Aruba Central User Guide

File Info : application/pdf, 828 Pages, 12.95MB

Copyright Information
© Copyright 2020 Hewlett Packard Enterprise Development LP.
Open Source Code
This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:
Hewlett Packard Enterprise Company 6280 America Center Drive San Jose, CA 95002 USA

Contents

About this Guide
Intended Audience
Related Documents
Conventions
Terminology Change
Contacting Support
What is Aruba Central?
Key Features
Supported Web Browsers
Operational Modes and Interfaces
Supported Devices
Supported Instant APs
Supported Aruba Switch Platforms
Supported Aruba CX Platforms
Supported SD-Branch Components
Getting Started with Aruba Central
Key Terms and Concepts
Workflow Summary
Creating an Aruba Central Account
Zones and Sign Up URLs
Signing up for an Aruba Central Account
Accessing Aruba Central Portal
Login URLs
Logging in to Aruba Central
Changing Your Password
Logging Out of Aruba Central
Accessing Aruba Central Mobile Application
About the Network Operations App User Interface
Types of Dashboards in the Network Operations App
Navigating to the Switch, Access Point, or Gateway Dashboard
Workflow to Configure, Monitor, or Troubleshoot in the Network Operations App
The Standard Enterprise Mode
Launching the Network Operations App
Parts of the Network Operations App User Interface
Search Bar
Help Icon Account Home Icon User Icon Filter Time Range Filter Left Navigation Pane
The Health Bar
Viewing the Health Bar Dashboard Health Bar for the Global Dashboard Health Bar for the Group Dashboard Health Bar for the Site Dashboard Health Bar for the AP Dashboard Health Bar for the Switch Dashboard Health Bar Dashboard for the Gateway Dashboard Health Bar for the Wireless Client Dashboard Health Bar for the Wired Client Dashboard
Launching the Network Operations App for MSP
Parts of the Network Operations App for MSP Help Icon Account Home Icon User Icon Filter Time Range Filter The Global Dashboard in MSP Mode The Group Dashboard in MSP Mode
Starting Your Free Trial
Get Started with the Free Trial
Configuring Email Notifications for Software Upgrades
Enabling Email Notifications
Configuring Idle Timeout
Setting up Your Aruba Central Instance
Getting Started with Aruba Central Manually Adding Devices
Using the Search Bar
Client Search Terms
Device Search Terms
User Experience Search Terms
Site Search Terms
Network & Services Search Terms
Navigation Search Terms
Managing Subscriptions
Assigning Services Management Subscriptions Assigning Gateway Subscriptions

Removing Subscriptions from Devices Acknowledging Subscription Expiry Notifications Renewing Subscriptions
Administering Aruba Central
Apps Global Settings
Managing Your Device Inventory
Viewing Devices Adding Devices to Inventory
Onboarding Devices
Adding Devices (Evaluation Account) Adding Devices (Paid Subscription) Manually Adding Devices
Managing Subscription Keys
Evaluation Subscription Key Paid Subscription Key Adding a Subscription Key Viewing Subscription Key Details
Managing Subscriptions
Assigning Services Management Subscriptions Assigning Gateway Subscriptions Removing Subscriptions from Devices Acknowledging Subscription Expiry Notifications Renewing Subscriptions
Users and Roles
Configuring System Users
Adding a System User Editing a User Deleting a User
Configuring User Roles
Predefined User Roles Custom Roles Module Permissions Viewing User Role Details Editing a User Role Deleting a User Role Two-Factor Authentication Support Access
Proximity Tracing
Pre-requisites Contact and Location Tracing Opt-Out Clients AirWaveServer Connection Signup Through Aruba Central Removing AirWave Connection Disabling Data Access
Groups for Device Configuration and Management
Group Operations
Group Configuration Modes Default Groups and Unprovisioned Devices Best Practices and Recommendations
Managing Groups
Creating a Group Assigning Devices to Groups Viewing Groups and Associated Devices Creating a New Group by Importing Configuration from a Device Cloning a Group Moving Devices between Groups Configuring Device Groups Configuring Groups in MSP Mode Deleting a Group
Assigning Devices to Groups
Assigning Instant APs to Groups Assigning Switches to Groups
Provisioning Devices Using UI-based Workflows
Provisioning Instant APs using UI-based Configuration Method Provisioning Switches Using UI-based Configuration Method Provisioning Aruba Gateways Using UI-based Configuration Method
Provisioning Devices Using Configuration Templates
Creating a Group with Template-Based Configuration Method Provisioning Devices Using Configuration Templates and Variable Definitions Managing Variable Files Backing Up and Restoring Configuration Templates
Managing Sites
Creating a Site Adding Multiple Sites in Bulk Assigning a Device to a Site Converting Existing Labels to Sites Editing a Site Deleting a Site
Managing Labels
Creating a Label Assigning a Label to a Device Detaching a Device from a Label Editing a Label Deleting a Label
Viewing Configuration Status
Viewing the Configuration Audit Page Applying Configuration Changes Viewing Configuration Overrides and Errors Backing up and Restoring Configuration Templates
Connecting Devices to Aruba Central
Connecting Instant APs to Aruba Central Connecting Aruba Switches to Aruba Central Connecting SD-WAN Gateways to Aruba Central
Certificates

