ArubaOS 8.4.0.x Command-Line Interface Reference Guide


Revision 03 | March 2019 ArubaOS 8.4.0.x | Reference Guide

Copyright Information

© Copyright 2019 Hewlett Packard Enterprise Development LP.

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
3000 Hanover Street
Palo Alto, CA 94304
USA


Revision History

The following table lists the revisions of this document.

Revision
    Change Description
Revision 03
    Added commands to enable telnet session on the managed devices in the ArubaOS Command-Line Interface chapter.
Revision 02
    Updated the rf_dot11a_radio_profile and rf_dot11g_radio_profile commands to reflect the correct default values. Removed ble-token and ble-url parameters from the ap system-profile command.
Revision 01
    Initial release.

Table 1: Revision History

ArubaOS 8.4.0.x | Reference Guide ArubaOS Command-Line Interface | 4

ArubaOS Command-Line Interface

The ArubaOS 8.4.0.0 CLI allows you to configure and manage Mobility Master and managed devices. The CLI is accessible from a local console connected to the serial port on the Mobility Master or through a Telnet or Secure Shell (SSH) session from a remote management console or workstation.

Telnet access is disabled by default. Do one of the following to enable Telnet access on the Mobility Master:

- Enter the telnet CLI command from a serial connection or an SSH session.
- In the WebUI, navigate to the Configuration > System > Admin page.

To manually enable telnet CLI on the managed devices, execute the following commands in the /md path of each managed device in the Mobility Master:

(host) [mynode] (config) #firewall cp
(host) [mynode] (config-submode) #ipv4 permit any proto 6 ports 23 23
(host) [mynode] (config-submode) #!
(host) [mynode] (config-submode) #exit
(host) [mynode] (config) #exit
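The control-plane rule shown above is what makes the Telnet CLI reachable on a managed device, so it is also the line an operator looks for when checking which devices still accept Telnet. The Python script below is an added example, not part of this guide or of ArubaOS: it walks a constructed running-configuration excerpt, collects the rules inside the firewall cp block and reports every permit rule for TCP (proto 6) whose port range covers port 23. The sample configuration text, its indentation, the assumption that a bare "!" line closes the block, and the rule pattern are all inferred only from the commands in this section.

```python
import re

# Constructed excerpt of a managed device's running configuration (not a
# real capture). The "firewall cp" block mirrors the commands this section
# shows for enabling Telnet; the indentation and the closing "!" line are
# assumptions about how the configuration is rendered.
SAMPLE_CONFIG = """\
hostname md-branch-01
!
firewall cp
  ipv4 permit any proto 6 ports 22 22
  ipv4 permit any proto 6 ports 23 23
  ipv6 deny any proto 6 ports 23 23
!
interface vlan 1
  ip address 10.0.0.2 255.255.255.0
!
"""

TELNET_PORT = 23


def control_plane_rules(config_text):
    """Return the ACL lines found inside a 'firewall cp' block, which is
    taken to end at the first line consisting only of '!'."""
    rules, inside = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "firewall cp":
            inside = True
        elif inside and line == "!":
            inside = False
        elif inside and line:
            rules.append(line)
    return rules


# ipv4|ipv6 permit <source> proto 6 ports <low> <high>
_PERMIT_TCP = re.compile(
    r"^(?P<family>ipv[46])\s+permit\s+(?P<src>\S+)\s+proto\s+6\s+"
    r"ports\s+(?P<lo>\d+)\s+(?P<hi>\d+)$"
)


def telnet_permits(config_text, port=TELNET_PORT):
    """(family, source) for every control-plane rule permitting TCP traffic
    whose port range covers the Telnet port; an empty list means no rule in
    the block lets Telnet through."""
    found = []
    for rule in control_plane_rules(config_text):
        m = _PERMIT_TCP.match(rule)
        if m and int(m.group("lo")) <= port <= int(m.group("hi")):
            found.append((m.group("family"), m.group("src")))
    return found


if __name__ == "__main__":
    hits = telnet_permits(SAMPLE_CONFIG)
    if hits:
        for family, src in hits:
            print(f"Telnet reachable on control plane: {family} from {src}")
    else:
        print("No control-plane rule permits Telnet")
```

Because the match is on the port range rather than on the literal "23 23", a wider permit such as "ports 20 25" is reported as well; the deny rule for IPv6 is ignored because only permit rules open the port.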

What's New in ArubaOS 8.4.0.0

This section lists the commands introduced, modified, or deprecated in ArubaOS 8.4.0.0.

Commands in ArubaOS 8.4.0.0

New Commands

The following new commands are introduced in ArubaOS 8.4.0.0:

ap ble-configure
    This command is introduced to configure beacon attributes for a specific AP.
ap deep-sleep
    This command is used to move the APs into deep-sleep mode.
ap provisioning-rule
    This command is introduced to configure a group of APs and the subsequent actions to provision the APs.
ap provisioning-rules
    This command is introduced to define the priority of the provisioning rules that are actively used by the Auto-provisioning feature in APs.
ap wake-up
    This command is used to wake up APs from the deep-sleep mode.
ap zeroize-tpm-keys
    This command is introduced to erase the TPM content and render an AP permanently inoperable.
iapvpn-backward-compatible
    This command is used to enable the older Instant APs to send register requests on the older HTTP port of 80.

iot radio-profile
    This command is introduced to configure an IoT radio profile.
ip domain redirect
    This command is introduced to enable the DNS redirect feature.
ip domain-redirect
    This command is introduced to redirect DNS queries matching the corporate domain to a dedicated corporate IPv4 DNS server.
ipv6 domain-redirect
    This command is introduced to redirect the domain to a dedicated DNS server in the IPv6 domain.
lc-cluster schedule upgrade
    This command is introduced to schedule a cluster upgrade.
lc-cluster re-schedule upgrade
    This command is introduced to reschedule a scheduled cluster upgrade.
lc-cluster abort schedule upgrade
    This command is introduced to delete or abort a scheduled cluster upgrade.
password-recovery-disable
    This command is introduced to disable the default password recovery feature.
password-recovery-user
    This command is introduced to create an alternate password recovery user.
rf dot11-60GHz-radio-profile
    This command is introduced to configure AP radio settings for the 60 GHz frequency band, including the ARM profile for standalone controllers and the high-throughput (802.11ad) radio profile.
sesimagotag-esl-channel
    This command is introduced to configure the radio channel of the SES-imagotag ESL system.
sesimagotag-esl-serverip
    This command is introduced to configure the IP address of the SES-imagotag ESL server.
show ap analytics recommendations
    This command is introduced to display the EIRP recommendations, channel-bandwidth recommendations, and regulatory domain profile recommendations to an AP.
show ap ble-ibeacon-info
    This command displays the BLE iBeacon information for an AP.
show ap debug esl-status
    This command displays the values for ESL Server, ESL Channel, ESL Radio, Configuration Status, and the ESL Dongle ID of an AP.
show ap debug ses-esl-log
    This command displays the SES-imagotag ESL daemon debug logs for an AP.
show ap greenap
    This command displays all the pending APs in the per-md list, sends the AP_INFO AMON message for a particular AP, and tracks Green AP related counters.
show ap mesh debug link-table
    This command is introduced to display the mesh link table information for a remote mesh point or remote mesh portal.

show ap provisioning-rule
    This command is introduced to display the information of an AP provisioning rule during Auto-provisioning.
show ap provisioning-rules
    This command is introduced to display the information for the priority level of AP provisioning rules.
show iot radio-profile
    This command displays the status of an IoT radio profile.
show provisioning-rule-info
    This command is introduced to display the information on each auto-provisioning rule and the associated APs.
show rf dot11-60GHz-radio-profile
    This command displays an 802.11 60 GHz radio profile.
upgrade cancel-schedule
    This command cancels an already scheduled upgrade of the managed devices.
upgrade reschedule
    This command reschedules the existing scheduled upgrade of the managed devices.
vpn-peer pass-code
    This command is introduced to configure the authentication code for automatic whitelisting of managed devices on VPN Concentrators.
wlan he-ssid-profile
    This command is introduced to configure a high-efficiency (802.11ax) SSID profile.
wmm-dscp-mapping
    This command is introduced to enable the WMM DSCP map in the upstream direction of the decrypt-tunnel mode.
zeroize-tpm-keys
    This command is introduced to erase the TPM content and render a controller permanently inoperable.

Modified Commands

The following commands are modified in ArubaOS 8.4.0.0:

aaa authentication captive-portal
    The ap-mac-in-redirection-url parameter is introduced.
aaa authentication via connection-profile
    The l2-forwarding parameter is introduced.
ap-group
    The dot11-60GHz-radio-profile parameter is introduced.
ap multizone-profile
    The following sub-parameters are introduced in the datazone parameter:
    - controller-ipv6
    - description
    - max-nodes
    - max-vaps
    The following sub-parameters are introduced in the primaryzone parameter:
    - max-nodes
    - max-vaps


ap provisioning-profile
    The apdot1x-tls-suffix, apdot1x-tls-suffix-domain, mesh-auto, and preferred_uplink parameters are introduced.
ap system-profile
    The following changes are introduced:
    - The IPv6 address support is added to the ip-or-dns parameter.
    - The following parameters are introduced:
      - ap-usb-power-mode
      - wids-ampdu-optimization
      - sesImagotag-esl-channel
      - sesImagotag-esl-serverip
    - The following parameters are introduced:
      - radio_5ghz_chain_4x4
      - radio_5ghz_chain_5x5
      - radio_5ghz_chain_6x6
      - radio_5ghz_chain_7x7
ap wired-ap-profile
    The wired-ap-mode parameter is introduced.
banner
    The enforce-accept parameter is introduced.
ble_relay
    The export-ap-ble-ibeacon-info parameter is introduced.
interface tunnel
    The vlan {add }|{remove }| sub-parameters are introduced to the trusted parameter.
interface vlan
    The pppoe-gateway-nat sub-parameter is introduced.
iot transportProfile
    The following server types were introduced:
    - Assa-Abloy
    - Meridian-beacons-management
    - Meridian-asset-tracking
    - Telemetry-https
    - Telemetry-websocket
    - ZF-openmatics
    The following deviceClassFilters were introduced:
    - all
    - aruba-beacons
    - aruba-tags
    - assa-abloy
    - eddystone
    - enocean-sensors
    - enocean-switches
    - ibeacon
    - unclassified
    - zf-tags
    The following parameters were renamed:
    - endpointType to serverType
    - endpointID to clientID
    - endpointURL to serverURL
    - endpointToken to accessToken
    - transportInterval to reportingInterval
    - payloadContent to deviceClassFilter
    - filterAttribute to uuidFilter
    - namespaceFilter to uidNamespaceFilter
    - cellSize to cellSizeFilter
    - thresholdAttribute to movementFilter
    - outrangeAgeout to ageFilter

ip access-list session
    The output displays the use of source NAT to route the local traffic in the AP datapath in Split-Tunnel forwarding mode for IPv6 clients.
ip dhcp pool
    The switch-gw-ip sub-parameter is introduced.
ipv6 dhcp pool
    The switch-gw-ipv6 sub-parameter is introduced.
lc-cluster group-profile
    The rapcluster parameter is added.
mgmt-user
    The following sub-parameters are introduced in the parameter:
    - max-concurrent-sessions
    - old-password
    The audit-period parameter is introduced.
provision-ap
    The apdot1x-tls-suffix, apdot1x-tls-suffix-domain, mesh-auto, and preferred_uplink parameters are introduced.
rf dot11a-radio-profile
    The high-efficiency-enable parameter is introduced.
rf dot11g-radio-profile
    The high-efficiency-enable parameter is introduced.
rf ht-radio-profile
    The bss-color parameter is introduced.
show airgroup aps
    The output is modified to display the name of the neighbor AP, if available, in the Neighbor AP name parameter.
show aaa authentication via connection-profile
    The output of this command is modified to display the Use l2 forwarding parameter.
show aaa radius-attributes
    The output of this command is modified to display the Aruba-Captive-Portal-URL VSA attribute.
show amon-sender
    The following new parameters are added to support the Smart AMON feature:
    - bundle counters
    - bundle parameters
    - cdt message-type
show ap database
    A new flag, p, was introduced to show that the AP is in deep-sleep mode.
show ap debug multizone
    The output of this command is modified to include V flags.

show ap details
    The following changes are introduced:
    - The output of the show ap details advanced ip-addr command is modified to display a new field, Reason for disconnect.
    - The output of the show ap details advanced ap-name command is modified to display Eirp (max, min, offset) information.

show ap-group
    The output of this command is modified to display the 802.11 60GHz radio profile parameter and its corresponding value.
show ap mesh debug forwarding-table
    The bssid parameter was introduced.
show ap monitor debug
    The following changes are introduced:
    - The ip6-addr parameter is added.
    - The output of the show ap monitor debug status command displays both IPv4 and IPv6 addresses.
    - The output of the show ap monitor debug status command includes the new counters to differentiate the distribution of DATA, MGMT, CTRL, and AGGR packets.
show ap monitor stats
    The output of the show ap monitor stats command is modified to display the additional debug counter information.
show ap multizone-profile
    The output is modified to display the IPv6 Address and Description columns.
show ap provisioning-profile
    The output is modified to include the following parameters:
    - AP dot1x EAP-TLS username suffix
    - AP dot1x EAP-TLS username suffix domain
    - USB power mode
show ap system-profile
    The following changes are introduced:
    - The output of the show ap system-profile | include USB command displays the AP USB Power mode parameter.
    - The AeroScout RTLS Server and RTLS Server configuration output parameter of the show ap system-profile | include RTLS command displays the IPv6 address.
show audit-trail
    The output displays international characters in the ESSID, in unicode format.
show datapath
    The following changes are introduced:
    - The output of the show datapath tunnel ipv6 command was modified to include B, G, and Y flags.
    - The outputs of the show datapath route ap-name ipv6 and show datapath route-cache ap-name ipv6 commands are modified to display IPv6 route entries.
    - The web-cc and counters sub-parameters are added to the ipv6 parameter.

    - The output of the show datapath session ipv6 web-cc command is modified to display WebCC related entries for IPv6 sessions.
    - The trusted-vlan and untrusted-vlan sub-parameters are introduced in the show datapath tunnel tunnel-id command.
show gsm debug
    The via_user and rap-public-ip sub-parameters are introduced in the parameter.
show lc-cluster
    The scheduled-upgrades and rap-public-ip parameters are introduced.
show license-usage
    The Active MUX and Active PUTN parameters were added.
show mgmt-users
    The following parameters are introduced:
    - audit-info
    - console
    The Max-concurrent-sessions parameter is introduced in the output.
show provisioning-params
    The output is modified to include the following parameters:
    - AP dot1x EAP-TLS username suffix
    - AP dot1x EAP-TLS username suffix domain
show rights
    The output displays the IPv6 ACE entries of the role-based ACL in Split-Tunnel forwarding mode.
show tpm
    The errorlog parameter is introduced.
show via
    The lastlogin parameter is introduced.
show interface tunnel
    The trusted-vlan and untrusted-vlan sub-parameters are introduced.
show ip pppoe-info
    The output of the show ip pppoe-info command is modified to display the Gateway NAT and IP parameters.
show sapm cluster nodestate
    The Public IP address output column was added.
show web-cc
    The output of the show webcc-status command displays the Connection mode for server parameter.
upgrade managed-devices
    The schedule parameter is introduced.
webcc
    The connectiontype ipv6 parameter is introduced.
wlan ssid-profile
    The enhanced-open, wpa3-aes-ccm-128, wpa3-cnsa, and wpa-sae-aes sub-parameters are introduced to the opmode parameter, and the opmode-transition parameter is introduced.


About this Guide

This guide describes the ArubaOS 8.4.0.x command syntax. The commands in this guide are listed alphabetically.

The following information is provided for each command:

- Command Syntax—The complete syntax of the command.
- Description—A brief description of the command.
- Syntax—A description of the command parameters, including license requirements for specific parameters if needed. The applicable ranges and default values, if any, are also included.
- Usage Guidelines—Information to help you use the command, including: prerequisites, prohibitions, and related commands.
- Example—An example of how to use the command.
- Command History—The version of ArubaOS in which the command was first introduced. Modifications and changes to the command are also noted.
- Command Information—This table describes any licensing requirements, command modes and platforms for which this command is applicable. For more information about available licenses, refer to the Aruba Mobility Master Licensing Guide.

Connecting to the Mobility Master or Managed Device

This section describes how to connect to the Mobility Master or Managed Device to use the CLI.

Serial Port Connection

The serial port is located on the front panel of the managed device. Connect a terminal or PC or workstation running a terminal emulation program to the serial port on the managed device to use the CLI. Configure your terminal or terminal emulation program to use the following communication settings.

Baud Rate    Data Bits    Parity    Stop Bits    Flow Control
9600         8            None      1            None

The Aruba 7200 Series controller supports baud rates between 9600 and 115200.

Telnet or SSH Connection

Telnet or SSH access requires that you configure an IP address and a default gateway on Mobility Master/Managed Device and connect the Mobility Master/Managed Device to your network. This is typically performed when you run the initial setup on the Mobility Master/Managed Device, as described in the ArubaOS 8.4.0.x Quick Start Guide. In certain deployments, you can also configure a loopback address for the Mobility Master/Managed Device; see interface loopback on page 557 for more information.

Configuration changes on Mobility Master

Some commands can only be issued when connected to Mobility Master. If you make a configuration change on Mobility Master, all connected managed devices using that configuration will subsequently update their settings as well.

CLI Access

When you connect to the Mobility Master using the CLI, the system displays the login prompt. Log in using the admin user account and the password you entered during the initial setup on the Mobility Master. For example:

login as: [email protected]'s password:
Last login: Sat Jun 25 01:17:11 2016 from 192.0.2.77

When you are logged in, the enable mode CLI prompt displays. For example:

(host) [mynode] #

All show commands and certain management functions are available in the enable (also called "privileged") mode.

Configuration commands are available in config mode. Move from enable mode to config mode by entering configure terminal at the # prompt:

(host) [mynode]# configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

When you are in basic config mode, (config) appears before the # prompt:

(host) [mynode] (config) #

There are several other sub-command modes that allow users to configure individual interfaces, sub-interfaces, loopback addresses, GRE tunnels and cellular profiles. For details on the prompts and the available commands for each of these modes, see Appendix A: Command Modes on page 2765.

Command Help

You can use the question mark (?) to view various types of command help.

When typed at the beginning of a line, the question mark lists all the commands available in your current mode or sub-mode. A brief explanation follows each command. For example:

(host) [mynode] #aaa ?
authentication    Authentication
inservice         Bring authentication server into service
ipv6              Internet Protocol Version 6
query-user        Query User
test-server       Test authentication server
user              User commands

When typed at the end of a possible command or abbreviation, the question mark lists the commands that match (if any). For example:

(host) [mynode] #c?
ccm-debug                Centralized Configuration Module debug information
cd                       Change current config node
change-config-node       Change current config node
clear                    Clear configuration
clock                    Append clock to cli output
cluster-debug            Cluster Debug
configure                Configuration Commands
copy                     Copy Files
copy-provisioning-par..  Copy a provisioning-ap-list entry to provisioning-params
crypto                   Configure IPsec, IKE, and CA

If more than one item is shown, type more of the keyword characters to distinguish your choice. However, if only one item is listed, the keyword or abbreviation is valid and you can press tab or the spacebar to advance to the next keyword.

When typed in place of a parameter, the question mark lists the available options. For example:


(host) [mynode] #write ?
erase       Erase and start from scratch
memory      Write to memory
terminal    Write to terminal

The indicates that the command can be entered without additional parameters. Any other parameters are optional.

Command Completion

To make command input easier, you can usually abbreviate each key word in the command. You need type only enough of each keyword to distinguish it from similar commands. For example:

(host) [mynode] #configure terminal

could also be entered as:

(host) [mynode] #con t

Three characters (con) represent the shortest abbreviation allowed for configure. Typing only c or co would not work because there are other commands (like copy) which also begin with those letters. The configure command is the only one that begins with con.

As you type, you can press the spacebar or tab to move to the next keyword. The system then attempts to expand the abbreviation for you. If there is only one command keyword that matches the abbreviation, it is filled in for you automatically. If the abbreviation is too vague (too few characters), the cursor does not advance and you must type more characters or use the help feature to list the matching commands.
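Both the "?" listing in Command Help and the keyword expansion in Command Completion follow one rule: an abbreviation is accepted when it is the prefix of exactly one keyword at the current position. The Python code below is an added example, not ArubaOS code, that models that rule over the c? command list shown above. matches() reproduces what c? lists, resolve() expands an abbreviation only when it is unambiguous (an exact keyword always wins, so copy is never blocked by the longer copy-provisioning-* command), shortest_abbreviation() finds that con is the shortest form of configure, and expand_line() expands con t to configure terminal. The command list (without the truncated copy-provisioning-par.. entry) and the single terminal sub-keyword under configure are constructed from the examples in this chapter, not from the full CLI.

```python
# Constructed subset of the enable-mode commands that the guide's "c?"
# listing shows; the truncated copy-provisioning-par.. entry is omitted.
# The only sub-keyword modelled is "terminal" under "configure", taken from
# the "con t" example in this chapter.
COMMAND_TREE = {
    "ccm-debug": [],
    "cd": [],
    "change-config-node": [],
    "clear": [],
    "clock": [],
    "cluster-debug": [],
    "configure": ["terminal"],
    "copy": [],
    "crypto": [],
}


def matches(prefix, commands):
    """Every keyword starting with prefix: what '<prefix>?' would list."""
    return sorted(c for c in commands if c.startswith(prefix))


def resolve(prefix, commands):
    """Expand an abbreviation the way the CLI does on space or tab.

    An exact keyword always wins, otherwise the prefix must match exactly
    one keyword; None means the abbreviation is too short or unknown, which
    is the case where the cursor does not advance.
    """
    if prefix in commands:
        return prefix
    found = matches(prefix, commands)
    return found[0] if len(found) == 1 else None


def shortest_abbreviation(command, commands):
    """Fewest leading characters that still resolve uniquely to command."""
    for n in range(1, len(command) + 1):
        if resolve(command[:n], commands) == command:
            return command[:n]
    raise ValueError(f"{command!r} is not in the command list")


def expand_line(line, tree=COMMAND_TREE):
    """Expand every keyword of a typed line, e.g. 'con t' -> 'configure terminal'.
    Returns None if any keyword is ambiguous or unknown."""
    words = line.split()
    if not words:
        return ""
    cmd = resolve(words[0], list(tree))
    if cmd is None:
        return None
    expanded = [cmd]
    for word in words[1:]:
        sub = resolve(word, tree[cmd])
        if sub is None:
            return None
        expanded.append(sub)
    return " ".join(expanded)


if __name__ == "__main__":
    keywords = list(COMMAND_TREE)
    print("c?  ->", ", ".join(matches("c", keywords)))
    print("co  ->", resolve("co", keywords))
    print("con ->", resolve("con", keywords))
    print("shortest abbreviation of configure:", shortest_abbreviation("configure", keywords))
    print("con t ->", expand_line("con t"))
```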

Deleting Configuration Settings

Use the no command to delete or negate previously-entered configurations or parameters.

- To view a list of no commands, type no at the enable or config prompt followed by the question mark. For example:
  (host) [mynode] (config) # no?
- To delete a configuration, use the no form of a configuration command. For example, the following command removes a configured user role:
  (host) [mynode] (config) # no user-role
- To negate a specific configured parameter, use the no parameter within the command. For example, the following commands delete the DSCP priority map for a priority map configuration:
  (host) [mynode] (config) # priority-map
  (host) [mynode] (config-priority-map) # no dscp priority high

Saving Configuration Changes

Mobility Master maintains a running configuration image. The running-config holds the current controller configuration, including all pending changes which have yet to be saved. To view the running-config, use the following command:

(host) [mynode]# show running-config

When you make configuration changes via the CLI, those changes affect the current running configuration only. If the changes are not saved, they will be lost after the Mobility Master reboots. To save your configuration changes so they are retained after the Mobility Master reboots, use the following command in the enable or config mode:

(host) ^[mynode]# write memory
Saving Configuration...
Saved Configuration

The running configuration can also be saved to a file or sent to a TFTP server for backup or transfer to another system.

The ^ indicator appears between the (host) and [node] portions of the command prompt if the configuration contains unsaved changes. ArubaOS includes the following command prompts:

- (host)^[mynode] – This indicates unsaved configuration.
- (host)*[mynode] – This indicates available crash information.
- (host) [mynode] – This indicates a saved configuration.
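Anything that drives the CLI programmatically, such as a configuration backup or compliance script working over SSH, has to recognise these prompts and notice when a session is about to end with unsaved changes or with crash information pending. The Python parser below is an added example, not part of the guide or of ArubaOS: it decodes the host, node, mode and the ^ and * indicators from a prompt string and audits a constructed session transcript. The prompt grammar is inferred only from the prompts shown in this chapter; the transcript is constructed, not captured from a device.

```python
import re

# Prompt grammar inferred from the prompts shown in this chapter, e.g.
#   (host) [mynode] #             enable mode, configuration saved
#   (host) [mynode] (config) #    config mode
#   (host) ^[mynode] (config) #   unsaved configuration
#   (host) *[mynode] #            crash information available
_PROMPT = re.compile(
    r"^\((?P<host>[^)]+)\)\s*(?P<flag>[\^*]?)\[(?P<node>[^\]]+)\]\s*"
    r"(?:\((?P<mode>[^)]+)\)\s*)?#$"
)


def parse_prompt(prompt):
    """Decode an ArubaOS prompt into its host, node, mode and status flags."""
    m = _PROMPT.match(prompt.strip())
    if not m:
        raise ValueError(f"not an ArubaOS prompt: {prompt!r}")
    flag = m.group("flag")
    return {
        "host": m.group("host"),
        "node": m.group("node"),
        "mode": m.group("mode") or "enable",
        "unsaved": flag == "^",
        "crash_info": flag == "*",
    }


# Constructed session transcript (not a real capture); each line is the
# prompt as displayed followed by the command typed at it.
SAMPLE_SESSION = """\
(host) [mynode] # configure terminal
(host) [mynode] (config) # user-role guest
(host) ^[mynode] (config-role) # exit
(host) ^[mynode] (config) # write memory
(host) [mynode] (config) #
"""


def audit_session(session):
    """Summarise a transcript: the modes visited, whether crash information
    was ever flagged, and whether the final prompt still shows unsaved
    changes (meaning write memory is still needed)."""
    states = []
    for line in session.splitlines():
        idx = line.find("#")
        if idx < 0:
            continue
        states.append(parse_prompt(line[: idx + 1]))
    return {
        "modes": [s["mode"] for s in states],
        "crash_info_seen": any(s["crash_info"] for s in states),
        "unsaved_at_end": bool(states) and states[-1]["unsaved"],
    }


if __name__ == "__main__":
    summary = audit_session(SAMPLE_SESSION)
    print("modes visited:", " -> ".join(summary["modes"]))
    print("unsaved at end:", summary["unsaved_at_end"])
    print("crash info seen:", summary["crash_info_seen"])
```

The parser treats a prompt with no parenthesised mode as enable mode, and it accepts both "[mynode] #" and "[mynode]#" because the guide prints the prompt both ways.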

Commands That Reset the Mobility Master or AP

If you use the CLI to modify a currently provisioned and running radio profile, those changes take place immediately; you do not reboot the Mobility Master or the AP for the changes to affect the current running configuration. Certain commands, however, automatically force the Mobility Master or AP to reboot. You may want to consider current network loads and conditions before issuing these commands, as they may cause a momentary disruption in service as the unit resets. Note also that changing the lms-ip parameter in an AP system profile associated with an AP group will cause all APs in that AP group to reboot.

Commands that Reset an AP
- ap-regroup
- ap-rename
- apboot
- provision-ap
- ap wired-ap-profile {default | } forward-mode {bridge|split-tunnel|tunnel}
- wlan virtual-ap {aaa-profile |forward-mode {tunnel|bridge|split-tunnel|decrypt-tunnel} |ssid-profile |vlan...}
- ap system-profile {bootstrap-threshold |lms-ip |}
- wlan ssid-profile {battery-boost|deny-bcast|essid|opmode|strict-svp |wepkey1 |wepkey2 |wepkey3 |wepkey4|weptxkey |wmm |wmm-be-dscp |wmm-bk-dscp |wmm-ts-min-inact-int |wmm-vi-dscp |wmm-vo-dscp|wpa-hexkey |wpa-passphrase }
- wlan dot11k {bcn-measurement-mode|dot11k-enable|force-disassoc

Commands that Reset a Mobility Master
- reload

Table 2: Reset Commands


Typographic Conventions

The following conventions are used throughout this manual to emphasize important concepts:

Italics
    This style is used to emphasize important terms and to mark the titles of books.
Boldface
    This style is used to emphasize command names and parameter options when mentioned in the text.
Commands
    This fixed-width font depicts command syntax and examples of commands and command output.
Angle brackets
    In the command syntax, text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example:
    ping
    In this example, you would type "ping" at the system prompt exactly as shown, followed by the IP address of the system to which ICMP echo packets are to be sent. Do not type the angle brackets.
[square brackets]
    In the command syntax, items enclosed in brackets are optional. Do not type the brackets.
{Item_A|Item_B}
    In the command examples, single items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.
{ap-name }|{ipaddr }
    Two items within curled braces indicate that both parameters must be entered together. If two or more sets of curled braces are separated by a vertical bar, like in the example to the left, enter only one choice. Do not type the braces or bars.

Table 3: Text Conventions

Command Line Editing

The system records your most recently entered commands. You can review the history of your actions, or reissue a recent command easily, without having to retype it.

To view items in the command history, use the up arrow key to move back through the list and the down arrow key to move forward. To reissue a specific command, press Enter when the command appears in the command history. You can even use the command line editing feature to make changes to the command prior to entering it. The command line editing feature allows you to make corrections or changes to a command without retyping. Table 4 lists the editing controls. To use key shortcuts, press and hold the Ctrl button while you press a letter key.

Key                          Effect         Description
Ctrl A                       Home           Move the cursor to the beginning of the line.
Ctrl B or the left arrow     Back           Move the cursor one character left.
Ctrl D                       Delete Right   Delete the character to the right of the cursor.
Ctrl E                       End            Move the cursor to the end of the line.
Ctrl F or the right arrow    Forward        Move the cursor one character right.
Ctrl K                       Delete Right   Delete all characters to the right of the cursor.
Ctrl N or the down arrow     Next           Display the next command in the command history.
Ctrl P or up arrow           Previous       Display the previous command in the command history.
Ctrl T                       Transpose      Swap the character to the left of the cursor with the character to the right of the cursor.
Ctrl U                       Clear          Clear the line.
Ctrl W                       Delete Word    Delete the characters from the cursor up to and including the first space encountered.
Ctrl X                       Delete Left    Delete all characters to the left of the cursor.

Table 4: Line Editing Keys

Specifying Addresses and Identifiers in Commands

This section describes addresses and other identifiers that you can reference in CLI commands.

IP address
    For any command that requires entry of an IP address to specify a network entity, use IPv4 network address format in the conventional dotted decimal notation (for example, 10.4.1.258).
Netmask address
    For subnet addresses, specify a netmask in dotted decimal notation (for example, 255.255.255.0).
MAC
    For any command that requires entry of a device's hardware address, use the hexadecimal format (for example, 00:05:4e:50:14:aa).
SSID
    A unique character string (sometimes referred to as a network name), consisting of no more than 32 characters. The SSID is case-sensitive (for example, WLAN-01).

Table 5: Addresses and Identifiers


BSSID
    This entry is the unique hard-wireless MAC address of the AP. A unique BSSID applies to each frequency—802.11a and 802.11g—used from the AP. Use the same format as for a MAC address.
ESSID
    Typically the unique logical name of a wireless network. If the ESSID includes spaces, you must enclose the name in quotation marks.
Fast Ethernet or Gigabit Ethernet interface
    Any command that references a Fast Ethernet or Gigabit Ethernet interface requires that you specify the corresponding port on the managed device in the format //: Use the show port status command to obtain the interface information currently available from a managed device.
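Scripts that build CLI commands from inventory data should check each identifier against the formats in Table 5 before it reaches a device, so that a malformed value fails locally instead of being rejected (or silently accepted) by the CLI. The Python helpers below are an added example, not from the guide or from ArubaOS, covering the IP address, netmask, MAC/BSSID and SSID/ESSID rows above, plus the quoting rule for an ESSID containing spaces. Two details are my additions rather than the table's: a netmask is required to be a contiguous run of one bits, and the 32-character SSID limit is checked on UTF-8 octets, which is what the 802.11 standard limits. Note that the table's own IP example, 10.4.1.258, has a final octet above 255 and is rejected by the check.

```python
import ipaddress
import re

# Hexadecimal MAC/BSSID format shown in Table 5: six colon-separated octets.
_MAC = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


def is_ipv4(text):
    """Dotted-decimal IPv4 address; every octet must be 0-255."""
    try:
        ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return True


def is_netmask(text):
    """Dotted-decimal mask whose bits are contiguous ones followed by zeros.
    The contiguity rule is my addition; Table 5 only states the notation."""
    if not is_ipv4(text):
        return False
    inverted = (~int(ipaddress.IPv4Address(text))) & 0xFFFFFFFF
    # Contiguous trailing zeros invert to a value of the form 2**n - 1.
    return inverted & (inverted + 1) == 0


def is_mac(text):
    return _MAC.match(text) is not None


def is_ssid(text):
    """SSID/ESSID of at most 32 characters, as Table 5 states; the check is on
    UTF-8 octets because 802.11 bounds the SSID element at 32 octets."""
    return 0 < len(text.encode("utf-8")) <= 32


def essid_argument(essid):
    """Quote an ESSID containing spaces, as the guide requires for commands."""
    return f'"{essid}"' if " " in essid else essid


def validate(kind, value):
    """Dispatch on the Table 5 identifier type; True when value is well-formed."""
    checks = {
        "ip": is_ipv4,
        "netmask": is_netmask,
        "mac": is_mac,
        "bssid": is_mac,
        "ssid": is_ssid,
        "essid": is_ssid,
    }
    return checks[kind](value)


if __name__ == "__main__":
    # Constructed inputs, including the table's own 10.4.1.258 example.
    samples = [
        ("ip", "10.4.1.258"), ("ip", "10.4.1.25"),
        ("netmask", "255.255.255.0"), ("netmask", "255.0.255.0"),
        ("mac", "00:05:4e:50:14:aa"), ("ssid", "WLAN-01"),
    ]
    for kind, value in samples:
        print(f"{kind:8} {value:20} {'ok' if validate(kind, value) else 'INVALID'}")
    print(essid_argument("Corp WiFi"))
```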

Contacting Support

Main Site
    arubanetworks.com (http://www.arubanetworks.com/)
Support Site
    support.arubanetworks.com (https://support.arubanetworks.com/)
Airheads Social Forums and Knowledge Base
    community.arubanetworks.com (http://community.arubanetworks.com/)
North American Telephone
    1-800-943-4526 (Toll Free)
    1-408-754-1200
International Telephone
    arubanetworks.com/support-services/contact-support/ (http://www.arubanetworks.com/support-services/contact-support/)
Software Licensing Site
    hpe.com/networking/support (https://h10145.www1.hpe.com/support/SupportLookUp.aspx)
End-of-life Information
    arubanetworks.com/support-services/end-of-life/ (http://www.arubanetworks.com/support-services/end-of-life/)
Security Incident Response Team
    Site: arubanetworks.com/support-services/security-bulletins/ (http://www.arubanetworks.com/support-services/security-bulletins/)
    Email: [email protected]

Table 6: Contact Information

aaa alias-group

aaa alias-group
  clone
  no ...
  set vlan condition essid|location equals set-value

Description

This command configures an AAA alias with a set of VLAN derivation rules that could speed up user rule derivation processing for deployments with a very large number of UDRs.

Syntax

    Name of the alias group.
clone
    Copy data from another alias group.
set vlan condition essid|location equals set-value
    Specify rules to derive role and VLAN.

Command History

Release            Modification
ArubaOS 8.0.0.0    Command introduced.

Command Information

Platforms        License                   Command Mode
All platforms    Base operating system.    Config mode on Mobility Master.

  • Revision 03 | March 2019 ArubaOS 8.4.0.x | Reference Guide

    aaa auth-survivability

    aaa auth-survivability
        cache-lifetime
        enable
        server-cert

    Description
    This command configures Authentication Survivability on a managed device.

    Syntax

    cache-lifetime
        This parameter specifies the lifetime in hours for the cached access credential in the local Survival Server. When the specified cache-lifetime expires, the cached access credential is deleted from the managed device. The valid range is from 1 to 72 hours.
        Default: 24 hours.
    enable
        This parameter controls whether to use the Survival Server when no other servers in the server group are in service. This parameter also controls whether to store the user access credential in the Survival Server when it is authenticated by an external RADIUS or LDAP server in the server group. Authentication Survivability is enabled or disabled on each managed device.
        NOTE: Authentication survivability will not activate if the Authentication Server Dead Time is configured as 0.
        Default: Disabled.
    server-cert
        This parameter allows you to view the name of the server certificate used by the local Survival Server. The local Survival Server is provided with a default server certificate from AOS. The customer server certificate must be imported into the managed device first, and then you can assign the server certificate to the local Survival Server.
        NOTE: In the deployment environment, it is recommended that you switch to a customer server certificate.

    Usage Guidelines
    Use this command to configure authentication survivability on Mobility Master mode in the managed device node.

    Command History

    Release          Modification
    ArubaOS 8.0.0.0  Command introduced.

    Command Information

    Platforms      License                 Command Mode
    All platforms  Base operating system.  Config mode on Mobility Master.

    aaa auth-trace

    aaa auth-trace
        loglevel

    Description
    This command sets parameters for debug tracing in AUTH (lightweight tracing).

    Syntax

    loglevel
        Specify the log level of syslogs that will be included in the trace.
        alert      Trace all logs equal to or higher than LOG_ALERT.
        critical   Trace all logs equal to or higher than LOG_CRIT.
        debug      Trace all logs equal to or higher than LOG_DEBUG.
        emergency  Trace all logs equal to or higher than LOG_EMERG.
        error      Trace all logs equal to or higher than LOG_ERR.
        info       Trace all logs equal to or higher than LOG_INFO.
        notice     Trace all logs equal to or higher than LOG_NOTICE.
        warn       Trace all logs equal to or higher than LOG_WARN.

    Usage Guidelines
    Use this command to set the parameters for debug tracing in AUTH (lightweight tracing).

    Command History

    Version          Description
    ArubaOS 8.0.0.0  Command introduced.

    Command Information

    Platforms      Licensing               Command Mode
    All platforms  Base operating system.  Config mode on Mobility Master in the managed device node.

    aaa authentication captive-portal

    aaa authentication captive-portal
        apple-cna-bypass
        ap-mac-in-redirection-url
        auth-protocol mschapv2|pap|chap
        black-list
        clone
        default-guest-role
        default-role
        enable-welcome-page
        guest-logon
        ip-addr-in-redirection
        login-page
        logon-wait {cpu-threshold }|{maximum-delay }|{minimum-delay }
        logout-popup-window
        max-authentication-failures
        no ...
        protocol-http
        proxy port
        redirect-pause
        redirect-url
        server-group
        show-acceptable-use-policy
        show-fqdn
        single-session
        switchip-in-redirection-url
        url-hash-key
        user-idle-timeout
        user-logon
        user-vlan-in-redirection-url
        welcome-page
        white-list

    Description
    This command configures a Captive Portal authentication profile.

    Syntax

    (profile name)
        Name that identifies an instance of the profile. The name must be 1-63 characters.
        Range: —. Default: default.
    apple-cna-bypass
        Enable this knob to bypass Apple CNA on iOS devices such as iPad, iPhone, and iPod. You need to perform Captive Portal authentication from the browser.
        Range: —. Default: —.
    authentication-protocol chap|mschapv2|pap
        This parameter specifies the type of authentication required by this profile. PAP is the default authentication type.
        Range: mschapv2, pap, chap. Default: pap.

    ap-mac-in-redirection-url
        This parameter adds the AP's MAC address in the redirection URL.
        Range: —. Default: disabled.
    black-list
        Name of an existing black list on an IPv4 or IPv6 network destination. The black list contains websites (unauthenticated) that a guest cannot access. Specify a netdestination host or subnet to add that netdestination to the captive portal blacklist. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the blacklist.
        Range: —. Default: —.
    clone
        Name of an existing Captive Portal profile from which parameter values are copied.
        Range: —. Default: —.
    default-guest-role
        Role assigned to guest.
        Range: —. Default: guest.
    default-role
        Role assigned to the Captive Portal user when that user logs in. When both user and guest logons are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role.
        Range: —. Default: guest.
    enable-welcome-page
        Displays the configured welcome page before the user is redirected to their original URL. If this option is disabled, redirection to the web URL happens immediately after the user logs in.
        Range: enabled or disabled. Default: enabled.
    guest-logon
        Enables Captive Portal logon without authentication.
        Range: enabled or disabled. Default: disabled.
    ipaddr-in-redirection-url
        Sends the interface IP address of the managed device in the redirection URL when external captive portal servers are used. An external captive portal server can determine the managed device from which a request originated by parsing the switchip variable in the URL.
        Range: —. Default: —.
    login-page
        URL of the page that appears for the user logon. This can be set to any URL.
        Range: —. Default: /auth/index.html.
    logon-wait
        Configure parameters for the logon wait interval.
        Range: 1-100. Default: 60%.

        cpu-threshold
            CPU utilization percentage above which the logon wait interval is applied when presenting the user with the logon page.
            Range: 1-100. Default: 60%.
        maximum-delay
            Maximum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter.
            Range: 1-10. Default: 10 seconds.
        minimum-delay
            Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter.
            Range: 1-10. Default: 5 seconds.
    logout-popup-window
        Enables a pop-up window with the Logout link that allows the user to log out. If this option is disabled, the user remains logged in until the user timeout period has elapsed or the station reloads.
        Range: enabled or disabled. Default: enabled.
    max-authentication-failures
        Maximum number of authentication failures before the user is blacklisted.
        Range: 0-10. Default: 0.
    no
        Negates any configured parameter.
        Range: —. Default: —.
    protocol-http
        Use HTTP protocol on redirection to the Captive Portal page. If you use this option, modify the captive portal policy to allow HTTP traffic.
        Range: enabled or disabled. Default: disabled (HTTPS is used).
    proxy
        Update IP address of the proxy host.
        Range: —. Default: —.
    redirect-pause
        Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link.
        Range: 1-60. Default: 10 seconds.
    redirect-url
        URL to which an authenticated user will be directed. This parameter must be an absolute URL that begins with either http:// or https://.
        Range: —. Default: —.
    server-group
        Name of the group of servers used to authenticate Captive Portal users. See aaa server-group on page 104.
        Range: —. Default: —.

    show-fqdn
        Allows the user to see and select the FQDN on the login page. The FQDNs shown are specified when configuring individual servers for the server group used with captive portal authentication.
        Range: enabled or disabled. Default: disabled.
    single-session
        Allows only one active user session at a time.
        Range: —. Default: disabled.
    show-acceptable-use-policy
        Show the acceptable use policy page before the login page.
        Range: enabled or disabled. Default: disabled.
    switchip-in-redirection-url
        Sends the IP address of the managed device in the redirection URL when external captive portal servers are used. An external captive portal server can determine the managed device from which a request originated by parsing the switchip variable in the URL.
        Range: enabled or disabled. Default: disabled.
    url-hash-key
        Issue this command to hash the redirection URL using the specified key.
        Range: —. Default: disabled.
    user-idle-timeout
        The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.
        Range: —. Default: disabled.
    user-logon
        Enables Captive Portal with authentication of user credentials.
        Range: enabled or disabled. Default: enabled.
    user-vlan-in-redirection-url
        Add the user VLAN in the redirection URL.
        Range: enabled or disabled. Default: disabled.
    welcome-page
        URL of the page that appears after logon and before redirection to the web URL. This can be set to any URL.
        Range: —. Default: /auth/welcome.html.
    white-list
        Name of an existing white list on an IPv4 or IPv6 network destination. The white list contains authenticated websites that a guest can access. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the whitelist.
        Range: —. Default: —.

    Usage Guidelines
    You can configure the Captive Portal authentication profile in the base operating system or with the PEFNG license installed. When you configure the profile in the base operating system, the name of the profile must be entered for the initial role in the AAA profile. Also, when you configure the profile in the base operating system, you cannot define the default-role.

    Example
    The following example configures a Captive Portal authentication profile that authenticates users against the internal database. Users who are successfully authenticated are assigned the auth-guest role.

    To create the auth-guest user role shown in this example, the PEFNG license must be installed in the Mobility Master.

    (host) ^[md] (config) #aaa authentication captive-portal guestnet
    (host) ^[md] (Captive Portal Authentication Profile "guestnet") #default-role auth-guest
    (host) ^[md] (Captive Portal Authentication Profile "guestnet") #user-logon
    (host) ^[md] (Captive Portal Authentication Profile "guestnet") #no guest-logon
    (host) ^[md] (Captive Portal Authentication Profile "guestnet") #server-group internal

    Command History

    Release          Modification
    ArubaOS 8.4.0.0  ap-mac-in-redirection-url parameter was introduced.
    ArubaOS 8.0.0.0  Command introduced.

    Command Information

    Platforms      License                                                Command Mode
    All platforms  Base operating system, except for noted parameters.  Config mode on managed devices.

    aaa authentication dot1x

    aaa authentication dot1x {|countermeasures}
        ca-cert
        cert-cn-lookup
        clear
        clone
        delete-keycache
        eap-frag-mtu
        eapol-logoff
        enforce-suite-b-128
        enforce-suite-b-192
        framed-mtu
        heldstate-bypass-counter
        ignore-eap-id-match
        ignore-eapolstart-afterauthentication
        key-cache clear
        machine-authentication blacklist-on-failure|{cache-timeout }|enable|{machine-default-role }|{user-default-role }
        max-authentication-failures
        max-requests
        multicast-keyrotation
        no ...
        opp-key-caching
        reauth-max
        reauth-server-termination-action
        reauthentication
        reload-cert
        server {server-retry |server-retry-period }
        server-cert
        termination {eap-type }|enable|enable-token-caching|{inner-eap-type (eap-gtc|eap-mschapv2)}|{token-caching-period }
        timer {idrequest_period }|{keycache-tmout }|{mkey-rotation-period }|{quiet-period }|{reauth-period }|{ukey-rotation-period }|{wpa-groupkey-delay }|{wpa-key-period }|wpa2-key-delay
        tls-guest-access
        tls-guest-role
        unicast-keyrotation
        use-session-key
        use-static-key
        validate-pmkid
        wep-key-retries
        wep-key-size {40|128}
        wpa-fast-handover
        wpa-key-retries
        xSec-mtu

    Description
    This command configures the 802.1X authentication profile.

    Syntax

    (profile name)
        Name that identifies an instance of the profile. The name must be 1-63 characters.
        Range: —. Default: default.
    clear
        Clear the Cached PMK, Role and VLAN entries. This command is available in enable mode only.
        Range: —. Default: —.
    countermeasures
        Scans for message integrity code failures in traffic received from clients. If there are more than 2 message integrity code failures within 60 seconds, the AP is shut down for 60 seconds. This option is intended to slow down an attacker who is making a large number of forgery attempts in a short time.
        Range: —. Default: disabled.
    ca-cert
        CA certificate for client authentication. The CA certificate needs to be loaded in the Mobility Master.
        Range: —. Default: —.
    ca-cert-name
        Name of the CA certificate.
        Range: —. Default: —.
    cert-cn-lookup
        If you use client certificates for user authentication, enable this option to verify that the CN of the certificate exists in the server. This parameter is disabled by default.
        Range: —. Default: —.
    delete-keycache
        Delete the key cache entry when the user entry is deleted.
        Range: —. Default: disabled.
    eap-frag-mtu
        Enables EAP-TLS fragmentation for the configured IP MTU.
        NOTE: If configured, the EAP-TLS fragmentation is applied to all authentication servers. If the IP MTU is different for each authentication server, configure the minimum IP MTU.
        Range: —. Default: —.
    eapol-logoff
        Enables handling of EAPOL-LOGOFF messages.
        Range: —. Default: disabled.
    enforce-suite-b-128
        Configure Suite-B 128 bit or more security level authentication enforcement.
        Range: —. Default: disabled.
    enforce-suite-b-192
        Configure Suite-B 192 bit or more security level authentication enforcement.
        Range: —. Default: disabled.

    framed-mtu
        Sets the framed MTU attribute sent to the authentication server.
        Range: 500-1500. Default: 1100.
    heldstate-bypass-counter
        This parameter is applicable when 802.1X authentication is terminated on the Mobility Master, also known as AAA FastConnect. Number of consecutive authentication failures which, when reached, causes the Mobility Master to not respond to authentication requests from a client while the Mobility Master is in a held state after the authentication failure. Until this number is reached, the Mobility Master responds to authentication requests from the client even while the Mobility Master is in its held state.
        Range: 0-3. Default: 0.
    ignore-eap-id-match
        Ignore EAP ID during negotiation.
        Range: —. Default: disabled.
    ignore-eapolstart-afterauthentication
        Ignores EAPOL-START messages after authentication.
        Range: —. Default: disabled.
    key-cache clear
        Clears the Cached PMK, Role and VLAN.
        Range: —. Default: —.
    machine-authentication
        This parameter is applicable in Windows environments only. These parameters set machine authentication.
        NOTE: This parameter requires the PEFNG license.
        Range: —. Default: —.
        blacklist-on-failure
            Blacklists the client if machine authentication fails.
            Range: —. Default: disabled.
        cache-timeout
            The timeout, in hours, for machine authentication.
            Range: 1-1000. Default: 24 hours.
        enable
            Select this option to enforce machine authentication before user authentication. If selected, either the machine-default-role or the user-default-role is assigned to the user, depending on which authentication is successful.
            Range: —. Default: disabled.
        machine-default-role
            Default role assigned to the user after completing only machine authentication.
            Range: —. Default: guest.
        user-default-role
            Default role assigned to the user after 802.1X authentication.
            Range: —. Default: guest.

    max-authentication-failures
        Number of times a user can try to log in with wrong credentials after which the user is blacklisted as a security threat. Set to 0 to disable blacklisting, otherwise enter a non-zero integer to blacklist the user after the specified number of failures.
        Range: 0-5. Default: 0 (disabled).
    max-requests
        Maximum number of times ID requests are sent to the client.
        Range: 1-10. Default: 5.
    multicast-keyrotation
        Enables multicast key rotation.
        Range: —. Default: disabled.
    no
        Negates any configured parameter.
        Range: —. Default: —.
    opp-key-caching
        Enables a cached PMK derived with a client and an associated AP to be used when the client roams to a new AP. This allows clients faster roaming without a full 802.1X authentication.
        NOTE: Make sure that the wireless client (the 802.1X supplicant) supports this feature. If the client does not support this feature, the client will attempt to renegotiate the key whenever it roams to a new AP. As a result, the key cached on the managed device can be out of sync with the key used by the client.
        Range: —. Default: enabled.
    reauth-max
        Maximum number of reauthentication attempts.
        Range: 1-10. Default: 3.
    reauth-server-termination-action
        Specifies the termination-action attribute from the server.
    reauthentication
        Select this option to force the client to do a 802.1X reauthentication after the expiration of the default timer for reauthentication. (The default value of the timer is 24 hours.) If the user fails to reauthenticate with valid credentials, the state of the user is cleared. If derivation rules are used to classify 802.1X-authenticated users, then the reauthentication timer per role overrides this setting.
        Range: —. Default: disabled.
    reload-cert
        Reload certificate for 802.1X termination. This command is available in enable mode only.
        Range: —. Default: —.

    server
        Sets options for sending authentication requests to the authentication server group.
        server-retry
            Maximum number of authentication requests that are sent to the server group.
            Range: 0-5. Default: 3.
        server-retry-period
            Server group retry interval, in seconds.
            Range: 2-65535. Default: 5 seconds.
    server-cert
        Server certificate used by the managed device to authenticate itself to the client.
        Range: —. Default: —.
    termination
        Sets options for terminating 802.1X authentication on the managed device.
        eap-type
            The EAP method, either EAP-PEAP or EAP-TLS.
            Range: eap-peap or eap-tls. Default: eap-peap.
        enable
            Enables 802.1X termination on the managed device.
            Range: —. Default: disabled.
        enable-token-caching
            If you select EAP-GTC as the inner EAP method, you can enable the Mobility Master to cache the username and password of each authenticated user. The Mobility Master continues to reauthenticate users with the remote authentication server; however, if the authentication server is not available, the Mobility Master will inspect its cached credentials to reauthenticate users.
            Range: —. Default: disabled.
        inner-eap-type eap-gtc|eap-mschapv2
            When EAP-PEAP is the EAP method, one of the following inner EAP types is used:
            EAP-GTC: Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecureID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the Mobility Master as a backup to an external authentication server.
            EAP-MSCHAPv2: Described in RFC 2759, this EAP method is widely supported by Microsoft clients.
            Range: eap-gtc or eap-mschapv2. Default: eap-mschapv2.

        token-caching-period
            If you select EAP-GTC as the inner EAP method, you can specify the timeout period, in hours, for the cached information.
            Range: (any). Default: 24 hours.
    timer
        Sets timer options for 802.1X authentication:
        idrequest-period
            Interval, in seconds, between identity request retries.
            Range: 1-65535. Default: 5 seconds.
        keycache-tmout
            Set the per BSSID PMKSA cache interval. Cache is deleted within 2 hours of the interval.
            Range: 1-2000 (hours). Default: 8 hours.
        mkey-rotation-period
            Interval, in seconds, between multicast key rotation.
            Range: 60-864000. Default: 1800 seconds.
        quiet-period
            Interval, in seconds, following failed authentication.
            Range: 1-65535. Default: 30 seconds.
        reauth-period
            Interval, in seconds, between reauthentication attempts, or specify server to use the server-provided reauthentication period.
            Range: 60-864000. Default: 86400 seconds (1 day).
        ukey-rotation-period
            Interval, in seconds, between unicast key rotation.
            Range: 60-864000. Default: 900 seconds.
        wpa-groupkey-delay
            Interval, in milliseconds, between unicast and multicast key exchanges.
            Range: 0-2000. Default: 0 ms (no delay).
        wpa-key-period
            Interval, in milliseconds, between each WPA key exchange.
            Range: 10-5000. Default: 1000 ms.
        wpa2-key-delay
            Set the delay between EAP-Success and unicast key exchange.
            Range: 1-2000. Default: 0 ms (no delay).
    tls-guest-access
        Enables guest access for EAP-TLS users with valid certificates.
        Range: —. Default: disabled.
    tls-guest-role
        User role assigned to EAP-TLS guest.
        NOTE: This parameter requires the PEFNG license.
        Range: —. Default: guest.
    unicast-keyrotation
        Enables unicast key rotation.
        Range: —. Default: disabled.
    use-session-key
        Use RADIUS session key as the unicast WEP key.
        Range: —. Default: disabled.
    use-static-key
        Use static key as the unicast or multicast WEP key.
        Range: —. Default: disabled.

    validate-pmkid
        This parameter instructs the Mobility Master to check the PMKID sent by the client. When this option is enabled, the client must send a PMKID in the associate or reassociate frame to indicate that it supports OKC or PMK caching; otherwise, full 802.1X authentication takes place. (This feature is optional, since most clients that support OKC and PMK caching do not send the PMKID in their association request.)
        Range: —. Default: disabled.
    wep-key-retries
        Number of times WPA or WPA2 key messages are retried.
        Range: 1-3. Default: 2.
    wep-key-size
        Dynamic WEP key size, either 40 or 128 bits.
        Range: 40 or 128. Default: 128 bits.
    wpa-fast-handover
        Enables WPA-fast-handover. This is only applicable for phones that support WPA and fast handover.
        Range: —. Default: disabled.
    wpa-key-retries
        Set the number of times WPA or WPA2 Key Messages are retried. The supported range is 1-10 retries, and the default value is 3.
        Range: 1-10. Default: 3.
    xSec-mtu
        Sets the size of the MTU for xSec.
        Range: 1024-1500. Default: 1300 bytes.

    Usage Guidelines
    The 802.1X authentication profile allows you to enable and configure machine authentication and 802.1X termination on the managed device (also called AAA FastConnect).

    In the AAA profile, specify the 802.1X authentication profile, the default role for authenticated users, and the server group for the authentication.

    Examples
    The following example enables authentication of the user’s client device before user authentication. If machine authentication fails but user authentication succeeds, the user is assigned the restricted guest role:

    (host) ^[md] (config) #aaa authentication dot1x dot1x
    (host) ^[md] (802.1X Authentication Profile "dot1x") #machine-authentication enable
    (host) ^[md] (802.1X Authentication Profile "dot1x") #machine-authentication machine-default-role computer
    (host) ^[md] (802.1X Authentication Profile "dot1x") #machine-authentication user-default-role guest

    The following example configures an 802.1X profile that terminates authentication on the managed device, where the user authentication is performed with the internal database of the managed device or to a “backend” non-802.1X server:

    (host) ^[md] (config) #aaa authentication dot1x dot1x
    (host) ^[md] (802.1X Authentication Profile "dot1x") #termination enable
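As an added example (not part of the guide and not Aruba code), the following Python script reads a constructed config text written in the style of the CLI examples for the captive-portal and 802.1X profiles above and flags the settings from those two tables that weaken authentication: protocol-http, max-authentication-failures 0, a missing url-hash-key, a non-absolute redirect-url, inner-eap-type eap-gtc and enable-token-caching. The sample text, profile names and the PLACEHOLDER-KEY value are constructed, and the block layout it parses (command at column 0, parameters indented, a closing "!") is an assumption about the running-config format rather than something the guide states.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the style of this page's CLI examples; it is not a real device
# config. PLACEHOLDER-KEY and the redirect host are placeholders, not values from the guide.
SAMPLE_CONFIG = """\
aaa authentication captive-portal guestnet
   default-role auth-guest
   user-logon
   no guest-logon
   server-group internal
   protocol-http
   max-authentication-failures 0
!
aaa authentication captive-portal guestnet-hardened
   default-role auth-guest
   user-logon
   no guest-logon
   server-group internal
   max-authentication-failures 3
   url-hash-key PLACEHOLDER-KEY
   redirect-url https://intranet.example.test/
!
aaa authentication dot1x dot1x
   machine-authentication enable
   termination enable
   termination inner-eap-type eap-gtc
   max-authentication-failures 0
!
"""

# Profile headers this audit understands (assumed layout: command at column 0).
HEADER = re.compile(r"^aaa authentication (captive-portal|dot1x) (\S+)\s*$")


@dataclass
class Profile:
    kind: str                                   # "captive-portal" or "dot1x"
    name: str
    lines: list = field(default_factory=list)   # each parameter line, split into words

    def has(self, *words):
        """True when some parameter line starts with exactly these words."""
        return any(line[:len(words)] == list(words) for line in self.lines)

    def value(self, *words, default=None):
        """Trailing value of the first line starting with these words, else default."""
        for line in self.lines:
            if line[:len(words)] == list(words):
                return " ".join(line[len(words):]) or default
        return default


def parse_profiles(text):
    """Split config text into profile blocks; an unindented line ('!' included) closes a block."""
    profiles, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        header = HEADER.match(line)
        if header:
            current = Profile(header.group(1), header.group(2))
            profiles.append(current)
        elif not line.startswith(" "):
            current = None          # end of block, or a command this audit ignores
        elif current is not None:
            current.lines.append(line.split())
    return profiles


def audit_profile(p):
    """Weak settings in one profile; each check maps to a parameter and default on this page."""
    findings = []
    if p.kind == "captive-portal":
        if p.has("protocol-http"):
            findings.append("protocol-http: portal redirection over HTTP instead of the HTTPS default")
        if p.value("max-authentication-failures", default="0") == "0":
            findings.append("max-authentication-failures 0: failed logons never blacklist the user")
        if not p.has("url-hash-key"):
            findings.append("url-hash-key unset: redirection URL is not hashed (default disabled)")
        url = p.value("redirect-url")
        if url and not url.startswith(("http://", "https://")):
            findings.append("redirect-url is not an absolute http:// or https:// URL")
    elif p.kind == "dot1x":
        if p.value("max-authentication-failures", default="0") == "0":
            findings.append("max-authentication-failures 0: blacklisting after failed logons is disabled")
        if p.has("termination", "inner-eap-type", "eap-gtc"):
            findings.append("inner-eap-type eap-gtc: inner method carries usernames and passwords unencrypted")
        if p.has("termination", "enable-token-caching"):
            findings.append("enable-token-caching: user credentials are cached on the Mobility Master")
    return findings


def audit_config(text):
    """Map each profile name to its findings (an empty list means nothing was flagged)."""
    return {p.name: audit_profile(p) for p in parse_profiles(text)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or ["no findings"])
```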

    Command History

    Release          Modification
    ArubaOS 8.4.0.0  Added eap-frag-mtu parameter.
    ArubaOS 8.0.0.0  Command introduced.

    Command Information

    Platforms      License                                                                   Command Mode
    All platforms  Base operating system. The voice-aware parameter requires the PEFNG license.  Config mode on Mobility Master.

    aaa authentication mac

    aaa authentication mac
        case upper|lower
        clone
        delimiter {colon|dash|none}
        max-authentication-failures
        no ...
        reauthentication
        timer reauth period {|server}

    Description
    This command configures the MAC authentication profile.

    Syntax

    (profile name)
        Name that identifies an instance of the profile. The name must be 1-63 characters.
        Range: —. Default: default.
    case
        The case (upper or lower) used in the MAC string sent in the authentication request. If there is no delimiter configured, the MAC address in lower case is sent in the format xxxxxxxxxxxx, while the MAC address in upper case is sent in the format XXXXXXXXXXXX.
        Range: upper, lower. Default: lower.
    clone
        Name of an existing MAC profile from which parameter values are copied.
        Range: —. Default: —.
    delimiter
        Delimiter (colon, dash, none, oui-nic) used in the MAC string.
        Range: colon, dash, none, oui-nic. Default: none.
    max-authentication-failures
        Number of times a client can fail to authenticate before it is blacklisted. A value of 0 disables blacklisting.
        Range: 0-10. Default: 0 (disabled).
    no
        Negates any configured parameter.
        Range: —. Default: —.
    reauthentication
        Use this parameter to enable or disable reauthentication.
        Range: —. Default: Disabled.
    timer reauth period|server
        Specifies the period between reauthentication attempts in seconds. The server parameter specifies the server-provided reauthentication interval.
        Range: 60-864000 seconds. Default: 86400 seconds (1 day).

    Usage Guidelines
    The MAC authentication profile configures authentication of devices based on their physical MAC address. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to all other devices. Users may be required to authenticate themselves using other methods, depending upon the network privileges.

    Example
    The following example configures a MAC authentication profile to blacklist client devices that fail to authenticate.

    (host) ^[md] (config) #aaa authentication mac mac-blacklist
    (host) ^[md] (MAC Authentication Profile "mac-blacklist") #max-authentication-failures 3

    Command History

    Release          Modification
    ArubaOS 8.0.0.0  Command introduced.

    Command Information

    Platforms      License                 Command Mode
    All platforms  Base operating system.  Config mode on Mobility Master.

    aaa authentication mgmt

    aaa authentication mgmt
        default-role {ap-provisioning|guest-provisioning|location-api-mgmt|nbapi-mgmt|network-operations|no-access|read-only|root|standard}
        enable
        mchapv2
        no ...
        server-group

    Description
    This command configures authentication for administrative users.

    Syntax

    default-role
        Select a predefined management role to assign to authenticated administrative users:
        Range: —. Default: default.
        ap-provisioning      AP provisioning role.
        guest-provisioning   Guest provisioning role.
        location-api-mgmt    Location API management role.
        nbapi-mgmt           NBAPI management role.
        network-operations   Network operator role.
        read-only            Read-only role.
        root                 Default role or superuser role.
        standard             Standard role.
    enable
        Enables authentication for administrative users.
        Range: enabled|disabled. Default: disabled.
    mchapv2
        Enable MSCHAPv2.
        Range: enabled|disabled. Default: disabled.
    no
        Negates any configured parameter.
        Range: —. Default: —.
    server-group
        Name of the group of servers used to authenticate administrative users. See aaa server-group on page 104.
        Range: —. Default: default.

    Usage Guidelines
    If you enable authentication with this command, users configured with the mgmt-user command must be authenticated using the specified server-group.

    You can configure the management authentication profile in the base operating system or with the PEFNG license installed.

    Example
    The following example configures a management authentication profile that authenticates users against the internal database of the Mobility Master. Users who are successfully authenticated are assigned the read-only role.

    (host) [mynode] (config) aaa authentication mgmt
    default-role read-only
    server-group internal

    Command History

    Release          Modification
    ArubaOS 8.2.0.0  The standard parameter was added.
    ArubaOS 8.0.0.0  Command introduced.

    Command Information

    Platforms      License                 Command Mode
    All platforms  Base operating system.  Config mode on Mobility Master.

    aaa authentication-server internal

    aaa authentication-server internal use-local-switch

    Description
    This command specifies that the internal database on a managed device be used for authenticating clients.

    Usage Guidelines
    By default, the internal database in the Mobility Master is used for authentication. This command directs authentication to the internal database on the local managed device where you run the command.

    Command History

    Release          Modification
    ArubaOS 8.0.0.0  Command introduced.

    Command Information

    Platforms      License                 Command Mode
    All platforms  Base operating system.  Config mode on Mobility Master executed on the managed device node.

    aaa authentication-server ldapaaa authentication-server ldap

    admin-dn admin-passwd allow-cleartextauthport base-dn clone enablefilter host key-attribute max-connection no ...preferred-conn-type ldap-s|start-tls|clear-texttimeout

    DescriptionThis command configures an LDAP server.

    A maximum of 128 LDAP servers can be configured on the Mobility Master.

    Syntax

    Parameter / Description / Range / Default

    (server name)
        Name that identifies the server. (Range: —; Default: —)

    admin-dn
        DN for the admin user who has read or search privileges across all of the entries in the LDAP database (the user does not need write privileges but should be able to search the database and read attributes of other users in the database). (Range: —; Default: —)

    admin-passwd
        Password for the admin user. (Range: —; Default: —)

    allow-cleartext
        Allows clear-text (unencrypted) communication with the LDAP server. (Range: enabled or disabled; Default: disabled)

    authport
        Port number used for authentication. Port 636 is attempted for LDAP over SSL (ldap-s), while port 389 is attempted for SSL over LDAP, the Start TLS operation and clear text. (Range: 1-65535; Default: 389)

    base-dn
        DN of the node which contains the entire user database to use. (Range: —; Default: —)

    chase-referrals
        Chase referrals anonymously. (Range: —; Default: —)

    clone
        Name of an existing LDAP server configuration from which parameter values are copied. (Range: —; Default: —)

    enable
        Enables the LDAP server. (Range: —; Default: —)

    filter
        Filter that should be applied to the search for the user in the LDAP database. The default filter string is (objectclass=*). (Range: —; Default: (objectclass=*))

    host
        IP address of the LDAP server, in dotted-decimal format. (Range: —; Default: —)

    key-attribute
        Attribute that should be used as a key in the search for the LDAP server. For PAP, the value is sAMAccountName. For EAP-TLS termination the value is userPrincipalName. (Range: —; Default: sAMAccountName)

    max-connection
        Maximum number of simultaneous non-admin connections to an LDAP server. (Range: —; Default: —)

    no
        Negates any configured parameter. (Range: —; Default: —)

    preferred-conn-type
        Preferred connection type. The default order of connection types is: 1. ldap-s, 2. start-tls, 3. clear-text. The Mobility Master will first try to contact the LDAP server using the preferred connection type, and will only attempt a lower-priority connection type if the first attempt is not successful.
        NOTE: You must enable the allow-cleartext option before you select clear-text as the preferred connection type. If you set clear-text as the preferred connection type but do not allow clear-text, the Mobility Master will only use ldap-s or start-tls to contact the LDAP server. (Range: ldap-s, start-tls or clear-text; Default: ldap-s)

    timeout
        Timeout period of an LDAP request, in seconds. (Range: 1-30; Default: 20 seconds)

    Usage Guidelines

    You configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 104).

    Example

    The following command configures and enables an LDAP server:

    (host) ^[md] (config) #aaa authentication-server ldap ldap1
    (host) ^[md] (LDAP Server "ldap1") #host 10.1.1.243
    (host) ^[md] (LDAP Server "ldap1") #base-dn cn=Users,dc=1m,dc=corp,dc=com
    (host) ^[md] (LDAP Server "ldap1") #admin-dn cn=corp,cn=Users,dc=1m,dc=corp,dc=com
    (host) ^[md] (LDAP Server "ldap1") #admin-passwd abc10
    (host) ^[md] (LDAP Server "ldap1") #key-attribute sAMAccountName
    (host) ^[md] (LDAP Server "ldap1") #filter (objectclass=*)
    (host) ^[md] (LDAP Server "ldap1") #enable


    Command History

    Release Modification

    ArubaOS 8.0.0.0 Command introduced.

    Command Information

    Platforms License Command Mode

    All platforms Base operating system. Config mode on Mobility Master.


    aaa authentication-server radius

    aaa authentication-server radius
      acct-modifier
      acctport
      authport
      auth-modifier
      called-station-id type {ap-group | ap-macaddr | ap-name | ipaddr | macaddr | vlan-id} [delimiter {colon | dash | none}] [include-ssid {enable | disable}]
      clone
      cppm username password
      enable
      enable-ipv6
      enable-radsec
      host (IP address | FQDN)
      key
      mac-delimiter [colon | dash | none | oui-nic]
      mac-lowercase
      nas-identifier
      nas-ip
      nas-ip6
      no
      radsec-client-cert-name
      radsec-port
      radsec-trusted-cacert-name
      radsec-trusted-servercert-name
      retransmit
      service-type-framed-user
      source-interface vlan ip6addr
      timeout
      use-ip-for-calling-station
      use-md5

    Description

    This command configures a RADIUS server.

    Syntax

    Parameter / Description / Range / Default

    (server name)
        Name that identifies the server. (Range: —; Default: —)

    acct-modifier
        Attributes modifier for accounting-request. (Range: —; Default: —)

    acctport
        Accounting port on the server. (Range: 1-65535; Default: 1813)

    authport
        Authentication port on the server. (Range: 1-65535; Default: 1812)

    auth-modifier
        Attributes modifier for access-request. (Range: —; Default: —)

    called-station-id type {ap-group | ap-macaddr | ap-name | ipaddr | macaddr | vlan-id}
        Configure this parameter to be sent with the RADIUS attribute Called Station ID for authentication and accounting requests. The called-station-id parameter can be configured to include AP group, AP MAC address, AP name, Mobility Master IP, Mobility Master MAC address, or user VLAN. The default value is Mobility Master MAC address. (Range: —; Default: macaddr)

    clone
        Name of an existing RADIUS server configuration from which parameter values are copied. (Range: —; Default: —)

    cppm username password
        Configure the ClearPass Policy Manager username and password. The Mobility Master authenticating to ClearPass Policy Manager is enhanced to use a configurable username and password instead of the support password. The support password is vulnerable to attacks because the server certificate presented by the ClearPass Policy Manager server is not validated. (Range: —; Default: —)

    enable
        Enables the RADIUS server. (Range: —; Default: —)

    enable-ipv6
        Enables the RADIUS server in IPv6 mode. (Range: —; Default: —)

    enable-radsec
        Enables RadSec for RADIUS data transport over TCP and TLS. (Range: —; Default: —)

    host
        Identify the RADIUS server either by its IP address or FQDN. (Range: —; Default: —)
        (IP address) IPv4 or IPv6 address of the RADIUS server. (Range: —; Default: —)
        (FQDN) FQDN of the RADIUS server. The maximum supported length is 63 characters. (Range: —; Default: —)

    key
        Shared secret between the Mobility Master and the authentication server. The maximum length is 128 characters. (Range: —; Default: —)

    mac-delimiter [colon | dash | none | oui-nic]
        Send MAC address with user-defined delimiter. (Range: —; Default: none)

    mac-lowercase
        Send MAC addresses as lowercase. (Range: —; Default: —)

    nas-identifier
        NAS identifier to use in RADIUS packets. (Range: —; Default: —)

    nas-ip
        The NAS IP address to be sent in RADIUS packets from that server. If you define a local NAS IP setting using this command and also define a global NAS IP using the command ip radius nas-ip, the global NAS IP address takes precedence. (Range: —; Default: —)

    nas-ip6
        NAS IPv6 address to send in RADIUS packets. You can configure a global NAS IPv6 address that the Mobility Master uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IPv6, the global NAS IPv6 is used. To set the global NAS IPv6, enter the ipv6 radius nas-ip6 command. (Range: —; Default: —)

    no
        Negates any configured parameter. (Range: —; Default: —)

    radsec-client-cert
        Configures a RadSec client certificate on the RADIUS server to identify and authenticate clients. (Range: —; Default: —)

    radsec-port
        Designates a RadSec port for RADIUS data transport. (Range: 1-65535; Default: 2083)

    radsec-trusted-cacert-name
        Designates a CA to sign RadSec certificates. (Range: —; Default: —)

    radsec-trusted-servercert-name
        Designates a trusted RadSec server certificate. (Range: —; Default: —)

    retransmit
        Maximum number of retries sent to the server by the Mobility Master before the server is marked as down. (Range: 0-3; Default: 3)

    service-type-framed-user
        Send the service-type as FRAMED-USER instead of LOGIN-USER. This option is disabled by default. (Range: —; Default: disabled)

    source-interface vlan ip6addr
        This option associates a VLAN interface with the RADIUS server to allow the server-specific source interface to override the global configuration. (Range: —; Default: —)
        - If you associate a Source Interface (by entering a VLAN number) with a configured server, then the source IP address of the packet will be that interface's IP address.
        - If you do not associate the Source Interface with a configured server (leave the field blank), then the IP address of the global Source Interface will be used.
        - If you want to configure an IPv6 address for the Source Interface, specify the IPv6 address for the ip6addr parameter.

    timeout
        Maximum time, in seconds, that the Mobility Master waits before timing out the request and resending it. (Range: 1-30; Default: 5 seconds)

    use-ip-for-calling-station
        Use an IP address instead of a MAC address for calling station IDs. This option is disabled by default. (Range: —; Default: disabled)

    use-md5
        Use MD5 hash of cleartext password. (Range: —; Default: disabled)

    Usage Guidelines

    You configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 104).

    Example

    The following command configures and enables a RADIUS server:

    (host) [md] (config) #aaa authentication-server radius radius
    (host) [md] (RADIUS Server "radius") #host 10.1.1.244
    (host) [md] (RADIUS Server "radius") #key qwERtyuIOp
    (host) [md] (RADIUS Server "radius") #enable

    Command History

    Release Modification

    ArubaOS 8.1.0.0 The acct-modifier and auth-modifier parameters were introduced.

    ArubaOS 8.0.0.0 Command introduced.

    Command Information

    Platforms License Command Mode

    All platforms Base operating system. Config mode on Mobility Master.
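The LDAP preferred-conn-type fallback rule (clear-text is only usable once allow-cleartext is set) and the RADIUS transport parameters (enable-radsec, key) described above, exercised by an added configuration audit. This is example code, not Aruba's: the running-config block layout, the MIN_KEY_LEN threshold and the three sample server definitions are assumptions.

```python
"""Audit ArubaOS-style AAA server blocks for weak authentication transport.

Added example, not Aruba code. It assumes a running-config text in which each
server is an "aaa authentication-server <type> <name>" line followed by indented
parameter lines and a closing "!" (a constructed approximation of this page's CLI
blocks). MIN_KEY_LEN is a made-up local policy threshold, not an ArubaOS limit.
"""
import re

LDAP_ORDER = ["ldap-s", "start-tls", "clear-text"]  # default order given on the page
MIN_KEY_LEN = 16                                     # constructed policy threshold
HEADER = re.compile(r'^aaa authentication-server (ldap|radius|tacacs|windows) "?([^"\s]+)"?$')


def parse_config(text):
    """Return [(kind, name, params)]; flags map to True, 'no <param>' removes a setting."""
    servers, params = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER.match(line)
        if m:
            params = {}
            servers.append((m.group(1), m.group(2), params))
        elif params is None or not line.startswith(" "):
            params = None                      # "!" or any top-level line ends the block
        else:
            key, _, value = line.strip().partition(" ")
            if key == "no":
                params.pop(value.strip(), None)
            else:
                params[key] = value.strip().strip('"') or True
    return servers


def ldap_conn_order(params):
    """Connection types the Mobility Master tries, in order: the preferred type first,
    then the lower-priority types; clear-text is skipped unless allow-cleartext is set."""
    preferred = params.get("preferred-conn-type", "ldap-s")
    order = [preferred] + [t for t in LDAP_ORDER if t != preferred]
    if "allow-cleartext" not in params:
        order.remove("clear-text")
    return order


def audit(servers):
    """Return (server name, finding) pairs that a configuration review should question."""
    findings = []
    for kind, name, p in servers:
        if kind == "ldap":
            if "allow-cleartext" in p:
                findings.append((name, "clear-text LDAP allowed: admin-dn bind password may cross the network unencrypted"))
            if ldap_conn_order(p)[0] == "clear-text":
                findings.append((name, "clear-text is the preferred LDAP connection type"))
            elif p.get("preferred-conn-type") == "clear-text":
                findings.append((name, "preferred clear-text is ignored without allow-cleartext; ldap-s/start-tls used"))
        elif kind == "radius":
            if "enable-radsec" not in p:
                findings.append((name, "RADIUS over UDP relies on the shared secret alone; enable-radsec moves it onto TLS"))
            key = p.get("key", "")
            if isinstance(key, str) and len(key) < MIN_KEY_LEN:
                findings.append((name, f"shared secret shorter than {MIN_KEY_LEN} characters"))
    return findings


# Constructed sample mirroring the ldap1 and radius examples on this page.
SAMPLE_CONFIG = """\
aaa authentication-server ldap "ldap1"
   host 10.1.1.243
   allow-cleartext
   preferred-conn-type clear-text
!
aaa authentication-server ldap "ldap2"
   host 10.1.1.250
   preferred-conn-type clear-text
!
aaa authentication-server radius "radius"
   host 10.1.1.244
   key qwERtyuIOp
!
"""
```

Running audit(parse_config(SAMPLE_CONFIG)) reports two findings for ldap1, one for ldap2 (its clear-text preference is ignored, as the NOTE above states) and two for the radius server.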


    aaa authentication-server tacacs

    aaa authentication-server tacacs
      clone
      enable
      host
      key
      no ...
      retransmit
      session-authorization
      source-interface
      tcp-port
      timeout

    Description

    This command configures a TACACS+ server.

    A maximum of 128 TACACS servers can be configured on the Mobility Master.

    Syntax

    Parameter / Description / Range / Default

    (server name)
        Name that identifies the server. (Range: —; Default: —)

    clone
        Name of an existing TACACS server configuration from which parameter values are copied. (Range: —; Default: —)

    enable
        Enables the TACACS server. (Range: —; Default: —)

    host
        IPv4 or IPv6 address of the TACACS server. (Range: —; Default: —)

    key
        Shared secret to authenticate communication between the TACACS client and server. (Range: —; Default: —)

    no
        Negates any configured parameter. (Range: —; Default: —)

    retransmit
        Maximum number of times a request is retried. (Range: 0-3; Default: 3)

    session-authorization
        Enables TACACS+ authorization. Session-authorization turns on the optional authorization session for admin users. (Range: —; Default: disabled)

    source-interface
        Select the source address of outgoing TACACS requests to the server. (Range: —; Default: —)

    vlan
        Select the VLAN of outgoing TACACS requests to the server. (Range: 1-4094; Default: —)

    tcp-port
        TCP port used by the server. (Range: 1-65535; Default: 49)

    timeout
        Timeout period of a TACACS request, in seconds. (Range: 1-30; Default: 20 seconds)


    Usage Guidelines

    You configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 104).

    Example

    The following command configures and enables a TACACS+ server and enables session authorization:

    (host) ^[md] (config) #aaa authentication-server tacacs tacacs1
    (host) ^[md] (TACACS Server "tacacs1") #clone default
    (host) ^[md] (TACACS Server "tacacs1") #host 10.1.1.245
    (host) ^[md] (TACACS Server "tacacs1") #key qwERtyuIOp
    (host) ^[md] (TACACS Server "tacacs1") #enable
    (host) ^[md] (TACACS Server "tacacs1") #session-authorization

    Command History

    Release Modification

    ArubaOS 8.2.0.0 The source-interface parameter was added.

    ArubaOS 8.0.0.0 Command introduced.

    Command Information

    Platforms License Command Mode

    All platforms Base operating system. Config mode on Mobility Master.


    aaa authentication-server windows

    aaa authentication-server windows
      clone
      domain
      enable
      host
      no

    Description

    This command configures a Windows server for stateful-NTLM authentication.

    Syntax

    Parameter / Description

    (server name)
        Name of the Windows server. You will use this name when you add the Windows server to a server group.

    clone
        Name of a Windows server from which you want to make a copy.

    domain
        The Windows domain for the authentication server.

    enable
        Enables the Windows server.

    host
        IP address of the Windows server.

    no
        Delete command.

    Usage Guidelines

    You must define a Windows server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 104). Windows servers are used for stateful-NTLM authentication.

    Example

    The following command configures and enables a Windows server:

    (host) ^[md] (config) #aaa authentication-server windows IAS_1
    (host) ^[md] (Windows Server "IAS_1") #host 10.1.1.245
    (host) ^[md] (Windows Server "IAS_1") #enable

    Command History

    Release Modification

    ArubaOS 8.0.0.0 Command introduced.

    Command Information

    Platforms License Command Mode

    All platforms Base operating system. Config mode on Mobility Master.


    aaa authentication stateful-dot1x

    aaa authentication stateful-dot1x
      default-role
      enable
      no ...
      server-group
      timeout

    Description

    This command configures 802.1X authentication for clients on non-Aruba APs.

    Syntax

    Parameter / Description / Range / Default

    default-role
        Role assigned to the 802.1X user upon login. NOTE: The PEFNG license must be installed. (Range: —; Default: guest)

    enable
        Enables 802.1X authentication for clients on non-Aruba APs. Use no enable to disable stateful 802.1X authentication. (Range: —; Default: enabled)

    no
        Negates any configured parameter. (Range: —; Default: —)

    server-group
        Name of the group of RADIUS servers used to authenticate the 802.1X users. See aaa server-group on page 104. (Range: —; Default: —)

    timeout
        Timeout period, in seconds. (Range: 1-20; Default: 10 seconds)

    Usage Guidelines

    This command configures 802.1X authentication for clients on non-Aruba APs. The Mobility Master maintains user session state information for these clients.

    Example

    The following command assigns the employee user role to clients who successfully authenticate with the server group corp-rad:

    (host) ^[md] (config) aaa authentication stateful-dot1x
    default-role employee
    server-group corp-rad

    Command History

    Release Modification

    ArubaOS 8.0.0.0 Command introduced.


    Command Information

    Platforms License Command Mode

    All platforms Base operating system. Config mode on Mobility Master.


    aaa authentication stateful-dot1x clear

    Description

    This command clears automatically-created control path entries for 802.1X users on non-Aruba APs.

    Syntax

    No parameters.

    Usage Guidelines

    Run this command after changing the configuration of a RADIUS server in the server group configured with the aaa authentication stateful-dot1x command. This causes entries for the users to be created in the control path with the updated configuration information.

    Command History

    Release Modification

    ArubaOS 8.0.0.0 Command introduced.

    Command Information

    Platforms License Command Mode

    All platforms Base operating system. Config mode on Mobility Master in the managed device node.


    aaa authentication stateful-kerberos

    aaa authentication stateful-kerberos
      clone
      default-role
      no
      server-group
      timeout

    Description

    This command configures stateful Kerberos authentication.

    Syntax

    Parameter / Description / Range / Default

    clone
        Create a copy of an existing stateful Kerberos profile. (Range: —; Default: —)

    default-role
        Select an existing role to assign to authenticated users. (Range: —; Default: guest)

    no
        Negates any configured parameter. (Range: —; Default: —)

    server-group
        Name of a server group. (Range: —; Default: default)

    timeout
        Amount of time, in seconds, before the request times out. (Range: 1-20 seconds; Default: 10 seconds)

    Example

    (host) ^[md] (config) #aaa authentication stateful-kerberos default
    (host) ^[md] (Stateful Kerberos Authentication Profile "default") #default-role guest
    (host) ^[md] (Stateful Kerberos Authentication Profile "default") #timeout 10
    (host) ^[md] (Stateful Kerberos Authentication Profile "default") #server-group internal

    Command History

    Release Modification

    ArubaOS 8.0.0.0 Command introduced.

    Command Information

    Platforms License Command Mode

    All platforms Base operating system. Config mode on Mobility Master.


    aaa authentication stateful-ntlm

    aaa authentication stateful-ntlm
      clone
      default-role
      enable
      no
      server-group
      timeout

    Description

    This command configures stateful NTLM authentication.

    Syntax

    Parameter / Description / Range / Default

    clone
        Create a copy of an existing stateful NTLM profile. (Range: —; Default: —)

    default-role
        Select an existing role to assign to authenticated users. (Range: —; Default: guest)

    enable
        Enables the stateful NTLM authentication profile for clients. Use no enable to disable stateful NTLM authentication. (Range: —; Default: enabled)

    no
        Negates any configured parameter. (Range: —; Default: —)

    server-group
        Name of a server group. (Range: —; Default: default)

    timeout
        Amount of time, in seconds, before the request times out. (Range: 1-20 seconds; Default: 10 seconds)

    Usage Guidelines

    NTLM is a suite of Microsoft authentication and session security protocols. You can use a stateful NTLM authentication profile to configure a managed device to monitor the NTLM authentication messages between clients and an authentication server. The managed device can then use the information in the SMB headers to determine the username and IP address of the client, the server IP address and the current authentication status of the client. If the client successfully authenticates via an NTLM authentication server, the managed device can recognize that the client has been authenticated and assign that client a specified user role. When the user logs off or shuts down the client machine, the user will remain in the authenticated role until the user's authentication is aged out.

    The stateful NTLM authentication profile requires that you specify a server group which includes the servers performing NTLM authentication, and a default role to be assigned to authenticated users. For details on defining a Windows server used for NTLM authentication, see aaa authentication-server windows.

    Example

    The following example configures a stateful NTLM authentication profile that authenticates clients via the server group "Windows1". Users who are successfully authenticated are assigned the "guest2" role.

    (host) ^[md] (config) #aaa authentication stateful-ntlm ntlm1
    (host) ^[md] (Stateful NTLM Authentication Profile "ntlm1") #default-role guest2
    (host) ^[md] (Stateful NTLM Authentication Profile "ntlm1") #server-group Windows1

    Command History

    Release Modification

    ArubaOS 8.0.0.0 Command introduced.

    Command Information

    Platforms License Command Mode

    All platforms Base operating system. Config mode on Mobility Master.


    aaa authentication via auth-profile

    aaa authentication via auth-profile
      auth-protocol {mschapv2|pap}
      cert-cn-lookup
      client-cert-enable
      clone
      default-role
      desc
      max-authentication-failures
      no
      pan-integration
      radius-accounting
      rfc-3576-server
      server-group

    Description

    This command configures the VIA authentication profile.

    Syntax

    Parameter / Description / Default

    auth-protocol {mschapv2|pap}
        Authentication protocol support for VIA authentication; MSCHAPv2 or PAP. (Default: PAP)

    cert-cn-lookup
        Check certificate CN against AAA server. (Default: Enabled)

    client-cert-enable
        If selected, this option enables client certificate-based authentication for VPN profile download. (Default: Disabled)

    clone
        Name of an existing profile from which configuration values are copied.

    default-role
        Name of the default VIA authentication profile.

    desc
        Description of this profile for reference. (Default: —)

    max-authentication-failures
        Number of times VIA will prompt the user to log in due to incorrect credentials. After the maximum number of failed authentication attempts, VIA will exit. (Default: 0)

    pan-integration
        Requires IP mapping at Palo Alto Network. (Default: —)

    radius-accounting
        Server group for RADIUS accounting. (Default: —)

    rfc-3576-server
        Configures the RFC 3576 server. (Default: —)

    server-group
        Server group against which the user is authenticated.

    Usage Guidelines

    Use this command to create VIA authentication profiles and associate user roles with the authentication profile.


    Example

    (host) [md] (config) #aaa authentication via auth-profile default
    (host) [md] (VIA Authentication Profile "default") #auth-protocol mschapv2
    (host) [md] (VIA Authentication Profile "default") #default-role example-via-role
    (host) [md] (VIA Authentication Profile "default") #desc "Default VIA Authentication Profile"
    (host) [md] (VIA Authentication Profile "default") #server-group "via-server-group"

    Command History

    Release Modification

    ArubaOS 8.0.0.0 Command introduced.

    Command Information

    Platforms License Command Mode

    All platforms Base operating system. Config mode on Mobility Master.


    aaa authentication via connection-profile

    aaa authentication via connection-profile
      admin-logoff-script
      admin-logon-script
      allow-user-disconnect
      allow-whitelist-traffic
      auth-profile
      auth_domain_suffix
      auto-launch-supplicant
      auto-login
      auto-upgrade
      banner-message-reappear-timeout
      block-dest-traffic
      block-destination-traffic-selector
      certificate-criteria
      client-logging
      client-netmask
      client-wlan-profile position
      clone
      controllers-load-balance
      csec-gateway-url
      csec-http-ports
      dn-profile
      dns-suffix-list
      domain-pre-connect
      DPC-generate-profile
      enable-csec
      enable-fips
      enable-supplicant
      ext-download-url
      ike-policy
      ikev2-policy
      ikev2-proto
      ikev2auth
      ipsec-cryptomap map number
      ipsecv2-cryptomap
      l2-forwarding
      lockdown-all-settings
      max-reconnect-attempts
      max-timeout
      minimized
      no
      ocsp-responder
      save-passwords
      server
      split-tunneling
      suiteb-crypto
      support-email
      tos-dscp {0-63}
      tunnel
      user-idle-timeout
      validate-server-cert
      whitelist
      windows-credentials

    Description

    This command configures the VIA connection profile.


    Syntax

    Parameter / Description / Default

    admin-logoff-script
        Enables VIA logoff script. (Default: Disabled)

    admin-logon-script
        Enables VIA logon script. (Default: Disabled)

    allow-user-disconnect
        Enable or disable users to disconnect their VIA sessions. (Default: Enabled)

    allow-whitelist-traffic
        If enabled, this feature will block network access until the VIA VPN connection is established. (Default: Disabled)

    auth-profile
        This is the list of VIA authentication profiles that will be displayed to users in the VIA client.

    auth_domain_suffix
        Enables a domain suffix on VIA authentication, so client credentials are sent as domainname\username instead of just username.

    auto-launch-supplicant
        Allows you to connect automatically to a configured WLAN network. (Default: Disabled)

    auto-login
        Enable or disable the VIA client to auto login and establish a secure connection to the managed device. (Default: Enabled)

    auto-upgrade
        Enable or disable the VIA client to automatically upgrade when an updated version of the client is available on the managed device. (Default: Enabled)

    banner-message-reappear-timeout
        Timeout value, in minutes, after which the user session will end and the VIA Login banner message reappears. (Default: 1440 minutes)

    block-destination-traffic-selector-ON
        Turn ON the feature to block destination traffic.

    block-dest-traffic-address
        Destination traffic selector. (Default: —)

    certificate-criteria
        Allows admin users to filter the certificates that can be used to establish the IPsec connection when a user certificate or EAP-TLS is used as the authentication method. Use the following certificate attributes or OIDs to set the certificate criteria:
        - commonName (OID 2.5.4.3)
        - organizationalUnitName (OID 2.5.4.11)
        - organizationName (OID 2.5.4.10)
        - subjectAltName (OID 2.5.29.17)
        - certificateIssuer (OID 2.5.29.29)
        - userPrincipalName (OID 1.3.6.1.4.1.311.