated AP capacity. Starting with ArubaOS 6.4.0.0, a 7200 Series controller
    acting as a standby controller can oversubscribe to standby APs by up to four times that controller's rated AP
    capacity, and a standby M3 controller module or 3600 controller can oversubscribe by up to two times its rated
    AP capacity, as long as the tunnels consumed by the standby APs do not exceed the maximum tunnel capacity for
    that standby controller.
pre-shared-key <key>
    Defines a pre-shared key to be used with the state synchronization feature.
preemption
    If you include this optional parameter to enable preemption, an AP that has failed over to a standby controller
    attempts to connect back to its original active controller once that controller is reachable again. When you
    enable this setting, the AP waits for the time specified by the lms-hold-down-period parameter in the ap
    system-profile before it attempts to switch back to the original controller.
state-sync
    State synchronization improves failover performance by synchronizing PMK and key cache values from the active
    controller to the standby controller, allowing clients to authenticate on the standby controller without
    repeating the complete 802.1X authentication process.
    NOTE: To use the state synchronization feature, configure a pre-shared key with the pre-shared-key parameter.
Usage Guidelines
The High Availability:Fast Failover feature supports redundancy models with an active controller pair, or an
active/standby deployment model with one backup controller supporting one or more active controllers. Each of
these clusters of active and backup controllers comprises a high-availability group. Note that all active and backup
controllers within a single high-availability group must be deployed in a single master-local topology. The High
Availability:Fast Failover feature works across Layer-3 networks, so there is no need for a direct Layer-2
connection between controllers in a high-availability group.
By default, an AP's active controller is the controller to which the AP first connects when it comes up. Other dual
mode or standby mode controllers in the same High Availability group become potential standby controllers for that
AP. This feature does not require that the active controller act as the configuration master for the local standby
controller. A master controller in a master-local deployment can act as an active or a standby controller.
When the AP first connects to its active controller, that controller sends the AP the IP address of a standby
controller, and the AP attempts to connect to the standby controller. If an AP that is part of a cluster with multiple
backup controllers fails to connect to the first standby controller, the active controller will select a new standby
controller for that AP, and the AP will attempt to connect to that standby controller. APs using control plane security
establish an IPsec tunnel to their standby controllers. APs that are not configured to use control plane security send
clear, unencrypted information to the standby controller.
An AP will failover to its backup controller if it fails to contact its active controller through regular heartbeats and
keepalive messages, or if the user manually triggers a failover using the WebUI or CLI.
A controller using this feature can have one of three high availability roles – active, standby or dual. An active
controller serves APs, but cannot act as a failover standby controller for any AP except the ones that it serves as
active. A standby controller acts as a failover backup controller, but cannot be configured as the primary controller for
any AP. A dual controller can support both roles, and acts as the active controller for one set of APs, and also acts
as a standby controller for another set of APs.
Examples
The following commands configure a high availability group, and assign a role to each controller in the group.
(host) (config) #ha group-profile new
(host) (HA group information "new") #controller 192.0.2.2 role active
(host) (HA group information "new") #controller 192.0.2.3 role active
(host) (HA group information "new") #controller 192.0.2.4 role standby
(host) (HA group information "new") #preemption
Command History
Version
Description
ArubaOS 6.3
Command introduced
ArubaOS 6.4
The following parameters were introduced:
• heartbeat
• heartbeat-interval
• heartbeat-threshold
• over-subscription
• pre-shared-key
• state-sync
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base operating system.
Config mode on master and
local controllers.
halt
halt
Description
This command halts all processes on the controller.
Syntax
No parameters.
Usage Guidelines
This command gracefully stops all processes on the controller. You should issue this command before rebooting or
shutting down to avoid interrupting processes.
Command History
Introduced in ArubaOS 3.0
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base operating system.
Enable mode on master and
local controllers.
help
help
Description
This command displays help for the CLI.
Syntax
No parameters.
Usage Guidelines
This command displays keyboard editing commands that allow you to make corrections or changes to the command
without retyping.
You can also enter the question mark (?) to get various types of command help:
• When typed at the beginning of a line, the question mark lists all commands available in the current mode.
• When typed at the end of a command or abbreviation, the question mark lists possible commands that match.
• When typed in place of a parameter, the question mark lists available options.
Example
The following command displays help:
(host) #help
Command History
Available in ArubaOS 3.0
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Available in the following command modes: User, Enable, Config
hostname
hostname <hostname>
Description
This command changes the hostname of the controller.
Syntax
hostname: The hostname of the controller (Range: 1-63; Default: see below)
Usage Guidelines
The hostname is used as the default prompt. You can use any alphanumeric character, punctuation, or symbol
character. To use spaces, plus symbols (+), question marks (?), or asterisks (*), enclose the text in quotes.
The default names for the following controllers are:
- 6000 controller: Aruba6000
- 3200XM controller: Aruba3200XM
- 3400 controller: Aruba3400
Example
The following example configures the controller hostname to "Controller 1".
hostname "Controller 1"
Command History
Introduced in ArubaOS 1.0
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Config mode on master and local controllers
iap del branch-key
iap del branch-key <brkey>
Description
This command removes a branch from the controller based on the branch key.
Syntax
branch-key <brkey>: Key for the branch, which is unique to each branch.
Example
(host) (config) #iap del branch-key b3c65c4d013836cf190566ca1afdf87c95350cffb1c782e463
Related Commands
show iap table: This command displays the branch details connected to the controller.
Command History
ArubaOS 6.2: Command introduced
Command Information
Platforms: All platforms
Licensing: Base operating system, except for noted parameters
Command Mode: Configuration mode on master and local controller
iap trusted-branch-db
iap trusted-branch-db
add {mac-address <mac-address>}
allow-all
del {mac-address <mac-address>}
del-all
Description
This command is used to configure an IAP-VPN branch as trusted.
Syntax
add: Configure an IAP trusted branch entry
    mac-address <mac-address>: MAC address of an AP
allow-all: Configure all branches as trusted
del: Delete an IAP trusted branch entry
    mac-address <mac-address>: MAC address of an AP
del-all: Delete all trusted branch entries
Example
The following command configures a specific IAP-VPN branch as trusted:
(host) (config) #iap trusted-branch-db add mac-address 01:01:0e:3e:4c:33
The following is the output of the above command:
Trusted branch added
The following command configures all IAP-VPN branches as trusted:
(host) (config) #iap trusted-branch-db allow-all
The following is the output of the above command:
All IAP+VPN branches are trusted
Related Commands
show iap detailed-table: This command displays the IAP trusted branch table
Command History
ArubaOS 6.4: Command introduced
Command Information
Platforms: All platforms
Licensing: Base operating system, except for noted parameters
Command Mode: Enable or Configuration mode on master and local controller
ids ap-classification-rule change
ids ap-classification-rule <rule-name>
check-min-discovered-aps
classify-to-type [neighbor | suspected-rogue]
clone
conf-level-incr
discovered-ap-cnt <discovered-ap-cnt>
match-ssids
no
snr-max <value>
snr-min <value>
ssid <ssid>
Description
Configure the AP classification rule profile.
Syntax
<rule-name>: Enter the AP classification rule profile name. (Range: —; Default: —)
check-min-discovered-aps: Have the rule check for the minimum number of APs. (Range: true, false; Default: true)
classify-to-type [neighbor | suspected-rogue]: Specify the type the AP will be classified as, neighbor or suspected-rogue, if the rule is matched. (Range: —; Default: suspected-rogue)
clone: Copy data from another AP classification rule profile. (Range: —; Default: —)
conf-level-incr: Increase the confidence level (in percentage) when the rule matches. (Range: 0-100; Default: 5)
discovered-ap-cnt <discovered-ap-cnt>: Enter the keyword discovered-ap-cnt followed by the number of APs to be discovered. (Range: 0-100; Default: 0)
match-ssids: Match SSIDs; match or do not match. (Range: true, false; Default: false)
no: Negates any configured parameter. (Range: —; Default: —)
snr-max <value>: Use the maximum SNR value. (Range: 0-100; Default: 0)
snr-min <value>: Use the minimum SNR value. (Range: 0-100; Default: 0)
ssid <ssid>: Enter the keyword ssid followed by the SSID string to be matched or excluded. (Range: —; Default: —)
Usage Guidelines
AP classification rule configuration is performed only on a master controller. If AMP is enabled via the
mobility-manager command, then processing of the AP classification rules is disabled on the master controller. A rule is
identified by its ASCII character string name (32 characters maximum). The AP classification rules have one of the
following specifications:
- SSID of the AP
- SNR of the AP
- Discovered-AP-Count, or the number of APs that can see the AP
Once you have created an AP classification rule, you must enable it by adding it to the IDS AP Matching Rules
profile:
ids ap-rule-matching
rule-name <name>
SSID specification
Each rule can have up to 6 SSID parameters. If one or more SSIDs are specified in a rule, you can specify whether to
match any of the SSIDs or to not match all of the SSIDs. The default is to check for a match operation.
SNR specification
Each rule can have only one specification of the SNR. A minimum and/or maximum can be specified in each rule, and
the specification is in SNR (dB).
Discovered-AP-Count specification
Each rule can have only one specification of the Discovered-AP-Count. Each rule can specify a minimum or
maximum of the Discovered-AP-Count. The minimum or maximum operation must be specified if the
Discovered-AP-Count is specified. The default setting is to check for the minimum Discovered-AP-Count.
Example
The following example configures the AP Classification Rule Profile named "rule1", then enables the rule by adding it
to the IDS AP Matching Rules profile.
(host) (config) #ids ap-classification-rule rule1
(host) (IDS AP Classification Rule Profile "rule1") #check-min-discovered-aps
(host) (IDS AP Classification Rule Profile "rule1") #classify-to-type neighbor
(host) (IDS AP Classification Rule Profile "rule1") #!
(host) (config) #ap-rule-matching rule-name rule1
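The rule semantics described in the usage guidelines (SSID match or no-match, SNR minimum and/or maximum, minimum or maximum Discovered-AP-Count, confidence increment per matching rule), worked through in Python as an added example; this is not Aruba's code or the controller's own classification logic. It assumes that match-ssids false means the AP's SSID must match none of the listed SSIDs, that an unset SNR or count bound is simply not checked, and that confidence accumulates across matching rules; the rules and AP observations are constructed here.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

MAX_SSIDS_PER_RULE = 6   # "Each rule can have up to 6 SSID parameters"
MAX_RULE_NAME_LEN = 32   # "ASCII character string name (32 characters maximum)"


@dataclass
class ClassificationRule:
    """One ids ap-classification-rule, with the parameter defaults from the table above.
    None for an SNR or count bound means that specification is absent (assumption)."""
    name: str
    classify_to_type: str = "suspected-rogue"       # neighbor | suspected-rogue
    conf_level_incr: int = 5                         # 0-100, percent added on a match
    ssids: List[str] = field(default_factory=list)   # ssid <ssid>, at most 6
    match_ssids: bool = False                        # True: SSID must be one of ssids;
                                                     # False: SSID must be none of them
    snr_min: Optional[int] = None                    # snr-min <value>, dB
    snr_max: Optional[int] = None                    # snr-max <value>, dB
    discovered_ap_cnt: Optional[int] = None          # discovered-ap-cnt
    check_min_discovered_aps: bool = True            # True: count >= cnt; False: count <= cnt

    def __post_init__(self) -> None:
        if not self.name.isascii() or not 1 <= len(self.name) <= MAX_RULE_NAME_LEN:
            raise ValueError("rule name must be ASCII, 1-32 characters")
        if len(self.ssids) > MAX_SSIDS_PER_RULE:
            raise ValueError("a rule may carry at most 6 SSIDs")
        if self.classify_to_type not in ("neighbor", "suspected-rogue"):
            raise ValueError("classify-to-type must be neighbor or suspected-rogue")
        if not 0 <= self.conf_level_incr <= 100:
            raise ValueError("conf-level-incr must be 0-100")

    def matches(self, ssid: str, snr_db: int, discovered_by: int) -> bool:
        """True when the observed AP satisfies every specification the rule carries."""
        # SSID specification: match any listed SSID, or match none of them.
        if self.ssids and (ssid in self.ssids) != self.match_ssids:
            return False
        # SNR specification: minimum and/or maximum, in dB.
        if self.snr_min is not None and snr_db < self.snr_min:
            return False
        if self.snr_max is not None and snr_db > self.snr_max:
            return False
        # Discovered-AP-Count specification: minimum (the default) or maximum.
        if self.discovered_ap_cnt is not None:
            if self.check_min_discovered_aps and discovered_by < self.discovered_ap_cnt:
                return False
            if not self.check_min_discovered_aps and discovered_by > self.discovered_ap_cnt:
                return False
        return True


def rule_is_valid(**params) -> bool:
    """Helper for the example: does ClassificationRule accept these parameters?"""
    try:
        ClassificationRule(**params)
        return True
    except ValueError:
        return False


def classify_ap(rules: Sequence[ClassificationRule], ssid: str, snr_db: int,
                discovered_by: int) -> Tuple[Optional[str], int]:
    """Apply the enabled rules in order. Assumption: each matching rule adds its
    conf-level-incr (capped at 100) and the last matching rule sets the type."""
    ap_type: Optional[str] = None
    confidence = 0
    for rule in rules:
        if rule.matches(ssid, snr_db, discovered_by):
            ap_type = rule.classify_to_type
            confidence = min(100, confidence + rule.conf_level_incr)
    return ap_type, confidence


# Constructed rules (hypothetical names and values, not taken from a controller).
RULES = [
    # A strong AP advertising the corporate SSID is most likely a neighbor.
    ClassificationRule("corp-neighbor", classify_to_type="neighbor", conf_level_incr=30,
                       ssids=["CorpWiFi"], match_ssids=True, snr_min=20),
    # A strong AP NOT using the corporate SSID, seen by at least 3 of our APs.
    ClassificationRule("strong-unknown", classify_to_type="suspected-rogue",
                       conf_level_incr=50, ssids=["CorpWiFi"], match_ssids=False,
                       snr_min=40, discovered_ap_cnt=3, check_min_discovered_aps=True),
]

if __name__ == "__main__":
    # (ssid, SNR in dB, number of our APs that can see it): constructed observations
    for ap in [("CorpWiFi", 45, 4), ("FreeWiFi", 60, 5), ("FreeWiFi", 10, 5)]:
        print(ap, "->", classify_ap(RULES, *ap))
```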
Command History
ArubaOS 6.0: Command introduced
Command Information
Platforms: Available on all platforms
Licensing: Requires the RFprotect license
Command Mode: Config mode on master controllers
ids ap-rule-matching
no
rule-name
Description
Configure the IDS active AP rules profile by enabling an AP classification rule.
Syntax
no: Negates any configured parameter
rule-name: Name of the IDS AP classification rule
Usage Guidelines
This command activates an active AP rule created by the ids ap-classification-rule change command. You must
create the rule before you can activate it.
Example
(host) (IDS Active AP Rules Profile) #rule-name rule2
Command History
ArubaOS 6.0: Command introduced
Command Information
Platforms: Available on all platforms
Licensing: Requires the RFprotect license
Command Mode: Config mode on master controllers
ids dos-profile
ids dos-profile <profile>
ap-flood-inc-time <seconds>
ap-flood-quiet-time <seconds>
ap-flood-threshold <number>
assoc-rate-thresholds <number>
auth-rate-thresholds <number>
block-ack-dos-quiet-time
chopchop-quiet-time
client-ht-40mhz-intol-quiet-time <seconds>
client-flood-inc-time
client-flood-quiet-time
client-flood-threshold
client-ht-40mhz-intolerance
clone <profile>
cts-rate-quiet-time
cts-rate-threshold
cts-rate-time-interval
deauth-rate-thresholds <number>
detect-ap-flood
detect-block-ack-dos
detect-chopchop-attack
detect-client-flood
detect-cts-rate-anomaly
detect-disconnect-station
detect-eap-rate-anomaly
detect-fata-jack-attack
detect-ht-40mhz-intolerance
detect-invalid-address
detect-malformed-association-request
detect-malformed-auth-frame
detect-malformed-htie
detect-malformed-large-duration
detect-omerta-attack
detect-overflow-eapol-key
detect-overflow-ie
detect-power-save-dos-attack
detect-rate-anomalies
detect-rts-rate-anomaly
detect-tkip-replay-attack
disassoc-rate-thresholds <number>
disconnect-deauth-disassoc-threshold
disconnect-sta-assoc-resp-threshold
disconnect-sta-quiet-time <seconds>
eap-rate-quiet-time <seconds>
eap-rate-threshold <number>
eap-rate-time-interval <seconds>
fata-jack-quiet-time
invalid-address-combination-quiet-time
malformed-association-request-quiet-time
malformed-auth-frame-quiet-time
malformed-htie-quiet-time
malformed-large-duration-quiet-time
no ...
omerta-quiet-time
omerta-threshold
overflow-eapol-key-quiet-time
overflow-ie-quiet-time
power-save-dos-min-frames
power-save-dos-quiet-time
power-save-dos-threshold
probe-request-rate-thresholds <number>
probe-response-rate-thresholds <number>
rts-rate-quiet-time
rts-rate-threshold
rts-rate-time-interval
spoofed-deauth-blacklist
tkip-replay-quiet-time
Description
This command configures traffic anomalies for denial of service (DoS) attacks.
Syntax
<profile>: Name that identifies an instance of the profile. The name must be 1-63 characters. (Range: —; Default: "default")
ap-flood-inc-time: Time, in seconds, during which a configured number of fake AP beacons must be received to trigger an alarm. (Range: 0-36000; Default: 3600 seconds)
ap-flood-quiet-time: After an alarm has been triggered by a fake AP flood, the time, in seconds, that must elapse before an identical alarm may be triggered. (Range: 60-360000; Default: 900 seconds)
ap-flood-threshold: Number of fake AP beacons that must be received within the flood increase time to trigger an alarm. (Range: 0-100,000; Default: 50)
assoc-rate-thresholds: Rate threshold for associate request frames. (Range: —; Default: —)
auth-rate-thresholds: Rate threshold for authenticate frames. (Range: —; Default: —)
block-ack-dos-quiet-time: Time to wait, in seconds, after detecting an attempt to reset the receive window using a forged Block ACK Add. (Range: 60-360000 seconds; Default: 900 seconds)
chopchop-quiet-time: Time to wait, in seconds, after detecting a ChopChop attack after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
client-ht-40mhz-intol-quiet-time <seconds>: Controls the quiet time (when to stop reporting intolerant STAs if they have not been detected), in seconds, for detection of the 802.11n 40 MHz intolerance setting. (Range: 60-360000 seconds; Default: 900 seconds)
client-flood-inc-time: Number of consecutive seconds over which the client count is more than the threshold. (Range: 0-36000 seconds; Default: 3 seconds)
client-flood-quiet-time: Time to wait, in seconds, after detecting a client flood before continuing the check. (Range: 60-360000 seconds; Default: 900 seconds)
client-flood-threshold: Threshold for the number of spurious clients in the system. (Range: 0-100000; Default: 150)
clone: Copy data from another IDS Denial Of Service Profile. (Range: —; Default: —)
cts-rate-quiet-time: Time to wait, in seconds, after detecting a CTS rate anomaly after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
cts-rate-threshold: Number of CTS control packets over the time interval that constitutes an anomaly. (Range: 0-100000; Default: 5000)
cts-rate-time-interval: Time interval, in seconds, over which the packet count should be checked. (Range: 1-120 seconds; Default: 5 seconds)
deauth-rate-thresholds: Rate threshold for deauthenticate frames. (Range: —; Default: —)
detect-ap-flood: Enables detection of flooding with fake AP beacons to confuse legitimate users and to increase the amount of processing needed on client operating systems. (Range: true, false; Default: false)
detect-block-ack-dos: Enable/disable detection of attempts to reset traffic receive windows using forged Block ACK Add messages. (Range: true, false; Default: true)
detect-chopchop-attack: Enable/disable detection of ChopChop attack. (Range: true, false; Default: false)
detect-client-flood: Enable/disable detection of client flood attack. (Range: true, false; Default: disable)
detect-cts-rate-anomaly: Enable/disable detection of CTS rate anomaly. (Range: true, false; Default: disable)
detect-disconnect-station: In a station disconnection attack, an attacker spoofs the MAC address of either an active client or an active AP. The attacker then sends deauthenticate frames to the target device, causing it to lose its active association. Use this command to enable the detection of disconnect station attack. (Range: true, false; Default: enable)
detect-eap-rate-anomaly: Enables Extensible Authentication Protocol (EAP) handshake analysis to detect an abnormal number of authentication procedures on a channel and generate an alarm when this condition is detected. (Range: true, false; Default: false)
detect-fata-jack-attack: Enable/disable detection of FATA-Jack attack. (Range: true, false; Default: enable)
detect-ht-40mhz-intolerance: Enables or disables detection of the 802.11n 40 MHz intolerance setting, which controls whether stations and APs advertising 40 MHz intolerance will be reported. (Range: true, false; Default: false)
detect-invalid-address: Enable/disable detection of invalid address combinations. (Range: true, false; Default: false)
detect-malformed-association-request: Enable/disable detection of malformed association requests. (Range: true, false; Default: disable)
detect-malformed-auth-frame: Enable/disable detection of malformed authentication frames. (Range: true, false; Default: disable)
detect-malformed-htie: Enable/disable detection of malformed HT IE. (Range: true, false; Default: false)
detect-malformed-large-duration: Enable/disable detection of unusually large durations in frames. (Range: true, false; Default: true)
detect-omerta-attack: Enable/disable detection of Omerta attack. (Range: true, false; Default: enable)
detect-overflow-eapol-key: Enable/disable detection of overflow EAPOL key requests. (Range: true, false; Default: disable)
detect-overflow-ie: Enable/disable detection of overflow Information Elements (IE). (Range: true, false; Default: disable)
detect-power-save-dos-attack: Enable/disable detection of Power Save DoS attack. (Range: true, false; Default: enable)
detect-rate-anomalies: Enable/disable detection of rate anomalies. (Range: true, false; Default: disable)
detect-rts-rate-anomaly: Enable/disable detection of RTS rate anomaly. (Range: true, false; Default: disable)
detect-tkip-replay-attack: Enable/disable detection of TKIP replay attack. (Range: true, false; Default: disable)
disassoc-rate-thresholds: Rate threshold for disassociate frames. (Range: —; Default: —)
disconnect-deauth-disassoc-threshold: Rate thresholds for Disassociate frames. (Range: 1-50; Default: 8)
disconnect-sta-assoc-resp-threshold: The number of successful Association Response or Reassociation Response frames seen in an interval of 10 seconds that should trigger this event. (Range: 1-30; Default: 5)
disconnect-sta-quiet-time: After a station disconnection attack is detected, the time, in seconds, that must elapse before another identical alarm can be generated. (Range: 60-360000 seconds; Default: 900 seconds)
eap-rate-quiet-time: After an EAP rate anomaly alarm has been triggered, the time, in seconds, that must elapse before another identical alarm may be triggered. (Range: 60-360000; Default: 900 seconds)
eap-rate-threshold: Number of EAP handshakes that must be received within the EAP rate time interval to trigger an alarm. (Range: 0-100000; Default: 60)
eap-rate-time-interval: Time, in seconds, during which the configured number of EAP handshakes must be received to trigger an alarm. (Range: 1-120 seconds; Default: 3 seconds)
fata-jack-quiet-time: Time to wait, in seconds, after detecting a FATA-Jack attack after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
invalid-address-combination-quiet-time: Time to wait, in seconds, after detecting an invalid address combination after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
malformed-association-request-quiet-time: Time to wait, in seconds, after detecting a malformed association request after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
malformed-auth-frame-quiet-time: Time to wait, in seconds, after detecting a malformed authentication frame after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
malformed-htie-quiet-time: Time to wait, in seconds, after detecting a malformed HT IE after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
malformed-large-duration-quiet-time: Time to wait, in seconds, after detecting a large duration for a frame after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
no: Negates any configured parameter. (Range: —; Default: —)
omerta-quiet-time: Time to wait, in seconds, after detecting an Omerta attack after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
omerta-threshold: The Disassociation packets received by a station as a percentage of the number of data packets sent, in an interval of 10 seconds. (Range: 1-100; Default: 10%)
overflow-eapol-key-quiet-time: Time to wait, in seconds, after detecting an overflow EAPOL key request after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
overflow-ie-quiet-time: Time to wait, in seconds, after detecting an overflow IE after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
power-save-dos-min-frames: The minimum number of Power Management OFF packets that are required to be seen from a station, in intervals of 10 seconds, in order for the Power Save DoS check to be done. (Range: 1-1000; Default: 120)
power-save-dos-quiet-time: Time to wait, in seconds, after detecting a Power Save DoS attack after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
power-save-dos-threshold: The Power Management ON packets sent by a station as a percentage of the Power Management OFF packets sent, in intervals of 10 seconds, which will trigger this event. (Range: 1-100%; Default: 80%)
probe-request-rate-thresholds: Rate threshold for probe request frames. (Range: —; Default: —)
probe-response-rate-thresholds: Rate threshold for probe response frames. (Range: —; Default: —)
rts-rate-quiet-time: Time to wait, in seconds, after detecting an RTS rate anomaly after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
rts-rate-threshold: Number of RTS control packets over the time interval that constitutes an anomaly. (Range: 0-100000; Default: 5000)
rts-rate-time-interval: Time interval, in seconds, over which the packet count should be checked. (Range: 1-120 seconds; Default: 5 seconds)
spoofed-deauth-blacklist: Enables detection of a deauth attack initiated against a client associated to an AP. When such an attack is detected, the client is quarantined from the network to prevent a man-in-the-middle attack from being successful. (Range: true, false; Default: false)
tkip-replay-quiet-time: Time to wait, in seconds, after detecting a TKIP replay attack after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
Usage Guidelines
DoS attacks are designed to prevent or inhibit legitimate clients from accessing the network. This includes blocking
network access completely, degrading network service, and increasing processing load on clients and network
equipment.
340 | ids dos-profile
ArubaOS 6.4| Reference Guide
Example
The following command enables fake AP flood detection in the DoS profile named "floor2":
(host) (config) #ids dos-profile floor2
(host) (IDS Denial Of Service Profile "floor2") #detect-ap-flood
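An added example, not the controller's implementation, of the threshold / time-interval / quiet-time model the parameter table describes, run with the cts-rate-threshold, cts-rate-time-interval and cts-rate-quiet-time defaults (5000 frames in 5 seconds, 900 seconds quiet). The sliding window and the constructed frame timestamps are assumptions of this example; the same detector applies to the RTS and EAP rate parameters with their own defaults.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional


@dataclass
class RateAnomalyDetector:
    """Sliding-window rate check with the threshold / time-interval / quiet-time
    semantics described in the DoS profile table (assumed model, not Aruba's code)."""
    name: str
    threshold: int        # frames within the interval that constitute an anomaly
    time_interval: float  # seconds over which the frame count is checked
    quiet_time: float     # seconds that must elapse before an identical alarm may fire
    alarms: List[float] = field(default_factory=list)
    _window: Deque[float] = field(default_factory=deque, init=False, repr=False)
    _last_alarm: Optional[float] = field(default=None, init=False, repr=False)

    def observe(self, ts: float) -> Optional[str]:
        """Record one frame seen at time ts (seconds, non-decreasing).
        Returns an alarm message when the rate becomes anomalous, else None."""
        self._window.append(ts)
        # Drop frames that have fallen out of the check interval.
        while self._window and ts - self._window[0] > self.time_interval:
            self._window.popleft()
        if len(self._window) < self.threshold:
            return None
        # Anomalous rate: honour the quiet time so the log is not flooded
        # with identical alarms for the same burst.
        if self._last_alarm is not None and ts - self._last_alarm < self.quiet_time:
            return None
        self._last_alarm = ts
        self.alarms.append(ts)
        return (f"{self.name}: {len(self._window)} frames within "
                f"{self.time_interval}s at t={ts}")


def _burst(det: RateAnomalyDetector, start: float, frames: int, span: float) -> None:
    """Constructed traffic: `frames` frames spread evenly over `span` seconds."""
    for i in range(frames):
        det.observe(start + i * span / (frames - 1))


def run_cts_scenario() -> List[float]:
    """Three constructed 5000-frame CTS bursts against the profile defaults.
    Returns the alarm timestamps: the first burst alarms, the second falls
    inside the 900 s quiet time, the third alarms again."""
    det = RateAnomalyDetector("cts-rate-anomaly", threshold=5000,
                              time_interval=5, quiet_time=900)
    _burst(det, start=100, frames=5000, span=4)    # alarm at t=104.0
    _burst(det, start=700, frames=5000, span=4)    # suppressed: 600 s after the alarm
    _burst(det, start=1100, frames=5000, span=4)   # alarm at t=1104.0
    return det.alarms


def run_cts_steady() -> List[float]:
    """5000 CTS frames spread over 6 s never put 5000 frames inside the
    5 s window, so no alarm is raised."""
    det = RateAnomalyDetector("cts-rate-anomaly", threshold=5000,
                              time_interval=5, quiet_time=900)
    _burst(det, start=100, frames=5000, span=6)
    return det.alarms


if __name__ == "__main__":
    print("burst scenario alarms:", run_cts_scenario())
    print("steady scenario alarms:", run_cts_steady())
```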
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 3.3: Updated with support for the high-throughput IEEE 802.11n standard.
ArubaOS 3.4: detect-disconnect-sta and disconnect-sta-quiet-time parameters deprecated.
ArubaOS 6.0: Deprecated predefined profiles and added numerous DoS profile options.
ArubaOS 6.1: Added the following parameters in support of detection of the Meiners Power Save DoS attack, including event notification to the user: detect-power-save-dos-attack, power-save-dos-min-frames, power-save-dos-quiet-time, power-save-dos-threshold.
Deprecated Predefined Profiles
Deprecated DoS profiles:
- ids-dos-disabled
- ids-dos-low-setting
- ids-dos-medium-setting
- ids-dos-high-setting
Command Information
Platform: Available on all platforms
License: Requires the RFprotect license
Command Mode: Config mode on master controllers
ids general-profile
ids general-profile <profile-name>
adhoc-ap-inactivity-timeout
adhoc-ap-max-unseen-timeout
ap-inactivity-timeout <seconds>
ap-max-unseen-timeout
clone <profile>
ids-events [logs-and-traps | logs-only | none | traps-only]
min-pot-ap-beacon-rate <percent>
min-pot-ap-monitor-time <seconds>
mobility-manager-rtls
mon-stats-update-interval
no ...
send-adhoc-info-to-controller
signature-quiet-time <seconds>
sta-inactivity-timeout <seconds>
stats-update-interval <seconds>
wired-containment
wired-containment-ap-adj-mac
wired-containment-susp-l3-rogue
wireless-containment [deauth-only | none | tarpit-all-sta | tarpit-non-valid-sta]
wireless-containment-debug
Description
Configure an IDS general profile.
Syntax
<profile-name>: Name that identifies an instance of the profile. The name must be 1-63 characters. (Range: —; Default: "default")
adhoc-ap-inactivity-timeout: Ad hoc (IBSS) AP inactivity timeout in number of scans. (Range: 5-36000 seconds; Default: 5 seconds)
adhoc-ap-max-unseen-timeout: Ageout time in seconds since ad hoc (IBSS) AP was last seen. (Range: 5-36000 seconds; Default: 5 seconds)
ap-inactivity-timeout: Time, in seconds, after which an AP is aged out. (Range: 5-36000 seconds; Default: 5 seconds)
ap-max-unseen-timeout: Ageout time, in seconds, since AP was last seen. (Range: 5-36000 seconds; Default: 600 seconds)
clone: Name of an existing IDS general profile from which parameter values are copied. (Range: —; Default: —)
ids-events [logs-and-traps | logs-only | none | traps-only]: Enable or disable IDS event generation from the AP. Event generation from the AP can be enabled for syslogs, traps, or both. This does not affect generation of IDS correlated events on the switch. (Range: —; Default: logs-and-traps)
min-pot-ap-beacon-rate: Minimum beacon rate acceptable from a potential AP, in percentage of the advertised beacon interval. (Range: 0-100; Default: 25%)
min-pot-ap-monitor-time: Minimum time, in seconds, a potential AP has to be up before it is classified as a real AP. (Range: 2-36000; Default: 2 seconds)
mobility-manager-rtls: Enable/disable RTLS communication with the configured mobility-manager. (Range: enabled, disabled; Default: disabled)
mon-stats-update-interval: Time interval, in seconds, for the AP to update the switch with stats for monitored devices. Minimum is 60. (Range: 60-360000 seconds; Default: 60 seconds)
no: Negates any configured parameter. (Range: —; Default: —)
send-adhoc-info-to-controller: Enable or disable sending ad hoc information to the controller from the AP. (Range: enable, disable; Default: disable)
signature-quiet-time: After a signature match is detected, the time to wait, in seconds, to resume checking. (Range: 60-360000 seconds; Default: 900 seconds)
sta-inactivity-timeout: Time, in seconds, after which a station is aged out. (Range: 30-360000 seconds; Default: 60 seconds)
sta-max-unseen-timeout: Ageout time, in seconds, since station was last seen. Minimum is 5. (Range: 5-36000 seconds; Default: 5 seconds)
stats-update-interval: Interval, in seconds, for the AP to update the controller with statistics. This setting takes effect only if the Mobility Management System is configured. Otherwise, statistics update to the controller is disabled. (Range: 60-360000 seconds; Default: 60 seconds)
wired-containment: Enable containment from the wired side. (Range: true, false; Default: false)
wired-containment-ap-adj-mac: Enable/disable wired containment of MACs offset by one from the AP's BSSID. (Range: true, false; Default: false)
wired-containment-susp-l3-rogue: The basic wired containment feature enabled using the wired-containment command contains layer-3 APs whose wired interface MAC addresses are either the same as (or one character off from) their BSSIDs. This feature can also identify and contain an AP with a preset wired MAC address that is completely different from the AP's BSSID if the MAC address that the AP provides to wireless clients as the 'gateway MAC' is offset by one character from its wired MAC address. NOTE: This feature requires that the wired-containment parameter in the ids general-profile is also enabled, and that the confidence level of the suspected rogue exceeds the level configured by the suspect-rogue-containment and suspect-rogue-conf-level parameters in the ids unauthorized-device-profile. (Range: true, false)
wireless-containment [deauth-only | none | tarpit-all-sta | tarpit-non-valid-sta]: Enable wireless containment including Tarpit Shielding. Tarpit shielding works by steering a client to a tarpit so that the client associates with it instead of the AP that is being contained. deauth-only: containment using deauthentication only. none: disable wireless containment. tarpit-all-sta: wireless containment by tarpit of all stations. tarpit-non-valid-sta: wireless containment by tarpit of non-valid clients. (Range: —; Default: deauth-only)
wireless-containment-debug: Enable/disable debug of containment from the wireless side. Note: Enabling this debug option will cause containment to not function properly. (Range: true, false; Default: false)
Usage Guidelines
This command configures general IDS profile attributes.
Example
The following command enables containment in the general IDS profile:
(host) (config) #ids general-profile floor7
(host) (IDS General Profile "floor7") #wired-containment
(host) (IDS General Profile "floor7") #wireless-containment tarpit-all-sta
(host) (IDS General Profile "floor7") #wireless-containment-debug
Command History
ArubaOS 3.0: Command introduced
ArubaOS 5.0: Introduced the mobility-manager-rtls parameter.
ArubaOS 6.0: Deprecated predefined profiles and added numerous General profile options
ArubaOS 6.3: Introduced the wired-containment-susp-l3-rogue parameter.
Deprecated Predefined Profiles
Deprecated General profiles:
- ids-general-disabled
- ids-general-high-setting
Command Information
Platform: Available on all platforms
License: Requires the RFprotect license.
Command Mode: Config mode on master controllers
ids impersonation-profile
ids impersonation-profile <name>
ap-spoofing-quiet-time
beacon-diff-threshold <percent>
beacon-inc-wait-time <seconds>
beacon-wrong-channel-quiet-time
clone <profile>
detect-ap-impersonation
detect-ap-spoofing
detect-beacon-wrong-channel
detect-hotspotter
hotspotter-quiet-time
no ...
protect-ap-impersonation
Description
This command configures anomalies for impersonation attacks.
Syntax
<profile>: Name that identifies an instance of the profile. The name must be 1-63 characters. (Range: —; Default: "default")
ap-spoofing-quiet-time: Time to wait, in seconds, after detecting AP spoofing after which the check can be resumed. Minimum wait time is 60. (Range: —; Default: 60 seconds)
beacon-diff-threshold: Percentage increase in beacon rates that triggers an AP impersonation event. (Range: 0-100; Default: 50%)
beacon-inc-wait-time: Time, in seconds, after the beacon difference threshold is crossed before an AP impersonation event is generated. (Range: —; Default: 3 seconds)
beacon-wrong-channel-quiet-time: Time to wait, in seconds, after detecting a beacon with the wrong channel after which the check can be resumed. (Range: 60-360000 seconds; Default: 900 seconds)
clone: Name of an existing IDS impersonation profile from which parameter values are copied. (Range: —; Default: —)
detect-ap-impersonation: Enables detection of AP impersonation. In AP impersonation attacks, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation attacks can be done for man-in-the-middle attacks, a rogue AP attempting to bypass detection, or a honeypot attack. (Range: —; Default: true)
detect-ap-spoofing: Enable/disable AP spoofing detection. (Range: —; Default: enable)
detect-beacon-wrong-channel: Enable/disable detection of beacons advertising the incorrect channel. (Range: —; Default: disable)
detect-hotspotter: Enable/disable detection of the Hotspotter attack to lure away valid clients. (Range: —; Default: disable)
hotspotter-quiet-time: Time to wait, in seconds, after detecting an attempt to use the Hotspotter tool against clients. (Range: 60-360000 seconds; Default: 900 seconds)
no: Negates any configured parameter. (Range: —; Default: —)
protect-ap-impersonation: When AP impersonation is detected, both the legitimate and impersonating AP are disabled using a denial of service attack. (Range: —; Default: false)
Usage Guidelines
A successful man-in-the-middle attack will insert an attacker into the data path between the client and the AP. In
such a position, the attacker can delete, add, or modify data, provided he has access to the encryption keys. Such
an attack also enables other attacks that can learn a client’s authentication credentials. Man-in-the-middle attacks
often rely on a number of different vulnerabilities.
Example
The following command enables detections in the impersonation profile:
(host) (config) #ids impersonation-profile floor1
(host) (IDS Impersonation Profile "floor1") #detect-beacon-wrong-channel
(host) (IDS Impersonation Profile "floor1") #detect-ap-impersonation
Command History
ArubaOS 3.0: Command introduced
ArubaOS 3.4: detect-sequence-anomaly, sequence-diff, sequence-quiet-time, sequence-time-tolerance parameters deprecated.
ArubaOS 6.0: Deprecated predefined profiles and added numerous Impersonation profile options
Deprecated Predefined Profiles
Deprecated IDS Impersonation profiles:
- ids-impersonation-disabled
- ids-impersonation-high-setting
Command Information
Platform: Available on all platforms
License: Requires the RFprotect license
Command Mode: Config mode on master controllers
ids management-profile
ids management-profile
event-correlation [logs-and-traps | logs-only | none | traps-only]
event-correlation-quiet-time <value>
Description
Manage the event correlation.
Syntax
event-correlation [logs-and-traps | logs-only | none | traps-only]: Correlation mode for IDS event traps and syslogs (logs). Event correlation can be enabled with generation of correlated logs, traps, or both. To disable correlation, enter the keyword none. (Range: —; Default: logs-and-traps)
event-correlation-quiet-time <value>: Time to wait, in seconds, after generating a correlated event after which the event could be raised again. This only applies to events that are repeatedly raised by an AP. (Range: 30-360000 seconds; Default: 900 seconds)
Usage Guidelines
Manage the events correlation for IDS event traps and syslogs (logs).
Example
(host) (config) #ids management-profile
(host) (IDS Management Profile) #event-correlation-quiet-time 30
(host) (IDS Management Profile) #event-correlation logs-and-traps
Command History
ArubaOS 6.0: Command introduced
Command Information
Platforms: Available on all platforms
Licensing: Requires the RFprotect license
Command Mode: Config mode on master controllers
ids profile
ids profile <name>
clone <profile>
dos-profile <profile>
general-profile <profile>
impersonation-profile <profile>
no ...
signature-matching-profile <profile>
unauthorized-device-profile <profile>
Description
This command defines a set of IDS profiles.
Syntax
<profile>: Name that identifies an instance of the profile. The name must be 1-63 characters. (Default: "default")
clone: Name of an existing IDS profile from which parameter values are copied. (Default: —)
dos-profile: Name of an IDS denial of service profile to be applied to the AP group/name. See ids dos-profile on page 335. (Default: "default")
general-profile: Name of an IDS general profile to be applied to the AP group/name. See ids general-profile on page 342. (Default: "default")
impersonation-profile: Name of an IDS impersonation profile to be applied to the AP group/name. See ids impersonation-profile on page 346. (Default: "default")
no: Negates any configured parameter. (Default: —)
signature-matching-profile: Name of an IDS signature matching profile to be applied to the AP group/name. See ids signature-matching-profile on page 353. (Default: "default")
unauthorized-device-profile: Name of an IDS unauthorized device profile to be applied to the AP group/name. See ids unauthorized-device-profile on page 358. (Default: "default")
Usage Guidelines
This command defines a set of IDS profiles that you can then apply to an AP group (with the ap-group command) or
to a specific AP (with the ap-name command).
Example
The following command defines a set of IDS profiles:
(host) (config) #ids profile floor2
(host) (IDS Profile "floor2") #dos-profile dos1
(host) (IDS Profile "floor2") #general-profile general1
(host) (IDS Profile "floor2") #impersonation-profile mitm1
(host) (IDS Profile "floor2") #signature-matching-profile sig1
(host) (IDS Profile "floor2") #unauthorized-device-profile unauth1
Command History
ArubaOS 3.0: Command introduced
ArubaOS 6.0: Deprecated predefined profiles
Deprecated Predefined Profiles
Deprecated profiles for the levels disabled, high, medium, and low:
- ids-disabled
- ids-high-setting
- ids-medium-setting
- ids-low-setting
Command Information
Platform: Available on all platforms
License: Requires the RFprotect license
Command Mode: Config mode on master controllers
ids rate-thresholds-profile
ids rate-thresholds-profile <name>
channel-inc-time <seconds>
channel-quiet-time <seconds>
channel-threshold <number>
clone <profile>
no ...
node-quiet-time <seconds>
node-threshold <number>
node-time-interval <seconds>
Description
This command configures thresholds that are assigned to the different frame types for rate anomaly checking.
Syntax
<profile>
  Name that identifies an instance of the profile. The name must be 1-63 characters.
  Range: —. Default: “default”
channel-inc-time
  Time, in seconds, in which the threshold must be exceeded in order to trigger an alarm.
  Range: 0-360000 seconds. Default: 15 seconds
channel-quiet-time
  After a channel rate anomaly alarm has been triggered, the time that must elapse before another identical alarm may be triggered. This option prevents excessive messages in the log file.
  Range: 60-360000 seconds. Default: 900 seconds
channel-threshold
  Number of a specific type of frame that must be exceeded within a specific interval in an entire channel to trigger an alarm.
  Range: any. Default: 300
clone
  Name of an existing IDS rate thresholds profile from which parameter values are copied.
  Range: —. Default: —
no
  Negates any configured parameter.
  Range: —. Default: —
node-quiet-time
  After a node rate anomaly alarm has been triggered, the time, in seconds, that must elapse before another identical alarm may be triggered. This option prevents excessive messages in the log file.
  Range: 60-360000 seconds. Default: 900 seconds
node-threshold
  Number of a specific type of frame that must be exceeded within a specific interval for a particular client MAC address to trigger an alarm.
  Range: 0-100000 frames. Default: 200
node-time-interval
  Time, in seconds, in which the threshold must be exceeded in order to trigger an alarm.
  Range: 1-120 seconds. Default: 15 seconds
Usage Guidelines
A profile of this type is attached to each of the following 802.11 frame types in the IDS denial of service profile:
- Association frames
- Disassociation frames
- Deauthentication frames
- Probe Request frames
- Probe Response frames
- Authentication frames
Example
The following command configures frame thresholds:
(host) (config) #ids rate-thresholds-profile Lobby
(host) (IDS Rate Thresholds Profile "Lobby") #channel-threshold 250
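The rate-anomaly check that these parameters control, written out as an added Python example (this is not ArubaOS code, and the class and function names are invented for the illustration): frames are counted per channel and per client MAC in a sliding window of channel-inc-time or node-time-interval seconds, an alarm is raised when the count exceeds channel-threshold or node-threshold, and channel-quiet-time or node-quiet-time suppresses identical alarms for that key until the quiet time has elapsed. The defaults are the ones in the table, the simulation uses the "Lobby" profile's channel-threshold of 250 from the example above, and the frame timestamps and client MAC are constructed. The quiet-time behaviour shown here is the same suppression that event-correlation-quiet-time and the various quiet-time parameters of the unauthorized device profile apply to their own events.

```python
from collections import defaultdict, deque

# The six 802.11 frame types that carry a rate-thresholds profile in the IDS DoS profile.
RATE_CHECKED_FRAME_TYPES = {"assoc", "disassoc", "deauth", "auth",
                            "probe-request", "probe-response"}


class RateThresholdsProfile:
    """Hypothetical container for the ids rate-thresholds-profile parameters (table defaults)."""

    def __init__(self, channel_threshold=300, channel_inc_time=15, channel_quiet_time=900,
                 node_threshold=200, node_time_interval=15, node_quiet_time=900):
        self.channel_threshold = channel_threshold      # frames per channel per window
        self.channel_inc_time = channel_inc_time        # channel window, seconds
        self.channel_quiet_time = channel_quiet_time    # suppress repeat channel alarms, seconds
        self.node_threshold = node_threshold            # frames per client MAC per window
        self.node_time_interval = node_time_interval    # node window, seconds
        self.node_quiet_time = node_quiet_time          # suppress repeat node alarms, seconds


class RateAnomalyChecker:
    """Sliding-window frame counter with per-key quiet-time suppression (hypothetical name)."""

    def __init__(self, profile):
        self.p = profile
        self.channel_seen = defaultdict(deque)   # (channel, frame type) -> timestamps in window
        self.node_seen = defaultdict(deque)      # (client MAC, frame type) -> timestamps in window
        self.channel_quiet_until = {}            # (channel, frame type) -> time alarm is re-armed
        self.node_quiet_until = {}               # (client MAC, frame type) -> time alarm is re-armed

    @staticmethod
    def _count_in_window(window, ts, interval):
        """Record ts, drop entries older than the interval, return the current count."""
        window.append(ts)
        while window and ts - window[0] > interval:
            window.popleft()
        return len(window)

    def observe(self, ts, channel, src_mac, frame_type):
        """Feed one observed frame; return the list of alarms it raises (usually empty)."""
        if frame_type not in RATE_CHECKED_FRAME_TYPES:
            return []
        alarms = []
        ckey = (channel, frame_type)
        if (self._count_in_window(self.channel_seen[ckey], ts, self.p.channel_inc_time)
                > self.p.channel_threshold and ts >= self.channel_quiet_until.get(ckey, 0)):
            alarms.append(("channel-rate-anomaly", channel, frame_type))
            self.channel_quiet_until[ckey] = ts + self.p.channel_quiet_time
        nkey = (src_mac.lower(), frame_type)
        if (self._count_in_window(self.node_seen[nkey], ts, self.p.node_time_interval)
                > self.p.node_threshold and ts >= self.node_quiet_until.get(nkey, 0)):
            alarms.append(("node-rate-anomaly", src_mac.lower(), frame_type))
            self.node_quiet_until[nkey] = ts + self.p.node_quiet_time
        return alarms


def simulate_lobby():
    """Run constructed traffic through the 'Lobby' profile from the example (channel-threshold 250)."""
    checker = RateAnomalyChecker(RateThresholdsProfile(channel_threshold=250))
    station = "00:11:22:33:44:55"        # constructed client MAC
    alarms = []
    # Constructed burst: 300 deauth frames from one station on channel 6 within 10 seconds.
    for i in range(300):
        alarms += checker.observe(i / 30.0, 6, station, "deauth")
    # The same burst 60 s later falls inside both 900 s quiet times: counted, but no new alarm.
    for i in range(300):
        alarms += checker.observe(60 + i / 30.0, 6, station, "deauth")
    # 1000 s later the quiet times have elapsed, so both checks fire again.
    for i in range(300):
        alarms += checker.observe(1000 + i / 30.0, 6, station, "deauth")
    return alarms


if __name__ == "__main__":
    for alarm in simulate_lobby():
        print(alarm)
```

In the simulation the node check fires first (201st frame exceeds node-threshold 200) and the channel check fires at the 251st frame; the repeat burst inside the quiet time is counted but raises nothing, which is the log-flooding protection the quiet-time parameters describe.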
Command History
ArubaOS 3.0: Command introduced
ArubaOS 6.0: Deprecated predefined profiles
Deprecated Predefined Profiles
Deprecated the predefined profile with probe-request-response-threshold.
Command Information
Platform: Available on all platforms
License: Requires the RFprotect license
Command Mode: Config mode on master controllers
ids signature-matching-profile
ids signature-matching-profile <name>
clone <profile>
no ...
signature <profile>
Description
This command contains defined signature profiles.
Syntax
<profile>
  Name that identifies an instance of the profile. The name must be 1-63 characters.
  Default: “default”
clone
  Name of an existing IDS signature matching profile from which parameter values are copied.
  Default: —
no
  Negates any configured parameter.
  Default: —
signature
  Name of a signature profile. See ids signature-profile on page 355.
  Default: —
Usage Guidelines
You can include one or more predefined signature profiles or a user-defined signature profile in a signature matching
profile.
Example
The following command configures a signature matching profile:
(host) (config) #ids signature-matching-profile LobbyEast
(host) (IDS Signature Matching Profile "LobbyEast") #signature Null-Probe-Response
Command History
ArubaOS 3.0: Command introduced
ArubaOS 6.0: Deprecated predefined profiles
Deprecated Predefined Profiles
Deprecated signature matching profile:
- factory-default-signatures
Command Information
Platform: Available on all platforms
License: Requires the RFprotect license
Command Mode: Config mode on master controllers
ids signature-profile
ids signature-profile <name>
bssid <macaddr>
clone <profile>
dst-mac <macaddr>
frame-type {assoc|auth|beacon|control|data|deauth|disassoc|mgmt|probe-request|probe-response}
no ...
payload <pattern> [offset <number>]
seq-num <number>
src-mac <macaddr>
Description
This command configures signatures for wireless intrusion detection.
Syntax
<profile>
  Name that identifies an instance of the profile. The name must be 1-63 characters.
  Default: “default”
bssid
  BSSID field in the 802.11 frame header.
  Default: —
clone
  Name of an existing IDS signature profile from which parameter values are copied.
  Default: —
dst-mac
  Destination MAC address in the 802.11 frame header.
  Default: —
frame-type
  Type of 802.11 frame. For each type of frame, further parameters can be specified to filter and detect only the required frames.
  Default: —
  assoc: Association frame type
  auth: Authentication frame type
  beacon: Beacon frame type
  control: All control frames
  data: All data frames
  deauth: Deauthentication frame type
  disassoc: Disassociation frame type
  mgmt: Management frame type
  probe-request: Frame type is probe request
  probe-response: Frame type is probe response
  ssid: For beacon, probe-request, and probe-response frame types, specify the SSID as either a string or hex pattern. Default: —
  ssid-length: For beacon, probe-request, and probe-response frame types, specify the length, in bytes, of the SSID. Maximum length is 32 bytes. Default: —
no
  Negates any configured parameter.
  Default: —
payload <pattern>
  Pattern at a fixed offset in the payload of an 802.11 frame. Specify the pattern to be matched as a string or hex pattern. Maximum length is 32 bytes.
  Default: —
  offset: When a payload pattern is configured, specify the offset in the payload where the pattern is expected to be found in the frame. Default: —
seq-num
  Sequence number of the frame.
  Default: —
src-mac
  Source MAC address in the 802.11 frame header.
  Default: —
valid-ap
  Matches a valid AP SSID.
  Default: —
Example
The following command configures a signature profile:
(host) (config) #ids signature-profile floor4
(host) (IDS Signature Profile "floor4") #frame-type assoc
(host) (IDS Signature Profile "floor4") #src-mac 00:00:00:00:00:00
Usage Guidelines
The following describes the configuration for the predefined signature profiles:
AirJack
  frame-type: beacon, ssid = AirJack
ASLEAP
  frame-type: beacon, ssid = asleap
Deauth-Broadcast
  frame-type: deauth
  dst-mac: ff:ff:ff:ff:ff:ff
Netstumbler Generic
  payload: offset=3 pattern=0x00601d
  payload: offset=6 pattern=0x0001
Netstumbler Version 3.3.0x
  payload: offset=3 pattern=0x00601d
  payload: offset=12 pattern=0x000102
Null-Probe-Response
  frame-type: probe-response, ssid length = 0
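How a signature profile is evaluated against a frame, as an added Python example (not ArubaOS code; the class names, the frame dictionaries standing in for parsed 802.11 frames, and the MAC addresses are constructed for the illustration): every configured field of the profile (frame-type, bssid, dst-mac, src-mac, seq-num, ssid, ssid-length, and each payload pattern at its offset) must match, and a field that is not configured imposes no constraint. The predefined profiles are taken from the table above and the user-defined "floor4" profile from the example, so the block also shows why a broadcast deauthentication frame matches Deauth-Broadcast while an ordinary beacon matches nothing; the treatment of frame-type mgmt as matching any management subtype is an assumption of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Management subtypes, so that frame-type mgmt matches any of them (assumption of this example).
MGMT_TYPES = {"assoc", "auth", "beacon", "deauth", "disassoc", "probe-request", "probe-response"}


@dataclass
class PayloadPattern:
    offset: int       # byte offset into the frame body where the pattern must appear
    pattern: bytes    # bytes expected at that offset (the table caps a pattern at 32 bytes)


@dataclass
class SignatureProfile:
    """One ids signature-profile; a frame matches only if every configured field matches."""
    name: str
    frame_type: Optional[str] = None
    bssid: Optional[str] = None
    dst_mac: Optional[str] = None
    src_mac: Optional[str] = None
    seq_num: Optional[int] = None
    ssid: Optional[str] = None
    ssid_length: Optional[int] = None
    payload: List[PayloadPattern] = field(default_factory=list)

    def _type_matches(self, frame_type: str) -> bool:
        if self.frame_type is None or self.frame_type == frame_type:
            return True
        return self.frame_type == "mgmt" and frame_type in MGMT_TYPES

    def matches(self, frame: dict) -> bool:
        if not self._type_matches(frame["type"]):
            return False
        for attr, key in (("bssid", "bssid"), ("dst_mac", "dst"), ("src_mac", "src")):
            wanted = getattr(self, attr)
            if wanted is not None and frame.get(key, "").lower() != wanted.lower():
                return False
        if self.seq_num is not None and frame.get("seq") != self.seq_num:
            return False
        ssid = frame.get("ssid")      # None for frame types that carry no SSID element
        if self.ssid is not None and ssid != self.ssid:
            return False
        if self.ssid_length is not None and (ssid is None or len(ssid.encode()) != self.ssid_length):
            return False
        body = frame.get("payload", b"")
        # A slice that runs past the end of the body is shorter than the pattern and so fails.
        return all(body[p.offset:p.offset + len(p.pattern)] == p.pattern for p in self.payload)


# The predefined profiles from the table above, expressed as SignatureProfile objects.
PREDEFINED = [
    SignatureProfile("AirJack", frame_type="beacon", ssid="AirJack"),
    SignatureProfile("ASLEAP", frame_type="beacon", ssid="asleap"),
    SignatureProfile("Deauth-Broadcast", frame_type="deauth", dst_mac="ff:ff:ff:ff:ff:ff"),
    SignatureProfile("Netstumbler Generic", payload=[
        PayloadPattern(3, bytes.fromhex("00601d")), PayloadPattern(6, bytes.fromhex("0001"))]),
    SignatureProfile("Netstumbler Version 3.3.0x", payload=[
        PayloadPattern(3, bytes.fromhex("00601d")), PayloadPattern(12, bytes.fromhex("000102"))]),
    SignatureProfile("Null-Probe-Response", frame_type="probe-response", ssid_length=0),
]
# The user-defined "floor4" profile from the example: frame-type assoc, src-mac 00:00:00:00:00:00.
FLOOR4 = SignatureProfile("floor4", frame_type="assoc", src_mac="00:00:00:00:00:00")


def match_signatures(frame: dict, profiles: List[SignatureProfile]) -> List[str]:
    """Names of every profile in the matching set that the frame satisfies."""
    return [p.name for p in profiles if p.matches(frame)]


def demo_signatures() -> dict:
    """Constructed frames (dicts standing in for parsed 802.11 frames) run through all profiles."""
    bcast = "ff:ff:ff:ff:ff:ff"
    ap, sta = "02:aa:bb:cc:dd:01", "02:aa:bb:cc:dd:02"     # constructed addresses
    frames = {
        "deauth_to_broadcast": {"type": "deauth", "src": ap, "dst": bcast, "bssid": ap,
                                "seq": 7, "payload": b"\x07\x00"},
        "probe_response_empty_ssid": {"type": "probe-response", "src": ap, "dst": sta, "bssid": ap,
                                      "seq": 8, "ssid": "", "payload": b"\x00\x00"},
        "ordinary_beacon": {"type": "beacon", "src": ap, "dst": bcast, "bssid": ap,
                            "seq": 9, "ssid": "CorpWiFi", "payload": b"\x00\x08CorpWiFi"},
        "probe_request_with_netstumbler_bytes": {
            "type": "probe-request", "src": sta, "dst": bcast, "bssid": bcast, "seq": 10,
            "payload": bytes(3) + bytes.fromhex("00601d") + bytes.fromhex("0001") + bytes(4)},
        "assoc_from_zero_mac": {"type": "assoc", "src": "00:00:00:00:00:00", "dst": ap,
                                "bssid": ap, "seq": 11, "payload": b""},
    }
    return {name: match_signatures(f, PREDEFINED + [FLOOR4]) for name, f in frames.items()}
```

The two Netstumbler profiles share the pattern at offset 3, so a probe request is attributed to the version-specific profile only when the extra bytes at offset 12 are present; a body shorter than the offset never matches, which keeps a short frame from satisfying a pattern by accident.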
Command History
ArubaOS 3.0: Command introduced
Command Information
Platform: Available on all platforms
License: Requires the RFprotect license
Command Mode: Config mode on master controllers
ids unauthorized-device-profile
ids unauthorized-device-profile <name>
adhoc-using-valid-ssid-quiet-time <seconds>
allow-well-known-mac [hsrp|iana|local-mac|vmware|vmware1|vmware2|vmware3]
cfg-valid-11a-channel <channel>
cfg-valid-11g-channel <channel>
classification
clone <profile>
detect-adhoc-network
detect-adhoc-using-valid-ssid
detect-bad-wep
detect-ht-greenfield
detect-invalid-mac-oui
detect-misconfigured-ap
detect-sta-assoc-to-rogue
detect-unencrypted-valid-client
detect-valid-client-misassociation
detect-valid-ssid-misuse
detect-windows-bridge
detect-wireless-bridge
detect-wireless-hosted-network
mac-oui-quiet-time <seconds>
no ...
oui-classification
overlay-classification
privacy
prop-wm-classification
protect-adhoc-enhanced
protect-adhoc-network
protect-high-throughput
protect-ht-40mhz
protect-misconfigured-ap
protect-ssid
protect-valid-sta
protect-windows-bridge
protect-wireless-hosted-network
require-wpa
rogue-containment
suspect-rogue-conf-level <level>
suspect-rogue-containment
unencrypted-valid-client-quiet-time <seconds>
valid-and-protected-ssid <ssid>
valid-oui <oui>
valid-wired-mac <macaddr>
wireless-bridge-quiet-time <seconds>
wireless-hosted-network-quiet-time <seconds>
Description
This command configures detection of unauthorized devices, as well as rogue AP detection and containment.
Syntax
<profile>
  Name that identifies an instance of the profile. The name must be 1-63 characters.
  Range: —. Default: “default”
adhoc-using-valid-ssid-quiet-time
  Time to wait, in seconds, after detecting an adhoc network using a valid SSID, after which the check can be resumed.
  Range: 60-360000 seconds. Default: 900 seconds
allow-well-known-mac
  Allows devices with known MAC addresses to classify rogue APs. Depending on your network, configure one or more of the following options for classifying rogue APs:
  - hsrp: Routers configured for HSRP, a Cisco-proprietary redundancy protocol, with the HSRP MAC OUI 00:00:0c.
  - iana: Routers using the IANA MAC OUI 00:00:5e.
  - local-mac: Devices with locally administered MAC addresses starting with 02.
  - vmware: Devices with any of the following VMware OUIs: 00:0c:29, 00:05:69, or 00:50:56.
  - vmware1: Devices with VMware OUI 00:0c:29.
  - vmware2: Devices with VMware OUI 00:05:69.
  - vmware3: Devices with VMware OUI 00:50:56.
  If you modify an existing configuration, the new configuration overrides the original configuration. For example, if you configure allow-well-known-mac hsrp and then configure allow-well-known-mac iana, the original configuration is lost. To add more options to the original configuration, include all of the required options, for example: allow-well-known-mac hsrp iana.
  Use caution when configuring this command. If the neighboring network uses similar routers, those APs might be classified as rogues. If containment is enabled, clients attempting to associate to an AP classified as a rogue are disconnected through a denial of service attack.
  To clear the well-known MACs in the system, use the following commands:
  - clear wms wired-mac: This clears all of the learned wired MAC information on the controller.
  - reload: This reboots the controller.
  Range: —. Default: —
cfg-valid-11a-channel
  List of valid 802.11a channels that third-party APs are allowed to use.
  Range: 34-165. Default: N/A
cfg-valid-11g-channel
  List of valid 802.11b/g channels that third-party APs are allowed to use.
  Range: 1-14. Default: N/A
classification
  Enable/disable rogue AP classification. A rogue AP is one that is unauthorized and plugged into the wired side of the network. Any other AP seen in the RF environment that is not part of the valid enterprise network is considered to be interfering — it has the potential to cause RF interference but it is not connected to the wired network and thus does not represent a direct threat.
  Range: —. Default: true
clone
  Name of an existing IDS unauthorized device profile from which parameter values are copied.
  Range: —. Default: —
detect-adhoc-network
  Enable detection of adhoc networks.
  Range: —. Default: false
detect-adhoc-using-valid-ssid
  Enable/disable detection of adhoc networks using valid/protected SSIDs.
  Range: —. Default: enable
detect-bad-wep
  Enables detection of WEP initialization vectors that are known to be weak and/or repeating. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for such weak implementations, which are still used by many legacy devices.
  Range: —. Default: false
detect-ht-greenfield
  Enables or disables detection of high-throughput devices advertising greenfield preamble capability.
  Range: —. Default: false
detect-invalid-mac-oui
  Enables checking of the first three bytes of a MAC address, known as the organizationally unique identifier (OUI), assigned by the IEEE to known manufacturers. Often clients using a spoofed MAC address do not use a valid OUI and instead use a randomly generated MAC address. Enabling MAC OUI checking causes an alarm to be triggered if an unrecognized MAC address is in use.
  Range: —. Default: false
detect-misconfigured-ap
  Enables detection of misconfigured APs. An AP is classified as misconfigured if it is classified as valid and does not meet any of the following configurable parameters:
  - valid channels
  - encryption type
  - list of valid AP MAC OUIs
  - valid SSID list
  Range: —. Default: false
detect-sta-assoc-to-rogue
  Enable/disable detection of station association to rogue AP.
  Range: —. Default: enable
detect-unencrypted-valid-client
  Enable/disable detection of unencrypted valid clients.
  Range: —. Default: enable
detect-valid-client-misassociation
  Enable/disable detection of misassociation between a valid client and an unsafe AP. This setting can detect the following misassociation types:
  - MisassociationToRogueAP
  - MisassociationToExternalAP
  - MisassociationToHoneypotAP
  - MisassociationToAdhocAP
  - MisassociationToHostedAP
  Range: —. Default: enable
detect-valid-ssid-misuse
  Enable/disable detection of Interfering or Neighbor APs using valid/protected SSIDs.
  Range: —. Default: disable
detect-windows-bridge
  Enables detection of Windows station bridging.
  Range: —. Default: true
detect-wireless-bridge
  Enables detection of wireless bridging.
  Range: —. Default: false
detect-wireless-hosted-network
  If enabled, this feature can detect the presence of a wireless hosted network. When a wireless hosted network is detected, this feature sends a “Wireless Hosted Network” warning level security log message and the wlsxWirelessHostedNetworkDetected SNMP trap. If there are clients associated to the hosted network, this feature will send a “Client Associated To Hosted Network” warning level security log message and the wlsxClientAssociatedToHostedNetworkDetected SNMP trap.
  Range: —. Default: enable
mac-oui-quiet-time
  Time, in seconds, that must elapse after an invalid MAC OUI alarm has been triggered before another identical alarm may be triggered.
  Range: 60-360000 seconds. Default: 900 seconds
no
  Negates any configured parameter.
  Range: —. Default: —
oui-classification
  Enable/disable OUI based rogue AP classification.
  Range: —. Default: enable
overlay-classification
  Enable/disable overlay rogue AP classification.
  Range: —. Default: enable
privacy
  Enables encryption as a valid AP configuration.
  Range: —. Default: false
prop-wm-classification
  Enable/disable rogue AP classification through propagated wired MACs.
  Range: —. Default: true
protect-adhoc-enhanced
  Enables advanced protection from open/WEP adhoc networks. When enhanced adhoc containment is carried out, a new repeatable event, syslog and SNMP trap will be generated for each containment event.
  Range: —. Default: false
protect-adhoc-network
  Enables protection from adhoc networks using WPA/WPA2 security. When adhoc networks are detected, they are disabled using a denial of service attack.
  Range: —. Default: false
protect-high-throughput
  Enables or disables protection of high-throughput (802.11n) devices.
  Range: —. Default: false
protect-ht-40mhz
  Enables or disables protection of high-throughput (802.11n) devices operating in 40 MHz mode.
  Range: —. Default: false
protect-misconfigured-ap
  Enables protection of misconfigured APs.
  Range: —. Default: false
protect-ssid
  Enables use of SSID by valid APs only.
  Range: —. Default: false
protect-valid-sta
  When enabled (true), does not allow valid stations to connect to a non-valid AP.
  Range: —. Default: false
protect-windows-bridge
  Enable/disable protection of a Windows station bridging.
  Range: —. Default: disabled
protect-wireless-hosted-network
  When you enable the wireless hosted network protection feature, the controller enforces containment on a wireless hosted network by launching a denial of service attack to disrupt associations between a Windows 7 software-enabled Access Point (softAP) and a client, and disrupt associations between the client that is hosting the softAP and any access point to which the host connects.
  When a wireless hosted network triggers this feature, wireless hosted network protection sends the Wireless Hosted Network Containment and Host of Wireless Network Containment warning level security log messages, and the wlsxWirelessHostedNetworkContainment and wlsxHostOfWirelessNetworkContainment SNMP traps.
  NOTE: The existing generic containment SNMP traps and log messages will also be sent when Wireless Hosted Network Containment or Host of Wireless Network Containment is enforced.
  Range: —. Default: disabled
require-wpa
  When enabled (true), any valid AP that is not using WPA encryption is flagged as misconfigured.
  Range: —. Default: false
rogue-containment
  Rogue APs can be detected (see classification) but are not automatically disabled. This option automatically shuts down rogue APs. When this option is enabled (true), clients attempting to associate to an AP classified as a rogue are disconnected through a denial of service attack.
  Range: —. Default: false
suspect-rogue-conf-level
  Confidence level of a suspected rogue AP at which containment is triggered. When an AP is classified as a suspected rogue AP, it is assigned a 50% confidence level. If multiple APs trigger the same events that classify the AP as a suspected rogue, the confidence level increases by 5% up to 95%. In combination with suspected rogue containment, this option configures the threshold at which containment should occur. Suspected rogue containment occurs only when the configured confidence level is met.
  Range: 50-100%. Default: 60%
suspect-rogue-containment
  Suspected rogue APs are treated as interfering APs, and the controller attempts to reclassify them as rogue APs. Suspected rogue APs are not automatically contained. In combination with the configured confidence level (see suspect-rogue-conf-level), this option contains the suspected rogue APs.
  Range: —. Default: false
unencrypted-valid-client-quiet-time
  Time to wait, in seconds, after detecting an unencrypted valid client after which the check can be resumed.
  Range: 60-360000 seconds. Default: 900 seconds
valid-and-protected-ssid
  List of valid and protected SSIDs.
  Range: —. Default: —
valid-oui
  List of valid MAC OUIs.
  Range: —. Default: —
valid-wired-mac
  List of MAC addresses of wired devices in the network, typically gateways or servers.
  Range: —. Default: —
wireless-bridge-quiet-time
  Time, in seconds, that must elapse after a wireless bridge alarm has been triggered before another identical alarm may be triggered.
  Range: 60-360000 seconds. Default: 900 seconds
wireless-hosted-network-quiet-time
  The wireless hosted network detection feature sends a log message and trap when a wireless hosted network is detected. The quiet time defined by this parameter sets the amount of time, in seconds, that must elapse after a wireless hosted network log message or trap has been triggered before an identical log message or trap can be sent again.
  Range: 60-360000 seconds. Default: 900 seconds
Usage Guidelines
Unauthorized device detection includes the ability to detect and disable rogue APs and other devices that can
potentially disrupt network operations.
Example
The following command copies the settings from the ids-unauthorized-device-disabled profile and then enables
detection and protection from adhoc networks:
(host) (config) #ids unauthorized-device-profile floor7
(host) (IDS Unauthorized Device Profile "floor7") #clone ids-unauthorized-device-disabled
(host) (IDS Unauthorized Device Profile "floor7") #detect-adhoc-network
(host) (IDS Unauthorized Device Profile "floor7") #protect-adhoc-network
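Two of the decisions this profile describes, written out as an added Python example (not ArubaOS code; the class and function names, the AP names, the BSSID and the OUI list entry are constructed for the illustration): the detect-invalid-mac-oui check against the valid-oui list, and the suspected-rogue confidence level that starts at 50%, rises by 5% for each additional AP reporting the same events, is capped at 95%, and triggers containment only when suspect-rogue-containment is on and suspect-rogue-conf-level is met. Treating "recognized OUI" as "listed in valid-oui" is a simplification of this example; the controller also consults its own OUI data, which the page does not describe.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class UnauthorizedDeviceProfile:
    """Hypothetical container for the subset of ids unauthorized-device-profile
    parameters modelled here; defaults are the ones given in the table."""
    detect_invalid_mac_oui: bool = False
    valid_oui: Set[str] = field(default_factory=set)   # the valid-oui list, as "xx:xx:xx"
    suspect_rogue_containment: bool = False
    suspect_rogue_conf_level: int = 60                  # percent, range 50-100


def oui_of(mac: str) -> str:
    """First three bytes of a MAC address: the IEEE-assigned OUI."""
    return mac.lower()[:8]


def check_mac_oui(profile: UnauthorizedDeviceProfile, mac: str) -> Optional[str]:
    """detect-invalid-mac-oui: return an alarm string when the OUI is not recognised.

    Simplification (assumption): recognised means listed in valid-oui. The controller
    also has its own table of IEEE-assigned OUIs, which this example does not carry."""
    if not profile.detect_invalid_mac_oui:
        return None
    oui = oui_of(mac)
    if oui in profile.valid_oui:
        return None
    return f"invalid MAC OUI {oui} in use by {mac}"


class SuspectRogueTracker:
    """Confidence level of suspected rogue APs: 50% when first classified, plus 5% for
    each additional AP that reports the same events, capped at 95%."""

    def __init__(self) -> None:
        self._reporters: Dict[str, Set[str]] = {}   # suspected rogue BSSID -> reporting APs

    def report(self, bssid: str, reporting_ap: str) -> int:
        """Record that reporting_ap saw the events for bssid; return the new level."""
        self._reporters.setdefault(bssid.lower(), set()).add(reporting_ap)
        return self.confidence(bssid)

    def confidence(self, bssid: str) -> int:
        n = len(self._reporters.get(bssid.lower(), ()))
        return 0 if n == 0 else min(50 + 5 * (n - 1), 95)

    def should_contain(self, profile: UnauthorizedDeviceProfile, bssid: str) -> bool:
        """Containment only with suspect-rogue-containment on and the configured level met."""
        return (profile.suspect_rogue_containment
                and self.confidence(bssid) >= profile.suspect_rogue_conf_level)


def demo_rogue() -> dict:
    """Constructed scenario: three monitoring APs report the same suspected rogue BSSID."""
    profile = UnauthorizedDeviceProfile(detect_invalid_mac_oui=True,
                                        valid_oui={"00:0b:86"},      # constructed sample entry
                                        suspect_rogue_containment=True)
    strict = UnauthorizedDeviceProfile(suspect_rogue_containment=True, suspect_rogue_conf_level=75)
    tracker = SuspectRogueTracker()
    rogue = "02:13:37:00:00:01"                                       # constructed BSSID
    levels = [tracker.report(rogue, ap) for ap in ("ap-lobby-1", "ap-lobby-2", "ap-floor2-1")]
    return {
        "levels": levels,                                             # 50, 55, 60
        "contain_at_default_60": tracker.should_contain(profile, rogue),
        "contain_at_75": tracker.should_contain(strict, rogue),
        "oui_alarm_for_rogue": check_mac_oui(profile, rogue),
        "oui_alarm_for_listed": check_mac_oui(profile, "00:0b:86:12:34:56"),
    }
```

With the default level of 60% the third corroborating AP is what tips a suspected rogue into containment; raising suspect-rogue-conf-level to 75% would require six reporting APs, which is the trade-off the table describes between prompt containment and misclassifying a neighbour's AP.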
Command History
ArubaOS 3.0: Command introduced
ArubaOS 3.3: Updated with support for the high-throughput IEEE 802.11n standard. Also introduced the allow-well-known-mac, suspect-rogue-conf-level, and suspect-rogue-containment parameters.
ArubaOS 6.0: Deprecated predefined profiles
ArubaOS 6.1: Added the detect-valid-ssid-misuse parameter to internally generate a list of valid SSIDs to use in addition to the user-configured list of Valid and Protected SSIDs.
ArubaOS 6.3: Added the following parameters:
- protect-adhoc-enhanced
- detect-wireless-hosted-network
- wireless-hosted-network-quiet-time
- protect-wireless-hosted-network
Deprecated Predefined Profiles
IDS Unauthorized Device profile:
- ids-unauthorized-device-disabled
- ids-unauthorized-device-medium-setting
- ids-unauthorized-device-high-setting
Command Information
Platform: Available on all platforms
License: Requires the RFprotect license
Command Mode: Config mode on master controllers
ids wms-general-profile
wms general
adhoc-ap-ageout-interval <adhoc-ap-ageout-interval>
ap-ageout-interval <ap-ageout-interval>
collect-stats
learn-ap
learn-system-wired-macs
no
persistent-neighbor
persistent-valid-sta
poll-interval <poll-interval>
poll-retries <poll-retries>
propagate-wired-macs
sta-ageout-interval <sta-ageout-interval>
stat-update
Description
This command configures the WLAN management system (WMS).
Syntax
adhoc-ap-ageout-interval <adhoc-ap-ageout-interval>
  Time, in minutes, that an adhoc (IBSS) AP remains unseen before it is deleted (ageout) from the database.
  Range: ?. Default: 30 minutes
ap-ageout-interval <ap-ageout-interval>
  Time, in minutes, that an AP remains unseen by any probes before it is deleted from the database.
  Range: ?. Default: 30 minutes
collect-stats
  Enables collection of statistics (up to 25,000 entries) on the master controller for monitored APs and clients. This only applies when MMS is not configured.
  Range: —. Default: disabled
learn-ap
  Enables “learning” of non-Aruba APs.
  Range: —. Default: disabled
learn-system-wired-macs
  Enable or disable “learning” of wired MACs at the controller.
  Range: —. Default: disabled
no
  Negates any configured parameter.
  Range: —. Default: —
persistent-neighbor
  Do not age out known AP neighbors.
  Range: —.
 Default: disabled
persistent-valid-sta
  Do not age out valid stations.
  Range: —. Default: ?
poll-interval <poll-interval>
  Interval, in milliseconds, for communication between the controller and Aruba AMs. The controller contacts the AM at this interval to download AP to station associations, update policy configuration changes, and download AP and station statistics.
  Range: (any). Default: 60000 milliseconds (1 minute)
poll-retries <poll-retries>
  Maximum number of failed polling attempts before the polled AM is considered to be down.
  Range: (any). Default: 2
propagate-wired-macs
  Enables the propagation of the gateway wired MAC information.
  Range: —. Default: enabled
sta-ageout-interval <sta-ageout-interval>
  Time, in minutes, that a client remains unseen by any probes before it is deleted from the database.
  Range: ?. Default: 30 minutes
stat-update
  Enables statistics updating in the database.
  Range: —. Default: enabled
Usage Guidelines
By default, non-Aruba APs that are connected on the same wired networks as Aruba APs are classified as “rogue” APs. Enabling AP learning classifies non-Aruba APs as “valid” APs. Typically, you would want to enable AP learning in environments with large numbers of existing non-Aruba APs and leave AP learning enabled until all APs in the network have been detected and classified as valid. Then, disable AP learning and reclassify any unknown APs as interfering.
VLAN Trunking
In deployments where Aruba APs are not placed on every VLAN and where it is not possible to trunk all VLANs to an Aruba AP, enable the parameter learned-system-wired-mac. When this is enabled, ArubaOS is able to classify rogues on all the VLANs that belong to the Aruba controller, as long as Aruba APs can see the rogues in the air. If there are VLANs in the network residing on a third-party controller and if those VLANs are trunked to a port on the Aruba controller, enabling this feature will allow detection of rogues on those VLANs as well.
Master/Local
When learned-system-wired-mac is enabled in a master/local deployment, the learning of Wired and Gateway MACs will happen at each local controller. For topologies with local controllers in geographical locations, the local controller collects the Wired and Gateway MAC info and passes it to the APs that are connected to it. Even though the locals do the collection of Wired and Gateway MACs, the master is still responsible for classification.
Example
The following command enables AP learning:
(host)(IDS WMS General Profile) #learn-ap
To disable AP learning:
(host)(IDS WMS General Profile) #no learn-ap
Command History
ArubaOS 3.0: Command introduced
ArubaOS 6.1: Added parameter learned-system-wired-mac
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
ids wms-local system-profile
ids wms-locals-profile <profile>
max-rbtree-entries <number>
max-system-wm <number>
max-threshold <number>
system-wm-update-interval <number>
Description
This command sets the local configuration parameters to control the size of the Wired MAC table and APs and
Stations.
Syntax
max-rbtree-entries
  Set the max threshold for the total number of AP and Station RBTree entries.
max-system-wm
  Set the max number of system wired MAC table entries learned at the controller.
  Range: 1-2000. Default: 1000
max-threshold
  Set the max threshold for the total number of APs and Stations.
system-wm-update-interval
  Set the interval, in minutes, for repopulating the system wired MAC table at the controller.
  Range: 1-30 minutes. Default: 8 minutes
Usage Guidelines
The wms-local system command is used for configuring commands that are local, not global. This means in a
master-local system, the configuration parameter is modifiable at each individual controller, and the setting on one
controller does not affect the setting on other controllers.
Increasing the max threshold limit will cause an increase in usage in the memory by WMS. In general, each entry will
consume about 500 bytes of memory. If the setting is bumped up by 2000, then it will cause an increase in WMS
memory usage by 1MB.
Example
The following commands first set the interval for repopulating the MAC table to 10 minutes and then set the maximum number of APs and stations to 500.
(host) (config) #ids wms-locals-profile system system-wm-update-interval 10
(host) (config)# ids wms-locals-profile system max-threshold 500
Command History
ArubaOS 3.: Introduced
ArubaOS 6.1: Local configuration parameters to control the size of the Wired MAC table: max-system-wm and system-wm-update-interval
ArubaOS 6.1.3: The wms-local command was renamed to ids wms-local-system-profile.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
ifmap
ifmap cppm
enable
no
server host <host>
port <port>
username <username>
passwd <password>
Description
This command is used in conjunction with ClearPass Policy Manager. It sends HTTP User Agent Strings and
mDNS broadcast information to ClearPass so that it can make more accurate decisions about what types of devices
are connecting to the network.
Syntax
enable
  Enables the IF-MAP protocol.
  Default: —
server
  Configures the CPPM IF-MAP server.
  Default: —
host <host>
  IP address/hostname of the CPPM IF-MAP server.
  Default: —
port <port>
  Port number for the CPPM IF-MAP server. The range is 1-65535.
  Default: 443
username <username>
  Username for the user who performs actions on the CPPM IF-MAP server. The name must be between 1-255 bytes in length.
  Default: —
passwd <password>
  Password of the user who performs actions on the CPPM IF-MAP server. The password must be between 6-100 bytes in length.
  Default: —
Example
This example configures IFMAP and enables it.
(host) (config) #ifmap
(host) (config) #ifmap cppm
(host) (CPPM IF-MAP Profile) #server host <host>
(host) (CPPM IF-MAP Profile) #port <port>
(host) (CPPM IF-MAP Profile) #passwd <psswd>
(host) (CPPM IF-MAP Profile) #enable
Usage Guidelines
Use this command in conjunction with ClearPass Policy Manager.
Related Commands
show ifmap
  This command is used in conjunction with ClearPass Policy Manager. It sends HTTP User Agent Strings and mDNS broadcast information to ClearPass so that it can make more accurate decisions about what types of devices are connecting to the network.
  Mode: Config mode
Command History
ArubaOS 6.3: Command introduced
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Config mode on master controllers
Interface cellular
interface cellular ip access-group <name> session
Description
This command allows you to specify an ingress or egress ACL to the cellular interface of an EVDO modem.
Syntax
<name>
  Enter the name or number of the access group you want to apply to the EVDO modem.
Example
(host) (config-cell)#ip access-group 3 session
Related Command
show interface cellular access-group
  Lists the access groups configured on the cellular interface.
Command History
ArubaOS 5.0: Command introduced
Command Information
Platforms: 600 Series
Licensing: Base operating system
Command Mode: Configuration Mode (config-cell)
interface fastethernet | gigabitethernet
interface {fastethernet|gigabitethernet} <slot>/<port>
description <string>
duplex {auto|full|half}
ip access-group <acl> {in|out|session {vlan <vlanId>}}
tunneled-node-port
no ...
poe [cisco]
jumbo
lldp {fast-transmit-counter <1-8>|fast-transmit-interval <1-3600>|med|receive|transmit|transmit-hold <1-100>|transmit-interval <1-3600>}
port monitor {fastethernet|gigabitethernet} <slot>/<port>
priority-map <name>
shutdown
spanning-tree [cost <value>] [port-priority <value>] [portfast]
speed {10|100|auto}
switchport {access vlan <vlan>|mode {access|trunk}|
trunk {allowed vlan {<vlans>|add <vlans>|all|except <vlans>|remove <vlans>}|
native vlan <vlan>}}
trusted {vlan <word>}
xsec {point-to-point <macaddr> <key> allowed vlan <vlans> [<mtu>]|vlan <vlan>}
Description
This command configures a FastEthernet or GigabitEthernet interface on the controller.
Syntax
<slot>
  <slot> is always 1 except for the 6000 controllers, where the slots can be 0, 1, 2, or 3.
  Range: —. Default: —
<port>
  Number assigned to the network interface embedded in the controller. Port numbers start at 0 from the left-most position.
  Range: —. Default: —
description
  String that describes this interface.
  Range: —. Default: —
duplex
  Transmission mode on the interface: full or half-duplex, or auto to automatically adjust transmission.
  Range: auto/full/half. Default: auto
ip access-group
  Applies the specified access control list (ACL) to the interface. Use the ip access-list command to configure an ACL.
  NOTE: This parameter requires the PEFNG license.
  Range: —. Default: —
  in: Applies ACL to interface’s inbound traffic. Range: —. Default: —
  out: Applies ACL to interface’s outbound traffic. Range: —. Default: —
Description
Range
Defaul
t
Applies session ACL to interface and optionally
to a selected VLAN associated with this port.
—
—
tunneled-node-port
Enable tunneled node capability on the
interface.
—
disable
d
no
Negates any configured parameter.
—
—
poe
Enables Power-over-Ethernet (PoE) on the
interface.
—
enable
d
Enables Cisco-style PoE on the interface.
—
disable
d
jumbo
Enables or disables jumbo frame MTU configured via firewall on a port.
—
disabled
lldp
Configures an LLDP functionality on an interface.
—
—
fast-transmit-counter <1-8
>
Set the number of the LLDP data units sent
each time fast LLDP data unit transmission is
triggered
1-8
4
fast-transmit-interval <13600>
Set the LLDP fast transmission interval in
seconds.
1-3600
1
med
Enables the LLDP MED protocol.
—
disabled
receive
Enables processing of LLDP PDU received.
—
disabled
transmit
Enables LLDP PDU transmit.
—
disabled
transmit-hold <1-100>
Set the transmit hold multiplier.
1-100
4
transmit-interval <1-3600>
Sets the transmit interval in seconds.
1-3600
30
port monitor
Monitors another interface on the controller.
—
—
priority-map
Applies a priority map to the interface. Use the
priority-map command to configure a priority
map which allows you to map ToS and CoS
values into high priority traffic queues.
—
—
shutdown
Causes a hard shutdown of the interface.
—
—
spanning-tree
Enables Rapid spanning tree or Per-VLAN
spanning tree
—
enable
d
Parameter
session
cisco
ArubaOS 6.4| Reference Guide
interface fastethernet | gigabitethernet | 373
Parameter
Defaul
t
Description
Range
cost
Administrative cost associated with the
spanning tree.
1-65535
19
(Fast
Ethern
et)
4
(Gigabi
t
Ethern
et)
port-priority
Spanning tree priority of the interface. A lower
setting brings the port closer to root port
position (favorable for forwarding traffic) than
does a higher setting. This is useful if ports may
contend for root position if they are connected
to an identical bridge.
0-255
128
portfast
Enables forwarding of traffic from the interface.
—
disable
d
speed
Sets the interface speed: 10 Mbps, 100 Mbps,
or auto configuration.
10|100|au
to
auto
switchport
Sets switching mode parameters for the
interface.
—
—
access vlan
Sets the interface as an access port for the
specified VLAN. The interface carries traffic
only for the specified VLAN.
—
1
mode
Sets the mode of the interface to access or
trunk mode only.
access|tru
nk
access
trunk
Sets the interface as a trunk port for the
specified VLANs. A trunk port carries traffic for
multiple VLANs using 802.1q tagging to mark
frames for specific VLANs. You can include all
VLANs configured on the controller, or add or
remove specified VLANs. Specify native to
identify the native VLAN for the trunk mode
interface. Frames on the native VLAN are not
802.1q tagged.
—
—
Set this interface and range of VLANs to be
trusted. VLANs not included in the trusted
range of VLANs will be, by default, untrusted.
Trusted ports and VLANs are typically
connected to internal controlled networks,
while untrusted ports connect to third-party
APs, public areas, or other networks to which
access controls should be applied. When
Aruba APs are attached directly to the
controller, set the port to be trusted.
—
enable
d
Sets the supplied range of VLANs as trusted.
All remaining become untrusted automatically.
For example, If you set a VLAN range as:
vlan 1-10, 100-300, 301, 305-400, 501-4094
1-4094
—
trusted
vlan <word>
374 | interface fastethernet | gigabitethernet
ArubaOS 6.4| Reference Guide
Range
Defaul
t
Enables and configures the Extreme Security
(xSec) protocol.
NOTE: You must purchase and install the xSec
software module license in the controller.
—
—
point-to-point
MAC address of the controller that is the xSec
tunnel termination point, and the 16-byte
shared key used to authenticate the controllers
to each other. The key must be the same on
both controllers.
—
—
allowed vlan
VLANs that are allowed on the xSec tunnel.
—
—
mtu
(Optional) MTU size for the xSec tunnel.
—
—
vlan
xSec VLAN ID. For controller-to-controller
communications, both controllers must belong
to the same VLAN.
1-4094
—
Parameter
Description
Then all VLANs in this range are trusted and all
others become untrusted by default. You can
also use the no trusted vlan command to
explicitly make an individual VLAN untrusted.
The no trusted vlan command is additive and
adds given vlans to the existing untrusted vlan
set.
However, if you execute the trusted vlan
<word> command, it overrides any earlier
untrusted VLANs or a range of untrusted
VLANs and creates a new set of trusted VLANs.
NOTE: A port supports a user VLAN range
from 1-4094. If you want to set all VLANs (14094) on a port as untrusted then mark the port
itself as untrusted. By default the port and all its
associated VLANs are trusted.
xsec
Usage Guidelines
Use the show port status command to obtain information about the interfaces available on the controller.
Example
The following commands configure an interface as a trunk port for a set of VLANs:
(host) (config) #interface fastethernet 1/2
(host) (config-if)#switchport mode trunk
(host) (config-if)#switchport trunk native vlan 10
(host) (config-if)#switchport trunk allowed vlan 1,10,100
The following commands configure trunk port 1/2 with the session ACL test-acl applied to VLAN 2:
(host) (config) #interface fastethernet 1/2
(host) (config-if)#switchport mode trunk
(host) (config-if)#ip access-group test-acl session vlan 2
Related Commands
(host) #show interface {fastethernet|gigabitethernet} <slot>/<port>
(host) #show datapath port vlan-table <slot>/<port>
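The trusted, trusted vlan <word> and no trusted vlan semantics described in the parameter table above (and repeated for the interface range and interface port-channel commands) are easy to get wrong once several lines accumulate on one port, because one form is additive and the other replaces the whole set. The following Python model is an added example, not code from ArubaOS or from this guide: it applies a sequence of those CLI lines to a port that starts in the documented default state (port and all VLANs trusted) and reports which VLANs end up subject to the controller's access controls. The class and function names are the example's own; the behaviour it encodes is only what the table states, and the interaction of an untrusted port with a trusted VLAN list is modelled as "all VLANs untrusted", per the table's NOTE.

```python
"""Model of the per-port trusted-VLAN semantics documented for the
trusted / trusted vlan <word> / no trusted vlan commands.

Added example for this guide, not Aruba code. It lets a reviewer predict
which VLANs on a port will bypass the controller's access controls before
the configuration is pushed.
"""
from __future__ import annotations

import re

ALL_VLANS = frozenset(range(1, 4095))   # user VLAN range 1-4094, per the guide

_RANGE_RE = re.compile(r"^\s*(\d+)(?:\s*-\s*(\d+))?\s*$")


def parse_vlan_list(word: str) -> frozenset[int]:
    """Parse a VLAN list such as "1-10, 100-300, 301, 305-400, 501-4094".

    Raises ValueError on anything outside 1-4094 or an inverted range, so a
    typo cannot silently widen the trusted set.
    """
    vlans: set[int] = set()
    for item in word.split(","):
        m = _RANGE_RE.match(item)
        if not m:
            raise ValueError(f"bad VLAN item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"VLAN range {item.strip()!r} outside 1-4094")
        vlans.update(range(lo, hi + 1))
    return frozenset(vlans)


class PortTrust:
    """Trust state of one switchport, starting from the documented defaults."""

    def __init__(self) -> None:
        self.port_trusted = True          # the port is trusted by default
        self.trusted_vlans = ALL_VLANS    # ... and so are all of its VLANs

    def apply(self, command: str) -> None:
        """Apply one CLI line: trusted | no trusted | trusted vlan X | no trusted vlan X."""
        cmd = " ".join(command.split())
        if cmd == "trusted":
            self.port_trusted = True
        elif cmd == "no trusted":
            self.port_trusted = False
        elif cmd.startswith("trusted vlan "):
            # Overrides any earlier untrusted VLANs: a brand-new trusted set.
            self.trusted_vlans = parse_vlan_list(cmd[len("trusted vlan "):])
        elif cmd.startswith("no trusted vlan "):
            # Additive: the given VLANs join the existing untrusted set.
            self.trusted_vlans -= parse_vlan_list(cmd[len("no trusted vlan "):])
        else:
            raise ValueError(f"unsupported command {command!r}")

    def untrusted_vlans(self) -> frozenset[int]:
        """VLANs whose traffic is subject to the controller's access controls."""
        if not self.port_trusted:
            # Per the NOTE: marking the port untrusted covers all of 1-4094
            # (assumed to take precedence over any trusted vlan list).
            return ALL_VLANS
        return ALL_VLANS - self.trusted_vlans

    def is_trusted(self, vlan: int) -> bool:
        return vlan not in self.untrusted_vlans()


if __name__ == "__main__":
    port = PortTrust()
    port.apply("trusted vlan 1-10, 100-300, 301, 305-400, 501-4094")
    port.apply("no trusted vlan 5")
    print(sorted(port.untrusted_vlans())[:8], "...", len(port.untrusted_vlans()), "untrusted")
```

Feed the model the exact lines from a candidate configuration, in order, and compare its untrusted set with what the change request intended; a trusted vlan line issued after a series of no trusted vlan lines is the usual way the earlier restrictions are lost.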
Command History
Release | Modification
ArubaOS 3.0 | Command introduced
ArubaOS 3.4 | The trusted VLAN and ip access-group session vlan parameters were introduced.
ArubaOS 3.4.1 | The trusted vlan <word> parameter was added.
ArubaOS 6.1 | The muxport parameter was renamed tunneled-node-port.
ArubaOS 6.3 | The jumbo parameter was added, to enable or disable on a port the jumbo frame MTU configured via the firewall.
ArubaOS 6.4 | The lldp parameter was added.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system. The ip access-group parameter requires the PEFNG license; the xsec parameter requires the xSec license. | Config mode on master and local controllers
interface loopback
interface loopback
ip address <ipaddr>
ipv6 address <ipv6-prefix>
no ...
Description
This command configures the loopback address on the controller.
Syntax
Parameter | Description
ip address | Host IP address in dotted-decimal format. This address should be routable from all external networks.
ipv6 address | Host IPv6 address that is routable from all external networks.
no | Negates any configured parameter.
Usage Guidelines
If configured, the loopback address is used as the controller’s IP address. If you do not configure a loopback address
for the controller, the IP address assigned to VLAN 1 is used as the controller’s IP address. After you configure or
modify a loopback address, you need to reboot the controller.
Example
The following command configures a loopback address:
(host) (config) #interface loopback
ip address 10.2.22.220
Command History
Release | Modification
ArubaOS 3.0 | Command introduced
ArubaOS 6.1 | The ipv6 address parameter was added.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master and local controllers
interface mgmt
interface mgmt
dhcp
ip address <ipaddr> <netmask>
ipv6 address <ipv6-prefix/prefix-length>
no ...
shutdown
Description
This command configures the out-of-band Ethernet management port on a 6000 controller.
Syntax
Parameter | Description
dhcp | Enables DHCP on the interface.
ip address <ipaddr> <netmask> | Configures an IP address and netmask on the interface.
ipv6 address <ipv6-prefix/prefix-length> | Configures an IPv6 address on the interface.
no | Negates any configured parameter.
shutdown | Causes a hard shutdown of the interface.
Usage Guidelines
This command applies to the Aruba Multi-Service Mobility Module Mark I.
Use the show interface mgmt command to view the current status of the management port.
Example
The following command configures an IP address on the management interface:
(host) (config) #interface mgmt
ip address 10.1.1.1 255.255.255.0
Platform Availability
This command is only available on the 6000 controller.
Command History
Release | Modification
ArubaOS 3.0 | Command introduced
ArubaOS 6.1 | The ipv6 address parameter was added.
Command Information
Platforms | Licensing | Command Mode
6000 controllers | Base operating system | Config mode on master and local controllers
interface port-channel
interface port-channel <id>
add {fastethernet|gigabitethernet} <slot>/<port>
del {fastethernet|gigabitethernet} <slot>/<port>
ip access-group <acl> {in|out|session {vlan <vlanId>}}
jumbo
no ...
shutdown
spanning-tree [portfast]
switchport {access vlan <vlan>|mode {access|trunk}|
trunk {allowed vlan {<vlans>|add <vlans>|all|except <vlans>|remove <vlans>}|
native vlan <vlan>}}
trusted {vlan <word>}
xsec {point-to-point <macaddr> <key> allowed vlan <vlans> [<mtu>]|vlan <vlan>}
Description
This command configures an Ethernet port channel.
Syntax
Parameter | Description | Range | Default
port-channel <id> | ID number for this port channel. | 0-7 | —
add | Adds the specified FastEthernet or GigabitEthernet interface to the port channel. You cannot mix FastEthernet and GigabitEthernet interfaces in the same port channel. | — | —
del | Deletes the specified FastEthernet or GigabitEthernet interface from the port channel. | — | —
ip access-group | Applies the specified access control list (ACL) to the interface. Use the ip access-list command to configure an ACL. NOTE: This parameter requires the PEFNG license. | — | —
in | Applies the ACL to the interface's inbound traffic. | — | —
out | Applies the ACL to the interface's outbound traffic. | — | —
session | Applies a session ACL to the interface and, optionally, to a selected VLAN associated with this port channel. | — | —
jumbo | Enables or disables, on this port channel, the jumbo frame MTU configured via the firewall. | — | —
no | Negates any configured parameter. | — | —
shutdown | Causes a hard shutdown of the interface. | — | —
spanning-tree | Enables spanning tree. | — | —
portfast | Puts the interface directly into the forwarding state instead of waiting for spanning tree to converge. | — | disabled
switchport | Sets switching mode parameters for the interface. | — | —
access vlan | Sets the interface as an access port for the specified VLAN. The interface carries traffic only for the specified VLAN. | — | —
mode | Sets the mode of the interface to access or trunk. | — | —
trunk | Sets the interface as a trunk port for the specified VLANs. A trunk port carries traffic for multiple VLANs, using 802.1Q tagging to mark frames for specific VLANs. You can include all VLANs configured on the controller, or add or remove specified VLANs. | — | —
native | Specifies the native VLAN for the trunk mode interface. Frames on the native VLAN are not 802.1Q tagged. | — | —
trusted | Sets this interface and its range of VLANs to be trusted. VLANs not included in the trusted range are untrusted by default. Traffic on trusted ports and VLANs bypasses the controller's access controls, so trusted ports and VLANs are typically connected to internal controlled networks, while untrusted ports connect to third-party APs, public areas, or other networks to which access controls should be applied. When Aruba APs are attached directly to the controller, set the port to be trusted. | — | disabled
vlan <word> | Sets the supplied range of VLANs as trusted; all remaining VLANs become untrusted automatically. For example, if you set the VLAN range as vlan 1-10, 100-300, 301, 305-400, 501-4094, then all VLANs in this range are trusted and all others become untrusted by default. You can also use the no trusted vlan command to explicitly make an individual VLAN untrusted. The no trusted vlan command is additive: it adds the given VLANs to the existing untrusted VLAN set. However, if you execute the trusted vlan <word> command, it overrides any earlier untrusted VLANs or range of untrusted VLANs and creates a new set of trusted VLANs. NOTE: A port supports a user VLAN range from 1-4094. If you want to set all VLANs (1-4094) on a port as untrusted, mark the port itself as untrusted. By default the port and all its associated VLANs are trusted. | 1-4094 | —
xsec | Enables and configures the Extreme Security (xSec) protocol. NOTE: You must purchase and install the xSec software module license in the controller. | — | —
point-to-point | MAC address of the controller that is the xSec tunnel termination point, and the 16-byte shared key used to authenticate the controllers to each other. The key must be the same on both controllers. | — | —
allowed vlan | VLANs that are allowed on the xSec tunnel. | — | —
mtu | (Optional) MTU size for the xSec tunnel. | — | —
vlan | xSec VLAN ID. For controller-to-controller communications, both controllers must belong to the same VLAN. | 1-4094 | —
Usage Guidelines
A port channel allows you to aggregate ports on a controller. You can configure a maximum of 8 port channels per supported controller, with a maximum of 8 interfaces per port channel.
Note the following when setting up a port channel between a controller and a Cisco switch (such as a Catalyst 6500 Series Switch):
- There must be no negotiation of the link parameters.
- The port-channel mode on the Cisco switch must be "on".
Example
The following commands configure a port channel:
(host) (config) #interface port-channel 7
add fastethernet 1/1
add fastethernet 1/2
Command History
Release | Modification
ArubaOS 3.0 | Command introduced
ArubaOS 3.4 | The trusted VLAN and ip access-group session vlan parameters were introduced.
ArubaOS 3.4.1 | The trusted vlan <word> parameter was added.
ArubaOS 6.3 | The jumbo parameter was added.
Command Information
Platforms | Licensing | Command Mode
2400 and 6000 controllers, and 3000 Series controllers | Base operating system. The ip access-group parameter requires the PEFNG license; the xsec parameter requires the xSec license. | Config mode on master and local controllers
interface-profile voip-profile
interface-profile voip-profile <profile-name>
clone <source>
no ...
voip-dot1p <priority>
voip-dscp <value>
voip-mode [auto-discover | static]
voip-vlan <VLAN-ID>
Description
This command creates a VoIP profile that can be applied to any interface or an interface group.
Syntax
Parameter | Description | Range | Default
<profile-name> | Name of the VoIP profile. | 1-32 characters; cannot begin with a numeric character | —
voip-dot1p <priority> | Specifies the 802.1p priority. | — | —
voip-dscp <value> | Specifies the DSCP value for the voice VLAN. | — | —
voip-mode [auto-discover|static] | Specifies the mode of VoIP operation: auto-discover operates VoIP in auto-discovery mode; static operates VoIP in static mode. | — | static
voip-vlan <vlan id> | Specifies the voice VLAN ID. | — | —
Usage Guidelines
Use this command to create VoIP VLANs for VoIP phones. Creating a VoIP profile does not apply the configuration
to any interface or interface group. To apply the VoIP profile, use the interface gigabitethernet and
interface-group commands.
Example
The following commands configure a VoIP profile. Note that 802.1p priority is a 3-bit field (0-7) and DSCP a 6-bit field (0-63); the example uses the usual voice markings, priority 5 and DSCP 46 (EF):
interface-profile voip-profile VoIP_PHONES
voip-dot1p 5
voip-dscp 46
voip-mode auto-discover
voip-vlan 126
Command History
Release | Modification
ArubaOS 6.2 | Command introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master and local controllers
interface range
interface range {fastethernet|gigabitethernet} <slot>/<port>-<port>
duplex {auto|full|half}
ip access-group <acl> {in|out|session {vlan <vlanId>}}
no ...
poe [cisco]
shutdown
spanning-tree [cost <value>] [port-priority <value>] [portfast]
speed {10|100|auto}
switchport {access vlan <vlan>|mode {access|trunk}|
trunk {allowed vlan {<vlans>|add <vlans>|all|except <vlans>|remove <vlans>}|
native vlan <vlan>}}
trusted {vlan <word>}
Description
This command configures a range of FastEthernet or GigabitEthernet interfaces on the controller.
Syntax
Parameter | Description | Range | Default
range | Range of Ethernet ports, in the format <slot>/<port>-<port>. | — | —
duplex | Transmission mode on the interface: full or half duplex, or auto to negotiate the mode automatically. | auto/full/half | auto
ip access-group | Applies the specified access control list (ACL) to the interface. Use the ip access-list command to configure an ACL. | — | —
in | Applies the ACL to the interface's inbound traffic. | — | —
out | Applies the ACL to the interface's outbound traffic. | — | —
session | Applies a session ACL to the interface and, optionally, to a selected VLAN associated with this port. | — | —
no | Negates any configured parameter. | — | —
poe | Enables Power-over-Ethernet (PoE) on the interface. | — | —
cisco | Enables Cisco-style PoE on the interface. | — | —
shutdown | Causes a hard shutdown of the interface. | — | —
spanning-tree | Enables spanning tree. | — | —
cost | Administrative cost associated with the spanning tree. | 1-65535 | —
port-priority | Spanning tree priority of the interface. A lower setting brings the port closer to root port position (favorable for forwarding traffic) than a higher setting does. This is useful if ports may contend for root position because they are connected to an identical bridge. | 0-255 | —
portfast | Puts the interface directly into the forwarding state instead of waiting for spanning tree to converge. | — | —
speed | Sets the interface speed: 10 Mbps, 100 Mbps, or auto-negotiation. | 10/100/auto | auto
switchport | Sets switching mode parameters for the interface. | — | —
access vlan | Sets the interface as an access port for the specified VLAN. The interface carries traffic only for the specified VLAN. | — | —
mode | Sets the mode of the interface to access or trunk. | — | —
trunk | Sets the interface as a trunk port for the specified VLANs. A trunk port carries traffic for multiple VLANs, using 802.1Q tagging to mark frames for specific VLANs. You can include all VLANs configured on the controller, or add or remove specified VLANs. Specify native to identify the native VLAN for the trunk mode interface; frames on the native VLAN are not 802.1Q tagged. | — | —
trusted | Sets these interfaces and their range of VLANs to be trusted. VLANs not included in the trusted range are untrusted by default. Traffic on trusted ports and VLANs bypasses the controller's access controls, so trusted ports and VLANs are typically connected to internal controlled networks, while untrusted ports connect to third-party APs, public areas, or other networks to which access controls should be applied. When Aruba APs are attached directly to the controller, set the port to be trusted. | — | enabled
vlan <word> | Sets the supplied range of VLANs as trusted; all remaining VLANs become untrusted automatically. For example, if you set the VLAN range as vlan 1-10, 100-300, 301, 305-400, 501-4094, then all VLANs in this range are trusted and all others become untrusted by default. You can also use the no trusted vlan command to explicitly make an individual VLAN untrusted. The no trusted vlan command is additive: it adds the given VLANs to the existing untrusted VLAN set. However, if you execute the trusted vlan <word> command, it overrides any earlier untrusted VLANs or range of untrusted VLANs and creates a new set of trusted VLANs. NOTE: A port supports a user VLAN range from 1-4094. If you want to set all VLANs (1-4094) on a port as untrusted, mark the port itself as untrusted. By default the port and all its associated VLANs are trusted. | 1-4094 | —
Usage Guidelines
Use the show port status command to obtain information about the interfaces available on the controller.
Example
The following commands configure a range of interfaces as trunk ports for a set of VLANs:
interface range fastethernet 1/12-15
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan 1,10,100
Command History
Release | Modification
ArubaOS 3.0 | Command introduced
ArubaOS 3.4 | The trusted VLAN and ip access-group session vlan parameters were introduced.
ArubaOS 3.4.1 | The trusted vlan <word> parameter was added.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master and local controllers
interface tunnel
interface tunnel <number>
description <string>
inter-tunnel-flooding
ip address <ipaddr> <netmask>
ipv6 address X:X:X:X::X
mtu <mtu>
no ...
shutdown
trusted
tunnel {destination {<A.B.C.D>|ipv6 <X:X:X:X::X>}|keepalive [<interval> [<retries>]]|mode gre {<num>|ip|ipv6}|source {<A.B.C.D>|controller-ip|ipv6 {<X:X:X:X::X>|controller-ip|loopback|vlan <vlan id>}|loopback|vlan <vlan id>}|vlan <vlan id>}
Description
This command configures a tunnel interface.
Syntax
Parameter | Description | Range | Default
tunnel <number> | Identification number for the tunnel. | 1-2147483647 | —
description | String that describes this interface. | — | Tunnel Interface
inter-tunnel-flooding | Enables inter-tunnel flooding. | — | enabled
ip address | IPv4 address of the tunnel; this is the entrance to the tunnel. Specify either <ipaddr> <netmask>, an IPv4 address and netmask for the interface, or internal, an IP address allocated from the Remote-Node pool. The ip ospf sub-commands configure OSPF on the interface. | — | —
ipv6 address | IPv6 address of the tunnel. Note: This address can be configured only on a Layer-3 GRE tunnel interface. | — | —
mtu | MTU size for the interface. | 1024-9216 | IPv4: 1100; IPv6: 1500
no | Negates any configured parameter. | — | —
shutdown | Causes a hard shutdown of the interface. | — | —
trusted | Sets this tunnel interface to be trusted. Traffic arriving over a trusted interface bypasses the controller's access controls, so trust a tunnel only when the far end is an internal controlled network; leave it untrusted when it connects to third-party devices, public areas, or other networks to which access controls should be applied. | — | disabled
tunnel | Configures tunneling. | — | mode gre ip
destination | Destination address of the remote tunnel endpoint: an IPv4 address, or an IPv6 address with the ipv6 keyword. | — | —
keepalive | Enables sending of periodic keepalive frames on the tunnel to determine the tunnel status (up or down). You can optionally set the interval at which keepalive frames are sent and the number of consecutive failures before the tunnel is considered down. | — | disabled
<interval> | (Optional) Number of seconds between keepalive frames. | 1-86400 | 10 seconds
<retries> | (Optional) Number of consecutive keepalive failures before the tunnel is considered down. | 0-1024 | 3
mode gre | Specifies the generic routing encapsulation (GRE) type. Configure one of the following: <num>, a 16-bit protocol number (for a Layer-2 tunnel); ip (for a Layer-3 IPv4 tunnel); or ipv6 (for a Layer-3 IPv6 tunnel). The 16-bit protocol number uniquely identifies the tunnel, and the controllers at both endpoints of the tunnel must be configured with the same protocol number. By default the mode is set to IPv4. | — | ip
source | The local endpoint of the tunnel on the controller. This can be one of the following: <A.B.C.D>, an IPv4 address; controller-ip, the IPv4 address of the controller; loopback, the loopback interface configured on the controller; vlan <vlanid>, the VLAN interface ID; or ipv6 followed by one of <X:X:X:X::X> (an IPv6 address), controller-ip (the IPv6 address of the controller), loopback (the IPv6 loopback interface configured on the controller) or vlan <vlanid> (the VLAN interface ID). | — | —
vlan | VLANs to be included in this tunnel. Note: VLANs can be configured only if the tunnel mode is set to Layer 2. If the tunnel mode is not explicitly set to Layer 2, the system returns the error "Tunnel is an IP [v6] GRE Tunnel, Change the Mode before adding this." | — | —
Usage Guidelines
You can configure a GRE tunnel between an Aruba controller and another GRE-capable device. The Layer-3 GRE tunnel type is the default (tunnel mode gre ip). You can direct traffic into the tunnel using a static route (specify the tunnel as the next hop for a static route) or a session-based access control list (ACL).
GRE itself provides neither authentication nor encryption of the encapsulated traffic, so any host on the path between the two endpoints can inject packets into the tunnel. Leave the tunnel interface untrusted (the default) unless the remote endpoint and the transport path are under your control, or carry the GRE traffic inside IPsec.
Example
The following command configures a tunnel interface for IPv4:
(host) (config) #interface tunnel 200
ip address 10.1.1.1 255.255.255.0
tunnel source loopback
tunnel destination 20.1.1.242
tunnel mode gre ip
The following command configures a tunnel interface for IPv6:
(host) (config) # interface tunnel 15
description "Tunnel Interface"
tunnel mode gre ipv6
ipv6 address 2100:15::15
tunnel source ipv6 vlan 498
tunnel destination ipv6 2010:498::2
trusted
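To make concrete what the tunnel mode gre protocol number is on the wire, and why both endpoints must agree on it, here is an added Python example, not Aruba code and not part of this guide: it builds and parses the RFC 2784/2890 GRE header and checks whether an incoming packet's Protocol Type matches the local tunnel mode setting. The mapping of mode gre ip and mode gre ipv6 to the EtherType values 0x0800 and 0x86DD is the standard GRE convention and is assumed here for the controller's encoding; the guide does not state it. 0x6558 (the IANA EtherType for transparent Ethernet bridging) is used only as a sample Layer-2 protocol number, and all packets are constructed in the block.

```python
"""Build and decode the GRE header that carries an interface tunnel's traffic.

Added example for this guide, not Aruba code. The "16-bit protocol number"
set by "tunnel mode gre" is the GRE Protocol Type field (RFC 2784/2890); a
receiver whose configured mode does not match discards the payload.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Assumed: standard EtherType values for the two Layer-3 modes (not from the guide).
GRE_MODE_PROTOCOL = {"ip": 0x0800, "ipv6": 0x86DD}

FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # checksum, key, sequence present


@dataclass(frozen=True)
class GreHeader:
    protocol: int
    checksum: int | None
    key: int | None
    sequence: int | None
    header_len: int       # offset of the encapsulated payload


def parse_gre(packet: bytes) -> GreHeader:
    """Parse an RFC 2784/2890 GRE header; raises ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:                      # version bits must be 0 for plain GRE
        raise ValueError(f"unsupported GRE version {flags & 7}")
    offset = 4
    checksum = key = sequence = None
    if flags & FLAG_C:
        if len(packet) < offset + 4:
            raise ValueError("truncated checksum field")
        checksum = struct.unpack("!H", packet[offset:offset + 2])[0]
        offset += 4                         # checksum + reserved1
    if flags & FLAG_K:
        if len(packet) < offset + 4:
            raise ValueError("truncated key field")
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_S:
        if len(packet) < offset + 4:
            raise ValueError("truncated sequence field")
        sequence = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    return GreHeader(protocol, checksum, key, sequence, offset)


def build_gre(protocol: int, payload: bytes, key: int | None = None) -> bytes:
    """Build a GRE packet the way the sending tunnel endpoint would."""
    flags = FLAG_K if key is not None else 0
    hdr = struct.pack("!HH", flags, protocol)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + payload


def matches_tunnel_mode(packet: bytes, mode: str) -> bool:
    """True if the packet's Protocol Type matches the local "tunnel mode gre" setting.

    mode is "ip", "ipv6", or a decimal/hex protocol number string for a Layer-2 tunnel.
    """
    expected = GRE_MODE_PROTOCOL.get(mode)
    if expected is None:
        expected = int(mode, 0)
    if not 0 <= expected <= 0xFFFF:
        raise ValueError("protocol number must fit in 16 bits")
    return parse_gre(packet).protocol == expected


if __name__ == "__main__":
    sample = build_gre(0x0800, b"\x45" + b"\x00" * 19)      # constructed IPv4-in-GRE frame
    print(parse_gre(sample), matches_tunnel_mode(sample, "ip"))
```

Note that nothing in the header authenticates the sender: the optional key field is a demultiplexing tag, not a secret, so a protocol-type or key mismatch only explains a tunnel that silently drops traffic, it does not keep an attacker out.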
Command History
Release | Modification
ArubaOS 3.0 | Command introduced
ArubaOS 3.2 | The keepalive parameter was introduced.
ArubaOS 6.4 | The checksum parameter was deprecated. The tunnel destination ipv6, tunnel mode gre ipv6 and tunnel source ipv6 parameters were introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master and local controllers
interface vlan
interface vlan <vlan>
bandwidth-contract <name>
bcmc-optimization
description <string>
ip {address {<ipaddr> <netmask>|dhcp-client client-id <cid>|internal|pppoe}|helper-address <address>|igmp [proxy] [snooping]|local-proxy-arp|nat inside|ospf {area|authentication|cost|dead-interval|hello-interval|message-digest-key|priority|retransmit-interval|transmit-delay}|pppoe-max-segment-size <mss>|pppoe-password <password>|pppoe-service-name <service-name>|pppoe-username <username>|routing}
ipv6 {address {<ipv6-address> link-local|<ipv6-prefix>/<prefix-length> [eui-64]}|dhcp server <pool name>|mld [snooping|proxy {fastethernet|gigabitethernet|port-channel} <slot>/<port>]|nd {ra [dns|enable|hop-limit|interval|life-time|managed-config-flag|mtu|other-config-flag|preference|prefix]|reachable-time <value>|retransmit-time <value>}}
mtu <number>
multimode-auth {lease-time}
no ...
operstate {up}
option-82 {ap-name|mac}
shutdown
suppress-arp
Description
This command configures a VLAN interface.
Syntax
Parameter | Description | Range | Default
vlan | VLAN ID number. | 1-4094 | —
bandwidth-contract <name> | Name of the bandwidth contract to be applied to this VLAN interface. When applied to a VLAN, the contract limits both broadcast and multicast traffic. Use the aaa bandwidth-contract command to configure a bandwidth contract. | — | —
bcmc-optimization | Enables broadcast and multicast traffic optimization to prevent flooding of broadcast and multicast traffic on VLANs. If this feature is enabled on uplink ports, any controller-generated Layer-2 packets will be dropped. | — | disabled
description | String that describes this interface. | — | 802.1Q VLAN
ip | Configures IPv4 for this interface. | — | —
address | Configures the IP address for this interface, which can be one of the following: <ipaddr> <netmask>, a static address and netmask; dhcp-client, use DHCP to obtain the IP address; internal, an IP address allocated from the Remote Node profile; pppoe, use PPPoE to obtain the IP address. | — | —
helper-address | IP address of the DHCP server to which DHCP requests received on this interface are relayed. If the DHCP server is on the same subnetwork as this VLAN interface, you do not need to configure this parameter. | — | —
igmp | Enables IGMP and/or IGMP snooping on this interface. | — | —
local-proxy-arp | Enables local proxy ARP. | — | —
nat inside | Enables source network address translation (NAT) for all traffic routed from this VLAN. | — | —
ospf | Defines an OSPF area. See ip ospf on page 433 for complete details on this command. | — | —
pppoe-max-segment-size | Configures the TCP maximum segment size in bytes. | 128 | —
pppoe-password | Configures the PAP password used with the PPPoE Access Concentrator. | 1-80 | —
pppoe-service-name | Configures the PPPoE service name. | 1-80 | —
pppoe-username | Configures the PAP username used with the PPPoE Access Concentrator. | 1-80 | —
routing | Enables Layer-3 forwarding on the VLAN interface. To disable Layer-3 forwarding, you must configure the IP address for the interface and specify no ip routing. | — | enabled
ipv6 | Configures IPv6 for this interface. | — | —
address | Configures the link-local address or the global unicast address for this interface. | — | —
dhcp | Configures Dynamic Host Configuration Protocol for IPv6. server configures the DHCPv6 pool for the VLAN. | — | —
mld | Enables Multicast Listener Discovery (MLD) on this interface. snooping configures MLD snooping on this interface; proxy configures MLD proxy on a fastethernet, gigabitethernet or port-channel interface. | — | —
nd {ra|reachable-time|retransmit-time} | Configures the IPv6 neighbor discovery options. ra configures the following router advertisement options: dns (IPv6 recursive DNS server), enable (enables IPv6 RA), hop-limit (RA hop limit), interval (RA interval), life-time (RA lifetime), managed-config-flag (hosts use a DHCP server for stateful address autoconfiguration), mtu (maximum transmission unit for RA), other-config-flag (hosts use a DHCP server for other, non-address configuration), preference (router preference) and prefix (IPv6 RA prefix). reachable-time configures the neighbor discovery reachable time; retransmit-time configures the neighbor discovery retransmit time. | — | —
no | Negates any configured parameter. | — | —
mtu | MTU setting for the VLAN. | 1024-1500 | —
multimode-auth | MultiMode authentication support on the VLAN. | — | —
operstate up | Sets the state of the interface to up. | — | —
option-82 mac | Allows the DHCP relay agent to insert circuit-specific information into a request that is being forwarded to a DHCP server. The controller, when acting as a DHCP relay agent, inserts information about the AP and SSID through which a client is connecting into the DHCP request. Many service providers use this mechanism to make access control decisions. You can include only the MAC address, or the MAC address and ESSID. | — | —
essid | ESSID, the alphanumeric name that uniquely identifies a wireless network. | — | —
shutdown | Causes a hard shutdown of the interface. | — | —
suppress-arp | Prevents flooding of ARP broadcasts on all untrusted interfaces. | — | —
Usage Guidelines
All ports on the controller are assigned to VLAN 1 by default. Use the interface fastethernet|gigabitethernet
command to assign a port to a configured VLAN. Use the show interface vlan and show user commands to view
DHCP option-82 related output.
Do not enable the nat inside option for VLAN 1, as this will prevent IPsec connectivity between the controller and its
IPsec peers.
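The option-82 parameter above describes a relay agent inserting circuit information (AP MAC, optionally ESSID) into a forwarded DHCP request so that a DHCP server can base access-control decisions on it. The following is an added example, not ArubaOS code: it builds and parses the generic RFC 3046 Relay Agent Information TLV (option 82 with Circuit ID and Remote ID sub-options). The assignment of the MAC to sub-option 1 and the ESSID to sub-option 2, and the sample MAC and ESSID values, are assumptions made for the example; the page does not document the controller's exact encoding. The parser checks every length field, which is what a server or an analyst decoding relayed packets must do before trusting the circuit data.

```python
from typing import Optional

OPTION_RELAY_AGENT = 82   # DHCP option code (RFC 3046)
SUBOPT_CIRCUIT_ID = 1     # Agent Circuit ID sub-option
SUBOPT_REMOTE_ID = 2      # Agent Remote ID sub-option


def _mac_bytes(mac: str) -> bytes:
    """Convert aa:bb:cc:dd:ee:ff into six raw bytes, rejecting malformed input."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("MAC address must have six octets")
    return bytes(int(p, 16) for p in parts)


def build_option82(ap_mac: str, essid: Optional[str] = None) -> bytes:
    """Return an option 82 TLV: code, total length, then sub-option TLVs.

    Layout assumed for this example (not the controller's documented format):
    Circuit ID carries the AP MAC as raw bytes; when an ESSID is given it is
    carried as a second sub-option (Remote ID, UTF-8).
    """
    subopts = bytes([SUBOPT_CIRCUIT_ID, 6]) + _mac_bytes(ap_mac)
    if essid is not None:
        enc = essid.encode("utf-8")
        if not 0 < len(enc) <= 255:
            raise ValueError("ESSID must be 1-255 bytes")
        subopts += bytes([SUBOPT_REMOTE_ID, len(enc)]) + enc
    if len(subopts) > 255:
        raise ValueError("option 82 payload exceeds 255 bytes")
    return bytes([OPTION_RELAY_AGENT, len(subopts)]) + subopts


def parse_option82(opt: bytes) -> dict:
    """Decode an option 82 TLV into its sub-options.

    Every length is checked against the bytes actually present, so truncated
    or over-long encodings are rejected instead of yielding partial values.
    """
    if len(opt) < 2 or opt[0] != OPTION_RELAY_AGENT:
        raise ValueError("not an option 82 TLV")
    if len(opt) != 2 + opt[1]:
        raise ValueError("option 82 length does not match payload")
    body, pos, out = opt[2:], 0, {}
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, sublen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + sublen]
        if len(data) != sublen:
            raise ValueError("truncated sub-option data")
        if code == SUBOPT_CIRCUIT_ID:
            out["ap_mac"] = ":".join(f"{b:02x}" for b in data)
        elif code == SUBOPT_REMOTE_ID:
            out["essid"] = data.decode("utf-8", errors="replace")
        else:
            out[f"subopt_{code}"] = data   # unknown sub-option kept raw
        pos += 2 + sublen
    return out


def is_well_formed(opt: bytes) -> bool:
    """True when parse_option82 accepts the TLV; used to screen relayed packets."""
    try:
        parse_option82(opt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    tlv = build_option82("00:0b:86:11:22:33", "corp-wifi")
    print(tlv.hex())
    print(parse_option82(tlv))
    print(is_well_formed(tlv[:-1]))   # last byte missing: rejected
```

The same parser can be pointed at the option 82 bytes of a relayed DHCPDISCOVER in a capture to confirm what the controller actually inserted matches the configured option-82 mac or option-82 mac essid setting.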
Example
The following command configures a VLAN interface:
(host) (config) #interface vlan 16
ip address 10.26.1.1 255.255.255.0
ip helper-address 10.4.1.22
Command History
Release        Modification
ArubaOS 3.0    Command introduced
ArubaOS 3.3    The ipv6 parameters were introduced.
ArubaOS 3.4    The igmp snooping parameter was deprecated. For information on configuring IGMP snooping, see interface vlan ip igmp proxy on page 398.
ArubaOS 6.0    The pppoe-max-segment-site, pppoe-password, pppoe-service-name and pppoe-password parameters were introduced.
ArubaOS 6.1    The option-82 parameter was introduced.
ArubaOS 6.2    The nd parameter for configuring neighbor discovery and router advertisement options was introduced.
ArubaOS 6.3    The proxy parameter was introduced to enable MLD proxy in a VLAN.
ArubaOS 6.4    The dhcp parameter for configuring dynamic host configuration protocol for IPv6 was introduced.
Command Information
Platforms       Licensing               Command Mode
All platforms   Base operating system   Config mode on master and local controllers
interface vlan ipv6
interface vlan <vlan ID>
ipv6 address {<ipv6-address> link-local | <ipv6-prefix>/<prefix-length> [eui-64]}
ipv6 dhcp server <pool-name>
ipv6 mld [snooping]
ipv6 nd {ra [dns | enable | hop-limit | interval | life-time | managed-config-flag | mtu | other-config-flag | preference | prefix] | reachable-time <value> | retransmit-time <value>}
Description
This command configures the IPv6 link local address or the global unicast address, and the IPv6 router
advertisement parameters for this interface.
Syntax
<ipv6 address> link-local
    Configures the specified IPv6 address as the link local address for this interface.
<ipv6-prefix>/<prefix-length>
    Specify the IPv6 prefix/prefix-length to configure the global unicast address for this interface.
eui-64
    Specify this optional parameter to configure the global unicast address in Extended Universal Identifier 64 bit format (EUI-64) for this interface.
ipv6 dhcp server <poolname>
    Specify the DHCPv6 server pool name for this VLAN. The configured DHCPv6 pool subnet must match the interface prefix for DHCPv6 Server to be active.
ipv6 nd
    Configures the IPv6 neighbor discovery options for router advertisement functionality.
ra
    Configures the following router advertisement options:
    • dns: Configures IPv6 recursive DNS server.
    • enable: Enables IPv6 RA.
    • hop-limit: Configures RA hop-limit.
    • interval: Configures RA interval.
    • life-time: Configures RA lifetime.
    • managed-config-flag: Enables hosts to use DHCP server for stateful address autoconfiguration.
    • mtu: Configures maximum transmission unit for RA.
    • other-config-flag: Enables hosts to use DHCP server for other non-address stateful autoconfiguration.
    • preference: Configures a router preference.
    • prefix: Configures IPv6 RA prefix.
reachable-time <value>
    Configures the neighbor discovery reachable time in msec. Range: 0-3,600,000. Default: 0.
retransmit-time <value>
    Configures the neighbor discovery retransmit time in msec. Range: 0-3,600,000.
Usage Guidelines
You can use this command to configure the IPv6 link local address and the global unicast address for this interface.
Example
The following example configures the link local address for the VLAN 1.
(host) (conf)# interface vlan 1
(config-subif)#ipv6 address fe80::b:8600:50d:7700 link-local
The following example configures the global unicast address in EUI-64 format for the VLAN 1.
(host) (conf)# interface vlan 1
(config-subif)#ipv6 address 2001:DB8:0:3::/64 eui-64
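The ipv6 nd ra sub-parameters in the table above (hop-limit, life-time, managed-config-flag, other-config-flag, preference, prefix, mtu, dns) and the reachable-time and retransmit-time values each correspond to a field of the ICMPv6 Router Advertisement the controller sends on the VLAN. The following is an added example, not ArubaOS code: it builds an RA per RFC 4861 (with the RFC 4191 preference bits and the RFC 6106 RDNSS option) and decodes one back into a dict keyed by the CLI parameter names, so a captured RA can be checked against the configured intent (for instance, that a VLAN meant to use stateful DHCPv6 really advertises the M flag). The prefix lifetimes, the sample prefix 2001:db8:0:3::/64 from the example above and the DNS server 2001:db8::53 are constructed values; the checksum is left zero because it covers the IPv6 pseudo-header.

```python
import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option
OPT_MTU = 5              # MTU option
OPT_RDNSS = 25           # Recursive DNS Server option (RFC 6106)
PREF_BITS = {"high": 0b01, "medium": 0b00, "low": 0b11}   # RFC 4191 Prf field
PREF_NAMES = {v: k for k, v in PREF_BITS.items()}
RA_HEADER = "!BBHBBHII"  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def build_ra(hop_limit=64, managed=False, other=False, preference="medium",
             lifetime=1800, reachable_ms=0, retrans_ms=0,
             prefix=None, mtu=None, dns=()):
    """Return the RA message (ICMPv6 header plus options) as bytes.

    reachable_ms / retrans_ms are milliseconds, matching the CLI table.
    The checksum stays zero: it is computed only once addresses are known.
    """
    flags = ((0x80 if managed else 0) | (0x40 if other else 0)
             | (PREF_BITS[preference] << 3))
    msg = struct.pack(RA_HEADER, ICMPV6_RA, 0, 0, hop_limit, flags,
                      lifetime, reachable_ms, retrans_ms)
    if prefix is not None:
        net = ipaddress.IPv6Network(prefix)
        # L (on-link) and A (autonomous) flags set (0xC0); valid/preferred
        # lifetimes use the RFC 4861 defaults of 30 days / 7 days (constructed).
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                           2592000, 604800, 0) + net.network_address.packed
    if mtu is not None:
        msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    if dns:
        msg += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, lifetime)
        for server in dns:
            msg += ipaddress.IPv6Address(server).packed
    return msg


def parse_ra(msg: bytes) -> dict:
    """Decode an RA into a dict keyed by the matching ipv6 nd CLI parameter."""
    if len(msg) < 16 or msg[0] != ICMPV6_RA:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _, _, _, hop, flags, lifetime, reach, retrans = struct.unpack(RA_HEADER, msg[:16])
    ra = {"hop-limit": hop,
          "managed-config-flag": bool(flags & 0x80),
          "other-config-flag": bool(flags & 0x40),
          # RFC 4191: the reserved value 10 is treated as medium (00)
          "preference": PREF_NAMES.get((flags >> 3) & 0b11, "medium"),
          "life-time": lifetime, "reachable-time": reach, "retransmit-time": retrans,
          "prefix": None, "mtu": None, "dns": []}
    pos = 16
    while pos < len(msg):
        if pos + 2 > len(msg) or msg[pos + 1] == 0:
            raise ValueError("malformed option header")   # zero length is invalid
        otype, olen = msg[pos], msg[pos + 1] * 8          # length is in 8-octet units
        opt = msg[pos:pos + olen]
        if len(opt) != olen:
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 32:
            ra["prefix"] = f"{ipaddress.IPv6Address(opt[16:32])}/{opt[2]}"
        elif otype == OPT_MTU and olen == 8:
            ra["mtu"] = struct.unpack("!I", opt[4:8])[0]
        elif otype == OPT_RDNSS:
            ra["dns"] = [str(ipaddress.IPv6Address(opt[i:i + 16]))
                         for i in range(8, olen, 16)]
        pos += olen
    return ra


if __name__ == "__main__":
    # Constructed RA mirroring a VLAN with managed/other flags, high preference,
    # the example prefix, an MTU option and one RDNSS server.
    wire = build_ra(managed=True, other=True, preference="high",
                    reachable_ms=30000, retrans_ms=1000,
                    prefix="2001:db8:0:3::/64", mtu=1500, dns=["2001:db8::53"])
    print(parse_ra(wire))
```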
Command History
Release        Modification
ArubaOS 6.1    This command was introduced.
ArubaOS 6.2    The nd parameter for configuring neighbor discovery and router advertisement options was introduced.
ArubaOS 6.3    The dhcp server <pool-name> parameter was introduced.
Command Information
Platforms       Licensing               Command Mode
All platforms   Base operating system   Config mode on master controllers
interface vlan ip igmp proxy
interface vlan <vlan>
ip igmp snooping|{proxy fastethernet|gigabitethernet <slot>/<port>}
Description
This command enables IGMP and/or IGMP snooping on this interface, or configures a VLAN interface for
uninterrupted streaming of multicast traffic.
Syntax
snooping
    Enable IGMP snooping. The IGMP protocol enables a router to discover the presence of multicast listeners on directly-attached links. Enable IGMP snooping to limit the sending of multicast frames to only those nodes that need to receive them.
proxy
    Enable IGMP on this interface.
fastethernet
    Enable IGMP proxy on the FastEthernet (IEEE 802.3) interface.
gigabitethernet
    Enable IGMP proxy on the GigabitEthernet (IEEE 802.3) interface.
<slot>/<port>
    Any command that references a Fast Ethernet or Gigabit Ethernet interface requires that you specify the corresponding port on the controller in the format <slot>/<port>.
    <slot> is always 1, except when referring to interfaces on the 6000 controller. For the 6000 controller, the four slots are allocated as follows:
    • Slot 0: contains an Aruba Multi-Service Mobility Module Mark I.
    • Slot 1: can contain either an Aruba Multi-Service Mobility Module Mark I or a line card.
    • Slot 2: can contain either an Aruba Multi-Service Mobility Module Mark I or a line card.
    • Slot 3: can contain either an Aruba Multi-Service Mobility Module Mark I or a line card.
    <port> refers to the network interfaces that are embedded in the front panel of the 3000 Series controller, Aruba Multi-Service Mobility Module Mark I, or a line card installed in the 6000 controller. Port numbers start at 0 from the left-most position.
Usage Guidelines
The newer IGMP proxy feature and the older IGMP snooping feature cannot be enabled at the same time, as both
features add membership information to the multicast group table. For most multicast deployments, you should enable
the IGMP Proxy feature on all VLAN interfaces to manage all the multicast membership requirements on the
controller. If IGMP snooping is configured on some of the interfaces, there is a greater chance that multicast
information transfers may be interrupted.
Example
The following example configures IGMP proxy for vlan 2. IGMP reports from the controller would be sent to the
upstream router on fastethernet port 1/3.
(host) (conf)# interface vlan 2
(conf-subif)# ip igmp proxy fastethernet 1/3
Related Commands
This release of ArubaOS supports version 1 of the Multicast Listener Discovery (MLD) protocol (MLDv1). MLDv1,
defined in RFC 2710, is derived from version 2 of the IPv4 Internet Group Management Protocol (IGMPv2).
Issue the command interface vlan <vlan> ipv6 mld to enable the MLD protocol and allow an IPv6 router to discover
the presence of multicast listeners on directly-attached links. Use the CLI command interface vlan <vlan> ipv6
mld snooping, and the IPv6 router will send multicast frames to only those nodes that need to receive them.
Command History
This command was introduced in ArubaOS 3.4.
Command Information
Platforms       Licensing               Command Mode
All platforms   Base operating system   Config mode on master controllers
ip access-list eth
ip access-list eth {<number>|<name>}
deny {<ethtype> [<bits>]|any} [mirror] [position]
no ...
permit {<ethtype> [<bits>]|any} [mirror][position]
Description
This command configures an Ethertype access control list (ACL).
Syntax
eth
    Enter a name, or a number in the specified range. Range: 200-299.
deny
    Reject the specified packets, which can be one of the following:
    • Ethertype in decimal or hexadecimal (0-65535) and optional wildcard (0-65535)
    • any: match any Ethertype
    Optionally, you can configure the mirror parameter, which mirrors packets to a datapath or remote destination, or set the position of the ACL. The default position is last; a position of 1 puts the ACL at the top of the list.
no
    Negates any configured parameter.
permit
    Allow the specified packets, which can be one of the following:
    • Ethertype in decimal or hexadecimal (0-65535) and optional wildcard (0-65535)
    • any: match any Ethertype
    Optionally, you can configure the mirror parameter, which mirrors packets to a datapath or remote destination, or set the position of the ACL. The default position is last; a position of 1 puts the ACL at the top of the list.
Usage Guidelines
The Ethertype field in an Ethernet frame indicates the protocol being transported in the frame. This type of ACL filters
on the Ethertype field in the Ethernet frame header, and is useful when filtering non-IP traffic on a physical port. This
ACL can be used to permit IP frames while blocking other non-IP protocols such as IPX or AppleTalk.
If you configure the mirror option, define the destination to which mirrored packets are sent in the firewall policy. For
more information, see firewall on page 310.
Example
The following command configures an Ethertype ACL:
(host) (config) #ip access-list eth 200
deny 809b
Command History
Release        Modification
ArubaOS 3.0    Command introduced
ArubaOS 3.3    The mirror parameter was introduced.
Command Information
Platform                    License                      Command Mode
Available on all platforms  Requires the PEFNG license.  Config mode on master controllers
ip access-list extended
ip access-list extended {<number>|<name>}
deny <protocol> <source> <dest>
ipv6
no ...
permit <protocol> <source> <dest>
Description
This command configures an extended access control list (ACL). To configure IPv6 specific rules, use the ipv6
keyword for each rule.
Syntax
extended
    Enter a name, or a number in the specified range. Range: 100-199, 2000-2699.
ipv6
    Use the ipv6 keyword to add IPv6 specific rules.
deny
    Reject the specified packets.
<protocol>
    Protocol, which can be one of the following:
    • Protocol number between 0-255
    • any: any protocol
    • icmp: Internet Control Message Protocol
    • igmp: Internet Group Management Protocol
    • tcp: Transmission Control Protocol
    • udp: User Datagram Protocol
<source>
    Source, which can be one of the following:
    • Source address (IPv4 or IPv6) and wildcard
    • any: any source
    • host: specify a single host IP address
<dest>
    Destination, which can be one of the following:
    • Destination address (IPv4 or IPv6) and wildcard
    • any: any destination
    • host: specify a single host IP address
no
    Negates any configured parameter.
permit
    Allow the specified packets.
<protocol>
    Protocol, which can be one of the following:
    • Protocol number between 0-255
    • any: any protocol
    • icmp: Internet Control Message Protocol
    • igmp: Internet Group Management Protocol
    • tcp: Transmission Control Protocol
    • udp: User Datagram Protocol
<source>
    Source, which can be one of the following:
    • Source address (IPv4 or IPv6) and wildcard
    • any: any source
    • host: specify a single host IP address
<dest>
    Destination, which can be one of the following:
    • Destination address (IPv4 or IPv6) and wildcard
    • any: any destination
    • host: specify a single host IP address
Usage Guidelines
Extended ACLs are supported for compatibility with router software from other vendors. This ACL permits or denies
traffic based on the source or destination IP address or IP protocol.
Example
The following command configures an extended ACL:
(host) (config) #ip access-list extended 100
deny any host 1.1.21.245 any
Command History
This command was available in ArubaOS 3.0.
Command Information
Platform                    License                     Command Mode
Available on all platforms  Requires the PEFNG license  Config mode on master and local controllers
ip access-list mac
ip access-list mac {<number>|<name>}
deny {<macaddr>[<wildcard>]|any|host <macaddr>} [mirror]
no ...
permit {<macaddr>[<wildcard>]|any|host <macaddr>} [mirror]
Description
This command configures a MAC access control list (ACL).
Syntax
mac
    Configures a MAC access list. Enter a name, or a number in the specified range. Range: 700-799, 1200-1299.
deny
    Reject the specified packets, which can be the following:
    • MAC address and optional wildcard
    • any: any packets
    • host: specify a MAC address
    Optionally, you can configure the mirror parameter, which mirrors packets to a datapath or remote destination.
no
    Negates any configured parameter.
permit
    Allow the specified packets, which can be the following:
    • MAC address and optional wildcard
    • any: any packets
    • host: specify a MAC address
    Optionally, you can configure the mirror parameter, which mirrors packets to a datapath or remote destination.
Usage Guidelines
MAC ACLs allow filtering of non-IP traffic. This ACL filters on a specific source MAC address or range of MAC
addresses.
If you configure the mirror option, define the destination to which mirrored packets are sent in the firewall policy. For
more information, see firewall on page 310.
Example
The following command configures a MAC ACL:
(host) (config) #ip access-list mac 700
deny 11:11:11:00:00:00
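Both the Ethertype ACL (ip access-list eth, above) and the MAC ACL test fields of the Ethernet header rather than anything in an IP packet: the 2-byte Ethertype and the source MAC, each compared through an optional wildcard. The following is an added example, not ArubaOS code, serving both sections: it parses Ethernet headers from constructed frames, applies router-style wildcard matching (a set wildcard bit means "don't care"; this reading of the <bits> and <wildcard> arguments is an assumption, since the page does not spell it out), and evaluates each ACL first-match with an implicit deny at the end. The policies are the page's deny 809b (AppleTalk) and deny 11:11:11:00:00:00 rules, extended with a hypothetical OUI-wide wildcard and a trailing permit-any.

```python
import struct

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
                   0x809B: "AppleTalk", 0x8137: "IPX", 0x8100: "802.1Q"}


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def _fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def make_frame(dst: str, src: str, ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal untagged Ethernet frame (constructed test input)."""
    return struct.pack("!6s6sH", bytes.fromhex(dst.replace(":", "")),
                       bytes.fromhex(src.replace(":", "")), ethertype) + payload


def parse_ethernet_header(frame: bytes) -> dict:
    """Return dst, src and Ethertype; runts are rejected, 802.1Q tags are not unwrapped."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": _fmt_mac(dst), "src": _fmt_mac(src), "ethertype": ethertype}


def wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """Equal on every bit that is 0 in the wildcard; set wildcard bits are don't-care."""
    return (value & ~wildcard) == (pattern & ~wildcard)


def eth_acl_action(rules, ethertype: int) -> str:
    """rules: (action, ethtype or 'any', wildcard); unmatched frames hit the implicit deny."""
    for action, ethtype, wildcard in rules:
        if ethtype == "any" or wildcard_match(ethertype, ethtype, wildcard or 0):
            return action
    return "deny"


def mac_acl_action(rules, src_mac: str) -> str:
    """rules: (action, mac or 'any', wildcard-mac); filters on the source MAC."""
    for action, mac, wildcard in rules:
        if mac == "any" or wildcard_match(_mac_int(src_mac), _mac_int(mac),
                                          _mac_int(wildcard or "00:00:00:00:00:00")):
            return action
    return "deny"


def classify(frame: bytes, eth_acl, mac_acl) -> dict:
    """Parse a frame and report the verdict of each layer-2 ACL on it."""
    hdr = parse_ethernet_header(frame)
    hdr["protocol"] = ETHERTYPE_NAMES.get(hdr["ethertype"], f"0x{hdr['ethertype']:04x}")
    hdr["eth_acl"] = eth_acl_action(eth_acl, hdr["ethertype"])
    hdr["mac_acl"] = mac_acl_action(mac_acl, hdr["src"])
    return hdr


# Constructed policies (hypothetical values). ETH_ACL is the page's "deny 809b"
# followed by an explicit permit-any; MAC_ACL widens the page's
# "deny 11:11:11:00:00:00" to the whole 11:11:11 OUI via the wildcard.
ETH_ACL = [("deny", 0x809B, 0), ("permit", "any", None)]
MAC_ACL = [("deny", "11:11:11:00:00:00", "00:00:00:ff:ff:ff"), ("permit", "any", None)]

if __name__ == "__main__":
    for frame in (make_frame("ff:ff:ff:ff:ff:ff", "11:11:11:aa:bb:cc", 0x809B),
                  make_frame("ff:ff:ff:ff:ff:ff", "00:0b:86:00:00:01", 0x0800)):
        print(classify(frame, ETH_ACL, MAC_ACL))
```

Without the trailing permit-any, every frame not named by a deny rule is also dropped by the implicit deny, which is the usual surprise when an Ethertype ACL meant to block one protocol is applied to a port.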
Command History
Release        Modification
ArubaOS 3.0    Command introduced
ArubaOS 3.3    The mirror parameter was introduced.
Command Information
Platform                    License                     Command Mode
Available on all platforms  Requires the PEFNG license  Config mode
ip access-list session
ip access-list session <accname>
<source> <dest> <service> <action> [<extended action>]
ipv6 <source> <dest> <service> <action> [<extended action>]
no ...
Description
This command configures an access control list (ACL) session. To create IPv6 specific rules, use the ipv6
keyword.
Syntax
<accname>
    Name of an access control list session.
ipv6
    Use the ipv6 keyword to create IPv6 specific rules.
<source>
    The traffic source, which can be one of the following:
    • alias: specify the network resource (use the netdestination command to configure aliases; use the show netdestination command to see configured aliases)
    • any: match any traffic
    • host: specify a single host IP address
    • localip: specify the local IP address to match traffic
    • network: specify the IP address and netmask
    • user: represents the IP address of the user
<dest>
    The traffic destination, which can be one of the following:
    • alias: specify the network resource (use the netdestination command to configure aliases; use the show netdestination command to see configured aliases)
    • any: match any traffic
    • host: specify a single host IP address
    • localip: specify the local IP address to match traffic
    • network: specify the IP address and netmask
    • user: represents the IP address of the user
<service>
    Network service, which can be one of the following:
    • IP protocol number (0-255)
    • name of a network service (use the show netservice command to see configured services)
    • any: match any traffic
    • app: application name
    • appcategory: application category name
    • tcp
      • destination port number: specify the TCP port number (0-65535)
      • source: TCP/UDP source port number
    • udp: specify the UDP port number (0-65535)
<action>
    Action if rule is applied, which can be one of the following:
    • deny: Reject packets. Applicable to both IPv4 and IPv6.
    • dst-nat: Performs destination NAT on packets. Forward packets from source network to destination; re-mark them with destination IP of the target network. This action functions in tunnel/decrypt-tunnel forwarding mode. User should configure the NAT pool in the controller.
    • dual-nat: Performs both source and destination NAT on packets. Source IP and destination IP are changed as per the NAT pool configured. This action functions in tunnel/decrypt-tunnel forwarding mode. User should configure the NAT pool in the controller.
    • permit: Forward packets. Applicable to both IPv4 and IPv6.
    • redirect: Specify the location to which packets are redirected. The following are applicable only to IPv4:
      • Datapath destination ID (0-65535).
      • esi-group: Specify the ESI server group configured with the esi group command.
      • tunnel: Specify the ID of the tunnel configured with the interface tunnel command.
      The following are applicable only to IPv6:
      • tunnel: Specify the ID of the tunnel configured with the interface tunnel command.
      • tunnel-group: Specify the tunnel-group configured with the interface tunnel command.
    • route: Specify the next hop to which packets are routed, which can be one of the following:
      • dst-nat: Destination IP changes to the IP configured from the NAT pool. This action functions in bridge/split-tunnel forwarding mode. User should configure the NAT pool in the controller.
      • src-nat: Source IP changes to RAP’s external IP. This action functions in bridge/split-tunnel forwarding mode and uses implied NAT pool.
    • src-nat: Performs source NAT on packets. Source IP changes to the outgoing interface IP address (implied NAT pool) or from the pool configured (manual NAT pool). This action functions in tunnel/decrypt-tunnel forwarding mode.
<extended action>
    Optional action if rule is applied, which can be one of the following:
    • blacklist: blacklist user if ACL gets applied.
    • classify-media: Monitors user UDP packets to classify them as media and tag accordingly. Use this parameter only for voice and video signaling and control sessions as it causes deep packet inspection of all UDP packets from/to users.
    • disable-scanning: pause ARM scanning while traffic is present. Note that you must enable “VoIP Aware Scanning” in the ARM profile for this feature to work.
    • dot1p-priority: specify 802.1p priority (0-7)
    • log: generate a log message
    • mirror: mirror all session packets to datapath or remote destination. If you configure the mirror option, define the destination to which mirrored packets are sent in the firewall policy. For more information, see firewall on page 310.
    • next-hop-list: Route packet to the next hop in the list.
    • position: specify the position of the rule (1 is first, default is last)
    • queue: assign flow to priority queue (high/low)
    • send-deny-response: if <action> is deny, send an ICMP notification to the source
    • time-range: specify time range for this rule (configured with time-range command)
    • tos: specify ToS value (0-63)
no
    Negates any configured parameter.
Usage Guidelines
Session ACLs define traffic and firewall policies on the controller. You can configure multiple rules for each policy,
with rules evaluated from top (1 is first) to bottom. The first match terminates further evaluation. Generally, you
should order more specific rules at the top of the list and place less specific rules at the bottom of the list. The ACL
ends with an implicit deny all. To configure IPv6 rules, use the ipv6 keyword followed by the regular ACL keywords.
Example
The following command configures a session ACL that drops any traffic from the 10.0.0.0 subnetwork:
ip access-list session drop-from10
network 10.0.0.0 255.0.0.0 any any deny
The following command configures a session ACL with IPv4 and IPv6 address:
(host) (config)#ip access-list session common
(host) (config-sess-common)#host 10.12.13.14 any any permit
(host) (config-sess-common)#ipv6 host 11:12:11:11::2 any any permit
The following example displays information for an ACL called mylist.
(host) (config) #show ip access-list mylist
ip access-list session mylist
mylist
------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          app      gmail        deny                              Low                                                         4
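The usage guidelines above state how a session ACL is evaluated: rules are tried from position 1 downward, the first match ends evaluation, and anything unmatched falls to the implicit deny all, which is why specific rules belong above general ones. The following is an added example, not ArubaOS code: a small model of that evaluation over rule lines written in the page's own syntax, plus a static check that reports rules shadowed by an earlier, broader rule. Only a subset of the grammar is modelled (sources and destinations of any, host <ip>, network <ip> <mask>; services of any, tcp <port>, udp <port>, or a protocol number; actions permit and deny). The policy is the page's drop-from10 rule followed by a hypothetical host permit that it silently shadows.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUM = {"tcp": 6, "udp": 17}


def _parse_endpoint(tokens: List[str]):
    """Consume a <source>/<dest> clause; return (network, remaining tokens)."""
    kind = tokens[0]
    if kind == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if kind == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if kind == "network":
        return ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False), tokens[3:]
    raise ValueError(f"unsupported endpoint keyword: {kind}")


def _parse_service(tokens: List[str]):
    """Consume a <service> clause; return ((protocol, port), remaining tokens)."""
    kind = tokens[0]
    if kind == "any":
        return (None, None), tokens[1:]
    if kind in PROTO_NUM:
        return (PROTO_NUM[kind], int(tokens[1])), tokens[2:]
    if kind.isdigit():
        return (int(kind), None), tokens[1:]
    raise ValueError(f"unsupported service keyword: {kind}")


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]
    port: Optional[int]
    action: str
    text: str

    @classmethod
    def parse(cls, line: str) -> "Rule":
        """Parse one rule such as 'network 10.0.0.0 255.0.0.0 any any deny'."""
        src, rest = _parse_endpoint(line.split())
        dst, rest = _parse_endpoint(rest)
        (proto, port), rest = _parse_service(rest)
        if not rest or rest[0] not in ("permit", "deny"):
            raise ValueError(f"rule needs a permit/deny action: {line!r}")
        return cls(src, dst, proto, port, rest[0], line)

    def matches(self, src_ip: str, dst_ip: str, proto: int, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.proto in (None, proto)
                and self.port in (None, dport))


def evaluate(acl: List[str], src_ip: str, dst_ip: str, proto: int, dport: int) -> Tuple[str, str]:
    """Walk the ACL top to bottom; the first match wins, else the implicit deny all."""
    for rule in (Rule.parse(r) for r in acl):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.text
    return "deny", "implicit deny all"


def shadowed_rules(acl: List[str]) -> List[str]:
    """Rules that can never fire because an earlier rule already covers their traffic.

    A superset test on source, destination, protocol and port: it flags the
    'general rule above specific rule' ordering error, not every unreachable rule.
    """
    rules = [Rule.parse(r) for r in acl]
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and earlier.proto in (None, later.proto)
                    and earlier.port in (None, later.port)):
                shadowed.append(later.text)
                break
    return shadowed


# Constructed policy: the page's drop-from10 rule followed by a hypothetical
# host permit that the first rule shadows.
CONSTRUCTED_ACL = [
    "network 10.0.0.0 255.0.0.0 any any deny",
    "host 10.12.13.14 any tcp 443 permit",
]

if __name__ == "__main__":
    print(evaluate(CONSTRUCTED_ACL, "10.12.13.14", "192.0.2.10", 6, 443))
    print(shadowed_rules(CONSTRUCTED_ACL))
    print(evaluate(CONSTRUCTED_ACL[::-1], "10.12.13.14", "192.0.2.10", 6, 443))
```

Reversing the two rules (or adding the permit with position 1) makes the host rule reachable; the shadowing check is the kind of test worth running over a policy before it is applied to a user role.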
Command History
Release        Modification
ArubaOS 3.0    This command was introduced.
ArubaOS 6.3    The any tcp source parameter was introduced.
ArubaOS 6.4    The redirect parameter was introduced under action. The app and appcategory parameters were introduced under service.
Command Information
Platform                    License                     Command Mode
Available on all platforms  Requires the PEFNG license  Config mode on master controllers
ip access-list standard
ip access-list standard {<number>|<name>}
deny {<ipaddr> <wildcard>|any|host <ipaddr>}
no ...
permit {<ipaddr> <wildcard>|any|host <ipaddr>}
Description
This command configures a standard access control list (ACL).
Syntax
standard
    Enter a name, or a number in the specified range. Range: 1-99, 1300-1399.
ipv6
    Use the ipv6 keyword to create IPv6 specific standard rules.
deny
    Reject the specified packets, which can be the following:
    • IP address and optional wildcard
    • any: any packets
    • host: specify a host IP address
no
    Negates any configured parameter.
permit
    Allow the specified packets, which can be the following:
    • IP address and optional wildcard
    • any: any packets
    • host: specify a host IP address
Usage Guidelines
Standard ACLs are supported for compatibility with router software from other vendors. This ACL permits or denies
traffic based on the source address of the packet.
Example
The following command configures a standard ACL:
(host) (config) #ip access-list standard 1
permit host 10.1.1.244
Command History
Introduced in ArubaOS 3.0
Command Information
Platform                    License                     Command Mode
Available on all platforms  Requires the PEFNG license  Config mode on master controllers
ip cp-redirect-address
ip cp-redirect-address <ipaddr> | disable
Description
This command configures a redirect address for captive portal.
Syntax
<ipaddr>
    Host address with a 32-bit netmask. This address should be routable from all external networks.
disable
    Disables automatic DNS resolution for captive portal.
Usage Guidelines
This command redirects wireless clients that are on different VLANs (from the controller’s IP address) to the captive
portal on the controller.
If you have the Next Generation Policy Enforcement Firewall (PEFNG) license installed in the controller, modify the
captive portal session ACL to permit HTTP/S traffic to the destination cp-redirect-address <ipaddr> instead of
mswitch. If you do not have the PEFNG license installed in the controller, the implicit captive-portal-profile ACL is
automatically modified when you issue this command.
Example
The following command configures a captive portal redirect address:
(host) (config) #ip cp-redirect-address
Command History
Introduced in ArubaOS 3.0
Command Information
Platform                    License                                 Command Mode
Available on all platforms  Available in the base operating system  Config mode on master controllers
ip default-gateway
ip default-gateway <ipaddr>|{import cell|dhcp|pppoe}|{ipsec <name>} <cost>
Description
This command configures the default gateway for the controller.
Syntax
<ipaddr>
    IP address of the default gateway.
import
    Use a gateway IP address obtained through the cell interface, DHCP or PPPoE. The default gateway is imported into the routing table and removed when the uplink is no longer active.
cell
    Use a gateway IP address obtained through the cell interface.
dhcp
    Use a gateway IP address obtained through DHCP.
pppoe
    Use a gateway IP address obtained through PPPoE.
ipsec <name>
    Define a static route using an ipsec map.
<cost>
    Distance metric for this route.
Usage Guidelines
You can use this command to set the default gateway to the IP address of the interface on the upstream router or
switch to which you connect the controller. If you define more than one dynamic gateway type, you must also define
a cost for the route to each gateway. The controller will first attempt to obtain a gateway IP address using the option
with the lowest cost. If the controller is unable to obtain a gateway IP address, it will then attempt to obtain a
gateway IP address using the option with the next-lowest path cost.
Example
The following command configures the default gateway for the controller:
(host) (config) #ip default-gateway 10.1.1.1
Command History
Introduced in ArubaOS 3.0
Command Information
Platform                    License                                 Command Mode
Available on all platforms  Available in the base operating system  Config mode on master controllers
ip dhcp excluded-address
ip dhcp excluded-address <low-ipaddr> [<high-ipaddr>]
Description
This command configures an excluded address range for the DHCP server on the controller.
Syntax
<low-ipaddr>
    Low end of range of IP addresses. For example, you can enter the IP address of the controller so that this address is not assigned.
<high-ipaddr>
    High end of the range of IP addresses.
Usage Guidelines
Use this command to specifically exclude certain addresses from being assigned by the DHCP server. Ensure that
the statically assigned IP addresses are excluded.
Example
The following command configures an excluded address range:
ip dhcp excluded-address 192.168.1.1 192.168.1.255
Command History
Introduced in ArubaOS 3.0
Command Information
Platform                    License                             Command Mode
Available on all platforms  Available in base operating system  Config mode on master controllers
ip dhcp pool
ip dhcp pool <name>
default-router <ipaddr> ...
dns-server {<ipaddr> ... |import}
domain-name <name>
lease <days> <hours> <minutes>
netbios-name-server {<ipaddr> ... |import}
network <ipaddr> {<netmask>|<prefix>}
no ...
option <code> ip <ipaddr>
pooltype ipupsell|private|public
vendor-class-identifier
Description
This command configures a DHCP pool on the controller.
Syntax
default-router
    IP address of the default router for the DHCP client. The client should be on the same subnetwork as the default router. You can specify up to eight IP addresses.
dns-server
    IP address of the DNS server, which can be one of the following:
    • <address>: IP address of the DNS server. You can specify up to eight IP addresses.
    • import: Use the DNS server address obtained through PPPoE or DHCP.
domain-name
    Domain name to which the client belongs.
lease
    The amount of time that the assigned IP address is valid for the client. Specify the lease in <days> <hours> <minutes>.
netbios-name-server
    IP address of the NetBIOS Windows Internet Naming Service (WINS) server, which can be one of the following:
    • <address>: IP address of the WINS server. You can specify up to eight IP addresses.
    • import: Use the NetBIOS name server address obtained through PPPoE or DHCP.
network
    Range of addresses that the DHCP server may assign to clients, in the form of <ipaddr> and <netmask> or <ipaddr> and <prefix> (/n).
no
    Negates any configured parameter.
option
    Client-specific option code and IP address. See RFC 2132, “DHCP Options and BOOTP Vendor Extensions”.
pooltype
    Configure one of the following DHCP Pool types:
    • ipupsell: Configure the DHCP pool as an IP upsell pool
    • private: Configure the DHCP pool as private
    • public: Configure the DHCP pool as public
vendor-class-identifier
    Send the ArubaAP vendor ID to clients.
Usage Guidelines
A DHCP pool should be created for each IP subnetwork for which DHCP services should be provided. DHCP pools
are not specifically tied to VLANs, as the DHCP server exists on every VLAN. When the controller receives a
DHCP request from a client, it examines the origin of the request to determine if it should respond. If the IP address
of the VLAN matches a configured DHCP pool, the controller answers the request.
Example
The following command configures a DHCP pool:
(host) (config) #ip dhcp pool floor1
default-router 10.26.1.1
dns-server 192.168.1.10
domain-name floor1.test.com
lease 0 8 0
network 10.26.1.0 255.255.255.0
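The usage guidelines for ip dhcp excluded-address and ip dhcp pool above state two rules: a pool answers a request arriving on a VLAN when the VLAN interface address falls inside the pool's network, and excluded addresses (the controller's own address among them) are never handed out. The following is an added example, not ArubaOS code, serving both sections: it models pool selection, excluded ranges, the lease <days> <hours> <minutes> form and the resulting offer for a request on a VLAN. The pool is the floor1 pool from the example above on VLAN 16 (10.26.1.1, from the interface vlan example); the excluded range 10.26.1.1-10.26.1.20 is a hypothetical value chosen to fit that pool.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed from the page's examples: VLAN 16 at 10.26.1.1 and the floor1 pool.
POOLS: Dict[str, dict] = {
    "floor1": {"network": ipaddress.ip_network("10.26.1.0/24"),
               "default_router": "10.26.1.1",
               "dns_server": "192.168.1.10",
               "lease": (0, 8, 0)},            # <days> <hours> <minutes>
}
# Hypothetical excluded range for that pool (the page's own example excludes 192.168.1.1-255).
EXCLUDED: List[Tuple[str, str]] = [("10.26.1.1", "10.26.1.20")]


def lease_seconds(days: int, hours: int, minutes: int) -> int:
    """Convert the CLI's 'lease <days> <hours> <minutes>' form to seconds."""
    return ((days * 24 + hours) * 60 + minutes) * 60


def select_pool(pools: Dict[str, dict], vlan_ip: str) -> Optional[str]:
    """Pool that answers a request on a VLAN: its network contains the VLAN address."""
    addr = ipaddress.ip_address(vlan_ip)
    for name, pool in pools.items():
        if addr in pool["network"]:
            return name
    return None


def excluded_set(excluded: List[Tuple[str, str]]) -> set:
    """Expand excluded-address ranges; a single address is a range of one."""
    out = set()
    for low, high in excluded:
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if hi < lo:
            raise ValueError(f"excluded range {low}-{high} is reversed")
        out.update(ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1))
    return out


def assignable(pool: dict, excluded: List[Tuple[str, str]], vlan_ip: str) -> List[str]:
    """Host addresses the pool may lease: network hosts minus exclusions and the interface IP."""
    blocked = excluded_set(excluded) | {ipaddress.ip_address(vlan_ip)}
    return [str(a) for a in pool["network"].hosts() if a not in blocked]


def offer(pools: Dict[str, dict], excluded: List[Tuple[str, str]],
          vlan_ip: str, in_use=()) -> Optional[dict]:
    """First free address plus lease for a request seen on the given VLAN, or None."""
    name = select_pool(pools, vlan_ip)
    if name is None:
        return None          # no pool matches this VLAN: the controller does not answer
    pool = pools[name]
    free = [a for a in assignable(pool, excluded, vlan_ip) if a not in set(in_use)]
    if not free:
        return None          # pool exhausted
    return {"pool": name, "address": free[0], "router": pool["default_router"],
            "lease_seconds": lease_seconds(*pool["lease"]),
            "free_remaining": len(free) - 1}


if __name__ == "__main__":
    print(offer(POOLS, EXCLUDED, "10.26.1.1", in_use={"10.26.1.21"}))
    print(offer(POOLS, EXCLUDED, "10.4.1.22"))   # no pool on that VLAN
```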
Command History
Introduced in ArubaOS 3.0
Command Information
Platform                    License                                 Command Mode
Available on all platforms  Available in the base operating system  Config mode on master controllers
ip domain lookup
ip domain lookup
Description
This command enables Domain Name System (DNS) hostname to address translation.
Syntax
There are no parameters for this command.
Usage Guidelines
This command is enabled by default. Use the no form of this command to disable.
Example
The following command enables DNS hostname translation:
(host)(config) #ip domain lookup
Command History
This command was available in ArubaOS 3.0.
Command Information
Platform                    License                                 Command Mode
Available on all platforms  Available in the base operating system  Config mode on master controllers
ip domain-name
ip domain-name <name>
Description
This command configures the default domain name.
Syntax
domain-name
    Name used to complete unqualified host names. Do not specify the leading dot (.).
Usage Guidelines
The controller uses the default domain name to complete hostnames that do not contain domain names. You must
have at least one domain name server configured on the controller (see ip name-server on page 431).
Example
The following command configures the default domain name:
(host) (config) #ip domain-name yourdomain.com
Command History
This command was available in ArubaOS 3.0.
Command Information
Platform                    License                                 Command Mode
Available on all platforms  Available in the base operating system  Config mode on master controllers
ip igmp
ip igmp
last-member-query-count <number>
last-member-query-interval <seconds>
max-members-per-group <val>
query-interval <seconds>
query-response-interval <.1 seconds>
quick-client-convergence
robustness-variable <2-10>
ssm-range
startup-query-count <number>
startup-query-interval <seconds>
version-1-router-present-timeout <seconds>
Description
This command configures Internet Group Management Protocol (IGMP) timers and counters.
Syntax
last-member-query-count
    Number of group-specific queries that the controller sends before assuming that there are no local group members. Range: 1-65535. Default: 2.
last-member-query-interval
    Maximum time, in seconds, that can elapse between group-specific query messages. Range: 1-65535 seconds. Default: 10 seconds.
max-members-per-group
    Configure maximum members per group. Range: 1-65535. Default: 300.
query-interval
    Interval, in seconds, at which the controller sends host-query messages to the multicast group address 224.0.0.1 to solicit group membership information. Range: 1-65535 seconds. Default: 125 seconds.
query-response-interval
    Maximum time, in 1/10th seconds, that can elapse between when the controller sends a host-query message and when it receives a response. This must be less than the query-interval. Range: 1-65535 seconds. Default: 100 (10 seconds).
quick-client-convergence
    Trigger IGMP reports from client during roaming.
robustness-variable
    Increase this value to allow for expected packet loss on a subnetwork. Range: 2-10. Default: 2.
ssm-range
    Configure the start IP address and mask IP address for ssm-range.
startup-query-count
    Number of queries that the controller sends out on startup, separated by startup-query-interval. The default is the robustness-variable value. Range: 1-65535. Default: 2.
startup-query-interval
    Interval, in seconds, at which the controller sends general queries on startup. Range: 1-65535 seconds. Default: 1/4 of the query interval.
version-1-router-present-timeout
    Timeout, in seconds, if a version 1 IGMP router is detected. Range: 1-65535 seconds. Default: 400 seconds.
Usage Guidelines
IGMP is used to establish and manage IP multicast group membership. See RFC 3376, “Internet Group
Management Protocol, version 3” for more information.
Example
The following command configures IGMP:
(host) (config) #ip igmp
query-interval 130
Command History
Release | Modification
ArubaOS 3.0 | Command introduced
ArubaOS 6.1 | Added parameters: max-members-per-group and quick-client-convergence
ArubaOS 6.4 | The ssm-range parameter is introduced.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
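The IGMP timers above interact in ways a per-parameter range check does not show. The following Python, added here and not part of the ArubaOS guide, parses an ip igmp block, applies the stated ranges and the rule that query-response-interval must be less than query-interval, and derives the RFC 3376 group-membership timers from the same values; the two sample blocks are constructed.

```python
"""Added example (not from the ArubaOS guide): parse an `ip igmp` block, check it
against the ranges and the cross-parameter rule stated above, and derive the
RFC 3376 timers that follow from the configured values."""

# Ranges and defaults as given in the ip igmp parameter table above.
# Values are (min, max, default); None marks a default derived from another parameter.
IGMP_PARAMS = {
    "last-member-query-count": (1, 65535, 2),
    "last-member-query-interval": (1, 65535, 10),         # seconds
    "max-members-per-group": (1, 65535, 300),
    "query-interval": (1, 65535, 125),                    # seconds
    "query-response-interval": (1, 65535, 100),           # tenths of a second
    "robustness-variable": (2, 10, 2),
    "startup-query-count": (1, 65535, None),              # default: robustness-variable
    "startup-query-interval": (1, 65535, None),           # default: query-interval / 4
    "version-1-router-present-timeout": (1, 65535, 400),  # seconds
}
FLAGS = {"quick-client-convergence"}


def parse_igmp_block(text):
    """Return {parameter: value} from sub-mode lines such as 'query-interval 130'.
    A leading '(host) (config) #' prompt and the 'ip igmp' line itself are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[-1].strip()
        if not line or line == "ip igmp":
            continue
        parts = line.split()
        name = parts[0]
        if name in FLAGS and len(parts) == 1:
            cfg[name] = True
        elif name == "ssm-range":
            cfg[name] = parts[1:]            # start address and mask, kept verbatim
        elif name in IGMP_PARAMS and len(parts) == 2 and parts[1].isdigit():
            cfg[name] = int(parts[1])
        else:
            raise ValueError(f"unrecognised ip igmp line: {raw!r}")
    return cfg


def effective(cfg):
    """Apply defaults, including the two that depend on other parameters."""
    eff = {name: cfg.get(name, default) for name, (_, _, default) in IGMP_PARAMS.items()}
    if eff["startup-query-count"] is None:
        eff["startup-query-count"] = eff["robustness-variable"]
    if eff["startup-query-interval"] is None:
        eff["startup-query-interval"] = eff["query-interval"] / 4
    return eff


def validate(cfg):
    """Return a list of problems; an empty list means the block is consistent."""
    problems = []
    for name, value in cfg.items():
        if name in IGMP_PARAMS:
            lo, hi, _ = IGMP_PARAMS[name]
            if not lo <= value <= hi:
                problems.append(f"{name}={value} is outside {lo}-{hi}")
    eff = effective(cfg)
    # query-response-interval is in tenths of a second, query-interval in seconds;
    # the table requires the former to be less than the latter, so compare in seconds.
    if eff["query-response-interval"] / 10 >= eff["query-interval"]:
        problems.append("query-response-interval must be less than query-interval")
    return problems


def derived_timers(cfg):
    """Timers from RFC 3376 section 8 implied by the configuration, in seconds."""
    eff = effective(cfg)
    rv = eff["robustness-variable"]
    qi = eff["query-interval"]
    qri = eff["query-response-interval"] / 10
    return {
        # how long a querier keeps a group after the last report it heard
        "group-membership-interval": rv * qi + qri,
        # how long a non-querier waits before taking over as querier
        "other-querier-present-interval": rv * qi + qri / 2,
        # how long the querier waits for replies to its group-specific queries
        "last-member-query-time": eff["last-member-query-interval"] * eff["last-member-query-count"],
    }


# Constructed samples: the page's own example, and a block with two faults.
SAMPLE_OK = "(host) (config) #ip igmp\nquery-interval 130\n"
SAMPLE_BAD = "ip igmp\nquery-interval 20\nquery-response-interval 250\nrobustness-variable 1\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        cfg = parse_igmp_block(sample)
        print(cfg, validate(cfg), derived_timers(cfg))
```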
ip local
ip local pool <name> <start-ipaddr> [<end-ipaddr>]
Description
This command configures a local IP pool for Layer-2 Tunnel Protocol (L2TP).
Syntax
Parameter | Description
pool | Name for the address pool.
<start-ipaddr> | Starting IP address for the pool.
<end-ipaddr> | (Optional) Ending IP address for the pool.
Usage Guidelines
VPN clients can be assigned IP addresses from the L2TP pool.
Example
The following command configures an L2TP pool:
(host) (config) #ip local pool 10.1.1.1 10.1.1.99
Command History
This command was available in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
ip mobile active-domain
ip mobile
ip mobile active-domain <name>
Description
This command configures the mobility domain that is active on the controller.
Syntax
Parameter | Description
active-domain | Name of the mobility domain.
Usage Guidelines
All controllers are initially part of the “default” mobility domain. If you use the “default” mobility domain, you do not need to specify this domain as the active domain on the controller. However, once you assign a controller to a user-defined domain, the “default” mobility domain is no longer an active domain on the controller.
Example
The following command assigns the controller to a user-defined mobility domain:
(host) (config) #ip mobile active-domain campus1
Command History
This command was available in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
ip mobile domain
ip mobile domain <name>
description <descr>
hat <home-agent> description <dscr>
no
Description
This command configures the mobility domain on the controller.
Syntax
Parameter | Description
<name> | Name of the mobility domain.
description <descr> | Description of the mobility domain. The description can be a maximum of 30 characters (including spaces).
hat | Configures a home agent table (HAT) entry.
<home-agent> | The IP address of the home agent controller that requires mobility service.
description <dscr> | Description of the Home Agent Table (HAT) entry. The description can be a maximum of 30 characters (including spaces).
no | Negates any configured parameter.
Usage Guidelines
You configure the HAT on a master controller; the mobility domain information is pushed to all local controllers that
are managed by the same master.
HAT entries map subnetworks or VLANs and the home agents. The home agent is typically the controller’s IP
address. The home agent’s IP address must be routable; that is, all controllers that belong to the same mobility
domain must be able to reach the home agent’s IP address.
The maximum number of mobility datapath tunnels supported is 32. A maximum of 32 HAT entries can be configured if the HAT entries are not VRRP IP addresses. If VRRP IP addresses are configured in the HAT, the maximum number of HAT entries supported is less than 32, because for each VRRP entry in the HAT more than two datapath tunnels are counted.
The controller looks up information in the HAT to obtain the IP address of the home agent for a mobile client.
Because there can be multiple home agents on a subnetwork, the HAT can contain more than one entry for the same
subnetwork.
Example
The following command configures HAT entries:
(host) (mobility-domain) #ip mobile domain east_building
(host) (mobility-domain) #hat 192.0.2.1 description "East building entries"
(host) (mobility-domain) #show ip mobile domain east_building
Mobility Domains:, 1 domain(s)
-----------------------------
Domain name east_building
Home Agent Table
Home Agent       Description
---------------  -------------------------
192.0.2.1        East building entries
Command History
Release | Modification
ArubaOS 3.0 | Command introduced.
ArubaOS 6.0 | A new parameter, description, is added for providing more information about a HAT entry.
ArubaOS 6.3 | Under the hat <home-agent> command, the following parameters are deprecated: <netmask>, <VLAN-ID>, <home-agent>, description <dscr>. The above command is replaced by the hat <home-agent> description <dscr> command.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
ip mobile foreign-agent
ip mobile foreign-agent {lifetime <seconds> | max-visitors <number> |
registrations {interval <msecs> | retransmits <number>}}
Description
This command configures the foreign agent for IP mobility.
Syntax
Parameter | Description | Range | Default
lifetime | Requested lifetime, in seconds, as per RFC 3344, “IP Mobility Support for IPv4”. | 10-65534 | 180 seconds
max-visitors | Maximum number of active visitors. | 0-5000 | 5000
registrations | Frequency at which re-registration messages are sent to the home agent:
interval | Retransmission interval, in milliseconds. | 100-10000 | 1000 milliseconds
retransmits | Maximum number of times the foreign agent attempts mobile IP registration message exchanges before giving up. | 0-5 | 3
Usage Guidelines
A foreign agent is the controller which handles all mobile IP communication with a home agent on behalf of a roaming
client.
Example
The following command configures the foreign agent:
(host) (config) #ip mobile foreign-agent registration interval 10000
Command History
This command was available in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
ip mobile home-agent
ip mobile home-agent {max-bindings <number>|replay <seconds>}
Description
This command configures the home agent for IP mobility.
Syntax
Parameter | Description | Range | Default
max-bindings | Maximum number of mobile IP bindings. This option is an additional limitation to control the maximum number of roaming users. When the limit is reached, registration requests from the foreign agent fail, which causes a mobile client to set up a new session on the visited controller, which will become its home controller. | 0-5000 | 5000
replay | Time difference, in seconds, for timestamp-based replay protection, as described by RFC 3344, “IP Mobility Support for IPv4”. 0 disables replay protection. | 0-300 | 7 seconds
Usage Guidelines
A home agent for a mobile client is the controller where the client first appears when it joins the mobility domain. The
home agent is the single point of contact for the client when it roams.
Example
The following command configures the home agent:
(host) (config) #ip mobile home-agent replay 100
Command History
This command was available in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
ip mobile packet-trace
ip mobile packet-trace <mac-address>
Description
This command enables packet tracing for the given mac address.
Use this command with caution. It replaces the existing users with user entries from the imported file.
Syntax
Parameter | Description
<mac-address> | The MAC address of the host.
Usage Guidelines
Executing this command enables packet tracing for the given mac address. This is used for troubleshooting
purposes only.
Example
The following command enables packet tracing for the host:
(host) (config) #ip mobile packet-trace 00:40:96:a6:a1:a4
Command History
This command was available in ArubaOS 3.4.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
ip mobile proxy
ip mobile proxy auth-sta-roam-only | event-threshold <number> | log-trail | no-service-timeout <seconds> | on-association | refresh-stale-ip | stale-timeout <seconds> | trail-length <number> | trail-timeout <seconds>
Description
This command configures the proxy mobile IP module in a mobility-enabled controller.
Syntax
Parameter | Description | Range | Default
auth-sta-roam-only | Allows a client to roam only if it has been authenticated. If a client has not been authenticated, no mobility service is offered if it roams to a different VLAN or controller. | — | enabled
event-threshold | Maximum number of mobility events (events that can trigger mobility) handled per second. Mobility events above this threshold are ignored. This helps to control frequent mobility state changes when the client bounces back and forth on APs before settling down. | 1-65535 | 25
log-trail | Enables logging at the notification level for mobile client moves. | — | enabled
no-service-timeout | Time, in seconds, after which mobility service expires. If nothing has changed from the previous state, the client is given another bridge entry but it will have limited connectivity. | 30-60000 | 180 seconds
on-association | Enabling this option triggers mobility on station association. Mobility move detection is performed when the client associates with the controller and not when the client sends packets. Mobility on association can speed up roaming and improve connectivity for devices that can trigger mobility if they do not send many uplink packets. The downside is security; an association is all it takes to trigger mobility. This option is applicable only if layer-2 security is enforced. It is recommended to retain the default settings, as this option causes more load in the system due to the exchange of extra messages between controllers in the mobility domain. | — | disabled
refresh-stale-ip | Mobility forces the station to renew its stale IP (assuming it is DHCP) by deauthorizing the station.
stale-timeout | Number of seconds the mobility state is retained after the loss of connectivity. This allows authentication state and mobility information to be preserved on the home agent controller. The default is 60 seconds but can be safely increased. Note that in many cases a station state is deleted without waiting for the stale timeout: user delete from management, foreign agent to foreign agent handoff, etc. (This is different from the no-service-timeout; no-service-timeout occurs up front, while the stale-timeout begins when mobility service is provided but the connection is disrupted for some reason.) | 30-3600 | 60 seconds
stand-alone-AP | Enables support for third party or standalone APs. When this is enabled, broadcast packets are not used to trigger mobility and packets from untrusted interfaces are accepted. If mobility is enabled, you must also enable standalone AP for the client to connect to the controller’s untrusted port. If the controller learns wired users via the following methods, enable standalone AP: a third party AP connected to the controller through the untrusted port; clients connected to ENET1 on APs with two ethernet ports; a wired user connected directly to the controller’s untrusted port. NOTE: When IP mobility is enabled, you must also enable the Stand Alone AP Support option so that a MUX server can perform properly and display all wired users who are connected to a MUX port. | — | disabled
trail-length | Specifies the maximum number of entries (client moves) stored in the user mobility trail. | 1-100 | 30
trail-timeout | Specifies the maximum interval, in seconds, an inactive mobility trail is held. | 120-86400 | 3600 seconds
Usage Guidelines
The proxy mobile IP module in a mobility-enabled controller detects when a mobile client has moved to a foreign
network and determines the home agent for a roaming client. The proxy mobile IP module performs the following
functions:
- Derives the address of the home agent for a mobile client from the HAT using the mobile client’s IP address. If there is more than one possible home agent for a mobile client in the HAT, the proxy mobile IP module uses a discovery mechanism to find the current home agent for the client.
- Detects when a mobile client has moved. Client moves are detected based on ingress port and VLAN changes and mobility is triggered accordingly. For faster roaming convergence between AP(s) on the same controller, it is recommended that you keep the “on-association” option enabled. This helps trigger mobility as soon as 802.11 association packets are received from the mobile client.
Example
The following command enables the packet trace for the given MAC address:
ip mobile packet-trace 00:40:96:a6:a1:a4
Command History
Version | Modification
ArubaOS 3.0 | Command introduced.
ArubaOS 6.2 | The re-home parameter was deprecated as the re-homing functionality is no longer available.
ArubaOS 6.3 | The block-dhcp-release, dhcp aggressive-transaction, dhcp ignore-options, dhcp max-requests <0-50>, dhcp transaction-hold <1-100>, dhcp transaction-timeout <10-600>, and stand-alone-AP parameters are deprecated.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system. | Config mode on master controllers
ip mobile revocation
ip mobile revocation {interval <msec> | retransmits <number>}
Description
This command configures the frequency at which registration revocation messages are sent.
Syntax
Parameter | Description | Range | Default
interval | Retransmission interval, in milliseconds. | 100-10000 ms | 1000 ms
retransmits | Maximum number of times the home agent or foreign agent attempts mobile IP registration/revocation message exchanges before giving up. | 0-5 | 3
Usage Guidelines
A home agent or foreign agent can send a registration revocation message, which revokes registration service for the
mobile client. For example, when a mobile client roams from one foreign agent to another, the home agent can send a
registration revocation message to the first foreign agent so that the foreign agent can free any resources held for the
client.
Example
The following command configures registration revocation messages:
(host) (config) #ip mobile revocation interval 2000
Command History
This command was available in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system. | Config mode on master controllers
ip mobile trail (deprecated)
ip mobile trail {host IP address | host MAC address}
Description
This command configures the capture of association trail for all devices.
Command History
Version | Description
ArubaOS 3.0 | Command introduced
ArubaOS 6.1 | Command deprecated
ip name-server
ip name-server <ipaddr>
Description
This command configures servers for name and address resolution.
Syntax
Parameter | Description
<ipaddr> | IP address of the server.
Usage Guidelines
You can configure up to six servers using separate commands. Specify one or more servers when you configure a
default domain name (see ip domain-name on page 416).
Example
The following command configures a name server:
ip name-server 10.1.1.245
Command History
This command was available in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system. | Config mode on master controllers
ip nat
ip nat pool <name> <start-ipaddr> <end-ipaddr> [<dest-ipaddr>]
Description
This command configures a pool of IP addresses for network address translation (NAT).
Syntax
Parameter | Description
pool | Name of the NAT pool.
<start-ipaddr> | IP address that defines the beginning of the range of source NAT addresses in the pool.
<end-ipaddr> | IP address that defines the end of the range of source NAT addresses in the pool.
<dest-ipaddr> | Destination NAT IP address.
Usage Guidelines
This command configures a NAT pool which you can reference in a session ACL rule (see ip access-list session on
page 406).
Example
The following command configures a NAT pool:
(host) (config) #ip nat pool 2net 2.1.1.1 2.1.1.125
Command History
This command was available in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | This command requires the PEFNG license. | Config mode on master and local controllers
ip ospf
ip ospf area | {authentication message-digest | cost <cost> | dead-interval <seconds> | hello-interval <seconds> | message-digest-key <keyid> <passwd> | priority <number> | retransmit-interval <seconds> | transmit-delay <seconds>}
Description
Configure OSPF on the VLAN interface.
Syntax
Parameter | Description | Range | Default
area | Enable OSPF on a specific interface by entering the IP address of the router that will use OSPF.
authentication message-digest | Set the OSPF authentication mode to message digest.
cost <cost> | Set the cost associated with the OSPF traffic on an interface. | 1 to 65535 | 1
dead-interval <seconds> | Set the interval (seconds) that may elapse since the last hello packet was received from the router. After the interval elapses, the neighboring routers declare the router dead. | 1 to 65535 seconds | 40
hello-interval <seconds> | Set the interval (seconds) between hello packets sent on the interface. | 1 to 65535 seconds | 10
message-digest-key <keyid> <passwd> | Enable OSPF MD5 authentication and set the key identification and a character string password. | <keyid> = 1 to 256 | No default
priority <number> | Set the priority number of the interface to determine the DR. | 0 to 255 | 1
retransmit-interval <seconds> | Set the retransmission time between link state advertisements for adjacencies belonging to the interface. NOTE: Set the time interval long enough to prevent unnecessary retransmissions. | 1 to 65535 seconds | 5
transmit-delay <seconds> | Set the time that elapses before retransmitting link state update packets on the interface. | 1 to 65535 seconds | 1
Usage Guidelines
When configuring OSPF over multiple vendors, use this command to ensure that all routers use the same cost.
Otherwise, OSPF may route improperly.
ArubaOS 6.4| Reference Guide
ip ospf | 433
Related Commands
Command | Description
show ip ospf | View the OSPF configuration
Command History
Release | Modification
ArubaOS 3.4 | Command introduced
Command Information
Platforms | Licensing | Command Mode
All Platforms | Base operating system | Configuration Interface Mode (config-subif)
ip pppoe-max-segment-size (deprecated)
ip pppoe-max-segment-size <mss>
Description
This command configures the maximum TCP segment size (mss), in bytes, for Point-to-Point Protocol over Ethernet
(PPPoE) data.
Command History
Release | Modification
ArubaOS 3.0 | Command introduced
ArubaOS 6.1 | Command deprecated
ip pppoe-password (deprecated)
ip pppoe-password <password>
Description
This command configures the PPP over Ethernet (PPPoE) password.
Command History
Release | Modification
ArubaOS 3.0 | Command introduced
ArubaOS 6.1 | Command deprecated
ip pppoe-service-name (deprecated)
ip pppoe-service-name <service_name>
Description
This command configures the PPP over Ethernet (PPPoE) service name.
Command History
Release | Modification
ArubaOS 3.0 | Command introduced
ArubaOS 6.1 | Command deprecated
ip pppoe-username (deprecated)
ip pppoe-username <username>
Description
This command configures the PPP over Ethernet (PPPoE) username.
Command History
Release | Modification
ArubaOS 3.0 | Command introduced
ArubaOS 6.1 | Command deprecated
ip radius
ip radius {nas-ip <ipaddr> | rfc-3576-server udp-port <port> | source-interface {loopback | vlan <vlan>}}
Description
This command configures global parameters for configured RADIUS servers.
Syntax
Parameter | Description | Range | Default
nas-ip | NAS IP address to send in RADIUS packets. A server-specific NAS IP configured with the aaa authentication-server radius command supersedes this configuration. | — | —
rfc-3576-server | Configures the UDP port to receive requests from a RADIUS server that can send user disconnect and change-of-authorization messages, as described in RFC 3576, “Dynamic Authorization Extensions to Remote Dial In User Service (RADIUS)”. See the aaa rfc-3576-server command to configure the server. NOTE: This parameter can only be used on the master controller. | — | —
udp-port | UDP port to receive server requests. | 0-65535 | 3799
source-interface | Interface for all outgoing RADIUS packets. The IP address of the specified interface is included in the IP header of RADIUS packets. The interface can be one of the following: | — | —
loopback | The loopback interface. | — | —
vlan | The specified VLAN. | — | —
Usage Guidelines
This command configures global RADIUS server parameters. If the aaa authentication-server radius command
configures a server-specific NAS IP, the server-specific IP address is used instead.
Example
The following command configures a global NAS IP address sent in RADIUS packets:
(host) (config) #ip radius nas-ip 192.168.1.245
Command History
This command was available in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | The ip radius rfc-3576-server udp-port command requires the PEFNG license. Other commands are available in the base operating system. | Config mode on master and local controllers
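The rfc-3576-server udp-port opens the controller to Disconnect and Change-of-Authorization requests, so what matters in practice is that each request is authenticated with the shared secret before it is acted on. The following Python, added here and not Aruba's code, implements the RFC 3576 Request and Response Authenticator computation and a verifier for the receiving side; the shared secret, attribute values and sample packet are constructed.

```python
"""Added example (not from the ArubaOS guide): the authentication a listener on
the rfc-3576-server udp-port must apply before honouring a Disconnect-Request or
CoA-Request. Per RFC 3576 section 3 the Request Authenticator is computed as for
an RFC 2866 Accounting-Request; a receiver that skips this check would act on a
forged disconnect from anyone able to reach UDP 3799."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, FRAMED_IP_ADDRESS = 1, 8       # RADIUS attribute types used below


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    if isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Decode a run of attributes into [(type, value)], rejecting a malformed length."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_request(code, ident, attrs, secret):
    """Assemble a Disconnect-Request or CoA-Request as the RADIUS server would send it."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(code, ident, attrs, secret) + attrs


def verify_request(packet, secret):
    """Return (code, ident, [(type, value)]) for an authentic Disconnect/CoA-Request,
    or None. The digest comparison is constant-time."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return None
    attrs = packet[20:]
    if not hmac.compare_digest(request_authenticator(code, ident, attrs, secret), packet[4:20]):
        return None
    return code, ident, parse_attrs(attrs)


def build_response(code, request, attrs, secret):
    """ACK/NAK whose Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


# Constructed sample: a shared secret and a disconnect for one user session.
SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST = build_request(
    DISCONNECT_REQUEST, 7,
    attr(USER_NAME, "alice") + attr(FRAMED_IP_ADDRESS, bytes([10, 1, 1, 50])),
    SECRET)

if __name__ == "__main__":
    print(verify_request(SAMPLE_REQUEST, SECRET))
    print(verify_request(SAMPLE_REQUEST, b"wrong-secret"))
```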
ids rap-wml-server-profile
ids rap-wml-server-profile <server-name>
ageout <period>
cache {disable|enable}
clone
db-name <name>
ip-addr <ipaddr>
password <password>
type {mssql|mysql}
user <name>
Description
Use this command to specify the name and attributes of a MySQL or an MSSQL server.
Syntax
Parameter | Description | Default
ageout | (Optional) Specifies the cache ageout period, in seconds. | 0
cache | (Optional) Enables the cache, or disables the cache. | Disabled
clone | Copies configuration settings from an existing profile.
db-name | (Optional) Specifies the name of the MySQL or MSSQL database. | —
ip-addr | (Optional) Specifies the IP address of the named MSSQL server. | 0.0.0.0
no | Negates any configured parameter. | —
password | (Optional) Specifies the password required for database login. | —
type | (Optional) Specifies the server type. | —
user | (Optional) Specifies the user name required for database login. | —
Usage Guidelines
Use the show rap-wml cache command to show the cache of all lookups for a database server. Use the show rap-wml servers command to show the database server state. Use the show rap-wml wired-mac command to show the wired MACs discovered on traffic through the AP.
Example
This example configures a MySQL server and sets up associated rap-wml table attributes for that server.
(host) (config) #ids rap-wml-server-profile mysqlserver type mysql ip-addr 10.4.11.10 db-name automatedtestdatabase user sa password sa
ids rap-wml-table-profile mysqlserver table-name mactest_undelimited timestamp-column time lookup-time 600
ids rap-wml-table-profile mysqlserver table-name mactest_delimited mac-delimiter : timestamp-column time lookup-time 600
This example configures an MSSQL server and sets up associated rap-wml table attributes for that server.
(host) (config) #ids rap-wml-server-profile mssqlserver type mssql ip-addr 10.4.11.11 db-name automatedtestdatabase user sa password sa
ids rap-wml-table-profile mssqlserver table-name mactest_undelimited timestamp-column time lookup-time 600
ids rap-wml-table-profile mssqlserver table-name mactest_delimited mac-delimiter : timestamp-column time lookup-time 600
Command History
Release | Modification
ArubaOS 2.0 | Command introduced
ArubaOS 6.1 | This command was renamed from rap-wml to ids rap-wml-server-profile.
Command Information
Platforms | Licensing | Command Mode
All platforms | Requires the RF Protect license. | Config mode on master controllers
ids rap-wml-table-profile
ids rap-wml-table-profile <profile>
clone <profile>
column-name <column-name>
lookup-time <lookup-time>
mac-delimiter <char>
no ...
table-name <table-name>
timestamp-column <timestamp-column-name>
Description
Use this command to specify the name and attributes of the database table to be used for lookup.
Syntax
Parameter | Description | Default
<profile> | Name of an ids rap-wml-table profile. | —
clone | Makes a copy of an existing profile. | —
column-name | Specifies the database column name with the MAC address. | —
lookup-time | Specifies how far back, in seconds, to look for the MAC address. Use 0 seconds to look up everything. | 0
mac-delimiter | Specifies the optional delimiter character for the MAC address in the database. | No delimiter
no | Negates the rap-wml table for the named server. | —
table-name | Specifies the database table name. | —
timestamp-column <timestamp-column-name> | Specifies the database column name with the timestamp last seen. | —
Usage Guidelines
Use the ids rap-wml-server-profile <servername> command to configure a MySQL or an MSSQL server, then
use the ids rap-wml-table-profile command to configure the associated database table for the server.
Example
This example configures a MySQL server and sets up associated rap-wml table attributes for that server.
(host) (config) #ids rap-wml-server-profile mysqlserver type mysql ip-addr 10.4.11.10 db-name automatedtestdatabase user sa password sa
ids rap-wml-table-profile mysqlserver table-name mactest_undelimited timestamp-column time lookup-time 600
ids rap-wml-table-profile mysqlserver table-name mactest_delimited mac-delimiter : timestamp-column time lookup-time 600
This example configures an MSSQL server and sets up associated rap-wml table attributes for that server.
(host) (config) #ids rap-wml-server-profile mssqlserver type mssql ip-addr 10.4.11.11 db-name automatedtestdatabase user sa password sa
ids rap-wml-table-profile mssqlserver table-name mactest_undelimited timestamp-column time lookup-time 600
ids rap-wml-table-profile mssqlserver table-name mactest_delimited mac-delimiter : timestamp-column time lookup-time 600
Command History
Release | Modification
ArubaOS 2.0 | Command introduced
ArubaOS 6.1 | This command was renamed from rap-wml to ids rap-wml-table-profile.
Command Information
Platforms | Licensing | Command Mode
All platforms | Requires the RF Protect license. | Config mode on master controllers
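To make the mac-delimiter, lookup-time and timestamp-column semantics of the table profile concrete, the following Python (added here; it is not Aruba's implementation, and it emulates the database with SQLite rather than MySQL or MSSQL) performs the lookup the profile describes. The column-name mac and the in-memory rows are assumptions; the table name, timestamp column, delimiter and lookup-time follow the mactest_delimited example above.

```python
"""Added example (not part of the ArubaOS guide): the lookup an ids rap-wml
table profile describes, emulated with SQLite in place of MySQL/MSSQL. Assumed
here: a column-name of 'mac', plus the table-name mactest_delimited, timestamp
column 'time', mac-delimiter ':' and lookup-time 600 from the page's example.
The controller's actual query is not published; this shows the semantics only."""
import re
import sqlite3
import time

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def normalize_mac(mac, delimiter):
    """Rewrite a MAC in whatever notation the client used into the form stored
    in the table: 12 lowercase hex digits, paired with `delimiter` (or none)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if not delimiter:
        return digits
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


def lookup_wired_mac(conn, profile, mac, now=None):
    """True if `mac` appears in the profile's table and, when lookup-time is
    non-zero, was last seen within lookup-time seconds of `now`."""
    now = time.time() if now is None else now
    # Table and column names come from the operator-controlled profile and are
    # validated as bare identifiers; the MAC comes from the client and is bound
    # as a parameter, never spliced into the SQL text.
    names = [profile["table-name"], profile["column-name"], profile["timestamp-column"]]
    if not all(IDENT.fullmatch(n) for n in names):
        raise ValueError(f"unsafe identifier in profile: {names!r}")
    table, mac_col, ts_col = names
    sql = f'SELECT COUNT(*) FROM "{table}" WHERE "{mac_col}" = ?'
    params = [normalize_mac(mac, profile.get("mac-delimiter"))]
    if profile.get("lookup-time", 0) > 0:      # 0 means look at everything
        sql += f' AND "{ts_col}" >= ?'
        params.append(now - profile["lookup-time"])
    (count,) = conn.execute(sql, params).fetchone()
    return count > 0


def sample_db(now):
    """Constructed in-memory stand-in for mactest_delimited (mac, time)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mactest_delimited (mac TEXT, time REAL)")
    conn.executemany("INSERT INTO mactest_delimited VALUES (?, ?)", [
        ("00:40:96:a6:a1:a4", now - 30),     # seen 30 s ago: inside a 600 s window
        ("00:40:96:a6:a1:a5", now - 3600),   # seen an hour ago: outside it
    ])
    return conn


# Profile values from the page's mactest_delimited example; column-name is assumed.
PROFILE = {"table-name": "mactest_delimited", "column-name": "mac",
           "timestamp-column": "time", "mac-delimiter": ":", "lookup-time": 600}

if __name__ == "__main__":
    now = time.time()
    conn = sample_db(now)
    for client_mac in ("0040.96a6.a1a4", "00-40-96-A6-A1-A5"):
        print(client_mac, lookup_wired_mac(conn, PROFILE, client_mac, now))
```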
ip route
ip route <destip> <destmask> {<nexthop> [<cost>]|ipsec <name>|null 0}
Description
This command configures a static route on the controller.
Syntax
Parameter | Description
<destip> | Enter the destination prefix address in dotted decimal format (A.B.C.D).
<destmask> | Enter the destination prefix mask address in dotted decimal format (A.B.C.D).
<nexthop> [<cost>] | Enter the forwarding router address in dotted decimal format (A.B.C.D). Optionally, enter the distance metric (cost) for this route. The cost prioritizes routing to the destination. The lower the cost, the higher the priority.
ipsec <name> | Enter the keyword ipsec followed by the ipsec map name to use a static ipsec route map.
null 0 | Enter the keyword null 0 to designate a null interface.
Usage Guidelines
This command configures a static route on the controller other than the default gateway. Use the ip default-gateway command to set the default gateway to the IP address of the interface on the upstream router or switch to which you connect the controller.
Example
The following command configures a static route:
(host) (config) #ip route 172.16.0.0 255.255.0.0 10.1.1.1
Command History
This command was available in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master and local controllers
ipv6 cp-redirect-address
ipv6 cp-redirect-address <ip6addr> | disable
Description
This command configures a redirect address for captive portal.
Syntax
Parameter | Description
<ip6addr> | This address should be routable from all external networks.
disable | Disables automatic DNS resolution for captive portal.
Usage Guidelines
This command redirects wireless clients that are on different VLANs (from the controller’s IP address) to the captive
portal on the controller.
If you have the Next Generation Policy Enforcement Firewall (PEFNG) license installed in the controller, modify the
captive portal session ACL to permit HTTP/S traffic to the destination cp-redirect-address <ip6addr> instead of
mswitch. If you do not have the PEFNG license installed in the controller, the implicit captive-portal-profile ACL is
automatically modified when you issue this command.
Example
The following command configures a captive portal redirect address:
(host) (config) #ipv6 cp-redirect-address
Command History
Introduced in ArubaOS 6.1
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
ipv6 default-gateway
ipv6 default-gateway <ipv6-address> <cost>
Description
This command configures an IPv6 default gateway.
Syntax
Parameter | Description
<ipv6-address> | Specify the IPv6 address of the default gateway.
cost | Specify the distance metric to select the routing protocol that determines the way to learn the route.
Usage Guidelines
This command configures an IPv6 default gateway.
Example
The following command configures an IPv6 default gateway:
(host) (config) #ipv6 default-gateway 2cce:205:160:100::fe 1
Command History
Introduced in ArubaOS 6.1
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
ipv6 enable
ipv6 enable
Description
This command enables IPv6 packet processing globally. This option is disabled by default.
Syntax
No parameters.
Usage Guidelines
This command enables IPv6 packet processing globally.
Command History
This command was introduced in ArubaOS 6.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
ipv6 firewall
ipv6 firewall
attack-rate {ping <number>|session <number>|tcp-syn <number>}
deny-inter-user-bridging |
drop-ip-fragments |
enable-per-packet-logging |
enforce-tcp-handshake |
prohibit-ip-spoofing |
prohibit-rst-replay |
session-idle-timeout <seconds> |
session-mirror-destination {ip-address <ipaddr>} | {port <slot>/<port>}
Description
This command configures firewall options on the controller for IPv6 traffic.
Syntax
Parameter
Description
attack-rate
Sets rates which, if exceeded, can indicate a denial of service attack.
ping <number>
Number of ICMP pings per second which, if exceeded, can indicate a denial of service attack. Recommended value is 4.
Range: 1-255
Default: —
session <number>
Number of TCP or UDP connection requests per second which, if exceeded, can indicate a denial of service attack. Recommended value is 32.
Range: 1-255
Default: —
tcp-syn <number>
Number of TCP SYN messages per second which, if exceeded, can indicate a denial of service attack. Recommended value is 32.
Range: 1-255
Default: —
deny-inter-user-bridging
Prevents the forwarding of Layer-2 traffic between wired or wireless users. You can configure user role policies that prevent Layer-3 traffic between users or networks, but this does not block Layer-2 traffic. This option can be used to prevent AppleTalk or IPX traffic from being forwarded.
Default: disabled
drop-ip-fragments
When enabled, all IP fragments are dropped. You should not enable this option unless instructed to do so by an Aruba representative.
Default: disabled
enable-per-packet-logging
Enables logging of every packet if logging is enabled for the corresponding session rule. Normally, one event is logged per session. If you enable this option, each packet in the session is logged. You should not enable this option unless instructed to do so by an Aruba representative, as doing so may create unnecessary overhead on the controller.
Default: disabled
enforce-tcp-handshake
Prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network, as enabling it will cause mobility to fail. You can enable this option if there are no mobile clients on the network.
Default: disabled
prohibit-ip-spoofing
Detects IP spoofing (where an intruder sends messages using the IP address of a trusted client). When this option is enabled, IP and MAC addresses are checked; possible IP spoofing attacks are logged and an SNMP trap is sent.
Default: disabled
prohibit-rst-replay
Closes a TCP connection in both directions if a TCP RST is received from either direction. You should not enable this option unless instructed to do so by an Aruba representative.
Default: disabled
session-idle-timeout <seconds>
Time, in seconds, that a non-TCP session can be idle before it is removed from the session table. You should not modify this option unless instructed to do so by an Aruba representative.
Range: 16-259
Default: 15 seconds
session-mirror-destination
ip-address <ipaddr>
Send mirrored session packets to the specified IP address.
port <slot>/<port>
Send mirrored session packets to the specified controller port.
Usage Guidelines
This command configures global firewall options on the controller for IPv6 traffic.
Example
The following command disallows forwarding of non-IP frames between IPv6 clients:
(host) (config) #ipv6 firewall deny-inter-user-bridging
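What the attack-rate thresholds mean operationally, as an added example that is not part of the reference guide and not ArubaOS code: each counter (ping, session, tcp-syn) is a per-second rate per source, and a one-second bucket whose count goes past the configured value is what the controller would treat as a possible denial of service indication. The code applies the recommended values from the table to a constructed set of packet events; the event format, the addresses and the function names are this example's own assumptions.

```python
"""Per-second rate thresholds of the kind `ipv6 firewall attack-rate` configures,
applied to a constructed packet-event sample. Added example, not ArubaOS code."""
from typing import Dict, Iterable, List, Tuple

# The three counters the command exposes, with the recommended values from the
# reference table (ping 4, session 32, tcp-syn 32). Each must lie within 1-255.
RECOMMENDED_ATTACK_RATE: Dict[str, int] = {"ping": 4, "session": 32, "tcp-syn": 32}


def validate_attack_rate(rates: Dict[str, int]) -> Dict[str, int]:
    """Reject unknown counters and values outside the documented 1-255 range."""
    for name, value in rates.items():
        if name not in RECOMMENDED_ATTACK_RATE:
            raise ValueError(f"unknown attack-rate counter: {name}")
        if not 1 <= value <= 255:
            raise ValueError(f"{name} rate {value} is outside 1-255")
    return rates


# A packet event (assumed format): (timestamp in seconds, source IPv6, counter it hits).
Event = Tuple[float, str, str]


def rate_alerts(events: Iterable[Event], rates: Dict[str, int]) -> List[Tuple[str, str, int, int]]:
    """Count events per (source, counter, one-second bucket) and return every
    bucket whose count exceeds the configured per-second rate, as sorted
    (source, counter, bucket_start_second, count) tuples."""
    rates = validate_attack_rate(rates)
    buckets: Dict[Tuple[str, str, int], int] = {}
    for ts, src, kind in events:
        if kind in rates:
            key = (src, kind, int(ts))
            buckets[key] = buckets.get(key, 0) + 1
    return sorted(
        (src, kind, sec, n)
        for (src, kind, sec), n in buckets.items()
        if n > rates[kind]
    )


# Constructed sample: one host sends 6 pings inside second 100 (exceeds 4);
# another opens 10 sessions spread over two seconds (never exceeds 32).
SAMPLE_EVENTS: List[Event] = (
    [(100.0 + i * 0.1, "2001:db8::10", "ping") for i in range(6)]
    + [(100.0 + i * 0.2, "2001:db8::20", "session") for i in range(10)]
    + [(101.5, "2001:db8::10", "tcp-syn")]
)

if __name__ == "__main__":
    for src, kind, sec, n in rate_alerts(SAMPLE_EVENTS, RECOMMENDED_ATTACK_RATE):
        print(f"{src} exceeded the {kind} rate in second {sec}: {n}/s")
```

The bucket boundary matters: the same six pings spread across two seconds would not trip a rate of 4, which is why the table's recommended values are low for ping and higher for session and SYN counts.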
Command History
Version
Description
ArubaOS 3.3
Command introduced
ArubaOS 6.1
The ipv6 firewall enable command was deprecated. Use the command ipv6
enable to enable/disable ipv6 packet/firewall processing on the controller.
ArubaOS 6.3
The session-mirror-destination parameter has been deprecated.
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base operating system, except for noted parameters
Config mode on master controllers
ipv6 neighbor
ipv6 neighbor <ipv6addr> vlan <vlan#> <mac>
Description
This command configures an IPv6 static neighbor on a VLAN interface.
Syntax
Parameter
Description
<ipv6addr>
Specify the IPv6 address of the neighbor entry.
vlan <vlan#>
Specify the VLAN ID.
<mac>
Specify the 48-bit hardware address of the neighbor entry.
Usage Guidelines
You can configure an IPv6 static neighbor on a VLAN interface.
Example
The following command configures an IPv6 static neighbor on VLAN 1:
(host) (config) #ipv6 neighbor 2cce:205:160:100::fe vlan 1 00:0b:86:61:13:28
Command History
Introduced in ArubaOS 6.1
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base operating system
Config mode on master controllers
ipv6 mld
ipv6 mld
query-interval
query-response-interval
robustness-variable
ssm-range
Description
This command configures the IPv6 MLD (Multicast Listener Discovery) parameters.
Syntax
Parameter
Description
query-interval
Specify the time interval in seconds (1-65535) between general queries sent by the
querier. The default value is 125 seconds.
By varying this value, you can tune the number of MLD messages on the link;
larger values cause MLD queries to be sent less often.
query-response-interval
Specify the maximum response delay in deciseconds (1/10 seconds) that can be
inserted into the periodic general queries. The default value is 100 deciseconds.
By varying this value, you can tune the burstiness of MLD messages on the link;
larger values make the traffic less bursty, as node responses are spread out over a
larger interval.
NOTE: The number of seconds represented by this value must be less than the
query interval.
robustness-variable
Specify a value between 2 to 10. The default value is 2. The robustness variable
allows you to tune for the expected packet loss on a link. If a link is expected to be
lossy, you can increase this value.
NOTE: You must not configure the robustness variable as 0 or 1.
ssm-range
Specify the source-specific multicast (SSM) IPv6 range. This variable allows you to configure a valid multicast IPv6 address range to which SSM semantics are applied. The default IPv6 SSM address range is FF3X::4000:1 – FF3X::FFFF:FFFF.
Usage Guidelines
You can modify the default values of the MLD parameters for IPv6 MLD snooping. You must enable IPv6 MLD
snooping for these values to take effect. For more information on enabling IPv6 MLD snooping, see interface vlan on
page 392.
Example
The following command configures the query interval of 200 seconds for IPv6 MLD snooping:
(host) (config) #ipv6 mld
(host) (config-mld) # query-interval 200
Command History
Release
Modification
ArubaOS 6.1
Command introduced
ArubaOS 6.4
The ssm-range parameter was introduced.
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base operating system
Config mode on master controllers
ipv6 proxy-ra
ipv6 proxy-ra
interval
Description
This command configures an interval for proxy Router Advertisement.
Syntax
Parameter
Description
interval
Configures the proxy Router Advertisement interval (180-1800 seconds). This overrides the interface Router Advertisement interval value if that value is lower.
Usage Guidelines
This command configures the interval for proxy Router Advertisement.
Example
The following command configures a proxy Router Advertisement interval of 200 seconds:
(host) (config) #ipv6 proxy-ra interval 200
Command History
This command was introduced in ArubaOS 6.3.
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base operating system.
Config mode on master and local controllers
ipv6 radius
ipv6 radius {nas-ip6 <ipv6-addr>|source-interface {loopback|vlan <vlan> <ip6addr>}}
Description
This command configures global parameters for configured IPv6 RADIUS servers.
Syntax
Parameter
Description
nas-ip6
NAS IPv6 address to send in RADIUS packets. A server-specific NAS IPv6
configured with the aaa authentication-server radius command
supersedes this configuration.
source-interface
Interface for all outgoing RADIUS packets. The IPv6 address of the specified
interface is included in the IP header of RADIUS packets. The interface can be one
of the following:
loopback
The loopback interface.
vlan
The specified VLAN.
Usage Guidelines
This command configures global IPv6 RADIUS server parameters. If the aaa authentication-server radius
command configures a server-specific NAS IPv6 address, the server-specific IPv6 address is used instead.
Example
The following command configures a global NAS IPv6 address sent in RADIUS packets:
(host) (config) #ipv6 radius nas-ip6 2001:470:20::2
Command History
This command was introduced in ArubaOS 6.3.
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base operating system.
Config mode on master and local controllers
ipv6 route
ipv6 route <ipv6-prefix/prefix-length> {<ipv6-next-hop>|null|vlan <vlanid> <link-local-next-hop>} <cost>
Description
This command configures static IPv6 routes on the controller.
Syntax
Parameter
Description
<ipv6-prefix/prefix-length>
Specify the IPv6 address and the prefix length of the destination.
<ipv6-next-hop>
Specify the next-hop IPv6 address, or null 0 to terminate or discard the packets. The following forms are accepted:
- X:X:X:X::X: IPv6 address of the next hop. The address should be a global IPv6 address.
- null: null interface
- vlan <vlanid> X:X:X:X::X: VLAN ID and IPv6 link-local address of the next hop
<cost>
Specify the distance metric to select the routing protocol that determines the way to learn the route.
Usage Guidelines
You can configure static IPv6 routes on the controller.
Example
The following command configures a static IPv6 route on the controller:
(host) (config) #ipv6 route 2cce:205:160:100::/64 2001:205:160:100::ff 1
(host) (config) #ipv6 route 2000:eab::/64 vlan 1 fe80::1a:1e00:a00:9f0
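How a controller would choose among static routes of this kind, as an added example that is not ArubaOS code: a small parser for the three `ipv6 route` next-hop forms (global address, null, and vlan with a link-local address), followed by longest-prefix selection with the lower cost breaking ties between equal prefixes. The selection rule, the class and function names, and the sample destinations are this example's assumptions; the page documents the command, not the controller's route-selection internals.

```python
"""Parse `ipv6 route` commands and pick the route for a destination by longest
prefix, then lowest cost. Added example, not ArubaOS code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv6Network
    next_hop: Optional[ipaddress.IPv6Address]  # None for the null interface
    vlan: Optional[int]                         # set only for the vlan/link-local form
    cost: int


def parse_ipv6_route(line: str) -> StaticRoute:
    """Accepts: ipv6 route <prefix/len> {<global-next-hop>|null [0]|vlan <id> <link-local>} <cost>."""
    tokens = line.split()
    if tokens[:2] != ["ipv6", "route"]:
        raise ValueError(f"not an ipv6 route command: {line!r}")
    prefix = ipaddress.IPv6Network(tokens[2], strict=False)
    cost = int(tokens[-1])
    rest = tokens[3:-1]
    if rest and rest[0] == "null" and rest[1:] in ([], ["0"]):
        return StaticRoute(prefix, None, None, cost)      # discard traffic to the prefix
    if len(rest) == 3 and rest[0] == "vlan":
        hop = ipaddress.IPv6Address(rest[2])
        if not hop.is_link_local:
            raise ValueError(f"vlan next hop must be a link-local address: {hop}")
        return StaticRoute(prefix, hop, int(rest[1]), cost)
    if len(rest) == 1:
        hop = ipaddress.IPv6Address(rest[0])
        if hop.is_link_local:
            raise ValueError("a link-local next hop needs the vlan form")
        return StaticRoute(prefix, hop, None, cost)
    raise ValueError(f"unrecognised next-hop form: {rest}")


def select_route(routes: List[StaticRoute], destination: str) -> Optional[StaticRoute]:
    """Longest matching prefix wins; among equal prefix lengths the lower cost wins."""
    addr = ipaddress.IPv6Address(destination)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.cost))


# The two commands from the example above, plus a constructed null route.
ROUTE_TABLE: List[StaticRoute] = [
    parse_ipv6_route("ipv6 route 2cce:205:160:100::/64 2001:205:160:100::ff 1"),
    parse_ipv6_route("ipv6 route 2000:eab::/64 vlan 1 fe80::1a:1e00:a00:9f0 1"),
    parse_ipv6_route("ipv6 route 2000::/3 null 5"),
]

if __name__ == "__main__":
    for dst in ("2000:eab::55", "2cce:1::1", "fd00::1"):
        print(dst, "->", select_route(ROUTE_TABLE, dst))
```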
Command History
Release
Modification
ArubaOS 6.1
This command was introduced.
ArubaOS 6.4
The vlan parameter was introduced.
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base operating system
Config mode on master controllers
lacp group
lacp group <group_number> mode {active | passive}
Description
Enable Link Aggregation Control Protocol (LACP) and configure LACP on the interface.
Parameter
Description
<group_number>
Enter the link aggregation group (LAG) number.
Range: 0-7
mode {active | passive}
Enter the keyword mode followed by either the keyword active or passive.
- Active mode: the interface is in an active negotiating state. LACP runs on any link that is configured to be in the active state. A port in active mode also initiates negotiations with other ports by sending LACP packets.
- Passive mode: the interface is not in an active negotiating state. LACP runs on any link that is configured in a passive state. A port in passive mode responds to negotiation requests from other ports that are in an active state. Ports in passive state respond to LACP packets.
Usage Guidelines
LACP is disabled by default; this command enables LACP. If the group number assigned contains static port
members, the command is rejected.
Related Command
Command
Description
show lacp
View the LACP configuration status
show lacp sys-id
View the LACP system ID information
show interface port-channel
View information on a specified port channel interface
Command History
Release
Modification
ArubaOS 3.4.1
Command introduced
Command Information
Platform
Licensing
Command Mode
All Platforms
Base operating system
Configuration Interface Mode (config-if) for Master and Local controllers
lacp port-priority
lacp port-priority <priority_value>
Description
Configure the LACP port priority.
Syntax
Parameter
Description
<priority_value>
Enter the port-priority value. The higher the value, the lower the priority.
Range: 1 to 65535
Default: 255
Usage Guidelines
Set the port priority for LACP.
Related Commands
Command
Description
lacp group
Enable LACP and configure on the interface
show lacp
View the LACP configuration status
show lacp sys-id
View the LACP system ID information
show interface port-channel
View information on a specified port channel interface
Command History
Release
Modification
ArubaOS 3.4.1
Command introduced
Command Information
Platform
Licensing
Command Mode
All Platforms
Base operating system
Configuration Interface Mode (config-if) for Master and Local controllers
lacp system-priority
lacp system-priority <priority_value>
Description
Configure the LACP system priority.
Syntax
Parameter
Description
<priority_value>
Enter the system priority value. The higher the value, the lower the priority.
Range: 1 to 65535
Default: 32768
Usage Guidelines
Set the LACP system priority.
Related Commands
Command
Description
lacp group
Enable LACP and configure on the interface
show lacp
View the LACP configuration status
show lacp sys-id
View the LACP system ID information
show interface port-channel
View information on a specified port channel interface
Command History
Release
Modification
ArubaOS 3.4.1
Command introduced
Command Information
Platforms
Licensing
Command Mode
All Platforms
Base operating system
Configuration Mode (config) for Master and Local controllers
lacp timeout
lacp timeout {long | short}
Description
Configure the timeout period for the LACP session.
Syntax
Parameter
Description
long
Enter the keyword long to set the LACP session to 90 seconds. This is the
default.
short
Enter the keyword short to set the LACP session to 3 seconds.
Usage Guidelines
The timeout value is the amount of time that a port-channel interface waits for a LACPDU (Link Aggregation Control
Protocol data unit) from the remote system before terminating the LACP session. The default time out value is 90
seconds (long).
Related Commands
Command
Description
lacp group
Enable LACP and configure on the interface
show lacp
View the LACP configuration status
show lacp sys-id
View the LACP system ID information
show interface port-channel
View information on a specified port channel interface
Command History
Release
Modification
ArubaOS 3.4.1
Command introduced
Command Information
Platforms
Licensing
Command Mode
All Platforms
Base operating system
Configuration Interface Mode (config-if) for Master and Local controllers
lcd-menu
lcd-menu
[no] disable menu [maintenance [factory-default | gui-quick-setup | media-eject | system-halt | system-reboot | upgrade-image [partition0 | partition1] | upload-config]]
Description
This command allows you to enable or disable the LCD menu either completely or for specific operations.
Syntax
Parameter
Description
lcd-menu
Enters the LCD menu configuration mode.
no
Delete the specified LCD menu option.
disable
Disables (or enables) the complete LCD menu.
maintenance
Disables (or enables) the maintenance LCD menu.
Default: Enabled
factory-default
Disables (or enables) the return to factory default option in the LCD menu.
Default: Enabled
media-eject
Disables (or enables) the media eject option in the LCD menu.
Default: Enabled
system-halt
Disables (or enables) the system halt option in the LCD menu.
Default: Enabled
system-reboot
Disables (or enables) the system reboot option in the LCD menu.
Default: Enabled
upgrade-image
Disables (or enables) the upgrade image option in the LCD menu.
Default: Enabled
partition0 | partition1
Disables (or enables) image upgrade on the specified partition (0 or 1).
Default: Enabled
upload-config
Disables (or enables) the upload config option in the LCD menu.
Default: Enabled
Usage Guidelines
You can use this command to disable executing the maintenance operations using the LCD menu. You can use the
no form of these commands to enable the specific LCD menu. For example, the following commands enable system
halt and system reboot options:
(host) (config) #lcd-menu
(host) (lcd-menu) #no disable menu maintenance system-halt
(host) (lcd-menu) #no disable menu maintenance system-reboot
You can use the following show command to display the current LCD settings:
(host)#show lcd-menu
lcd-menu
--------
Menu                                         Value
----                                         -----
menu maintenance upgrade-image partition0    enabled
menu maintenance upgrade-image partition1    enabled
menu maintenance system-reboot reboot-stack  enabled
menu maintenance system-reboot reboot-local  enabled
menu maintenance system-halt halt-stack      enabled
menu maintenance system-halt halt-local      enabled
menu maintenance upgrade-image               enabled
menu maintenance upload-config               enabled
menu maintenance factory-default             enabled
menu maintenance media-eject                 enabled
menu maintenance system-reboot               enabled
menu maintenance system-halt                 enabled
menu maintenance gui-quick-setup             enabled
menu maintenance                             enabled
menu                                         enabled
Example
The following example disables the LCD menu completely:
(host) #configure terminal
(host) (config) #lcd-menu
(host) (lcd-menu) #disable menu
The following example disables executing the specified maintenance operation using the LCD menu:
(host) #configure terminal
(host) (config) #lcd-menu
(host) (lcd-menu) #disable menu maintenance ?
factory-default    Disable factory default menu
gui-quick-setup    Disable quick setup menu on LCD
media-eject        Disable media eject menu on LCD
system-halt        Disable system halt menu on LCD
system-reboot      Disable system reboot menu on LCD
upgrade-image      Disable image upgrade menu on LCD
upload-config      Disable config upload menu on LCD
(host) (lcd-menu) #disable menu maintenance upgrade-image ?
partition0         Disable image upgrade on partition 0
partition1         Disable image upgrade on partition 1
Command History
Introduced in ArubaOS 6.2
Command Information
Platform
License
Command Mode
7200 controller series only.
Available in the base operating
system
Config mode on master
controllers
license
license
add <key>
del <key>
export <filename>
import <filename>
profile centralized-licensing-enable
report <filename>
server-ip <ip-addr>
server-redundancy {license-vrrp <id>|peer-ip-address <ip-addr>}
Description
This command allows you to install, delete, and manage software licenses on the controller.
Syntax
Parameter
Description
add <key>
Installs the software license key in the controller. The key is normally sent to you via email. This parameter is available in enable mode.
del <key>
Removes the software license key from the controller. The key is normally sent to you via email. This parameter is available in enable mode.
export <filename>
Exports the license database on the controller to the specified file in flash. This parameter is available in enable mode.
import <filename>
Replaces the license database on the controller with the specified file in flash. The system serial numbers referenced in the imported file must match the numbers on the controller. This parameter is available in enable mode.
profile centralized-licensing-enable
This command enables the centralized licensing feature, and is available in config mode.
Centralized licensing simplifies licensing management by distributing licenses installed on one controller to other controllers on the network. One controller acts as a centralized license database for all other controllers connected to it, allowing all controllers to share a pool of unused licenses. The primary and backup licensing server can share a single set of licenses, eliminating the need for a redundant license set on the backup server. Local licensing client controllers maintain information sent from the licensing server even if the licensing client controller and licensing server controller can no longer communicate.
report <filename>
Saves a license report to the specified file in flash. This parameter is available in enable mode.
server-ip <ip-addr>
Enter the IP address of the licensing server. This command is available in config mode.
server-redundancy
Use this command to configure server redundancy for the centralized licensing feature. This command is available in config mode.
license-vrrp <id>
Use this command to specify a VRRP instance to be used for the centralized licensing feature. This command is available in config mode.
By default, the master controller in a master-local topology is the primary licensing server. If this master controller already has a redundant standby master, that redundant master will automatically act as the backup licensing server with no additional configuration. If your primary licensing server does not yet have a redundant standby controller and you want to use a backup server with the centralized licensing feature, you must identify a second controller you want to designate as the backup licensing server, and define a virtual router on the primary licensing server. For details, see vrrp.
peer-ip-address <ipaddr>
Enter the IP address of the backup licensing server. This command is available in config mode.
Usage Guidelines
Obtain an Aruba software license certificate from your Aruba sales representative or authorized reseller. Use the
certificate ID and the system serial number to obtain a software license key which you install in the controller.
Starting with ArubaOS 6.3, you no longer need to reboot a controller after adding or deleting a license.
Users that are not very familiar with this procedure may wish to use the License Management page in the WebUI to
install and manage licenses on the controller.
Centralized licensing simplifies licensing management by distributing licenses installed on one controller to other controllers on the network. One controller acts as a centralized license database for all other controllers connected to it, allowing all controllers to share a pool of unused licenses. The primary and backup licensing server can share a single set of licenses, eliminating the need for a redundant license set on the backup server. Local licensing client controllers maintain information sent from the licensing server even if the licensing client controller and licensing server controller can no longer communicate.
You can use the centralized licensing feature in a master-local topology with a redundant backup master, or in a
multi-master network where all the masters are connected to a single server. In the master-local topology, the
master controller acts as the primary licensing server, and the redundant backup master acts as the backup
licensing server. In a multi-master network, one controller must be designated as a primary server and a second
controller configured as a backup licensing server.
Centralized licensing can distribute the following license types:
- AP
- PEFNG
- RFProtect
- xSec
- ACR
Centralized licensing allows the primary and backup licensing server controllers to share a single set of licenses. If you do not enable this feature, the master and backup master controller each require separate, identical license sets. The two controllers acting as primary and backup license servers must use the same version of ArubaOS, and must be connected on the same broadcast domain using the Virtual Router Redundancy Protocol (VRRP). Other client controllers on the network connect to the licensing server using the VRRP virtual IP address configured for that set of redundant servers. By default, the primary licensing server uses the configured virtual IP address. However, if the controller acting as the primary licensing server becomes unavailable, the secondary licensing server will take ownership of the virtual IP address, allowing licensing clients to retain seamless connectivity to a licensing server.
When you enable centralized licensing, information about the licenses already installed on the individual client controllers is sent to the licensing server, where it is added to the server's licensing table. The information in this table is then shared with all client controllers as a pool of available licenses. When a client controller uses a license from the available pool, it communicates this change to the licensing server master controller, which updates the table before synchronizing it with the other clients.
Client controllers do not share information about factory-installed or built-in licenses to the licensing server. A
controller using the centralized licensing feature will use its built-in licenses before it consumes available licenses
from the license pool. As a result, when a client controller sends the licensing server information about the licenses
that client is using, it only reports licenses taken from the licensing pool, and disregards any built-in licenses used.
For example, if a controller has a built-in 16-AP license and twenty connected APs, it will disregard the built-in
licenses being used, and will report to the licensing server that it is using only four AP licenses from the license pool.
When centralized licensing is first enabled on the licensing server, its licensing table only contains information about
the licenses installed on that server. When the clients contact the server, the licensing server adds the client
licenses to the licensing table, then it sends the clients back information about the total available licenses for each
license type. In the following example, the licenses installed on two client controllers are imported into the license
table on the license server. The licensing server then shares the total number of available licenses with other
controllers on the network.
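The pool accounting described in the preceding paragraphs, as an added example that is not ArubaOS code: client controllers contribute their installed licenses to the server's table, report only the usage that exceeds their built-in licenses (the page's 16-AP built-in controller with twenty APs reports four), and receive back the total still available per license type. The classes, the second client and the license counts are this example's constructed assumptions.

```python
"""Model of centralized-licensing pool accounting. Added example, not ArubaOS code;
the controllers and license counts below are constructed."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class ClientController:
    name: str
    installed: Dict[str, int]  # purchased licenses installed here; contributed to the pool
    built_in: Dict[str, int]   # factory-installed licenses; never reported to the server
    in_use: Dict[str, int]     # current consumption, e.g. {"AP": connected APs}

    def pool_usage(self) -> Dict[str, int]:
        """What the client reports: built-in licenses are consumed first, so only
        usage beyond the built-in count is taken from the shared pool."""
        return {lic: max(0, n - self.built_in.get(lic, 0)) for lic, n in self.in_use.items()}


@dataclass
class LicensingServer:
    installed: Dict[str, int]                              # licenses on the server itself
    table: Dict[str, int] = field(default_factory=dict)    # pooled totals per license type
    used: Dict[str, int] = field(default_factory=dict)     # pool consumption reported by clients

    def enable_centralized_licensing(self) -> None:
        """When first enabled, the table holds only the server's own licenses."""
        self.table = dict(self.installed)
        self.used = {}

    def client_contact(self, client: ClientController) -> Dict[str, int]:
        """A client checks in: its installed licenses join the table and its pool
        usage is recorded. Returns the availability the server shares back."""
        for lic, n in client.installed.items():
            self.table[lic] = self.table.get(lic, 0) + n
        for lic, n in client.pool_usage().items():
            self.used[lic] = self.used.get(lic, 0) + n
        return self.available()

    def available(self) -> Dict[str, int]:
        """Licenses still free in the pool, per type."""
        return {lic: total - self.used.get(lic, 0) for lic, total in self.table.items()}


# Constructed scenario: the page's 16-AP built-in / 20-AP client, plus a second client
# with no licenses of its own that draws entirely from the pool.
SERVER = LicensingServer(installed={"AP": 64, "PEFNG": 64})
CLIENT_A = ClientController("local-a", installed={"AP": 32}, built_in={"AP": 16}, in_use={"AP": 20})
CLIENT_B = ClientController("local-b", installed={}, built_in={}, in_use={"AP": 10, "PEFNG": 10})


def run_scenario() -> Dict[str, int]:
    """Enable licensing on the server, let both clients contact it, return availability."""
    SERVER.enable_centralized_licensing()
    SERVER.client_contact(CLIENT_A)
    return SERVER.client_contact(CLIENT_B)


if __name__ == "__main__":
    print("client A reports:", CLIENT_A.pool_usage())
    print("pool available after both clients:", run_scenario())
```

Note that the pooled total (64 + 32 AP licenses) never includes client A's 16 built-in licenses, which is exactly why the client's report excludes them: counting them on both sides would let the pool be oversubscribed.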
For complete information on the centralized licensing feature, refer to the ArubaOS User Guide.
Examples
The following command adds a license key on the controller:
license add 890BobXs-cVPCb3aJ-7FbCijhZ-BuQPtuI4-RjLJW6Pl-n5K
Access the command-line interface of the licensing server, and issue the following commands in config mode:
(host) (config) #license profile
(host) (License provisioning profile) #centralized-licensing-enable
If the licensing server already has a dedicated redundant standby controller, that standby controller will automatically become the backup license server. If the primary licensing server in your deployment does not have a redundant master controller but you want to define a backup server for the licensing feature, issue the following commands on the licensing server:
(host) (License provisioning profile) #license server-redundancy
(host) (License provisioning profile) #license-vrrp <vrId>
(host) (License provisioning profile) #peer-ip-address <ip>
If you are deploying centralized licensing on a cluster of master controllers, access the command-line interface of a
licensing client controller, and issue the following commands in config mode:
(host) (config) #license profile
(host) (License provisioning profile) #centralized-licensing-enable
(host) (License provisioning profile) # license server-ip <ip>
Command History
Version
Description
ArubaOS 3.0
Command introduced
ArubaOS 6.3
The following commands were introduced to support the
centralized licensing feature:
- profile centralized-licensing-enable
- server-ip <ip-addr>
- server-redundancy {license-vrrp <id>|peer-ip-address <ipaddr>}
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base operating system
Enable or config mode on master and local controllers
local-custom-cert
local-custom-cert local-mac <lmac> ca-cert <ca> server-cert <cert>
suite-b <gcm-128 | gcm-256>
Description
This command configures the user-installed certificate for secure communication between a local controller and a
master controller.
Syntax
Parameter
Description
<lmac>
MAC address of the local controller’s user-installed certificate.
ca-cert <ca>
User-defined name of a trusted CA certificate installed on the local controller. Use
the show crypto-local pki TrustedCA command to display the CA certificates that
have been imported into the controller.
server-cert <cert>
User-defined name of a server certificate installed on the local controller. Use the
show crypto-local pki ServerCert command to display the server certificates that
have been imported into the controller.
suite-b
If you configure your master controllers to use IKEv2 and custom-installed
certificates, you can optionally use Suite-B cryptographic algorithms for IPsec
encryption. Specify one of the following options:
- gcm-128: Use 128-bit AES-GCM Suite-B encryption
- gcm-256: Use 256-bit AES-GCM Suite-B encryption
Usage Guidelines
Use this command on a master controller to configure the custom certificate for communication with a local
controller. On the local controller, use the masterip command to configure the IP address and certificates for the
master controller. If your master and local controllers use certificates for authentication, the IPsec tunnel will be
created using IKEv2.
Example
The following command configures the local controller with a user-installed certificate:
(host) (config) #local-custom-cert local-mac 00:16:CF:AF:3E:E1 ca-cert cacert1 server-cert servercert1
Related Commands
Command
Description
Mode
show local-certmac
Display the IP, MAC address and certificate configuration of local controllers in a master-local configuration
Config mode on master controllers.
Command Information
Platform
License
Command Mode
Available on all platforms
The suite-b gcm-128 and suite-b gcm-256 encryption options for IPsec custom certificates require the Advanced Cryptography (ACR) license. All other parameters are available in the base operating system.
Config mode on master controllers
local-factory-cert
local-factory-cert local-mac <lmac>
Description
This command configures the factory-installed certificate for secure communication between a local controller and a
master controller.
Syntax
Parameter
Description
<lmac>
MAC address of the local controller’s factory-installed certificate.
Usage Guidelines
Use this command on a master controller to configure the factory certificate for communication with a local
controller. On the local controller, use the masterip command to configure the IP address and certificates for the
master controller. If your master and local controllers use certificates for authentication, the IPsec tunnel will be
created using IKEv2.
Example
The following command configures the local controller with a factory-installed certificate:
(host) (config) #local-factory-cert local-mac 00:16:CF:AF:3E:E1
Related Commands
Command
Description
Mode
show local-certmac
Display the IP, MAC address and certificate configuration of local controllers in a master-local configuration
Config mode on master controllers.
Command History
Introduced in ArubaOS 6.1
Command Information
Platform
License
Command Mode
Available on all platforms
Available in the base operating system
Config mode on master controllers
local-userdb-ap add (deprecated)
local-userdb-ap add mac-address <macaddr> ap-group <group>
ap-name <ap-name>
description <desc>
full-name <full-name>
remote-ip <ip-addr>
Description
This command adds a Remote AP entry to the Remote AP whitelist table.
Command History
Release
Modification
ArubaOS 3.0
Command introduced
ArubaOS 6.2
Command replaced by whitelist-db rap add.
local-userdb-guest add
local-userdb-guest add {generate-username|username <name>} {generate-password|password <passwd>} [comment <g_comments>] [email <email>] [expiry {duration <minutes>|time <mm/dd/yyyy> <hh:mm>}] [guest-company <g_company>] [guest-fullname <g_fullname>] [guest-phone <g-phone>] [mode disable] [opt-field-1 <opt1>] [opt-field-2 <opt2>] [opt-field-3 <opt3>] [opt-field-4 <opt4>] [sponsor-dept <sp_dept>] [sponsor-mail <sp_email>] [sponsor-fullname <sp_fullname>] [sponsor-name <sp_name>] [start-time <mm/dd/yyyy> <hh:mm>]
Description
This command creates a guest user in a local user database.
Syntax
Parameter
Description
generate-username
Automatically generate and add a guest username.
username <name>
Add the specified guest username.
Range: 1-64 characters
generate-password
Automatically generate a password for the username.
password <passwd>
Add the specified password for the username.
Range: 6-128 characters
comment <g_comments>
Comments added to the guest user account.
email <email>
Email address for the guest user account.
expiry
Expiration for the user account. If this is not set, the account does not expire.
Default: no expiration
duration <minutes>
Duration, in minutes, for the user account.
Range: 1-2147483647
time <mm/dd/yyyy> <hh:mm>
Date and time, in mm/dd/yyyy and hh:mm format, at which the user account expires.
guest-company <g_company>
Name of the guest's company.
NOTE: A guest is the person who needs guest access to the company's Aruba wireless network.
guest-fullname <g_fullname>
The guest's full name.
guest-phone <g-phone>
The guest's phone number.
mode disable
Enables or disables the user account.
Default: Disable
opt-field-1 <opt1>
This field can be used for some other purpose. For example, the optional fields can be used for another person, such as a "Supervisor." You can enter username, full name, department and email information into the optional fields.
opt-field-2 <opt2>
Same as opt-field-1.
opt-field-3 <opt3>
Same as opt-field-1.
opt-field-4 <opt4>
Same as opt-field-1.
sponsor-dept <sp_dept>
The guest sponsor's department name.
NOTE: A sponsor is the guest's primary contact for the visit.
sponsor-mail <sp_email>
The sponsor's email address.
sponsor-fullname <sp_fullname>
The sponsor's full name.
sponsor-name <sp_name>
The sponsor's name.
start-time <mm/dd/yyyy> <hh:mm>
Date and time, in mm/dd/yyyy and hh:mm format, at which the guest account begins.
Usage Guidelines
When you specify the internal database as an authentication server, client information is checked against the user accounts in the internal database. You can modify an existing user account in the internal database with the local-userdb-guest modify command, or delete an account with the local-userdb-guest del command.
By default, the internal database in the master controller is used for authentication. Issue the aaa authentication-server internal use-local-switch command to use the internal database in a local controller; you then need to add user accounts to the internal database in the local controller.
Example
The following command adds a guest user in the internal database with an automatically-generated username and
password:
(host) #local-userdb-guest add generate-username generate-password expiry none
The following information is displayed when you enter the command:
GuestConnect
Username: guest-5433352
Password: mBgJ6764
Expiration: none
Related Commands
Command | Description | Mode
show local-userdb-guest | Show the parameters configured using the local-userdb-guest command. | Enable and Config modes
show local-userdb | Show the parameters configured using the local-userdb command. | Enable and Config modes
Command History
Introduced in ArubaOS 3.4.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system. The role parameter requires the PEFNG license. | Enable and config modes on master controllers.
local-userdb-remote-node (deprecated)
local-userdb-remote-node add mac-address <mac-address> remote-node-profile
<remote-node-profile>
del mac-address <mac-address>
Description
This command adds a Remote Node to the Remote Node whitelist. You can also delete the whitelist entry using this
command.
Syntax
Parameter | Description | Range | Default
mac-address <mac-address> | MAC address of the Remote Node in colon-separated six-octet format. | — | —
remote-node-profile <remote-node-profile> | The Remote Node configuration profile to be assigned to that Remote Node. | 1–64 characters | —
Usage Guidelines
A Remote Node-master can only assign a configuration profile to a Remote Node in its Remote Node whitelist. To
assign a different configuration to an unprovisioned Remote Node, you must delete the whitelist entry and create a
new Remote Node whitelist entry with the correct Remote Node configuration profile. A remote-node profile has to
be validated before it is configured and pushed to a Remote Node.
Example
This example adds the Remote Node profile named Location_1 to the Remote Node whitelist.
(remote-node-master) #local-userdb-remote-node add mac-address 00:16:CF:AF:3E:E1 remote-node-profile Location_1
This example removes a Remote Node from the Remote Node whitelist.
(remote-node-master)(config) #local-userdb-remote-node del mac-address 00:16:CF:AF:3E:E1
Related Commands
Command | Description | Mode
remote-node-localip (deprecated) | Configures security for all Remote Node and Remote Controller control traffic. | Config mode
remote-node-masterip (deprecated) | Configures security for the Remote Node master IP address. | Config mode
remote-node-profile (deprecated) | The remote-node-profile command lets you create a Remote Node profile. | Config mode
show remote-node (deprecated) | Shows Remote Node configuration, dhcp instance, license usage and running configuration information. | Enable and Config mode
show remote-node-dhcp-pool (deprecated) | Shows Remote Node dhcp pool configuration information. | Enable and Config mode
show remote-node-profile (deprecated) | Shows Remote Node profile status information. | Enable and Config mode
show local-userdb-remote-node (deprecated) | The output of this command lists the MAC address and assigned Remote Node profile of each Remote Node associated with that Remote Node master. | Enable and Config mode
Command History
Version | Modification
ArubaOS 6.0 | Command introduced.
ArubaOS 6.2 | Command was deprecated.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system. | Enable mode on master controllers.
local-userdb add
local-userdb add {generate-username|username <name>} {generate-password|password <passwd>} [comment <g_comments>] [email <email>] [expiry {duration <minutes>|time <mm/dd/yyyy> <hh:mm>}] [guest-company <g_company>] [guest-fullname <g_fullname>] [guest-phone <g-phone>] [mode disable] [opt-field-1 <opt1>] [opt-field-2 <opt2>] [opt-field-3 <opt3>] [opt-field-4 <opt4>] [remote-ip <ip-addr>] [role <role>] [sponsor-dept <sp_dept>] [sponsor-mail <sp_email>] [sponsor-fullname <sp_fullname>] [sponsor-name <sp_name>] [start-time <mm/dd/yyyy> <hh:mm>]
Description
This command creates a user account entry in the controller’s internal database.
Syntax
Parameter | Description | Range | Default
generate-username | Automatically generate and add a username. | — | —
username | Add the specified username. | 1–64 characters | —
generate-password | Automatically generate a password for the username. | — | —
password | Add the specified password for the username. | 6–128 characters | —
comments | Comments added to the user account. | — | —
email | Email address for the user account. | — | —
expiry | Expiration for the user account. If this is not set, the account does not expire. | — | no expiration
duration | Duration, in minutes, for the user account. | 1–2147483647 | —
time | Date and time, in mm/dd/yyyy and hh:mm format, that the user account expires. | — | —
guest-company | Name of the guest’s company. NOTE: A guest is the person who needs guest access to the company’s Aruba wireless network. | — | —
guest-fullname | The guest’s full name. | — | —
guest-phone | The guest’s phone number. | — | —
mode | Enables or disables the user account. | — | Disable
opt-field-1 | This category can be used for some other purpose. For example, the optional category fields can be used for another person, such as a “Supervisor.” You can enter username, full name, department and email information into the optional fields. | — | —
opt-field-2 | Same as opt-field-1. | — | —
opt-field-3 | Same as opt-field-1. | — | —
opt-field-4 | Same as opt-field-1. | — | —
remote-ip | IP address assigned to the remote peer. | — | —
role | Role for the user. This role takes effect when the internal database is specified in a server group profile with a server derivation rule. If there is no server derivation rule configured, then the user is assigned the default role for the authentication method. | — | guest
sponsor-dept | The guest sponsor’s department name. NOTE: A sponsor is the guest's primary contact for the visit. | — | —
sponsor-email | The sponsor’s email address. | — | —
sponsor-fullname | The sponsor’s full name. | — | —
sponsor-name | The sponsor’s name. | — | —
start-time | Date and time, in mm/dd/yyyy and hh:mm format, the guest account begins. | — | —
Usage Guidelines
When you specify the internal database as an authentication server, client information is checked against the user accounts in the internal database. You can modify an existing user account in the internal database with the local-userdb modify command, or delete an account with the local-userdb del command.
By default, the internal database in the master controller is used for authentication. Issue the aaa authentication-server internal use-local-switch command to use the internal database in a local controller; you then need to add user accounts to the internal database in the local controller.
Example
The following command adds a user account in the internal database with an automatically-generated username and
password:
(host) #local-userdb add generate-username generate-password expiry duration 480
The following information is displayed when you enter the command:
GuestConnect
Username: guest4157
Password: cDFD1675
Expiration: 480 minutes
Related Commands
Command | Description | Mode
show local-userdb | Use this command to show the parameters displayed in the output of this command. | Enable and Config modes
show local-userdb-guest | Use this command to show the parameters displayed in the output of the local-userdb-guest add command. | Enable and Config modes
mgmt-user | Use the webui-cacert <certificate name> command if you want an external authentication server to derive the management user role. This is helpful if there are a large number of users who need to be authenticated. Use the mgmt-user webui-cacert <certificate_name> serial <number> <username> <role> command if you want the authentication process to use a previously configured certificate name and serial number to derive the user role. | Config mode
Command History
Version | Modification
ArubaOS 3.0 | Introduced for the first time.
ArubaOS 3.4 | The guest, sponsor and optional field parameters were added.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system. The role parameter requires the PEFNG license. | Enable mode on master controllers.
localip
localip <ipaddr>
ipsec <key>
Description
This command configures the IP address and preshared key for the local controller on a master controller.
Syntax
Parameter | Description
<ipaddr> | IP address of the local controller. Use the 0.0.0.0 address to configure a global preshared key for all inter-controller communications.
ipsec <key> | To establish the master-local IPsec tunnel using IKEv1, enter a preshared key between 6-64 characters.
Usage Guidelines
Use this command on a master controller to configure the IP address and preshared key or certificates for
communication with a local controller. On the local controller, use the masterip command to configure the IP
address and preshared key for the master controller.
If your master and local controllers use a pre-shared key for authentication, they will create the IPsec tunnel using
IKEv1.
Example
The following command configures the local controller with a pre-shared key:
(host) (config) #localip 0.0.0.0 ipsec gw1234xyz
Command History
Command introduced in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
local-userdb-ap del
local-userdb-ap del mac-address <mac-addr> [all]
Description
This command deletes a Remote AP entry from the obsolete Remote AP database.
Syntax
Parameter | Description
mac-address <mac-addr> | MAC address of the remote AP to be removed from the Remote AP database.
all | Remove all entries from the whitelist.
Usage Guidelines
When you upgrade from ArubaOS 5.0-6.1 to ArubaOS 6.2 or later, the remote AP whitelist table will automatically
move from the legacy remote AP whitelist to the newer remote AP whitelist. Issue the local-userdb-ap del
command to delete any AP entries that did not properly move to the new table during the upgrade procedure. Entries
in the newer remote AP whitelist can be removed using the command whitelist-db rap del.
Example
The example below deletes a Remote AP from the obsolete Remote AP whitelist.
(host)(config) #local-userdb-ap del mac-address 00:0b:86:c3:58:38
Related Commands
Command | Description
show local-userdb-ap | Display the obsolete Remote AP whitelist.
whitelist-db rap del | Delete a remote AP from the current remote AP whitelist table.
Command History
Version | Modification
ArubaOS 3.0 | Command introduced.
ArubaOS 6.3 | The all parameter was added to delete all entries from the obsolete remote AP database.
local-userdb-ap modify (deprecated)
local-userdb-ap modify mac-address <macaddr>
ap-name <ap-name>
description <desc>
full-name <full-name>
remote-ip <ip-addr>
Description
This command modifies a Remote AP entry in the Remote AP whitelist table.
Command History
Version | Modification
ArubaOS 3.0 | Command introduced.
ArubaOS 6.2 | Command replaced by whitelist-db rap modify.
local-userdb-ap revoke (deprecated)
local-userdb-ap revoke mac-address <macaddr>
revoke-comment <comment>
Description
Revoke a lost or stolen remote AP to prevent unauthorized users from accessing the company’s corporate network.
Command History
Version | Modification
ArubaOS 3.0 | Command introduced.
ArubaOS 6.2 | Command deprecated. For ArubaOS 6.3 or later, use whitelist-db cpsec revoke.
local-userdb del
local-userdb {del username <name>|del-all}
Description
This command deletes entries in the controller’s internal database.
Syntax
Parameter | Description
del username | Deletes the user account for the specified username.
del-all | Deletes all entries in the internal database.
Usage Guidelines
User account entries created with expirations are automatically deleted from the internal database at the specified
expiration. Use this command to delete an entry before its expiration or to delete an entry that was created without an
expiration.
Example
The following command deletes a specific user account entry:
(host)#local-userdb del username guest4157
Command History
Introduced in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Enable mode on master controllers.
local-userdb export
local-userdb export <filename>
Description
This command exports the internal database to a file.
Use this command with caution. It replaces the existing users with user entries from the imported file.
Syntax
Parameter | Description
export | Saves the internal database to the specified file in flash.
Usage Guidelines
After using this command, you can use the copy command to transfer the file from flash to another location.
Example
The following command saves the internal database to a file:
(host)#local-userdb export jan-userdb
Command History
Introduced in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Enable mode on master controllers.
local-userdb fix-database
local-userdb fix-database
Description
This command deletes and reinitializes the internal database.
Syntax
No parameters.
Usage Guidelines
Before using this command, you can save the internal database with the local-userdb export command.
Command History
Introduced in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Enable mode on master controllers.
local-userdb-guest del
local-userdb-guest {del username <name>|del-all}
Description
This command deletes entries in the controller’s internal database.
Syntax
Parameter | Description
del username | Deletes the user account for the specified username.
del-all | Deletes all entries in the internal database.
Usage Guidelines
User account entries created with expirations are automatically deleted from the internal database at the specified
expiration. Use this command to delete an entry before its expiration or to delete an entry that was created without an
expiration.
Example
The following command deletes a specific user account entry:
(host) #local-userdb-guest del username guest4157
Command History
Introduced in ArubaOS 3.4.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Enable and config modes on master controllers.
local-userdb-guest modify
local-userdb-guest modify username <name> [comments <g_comments>] [email <email>] [expiry {duration <minutes>|time <mm/dd/yyyy> <hh:mm>}] [guest-company <g_company>] [guest-fullname <g_fullname>] [guest-phone <g-phone>] [mode disable] [opt-field-1 <opt1>] [opt-field-2 <opt2>] [opt-field-3 <opt3>] [opt-field-4 <opt4>] [password <passwd>] [sponsor-dept <sp_dept>] [sponsor-mail <sp_email>] [sponsor-fullname <sp_fullname>] [sponsor-name <sp_name>] [start-time <mm/dd/yyyy> <hh:mm>]
Description
This command modifies an existing guest user entry in the controller’s internal database.
Syntax
Parameter | Description | Range | Default
username | Name of the existing user account entry. | 1–64 characters | —
comments | Comments added to the user account. | — | —
email | Email address for the user account. | — | —
expiry | Expiration for the user account. If this is not set, the account does not expire. | — | no expiration
duration | Duration, in minutes, for the user account. | 1–2147483647 | —
time | Date and time, in mm/dd/yyyy and hh:mm format, that the user account expires. | — | —
guest-company | Name of the guest’s company. NOTE: A guest is the person who needs guest access to the company’s Aruba wireless network. | — | —
guest-fullname | The guest’s full name. | — | —
guest-phone | The guest’s phone number. | — | —
mode | Enables or disables the user account. | — | Disable
opt-field-1 | This category can be used for some other purpose. For example, the optional category fields can be used for another person, such as a “Supervisor.” You can enter username, full name, department and email information into the optional fields. | — | —
opt-field-2 | Same as opt-field-1. | — | —
opt-field-3 | Same as opt-field-1. | — | —
opt-field-4 | Same as opt-field-1. | — | —
password | User’s password. | 1–6 characters | —
sponsor-dept | The guest sponsor’s department name. NOTE: A sponsor is the guest's primary contact for the visit. | — | —
sponsor-email | The sponsor’s email address. | — | —
sponsor-fullname | The sponsor’s full name. | — | —
sponsor-name | The sponsor’s name. | — | —
start-time | Date and time, in mm/dd/yyyy and hh:mm format, the guest account begins. | — | —
Usage Guidelines
Use the show local-userdb-guest command to view the current user account entries in the internal database.
Example
The following command disables a guest user account in the internal database:
(host) #local-userdb-guest modify username guest4157 mode disable
Command History
Introduced in ArubaOS 3.4.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Enable and config modes on master controllers.
local-userdb-guest send-email
local-userdb-guest send-email <username> [to-guest][to-sponsor]
Description
This command causes the controller to send email to the guest and/or sponsor any time a guest user is created.
Syntax
Parameter | Description | Range | Default
<username> | Name of the guest. | 1–64 characters | —
to-guest | Allows you to send email to the guest user’s address. | — | —
to-sponsor | Allows you to send email to the sponsor’s email address. | — | —
Usage Guidelines
This command allows the guest provisioning user or network administrator to cause the controller to send email to the guest and/or sponsor any time a guest user is created.
Example
The following command causes the controller to send an email to the sponsor alerting them that the guest user
“Laura” was just created.
(host)# local-userdb-guest send-email Laura to-sponsor
Command History
Introduced in ArubaOS 3.4.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Enable mode on master controllers
local-userdb import
local-userdb import <filename>
Description
This command replaces the internal database with the specified file from flash.
Syntax
Parameter | Description
import | Replaces the internal database with the specified file.
Usage Guidelines
This command replaces the contents of the internal database with the contents in the specified file. The file must be
a valid internal database file saved with the local-userdb export command.
Example
The following command imports the specified file into the internal database:
(host)#local-userdb import jan-userdb
Command History
Introduced in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Enable mode on master controllers.
local-userdb maximum-expiration
local-userdb maximum-expiration <minutes>
Description
This command configures the maximum time, in minutes, that a guest account in the internal database can remain
valid.
Syntax
Parameter | Description | Range
maximum-expiration | Maximum time, in minutes, that a guest account in the internal database can remain valid. | 1–2147483647
Usage Guidelines
The user in the guest-provisioning role cannot create guest accounts that expire beyond the configured maximum
time. This command is not available to the user in the guest-provisioning role.
Example
The following command sets the maximum time for guest accounts in the internal database to 8 hours (480 minutes):
(host)(config)#local-userdb maximum-expiration 480
Command History
Introduced in ArubaOS 3.0.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Configuration mode on master controllers.
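The command line accepted by local-userdb-guest add and local-userdb add, built and range-checked in Python from the parameter tables above, together with a parser for the GuestConnect block those commands print. This is an added example, not ArubaOS code; the max_expiration argument is assumed to hold the value set with local-userdb maximum-expiration, and field values are assumed to need no quoting.

```python
"""Added example (not Aruba code): build a `local-userdb-guest add` command
line that respects the parameter ranges documented on this page, and parse
the GuestConnect block the controller prints back. The max_expiration
argument stands in for whatever was set with
`local-userdb maximum-expiration <minutes>` (assumed to be known)."""
import re
from datetime import datetime

# Ranges taken from the parameter tables on this page
USERNAME_LEN = (1, 64)
PASSWORD_LEN = (6, 128)
DURATION_RANGE = (1, 2147483647)
TIME_FORMAT = "%m/%d/%Y %H:%M"   # mm/dd/yyyy hh:mm


class GuestParamError(ValueError):
    """Raised when a field falls outside the documented range."""


def _token(name, value, lo, hi):
    # Emit a single CLI token: reject whitespace instead of guessing at
    # quoting rules (assumption: values in this example never need spaces).
    if not lo <= len(value) <= hi:
        raise GuestParamError(f"{name}: length {len(value)} not in {lo}-{hi}")
    if re.search(r"\s", value):
        raise GuestParamError(f"{name}: whitespace not allowed in this example")
    return value


def build_guest_add(username=None, password=None, duration=None,
                    expiry_time=None, max_expiration=None, disabled=False):
    """Return the command string. An omitted username or password falls
    back to the generate-* keyword; at most one expiry form may be given."""
    parts = ["local-userdb-guest add"]
    parts.append("generate-username" if username is None
                 else "username " + _token("username", username, *USERNAME_LEN))
    parts.append("generate-password" if password is None
                 else "password " + _token("password", password, *PASSWORD_LEN))
    if duration is not None and expiry_time is not None:
        raise GuestParamError("expiry: give duration or time, not both")
    if duration is not None:
        lo, hi = DURATION_RANGE
        if not lo <= duration <= hi:
            raise GuestParamError(f"duration {duration} not in {lo}-{hi}")
        # A guest-provisioning user cannot exceed local-userdb maximum-expiration
        if max_expiration is not None and duration > max_expiration:
            raise GuestParamError(
                f"duration {duration} exceeds maximum-expiration {max_expiration}")
        parts.append(f"expiry duration {duration}")
    elif expiry_time is not None:
        # Validate the mm/dd/yyyy hh:mm form before emitting it unchanged
        datetime.strptime(expiry_time, TIME_FORMAT)
        parts.append(f"expiry time {expiry_time}")
    if disabled:
        parts.append("mode disable")
    return " ".join(parts)


def guest_add_error(**kwargs):
    """Return the validation message for the given fields, or None if valid."""
    try:
        build_guest_add(**kwargs)
    except ValueError as exc:          # GuestParamError and strptime errors
        return str(exc)
    return None


def parse_guest_output(text):
    """Parse the GuestConnect block printed after `local-userdb-guest add`
    into a dict of username, password and expiration (None for 'none')."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Username|Password|Expiration):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    missing = {"username", "password", "expiration"} - fields.keys()
    if missing:
        raise ValueError(f"incomplete GuestConnect output, missing {sorted(missing)}")
    if fields["expiration"] == "none":
        fields["expiration"] = None
    return fields


# Constructed input, shaped like the output shown in the examples on this page
SAMPLE_OUTPUT = """GuestConnect
Username: guest-5433352
Password: mBgJ6764
Expiration: none
"""

if __name__ == "__main__":
    print(build_guest_add(duration=480, max_expiration=480))
    print(guest_add_error(duration=600, max_expiration=480))
    print(parse_guest_output(SAMPLE_OUTPUT))
```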
local-userdb modify
local-userdb modify username <name> [comments <g_comments>] [email <email>] [expiry {duration <minutes>|time <mm/dd/yyyy> <hh:mm>}] [guest-company <g_company>] [guest-fullname <g_fullname>] [guest-phone <g-phone>] [mode disable] [opt-field-1 <opt1>] [opt-field-2 <opt2>] [opt-field-3 <opt3>] [opt-field-4 <opt4>] [remote-ip <ip-addr>] [role <role>] [sponsor-dept <sp_dept>] [sponsor-mail <sp_email>] [sponsor-fullname <sp_fullname>] [sponsor-name <sp_name>] [start-time <mm/dd/yyyy> <hh:mm>]
Description
This command modifies an existing user account entry in the controller’s internal database.
Syntax
Parameter | Description | Range | Default
username | Name of the existing user account entry. | 1–64 characters | —
comments | Comments added to the user account. | — | —
email | Email address for the user account. | — | —
expiry | Expiration for the user account. If this is not set, the account does not expire. | — | no expiration
duration | Duration, in minutes, for the user account. | 1–2147483647 | —
time | Date and time, in mm/dd/yyyy and hh:mm format, that the user account expires. | — | —
guest-company | Name of the guest’s company. NOTE: A guest is the person who needs guest access to the company’s Aruba wireless network. | — | —
guest-fullname | The guest’s full name. | — | —
guest-phone | The guest’s phone number. | — | —
mode | Enables or disables the user account. | — | Disable
opt-field-1 | This category can be used for some other purpose. For example, the optional category fields can be used for another person, such as a “Supervisor.” You can enter username, full name, department and email information into the optional fields. | — | —
opt-field-2 | Same as opt-field-1. | — | —
opt-field-3 | Same as opt-field-1. | — | —
opt-field-4 | Same as opt-field-1. | — | —
remote-ip | IP address assigned to the remote peer. | — | —
role | Role for the user. This parameter requires the PEFNG license. | — | guest
sponsor-dept | The guest sponsor’s department name. NOTE: A sponsor is the guest's primary contact for the visit. | — | —
sponsor-email | The sponsor’s email address. | — | —
sponsor-fullname | The sponsor’s full name. | — | —
sponsor-name | The sponsor’s name. | — | —
start-time | Date and time, in mm/dd/yyyy and hh:mm format, the guest account begins. | — | —
Usage Guidelines
Use the show local-userdb command to view the current user account entries in the internal database.
Example
The following command disables an existing user account in the internal database:
(host)# local-userdb modify username guest4157 mode disable
Command History
Version | Modification
ArubaOS 3.0 | Introduced for the first time.
ArubaOS 3.4 | The guest, sponsor and optional parameters were added.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Enable mode on master controllers.
local-userdb send-to-guest
local-userdb send-to-guest
Description
This command automatically sends email to the guest when the guest user is created.
Syntax
No parameters.
Usage Guidelines
A guest is the person who needs guest access to the company’s Aruba wireless network. Email is sent directly to the guest after the guest user is created. When configuring the guest provisioning feature, the guest user is generally created by the Guest Provisioning user. This is the person who is responsible for signing in guests at your company.
Example
(host)(config) #local-userdb send-to-guest
Command History
Introduced in ArubaOS 3.4.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Configuration mode on master controllers.
local-userdb send-to-sponsor
local-userdb send-to-sponsor
Description
This command automatically sends email to the guest’s sponsor when the guest user is created.
Syntax
No parameters.
Usage Guidelines
The sponsor is the guest's primary contact. Email is sent directly to the guest’s sponsor after the guest user is created. When configuring the guest provisioning feature, the sponsor is generally created by the Guest Provisioning user. This is the person who is responsible for signing in guests at your company.
Example
(host)(config)#local-userdb send-to-sponsor
Command History
Introduced in ArubaOS 3.4.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Configuration mode on master controllers.
location
location <string>
Description
This command configures the location of the controller.
Syntax
Parameter | Description
location | A text string that specifies the system location.
Usage Guidelines
Use this command to indicate the location of the controller. You can use a combination of numbers, letters,
characters, and spaces to create the name. To include a space in the name, use quotation marks to enclose the text
string.
To change the existing name, enter the command with a different string. To unconfigure the location, enter “” at the
prompt.
Example
The following command configures the location:
(host) (config) #location "Building 10, second floor, room 21E"
Command History
Introduced in ArubaOS 3.0
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
location-server-feed
location-server-feed {enable|disable}
Description
This command enables or disables the feed that sends RSSI information from APs to a location management server.
Syntax
Parameter | Description
enable | Enable the feed that sends RSSI information to a location management server. This feature is disabled by default.
disable | Disable the feed that sends RSSI information to a location management server. This feature is disabled by default.
Usage Guidelines
This command allows APs to send RSSI information to a location management server, which can use
that information to compute the location of stations seen in the network.
Example
The following command enables the feed that sends RSSI information to a location management server:
(host) (config) #location-server-feed enable
Command History
Introduced in ArubaOS 6.3
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
logging
logging [ipaddr|ipv6addr|facility|level]
Description
Use this command to specify the IP address of the remote logging server, facility, severity, and the type.
Syntax
Parameter | Description | Range
ipaddr | To set the remote logging server IPv4 address. | A.B.C.D
ipv6addr | To set the remote logging server IPv6 address. | X:X:X:X::X
facility | To set the remote logging server facility. | local0 to local7
level | To set the logging level up to which the messages are logged. | —
Usage Guidelines
The local use facilities (local0, local1, local2, local3, local4, local5, local6, and local7) are not reserved for specific
message-generating sources, and can be used for sending syslog messages. Use the show logging command to
verify that the device sends logging messages.
Example
The following command adds the remote logging server with the IP address 10.1.2.3 with a user log type using
local4.
(host) (config) #logging 1.1.1.1 user facility local4
Command History
Release | Modification
ArubaOS 6.0 | Command introduced.
ArubaOS 6.3 | The severity and type parameters were deprecated. The ipv6addr parameter was introduced.
Command Information
Platform | License | Command Mode
Available on all platforms | Available in the base operating system | Config mode on master controllers
logging facility
logging facility <facility>
Description
Use this command to set the facility to use when logging to the remote syslog server.
Syntax
Parameter | Description | Range
<facility> | The facility to use when logging to a remote syslog server. | local0 to local7
Usage Guidelines
The local use facilities (local0, local1, local2, local3, local4, local5, local6, and local7) are not reserved for specific
message-generating sources, and can be used for sending syslog messages.
Example
The following command sets the facility to local4.
(host) (config) #logging facility local4
Command History
Introduced in ArubaOS 2.5
Command Information
Platform                     License                                   Command Mode
Available on all platforms   Available in the base operating system    Config mode on master controllers
logging level
logging level <level> <category> [process <process>] [subcat <subcategory>]
Description
Use this command to set the categories or subcategories and the severity levels of messages that are logged.
Syntax
Parameter     Description
<level>       The message severity level, which can be one of the following (in order of severity level):
              emergencies     (0) Panic conditions that occur when the system becomes unstable.
              alerts          (1) Any condition requiring immediate attention and correction.
              critical        (2) Any critical conditions, such as hard drive errors.
              errors          (3) Error conditions.
              warnings        (4) Warning messages.
              notifications   (5) Significant events of a non-critical and normal nature.
              informational   (6) Messages of general interest to system users.
              debugging       (7) Messages containing information for debugging purposes.
<category>    Message category, which can be one of the following:
              ap-debug        AP troubleshooting messages. You must specify a debug value.
              network         Network messages.
              arm-user-debug  ARM user troubleshooting messages. You must specify a MAC address.
              security        Security messages.
              system          System messages.
              user            User messages.
              user-debug      User troubleshooting messages. You must specify a MAC address.
              wireless        Wireless messages.
process       Controller process, which can be one of the following:
              aaa             AAA logging
              activate        Integration and communication with an Activate server
              approc          AP processes
              armd            ARM processes
              authmgr         User authentication
              certmgr         Certificate manager
              cfgm            Configuration Manager
              cpsec           Control plane security
              crypto          VPN (IKE/IPsec)
              cts             Transport service
              dbsync          Database synchronization
              dds             Logging for DDS processes
              dhcpd           DHCP packets
              esi             External Services Interface
              extifmgr        External Interface Manager
              fpapps          Layer 2 and 3 control
              fw_visibility   Firewall visibility processes
              gsmmgr          GSM manager
              ha_mgr          High availability manager
              httpd           Apache
              hwmon           Hardware monitoring
              iapmgr          Instant AP manager process
              ipstm           Instant station manager process
              l2tp            L2TP
              licensemgr      License manager
              localdb         Local database
              mdns            Multicast DNS proxy
              mobileip        Mobile IP
              OSPF            OSPF logging
              packetfilter    Packet filtering of messaging and control frames
              phonehome       PhoneHome
              pim             Protocol Independent Multicast
              pppoed          PPPoE
              pptp            PPTP
              processes       Run-time processes
              profmgr         Profile Manager
              publisher       Publish subscribe service
              ravd            Router Advertisement daemon
              rfm             RF Troubleshooting Manager
              snmp            SNMP
              spectrum        Spectrum analysis processes
              stm             Station management
              syslogdwrap     Syslogd wrap
              traffic         Traffic
              ucm             UCM processes
              wms             Wireless management (master controller only)
subcat        Message subcategory, which depends upon the message category specified. The subcategories
              available for each message category are:
              - ap-debug: all
              - network: all, dhcp, mobility, packet-dump
              - security: aaa, all, dot1x, firewall, ike, mobility, packet-trace, vpn, webserver
              - system: all, configuration, messages, snmp, webserver, amon
              - user: all, captive-portal, dot1x, radius, voice, vpn
              - user-debug: all, configuration
              - wireless: all
Usage Guidelines
There are eight logging severity levels, each with its associated types of messages. Each level also includes the
levels below it. For example, if you set the logging level to informational (6), all messages from level 0 through level 5
(from emergencies through notifications) are also logged. The warnings severity level is set by default for all
message categories.
Only the logging level warnings security subcat ids and logging level warnings security subcat ids-ap
subcategories are enabled by default. Other subcategories are not generated by default, even if their severity is
warning or higher. Issue the logging level command to enable any other message subcategory you need.
Example
The following command logs critical system messages.
logging level critical system
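The facility and severity rules above, as an added example that is not part of the ArubaOS reference: it models which severities a configured logging level emits, computes the syslog PRI a collector sees for a given facility and severity, and audits constructed collector lines against the configuration (the line format and the audit helper are assumptions, not controller behaviour).

```python
"""Added example, not from the ArubaOS reference: models the severity and
facility semantics of `logging level <level> <category>` and
`logging <server> facility localN`, and decodes the PRI field of syslog lines
a collector receives so a defender can check the controller sends what was
configured. The sample lines below are constructed."""
import re

# Severity names in the order the reference lists them (0 = emergencies).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
# Numeric syslog facility codes for the local-use facilities local0..local7.
LOCAL_FACILITIES = {f"local{i}": 16 + i for i in range(8)}
FACILITY_NAMES = {code: name for name, code in LOCAL_FACILITIES.items()}


def is_logged(configured_level: str, message_severity: str) -> bool:
    """A configured level includes every level numerically below it:
    'warnings' (4) logs levels 0-4, 'informational' (6) logs levels 0-6."""
    return SEVERITIES.index(message_severity) <= SEVERITIES.index(configured_level)


def syslog_pri(facility: str, severity: str) -> int:
    """PRI as carried on the wire: facility code * 8 + severity number."""
    return LOCAL_FACILITIES[facility] * 8 + SEVERITIES.index(severity)


PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line: str):
    """Return (facility_name, severity_name) of a '<PRI>...' syslog line, or None."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility_code, severity_num = divmod(int(m.group(1)), 8)
    facility = FACILITY_NAMES.get(facility_code, f"facility{facility_code}")
    return facility, SEVERITIES[severity_num]


def audit_collector(lines, facility: str, level: str):
    """Split received lines into those consistent with `logging ... facility
    <facility>` plus `logging level <level>` and those that are not (a
    different facility, or a severity the configured level would not emit)."""
    expected, unexpected = [], []
    for line in lines:
        decoded = decode_pri(line)
        if decoded and decoded[0] == facility and is_logged(level, decoded[1]):
            expected.append(line)
        else:
            unexpected.append(line)
    return expected, unexpected


# Constructed sample input: local4 is facility 20, so PRI 163 = local4/errors,
# 164 = local4/warnings, 166 = local4/informational; 14 = facility 1/informational.
SAMPLE_LINES = [
    "<163>Jan  1 00:00:01 host authmgr[1]: constructed error message",
    "<164>Jan  1 00:00:02 host stm[2]: constructed warning message",
    "<166>Jan  1 00:00:03 host fpapps[3]: constructed informational message",
    "<14>Jan  1 00:00:04 otherhost cron[4]: constructed message from another facility",
]

if __name__ == "__main__":
    ok, odd = audit_collector(SAMPLE_LINES, "local4", "warnings")
    print(len(ok), "expected,", len(odd), "unexpected")
```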
Command History
Version       Description
ArubaOS 2.5   Command introduced
ArubaOS 6.3   - A new subcategory amon is added in the logging level command to account for AMON related logging messages.
              - A new process mdns is added to view mDNS debug messages.
ArubaOS 6.4   A new process category ha_mgr is added to manage high availability processes.
Command Information
Platform                     License                                   Command Mode
Available on all platforms   Available in the base operating system    Config mode on master and local controllers
loginsession
loginsession timeout <minutes>
Description
This command configures the time a management session (via Telnet or SSH) remains active without user activity.
Syntax
Parameter   Description                                          Range                                         Default
timeout     Number of seconds or minutes that a management       5-60 minutes or 13600 seconds, 0 to disable   15 minutes
            session remains active without any user activity.
Usage Guidelines
The management user must re-login to the controller after a Telnet or SSH session times out. If you set the timeout
value to 0, sessions do not time out. The TCP session timeout for wireless and wired user sessions through the
controller is 15 minutes; this timeout for user sessions is not configurable.
Example
The following command configures management sessions on the controller to not time out:
(host) (config) #loginsession timeout 0
Command History
This command was available in ArubaOS 3.0
Command Information
Platform                     License                      Command Mode
Available on all platforms   Requires the PEFNG license   Config mode on master controllers
logout
logout
Description
This command exits the current CLI session.
Syntax
No parameters.
Usage Guidelines
Use this command to leave the current CLI session and return to the user login.
Example
The following command exits the CLI session:
(host) >logout
User:
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms       Licensing               Command Mode
All platforms   Base operating system   User mode on local or master controllers
mac-address-table
mac-address-table static <macaddr> {fastethernet|gigabitethernet} <slot>/<port> vlan <vlan>
Description
This command adds a static entry to the MAC address table.
Syntax
Parameter   Description                                                                            Range
<macaddr>   Media Access Control (MAC) address, in the format xx:xx:xx:xx:xx:xx.                   —
<slot>      <slot> is always 1 except for the 6000 Controller, where the slots can be 1, 2, or 3.   —
<port>      Number assigned to the network interface embedded in the controller or in the line       —
            card installed in the 6000 Controller. Port numbers start at 0 from the left-most
            position.
vlan        ID number of the VLAN.                                                                 1-4094
Usage Guidelines
The MAC address table is used to forward traffic between ports on the controller. The table includes addresses
learned by the controller. This command allows you to manually enter static addresses that are bound to specific
ports and VLANs.
Example
The following command configures a MAC address table entry:
(host) (config) #mac-address-table static 00:0b:86:f0:05:60 fastethernet 1/12 vlan 22
Command History
Available in ArubaOS 3.0
Command Information
Platform                     License                                   Command Mode
Available on all platforms   Available in the base operating system    Config mode on master and local controllers
master-redundancy master-vrrp
master-redundancy master-vrrp <id>
Description
This command associates a VRRP instance with master controller redundancy.
Syntax
Parameter   Description                                                                     Range
<id>        The virtual router ID for the VRRP instance configured with the vrrp command.   1-255
Usage Guidelines
To maintain a highly redundant network, you can use a controller as a standby for the master controller. The
underlying protocol used is VRRP which you configure using the vrrp command.
Example
The following command configures VRRP for the initially preferred master controller:
(host) (config) #vrrp 22
vlan 22
ip address 10.200.22.254
priority 110
preempt
description Preferred-Master
tracking master-up-time 30 add 20
no shutdown
master-redundancy
master-vrrp 22
peer-ip-address 192.168.2.1 ipsec qwerTY012
The following shows the corresponding VRRP configuration for the peer controller.
(host) (config) #vrrp 22
vlan 22
ip address 10.200.22.254
priority 100
preempt
description Backup-Master
tracking master-up-time 30 add 20
no shutdown
master-redundancy
master-vrrp 22
peer-ip-address 192.168.22.1 ipsec qwerTY012
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms       Licensing               Command Mode
All platforms   Base operating system   Config mode on master controllers
masterip
masterip <ipaddr>
ipsec <key> [interface uplink|{vlan <id>}] [fqdn <fqdn>]
ipsec-custom-cert master-mac1 <mac1> [master-mac2 <mac2>] ca-cert <ca> server-cert <cert> [interface uplink|{vlan <id>}] [fqdn <fqdn>] [suite-b gcm-128|gcm-256]
ipsec-factory-cert master-mac1 <mac1> [master-mac2 <mac2>] [interface uplink|{vlan <id>}] [fqdn <fqdn>]
Description
This command configures the IP address and preshared key or certificate for the master controller on a local
controller.
Syntax
Parameter              Description
<ipaddr>               IP address of the master controller.
ipsec <key>            To establish the master-local IPsec tunnel using IKEv1, enter a preshared key between
                       6-64 characters.
ipsec-custom-cert      Use a custom-installed certificate on the master controller to establish a master-local
                       IPsec tunnel using IKEv2.
  master-mac1 <mac1>   The MAC address of the certificate on the master.
  master-mac2 <mac2>   (Optional) The MAC address of the certificate on the backup master controller.
  ca-cert <ca>         User-defined name of a trusted CA certificate installed on the master controller. Use the
                       show crypto-local pki TrustedCA command to display the CA certificates that have been
                       imported into the controller.
  server-cert <cert>   User-defined name of a server certificate installed on the master controller. Use the
                       show crypto-local pki ServerCert command to display the server certificates that have
                       been imported into the controller.
  interface            Specify the uplink or VLAN interface on the master controller to initiate IKE.
    uplink             Use the master controller’s current active uplink to initiate IKE.
    vlan <id>          Specify a VLAN interface on the master controller to initiate IKE. If you do not specify a
                       VLAN, the controller IP will be used.
  fqdn <fqdn>          Identify a dynamically addressed local controller by entering the Fully Qualified Domain
                       Name (FQDN) of the controller.
  suite-b              If you configure your master and local controllers to use IKEv2 and custom-installed
                       certificates, you can optionally use Suite-B cryptographic algorithms for IPsec
                       encryption. Specify one of the following options:
                       - gcm-128: Use 128-bit AES-GCM Suite-B encryption
                       - gcm-256: Use 256-bit AES-GCM Suite-B encryption
ipsec-factory-cert     Use the factory-installed certificate on the master controller to establish a master-local
                       IPsec tunnel using IKEv2.
  master-mac1 <mac1>   The MAC address of the certificate on the master.
  master-mac2 <mac2>   (Optional) The MAC address of the certificate on the backup master controller.
  interface            Specify the uplink or VLAN interface on the master controller to initiate IKE.
    uplink             Use the master controller’s current active uplink to initiate IKE.
    vlan <id>          Specify a VLAN interface on the master controller to initiate IKE. If you do not specify a
                       VLAN, the controller IP will be used.
  fqdn <fqdn>          Identify a dynamically addressed local controller by entering the Fully Qualified Domain
                       Name (FQDN) of the controller.
Usage Guidelines
Use this command on a local controller to configure the IP address and preshared key or certificate for secure
communication with the master controller. On the master controller, use the localip command to configure the IP
address and preshared key or certificate for a local controller.
Changing the IP address of the master on a local controller requires a reboot of the local controller.
If your master and local controllers use a pre-shared key for authentication, they will create the IPsec tunnel using
IKEv1. If your master and local controllers use certificates for authentication, the IPsec tunnel will be created using
IKEv2.
Example
The following command configures the master controller with a pre-shared key:
(host) (config) #masterip 10.1.1.250 ipsec gw1234567
Command History
Release
Modification
ArubaOS 3.0
Command introduced.
ArubaOS 6.1
The ipsec-factory-cert and ipsec-custom-cert parameters were introduced to
allow certificate-based authentication of master and local controllers.
Command Information
Platform                     License                                                                Command Mode
Available on all platforms   The suite-b gcm-128 and suite-b gcm-256 encryption options for IPsec   Config mode on local controllers
                             custom certificates require the Advanced Cryptography (ACR) license.
                             All other parameters are available in the base operating system.
master-redundancy peer-ip
master-redundancy peer-ip <ipaddr>
ipsec <key>
ipsec-custom-cert master-mac <mac> ca-cert <ca> server-cert <cert> [suite-b gcm-128|gcm-256]
ipsec-factory-cert master-mac <mac>
Description
This command configures the IP address and preshared key or certificate for a redundant master controller on
another master controller.
Syntax
Parameter              Description
<ipaddr>               IP address of the redundant controller. Use the 0.0.0.0 address to configure a global
                       preshared key for all inter-controller communications.
ipsec <key>            To establish the master-master IPsec tunnel using IKEv1, enter a preshared key between
                       6-64 characters.
ipsec-custom-cert      Use a custom-installed certificate on the controller to establish the master-master IPsec
                       tunnel using IKEv2.
  master-mac <mac>     The MAC address of the certificate on the redundant master controller.
  ca-cert <ca>         User-defined name of a trusted CA certificate installed on the redundant master
                       controller. Use the show crypto-local pki TrustedCA command to display the CA
                       certificates that have been imported into the controller.
  server-cert <cert>   User-defined name of a server certificate installed on the redundant master controller.
                       Use the show crypto-local pki ServerCert command to display the server certificates
                       that have been imported into the controller.
  suite-b              If you configure your master controllers to use IKEv2 and custom-installed certificates,
                       you can optionally use Suite-B cryptographic algorithms for IPsec encryption. Specify
                       one of the following options:
                       - gcm-128: Use 128-bit AES-GCM Suite-B encryption
                       - gcm-256: Use 256-bit AES-GCM Suite-B encryption
ipsec-factory-cert     Use the factory-installed certificate on the master controller to establish a master-local
                       IPsec tunnel using IKEv2.
  master-mac <mac>     The MAC address of the certificate on the redundant master controller.
Usage Guidelines
Use this command on a master controller to configure the IP address and preshared key or certificates for
communication with a redundant master controller.
If your master controllers use a pre-shared key for authentication, they will create the IPsec tunnel using IKEv1. If
your master and local controllers use certificates for authentication, the IPsec tunnel will be created using IKEv2.
Example
The following command configures the redundant master controller peer on a master controller:
(host) (config) #peer-ip 10.4.62.5 ipsec-custom-cert master-mac 00:02:2D:11:55:4D ca-cert cacert1 server-cert server1
Command History
Release       Modification
ArubaOS 3.0   Command introduced.
ArubaOS 6.1   The ipsec-factory-cert and ipsec-custom-cert parameters were introduced to allow
              certificate-based authentication of master and local controllers.
Command Information
Platform                     License                                                                Command Mode
Available on all platforms   The suite-b gcm-128 and suite-b gcm-256 encryption options for IPsec   Config mode on master controllers
                             custom certificates require the Advanced Cryptography (ACR) license.
                             All other parameters are available in the base operating system.
mgmt-server profile
mgmt-server profile <profile-name>
clone
airgroupinfo-enable
location-enable
misc-enable
monitored-info-enable
monitored-stats-enable
no
sessions-enable
stats-enable
tag-enable
uccmonitoring-enable
voiceinfo-enable
Description
Configure a management server profile on the controller for an AirWave management server or for an Analytics
Location Engine (ALE) that should receive Advanced Monitoring (AMON) protocol messages filtered based on the
profile settings. The default profiles provided for the AMP server (default-amp) and ALE (default-ale) are editable
using this command.
Syntax
Parameter                Description
<profile-name>           Associate the controller to an AirWave management server by entering the IP address of
                         the AirWave server.
clone                    Use this command to copy from another configuration profile.
airgroup-enable          Enables information about the AirGroup feature.
location-enable          Enables Station RSSI/AP Neighbor messages.
misc-enable              Enables AP system statistics, specifications, and station steer information.
monitored-info-enable    Enables monitored AP or station information.
monitored-stats-enable   Enables monitored AP or station statistics.
no                       Disables the specified messages.
sessions-enable          Enables firewall DNA, application, and aggregate sessions.
stats-enable             Enables statistics for radios, virtual APs, and clients.
tag-enable               Enables tag messages.
uccmonitoring-enable     Enables messages about the unified communications manager.
voiceinfo-enable         Enables voice call records.
Usage Guidelines
Use this command to create a new management server profile on the controller or to edit the default profiles.
If you delete a management server profile that is applied to a destination server, you must re-apply a different profile to
the server or re-create the same profile for the message filtering process to continue.
Example
The following command configures a management server profile:
(host) (config) #mgmt-server profile AMP-profile
(host) (Mgmt Config profile "AMP-profile") #location-enable
(host) (Mgmt Config profile "AMP-profile") #voiceinfo-enable
Command History
Release         Modification
ArubaOS 6.3.1   Command introduced.
ArubaOS 6.4     The uccmonitoring-enable and airgroup-enable parameters were introduced.
Command Information
Platforms       Licensing   Command Mode
All platforms               Config mode on master controllers
mgmt-server type
mgmt-server type
ale primary-server <ip-addr> profile <profile-name>
amp primary-server <ip-addr> profile <profile-name>
Description
Register a management server with the controller by specifying the IP address of an AirWave management server or
Analytics and Location Engine that should receive messages from the controller using the Advanced Monitoring
(AMON) protocol. You must also specify the management configuration profile in which the AMON message filtering
settings can be done.
Syntax
Parameter                                        Description
ale primary-server <ip-addr> profile <profile>   Associate the controller to the Analytics and Location Engine by
                                                 entering the IP address of the location server and the management
                                                 configuration profile.
amp primary-server <ip-addr> profile <profile>   Associate the controller to an AirWave management server by entering
                                                 the IP address of the AirWave server and the management configuration
                                                 profile.
Example
The following command defines a primary AirWave management server.
(host) (config) #mgmt-server type amp primary-server 192.168.6.2 profile default-amp
Command History
Release         Modification
ArubaOS 3.4     Command introduced.
ArubaOS 6.1     The secondary-server parameter was deprecated.
ArubaOS 6.3     The xc parameter was introduced.
ArubaOS 6.3.1   The xc parameter was changed to ale and a new profile parameter was introduced.
Command Information
Platforms       Licensing   Command Mode
All platforms               Config mode on master controllers
mgmt-user
mgmt-user <username> <role> <password>
mgmt-user localauth-disable
mgmt-user ssh-pubkey client-cert <certificate> <username> <role>
mgmt-user webui-cacert <certificate_name> serial <number> <username> <role>
Description
This command configures an administrative user.
Syntax
Parameter              Description                                                                      Default
<username>             Name of the user. You can create a maximum of 10 management users.               —
                       NOTE: If you configure a root management user, you can use special characters
                       except for double-byte characters.
<role>                 Role assigned to the user. Predefined roles include:                             —
                       - guest-provisioning: Allows the user to create guest accounts on a special
                         WebUI page.
                       - location-api-mgmt: Permits access to location API information. You can log
                         into the CLI; however, you cannot use any CLI commands.
                       - network-operations: Permits access to Monitoring, Reports, and Events pages
                         in the WebUI. You can log into the CLI; however, you can only use a subset of
                         CLI commands to monitor the controller.
                       - read-only: Permits access to CLI show commands or WebUI monitoring pages only.
                       - root: Permits access to all management functions on the controller.
<password>             NOTE: You are prompted for the <password> for this user after you type in        —
                       <role> and press Enter.
                       The password must have a minimum of six characters. You can use special
                       characters in the management user password. The restrictions are as follows:
                       - You cannot use double-byte characters
                       - You cannot use the question mark (?)
                       - You cannot use white space <space>
localauth-disable      Disables authentication of management users based on the results returned by    Enabled
                       the authentication server.
                       To cancel this setting, use the no form of the command:
                       no mgmt-user localauth-disable
                       To verify if authentication of local management user accounts is enabled or
                       disabled, use the following command:
                       show mgmt-user local-authentication-mode
ssh-pubkey             Configures certificate authentication of administrative users using the CLI      —
                       through SSH.
  client-cert          Name of the X.509 client certificate for authenticating administrative users     —
  <certificate>        using SSH.
  <username>           Name of the user.                                                                —
  <role>               Role assigned to the authenticated user.                                         —
webui-cacert           The client certificate for authenticating administrative users using the WebUI.  —
  <certificate_name>   The CA certificate. If configured, certificate authentication and authorization  —
                       are automatically completed using an authentication server.
  serial <number>      Serial number of the client certificate.                                         —
  <username>           Name of the user.                                                                —
  <role>               Role assigned to the authenticated user.                                         —
Usage Guidelines
You can configure client certificate authentication of WebUI or SSH management users (by default, only
username/password is used). To configure certificate authentication for the WebUI or SSH, use the web-server
mgmt-auth certificate or ssh mgmt-auth public-key commands, respectively.
Use the webui-cacert <certificate name> command if you want an external authentication server to derive the
management user role. This is helpful if there are a large number of users who need to be authenticated.
Alternatively, use mgmt-user webui-cacert <certificate_name> serial <number> <username> <role> if you want the
authentication process to use a previously configured certificate name and serial number to derive the user role.
Example
See the web-server and ssh command descriptions for examples of certificate and public key authentication. The
following command configures a management user and role:
(host) (config) #mgmt-user zach_jennings root
Password: *****
Re-Type password: *****
Command History
Release       Modification
ArubaOS 3.0   Command introduced
ArubaOS 3.1   The ssh-pubkey and webui-cacert parameters were introduced.
ArubaOS 3.2   The network-operations role was introduced.
ArubaOS 3.3   The location-api-mgmt role and localauth-disable parameters were introduced.
ArubaOS 3.4   The webui-cacert <certificate name> parameter had additional functionality introduced.
Command Information
Platforms       Licensing               Command Mode
All platforms   Base operating system   Config mode on master controllers
mobility-manager
mobility-manager <ipaddr> user <username> <password> [interval <secs>]
[retrycount <number>] [udp-port <port>] [rtls <rtls-udp-port>] trap-version {1|2c|3}
Description
This command allows the controller to communicate with an MMS server.
Syntax
Parameter      Description                                                                      Range         Default
<ipaddr>       IP address of the MMS server.                                                    —             —
user           Name and SNMP password for the MMS server user.                                  —             —
interval       Round-trip time, in seconds, to the trap server.                                 1-65535       60 seconds
retrycount     Number of retries to the MMS server before giving up.                            1-65535       3
udp-port       UDP port number for the trap server.                                             0-65535       162
rtls           UDP port number on which RSSI location data should be received from APs.         0-65535       8000
trap-version   Allows you to specify the SNMP trap version used by the remote trap receiver.    1, 2c, or 3   3
Usage Guidelines
This command needs to be configured before the controller can communicate with the MMS server. This command
performs the following tasks:
- Configures the IP address of the MMS server. In previous ArubaOS releases, this was done with the mobilityserver
  command.
- Creates an SNMP version 3 user profile with the configured <username> and <password>. This allows SNMP
  SETs from the MMS server to be received by the controller. The authentication protocol is Secure Hash
  Algorithm (SHA) and Data Encryption Standard (DES) is used for encryption. If <username> and <password>
  match an existing SNMP v3 user profile, the existing one is used. Otherwise, a new profile is created.
  This username and password must be used when adding this controller to the MMS server in the MMS
  Dashboard.
- Allows SNMP traps and notifications to be sent to the MMS server IP address, by adding this MMS server as a
  trap receiver.
- Optionally enables the MMS server to function as a Real Time Location System (RTLS) server to receive location
  information via APs from RTLS tags or other devices.
Use the show mobility-manager command to check the current status of the configured MMS servers.
Example
The following command configures the IP address and SNMP user profile for the MMS server:
(host) (config)# mobility-manager 10.2.1.245 user mms-user my-password
Command History
This command was introduced in ArubaOS 3.1.
Command Information
Platforms       Licensing               Command Mode
All platforms   Base operating system   Config mode on master controllers
netdestination
netdestination <name>
description <description6>
host <ipaddr> [position <number>]
invert
name
network <ipaddr> <netmask> [position <number>]
no ...
range <start-ipaddr> <end-ipaddr> [position <number>]
Description
This command configures an alias for an IPv4 network host, subnetwork, or range of addresses.
Syntax
Parameter     Description
<name>        Name for this host or domain. Maximum length is 63 characters.
description   Description of this destination, up to 128 characters long.
host          Configures a single IPv4 host and its position in the list.
invert        Specifies that the inverse of the network addresses configured are used. For example, if a network
              of 172.16.0.0 255.255.0.0 is configured, this parameter specifies that the alias matches everything
              except this subnetwork.
network       An IPv4 subnetwork consisting of an IP address and netmask.
no            Negates any configured parameter.
range         A range of IPv4 addresses consisting of sequential addresses between a lower and an upper value.
              The maximum number of addresses in the range is 16. If larger ranges are needed, convert the range
              into a subnetwork and use the network parameter.
Usage Guidelines
Aliases can simplify configuration of session ACLs, as you can use an alias when specifying the traffic source
and/or destination in multiple session ACLs. Once you configure an alias, you can use it to manage network and
host destinations from a central configuration point, because all policies that reference the alias are updated
automatically when you change the alias.
When using the invert option, use caution when defining multiple aliases, as entries are processed one at a time. As
an example, consider a netdestination configured with the following two network hosts:
netdestination dest1 invert
network 1.0.0.0 255.0.0.0
network 2.0.0.0 255.0.0.0
A frame from http://1.0.0.1 would match the first alias entry, (which allows everything except for 1.0.0.0/8) so the
frame would be rejected. However, it would then be compared against the second alias, which allows everything
except for 2.0.0.0/8, and the frame would be permitted.
Example
The following command configures an alias for an internal network:
(host) (config) #netdestination Internal
network 10.1.0.0 255.255.0.0
Command History
Release       Modification
ArubaOS 3.0   Command introduced
ArubaOS 6.1   Host functionality now only supports IPv4 subnets.
ArubaOS 6.2   Name parameter has maximum character length.
Command Information
Platforms       Licensing                                         Command Mode
All platforms   Requires the Policy Enforcement Firewall license.   Config mode on master controllers
netdestination6
netdestination6 <name>
description <description6>
host <ipaddr> [position <number>]
invert
name
network <ipaddr> <netmask> [position <number>]
no ...
range <start-ipaddr> <end-ipaddr> [position <number>]
Description
This command configures an alias for an IPv6 network host, subnetwork, or range of addresses.
Syntax
Parameter     Description                                                                                 Default
<name>        Name of the IPv6 destination host or subnetwork, up to 63 characters long.
description   Description of the IPv6 netdestination, up to 128 characters long.                          -
host          Configures a single IPv6 host and its position in the list.                                 —
invert        Specifies that the inverse of the network addresses configured are used. For example, if    —
              a network of fe80:0:0:0:0:0:ac10:0/128 is configured, this parameter specifies that the
              alias matches everything except this subnetwork.
network       An IPv6 subnetwork consisting of an IP address and netmask.                                 —
no            Negates any configured parameter.                                                           —
range         A range of IPv6 addresses consisting of sequential addresses between a lower and an upper   —
              value. The maximum number of addresses in the range is 16. If larger ranges are needed,
              convert the range into a subnetwork and use the network parameter.
Usage Guidelines
Aliases can simplify configuration of session ACLs, as you can use an alias when specifying the traffic source
and/or destination. Once you configure an alias, you can use it in multiple session ACLs.
When using the invert option, use caution when defining multiple aliases, as entries are processed one at a time. As
an example, consider a netdestination configured with the following two network hosts:
netdestination6 dest1 invert
network 2002:0:0:0:0:0:100:0/128
network 2002:0:0:0:0:0:200:0/128
A frame from http://1.0.0.1 would match the first alias entry, (which allows everything except for
2002:0:0:0:0:0:100:0/128) so the frame would be rejected. However, it would then be compared against the second
alias, which allows everything except for 2002:0:0:0:0:0:200:0/128, and the frame would be permitted.
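The entry-by-entry evaluation described in the netdestination and netdestination6 usage guidelines, as an added example that is not part of the ArubaOS reference: the alias contents are the dest1 entries from the guidelines, while the matching model (an alias matches when any of its entries, after invert, matches) and the 16-address range check are assumptions drawn from that text.

```python
"""Added example, not from the ArubaOS reference: evaluates a netdestination
or netdestination6 alias entry by entry to show why two inverted network
entries still permit a frame from 1.0.0.1 (and, in fact, from any address).
The 'matches if any entry matches' rule and the range limit are assumptions
drawn from the usage guidelines."""
import ipaddress

MAX_RANGE_ADDRESSES = 16  # the limit the reference gives for the range parameter


def make_entry(kind: str, *args):
    """Build one alias entry: ('host', ip), ('network', ip, mask-or-prefixlen)
    or ('range', start, end). The 16-address range limit is enforced here."""
    if kind == "host":
        return ("host", ipaddress.ip_address(args[0]))
    if kind == "network":
        # ip_network accepts both '1.0.0.0/255.0.0.0' and '2002::100:0/128'.
        return ("network", ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
    if kind == "range":
        start, end = ipaddress.ip_address(args[0]), ipaddress.ip_address(args[1])
        if start.version != end.version or end < start:
            raise ValueError("range must be start <= end of the same IP version")
        if int(end) - int(start) + 1 > MAX_RANGE_ADDRESSES:
            raise ValueError("range exceeds 16 addresses; use a network entry instead")
        return ("range", start, end)
    raise ValueError(f"unknown entry kind {kind!r}")


def entry_contains(entry, addr) -> bool:
    """True if the address itself lies inside the entry (before any invert)."""
    kind = entry[0]
    if kind == "host":
        return addr == entry[1]
    if kind == "network":
        return addr in entry[1]
    return entry[1] <= addr <= entry[2]


def evaluate(entries, addr, invert=False):
    """Process the entries one at a time. An inverted entry matches everything
    except its own addresses. The alias matches (the frame is permitted) if any
    entry matches, which is why inverted dest1 lets 1.0.0.1 through: it fails
    the 1.0.0.0/8 entry but matches the 2.0.0.0/8 one."""
    addr = ipaddress.ip_address(addr)
    trace = []
    for entry in entries:
        matched = entry_contains(entry, addr) != invert
        trace.append((entry[0], str(entry[1]), "match" if matched else "no match"))
    verdict = "permit" if any(t[2] == "match" for t in trace) else "reject"
    return verdict, trace


# netdestination dest1 invert / network 1.0.0.0 255.0.0.0 / network 2.0.0.0 255.0.0.0
DEST1_V4 = [make_entry("network", "1.0.0.0", "255.0.0.0"),
            make_entry("network", "2.0.0.0", "255.0.0.0")]
# netdestination6 dest1 invert with the two /128 networks from the guidelines
DEST1_V6 = [make_entry("network", "2002:0:0:0:0:0:100:0", 128),
            make_entry("network", "2002:0:0:0:0:0:200:0", 128)]

if __name__ == "__main__":
    for ip in ("1.0.0.1", "2.0.0.5", "3.0.0.1"):
        print(ip, evaluate(DEST1_V4, ip, invert=True))
```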
Example
The following command configures an alias for an internal network:
(host) (config) #netdestination6 Internal
network fe80:0:0:0:0:0:a01:0/128
Command History
ArubaOS 6.1: Command introduced.
ArubaOS 6.3: A new field, description, was introduced to provide a description of the netdestination up to 128 characters long.
ArubaOS 6.3: Maximum length allowed for netdestination6 <name> is now 63 characters.
Command Information
Platforms: All platforms
Licensing: Requires the Policy Enforcement Firewall license.
Command Mode: Config mode on master controllers
netexthdr
netexthdr <alias-name>
eh <eh-type> deny | permit
Description
This command allows you to edit the packet filter options in the extension header (EH).
Syntax
Parameter: Description [Default]
<alias-name>: Specify the EH alias name. (Default: default)
eh <eh-type>: Specify one of the following EH types:
  - <0-255>: Matches the IPv6 next header type
  - authentication: Matches the IPv6 authentication header
  - dest-option: Matches the IPv6 destination-option header
  - esp: Matches the IPv6 encapsulation security payload header
  - fragment: Matches the IPv6 fragment header
  - hop-by-hop: Matches the IPv6 hop-by-hop header
  - mobility: Matches the IPv6 mobility header
  - routing: Matches the IPv6 routing header
deny: Denies the IPv6 packets matching the specified extended header type.
permit: Permits the IPv6 packets matching the specified extended header type.
NOTE: By default, all the EH types are supported in the default EH.
Usage Guidelines
The ArubaOS firewall processes the IPv6 extension header (EH) so that IPv6 packets can be filtered by EH type. You can filter incoming IPv6 packets based on the EH type, and you can edit the packet filter options in the default EH using this command. By default, the default EH alias permits all EH types.
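To show what filtering on EH type involves, here is an added Python example (not ArubaOS code): it walks the extension-header chain of an IPv6 packet, maps each header to the EH names this command uses, and applies a permit/deny policy in which unlisted types are permitted, mirroring the default EH alias. The header numbers are the IANA protocol numbers for each EH type; the packets are constructed inline by build_packet(), and the function names are assumptions.

```python
import ipaddress
import struct

# Added example, not ArubaOS code: walk an IPv6 extension-header chain and apply
# a per-EH-type permit/deny policy like the one netexthdr configures.
EH_TYPES = {
    "hop-by-hop": 0, "routing": 43, "fragment": 44, "esp": 50,
    "authentication": 51, "dest-option": 60, "mobility": 135,
}
EH_NAMES = {v: k for k, v in EH_TYPES.items()}


def extension_headers(packet):
    """Return the EH protocol numbers found after the fixed 40-byte IPv6 header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, found = packet[6], 40, []
    while next_hdr in EH_NAMES:
        found.append(next_hdr)
        if next_hdr == EH_TYPES["esp"]:
            break  # ESP hides everything after it; the chain cannot be parsed further
        if offset + 2 > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == EH_TYPES["fragment"]:
            length = 8  # fragment header is a fixed 8 octets
        elif next_hdr == EH_TYPES["authentication"]:
            length = (packet[offset + 1] + 2) * 4  # AH: 4-octet units, minus 2
        else:
            length = (packet[offset + 1] + 1) * 8  # others: 8-octet units, excluding the first 8
        next_hdr = packet[offset]
        offset += length
        if offset > len(packet):
            raise ValueError("extension header runs past end of packet")
    return found


def filter_packet(packet, policy):
    """policy maps an EH name to 'permit' or 'deny'; unlisted types are permitted.
    Returns (verdict, name of the header that caused a deny or None)."""
    for proto in extension_headers(packet):
        name = EH_NAMES[proto]
        if policy.get(name, "permit") == "deny":
            return "deny", name
    return "permit", None


def build_packet(eh_chain, payload=b"", payload_proto=58):
    """Constructed test packet: IPv6 header, the named EHs in order, then the payload."""
    protos = [EH_TYPES[n] for n in eh_chain]
    body = b""
    for i, proto in enumerate(protos):
        nxt = protos[i + 1] if i + 1 < len(protos) else payload_proto
        if proto == EH_TYPES["fragment"]:
            body += struct.pack("!BBHI", nxt, 0, 0, 0x1234)
        elif proto == EH_TYPES["authentication"]:
            body += struct.pack("!BBHII", nxt, 1, 0, 0x100, 1)  # 12-byte AH, no ICV
        elif proto == EH_TYPES["esp"]:
            body += struct.pack("!II", 0x200, 1) + b"\x00" * 8  # SPI, sequence, opaque data
        else:
            body += struct.pack("!BB", nxt, 0) + b"\x01\x04\x00\x00\x00\x00"  # 8 bytes with a PadN option
    body += payload
    first = protos[0] if protos else payload_proto
    src = ipaddress.IPv6Address("2001:db8::1").packed  # constructed addresses
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), first, 64, src, dst) + body


if __name__ == "__main__":
    pkt = build_packet(["hop-by-hop", "fragment", "authentication"])
    print([EH_NAMES[p] for p in extension_headers(pkt)])
    print(filter_packet(pkt, {"authentication": "deny"}))  # the 'eh authentication deny' case below
```

Two points worth noting from the code: the parser has to know the length encoding of each header type (the fragment header is fixed size and AH counts in 4-octet units, unlike the rest), and an ESP header ends the walk, so a policy that denies a type placed after ESP cannot be enforced by inspecting the chain.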
Example
The following command denies the IPv6 packets matching the specified extended header type in the default EH:
(host) (config) #netexthdr default
(host) (config-exthdr) #eh authentication deny
Related Commands
(host) #show netexthdr <alias-name>
Command History
ArubaOS 6.1: Command introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
netservice
netservice <name> <protocol>|tcp|udp {list <port>,<port>}|{<port> [<port>]}
[ALG <service>]
Description
This command configures an alias for network protocols.
Syntax
Parameter: Description [Range]
<name>: Name for this alias.
<protocol>: IP protocol number. (Range: 0-255)
tcp: Configure an alias for a TCP protocol.
udp: Configure an alias for a UDP protocol.
list <port>,<port>: Specify a list of non-contiguous port numbers, by entering up to six port numbers, separated by commas. (Range: 0-65535)
<port> [<port>]: TCP or UDP port number. You can specify a single port number, or define a port range by specifying both the lower and upper port numbers. (Range: 0-65535)
ALG <service>: Application-level gateway (ALG) for this alias. Specify one of the following service types:
  - dhcp: Service is DHCP
  - dns: Service is DNS
  - ftp: Service is FTP
  - h323: Service is H323
  - noe: Service is Alcatel NOE
  - rtsp: Service is RTSP
  - sccp: Service is SCCP
  - sip: Service is SIP
  - sips: Service is Secure SIP
  - svp: Service is SVP
  - tftp: Service is TFTP
  - vocera: Service is VOCERA
Usage Guidelines
Aliases can simplify configuration of session ACLs, as you can use an alias when specifying the network service.
Once you configure an alias, you can use it in multiple session ACLs.
Example
The following command configures an alias for a network service:
(host) (config) #netservice HTTP tcp 80
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 6.0: The list parameter for defining non-contiguous ports was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
network-printer [deprecated]
network-printer [max-clients <2-20> |
max-clients-per-host <1-20> |
max-jobs <1-1000>]
Description
This command allows you to configure client and print job limits for the USB printer connected to a 600 Series controller.
Syntax
Parameter: Description
max-clients: Specify the maximum number of clients that can use the printer. Currently, the 600 Series supports a maximum of 20 concurrent clients.
max-clients-per-host: Specify the maximum number of concurrent clients for a single host. Currently, the 600 Series supports a maximum of 20 concurrent clients.
max-jobs: Specify the maximum number of jobs that can be saved in memory. Currently, the 600 Series controller supports storage of 1000 jobs.
Usage Guidelines
Use this command in config mode.
In enable mode, you can use the network-printer delete <printer-name> job <job-id> command to delete print jobs on a specific printer.
Command History
ArubaOS 3.4: Command introduced.
ArubaOS 6.2: Command deprecated.
Command Information
Platforms: 600 Series
Licensing: Base operating system
Command Mode: Config or enable mode
network-storage [deprecated]
network-storage [share <share-name>]
share usb: disk <disk-name> <filesystem-path> mode {read-only | read-write}
no share
Description
This command allows you to perform the following operations on a network share:
- Configure a file system path for the share. This allows users to access the share from their computer.
- Remove the share access using the no share command.
Syntax
Parameter: Description
share: Enter a name for the share on the controller. After you enter this command, the CLI mode will shift to operations on that share.
Usage Guidelines
To access the share, you must create a filesystem path to the share. Enter:
(host) (config-network-storage share)# share usb: disk <disk name> <filesystem path> mode {read-only | read-write}
where:
- disk name is the name of the disk. You can also specify the disk alias instead of the disk name.
- filesystem path is the path used to access the share. This path contains the partition name and the shared folder name.
- mode is the permission setting. You can specify either read-only or read-write.
Example
The following command associates a share to a file system path and configures the access mode.
(host) (config-network-storage share)#share usb: disk Maxtor1TB Maxtor-Basics_Desktop-2HBADMJ4_p1/documents mode read-write
(host) (config-network-storage share)#show network-storage shares
NAS Shares
----------
Disk Name  Partition Name  Folder Name  Share Name  Share Path  Share Mode  Status
---------  --------------  -----------  ----------  ----------  ----------  ------
Maxtor1TB  MxDocs  docum  1/documents  Read-Write  Active
Command History
ArubaOS 3.4: Command introduced.
ArubaOS 6.2: Command deprecated.
Command Information
Platforms: 600 Series
Licensing: Base operating system
Command Mode: Enable mode
ntp authenticate
ntp authenticate
Description
This command enables or disables NTP authentication.
Syntax
No parameters.
Usage Guidelines
Network Time Protocol (NTP) authentication enables the controller to authenticate the NTP server before synchronizing local time with the server. This helps distinguish legitimate servers from fraudulent ones. This command must be enabled for NTP authentication to work.
Example
The following command enables NTP authentication:
(host) (config) #ntp authenticate
Command History
ArubaOS 6.1: Command introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
ntp authentication-key
ntp authentication-key <key-id> md5 <keyvalue>
Description
This command configures a key identifier and secret key and adds them to the database. NTP authentication works with a symmetric key configured by the user. The key is shared by the client (Aruba controller) and an external NTP server.
Syntax
Parameter: Description
<key-id>: The key identifier is a string that is shared by the client (Aruba controller) and an external NTP server. This value is added to the database.
md5 <keyvalue>: The key value is a secret string which, along with the key identifier, is used for authentication. This is added to the database.
Neither parameter has a default value.
Usage Guidelines
NTP authentication works with a symmetric key configured by the user. The key is shared by the client (Aruba controller) and an external NTP server. This command adds both the key identifier and the secret string to the database.
Example
The following command configures the NTP authentication key. The key identifier is 12345 and the shared secret is 67890. Both the key identifier and the shared secret are added to the database:
(host) (config) #ntp authentication-key 12345 md5 67890
Command History
ArubaOS 6.1: Command introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
ntp server
ntp server <IPv4/IPv6 Address> [iburst] [key <key-id>]
Description
This command configures a Network Time Protocol (NTP) server.
Syntax
Parameter: Description [Default]
<IPv4/IPv6 Address>: IPv4/IPv6 address of the peer.
iburst: (Optional) This parameter causes the controller to send up to ten queries within the first minute to the NTP server. This option is considered “aggressive” by some public NTP servers. (Default: disabled)
key <key-id>: This is the key identifier used to authenticate the NTP server. This needs to match the key identifier configured in the ntp authentication-key command.
Usage Guidelines
You can configure the controller to set its system clock using NTP by specifying one or more NTP servers.
Example
The following command configures an NTP server using the iburst optional parameter and using a key identifier
“123456.”
(host) (config) #ntp server 10.1.1.245 iburst key 12345
Command History
ArubaOS 1.0: Command introduced.
ArubaOS 3.0: The iburst parameter was introduced.
ArubaOS 6.1: The key parameter was introduced.
ArubaOS 6.4: The IPv6 parameter was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
ntp trusted-key
ntp trusted-key <keyid>
Description
This command configures an additional subset of trusted keys which can be used for NTP authentication.
Syntax
Parameter: Description
<keyid>: An additional trusted key identifier that can be used for authentication. No default value.
Usage Guidelines
You can configure an additional subset of keys that are trusted and can be used for NTP authentication.
Example
The following command configures an additional trusted key (84956) which can be used for NTP authentication.
(host) (config) #ntp trusted-key 84956
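The three NTP commands above (ntp authentication-key, ntp server ... key, and ntp trusted-key) configure the pieces of NTP symmetric-key authentication. The following Python is an added example, not ArubaOS code, of how those pieces fit together on the wire: per RFC 5905 Appendix A, the MAC appended to the 48-byte NTP header is the 32-bit key identifier followed by MD5 over the key value concatenated with the header, and the receiver accepts a packet only if the key identifier is in its key database, is trusted, and the digest matches. The identifiers 12345 and 84956 and the key value 67890 are the ones used in the examples on this page; the key value for 84956, the header contents and the function names are constructed assumptions, and the page does not describe the controller's internal implementation.

```python
import hashlib
import hmac
import struct

# Added example, not ArubaOS code: symmetric-key NTP authentication as in
# RFC 5905 Appendix A (key id + MD5(key || 48-byte header)).
NTP_HEADER_LEN = 48


def ntp_mac(key_id, key, header):
    """Key identifier (4 bytes, network order) followed by the keyed MD5 digest."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be exactly 48 bytes")
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


def sign(key_id, key, header):
    """Server side: append the MAC to the header."""
    return header + ntp_mac(key_id, key, header)


def verify(packet, key_db, trusted_keys):
    """Client side (the controller's role). Returns a short verdict string."""
    if len(packet) != NTP_HEADER_LEN + 20:
        return "unauthenticated"  # no MAC present, or an unexpected length
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in key_db:            # ntp authentication-key not configured for this id
        return "unknown key"
    if key_id not in trusted_keys:      # id not covered by ntp server ... key / ntp trusted-key
        return "untrusted key"
    expected = hashlib.md5(key_db[key_id] + header).digest()
    return "ok" if hmac.compare_digest(expected, mac[4:]) else "bad digest"


# Constructed key database: 'ntp authentication-key 12345 md5 67890' from the page,
# plus a hypothetical value for the trusted key 84956 from the example above.
KEY_DB = {12345: b"67890", 84956: b"examplekey"}


def sample_header():
    """Constructed 48-byte NTP header: LI=0, VN=4, mode=4 (server), stratum 2, zero timestamps."""
    return struct.pack("!BBBb", 0x24, 2, 6, -20) + b"\x00" * 44


if __name__ == "__main__":
    hdr = sample_header()
    print(verify(sign(12345, KEY_DB[12345], hdr), KEY_DB, {12345}))          # ok
    print(verify(sign(12345, b"wrong", hdr), KEY_DB, {12345}))               # bad digest
    print(verify(sign(84956, KEY_DB[84956], hdr), KEY_DB, {12345}))          # untrusted key
    print(verify(sign(84956, KEY_DB[84956], hdr), KEY_DB, {12345, 84956}))   # ok
```

The trusted-key set is what turns a configured key into an accepted one: a key that is in the database but not trusted is rejected even when its digest is correct, which is why the key referenced in ntp server ... key must also be one the controller trusts. The digest is a keyed MD5 as the protocol specifies, not an HMAC; constant-time comparison of the digest avoids leaking match length through timing.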
Command History
ArubaOS 6.1: Command introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
packet-capture
packet-capture
controlpath [interprocess {all | <ports>}] [other] [sysmsg {all | <opcodes>}] [tcp {all | <ports>}] [udp {all | <ports>}]
copy-to-flash {controlpath-pcap | datapath-pcap}
datapath {ipsec <peer-ip>} [wifi-client <mac-address> {decrypted | encrypted | all}]
destination [interface <slot/port>] [ip-address <ip-address>] [local-filesystem]
no
reset-pcap {controlpath-pcap | datapath-pcap}
Description
Use this command to enable or disable packet capturing and set packet capturing options for a single packet capture
session.
Syntax
Parameter: Description [Default]
controlpath: Enables controlpath packet capture. Captured packets are stored in /var/log/oslog/filter.pcap. NOTE: Only capture to local-filesystem is supported for controlpath capture. (Default: Disabled)
  interprocess: Enables or disables interprocess packet capturing. Specify up to ten comma-separated ports to capture; use all to sniff all ports. All CLI ports, which are TCP, are always skipped. (Default: Disabled)
  other: Enable or disable all other types of packets. (Default: Disabled)
  sysmsg: Enable or disable internal messaging packets. Specify up to ten comma-separated opcodes to capture; use all to sniff all opcodes. All CLI ports, which are TCP, are always skipped. (Default: Disabled)
  tcp: Enable or disable TCP packet capturing. Specify up to ten comma-separated ports to capture; use all to sniff all TCP ports. All CLI ports, which are TCP, are always skipped. (Default: Disabled)
  udp: Enable or disable UDP packet capturing. Specify up to ten comma-separated ports to capture; use all to sniff all UDP ports. All CLI ports, which are TCP, are always skipped. (Default: Disabled)
copy-to-flash: Copies captured packets to the flash.
  controlpath-pcap: Copies controlpath captures. They are saved as controlpath-pcap.tar.gz.
  datapath-pcap: Copies datapath captures. They are saved as datapathpcap.tar.gz.
datapath: Enables datapath packet capture. Captured packets are stored in /var/log/oslog/datapath.pcap or mirrored out of the controller. (Default: Disabled)
  ipsec <peer-ip>: Enable or disable IPSec packet capturing. Enter the IPSec peer IP address to specify a given peer. NOTE: Capture to local-filesystem is not supported with this option. (Default: Disabled)
  wifi-client <mac-address> {decrypted | encrypted | all}: Enable or disable packet capturing from a wifi client. Specify the client device by entering the device's MAC address. Additionally, you can specify what type of traffic is captured: decrypted, encrypted, or all. (Default: Disabled)
destination: Configures the capture destination.
  interface <slot/port> or <slot/module/port>: Sends packet captures to a specific interface on the controller. Specify the interface using the slot/port format, or <slot/module/port> for the 7200 Series controllers.
  ip-address <ip-address>: Sends packet captures to a specific IP address.
  local-filesystem: Stores captured packets on the controller in pcap files.
no: Negates any configured parameter.
reset-pcap: Deletes old pcap files and restarts the active capture.
  controlpath-pcap: Deletes old controlpath pcap files and restarts the active controlpath capture.
  datapath-pcap: Deletes old datapath pcap files and restarts the active datapath capture.
Usage Guidelines
The packet-capture command can perform two types of packet capture: controlpath and datapath. Controlpath captures only packets destined for the controller. Datapath captures packets that are being forwarded by the controller, such as packets from a wifi client.
Packets can be retrieved through the tar logs command; look for the filter.pcap or datapath.pcap file. This command activates packet capture options on the current session only. They are not saved and do not persist across reboots.
If you want to enable a packet capture session without setting values that are saved and reused for another session, use the packet-capture command. The related command packet-capture-defaults lets you define a set of packet capture options and save them in the configuration file. These settings are enabled automatically when the controller boots up. Any settings defined using the packet-capture command override packet-capture-defaults.
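The filter.pcap and datapath.pcap files retrieved with tar logs are ordinary pcap files, so they can be inspected offline before being loaded into a protocol analyzer. The following Python is an added example, not ArubaOS code: a minimal reader for the classic pcap container (global header, then one record header per packet) that validates the magic number, handles both byte orders and the nanosecond variant, and flags records that were cut at the snapshot length. It runs here on a file constructed in build_sample_pcap(); read_pcap() takes a path to a real capture. Function names and the sample contents are assumptions.

```python
import struct

# Added example, not ArubaOS code: a minimal classic-pcap reader for captures
# such as /var/log/oslog/filter.pcap and datapath.pcap.
LINKTYPE_NAMES = {1: "ethernet", 101: "raw-ip", 113: "linux-sll"}
MAGICS = {  # magic bytes -> (struct byte-order prefix, nanosecond timestamps?)
    b"\xa1\xb2\xc3\xd4": (">", False), b"\xd4\xc3\xb2\xa1": ("<", False),
    b"\xa1\xb2\x3c\x4d": (">", True),  b"\x4d\x3c\xb2\xa1": ("<", True),
}


def parse_pcap(data):
    """Parse pcap bytes; return (header dict, list of record dicts)."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if data[:4] not in MAGICS:
        raise ValueError("not a pcap file (unknown magic %r)" % data[:4])
    endian, nano = MAGICS[data[:4]]
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    header = {"version": (vmaj, vmin), "snaplen": snaplen,
              "linktype": LINKTYPE_NAMES.get(linktype, linktype), "nanosecond": nano}
    records, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        # A record longer than snaplen, or running past the file end, means a corrupt or cut file.
        if incl_len > snaplen or offset + incl_len > len(data):
            raise ValueError("corrupt record at offset %d" % (offset - 16))
        records.append({
            "time": ts_sec + ts_frac / (1e9 if nano else 1e6),
            "captured": incl_len,
            "original": orig_len,
            "truncated": incl_len < orig_len,   # cut at snaplen: payload analysis will be partial
            "data": data[offset:offset + incl_len],
        })
        offset += incl_len
    if offset != len(data):
        raise ValueError("trailing bytes after last record")
    return header, records


def read_pcap(path):
    """Convenience wrapper for a capture retrieved from the controller."""
    with open(path, "rb") as fh:
        return parse_pcap(fh.read())


def build_sample_pcap(snaplen=96):
    """Constructed little-endian pcap, link type raw-ip, two records, the second truncated."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 101)
    pkt1 = b"\x45" + b"\x00" * 19          # constructed IPv4 header stub, 20 bytes
    pkt2 = b"\x60" + b"\x00" * 120         # constructed IPv6 header stub, longer than snaplen
    out += struct.pack("<IIII", 1700000000, 250000, len(pkt1), len(pkt1)) + pkt1
    out += struct.pack("<IIII", 1700000001, 0, snaplen, len(pkt2)) + pkt2[:snaplen]
    return out


if __name__ == "__main__":
    hdr, recs = parse_pcap(build_sample_pcap())
    print(hdr)
    for r in recs:
        print("%.6f captured=%d original=%d truncated=%s" % (r["time"], r["captured"], r["original"], r["truncated"]))
```

The truncated flag is the detail worth checking first on a real capture: a controlpath capture cut at the snapshot length will parse, but any decode of the tail of those packets is incomplete, and a file that raises the corrupt-record error was usually copied while the capture was still being written.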
Example
The following command enables packet capturing for debugging a wireless WEP station doing VPN. This example
uses the following parameters and values:
- Station up/down: sysmsg opcode 30
- WEP key plumbing: sysmsg opcode 29
- DHCP: sysmsg opcode 90
- IKE: UDP port 500 and 4500
- Layer 2 Tunneling Protocol (L2TP): UDP port 1701
(host) #packet-capture sysmsg 30,29,90
(host) #packet-capture udp 500,4500,1701,1812,1645
Command History
ArubaOS 2.3: Command introduced.
ArubaOS 6.3: The following parameters were added:
- controlpath
- copy-to-flash
- datapath ipsec and datapath wifi-client
- destination
- reset-pcap
- the no parameter replaced disable
The following parameters were moved under the controlpath parameter:
- interprocess
- other
- sysmsg
- tcp
- udp
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master and local controllers
packet-capture-defaults
packet-capture-defaults
controlpath [interprocess {all | <ports>}] [other] [sysmsg {all | <opcodes>}] [tcp {all | <ports>}] [udp {all | <ports>}]
datapath {ipsec <peer-ip>} [wifi-client <mac-address> {decrypted | encrypted | all}]
destination [interface <slot/port>] [ip-address <ip-address>] [local-filesystem]
no
Description
Use this command to enable or disable packet capturing and define a set of default packet capturing options on the
control path for debugging purposes.
Syntax
Parameter: Description [Default]
controlpath: Enables controlpath packet capture. Captured packets are stored in /var/log/oslog/filter.pcap. NOTE: Only capture to local-filesystem is supported for controlpath capture. (Default: Disabled)
  interprocess: Enables or disables interprocess packet capturing. Specify up to ten comma-separated ports to capture; use all to sniff all ports. All CLI ports, which are TCP, are always skipped. (Default: Disabled)
  other: Enable or disable all other types of packets. (Default: Disabled)
  sysmsg: Enable or disable internal messaging packets. Specify up to ten comma-separated opcodes to capture; use all to sniff all opcodes. All CLI ports, which are TCP, are always skipped. (Default: Disabled)
  tcp: Enable or disable TCP packet capturing. Specify up to ten comma-separated ports to capture; use all to sniff all TCP ports. All CLI ports, which are TCP, are always skipped. (Default: Disabled)
  udp: Enable or disable UDP packet capturing. Specify up to ten comma-separated ports to capture; use all to sniff all UDP ports. All CLI ports, which are TCP, are always skipped. (Default: Disabled)
datapath: Enables datapath packet capture. Captured packets are stored in /var/log/oslog/datapath.pcap or mirrored out of the controller. (Default: Disabled)
  ipsec <peer-ip>: Enable or disable IPSec packet capturing. Enter the IPSec peer IP address to specify a given peer. NOTE: Capture to local-filesystem is not supported with this option. (Default: Disabled)
  wifi-client <mac-address> {decrypted | encrypted | all}: Enable or disable packet capturing from a wifi client. Specify the client device by entering the device's MAC address. Additionally, you can specify what type of traffic is captured: decrypted, encrypted, or all. (Default: Disabled)
destination: Configures the capture destination.
  interface <slot/port> or <slot/module/port>: Sends packet captures to a specific interface on the controller. Specify the interface using the slot/port format, or <slot/module/port> for the 7200 Series controllers.
  ip-address <ip-address>: Sends packet captures to a specific IP address.
  local-filesystem: Stores captured packets on the controller in pcap files.
no: Negates any configured parameter.
Usage Guidelines
This command applies to control path packets, not datapath packets. Packets can be retrieved through the tar logs command; look for the filter.pcap file. This command activates packet capture options on the current switch. They are not saved and applied across switches.
Example
The following command sets the default packet capture values to debug a wireless WEP station doing VPN. Once
these default settings are defined, you can use the packet-capture command to enable packet capturing with these
values. This example uses the following parameters and values:
- Station up/down: sysmsg opcode 30
- WEP key plumbing: sysmsg opcode 29
- DHCP: sysmsg opcode 90
- IKE: UDP port 500 and 4500
- Layer 2 Tunneling Protocol (L2TP): UDP port 1701
(host) (config) #packet-capture-defaults sysmsg 30,29,90 udp 500,4500,1701,1812,1645
Use the show packet-capture command to show the current action and the default values.
(host) #show packet-capture
Current Active Packet Capture Actions(current switch)
=====================================================
Packet filtering TCP with 2 port(s) enabled:
2
1
Packet filtering UDP with 1 port(s) enabled:
1
Packet filtering for internal messaging opcodes disabled.
Packet filtering for all other packets disabled.
Packet Capture Defaults(across switches and reboots if saved)
============================================================
Packet filtering TCP with 2 port(s) enabled:
2
1
Packet filtering UDP with 1 port(s) enabled:
1
Command History
This command was introduced in ArubaOS 2.3.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
page
page <length>
Description
This command sets the number of lines of text the terminal will display when paging is enabled.
Syntax
Parameter: Description [Range]
length: Specifies the number of lines of text displayed. (Range: 24 - 100)
Usage Guidelines
Use this command in conjunction with the paging command to specify the number of lines of text to display. For
more information on the pause mechanism that stops the command output from printing continuously to the terminal,
see paging on page 545.
If you need to adjust the screen size, use your terminal application to do so.
Example
The following command sets 80 as the number of lines of text displayed:
(host) (config) #page 80
Command History
This command was introduced in ArubaOS 1.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config and Enable mode on master controllers
paging
paging
Description
This command stops the command output from printing continuously to the terminal.
Syntax
No parameters
Usage Guidelines
By default, paging is enabled.
With paging enabled, there is a pause mechanism that stops the command output from printing continuously to the
terminal. If paging is disabled, the output prints continuously to the terminal. To disable paging, use the no paging
command. You must be in enable mode to disable paging.
The paging setting is active on a per-user session. For example, if you disable paging from the CLI, it only affects
that session. For new or existing sessions, paging is enabled by default.
You can also configure the number of lines of text displayed when paging is enabled. For more information, refer to
the command page on page 544.
If you need to adjust the screen size, use your terminal application to do so.
Example
The following command enables paging:
(host) (config) #paging
Command History
This command was introduced in ArubaOS 1.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config and Enable mode on master controllers
pan active-profile
pan active-profile
profile <profile name>
Description
This command activates a PAN profile.
Syntax
Parameter: Description
profile <profile name>: The name of the PAN profile to be activated.
Usage Guidelines
This command activates an already configured PAN profile. Only one PAN profile can be active at a time.
Command History
ArubaOS 6.4: Command introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or config mode on master or local controllers
pan profile
pan profile <profile-name>
clone
firewall host <host> port <port> username <username> passwd <password>
no
Description
This command configures a PAN profile.
Syntax
Parameter: Description
clone: Name of an existing PAN profile configuration from which parameter values are copied.
firewall: Configures the information for the associated PAN firewall.
  host <host>: IP address or hostname of the PAN firewall.
  port <port>: Port number of the PAN firewall.
  username <username>: The username of the PAN firewall.
  passwd <password>: The password of the PAN firewall.
no: Negates any configured parameter.
Usage Guidelines
This command is used to configure the PAN firewall that the controller will be communicating with. The username
and password must match the name of the Admin account configured on the PAN firewall.
Command History
ArubaOS 6.4: Command introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or config mode on master or local controllers
panic
panic {clear | info {file <filename> <symbolfile>|nvram <symbolfile>} | list {file <filename>|
nvram} | save <filename>}
Description
This command manages information created during a system crash.
Syntax
Parameter: Description
clear: Removes panic information from non-volatile random access memory (NVRAM).
info: Displays the content of specified panic files.
list: Lists panic information in the specified file in flash or in NVRAM.
save: Saves panic information from NVRAM into the specified file in flash.
Usage Guidelines
To troubleshoot system crashes, use the panic save command to save information from NVRAM into the specified
file, then use the panic clear command to clear the information from NVRAM.
Example
The following command lists panic information in NVRAM:
(host) #panic list nvram
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
perf-test
perf-test
server start|stop controller|{ap {ap-name <name>}|{ip-addr <ip>}|{ip6-addr <ip6>}} [tcp|udp]
client start|stop controller|{ap {ap-name <name>}|{ip-addr <ip>}|{ip6-addr <ip6>}} <host-ip>
tcp|udp
duration <duration>
parallel <parallel>
window
bandwidth <value>
port open|close
Description
Use this command under the guidance of Aruba technical support to launch or halt an Iperf throughput test between
the controller and the AP.
Syntax
Parameter: Description
server: Run Iperf tests in server mode.
  start|stop: Start or stop the iperf test. Tests run in server mode must be manually stopped using the command perf-test server stop.
  ap-name <ap-name>: Name of the AP.
  ip-addr <ip-addr>: IPv4 address of the AP.
  ip6-addr <ip6-addr>: IPv6 address of the AP.
  tcp: Run Iperf tests using the TCP protocol.
  udp: Run Iperf tests using the UDP protocol.
client: Run Iperf tests in client mode by specifying the IPv4 or IPv6 address of the host. Tests run in client mode automatically stop when they are complete, although they can also be manually stopped using the perf-test client stop command.
  host <ip>|<ipv6>: IPv4 or IPv6 address of the host.
  start|stop: Start or stop the iperf test. Tests run in server mode must be manually stopped using the command perf-test server stop.
  ap-name <ap-name>: Name of the AP.
  ip-addr <ip-addr>: IPv4 address of the AP.
  ip6-addr <ip6-addr>: IPv6 address of the AP.
  tcp: Run Iperf tests using the TCP protocol.
  udp: Run Iperf tests using the UDP protocol.
  bandwidth <value>: Rate at which the Iperf test data should be sent, in bits/sec. The default value is 1 Mbit/sec. This parameter supports the suffixes K (to represent Kbits/sec) and M (to represent Mbits/sec).
  duration: Number of seconds for which the test runs. The supported range is 10-120 seconds, and the default value is 10 seconds.
  parallel: Number of parallel client threads to run.
  window: TCP window size. This parameter supports the suffixes K (to represent Kbits/sec) and M (to represent Mbits/sec).
port open|close: Use this command under the guidance of Aruba technical support to open port 5001 to allow Iperf throughput tests between the controller and the AP.
Usage Guidelines
Only AP-130 Series, AP-220 Series, and AP-105 access points connected to a 7200 Series or M3 controller support this feature. The report generated by an Iperf throughput test can be viewed by issuing the command listed under Related Commands below.
Related Commands
Command: Description
show perf-test reports: Use this command under the guidance of Aruba technical support to view the results of an Iperf throughput test launched from the controller.
Command History
Introduced in ArubaOS 6.3.
Command Information
Platforms: M3 controllers
Licensing: Base operating system
Command Mode: Enable mode on master or local controllers
pcap (deprecated)
pcap {raw-start <ipaddr> <target-ipaddr> <target-port> <format> [bssid <bssid>] [channel <number>] [maxlen <maxlen>]}|{interactive <am-ip> <filter> <target-ipaddr> <target-port> [bssid <bssid>] [channel <number>]}|{clear|pause|resume|stop <am-ip> <id> [bssid <bssid>]}
Description
These commands manage packet capture (PCAP) on Aruba air monitors.
Syntax
Parameter: Description
raw-start: Stream raw packets to an external viewer.
  <ipaddr>: IP address of the air monitor collecting packets.
  <target-ipaddr>: IP address of the client station running Wildpacket's AiroPeek monitoring application.
  <target-port>: UDP port number on the client station where the captured packets are sent.
  <format>: Specify a number to indicate one of the following formats for captured packets:
    - 0: pcap
    - 1: peek
    - 2: airmagnet
    - 3: pcap+radio header
    - 4: ppi
  bssid <bssid>: (Optional) BSSID of the Air Monitor interface for the PCAP session, which is usually its MAC address.
  channel <number>: (Optional) Number of a radio channel to tune into to capture packets.
  maxlen: (Optional) Limit the length of 802.11 frames to include in the capture to a specified maximum.
  <maxlen>: (Optional) Maximum number of packets to be captured.
interactive: Start an interactive packet capture session.
  <am-ip>: IP address of the air monitor collecting packets.
  <filter-spec>: Packet capture filter specification.
  <target-ipaddr>, <target-port>: As for raw-start.
  bssid <bssid>: (Optional) Specify the BSSID of the Air Monitor interface for the PCAP session, which is usually its MAC address.
  channel <number>: (Optional) Number of a radio channel to tune into to capture packets.
clear: Clears the packet capture session.
pause: Pause a packet capture session.
resume: Resume a packet capture session.
start: Start a new packet capture session.
stop: Stop a packet capture session.
  <am-ip>: IP address of the air monitor collecting packets.
  <id>: ID of the PCAP session.
  bssid <bssid>: (Optional) Specify the BSSID of the Air Monitor interface for the PCAP session, which is usually its MAC address.
Usage Guidelines
These commands direct an Aruba air monitor to send packet captures to the Wildpacket’s AiroPeek monitoring
application on a remote client. The AiroPeek application listens for packets sent by the air monitor.
The following pcap commands are available:
Command: Description
clear: Clears the packet capture session.
pause: Pause a packet capture session.
resume: Resume a packet capture session.
start: Start a new packet capture session.
stop: Stop a packet capture session.
Before using these commands, you need to start the AiroPeek application on the client and open a capture window
for the air monitor. The AiroPeek application cannot be used to control the flow or type of packets sent from Aruba air
monitors.
The AiroPeek application processes all packets, however, you can apply display filters on the capture window to
control the number and type of packets being displayed. In the capture window, the time stamp displayed
corresponds to the time that the packet is received by the client and is not synchronized with the time on the Aruba
air monitor.
Example
The following command starts a raw packet capture session for the air monitor at 10.100.100.1 and sends the
packets to the client at 192.168.22.44 on port 604 with pcap format:
(host) (config) #pcap raw-start 10.100.100.1 192.168.22.44 604 0
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 3.4: The maxlen parameter was introduced, and the pcap start command was deprecated.
ArubaOS 6.2: Command functionality (including two new parameters) is now subsumed by the ap packet capture command.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
phonehome
phonehome
auto-report
disable
enable
https <from_addr>
now
smtp <a.b.c.d> <from_addr> [port <port_num>] [size <max_size>] [user <username> pass <password>]
Description
This command configures the PhoneHome auto reporting feature.
Syntax
Parameter
Description
auto-report
The controller will periodically contact Aruba support once a week to report any
errors or changes to the controller configuration or inventory. If the controller has not
reported any errors and its configuration file has not changed, no report will be sent.
NOTE: Before you enable auto-reporting, you must first enable the PhoneHome
feature using the command phonehome enable.
disable
This parameter disables the PhoneHome feature. Phonehome automatic reporting is
disabled by default.
enable
This parameter enables the PhoneHome feature.
now
Issue the phonehome now command in enable mode to immediately create and
send a report from the controller to Aruba support.
NOTE: Before you use the phonehome now command to create and send a report,
you must first access the command-line interface in config mode and issue the
command phonehome enable to enable this feature.
https <from_addr>
Configure controllers running ArubaOS 6.4 or later releases to send PhoneHome
reports to an Activate server using HTTPS. Earlier versions of ArubaOS allow the
PhoneHome feature to send reports to an SMTP server only. The <from_addr> email
address is used to properly identify the user sending the report.
smtp
Configure the SMTP server that will send email messages from the controller to
Aruba support.
<a.b.c.d>
IP address of the SMTP server.
<from_addr>
Local email address from which the auto reporting messages will be sent. For
example, admin@mycorp.com.
port <port_num>
(Optional) Port number from which the SMTP server will send auto reporting emails.
Default port number: 25.
size <max_size>
(Optional) If your SMTP server has a restriction on the size of the emails it can send,
use this parameter to specify the maximum size limit. Any reports larger than this limit
will be divided into multiple smaller emails.
user <username>
pass <password>
(Optional) If your SMTP server requires user authentication before it can send an
email message, enter the username and password for a valid user on your network.
Usage Guidelines
By default, controllers running ArubaOS 6.4 or later releases send PhoneHome reports to the Activate server using
HTTPS. Earlier versions of ArubaOS allow the PhoneHome feature to send reports to an SMTP server only.
Most deployments should retain the default behavior introduced in ArubaOS 6.4 and send PhoneHome reports via
Activate. However, if the controller is behind a proxy server and does not have direct access to the Internet, PhoneHome
should be configured to send reports using SMTP. The following sections describe the benefits of each of these
configuration options.
Sending Phonehome Reports using Activate
PhoneHome integration with Activate offers the following benefits:
• Simpler configuration. PhoneHome only requires you to configure the email ID of the network administrator
managing the device, as Activate already has the information to accurately identify your controller. If a DNS server is
not configured on the controller, PhoneHome will query the public DNS service (8.8.8.8) to resolve the Activate
server IP address.
• Smaller bandwidth requirements. When the PhoneHome feature sends the report to the Activate server, the
PhoneHome report is zipped into a smaller package, then divided into smaller 1MB pieces before being sent to
the server using secure HTTPS. Only reports sent to Activate are zipped before they are sent, so reports sent to
Activate use less bandwidth than a report sent to an SMTP server.
• Enhanced error management. If any individual portion of the report is not successfully received by the
Activate server, PhoneHome makes up to three attempts to resend just that portion of the file, rather than
resending the entire report. Reports sent via SMTP must be resent in their entirety if any portion is not received by
the SMTP server.
• Automatic removal of old reports. Once the entire report has been sent to the Activate server, Activate sends
an acknowledgment to the controller, prompting the controller to delete its local copy of the report.
Sending Reports using SMTP
If you configure the PhoneHome feature to use SMTP, the PhoneHome status report is sent in an email. When the
controller generates the report email with the PhoneHome data file attachment, it forwards the email to the local
SMTP server configured on your local network, which then relays the message to Aruba technical support. If your
email server requires the sender to be authenticated before message delivery, the controller can connect to the
SMTP server by supplying the sender’s user name and password.
When PhoneHome reports are sent using SMTP, the PhoneHome report attachment is encrypted before it is
transmitted to the SMTP server, and is decrypted by Aruba support when the report is received. If the PhoneHome status
report email is larger than the maximum email size supported by your SMTP server, the controller divides the
PhoneHome attachment into multiple smaller attachments and sends the report to Aruba in multiple emails. If any
individual portion of the report is not successfully received by the SMTP server, PhoneHome resends the entire
report.
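The two delivery paths above differ in what has to be resent after a lost portion. The following Python model, added here as an illustration and not ArubaOS code, reproduces the documented behaviour: the Activate path zips the report, splits it into pieces (1 MB in the text; the size is a parameter here so the model runs quickly), retries each lost piece up to three times and deletes the local copy only after everything is acknowledged, while the SMTP path splits the unzipped report at the configured email size and restarts from the first email whenever one is lost. The transport is a constructed stub with injectable failures, the sample report is constructed pseudo-random data, and the number of whole-report retries on the SMTP path is an assumption (the text only says the whole report is resent).

```python
"""Model of the two PhoneHome delivery paths (added example, not ArubaOS code)."""
import hashlib
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, List

# (portion index, payload) -> True when the far end acknowledged the portion
Transport = Callable[[int, bytes], bool]

ACTIVATE_PIECE_SIZE = 1024 * 1024   # Activate path: report is split into 1 MB pieces
MAX_ATTEMPTS = 3                    # per piece on Activate; per whole report on SMTP (assumed)


@dataclass
class Delivery:
    delivered: bool
    sends: int                  # transport calls made
    bytes_on_wire: int
    local_copy_deleted: bool    # only the Activate path acknowledges and triggers deletion


def split(blob: bytes, size: int) -> List[bytes]:
    return [blob[i:i + size] for i in range(0, len(blob), size)] or [b""]


def send_via_activate(report: bytes, transport: Transport,
                      piece_size: int = ACTIVATE_PIECE_SIZE) -> Delivery:
    """Zip, split into pieces, resend only the pieces that were not acknowledged."""
    pieces = split(zlib.compress(report), piece_size)
    sends = wire = 0
    for idx, piece in enumerate(pieces):
        for _ in range(MAX_ATTEMPTS):
            sends += 1
            wire += len(piece)
            if transport(idx, piece):
                break
        else:                                   # this piece failed MAX_ATTEMPTS times
            return Delivery(False, sends, wire, False)
    return Delivery(True, sends, wire, True)    # every piece acknowledged: local copy removed


def send_via_smtp(report: bytes, max_email_size: int, transport: Transport) -> Delivery:
    """Split the (unzipped) attachment into emails; any lost email means the whole report is resent."""
    emails = split(report, max_email_size)      # attachment encryption is not modelled here
    sends = wire = 0
    for _ in range(MAX_ATTEMPTS):               # whole-report retry count: assumption
        for idx, email in enumerate(emails):
            sends += 1
            wire += len(email)
            if not transport(idx, email):
                break                           # start over from the first email
        else:
            return Delivery(True, sends, wire, False)
    return Delivery(False, sends, wire, False)


class FlakyTransport:
    """Constructed stub: portion `fail_index` is lost the first `drops` times it is offered."""

    def __init__(self, fail_index: int, drops: int = 1):
        self.fail_index, self.drops = fail_index, drops
        self.received: Dict[int, bytes] = {}

    def __call__(self, idx: int, payload: bytes) -> bool:
        if idx == self.fail_index and self.drops > 0:
            self.drops -= 1
            return False
        self.received[idx] = payload
        return True


def sample_report(n_blocks: int = 80) -> bytes:
    """Constructed pseudo-random report (incompressible, so zipping does not hide the chunking)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n_blocks))


if __name__ == "__main__":
    rpt = sample_report()
    print("activate:", send_via_activate(rpt, FlakyTransport(1), piece_size=1000))
    print("smtp:    ", send_via_smtp(rpt, 1000, FlakyTransport(1)))
```

With one lost portion the Activate path costs one extra send, whereas the SMTP path repeats every email that preceded the loss as well; a piece that is never acknowledged leaves the local copy in place on the controller.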
Example
The following command turns on the PhoneHome feature, enables weekly auto-reports, and identifies the SMTP
server to be used by this feature:
(host) (config) #phonehome enable auto-report smtp 172.21.18.170 admin@mycorp.com
Command History
ArubaOS 6.0: Command introduced.
ArubaOS 6.4: The https parameter was introduced to allow the controller to send reports to Aruba support through Activate.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: The phonehome now command must be issued in enable mode. All other PhoneHome commands require config mode.
ping
ping <ipaddress> | ipv6 {<global-address> | interface vlan <vlanid> <linklocal-address>}
count
df-flag
packet-size
source
Description
This command sends five ICMP echo packets to the specified ip address. You can also ping the specified IPv6
address.
Syntax
Parameter
Description
<ipaddress>
Destination IP address.
ipv6 <global-address> | interface vlan <vlanid> <linklocal-address>
Specify this parameter to ping an IPv6 address.
• Specify the IPv6 global address.
• Specify the IPv6 link local address of a specific VLAN interface.
count
The number of ping packets sent to the target IP address. Default: 5. Range: 1 - 100.
df-flag
Sets the Don't Fragment flag.
packet-size
The size, in bytes, of a ping datagram. Default: 100 bytes. Range: 10 - 2000.
source
Sets the source interface for a ping datagram. The source can be a valid VLAN ID or a Management Interface.
Usage Guidelines
You can send five ICMP echo packets to a specified IP address. The controller times out after two seconds. You
can also ping the specified IPv6 address.
Examples
The following example pings 10.10.10.5.
(host) #ping 10.10.10.5
The sample controller output is:
Press 'q' to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.5, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.408/0.5434/1.073 ms
The following example pings the specified IPv6 global address:
(host) #ping ipv6 2005:d81f:f9f0:1001::14
The sample controller output is:
Press 'q' to abort.
Sending 5, 100-byte ICMPv6 Echos to 2005:d81f:f9f0:1001::14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.309/0.3726/0.463 ms
Command History
ArubaOS 1.0: Command introduced.
ArubaOS 6.1: Introduced the ipv6 parameter to provide support for IPv6.
ArubaOS 6.3: Introduced the count, df-flag, packet-size, and source parameters.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: User, Enable, and Config modes on master controllers
pkt-trace
pkt-trace acl <acl-name> {enable|disable} [trace {cptrace|pktrace} [trace-mask <tmask>]]
Description
Enable packet tracing in the datapath. Use this feature only under the supervision of Aruba technical support.
Syntax
Parameter
Description
<acl-name>
Enable packet tracing for the specified access-control list.
enable
Enable packet tracing for the ACL.
disable
Disable packet tracing for the ACL.
cptrace
Send packet trace data into the Control Processor.
pktrace
Write packet trace data in the packet.
trace-mask <tmask>
Specify the trace mask. This value will be provided by Aruba technical support.
Example
The following example enables packet tracing for the traffic matching the acl stateful-dot1x.
(host) #pkt-trace acl stateful-dot1x enable trace cptrace trace-mask <val>
Command History
This command was introduced in ArubaOS 3.4.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
pkt-trace-global
pkt-trace-global {enable|disable} [trace-mask <tmask>]
Description
Enable global packet tracing in the datapath. Use this feature only under the supervision of Aruba technical support.
Syntax
Parameter
Description
<acl-name>
Enable packet tracing for the specified access-control list.
enable
Enable global packet tracing for the ACL.
disable
Disable global packet tracing for the ACL.
trace-mask <tmask>
Specify a trace mask. Use this feature only under the supervision of Aruba
technical support.
Example
The following command enables the global packet tracing for all traffic.
(host) (config) #pkt-trace-global enable
Command History
This command was introduced in ArubaOS 3.4.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
policer-profile (deprecated)
policer-profile <profile-name>
cbs {k | m | g}
cir <cir>
clone <source>
ebs [k | m | g]
exceed-action drop | permit | remark
exceed-profile <policerProfile>
no ...
violate-action drop | permit
violate-profile <profile-name>
Description
This command configures a Policer profile to manage the transmission rate of a class of traffic based on user-defined
criteria.
Command History
ArubaOS 6.2: Command deprecated.
pptp ip local pool
pptp ip local pool <pool> <ipaddr> [<end-ipaddr>]
Description
This command configures an IP address pool for VPN users using Point-to-Point Tunneling Protocol (PPTP).
Syntax
Parameter
Description
<pool>
User-defined name for the address pool.
<ipaddr>
Starting IP address for the pool.
<end-ipaddr>
Ending IP address for the pool.
Usage Guidelines
If VPN is used as an access method, you specify the pool from which the user’s IP address is assigned when the
user negotiates a PPTP session. Use the show vpdn pptp local command to see the used and free addresses in
the pool.
PPTP is an alternative to IPsec that is supported by various hardware platforms. PPTP is considered to be less
secure than IPsec but also requires less configuration. You configure PPTP with the vpdn command.
Example
The following command configures an IP address pool for PPTP VPN users:
(host) (config) #pptp ip local pool pptp-pool1 172.16.18.1 172.16.18.24
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
priority-map
priority-map <name>
dot1p <priority> high
dscp <priority> high
no ...
Description
This command configures the Type of Service (ToS) and Class of Service (CoS) values used to map traffic into high
priority queues.
Syntax
Parameter
Description
<name>
User-defined name of the priority map.
dot1p
IEEE 802.1p priority value, or a range of values separated by a dash (-). Range: 0-7.
dscp
Differentiated Services Code Point (DSCP) priority value, or a range of values separated by a dash (-). Range: 0-63.
no
Negates any configured parameter.
Usage Guidelines
This command allows you to prioritize inbound traffic that is already tagged with 802.1p and/or IP ToS in hardware
queues. You apply configured priority maps to ports on the controller (using the interface fastethernet or interface
gigabitethernet command). This causes the controller to inspect inbound traffic on the port; when a matching QoS
tag is found, the packet or flow is mapped to the specified queue.
Example
The following commands configure a priority map and apply it to a port:
(host) (config) #priority-map pri1
dscp 4-20 high
dscp 60 high
dot1p 4-7 high
interface gigabitethernet 1/24
priority-map pri1
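The following Python snippet is added here as an illustration of how the statements in the example above are interpreted; it is not ArubaOS code. It parses the dscp and dot1p lines of a priority map, rejects values outside the documented ranges (0-7 for dot1p, 0-63 for dscp, and ranges whose start exceeds their end), and reports which queue an inbound frame carrying given tags would be mapped to. The sample configuration is the one from the example; the frame tags used in the usage are constructed.

```python
"""Parser and classifier for priority-map statements (added example, not ArubaOS code)."""
import re
from typing import Dict, Optional, Set

RANGES = {"dot1p": (0, 7), "dscp": (0, 63)}     # documented value ranges
STATEMENT = re.compile(r"^\s*(dot1p|dscp)\s+(\d+)(?:-(\d+))?\s+high\s*$")

# Sample configuration, taken from the example above (hypothetical map name pri1).
SAMPLE_CONFIG = """priority-map pri1
dscp 4-20 high
dscp 60 high
dot1p 4-7 high
"""


def parse_priority_map(config: str) -> Dict[str, Set[int]]:
    """Return the dot1p and dscp values that the map sends to the high-priority queue."""
    high: Dict[str, Set[int]] = {"dot1p": set(), "dscp": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("priority-map"):
            continue                                  # map header carries no mapping
        m = STATEMENT.match(line)
        if not m:
            raise ValueError(f"unrecognised statement: {line!r}")
        kind = m.group(1)
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo     # single value or a-b range
        lo_ok, hi_ok = RANGES[kind]
        if not (lo_ok <= lo <= hi <= hi_ok):
            raise ValueError(f"{kind} {lo}-{hi} is outside {lo_ok}-{hi_ok}")
        high[kind].update(range(lo, hi + 1))
    return high


def queue_for(high: Dict[str, Set[int]], dscp: Optional[int] = None,
              dot1p: Optional[int] = None) -> str:
    """An inbound frame goes to the high queue when either of its QoS tags matches the map."""
    if dscp is not None and dscp in high["dscp"]:
        return "high"
    if dot1p is not None and dot1p in high["dot1p"]:
        return "high"
    return "default"


if __name__ == "__main__":
    mapping = parse_priority_map(SAMPLE_CONFIG)
    # constructed frames: (dscp, dot1p)
    for dscp, dot1p in ((10, 0), (46, 3), (0, 5)):
        print(f"dscp={dscp} dot1p={dot1p} -> {queue_for(mapping, dscp, dot1p)}")
```

Because the map acts on tags the frame already carries, the port it is applied to should face hosts whose markings you trust; any host behind that port can otherwise mark its own traffic into the high-priority queue.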
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
process monitor
process monitor {log|restart}
Description
The process monitor validates the integrity of processes every 120 seconds. If a process does not respond during
three consecutive 120-second timeout intervals, that process is flagged as nonresponsive and the process monitor
will create a log message, restart the process, or reboot the controller.
Syntax
Parameter
Description
log
The process monitor creates a log message when a process fails to respond properly.
This is the default behavior for the process monitor.
restart
This parameter enables strict behavior for runtime processes.
When you enable this option, the process monitor will restart processes that fail to
respond properly.
Usage Guidelines
The CLI command process monitor log enables logging for process monitoring. By default, whenever a process
does not update a required file or send a heartbeat pulse within the required time limit, the process monitor records a
critical log message, but does not restart any process. If you want the configured watchdog to restart a process once
it fails to respond, use the CLI command process monitor restart.
Example
The following changes the default process monitor behavior, so the process monitor restarts nonresponsive
processes.
(host) #process monitor restart
Related Commands
The show process monitor statistics command displays the current status of all the processes running under the
process monitor watchdog. A partial example of the output of this command is shown below:
(host) (config) #show process monitor statistics
Process Monitor Statistics
--------------------------
Name                          State            Restarts  Timeout Value  Timeout Chances
----                          -----            --------  -------------  ---------------
/mswitch/bin/arci-cli-helper  PROCESS_RUNNING  0         120            3
/mswitch/bin/fpcli            PROCESS_RUNNING  0         120            3
/mswitch/bin/packet_filter    PROCESS_RUNNING  0         120            3
/mswitch/bin/certmgr          PROCESS_RUNNING  0         120            3
/mswitch/bin/dbstart          PROCESS_RUNNING  0         120            3
/mswitch/bin/cryptoPOST       PROCESS_RUNNING  0         120            3
/mswitch/bin/sbConsoled       PROCESS_RUNNING  0         120            3
/mswitch/bin/pubsub           PROCESS_RUNNING  0         120            3
/mswitch/bin/cfgm             PROCESS_RUNNING  0         120            3
/mswitch/bin/syslogdwrap      PROCESS_RUNNING  0         120            3
/mswitch/bin/aaa              PROCESS_RUNNING  0         120            3
/mswitch/bin/fpapps           PROCESS_RUNNING  0         120            3
/mswitch/bin/pim              PROCESS_RUNNING  0         120            3
/mswitch/bin/lic
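The watchdog behaviour described under this command (a 120-second timeout value, three chances, and either a critical log message or a restart once the chances are used up) is modelled by the following Python class, added here as an illustration and not ArubaOS code. Time is simulated by feeding one observation per 120-second interval stating which processes checked in; a heartbeat resets a process's consecutive-miss count, and the table rendered by statistics() follows the column order of show process monitor statistics. The process names in the usage are the ones shown in the output above; the "nonresponsive" flag is a constructed field, since the sample output only ever shows PROCESS_RUNNING.

```python
"""Model of the process-monitor watchdog (added example, not ArubaOS code)."""
from dataclasses import dataclass
from typing import Dict, List

TIMEOUT_SECONDS = 120   # Timeout Value column
CHANCES = 3             # Timeout Chances column


@dataclass
class Proc:
    name: str
    state: str = "PROCESS_RUNNING"
    restarts: int = 0
    timeout: int = TIMEOUT_SECONDS
    chances: int = CHANCES
    missed: int = 0            # consecutive intervals without a heartbeat or file update
    nonresponsive: bool = False  # constructed flag: set once the chances are exhausted


class ProcessMonitor:
    """`mode` is the CLI parameter: 'log' (default) only records, 'restart' also restarts."""

    def __init__(self, mode: str = "log"):
        if mode not in ("log", "restart"):
            raise ValueError("mode must be 'log' or 'restart'")
        self.mode = mode
        self.procs: Dict[str, Proc] = {}
        self.log: List[str] = []

    def register(self, name: str) -> Proc:
        self.procs[name] = Proc(name)
        return self.procs[name]

    def tick(self, heartbeats: Dict[str, bool]) -> None:
        """One 120-second interval; heartbeats[name] is True when the process checked in."""
        for p in self.procs.values():
            if heartbeats.get(p.name, False):
                p.missed = 0                        # a heartbeat clears the miss streak
                p.nonresponsive = False
                continue
            p.missed += 1
            if p.missed < p.chances:
                continue                            # still within its chances
            # Three consecutive timeouts: flag it and log a critical message.
            p.nonresponsive = True
            self.log.append(f"CRITICAL {p.name} did not respond for "
                            f"{p.missed * p.timeout} seconds")
            if self.mode == "restart":
                p.restarts += 1                     # counted in the Restarts column
                p.missed = 0
                p.nonresponsive = False
                p.state = "PROCESS_RUNNING"         # restarted process starts fresh

    def statistics(self) -> List[str]:
        """Rows in the layout of `show process monitor statistics`."""
        return [f"{p.name:<30}{p.state:<17}{p.restarts:<10}{p.timeout:<15}{p.chances}"
                for p in self.procs.values()]


if __name__ == "__main__":
    mon = ProcessMonitor("restart")
    mon.register("/mswitch/bin/aaa")
    mon.register("/mswitch/bin/cfgm")
    for _ in range(3):                               # aaa misses three intervals in a row
        mon.tick({"/mswitch/bin/cfgm": True})
    print("\n".join(mon.statistics()))
    print("\n".join(mon.log))
```

Two intervals without a heartbeat followed by one with a heartbeat leaves a process unflagged; only the third consecutive miss triggers the log entry, and in log mode the Restarts column never moves.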
Command History
ArubaOS 3.4: Command introduced.
ArubaOS 3.4: The process restart command was deprecated.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
prompt
prompt <prompt>
Description
This command changes the prompt text.
Syntax
Parameter
Description
prompt
The prompt text displayed by the controller. Range: 1–64. Default: <hostname>.
Usage Guidelines
You can use any alphanumeric character, punctuation, or symbol character. To use spaces, plus symbols (+),
question marks (?), or asterisks (*), enclose the text in quotes.
You cannot alter the parentheses that surround the prompt text, or the greater-than (>) or hash (#) symbols that
indicate user or enable CLI mode.
Example
The following example changes the prompt text to “It’s a new day!”.
(host) (config) #prompt “It’s a new day!”
(It’s a new day!) (config) #
Command History
This command was introduced in ArubaOS 1.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
provision-ap
provision-ap
a-ant-bearing <bearing>
a-ant-gain <gain>
a-ant-tilt-angle <angle>
a-antenna {1|2|both}
altitude <altitude>
ap-group <group>
ap-name <name>
apdot1x-passwd <string>
apdot1x-username <name>
cellular_nw_preference 3g-only|4g-only|advanced|auto
copy-provisioning-params {ap-name <name> | ip-addr <ipaddr>}
dns-server-ip <ipaddr>
dns-server-ip6 <ipv6 address>
domain-name <name>
external-antenna
fqln <name>
g-ant-bearing <bearing>
g-ant-gain <gain>
g-ant-tilt-angle <angle>
g-antenna {1|2|both}
gateway <ipaddr>
gateway6 <ipv6-address>
ikepsk <key>
installation default|indoor|outdoor
ip6addr <ipv6-address>
ip6prefix <ipv6-prefix>
ipaddr <ipaddr>
latitude <location>
link-priority-cellular
link-priority-ethernet
longitude <location>
master {<name>|<ipaddr>}
mesh-role {mesh-point|mesh-portal|none|remote-mesh-portal}
mesh-sae {sae-disable|sae-enable}
netmask <netmask>
no ...
pap-passwd <string>
pap-user <name>
pkcs12-passphrase <string>
pppoe-chap-secret <key>
pppoe-passwd <string>
pppoe-service-name <name>
pppoe-user <name>
read-bootinfo {ap-name <name>|ip-addr <ipaddr>|wired-mac <macaddr>}
reprovision {all|ap-name <name>|ip-addr <ipaddr>|serial-num <string>|
wired-mac <macaddr>}
reset-bootinfo {ap-name <name>|ip-addr <ipaddr>|wired-mac <macaddr>}
server-ip <ipaddr>
sch-mode-radio-0
sch-mode-radio-1
server-name <name>
set-ikepsk-by-addr <ip-addr>
syslocation <string>
uplink-vlan <uplink-vlan>
usb-dev <usb-dev>
usb-dial <usb-dial>
usb-init <usb-init>
usb-passwd <usb-passwd>
usb-power-mode auto|enable|disable
usb-tty <usb-tty>
usb-tty-control <usb-tty-control>
usb-type <usb-type>
usb-user <usb-user>
Description
This command provisions or reprovisions an AP.
Syntax
Parameter
Description
a-ant-bearing
Determines the horizontal coverage distance of the 802.11a (5GHz) antenna from True North.
From a planning perspective, the horizontal coverage pattern does not consider the elevation or vertical antenna pattern.
NOTE: This parameter is supported on outdoor APs only. If you use this parameter to configure an indoor AP, an error
message is displayed.
Range: 0-360 decimal degrees.
a-ant-gain
Antenna gain for the 802.11a (5GHz) antenna.
a-ant-tilt-angle
Directs the angle of the 802.11a (5GHz) antenna for optimum coverage. Use a - (negative) value for downtilt and a +
(positive) value for uptilt.
NOTE: This parameter is supported on outdoor APs only. If you use this parameter to configure an indoor AP, an error
message is displayed.
Range: -90 to +90 decimal degrees.
a-antenna
Antenna use for the 5 GHz (802.11a) frequency band.
• 1: Use antenna 1
• 2: Use antenna 2
• both: Use both antennas (default)
Range: 1, 2, both (default).
altitude
Altitude, in meters, of the AP.
NOTE: This parameter is supported on outdoor APs only. If you use this parameter to configure an indoor AP, an error
message is displayed.
ap-group
Name of the AP group to which the AP belongs.
ap-name
Name of the AP to be provisioned.
apdot1x-passwd
Password of the AP to authenticate to 802.1X using PEAP.
apdot1x-username
Username of the AP to authenticate to 802.1X using PEAP.
cellular_nw_preference 3g-only|4g-only|advanced|auto
This setting allows you to select how the modem should operate.
• auto (default): In this mode, the modem firmware controls the cellular network service selection, so cellular network
service failover and fallback is not interrupted by the remote AP (RAP).
• 3g-only: Locks the modem to operate only in 3G.
• 4g-only: Locks the modem to operate only in 4G.
• advanced: The RAP controls the cellular network service selection using a Received Signal Strength Indication (RSSI)
threshold-based approach. Initially the modem is set to the default auto mode, which allows the modem firmware to
select the available network. The RAP determines the RSSI value for the available network type (for example 4G),
checks whether the RSSI is within the required range, and if so connects to that network. If the RSSI for the modem’s
selected network is not within the required range, the RAP then checks the RSSI limit of an alternate network (for
example, 3G) and reconnects to that alternate network. The RAP repeats these steps each time it tries to connect
using a 4G multimode modem in this mode.
copy-provisioning-params
Initializes the provisioning-params workspace with the current provisioning parameters of the specified AP. The
provisioning parameters of the AP must have previously been retrieved with the read-bootinfo option.
NOTE: This parameter can only be used on the master controller.
dns-server-ip
IP address of the DNS server for the AP.
dns-server-ip6
IPv6 address of the DNS server for the AP.
domain-name
Domain name for the AP.
external-antenna
Use an external antenna with the AP.
fqln
Fully-qualified location name (FQLN) for the AP, in the format <APname.floor.building.campus>.
g-ant-bearing
Determines the horizontal coverage distance of the 802.11g (2.4GHz) antenna from True North.
From a planning perspective, the horizontal coverage pattern does not consider the elevation or vertical antenna pattern.
NOTE: This parameter is supported on outdoor APs only. If you use this parameter to configure an indoor AP, an error
message is displayed.
Range: 0-360 decimal degrees.
g-ant-gain
Antenna gain for the 802.11g (2.4GHz) antenna.
g-ant-tilt-angle
Directs the angle of the 802.11g (2.4GHz) antenna for optimum coverage. Use a - (negative) value for downtilt and a +
(positive) value for uptilt.
NOTE: This parameter is supported on outdoor APs only. If you use this parameter to configure an indoor AP, an error
message is displayed.
Range: -90 to +90 decimal degrees.
g-antenna
Antenna use for the 2.4 GHz (802.11g) frequency band.
• 1: Use antenna 1
• 2: Use antenna 2
• both: Use both antennas
Range: 1, 2, both.
gateway
IP address of the default gateway for the AP.
gateway6
IPv6 address of the default gateway for the AP.
ikepsk
IKE preshared key for the AP.
installation
Specify the type of installation (indoor or outdoor). The default parameter automatically selects an installation mode
based upon the AP model type.
Range: default, indoor, outdoor.
ip6addr
Static IPv6 address of the AP.
ip6prefix
The prefix of the static IPv6 address of the AP.
ipaddr
Static IP address for the AP.
latitude
Latitude coordinates of the AP. Use the format: Degrees, Minutes, Seconds (DMS). For example: 37 22 00 N
link-priority-cellular <link-priority-cellular>
Set the priority of the cellular uplink. By default, the cellular uplink is a lower priority than the wired uplink, making the
wired link the primary link and the cellular link the secondary or backup link. Configuring the cellular link with a higher
priority than your wired link priority will set your cellular link as the primary controller link.
link-priority-ethernet <link-priority-ethernet>
Set the priority of the wired uplink. Each uplink type has an associated priority; wired ports have the highest priority by
default.
longitude
Longitude coordinates of the AP. Use the DMS format. For example: 122 02 00 W
master
Name or IP address of the master controller.
mesh-role
Configure the AP to operate as a mesh node. You assign one of three roles: mesh portal, mesh point or remote mesh
point. If you select “none,” the AP operates as a thin AP.
mesh-sae
Enable or disable Simultaneous Authentication of Equals (SAE) on a mesh network. This option offers enhanced security
over the default wpa2-psk-aes mesh security setting, and provides secure, attack-resistant authentication using a
pre-shared key. SAE supports simultaneous initiation of a key exchange, allowing either party to initiate an exchange or
both parties to initiate a key exchange simultaneously. To use the SAE feature, you must enable this parameter on all
mesh nodes (points and portals) in the network, to prevent mesh link connectivity issues.
NOTE: This is a Beta feature only. This parameter should be kept “disabled” for this release.
netmask
Netmask for the IP address.
no
Negates any configured parameter.
pap-passwd
Password Authentication Protocol (PAP) password for the AP. You can use special characters in the PAP password.
Following are the restrictions:
• You cannot use double-byte characters
• You cannot use a tilde (~)
• You cannot use a tick (‘)
• If you use quotes (single or double), you must use the backslash (\) before and after the password
pap-user
PAP username for the AP.
pkcs12-passphrase
Passphrase in PKCS12 format.
pppoe-chap-secret
PPPoE CHAP secret key for the AP.
pppoe-passwd
Point-to-Point Protocol over Ethernet (PPPoE) password for the AP.
pppoe-service-name
PPPoE service name for the AP.
pppoe-user
PPPoE username for the AP.
read-bootinfo
Retrieves current provisioning parameters of the specified AP.
NOTE: This parameter can only be used on the master controller.
reprovision
Provisions one or more APs with the values in the provisioning-params workspace. To use reprovision, you must use
read-bootinfo to retrieve the current values of the APs into the provisioning-ap-list.
NOTE: This parameter can only be used on the master controller.
reset-bootinfo
Restores factory default provisioning parameters to the specified AP.
NOTE: This parameter can only be used on the master controller.
sch-mode-radio-0
If you are provisioning an 802.11n-capable AP, you can issue the sch-mode-radio-0 command to enable single-chain
mode for the selected radio. AP radios in single-chain mode will transmit and receive data using only legacy rates and
single-stream HT rates up to MCS 7. This setting is disabled by default.
sch-mode-radio-1
If you are provisioning an 802.11n-capable AP, you can issue the sch-mode-radio-1 command to enable single-chain
mode for the selected radio. AP radios in single-chain mode will transmit and receive data using only legacy rates and
single-stream HT rates up to MCS 7. This setting is disabled by default.
server-ip
IP address of the controller from which the AP boots.
server-name
DNS name of the controller from which the AP boots.
set-ikepsk-by-addr
Set an IKE preshared key to correspond to a specific IP address.
syslocation
User-defined description of the location of the AP.
uplink-vlan <uplink-vlan>
If you configure an uplink VLAN on an AP connected to a port in trunk mode, the AP sends and receives frames tagged
with this VLAN on its Ethernet uplink. By default, an AP has an uplink VLAN of 0, which disables this feature.
NOTE: If an AP is provisioned with an uplink VLAN, it must be connected to a trunk mode port or the AP’s frames will be
dropped.
usb-dev
The USB device identifier, if the device is not already supported.
usb-dial
The dial string for the USB modem. This parameter only needs to be specified if the default string is not correct.
usb-modeswitch "-v <default_vendor> -p <default_product> -V <target_vendor> -P <target_product> -M <message_content>"
USB cellular devices on remote APs typically register as modems, but may occasionally register as a mass-storage
device. If a remote AP cannot recognize its USB cellular modem, use the usb-modeswitch command to specify the
parameters for the hardware model of the USB cellular data-card.
NOTE: You must enclose the entire modeswitch parameter string in quotation marks.
usb-init
The initialization string for the USB modem. This parameter only needs to be specified if the default string is not correct.
usb-passwd
A PPP password, if provided by the cellular service provider.
usb-power-mode auto|enable|disable
Set the USB power mode to control the power to the USB port.
usb-tty
The TTY device path for the USB modem. This parameter only needs to be specified if the default path is not correct.
usb-tty-control
The TTY device control path for the USB modem. This parameter only needs to be specified if the default path is not
correct.
usb-type
Specify the USB driver type.
• acm: Use ACM driver
• airprime: Use Airprime driver
• beceem-wimax: Use Beceem driver for 4G-WiMAX
• ether: Use CDC Ether driver for direct IP 4G device
• hso: Use HSO driver for newer Option
• none: Disable 3G or 2G network on USB
• option: Use Option driver
• pantech-3g: Same as "pantech-uml290" - to support upgrade
• pantech-uml290: Use Pantech USB driver for UML290 device
• ptumlusbnet: Use Pantech USB driver for 4G device
• rndis: Use a RNDIS driver for a 4G device
• sierra-evdo: Use EVDO Sierra Wireless driver
• sierra-gsm: Use GSM Sierra Wireless driver
• sierrausbnet: Use SIERRA Direct IP driver for 4G device
• storage: Use USB flash as storage device for storing RAP certificates
usb-user
The PPP username provided by the cellular service provider.
Usage Guidelines
You do not need to provision APs before installing and using them.
The exceptions are outdoor APs, which have antenna gains that you must provision before they can be used, and
APs configured for mesh. You must provision the AP before you install it as a mesh node in a mesh deployment.
Users less familiar with this process may prefer to use the Provisioning page in the WebUI to provision an AP.
Provisioned or reprovisioned values do not take effect until the AP is rebooted. APs reboot automatically after they
are successfully reprovisioned.
In order to enable cellular uplink for a remote AP (RAP), the RAP must have the device driver for the USB data card
and the correct configuration parameters. ArubaOS includes device drivers for the most common hardware types,
but you can use the usb commands in this profile to configure a RAP to recognize and use an unknown USB modem
type.
Provisioning a Single AP
To provision a single AP:
1. Use the read-bootinfo option to read the current information from the deployed AP you wish to reprovision.
2. Use the show provisioning-ap-list command to see the AP to be provisioned.
3. Use the copy-provisioning-params option to copy the AP’s parameter values to the provisioning-params
workspace.
4. Use the provision-ap options to set new values. Use the show provisioning-params command to display
parameters and values in the provisioning-params workspace. Use the clear provisioning-params command to
reset the workspace to default values.
5. Use the reprovision option to provision the AP with the values in provisioning-params workspace. The AP
automatically reboots.
Provisioning Multiple APs at a Time
You can change parameter values for multiple APs at a time; however, note the following:
l You cannot provision the following AP-specific options on multiple APs:
n ap-name
n ipaddr
n pap-user
n pap-passwd
n ikepsk
If any of these options are already provisioned on the AP, their values are retained when the AP is
reprovisioned.
l The values of the server-name, a-ant-gain, or g-ant-gain options are retained if they are not reprovisioned.
l All other values in the provisioning-params workspace are copied to the APs.
To provision multiple APs at the same time:
1. Use the read-bootinfo option to read the current information from each deployed AP that you wish to provision.
The AP parameter values are written to the provisioning-ap-list. To reprovision multiple APs, the APs must be present in
the provisioning-ap-list. Use the show provisioning-ap-list command to see the APs that will be provisioned. Use the
clear provisioning-ap-list command to clear the provisioning-ap-list.
2. Use the copy-provisioning-params option to copy an AP’s parameter values to the provisioning-params
workspace.
3. Use the provision-ap options to set new values. Use the show provisioning-params command to display
parameters and values in the provisioning-params workspace. Use the clear provisioning-params command to
reset the workspace to default values.
4. Use the reprovisionall option to provision the APs in the provisioning-ap-list with the values in the
provisioning-params workspace. All APs in the provisioning-ap-list automatically reboot.
The following are useful commands when provisioning one or more APs:
l show|clear provisioning-ap-list displays or clears the APs that will be provisioned.
l show|clear provisioning-params displays or resets values in the provisioning-params workspace.
l show ap provisioning shows the provisioning parameters an AP is currently using.
Example
The following commands change the IP address of the master controller on the AP:
(host) (config) #provision-ap
read-bootinfo ap-name lab103
show provisioning-ap-list
copy-provisioning-params ap-name lab103
master 10.100.102.210
reprovision ap-name lab103
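The following session is an added example, not taken from this guide, that applies the multiple-AP procedure above to change the master controller address on two deployed APs in one pass: each AP is read into the provisioning-ap-list, one AP's parameters seed the workspace, the new master address is set, and reprovisionall pushes the workspace to every AP in the list. The AP name lab104 is constructed for this example (lab103 and 10.100.102.210 are the values used in the example above), and reprovisionall is assumed to take no arguments.

```text
(host) (config) #provision-ap
read-bootinfo ap-name lab103
read-bootinfo ap-name lab104
show provisioning-ap-list
copy-provisioning-params ap-name lab103
master 10.100.102.210
show provisioning-params
reprovisionall
```

Because ap-name, ipaddr, pap-user, pap-passwd, and ikepsk are AP-specific, reprovisionall does not copy them from the workspace; each listed AP keeps its own existing values for those options and reboots with the new master address.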
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 3.2: Introduced support for the mesh parameters, additional antenna parameters, and AP location parameters.
ArubaOS 3.4: Introduced support for the following parameters:
l installation
l mesh-sae
l set-ikepsk-by-addr
l usb-dev
l usb-dial
l usb-init
l usb-passwd
l usb-tty
l usb-type
l usb-user
l link-priority-cellular
l link-priority-ethernet
ArubaOS 5.0: The mesh-sae parameter no longer has the sae-default option. Use the sae-disable option to return this
parameter to its default disabled setting.
ArubaOS 6.0: The uplink-vlan parameter was introduced.
ArubaOS 6.1: The following new parameters were introduced for provisioning IPv6 APs:
l dns-server-ip6
l ip6addr
l ip6prefix
l gateway6
ArubaOS 6.2: The following new parameters provision APs in single-chain mode:
l sch-mode-radio-0
l sch-mode-radio-1
The following new parameters provision APs for 802.1X authentication:
l apdot1x-passwd
l apdot1x-username
The following new parameters provision Remote APs using USB modems:
l usb-modeswitch
l 4g-usb-type
ArubaOS 6.2.1.0: The cellular_nw_preference parameter was introduced for provisioning multimode modems, and the
4g-usb-type parameter was deprecated. Specify a 2/3G or 4G modem type using the usb-type parameter.
ArubaOS 6.3: The sierrausbnet and storage usb-type parameters were introduced.
ArubaOS 6.3.1: The rndis usb-type parameter was introduced.
Command Information
Platforms: All platforms, except for the parameters noted in the Syntax table.
Licensing: Base operating system, except for the parameters noted in the Syntax table.
Command Mode: Config mode on master controllers
qos-profile (deprecated)
qos-profile <profile-name>
clone <source>
dot1p <priority>
drop-precedence {high | low}
dscp <rewrite-value>
no
traffic-class <traffic-class-value>
Description
This command configures a QoS profile to assign TC/DP, DSCP, and 802.1p values to an interface or policer profile.
Command History
ArubaOS 6.2: Command deprecated.
reload-peer-sc
reload-peer-sc
Description
This command performs a reboot of the M3 controller module.
Command History
ArubaOS 1.0: Command introduced
ArubaOS 6.1: Command deprecated
reload
reload
Description
This command performs a reboot of the controller.
Syntax
No parameters.
Usage Guidelines
Use this command to reboot the controller if required after making configuration changes or under the guidance of
Aruba Networks customer support. The reload command powers down the controller, making it unavailable for
configuration. After the controller reboots, you can access it via a local console connected to the serial port, or
through an SSH, Telnet, or WebUI session. If you need to troubleshoot the controller during a reboot, use a local
console connection.
After you use the reload command, the controller prompts you for confirmation of this action. If you have not saved
your configuration, the controller returns the following message:
Do you want to save the configuration (y/n):
l Enter y to save the configuration.
l Enter n to not save the configuration.
l Press [Enter] to exit the command without saving changes or rebooting the controller.
If your configuration has already been saved, the controller returns the following message:
Do you really want to reset the system(y/n):
l Enter y to reboot the controller.
l Enter n to cancel this action.
The command times out if you do not enter y or n.
Example
The following command assumes you have already saved your configuration and you must reboot the controller:
(host) (config) #reload
The controller returns the following messages:
Do you really want to reset the system(y/n): y
System will now restart!
...
Restarting system.
Command History
This command was introduced in ArubaOS 1.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config modes on master controllers
remote-node-local-factory-cert (deprecated)
remote-node-local-factory-cert
Description
Configure factory certificates for secure traffic between Remote-Node-Masters and Remote-Nodes.
Syntax
No parameters
Usage Guidelines
Issue this command on a Remote-Node Master to use a factory-installed certificate to authenticate a Remote-Node.
Example
The following command configures the local remote node on a master remote node:
(host) (config) #remote-node-local-factory-cert
Command History
ArubaOS 6.0: Command introduced
ArubaOS 6.2: Command deprecated
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Config mode on master controllers
remote-node-localip (deprecated)
remote-node-localip <remote-node-switch-ip> ipsec KEY <keyword>
Description
This command configures the switch-IP address and preshared key for the local Remote Node on a master Remote
Node.
Syntax
<remote-node-switch-ip>: Switch-IP address of the local remote node. Use the 0.0.0.0 address to configure a global
preshared key for all inter-controller communications.
ipsec <keyword>: Preshared key, which must be between 6-64 characters.
Usage Guidelines
Use this command on a master remote node to configure the switch-IP address and preshared key for
communication with a local remote node. On the local remote node, the pre-shared key is configured in the setup
wizard during the initial boot. The pre-shared keys for both the master and local controllers must match.
On the local remote node, use the remote-node-masterip command to configure the switch-IP address and
preshared key for the master remote node.
Example
The following command configures the local remote node on a master remote node:
(host) (config) #remote-node-localip 172.16.0.254 ipsec rhyopevs
Command History
ArubaOS 6.0: Command introduced
ArubaOS 6.2: Command deprecated
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Config mode on master controllers
remote-node-masterip (deprecated)
remote-node-masterip <masterip>
ipsec key <pre-shared key>
ipsec-factory-cert
Description
This command configures the IP address and preshared key or factory-installed certificate for the Remote-Node
Master on a local Remote Node.
Syntax
<masterip>: IP address of the master Remote Node.
ipsec <key>: Secure communication between a Remote-Node and Remote-Node master by defining a preshared key,
which must be between 6-64 characters.
ipsec-factory-cert: Secure communication between a Remote-Node and Remote-Node master by identifying a
factory-installed certificate on the Remote-Node Master.
Usage Guidelines
Use this command on a local Remote Node to configure the IP address and preshared key for communication with
the master Remote Node. On the master controller, use the
remote-node-localip command to configure the IP address and preshared key for a local Remote Node.
Changing the IP address of the master on a local Remote Node requires a reboot of the local Remote Controller.
Example
The following command configures the Remote-Node Master on a local Remote Node:
(host) (config) #remote-node-masterip 172.16.0.254 ipsec rhyopevs
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 6.1: The ipsec-factory-cert parameter was introduced to allow certificate-based authentication of
Remote-Node Masters.
ArubaOS 6.2: Command deprecated.
Command Information
Platform: Available on all platforms
License: Available in the base operating system
Command Mode: Config mode on local Remote Nodes.
remote-node-profile (deprecated)
remote-node-profile <remote-node-profile-name>
aaa authentication-server internal use-local-switch
cellular profile <profile-name>
clone <profile-name>
controller-ip vlan <id> ip address
dialer group <name>
instance <remote-node-mac-address>
interface cellular [{fastethernet|gigabitethernet} <slot>/<port>] |[loopback]|[port-channel <id>]|[tunnel <1-2147483647>|vlan <id>]
ip [default-gateway <ipaddr>]|{import cell|dhcp|pppoe}|{ipsec <name>} <cost>}|[domain lookup|domain-name <name>]|[name-server <ipaddr>]|[nat pool <name> <start-ipaddr> <end-ipaddr> <dest-ipaddr>|[radius {nas-ip <ipaddr>]|[rfc-3576-server udp-port <port>]|[source-interface {loopback|vlan <vlan>}]|[route <destip> <destmask> {<nexthop> [<cost>]]|[ipsec <name>|null 0}]
ipv6 enable|route <ipv6-prefix/prefix-length> <ipv6-next-hop> <cost>
logging <ipaddr>|facility <facility>|level <level> <category> [process <process>] [subcat <subcategory>]
mgmt-server [type {amp|other}]|[primary-server <ip-addr>]
mgmt-user [<username> <role> <password>]|[localauth-disablessh-pubkey client-cert <certificate> <username> <role>]|[webui-cacert <certificate_name> serial <number> <username> <role>]
mobility-manager <ipaddr> user <username> <password> [interval <secs>]|[retrycount <number>] [udp-port <port>] [rtls <rtls-udp-port>] trap-version {1|2c|3}
model <model_type>
no
priority-map <name>
remote-node-dhcp-pool <pool-name>|pool-type {vlan <id>}|tunnel|range startip <start-ip> endip <end-ip> num_hosts
router ospf enable {area <area-id>|redistribute vlan [<vlan-ids>|add <vlan-ids>|remove <vlan-ids>] |router-id <rtr-id> |subnet exclude <addr>}
snmp-server community <string>|enable trap|engine-id|host <ipaddr> version {1 <name> udp-port <port>}|2c|{3 <name>} [inform] [interval <seconds>] [retrycount <number>] [udp-port <port>]}|inform queue-length <size>|source|stats|trap enable|disable|{source <ipaddr>}|user <name> [auth-prot {md5|sha} <password>] [priv-prot {AES|DES} <password>]
spanning-tree [forward-time <value> | hello-time <value> | max-age <value> | priority <value> | vlan range <WORD>|
syscontact <syscontact>
syslocation <syslocation>
uplink {cellular priority <prior>}|disable|enable|{wired priority <prior>}|{wired vlan <id>}
validate
vlan <id> [<description>]|[<name> <vlan-ids>]|[range <range>]|[wired aaa-profile <profile>]
vrrp <id> {advertise <interval>|authentication <password>|description <text>|ip address <ipaddr>|preempt|priority <level>|shutdown} tracking interface {fastethernet <slot>/<port>|gigabitethernet <slot>/<port>}{sub <value>}|tracking master-up-time <duration> add <value>|tracking vlan <vlanid> {sub <value>}|tracking vrrp-master-state <vrid> add <value>|vlan <vlanid>}
Description
The remote-node-profile command lets you create a Remote Node profile. Once in Remote Node profile
configuration mode, you can issue any of the following commands to define the values you want to assign to that
profile.
Syntax
aaa: Configure authentication server using an internal server. For details, see aaa authentication-server internal on
page 32.
cellular profile <name>: Cellular interface profile associated with this Remote Node profile. For details, see cellular
profile on page 212.
clone <profile-name>: Use this command to copy a Remote Node profile to this profile.
controller-ip vlan <id> ip address: Select one of the following parameters for the VLAN interface:
l dhcp-client: The remote node will use DHCP to obtain an IP address.
l internal: The remote node IP will be derived from the remote node DHCP pool.
l pppoe: Use PPPoE to obtain an IP address.
dialer group <name>: Dialer group profile associated with this Remote Node profile.
instance: Configure the Remote Node MAC address to associate the Remote Node to this profile. When you create a
new Remote Node profile, enter the remote-node profile instance command first.
interface: Configure the Remote Node interface.
l cellular: Configure the cellular interface.
l fastethernet: Configure the FastEthernet (IEEE 802.3) interface.
l gigabitethernet: Configure the GigabitEthernet interface.
l loopback: Configure the Loopback interface.
l port-channel: Configure the Ethernet channel of interfaces.
l tunnel: Configure the Tunnel interface.
l vlan: Configure the Switch VLAN Virtual Interface.
NOTE: The VLAN ID mapped using the “interface vlan <id> ip address” command can use the following parameters
to define how the controller-ip is derived:
n dhcp-client: The remote node will use DHCP to obtain an IP address.
n internal: The remote node IP will be derived from the remote node DHCP pool.
n pppoe: Use PPPoE to obtain an IP address.
For details on using this command, see interface fastethernet | gigabitethernet on page 372.
ip: Configure the Interface Internet Protocol configuration sub commands. For details, see command descriptions
beginning with ip default-gateway on page 411.
l default-gateway
l domain lookup
l domain-name
l name-server
l nat
l radius
l route
ipv6: Configure the Global IPv6 configuration sub commands. For details, see command descriptions beginning with
ipv6 enable on page 450.
l enable
l route X:X:X:X::X/<0-128>
logging: Set the logging level up to which messages are logged. For details on using this command, see logging on
page 501.
l A.B.C.D
l facility
l level
mgmt-server: Register Mgmt Server IP Address with the controller. This could be AirWave Management Server or any
other server that would like to receive messages from the controller using AMON protocol. For details on using this
command, see mgmt-server type on page 518.
mgmt-user: Configure a management user. For details on using this command, see mgmt-user on page 519.
mobility-manager: Configure a mobility manager. For details on using this command, see mobility-manager on
page 521.
model <model_type>: Controller model associated to the Remote Node profile, where <model-type> is one of the
following controller model types:
l 3200XM
l 3400
l 3600
l 620
l 650
no: Delete a remote node profile.
priority-map <name>: Priority Map specification, used to prioritize the incoming packets on an interface. For details
on using this command, see priority-map on page 563.
remote-node-dhcp-pool <pool_name>: Name of the DHCP pool.
pool-type {vlan <id>}|tunnel: Specify whether you are creating a pool of IP addresses for RN VLANs or RN tunnels.
<id>: The ID number of the VLAN associated with the RN.
<start-ip>: IP address at the start of the RN’s address range, in dotted-decimal format.
<end-ip>: IP address at the end of the RN’s address range, in dotted-decimal format.
num_hosts: Maximum number of hosts supported by an RN using this pool.
router ospf <area-id>: Enables and configures OSPF. Configure an OSPF area, control distribution of default
information, redistribute the route, configure the Router ID and specify the subnet.
snmp-server: Enables SNMP and modifies SNMP parameters. For details on using this command, see snmp-server on
page 1785.
spanning-tree: Create a Spanning Tree Subsystem. For details on using this command, see spanning-tree (Global
Configuration) on page 1787.
syscontact <syscontact>: Configures the name of the system contact for the controller. Enter an alphanumeric string
that specifies the name of the system contact.
syslocation <syslocation>: Configures the name of the system location for the controller. Enter an alphanumeric
string that specifies the name of the system location.
uplink: Define an uplink manager configuration. For details on using this command, see uplink on page 1818.
validate: After you have defined configuration settings for a Remote Node profile, you must activate that profile by
issuing the command remote-node-profile <profile-name> validate to validate that the configuration has a correctly
defined uplink, model type, and an interface type supported by the Remote Node model. You cannot assign a Remote
Node configuration profile to a Remote Node until that profile has been activated.
vlan: Create a Remote Node VLAN Virtual Interface. For details on using this command, see vlan on page 1829.
vrrp: Define a Virtual Router Redundancy Protocol (VRRP) configuration. For details on using this command, see vrrp
on page 1847.
Usage Guidelines
Use the remote-node-profile command to create a Remote Node profile. You define configuration settings for each
Remote Node through a Remote Node profile on the Remote Node-master. The Remote Node-master must be a
master controller.
Related Commands
remote-node-localip (deprecated): Configures security for all Remote Node and Remote Controller control traffic.
Mode: Enable and Config mode.
remote-node-masterip (deprecated): Configures security for the Remote Node master IP address. Mode: Enable and
Config mode.
local-userdb-remote-node (deprecated): This command adds a Remote Node to the Remote Node whitelist. You can
also delete the whitelist entry using this command. Mode: Enable and Config mode.
show remote-node (deprecated): Shows Remote Node configuration, dhcp instance, license usage and running
configuration information. Mode: Enable and Config mode.
show remote-node-dhcp-pool (deprecated): Shows Remote Node dhcp pool configuration information. Mode: Enable
and Config mode.
show remote-node-profile (deprecated): Shows Remote Node profile status information. Mode: Enable and Config
mode.
show local-userdb-remote-node (deprecated): The output of this command lists the MAC address and assigned
remote-node-profile for each Remote Controller associated with that Remote Controller master. Mode: Enable and
Config mode.
Command History
ArubaOS 6.0: Command introduced.
ArubaOS 6.1: The controller-ip loopback parameter was deprecated. The following parameters were added:
l ipv6
l mgmt-server
l mobility-manager
l snmp-server
l syscontact
l syslocation
ArubaOS 6.2: Command deprecated.
Command Information
Platform: Available on all platforms
License: Available in the base operating system.
Command Mode: Enable and Config modes on master controllers.
rename
rename <filename> <newfilename>
Description
This command renames an existing system file.
Syntax
filename: An alphanumeric string that specifies the current name of the file on the system.
newfilename: An alphanumeric string that specifies the new name of the file on the system.
Usage Guidelines
Use this command to rename an existing system file on the controller. You can use a combination of numbers,
letters, and punctuation (periods, underscores, and dashes) to rename a file. The new name takes effect
immediately.
Make sure the renamed file uses the same file extension as the original file. If you change the file extension, the file
may be unrecognized by the system. For example, if you have an existing file named upgrade.log, the new file
must include the .log file extension.
You cannot rename the active configuration currently selected to boot the controller. If you attempt to rename the
active configuration file, the controller returns the following message:
Cannot rename active configuration file
To view a list of system files, and for more information about the directory contents, see dir on page 287.
Example
The following command changes the file named test_configuration to deployed_configuration:
(host) (config) #rename test_configuration deployed_configuration
Command History
This command was introduced in ArubaOS 1.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable and Config modes on master controllers
restore
restore flash
Description
This command restores flash directories backed up to the flashbackup.tar.gz file.
Syntax
flash: Restores flash directories from the flashbackup.tar.gz file.
Usage Guidelines
Use the backup flash command to tar and compress flash directories to the flashbackup.tar.gz file.
Example
The following command restores flash directories from the flashbackup.tar.gz file:
(host) #restore flash
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable mode on master controllers
rf am-scan-profile
rf am-scan-profile <profile-name>
clone <profile>
dwell-time-active-channel
dwell-time-other-reg-domain-channel
dwell-time-rare-channel
dwell-time-reg-domain-channel
no
scan-mode
Description
Configure an Air Monitor (AM) scanning profile.
Syntax
<profile-name>: Name of this instance of the profile. Range: 1-63 characters. Default: none.
clone <profile>: Copy data from another AM scanning profile.
dwell-time-active-channel: Dwell time (in ms) for channels where there is wireless activity. Range: 100-32768 ms.
Default: 500 ms.
dwell-time-other-reg-domain-channel: Dwell time (in ms) for channels not in the AP's regulatory domain. Range:
100-32768 ms. Default: 250 ms.
dwell-time-rare-channel: Dwell time (in ms) for rare channels. Range: 100-32768 ms. Default: 100 ms.
dwell-time-reg-domain-channel: Dwell time (in ms) for the AP's regulatory domain channels. Range: 100-32768 ms.
Default: 250 ms.
no: Delete the command.
scan-mode: Set the scanning mode for the radio.
l all-reg-domain: Scan channels in all regulatory domains.
l rare: Scan all channels (all regulatory domains and rare channels).
l reg-domain: Scan channels in the AP's regulatory domain.
Usage Guidelines
Channels are categorized into the following types:
l Active Channel: This qualifier indicates that wireless activity (for example, a probe request) is detected on this
channel by the presence of an AP or other 802.11 activity.
l All Regulatory Domain Channels: A valid non-overlapping channel that is in the regulatory domain of at least
one country.
l Rare Channels: Channels that fall into a frequency range outside of the regulatory domain; 2484 MHz and
4900 MHz-4995 MHz (J-channels), and 5000-5100 MHz.
l Regulatory Domain Channels: A channel that belongs to the regulatory domain of the country in which the AP
is deployed. The set of channels that belong to this group is a subset of the channels in the all-reg-domain channel
group.
Command History
ArubaOS 6.0: Command introduced
Command Information
Platforms: All Platforms
Licensing: RFProtect
Command Mode: Configuration Mode (config)
rft
rft test profile antenna-connectivity ap-name <name> [dest-mac <macaddr> [phy {a|g}| radio {0|1}]]
rft test profile link-quality {ap-name <name> dest-mac <macaddr> [phy {a|g}|radio {0|1}] | bssid <bssid> dest-mac <macaddr> | ip-addr <ipaddr> dest-mac <macaddr> [phy {a|g}|radio {0|1}]}
rft test profile raw {ap-name <name> dest-mac <macaddr> [phy {a|g}|radio {0|1}] | bssid <bssid> dest-mac <macaddr> | ip-addr <ipaddr> dest-mac <macaddr> [phy {a|g}|radio {0|1}]}
Description
This command is used for RF troubleshooting.
Syntax
ap-name: Name of the AP that performs the test.
dest-mac: MAC address of the client to be tested.
phy: 802.11 type, either a or g. Range: a|g.
radio: Radio ID, either 0 or 1. Range: 0|1.
bssid: BSSID of the AP that performs the test.
ip-addr: IP address of the AP that performs the test.
Usage Guidelines
This command can run predefined test profiles for antenna connectivity, link quality, or raw testing. You should only
run these commands when directed to do so by an Aruba support representative.
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
rf arm-profile
rf arm-profile <profile>
40MHz-allowed-bands {All|None|a-only|g-only}
80MHz-support
acceptable-coverage-index <number>
active-scan (not intended for use)
aggressive-scan
assignment {disable|maintain|multi-band|single-band}
backoff-time <seconds>
cellular-handoff-assist
channel-quality-aware-arm
channel-quality-threshold <channel-quality-threshold>
channel-quality-wait-time <seconds>
client-aware
client-match
clone <profile>
cm-lb-client-thresh <#-of-clients>
cm-lb-snr-thresh <dB>
cm-lb-thresh <%-of-clients>
cm-max-steer-fails <#-of-fails>
cm-report-interval
cm-stale-age <secs>
cm-steer-timeout <secs>
cm-sticky-check_intvl <secs>
cm-sticky-min-signal <-dB>
cm-sticky-snr <dB>
cm-sticky-snr-delta
cm-update-interval <dB>
cm-unst-ageout-interval days <days> hours <hours>
error-rate-threshold <percent>
error-rate-wait-time <seconds>
free-channel-index <number>
ideal-coverage-index <number>
load-aware-scan-threshold
max-tx-power <dBm>
min-scan-time <# of scans>
min-tx-power <dBm>
mode-aware
multi-band-scan
no ...
ota-updates
ps-aware-scan
rogue-ap-aware
scan mode all-reg-domain|reg-domain
scan-interval
scanning
video-aware-scan
voip-aware-scan
Description
This command configures the Adaptive Radio Management (ARM) profile.
Syntax
Parameter
Description
Range
Default
<profile>
Name of this instance of the profile. The name
must be 1-63 characters.
—
“default”
40MHz-allowed- bands
The specified setting allows ARM to determine
if 40 MHz mode of operation is allowed on the
5 GHz or 2.4 GHz frequency band only, on both
frequency bands, or on neither frequency
band.
All/None/
a-only/g-only
a-only
All
Allows 40 MHz channels on both the 5 GHZ
(802.11a) and 2.4 GHZ (802.11b/g) frequency
bands.
—
—
None
Disallows use of 40 MHz channels.
—
—
a-only
Allows use of 40 MHz channels on the 5 GHZ
(802.11a) frequency band only.
—
—
g-only
Allows use of 40 MHz channels on the 2.4 GHZ
(802.11b/g) frequency band only.
—
—
80MHz-support
If enabled, 80 MHz channels can be used in
the 5GHz frequency band on APs that support
802.11ac.
—
enabled
acceptable-coverage-in
dex
The minimal coverage that the AP should try to
achieve on its channel. The denser the AP
deployment, the lower this value should be.
This setting applies to multi-band
implementations only.
1-6
4
active-scan
When active-scan is enabled, an AP initiates
active scanning via probe request. This option
elicits more information from nearby APs, but
also creates additional management traffic on
the network. This feature is disabled by
default, and should not be enabled except
under the direct supervision of Aruba Technical
Support.
Default: disabled
—
disabled
aggressive-scan
When this feature is enabled, an AP radio with
no clients will scan channels every second.
—
enabled
assignment
Activates one of four ARM channel/power
assignment modes.
—
single-band
(new
installations
only)
disable
Disables ARM channel/power assignments.
—
—
maintain
Maintains existing channel assignments.
—
—
ArubaOS 6.4| Reference Guide
rf arm-profile | 593
Parameter
Description
Range
Default
multi-band
Computes ARM assignments for both 5 GHZ
(802.11a) and 2.4 GHZ (802.11b/g) frequency
bands.
—
—
single-band
Computes ARM assignments for a single band.
—
—
backoff-time
Time, in seconds, an AP backs off after
requesting a new channel or power.
120-3600
240
seconds
cellular-handoffassist
When both the client match and cellular handoff assist features are enabled, the cellular
handoff assist feature can help a dual-mode,
3G/4G-capable Wi-Fi device such as an
iPhone, iPad, or Android client at the edge of
Wi-Fi network coverage switch from Wi-Fi to an
alternate 3G/4G radio that provides better network access. This feature is disabled by
default, and is recommended only for Wi-Fi hotspot deployments.
—
disabled
channel-quality-aware
    Base ARM channel changes on channel quality and noise floor values. If this parameter is disabled, only noise-floor values are used to change channels.
    Range: — | Default: disabled
channel-quality-threshold
    Channel quality percentage below which ARM initiates a channel change.
    Range: 0-100 | Default: 70
channel-quality-wait-time
    If channel quality stays below the channel quality threshold for this wait-time period, ARM initiates a channel change.
    Range: 1-3600 | Default: 120
client-aware
    If the Client Aware option is enabled, the AP does not change channels if there is active client traffic on that AP. If Client Aware is disabled, the AP may change to a more optimal channel, but this change may also disrupt current client traffic.
    Range: — | Default: enabled
client-match
    The client match feature helps optimize network resources by balancing clients across channels, regardless of whether the AP or the controller is responding to the wireless clients' probe requests. If enabled, the controller compares whether or not an AP has more clients than its neighboring APs on other channels. If an AP's client load is at or over a predetermined threshold as compared to its immediate neighbors, or if a neighboring Aruba AP on another channel does not have any clients, load balancing will be enabled on that AP. This feature is enabled by default.
    Range: — | Default: enabled
clone
    Name of an existing ARM profile from which parameter values are copied.
    Range: — | Default: —
cm-lb-client-thresh <#-of-clients>
    If an AP radio has fewer clients than the client match load balancing threshold defined by this parameter, the AP will not participate in load balancing.
    Range: 0-100 clients | Default: 10
cm-lb-snr-thresh <dB>
    Clients must detect an SNR from an underutilized AP radio at or above this threshold before the client match feature considers load balancing a client to that radio.
    Range: 0-100 dB | Default: 25
cm-lb-thresh <%-of-clients>
    When the client match feature is enabled, clients may be steered from a highly utilized channel on an AP to a channel with fewer clients. If a channel on an AP radio has this percentage fewer clients than another channel supported by the client, the client match feature may move clients from the busier channel to the channel with fewer clients.
    Range: 0-100 % | Default: 20
cm-max-steer-fails <#-of-fails>
    The controller keeps track of the number of times the client match feature failed to steer a client to a different radio, and the reason that each steer attempt was triggered. If the client match feature attempts to steer a client to a new radio multiple consecutive times for the same reason but client steering fails each time, the controller notifies the AP to mark the client as unsteerable for that specific trigger. This parameter defines the maximum allowed number of client match steering fails with the same trigger before the client is marked as unsteerable for that trigger.
    Range: 0-100 failures | Default: 5
cm-report-interval <secs>
    How often an AP sends an updated client probe report to the controller. Each client probe report contains a list of MAC addresses for clients that have been active in the last two minutes, and the AP radio SNR values seen by those clients.
    Range: 0-255 secs | Default: 30
cm-stale-age <secs>
    The controller maintains client match data for up to 4096 clients showing the detected SNR values for up to 16 candidate APs per client. This table is periodically updated as APs send client probe reports to the controller. This parameter defines the amount of time that the controller retains client match data from each client probe report.
    Range: 0-65535 seconds | Default: 900 secs
cm-steer-timeout
    When a client is steered from one AP to a more desirable AP, the steer timeout helps facilitate the move by defining the amount of time during which any AP to which the client should NOT associate will not respond to that client.
    Range: 0-255 secs
cm-sticky-check-interval <secs>
    Frequency at which the AP checks the client's received SNR values. If the SNR value drops below the threshold defined by the cm-sticky-snr parameter for three consecutive check intervals, that client may be moved to a different AP.
    Range: 0-255 secs | Default: 3 secs
cm-sticky-min-signal <-dB>
    A client triggered to move to a different AP may consider an AP radio a better match if the client detects that the signal from the candidate AP radio is at or above the minimum signal level defined by this parameter, and the candidate radio has a higher signal strength than the radio to which the client is currently associated. (The required improvement in signal strength is defined by the cm-sticky-snr-delta parameter.)
    Range: 0-255 (-dB) | Default: 70
cm-sticky-snr <dB>
    If the client's received signal strength indicator (RSSI) is above this signal-to-noise ratio (SNR) threshold, that client is allowed to stay associated to its current AP. If the client's received signal strength is below this threshold, it may be moved to a different AP.
    Range: 0-255 dB | Default: 30
cm-sticky-snr-delta
    A client triggered to move to a different AP may consider an AP radio a better match if the client detects that the signal from that AP radio is stronger than its current radio by the dB level defined by this parameter, and the candidate radio also meets the minimum signal level defined by the cm-sticky-min-signal parameter.
    Range: 0-100 dB | Default: 10
cm-unst-ageout-interval days <days> hours <hours>
    The client entries in an unsteerable client list remain in effect for the interval defined by this parameter before they age out.
    Range: — | Default: 2 days
cm-unst-ageout
    When client match and the client match unsteerable client ageout feature are enabled, the controller periodically sends each AP that is not a desired match for a client a list of unsteerable clients. Each list contains the MAC addresses of up to 128 clients that should not be steered to that AP.
    Range: — | Default: —
error-rate-threshold
    The percentage of errors in the channel that triggers a channel change. Recommended value is 50%.
    Range: 0-100 | Default: 50%
error-rate-wait-time
    Time, in seconds, that the error rate has to be at least the error rate threshold to trigger a channel change.
    Range: 1-2,147,483,647 (recommended values: 1-100) | Default: 30 seconds
free-channel-index
    The difference in the interference index between the new channel and the current channel must exceed this value for the AP to move to a new channel. The higher this value, the lower the chance an AP will move to the new channel. Recommended value is 25.
    Range: 10-40 | Default: 25
ideal-coverage-index
    The coverage that the AP should try to achieve on its channel. The denser the AP deployment, the lower this value should be. Recommended value is 10.
    Range: 2-20 | Default: 10
load-aware-scan-threshold
    Load aware ARM preserves network resources during periods of high traffic by temporarily halting ARM scanning if the load for the AP gets too high. The load aware scan threshold is the traffic throughput level an AP must reach before it stops scanning. Specify 0 to disable this feature.
    Range: 0-20000000 bytes/second | Default: 1250000 bytes/second
max-tx-power
    Maximum effective isotropic radiated power (EIRP) from 3 to 33 dBm in 3 dBm increments. You may also specify a special value of 127 dBm for regulatory maximum, to disable power adjustments for environments such as outdoor mesh links. This value takes into account both radio transmit power and antenna gain. Higher power level settings may be constrained by local regulatory requirements and AP capabilities.
    Range: 3, 6, 9, 12, 15, 18, 21, 24, 27, 30, 33, 127 | Default: 127 dBm
min-scan-time
    Minimum number of times a channel must be scanned before it is considered for assignment. Best practice is to configure a minimum scan time between 1 and 20 scans.
    Range: 0-2,147,483,647 scans (recommended values: 1-20) | Default: 8 scans
min-tx-power
    Minimum effective isotropic radiated power (EIRP) from 3 to 33 dBm in 3 dBm increments. You may also specify a special value of 127 dBm for regulatory minimum. This value takes into account both radio transmit power and antenna gain. Higher power level settings may be constrained by local regulatory requirements and AP capabilities.
    Range: 3, 6, 9, 12, 15, 18, 21, 24, 27, 30, 33, 127 | Default: 9 dBm
mode-aware
    If enabled, ARM will turn APs into Air Monitors (AMs) if it detects higher coverage levels than necessary. This helps avoid higher levels of interference on the WLAN. Although this setting is disabled by default, you may want to enable this feature if your APs are deployed in close proximity (e.g. less than 60 feet apart).
    Range: — | Default: disabled
multi-band-scan
    When enabled, single-radio APs try to scan across bands for rogue AP detection.
    Range: — | Default: enabled
no
    Negates any configured parameter.
    Range: — | Default: —
ota-updates
    Allows an AP to get information about its RF environment from its neighbors, even if the AP itself cannot scan. If this feature is enabled, when an AP on the network scans a foreign (non-home) channel, it sends other APs an Over-the-Air (OTA) update in an 802.11 management frame that contains information about the scanning AP's home channel, the current transmission EIRP value of its home channel, and one-hop neighbors seen by that AP.
    Range: — | Default: enabled
ps-aware-scan
    When enabled, the AP will not scan if Power Save is active.
    Range: — | Default: disabled
rogue-ap-aware
    When enabled, the AP will try to contain rogue APs it detects on off-channel scans.
    Range: — | Default: disabled
scan-interval
    If scanning is enabled, the scan interval defines how often the AP leaves its current channel to scan other channels in the band. Off-channel scanning can impact client performance; typically, the shorter the scan interval, the higher the impact on performance. If you are deploying a large number of new APs on the network, you may want to lower the scan interval to help those APs find their optimal settings more quickly. Raise the scan interval back to its default setting after the APs are functioning as desired.
    Range: 0-2,147,483,647 seconds (recommended values: 0-30 seconds) | Default: 10 seconds
scan-mode
    Select the scan mode for the AP:
    • all-reg-domain: The AP scans channels within all regulatory domains. This is the default setting.
    • reg-domain: Limit the AP scans to just the regulatory domain for that AP.
    Range: all-reg-domain, reg-domain | Default: all-reg-domain
scanning
    Enables or disables AP scanning across multiple channels. Disabling this option also disables the following scanning features:
    • multi-band-scan
    • rogue-ap-aware
    • voip-aware-scan
    • ps-aware-scan
    Do not disable scanning unless you want to disable ARM and manually configure AP channel and transmission power.
    Range: — | Default: enabled
video-aware-scan
    As long as there is at least one video frame every 100 ms, the AP will reject an ARM scanning request. Note that for each radio interface, video frames must be defined in one of two ways:
    • Classify the frame as video traffic via a session ACL.
    • Enable WMM on the WLAN's SSID profile and define a specific DSCP value as a video stream. Next, create a session ACL to tag the video traffic with that DSCP value.
    Range: — | Default: enabled
voip-aware-scan
    Aruba's VoIP Call Admission Control (CAC) prevents any single AP from becoming congested with voice calls. When you enable CAC, you should also enable the voip-aware-scan parameter in the ARM profile, so the AP will not attempt to scan a different channel if one of its clients has an active VoIP call. This option requires that scanning is also enabled.
    Range: — | Default: disabled
Usage Guidelines
Adaptive Radio Management (ARM) is a radio frequency (RF) resource allocation algorithm that allows each AP to determine the optimum channel selection and transmit power setting to minimize interference and maximize coverage and throughput. This command configures an ARM profile that you apply to a radio profile for the 5 GHz or 2.4 GHz frequency band (see rf dot11a-radio-profile on page 602 or rf dot11g-radio-profile on page 611).
Channel Quality
Hybrid APs and Spectrum Monitors determine channel quality by measuring channel noise, non-Wi-Fi (interferer) utilization and duty-cycles, and certain types of Wi-Fi retries. Regular APs using the ARM feature derive channel quality values by measuring the noise floor for that channel.
Client Match
The ARM client match feature continually monitors a client's RF neighborhood to provide ongoing client bandsteering and load balancing, and enhanced AP reassignment for roaming mobile clients. This feature is recommended over the legacy bandsteering and spectrum load balancing features, which, unlike client match, do not trigger AP changes for clients already associated to an AP.
Legacy 802.11a/b/g devices do not support the client match feature. When client match is enabled on 802.11n-capable devices, it overrides any settings configured for the legacy bandsteering, station handoff assist or load balancing features. 802.11ac-capable devices do not support the legacy bandsteering, station handoff or load balancing settings, so these APs must be managed using client match.
When this feature is enabled on an AP, that AP is responsible for measuring the RF health of its associated clients. The AP receives and collects information about clients in its neighborhood, and periodically sends this information to the controller. The controller aggregates the information it receives from all APs using client match, and maintains information for all associated clients in a database. The controller shares this database with the APs (for their associated clients) and the APs use the information to compute the client-based RF neighborhood and determine which APs should be considered candidate APs for each client. When the controller receives a client steer request from an AP, the controller identifies the optimal AP candidate and manages the client's relocation to the desired radio. This is an improvement over previous releases, where the ARM feature was managed exclusively by APs, without the larger perspective of the client's RF neighborhood.
The following client/AP mismatch conditions are managed by the client match feature:
• Load Balancing: Client match balances clients across APs on different channels, based upon the client load on the APs and the SNR levels the client detects from an underutilized AP. If an AP radio can support additional clients, the AP will participate in client match load balancing and clients can be directed to that AP radio, subject to predefined SNR thresholds.
• Sticky Clients: The client match feature also helps mobile clients that tend to stay associated to an AP despite low signal levels. APs using client match continually monitor the client's RSSI as it roams between APs, and move the client to an AP when a better radio match can be found. This prevents mobile clients from remaining associated to an AP with less than ideal RSSI, which can cause poor connectivity and reduce performance for other clients associated with that AP.
• Band Steering/Band Balancing: APs using the client match feature monitor the RSSI for clients that advertise a dual-band capability. If a client is currently associated to a 2.4 GHz radio and the AP detects that the client has a good RSSI from the 5 GHz radio, the controller will attempt to steer the client to the 5 GHz radio, as long as the 5 GHz RSSI is not significantly worse than the 2.4 GHz RSSI, and the AP retains a suitable distribution of clients on each of its radios.
ARM Scanning
The default ARM scanning interval is determined by the scan-interval parameter in the ARM profile. If the AP does not have any associated clients (or if most of its clients are inactive) the ARM feature dynamically readjusts this default scan interval, allowing the AP to obtain better information about its RF neighborhood by scanning non-home channels more frequently. Starting with ArubaOS 6.2, if an AP attempts to scan a non-home channel but is unsuccessful, the AP makes additional attempts to rescan that channel before skipping it and continuing on to other channels.
Using Adaptive Radio Management (ARM) in a Mesh Network
When a mesh portal operates on a mesh network, the mesh portal determines the channel used by the mesh feature. When a mesh point locates an upstream mesh portal, it scans the regulatory domain channel list to determine the channel assigned to it, because a mesh point always uses the channel selected by its mesh portal. However, if a mesh portal uses an ARM profile enabled with a single-band or multi-band channel/power assignment and the scanning feature, the mesh portal scans the configured channel lists and the ARM algorithm assigns the proper channel to the mesh portal.
If you are using ARM in your network, it is important to note that mesh points, unlike mesh portals, do not scan channels. This means that once a mesh point has selected a mesh portal or an upstream mesh point, it tunes to this channel, forms the link, and will not scan again unless the mesh link gets broken. This provides good mesh link stability, but may adversely affect system throughput in networks with mesh portals and mesh points. When ARM assigns optimal channels to mesh portals, those portals use different channels, and once the mesh network has formed and all the mesh points have selected a portal (or upstream mesh point), those mesh points will not be able to detect other portals on other channels that could offer better throughput. This type of suboptimal mesh network may form if, for example, two or three mesh points select the same mesh portal after booting, form the mesh network, and leave a nearby mesh portal without any mesh points. Again, this will not affect mesh functionality, but may affect total system throughput.
Example
The following commands configure VoIP-aware scanning for the arm-profile named "voice-arm":
(config) (host) #rf arm-profile voice-arm
voip-aware-scan
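The following ARM profile is an added example and is not part of the original guide or of any Aruba-supplied configuration. It uses the parameters documented above to build a profile for an indoor 5 GHz deployment that keeps scanning, multi-band scanning and rogue-AP awareness on (the settings that feed rogue AP detection), makes the client match thresholds explicit at their documented defaults, caps EIRP below the regulatory maximum, and binds the profile to a radio profile. The profile names campus-arm and campus-5ghz and the AP name AP-LOBBY-1 are placeholders; the three show commands at the end are assumed from ArubaOS 6.x and are not documented on this page.

```text
(config) (host) #rf arm-profile campus-arm
  scanning
  scan-mode reg-domain
  scan-interval 10
  min-scan-time 8
  multi-band-scan
  rogue-ap-aware
  ota-updates
  channel-quality-aware
  channel-quality-threshold 70
  channel-quality-wait-time 120
  error-rate-threshold 50
  error-rate-wait-time 30
  free-channel-index 25
  ideal-coverage-index 10
  min-tx-power 9
  max-tx-power 21
  client-aware
  client-match
  cm-lb-client-thresh 10
  cm-lb-thresh 20
  cm-lb-snr-thresh 25
  cm-sticky-snr 30
  cm-sticky-snr-delta 10
  cm-sticky-min-signal 70
  cm-sticky-check-interval 3
  cm-max-steer-fails 5
  cm-unst-ageout
  cm-unst-ageout-interval days 2 hours 0
  voip-aware-scan
(config) (host) #rf dot11a-radio-profile campus-5ghz
  arm-profile campus-arm
(config) (host) #show rf arm-profile campus-arm
(config) (host) #show ap arm rf-summary
(config) (host) #show ap arm history ap-name AP-LOBBY-1
```

Two points a practitioner should take from this profile. First, the weak setting to avoid is "no scanning": as the scanning entry above states, it silently disables multi-band-scan, rogue-ap-aware, voip-aware-scan and ps-aware-scan along with ARM channel selection, so an AP configured that way stops contributing to rogue AP detection; if you need fixed channels, set them in the radio profile and leave scanning enabled. Second, rogue-ap-aware makes the AP actively contain rogue APs it sees off-channel, which disrupts the rogue and its clients, so confirm that containment is permitted by your local policy before enabling it. The max-tx-power of 21 dBm and the scan-mode reg-domain choice are example values, not recommendations from the guide.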
Command History
Release: ArubaOS 3.0
Modification: Command introduced.
Release: ArubaOS 3.3
Modification: Support for the high-throughput IEEE 802.11n standard was introduced.
Release: ArubaOS 3.3.2
Modification: Support for the wait-time parameter was removed.
Release: ArubaOS 3.4.1
Modification: The voip-aware-scan parameter no longer requires a license, and is available in the base OS.
Release: ArubaOS 6.1
Modification: The ps-aware-scan parameter is now disabled by default.
Release: ArubaOS 6.3
Modification: The noise-wait-time and noise-threshold parameters were deprecated, and the following parameters were introduced:
• 80MHz support
• aggressive-scanning
• client-match
• channel-quality-aware
• channel-quality-threshold
• channel-quality-wait-time
• cm-lb-client-thresh
• cm-lb-snr-thresh
• cm-lb-thresh
• cm-max-steer-fails
• cm-report-interval
• cm-stale-age
• cm-sticky-check-interval
• cm-sticky-min-signal
• cm-sticky-snr
• cm-sticky-snr-delta
• cm-update-interval
• cm-unst-ageout-interval
Release: ArubaOS 6.3.1
Modification: The cellular-handoff-assist parameter was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master controllers
rf dot11a-radio-profile
rf dot11a-radio-profile <profile>
am-scan-profile <profile-name>
arm-profile <profile>
beacon-period <milliseconds>
beacon-regulate
cap-reg-eirp <cap-reg-eirp>
cell-size-reduction <cell-size-reduction>
channel <num|num+|num->
channel-reuse {static|dynamic|disable}
channel-reuse-threshold
clone <profile>
csa
csa-count <number>
disable-arm-wids-function
dot11h
high-throughput-enable
ht-radio-profile <profile>
interference-immunity
maximum-distance <maximum-distance>
mgmt-frame-throttle-interval <seconds>
mgmt-frame-throttle-limit <number>
mode {ap-mode|am-mode|spectrum-mode}
no ...
radio-enable
slb-mode channel|radio
slb-threshold
slb-update-interval <secs>
spectrum-load-bal-domain
spectrum-load-balancing
spectrum-monitoring
spectrum-profile <profile>
tpc-power <tpc-power>
tx-power <dBm>
very-high-throughput-enable
Description
This command configures AP radio settings for the 5 GHz frequency band, including the Adaptive Radio
Management (ARM) profile and the high-throughput (802.11n) radio profile.
Syntax
<profile>
    Name of this instance of the profile. The name must be 1-63 characters.
    Range: — | Default: "default"
am-scan-profile <name>
    Configure an Air Monitor (AM) scanning profile.
    Range: — | Default: "default"
arm-profile <profile>
    Configures the Adaptive Radio Management (ARM) feature. See rf arm-profile on page 592.
    Range: — | Default: "default"
beacon-period <milliseconds>
    Time, in milliseconds, between successive beacon transmissions. The beacon advertises the AP's presence, identity, and radio characteristics to wireless clients.
    Range: 60 ms (minimum) | Default: 100 milliseconds
beacon-regulate
    Enabling this setting introduces randomness in the beacon generation so that multiple APs on the same channel do not send beacons at the same time, which causes collisions over the air.
    Range: — | Default: disabled
cap-reg-eirp <cap-reg-eirp>
    Work around a known issue on Cisco 7921G telephones by specifying a cap for a radio's maximum equivalent isotropic radiated power (EIRP). When you enable this parameter, even if the regulatory approved maximum for a given channel is higher than this EIRP cap, the AP radio using this profile will advertise only this capped maximum EIRP in its radio beacons.
    Range: 1-31 dBm
cell-size-reduction <cell-size-reduction>
    The cell size reduction feature allows you to manage dense deployments and to increase overall system performance and capacity by shrinking an AP's receive coverage area, thereby minimizing co-channel interference and optimizing channel reuse. This value should only be changed if the network is experiencing performance issues. The default 0 dB reduction allows the radio to retain its current default Rx sensitivity value. Values from 1 dB to 55 dB reduce the power level that the radio can hear by that amount. If you configure this feature to use a non-default value, you must also reduce the radio's transmission (Tx) power to match its new received (Rx) power level. Failure to match a device's Tx power level to its Rx power level can result in a configuration that allows the radio to send messages to a device that it cannot hear.
    Range: 0-55 dB | Default: 0 dB
channel <num|num+|num->
    Channel number for the AP 802.11a/802.11n/802.11ac physical layer. The available channels depend on the regulatory domain (country). Channel number configuration options for 20 MHz, 40 MHz, and 80 MHz modes:
    • num: Entering a channel number disables 40 MHz mode and activates 20 MHz mode for the entered channel.
    • num+: Entering a channel number with a plus (+) sign selects a primary and secondary channel for 40 MHz and 80 MHz modes. The number entered becomes the primary channel and the secondary channel is determined by increasing the primary channel number by 4. Example: 157+ represents 157 as the primary channel and 161 as the secondary channel.
    • num-: Entering a channel number with a minus (-) sign selects a primary and secondary channel for 40 MHz and 80 MHz modes. The number entered becomes the primary channel and the secondary channel is determined by decreasing the primary channel number by 4. Example: 157- represents 157 as the primary channel and 153 as the secondary channel.
    NOTE: 20 MHz clients are allowed to associate when a primary and secondary channel are configured; however, the client will only use the primary channel.
    Range: Depends on regulatory domain | Default: —
channel-reuse {static|dynamic|disable}
    When you enable the channel reuse feature, it can operate in one of the following three modes: static, dynamic or disable. (This feature is disabled by default.)
    • Static mode: A coverage-based adaptation of the Clear Channel Assessment (CCA) thresholds. In static mode, the CCA threshold is adjusted according to the configured transmission power level on the AP: as the AP transmit power decreases, the CCA threshold increases, and vice versa.
    • Dynamic mode: The Clear Channel Assessment (CCA) thresholds are based on channel loads, and take into account the location of the associated clients. This mode is activated automatically when the wireless medium around the AP is busy more than half the time. When it is active, the CCA threshold adjusts to accommodate transmissions between the AP and its most distant associated client.
    • Disable mode: This mode does not support the tuning of the CCA Detect Threshold.
    Range: static, dynamic, disable | Default: disable
channel-reuse-threshold
    RX Sensitivity Tuning Based Channel Reuse Threshold, in -dBm. If the Rx Sensitivity Tuning Based Channel Reuse feature is set to static mode, this parameter manually sets the AP's Rx sensitivity threshold (in -dBm). The AP will filter out and ignore weak signals that are below the channel threshold signal strength. If the value is set to zero, the feature will automatically determine an appropriate threshold.
    Range: Depends on regulatory domain | Default: —
client-match
    The ARM client match feature continually monitors a client's RF neighborhood to provide ongoing client bandsteering and load balancing, and enhanced AP reassignment for roaming mobile clients. This feature is recommended over the legacy bandsteering and spectrum load balancing features, which, unlike client match, do not trigger AP changes for clients already associated to an AP.
    When this feature is enabled on an AP, that AP is responsible for measuring the RF health of its associated clients. The AP receives and collects information about clients in its neighborhood, and periodically sends this information to the controller. The controller aggregates the information it receives from all APs using client match, and maintains information for all associated clients in a database. The controller shares this database with the APs (for their associated clients) and the APs use the information to compute the client-based RF neighborhood and determine which APs should be considered candidate APs for each client. When the controller receives a client steer request from an AP, the controller identifies the optimal AP candidate and manages the client's relocation to the desired radio. This is an improvement over previous releases, where the ARM feature was managed exclusively by APs, without the larger perspective of the client's RF neighborhood.
    Range: — | Default: disabled
clone <profile>
    Name of an existing radio profile from which parameter values are copied.
    Range: — | Default: —
csa
    Channel Switch Announcement (CSA), as defined by IEEE 802.11h, allows an AP to announce that it is switching to a new channel before it begins transmitting on that channel. Clients must support CSA in order to track the channel change without experiencing disruption.
    Range: — | Default: disabled
csa-count <number>
    Number of CSA announcements that are sent before the AP begins transmitting on the new channel.
    Range: 1-16 | Default: 4
disable-arm-wids-function
    Disables Adaptive Radio Management (ARM) and Wireless IDS functions on the radio. These can be disabled if a small increase in packet processing performance is desired. If a radio is configured to operate in Air Monitor mode, then these functions are always enabled irrespective of this option. CAUTION: Use carefully, since this effectively disables ARM and WIDS on that radio.
    Range: — | Default: disabled
dot11h
    Enable advertisement of 802.11d (Country Information) and 802.11h (TPC or Transmit Power Control) capabilities. This parameter is disabled by default.
    Range: — | Default: disabled
high-throughput-enable
    Enables high-throughput (802.11n) features on a radio using the 5 GHz frequency band.
    Range: — | Default: enabled
ht-radio-profile <profile>
    Name of the high-throughput radio profile to use for configuring high-throughput support on the 5 GHz frequency band. See rf ht-radio-profile on page 624.
    Range: — | Default: "default-a"
interference-immunity
    Set a value for 802.11 Interference Immunity. The default setting for this parameter is level 2. When performance drops due to interference from non-802.11 interferers (such as DECT or Bluetooth devices), the level can be increased up to level 5 for improved performance. However, increasing the level makes the AP slightly "deaf" to its surroundings, causing the AP to lose a small amount of range. The levels for this parameter are:
    • Level-0: no ANI adaptation.
    • Level-1: noise immunity only.
    • Level-2: noise and spur immunity. This is the default setting.
    • Level-3: level 2 and weak OFDM immunity.
    • Level-4: level 3 and FIR immunity.
    • Level-5: disable PHY reporting.
    NOTE: Do not raise the noise immunity feature's default setting if the channel-reuse-threshold feature (page 604) is also enabled. A level-3 to level-5 noise immunity setting is not compatible with the Channel Reuse feature.
    Range: Level-0 to Level-5 | Default: Level-2
maximum-distance <maximum-distance>
    Maximum distance between a client and an AP or between a mesh point and a mesh portal, in meters. This value is used to derive ACK and CTS timeout times. A value of 0 specifies default settings for this parameter, where timeouts are only modified for outdoor mesh radios, which use a distance of 16 km. The upper limit for this parameter varies, depending on the 20/40 MHz mode for a 5 GHz frequency band radio:
    • 20 MHz mode: 58 km
    • 40 MHz mode: 27 km
    Note that if you configure a value above the supported maximum, the maximum supported value will be used instead. Values below 600 m will use default settings.
    Range: 0-58 km (20 MHz mode), 0-27 km (40 MHz mode) | Default: 0 meters
mgmt-frame-throttle-interval <seconds>
    Averaging interval for rate limiting management frames, in seconds. Zero disables rate limiting. NOTE: This parameter only applies to AUTH and ASSOC/RE-ASSOC management frames.
    Range: 0-60 | Default: 1 second interval
mgmt-frame-throttle-limit <number>
    Maximum number of management frames allowed in each throttle interval. NOTE: This parameter only applies to AUTH and ASSOC/RE-ASSOC management frames.
    Range: 0-999999 | Default: 20 frames per interval
mode {ap-mode|am-mode|spectrum-mode}
    One of the operating modes for the AP:
    • ap-mode: Device provides transparent, secure, high-speed data communications between wireless network devices and the wired LAN.
    • am-mode: Device behaves as an air monitor to collect statistics, monitor traffic, detect intrusions, enforce security policies, balance traffic load, self-heal coverage gaps, etc.
    • spectrum-mode: Device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client. For a list of APs that can be converted into a spectrum monitor or hybrid AP, refer to the Spectrum Analysis chapter of the ArubaOS 6.4 User Guide.
    Range: ap-mode, am-mode, spectrum-mode | Default: ap-mode
no
    Negates any configured parameter.
    Range: — | Default: —
radio-enable
    Enables or disables the radio.
    Range: — | Default: enabled
slb-mode channel|radio
    SLB mode allows control over how to balance clients. Select one of the following options:
    • channel: Channel-based load-balancing balances clients across channels. This is the default load-balancing mode.
    • radio: Radio-based load-balancing balances clients across APs.
    Range: channel, radio | Default: channel
slb-update-interval <secs>
    Specify how often spectrum load balancing calculations are made (in seconds). The default value is 30 seconds.
    Range: 1-2,147,483,647 seconds | Default: 30 seconds
spectrum-load-bal-domain
    Define a spectrum load balancing domain to manually create RF neighborhoods. Use this option to create RF neighborhood information for networks that have disabled Adaptive Radio Management (ARM) scanning and channel assignment.
    • If spectrum load balancing is enabled in an 802.11a radio profile but the spectrum load balancing domain is not defined, ArubaOS uses the ARM feature to calculate RF neighborhoods.
    • If spectrum load balancing is enabled in an 802.11a radio profile and a spectrum load balancing domain is also defined, AP radios belonging to the same spectrum load balancing domain will be considered part of the same RF neighborhood for load balancing, and will not recognize RF neighborhoods defined by the ARM feature.
    Range: — | Default: —
spectrum-load-balancing
    The Spectrum Load Balancing feature helps optimize network resources by balancing clients across channels, regardless of whether the AP or the controller is responding to the wireless clients' probe requests. If enabled, the controller compares whether or not an AP has more clients than its neighboring APs on other channels. If an AP's client load is at or over a predetermined threshold as compared to its immediate neighbors, or if a neighboring Aruba AP on another channel does not have any clients, load balancing will be enabled on that AP. This feature is disabled by default.
    NOTE: The spectrum load balancing feature available in ArubaOS 3.4.x and later releases completely replaces the AP load balancing feature available in earlier versions of ArubaOS. When you upgrade to ArubaOS 3.4.x or later, you must manually configure the spectrum load balancing settings, as the AP load balancing feature can no longer be used, and any previous AP load balancing settings will not be preserved.
    Range: — | Default: disabled
spectrum-monitoring
    Issue this command to turn an AP in ap-mode into a hybrid AP. An AP in hybrid AP mode continues to serve clients as an access point while it scans and analyzes spectrum analysis data for a single radio channel. For further details on using hybrid APs and spectrum monitors to examine the radio frequency (RF) environment in which the Wi-Fi network is operating, and for a list of APs that can be converted into a spectrum monitor or hybrid AP, refer to the Spectrum Analysis chapter of the ArubaOS 6.4 User Guide.
    Range: — | Default: disabled
spectrum-profile <profile>
    Specify the rf spectrum profile used by hybrid APs and spectrum monitors. This profile sets the spectrum band and device ageout times used by a spectrum monitor or hybrid AP radio. For details, see rf spectrum-profile on page 628.
    Range: — | Default: default
tpc-power <tpc-power>
    The transmit power advertised in the TPC IE of beacons and probe responses.
    Range: 0-51 dBm | Default: 15 dBm
tx-power <dBm>
    Sets the initial transmit power (dBm) on which the AP operates, unless a better choice is available through calibration. This parameter can be set from 0 to 51 in 0.5 dBm increments, or set to the regulatory maximum value of 127 dBm. Transmission power may be further limited by regulatory domain constraints and AP capabilities.
    Range: 0-51 dBm, 127 dBm | Default: 14 dBm
very-high-throughput-enable
    Enable or disable support for Very High Throughput (802.11ac) on the radio.
    Range: — | Default: enabled
Usage Guidelines
This command configures radios that operate in the 5 GHz frequency band, which includes radios utilizing the IEEE 802.11a or IEEE 802.11n standard. Channels must be valid for the country configured in the AP regulatory domain profile (see ap regulatory-domain-profile on page 165). To view the supported channels, use the show ap allowed-channels command.
APs initially start up with default ack-timeout, cts-timeout and slot-time values. When you modify the maximum-distance parameter in an rf dot11a radio profile or rf dot11g radio profile, new ack-timeout, cts-timeout and slot-time values may be derived, but those values are never less than the default values for an indoor AP.
Mesh radios on outdoor APs have additional constraints, as mesh links may need to span long distances. For mesh radios on outdoor APs, the effect of the default maximum-distance parameter on the ack-timeout, cts-timeout and slot-time values depends on whether the APs are configured as mesh portals or mesh points. This is because mesh portals use a default maximum-distance value of 16,050 meters, and mesh points use, by default, the maximum possible maximum-distance value.
The maximum-distance value should be set correctly to span the largest link distance in the mesh network so that when a mesh point gets the configuration from the network it will apply the correct ack-timeout, cts-timeout and slot-time values. The values derived from the maximum-distance setting depend on the band and whether 20 MHz/40 MHz mode of operation is in use.
The following table indicates values for a range of distances:
Timeouts [usec]              5 GHz radio              2.4 GHz radio
Distance [m]                 Ack    CTS    Slot       Ack    CTS    Slot
---------------------------  -----  -----  -----      -----  -----  -----
0 (outdoor: 16050 m)         128    128    63         128    128    63
0 (indoor: 600 a, 6450 g)    25     25     9          64     48     9
200 (== default)             25     25     9          64     48     9
500                          25     25     9          64     48     9
600                          25     25     9          64     48     9
1050                         28     28     13         64     48     31
5100                         55     55     26         64     55     31
10050                        88     88     43         88     88     43
15000                        121    121    59         121    121    59
16050                        128    128    63         128    128    63
58200 (5G limit, 20 MHz)     409    409    203        -      -      -
52650 (2.4G limit, 20 MHz)   -      -      -          372    372    185
27450 (5G limit, 40 MHz)     204    204    101        -      -      -
24750 (2.4G limit, 40 MHz)   -      -      -          186    186    92
Examples
The following command configures APs to operate in AM mode for the selected dot11a-radio-profile named “samplea”:
(host) (config) #rf dot11a-radio-profile samplea mode am-mode
The following command configures APs to operate in high-throughput (802.11n) mode on the 5 GHz frequency band for the selected dot11a-radio-profile named “samplea” and assigns a high-throughput radio profile named “default-a”:
(host) (config) #rf dot11a-radio-profile samplea
  high-throughput-enable
  ht-radio-profile default-a
The following command configures a primary channel number of 157 and a secondary channel number of 161 for 40 MHz mode of operation for the selected dot11a-radio-profile named “samplea”:
(host) (config) #rf dot11a-radio-profile samplea
  channel <157+>
Command History
Release          Modification
ArubaOS 3.0      Command introduced
ArubaOS 3.3.2    Introduced support for the high-throughput IEEE 802.11n standard.
ArubaOS 3.4      Support for the following parameters:
                 • Spectrum load balancing
                 • Spectrum load balancing domain
                 • RX Sensitivity Tuning Based Channel Reuse
                 • RX Sensitivity Threshold
                 • ARM/WIDS Override
ArubaOS 3.4.1    The maximum-distance parameter was introduced.
ArubaOS 3.4.2    The beacon-regulate parameter was introduced.
ArubaOS 6.0      Support for the following parameters:
                 • am-scan-profile
                 • cap-reg-eirp
                 • slb-mode
                 • slb-update-interval
ArubaOS 6.1      The spectrum-monitoring and slb-threshold parameters were introduced.
ArubaOS 6.1.3.2  The cell-size-reduction parameter was introduced.
ArubaOS 6.3      The very-high-throughput-enable parameter was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
rf dot11g-radio-profile
rf dot11g-radio-profile <profile>
am-scan-profile <profile-name>
arm-profile <profile>
beacon-period <milliseconds>
beacon-regulate
cap-reg-eirp <cap-reg-eirp>
cell-size-reduction <cell-size-reduction>
channel <num|num+|num->
channel-reuse {static|dynamic|disable}
channel-reuse-threshold
clone <profile>
csa
csa-count <number>
disable-arm-wids-function
dot11b-protection
dot11h
high-throughput-enable
ht-radio-profile <profile>
interference-immunity
maximum-distance <maximum-distance>
mgmt-frame-throttle-interval <seconds>
mgmt-frame-throttle-limit <number>
mode {ap-mode|am-mode|spectrum-mode}
no ...
radio-enable
slb-mode channel|radio
slb-threshold
slb-update-interval <secs>
spectrum-load-bal-domain
spectrum-load-balancing
spectrum-monitoring
spectrum-profile
tpc-power <tpc-power>
tx-power <dBm>
Description
This command configures AP radio settings for the 2.4 GHz frequency band, including the Adaptive Radio
Management (ARM) profile and the high-throughput (802.11n) radio profile.
Syntax
Parameter    Description    Range    Default
<profile>
    Name of this instance of the profile. The name must be 1-63 characters.
    Range: —    Default: “default”
am-scan-profile <profile-name>
    Configure an Air Monitor (AM) scanning profile.
    Range: —    Default: —
arm-profile
    Configures Adaptive Radio Management (ARM) feature. See rf arm-profile on page 592.
    Range: —    Default: “default”
beacon-period
    Time, in milliseconds, between successive beacon transmissions. The beacon advertises the AP’s presence, identity, and radio characteristics to wireless clients.
    Range: 60 (minimum)    Default: 100 milliseconds
beacon-regulate
    Enabling this setting introduces randomness in the beacon generation so that multiple APs on the same channel do not send beacons at the same time, which causes collisions over the air.
    Range: —    Default: disabled
cap-reg-eirp <cap-reg-eirp>
    Work around a known issue on Cisco 7921G telephones by specifying a cap for a radio’s maximum equivalent isotropic radiated power (EIRP). When you enable this parameter, even if the regulatory approved maximum for a given channel is higher than this EIRP cap, the AP radio using this profile will advertise only this capped maximum EIRP in its radio beacons.
    Range: 1–31 dBm
cell-size-reduction <cell-size-reduction>
    The cell size reduction feature allows you to manage dense deployments and to increase overall system performance and capacity by shrinking an AP’s receive coverage area, thereby minimizing co-channel interference and optimizing channel reuse. This value should only be changed if the network is experiencing performance issues. The possible range of values for this feature is 0-55 dB. The default 0 dB reduction allows the radio to retain its current default Rx sensitivity value.
    Values from 1 dB - 55 dB reduce the power level that the radio can hear by that amount. If you configure this feature to use a non-default value, you must also reduce the radio’s transmission (Tx) power to match its new received (Rx) power level. Failure to match a device’s Tx power level to its Rx power level can result in a configuration that allows the radio to send messages to a device that it cannot hear.
    Range: 1-55 dB    Default: 0 dB
channel
    Channel number for the AP 802.11g/802.11n/802.11ac physical layer. The available channels depend on the regulatory domain (country). Channel number configuration options for 20 MHz, 40 MHz, and 80 MHz modes:
    • num: Entering a channel number disables 40 MHz mode and activates 20 MHz mode for the entered channel.
    • num+: Entering a channel number with a plus (+) sign selects a primary and secondary channel for 40 MHz and 80 MHz modes. The number entered becomes the primary channel and the secondary channel is determined by increasing the primary channel number by 4. Example: 157+ represents 157 as the primary channel and 161 as the secondary channel.
    • num-: Entering a channel number with a minus (-) sign selects a primary and secondary channel for 40 MHz and 80 MHz modes. The number entered becomes the primary channel and the secondary channel is determined by decreasing the primary channel number by 4. Example: 157- represents 157 as the primary channel and 153 as the secondary channel.
    NOTE: 20 MHz clients are allowed to associate when a primary and secondary channel are configured; however, the client will only use the primary channel.
    Range: Depends on regulatory domain    Default: —
clone
    Name of an existing radio profile from which parameter values are copied.
    Range: —    Default: —
csa
    Channel Switch Announcement (CSA), as defined by IEEE 802.11h, allows an AP to announce that it is switching to a new channel before it begins transmitting on that channel. Clients must support CSA in order to track the channel change without experiencing disruption.
    Range: —    Default: disabled
csa-count
    Number of CSA announcements that are sent before the AP begins transmitting on the new channel.
    Range: 1-16    Default: 4
channel
    Channel number for the AP 802.11g/802.11n physical layer. The available channels depend on the regulatory domain (country). Channel number configuration options for 20 MHz and 40 MHz modes:
    • num: Entering a channel number disables 40 MHz mode and activates 20 MHz mode for the entered channel.
    • num+: Entering a channel number with a plus (+) sign selects a primary and secondary channel for 40 MHz mode. The number entered becomes the primary channel and the secondary channel is determined by increasing the primary channel number by 4. Example: 157+ represents 157 as the primary channel and 161 as the secondary channel.
    • num-: Entering a channel number with a minus (-) sign selects a primary and secondary channel for 40 MHz mode. The number entered becomes the primary channel and the secondary channel is determined by decreasing the primary channel number by 4. Example: 157- represents 157 as the primary channel and 153 as the secondary channel.
    NOTE: 20 MHz clients are allowed to associate when a primary and secondary channel are configured; however, the client will only use the primary channel.
    Range: Depends on regulatory domain    Default: —
channel-reuse
    When you enable the channel reuse feature, it can operate in either of the following three modes: static, dynamic or disable. (This feature is disabled by default.)
    • Static mode: This mode of operation is a coverage-based adaptation of the Clear Channel Assessment (CCA) thresholds. In the static mode of operation, the CCA is adjusted according to the configured transmission power level on the AP, so that as the AP transmit power decreases, the CCA threshold increases, and vice versa.
    • Dynamic mode: In this mode, the Clear Channel Assessment (CCA) thresholds are based on channel loads, and take into account the location of the associated clients. When you set the Channel Reuse feature to this mode, it is automatically enabled when the wireless medium around the AP is busy greater than half the time. When this mode is enabled, the CCA threshold adjusts to accommodate transmissions between the AP and its most distant associated client.
    • Disable mode: This mode does not support the tuning of the CCA Detect Threshold.
    Range: enabled, disabled    Default: enabled
channel-reuse-threshold
    RX Sensitivity Tuning Based Channel Reuse Threshold, in -dBm. If the Rx Sensitivity Tuning Based Channel Reuse feature is set to static mode, this parameter manually sets the AP’s Rx sensitivity threshold (in -dBm). The AP will filter out and ignore weak signals that are below the channel threshold signal strength. If the value is set to zero, the feature will automatically determine an appropriate threshold.
    Range: depends on regulatory domain    Default: —
disable-arm-wids-function
    Disables Adaptive Radio Management (ARM) and Wireless IDS functions. These can be disabled if a small increase in packet processing performance is desired. If a radio is configured to operate in Air Monitor mode, then these functions are always enabled irrespective of this option. CAUTION: Use carefully, since this effectively disables ARM and WIDS.
    Range: 1-16    Default: 4
dot11b-protection
    Enable or disable protection for 802.11b clients. This parameter is enabled by default. Disabling this feature may improve performance if there are no 802.11b clients on the WLAN.
    WARNING: Disabling protection violates the 802.11 standard and may cause interoperability issues. If this feature is disabled on a WLAN with 802.11b clients, the 802.11b clients will not detect an 802.11g client talking and can potentially transmit at the same time, thus garbling both frames.
    Range: —    Default: enabled
dot11h
    Enable advertisement of 802.11d (Country Information) and 802.11h (TPC or Transmit Power Control) capabilities. This parameter is disabled by default.
    Range: —    Default: disabled
high-throughput-enable
    Enables high-throughput (802.11n) features on a radio using the 2.4 GHz frequency band.
    Range: —    Default: enabled
ht-radio-profile
    Name of high-throughput radio profile to use for configuring high-throughput support on the 5 GHz frequency band. See rf ht-radio-profile on page 624.
    Range: —    Default: “default-a”
interference-immunity
    Set a value for 802.11 Interference Immunity. The default setting for this parameter is level 2. When performance drops due to interference from non-802.11 interferers (such as DECT or Bluetooth devices), the level can be increased up to level 5 for improved performance. However, increasing the level makes the AP slightly “deaf” to its surroundings, causing the AP to lose a small amount of range.
    The levels for this parameter are:
    • Level-0: no ANI adaptation.
    • Level-1: noise immunity only.
    • Level-2: noise and spur immunity. This is the default setting.
    • Level-3: level 2 and weak OFDM immunity.
    • Level-4: level 3 and FIR immunity.
    • Level-5: disable PHY reporting.
    NOTE: Do not raise the noise immunity feature’s default setting if the channel-reuse-threshold on page 604 feature is also enabled. A level-3 to level-5 Noise Immunity setting is not compatible with the Channel Reuse feature.
    Range: Level-0 to Level-5    Default: Level-2
maximum-distance
    Maximum distance between a client and an AP or between a mesh point and a mesh portal, in meters. This value is used to derive ACK and CTS timeout times. A value of 0 specifies default settings for this parameter, where timeouts are only modified for outdoor mesh radios which use a distance of 16km.
    The upper limit for this parameter varies, depending on the 20/40 MHz mode for a 2.4GHz frequency band radio:
    • 20MHz mode: 54km
    • 40MHz mode: 24km
    Note that if you configure a value above the supported maximum, the maximum supported value will be used instead. Values below 600m will use default settings.
    Range: 0-54km (20MHz mode), 0-24km (40MHz mode)    Default: 0 meters
mgmt-frame-throttle-interval
    Averaging interval for rate limiting management frames in seconds. Zero disables rate limiting.
    NOTE: This parameter only applies to AUTH and ASSOC/RE-ASSOC management frames.
    Range: 0-60    Default: 1 second interval
mgmt-frame-throttle-limit
    Maximum number of management frames allowed in each throttle interval.
    NOTE: This parameter only applies to AUTH and ASSOC/RE-ASSOC management frames.
    Range: 0-999999    Default: 20 frames per interval
mode
    One of the operating modes for the AP.
    • ap-mode: Device provides transparent, secure, high-speed data communications between wireless network devices and the wired LAN.
    • am-mode: Device behaves as an air monitor to collect statistics, monitor traffic, detect intrusions, enforce security policies, balance traffic load, self-heal coverage gaps, etc.
    • spectrum-mode: Device operates as a spectrum monitor, and can send spectrum analysis data to a desktop or laptop client. For a list of APs that can be converted into a spectrum monitor or hybrid AP, refer to the Spectrum Analysis chapter of the ArubaOS 6.4 User Guide.
    Default: ap-mode
no
    Negates any configured parameter.
    Range: —    Default: —
radio-enable
    Enables or disables radio configuration.
    Range: —    Default: enabled
slb-mode channel|radio
    SLB Mode allows control over how to balance clients. Select one of the following options:
    • channel: Channel-based load-balancing balances clients across channels. This is the default load-balancing mode.
    • radio: Radio-based load-balancing balances clients across APs.
    Default: channel
slb-threshold
    If the spectrum load balancing feature is enabled, this parameter controls the percentage difference between the number of clients on a channel that triggers load balancing. The default value is 20%, meaning that spectrum load balancing is activated when there are 20% more clients on one channel than on another channel used by the AP radio.
    Range: 1-100%    Default: 20%
slb-update-interval <secs>
    Specify how often spectrum load balancing calculations are made (in seconds). The default value is 30 seconds.
    Range: 1-2147483647 seconds    Default: 30 seconds
spectrum-load-bal-domain
    Define a spectrum load balancing domain to manually create RF neighborhoods. Use this option to create RF neighborhood information for networks that have disabled Adaptive Radio Management (ARM) scanning and channel assignment.
    • If spectrum load balancing is enabled in an 802.11g radio profile but the spectrum load balancing domain is not defined, ArubaOS uses the ARM feature to calculate RF neighborhoods.
    • If spectrum load balancing is enabled in an 802.11g radio profile and a spectrum load balancing domain is also defined, AP radios belonging to the same spectrum load balancing domain will be considered part of the same RF neighborhood for load balancing, and will not recognize RF neighborhoods defined by the ARM feature.
    Range: —    Default: —
spectrum-load-balancing
    The Spectrum Load Balancing feature helps optimize network resources by balancing clients across channels, regardless of whether the AP or the controller is responding to the wireless clients' probe requests.
    If enabled, the controller compares whether or not an AP has more clients than its neighboring APs on other channels. If an AP’s client load is at or over a predetermined threshold as compared to its immediate neighbors, or if a neighboring Aruba AP on another channel does not have any clients, load balancing will be enabled on that AP. This feature is disabled by default.
    NOTE: The spectrum load balancing feature available in ArubaOS 3.4.x and later releases completely replaces the AP load balancing feature available in earlier versions of ArubaOS. When you upgrade to ArubaOS 3.4.x or later, you must manually configure the spectrum load balancing settings, as the AP load balancing feature can no longer be used, and any previous AP load balancing settings will not be preserved.
    Range: —    Default: disabled
spectrum-monitoring
    Issue this command to turn APs in ap-mode into a hybrid AP. An AP in hybrid AP mode will continue to serve clients as an access point while it scans and analyzes spectrum analysis data for a single radio channel.
    For further details on using hybrid APs and spectrum monitors to examine the radio frequency (RF) environment in which the WiFi network is operating, refer to the Spectrum Analysis chapter of the ArubaOS User Guide.
    For a list of APs that can be converted into a spectrum monitor or hybrid AP, refer to the Spectrum Analysis chapter of the ArubaOS 6.4 User Guide.
    Range: —    Default: default
spectrum-profile <profile>
    Specify the rf spectrum profile used by hybrid APs and spectrum monitors. This profile sets the spectrum band and device ageout times used by a spectrum monitor or hybrid AP radio. For details, see rf spectrum-profile on page 628.
    Range: —    Default: default
tpc-power
    The transmit power advertised in the TPC IE of beacons and probe responses.
    Range: 0-51 dBm    Default: 15 dBm
tx-power
    Sets the initial transmit power (dBm) on which the AP operates, unless a better choice is available through calibration. This parameter can be set from 0 to 51 in .5 dBm increments, or set to the regulatory maximum value of 127 dBm. Transmission power may be further limited by regulatory domain constraints and AP capabilities.
    Range: 0-51 dBm, 127 dBm    Default: 14 dBm
Usage Guidelines
This command configures radios that operate in the 2.4 GHz frequency band, which includes radios utilizing the IEEE 802.11b/g or IEEE 802.11n standard. Channels must be valid for the country configured in the AP regulatory domain profile (see ap regulatory-domain-profile on page 165). To view the supported channels, use the show ap allowed-channels command.
APs initially start up with default ack-timeout, cts-timeout and slot-time values. When you modify the maximum-distance parameter in an rf dot11a radio profile or rf dot11g radio profile, new ack-timeout, cts-timeout and slot-time values may be derived, but those values are never less than the default values for an indoor AP.
Mesh radios on outdoor APs have additional constraints, as mesh links may need to span long distances. For mesh radios on outdoor APs, the effect of the default maximum-distance parameter on the ack-timeout, cts-timeout and slot-time values depends on whether the APs are configured as mesh portals or mesh points. This is because mesh portals use a default maximum-distance value of 16,050 meters, and mesh points use, by default, the maximum possible maximum-distance value.
The maximum-distance value should be set correctly to span the largest link distance in the mesh network so that when a mesh point gets the configuration from the network it will apply the correct ack-timeout, cts-timeout and slot-time values. The values derived from the maximum-distance setting depend on the band and whether 20 MHz/40 MHz mode of operation is in use.
The following table indicates values for a range of distances:
Timeouts [usec]              5 GHz radio              2.4 GHz radio
Distance [m]                 Ack    CTS    Slot       Ack    CTS    Slot
---------------------------  -----  -----  -----      -----  -----  -----
0 (outdoor: 16050 m)         128    128    63         128    128    63
0 (indoor: 600 a, 6450 g)    25     25     9          64     48     9
200 (== default)             25     25     9          64     48     9
500                          25     25     9          64     48     9
600                          25     25     9          64     48     9
1050                         28     28     13         64     48     31
5100                         55     55     26         64     55     31
10050                        88     88     43         88     88     43
15000                        121    121    59         121    121    59
16050                        128    128    63         128    128    63
58200 (5G limit, 20 MHz)     409    409    203        -      -      -
52650 (2.4G limit, 20 MHz)   -      -      -          372    372    185
27450 (5G limit, 40 MHz)     204    204    101        -      -      -
24750 (2.4G limit, 40 MHz)   -      -      -          186    186    92
Examples
The following command configures APs to operate in AM mode for the selected dot11g-radio-profile named “sampleg”:
rf dot11g-radio-profile sampleg
  mode am-mode
The following command configures APs to operate in high-throughput (802.11n) mode on the 2.4 GHz frequency band for the selected dot11g-radio-profile named “sampleg” and assigns a high-throughput radio profile named “default-g”:
rf dot11g-radio-profile sampleg
  high-throughput-enable
  ht-radio-profile default-g
The following command configures a primary channel number of 1 and a secondary channel number of 5 for 40 MHz mode of operation for the selected dot11g-radio-profile named “sampleg”:
rf dot11g-radio-profile sampleg
  channel <1+>
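As an added example (Python, not Aruba's code), the script below parses a profile block written in the syntax shown above and checks the constraints the parameter table states: the num+/num- secondary-channel derivation, the maximum-distance clamp and 600 m floor, the Tx/Rx matching requirement for a non-default cell-size-reduction, the interference-immunity level-3 to level-5 incompatibility with channel reuse, and the ARM/WIDS and 802.11b protection cautions. The sample profile text is constructed, and the severity labels are the script's own.

```python
import re

# 2.4 GHz maximum-distance upper limits from the parameter table (metres)
MAX_DISTANCE_M = {"20MHz": 54000, "40MHz": 24000}
MIN_DERIVED_DISTANCE_M = 600      # values below 600 m use the default timeouts
DEFAULT_TX_POWER_DBM = 14.0       # tx-power default from the table

# Constructed sample block in the CLI syntax used in the examples above
SAMPLE_PROFILE = """
(host) (config) #rf dot11g-radio-profile sampleg
    channel <1+>
    cell-size-reduction 10
    interference-immunity 4
    channel-reuse static
    maximum-distance 30000
    disable-arm-wids-function
    no dot11b-protection
"""


def parse_profile(text):
    """Parse an 'rf dot11g-radio-profile' block into (profile_name, settings).

    settings maps parameter -> argument string (angle brackets removed),
    True for a bare flag, or False when the line was prefixed with 'no'.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    head = re.match(r"(?:\(\S+\)\s*\(config\)\s*#)?rf dot11g-radio-profile\s+(\S+)$", lines[0])
    if not head:
        raise ValueError("not an rf dot11g-radio-profile block")
    settings = {}
    for line in lines[1:]:
        negated = line.startswith("no ")
        if negated:
            line = line[3:].strip()
        key, _, arg = line.partition(" ")
        settings[key] = False if negated else (arg.strip().strip("<>") or True)
    return head.group(1), settings


def channel_plan(spec):
    """Resolve num / num+ / num- into (primary, secondary, width) as the table describes."""
    spec = spec.strip("<>")
    if spec[-1] in "+-":
        primary = int(spec[:-1])
        secondary = primary + 4 if spec[-1] == "+" else primary - 4
        return primary, secondary, "40MHz"
    return int(spec), None, "20MHz"


def effective_max_distance(value_m, width):
    """Apply the stated clamp: above the width's limit the limit is used; below 600 m, defaults (0)."""
    if value_m < MIN_DERIVED_DISTANCE_M:
        return 0
    return min(value_m, MAX_DISTANCE_M[width])


def audit_profile(text):
    """Return a list of (severity, message) findings for one profile block."""
    name, s = parse_profile(text)
    findings = []
    width = "20MHz"
    if isinstance(s.get("channel"), str):
        primary, secondary, width = channel_plan(s["channel"])
        if secondary is not None and secondary < 1:
            findings.append(("error", f"{name}: secondary channel {secondary} is below channel 1"))
    # A non-default cell-size-reduction must be paired with a lower tx-power
    csr = int(s.get("cell-size-reduction") or 0)
    if csr:
        tx = float(s.get("tx-power") or DEFAULT_TX_POWER_DBM)
        if tx >= DEFAULT_TX_POWER_DBM:
            findings.append(("warning", f"{name}: cell-size-reduction {csr} dB without reducing tx-power "
                                        f"({tx} dBm); radio may transmit to clients it cannot hear"))
    # Noise immunity level-3 to level-5 is not compatible with channel reuse
    digit = re.search(r"\d", str(s.get("interference-immunity") or "2"))
    immunity = int(digit.group()) if digit else 2
    reuse = s.get("channel-reuse") or "disable"
    if immunity >= 3 and reuse in ("static", "dynamic"):
        findings.append(("warning", f"{name}: interference-immunity level-{immunity} is not compatible "
                                    f"with channel-reuse {reuse}"))
    # maximum-distance beyond the 20/40 MHz limit is silently reduced; below 600 m it is ignored
    if isinstance(s.get("maximum-distance"), str):
        requested = int(s["maximum-distance"])
        effective = effective_max_distance(requested, width)
        if effective != requested:
            findings.append(("info", f"{name}: maximum-distance {requested} m takes effect as "
                                     f"{effective} m in {width} mode"))
    # Disabling ARM and WIDS on a serving radio removes intrusion detection for that radio
    if s.get("disable-arm-wids-function") and (s.get("mode") or "ap-mode") != "am-mode":
        findings.append(("warning", f"{name}: ARM and WIDS functions are disabled on this radio"))
    if s.get("dot11b-protection") is False:
        findings.append(("warning", f"{name}: dot11b-protection is disabled; 802.11b clients cannot detect "
                                    f"802.11g transmissions and frames may be garbled"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_profile(SAMPLE_PROFILE):
        print(f"[{severity}] {message}")
```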
Command History
Release          Modification
ArubaOS 3.0      Command introduced
ArubaOS 3.3.2    Introduced protection for 802.11b clients and support for the high-throughput IEEE 802.11n standard.
ArubaOS 3.4      Support for the following parameters:
                 • Spectrum load balancing
                 • Spectrum load balancing domain
                 • RX Sensitivity Tuning Based Channel Reuse
                 • RX Sensitivity Threshold
                 • ARM/WIDS Override
ArubaOS 3.4.1    The maximum-distance parameter was introduced.
ArubaOS 3.4.2    The beacon-regulate parameter was introduced.
ArubaOS 6.0      The following parameters were introduced:
                 • am-scan-profile
                 • cap-reg-eirp
                 • slb-mode
                 • slb-update-interval
ArubaOS 6.1      The spectrum-monitoring and slb-threshold parameters were introduced.
ArubaOS 6.1.3.2  The cell-size-reduction parameter was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
rf event-thresholds-profile
rf event-thresholds-profile <profile>
bwr-high-wm <percent>
bwr-low-wm <percent>
clone <profile>
detect-frame-rate-anomalies
fer-high-wm <percent>
fer-low-wm <percent>
ffr-high-wm <percent>
ffr-low-wm <percent>
flsr-high-wm <percent>
flsr-low-wm <percent>
fnur-high-wm <percent>
fnur-low-wm <percent>
frer-high-wm <percent>
frer-low-wm <percent>
frr-high-wm <percent>
frr-low-wm <percent>
no ...
Description
This command configures the event thresholds profile.
Syntax
Parameter    Description    Range    Default
<profile>
    Name of this instance of the profile. The name must be 1-63 characters.
    Range: —    Default: “default”
bwr-high-wm
    If bandwidth in an AP exceeds this value, a bandwidth exceeded condition exists. The value represents the percentage of maximum for a given radio. (For 802.11b, the maximum bandwidth is 7 Mbps. For 802.11 a and g, the maximum is 30 Mbps.) The recommended value is 85%.
    Range: 0-100    Default: 0%
bwr-low-wm
    After a bandwidth exceeded condition exists, the condition persists until bandwidth drops below this value. The recommended value is 70%.
    Range: 0-100    Default: 0%
clone
    Name of an existing radio profile from which parameter values are copied.
    Range: —    Default: —
detect-frame-rate-anomalies
    Enables or disables detection of frame rate anomalies.
    Range: —    Default: disabled
fer-high-wm
    If the frame error rate (as a percentage of total frames in an AP) exceeds this value, a frame error rate exceeded condition exists. The recommended value is 16%.
    Range: 0-100    Default: 0%
fer-low-wm
    After a frame error rate exceeded condition exists, the condition persists until the frame error rate drops below this value. The recommended value is 8%.
    Range: 0-100    Default: 0%
ffr-high-wm
    If the frame fragmentation rate (as a percentage of total frames in an AP) exceeds this value, a frame fragmentation rate exceeded condition exists. The recommended value is 16%.
    Range: 0-100    Default: 16%
ffr-low-wm
    After a frame fragmentation rate exceeded condition exists, the condition persists until the frame fragmentation rate drops below this value. The recommended value is 8%.
    Range: 0-100    Default: 8%
flsr-high-wm
    If the rate of low-speed frames (as a percentage of total frames in an AP) exceeds this value, a low-speed rate exceeded condition exists. This could indicate a coverage hole. The recommended value is 16%.
    Range: 0-100    Default: 16%
flsr-low-wm
    After a low-speed rate exceeded condition exists, the condition persists until the percentage of low-speed frames drops below this value. The recommended value is 8%.
    Range: 0-100    Default: 8%
fnur-high-wm
    If the non-unicast rate (as a percentage of total frames in an AP) exceeds this value, a non-unicast rate exceeded condition exists. This value depends upon the applications used on the network.
    Range: 0-100    Default: 0%
fnur-low-wm
    After a non-unicast rate exceeded condition exists, the condition persists until the non-unicast rate drops below this value.
    Range: 0-100    Default: 0%
frer-high-wm
    If the frame receive error rate (as a percentage of total frames in an AP) exceeds this value, a frame receive error rate exceeded condition exists. The recommended value is 16%.
    Range: 0-100    Default: 16%
frer-low-wm
    After a frame receive error rate exceeded condition exists, the condition persists until the frame receive error rate drops below this value. The recommended value is 8%.
    Range: 0-100    Default: 8%
frr-high-wm
    If the frame retry rate (as a percentage of total frames in an AP) exceeds this value, a frame retry rate exceeded condition exists. The recommended value is 16%.
    Range: 0-100    Default: 16%
frr-low-wm
    After a frame retry rate exceeded condition exists, the condition persists until the frame retry rate drops below this value. The recommended value is 8%.
    Range: 0-100    Default: 8%
no
    Negates any configured parameter.
    Range: —    Default: —
Usage Guidelines
The event threshold profile configures Received Signal Strength Indication (RSSI) metrics. When certain RF
parameters are exceeded, these events can signal excessive load on the network, excessive interference, or faulty
equipment. This profile and many of the detection parameters are disabled (value is 0) by default.
Example
The following command configures an event threshold profile:
(host) (config) #rf event-thresholds-profile et1
detect-frame-rate-anomalies
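As an added example (Python, not Aruba's code), the script below models the high/low watermark behaviour the parameter table describes: a rate exceeded condition is raised when a reading exceeds the high watermark and persists until a reading drops below the low watermark, and a high watermark of 0 leaves that check disabled. It also parses a profile block in the syntax shown above, seeding unset watermarks with the table's defaults, and flags a low watermark that is not below its high watermark; the profile text and the frame-retry-rate readings are constructed.

```python
import re

# (high_wm, low_wm) defaults per metric, taken from the parameter table; 0 means disabled
DEFAULTS = {"bwr": (0, 0), "fer": (0, 0), "ffr": (16, 8), "flsr": (16, 8),
            "fnur": (0, 0), "frer": (16, 8), "frr": (16, 8)}

# Constructed profile block in the syntax shown in the example above
SAMPLE_PROFILE = """
(host) (config) #rf event-thresholds-profile et1
    detect-frame-rate-anomalies
    frr-high-wm 16
    frr-low-wm 8
    fer-high-wm 16
    fer-low-wm 8
    bwr-high-wm 85
    bwr-low-wm 70
"""

# Constructed frame-retry-rate readings (percent of frames), one per sampling interval
SAMPLE_FRR_READINGS = [5, 12, 17, 20, 15, 10, 9, 7, 12, 18]


def parse_event_thresholds(text):
    """Return {metric: [high_wm, low_wm]}, starting from the table defaults."""
    thresholds = {m: list(v) for m, v in DEFAULTS.items()}
    for line in text.strip().splitlines()[1:]:
        m = re.match(r"\s*(\w+)-(high|low)-wm\s+(\d+)\s*$", line)
        if m and m.group(1) in thresholds:
            thresholds[m.group(1)][0 if m.group(2) == "high" else 1] = int(m.group(3))
    return thresholds


def check_thresholds(thresholds):
    """Return metrics whose low watermark is not below the high watermark.

    With low >= high the exceeded condition clears on the first reading below
    the low watermark, so the persistence the table describes is lost.
    """
    return [m for m, (high, low) in thresholds.items() if high and low >= high]


def watermark_events(readings, high_wm, low_wm):
    """Apply the table's rule to a reading series; return [(index, 'raised'|'cleared')].

    The condition is raised when a reading exceeds high_wm and persists until a
    reading drops below low_wm. A high_wm of 0 disables the check entirely.
    """
    events, active = [], False
    if high_wm == 0:
        return events
    for i, rate in enumerate(readings):
        if not active and rate > high_wm:
            active = True
            events.append((i, "raised"))
        elif active and rate < low_wm:
            active = False
            events.append((i, "cleared"))
    return events


def evaluate_profile(thresholds, readings_by_metric):
    """Run each metric's readings through its watermarks; disabled metrics yield no events."""
    return {m: watermark_events(readings, *thresholds[m])
            for m, readings in readings_by_metric.items() if m in thresholds}


if __name__ == "__main__":
    thresholds = parse_event_thresholds(SAMPLE_PROFILE)
    for metric in check_thresholds(thresholds):
        print(f"misconfigured watermarks for {metric}: {thresholds[metric]}")
    # fnur keeps its 0% default, so the same readings produce no events for it
    results = evaluate_profile(thresholds, {"frr": SAMPLE_FRR_READINGS, "fnur": SAMPLE_FRR_READINGS})
    for metric, events in results.items():
        print(metric, events)
```

Note that the readings 15, 10 and 9 following the first raise do not clear the frr condition, because they are not below the 8% low watermark.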
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Config mode on master controllers
rf ht-radio-profile
rf ht-radio-profile <profile>
40MHz-intolerance
clone <profile>
diversity-spreading-workaround
honor-40MHz-intolerance
no
Description
This command configures high-throughput AP radio settings. High-throughput features use the IEEE 802.11n
standard.
Syntax
Parameter    Description    Range    Default
<profile>
    Name of this instance of the profile. The name must be 1-63 characters.
    Default Options:
    • “Default-a” is generally used in association with high-throughput devices running on the 5 GHz frequency band, see rf dot11a-radio-profile on page 602.
    • “Default-g” is generally used in association with high-throughput devices running on the 2.4 GHz frequency band, see rf dot11g-radio-profile on page 611.
    • “Default” is generally used when the same ht-radio-profile is desired for use with both frequency bands.
    Range: —    Default: default-a, default-g, default
40MHz-intolerance
    Controls whether or not APs using this radio profile will advertise intolerance of 40 MHz operation. By default, 40 MHz operation is allowed.
    Range: —    Default: disabled
clone
    Name of an existing high-throughput radio profile from which parameter values are copied.
    Range: —    Default: —
honor-40MHz-intolerance
    When enabled, the radio will stop using the 40 MHz channels if the 40 MHz intolerance indication is received from another AP or station.
    Range: —    Default: enabled
no
    Negates any configured parameter.
    Range: —    Default: —
diversity-spreading-workaround
    When this feature is enabled, all legacy transmissions will be sent using a single antenna. This enables interoperability for legacy or high-throughput stations that cannot decode 802.11n cyclic shift diversity (CSD) data. This feature is disabled by default and should be kept disabled unless necessary.
    Default: disabled
Usage Guidelines
The ht-radio-profile configures high-throughput settings for networks utilizing the IEEE 802.11n standard, which supports 40 MHz channels and operates in both the 2.4 GHz and 5 GHz frequency bands.
Most transmissions to high throughput (HT) stations are sent through multiple antennas using cyclic shift diversity (CSD). When you enable the diversity-spreading-workaround parameter (formerly single-chain-legacy), CSD is disabled and only one antenna transmits data, even if the data is being sent to high-throughput stations. Use this feature to turn off antenna diversity when the AP must support legacy clients such as Cisco 7921g VoIP phones, or older 802.11g clients (e.g. Intel Centrino clients). Note, however, that enabling this feature can reduce overall throughput rates.
The ht-radio-profile you wish to use must be assigned to a dot11a and/or dot11g-radio-profile. You can assign the same profile or different profiles to the 2.4 GHz and 5 GHz frequency bands. See rf dot11a-radio-profile on page 602 and rf dot11g-radio-profile on page 611.
Example
The following command configures an ht-radio-profile named “default-g” and enables 40MHz-intolerance:
(host) (config) #rf ht-radio-profile default-g
40MHz-intolerance
Command History
Release | Modification
------- | ------------
ArubaOS 3.0 | Command introduced
ArubaOS 3.3.2 | Support for the dsss-cck-40mhz parameter was removed
ArubaOS 3.4 | Introduced the single-chain-legacy parameter.
ArubaOS 6.2 | The single-chain-legacy parameter was renamed to diversity-spreading-workaround.
Command Information
Platforms | Licensing | Command Mode
--------- | --------- | ------------
All platforms, but operates with IEEE 802.11n compliant devices only | Base operating system | Config mode on master controllers
rf optimization-profile
rf optimization-profile <profile-name>
clone <profile>
handoff-assist
low-rssi-threshold <number>
no ...
rssi-check-frequency <number>
rssi-falloff-wait-time <seconds>
Description
This command configures the RF optimization profile.
Syntax
Parameter | Description | Range | Default
--------- | ----------- | ----- | -------
<profile-name> | Name of this instance of the profile. The name must be 1-63 characters. | — | "default"
clone | Name of an existing optimization profile from which parameter values are copied. | — | —
handoff-assist | Allows the controller to force a client off an AP when the RSSI drops below a defined minimum threshold. | — | disabled
low-rssi-threshold | Minimum RSSI, above which deauth should never be sent. | 1-255 | 0
no | Negates any configured parameter. | — | —
rssi-check-frequency | Interval, in seconds, to sample RSSI. | 9-255 | 0 seconds
rssi-falloff-wait-time <seconds> | Time, in seconds, to wait with decreasing RSSI before deauth is sent to the client. The maximum value is 8 seconds. | 0-8 | 0 seconds
Example
The following command configures an RF optimization profile:
(host) (config) #rf optimization-profile Angela1
(host) (RF Optimization Profile "Angela1") #rssi-falloff-wait-time 3
(host) (RF Optimization Profile "Angela1") #rssi-check-frequency 2
Command History
Version | Modification
------- | ------------
ArubaOS 3.0 | Command introduced
ArubaOS 3.4 | The following parameters were deprecated: ap-lb-max-retries <number>, ap-lb-user-high-wm <percent>, ap-lb-user-low-wm <percent>, ap-lb-util-high-wm <percent>, ap-lb-util-low-wm <percent>, ap-lb-util-wait-time <seconds>, ap-load-balancing. Use the commands rf dot11a-radio-profile spectrum-load-balancing and rf dot11g-radio-profile spectrum-load-balancing to enable the spectrum load balancing feature.
ArubaOS 5.0 | The following parameters were deprecated: coverage-hole-detection hole-detection-interval, hole-good-rssi-threshold, hole-good-sta-ageout, hole-idle-sta-ageout, hole-poor-rssi-threshold
ArubaOS 6.0 | The following parameters were deprecated: detect-association-failure, detect-interference, hole-detection-interval, hole-good-rssi-threshold, hole-good-sta-ageout, hole-idle-sta-ageout, hole-poor-rssi-threshold, interference-baseline, interference-exceed-time, interference-threshold
Command Information
Platforms | Licensing | Command Mode
--------- | --------- | ------------
All platforms | Base operating system | Config mode on master controllers
rf spectrum-profile
rf spectrum-profile <profile-name>
age-out audio|bluetooth|cordless-ff-phone|cordless-fh-base|cordless-fh-network|generic-ff|generic-fh|microwave|microwave-inverter|unknown|video|wifi|xbox
clone <source>
no ...
Description
Define the device ageout times used by a spectrum monitor, or hybrid AP radio.
Syntax
Parameter | Description | Range | Default
--------- | ----------- | ----- | -------
age-out | Use the age-out parameter to define the number of seconds for which a specific device type must stop sending a signal before the spectrum monitor considers that device no longer active on the network. | — | —
audio | Some audio devices such as wireless speakers and microphones also use a fixed frequency to continuously transmit audio. These devices are classified as Fixed Frequency (Audio). | 5-65535 seconds | 10 sec
bluetooth | Bluetooth devices. Note that this setting is applicable to 2.4 GHz spectrum monitor radios only. | 5-65535 seconds | 25 sec
cordless-ff-phone | Some cordless phones use a fixed frequency to transmit data (much like the fixed frequency video devices). These devices are classified as Fixed Frequency (Cordless Phones). | 5-65535 seconds | 10 sec
cordless-fh-base | Frequency hopping cordless phone base units transmit periodic beacon-like frames at all times. When the handsets are not transmitting (i.e., no active phone calls), the cordless base is classified as Frequency Hopper (Cordless Base). | 5-65535 seconds | 240 sec
cordless-fh-network | When there is an active phone call and one or more handsets are part of the phone conversation, the device is classified as Frequency Hopper (Cordless Network). Cordless phones may operate in the 2.4 GHz or 5 GHz bands. Some phones use both the 2.4 GHz and 5 GHz bands (for example, 5 GHz for base-to-handset and 2.4 GHz for handset-to-base). These phones may be classified as unique Frequency Hopper devices on both bands. | 5-65535 seconds | 60 sec
generic-ff | All fixed frequency devices that do not fall into one of the other categories are classified as Fixed Frequency (Other). Note that the RF signatures of the fixed frequency audio, video and cordless phone devices are very similar and that some of these devices may be occasionally classified as Fixed Frequency (Other). | 5-65535 seconds | 10 sec
generic-fh | When the classifier detects a frequency hopper that does not fall into one of the above categories, it is classified as Frequency Hopper (Other). Some examples include IEEE 802.11 FHSS devices, game consoles and cordless/hands-free devices that do not use one of the known cordless phone protocols. | 5-65535 seconds | 25 sec
generic-interferer | Any non-frequency hopping device that does not fall into one of the other categories described in this table is classified as a Generic Interferer. For example, a microwave-like device that does not operate in the known operating frequencies used by microwave ovens may be classified as a Generic Interferer. Similarly, wide-band interfering devices may be classified as Generic Interferers. | 5-65535 seconds | 30 sec
microwave | Common residential microwave ovens with a single magnetron are classified as a Microwave. These types of microwave ovens may be used in cafeterias, break rooms, dormitories and similar environments. Some industrial, healthcare or manufacturing environments may also have other equipment that behaves like a microwave and may also be classified as a Microwave device. Note that this setting is applicable to 2.4 GHz spectrum monitor radios only. | 5-65535 seconds | 15 sec
microwave-inverter | Some newer-model microwave ovens have inverter technology to control the power output, and these microwave ovens may have a duty cycle close to 100%. These microwave ovens are classified as Microwave (Inverter). Dual-magnetron industrial microwave ovens with a higher duty cycle may also be classified as Microwave (Inverter). As in the Microwave category described above, there may be other equipment that behaves like inverter microwaves in some industrial, healthcare or manufacturing environments. Those devices may also be classified as Microwave (Inverter). | 5-65535 seconds | 15 sec
video | Video transmitters that continuously transmit video on a single frequency are classified as Fixed Frequency (Video). These devices typically have close to a 100% duty cycle. These types of devices may be used for video surveillance, TV or other video distribution, and similar applications. | 5-65535 seconds | 60 sec
wifi | Wi-Fi devices. | 5-65535 seconds | 600 sec
xbox | The Microsoft Xbox device uses a frequency hopping protocol in the 2.4 GHz band. These devices are classified as Frequency Hopper (Xbox). Note that this setting is applicable to 2.4 GHz spectrum monitor radios only. | 5-65535 seconds | 25 sec
clone <source> | Make a copy of an existing spectrum profile. | — | —
no | Remove a spectrum profile or negate a configured parameter. | — | —
Usage Guidelines
The Spectrum Analysis software module provides visibility into RF coverage, allowing you to troubleshoot RF
interference and identify the 802.11 devices on the network. APs that gather spectrum data are called Spectrum
Monitors, or SMs, and reference a spectrum profile that determines the band monitored by that SM radio. Use this
profile to modify default device ageout times for spectrum monitors and hybrid APs using this profile.
For a list of APs that can be converted into a spectrum monitor or hybrid AP, refer to the Spectrum Analysis chapter
of the ArubaOS 6.4 User Guide.
Example
The following command creates the spectrum profile spectrum2.
(host) (config) #rf spectrum-profile spectrum2
Related Commands
show rf spectrum-profile
Command History
Release | Modification
------- | ------------
ArubaOS 6.0 | Command introduced
ArubaOS 6.2 | The spectrum-band parameter was deprecated. The following default ageout times were changed: cordless-fh-base default timeout is 240 seconds (was 25 sec in previous releases); cordless-fh-network default timeout is 60 sec (was 10 sec in previous releases); generic-interferer default timeout is 30 sec (was 25 sec in previous releases); video default timeout is 60 sec (was 10 sec in previous releases).
Command Information
Platforms | Licensing | Command Mode
--------- | --------- | ------------
All platforms | RF Protect license | Config mode on master and local controllers
router mobile
router mobile
Description
This command enables Layer-3 (IP) mobility.
Syntax
No parameters.
Usage Guidelines
Use this command to enable IP mobility on a controller. IP mobility is disabled by default on the controller. This command must be executed on all controllers (master and local) that need to provide support for Layer-3 roaming in a mobility domain. You can enable or disable IP mobility on a virtual AP profile with the wlan virtual-ap command (IP mobility is enabled by default in a virtual AP profile).
It is recommended to reboot the controller every time you enable or disable IP mobility.
Example
This command enables IP mobility:
(host) (config) #router mobile
Command History
Release | Modification
------- | ------------
ArubaOS 3.0 | Command introduced
Command Information
Platforms | Licensing | Command Mode
--------- | --------- | ------------
All platforms | Base operating system | Config mode on master controllers
router ospf
router ospf
  aggregate-route rapng-vpn <addr>
  area <area-id>
    default-cost <cost>
    nssa [default-information no-redistribution | no-summary]
    stub [no-summary]
  default-information originate always
  redistribute
    loopback
    rapng-vpn
    vlan [<vlan-ids> | add <vlan-ids> | remove <vlan-ids>]
  router-id <rtr-id>
  subnet exclude <addr> <mask>
Description
Global OSPF configuration for the upstream router.
Syntax
Parameter | Description
--------- | -----------
aggregate-route | Enter the aggregate route information.
area <area-id> | Enter the keyword area followed by the area identification, in dotted decimal format, to configure an OSPF area.
default-cost <cost> | Set the summary cost of a NSSA/stub area (in route metric). Range: 0 to 16777215
nssa | Set an area as a NSSA
default-information-originate | Originate Type 7 default into the NSSA area
no-redistribution | Set the NSSA area for no redistribution into this NSSA area
no-summary | Do not send summary LSA into this NSSA area
stub [no-summary] | Set an area as a Total Stub Area and optionally do not send summary LSA into this area
default-information originate always | Control distribution of default information by distributing a default route.
redistribute | Redistributes the route.
loopback | Redistributes loopback addresses.
rapng-vpn | Redistribute IAP-VPN addresses.
vlan <vlan-ids> | Redistribute the vlan user subnet.
add <vlan-ids> | Add the user VLANs to the list.
remove <vlan-ids> | Remove user VLANs from the list.
router-id <rtr-id> | Enter the router ID in IP address format.
subnet exclude <addr> <mask> | Specify the subnet that OSPF will not advertise. Enter the subnet and mask address in dotted decimal format (A.B.C.D).
Usage Guidelines
OSPFv2 is a dynamic Interior Gateway Protocol (IGP) based on IETF RFC 2328. The ArubaOS implementation of OSPF allows controllers to deploy effectively in a Layer 3 topology. For more detailed information, refer to the OSPF chapter in the ArubaOS User Guide.
Example
By default OSPF will advertise all the user VLAN subnet addresses in the router LSA (Link-State Advertisement). To
control the OSPF advertisement, execute the following command:
(host) (config) # router ospf subnet exclude 75.1.1.0 255.255.0.0
With the above command, any user VLAN subnet matching 75.1/16 will not be advertised in the router LSA. To
return to the default advertisement, execute the command:
(host) (config) # no router ospf subnet exclude 75.1.1.0 255.255.0.0
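As an added example that is not part of the guide, the following Python models what the subnet exclude entry above does to a set of user VLAN subnets: the entry is normalised the way the guide describes (75.1.1.0 with mask 255.255.0.0 is treated as 75.1/16) and any VLAN subnet inside it is left out of the router LSA. The VLAN subnets are constructed sample data and the function names are this example's own.

```python
"""Model of 'router ospf subnet exclude <addr> <mask>' (added example, not
ArubaOS code). The exclude list is what the CLI builds up with the command and
trims with 'no router ospf subnet exclude'; the VLAN subnets are constructed."""
import ipaddress


def exclude_prefix(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Normalise one exclude entry to its network prefix.

    strict=False drops the host bits, so 75.1.1.0 / 255.255.0.0 becomes
    75.1.0.0/16, matching the guide's statement that 75.1/16 is excluded."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def advertised_subnets(vlan_subnets, excludes):
    """Split user VLAN subnets into (advertised, suppressed) lists.

    A VLAN subnet is suppressed when it lies inside any excluded prefix;
    everything else is advertised in the router LSA, which is the default
    behaviour the guide describes."""
    excluded = [exclude_prefix(a, m) for a, m in excludes]
    advertised, suppressed = [], []
    for cidr in vlan_subnets:
        net = ipaddress.IPv4Network(cidr)
        if any(net.subnet_of(ex) for ex in excluded):
            suppressed.append(cidr)
        else:
            advertised.append(cidr)
    return advertised, suppressed


# Constructed sample: four user VLAN subnets and the guide's exclude entry.
SAMPLE_VLANS = ["75.1.10.0/24", "75.1.200.0/24", "75.2.10.0/24", "10.0.5.0/24"]
SAMPLE_EXCLUDES = [("75.1.1.0", "255.255.0.0")]

if __name__ == "__main__":
    adv, sup = advertised_subnets(SAMPLE_VLANS, SAMPLE_EXCLUDES)
    print("advertised in router LSA:", adv)
    print("suppressed by subnet exclude:", sup)
```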
Related Commands
Command | Description
------- | -----------
show ip ospf | View OSPF configuration
Command History
Release | Modification
------- | ------------
ArubaOS 3.4 | Command introduced
ArubaOS 6.0 | Added the options: area, default-cost, nssa, and default-information originate always
ArubaOS 6.3 | The aggregate-route and rapng-vpn parameters were introduced.
Command Information
Platforms | Licensing | Command Mode
--------- | --------- | ------------
All Platforms | Base operating system | Configuration Mode (config)
service
service [dhcp] [network-storage] [print-server]
Description
This command enables the DHCP server, the network-storage (NAS) service, or the print server on the controller.
Syntax
Parameter | Description | Default
--------- | ----------- | -------
dhcp | Enables the DHCP server | disabled
network-storage | Enables the NAS service | disabled
print-server | Enables the printer service | disabled
Usage Guidelines
You can enable and configure DHCP, DHCPv6, network-storage or print server in the controller to provide the following:
- DHCP: IP addresses to wireless clients if an external DHCP server is not available.
- Network-storage: access to the storage devices attached to the controller.
- Print-server: access to printers attached to the controller.
Example
The following command enables the DHCP server in the controller:
(host) (config) #service dhcp
The following command enables the NAS services in the controller:
(host) (config) #service network-storage
The following command enables the printer services in the controller:
(host) (config) #service print-server
Command History
Version | Description
------- | -----------
ArubaOS 3.0 | Command introduced.
ArubaOS 3.4 | The network-storage and print-server options were introduced.
Command Information
Platforms | Licensing | Command Mode
--------- | --------- | ------------
All platforms | Base operating system | Config mode on master controllers
show
show aaa authentication all
Description
Show authentication statistics for your controller, including authentication methods, successes and failures.
Usage Guidelines
This command displays a general overview of authentication statistics. To view authentication information for specific profiles such as a captive-portal, MAC or 802.1X authentication profile, issue the commands specific to those features.
Example
The output of this command displays an authentication overview for your controller, including the authentication
methods used, and the numbers of successes or failures for each method. This example shows the numbers of
authentication successes and failures for a controller using TACACS+ and RADIUS authentication methods.
(host) #show aaa authentication all
Auth Method Statistics
----------------------
Method  Success  Failures
------  -------  --------
tacacs  12       2
Radius
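As an added example that is not part of the guide, the Python below parses this statistics table and flags any method whose share of failures is high, which is the quick check an operator runs before looking at the authentication server or the clients behind it. The captured text is constructed in the guide's layout; the RADIUS counts are invented, since the guide's output does not show them.

```python
"""Parse 'show aaa authentication all' output and flag noisy methods
(added example, not ArubaOS code). SAMPLE_OUTPUT is constructed: the tacacs
row copies the guide's numbers, the Radius row is invented."""
import re

SAMPLE_OUTPUT = """\
Auth Method Statistics
----------------------
Method  Success  Failures
------  -------  --------
tacacs  12       2
Radius  40       50
"""

# A data row is a method name followed by two integers; the title, the
# column header and the dashed separator lines do not match this shape.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_auth_stats(text: str) -> dict:
    """Return {method: (successes, failures)}; method names are lower-cased
    because the controller prints them with mixed capitalisation."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            stats[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return stats


def failure_ratio(successes: int, failures: int) -> float:
    """Share of attempts that failed; 0.0 when there were no attempts."""
    total = successes + failures
    return failures / total if total else 0.0


def flag_methods(stats: dict, max_ratio: float = 0.5, min_attempts: int = 10):
    """Methods whose failure share exceeds max_ratio, once there are enough
    attempts for the ratio to mean anything (thresholds chosen for this
    example; tune them to the site's normal failure rate)."""
    return sorted(
        method for method, (ok, bad) in stats.items()
        if ok + bad >= min_attempts and failure_ratio(ok, bad) > max_ratio
    )


if __name__ == "__main__":
    parsed = parse_auth_stats(SAMPLE_OUTPUT)
    for method, (ok, bad) in parsed.items():
        print(f"{method:8s} success={ok:4d} failures={bad:4d} "
              f"ratio={failure_ratio(ok, bad):.2f}")
    print("flagged:", flag_methods(parsed))
```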
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms | Licensing | Command Mode
--------- | --------- | ------------
All platforms | Base operating system | Enable or Config mode on master and local controllers
show aaa authentication captive-portal
show aaa authentication captive-portal [<profile-name>]
Description
This command shows configuration information for captive portal authentication profiles.
Syntax
Parameter
Description
<profile-name>
The name of an existing captive portal authentication profile.
Usage Guidelines
Issue this command without the <profile-name> parameter to display the entire Captive Portal Authentication
profile list, including profile status and the number of references to each profile. Include a profile name to display
detailed configuration information for that profile.
If you do not yet have any captive portal authentication profiles defined, use the command aaa authentication
captive-portal to configure your captive portal profiles.
Examples
This first example shows that there are three configured captive portal profiles in the Captive Portal Authentication Profile List. The References column lists the number of other profiles with references to a captive portal authentication profile, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.
(host) #show aaa authentication captive-portal
Captive Portal Authentication Profile List
------------------------------------------
Name        References  Profile Status
----        ----------  --------------
c-portal    2
remoteuser  1
portal1     1
Total: 4
Include a captive portal profile name to display a complete list of configuration settings for that profile. The example below shows settings for the captive portal profile portal1.
Captive Portal Authentication Profile "portal1"
-----------------------------------------------
Parameter                                           Value
---------                                           -----
Default Role                                        guest
Default Guest Role                                  guest
Server Group                                        default
Redirect Pause                                      10 sec
User Login                                          Enabled
Guest Login                                         Disabled
Logout popup window                                 Enabled
Use HTTP for authentication                         Disabled
Logon wait minimum wait                             5 sec
Logon wait maximum wait                             10 sec
logon wait CPU utilization threshold                60 %
Max Authentication failures                         0
Show FQDN                                           Disabled
Authentication Protocol                             PAP
Login page                                          /auth/index.
Welcome page                                        /auth/welcom
Show Welcome Page                                   Yes
Add switch IP address in the redirection URL        Disabled
Adding user vlan in redirection URL                 Disabled
Add a controller interface in the redirection URL   N/A
Allow only one active user session                  Disabled
White List                                          N/A
Black List                                          N/A
Show the acceptable use policy page                 Disabled
User idle timeout                                   N/A
Redirect URL                                        N/A
Bypass Apple Captive Network Assistant              Disabled
URL Hash Key                                        ********
The output of this command includes the following parameters:
Parameter | Description
--------- | -----------
Default Role | Role assigned to the captive portal user upon login.
Default Guest Role | Guest role assigned to the captive portal user upon login.
Server Group | Name of the group of servers used to authenticate captive portal users.
Redirect Pause | Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link.
User Login | Shows whether the profile has enabled or disabled captive portal with authentication of user credentials.
Guest Login | Shows whether the profile has enabled or disabled captive portal guest login without authentication.
Logout popup window | Shows whether the profile has enabled or disabled a pop-up window that allows a user to log out. If this is disabled, the user remains logged in until the user timeout period has elapsed or the station resets.
Use HTTP for authentication | Shows whether the profile has enabled or disabled the ability to use the HTTP protocol to redirect users to the captive portal page.
Logon wait minimum wait | Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high.
Logon wait maximum wait | Maximum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high.
logon wait CPU utilization threshold | CPU utilization percentage above which the logon wait interval is applied when directing a captive portal user to the logon page.
Max Authentication failures | Maximum number of authentication failures before the user is blacklisted.
Show FQDN | If enabled, the user can see and select the fully-qualified domain name (FQDN) on the captive portal login page.
Authentication Protocol | This parameter specifies the type of authentication required by this profile. PAP is the default authentication type.
Login page | URL of the page that appears for the user logon.
Welcome page | URL of the page that appears after logon and before the user is redirected to the web URL.
Add controller IP address in the redirection URL | If enabled, this option sends the controller's IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the controller from which a request originated by parsing the 'switchip' variable in the URL.
Adding user vlan in redirection URL | Shows the user's VLAN ID sent in the redirection URL, if enabled.
Add a controller interface in the redirection URL | Shows the IP address of a controller interface added to the redirection URL, if enabled.
Allow only one active user session | If enabled, only one active user session is allowed at any time. This feature is disabled by default.
White List | Shows the configured white list on an IPv4 or IPv6 network destination. The white list contains authenticated websites that a guest can access.
Black List | Shows the configured black list on an IPv4 or IPv6 network destination. The black list contains websites (unauthenticated) that a guest cannot access.
Show the acceptable use policy page | If enabled, the captive portal page will show the acceptable use policy page before the user logon page. This feature is disabled by default.
User Idle Timeout | The user idle timeout for this profile. The valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.
Redirect URL | URL to which an authenticated user will be directed.
URL hash key | If this value is set, the redirection URL is hashed using the defined hash key. The characters in the hash key are hidden in the output of this command.
Related Commands
Command | Description | Mode
------- | ----------- | ----
aaa authentication captive-portal | Use aaa authentication captive-portal to configure the parameters displayed in the output of this show command. | Config mode
Command History
Version | Description
------- | -----------
ArubaOS 3.0 | Command introduced.
ArubaOS 6.1 | The sygate-on-demand parameter was deprecated, and the white-list and black-list parameters were added.
ArubaOS 6.2 | The Authentication Protocol parameter was added, and the Use CHAP parameter was deprecated.
Command Information
Platforms | Licensing | Command Mode
--------- | --------- | ------------
All platforms | Base operating system | Enable or Config mode on master or local controllers
show aaa authentication captive-portal customization
show aaa authentication captive-portal customization <profile-name>
Description
Display customization settings for a captive portal profile
Syntax
Parameter
Description
<profile-name>
The name of an existing captive portal authentication profile.
Usage Guidelines
This command shows how a captive portal profile has been customized with non-default configuration settings. If you do not yet have any captive portal authentication profiles defined, use the command aaa authentication captive-portal to configure your captive portal profiles.
Example
The output of the following command shows how the captive portal profile c-portal has been customized. If an individual parameter has not been changed from its default settings, its value entry will be blank.
(host) #show aaa authentication captive-portal customization c-portal
Captive-Portal Customization
----------------------------
Parameter                      Value
---------                      -----
Login page design theme        3
Login page logo image
Login page text URL            /flash/upload/custom/ssu-guest-cp/logintext.html
Login policy text URL          /upload/custom/ssu-guest-cp/acceptableusepolicy.html
Custom page background color
Custom page background image   /upload/custom/default/auth-slider-1.gif
The output of this command includes the following parameters:
Parameter | Description
--------- | -----------
Login page design theme | Indicates whether the controller is using one of the two predefined login page designs (1 or 2) or has a custom background (3).
Login page logo image | Path and filename for a custom captive portal logo. This option is only available if the controller has a predefined login design.
Login page text | Path and filename of the page that appears for the user logon.
Login policy text | Path and filename of the page that displays user policy text.
Custom page background color | Hexadecimal value for a custom background color. This option is only available if the controller has a custom login page design theme.
Custom page background image | Path and filename for a custom JPEG captive portal background image. This option is only available if the controller has a custom login page design theme.
Related Commands
Command | Description | Mode
------- | ----------- | ----
aaa authentication captive-portal | If you do not yet have any captive portal profiles defined, use the command aaa authentication captive-portal to configure your captive portal profiles. | Config mode
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms | Licensing | Command Mode
--------- | --------- | ------------
All platforms | Base operating system | Enable or Config mode on master or local controllers
show aaa authentication dot1x
show aaa authentication dot1x [<profile-name>|countermeasures]
Description
This command shows information for 802.1X authentication profiles.
Syntax
Parameter
Description
<profile-name>
The name of an existing 802.1X authentication profile.
countermeasures
Reports if WPA/WPA2 Countermeasures have been enabled for 802.1X profiles.
If enabled, the AP scans for message integrity code (MIC) failures in traffic
received from clients.
Usage Guidelines
Issue this command without the <profile-name> or countermeasures options to display the entire 802.1X Authentication profile list, including profile status and the number of references to each profile. Include a profile name to display detailed dot1x authentication configuration information for that profile. The countermeasures option indicates whether the 802.1X profiles have been configured for WPA/WPA2 countermeasures. If countermeasures have not been configured, the output for this command will be blank.
Examples
The following example lists all dot1x authentication profiles. The References column lists the number of other
profiles with references to a 802.1X authentication profile, and the Profile Status column indicates whether the
profile is predefined. User-defined 802.1X profiles will not have an entry in the Profile Status column.
(host) #show aaa authentication dot1x
802.1X Authentication Profile List
----------------------------------
Name         References  Profile Status
----         ----------  --------------
default      2
default-psk  1           Predefined (editable)
dot1x        5
dot1xtest    0
Total:4
To display a complete list of parameters for an individual profile, include the <profile> parameter. The example below displays some of the profile details for the authentication profile pDot1x.
(host) #show aaa authentication dot1x pDot1x
802.1X Authentication Profile "pDot1x"
--------------------------------------
Parameter                                      Value
---------                                      -----
Max authentication failures                    0
Enforce Machine Authentication                 Disabled
Machine Authentication: Default Machine Role   guest
Machine Authentication Cache Timeout           24 hrs
Blacklist on Machine Authentication Failure    Disabled
Machine Authentication: Default User Role      guest
Interval between Identity Requests             30 sec
Quiet Period after Failed Authentication       30 sec
Reauthentication Interval                      86400 sec
Use Server provided Reauthentication Interval  Disabled
Multicast Key Rotation Time Interval           1800 sec
Unicast Key Rotation Time Interval             900 sec
...
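The following Python is an added example, not the guide's or Aruba's code: it parses the two-column Parameter/Value listing printed here and by show aaa authentication captive-portal <profile-name>, then audits the settings whose descriptions in this guide make them security relevant (a Max authentication failures of 0 disables blacklisting; Use HTTP for authentication redirects over cleartext HTTP). Both captures are constructed in the guide's layout, the captive-portal one deliberately with HTTP enabled, and the audit rules are the example's own choices.

```python
"""Parse and audit ArubaOS 'show aaa authentication dot1x|captive-portal
<profile>' listings (added example, not ArubaOS code). Both samples below are
constructed in the layout the guide shows."""
import re

# Constructed sample: a trimmed 'show aaa authentication dot1x pDot1x' listing
# with the values from the guide's example.
SAMPLE_DOT1X = """\
802.1X Authentication Profile "pDot1x"
--------------------------------------
Parameter                                      Value
---------                                      -----
Max authentication failures                    0
Enforce Machine Authentication                 Disabled
Machine Authentication: Default Machine Role   guest
Reauthentication Interval                      86400 sec
Use Server provided Reauthentication Interval  Disabled
Multicast Key Rotation Time Interval           1800 sec
"""

# Constructed sample for a captive-portal profile. Unlike the guide's portal1
# example, HTTP redirection is Enabled here so the matching rule has a hit.
SAMPLE_CAPTIVE_PORTAL = """\
Captive Portal Authentication Profile "portal1"
-----------------------------------------------
Parameter                                      Value
---------                                      -----
Default Role                                   guest
Use HTTP for authentication                    Enabled
Max Authentication failures                    3
Authentication Protocol                        PAP
URL Hash Key                                   ********
"""


def parse_profile(text: str) -> dict:
    """Return {parameter: value} from a two-column profile listing.

    Parameter names contain single spaces ("Max authentication failures"),
    so the columns are split at the first run of two or more spaces. The
    title line has no such run and falls out naturally; dashed rules and the
    column header are skipped explicitly."""
    settings = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or set(line) <= {"-", " "} or line.startswith("Parameter"):
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1]
    return settings


def as_number(value):
    """Leading integer of a value: '86400 sec' -> 86400, '24 hrs' -> 24,
    '0' -> 0. None for non-numeric values such as 'N/A' or 'Disabled'."""
    m = re.match(r"^\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


# Audit rules chosen for this example. Parameter names are compared
# case-insensitively because the dot1x and captive-portal listings
# capitalise "Max authentication failures" differently.
RULES = [
    ("max authentication failures",
     lambda v: as_number(v) == 0,
     "set to 0, so repeated failures never blacklist the client"),
    ("use http for authentication",
     lambda v: v == "Enabled",
     "portal redirection over cleartext HTTP is enabled"),
    ("enforce machine authentication",
     lambda v: v == "Disabled",
     "machine authentication is not enforced"),
]


def audit_profile(settings: dict) -> list:
    """Return [(parameter, finding)] for every rule whose predicate matches."""
    lowered = {k.lower(): (k, v) for k, v in settings.items()}
    findings = []
    for name, predicate, message in RULES:
        if name in lowered:
            original, value = lowered[name]
            if predicate(value):
                findings.append((original, message))
    return findings


if __name__ == "__main__":
    for label, text in (("dot1x", SAMPLE_DOT1X),
                        ("captive-portal", SAMPLE_CAPTIVE_PORTAL)):
        findings = audit_profile(parse_profile(text))
        print(f"{label}: {len(findings)} finding(s)")
        for parameter, message in findings:
            print(f"  {parameter}: {message}")
```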
The output of the show aaa authentication dot1x command includes the following parameters:
Parameter | Description
--------- | -----------
Max authentication failures | Number of times a user can try to log in with wrong credentials after which the user is blacklisted as a security threat. Blacklisting is disabled if this parameter is set to 0.
Enforce Machine Authentication | Shows if machine authentication is enabled or disabled for Windows environments. If enabled, either the machine-default-role or the user-default-role is assigned to the user, depending on which authentication is successful.
Machine Authentication: Default Machine Role | Default role assigned to the user after completing only machine authentication.
Machine Authentication Cache Timeout | The timeout period, in hours, for machine authentication. After this period passes, the user will have to re-authenticate.
Blacklist on Machine Authentication Failure | If enabled, the client is blacklisted if machine authentication fails.
Machine Authentication: Default User Role | Default role assigned to the user after 802.1X authentication.
Interval between Identity Requests | Interval, in seconds, between identity request retries.
Quiet Period after Failed Authentication | Interval, in seconds, following failed authentication.
Reauthentication Interval | Interval, in seconds, between reauthentication attempts.
Use Server provided Reauthentication Interval | If enabled, 802.1X authentication will use the server-provided reauthentication period.
Multicast Key Rotation Time Interval | Interval, in seconds, between multicast key rotations.
Unicast Key Rotation Time Interval | Interval, in seconds, between unicast key rotations.
Parameter
Value
Authentication Server Retry Interval
    Server group retry interval, in seconds.
Authentication Server Retry Count
    The number of server group retries.
Framed MTU
    Shows the framed MTU attribute sent to the authentication server.
Number of times ID-Requests are retried
    Maximum number of times ID requests are sent to the client.
Maximum Number of Reauthentication Attempts
    Maximum number of reauthentication attempts.
Maximum number of times Held State can be bypassed
    Number of consecutive authentication failures which, when reached, causes the controller to not respond to authentication requests from a client while the controller is in a held state after the authentication failure.
Dynamic WEP Key Message Retry Count
    Number of times unicast/multicast EAPOL key messages are sent to the client.
Dynamic WEP Key Size
    Dynamic WEP key size, either 40 or 128 bits.
Interval between WPA/WPA2 Key Messages
    Interval, in milliseconds, between each WPA key exchange. The allowed range of values is 1000-5000 msecs, and the default value is 1000 msecs.
Delay between EAP-Success and WPA2 Unicast Key Exchange
    Shows the delay interval between EAP-Success and unicast key exchanges, in msec. Range: 0-2000 msec. Default: 0 (no delay).
Delay between WPA/WPA2 Unicast Key and Group Key Exchange
    Interval, in milliseconds, between unicast and multicast key exchanges.
Time interval after which the PMKSA will be deleted
    Shows the PMKSA cache interval. Time interval in hours. Range: 1-2000. Default: 8 hrs.
Delete Keycache upon user deletion Enabled
    If enabled, the controller deletes the key cache entry when the user entry is deleted.
WPA/WPA2 Key Message Retry Count
    Number of times WPA/WPA2 key messages are retried.
Multicast Key Rotation
    Shows if multicast key rotation is enabled or disabled.
Unicast Key Rotation
    Shows if unicast key rotation is enabled or disabled.
Reauthentication
    If enabled, this option forces the client to do a 802.1X reauthentication after the expiration of the default timer for reauthentication. (The default value of the timer is 24 hours.)
Opportunistic Key Caching
    If enabled, a cached pairwise master key (PMK) is derived with a client and an associated AP and used when the client roams to a new AP.
Validate PMKID
    Shows if the Validate PMKID feature is enabled or disabled. When this option is enabled, the client must send a PMKID in the associate or reassociate frame to indicate that it supports OKC; otherwise, full 802.1X authentication takes place. (This feature is optional, since most clients that support OKC do not send the PMKID in their association request.)
Use Session Key
    If enabled, the controller will use a RADIUS session key as the unicast WEP key.
Use Static Key
    If enabled, the controller will use a static key as the unicast/multicast WEP key.
xSec MTU
    Shows the size of the MTU for xSec.
Termination
    Shows if 802.1X termination is enabled or disabled on the controller.
Termination EAP-Type
    Shows the current Extensible Authentication Protocol (EAP) method, either EAP-PEAP or EAP-TLS.
Termination Inner EAP-Type
    When EAP-PEAP is the EAP method, this parameter displays the inner EAP type.
Enforce Suite-B 128 bit or more security level Authentication
    Shows if Suite-B 128 bit or more security level authentication enforcement is enabled or disabled.
Enforce Suite-B 192 bit security level Authentication
    Shows if Suite-B 192 bit or more security level authentication enforcement is enabled or disabled.
Token Caching
    If this feature is enabled (and EAP-GTC is configured as the inner EAP method), token caching allows the controller to cache the username and password of each authenticated user.
Token Caching Period
    Timeout period, in hours, for the cached information.
CA-Certificate
    Name of the CA certificate for client authentication loaded in the controller.
Server-Certificate
    Name of the server certificate used by the controller to authenticate itself to the client.
TLS Guest Access
    Shows if guest access for valid EAP-TLS users is enabled or disabled.
TLS Guest Role
    User role assigned to EAP-TLS guests.
Ignore EAPOL-START after authentication
    If enabled, the controller ignores EAPOL-START messages after authentication.
Handle EAPOL-Logoff
    Shows if handling of EAPOL-LOGOFF messages is enabled or disabled.
Ignore EAP ID during negotiation
    If enabled, the controller will ignore EAP IDs during negotiation.
WPA-Fast-Handover
    Shows if WPA-fast-handover is enabled or disabled. This feature is only applicable for phones that support WPA.
Disable rekey and reauthentication for clients on call
    Shows if the rekey and reauthentication features for voice-over-WLAN clients have been enabled or disabled.
Check certificate common name against AAA server
    If enabled, this parameter verifies that the certificate's common name exists in the server. This parameter is disabled by default in dot1x profiles.
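The parameters in the table above are what a two-column Parameter/Value capture of show aaa authentication dot1x <profile> exposes. As an added example that is not ArubaOS code, the Python script below parses such a capture (the capture it uses is constructed in that layout, with made-up values) and flags a few settings a reviewer would want to look at. The conditions it tests, a failure limit of 0, a static WEP key, and EAP termination on the controller, are the example's own assumptions about a hardened profile, not ArubaOS defaults; the same parser applies to the other Parameter/Value outputs in this chapter.

```python
"""Audit a `show aaa authentication dot1x <profile>` capture for weak settings.

Added example, not ArubaOS code. The capture below is constructed in the
two-column Parameter/Value layout the reference shows; the checks encode this
script's own assumptions about a hardened 802.1X profile.
"""
import re

# Constructed capture modelled on the page's "pDot1x" output; values are made up.
SAMPLE_DOT1X_OUTPUT = """\
802.1X Authentication Profile "pDot1x"
-------------------------------------
Parameter                                          Value
---------                                          -----
Max authentication failures                        0
Enforce Machine Authentication                     Disabled
Reauthentication Interval                          86400 sec
Use Static Key                                     Enabled
Opportunistic Key Caching                          Enabled
Validate PMKID                                     Disabled
Termination                                        Enabled
Termination EAP-Type                               eap-peap
Termination Inner EAP-Type                         eap-mschapv2
Check certificate common name against AAA server   Disabled
"""


def parse_parameter_table(text):
    """Return {parameter: value} from a Parameter/Value table.

    The CLI pads the two columns with runs of spaces, so each row is split on
    the first run of two or more spaces. The title line never splits that way,
    and the header and dashed separator lines are skipped by prefix.
    """
    params = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(("---", "Parameter")):
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) == 2:
            params[parts[0].strip()] = parts[1].strip()
    return params


def audit_dot1x(params):
    """Return (parameter, value, reason) tuples for settings an auditor should review.

    The conditions below are assumptions of this example, not ArubaOS defaults.
    """
    def val(name):
        return params.get(name, "")

    findings = []

    # A failure limit of 0 means repeated wrong credentials never blacklist the client.
    if val("Max authentication failures") == "0":
        findings.append(("Max authentication failures", "0",
                         "repeated 802.1X failures never blacklist the client"))

    # A static WEP key is a shared, long-lived secret; flag any profile still using one.
    if val("Use Static Key") == "Enabled":
        findings.append(("Use Static Key", "Enabled",
                         "static unicast/multicast WEP key in use"))

    # With termination on, the controller (not the RADIUS server) completes EAP, so the
    # EAP method, inner method and certificate checks configured here decide the outcome.
    if val("Termination") == "Enabled":
        eap = val("Termination EAP-Type")
        cn_check = "Check certificate common name against AAA server"
        if eap.lower() == "eap-tls":
            if val(cn_check) != "Enabled":
                findings.append((cn_check, val(cn_check),
                                 "EAP-TLS terminated on the controller without CN check"))
        else:
            findings.append(("Termination EAP-Type", eap,
                             ("controller terminates %s with inner type %s; confirm the "
                              "Server-Certificate clients are expected to trust")
                             % (eap, val("Termination Inner EAP-Type"))))
    return findings


if __name__ == "__main__":
    for param, value, reason in audit_dot1x(parse_parameter_table(SAMPLE_DOT1X_OUTPUT)):
        print("%-50s %-10s %s" % (param, value, reason))
```

Feed a saved capture to parse_parameter_table and pass the dictionary to audit_dot1x; each finding names the parameter, its value and the reason it was raised, so the list can be diffed between profiles or over time.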
Related Commands
aaa authentication dot1x (Config mode)
    If you do not yet have any 802.1X authentication profiles defined, use the command aaa authentication dot1x to configure your 802.1X profiles.
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 6.1: The Check certificate common name against AAA server, Enforce Suite-b-128 and Enforce Suite-b-192 parameters were introduced.
ArubaOS 6.3.1.2: The Delete Keycache upon user deletion parameter was introduced.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local controllers
show aaa authentication mac
show aaa authentication mac [<profile-name>]
Description
This command shows information for MAC authentication profiles. Issue this command without the
<profile-name> option to display the entire MAC Authentication profile list, including profile status and the number
of references to each profile. Include a profile name to display detailed MAC authentication configuration information
for that profile.
Syntax
<profile-name>
    The name of an existing MAC authentication profile.
Examples
The output of the example below shows two MAC authentication profiles, default and macProfile1, which are
referenced three times by other profiles. The Profile Status columns are blank, indicating that these profiles are both
user-defined. (If a profile is predefined, the value Predefined appears in the Profile Status column.)
(host) #show aaa authentication dot1x pDot1x
802.1X Authentication Profile "pDot1x"
-------------------------------------
Parameter                                       Value
---------                                       -----
Max authentication failures                     0
Enforce Machine Authentication                  Disabled
Machine Authentication: Default Machine Role    guest
Machine Authentication Cache Timeout            24 hrs
Blacklist on Machine Authentication Failure     Disabled
Machine Authentication: Default User Role       guest
Interval between Identity Requests              30 sec
Quiet Period after Failed Authentication        30 sec
Reauthentication Interval                       86400 sec
Use Server provided Reauthentication Interval   Disabled
Multicast Key Rotation Time Interval            1800 sec
Unicast Key Rotation Time Interval              900 sec
...
The following example displays configuration details for the MAC authentication profile "MacProfile1," including the
delimiter and case used in the authentication request, and the maximum number of times a client can fail to
authenticate before it is blacklisted.
(host) #show aaa authentication mac MacProfile1
MAC Authentication Profile "MacProfile1"
----------------------------------------
Parameter                    Value
---------                    -----
Delimiter                    colon
Case                         upper
Max Authentication failures  3
Related Commands
aaa authentication mac (Config mode)
    Configure MAC authentication values on your controller.
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local controllers
show aaa authentication mgmt
show aaa authentication mgmt
Description
This command displays administrative user authentication information, including management authentication roles
and servers.
Usage Guidelines
Issue this command to identify the default management role assigned to authenticated administrative users, and the
name of the group of servers used to authenticate these users.
Example
The output of the following example displays management authentication information for your controller.
(host) #show aaa authentication mgmt
Management Authentication Profile
---------------------------------
Parameter     Value
---------     -----
Default Role  root
Server Group  ServerGroup1
Enable        Enabled
The output of the show aaa authentication mgmt command includes the following parameters:
Default Role
    This parameter shows which of the following roles the controller uses for authentication management.
    - root, the super user role (default).
    - guest-provisioning, guest provisioning role.
    - network-operations, network operator role.
    - read-only, read only role.
    - location-api-mgmt, location API management role.
    - no-access, no commands are accessible.
Server Group
    The name of a server group.
Enable
    The Enable parameter indicates whether this feature is enabled or disabled.
Related Commands
aaa authentication mgmt (Config mode)
    Configure management authentication settings.
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 6.1: The Mode parameter in the command output was renamed Enable.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local controllers
show aaa authentication stateful-dot1x
show aaa authentication stateful-dot1x [config-entries]
Description
This command displays configuration settings for 802.1X authentication for clients on non-Aruba APs.
Syntax
config-entries
    Display details for the AP Server configuration list.
Usage Guidelines
Issue this command to identify the default role assigned to the 802.1X user group, name of the group of RADIUS
servers used to authenticate the 802.1X users, and the 802.1X authentication timeout period, in seconds.
Example
The output of the following example displays 802.1X authentication information for your controller.
(host) #show aaa authentication stateful-dot1x
Stateful 802.1X Authentication Profile
--------------------------------------
Parameter     Value
---------     -----
Default Role  guest
Server Group  newgroup2
Timeout       10 sec
Mode          Enabled
The output of this command includes the following parameters:
Default Role
    This parameter shows which role the controller uses for 802.1X authentication management.
Server Group
    The name of a server group.
Timeout
    Timeout period for an authentication request, in seconds.
Mode
    The Mode parameter indicates whether this feature is enabled or disabled.
When you include the config-entries parameter, the output shows the AP - Server Configuration List.
(host) #show aaa authentication stateful-dot1x config-entries
AP-Server Configuration List
----------------------------
Cfg-Name  AP-IP      Server   Shared-Secret
--------  -----      ------   -------------
cfg22     10.3.14.6  RADIUS1  secret-pwd
The output of this command includes the following parameters:
Cfg-Name
    An auto-generated name.
AP-IP
    IP address of the AP.
Server
    Name of the authentication server.
Shared-Secret
    Shared authentication secret.
Related Commands
aaa authentication stateful-dot1x (Config mode)
    Use the command aaa authentication stateful-dot1x to configure the settings displayed in the output of this show command.
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local controllers
show aaa authentication stateful-ntlm
show aaa authentication stateful-ntlm [<profile-name>]
Description
This command displays configuration settings for the Stateful NTLM Authentication profile. Issue this command
without the <profile-name> option to display the entire Stateful NTLM Authentication profile list, including profile
status and the number of references to each profile. Include a profile name to display detailed Stateful NTLM
authentication configuration information for that profile.
Syntax
<profile-name>
    The name of an existing Stateful NTLM authentication profile.
Usage Guidelines
Issue this command to identify the default role assigned to users who have successfully authenticated using the NT
LAN Manager (NTLM) authentication protocol, the name of the group of Windows servers used to authenticate these
users, and the NTLM authentication timeout period, in seconds.
Examples
The output of the example below shows two stateful NTLM authentication profiles, default and NTLMprofile1,
which are each referenced one time by other profiles. The Profile Status columns are blank, indicating that these
profiles are both user-defined. (If a profile is predefined, the value Predefined appears in the Profile Status column.)
(host) #show aaa authentication stateful-ntlm
Stateful NTLM Authentication Profile List
-----------------------------------------
Name          References  Profile Status
----          ----------  --------------
default       1
NTLMprofile1  1
Total:2
The following example displays configuration details for the stateful NTLM authentication profile "default".
(host) #show aaa authentication stateful-ntlm default
Stateful NTLM Authentication Profile "default"
----------------------------------------------
Parameter     Value
---------     -----
Default Role  guest
Server Group  default
Mode          Disabled
Timeout       10 sec
The output of this command includes the following parameters:
Default Role
    This parameter shows the role assigned to NTLM authenticated users.
Server Group
    The name of a Windows server group.
Mode
    The Mode parameter indicates whether this authentication profile is enabled or disabled.
Timeout
    Timeout period for an authentication request, in seconds.
Related Commands
aaa authentication stateful-ntlm
    Use the command aaa authentication stateful-ntlm to configure the settings displayed in the output of this show command.
Command History
This command was introduced in ArubaOS 3.4.1.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local controllers
show aaa authentication via auth-profile
show aaa authentication via auth-profile [<profile-name>]
Description
This command displays configuration settings for the VIA Authentication profile. Issue this command without the
<profile-name> option to display the entire VIA Authentication profile list, including profile status and the number of
references to each profile. Include a profile name to display detailed VIA authentication configuration information for
that profile.
Syntax
<profile-name>
    The name of an existing VIA authentication profile.
Usage Guidelines
Issue this command without the <profile-name> parameter to display the entire VIA Authentication profile list,
including profile status and the number of references to each profile. Include a profile name to display detailed
configuration information for that profile.
If you do not yet have any VIA authentication profiles defined, use the command aaa authentication via auth-profile to configure your VIA authentication profiles.
Examples
This first example shows that there are three configured VIA authentication profiles in the VIA Authentication
Profile List. The References column lists the number of other profiles with references to a VIA authentication profile,
and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry
in the Profile Status column.
(host) #show aaa authentication via auth-profile
VIA Authentication Profile List
-------------------------------
Name     References  Profile Status
----     ----------  --------------
default  0
via1     2
via2     1
Total:3
Include a VIA authentication profile name to display a complete list of configuration settings for that profile. The
example below shows settings for the VIA authentication profile via1.
VIA Authentication Profile "via1"
---------------------------------
Parameter                    Value
---------                    -----
Default Role                 default-via-role
Server Group                 internal
Max Authentication failures  2
Description                  VIA config for the MV office
The output of this command includes the following parameters:
Default Role
    Role assigned to the VIA user upon login.
Server Group
    Name of the group of servers used to authenticate VIA users.
Max Authentication failures
    Maximum number of authentication failures before the user is blacklisted.
Description
    Description of the VIA authentication profile.
Related Commands
aaa authentication via auth-profile (Config mode)
    Use aaa authentication via auth-profile to configure the parameters displayed in the output of this show command.
Command History
This command was introduced in ArubaOS 5.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local controllers
show aaa authentication via connection-profile
show aaa authentication via connection-profile [<profile-name>]
Description
This command displays configuration settings for the VIA connection profile. Issue this command without the
<profile-name> option to display the entire VIA Connection profile list, including profile status and the number of
references to each profile. Include a profile name to display detailed VIA connection configuration information for that
profile.
Syntax
<profile-name>
    The name of an existing VIA connection profile.
Usage Guidelines
Issue this command without the <profile-name> parameter to display the entire VIA connection profile list, including
profile status and the number of references to each profile. Include a profile name to display detailed configuration
information for that profile.
If you do not yet have any VIA connection profiles defined, use the command aaa authentication via connection-profile to configure your VIA connection profiles.
Examples
This first example shows that there are three configured connection profiles in the VIA Connection
Profile List. The References column lists the number of other profiles with references to a VIA connection profile,
and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have an entry
in the Profile Status column.
(host) #show aaa authentication via connection-profile
VIA Connection Profile List
---------------------------
Name          References  Profile Status
----          ----------  --------------
connection_1  3
connection_2  1
default       0
Total:3
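The profile list above shares one layout with the Stateful NTLM, VIA authentication and VIA web authentication lists on this page: a Name column, a References count, a Profile Status column that is blank for user-defined profiles and reads Predefined otherwise, and a Total:N trailer. The Python script below is an added example, not ArubaOS code, that parses such a capture, checks the trailer against the rows, and reports user-defined profiles that no other profile references, which are the stale entries an administrator usually wants to review; the capture and the profile names in it are constructed.

```python
"""Parse an ArubaOS profile list (Name / References / Profile Status / Total:N).

Added example, not ArubaOS code. The capture below is constructed in the layout
the reference shows; the profile names are made up.
"""
import re

SAMPLE_LIST = """\
VIA Connection Profile List
---------------------------
Name          References  Profile Status
----          ----------  --------------
connection_1  3
connection_2  1
default       0           Predefined
stale_branch  0
Total:4
"""


def parse_profile_list(text):
    """Return (entries, total): entries is a list of dicts with name, references
    (int) and predefined (bool); total is the value of the Total:N trailer."""
    entries, total = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Total:"):
            total = int(line.split(":", 1)[1].strip())
            continue
        cols = re.split(r"\s{2,}", line)
        # Title, header and dashed separator lines are skipped: a data row has at
        # least two columns and an integer reference count in the second one.
        if len(cols) < 2 or not cols[1].isdigit():
            continue
        entries.append({
            "name": cols[0],
            "references": int(cols[1]),
            "predefined": len(cols) > 2 and cols[2] == "Predefined",
        })
    return entries, total


def review_profile_list(entries, total):
    """Return readable issues: a trailer that disagrees with the rows (a sign of a
    truncated capture), and user-defined profiles nothing references."""
    issues = []
    if total is not None and total != len(entries):
        issues.append("Total:%d but %d profiles listed" % (total, len(entries)))
    for e in entries:
        if e["references"] == 0 and not e["predefined"]:
            issues.append("%s is user-defined and referenced by no other profile" % e["name"])
    return issues


if __name__ == "__main__":
    entries, total = parse_profile_list(SAMPLE_LIST)
    for issue in review_profile_list(entries, total):
        print(issue)
```

The reference count is what makes a profile live: a user-defined profile with zero references is configuration nobody applies, and a mismatch between Total:N and the rows usually means the capture was cut off by paging.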
Include a connection profile name to display a complete list of configuration settings for that profile. The example
below shows settings for the VIA connection profile connection_1.
VIA Connection Profile "default"
--------------------------------
Parameter                                           Value
---------                                           -----
VIA Servers                                         N/A
Client Auto-Login                                   Enabled
VIA Authentication Profiles to provision            N/A
Allow client to auto-upgrade                        Enabled
VIA tunneled networks                               N/A
Enable split tunneling                              Disabled
VIA Client WLAN profiles                            N/A
Allow client side logging                           Enabled
VIA IKE V2 Policy                                   Default
VIA IKE Policy                                      Default
Use Windows Credentials                             Enabled
Enable IKEv2                                        Disabled
Use Suite B Cryptography                            Disabled
IKEv2 Authentication method                         user-cert
VIA IPSec V2 Crypto Map                             default-ikev2-dynamicmap/10000
VIA IPSec Crypto Map                                default-dynamicmap/10000
Allow user to save passwords                        Enabled
Enable Supplicant                                   Disabled
Enable FIPS Module                                  Disabled
Auto-launch Supplicant                              Disabled
Lockdown All Settings                               Disabled
Domain Suffix in VIA Authentication                 Disabled
Enable Controllers Load Balance                     Disabled
Enable Domain Pre-connect                           Enabled
VIA Banner Message Reappearance Timeout(minutes)    60
VIA Client Network Mask                             255.255.255.255
Validate Server Certificate                         Enabled
VIA Client DNS Suffix List                          N/A
VIA max session timeout                             1440 min
VIA Logon Script                                    N/A
VIA Logoff Script                                   N/A
VIA Support E-Mail Address                          N/A
Maximum reconnection attempts                       3
VIA external download URL                           N/A
Allow user to disconnect VIA                        Enabled
Content Security Gateway URL                        N/A
Comma seperated list of HTTP ports to be inspected  N/A
(apart from default port 80)
Enable Content Security Services                    Disabled
Keep VIA window minimized                           Disabled
Block traffic until VPN tunnel is up                Disabled
Block traffic rules                                 N/A
The output of this command includes the following parameters:
VIA servers
    Displays the following information about the VIA server:
    - Controller Hostname/IP Address: This is the public IP address or the DNS hostname of the VIA controller. Users will connect to the remote server using this IP address or the hostname.
    - Controller Internal IP Address: This is the IP address of any of the VLAN interface IP addresses belonging to this controller.
    - Controller Description: This is a human-readable description of the controller.
Client Auto-Login
    Enable or disable the VIA client's ability to log in automatically and establish a secure connection to the controller. Default: Enabled
VIA Authentication Profiles to provision
    This is the list of VIA authentication profiles that will be displayed to users in the VIA client.
Allow client to auto-upgrade
    Enable or disable the VIA client's automatic upgrade when an updated version of the client is available on the controller. Default: Enabled
VIA tunneled networks
    A list of network destinations (IP address and netmask) that the VIA client will tunnel through the controller. All other network destinations will be reachable directly by the VIA client.
Enable split-tunneling
    Enable or disable split tunneling.
    - If enabled, all traffic to the VIA tunneled networks will go through the controller and the rest is bridged directly on the client.
    - If disabled, all traffic will flow through the controller.
    Default: off
Allow client-side logging
    Enable or disable client-side logging. If enabled, the VIA client will collect logs that can be sent to the support e-mail address for troubleshooting. Default: Enabled
VIA Client WLAN profiles
    A list of VIA client WLAN profiles that need to be pushed to the client machines that use Windows Zero Config (WZC) to configure or manage their wireless networks.
VIA IKEv2 Policy
    A list of IPsec crypto maps that the VIA client uses to connect to the controller. These IPsec crypto maps are configured in the CLI using the crypto-local ipsec-map <ipsec-map-name> command.
VIA IKE Policy
    List of IKE policies that the VIA client has to use to connect to the controller.
Use Windows Credentials
    Enable or disable the use of Windows credentials to log in to VIA. If enabled, the Single Sign-On (SSO) feature can be used by remote users to connect to internal resources. Default: Enabled
Enable IKEv2
    Select this option to enable or disable the use of IKEv2 policies for VIA.
Use Suite B Cryptography
    Select this option to use Suite B cryptography methods. You must install the Advanced Cryptography license to use Suite B cryptography.
IKEv2 Authentication method
    List of all IKEv2 authentication methods.
VIA IPSec V2 Crypto Map
    List of all IPsec V2 crypto maps that the VIA client uses to connect to the controller.
VIA IPsec Crypto Map
    List of IPsec crypto maps that the VIA client uses to connect to the controller. These IPsec crypto maps are configured in the CLI using the crypto-local ipsec-map <ipsec-map-name> command.
Allow user to save passwords
    Enable or disable the ability of users to save passwords entered in VIA. Default: Enabled
Enable Supplicant
    If enabled, VIA starts in bSec mode using L2 Suite-B cryptography. This option is disabled by default.
Enable FIPS Module
    Shows if the VIA Federal Information Processing Standard (FIPS) module is enabled, so that VIA checks for FIPS compliance during startup. This option is disabled by default.
Auto-Launch Supplicant
    Select this option to automatically connect to a configured WLAN network.
Lockdown All Settings
    If enabled, all user options on the VIA client are disabled.
Domain Suffix in VIA Authentication
    Enables a domain suffix on VIA authentication, so client credentials are sent as domainname\username instead of just username.
Enable Controllers Load Balance
    This option allows the VIA client to fail over to the next available controller, selected randomly from the list configured in the VIA Servers option. If disabled, VIA will fail over to the next controller in the ordered list of VIA Servers.
Enable Domain Pre-Connect
    This option allows users with lost or expired passwords to establish a VIA connection to the corporate network. This option authenticates the user's device and establishes a VIA connection that allows users to reset credentials and continue with corporate access.
VIA Banner Reappearance Timeout
    The maximum time (in minutes) allowed before the VIA login banner reappears. Default: 1440 min
VIA Client Network Mask
    The network mask that has to be set on the client after the VPN connection is established. Default: 255.255.255.255
Validate Server Certificate
    Enable or disable validation by VIA of the server certificate presented by the controller. Default: Enabled
VIA Client DNS Suffix List
    The DNS suffix list (comma separated) that has to be set on the client once the VPN connection is established. Default: None.
VIA max session timeout
    The maximum time (minutes) allowed before the VIA session is disconnected. Default: 1440 min
VIA Logon Script
    Name of the logon script that must be executed after VIA establishes a secure connection. The logon script must reside on the client computer.
VIA Logoff Script
    Name of the logoff script that must be executed after the VIA connection is disconnected. The logoff script must reside on the client computer.
VIA Support E-mail Address
    The support e-mail address to which VIA users will send client logs. Default: None.
Maximum reconnection attempts
    The maximum number of reconnection attempts by the VIA client due to authentication failures. Default: 3
VIA external download URL
    End users will use this URL to download VIA on their computers.
Allow user to disconnect VIA
    Enable or disable the ability of users to disconnect their VIA sessions. Default: Enabled
Content Security Gateway URL
    If split-tunnel forwarding is enabled, access to external (non-corporate) web sites will be verified by the specified content security service provider.
Comma Separated List of HTTP Ports
    Traffic from the specified ports will be verified by the content security service provider.
Enable Content Security Services
    Select this checkbox to enable the content security service. You must install the Content Security Services license to use this option.
Keep VIA window minimized
    Enable this option to minimize the VIA client to the system tray during the connection phase. Applicable to the VIA client installed on computers running the Microsoft Windows operating system.
Block traffic until VPN tunnel is up
    If enabled, this feature will block network access until the VIA VPN connection is established.
Block traffic rules
    Specify a hostname or IP address and network mask to define a whitelist of users to which the Block traffic until VPN tunnel is up setting will not apply.
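Three of the parameters above decide what the VIA client does with a packet: VIA tunneled networks and Enable split tunneling decide whether a destination is sent through the controller or bridged locally once the tunnel is up, and Block traffic until VPN tunnel is up with its Block traffic rules whitelist decides what is reachable before it is. The Python script below is an added example, not VIA or ArubaOS code, that models those decisions for a set of destinations so an administrator can see what a profile implies before pushing it. It assumes Block traffic rules entries are IP address and netmask pairs (a hostname entry would have to be resolved first), and the profile values, networks and addresses are constructed.

```python
"""Model what a VIA connection profile's tunneling and pre-tunnel blocking
settings do to a given destination.

Added example, not VIA or ArubaOS code. It follows the parameter descriptions
in the reference: with split tunneling enabled only the VIA tunneled networks
go through the controller and everything else is bridged locally; with it
disabled all traffic is tunneled; "Block traffic until VPN tunnel is up" drops
traffic before the tunnel exists except to the Block traffic rules entries,
which this script reads as address/netmask pairs (assumption: no hostnames).
"""
import ipaddress


def _networks(entries):
    """Turn 'address/netmask' strings, as the profile lists them, into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def forwarding_decision(dst, tunneled_networks, split_tunneling):
    """Return 'tunnel' or 'direct' for destination dst once the VPN is up."""
    ip = ipaddress.ip_address(dst)
    if not split_tunneling:
        return "tunnel"  # split tunneling disabled: all traffic flows through the controller
    if any(ip in net for net in _networks(tunneled_networks)):
        return "tunnel"  # destination lies inside a VIA tunneled network
    return "direct"      # bridged directly on the client, never seen by the controller


def pre_tunnel_decision(dst, block_until_up, block_traffic_rules):
    """Return 'allow' or 'block' for dst while the tunnel is not yet established."""
    if not block_until_up:
        return "allow"
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in _networks(block_traffic_rules)):
        return "allow"   # whitelisted by a Block traffic rules entry
    return "block"


# Constructed profile values in the form the show output presents them.
SAMPLE_PROFILE = {
    "VIA tunneled networks": ["10.0.0.0/255.0.0.0", "192.168.100.0/255.255.255.0"],
    "Enable split tunneling": "Enabled",
    "Block traffic until VPN tunnel is up": "Enabled",
    # Constructed controller address that must stay reachable before the tunnel is up.
    "Block traffic rules": ["203.0.113.10/255.255.255.255"],
}


def evaluate_profile(profile, destinations):
    """Return {destination: (pre-tunnel decision, post-tunnel decision)} for a profile."""
    split = profile["Enable split tunneling"] == "Enabled"
    block = profile["Block traffic until VPN tunnel is up"] == "Enabled"
    return {
        dst: (pre_tunnel_decision(dst, block, profile["Block traffic rules"]),
              forwarding_decision(dst, profile["VIA tunneled networks"], split))
        for dst in destinations
    }


if __name__ == "__main__":
    sample = ["10.20.30.40", "192.168.100.7", "198.51.100.25", "203.0.113.10"]
    for dst, (before, after) in evaluate_profile(SAMPLE_PROFILE, sample).items():
        print("%-15s before tunnel: %-5s  after tunnel: %s" % (dst, before, after))
```

The "direct" results are the ones to look at: with split tunneling enabled, every destination outside the listed networks leaves the client without passing the controller's policies, which is why the Content Security Gateway URL parameter only matters in that mode.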
Related Commands
aaa authentication via connection-profile (Config mode)
    Use aaa authentication via connection-profile to configure the parameters displayed in the output of this show command.
Command History
This command was introduced in ArubaOS 5.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local controllers
show aaa authentication via web-auth
show aaa authentication via web-auth [default]
Description
A VIA web authentication profile contains an ordered list of VIA authentication profiles. The web authentication
profile is used by end users to login to the VIA download page (https://<server-IP-address>/via) for downloading the
VIA client. Only one VIA web authentication profile is available. If more than one VIA authentication profile is
configured, users can view this list and select one during the client login.
Syntax
No parameters.
Usage Guidelines
Issue this command to view the authentication profiles associated with the default web authentication profile. Use it
without the profile name to see the list of authentication profiles.
Examples
(host) #show aaa authentication via web-auth
VIA Web Authentication List
---------------------------
Name     References  Profile Status
----     ----------  --------------
default  2
Total:1
(host) #show aaa authentication via web-auth default
VIA Web Authentication "default"
--------------------------------
Parameter                    Value
---------                    -----
VIA Authentication Profiles  via1
The output of this command includes the following parameters:
VIA Authentication Profiles
    This is the name of the VIA authentication profile. The value column displays the order of priority in which the profiles are displayed in the VIA client login.
Related Commands
aaa authentication via web-auth (Config mode)
    Use aaa authentication via web-auth to configure the parameters displayed in the output of this show command.
Command History
This command was introduced in ArubaOS 5.0.
Command Information
Platforms: All platforms
Licensing: Base operating system
Command Mode: Enable or Config mode on master or local controllers
show aaa authentication vpn
show aaa authentication vpn [default|default-cap|default-rap]
Description
This command displays VPN authentication settings, including authentication roles and servers.
Usage Guidelines
Issue this command to identify the default role assigned to VPN users, the name of the group of servers used to
authenticate the VPN users, and the maximum number of authentication failures allowed before the user is
blacklisted.
Example
The following example displays configuration details for the VPN authentication profile default, default-cap and
default-rap.
(host) #show aaa authentication vpn default
VPN Authentication Profile "default"
------------------------------------
Parameter                    Value
---------                    -----
Default Role                 default-vpn-role
Server Group                 default
Max Authentication failures  2
(TechPubs) #show aaa authentication vpn default-cap
VPN Authentication Profile "default-cap" (Predefined)
-----------------------------------------------------
Parameter                    Value
---------                    -----
Default Role                 ap-role
Server Group                 internal
Max Authentication failures  0
(TechPubs) #show aaa authentication vpn default-rap
VPN Authentication Profile "default-rap" (Predefined (changed))
---------------------------------------------------------------
Parameter                    Value
---------                    -----
Default Role                 default-vpn-role
Server Group                 default
Max Authentication failures  0
Default Role
    The default role to be assigned to VPN users.
Server Group
    The name of the server group that performs the authentication.
Max Authentication failures
    Number of times a user attempted to authenticate, but failed.
Related Commands
aaa authentication via auth-profile (Config mode)
    Use the command aaa authentication via auth-profile to configure the settings displayed in the output of this show command.
Command History
ArubaOS 3.0: Command introduced.
ArubaOS 5.0: The default-cap and default-rap profiles were introduced.
ArubaOS 6.1: The Check certificate common name against AAA server parameter was introduced.
Command Information
Platforms      Licensing                                     Command Mode
---------      ---------                                     ------------
All platforms  The PEFV license and the base operating       Enable or Config mode on master or local controllers
               system.
show aaa authentication wired
show aaa authentication wired
Description
View wired authentication settings for a client device that is directly connected to a port on the controller.
Usage Guidelines
This command displays the name of the AAA profile currently used for wired authentication.
Example
The following example shows the current wired profile for the controller is a profile named “secure_profile_3.”
(host) #show aaa authentication wired
Wired Authentication Profile
----------------------------
Parameter    Value
---------    -----
AAA Profile  Secure_profile_3
Related Commands
Command                   Description                                              Mode
-------                   -----------                                              ----
aaa authentication wired  Use the command aaa authentication wired to configure    Config mode
                          the settings displayed in the output of this show
                          command.
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable or Config mode on master or local controllers
show aaa authentication wispr
show aaa authentication wispr <profile-name>
Description
This command shows information for WISPr authentication profiles. Issue this command without the
<profile-name> option to display the entire WISPr authentication profile list, including profile status and the number
of references to each profile. Include a profile name to display detailed WISPr authentication configuration
information for that profile.
Parameter       Description
---------       -----------
<profile-name>  The name of an existing WISPr authentication profile.
Examples
The output of the example below shows two WISPr authentication profiles, default and WISPr1, each of which is
referenced twice by other profiles. The Profile Status columns are blank, indicating that these profiles are both
user-defined. (If a profile is predefined, the value Predefined appears in the Profile Status column.)
(host) #show aaa authentication wispr
WISPr Authentication Profile List
---------------------------------
Name     References  Profile Status
----     ----------  --------------
default  2
WISPr1   2
Total:2
The following example displays configuration details for the WISPr authentication profile “WISPr1”.
(host) #show aaa authentication wispr WISPr1
WISPr Authentication Profile "WISPr1"
-------------------------------------
Parameter                             Value
---------                             -----
Default Role                          guest
Server Group                          default
Logon wait minimum wait               5 sec
Logon wait maximum wait               10 sec
logon wait CPU utilization threshold  60 %
WISPr Location-ID ISO Country Code    US
WISPr Location-ID E.164 Country Code  1
WISPr Location-ID E.164 Area Code     408
WISPr Location-ID SSID/Zone           Corp1
WISPr Operator Name                   MyCompany
WISPr Location Name                   Sunnyvale
The output of this command includes the following parameters:
Parameter                             Description
---------                             -----------
Default Role                          The default role to be assigned to users that have completed WISPr
                                      authentication.
Server Group                          The name of the server group that performs the authentication.
Logon wait minimum wait               If the controller’s CPU utilization has surpassed the logon wait CPU
                                      utilization threshold value, the Logon wait minimum wait parameter
                                      defines the minimum number of seconds a user will have to wait to
                                      retry a login attempt. Range: 1-10 seconds. Default: 5 seconds.
Logon wait maximum wait               If the controller’s CPU utilization has surpassed the logon wait CPU
                                      utilization threshold value, the Logon wait maximum wait parameter
                                      defines the maximum number of seconds a user will have to wait to
                                      retry a login attempt. Range: 1-10 seconds. Default: 10 seconds.
WISPr Location-ID E.164 Area Code     The E.164 Area Code in the WISPr Location ID.
WISPr Location-ID E.164 Country Code  The 1-3 digit E.164 Country Code in the WISPr Location ID.
WISPr Location-ID ISO Country Code    The ISO Country Code in the WISPr Location ID.
WISPr Location-ID SSID/Zone           The SSID/network name in the WISPr Location ID.
WISPr Location Name                   A name identifying the hotspot location. If no name is defined, the
                                      default ap-name is used.
WISPr Operator Name                   A name identifying the hotspot operator.
Related Commands
Command                   Description                                       Mode
-------                   -----------                                       ----
aaa authentication wispr  Configure WISPr authentication values on your     Config mode on master or local
                          controller.                                       controllers.
Command History
This command was introduced in ArubaOS 3.4.1.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable or Config mode on master or local controllers
show aaa authentication-server all
show aaa authentication-server all
Description
View authentication server settings for both external authentication servers and the internal controller database.
Usage Guidelines
The output of this command displays statistics for the Authentication Server Table, including the name and address
of each server, server type and configured authorization and accounting ports.
Examples
The following command shows information for the internal Authentication server, and another RADIUS server
named RADIUS-1.
(host) #show aaa authentication-server all
Auth Server Table
-----------------
Name      Type    FQDN   IP addr      AuthPort  AcctPort  Status   Requests
----      ----    ----   -------      --------  --------  ------   --------
Internal  Local   n/a    10.4.62.11   n/a       n/a       Enabled  0
server    Ldap    n/a    0.0.0.0      389       n/a       Enabled  0
server    Radius  SRVR1  127.9.9.61   1812      1813      Enabled  0
default   Tacacs  n/a    127.9.10.61  49        n/a       Enabled  0
The following data columns appear in the output of this command:
Parameter  Description
---------  -----------
Name       Name of the authentication server.
Type       The type of authentication server. ArubaOS supports LDAP, RADIUS and TACACS+ servers,
           in addition to its own local, internal authentication server.
FQDN       The Fully-Qualified Domain Name of the server, if configured.
IP addr    IP address of the server, in dotted-decimal format.
AuthPort   Port number used for authentication. An LDAP server uses port 636 for LDAP over SSL,
           and port 389 for SSL over LDAP, Start TLS operation and clear text. The default RADIUS
           authentication port is port 1812.
AcctPort   Accounting port on the server. The default RADIUS accounting port is port 1813.
Status     Shows whether the authentication server is enabled or disabled.
Requests   Number of authentication requests received by the server.
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable or Config mode on master or local controllers
show aaa authentication-server internal
show aaa authentication-server internal [statistics]
Description
View authentication server settings for the internal controller database.
Examples
The output of the command below shows that the internal authentication server has been disabled.
(host) #show aaa authentication-server internal
Internal Server
---------------
Host      IP addr         Retries  Timeout  Status
----      -------         -------  -------  ------
Internal  10.168.254.221  3        5        Disabled
The following data columns appear in the output of this command:
Parameter  Description
---------  -----------
Host       Name of the internal authentication server.
IP addr    Address of the internal server, in dotted-decimal format.
Retries    Number of retries allowed before the server stops attempting to authenticate a request.
Timeout    Timeout period, in seconds.
Status     Shows whether the server is enabled or disabled.
Include the statistics parameter to display additional details for the internal server.
(host) #show aaa authentication-server internal statistics
Internal Database Server Statistics
-----------------------------------
PAP Requests         8
PAP Accepts          8
PAP Rejects          0
MSCHAPv2 Requests    0
MSCHAPv2 Accepts     0
MSCHAPv2 Rejects     0
Mismatch Response    0
Users Expired        1
Unknown Response     0
Timeouts             1
AvgRespTime (ms)     0
Uptime (d:h:m)       4:3:32
SEQ first/last/free  1,255,255
The following data columns appear in the output of this command:
Parameter            Description
---------            -----------
PAP Requests         Number of PAP requests received by the internal server.
PAP Accepts          Number of PAP requests accepted by the internal server.
PAP Rejects          Number of PAP requests rejected by the internal server.
MSCHAPv2 Requests    Number of MSCHAPv2 requests received by the internal server.
MSCHAPv2 Accepts     Number of MSCHAPv2 requests accepted by the internal server.
MSCHAPv2 Rejects     Number of MSCHAPv2 requests rejected by the internal server.
Mismatch Response    Number of times the server received an authentication response to a request
                     after another request had been sent.
Users Expired        Number of users that were deauthenticated because they stopped responding.
Unknown Response     Number of times the server did not recognize the response, possibly due to
                     internal errors.
Timeouts             Number of times that the controller timed out an authentication request.
AvgRespTime (ms)     Average time, in milliseconds, that the server takes to respond to an
                     authentication request.
Uptime (d:h:m)       Time elapsed since the last server reboot.
SEQ first/last/free  This internal buffer counter keeps track of the requests to the authentication
                     server.
Related Commands
Command                             Description                                                 Mode
-------                             -----------                                                 ----
aaa authentication-server internal  Issue the command aaa authentication-server internal to     Config mode
                                    use the internal database on a local controller for
                                    authenticating clients.
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable or Config mode on master or local controllers
show aaa authentication-server ldap
show aaa authentication-server ldap [<ldap_server_name>]
Description
Display configuration settings for your LDAP servers.
Syntax
Parameter           Description
---------           -----------
<ldap_server_name>  Name that identifies an LDAP server.
Examples
The output of the example below displays the LDAP server list with the names of all the LDAP servers. The
References column lists the number of other profiles that reference an LDAP server, and the Profile Status column
indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status column.
(host) #show aaa authentication-server ldap
LDAP Server List
----------------
Name   References  Profile Status
----   ----------  --------------
ldap1  5
ldap2  3
ldap3  1
Total:3
Include the <ldap_server_name> parameter to display additional details for an individual server.
(host) #show aaa authentication-server ldap ldap1
LDAP Server "ldap1"
-------------------
Parameter                  Value
---------                  -----
Host                       10.1.1.234
Admin-DN                   cn=corp,cn=Users,dc=1m,dc=corp,dc=com
Admin-Passwd               ********
Allow Clear-Text           Disabled
Auth Port                  389
Base-DN                    cn=Users,dc=1m,dc=corp,dc=com
Filter                     (objectclass=*)
Key Attribute              sAMAccountName
Timeout                    20 sec
Mode                       Enabled
Preferred Connection Type  ldap-s
The output of this command includes the following parameters:
Parameter                  Description
---------                  -----------
host                       IP address of the LDAP server.
Admin-DN                   Distinguished name for the admin user who has read/search privileges across
                           all of the entries in the LDAP database.
Admin Passwd               Password for the admin user.
Allow Clear-Text           If enabled, this parameter allows clear-text (unencrypted) communication with
                           the LDAP server.
Auth Port                  Port number used for authentication. Port 636 will be attempted for LDAP over
                           SSL, while port 389 will be attempted for SSL over LDAP, Start TLS operation
                           and clear text.
Base-DN                    Distinguished Name of the node which contains the required user database.
Filter                     Filter that should be applied to the search for the user in the LDAP database
                           (the default filter string is "(objectclass=*)").
Key attribute              Attribute that should be used as a key in the search on the LDAP server.
Timeout                    Timeout period of an LDAP request, in seconds.
Mode                       Shows whether this server is Enabled or Disabled.
Preferred Connection Type  Preferred type of connection to the server. Possible values are:
                           - Clear text
                           - LDAP-S
                           - START-TLS
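A defender reviewing these settings usually wants to know whether the admin bind and user lookups leave the controller unencrypted. The following Python is an added example (not part of the guide or of ArubaOS) that parses the Parameter/Value layout shown above and applies the checks implied by the descriptions: preferred connection type, clear-text fallback, the expected port for each connection type, and the server Mode. The sample output is constructed and deliberately shows a weak configuration.

```python
import re
from typing import Dict, List

# Constructed sample in the Parameter/Value layout printed by
# "show aaa authentication-server ldap <name>"; not a capture from a real
# controller, and intentionally configured with clear-text LDAP.
SAMPLE_LDAP_OUTPUT = """\
LDAP Server "ldap1"
-------------------
Parameter                  Value
---------                  -----
Host                       10.1.1.234
Admin-DN                   cn=corp,cn=Users,dc=1m,dc=corp,dc=com
Admin-Passwd               ********
Allow Clear-Text           Enabled
Auth Port                  389
Base-DN                    cn=Users,dc=1m,dc=corp,dc=com
Filter                     (objectclass=*)
Key Attribute              sAMAccountName
Timeout                    20 sec
Mode                       Enabled
Preferred Connection Type  Clear text
"""


def parse_parameter_table(text: str) -> Dict[str, str]:
    """Turn a two-column Parameter/Value table into a dict.

    Parameter names ("Allow Clear-Text") and values ("20 sec") may both contain
    single spaces, so the columns are split on the first run of two or more
    spaces. Lines before the "Parameter" header and dashed rules are skipped.
    """
    params: Dict[str, str] = {}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Parameter"):
            in_table = True
            continue
        if not in_table or line.startswith("-"):
            continue
        cols = re.split(r"\s{2,}", line, maxsplit=1)
        if len(cols) == 2:
            params[cols[0]] = cols[1]
    return params


def normalize(value: str) -> str:
    """Fold the spellings the guide uses (Clear text, LDAP-S, START-TLS, ldap-s)."""
    return value.strip().lower().replace(" ", "-")


def audit_ldap_server(params: Dict[str, str]) -> List[str]:
    """Return findings about how the controller talks to this LDAP server.

    The checks follow the parameter descriptions in the guide: which
    connection type is preferred, whether clear text is allowed at all,
    whether the port matches the connection type, and whether the server
    is enabled.
    """
    findings: List[str] = []
    ctype = normalize(params.get("Preferred Connection Type", ""))
    port = params.get("Auth Port", "")

    if ctype not in ("ldap-s", "start-tls"):
        findings.append(
            f"Preferred Connection Type is '{ctype or 'unset'}': the admin bind "
            "(Admin-DN/Admin-Passwd) and user lookups are sent unencrypted")
    if normalize(params.get("Allow Clear-Text", "")) == "enabled":
        findings.append(
            "Allow Clear-Text is Enabled: unencrypted communication with the "
            "LDAP server is permitted even when a TLS connection type is preferred")
    if ctype == "ldap-s" and port != "636":
        findings.append(f"Auth Port is {port} but LDAP over SSL is expected on port 636")
    if ctype == "start-tls" and port != "389":
        findings.append(f"Auth Port is {port} but Start TLS is expected on port 389")
    if normalize(params.get("Mode", "")) == "disabled":
        findings.append("Mode is Disabled: this server is not used for authentication")
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_server(parse_parameter_table(SAMPLE_LDAP_OUTPUT)):
        print("FINDING:", finding)
```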
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable or Config mode on master or local controllers
show aaa authentication-server radius
show aaa authentication-server radius [<rad_server_name>|statistics]
Description
Display configuration settings for your RADIUS servers.
Syntax
Parameter          Description
---------          -----------
<rad_server_name>  Name that identifies a RADIUS server.
statistics         Displays the statistics for all RADIUS servers.
Usage Guidelines
The Timeouts counter in the output of this command includes RADIUS accounting requests. A timeout is tracked
for every request the controller sends to the RADIUS server, so each retry is counted towards the timeout total.
Examples
The output of the example below displays the RADIUS server list with the names of all the RADIUS servers. The
References column lists the number of other profiles that reference a RADIUS server, and the Profile Status
column indicates whether the profile is predefined. User-defined servers will not have an entry in the Profile Status
column.
(host) #show aaa authentication-server radius
RADIUS Server List
------------------
Name        References  Profile Status
----        ----------  --------------
myserver    3
radius      0
servername  0
Total:3
Include the <rad_server_name> parameter to display additional details for an individual server.
(host) #show aaa authentication-server radius SMOKERAD
RADIUS Server "SMOKERAD"
------------------------
Parameter                              Value
---------                              -----
Host                                   192.0.2.1
Key                                    ********
Auth Port                              1812
Acct Port                              1813
Retransmits                            3
Timeout                                5 sec
NAS ID                                 N/A
NAS IP                                 N/A
Enable IPv6                            Disabled
NAS IPv6                               N/A
Source Interface                       N/A
Use MD5                                Disabled
Use IP address for calling station ID  Disabled
Mode                                   Enabled
Lowercase MAC addresses                Disabled
MAC address delimiter                  none
Service-type of FRAMED-USER            Disabled
The output of this command includes the following information:
Parameter                              Description
---------                              -----------
host                                   IP address of the RADIUS server.
Key                                    Shared secret between the controller and the authentication server.
Auth port                              Authentication port on the server.
Acct Port                              Accounting port on the server.
Retransmits                            Maximum number of retries sent to the server by the controller before
                                       the server is marked as down.
Timeout                                Maximum time, in seconds, that the controller waits before timing out
                                       the request and resending it.
NAS ID                                 Network Access Server (NAS) identifier to use in RADIUS packets.
NAS IP                                 NAS IP address to send in RADIUS packets. If you do not configure a
                                       server-specific NAS IP, the global NAS IP is used.
Enable IPv6                            Shows if the RADIUS server is enabled in IPv6 mode.
NAS IPv6                               IPv6 address for the global NAS IP which the controller uses to
                                       communicate with all the RADIUS servers.
Source Interface                       The source interface VLAN ID number.
Use MD5                                If enabled, the RADIUS server will use an MD5 hash of the cleartext
                                       password.
Use IP address for calling station ID  If enabled, the RADIUS server will use an IP address instead of a MAC
                                       address for calling station IDs.
Mode                                   Shows whether this server is Enabled or Disabled.
Lowercase MAC addresses                If this feature is enabled, the server will send MAC addresses in
                                       lowercase letters.
MAC address delimiter                  The character used as a MAC address delimiter. If no character is
                                       specified, the RADIUS server will use a colon (:) by default.
Service-type of FRAMED-USER            If this option is enabled, the server sends the service-type as
                                       FRAMED-USER instead of LOGIN-USER. This option is disabled by default.
Include the optional statistics parameter in this command to display the following statistics for all RADIUS servers:
Parameter     Description
---------     -----------
Server        Name of the RADIUS server.
Acct Rq       Accounting requests. The number of accounting messages (for example, start/stop/interim
              update) sent by the controller to a RADIUS server. This counter increments whenever the
              controller sends one of these messages.
Raw Rq        Raw requests. Number of raw authentication requests the controller sent to a RADIUS server.
PAP Rq        PAP requests. Number of PAP authentication requests the controller sent to a RADIUS server.
CHAP Rq       CHAP requests. Number of CHAP authentication requests the controller sent to a RADIUS
              server.
MSCHAP Rq     MSCHAP requests. Number of MS-CHAP authentication requests the controller sent to a
              RADIUS server.
MSCHAPv2 Rq   MSCHAPv2 requests. Number of MS-CHAPv2 requests the controller sent to a RADIUS server.
Mismatch Rsp  Mismatch responses. Number of responses from a RADIUS server for which the controller
              does not have the proper request context.
Bad Auth      Bad authenticator. Number of responses from the RADIUS server with an invalid secret or
              bad reply digest.
Acc           Access accept. Number of responses from the RADIUS server that indicate that client
              authentication succeeded.
Rej           Access reject. Number of responses from the RADIUS server that indicate that client
              authentication failed.
Acct Rsp      Accounting response. Number of responses sent from the RADIUS server in response to
              accounting requests sent from the controller.
Chal          Access challenge. Number of responses from the RADIUS server containing a challenge for
              the client (to complete authentication).
Ukn Rsp       Unknown response code. Number of responses from the RADIUS server that were not
              understood by the controller due to the purpose or type of the response.
Tmout         Timeouts. Number of messages sent by the controller for which the controller did not
              receive a response before the message timed out.
              NOTE: Timeouts include RADIUS accounting requests. Every request the controller sends
              to the RADIUS server is monitored for a timeout, so each retry increments this counter.
AvgRspTme     Average response time. Time taken, on average, for the RADIUS server to respond to a
              message from the controller.
Tot Rq        Total requests. This counter reflects the total number of requests sent to the RADIUS
              server (auth and accounting requests).
Tot Rsp       Total responses. This counter reflects the total number of responses received from the
              RADIUS server (auth and accounting responses).
Rd Err        Read errors. This counter reflects the total number of errors encountered while reading
              off the socket corresponding to that RADIUS server.
Uptime        Amount of time for which the RADIUS server has been active/up. The RADIUS server is
              considered to have an UP status if the server is active and serving requests. The
              RADIUS server is considered to be DOWN if the server is not responding. For example,
              if the RADIUS server does not respond for (<no of retries> * <timeout>) seconds, the
              controller takes the RADIUS server down. It brings the RADIUS server back into service
              after the dead timeout.
SEQ           Information corresponding to the sequence number of requests. SEQ total corresponds to
              the total number of sequence numbers that can be used to communicate with the RADIUS
              server. SEQ free corresponds to the free/available/not in use sequence numbers for a
              particular RADIUS server.
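The Retransmits, Timeout, Tmout and Uptime descriptions above define how the controller decides a RADIUS server is down. The Python below is an added example (not part of the guide or of ArubaOS) that models that logic with the SMOKERAD settings shown earlier (Retransmits 3, Timeout 5 sec) and reads a few of the statistics columns the way an operator would. The dead timeout value, the `responder` callback and the counter thresholds are assumptions made for the example; the guide names the dead timeout but does not show its value.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RadiusServer:
    """Per-server settings plus the counters documented for the statistics output."""
    name: str
    retransmits: int                 # Retransmits: retries before the server is marked down
    timeout: int                     # Timeout: seconds to wait before resending a request
    dead_time: int                   # assumed: seconds a DOWN server stays out of service
    tmout: int = 0                   # Tmout: incremented for every attempt that times out
    tot_rq: int = 0                  # Tot Rq: requests sent
    tot_rsp: int = 0                 # Tot Rsp: responses received
    down_since: Optional[int] = None # set when the controller marks the server DOWN


def seconds_to_mark_down(server: RadiusServer) -> int:
    """The guide's rule: no response for (<no of retries> * <timeout>) seconds."""
    return server.retransmits * server.timeout


def is_up(server: RadiusServer, now: int) -> bool:
    """A DOWN server is brought back into service once the dead timeout has elapsed."""
    if server.down_since is None:
        return True
    if now - server.down_since >= server.dead_time:
        server.down_since = None
        return True
    return False


def send_request(server: RadiusServer, now: int,
                 responder: Callable[[int], bool]) -> Tuple[str, int]:
    """Send one authentication or accounting request at time `now`.

    `responder(t)` stands in for the server: True if it answers the attempt
    made at time t. Every attempt that gets no answer within Timeout seconds
    increments Tmout ("each retry increments this counter"); after Retransmits
    unanswered attempts the server is marked DOWN. Returns (outcome, time).
    """
    if not is_up(server, now):
        return "down", now               # nothing is sent to a server marked DOWN
    t = now
    for _ in range(server.retransmits):
        server.tot_rq += 1
        if responder(t):
            server.tot_rsp += 1
            return "ok", t
        server.tmout += 1
        t += server.timeout              # wait Timeout seconds, then resend
    server.down_since = t                # retransmits * timeout seconds of silence
    return "timeout", t


def interpret_counters(counters: Dict[str, int]) -> List[str]:
    """Read the documented statistics columns and say what each one points to."""
    notes: List[str] = []
    if counters.get("Bad Auth", 0):
        notes.append("Bad Auth > 0: responses with an invalid secret or bad reply "
                     "digest, which means the shared secret differs on one side")
    if counters.get("Mismatch Rsp", 0):
        notes.append("Mismatch Rsp > 0: responses for which the controller no longer "
                     "had the request context (for example a reply that arrived "
                     "after the request timed out)")
    tot_rq = counters.get("Tot Rq", 0)
    if tot_rq and counters.get("Tmout", 0) * 2 >= tot_rq:   # assumed threshold
        notes.append("Tmout is at least half of Tot Rq: the server is unreachable "
                     "or slower than the configured Timeout")
    return notes


if __name__ == "__main__":
    smokerad = RadiusServer("SMOKERAD", retransmits=3, timeout=5, dead_time=30)
    print("marked down after", seconds_to_mark_down(smokerad), "seconds of silence")
    print(send_request(smokerad, 0, lambda t: False), "Tmout =", smokerad.tmout)
```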
Command History
Version      Description
-------      -----------
ArubaOS 3.0  Command introduced.
ArubaOS 6.1  The Source Interface parameter was introduced.
ArubaOS 6.3  The enable-ipv6 and nas-ip6 fields were added to the output of this command.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable or Config mode on master or local controllers
show aaa authentication-server tacacs
show aaa authentication-server tacacs [<tacacs_server_name>|statistics]
Description
Display configuration settings for your TACACS+ servers.
Syntax
Parameter             Description
---------             -----------
<tacacs_server_name>  Name that identifies a TACACS+ server.
statistics            Displays accounting, authorization, and authentication request and response
                      statistics for the TACACS server.
Examples
The output of the example below displays the TACACS+ server list with the names of all the TACACS+ servers.
The References column lists the number of other profiles that reference a TACACS+ server, and the Profile Status
column indicates whether the profile is predefined. User-defined profiles will not have an entry in the Profile Status
column.
(host) #show aaa authentication-server tacacs
TACACS Server List
------------------
Name     References  Profile Status
----     ----------  --------------
LabAuth  5
TACACS1  3
Total:2
Include the <tacacs_server_name> parameter to display additional details for an individual server.
(host) #show aaa authentication-server tacacs tacacs1
TACACS Server "tacacs1"
-----------------------
Parameter    Value
---------    -----
Host         10.1.1.16
Key          ********
TCP Port     49
Retransmits  3
Timeout      20 sec
Mode         Enabled
The output of this command includes the following parameters:
Parameter    Description
---------    -----------
host         IP address of the TACACS+ server.
Key          Shared secret between the controller and the authentication server.
TCP Port     TCP port used by the server.
Retransmits  Maximum number of retries sent to the server by the controller before the server is
             marked as down.
Timeout      Maximum time, in seconds, that the controller waits before timing out the request and
             resending it.
Mode         Shows whether this server is Enabled or Disabled.
Command History
Release      Modification
-------      ------------
ArubaOS 3.0  Command introduced.
ArubaOS 6.0  The statistics parameter was introduced.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable or Config mode on master or local controllers
show aaa authentication-server windows
show aaa authentication-server windows [<windows_server_name>]
Description
Display configuration settings for your Windows servers.
Syntax
Parameter              Description
---------              -----------
<windows_server_name>  Name that identifies a Windows server.
Examples
The output of the example below displays the Windows server list with the names of all the Windows servers used
for NTLM authentication. The References column lists the number of other profiles that reference a Windows
server, and the Profile Status column indicates whether the profile is predefined. User-defined profiles will not have
an entry in the Profile Status column.
(host) #show aaa authentication-server windows
Windows Server List
-------------------
Name      References  Profile Status
----      ----------  --------------
NTLM      1
Windows2  1
Total:2
Include the <windows_server_name> parameter to display additional details for an individual server.
(host) #show aaa authentication-server windows Windows2
Windows Server "windows"
------------------------
Parameter       Value
---------       -----
Host            172.21.18.170
Mode            Enabled
Windows Domain  MyCompanyDomain
The output of this command includes the following parameters:
Parameter       Description
---------       -----------
host            IP address of the Windows server.
Mode            Shows whether this server is Enabled or Disabled.
Windows Domain  Name of the Windows domain to which this server is assigned.
Command History
This command was introduced in ArubaOS 3.4.1.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable or Config mode on master or local controllers
show aaa bandwidth-contracts
show aaa bandwidth-contracts [<bwname>]
Description
This command shows the contract names, ID numbers and Rate limits for your bandwidth contracts.
Syntax
Parameter  Description
---------  -----------
<bwname>   (Optional) Name of a bandwidth contract.
Example
Specify a bandwidth contract name to view information for a specific bandwidth contract, or omit that parameter to
view information for all configured bandwidth contracts. The output of the following command shows that the
bandwidth contract VLAN has a configured rate of 6 Mbps, and the contract User has a rate of 2048 Kbps.
(host) #show aaa bandwidth-contracts VLAN
Bandwidth Contract Instances
----------------------------
Contract  Id  Rate (bits/second)
--------  --  ------------------
VLAN      1   6000000
User      2   2048000
Total contracts = 2
Per-user contract total = 4096
Per-user contract usage = 0
Related Commands
Command                 Description                                             Mode
-------                 -----------                                             ----
aaa bandwidth-contract  Use this command to define contracts to limit traffic   Config mode
                        for a user or VLAN.
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable or Config mode on master or local controllers
show aaa debug vlan user
show aaa debug vlan user [ip <ip addr>|ipv6 <ipv6addr>|mac <macaddr>]
Description
Display user VLAN derivation related debug information.
Syntax
Parameter         Description
---------         -----------
ip <ip addr>      User identification based on IPv4 address.
ipv6 <ipv6addr>   User identification based on IPv6 address.
mac <macaddr>     User identification based on MAC address.
Example
The output of the example below displays the VLAN derivation debug information for a user identified by IPv4 address.
(host) #show aaa debug vlan user ip 192.0.2.1
VLAN types present for this User
================================
Default VLAN              : 3
Initial Role Contained    : 1
User Dot1x Role Contained : 5
Dot1x Server Rule         : 5

VLAN Derivation History
=======================
VLAN Derivation History Index : 8
1. VLAN 1 for Default VLAN
2. VLAN 1 for Current VLAN updated
3. VLAN 0 for Reset VLANs for Station up
4. VLAN 3 for Default VLAN
5. VLAN 1 for Initial Role Contained
6. VLAN 5 for Dot1x Server Rule
7. VLAN 5 for User Dot1x Role Contained
8. VLAN 5 for Current VLAN updated
Current VLAN : 5 (Dot1x Server Rule)
Command History
Release      Modification
-------      ------------
ArubaOS 6.3  Command introduced.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable or Config mode on master or local controllers
show aaa derivation-rules
show aaa derivation-rules [server-group <group-name>|user <name>]
Syntax
Parameter     Description
---------     -----------
<group-name>  Name of a server group.
<name>        Name of a user rule group.
Description
Show derivation rules based on user information or configured for server groups.
Example
The output of the following command shows that the server group group1 has the internal database configured as its
authentication server, and that there is a single rule assigned to that group. You can omit the <group-name>
parameter to show a table of all your server groups.
(host) #show aaa derivation-rules server-group group1
Server Group
Name      Inservice  trim-FQDN  match-FQDN
----      ---------  ---------  ----------
Internal  Yes        No

Server Rule Table
-----------------
Priority  Attribute  Operation  Operand   Action    Value  Total Hits  New Hits
--------  ---------  ---------  -------   ------    -----  ----------  --------
1         Filter-Id  equals     nsFilter  set vlan  111    24
Rule Entries: 1
The following data columns appear in the output of this command:
Parameter   Description
---------   -----------
Name        Name of the authentication server assigned to this server group.
Inservice   Specifies if the server is in service or out-of-service.
trim-FQDN   If enabled, user information in an authentication request is edited before the
            request is sent to the server.
match-FQDN  If enabled, the authentication server is associated with a specified domain.
Priority    The priority in which the rules are applied. Rules at the top of the list are applied
            before rules at the bottom.
Attribute   This is the attribute returned by the authentication server that is examined for an
            Operation and Operand match.
Operation   This is the match method by which the string in Operand is matched with the
            attribute value returned by the authentication server.
            - contains – The rule is applied if and only if the attribute value contains the
              string in parameter Operand.
            - starts-with – The rule is applied if and only if the attribute value returned
              starts with the string in parameter Operand.
            - ends-with – The rule is applied if and only if the attribute value returned ends
              with the string in parameter Operand.
            - equals – The rule is applied if and only if the attribute value returned equals
              the string in parameter Operand.
            - not-equals – The rule is applied if and only if the attribute value returned is
              not equal to the string in parameter Operand.
            - value-of – This is a special condition. It means that the role or VLAN is set to
              the value of the attribute returned. For this to be successful, the role and the
              VLAN ID returned as the value of the selected attribute must already be
              configured on the controller when the rule is applied.
Operand     This is the string to which the value of the returned attribute is matched.
Action      This parameter identifies whether the rule sets a server group role (set role) or a
            VLAN (set vlan).
Value       Sets the user role or VLAN ID to be assigned to the client if the condition is met.
Total Hits  Number of times the rule has been applied since the last server reboot.
New Hits    Number of times the rule has been applied since the show aaa derivation-rules
            command was last issued.
To display derivation rules for a user group, include the user <name> parameter. You can also display a table of all
user rules by including the user parameter, but omitting the <name> parameter.
(host) #show aaa derivation-rules user user44
User Rule Table
---------------
Priority  Attribute  Operation  Operand  Action    Value       Total Hits  New Hits  Description
--------  ---------  ---------  -------  ------    -----       ----------  --------  -----------
1         location   equals     ap23     set role  guestrole1  56                    guest
The following data columns appear in the output of this command:
Parameter           Description
---------           -----------
Priority            The priority in which the rules are applied. Rules at the top of the list are applied before rules at the bottom.
Attribute           This is the attribute returned by the authentication server that is examined for Operation and Operand match.
Operation           This is the match method by which the string in Operand is matched with the attribute value returned by the authentication server.
                    • contains – The rule is applied if and only if the attribute value contains the string in parameter Operand.
                    • starts-with – The rule is applied if and only if the attribute value returned starts with the string in parameter Operand.
                    • ends-with – The rule is applied if and only if the attribute value returned ends with the string in parameter Operand.
                    • equals – The rule is applied if and only if the attribute value returned equals the string in parameter Operand.
                    • not-equals – The rule is applied if and only if the attribute value returned is not equal to the string in parameter Operand.
                    • value-of – This is a special condition. What this implies is that the role or VLAN is set to the value of the attribute returned. For this to be successful, the role and the VLAN ID returned as the value of the attribute selected must be already configured on the controller when the rule is applied.
Operand             This is the string to which the value of the returned attribute is matched.
Action              This parameter identifies whether the rule sets a server group role (set role) or a VLAN (set vlan).
Value               Sets the user role or VLAN ID to be assigned to the client if the condition is met.
Total Hits          Number of times the rule has been applied since the last server reboot.
New Hits            Number of times the rule has been applied since the show aaa derivation-rules command was last issued.
Description         This optional parameter describes the rule. If no description was configured then it does not appear when you view the User Table.
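The match semantics in the Operation column, including the value-of restriction that the returned role or VLAN must already exist on the controller, as an added example that is not Aruba's code. Rule 1 mirrors the show output above; the Server-Role attribute, the configured role and VLAN sets, case-sensitive matching and first-match-wins ordering are assumptions for this example.

```python
from dataclasses import dataclass

# Match methods from the Operation column. Assumption: comparisons are case-sensitive.
OPERATIONS = {
    "contains":    lambda attr, operand: operand in attr,
    "starts-with": lambda attr, operand: attr.startswith(operand),
    "ends-with":   lambda attr, operand: attr.endswith(operand),
    "equals":      lambda attr, operand: attr == operand,
    "not-equals":  lambda attr, operand: attr != operand,
}

@dataclass
class Rule:
    priority: int
    attribute: str   # attribute name returned by the authentication server
    operation: str   # a key of OPERATIONS, or "value-of"
    operand: str     # string compared against the attribute value (unused for value-of)
    action: str      # "set role" or "set vlan"
    value: str       # role or VLAN ID assigned on a match (unused for value-of)
    hits: int = 0    # mirrors the Total Hits counter in the show output

def apply_rules(rules, returned, roles, vlans):
    """Return (action, value) from the first rule, in priority order, that applies; else None.

    Assumption: first match wins. For value-of, the returned attribute value itself becomes
    the role/VLAN, but only if it is already configured on the controller.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        attr = returned.get(rule.attribute)
        if attr is None:
            continue                       # attribute not returned: nothing to compare
        if rule.operation == "value-of":
            known = roles if rule.action == "set role" else vlans
            if attr not in known:
                continue                   # role/VLAN not configured: rule cannot be applied
            rule.hits += 1
            return rule.action, attr
        if OPERATIONS[rule.operation](attr, rule.operand):
            rule.hits += 1
            return rule.action, rule.value
    return None

# Constructed data. Rule 1 mirrors the show output above (location equals ap23 -> guestrole1);
# rule 2 uses value-of on the hypothetical attribute Server-Role, trusted only if configured.
RULES = [
    Rule(1, "location", "equals", "ap23", "set role", "guestrole1"),
    Rule(2, "Server-Role", "value-of", "", "set role", ""),
]
CONFIGURED_ROLES = {"guestrole1", "employee"}
CONFIGURED_VLANS = {"10", "20"}
```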
Related Commands
Command               Description                                                                                      Mode
-------               -----------                                                                                      ----
aaa derivation-rules  Use aaa derivation-rules to define the parameters displayed in the output of this show command.  Config mode
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable or Config mode on master or local controllers
show aaa dns-query-interval
show aaa dns-query-interval <minutes>
Description
View the configured interval between DNS requests sent from the controller to the DNS server.
Syntax
No parameters
Usage Guidelines
If you define a RADIUS server using the FQDN of the server rather than its IP address, the controller will periodically
generate a DNS request and cache the IP address returned in the DNS response. By default, DNS requests are sent
every 15 minutes, but the interval can be changed using the aaa dns-query-period command. Issue the show aaa
dns-query-period command to view the current DNS query interval.
Example
This command shows that the controller will send a DNS query every 30 minutes.
(host) # show aaa dns-query-period
DNS Query Interval = 30 minutes
Related Commands
To configure the DNS query interval, issue the command aaa dns-query-interval.
Command History
This command was available in ArubaOS 6.0.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable and Config mode on local and master controllers
show aaa fqdn-server-names
show aaa fqdn-server-names
Description
Show a table of IP addresses that have been mapped to fully qualified domain names (FQDNs).
Syntax
No parameters.
Usage Guidelines
If you define a RADIUS server using the FQDN of the server rather than its IP address, the controller will periodically
generate a DNS request and cache the IP address returned in the DNS response. Issue this command to view the IP
addresses that currently correlate to each RADIUS server FQDN.
Example
The output of this command shows the IP addresses for two RADIUS servers.
(host) #show aaa fqdn-server-names
Auth Server FQDN names
----------------------
FQDN                 IP Address  IPv6 Address  Refcount
----                 ----------  ------------  --------
myhost1.example.com  192.0.2.3                 3
myhost2.example.com  192.0.2.5                 2
Related Commands
To configure a RADIUS authentication server using that server’s fully qualified domain name, use the command aaa
authentication-server radius.
Command History
This command was available in ArubaOS 6.0.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable and Config mode on local and master controllers
show aaa load-balance statistics
show aaa load-balance statistics server-group <sg_name>
Description
Display the load balancing statistics for RADIUS servers.
Syntax
Parameter  Description
---------  -----------
<sg_name>  Name of the server group.
Example
(host) #show aaa load-balance statistics server-group dot1x-test-apsim
Statistics for Radius Servers in Server Group
---------------------------------------------
Server         Acct Rq  Raw Rq  PAP Rq  CHAP Rq  MSCHAP Rq  MSCHAPv2 Rq  Mismatch Rsp  Bad Auth  Acc  Rej  Acct Rsp  Chal  Ukn Rsp  Tmout  Tot Rq  Tot Rsp  Rd Err  Outstanding Auths
------         -------  ------  ------  -------  ---------  -----------  ------------  --------  ---  ---  --------  ----  -------  -----  ------  -------  ------  -----------------
abc_RADIUS     0        0       0       0        0          26           0             0         26   0    0         0     0        0      26      26       0       0
AUTOMATIONRAD  0        0       0       0        0          207          0             0         207  0    0         0     0        0      207     207      0       0
Parameter          Description
---------          -----------
Server             Name of the RADIUS server.
Acct Rq            Accounting requests. This reports the number of accounting messages (for example, start/stop/interim update) sent by the controller to a RADIUS server. This counter increments whenever the controller sends one of these messages.
Raw Rq             Raw requests. Number of raw authentication requests the controller sent to a RADIUS server.
PAP Rq             PAP requests. Number of PAP authentication requests the controller sent to a RADIUS server.
CHAP Rq            CHAP requests. Number of CHAP authentication requests the controller sent to a RADIUS server.
MSCHAP Rq          MSCHAP requests. Number of MS-CHAP authentication requests the controller sent to a RADIUS server.
MSCHAPv2 Rq        MSCHAPv2 requests. Number of MS-CHAPv2 requests the controller sent to a RADIUS server.
Mismatch Rsp       Mismatch responses. Number of responses from a RADIUS server for which the controller does not have the proper request context.
Bad Auth           Bad authenticator. Number of responses from the RADIUS server with an invalid secret or bad reply digest.
Acc                Access accept. Number of responses from the RADIUS server that indicate that client authentication succeeded.
Rej                Access reject. Number of responses from the RADIUS server that indicate that client authentication failed.
Acct Rsp           Accounting response. Number of responses sent from the RADIUS server in response to accounting requests sent from the controller.
Chal               Access challenge. Number of responses from the RADIUS server containing a challenge for the client (to complete authentication).
Ukn Rsp            Unknown response code. Number of responses from the RADIUS server that were not understood by the controller due to the purpose or type of the response.
Tmout              Timeouts. Number of messages sent by the controller for which the controller did not receive a response before the message timed out.
                   NOTE: Timeouts include RADIUS accounting requests. Every request the controller sends to the RADIUS server is monitored for a timeout, so each retry increments this counter.
AvgRspTme          Average response time. Time taken, on average, for the RADIUS server to respond to a message from the controller.
Tot Rq             Total requests. This counter reflects the total number of requests sent to the RADIUS server (auth and accounting requests).
Tot Rsp            This counter reflects the total number of responses received from the RADIUS server (auth and accounting responses).
Rd Err             Read errors. This counter reflects the total number of errors encountered while reading off the socket corresponding to that RADIUS server.
Uptime             Amount of time for which the RADIUS server has been active/up. The RADIUS server is considered to have an UP status if the server is active and serving requests. The RADIUS server is considered to be DOWN if the server is not responding. For example, if the RADIUS server does not respond for (<no of retries> * <timeout>) seconds, the controller takes the RADIUS server down. It brings the RADIUS server back into service after the dead timeout.
SEQ                Information corresponding to the sequence number of requests. SEQ total corresponds to the total number of sequence numbers that can be used to communicate with the RADIUS server. SEQ free corresponds to the free/available/not in use sequence numbers for a particular RADIUS server.
Outstanding Auths  This value keeps track of the number of clients that are currently getting authenticated against this authentication server, i.e. clients for which the controller has sent an Access-Request but has not yet received an Access-Accept or Access-Reject, and for which the Access-Request has not timed out completely.
Command History
Version      Description
-------      -----------
ArubaOS 3.0  Command introduced.
ArubaOS 6.1  The Source Interface parameter was introduced.
ArubaOS 6.3  The enable-ipv6 and nas-ip6 fields were added to the output of this command.
ArubaOS 6.4  The Outstanding Auths parameter was added to the output of this command.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable or Config mode on master or local controllers
show aaa main-profile
show aaa main-profile summary
Description
Show a summary of all AAA profiles.
Example
The output of the show aaa main-profile summary command shows roles, server group settings, and wired-to-wireless roaming statistics for each AAA profile.
(host) #show aaa main-profile summary
AAA Profile summary
-------------------
Name       role   mac-auth  dot1xauth  radacct  XML-api    RFC3576    UDR-group  ww-roam  devtype  enforce-dhcp
----       ----   --------  ---------  -------  -------    -------    ---------  -------  -------  ------------
aaa_dot1x  logon  macprof2  dot1x      RADIUS   10.3.1.15  10.3.15.2  Usr1       Disable  enabled  disabled
default    logon  macprof2  dot1x      RADIUS   10.3.1.15  10.3.15.2  Usr1       Disable  enabled  disabled
guest      guest  macprof1  default    RADIUS   10.3.1.15  10.3.15.2  Usr2       Disable  enabled  disabled
The following data columns appear in the output of this command:
Parameter     Description
---------     -----------
Name          Name of the AAA profile.
role          Role for unauthenticated users.
mac-auth      Name of the server group used for MAC authentication.
dot1x-auth    Name of the server group used for dot1x authentication.
rad-act       Name of the server group used for RADIUS authentication.
XML-api       IP address of a configured XML API server.
RFC3576       IP address of a RADIUS server that can send user disconnect and change-of-authorization messages, as described in RFC 3576.
UDR-group     Name of the user derivation rule profile.
ww-roam       Shows if wired-to-wireless roaming is enabled or disabled.
devtype       Shows if the device identification feature is enabled or disabled. When the devtype-classification parameter is enabled, the output of the show user and show user-table commands shows each client’s device type, if that client device can be identified.
enforce-dhcp  When this option is enabled, clients must complete a DHCP exchange to obtain an IP address. Best practice is to enable this option when you use the aaa derivation-rules command to create a rule with the DHCP-Option rule type. This parameter is disabled by default.
Related Commands
Command      Description                                                                            Mode
-------      -----------                                                                            ----
aaa profile  Use aaa profile to define the parameters displayed in the output of this show command.  Config mode
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms      Licensing              Command Mode
---------      ---------              ------------
All platforms  Base operating system  Enable or Config mode on master or local controllers
show aaa password-policy mgmt
show aaa password-policy mgmt [statistics]
Description
Show the current password policy for management users.
Syntax
Parameter   Description
---------   -----------
statistics  Include this optional parameter to show the numbers of failed login attempts and any lockout periods for management user accounts.
Examples
The output of the show aaa password-policy mgmt command below shows that the current password policy
requires a management user to have a password with a minimum of 9 characters, including one numeric character
and one special character.
(host) #show aaa password-policy mgmt
Mgmt Password Policy
--------------------
Parameter                                                                                                 Value
---------                                                                                                 -----
Enable password policy                                                                                    Yes
Minimum password length required                                                                          9
Minimum number of Upper Case characters                                                                   0
Minimum number of Lower Case characters                                                                   0
Minimum number of Digits                                                                                  1
Minimum number of Special characters (!, @, #, $, %, ^, &, *, <, >, {, }, [, ], :, ., comma, |, +, ~, `)  1
Username or Reverse of username NOT in Password                                                           No
Maximum Number of failed attempts in 3 minute window to lockout user                                      0
Time duration to lockout the user upon crossing the "lock-out" threshold                                  3
Maximum consecutive character repeats                                                                     0
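A checker that applies the password-content parameters shown above to a candidate management-user password, as an added example that is not Aruba's code. The policy values mirror the example output; the case-insensitive substring semantics of the username check and the treatment of 0 as "no limit" for repeats are assumptions, and the lockout parameters (which concern login attempts, not password content) are not modelled.

```python
# Special characters as enumerated in the show aaa password-policy mgmt output above.
SPECIAL_CHARS = set("!@#$%^&*<>{}[]:.,|+~`")

# Constructed policy mirroring the example output: 9 characters, 1 digit, 1 special character,
# no case requirements, no username check and no repeat limit (0 is taken to mean no limit).
EXAMPLE_POLICY = {
    "min_length": 9,
    "min_upper": 0,
    "min_lower": 0,
    "min_digits": 1,
    "min_special": 1,
    "username_not_in_password": False,
    "max_repeats": 0,
}

def check_mgmt_password(password, username, policy=EXAMPLE_POLICY):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    counts = {
        "min_length": len(password),
        "min_upper": sum(c.isupper() for c in password),
        "min_lower": sum(c.islower() for c in password),
        "min_digits": sum(c.isdigit() for c in password),
        "min_special": sum(c in SPECIAL_CHARS for c in password),
    }
    for key, have in counts.items():
        if have < policy[key]:
            violations.append(f"{key}: have {have}, need {policy[key]}")
    # Assumption: the username check is a case-insensitive substring match, in both directions.
    if policy["username_not_in_password"]:
        lowered = password.lower()
        if username.lower() in lowered or username[::-1].lower() in lowered:
            violations.append("username or reversed username found in password")
    # Longest run of one repeated character, compared with the configured maximum.
    limit = policy["max_repeats"]
    if limit:
        run = longest = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if cur == prev else 1
            longest = max(longest, run)
        if longest > limit:
            violations.append(f"max_repeats: longest run {longest}, limit {limit}")
    return violations
```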
The following data columns appear in the output of this command:
Parameter                                  Description
---------                                  -----------
Enable password policy                     Shows if the defined policy has been enabled.
Minimum password length required           Minimum number of characters required for a management user password. The default setting is 6 characters.
Minimum number of Upper Case characters    The minimum number of uppercase letters required for a management user password. By default, there is no requirement for uppercase letters in a password, and the parameter has a default value of 0.
Minimum number of Lower Case characters    The minimum number of lowercase letters required for a management user password. By default, there is no requirement for lowercase letters in a password, and the parameter has a default value of 0.
Minimum number of Digits                   Minimum number of numeric digits required in a management user password. By default, there is no requirement for digits in a password, and the parameter has a default value of 0.
Minimum number of Special characters       Minimum number of special characters required in a management user password. By default, there is no requirement for special characters in a password, and the parameter has a default value of 0.
Username or Reverse of username NOT in Password    If Yes, a management user’s password cannot be the user’s username or the username spelled backwards. If No, the password can be the username or the username spelled backwards.
Maximum Number of failed attempts in 3 minute window to lockout user    Number of times a user can unsuccessfully attempt to log in to the controller before that user gets locked out for the time period specified by the lock-out threshold below. By default, the password lockout feature is disabled, and the default value of this parameter is 0 attempts.
Time duration to lockout the user upon crossing the "lock-out" threshold    Amount of time a management user will be “locked out” and prevented from logging into the controller after exceeding the maximum number of failed attempts setting shown above. The default lockout time is 3 minutes.
Maximum consecutive character repeats      The maximum number of consecutive repeating characters allowed in a management user password. By default, there is no limitation on the number of characters that can repeat within a password, and the