Uploading Certificates Managing Certificates on Instant APs Configured Using Templates
Managing Software Upgrades
Viewing Firmware Details Upgrading a Device Setting Firmware Compliance For Access Points Setting Firmware Compliance For Switches Setting Firmware Compliance For Gateways in Standalone Mode
Using Troubleshooting Tools
Troubleshooting Network Issues
Troubleshooting AP Connectivity Issues Troubleshooting Switch Connectivity Issues Troubleshooting Gateway Connectivity Issues Viewing the Device Output
Troubleshooting Device Issues
Advanced Device Troubleshooting
Troubleshooting Access Points Troubleshooting Switches Troubleshooting Gateways Filtering Commands Viewing the Device Output
Viewing Audit Trails in the Account Home Page
Viewing Audit Trail in the Standard Enterprise Mode
Classification of Audit Trails
Removing Devices
Removing a Device from the Device Inventory Page
The AI Insights Dashboard
Insights Context
Cards
Baselines
Access Points had a high number of reboots
Time Series Graph Cards
Access Points had an excessive number of channel changes
Insight Summary Time Series Graph Cards
Access Points had unusually high CPU utilization
Time Series Graph Cards
Access Points impacted by high 2.4 GHz usage
Insight Summary Time Series Graph Cards
Access Point radios changed their transmit power frequently
Insight Summary Time Series Graph Cards
Access Point transmit power can be optimized
Insight Summary Card
Access Points were impacted by high 5 GHz usage
Insight Summary Time Series Graph Cards
Access Points with unusually high memory usage were found
Time Series Graph Cards
Clients experienced high latency while roaming
Time Series Graph Cards
Clients had a significant number of Low SNR uplink minutes
Insight Summary Time Series Graph Cards
Clients had an unusual number of MAC authentication failures
Insight Summary Time Series Graph Cards
Clients had DHCP server connection problems
Insight Summary Time Series Graph Cards
Clients had excessive 802.1x authentication failures
Insight Summary Time Series Graph Cards
Clients had excessive Wi-Fi security key-exchange failures
Insight Summary Time Series Graph Cards
Clients roamed excessively
Time Series Graph Cards
Coverage Holes have been detected
Insight Summary

