ArubaOS 6.3.x Command-Line Interface Reference Guide

0511500-00v4 | October 2013

Copyright Information

© 2013 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Networks Must Follow, RFProtect, Green Island. All rights reserved. All other trademarks are the property of their respective owners.

Open Source Code

Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg et al. The Open Source code used can be found at this site:

http://www.arubanetworks.com/open_source

Legal Notice

The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors' VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.

Warranty

This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS.

Altering this device (such as painting it) voids the warranty.

ArubaOS 6.3.x | Reference Guide    The ArubaOS Command-Line Interface | 3

The ArubaOS Command-Line Interface

The ArubaOS 6.3 command-line interface (CLI) allows you to configure and manage your controllers. The CLI is accessible from a local console connected to the serial port on the controllers or through a Telnet or Secure Shell (SSH) session from a remote management console or workstation.

Telnet access is disabled by default. To enable Telnet access, enter the telnet CLI command from a serial connection or an SSH session, or in the WebUI navigate to the Configuration > Management > General page.

What's New In ArubaOS 6.3.1.x

New Commands

The following commands are introduced in the ArubaOS 6.3.1.0 command-line interface.

mgmt-server profile: Use this command to configure a management server profile on the controller for an AirWave management server or for an Analytics and Location Engine that should receive Advanced Monitoring (AMON) protocol messages filtered based on the profile settings.

show ap debug lacp: Use this command to determine whether LACP is active on an AP from the number of GRE packets sent and received on the two Ethernet ports.

Modified Commands

The following commands are modified in ArubaOS 6.3.1.2.

aaa authentication dot1x: The delete-keycache parameter was introduced. When enabled, this feature deletes the key cache entry when the user entry is deleted.

The following commands are modified in ArubaOS 6.3.1.0.

aaa authentication vpn: The export-route parameter was introduced. It lets you export a VPN IP address as a route to the external world.

ap system-profile: The gre-striping-ip parameter is introduced.

mgmt-server type: The xc parameter is changed to ale, and a new profile parameter is introduced for AMON message filtering.

show ip ospf: The output of this command shows the link-state advertisement (LSA) types that are generated.

show mgmt-server: The profile parameter was introduced.

show mgmt-servers: A management server configuration profile column is included in the output of this command.

web-server: Under the web-lync-listen-port parameter, the following two parameters are introduced: http and https.

What's New In ArubaOS 6.3.0.0

New Commands

The following commands are introduced in the ArubaOS 6.3.0.0 command-line interface.

aaa log: 6000, 3600, and 7200 Series controllers support per-user log files for AAA events. By default, logging is always enabled. Issue the no aaa log command to disable per-user logging and re-enable it again using the command aaa log.

activate whitelist download: This command synchronizes the remote AP whitelist on the controller with the Activate whitelist database.

activate-service-whitelist: This command configures the profile that allows the controller to integrate with the Activate cloud-based services.

airgroup: Use this command to configure AirGroup on the controller.

airgroupservice: This command defines an AirGroup service on the controller.

ap debug advanced-stats: Issue this command under the supervision of Aruba technical support to enable the collection and display of advanced AP debugging information.

ap debug client-trace start: Use this command to trace management packets from a client MAC address.

ap debug client-trace stop: Use this command to stop tracing management packets from a client MAC address.

ap debug dot11r remove-key: Use this command to remove an r1 key from an AP when the AP does not have a cached r1 key during Fast BSS Transition roaming.

ap image image-preload: The AP image preload feature minimizes the downtime required for a controller upgrade by allowing the APs associated to a 3400, 3600, or M3 controller to download the new images before the controller actually starts running the new version.

app lync traffic-control: This command allows the controller to recognize and prioritize a specific type of Lync traffic in order to apply QoS through the Lync Application Layer Gateway (ALG).

perf-test: Use this command under the guidance of Aruba technical support to launch an Iperf throughput test between the controller and the AP.

crypto-local isakmp disable-aggressive-mode: Use this command to disable IKEv1 aggressive mode.

database synchronize: The parameter rf-plan-data is deprecated.

ha: This command configures the High Availability: Fast Failover feature by assigning controllers to a high-availability group, and defining the deployment role for each controller.

ifmap: This command is used in conjunction with ClearPass Policy Manager.

ipv6 dhcp pool: This command configures a DHCPv6 pool on the controller.

ipv6 radius: This command configures global parameters for configured IPv6 RADIUS servers.

location-server-feed: This command allows APs to send RSSI information to a location management server, which can use that information to compute the location of stations seen in the network.

show aaa debug vlan user: This command displays user VLAN derivation related debug information.

show airgroup: This command displays AirGroup global settings, domain, and active-domain configurations on the controller.

show airgroupservice: This command displays the service details of all AirGroup services in the controller.

show ap debug client-trace: Use this command to show counts of the different types of management data frames traced from a client MAC address.

show ap debug dot11r: This command displays all the r1 keys that are stored in an AP and the hit/miss rate of r1 keys cached on an AP before a Fast BSS Transition roaming.

show ap image-preload-status: Issue this command to display a list of APs in the AP image preload list, and monitor the download status of each AP.

show ap image-preload-status-summary: This command displays a status summary of APs using the image preload feature.

show ap vht-rates: Show very-high-throughput (VHT) rates for an AP that supports 802.11ac.

show app lync call-cdrs: This command displays the Call Detail Record (CDR) for prioritized Lync calls in the controller.

show app lync call-quality: This command displays the call quality information for Lync voice and video calls.

show app lync client-status: This command displays details of clients that are actively using Lync.

show app lync tracebuf: This command is used to record activities of Lync data, voice, and video clients. Up to 256 entries are recorded.

show app lync traffic-control: This command displays which types of Lync sessions are recognized and prioritized by the Lync ALG.

show perf-test reports: Use this command under the guidance of Aruba technical support to view the results of an Iperf throughput test.

show ipv6 mld proxy-group: This command displays the details of the MLD proxy group.

show ipv6 mld proxy-mobility-group: This command displays the details of the MLD proxy mobility group.

show ipv6 mld proxy-mobility-stats: This command displays the details of MLD proxy-mobility statistics.

show ipv6 mld proxy-stats: This command displays the status of the MLD proxy.

show ipv6 dhcp: This command displays the DHCPv6 server settings.

show license aggregate: Displays the license limits sent from centralized licensing clients to the licensing server.

show license client-table: Displays the centralized license limits applied to each licensing client.

show license heartbeat stats: Displays the license heartbeat statistics between the centralized licensing server and the license client.

show license profile: Displays the license profile to determine if centralized licensing is enabled on the controller.

show license server-table: Displays the centralized licensing license table as it appears on the licensing server.

show license server-redundancy: Displays information about a redundant server used by the centralized licensing feature.

show tunnel-group: Displays the operational status of the tunnel-groups configured on the controller.

show upgrade status: The output of this command shows the status of controllers using the centralized upgrade feature.

show upgrade configuration: The output of this command shows the current upgrade configuration, including profile settings, image files and targets.

show upgrade-profile: The settings in the centralized image upgrade profile allow the master controller to automatically upgrade its associated local controllers by sending an image from an image server to one or more local controllers.

show vlan-assignment-auth: Displays the VLAN IDs that are configured along with the current client count that uses each VLAN ID.

show whitelist-db rap: View detailed information for the remote AP whitelist database.

show whitelist-db rap-local-switch-list: Display the list of local controllers using the remote AP whitelist.

show whitelist-db rap-master-switch-list: Display the list of master controllers using the remote AP whitelist.

show whitelist-db rap-status: Display aggregate status information for APs in the remote AP whitelist.

show wlan dot11r-profile: Displays a list of all 802.11r profiles configured and their configuration details.

tunnel-group: This command creates a tunnel-group to group a set of tunnels.

upgrade: Verify that an image file is a valid image that can be distributed using the centralized image upgrade feature, and define a list of local controllers to be automatically upgraded.

upgrade-profile: The settings in this centralized image upgrade profile allow the master controller to automatically upgrade its associated local controllers by sending an image from an image server to one or more local controllers.

whitelist-db rap-local-switch-list: Delete a local controller from the local switch table used by the remote AP whitelist.

whitelist-db rap-master-switch-list: Delete a master controller from the master switch table used by the remote AP whitelist.

Modified Commands

The following commands are modified in ArubaOS 6.3.

aaa authentication captive-portal: The user-idle-timeout parameter is introduced.

aaa authentication via auth-profile: The auth-protocol parameter is introduced. A new authentication protocol, MSCHAPv2, is introduced for VIA authentication. Prior to this release only the PAP protocol was supported.

aaa authentication via connection-profile: The user-idle-timeout parameter is introduced.

aaa authentication vpn: The user-idle-timeout parameter is introduced.

aaa authentication-server radius: The mac-delimiter parameter is introduced. The enable-ipv6 and nas-ip6 parameters are introduced. You can now specify an IPv6 host address for the host parameter.

aaa authentication-server tacacs: IPv6 support is added for the TACACS server. You can now specify an IPv6 host address for the host parameter.

aaa profile: The user-idle-timeout parameter is introduced.

ap system-profile: The include-unassoc-sta and heartbeat-in parameters were introduced. The include-unassoc-sta parameter allows RTLS station reports to include information about clients not associated to any AP. The heartbeat-in parameter configures the frequency at which the AP sends heartbeats to the controller. The spanning-tree parameter is introduced. The ip parameters under the AeroScout server and RTLS server are modified to ip-or-dns.

ap wired-port-profile: The spanning-tree parameter is introduced.

crypto dynamic-map: The set security-association lifetime kilobytes and Diffie-Hellman group 14 parameters are introduced.

crypto isakmp policy: The Diffie-Hellman group 14 parameter is introduced.

crypto-local ipsec-map: The set security-association lifetime kilobytes and Diffie-Hellman group 14 parameters are introduced.

clear: The airgroup parameter is introduced. The dhcp binding parameter under IPv6 is introduced.

firewall: The disable-stateful-sips-processing parameter is introduced to configure the controller to read SIP signaling messages sent by Lync clients on port 5061. The enable-jumbo-frames parameter is added to enable jumbo frame functionality. The deny-source-routing parameter is introduced to disallow forwarding of IP frames with source routing options set. The following commands have been deprecated: session-mirror-destination ip-address, firewall session-mirror-ipsec.

firewall cp: The following parameters are introduced: ipv4, ipv6.

ids general-profile: The wired-containment-susp-l3-rogue parameter is introduced to support enhanced containment for suspected Layer-3 rogue APs.

ids unauthorized-device-profile: The following parameters are introduced to enable enhanced protection from wireless hosted networks and ad hoc networks: protect-adhoc-enhanced, detect-wireless-hosted-network, wireless-hosted-network-quiet-time, protect-wireless-hosted-network.

interface fastethernet | gigabitethernet: The jumbo parameter was added to enable or disable jumbo frame MTUs configured on a port.

interface port-channel: The jumbo parameter was added to enable or disable jumbo frame MTUs configured on a port channel.

interface vlan: The proxy parameter was introduced to enable MLD proxy in a VLAN.

interface vlan ipv6: The dhcp server parameter is introduced.

ip access-list session: The any tcp source parameter is introduced.

ip mobile proxy: The following parameters are deprecated: block-dhcp-release, dhcp aggressive-transaction, dhcp ignore-options, dhcp max-requests, dhcp transaction-hold, dhcp transaction-timeout, stand-alone-AP.

logging level: A new subcategory, amon, is added to the logging level command to account for AMON-related logging messages. A new process, mdns, is added to view mDNS debug messages.

license: The following commands are introduced to support the centralized licensing feature: profile centralized-licensing-enable, server-ip, server-redundancy {license-vrrp }|[peer-ip-address }.

mgmt-server type: The xc parameter was added, allowing the controller to associate to a location management server.

packet-capture: The following parameters are added to provide more packet capture options to enhance debugging: controlpath; datapath ipsec and datapath wifi-client; copy-to-flash; reset-pcap; no (which has replaced disable). Additionally, the following parameters are moved under the controlpath parameter: interprocess, other, sysmsg, tcp, udp.

ping: The following parameters are added to provide additional refinement to the ping tool: count, df-flag, packet-size, source.

provision-ap, ap provisioning-profile: These commands include the cellular_nw_preference 3g-only|4g-only|advanced|auto parameters to configure a 3G/4G multimode USB modem. The sierrausbnet parameter is introduced to support the Sierra Direct IP Driver for 4G devices.

rf arm-profile: The 80MHz support parameter is introduced to support 802.11ac APs. The aggressive-scanning, channel-quality-aware, channel-quality-threshold and channel-quality-wait-time parameters were introduced, and the noise-wait-time and noise-threshold parameters were deprecated. The following parameters are introduced to support the ARM client match feature and Very High Throughput (VHT) 802.11ac APs: cm-blist-timeout, cm-lb-client-thresh, cm-lb-snr-thresh, cm-lb-thresh, cm-max-steer-fails, cm-stale-age, cm-sticky-check_intvl, cm-sticky-check_snr, cm-sticky-min-signal, cm-sticky-snr-thresh, cm-update-interval, very-high-throughput-enable.

rf dot11a-radio-profile, rf dot11g-radio-profile: The very-high-throughput-enable parameter is introduced to enable or disable support for Very High Throughput (802.11ac) on the radio.

router ospf: The aggregate-route and rapng-vpn parameters were introduced.

service: The dhcpv6 command was introduced.

show ap arm rf-summary: A new column, util(Qual), is added to the output to indicate the channel quality.

show ap monitor debug: The following parameters are added to the RTLS configuration and State table: Rpt-Tags, Tag-Mcast-Addr, Tags-Sent, Rpt-Sta, Incl-Unassoc-Sta, Sta-Sent.

show ap debug port status: A new column, STP, displays the spanning tree state of the wired port.

show ap port status: A new column, STP, displays the spanning tree state of the wired port.

show audit-trail: The login parameter has been added.

show boot: The history parameter has been added.

show configuration: A new parameter, diff, has been added to display the list of successfully executed configuration commands since the last write memory operation.

show crypto-local ipsec-map: A new parameter, Security association lifetime kilobytes, is displayed.

show crypto-local isakmp: The disable-aggressive-mode parameter is added to indicate whether this mode is enabled or disabled.

show datapath: The following parameters are introduced: amsdu, mobility, tunnel-group. The output of the bridge ap-name parameter displays a new flag, b (blocked by STP).

show firewall: The output of this command is extended to include the global jumbo frame status.

show iap table: The long parameter is introduced to display the branches connected to the controller in detailed view.

show interface gigabitethernet: The output of this command is extended to include the Jumbo Frame status on a port.

show interface port-channel: The output of this command is extended to include the Jumbo Frame status on a port channel.

show ip dhcp: The output of the statistics command is extended to display more details such as DHCPv6 server statistics.

show ip mobile: The multicast-vlan-table parameter is introduced.

show ip ospf: The redistribute and rapng-vpn aggregate-routes parameters were introduced.

show ip route: The counters parameter is introduced.

show ipv6 route: The counters parameter is introduced.

show ipv6 user-table: The optional log parameter is introduced to display log files for events triggered by a specific user.

show license-usage: The client parameter is added to display license usage by centralized licensing clients.

show mgmt-server: The wms process is introduced to track the Advanced Monitoring (AMON) message counters.

show packet-capture: The controlpath-pcap and datapath-pcap parameters are added.

show rf arm-profile: The channel quality configuration parameters were added to the output.

show voice call-cdrs: Using the detail parameter now displays the following additional fields: Call Type, Src port, Dest port, DSCP, WMM AC. Under the proto parameter, the lync protocol is introduced. Using the cid parameter now displays Handoff Notification for the Lync client moving from one AP to another for the specific CDR.

show voice client-status: Under the proto parameter, the lync protocol is introduced. The b (Best Effort) flag is introduced. Using the ip or mac parameter now displays Handoff Notification for the Lync client moving from one AP to another.

show voice msg-stats: The lync parameter is introduced.

show voice real-time-analysis: A new column, Forward mode, is introduced in the output of the command.

show voice trace: The lync parameter is introduced.

show voice call-density: Under the proto parameter, the lync protocol is introduced.

show voice call-perf: Under the proto parameter, the lync protocol is introduced.

show voice call-quality: Under the proto parameter, the lync protocol is introduced.

show voice call-stats: Under the proto parameter, the lync protocol is introduced.

show web-server: The output of this command displays the status of WebUI access on HTTPS port 443 and the Web Lync Listen Port.

web-server: The following parameters are introduced: web-https-port-443, web-lync-listen-port.

wlan ht-ssid-profile: The following parameters are introduced to support Very High Throughput (VHT) features on 802.11ac-enabled APs: 80-MHz-enable, very-high-throughput-enable, vht-supported-mcs-map, vht-txbf-explicit-enable, vht-txbf-sounding-interval.

wlan traffic-management-profile: The enforcement hard parameter is introduced to set a hard limit on Over the Air (OTA) bandwidth for a specific Service Set Identifier (SSID). With a hard limit, an SSID cannot consume more than its allocation even when unused bandwidth is available from other SSIDs. You can limit the bandwidth allocation to low priority SSIDs and allot the bandwidth to other high priority SSIDs.

Deprecated Commands

The following commands were deprecated in ArubaOS 6.3.x:

vlan-name: The pool parameter is deprecated.

About this Guide

This guide describes the ArubaOS 6.3.x command syntax. The commands in this guide are listed alphabetically.

The following information is provided for each command:

• Command Syntax: The complete syntax of the command.
• Description: A brief description of the command.
• Syntax: A description of the command parameters, including license requirements for specific parameters if needed. The applicable ranges and default values, if any, are also included.
• Usage Guidelines: Information to help you use the command, including prerequisites, prohibitions, and related commands.
• Example: An example of how to use the command.
• Command History: The version of ArubaOS in which the command was first introduced. Modifications and changes to the command are also noted.
• Command Information: This table describes any licensing requirements, command modes and platforms for which this command is applicable. For more information about available licenses, see the Licenses chapter of the ArubaOS 6.3.x User Guide.

Connecting to the Controller

This section describes how to connect to the controller to use the CLI.

Serial Port Connection

The serial port is located on the front panel of the controller. Connect a terminal or PC/workstation running a terminal emulation program to the serial port on the controller to use the CLI. Configure your terminal or terminal emulation program to use the following communication settings.

Baud Rate: 9600
Data Bits: 8
Parity: None
Stop Bits: 1
Flow Control: None

The Aruba 7200 Series controller supports baud rates between 9600 and 115200.

Telnet or SSH Connection

Telnet or SSH access requires that you configure an IP address and a default gateway on the controller and connect the controller to your network. This is typically performed when you run the Initial Setup on the controller, as described in the ArubaOS 6.3.x Quick Start Guide. In certain deployments, you can also configure a loopback address for the controller; see interface loopback on page 356 for more information.

Configuration Changes on Master Controllers

Some commands can only be issued when connected to a master controller. If you make a configuration change on a master controller, all connected local controllers will subsequently update their configurations as well. You can manually synchronize all of the controllers at any time by saving the configuration on the master controller.

CLI Access

When you connect to the controller using the CLI, the system displays its host name followed by the login prompt. Log in using the admin user account and the password you entered during the Initial Setup on the controller (the password displays as asterisks). For example:

(host)
User: admin
Password: *****

When you are logged in, the user mode CLI prompt displays. For example:

(host) >

User mode provides only limited access for basic operational testing such as running ping and traceroute.

Certain management functions are available in enable (also called privileged) mode. To move from user mode to enable mode requires you to enter an additional password that you entered during the Initial Setup (the password displays as asterisks). For example:

(host) > enable
Password: ******

When you are in enable mode, the > prompt changes to a pound sign (#):

(host) #

Configuration commands are available in config mode. Move from enable mode to config mode by entering configure terminal at the # prompt:

(host) # configure terminal
Enter Configuration commands, one per line. End with CNTL/Z

When you are in basic config mode, (config) appears before the # prompt:

(host) (config) #

There are several other sub-command modes that allow users to configure individual interfaces, subinterfaces, loopback addresses, GRE tunnels and cellular profiles. For details on the prompts and the available commands for each of these modes, see Appendix A: Command Modes on page 1750.

Command Help

You can use the question mark (?) to view various types of command help.

When typed at the beginning of a line, the question mark lists all the commands available in your current mode or sub-mode. A brief explanation follows each command. For example:

(host) > ?
enable      Turn on Privileged commands
logout      Exit this session. Any unsaved changes are lost.
ping        Send ICMP echo packets to a specified IP address.
traceroute  Trace route to specified IP address.

When typed at the end of a possible command or abbreviation, the question mark lists the commands that match (if any). For example:

(host) > c?
clear      Clear configuration
clock      Configure the system clock
configure  Configuration Commands
copy       Copy Files

If more than one item is shown, type more of the keyword characters to distinguish your choice. However, if only one item is listed, the keyword or abbreviation is valid and you can press tab or the spacebar to advance to the next keyword.

When typed in place of a parameter, the question mark lists the available options. For example:

(host) # write ?
erase     Erase and start from scratch
file      Write to a file in the file system
memory    Write to memory
terminal  Write to terminal
<cr>

The <cr> indicates that the command can be entered without additional parameters. Any other parameters are optional.

Command Completion

To make command input easier, you can usually abbreviate each keyword in the command. You need type only enough of each keyword to distinguish it from similar commands. For example:

(host) # configure terminal

could also be entered as:

(host) # con t

Three characters (con) represent the shortest abbreviation allowed for configure. Typing only c or co would not work because there are other commands (like copy) which also begin with those letters. The configure command is the only one that begins with con.

As you type, you can press the spacebar or tab to move to the next keyword. The system then attempts to expand the abbreviation for you. If there is only one command keyword that matches the abbreviation, it is filled in for you automatically. If the abbreviation is too vague (too few characters), the cursor does not advance and you must type more characters or use the help feature to list the matching commands.
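The "?" help and abbreviation behaviour described above, modelled in Python as an added example (not code from the guide or from Aruba). The command table is constructed from the sample "?" listings above, so the shortest abbreviations it derives hold only for that table; a real controller exposes many more keywords.

```python
# Added example, not from the ArubaOS guide: models the CLI's prefix-based
# keyword resolution and '?' listings over a constructed command table.
# COMMANDS is built from the guide's sample '?' and 'c?' output; it is not
# the controller's full keyword set.

COMMANDS = {
    "clear": "Clear configuration",
    "clock": "Configure the system clock",
    "configure": "Configuration Commands",
    "copy": "Copy Files",
    "enable": "Turn on Privileged commands",
    "logout": "Exit this session. Any unsaved changes are lost.",
    "ping": "Send ICMP echo packets to a specified IP address.",
    "traceroute": "Trace route to specified IP address.",
}


def matches(prefix, commands=COMMANDS):
    """Keywords beginning with prefix: what '<prefix>?' would list."""
    return sorted(k for k in commands if k.startswith(prefix))


def resolve(abbrev, commands=COMMANDS):
    """Expand an abbreviation the way tab/space does.

    Returns the full keyword when exactly one command matches, or None when
    the abbreviation is ambiguous or unknown (the cursor would not advance).
    An exact keyword always wins, even if it is a prefix of another keyword.
    """
    if abbrev in commands:
        return abbrev
    found = matches(abbrev, commands)
    return found[0] if len(found) == 1 else None


def shortest_abbreviation(keyword, commands=COMMANDS):
    """Shortest prefix that identifies keyword uniquely within the table."""
    for n in range(1, len(keyword) + 1):
        if resolve(keyword[:n], commands) == keyword:
            return keyword[:n]
    return keyword


def help_listing(prefix, commands=COMMANDS):
    """Render the two-column listing the CLI prints for '<prefix>?'."""
    found = matches(prefix, commands)
    width = max((len(k) for k in found), default=0)
    return "\n".join(f"{k.ljust(width)}  {commands[k]}" for k in found)


def expand_line(line, commands=COMMANDS):
    """Expand the leading keyword of a line, e.g. 'con t' -> 'configure t'.

    Only the first keyword is resolved: the constructed table covers
    top-level keywords, and each sub-keyword would need its own table.
    """
    parts = line.split()
    if not parts:
        return line
    full = resolve(parts[0], commands)
    if full is None:
        raise ValueError(f"ambiguous or unknown keyword: {parts[0]!r}")
    return " ".join([full] + parts[1:])


if __name__ == "__main__":
    print(help_listing("c"))
    print(expand_line("con t"))
    for k in COMMANDS:
        print(f"{k:<12} shortest abbreviation: {shortest_abbreviation(k)}")
```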

Deleting Configuration Settings

Use the no command to delete or negate previously-entered configurations or parameters.

• To view a list of no commands, type no at the enable or config prompt followed by the question mark. For example:
  (host) (config) # no?

• To delete a configuration, use the no form of a configuration command. For example, the following command removes a configured user role:
  (host) (config) # no user-role

• To negate a specific configured parameter, use the no parameter within the command. For example, the following commands delete the DSCP priority map for a priority map configuration:
  (host) (config) # priority-map
  (host) (config-priority-map) # no dscp priority high

    ArubaOS6.3.x | ReferenceGuide The ArubaOSCommand-Line Interface | 15

  • 16 | The ArubaOSCommand-Line Interface ArubaOS6.3.x| ReferenceGuide

Saving Configuration Changes

Each Aruba controller contains two different types of configuration images.

- The running-config holds the current controller configuration, including all pending changes which have yet to be saved. To view the running-config, use the following command:

    (host) # show running-config

- The startup-config holds the configuration which will be used the next time the controller is rebooted. It contains all the options last saved using the write memory command. To view the startup-config, use the following command:

    (host) # show startup-config

When you make configuration changes via the CLI, those changes affect the current running configuration only. If the changes are not saved, they are lost after the controller reboots. To save your configuration changes so they are retained in the startup configuration after the controller reboots, use the following command in enable mode:

    (host) # write memory
    Saving Configuration...
    Saved Configuration

Both the startup and running configurations can also be saved to a file or sent to a TFTP server for backup or transfer to another system.
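The difference between the running and startup configurations is also a useful check during a review or an incident: any statement present in the running-config but absent from the startup-config was changed on the live controller and never saved, which is either pending work or a modification nobody intended to persist. The following Python script is an added example, not code from the ArubaOS guide or from Aruba. It compares captured show running-config and show startup-config output. The two configurations embedded in it are constructed, abbreviated samples in the shape of ArubaOS output; the role and profile names in them are invented for the illustration.

```python
"""Unsaved-change check for an ArubaOS controller.

Added example; not code from the ArubaOS guide. Compares captured
`show running-config` and `show startup-config` text and reports every
statement that differs, so live changes that a reboot would discard are
visible. Both configurations below are constructed samples.
"""

# Constructed: the configuration last saved with `write memory`.
STARTUP_CONFIG = """\
version 6.3
hostname host
user-role authenticated
   session-acl allowall
!
aaa authentication mac "mac-blacklist"
   max-authentication-failures 3
!
"""

# Constructed: the live configuration after someone added a role and
# disabled MAC-auth blacklisting without running `write memory`.
RUNNING_CONFIG = """\
version 6.3
hostname host
user-role authenticated
   session-acl allowall
!
user-role backdoor
   session-acl allowall
!
aaa authentication mac "mac-blacklist"
   max-authentication-failures 0
!
"""


def flatten(config_text):
    """Turn indented ArubaOS config into fully qualified statements.

    Indented lines belong to the preceding top-level statement (a profile,
    role, or interface), so each one is prefixed with that parent. A plain
    set difference on raw lines would not do: "session-acl allowall" appears
    under two different roles in the sample and only one of them is new.
    """
    statements, parent = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue  # blank lines and '!' block separators carry no setting
        if line[0].isspace() and parent:
            statements.append(f"{parent} / {line.strip()}")
        else:
            parent = line.strip()
            statements.append(parent)
    return statements


def unsaved_changes(running_text, startup_text):
    """Return (added, removed): statements only in running / only in startup."""
    running, startup = flatten(running_text), flatten(startup_text)
    running_set, startup_set = set(running), set(startup)
    added = [s for s in running if s not in startup_set]
    removed = [s for s in startup if s not in running_set]
    return added, removed


if __name__ == "__main__":
    added, removed = unsaved_changes(RUNNING_CONFIG, STARTUP_CONFIG)
    print("In running-config but not saved:")
    for statement in added:
        print("  +", statement)
    print("Saved but no longer in running-config:")
    for statement in removed:
        print("  -", statement)
```

Run it against real captures by replacing the two sample strings with the output of the two show commands. Because each sub-mode line is qualified with its parent statement, the report says which role or profile a changed line belongs to, not just that a line changed.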

Commands That Reset the Controller or AP

If you use the CLI to modify a currently provisioned and running radio profile, those changes take place immediately; you do not need to reboot the controller or the AP for the changes to affect the current running configuration. Certain commands, however, automatically force the controller or AP to reboot. Consider current network loads and conditions before issuing these commands, as they may cause a momentary disruption in service while the unit resets. Note also that changing the lms-ip parameter in an AP system profile associated with an AP group will cause all APs in that AP group to reboot.

Commands that Reset an AP:

- ap-regroup
- ap-rename
- apboot
- provision-ap
- ap wired-ap-profile <profile> forward-mode {bridge|split-tunnel|tunnel}
- wlan virtual-ap <profile> {aaa-profile <profile>|forward-mode {tunnel|bridge|split-tunnel|decrypt-tunnel}|ssid-profile <profile>|vlan <vlan> ...}
- ap system-profile <profile> {bootstrap-threshold <number>|lms-ip <ipaddr>|...}
- wlan ssid-profile <profile> {battery-boost|deny-bcast|essid|opmode|strict-svp|wepkey1|wepkey2|wepkey3|wepkey4|weptxkey|wmm|wmm-be-dscp|wmm-bk-dscp|wmm-ts-min-inact-int|wmm-vi-dscp|wmm-vo-dscp|wpa-hexkey|wpa-passphrase}
- wlan dot11k <profile> {bcn-measurement-mode|dot11k-enable|force-disassoc}

Commands that Reset a Controller:

- reload

Table 1: Reset Commands

Typographic Conventions

The following conventions are used throughout this manual to emphasize important concepts:

Italics
    This style is used to emphasize important terms and to mark the titles of books.

Boldface
    This style is used to emphasize command names and parameter options when mentioned in the text.

Commands
    This fixed-width font depicts command syntax and examples of commands and command output.

<Angle brackets>
    In the command syntax, text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example:

        ping <ipaddr>

    In this example, you would type ping at the system prompt exactly as shown, followed by the IP address of the system to which ICMP echo packets are to be sent. Do not type the angle brackets.

[square brackets]
    In the command syntax, items enclosed in brackets are optional. Do not type the brackets.

{Item_A|Item_B}
    In the command examples, single items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.

{ap-name <ap-name>}|{ipaddr <ipaddr>}
    Two items within curled braces indicate that both parameters must be entered together. If two or more sets of curled braces are separated by a vertical bar, as in this example, enter only one choice. Do not type the braces or bars.

Table 2: Text Conventions

Command Line Editing

The system records your most recently entered commands. You can review the history of your actions, or reissue a recent command easily, without having to retype it.

To view items in the command history, use the up arrow key to move back through the list and the down arrow key to move forward. To reissue a specific command, press Enter when the command appears in the command history. You can even use the command line editing feature to make changes to the command prior to entering it. The command line editing feature allows you to make corrections or changes to a command without retyping. Table 3 lists the editing controls. To use key shortcuts, press and hold the Ctrl key while you press a letter key.


Key                         Effect         Description
Ctrl A                      Home           Move the cursor to the beginning of the line.
Ctrl B or the left arrow    Back           Move the cursor one character left.
Ctrl D                      Delete Right   Delete the character to the right of the cursor.
Ctrl E                      End            Move the cursor to the end of the line.
Ctrl F or the right arrow   Forward        Move the cursor one character right.
Ctrl K                      Delete Right   Delete all characters to the right of the cursor.
Ctrl N or the down arrow    Next           Display the next command in the command history.
Ctrl P or the up arrow      Previous       Display the previous command in the command history.
Ctrl T                      Transpose      Swap the character to the left of the cursor with the character to the right of the cursor.
Ctrl U                      Clear          Clear the line.
Ctrl W                      Delete Word    Delete the characters from the cursor up to and including the first space encountered.
Ctrl X                      Delete Left    Delete all characters to the left of the cursor.

Table 3: Line Editing Keys

Specifying Addresses and Identifiers in Commands

This section describes addresses and other identifiers that you can reference in CLI commands.

IP address
    For any command that requires entry of an IP address to specify a network entity, use IPv4 network address format in conventional dotted decimal notation (for example, 10.4.1.25). Each of the four octets must be in the range 0-255.

Netmask address
    For subnet addresses, specify a netmask in dotted decimal notation (for example, 255.255.255.0).

Media Access Control (MAC) address
    For any command that requires entry of a device's hardware address, use the hexadecimal format (for example, 00:05:4e:50:14:aa).

Service Set Identifier (SSID)
    A unique character string (sometimes referred to as a network name), consisting of no more than 32 characters. The SSID is case-sensitive (for example, WLAN-01).

Basic Service Set Identifier (BSSID)
    This entry is the unique hardware MAC address of the AP radio. A unique BSSID applies to each radio (802.11a and 802.11g) used from the AP. Use the same format as for a MAC address.

Extended Service Set Identifier (ESSID)
    Typically the unique logical name of a wireless network. If the ESSID includes spaces, you must enclose the name in quotation marks.

Fast Ethernet or Gigabit Ethernet interface
    Any command that references a Fast Ethernet or Gigabit Ethernet interface requires that you specify the corresponding port on the controller in the format <slot>/<port>.

    <slot> is always 1, except when referring to interfaces on the 6000 controller. For the 6000 controller, the four slots are allocated as follows:
    - Slot 0: Contains an Aruba Multi-Service Mobility Module Mark I.
    - Slot 1: Contains an Aruba Multi-Service Mobility Module Mark I.
    - Slot 2: Contains an Aruba Multi-Service Mobility Module Mark I.
    - Slot 3: Can contain either an Aruba Multi-Service Mobility Module Mark I or a line card.

    <port> refers to the network interfaces that are embedded in the front panel of the 3000 Series controller, Aruba Multi-Service Mobility Module Mark I, or a line card installed in the 6000 controller. Port numbers start at 0 from the left-most position. Use the show port status command to obtain the interface information currently available from a controller.

Table 4: Addresses and Identifiers

Contacting Aruba Networks

Website Support

Main Site: http://www.arubanetworks.com
Support Site: https://support.arubanetworks.com
Airheads Social Forums and Knowledge Base: http://community.arubanetworks.com
North American Telephone: 1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephone: http://www.arubanetworks.com/support-services/aruba-support-program/contact-support/

Support Email Addresses

Americas and APAC: [email protected]
EMEA: [email protected]
Wireless Security Incident Response Team (WSIRT): [email protected]

Table 5: Contact Information

aaa authentication captive-portal

aaa authentication captive-portal <profile>
   auth-protocol mschapv2|pap|chap
   black-list <black-list>
   clone <source-profile>
   default-guest-role <role>
   default-role <role>
   enable-welcome-page
   guest-logon
   ip-addr-in-redirection
   login-page <url>
   logon-wait {cpu-threshold <percent>}|{maximum-delay <seconds>}|{minimum-delay <seconds>}
   logout-popup-window
   max-authentication-failures <number>
   no ...
   protocol-http
   proxy host <ipaddr> port <port>
   redirect-pause <seconds>
   redirect-url <url>
   server-group <group-name>
   show-acceptable-use-policy
   show-fqdn
   single-session
   switchip-in-redirection-url
   user-idle-timeout <seconds>
   user-logon
   user-vlan-in-redirection-url
   welcome-page <url>
   white-list <white-list>

Description

This command configures a Captive Portal authentication profile.

Syntax

<profile>
    Name that identifies an instance of the profile. The name must be 1-63 characters.
    Default: default

auth-protocol mschapv2|pap|chap
    The type of authentication required by this profile. PAP is the default authentication type.
    Range: mschapv2, pap, chap
    Default: pap

black-list <black-list>
    Name of an existing black list on an IPv4 or IPv6 network destination. The black list contains websites (unauthenticated) that a guest cannot access. Specify a netdestination host or subnet to add that netdestination to the captive portal blacklist. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the blacklist.

clone <source-profile>
    Name of an existing Captive Portal profile from which parameter values are copied.

default-guest-role <role>
    Role assigned to guests.
    Default: guest

default-role <role>
    Role assigned to the Captive Portal user when that user logs in. When both user and guest logons are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role.
    Default: guest

enable-welcome-page
    Displays the configured welcome page before the user is redirected to their original URL. If this option is disabled, redirection to the web URL happens immediately after the user logs in.
    Range: enabled/disabled
    Default: enabled

guest-logon
    Enables Captive Portal logon without authentication.
    Range: enabled/disabled
    Default: disabled

login-page <url>
    URL of the page that appears for the user logon. This can be set to any URL.
    Default: /auth/index.html

logon-wait {cpu-threshold <percent>}|{maximum-delay <seconds>}|{minimum-delay <seconds>}
    Configure parameters for the logon wait interval.

    cpu-threshold <percent>
        CPU utilization percentage above which the logon wait interval is applied when presenting the user with the logon page.
        Range: 1-100
        Default: 60%

    maximum-delay <seconds>
        Maximum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the logon wait CPU utilization threshold parameter.
        Range: 1-10
        Default: 10 seconds

    minimum-delay <seconds>
        Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the logon wait CPU utilization threshold parameter.
        Range: 1-10
        Default: 5 seconds

logout-popup-window
    Enables a pop-up window with the Logout link that allows the user to log out. If this option is disabled, the user remains logged in until the user timeout period has elapsed or the station reloads.
    Range: enabled/disabled
    Default: enabled

max-authentication-failures <number>
    Maximum number of authentication failures before the user is blacklisted. With the default of 0, failed logons never trigger blacklisting.
    Range: 0-10
    Default: 0

no ...
    Negates any configured parameter.

protocol-http
    Use HTTP protocol on redirection to the Captive Portal page. If you use this option, modify the captive portal policy to allow HTTP traffic. Note that with HTTP the logon page, and any credentials entered into it, travel in clear text.
    Range: enabled/disabled
    Default: disabled (HTTPS is used)

redirect-pause <seconds>
    Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link.
    Range: 1-60
    Default: 10 seconds

redirect-url <url>
    URL to which an authenticated user will be directed. This parameter must be an absolute URL that begins with either http:// or https://.

server-group <group-name>
    Name of the group of servers used to authenticate Captive Portal users. See aaa server-group on page 92.

show-acceptable-use-policy
    Show the acceptable use policy page before the logon page.
    Range: enabled/disabled
    Default: disabled

show-fqdn
    Allows the user to see and select the fully-qualified domain name (FQDN) on the login page. The FQDNs shown are specified when configuring individual servers for the server group used with captive portal authentication.
    Range: enabled/disabled
    Default: disabled

single-session
    Allows only one active user session at a time.
    Default: disabled

switchip-in-redirection-url
    Sends the controller's interface IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the controller from which a request originated by parsing the switchip variable in the URL. This parameter requires the Public Access license.
    Range: enabled/disabled
    Default: disabled

user-idle-timeout <seconds>
    The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.
    Default: disabled

user-logon
    Enables Captive Portal with authentication of user credentials.
    Range: enabled/disabled
    Default: enabled

user-vlan-in-redirection-url
    Sends the user's VLAN ID in the redirection URL when external captive portal servers are used. This parameter requires the Public Access license.
    Range: enabled/disabled
    Default: disabled

welcome-page <url>
    URL of the page that appears after logon and before redirection to the web URL. This can be set to any URL.
    Default: /auth/welcome.html

white-list <white-list>
    Name of an existing white list on an IPv4 or IPv6 network destination. The white list contains authenticated websites that a guest can access. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the whitelist.

Usage Guidelines

You can configure the Captive Portal authentication profile in the base operating system or with the Next Generation Policy Enforcement Firewall (PEFNG) license installed. When you configure the profile in the base operating system, the name of the profile must be entered for the initial role in the AAA profile. Also, when you configure the profile in the base operating system, you cannot define the default-role.

Example

The following example configures a Captive Portal authentication profile that authenticates users against the controller's internal database. Users who are successfully authenticated are assigned the auth-guest role.

To create the auth-guest user role shown in this example, the PEFNG license must be installed in the controller.

aaa authentication captive-portal guestnet
   default-role auth-guest
   user-logon
   no guest-logon
   server-group internal

Command History

Version          Description
ArubaOS 3.0      Command introduced.
ArubaOS 6.0      The max-authentication-failures parameter no longer requires a license.
ArubaOS 6.1      The sygate-on-demand, black-list and white-list parameters were added.
ArubaOS 6.2      The auth-protocol parameter was added, and the user-chap parameter was deprecated.
ArubaOS 6.3      The user-idle-timeout parameter was introduced.

Command Information

Platforms        Licensing                                            Command Mode
All platforms    Base operating system, except for noted parameters   Config mode on master controllers

aaa authentication dot1x

aaa authentication dot1x
   countermeasures
   key-cache clear

aaa authentication dot1x <profile>
   ca-cert <certificate>
   cert-cn-lookup
   clear
   clone <profile>
   delete-keycache
   eapol-logoff
   enforce-suite-b-128
   enforce-suite-b-192
   framed-mtu <mtu>
   heldstate-bypass-counter <number>
   ignore-eap-id-match
   ignore-eapolstart-afterauthentication
   key-cache
   machine-authentication blacklist-on-failure|{cache-timeout <hours>}|enable|{machine-default-role <role>}|{user-default-role <role>}
   max-authentication-failures <number>
   max-requests <number>
   multicast-keyrotation
   no ...
   opp-key-caching
   reauth-max <number>
   reauthentication
   server {server-retry <number>|server-retry-period <seconds>}
   server-cert <certificate>
   termination {eap-type <type>}|enable|enable-token-caching|{inner-eap-type (eap-gtc|eap-mschapv2)}|{token-caching-period <hours>}
   timer {idrequest_period <seconds>}|{mkey-rotation-period <seconds>}|{quiet-period <seconds>}|{reauth-period <seconds>}|{ukey-rotation-period <seconds>}|{wpa-groupkey-delay <milliseconds>}|{wpa-key-period <milliseconds>}|wpa2-key-delay <milliseconds>
   tls-guest-access
   tls-guest-role <role>
   unicast-keyrotation
   use-session-key
   use-static-key
   validate-pmkid
   voice-aware
   wep-key-retries <number>
   wep-key-size {40|128}
   wpa-fast-handover
   wpa-key-retries <number>
   xSec-mtu <mtu>
   reload-cert

Description

This command configures the 802.1X authentication profile.

Syntax

countermeasures
    Scans for message integrity code (MIC) failures in traffic received from clients. If there are more than 2 MIC failures within 60 seconds, the AP is shut down for 60 seconds. This option is intended to slow down an attacker who is making a large number of forgery attempts in a short time.
    Default: disabled

key-cache clear
    Clear the cached PMK, Role and VLAN entries. This command is available in enable mode only.

<profile>
    Name that identifies an instance of the profile. The name must be 1-63 characters.
    Default: default

ca-cert <certificate>
    CA certificate for client authentication. The CA certificate needs to be loaded in the controller.

cert-cn-lookup
    If you use client certificates for user authentication, enable this option to verify that the certificate's common name exists on the authentication server.
    Default: disabled

delete-keycache
    Delete the key cache entry when the user entry is deleted.
    Default: disabled

eapol-logoff
    Enables handling of EAPOL-LOGOFF messages.
    Default: disabled

enforce-suite-b-128
    Enforce Suite-B 128-bit or higher security level authentication.
    Default: disabled

enforce-suite-b-192
    Enforce Suite-B 192-bit or higher security level authentication.
    Default: disabled

framed-mtu <mtu>
    Sets the framed MTU attribute sent to the authentication server.
    Range: 500-1500
    Default: 1100

heldstate-bypass-counter <number>
    (This parameter is applicable when 802.1X authentication is terminated on the controller, also known as AAA FastConnect.) Number of consecutive authentication failures which, when reached, causes the controller to not respond to authentication requests from a client while the controller is in a held state after the authentication failure. Until this number is reached, the controller responds to authentication requests from the client even while the controller is in its held state.
    Range: 0-3
    Default: 0

ignore-eap-id-match
    Ignore EAP ID during negotiation.
    Default: disabled

ignore-eapolstart-afterauthentication
    Ignores EAPOL-START messages after authentication.
    Default: disabled

machine-authentication
    (For Windows environments only) These parameters set machine authentication.
    NOTE: This parameter requires the PEFNG license.

    blacklist-on-failure
        Blacklists the client if machine authentication fails.
        Default: disabled

    cache-timeout <hours>
        The timeout, in hours, for machine authentication.
        Range: 1-1000
        Default: 24 hours (1 day)

    enable
        Select this option to enforce machine authentication before user authentication. If selected, either the machine-default-role or the user-default-role is assigned to the user, depending on which authentication is successful.
        Default: disabled

    machine-default-role <role>
        Default role assigned to the user after completing only machine authentication.
        Default: guest

    user-default-role <role>
        Default role assigned to the user after 802.1X authentication.
        Default: guest

max-authentication-failures <number>
    Number of times a user can try to log in with wrong credentials after which the user is blacklisted as a security threat. Set to 0 to disable blacklisting, otherwise enter a non-zero integer to blacklist the user after the specified number of failures.
    Range: 0-5
    Default: 0 (disabled)

max-requests <number>
    Maximum number of times ID requests are sent to the client.
    Range: 1-10
    Default: 5

multicast-keyrotation
    Enables multicast key rotation.
    Default: disabled

no ...
    Negates any configured parameter.

opp-key-caching
    Enables a cached pairwise master key (PMK) derived with a client and an associated AP to be used when the client roams to a new AP. This allows clients faster roaming without a full 802.1X authentication.
    NOTE: Make sure that the wireless client (the 802.1X supplicant) supports this feature. If the client does not support this feature, the client will attempt to renegotiate the key whenever it roams to a new AP. As a result, the key cached on the controller can be out of sync with the key used by the client.
    Default: enabled

reauth-max <number>
    Maximum number of reauthentication attempts.
    Range: 1-10
    Default: 3

reauthentication
    Select this option to force the client to do an 802.1X reauthentication after the expiration of the default timer for reauthentication. (The default value of the timer is 24 hours.) If the user fails to reauthenticate with valid credentials, the state of the user is cleared. If derivation rules are used to classify 802.1X-authenticated users, then the reauthentication timer per role overrides this setting.
    Default: disabled

server
    Sets options for sending authentication requests to the authentication server group.

    server-retry <number>
        Maximum number of authentication requests that are sent to the server group.
        Range: 0-3
        Default: 3

    server-retry-period <seconds>
        Server group retry interval, in seconds.
        Range: 5-65535
        Default: 5 seconds

server-cert <certificate>
    Server certificate used by the controller to authenticate itself to the client.

termination
    Sets options for terminating 802.1X authentication on the controller.

    eap-type <type>
        The Extensible Authentication Protocol (EAP) method, either EAP-PEAP or EAP-TLS.
        Range: eap-peap/eap-tls
        Default: eap-peap

    enable
        Enables 802.1X termination on the controller.
        Default: disabled

    enable-token-caching
        If you select EAP-GTC as the inner EAP method, you can enable the controller to cache the username and password of each authenticated user. The controller continues to reauthenticate users with the remote authentication server; however, if the authentication server is not available, the controller will inspect its cached credentials to reauthenticate users.
        Default: disabled

    inner-eap-type eap-gtc|eap-mschapv2
        When EAP-PEAP is the EAP method, one of the following inner EAP types is used:
        - EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecureID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the controller as a backup to an external authentication server.
        - EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2): Described in RFC 2759, this EAP method is widely supported by Microsoft clients.
        Range: eap-gtc/eap-mschapv2
        Default: eap-mschapv2

    token-caching-period <hours>
        If you select EAP-GTC as the inner EAP method, you can specify the timeout period, in hours, for the cached information.
        Range: (any)
        Default: 24 hours

timer
    Sets timer options for 802.1X authentication:

    idrequest_period <seconds>
        Interval, in seconds, between identity request retries.
        Range: 1-65535
        Default: 5 seconds

    mkey-rotation-period <seconds>
        Interval, in seconds, between multicast key rotations.
        Range: 60-864000
        Default: 1800 seconds

    quiet-period <seconds>
        Interval, in seconds, following failed authentication.
        Range: 1-65535
        Default: 30 seconds

    reauth-period <seconds>
        Interval, in seconds, between reauthentication attempts, or specify server to use the server-provided reauthentication period.
        Range: 60-864000
        Default: 86400 seconds (1 day)

    ukey-rotation-period <seconds>
        Interval, in seconds, between unicast key rotations.
        Range: 60-864000
        Default: 900 seconds

    wpa-groupkey-delay <milliseconds>
        Interval, in milliseconds, between unicast and multicast key exchanges.
        Range: 0-2000
        Default: 0 ms (no delay)

    wpa-key-period <milliseconds>
        Interval, in milliseconds, between each WPA key exchange.
        Range: 1000-5000
        Default: 1000 ms

    wpa2-key-delay <milliseconds>
        Set the delay between EAP-Success and unicast key exchange.
        Range: 1-2000
        Default: 0 ms (no delay)

tls-guest-access
    Enables guest access for EAP-TLS users with valid certificates.
    Default: disabled

tls-guest-role <role>
    User role assigned to EAP-TLS guests.
    NOTE: This parameter requires the PEFNG license.
    Default: guest

unicast-keyrotation
    Enables unicast key rotation.
    Default: disabled

use-session-key
    Use the RADIUS session key as the unicast WEP key.
    Default: disabled

use-static-key
    Use a static key as the unicast/multicast WEP key.
    Default: disabled

validate-pmkid
    This parameter instructs the controller to check the pairwise master key (PMK) ID sent by the client. When this option is enabled, the client must send a PMKID in the associate or reassociate frame to indicate that it supports OKC or PMK caching; otherwise, full 802.1X authentication takes place. (This feature is optional, since most clients that support OKC and PMK caching do not send the PMKID in their association request.)
    Default: disabled

voice-aware
    Enables rekey and reauthentication for VoWLAN clients.
    NOTE: The Next Generation Policy Enforcement Firewall license must be installed.
    Default: enabled

wep-key-retries <number>
    Number of times WPA/WPA2 key messages are retried.
    Range: 1-5
    Default: 3

wep-key-size {40|128}
    Dynamic WEP key size, either 40 or 128 bits. WEP is cryptographically broken regardless of key size; the WEP parameters in this profile exist only for legacy clients that cannot use WPA2.
    Range: 40 or 128
    Default: 128 bits

wpa-fast-handover
    Enables WPA fast handover. This is only applicable for phones that support WPA and fast handover.
    Default: disabled

wpa-key-retries <number>
    Set the number of times WPA/WPA2 key messages are retried.
    Range: 1-10
    Default: 3

xSec-mtu <mtu>
    Sets the size of the MTU for xSec.
    Range: 1024-1500
    Default: 1300 bytes

reload-cert
    Reload the certificate used for 802.1X termination. This command is available in enable mode only.

Usage Guidelines

The 802.1X authentication profile allows you to enable and configure machine authentication and 802.1X termination on the controller (also called AAA FastConnect).

In the AAA profile, specify the 802.1X authentication profile, the default role for authenticated users, and the server group for the authentication.

Examples

The following example enables authentication of the user's client device before user authentication. If machine authentication fails but user authentication succeeds, the user is assigned the restricted guest role:

aaa authentication dot1x dot1x
   machine-authentication enable
   machine-authentication machine-default-role computer
   machine-authentication user-default-role guest

The following example configures an 802.1X profile that terminates authentication on the controller, where the user authentication is performed with the controller's internal database or with a backend non-802.1X server:

aaa authentication dot1x dot1x
   termination enable
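The captive-portal and 802.1X parameter tables above describe several settings whose defaults or options weaken authentication: protocol-http serves the captive-portal logon page over clear-text HTTP, max-authentication-failures left at its default of 0 never blacklists a guessing client, guest-logon admits users without credentials, EAP-GTC as the inner method of terminated 802.1X passes passwords without EAP-level protection, enable-token-caching keeps user credentials on the controller, and use-static-key, use-session-key and wep-key-size select WEP. The following Python script is an added example, not code from the ArubaOS guide or from Aruba: it parses show running-config style text and reports those settings per profile. The embedded configuration is a constructed sample; the profile names and finding codes are invented for the illustration, and the parser assumes that each configured parameter appears on its own indented line under the profile header, as in the examples above.

```python
"""Audit ArubaOS captive-portal and 802.1X profiles for weak settings.

Added example; not code from the ArubaOS guide or from Aruba. Parses
`show running-config` style text (the sample below is constructed) and
flags the settings the parameter tables describe as risky. Finding codes
are invented for this illustration.
"""
import re

# Constructed sample in the shape of ArubaOS running-config output.
SAMPLE_CONFIG = """\
aaa authentication captive-portal "guestnet"
   default-role auth-guest
   no guest-logon
   server-group internal
   protocol-http
!
aaa authentication captive-portal "lobby"
   guest-logon
   max-authentication-failures 3
!
aaa authentication dot1x "legacy"
   termination enable
   termination inner-eap-type eap-gtc
   use-static-key
!
aaa authentication dot1x "corp"
   termination enable
   termination eap-type eap-tls
   cert-cn-lookup
   validate-pmkid
   max-authentication-failures 3
!
"""

PROFILE_HEADER = re.compile(r'^aaa authentication (captive-portal|dot1x) "([^"]+)"$')


def parse_profiles(text):
    """Map (profile type, name) -> list of parameter lines set in the profile.

    Only non-default settings appear in running-config, so a parameter that
    is absent from the list is at the default given in the tables.
    """
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None          # '!' closes the profile block
            continue
        match = PROFILE_HEADER.match(line)
        if match:
            current = (match.group(1), match.group(2))
            profiles[current] = []
        elif current is not None:
            profiles[current].append(line)
    return profiles


def audit(text):
    """Return a list of (profile, finding-code) pairs for the config text."""
    findings = []
    for (ptype, name), lines in parse_profiles(text).items():
        params = set(lines)
        tag = f"{ptype} {name}"
        # max-authentication-failures defaults to 0, i.e. blacklisting off.
        lockout = any(line.startswith("max-authentication-failures ") for line in lines)
        if ptype == "captive-portal":
            if "protocol-http" in params:
                findings.append((tag, "CP-HTTP"))           # logon page over clear-text HTTP
            if "guest-logon" in params:
                findings.append((tag, "CP-GUEST-OPEN"))     # logon without any credentials
            if not lockout:
                findings.append((tag, "CP-NO-LOCKOUT"))
        else:
            if "termination enable" in params and "termination inner-eap-type eap-gtc" in params:
                findings.append((tag, "DOT1X-GTC"))         # password has no EAP-level protection
            if "termination enable-token-caching" in params:
                findings.append((tag, "DOT1X-CRED-CACHE"))  # user credentials cached on controller
            if any(line.startswith(("use-static-key", "use-session-key", "wep-key-size "))
                   for line in lines):
                findings.append((tag, "DOT1X-WEP"))         # static or dynamic WEP in use
            if not lockout:
                findings.append((tag, "DOT1X-NO-LOCKOUT"))
    return findings


if __name__ == "__main__":
    for profile, code in audit(SAMPLE_CONFIG):
        print(f"{profile}: {code}")
```

In the sample, the EAP-TLS profile "corp" produces no findings, while the HTTP captive portal and the EAP-GTC/WEP profile each produce several. Absence of a max-authentication-failures line is reported deliberately: the tables give 0 as the default and, for the 802.1X and MAC profiles, state that 0 disables blacklisting.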

Command History

Version            Description
ArubaOS 3.0        Command introduced.
ArubaOS 6.1        The cert-cn-lookup, enforce-suite-b-128 and enforce-suite-b-192 parameters were introduced.
ArubaOS 6.3.1.2    The delete-keycache parameter was introduced.

Command Information

Platforms        Licensing                                                                  Command Mode
All platforms    Base operating system. The voice-aware parameter requires the PEFNG license    Config mode on master controllers

aaa authentication mac

aaa authentication mac <profile>
   case upper|lower
   clone <profile>
   delimiter {colon|dash|none}
   max-authentication-failures <number>
   no ...

Description

This command configures the MAC authentication profile.

Syntax

<profile>
    Name that identifies an instance of the profile. The name must be 1-63 characters.
    Default: default

case upper|lower
    The case (upper or lower) used in the MAC string sent in the authentication request. If there is no delimiter configured, the MAC address in lower case is sent in the format xxxxxxxxxxxx, while the MAC address in upper case is sent in the format XXXXXXXXXXXX.
    Range: upper|lower
    Default: lower

clone <profile>
    Name of an existing MAC profile from which parameter values are copied.

delimiter {colon|dash|none}
    Delimiter (colon, dash, or none) used in the MAC string.
    Range: colon|dash|none
    Default: none

max-authentication-failures <number>
    Number of times a client can fail to authenticate before it is blacklisted. A value of 0 disables blacklisting.
    Range: 0-10
    Default: 0 (disabled)

no ...
    Negates any configured parameter.

Usage Guidelines

The MAC authentication profile configures authentication of devices based on their physical MAC address. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to all other devices. Users may still be required to authenticate themselves using other methods, depending upon the network privileges. A MAC address is sent in the clear and can be set by the client, so it identifies a device without proving who is using it; treat MAC authentication as a weak control and pair it with a stronger method where the network privileges warrant it.

Example

The following example configures a MAC authentication profile that blacklists a client device after three failed authentication attempts.

aaa authentication mac mac-blacklist
   max-authentication-failures 3
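The case and delimiter settings above determine the exact string the controller places in the authentication request, which is what a RADIUS or LDAP backend has to match. The following Python code is an added example, not code from the ArubaOS guide or from Aruba. It renders the MAC address from Table 4 (00:05:4e:50:14:aa) in each of the six case/delimiter forms and shows the strict backend-side match that accepts exactly those forms and nothing else. The function names are invented for the illustration.

```python
"""MAC authentication username forms for the case/delimiter settings.

Added example; not code from the ArubaOS guide. mac_auth_username() renders
a client MAC exactly as the profile's case and delimiter settings put it
into the authentication request; username_matches_mac() is the strict
backend-side check that accepts exactly those forms and nothing else.
"""
import re

# delimiter setting -> separator the controller inserts between octets
DELIMITERS = {"none": "", "colon": ":", "dash": "-"}


def canonical_hex(mac):
    """Strip separators and check that exactly 12 hex digits remain."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def mac_auth_username(mac, case="lower", delimiter="none"):
    """MAC string as sent for the given settings (defaults match the profile defaults)."""
    if case not in ("upper", "lower") or delimiter not in DELIMITERS:
        raise ValueError("case must be upper|lower and delimiter colon|dash|none")
    digits = canonical_hex(mac)
    if case == "upper":
        digits = digits.upper()
    sep = DELIMITERS[delimiter]
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def all_username_forms(mac):
    """The six strings a controller could send for this MAC (one per case/delimiter pair)."""
    return {mac_auth_username(mac, case, delim)
            for case in ("lower", "upper") for delim in DELIMITERS}


def username_matches_mac(username, mac):
    """Strict backend match: true only for one of the six controller forms.

    Normalizing the received User-Name with canonical_hex() would also accept
    separators the controller never produces (dots, spaces), so the check
    enumerates the real forms instead.
    """
    return username in all_username_forms(mac)


if __name__ == "__main__":
    sample = "00:05:4e:50:14:aa"   # MAC address from the addresses table
    for case in ("lower", "upper"):
        for delim in DELIMITERS:
            print(f"case {case:5} delimiter {delim:5} -> {mac_auth_username(sample, case, delim)}")
```

If the backend stores one canonical form per device, it must still recognise whichever of the six forms the controller's profile produces; provisioning all six, or matching with username_matches_mac(), avoids silent authentication failures after a case or delimiter change on the controller.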

Command History

Release            Modification
ArubaOS 3.0        Command introduced
ArubaOS 3.3.1.8    The max-authentication-failures parameter was allowed in the base operating system. In earlier versions of ArubaOS, the max-authentication-failures parameter required the Wireless Intrusion Protection license

Command Information

Platforms        Licensing                Command Mode
All platforms    Base operating system    Config mode on master controllers

  • aaa authentication mgmtaaa authentication mgmt

    default-role {guest-provisioning|location-api-mgmt|network-operations|no-access|read-only|root}enableno ...server-group

    Description

    This command configures authentication for administrative users.

    Syntax

    default-role
        Select a predefined management role to assign to authenticated administrative users. Default: default.
        default               Default superuser role
        guest-provisioning    Guest provisioning role
        location-api-mgmt     Location API role
        network-operations    Network operations role
        no-access             No commands are accessible for this role
        read-only             Read-only role

    enable
        Enables authentication for administrative users. Range: enabled|disabled. Default: disabled.

    mschapv2
        Enable MSCHAPv2. Range: enabled|disabled. Default: disabled.

    no
        Negates any configured parameter.

    server-group
        Name of the group of servers used to authenticate administrative users. See aaa server-group on page 92. Default: default.

    Usage Guidelines

    If you enable authentication with this command, users configured with the mgmt-user command must be authenticated using the specified server-group.

    You can configure the management authentication profile in the base operating system or with the PEFNG license installed.

    Example

    The following example configures a management authentication profile that authenticates users against the controller's internal database. Users who are successfully authenticated are assigned the read-only role.

    aaa authentication mgmt
      default-role read-only
      server-group internal

    Command History

    Release        Modification
    ArubaOS 3.0    Command introduced.
    ArubaOS 3.2    The network-operations role was introduced.
    ArubaOS 3.3    The location-api-mgmt role was introduced.

    Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers

    aaa authentication-server internal

    aaa authentication-server internal use-local-switch

    Description

    This command specifies that the internal database on a local controller be used for authenticating clients.

    Usage Guidelines

    By default, the internal database in the master controller is used for authentication. This command directs authentication to the internal database on the local controller where you run the command.

    Command History

    This command was available in ArubaOS 3.0.

    Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master or local controllers


    aaa authentication-server ldap

    aaa authentication-server ldap
      admin-dn
      admin-passwd
      allow-cleartext
      authport
      base-dn
      clone
      enable
      filter
      host
      key-attribute
      max-connection
      no ...
      preferred-conn-type ldap-s|start-tls|clear-text
      timeout

    Description

    This command configures an LDAP server.

    Syntax

        Name that identifies the server.

    admin-dn
        Distinguished name for the admin user who has read/search privileges across all of the entries in the LDAP database (the user does not need write privileges but should be able to search the database and read attributes of other users in the database).

    admin-passwd
        Password for the admin user.

    allow-cleartext
        Allows clear-text (unencrypted) communication with the LDAP server. Range: enabled|disabled. Default: disabled.

    authport
        Port number used for authentication. Port 636 will be attempted for LDAP over SSL, while port 389 will be attempted for SSL over LDAP, Start TLS operation and clear text. Range: 1-65535. Default: 389.

    base-dn
        Distinguished Name of the node which contains the entire user database to use.

    clone
        Name of an existing LDAP server configuration from which parameter values are copied.

    enable
        Enables the LDAP server.

    filter
        Filter that should be applied to the search for the user in the LDAP database. The default filter string is (objectclass=*). Default: (objectclass=*).

    host
        IP address of the LDAP server, in dotted-decimal format.

    key-attribute
        Attribute that should be used as a key in the search for the LDAP server. For Active Directory, the value is sAMAccountName. Default: sAMAccountName.

    max-connection
        Maximum number of simultaneous non-admin connections to an LDAP server.

    no
        Negates any configured parameter.

    preferred-conn-type
        Preferred connection type. The default order of connection type is:
        1. ldap-s
        2. start-tls
        3. clear-text
        The controller will first try to contact the LDAP server using the preferred connection type, and will only attempt to use a lower-priority connection type if the first attempt is not successful.
        NOTE: You must enable the allow-cleartext option before you select clear-text as the preferred connection type. If you set clear-text as the preferred connection type but do not allow clear-text, the controller will only use ldap-s or start-tls to contact the LDAP server.
        Range: ldap-s|start-tls|clear-text. Default: ldap-s.

    timeout
        Timeout period of an LDAP request, in seconds. Range: 1-30. Default: 20 seconds.

    Usage Guidelines

    You must configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 92).

    Example

    The following command configures and enables an LDAP server:

    aaa authentication-server ldap ldap1
      host 10.1.1.243
      base-dn cn=Users,dc=1m,dc=corp,dc=com
      admin-dn cn=corp,cn=Users,dc=1m,dc=corp,dc=com
      admin-passwd abc10
      key-attribute sAMAccountName
      filter (objectclass=*)
      enable
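    The connection-type fallback described under preferred-conn-type and allow-cleartext, modelled as an added Python example (not ArubaOS code) so an operator can see which connection types a given server entry can end up using and whether a failed TLS attempt can degrade to unencrypted LDAP. It takes the priority order and per-type ports from the table above; how an explicit authport applies to each attempt, and the order in which ldap-s and start-tls are tried when clear-text is preferred but not allowed, are assumptions.

```python
"""Model of the LDAP connection-type fallback documented for
aaa authentication-server ldap. Added example; not ArubaOS code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed priority order from the preferred-conn-type description.
PRIORITY = ["ldap-s", "start-tls", "clear-text"]

# Ports from the authport description: 636 for LDAP over SSL, 389 for
# Start TLS and clear text (assumed to apply per type when authport
# is left at its default).
PORT_FOR_TYPE = {"ldap-s": 636, "start-tls": 389, "clear-text": 389}


@dataclass
class LdapServerConfig:
    """Subset of aaa authentication-server ldap parameters used here."""
    name: str
    host: str
    preferred_conn_type: str = "ldap-s"   # documented default
    allow_cleartext: bool = False          # documented default: disabled
    authport: Optional[int] = None         # None: use the per-type port


def attempt_order(cfg: LdapServerConfig) -> List[str]:
    """Connection types the controller will try, in order.

    Starts at the preferred type and falls through to lower-priority
    types only. clear-text is dropped unless allow-cleartext is enabled;
    if that leaves nothing (clear-text preferred but not allowed), the
    documented behaviour is to use ldap-s or start-tls, assumed here to
    be tried in priority order.
    """
    if cfg.preferred_conn_type not in PRIORITY:
        raise ValueError(f"unknown preferred-conn-type {cfg.preferred_conn_type!r}")
    order = PRIORITY[PRIORITY.index(cfg.preferred_conn_type):]
    if not cfg.allow_cleartext:
        order = [t for t in order if t != "clear-text"]
        if not order:
            order = ["ldap-s", "start-tls"]
    return order


def connection_plan(cfg: LdapServerConfig) -> List[Tuple[str, int]]:
    """(type, port) pairs in attempt order. An explicit authport is
    assumed to override the per-type port for every attempt."""
    return [(t, cfg.authport if cfg.authport is not None else PORT_FOR_TYPE[t])
            for t in attempt_order(cfg)]


def can_fall_back_to_cleartext(cfg: LdapServerConfig) -> bool:
    """True when a failed TLS attempt can end in unencrypted LDAP, which
    would expose the admin-dn bind credentials and user lookups on the wire."""
    return "clear-text" in attempt_order(cfg)


if __name__ == "__main__":
    # The page's own ldap1 example leaves preferred-conn-type and
    # allow-cleartext at their defaults.
    ldap1 = LdapServerConfig("ldap1", "10.1.1.243")
    # Constructed weaker variant for comparison (not from the page).
    weak = LdapServerConfig("ldap-weak", "10.1.1.243",
                            preferred_conn_type="start-tls", allow_cleartext=True)
    for cfg in (ldap1, weak):
        verdict = "cleartext fallback possible" if can_fall_back_to_cleartext(cfg) else "TLS only"
        print(cfg.name, connection_plan(cfg), verdict)
```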

    Command History

    This command was available in ArubaOS 3.0.

    Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers


    aaa authentication-server radius

    aaa authentication-server radius
      acctport
      authport
      clone
      enable
      enable-ipv6
      host |
      key
      mac-delimiter [colon|dash|none|oui-nic]
      mac-lowercase
      nas-identifier
      nas-ip
      nas-ip6
      no ...
      retransmit
      service-type-framed-user
      source-interface vlan ip6addr
      timeout
      use-ip-for-calling-station
      use-md5

    Description

    This command configures a RADIUS server.

    Syntax

        Name that identifies the server.

    acctport
        Accounting port on the server. Range: 1-65535. Default: 1813.

    authport
        Authentication port on the server. Range: 1-65535. Default: 1812.

    clone
        Name of an existing RADIUS server configuration from which parameter values are copied.

    enable
        Enables the RADIUS server.

    enable-ipv6
        Enables the RADIUS server in IPv6 mode.

    host
        Identify the RADIUS server either by its IP address or fully qualified domain name:
        - IPv4 or IPv6 address of the RADIUS server.
        - Fully qualified domain name (FQDN) of the RADIUS server. The maximum supported length is 63 characters.

    key
        Shared secret between the controller and the authentication server. The maximum length is 128 characters.

    mac-delimiter [colon|dash|none|oui-nic]
        Send MAC address with user-defined delimiter. Default: none.

    mac-lowercase
        Send MAC addresses as lowercase.

    nas-identifier
        Network Access Server (NAS) identifier to use in RADIUS packets.

    nas-ip
        NAS IP address to send in RADIUS packets. You can configure a global NAS IP address that the controller uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IP, the global NAS IP is used. To set the global NAS IP, enter the ip radius nas-ip command.

    nas-ip6
        NAS IPv6 address to send in RADIUS packets. You can configure a global NAS IPv6 address that the controller uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IPv6, the global NAS IPv6 is used. To set the global NAS IPv6, enter the ipv6 radius nas-ip6 command.

    no
        Negates any configured parameter.

    retransmit
        Maximum number of retries sent to the server by the controller before the server is marked as down. Range: 0-3. Default: 3.

    service-type-framed-user
        Send the service-type as FRAMED-USER instead of LOGIN-USER. This option is disabled by default. Default: disabled.

    source-interface vlan ip6addr
        This option associates a VLAN interface with the RADIUS server to allow the server-specific source interface to override the global configuration.
        - If you associate a Source Interface (by entering a VLAN number) with a configured server, then the source IP address of the packet will be that interface's IP address.
        - If you do not associate the Source Interface with a configured server (leave the field blank), then the IP address of the global Source Interface will be used.
        - If you want to configure an IPv6 address for the Source Interface, specify the IPv6 address for the ip6addr parameter.

    timeout
        Maximum time, in seconds, that the controller waits before timing out the request and resending it. Range: 1-30. Default: 5 seconds.

    use-ip-for-calling-station
        Use an IP address instead of a MAC address for calling station IDs. This option is disabled by default. Default: disabled.

    use-md5
        Use MD5 hash of cleartext password. Default: disabled.

    Usage Guidelines

    You must configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 92).

    Example

    The following command configures and enables a RADIUS server:

    aaa authentication-server radius radius1
      host 10.1.1.244
      key qwERtyuIOp
      enable

    Command History

    Version        Modification
    ArubaOS 3.0    Command introduced.
    ArubaOS 6.0    RADIUS server can be identified by its fully qualified domain name (FQDN).
    ArubaOS 6.1    The source-interface parameter was added.
    ArubaOS 6.3    - The mac-delimiter parameter was introduced.
                   - The enable-ipv6 and nas-ip6 parameters were introduced. An IPv6 host address can be specified for the host parameter.

    Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers

    aaa authentication-server tacacs

    aaa authentication-server tacacs
      clone
      enable
      host
      key
      no ...
      retransmit
      session-authorization
      tcp-port
      timeout

    Description

    This command configures a TACACS+ server.

    Syntax

        Name that identifies the server.

    clone
        Name of an existing TACACS server configuration from which parameter values are copied.

    enable
        Enables the TACACS server.

    host
        IPv4 or IPv6 address of the TACACS server.

    key
        Shared secret to authenticate communication between the TACACS+ client and server.

    no
        Negates any configured parameter.

    retransmit
        Maximum number of times a request is retried. Range: 0-3. Default: 3.

    session-authorization
        Enables TACACS+ authorization. Session-authorization turns on the optional authorization session for admin users. Default: disabled.

    tcp-port
        TCP port used by the server. Range: 1-65535. Default: 49.

    timeout
        Timeout period of a TACACS request, in seconds. Range: 1-30. Default: 20 seconds.

    Usage Guidelines

    You must configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 92).

    Example

    The following command configures and enables a TACACS+ server and enables session authorization:

    aaa authentication-server tacacs tacacs1
      clone default
      host 10.1.1.245
      key qwERtyuIOp
      enable
      session-authorization

    Command History

    Version        Description
    ArubaOS 3.0    Command introduced.
    ArubaOS 6.0    The session-authorization parameter was introduced.
    ArubaOS 6.3    IPv6 support was added for the TACACS server. You can now specify an IPv6 host address for the host parameter.

    Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers

    aaa authentication-server windows

    aaa authentication-server windows
      clone
      domain
      enable
      host
      no

    Description

    This command configures a Windows server for stateful-NTLM authentication.

    Syntax

        Name of the Windows server. You will use this name when you add the Windows server to a server group.

    clone
        Name of a Windows server from which you want to make a copy.

    domain
        The Windows domain for the authentication server.

    enable
        Enables the Windows server.

    host
        IP address of the Windows server.

    no
        Delete command.

    Usage Guidelines

    You must define a Windows server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 92). Windows servers are used for stateful-NTLM authentication.

    Example

    The following command configures and enables a Windows server:

    aaa authentication-server windows IAS_1
      host 10.1.1.245
      enable

    Command History

    This command was available in ArubaOS 3.4.1.

    Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers


    aaa authentication stateful-dot1x

    aaa authentication stateful-dot1x
      default-role
      enable
      no ...
      server-group
      timeout

    Description

    This command configures 802.1X authentication for clients on non-Aruba APs.

    Syntax

    default-role
        Role assigned to the 802.1X user upon login. NOTE: The PEFNG license must be installed. Default: guest.

    enable
        Enables 802.1X authentication for clients on non-Aruba APs. Use no enable to disable stateful 802.1X authentication. Default: enabled.

    no
        Negates any configured parameter.

    server-group
        Name of the group of RADIUS servers used to authenticate the 802.1X users. See aaa server-group on page 92.

    timeout
        Timeout period, in seconds. Range: 1-20. Default: 10 seconds.

    Usage Guidelines

    This command configures 802.1X authentication for clients on non-Aruba APs. The controller maintains user session state information for these clients.

    Example

    The following command assigns the employee user role to clients who successfully authenticate with the server group corp-rad:

    aaa authentication stateful-dot1x
      default-role employee
      server-group corp-rad

    Command History

    This command was introduced in ArubaOS 3.0.

    Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers

    aaa authentication stateful-dot1x clear

    aaa authentication stateful-dot1x clear

    Description

    This command clears automatically-created control path entries for 802.1X users on non-Aruba APs.

    Syntax

    No parameters.

    Usage Guidelines

    Run this command after changing the configuration of a RADIUS server in the server group configured with the aaa authentication stateful-dot1x command. This causes entries for the users to be created in the control path with the updated configuration information.

    Command History

    This command was introduced in ArubaOS 3.0.

    Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Enable mode on master controllers


    aaa authentication stateful-ntlm

    aaa authentication stateful-ntlm
      clone
      default-role
      enable
      server-group
      timeout

    Description

    This command configures stateful NT LAN Manager (NTLM) authentication.

    Syntax

    clone
        Create a copy of an existing stateful NTLM profile.

    default-role
        Select an existing role to assign to authenticated users. Default: guest.

    no
        Negates any configured parameter.

    server-group
        Name of a server group. Default: default.

    timeout
        Amount of time, in seconds, before the request times out. Range: 1-20 seconds. Default: 10 seconds.

    Usage Guidelines

    NT LAN Manager (NTLM) is a suite of Microsoft authentication and session security protocols. You can use a stateful NTLM authentication profile to configure a controller to monitor the NTLM authentication messages between clients and an authentication server. The controller can then use the information in the Server Message Block (SMB) headers to determine the client's username and IP address, the server IP address and the client's current authentication status. If the client successfully authenticates via an NTLM authentication server, the controller can recognize that the client has been authenticated and assign that client a specified user role. When the user logs off or shuts down the client machine, the user will remain in the authenticated role until the user's authentication is aged out.

    The Stateful NTLM Authentication profile requires that you specify a server group which includes the servers performing NTLM authentication, and a default role to be assigned to authenticated users. For details on defining a Windows server used for NTLM authentication, see aaa authentication-server windows.

    Example

    The following example configures a stateful NTLM authentication profile that authenticates clients via the server group Windows1. Users who are successfully authenticated are assigned the guest2 role.

    aaa authentication stateful-ntlm
      default-role guest2
      server-group Windows1

    Command History

    Command introduced in ArubaOS 3.4.1.

    Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master controllers


    aaa authentication via auth-profile

    aaa authentication via auth-profile
      auth-protocol {mschapv2|pap}
      cert-cn-lookup
      clone
      default-role
      desc
      max-authentication-failures
      no
      server-group

    Description

    This command configures the VIA authentication profile.

    Syntax

    auth-protocol {mschapv2|pap}
        Authentication protocol support for VIA authentication; MSCHAPv2 or PAP. Default: PAP.

    cert-cn-lookup
        Check certificate common name against AAA server. Default: Enabled.

    clone
        Name of an existing profile from which configuration values are copied.

    default-role
        Name of the default VIA authentication profile.

    desc
        Description of this profile for reference.

    max-authentication-failures
        Number of times VIA will prompt the user to log in due to incorrect credentials. After the maximum authentication failures, VIA will exit. Default: 3.

    server-group
        Server group against which the user is authenticated.

    Usage Guidelines

    Use this command to create VIA authentication profiles and associate user roles to the authentication profile.

    Example

    (host) (config) #aaa authentication via auth-profile default
    (host) (VIA Authentication Profile "default") #auth-protocol mschapv2
    (host) (VIA Authentication Profile "default") #default-role example-via-role
    (host) (VIA Authentication Profile "default") #desc "Default VIA Authentication Profile"
    (host) (VIA Authentication Profile "default") #server-group "via-server-group"

    Command History

    Version        Description
    ArubaOS 5.0    Command introduced.
    ArubaOS 6.3    The auth-protocol parameter was added.

    Command Information

    Platforms        Licensing                Command Mode
    All platforms    Base operating system    Config mode on master or local controllers


    aaa authentication via connection-profile

    aaa authentication via connection-profile
      admin-logoff-script
      admin-logon-script
      allow-user-disconnect
      allow-whitelist-traffic
      auth_domain_suffix
      auth-profile
      auth_doman_suffix
      auto-launch-supplicant
      auto-login
      auto-upgrade
      banner-message-reappear-timeout
      client-logging
      client-netmask
      client-wlan-profile position
      clone
      controllers-load-balance
      csec-gateway-url
      csec-http-ports
      dns-suffix-list
      domain-pre-connect
      enable-csec
      enable-fips
      enable-supplicant
      ext-download-url
      ike-policy
      ikev2-policy
      ikev2-proto
      ikev2auth
      ipsec-cryptomap map number
      ipsecv2-cryptomap
      lockdown-all-settings
      max-reconnect-attempts
      minimized
      max-timeout
      minimized
      no
      save-passwords
      server
      split-tunneling
      suiteb-crypto
      support-email
      tunnel
      user-idle-timeout
      validate-server-cert
      whitelist
      windows-credentials

    Description

    This command configures the VIA connection profile.

    Syntax

    admin-logoff-script
        Enables VIA logoff script. Default: Disabled.

    admin-logon-script
        Enables VIA logon script. Default: Disabled.

    allow-user-disconnect
        Enable or disable users to disconnect their VIA sessions. Default: Enabled.

    allow-whitelist-traffic
        If enabled, this feature will block network access until the VIA VPN connection is established. Default: Disabled.

    auth_domain_suffix
        Enables a domain suffix on VIA Authentication, so client credentials are sent as domainname\username instead of just username.

    auto-launch-supplicant
        Allows you to connect automatically to a configured WLAN network. Default: Disabled.

    auth-profile
        This is the list of VIA authentication profiles that will be displayed to users in the VIA client.

    admin-logoff-script
        Specify the name of the script that must be executed when the VIA connection is disconnected. The script must reside on the user/client system.

    admin-logon-script
        Specify the name of the script that must be executed when the VIA connection is established. The script must reside on the user/client system.

    auto-login
        Enable or disable VIA client to auto login and establish a secure connection to the controller. Default: Enabled.

    auto-upgrade
        Enable or disable VIA client to automatically upgrade when an updated version of the client is available on the controller. Default: Enabled.

    banner-message-reappear-timeout
        Timeout value, in minutes, after which the user session will end and the VIA Login banner message reappears. Default: 1440 minutes.

    client-logging
        Enable or disable VIA client to auto login and establish a secure connection to the controller. Default: Enabled.

    client-netmask
        The network mask that has to be set on the client after the VPN connection is established. Default: 255.255.255.255.

    client-wlan-profile position
        A list of VIA client WLAN profiles that needs to be pushed to the client machines that use Windows Zero Config (WZC) to configure or manage their wireless networks.

    clone
        Create a copy of a connection profile from another VIA connection profile.

    controllers-load-balance
        Enable this option to allow the VIA client to failover to the next available server, selected randomly from the list as configured in the VIA Servers option. If disabled, VIA will failover to the next in the sequence of the ordered list of VIA Servers. Default: Disabled.

    server
        - Address: This is the public IP address or the DNS hostname of the VIA controller. Users will connect to the remote server using this IP address or the hostname.
        - Internal IP Address: This is the IP address of any of the VLAN interface IP addresses belonging to this controller.
        - Description: This is a human-readable description of the controller.
        addr

    ext-download-url
        End users will use this URL to download VIA on their computers.

    ike-policy
        List of IKE policies that the VIA Client has to use to connect to the controller.

    ikev2-policy
        List of IKE V2 policies that the VIA Client has to use to connect to the controller.

    ikev2-proto
        Enable this to use IKEv2 protocol to establish VIA sessions. Default: Disabled.

    ikev2auth
        Use this option to set the IKEv2 authentication method. By default user certificate is used for authentication. The other supported methods are EAP-MSCHAPv2, EAP