ArubaOS 6.5.1.x Command-Line Interface Reference Guide


Revision 01 | October 2016 ArubaOS 6.5.1.x | Reference Guide

Copyright Information

© Copyright 2016 Hewlett Packard Enterprise Development LP.

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
3000 Hanover Street
Palo Alto, CA 94304
USA


Revision History

The following table lists the revisions of this document.

Revision      Change Description
Revision 01   Initial release.

Table 1: Revision History


The ArubaOS Command-Line Interface

The ArubaOS 6.5.x command-line interface (CLI) allows you to configure and manage Aruba controllers. The CLI is accessible from a local console connected to the serial port on the controllers or through a Telnet or Secure Shell (SSH) session from a remote management console or workstation.

Telnet access is disabled by default. To enable Telnet access, enter the telnet CLI command from a serial connection or an SSH session, or in the WebUI navigate to the Configuration > Management > General page.

What's New in ArubaOS 6.5.x

This section lists the commands introduced, modified, or deprecated in ArubaOS 6.5.x.

Commands in ArubaOS 6.5.1.0

New Commands

The following new commands are introduced in ArubaOS 6.5.1.0:

aaa radius modifier
    This command configures the RADIUS modifier profile to customize the attributes that are included, excluded and modified in the RADIUS request before it is sent to the authentication server.

openflow-profile
    This command configures the OpenFlow profile on the mobility controller.

show aaa radius modifier
    This command displays all the RADIUS modifier profiles.

show ap blacklist-protected
    This command shows a list of iOS clients that have received a deauth message from the ARM traffic steering feature.

    iOS mobile devices such as an iPhone, iPad, or iPod automatically blacklist an SSID if that device receives more than two deauthentication messages within a five-minute period. To protect iOS devices from blacklisting an SSID due to repeated traffic steering attempts, ArubaOS can limit the number of traffic steering attempts for these devices to no more than one steering attempt every five minutes. For additional information, see Traffic Steering.

show ap debug mu status
    This command displays the active number of MU-MIMO groups formed and the state per group.

show openflow
    This command displays information such as flows, flow tables, system capabilities, and statistics related to OpenFlow on the mobility controller.

show openflow-profile
    This command displays the OpenFlow profile information configured on the mobility controller.


wlan hotspot h2qp-osu-prov-list-profile
    This command defines a Hotspot 2.0 Query Protocol (H2QP) profile that defines the settings for an Online Sign-Up (OSU) provider to be sent in the ANQP IE. When you configure one or more OSU provider list profiles, a device that cannot complete 802.1X authentication with the hotspot provider or any of its partner providers is provided a list of additional OSU providers with which it can authenticate.

Modified Commands

The following commands are modified in ArubaOS 6.5.1.0:

aaa auth-survivability
    The valid range for the cache-lifetime parameter is now 1 to 168 hours. Earlier, the range was 1 to 72 hours.

aaa authentication mgmt
    The Standard role is introduced.

aaa authentication-server radius
    The acct-modifier and auth-modifier parameters are introduced.

ap system-profile
    The following parameters are introduced:
    - dscp-to-dot1p-priority-mapping
    - ipm-enable
    - ipm-power-reduction-step-prio
    - mgmt-dscp

clear
    The stale-ap sub-parameter is introduced under the gap-db parameter, to delete stale entries such as access points that are shown as DOWN in the show ap database command.

crypto ipsec
    The esp-null transform-set parameter is introduced.

crypto-local ipsec-map
    The any sub-parameter is introduced in the dst-net and src-net parameters.

ipv6 proxy-ra
    This proxy-ra parameter enables IPv6 Proxy Router Advertisements.

logging
    The format cef parameter is introduced.

ping
    The following parameters are introduced:
    - interval
    - pattern
    - timeout
    - tos
    - ttl
    - validate-reply

mgmt-user
    The Standard role is introduced.

show ap system-profile
    The following parameters are introduced as part of the output of this command:
    - IPM activation
    - IPM power reduction steps with priorities
    - Management DSCP
    - IP DSCP to VLAN 802.1p priority mapping

show datapath
    The openflow parameter is introduced.

show mgmt-role
    The Standard role is introduced.

show license-usage
    The web-cc parameter is added to display license usage for web-content classification.

show vlan
    The output of this command is modified to include the Option-82 column.

show web-cc
    The output of the show web-cc status command is enhanced to indicate if the cloud lookup and update features are available.

stm
    The purge-blacklist-protected parameter is introduced.

user-role
    The openflow-enable parameter is introduced.

wlan ssid-profile
    The traffic-steering parameter is introduced. ARM's traffic steering feature encourages clients that support both Wi-Fi and 3G/4G cellular connections to move from a Wi-Fi connection to a cellular connection when the device moves out of a Wi-Fi coverage area, or when the Wi-Fi connection supports lower data rates than the cellular connection.

    NOTE: This feature is intended for use in deployments where a single operator provides both the Wi-Fi and cellular network, and the user onboarding and accounting for both network types is managed by a common set of RADIUS servers.

wlan hotspot hs2-profile
    This profile includes the following new configuration parameters:
    - hotspot-osen: This parameter indicates that the hotspot uses an OSU Server-only authenticated layer 2 Encryption Network (OSEN) network type.
    - dscp-exception and dscp-ranges: These values support a service provider's network QoS by mapping the service provider's Layer-3 QoS priorities (defined via DHCP) to an over-the-air Layer 2 User Priority (UP).
    - session-info-url: URL of a server that warns a user that their device's session is about to end, and can explain how to extend that session.
    - sub-deauth-reason-url: URL of a server that explains to a user why a device's session has ended or is about to end.
    - sub-rem-server-url: If a mobile device is unable to authenticate to the network using existing credentials, the device can receive the URL of a server that describes other available subscription options.

    The roam-cons-len-1, roam-cons-len-2 and roam-cons-len-3 parameters are deprecated. The roam-cons-oi-1, roam-cons-oi-2, and roam-cons-oi-3 parameters were renamed hotspot-roam-cons-oi-1, hotspot-roam-cons-oi-2, and hotspot-roam-cons-oi-3.

wlan virtual-ap
    The openflow-enable parameter is introduced.

Deprecated Commands

The following commands are deprecated in ArubaOS 6.5.1.0:

interface vlan
    The AP name and MAC sub-parameters under DHCP Option-82 are no longer supported. This option is now only used to enable DHCP Option-82.

show interface vlan
    The AP name and MAC sub-parameters under DHCP Option-82 are no longer supported. DHCP Option-82 displays only the status.

Commands in ArubaOS 6.5.0.0

New Commands

The following new commands are introduced in ArubaOS 6.5.0.0:

ap consolidated-provision info
    This command stores the consolidated AP-provisioned information of all APs connected to a controller in the ap_provision_info.txt file.

block-redirect-url
    This command redirects the user session to an external splash page when it encounters a webcc deny policy.

crypto-local isakmp allow-via-subnet-routes
    This command allows the controller to accept the subnets published by VIA clients. By default, this feature is disabled.

ip reputation
    This command blocks connectivity to IP addresses classified as malicious.

ip probe health-check
    This command configures WAN health-check ping probes for measuring WAN availability and latency on branch controller uplinks.

ntp standalone
    This command enables or disables the controller acting as an NTP server.

show ap consolidated-provision info
    This command displays the consolidated AP-provisioned information for an access point connected to the controller.

show ip-reputation
    This command displays the IP Reputation status of various services.

show ip health-check
    This command displays the health-check status of the uplink interfaces of a branch-office controller.

show ucc dns-ip-learning
    This command displays the carrier's evolved Packet Data Gateway (ePDG) IP address learned by the controller. This command is specific to Wi-Fi calling clients.

show voice facetime
    This command displays the user-configured pattern that is matched against the User-Agent field of SIP messages to determine if the session is a FaceTime session.

show voice wificalling
    This command displays the Wi-Fi Calling ALG configuration on the controller.

show web-proxy
    This command displays information about the port and server configured for the web proxy.

ssh
    This command initiates an SSH session from the controller to a remote host.

telnet
    This command initiates a Telnet session from the controller to a remote host.

voice facetime
    This command configures a pattern present in the User-Agent field of the SIP signaling message header to determine if the media session is a FaceTime session.

voice wificalling
    This command configures Wi-Fi Calling on the controller.

web-proxy server
    This command configures the web-proxy server related information.

Modified Commands

The following commands are modified in ArubaOS 6.5.0.0:

aaa authentication via connection-profile
    The ocsp-responder enable sub-command is introduced.


aaa profile
    The username-from-dhcp-opt12 parameter is introduced.

The verbose option is introduced.

ap regulatory-domain-profile
    The valid-11a-160mhz-channel-group parameter is introduced.

ap system-profile
    The following new parameters are introduced:
    - ap-console-password
    - ap-console-protection
    - console-log-lvl
    - disable-tftp-image-upgrade
    - secondary-master

ap wired-port-profile
    The portfast and portfast-trunk parameters are introduced.

clear
    The port-security-error gigabitethernet // parameter is introduced. This clears the port-security error from a gigabit Ethernet IEEE 802.3 interface.

copy
    The flash: parameter is introduced to copy files from an FTP server.

web-server profile
    The exclude security headers parameter is introduced to exclude security headers from the HTTP response.

firewall
    The ip-classification parameter is introduced.

interface fastethernet | gigabitethernet
    The switchport port-security maximum command is modified to include the level and interval sub-parameters. For level, the default value is logging.

ip access-list ip-geolocation
    The ip-geolocation parameter is introduced.

ip radius
    The nas-vlan parameter is introduced, which allows you to configure a RADIUS NAS IP for a branch controller with a VLAN ID.

ip probe default
    The jitter parameter is introduced.

mgmt-user
    The console-block parameter is introduced.

mgmt-user
    The name parameter is introduced.

rf arm-profile
    The following parameters are introduced:
    - 160MHz-support
    - interfering-ap-weight
    - dynamic-bw
    - dynamic-bw-beacon-failed-thresh
    - dynamic-bw-cca-ibss-thresh
    - dynamic-bw-cca-intf-thresh
    - dynamic-bw-clear-time
    - dynamic-bw-wait-time

rf dot11a-radio-profile
    The upper limit for the beacon-period parameter is set to 2000 milliseconds.

rf dot11g-radio-profile
    The upper limit for the beacon-period parameter is set to 2000 milliseconds.

show ap arm history
    The Result column is introduced in the output of this command to indicate the status of the requested change in channel or EIRP by ARM.

show ap debug port status
    The Portfast parameter is introduced.

show ap port status
    The Portfast parameter is introduced.

show ap regulatory-domain-profile
    The Valid 802.11a 160MHz channel group parameter is introduced.

show ap system-profile
    The following parameters are introduced as part of the output of this command:
    - Secondary Master IP/FQDN
    - Disable RAP Tftp Image Upgrade
    - AP Console Protection
    - AP Console Password

show crypto-local isakmp
    The allow-via-subnet-routes parameter is introduced.

show datapath
    The following IP Classification related parameters are introduced:
    - ip-geolocation [counters]
    - ip-reputation [counters|rtc]
    - session ip-classification

show ip access-list
    The global-geolocation-acl is introduced.

show firewall
    The IP classification parameter is introduced.


show rf arm-profile
    The following parameters are introduced as part of the output of this command:
    - 160MHz-support
    - Interfering AP Weight
    - Dynamic Bandwidth Switch
    - Dynamic Bandwidth Switch Wait Time (sec)
    - Dynamic Bandwidth Switch Triggering Indicator CCA ibss Threshold (%)
    - Dynamic Bandwidth Switch Triggering Indicator Beacon Failed Threshold
    - Dynamic Bandwidth Switch Triggering Indicator CCA intf Threshold (%)
    - Dynamic Bandwidth Switch Clear Time (min)

show snmp trap-list
    The following parameters are introduced as part of the output of this command:
    - wlsxAPDown
    - wlsxAPUp

show ucc call-info cdrs
    The WiFi-Calling application parameter is introduced.

show ucc client-info
    The WiFi-Calling application parameter is introduced.

show ucc statistics
    The WiFi-Calling application parameter is introduced.

show web-server
    The Exclude Security Headers from HTTP Response parameter is introduced.

show wlan voip-cac-profile
    The Allow Idle VOIP Client parameter is introduced.

web-server profile
    The exclude-http-security parameter is introduced.

wlan virtual-ap
    The cellular-handoff-assist parameter is introduced. This setting can now be applied to individual virtual APs via the wlan virtual-ap profile, and can help a dual-mode, 3G/4G-capable Wi-Fi device such as an iPhone, iPad, or Android client at the edge of Wi-Fi network coverage switch from Wi-Fi to an alternate 3G/4G radio that provides better network access.

wlan voip-cac-profile
    The allow-idle-voip-client parameter is introduced.

Deprecated Commands

The following commands are deprecated in ArubaOS 6.5.0.0:


ap system-profile
    The shell-passwd parameter is deprecated.

show ap system-profile
    The Shell Password parameter is deprecated from the output of this command.

About this Guide

This guide describes the ArubaOS 6.5.1.x command syntax. The commands in this guide are listed alphabetically.

The following information is provided for each command:

- Command Syntax: The complete syntax of the command.
- Description: A brief description of the command.
- Syntax: A description of the command parameters, including license requirements for specific parameters if needed. The applicable ranges and default values, if any, are also included.
- Usage Guidelines: Information to help you use the command, including prerequisites, prohibitions, and related commands.
- Example: An example of how to use the command.
- Command History: The version of ArubaOS in which the command was first introduced. Modifications and changes to the command are also noted.
- Command Information: This table describes any licensing requirements, command modes and platforms for which this command is applicable. For more information about available licenses, see the Licenses chapter of the ArubaOS 6.5.1.x User Guide.

Connecting to the Controller

This section describes how to connect to the controller to use the CLI.

Serial Port Connection

The serial port is located on the front panel of the controller. Connect a terminal or PC/workstation running a terminal emulation program to the serial port on the controller to use the CLI. Configure your terminal or terminal emulation program to use the following communication settings.

Baud Rate   Data Bits   Parity   Stop Bits   Flow Control
9600        8           None     1           None

The Aruba 7200 Series controller supports baud rates between 9600 and 115200.

Telnet or SSH Connection

Telnet or SSH access requires that you configure an IP address and a default gateway on the controller and connect the controller to your network. This is typically performed when you run the Initial Setup on the controller, as described in the ArubaOS 6.5.1.x Quick Start Guide. In certain deployments, you can also configure a loopback address for the controller; see interface loopback on page 464 for more information.


Configuration Changes on Master Controllers

Some commands can only be issued when connected to a master controller. If you make a configuration change on a master controller, all connected local controllers will subsequently update their configurations as well. You can manually synchronize all of the controllers at any time by saving the configuration on the master controller.

CLI Access

When you connect to the controller using the CLI, the system displays its host name followed by the login prompt. Log in using the admin user account and the password you entered during the Initial Setup on the controller (the password displays as asterisks). For example:

    (host)
    User: admin
    Password: *****

When you are logged in, the user mode CLI prompt displays. For example:

    (host) >

User mode provides only limited access for basic operational testing such as running ping and traceroute.

Certain management functions are available in enable (also called "privileged") mode. To move from user mode to enable mode requires you to enter an additional password that you entered during the Initial Setup (the password displays as asterisks). For example:

    (host) > enable
    Password: ******

When you are in enable mode, the > prompt changes to a pound sign (#):

    (host) #

Configuration commands are available in config mode. Move from enable mode to config mode by entering configure terminal at the # prompt:

    (host) # configure terminal
    Enter Configuration commands, one per line. End with CNTL/Z

When you are in basic config mode, (config) appears before the # prompt:

    (host) (config) #

There are several other sub-command modes that allow users to configure individual interfaces, subinterfaces, loopback addresses, GRE tunnels and cellular profiles. For details on the prompts and the available commands for each of these modes, see Appendix A: Command Modes on page 2400.

Command Help

You can use the question mark (?) to view various types of command help.

When typed at the beginning of a line, the question mark lists all the commands available in your current mode or sub-mode. A brief explanation follows each command. For example:

    (host) > ?
    enable       Turn on Privileged commands
    logout       Exit this session. Any unsaved changes are lost.
    ping         Send ICMP echo packets to a specified IP address.
    traceroute   Trace route to specified IP address.

When typed at the end of a possible command or abbreviation, the question mark lists the commands that match (if any). For example:

    (host) > c?
    clear        Clear configuration
    clock        Configure the system clock
    configure    Configuration Commands
    copy         Copy Files

If more than one item is shown, type more of the keyword characters to distinguish your choice. However, if only one item is listed, the keyword or abbreviation is valid and you can press tab or the spacebar to advance to the next keyword.

When typed in place of a parameter, the question mark lists the available options. For example:

    (host) # write ?
    erase        Erase and start from scratch
    file         Write to a file in the file system
    memory       Write to memory
    terminal     Write to terminal

The indicates that the command can be entered without additional parameters. Any other parameters are optional.

Command Completion

To make command input easier, you can usually abbreviate each keyword in the command. You need type only enough of each keyword to distinguish it from similar commands. For example:

    (host) # configure terminal

could also be entered as:

    (host) # con t

Three characters (con) represent the shortest abbreviation allowed for configure. Typing only c or co would not work because there are other commands (like copy) which also begin with those letters. The configure command is the only one that begins with con.

As you type, you can press the spacebar or tab to move to the next keyword. The system then attempts to expand the abbreviation for you. If there is only one command keyword that matches the abbreviation, it is filled in for you automatically. If the abbreviation is too vague (too few characters), the cursor does not advance and you must type more characters or use the help feature to list the matching commands.
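The abbreviation rules described above (a keyword is accepted once it is a prefix of exactly one keyword valid at that position, and the CLI refuses to advance on an ambiguous or unknown prefix) can be modelled directly. The following Python is an added illustration, not ArubaOS code; its command tree is a constructed sample limited to the keywords this chapter shows (clear, clock, configure, copy, write and their sub-keywords), so a real controller knows far more commands and may resolve abbreviations differently where its keyword set differs.

```python
# Added illustration of the ArubaOS CLI abbreviation rules described above.
# Not ArubaOS code: COMMAND_TREE is a constructed sample limited to the
# keywords this chapter mentions, so a real controller knows many more.

# Each key is a keyword; its value is the dict of keywords that may follow it.
COMMAND_TREE = {
    "clear": {},
    "clock": {},
    "configure": {"terminal": {}},
    "copy": {},
    "write": {"erase": {}, "file": {}, "memory": {}, "terminal": {}},
}


def resolve_keyword(abbrev, keywords):
    """Resolve one typed token against the keywords valid at this position.

    Returns the full keyword when the token is an exact keyword or a prefix
    of exactly one keyword. Otherwise returns the sorted list of keywords that
    share the prefix: an empty list means "unknown", two or more means
    "ambiguous", which is the list the CLI shows in response to 'c?'.
    """
    abbrev = abbrev.lower()
    if abbrev in keywords:
        return abbrev                      # exact match always wins
    matches = sorted(k for k in keywords if k.startswith(abbrev))
    if len(matches) == 1:
        return matches[0]                  # unique prefix: expand it
    return matches                         # [] unknown, [..] ambiguous


def shortest_abbreviation(keyword, keywords):
    """Shortest prefix of `keyword` that no other keyword in `keywords` shares."""
    others = [k for k in keywords if k != keyword]
    for n in range(1, len(keyword) + 1):
        prefix = keyword[:n]
        if not any(o.startswith(prefix) for o in others):
            return prefix
    return keyword


def expand_command_line(line, tree=COMMAND_TREE):
    """Expand every abbreviated keyword in `line`, left to right.

    Returns (expanded_line, None) on success or (None, reason) when a token is
    unknown or ambiguous, mirroring the CLI not advancing the cursor.
    """
    node = tree
    expanded = []
    for token in line.split():
        result = resolve_keyword(token, list(node))
        if isinstance(result, list):
            if not result:
                return None, f"unknown keyword '{token}'"
            return None, f"ambiguous abbreviation '{token}': {' '.join(result)}"
        expanded.append(result)
        node = node[result]
    return " ".join(expanded), None


if __name__ == "__main__":
    for typed in ("con t", "co t", "c", "wr mem", "clear x"):
        print(f"{typed!r:12} -> {expand_command_line(typed)}")
    print("shortest form of configure:",
          shortest_abbreviation("configure", list(COMMAND_TREE)))
```

With the sample tree, "con t" expands to "configure terminal" and "c" or "co" is reported as ambiguous with the same candidates the text lists (clear, clock, configure, copy). The shortest_abbreviation helper computes the "con" of the example mechanically, which is useful when writing scripts that drive a CLI and must not depend on an abbreviation that a later firmware release could make ambiguous.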

Deleting Configuration Settings

Use the no command to delete or negate previously-entered configurations or parameters.

- To view a list of no commands, type no at the enable or config prompt followed by the question mark. For example:

      (host) (config) # no?

- To delete a configuration, use the no form of a configuration command. For example, the following command removes a configured user role:

      (host) (config) # no user-role

- To negate a specific configured parameter, use the no parameter within the command. For example, the following commands delete the DSCP priority map for a priority map configuration:

      (host) (config) # priority-map
      (host) (config-priority-map) # no dscp priority high


Saving Configuration Changes

Each Aruba controller contains two different types of configuration images.

- The running-config holds the current controller configuration, including all pending changes which have yet to be saved. To view the running-config, use the following command:

      (host) # show running-config

- The startup-config holds the configuration which will be used the next time the controller is rebooted. It contains all the options last saved using the write memory command. To view the startup-config, use the following command:

      (host) # show startup-config

When you make configuration changes via the CLI, those changes affect the current running configuration only. If the changes are not saved, they will be lost after the controller reboots. To save your configuration changes so they are retained in the startup configuration after the controller reboots, use the following command in enable mode:

    (host) # write memory
    Saving Configuration...
    Saved Configuration

Both the startup and running configurations can also be saved to a file or sent to a TFTP server for backup or transfer to another system.
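Because the running-config and startup-config can both be exported, an operator can check for drift between them off-box, which catches both an unsaved hardening change that a reboot would silently undo and an unsaved change that loosened a role and was never reviewed. The following Python is an added example, not ArubaOS code; the two configuration texts are constructed samples in an ArubaOS-like syntax, not output captured from a controller, and the parser assumes a single level of indentation under each block header.

```python
# Added example: compare a controller's running-config with its startup-config
# to find changes that 'write memory' has not yet persisted. Not ArubaOS code.
# Both configuration texts below are constructed samples in an ArubaOS-like
# syntax (not captured controller output); real dumps have preamble lines and
# deeper nesting, which this one-level parser does not model.

RUNNING_CONFIG = """\
hostname lab-controller
ntp server 10.0.0.5
user-role guest
  session-acl guest-logon-access
  session-acl allowall
!
user-role authenticated
  session-acl allowall
!
telnet cli
"""

STARTUP_CONFIG = """\
hostname lab-controller
ntp server 10.0.0.5
user-role guest
  session-acl guest-logon-access
!
user-role authenticated
  session-acl allowall
!
"""


def config_entries(text):
    """Turn a config dump into (block, line) pairs.

    Indented lines belong to the preceding unindented line (their block), so
    'session-acl allowall' under 'user-role guest' is distinct from the same
    text under 'user-role authenticated'. A flat line comparison would miss
    that difference. '!' separators and blank lines are dropped.
    """
    entries = []
    block = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw[0].isspace():
            entries.append((block, stripped))
        else:
            block = stripped
            entries.append(("", block))
    return entries


def unsaved_changes(running, startup):
    """Return (added, removed): entries only in running / only in startup."""
    run, start = config_entries(running), config_entries(startup)
    start_set, run_set = set(start), set(run)
    added = [e for e in run if e not in start_set]
    removed = [e for e in start if e not in run_set]
    return added, removed


def needs_write_memory(running, startup):
    """True when a reboot would discard something in the running-config."""
    added, removed = unsaved_changes(running, startup)
    return bool(added or removed)


def describe(entry):
    """Human-readable form of a (block, line) entry for a report line."""
    block, line = entry
    return f"{line} (under {block})" if block else line


if __name__ == "__main__":
    added, removed = unsaved_changes(RUNNING_CONFIG, STARTUP_CONFIG)
    for entry in added:
        print("unsaved in running-config:", describe(entry))
    for entry in removed:
        print("in startup-config only:", describe(entry))
    print("write memory needed:", needs_write_memory(RUNNING_CONFIG, STARTUP_CONFIG))
```

On the sample input the report shows two unsaved changes: the guest role gained an allow-all session ACL, and Telnet was enabled. Note that the block-aware comparison is what surfaces the first one; since "session-acl allowall" already exists under the authenticated role in both files, a comparison of bare lines would report only the Telnet change.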

Commands That Reset the Controller or AP

If you use the CLI to modify a currently provisioned and running radio profile, those changes take place immediately; you do not reboot the controller or the AP for the changes to affect the current running configuration. Certain commands, however, automatically force the controller or AP to reboot. You may want to consider current network loads and conditions before issuing these commands, as they may cause a momentary disruption in service as the unit resets. Note also that changing the lms-ip parameter in an AP system profile associated with an AP group will cause all APs in that AP group to reboot.

Commands that Reset an AP:

- ap-regroup
- ap-rename
- apboot
- provision-ap
- ap wired-ap-profile forward-mode {bridge|split-tunnel|tunnel}
- wlan virtual-ap {aaa-profile |forward-mode {tunnel|bridge|split-tunnel|decrypt-tunnel} |ssid-profile |vlan...}
- ap system-profile {bootstrap-threshold |lms-ip |}
- wlan ssid-profile {battery-boost|deny-bcast|essid|opmode|strict-svp |wepkey1 |wepkey2 |wepkey3 |wepkey4|weptxkey |wmm |wmm-be-dscp |wmm-bk-dscp |wmm-ts-min-inact-int |wmm-vi-dscp |wmm-vo-dscp|wpa-hexkey |wpa-passphrase }
- wlan dot11k {bcn-measurement-mode|dot11k-enable|force-disassoc}

Commands that Reset a Controller:

- reload

Table 2: Reset Commands

Typographic Conventions

The following conventions are used throughout this manual to emphasize important concepts:

Italics
    This style is used to emphasize important terms and to mark the titles of books.

Boldface
    This style is used to emphasize command names and parameter options when mentioned in the text.

Commands
    This fixed-width font depicts command syntax and examples of commands and command output.

    In the command syntax, text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example:

        ping

    In this example, you would type "ping" at the system prompt exactly as shown, followed by the IP address of the system to which ICMP echo packets are to be sent. Do not type the angle brackets.

[square brackets]
    In the command syntax, items enclosed in brackets are optional. Do not type the brackets.

{Item_A|Item_B}
    In the command examples, single items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.

{ap-name }|{ipaddr }
    Two items within curled braces indicate that both parameters must be entered together. If two or more sets of curled braces are separated by a vertical bar, as in the example to the left, enter only one choice. Do not type the braces or bars.

Table 3: Text Conventions

Command Line Editing

The system records your most recently entered commands. You can review the history of your actions, or reissue a recent command easily, without having to retype it.

To view items in the command history, use the up arrow key to move back through the list and the down arrow key to move forward. To reissue a specific command, press Enter when the command appears in the command history. You can even use the command line editing feature to make changes to the command prior to entering it. The command line editing feature allows you to make corrections or changes to a command without retyping. The following table lists the editing controls. To use key shortcuts, press and hold the Ctrl button while you press a letter key.

Key                         Effect         Description
Ctrl A                      Home           Move the cursor to the beginning of the line.
Ctrl B or the left arrow    Back           Move the cursor one character left.
Ctrl D                      Delete Right   Delete the character to the right of the cursor.
Ctrl E                      End            Move the cursor to the end of the line.
Ctrl F or the right arrow   Forward        Move the cursor one character right.
Ctrl K                      Delete Right   Delete all characters to the right of the cursor.
Ctrl N or the down arrow    Next           Display the next command in the command history.
Ctrl P or the up arrow      Previous       Display the previous command in the command history.
Ctrl T                      Transpose      Swap the character to the left of the cursor with the character to the right of the cursor.
Ctrl U                      Clear          Clear the line.
Ctrl W                      Delete Word    Delete the characters from the cursor up to and including the first space encountered.
Ctrl X                      Delete Left    Delete all characters to the left of the cursor.

Table 4: Line Editing Keys

Specifying Addresses and Identifiers in Commands

This section describes addresses and other identifiers that you can reference in CLI commands.

IP address
    For any command that requires entry of an IP address to specify a network entity, use IPv4 network address format in the conventional dotted decimal notation (for example, 10.4.1.258).

Netmask address
    For subnet addresses, specify a netmask in dotted decimal notation (for example, 255.255.255.0).

Media Access Control (MAC) address
    For any command that requires entry of a device's hardware address, use the hexadecimal format (for example, 00:05:4e:50:14:aa).

Service Set Identifier (SSID)
    A unique character string (sometimes referred to as a network name), consisting of no more than 32 characters. The SSID is case-sensitive (for example, WLAN-01).

Basic Service Set Identifier (BSSID)
    This entry is the unique hard-wireless MAC address of the AP. A unique BSSID applies to each frequency (802.11a and 802.11g) used from the AP. Use the same format as for a MAC address.

Extended Service Set Identifier (ESSID)
    Typically the unique logical name of a wireless network. If the ESSID includes spaces, you must enclose the name in quotation marks.

Fast Ethernet or Gigabit Ethernet interface
    Any command that references a Fast Ethernet or Gigabit Ethernet interface requires that you specify the corresponding port on the controller in the format //.

    Use the show port status command to obtain the interface information currently available from a controller.

Table 5: Addresses and Identifiers
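Scripts that build controller commands from inventory data should validate each identifier against the formats in Table 5 before it reaches a command line, so that a malformed address fails in the script rather than producing a confusing CLI error or, worse, a silently different ACL. The following Python validators are an added example, not ArubaOS code; they check only the syntax described in the table (IPv4 octets in the range 0 to 255, a netmask as contiguous ones then zeros, a colon-separated hexadecimal MAC, an SSID of at most 32 octets, and quoting of an ESSID that contains spaces), so a value they accept can still be rejected by the controller for other reasons. The sample values in the test are constructed.

```python
# Added example: validators for the identifier formats in Table 5. Not
# ArubaOS code; it checks only the syntax the table describes, so a value it
# accepts can still be rejected by the controller for other reasons.
import re

# Six pairs of hex digits separated by colons, as in the table's example.
MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}")


def is_ipv4(text):
    """Dotted decimal IPv4: exactly four decimal octets, each 0-255."""
    parts = text.split(".")
    if len(parts) != 4:
        return False
    for part in parts:
        if not part.isdigit() or len(part) > 3:   # rejects '', '+1', '0256'
            return False
        if int(part) > 255:
            return False
    return True


def is_netmask(text):
    """Dotted decimal netmask: contiguous ones followed by contiguous zeros."""
    if not is_ipv4(text):
        return False
    value = 0
    for part in text.split("."):
        value = (value << 8) | int(part)
    inverted = ~value & 0xFFFFFFFF            # trailing zeros become ones
    return inverted & (inverted + 1) == 0     # true only for 0, 1, 3, 7, ...


def is_mac(text):
    """Hexadecimal MAC in the colon-separated form the table shows."""
    return MAC_RE.fullmatch(text.lower()) is not None


def is_ssid(text):
    """SSID of 1 to 32 octets; 802.11 counts octets, so measure UTF-8 bytes."""
    return 0 < len(text.encode("utf-8")) <= 32


def cli_essid_argument(name):
    """Quote an ESSID for the CLI when it contains spaces, per Table 5."""
    return f'"{name}"' if " " in name else name


if __name__ == "__main__":
    # Constructed sample values, not taken from any controller.
    for value in ("10.4.1.25", "10.4.1.256", "255.255.255.0", "255.255.0.255",
                  "00:05:4e:50:14:aa", "00-05-4e-50-14-aa", "WLAN-01"):
        print(f"{value:20} ip={is_ipv4(value)!s:5} mask={is_netmask(value)!s:5} "
              f"mac={is_mac(value)!s:5} ssid={is_ssid(value)}")
    print(cli_essid_argument("Guest WLAN"))
```

The netmask check works on the 32-bit value: inverting it turns the zero suffix into a run of ones, and a number of the form 2^k - 1 has no bit in common with its successor, so the bitwise test rejects masks with interleaved bits such as 255.255.0.255 while accepting 0.0.0.0 and 255.255.255.255.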

Contacting Support

Main Site                                    arubanetworks.com
Support Site                                 support.arubanetworks.com
Airheads Social Forums and Knowledge Base    community.arubanetworks.com
North American Telephone                     1-800-943-4526 (Toll Free)
                                             1-408-754-1200
International Telephone                      arubanetworks.com/support-services/contact-support/
Software Licensing Site                      licensing.arubanetworks.com
End-of-life Information                      arubanetworks.com/support-services/end-of-life/
Security Incident Response Team              Site: arubanetworks.com/support-services/security-bulletins/
                                             Email: [email protected]

Table 6: Contact Information

    ArubaOS 6.5.1.x | Reference Guide The ArubaOS Command-Line Interface |   20

    http://www.arubanetworks.com/https://support.arubanetworks.com/http://community.arubanetworks.com/http://www.arubanetworks.com/support-services/contact-support/https://licensing.arubanetworks.com/http://www.arubanetworks.com/support-services/end-of-life/http://www.arubanetworks.com/support-services/security-bulletins/http://www.arubanetworks.com/support-services/security-bulletins/mailto:[email protected]

aaa alias-group

aaa alias-group
    clone
    no ...
    set vlan condition essid|location equals set-value

Description
This command configures an aaa alias with a set of VLAN derivation rules that can speed up user rule derivation processing for deployments with a very large number of user derivation rules.

Command History
    ArubaOS 6.3: Command introduced.

aaa auth-survivability

aaa auth-survivability
    cache-lifetime
    enable
    server-cert

Description
This command configures Authentication Survivability on a controller.

Syntax

cache-lifetime
    This parameter specifies the lifetime in hours for the cached access credential in the local Survival Server. When the specified cache-lifetime expires, the cached access credential is deleted from the controller.
    The valid range is from 1 to 168 hours.
    Default: 24 hours

enable
    This parameter controls whether to use the Survival Server when no other servers in the server group are in service.
    This parameter also controls whether to store the user access credential in the Survival Server when it is authenticated by an external RADIUS or LDAP server in the server group. Authentication Survivability is enabled or disabled on each controller.
    NOTE: Authentication survivability will not activate if the Authentication Server Dead Time is configured as 0.
    Default: Disabled

server-cert
    This parameter allows you to view the name of the server certificate used by the local Survival Server. The local Survival Server is provided with a default server certificate from AOS. The customer server certificate must be imported into the controller first, and then you can assign the server certificate to the local Survival Server.
    NOTE: In the deployment environment, it is recommended that you switch to a customer server certificate.

Usage Guidelines
Use this command to configure authentication survivability on a standalone, local, or master controller.

To configure authentication survivability on a branch controller, you must use the Smart Config WebUI. On the branch controller, navigate to Configuration > BRANCH > Smart Config.

Command History
    ArubaOS 6.4.3.0: Command introduced.
    ArubaOS 6.5.1.0: The valid range for the cache-lifetime parameter is now 1 to 168 hours. Earlier, the range was 1 to 72 hours.

Command Information
    Platforms: 7000 Series
    Licensing: Base operating system
    Command Mode: Enable or Config mode on controllers

aaa authentication captive-portal

aaa authentication captive-portal
    apple-cna-bypass
    auth-protocol mschapv2|pap|chap
    black-list
    clone
    default-guest-role
    default-role
    enable-welcome-page
    guest-logon
    ip-addr-in-redirection
    login-page
    logon-wait {cpu-threshold }|{maximum-delay }|{minimum-delay }
    logout-popup-window
    max-authentication-failures
    no ...
    protocol-http
    redirect-pause
    redirect-url
    server-group
    show-acceptable-use-policy
    show-fqdn
    single-session
    switchip-in-redirection-url
    url-hash-key
    user-idle-timeout
    user-logon
    user-vlan-in-redirection-url
    welcome-page
    white-list

Description
This command configures a Captive Portal authentication profile.

Syntax

(profile name)
    Name that identifies an instance of the profile. The name must be 1-63 characters.
    Default: “default”

apple-cna-bypass
    Enable this knob to bypass Apple CNA on iOS devices such as iPad, iPhone, and iPod. You need to perform Captive Portal authentication from a browser.

authentication-protocol mschapv2|pap|chap
    This parameter specifies the type of authentication required by this profile. PAP is the default authentication type.
    Range: mschapv2, pap, chap; Default: pap

black-list
    Name of an existing black list on an IPv4 or IPv6 network destination. The black list contains websites (unauthenticated) that a guest cannot access.
    Specify a netdestination host or subnet to add that netdestination to the captive portal blacklist.
    If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the blacklist.

clone
    Name of an existing Captive Portal profile from which parameter values are copied.

default-guest-role
    Role assigned to guest.
    Default: guest

default-role
    Role assigned to the Captive Portal user when that user logs in. When both user and guest logons are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role.
    Default: guest

enable-welcome-page
    Displays the configured welcome page before the user is redirected to their original URL. If this option is disabled, redirection to the web URL happens immediately after the user logs in.
    Range: enabled/disabled; Default: enabled

guest-logon
    Enables Captive Portal logon without authentication.
    Range: enabled/disabled; Default: disabled

ipaddr-in-redirection-url
    Sends the controller’s interface IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the controller from which a request originated by parsing the ‘switchip’ variable in the URL. This parameter requires the Public Access license.

login-page
    URL of the page that appears for the user logon. This can be set to any URL.
    Default: /auth/index.html

logon-wait
    Configure parameters for the logon wait interval.
    Range: 1-100; Default: 60%

cpu-threshold
    CPU utilization percentage above which the logon wait interval is applied when presenting the user with the logon page.
    Range: 1-100; Default: 60%

maximum-delay
    Maximum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter.
    Range: 1-10; Default: 10 seconds

minimum-delay
    Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter.
    Range: 1-10; Default: 5 seconds

logout-popup-window
    Enables a pop-up window with the Logout link that allows the user to log out. If this option is disabled, the user remains logged in until the user timeout period has elapsed or the station reloads.
    Range: enabled/disabled; Default: enabled

max-authentication-failures
    Maximum number of authentication failures before the user is blacklisted.
    Range: 0-10; Default: 0

no
    Negates any configured parameter.

protocol-http
    Use HTTP protocol on redirection to the Captive Portal page. If you use this option, modify the captive portal policy to allow HTTP traffic.
    Range: enabled/disabled; Default: disabled (HTTPS is used)

redirect-pause
    Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link.
    Range: 1-60; Default: 10 seconds

redirect-url
    URL to which an authenticated user will be directed. This parameter must be an absolute URL that begins with either http:// or https://.

server-group
    Name of the group of servers used to authenticate Captive Portal users. See aaa server-group on page 114.

show-fqdn
    Allows the user to see and select the fully-qualified domain name (FQDN) on the login page. The FQDNs shown are specified when configuring individual servers for the server group used with captive portal authentication.
    Range: enabled/disabled; Default: disabled

show-acceptable-use-policy
    Show the acceptable use policy page before the login page.
    Range: enabled/disabled; Default: disabled

single-session
    Allows only one active user session at a time.
    Default: disabled

switchip-in-redirection-url
    Sends the controller’s IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the controller from which a request originated by parsing the ‘switchip’ variable in the URL.
    Range: enabled/disabled; Default: disabled

url-hash-key
    Issue this command to hash the redirection URL using the specified key.
    Default: disabled

user-idle-timeout
    The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.
    Default: disabled

user-logon
    Enables Captive Portal with authentication of user credentials.
    Range: enabled/disabled; Default: enabled

user-vlan-in-redirection-url
    Add the user VLAN in the redirection URL. This parameter requires the Public Access license.
    Range: enabled/disabled; Default: disabled

user-vlan-redirection-url
    Sends the user’s VLAN ID in the redirection URL when external captive portal servers are used.

welcome-page
    URL of the page that appears after logon and before redirection to the web URL. This can be set to any URL.
    Default: /auth/welcome.html

white-list
    Name of an existing white list on an IPv4 or IPv6 network destination. The white list contains authenticated websites that a guest can access. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the whitelist.

Usage Guidelines
You can configure the Captive Portal authentication profile in the base operating system or with the Next Generation Policy Enforcement Firewall (PEFNG) license installed. When you configure the profile in the base operating system, the name of the profile must be entered for the initial role in the AAA profile. Also, when you configure the profile in the base operating system, you cannot define the default-role.

Example
The following example configures a Captive Portal authentication profile that authenticates users against the controller’s internal database. Users who are successfully authenticated are assigned the auth-guest role.

To create the auth-guest user role shown in this example, the PEFNG license must be installed in the controller.

    aaa authentication captive-portal guestnet
        default-role auth-guest
        user-logon
        no guest-logon
        server-group internal

Command History
    ArubaOS 3.0: Command introduced.
    ArubaOS 6.0: The max-authentication-failures parameter no longer requires a license.
    ArubaOS 6.1: The sygate-on-demand, black-list and white-list parameters were added.
    ArubaOS 6.2: The auth-protocol parameter was added, and the user-chap parameter was deprecated.
    ArubaOS 6.3: The user-idle-timeout parameter was introduced.
    ArubaOS 6.4: The url-hash-key parameter was introduced.

Command Information
    Platforms: All platforms
    Licensing: Base operating system, except for noted parameters
    Command Mode: Config mode on master controllers

aaa authentication dot1x

aaa authentication dot1x {|countermeasures}
    ca-cert
    cert-cn-lookup
    clear
    clone
    delete-keycache
    eapol-logoff
    enforce-suite-b-128
    enforce-suite-b-192
    framed-mtu
    heldstate-bypass-counter
    ignore-eap-id-match
    ignore-eapolstart-afterauthentication
    machine-authentication blacklist-on-failure|{cache-timeout }|enable|{machine-default-role }|{user-default-role }
    max-authentication-failures
    max-requests
    multicast-keyrotation
    no ...
    opp-key-caching
    reauth-max
    reauth-server-termination-action
    reauthentication
    server {server-retry |server-retry-period }
    server-cert
    termination {eap-type }|enable|enable-token-caching|{inner-eap-type (eap-gtc|eap-mschapv2)}|{token-caching-period }
    timer {idrequest_period }|{keycache-tmout }|{mkey-rotation-period }|{quiet-period }|{reauth-period }|{ukey-rotation-period }|{wpa-groupkey-delay }|{wpa-key-period }|wpa2-key-delay
    tls-guest-access
    tls-guest-role
    unicast-keyrotation
    use-session-key
    use-static-key
    validate-pmkid
    voice-aware
    wep-key-retries
    wep-key-size {40|128}
    wpa-fast-handover
    wpa-key-retries
    xSec-mtu

Description
This command configures the 802.1X authentication profile.

Syntax

(profile name)
    Name that identifies an instance of the profile. The name must be 1-63 characters.
    Default: “default”

clear
    Clear the Cached PMK, Role and VLAN entries. This command is available in enable mode only.

countermeasures
    Scans for message integrity code (MIC) failures in traffic received from clients. If there are more than 2 MIC failures within 60 seconds, the AP is shut down for 60 seconds. This option is intended to slow down an attacker who is making a large number of forgery attempts in a short time.
    Default: disabled

ca-cert
    CA certificate for client authentication. The CA certificate needs to be loaded in the controller.

cert-cn-lookup
    If you use client certificates for user authentication, enable this option to verify that the certificate's common name exists in the server. This parameter is disabled by default.

delete-keycache
    Delete the key cache entry when the user entry is deleted.
    Default: disabled

eapol-logoff
    Enables handling of EAPOL-LOGOFF messages.
    Default: disabled

enforce-suite-b-128
    Configure Suite-B 128 bit or more security level authentication enforcement.
    Default: disabled

enforce-suite-b-192
    Configure Suite-B 192 bit or more security level authentication enforcement.
    Default: disabled

framed-mtu
    Sets the framed MTU attribute sent to the authentication server.
    Range: 500-1500; Default: 1100

heldstate-bypass-counter
    (This parameter is applicable when 802.1X authentication is terminated on the controller, also known as AAA FastConnect.) Number of consecutive authentication failures which, when reached, causes the controller to not respond to authentication requests from a client while the controller is in a held state after the authentication failure. Until this number is reached, the controller responds to authentication requests from the client even while the controller is in its held state.
    Range: 0-3; Default: 0

ignore-eap-id-match
    Ignore EAP ID during negotiation.
    Default: disabled

ignore-eapolstart-afterauthentication
    Ignores EAPOL-START messages after authentication.
    Default: disabled

machine-authentication
    (For Windows environments only) These parameters set machine authentication:
    NOTE: This parameter requires the PEFNG license.

blacklist-on-failure
    Blacklists the client if machine authentication fails.
    Default: disabled

cache-timeout
    The timeout, in hours, for machine authentication.
    Range: 1-1000; Default: 24 hours (1 day)

enable
    Select this option to enforce machine authentication before user authentication. If selected, either the machine-default-role or the user-default-role is assigned to the user, depending on which authentication is successful.
    Default: disabled

machine-default-role
    Default role assigned to the user after completing only machine authentication.
    Default: guest

user-default-role
    Default role assigned to the user after 802.1X authentication.
    Default: guest

max-authentication-failures
    Number of times a user can try to login with wrong credentials after which the user is blacklisted as a security threat. Set to 0 to disable blacklisting, otherwise enter a non-zero integer to blacklist the user after the specified number of failures.
    Range: 0-5; Default: 0 (disabled)

max-requests
    Maximum number of times ID requests are sent to the client.
    Range: 1-10; Default: 5

multicast-keyrotation
    Enables multicast key rotation.
    Default: disabled

no
    Negates any configured parameter.

opp-key-caching
    Enables a cached pairwise master key (PMK) derived with a client and an associated AP to be used when the client roams to a new AP. This allows clients faster roaming without a full 802.1X authentication.
    NOTE: Make sure that the wireless client (the 802.1X supplicant) supports this feature. If the client does not support this feature, the client will attempt to renegotiate the key whenever it roams to a new AP. As a result, the key cached on the controller can be out of sync with the key used by the client.
    Default: enabled

reauth-max
    Maximum number of reauthentication attempts.
    Range: 1-10; Default: 3

reauth-server-termination-action
    Specifies the termination-action attribute from the server.

reauthentication
    Select this option to force the client to do an 802.1X reauthentication after the expiration of the default timer for reauthentication. (The default value of the timer is 24 hours.) If the user fails to reauthenticate with valid credentials, the state of the user is cleared.
    If derivation rules are used to classify 802.1X-authenticated users, then the reauthentication timer per role overrides this setting.
    Default: disabled

reload-cert
    Reload Certificate for 802.1X termination. This command is available in enable mode only.

server
    Sets options for sending authentication requests to the authentication server group.

server-retry
    Maximum number of authentication requests that are sent to server group.
    Range: 0-3; Default: 3

server-retry-period
    Server group retry interval, in seconds.
    Range: 5-65535; Default: 5 seconds

server-cert
    Server certificate used by the controller to authenticate itself to the client.

termination
    Sets options for terminating 802.1X authentication on the controller.

eap-type
    The Extensible Authentication Protocol (EAP) method, either EAP-PEAP or EAP-TLS.
    Range: eap-peap/eap-tls; Default: eap-peap

enable
    Enables 802.1X termination on the controller.
    Default: disabled

enable-token-caching
    If you select EAP-GTC as the inner EAP method, you can enable the controller to cache the username and password of each authenticated user. The controller continues to reauthenticate users with the remote authentication server; however, if the authentication server is not available, the controller will inspect its cached credentials to reauthenticate users.
    Default: disabled

inner-eap-type eap-gtc|eap-mschapv2
    When EAP-PEAP is the EAP method, one of the following inner EAP types is used:
    EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecureID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the controller as a backup to an external authentication server.
    EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2): Described in RFC 2759, this EAP method is widely supported by Microsoft clients.
    Range: eap-gtc/eap-mschapv2; Default: eap-mschapv2

token-caching-period
    If you select EAP-GTC as the inner EAP method, you can specify the timeout period, in hours, for the cached information.
    Range: (any); Default: 24 hours

timer
    Sets timer options for 802.1X authentication:

idrequest-period
    Interval, in seconds, between identity request retries.
    Range: 1-65535; Default: 5 seconds

keycache-tmout
    Set the per BSSID PMKSA cache interval. Cache is deleted within 2 hours of the interval.
    Range: 1-2000 (hours); Default: 8 hours

mkey-rotation-period
    Interval, in seconds, between multicast key rotation.
    Range: 60-864000; Default: 1800 seconds

quiet-period
    Interval, in seconds, following failed authentication.
    Range: 1-65535; Default: 30 seconds

reauth-period
    Interval, in seconds, between reauthentication attempts, or specify server to use the server-provided reauthentication period.
    Range: 60-864000; Default: 86400 seconds (1 day)

ukey-rotation-period
    Interval, in seconds, between unicast key rotation.
    Range: 60-864000; Default: 900 seconds

wpa-groupkey-delay
    Interval, in milliseconds, between unicast and multicast key exchanges.
    Range: 0-2000; Default: 0 ms (no delay)

wpa-key-period
    Interval, in milliseconds, between each WPA key exchange.
    Range: 1000-5000; Default: 1000 ms

wpa2-key-delay
    Set the delay between EAP-Success and unicast key exchange.
    Range: 1-2000; Default: 0 ms (no delay)

tls-guest-access
    Enables guest access for EAP-TLS users with valid certificates.
    Default: disabled

tls-guest-role
    User role assigned to EAP-TLS guest.
    NOTE: This parameter requires the PEFNG license.
    Default: guest

unicast-keyrotation
    Enables unicast key rotation.
    Default: disabled

use-session-key
    Use RADIUS session key as the unicast WEP key.
    Default: disabled

use-static-key
    Use static key as the unicast/multicast WEP key.
    Default: disabled

validate-pmkid
    This parameter instructs the controller to check the pairwise master key (PMK) ID sent by the client. When this option is enabled, the client must send a PMKID in the associate or reassociate frame to indicate that it supports OKC or PMK caching; otherwise, full 802.1X authentication takes place. (This feature is optional, since most clients that support OKC and PMK caching do not send the PMKID in their association request.)
    Default: disabled

voice-aware
    Enables rekey and reauthentication for VoWLAN clients.
    NOTE: The Next Generation Policy Enforced Firewall license must be installed.
    Default: enabled

wep-key-retries
    Number of times WPA/WPA2 key messages are retried.
    Range: 1-5; Default: 3

wep-key-size
    Dynamic WEP key size, either 40 or 128 bits.
    Range: 40 or 128; Default: 128 bits

wpa-fast-handover
    Enables WPA-fast-handover. This is only applicable for phones that support WPA and fast handover.
    Default: disabled

wpa-key-retries
    Set the number of times WPA/WPA2 Key Messages are retried. The supported range is 1-10 retries, and the default value is 3.
    Range: 1-10; Default: 3

xSec-mtu
    Sets the size of the MTU for xSec.
    Range: 1024-1500; Default: 1300 bytes

Usage Guidelines
The 802.1X authentication profile allows you to enable and configure machine authentication and 802.1X termination on the controller (also called “AAA FastConnect”).

In the AAA profile, specify the 802.1X authentication profile, the default role for authenticated users, and the server group for the authentication.

Examples
The following example enables authentication of the user’s client device before user authentication. If machine authentication fails but user authentication succeeds, the user is assigned the restricted “guest” role:

    aaa authentication dot1x dot1x
        machine-authentication enable
        machine-authentication machine-default-role computer
        machine-authentication user-default-role guest

The following example configures an 802.1X profile that terminates authentication on the controller, where the user authentication is performed with the controller’s internal database or to a “backend” non-802.1X server:

    aaa authentication dot1x dot1x
        termination enable

Command History
    ArubaOS 3.0: Command introduced.
    ArubaOS 6.1: The cert-cn-lookup, enforce-suite-b-128 and enforce-suite-b-192 parameters were introduced.
    ArubaOS 6.3.1.2: The delete-keycache parameter was introduced.

Command Information
    Platforms: All platforms
    Licensing: Base operating system. The voice-aware parameter requires the PEFNG license.
    Command Mode: Config mode on master controllers

aaa authentication mac

aaa authentication mac
    case upper|lower
    clone
    delimiter {colon|dash|none}
    max-authentication-failures
    no ...
    reauthentication
    timer reauth period {|server}

Description
This command configures the MAC authentication profile.

Syntax

(profile name)
    Name that identifies an instance of the profile. The name must be 1-63 characters.
    Default: “default”

case
    The case (upper or lower) used in the MAC string sent in the authentication request. If there is no delimiter configured, the MAC address in lower case is sent in the format xxxxxxxxxxxx, while the MAC address in upper case is sent in the format XXXXXXXXXXXX.
    Range: upper, lower; Default: lower

clone
    Name of an existing MAC profile from which parameter values are copied.

delimiter
    Delimiter (colon, dash, or none) used in the MAC string.
    Range: colon, dash, none; Default: none

max-authentication-failures
    Number of times a client can fail to authenticate before it is blacklisted. A value of 0 disables blacklisting.
    Range: 0-10; Default: 0 (disabled)

no
    Negates any configured parameter.

reauthentication
    Use this parameter to enable or disable reauthentication.
    Default: Disabled

timer reauth period|server
    Specifies the period between reauthentication attempts in seconds. The server parameter specifies the server-provided reauthentication interval.
    Range: 60-864000 seconds; Default: 86400 seconds (1 day)

Usage Guidelines
The MAC authentication profile configures authentication of devices based on their physical MAC address. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to all other devices. Users may be required to authenticate themselves using other methods, depending upon the network privileges.

Example
The following example configures a MAC authentication profile to blacklist client devices that fail to authenticate.

    aaa authentication mac mac-blacklist
        max-authentication-failures 3

Command History
    ArubaOS 3.0: Command introduced.
    ArubaOS 3.3.1.8: The max-authentication-failures parameter was allowed in the base operating system. In earlier versions of ArubaOS, the max-authentication-failures parameter required the Wireless Intrusion Protection license.
    ArubaOS 6.3: The reauthentication and timer reauth period parameters were introduced.

Command Information
    Platforms: All platforms
    Licensing: Base operating system
    Command Mode: Config mode on master controllers
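The case and delimiter parameters above decide the exact MAC string the controller sends as the username in the authentication request, and the user database must hold the identical string. This added example (not Aruba code) builds that string for each combination, using the page's sample address 00:05:4e:50:14:aa; the defaults match the page (case lower, delimiter none).

```python
"""Build the MAC string an ArubaOS MAC authentication profile sends, per the
profile's case (upper|lower) and delimiter (colon|dash|none) parameters.
Added example for this page, not Aruba code; the addresses are constructed."""
import re
from typing import Dict, Tuple

HEX12 = re.compile(r"^[0-9a-f]{12}$")
DELIMITERS = {"colon": ":", "dash": "-", "none": ""}


def normalize_mac(mac: str) -> str:
    """Strip any separator from a client MAC and return 12 lowercase hex digits.

    Raises ValueError for anything that is not exactly 48 bits of hex, so a
    malformed address cannot silently turn into a different username.
    """
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_auth_username(mac: str, case: str = "lower", delimiter: str = "none") -> str:
    """Format the MAC as the profile sends it in the authentication request.

    With no delimiter the page gives xxxxxxxxxxxx (lower) or XXXXXXXXXXXX
    (upper); with colon or dash the octets are separated accordingly.
    """
    if case not in ("upper", "lower"):
        raise ValueError(f"case must be upper|lower, got {case!r}")
    if delimiter not in DELIMITERS:
        raise ValueError(f"delimiter must be colon|dash|none, got {delimiter!r}")
    digits = normalize_mac(mac)
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    out = DELIMITERS[delimiter].join(octets)
    return out.upper() if case == "upper" else out


def all_variants(mac: str) -> Dict[Tuple[str, str], str]:
    """Every username a server could be asked to match for one client, keyed by
    (case, delimiter). Useful when the profile and the user database disagree."""
    return {(c, d): mac_auth_username(mac, c, d)
            for c in ("lower", "upper") for d in DELIMITERS}


if __name__ == "__main__":
    for (c, d), name in all_variants("00:05:4e:50:14:aa").items():
        print(f"case {c:5} delimiter {d:5} -> {name}")
```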

aaa authentication mgmt

aaa authentication mgmt
    default-role {guest-provisioning|location-api-mgmt|network-operations|no-access|read-only|root|standard}
    enable
    no ...
    server-group

Description
This command configures authentication for administrative users.

Syntax

default-role
    Select a predefined management role to assign to authenticated administrative users:
    Default: default

default
    Default superuser role

guest-provisioning
    Guest provisioning role

location-api-mgmt
    Location API role

network-operations
    Network operations role

no-access
    No commands are accessible for this role

read-only
    Read-only role

standard
    Standard role

enable
    Enables authentication for administrative users.
    Range: enabled|disabled; Default: disabled

mchapv2
    Enable MSCHAPv2
    Range: enabled|disabled; Default: disabled

no
    Negates any configured parameter.

server-group
    Name of the group of servers used to authenticate administrative users. See aaa server-group on page 114.
    Default: default

Usage Guidelines
If you enable authentication with this command, users configured with the mgmt-user command must be authenticated using the specified server-group.

You can configure the management authentication profile in the base operating system or with the PEFNG license installed.

Example
The following example configures a management authentication profile that authenticates users against the controller’s internal database. Users who are successfully authenticated are assigned the read-only role.

    aaa authentication mgmt
        default-role read-only
        server-group internal

Command History
    ArubaOS 3.0: Command introduced.
    ArubaOS 3.2: The network-operations role was introduced.
    ArubaOS 3.3: The location-api-mgmt role was introduced.
    ArubaOS 6.5.1: The Standard role was introduced.

Command Information
    Platforms: All platforms
    Licensing: Base operating system
    Command Mode: Config mode on master controllers

aaa authentication-server internal

aaa authentication-server internal use-local-switch

Description
This command specifies that the internal database on a local controller be used for authenticating clients.

Usage Guidelines
By default, the internal database in the master controller is used for authentication. This command directs authentication to the internal database on the local controller where you run the command.

Command History
This command was available in ArubaOS 3.0.

Command Information
    Platforms: All platforms
    Licensing: Base operating system
    Command Mode: Config mode on master or local controllers

aaa authentication-server ldap

aaa authentication-server ldap
    admin-dn
    admin-passwd
    allow-cleartext
    authport
    base-dn
    clone
    enable
    filter
    host
    key-attribute
    max-connection
    no ...
    preferred-conn-type ldap-s|start-tls|clear-text
    timeout

Description
This command configures an LDAP server.

Starting with ArubaOS 6.4, a maximum of 128 LDAP servers can be configured on the controller.

Syntax

(server name)
    Name that identifies the server.

admin-dn
    Distinguished name for the admin user who has read/search privileges across all of the entries in the LDAP database (the user does not need write privileges but should be able to search the database and read attributes of other users in the database).

admin-passwd
    Password for the admin user.

allow-cleartext
    Allows clear-text (unencrypted) communication with the LDAP server.
    Range: enabled|disabled; Default: disabled

authport
    Port number used for authentication. Port 636 will be attempted for LDAP over SSL, while port 389 will be attempted for SSL over LDAP, Start TLS operation and clear text.
    Range: 1-65535; Default: 389

base-dn
    Distinguished Name of the node which contains the entire user database to use.

    clone Name of an existing LDAP serverconfiguration from which parametervalues are copied.

    — —

    enable Enables the LDAP server. —

    filter Filter that should be applied to search ofthe user in the LDAP database. The defaultfilter string is (objectclass=*).

    — (objectclass=*)

    host IP address of the LDAP server, in dotted-decimal format.

    — —

    key-attribute Attribute that should be used as a key insearch for the LDAP server. For ActiveDirectory, the value is sAMAccountName.

    — sAMAccountName

    max-connection Maximum number of simultaneous non-admin connections to an LDAP server.

    — —

    no Negates any configured parameter. — —

    preferred-conn-type Preferred connection type. The defaultorder of connection type is:

    1. ldap-s

    2. start-tls

    3. clear-text

    The controller will first try to contact theLDAP server using the preferredconnection type, and will only attempt touse a lower-priority connection type if thefirst attempt is not successful.

    NOTE: You enable the allow-cleartextoption before you select clear-text as thepreferred connection type. If you set clear-text as the preferred connection type butdo not allow clear-text, the controller willonly use ldap-s or start-tls to contact theLDAP server.

    ldap-s

    start-tls

    clear-text

    ldap-s

    timeout Timeout period of a LDAP request, inseconds.

    1-30 20 seconds

    Usage GuidelinesYou configure a server before you can add it to one or more server groups. You create a server group for aspecific type of authentication (see aaa server-group on page 114).

    ExampleThe following command configures and enables an LDAP server:aaa authentication-server ldap ldap1

  • host 10.1.1.243base-dn cn=Users,dc=1m,dc=corp,dc=comadmin-dn cn=corp,cn=Users,dc=1m,dc=corp,dc=comadmin-passwd abc10key-attribute sAMAccountNamefilter (objectclass=*)enable
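The preferred-conn-type and allow-cleartext parameters interact: the controller walks the connection types in priority order starting from the preferred one, and clear-text is only ever used when allow-cleartext is enabled. The following Python model of that fallback is an added illustration written for this page; it is not ArubaOS code. It assumes (as the authport description states) that ldap-s is attempted on port 636 and start-tls and clear-text on port 389 when no explicit authport is configured, and that an explicit authport is used for every attempt; the names select_connection_attempts and negotiate are this example's own.

```python
"""Model of the LDAP connection-type fallback described under preferred-conn-type.

Added illustration, not ArubaOS code. Default priority order: ldap-s, start-tls,
clear-text. clear-text is usable only when allow-cleartext is enabled.
Assumption: ldap-s -> port 636, start-tls/clear-text -> port 389 unless an
explicit authport is given, in which case that port is used for every attempt.
"""
from typing import Callable, List, Optional, Tuple

ORDER = ["ldap-s", "start-tls", "clear-text"]   # default priority order from the guide


def select_connection_attempts(preferred: Optional[str] = None,
                               allow_cleartext: bool = False,
                               authport: Optional[int] = None) -> List[Tuple[str, int]]:
    """Ordered (connection-type, port) attempts the controller would make.

    The preferred type is tried first and only lower-priority types follow it.
    clear-text is dropped unless allow-cleartext is enabled; when clear-text is
    preferred but not allowed, the guide says only ldap-s or start-tls are used.
    """
    if preferred is None:
        preferred = ORDER[0]
    if preferred not in ORDER:
        raise ValueError(f"unknown connection type: {preferred}")

    candidates = ORDER[ORDER.index(preferred):]          # preferred, then lower priority
    if not allow_cleartext:
        candidates = [c for c in candidates if c != "clear-text"]
    if not candidates:
        # clear-text preferred without allow-cleartext: fall back to the encrypted types
        candidates = [c for c in ORDER if c != "clear-text"]

    def port_for(conn: str) -> int:
        if authport is not None:
            return authport                              # assumption: explicit port wins
        return 636 if conn == "ldap-s" else 389

    return [(c, port_for(c)) for c in candidates]


def negotiate(attempts: List[Tuple[str, int]],
              try_connect: Callable[[str, int], bool]) -> Optional[Tuple[str, int]]:
    """Walk the attempt list and return the first (type, port) that try_connect
    accepts, or None when the server is unreachable on every permitted type."""
    for conn, port in attempts:
        if try_connect(conn, port):
            return (conn, port)
    return None


if __name__ == "__main__":
    # Constructed scenario: the server does not answer on 636 but speaks Start TLS.
    attempts = select_connection_attempts(allow_cleartext=True)
    print(negotiate(attempts, lambda conn, port: conn == "start-tls"))
```

With the defaults (no preferred type, allow-cleartext disabled) the model yields only ldap-s and start-tls, which is the configuration a defender wants to see; any appearance of clear-text in the attempt list is a direct consequence of allow-cleartext having been enabled.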

Command History
This command was available in ArubaOS 3.0.

Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers

aaa authentication-server radius

    aaa authentication-server radius
        acct-modifier
        acctport
        authport
        auth-modifier
        called-station-id type {ap-group | ap-macaddr | ap-name | ipaddr | macaddr | vlan-id} [delimiter {colon | dash | none}] [include-ssid {enable | disable}]
        clone
        cppm username password
        enable
        enable-ipv6
        enable-radsec
        host (IPv4/IPv6 address or FQDN)
        key
        mac-delimiter [colon | dash | none | oui-nic]
        mac-lowercase
        nas-identifier
        nas-ip
        nas-ip6
        no
        radsec-client-cert-name
        radsec-port
        radsec-trusted-cacert-name
        radsec-trusted-servercert-name
        retransmit
        service-type-framed-user
        source-interface vlan ip6addr
        timeout
        use-ip-for-calling-station
        use-md5

Description
This command configures a RADIUS server.

Starting with ArubaOS 6.4, a maximum of 128 RADIUS servers can be configured on the controller.

Syntax
Range and default values are listed where the guide specifies them.

    server name (first argument)
        Name that identifies the server.

    acct-modifier
        Attributes modifier for accounting-request.

    acctport
        Accounting port on the server.
        Range: 1-65535. Default: 1813.

    authport
        Authentication port on the server.
        Range: 1-65535. Default: 1812.

    auth-modifier
        Attributes modifier for access-request.

    called-station-id type {ap-group | ap-macaddr | ap-name | ipaddr | macaddr | vlan-id}
        Configure this parameter to be sent with the RADIUS attribute Called Station ID for authentication and accounting requests.
        The called-station-id parameter can be configured to include AP group, AP MAC address, AP name, controller IP, controller MAC address, or user VLAN.
        The default value is controller MAC address.
        Default: macaddr.

    clone
        Name of an existing RADIUS server configuration from which parameter values are copied.

    cppm username password
        Configure the CPPM username and password. The controller authenticating to CPPM is enhanced to use a configurable username and password instead of the support password. The support password is vulnerable to attacks because the server certificate presented by the CPPM server is not validated.

    enable
        Enables the RADIUS server.

    enable-ipv6
        Enables the RADIUS server in IPv6 mode.

    enable-radsec
        Enables RadSec for RADIUS data transport over TCP and TLS.

    host
        Identify the RADIUS server either by its IP address or fully qualified domain name.
        - IPv4 or IPv6 address of the RADIUS server.
        - Fully qualified domain name (FQDN) of the RADIUS server. The maximum supported length is 63 characters.

    key
        Shared secret between the controller and the authentication server. The maximum length is 128 characters.

    mac-delimiter [colon | dash | none | oui-nic]
        Send MAC address with user-defined delimiter.
        Default: none.

    mac-lowercase
        Send MAC addresses as lowercase.

    nas-identifier
        Network Access Server (NAS) identifier to use in RADIUS packets.

    nas-ip
        The NAS IP address to be sent in RADIUS packets from that server. If you define a local NAS IP setting using this command and also define a global NAS IP using the command ip radius nas-ip, the global NAS IP address takes precedence.

    nas-ip6
        NAS IPv6 address to send in RADIUS packets.
        You can configure a "global" NAS IPv6 address that the controller uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IPv6, the global NAS IPv6 is used. To set the global NAS IPv6, enter the ipv6 radius nas-ip6 command.

    no
        Negates any configured parameter.

    radsec-client-cert
        Configures a RadSec client certificate on the RADIUS server to identify and authenticate clients.

    radsec-port
        Designates a RadSec port for RADIUS data transport.
        Range: 1-65535. Default: 2083.

    radsec-trusted-cacert-name
        Designates a Certificate Authority to sign RadSec certificates.

    radsec-trusted-servercert-name
        Designates a trusted RadSec server certificate.

    retransmit
        Maximum number of retries sent to the server by the controller before the server is marked as down.
        Range: 0-3. Default: 3.

    service-type-framed-user
        Send the service-type as FRAMED-USER instead of LOGIN-USER. This option is disabled by default.
        Default: disabled.

    source-interface vlan ip6addr
        This option associates a VLAN interface with the RADIUS server to allow the server-specific source interface to override the global configuration.
        - If you associate a Source Interface (by entering a VLAN number) with a configured server, then the source IP address of the packet will be that interface's IP address.
        - If you do not associate the Source Interface with a configured server (leave the field blank), then the IP address of the global Source Interface will be used.
        - If you want to configure an IPv6 address for the Source Interface, specify the IPv6 address for the ip6addr parameter.

    timeout
        Maximum time, in seconds, that the controller waits before timing out the request and resending it.
        Range: 1-30. Default: 5 seconds.

    use-ip-for-calling-station
        Use an IP address instead of a MAC address for calling station IDs. This option is disabled by default.
        Default: disabled.

    use-md5
        Use MD5 hash of cleartext password.
        Default: disabled.

Usage Guidelines
You must configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 114).

Example
The following command configures and enables a RADIUS server:

    aaa authentication-server radius radius1
        host 10.1.1.244
        key qwERtyuIOp
        enable
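Several RADIUS parameters above (called-station-id with its type, delimiter and include-ssid options; mac-delimiter; mac-lowercase; use-ip-for-calling-station) only change how the controller formats the Called-Station-Id and Calling-Station-Id attribute values, which matters when a RADIUS server's policy or log parser keys on those strings. The following Python block is an added illustration of that formatting for this page, not ArubaOS code. Its assumptions: MAC addresses are accepted in any common notation; the oui-nic style places a single dash between the three-byte OUI and the NIC part; include-ssid appends a colon and the SSID (the guide says only that the SSID can be included); and mac-delimiter/mac-lowercase are applied to the client MAC in Calling-Station-Id. The function names are this example's own.

```python
"""Formatting of Called-Station-Id / Calling-Station-Id values as steered by the
called-station-id, mac-delimiter, mac-lowercase and use-ip-for-calling-station
parameters. Added illustration, not ArubaOS code; see the assumptions in the
comments."""
import re


def normalise_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC address, upper-case, without separators.
    Assumption: any non-hex characters in the input are separators."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()


def format_mac(mac: str, delimiter: str = "none", lowercase: bool = False) -> str:
    """Apply a mac-delimiter style (colon | dash | none | oui-nic) and mac-lowercase."""
    digits = normalise_mac(mac)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    if delimiter == "colon":
        out = ":".join(pairs)
    elif delimiter == "dash":
        out = "-".join(pairs)
    elif delimiter == "none":
        out = digits
    elif delimiter == "oui-nic":
        out = digits[:6] + "-" + digits[6:]        # assumption: OUI-NIC split with one dash
    else:
        raise ValueError(f"unknown mac-delimiter: {delimiter}")
    return out.lower() if lowercase else out


def called_station_id(kind: str, delimiter: str = "none", include_ssid: bool = False, *,
                      ap_group: str = "", ap_mac: str = "", ap_name: str = "",
                      controller_ip: str = "", controller_mac: str = "",
                      vlan_id: int = 0, ssid: str = "") -> str:
    """Called-Station-Id value for 'called-station-id type <kind>'.

    The delimiter option of called-station-id is colon | dash | none and only
    affects the two MAC-based types; the default type is macaddr (controller MAC).
    """
    if delimiter not in ("colon", "dash", "none"):
        raise ValueError(f"called-station-id delimiter must be colon|dash|none, not {delimiter}")
    sources = {
        "ap-group": lambda: ap_group,
        "ap-macaddr": lambda: format_mac(ap_mac, delimiter),
        "ap-name": lambda: ap_name,
        "ipaddr": lambda: controller_ip,
        "macaddr": lambda: format_mac(controller_mac, delimiter),
        "vlan-id": lambda: str(vlan_id),
    }
    if kind not in sources:
        raise ValueError(f"unknown called-station-id type: {kind}")
    value = sources[kind]()
    if include_ssid and ssid:
        value = f"{value}:{ssid}"                  # assumption: SSID joined with a colon
    return value


def calling_station_id(client_mac: str, delimiter: str = "none", lowercase: bool = False,
                       use_ip: bool = False, client_ip: str = "") -> str:
    """Calling-Station-Id: the client MAC formatted per mac-delimiter and
    mac-lowercase, or the client IP when use-ip-for-calling-station is enabled."""
    if use_ip:
        return client_ip
    return format_mac(client_mac, delimiter, lowercase)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(called_station_id("ap-macaddr", "dash", True, ap_mac="00:0b:86:44:55:66", ssid="corp"))
    print(calling_station_id("aa-bb-cc-dd-ee-ff", "colon", lowercase=True))
```

A practical use is to generate the exact strings a server-side rule will see before changing one of these parameters on a production controller, since a delimiter or case change silently breaks policies that match on the old form.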

Command History

    Version           Modification
    ArubaOS 3.0       Command introduced.
    ArubaOS 6.0       RADIUS server can be identified by its fully qualified domain name (FQDN).
    ArubaOS 6.1       The source-interface parameter was added.
    ArubaOS 6.3       - The mac-delimiter parameter was introduced.
                      - The enable-ipv6 and nas-ip6 parameters were introduced. An IPv6 host address can be specified for the host parameter.
                      - The ipv6 addr parameter was added.
    ArubaOS 6.4       The called-station-id parameter was introduced.
    ArubaOS 6.4.2.5   The cppm parameter was introduced.
    ArubaOS 6.4.3.0   - The enable-radsec parameter was introduced.
                      - The radsec-client-cert, radsec-port, and radsec-trusted-ca parameters were introduced.
    ArubaOS 6.5.1     The acct-modifier and auth-modifier parameters were introduced.

Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers

aaa authentication-server tacacs

    aaa authentication-server tacacs
        clone
        enable
        host
        key
        no ...
        retransmit
        session-authorization
        tcp-port
        timeout

Description
This command configures a TACACS+ server.

Starting with ArubaOS 6.4, a maximum of 128 TACACS servers can be configured on the controller.

Syntax
Range and default values are listed where the guide specifies them.

    server name (first argument)
        Name that identifies the server.

    clone
        Name of an existing TACACS server configuration from which parameter values are copied.

    enable
        Enables the TACACS server.

    host
        IPv4 or IPv6 address of the TACACS server.

    key
        Shared secret to authenticate communication between the TACACS+ client and server.

    no
        Negates any configured parameter.

    retransmit
        Maximum number of times a request is retried.
        Range: 0-3. Default: 3.

    session-authorization
        Enables TACACS+ authorization. Session-authorization turns on the optional authorization session for admin users.
        Default: disabled.

    tcp-port
        TCP port used by the server.
        Range: 1-65535. Default: 49.

    timeout
        Timeout period of a TACACS request, in seconds.
        Range: 1-30. Default: 20 seconds.

Usage Guidelines
You must configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 114).

Example
The following command configures and enables a TACACS+ server and enables session authorization:

    aaa authentication-server tacacs tacacs1
        clone default
        host 10.1.1.245
        key qwERtyuIOp
        enable
        session-authorization
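The LDAP, RADIUS and TACACS+ sections above all use the same configuration layout (a command line followed by indented sub-parameters) and each states explicit ranges: ports 1-65535, retransmit 0-3, timeouts 1-30 seconds, a RADIUS shared secret of at most 128 characters, and an LDAP allow-cleartext setting that defaults to disabled. The following Python block is an added example for this page, not ArubaOS code: a small parser for that layout plus an audit that reports out-of-range values, LDAP servers that permit clear-text, and RADIUS or TACACS servers enabled without a shared secret. The sample configuration embedded in it is constructed for the example; the names parse_servers, audit_server and audit are this example's own.

```python
"""Parse 'aaa authentication-server' blocks and audit them against the ranges the
guide's parameter tables give. Added illustration, not ArubaOS code. The input
format is the guide's own example layout: an unindented command line followed by
indented sub-parameters."""
import re
from typing import Dict, List

# Ranges stated in the LDAP, RADIUS and TACACS parameter tables above.
RANGES = {
    "ldap": {"authport": (1, 65535), "timeout": (1, 30)},
    "radius": {"authport": (1, 65535), "acctport": (1, 65535),
               "radsec-port": (1, 65535), "retransmit": (0, 3), "timeout": (1, 30)},
    "tacacs": {"tcp-port": (1, 65535), "retransmit": (0, 3), "timeout": (1, 30)},
}
MAX_RADIUS_KEY_LEN = 128

HEADER = re.compile(r"^aaa authentication-server (ldap|radius|tacacs|windows) (\S+)\s*$")


def parse_servers(config: str) -> List[Dict]:
    """Return one dict per server block: {'type', 'name', 'params'}.
    Flag-style keywords (enable, allow-cleartext, ...) are stored with value ''."""
    servers: List[Dict] = []
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        m = HEADER.match(raw)
        if m:
            current = {"type": m.group(1), "name": m.group(2), "params": {}}
            servers.append(current)
            continue
        if current is None or not raw[0].isspace():
            continue                       # text outside a server block is ignored
        keyword, _, value = raw.strip().partition(" ")
        current["params"][keyword] = value.strip()
    return servers


def audit_server(server: Dict) -> List[str]:
    """Findings for a single server block, as human-readable strings."""
    findings: List[str] = []
    kind, name, p = server["type"], server["name"], server["params"]
    for key, (lo, hi) in RANGES.get(kind, {}).items():
        if key not in p:
            continue
        try:
            val = int(p[key])
        except ValueError:
            findings.append(f"{kind} {name}: {key} '{p[key]}' is not a number")
            continue
        if not lo <= val <= hi:
            findings.append(f"{kind} {name}: {key} {val} outside {lo}-{hi}")
    if kind == "ldap":
        if "allow-cleartext" in p and p["allow-cleartext"] != "disabled":
            findings.append(f"ldap {name}: allow-cleartext permits unencrypted LDAP")
        if p.get("preferred-conn-type") == "clear-text":
            findings.append(f"ldap {name}: preferred-conn-type is clear-text")
    if kind in ("radius", "tacacs"):
        key = p.get("key", "")
        if "enable" in p and not key:
            findings.append(f"{kind} {name}: enabled without a shared secret (key)")
        if kind == "radius" and len(key) > MAX_RADIUS_KEY_LEN:
            findings.append(f"radius {name}: key longer than {MAX_RADIUS_KEY_LEN} characters")
    return findings


def audit(config: str) -> List[str]:
    """Audit every server block in a configuration text."""
    findings: List[str] = []
    for server in parse_servers(config):
        findings.extend(audit_server(server))
    return findings


# Constructed sample configuration (addresses follow the guide's examples).
SAMPLE_CONFIG = """\
aaa authentication-server ldap ldap1
    host 10.1.1.243
    base-dn cn=Users,dc=1m,dc=corp,dc=com
    allow-cleartext
    preferred-conn-type clear-text
    timeout 45
    enable
aaa authentication-server radius radius1
    host 10.1.1.244
    key qwERtyuIOp
    retransmit 5
    enable
aaa authentication-server tacacs tacacs1
    host 10.1.1.245
    tcp-port 49
    enable
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run against a saved `show running-config` excerpt, the audit gives a quick, repeatable review of the authentication-server settings that the tables above define, before the configuration is pushed to controllers.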

Command History

    Version       Description
    ArubaOS 3.0   Command introduced.
    ArubaOS 6.0   session-authorization parameter was introduced.
    ArubaOS 6.3   IPv6 support was added for TACACS server. You can now specify an IPv6 host address for the host parameter.

Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers

aaa authentication-server windows

    aaa authentication-server windows
        clone
        domain
        enable
        host
        no

Description
This command configures a Windows server for stateful-NTLM authentication.

Syntax

    server name (first argument)
        Name of the Windows server. You will use this name when you add the Windows server to a server group.

    clone
        Name of a Windows server from which you want to make a copy.

    domain
        The Windows domain for the authentication server.

    enable
        Enables the Windows server.

    host
        IP address of the Windows server.

    no
        Delete command.

Usage Guidelines
You must define a Windows server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 114). Windows servers are used for stateful-NTLM authentication.

Example
The following command configures and enables a Windows server:

    aaa authentication-server windows IAS_1
        host 10.1.1.245
        enable

Command History
This command was available in ArubaOS 3.4.1.

Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers

aaa authentication stateful-dot1x

    aaa authentication stateful-dot1x
        default-role
        enable
        no ...
        server-group
        timeout

Description
This command configures 802.1X authentication for clients on non-Aruba APs.

Syntax
Range and default values are listed where the guide specifies them.

    default-role
        Role assigned to the 802.1X user upon login.
        NOTE: The PEFNG license must be installed.
        Default: guest.

    enable
        Enables 802.1X authentication for clients on non-Aruba APs. Use no enable to disable stateful 802.1X authentication.
        Default: enabled.

    no
        Negates any configured parameter.

    server-group
        Name of the group of RADIUS servers used to authenticate the 802.1X users. See aaa server-group on page 114.

    timeout
        Timeout period, in seconds.
        Range: 1-20. Default: 10 seconds.

Usage Guidelines
This command configures 802.1X authentication for clients on non-Aruba APs. The controller maintains user session state information for these clients.

Example
The following command assigns the employee user role to clients who successfully authenticate with the server group corp-rad:

    aaa authentication stateful-dot1x
        default-role employee
        server-group corp-rad

Command History
This command was introduced in ArubaOS 3.0.

Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers

aaa authentication stateful-dot1x clear

    aaa authentication stateful-dot1x clear

Description
This command clears automatically-created control path entries for 802.1X users on non-Aruba APs.

Syntax
No parameters.

Usage Guidelines
Run this command after changing the configuration of a RADIUS server in the server group configured with the aaa authentication stateful-dot1x command. This causes entries for the users to be created in the control path with the updated configuration information.

Command History
This command was introduced in ArubaOS 3.0.

Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Enable mode on master controllers

aaa authentication stateful-kerberos

    aaa authentication stateful-kerberos
        clone
        default-role
        enable
        server-group
        timeout

Description
This command configures stateful Kerberos authentication.

Syntax
Range and default values are listed where the guide specifies them.

    clone
        Create a copy of an existing stateful Kerberos profile.

    default-role
        Select an existing role to assign to authenticated users.
        Default: guest.

    server-group
        Name of a server group.
        Default: default.

    timeout
        Amount of time, in seconds, before the request times out.
        Range: 1-20 seconds. Default: 10 seconds.

Example

    (host)(config) # aaa authentication stateful-kerberos default
        default-role guest
        timeout 10
        server-group internal

Command History
Command introduced in ArubaOS 3.4.3.

Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers

aaa authentication stateful-ntlm

    aaa authentication stateful-ntlm
        clone
        default-role
        enable
        server-group
        timeout

Description
This command configures stateful NT LAN Manager (NTLM) authentication.

Syntax
Range and default values are listed where the guide specifies them.

    clone
        Create a copy of an existing stateful NTLM profile.

    default-role
        Select an existing role to assign to authenticated users.
        Default: guest.

    no
        Negates any configured parameter.

    server-group
        Name of a server group.
        Default: default.

    timeout
        Amount of time, in seconds, before the request times out.
        Range: 1-20 seconds. Default: 10 seconds.

Usage Guidelines
NT LAN Manager (NTLM) is a suite of Microsoft authentication and session security protocols. You can use a stateful NTLM authentication profile to configure a controller to monitor the NTLM authentication messages between clients and an authentication server. The controller can then use the information in the Server Message Block (SMB) headers to determine the client's username and IP address, the server IP address and the client's current authentication status. If the client successfully authenticates via an NTLM authentication server, the controller can recognize that the client has been authenticated and assign that client a specified user role. When the user logs off or shuts down the client machine, the user will remain in the authenticated role until the user's authentication is aged out.

The Stateful NTLM Authentication profile requires that you specify a server group which includes the servers performing NTLM authentication, and a default role to be assigned to authenticated users. For details on defining a Windows server used for NTLM authentication, see aaa authentication-server windows.

Example
The following example configures a stateful NTLM authentication profile that authenticates clients via the server group "Windows1." Users who are successfully authenticated are assigned the "guest2" role.

    aaa authentication stateful-ntlm
        default-role guest2
        server-group Windows1

Command History
Command introduced in ArubaOS 3.4.1.

Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers

aaa authentication via auth-profile

    aaa authentication via auth-profile
        auth-protocol {mschapv2|pap}
        cert-cn-lookup
        clone
        default-role
        desc
        max-authentication-failures
        no
        pan-integration
        radius-accounting
        rfc-3576-server
        server-group

Description
This command configures the VIA authentication profile.

Syntax
Default values are listed where the guide specifies them.

    auth-protocol {mschapv2|pap}
        Authentication protocol support for VIA authentication; MSCHAPv2 or PAP.
        Default: PAP.

    cert-cn-lookup
        Check certificate common name against AAA server.
        Default: Enabled.

    clone
        Name of an existing profile from which configuration values are copied.

    default-role
        Name of the default VIA authentication profile.

    desc
        Description of this profile for reference.

    max-authentication-failures
        Number of times VIA will prompt the user to log in due to incorrect credentials. After the maximum number of failed authentication attempts, VIA will exit.
        Default: 3.

    pan-integration
        Requires IP mapping at Palo Alto Networks.

    radius-accounting
        Server group for RADIUS accounting.

    rfc-3576-server
        Configures the RFC 3576 server.

    server-group
        Server group against which the user is authenticated.

Usage Guidelines
Use this command to create VIA authentication profiles and associate user roles to the authentication profile.

Example

    (host) (config) #aaa authentication via auth-profile default
    (host) (VIA Authentication Profile "default") #auth-protocol mschapv2
    (host) (VIA Authentication Profile "default") #default-role example-via-role
    (host) (VIA Authentication Profile "default") #desc "Default VIA Authentication Profile"
    (host) (VIA Authentication Profile "default") #server-group "via-server-group"

Command History

    Version       Description
    ArubaOS 5.0   Command introduced.
    ArubaOS 6.3   The auth-protocol parameter was added.

Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master or local controllers

aaa authentication via connection-profile

    aaa authentication via connection-profile
        admin-logoff-script
        admin-logon-script
        allow-user-disconnect
        allow-whitelist-traffic
        auth_domain_suffix
        auth-profile
        auth_doman_suffix
        auto-launch-supplicant
        auto-login
        auto-upgrade
        banner-message-reappear-timeout
        client-logging
        client-netmask
        client-wlan-profile position
        clone
        controllers-load-balance
        csec-gateway-url
        csec-http-ports
        dns-suffix-list
        domain-pre-connect
        enable-csec
        enable-fips
        enable-supplicant
        ext-download-url
        ike-policy
        ikev2-policy
        ikev2-proto
        ikev2auth
        ipsec-cryptomap map number
        ipsecv2-cryptomap
        lockdown-all-settings
        max-reconnect-attempts
        max-timeout
        minimized
        no
        ocsp-reponder {enable|fallback}
        save-passwords
        server
        split-tunneling
        suiteb-crypto
        support-email
        tunnel
        user-idle-timeout
        validate-server-cert
        whitelist
        windows-credentials

Description
This command configures the VIA connection profile.

Syntax
Default values are listed where the guide specifies them.

    admin-logoff-script
        Enables VIA logoff script.
        Default: Disabled.

    admin-logon-script
        Enables VIA logon script.
        Default: Disabled.

    allow-user-disconnect
        Enable or disable users to disconnect their VIA sessions.
        Default: Enabled.

    allow-whitelist-traffic
        If enabled, this feature will block network access until the VIA VPN connection is established.
        Default: Disabled.

    auth_domain_suffix
        Enables a domain suffix on VIA Authentication, so client credentials are sent as domainname\username instead of just username.

    auto-launch-supplicant
        Allows you to connect automatically to a configured WLAN network.
        Default: Disabled.

    auth-profile
        This is the list of VIA authentication profiles that will be displayed to users in the VIA client.

    admin-logoff-script
        Specify the name of the script that must be executed when the VIA connection is disconnected. The script must reside on the user / client system.

    admin-logon-script
        Specify the name of the script that must be executed when the VIA connection is established. The script must reside on the user / client system.

    auto-login
        Enable or disable VIA client to auto login and establish a secure connection to the controller.
        Default: Enabled.

    auto-upgrade
        Enable or disable VIA client to automatically upgrade when an updated vers