Cards
Dual-band (2.4/5 GHz) capable clients primarily used 2.4 GHz
Insight Summary Time Series Graph Cards
DNS request/responses were significantly delayed
Time Series Graph Cards
DNS server(s) rejected a high number of queries
Insight Summary Time Series Graph Cards
Gateways had high Memory usage
Time Series Graph Cards
Gateways had unusually high CPU utilization
Time Series Graph Cards
Gateway tunnels failed to get established
Insight Summary Time Series Graph Cards
DNS queries failed to reach or return from the servers
Insight Summary Time Series Graph Cards
Information (telemetry) was not received from APs/Radios
Time Series Graph Cards
Outdoor clients are impacting Wi-Fi performance
Insight Summary Cards
Switches had an unusual number of port error
Insight Summary Time Series Graph Cards
Switches had excessive port flaps
Time Series Graph Cards
Switches had unusually high CPU utilization
Time Series Graph Cards
Switches had unusually high memory usage
Time Series Graph
Cards
Switch ports had a high number with Power-over-Ethernet problems
Time Series Graph
Cards
Instant APs
Supported Deployment Modes
Configuration and Management
Provisioning Instant APs
Viewing APs Configuration Tabs
Navigating to Virtual Controller Configuration Dashboard
Deploying a Wireless Network Using Instant APs
Setting Country Code
Country Code Configuration in Aruba Central from UI Setting Country Code at Group Level Setting Country Code at Device Level Country Code Configuration at Group Level from API
Configuring Device Parameters
Configuring Systems
Configuring External Antenna
EIRP and Antenna Gain
Configuring Antenna Gain
Adding an Instant AP
Deleting an Instant AP from the Network
Renaming an AP
Configuring Intelligent Power Monitoring
Points to Remember
Spectrum Scan Overview
Configuring System Parameters for an AP
Configuring VLAN Name and VLAN ID
Points to Remember
Configuring Dual 5 GHz Radio Bands on an Instant AP
Support for Dual 5 GHz AP
Configuring Network Profiles on Instant APs
Configuring Wireless Network Profiles on Instant APs Configuring Management Frames Protection Configuring Client Isolation Configuring Wireless Networks for Guest Users on Instant APs Configuring Wired Networks for Guest Users on Instant APs Configuring Downloadable Roles Configuring Wired Port Profiles on Instant APs Editing a WLAN Profile Editing an Access Point Port Profile
Deleting a Network Profile
Configuring Mesh Instant AP
Mesh Network Overview Mesh Instant APs Automatic Mesh Role Assignment Setting up Instant Mesh Network Configuring Wired Bridging on Eth0 for Mesh Point Mesh Cluster Function
Configuring Time-Based Services for Wireless Network Profiles
Before You Begin Creating a Time Range Profile Associating a Time Range Profile to an SSID Associating a Time Range Profile to ACL
Configuring ARM and RF Parameters on Instant APs
ARM Overview Configuring ARM Features Configuring Radio Parameters
Configuring IDS Parameters on APs
Rogue APs Configuring Wireless Intrusion Detection and Protection Policies
Configuring Authentication and Security Profiles on Instant APs
Supported Authentication Methods Support for Multiple PSK in WLAN SSID Configuring WPA3 Encryption Authentication Servers for Instant APs Configuring External Authentication Servers for APs Configuring Users Accounts for the Instant AP Management Interface Configuring Guest and Employee User Profiles on Instant APs Configuring Intra VLAN Traffic Whitelist Configuring an MPSK Local Profile Configuring Roles and Policies on Instant APs for User Access Control Configuring User Roles for AP Clients Configuring Role Derivation Rules for AP Clients Configuring Firewall Parameters for Wireless Network Protection Configuring Firewall Parameters for Inbound Traffic
Configuring ACLs for Deep Packet Inspection
Configuring ACLs on APs for Website Content Classification
Configuring Custom Redirection URLs for Instant AP Clients
Creating a List of Error Page URLs Configuring ACL Rules to Redirect Users to a Specific URL Configuring Firewall Parameters for Inbound Traffic Enabling ALG Protocols on Instant APs Blacklisting Instant AP Clients
Configuring Instant APs for VPN Services
Instant AP VPN Overview Configuring Instant APs for VPN Tunnel Creation Configuring Routing Profiles for Instant AP VPN
Configuring DHCP Pools and Client IP Assignment Modes on Instant APs
Configuring DHCP Scopes on Instant APs
Configuring DHCP Server for Assigning IP Addresses to Instant AP Clients
Configuring Services
Configuring AirGroup Services Configuring an Instant AP for RTLS Support Configuring an Instant AP for ALE Support Managing BLE Beacons Support for BLE Asset Tracking Configuring OpenDNS Credentials on Instant APs Configuring CALEA Server Support on Instant APs Configuring Instant APs for Palo Alto Networks Firewall Integration
Configuring XML API Interface
Configuring SIP Phones with Source-NAT
Application Visibility and Deep Packet Inspection
Enabling Application Visibility Service on APs
Configuring Uplink Interfaces on Instant APs
Configuring Uplink Interfaces
Configuring Cellular Uplink Profiles
Configuring Uplink Preferences and Switching
Configuring Enterprise Domains
Configuring SNMP Parameters
SNMP Configuration Parameters
Configuring Community String for SNMP
Configuring SNMP Trap Receivers
Configuring Syslog and TFTP Servers for Logging Events
Configuring Syslog Server on Instant APs
Configuring TFTP Dump Server Instant APs
Configuring Mobility for Clients
Layer-3 Mobility
Configuring L3 Mobility Domain
Mapping Instant AP Certificates
Configuring HTTP Proxy on an Instant AP
Configuring APs Using Templates
Password Management in Configuration Templates for AP
Aruba Switches
Supported Aruba Switch Platforms
Supported Aruba CX Platforms
Getting Started with Aruba Switch Deployments
Provisioning Workflow
Provisioning a Factory Default Switch
Provisioning a Pre-configured or Locally-Managed Switch
Group Assignment
Configuration and Management
Switch Monitoring
Troubleshooting and Diagnostics
Provisioning Factory Default Switches
Provisioning Pre-Configured Switches
Workflow 1--Pre-Provisioning a Switch
Workflow 2--Provisioning a Switch On-Demand
Managing Password in Configuration Templates
Password for Switches
Password for APs
Getting Started with Aruba CX Deployments
Provisioning Workflow
Provisioning a Factory Default Switch
Provisioning a Pre-configured or Locally-Managed Switch
Group Assignment
Configuration and Management
Switch Monitoring
Viewing VSX Details
Viewing Topology Map
Troubleshooting and Diagnostics
Configuration Audit
Troubleshooting Tools
Actions Drop-down
Limitations of Aruba CX Switch in Aruba Central
Provisioning Factory Default Aruba CX Switches
Provisioning Pre-Configured Aruba CX Switches
Workflow 1--Pre-Provisioning an Aruba CX Switch
Workflow 2--Provisioning an Aruba CX Switch On-Demand
Configuring Aruba Switches
CA Certificate Installation using API and Templates
Using Configuration Templates for Aruba Switch Management
Creating a Group for Template-Based Configuration
Creating a Configuration Template
Using Configuration Templates for Aruba CX Switch Management
Creating a Group for Template-Based Configuration
Creating a Configuration Template
Configuring or Viewing Switch Properties in UI Groups
Configuring or Viewing the Switch Properties Configuring Switch Ports on Aruba Switches Configuring PoE Settings on Aruba Switch Ports Configuring VLANs on Aruba Switches Configuring Trunk Groups on Aruba Switches in UI Groups Enabling Spanning Tree Protocol on Aruba Switches in UI Groups Configuring Loop Protection on Aruba Switch Ports Configuring Port Rate Limit on Aruba Switches in UI Groups Configuring RADIUS Server Settings on Aruba Switches Configuring Tunnel Node Server on Aruba Switches Configuring Authentication for Aruba Switches Configuring CDP on Aruba Switches Configuring Access Policies on Aruba Switches Configuring SNMP on Aruba Switches Configuring DHCP Pools on Aruba Switches Configuring DHCP Snooping on Aruba Switches Configuring IGMP on Aruba Switches Configuring QoS Settings on Aruba Switches Configuring Time Synchronization on Aruba Switches Configuring Routing on Aruba Switches Configuring Device Profile Automatic Rollback Configuration Configuring System Parameters for Aruba Switches
Aruba Switch Stack
Provisioning Switch Stacks in Aruba Central Assigning Labels and Sites Configuring Switch Stacks Monitoring Switch Stacks Viewing Switch Stacks in Site Topology Configuring Switch Stacks using Template Groups Configuring Switch Stacks using UI Groups Onboarding commander and members to Aruba Central for VSF stacking Onboarding commander and members to Aruba Central for BPS stacking Creating a switch stack Adding a stack member
Aruba CX VSF Stack
Aruba CX Switch Stacking Functions Supported in Aruba Central Aruba CX Switch Stacking Functions Not Supported in Aruba Central General Recommendations Configuring Aruba CX Switch Stacks Monitoring Aruba CX Switch Stacks Viewing Aruba CX Switch Stacks in Site Topology
Onboarding Aruba CX VSF Stack to Aruba Central
Replacing an Aruba CX VSF Stack Member (Same Model and Part Number)
Replacing the Commander
Replacing the Standby or Other Members
Removing an Aruba CX VSF Stack Member
Aruba SD-Branch Solution
Why SD-WAN?
Key Features and Benefits Understanding SD-WAN What are the Solution Requirements?
Monitoring Your Network
Network Overview
Monitoring Access Points
Monitoring Access Points in Summary View
Viewing the AP Summary Page
Monitoring Access Points in List View
Viewing the AP List Page
Rebooting an AP
Deleting an Offline AP
Thermal Shutdown Support in Instant AP
Thermal Shutdown Events
About Tri-Radio Mode
Viewing Tri-Radio Events
Access Point > Overview > Summary
Viewing the Overview > Summary Tab Actions Go Live
Access Point > Overview > AI Insights
Viewing Access Points > AI Insights AI Insights Categories
Access Point > Overview > Floor Plan
Viewing the Overview > Floor Plan Tab Actions Go Live
Access Point > Overview > Performance
Viewing the Overview > Performance Tab Actions Go Live
Access Point > Overview > RF
Viewing the Overview > RF Tab Actions Go Live
Access Point > Overview > Spectrum
Viewing the Overview > Spectrum Tab Actions Go Live
Access Point > Security > VPN
Viewing the Security > VPN Tab
Rebooting an Instant AP
Rebooting an Instant AP Cluster
Tech Support for an Instant AP
Opening a Remote Console
Resetting an AP through the Console
Enabling Live Instant AP Monitoring
Enabling and Disabling Go Live AP Details in Go Live Mode
Access Point > Clients > Clients
Viewing the Access Point > Clients > Clients Tab
Access Point > Alerts & Events > Alerts & Events
Viewing the Access Point > Alerts & Events > Alerts & Events Tab
Monitoring Switches and Switch Stacks
Monitoring Switches in List View
Viewing the Switches List Page Switches Table Assigning Uplink Ports Deleting an Offline Switch Downloading Switch Details
Monitoring Switches in Summary View
Viewing the Switches Summary Page Switch > Overview > Summary Switch > Overview > Hardware Switch > Overview > Routing Switch > Overview > AI Insights Switch > Clients > Clients Switch > Clients > Neighbours Switch > LAN > Ports Switch > LAN > PoE Viewing the LAN > PoE Tab Switch > LAN > VLAN Switch > VSX Rebooting Switches Opening Remote Console for Switch Troubleshooting Aruba Switches Enabling Unsupported Transceivers on Aruba Switches Troubleshooting Aruba CX Switch Onboarding Issues
Monitoring Gateway
Monitoring Gateways in List View
List View
Monitoring Gateways in Summary View
Summary View
Gateway > Overview > Summary
Viewing the Overview > Summary Tab

Device Info WAN Summary Health Status Actions Go Live
Gateways > Overview > IDPS
Viewing the Overview > IDPS Tab Traffic Inspection Engine Status Traffic Inspection Engine CPU Usage Traffic Inspection Engine Memory Usage Dropped Packets Actions Go Live
Gateway > Overview > Routing
Viewing the Overview > Routing Tab
Gateway > Overview > Routing > Route Table
Viewing the Overview > Routing > Routes Table Tab Routes Summary Routes Actions Go Live
Gateway > Overview > Routing > BGP
Viewing the Overview > Routing > BGP Tab BGP Summary BGP Details Actions
Gateway > Overview > Routing > OSPF
Viewing the Overview > Routing > OSPF Tab OSPF Summary OSPF Details Actions Go Live
Gateway > Overview > Routing > Overlay
Viewing the Overview > Routing > Overlay Tab Overlay Summary Overlay Details Actions Go Live
Gateway > Overview > Routing > RIP
Viewing the Overview > Routing > RIP Tab RIP Summary RIP Details Actions Go Live
Gateway > Overview > Sessions
Viewing the Overview > Sessions Tab Session Summary Sessions
Gateway > Overview > AI Insights
Viewing Gateways > AI Insights AI Insights Categories
Gateway > WAN > Summary
Viewing the WAN > Summary Tab Port Status WAN Interfaces Actions Go Live
Gateway > WAN > Tunnels
Viewing the WAN > Tunnels Tab Tunnels Summary Tunnels Actions Go Live
Gateway > WAN > Path Steering
Viewing the WAN > Path Steering Tab Path Steering Summary Path Steering Details Actions Go Live
Gateway > LAN > Summary
Viewing the LAN > Summary Tab Port Status LAN Interfaces Summary Port Details pop-up Screen VLAN Interfaces Summary Actions Go Live
Gateway > LAN > DHCP
Viewing the LAN > DHCP Tab DHCP Pools Active Leases Actions Go Live
Gateway > Applications > Visibility
Applications Tab in List View Applications Tab in Summary View Websites Tab in List View Websites Tab in Summary View
Downloading Gateway Details
Deleting a Gateway
Rebooting a Gateway
Opening a Remote Console
Clearing IPSec SA

Clearing ISAKMP SA
Enabling Gateway Logs
About RAPIDS
Viewing the RAPIDS Page Monitoring WIDS Events Configuring IDS Parameters Generating Alerts for Security Events Generating Reports for Security Events
Network Health Dashboard
Global--Summary
Viewing the Global Summary Page
Site Health Dashboard
Wi-Fi Connectivity
Connectivity Summary Bar Connection Experience AI Insights Connection Problems Connection Events
All Clients
Client Overview
Clients > Wireless Client > Overview
Viewing Clients Connected to Wireless Networks Overview Applications Live Events Events Tools Client Live Monitoring Disconnecting a Wireless Client from an AP Blocking a Wireless Client Unblocking a Wireless Client
Client Live Troubleshooting
Troubleshooting a Client Packet Capture
Clients > Wired Client > Overview
Viewing Clients Connected to Wired Networks Overview Applications Live Events Events Tools
Classifying Clients
Clients Page Insights
Application Visibility
Viewing Visibility Dashboard Applications Websites Blocked Traffic
About Floorplans
Floorplans Dashboard
Planning and Provisioning Devices
Creating a Floor Plan Importing a Floor Plan Modifying Floor Plan Properties Adding Devices to the Floor Plan
Customizing the Floorplans View
User Interface Elements of the Floorplans Dashboard Floorplans APIs Monitoring Sites in the Topology Tab
Alerts & Events
Alerts & Events Dashboard Viewing Alerts in List view Viewing Events in List view Viewing Alerts & Events in Summary view Configuring Alerts User Alerts Switch Alerts Gateway Alerts Access Point Alerts Connectivity Alerts Audit Alerts Site Alerts Adding Default Recipients Suppressing Alerts Viewing Enabled Alerts
Supported Access Point Events
Supported Client Events
Webhooks
Creating and Updating Webhooks Through the UI Refreshing Webhooks Token Through the UI Creating and Updating Webhooks Through the API Gateway List of Webhooks APIs Sample Webhooks Payload Format for Alerts
Access Point Alerts--Sample JSON
Switch Alerts--Sample JSON
Gateway Alerts--Sample JSON
Miscellaneous Alerts--Sample JSON
Reports

Report Categories Creating a Report Editing a Report Viewing a Report Downloading a Report Deleting a Report Deleting Multiple Reports
Viewing Audit Trail
API Gateway
API Gateway and NB APIs Accessing API Gateway Viewing Swagger Interface List of Supported APIs
Creating Application and Token
Using OAuth 2.0 for Authentication
Access and Refresh Tokens
Obtaining Token Using Offline Token Mechanism
Obtaining Token Using OAuth Grant Mechanism
Step 1: Authenticate a User and Create a User Session Step 2: [Optional] Generating Client Credentials Step 3: Generate Authorization Code Step 4: Exchange Auth Code for a Token Step 5: Refreshing a Token Step 6: Deleting a Token
Viewing Usage Statistics
Guest Access
Guest Access Dashboard
Creating Apps for Social Login
Creating a Facebook App Creating a Google App Creating a Twitter App Creating a LinkedIn App
Configuring a Cloud Guest Splash Page Profile
Adding a Cloud Guest Splash Page Profile Customizing a Splash Page Design Previewing and Modifying a Splash Page Profile Associating a Splash Page Profile to an SSID
Creating a WiFi4EU Guest Network
Configuring Visitor Accounts
Adding a visitor Deleting Visitors Downloading Visitor Account Details
Presence Analytics
Enabling Presence Analytics
Using Presence Analytics
List
Summary
Configuration
Unified Communications
Heuristics Classification
Enabling Unified Communications
Enabling Retain Client QoS
Editing Protocol
Unified Communications Dashboard
Installation Management
Installation Management and Monitoring
Installation Management Workflow
Installer Workflow
Managing Site Deployments
Creating a Site Assigning Groups to a Site Adding an Installer and Assigning Sites for Installation Downloading the Installer Mobile App Registering as an Aruba Installer Installing Devices on a Site Monitoring and Troubleshooting Installation Issues

Chapter 1 About this Guide

About this Guide
This user guide describes the features supported by Aruba Central and provides detailed instructions to set up and configure devices such as Instant APs, Aruba Switches, and Aruba SD-WAN Gateways.
Intended Audience
This guide is intended for system administrators who configure and monitor their networks using Aruba Central.

Related Documents
In addition to this document, the Aruba Central product documentation includes the following documents:
- Aruba Central Help Center
- Aruba Central Getting Started Guide
- Aruba Central Managed Service Provider User Guide
- Aruba Central SD Branch Solution Guide

Conventions
The following conventions are used throughout this guide to emphasize important concepts:

Table 1: Typographical Conventions

| Type Style | Description |
|---|---|
| Italics | This style is used to emphasize important terms and to mark the titles of books. |
| System items | This fixed-width font depicts the following: sample screen output; system prompts. |

The following informational icons are used throughout this guide:
- Indicates a risk of damage to your hardware or loss of data.
- Indicates helpful suggestions, pertinent information, and important things to remember.
- Indicates a risk of personal injury or death.
Terminology Change
As part of advancing HPE's commitment to racial justice, we are taking a much-needed step in overhauling HPE engineering terminology to reflect our belief system of diversity and inclusion. Some legacy products and publications may continue to include terminology that seemingly evokes bias against specific groups of people. Such content is not representative of our HPE culture and moving forward, Aruba will replace racially insensitive terms and instead use the following new language:

| Usage | Old Language | New Language |
|---|---|---|
| Campus Access Points + Controllers | Master-Slave | Conductor-Member |
| Instant Access Points | Master-Slave | Conductor-Member |
| Switch Stack | Master-Slave | Conductor-Member |
| Wireless LAN Controller | Mobility Master | Mobility Conductor |
| Firewall Configuration | Blacklist, Whitelist | Denylist, Allowlist |
| Types of Hackers | Black Hat, White Hat | Unethical, Ethical |

Contacting Support

Table 2: Contact Information

| Contact | Details |
| --- | --- |
| Main Site | arubanetworks.com |
| Support Site | support.arubanetworks.com |
| Airheads Social Forums and Knowledge Base | community.arubanetworks.com |
| North American Telephone | 1-800-943-4526 (Toll Free), 1-408-754-1200 |
| International Telephone | arubanetworks.com/support-services/contact-support/ |
| Software Licensing Site | lms.arubanetworks.com |
| End-of-life Information | arubanetworks.com/support-services/end-of-life/ |
| Security Incident Response Team | Site: arubanetworks.com/support-services/security-bulletins/ Email: [email protected] |


Chapter 2 What is Aruba Central?

Aruba Central offers unified network management, AI-based analytics, and IoT device security for wired, wireless, and SD-WAN networks. All of these capabilities are combined into one easy-to-use platform, which includes the following apps:
- Network Operations--Provides unified network management by consolidating wired, wireless, and SD-WAN deployment and management tasks, real-time diagnostics, and live monitoring, for simple and fast problem resolution.
- ClearPass Device Insight--Provides a single pane of glass for device visibility, employing automated device discovery and machine learning (ML) based fingerprinting and identification. For more information, see Aruba ClearPass Device Insight Information Center.
This section includes the following topics:
- Key Features
- What is Aruba Central?
- Supported Web Browsers
- Operational Modes and Interfaces
Key Features
Aruba Central offers the following key features and benefits:
- Streamlined configuration and deployment of devices--Leverages the ZTP capability of Aruba devices to bring up your network in no time. Aruba Central supports group configuration of devices, which allows you to provision and manage multiple devices with similar configuration requirements with less administrative overhead.
- Integrated wired, WAN, and wireless infrastructure management--Offers a centralized management interface for managing wireless, WAN, and wired networks in distributed environments, and thus helps organizations save time and improve efficiency.
- Advanced analytics and assurance--With continuous monitoring, AI-based analytics provide real-time visibility and insight into what's happening in the Wi-Fi network. The insights utilize machine learning that leverages a growing pool of network data and deep domain experience.
- Secure cloud-based platform--Offers a secure cloud platform with HTTPS connection and certificate-based authentication.
- Interface for Managed Service Providers--Offers an additional interface for MSPs to provision and manage their respective tenant accounts. Using the MSP mode, service provider organizations can administer network infrastructure for multiple organizations in a single interface.
- SD-Branch Management--Offers a simplified solution for managing and monitoring SD Branch devices such as Branch Gateways, VPN Concentrators, Instant APs, and Aruba Switches. It also provides detailed dashboards showing WAN health and pictorial depictions of the branch setup. The Aruba SD-Branch solution extends the SD-WAN concepts to all elements in a branch setup to deliver a full-stack solution for managing WLAN, LAN and WAN connections. The SD-Branch solution provides a common cloud-management model that simplifies deployment, configuration, and management of all components of a branch setup. The solution leverages the ZTP and cloud management capabilities of Aruba devices to integrate management and infrastructure for WAN, WLAN, and LAN and provide a holistic solution from access network to edge with end-to-end security. It also addresses all communications in distributed deployments, from micro branches to medium or large branches. For more information, see the Aruba SD-Branch Solution.
- Health and usage monitoring--Provides a comprehensive view of your network, device status and health, and application usage. You can monitor, identify, and address issues by using data-driven dashboards, alerts, reports, and troubleshooting workflows. Aruba Central also utilizes the DPI feature of the devices to monitor, analyze and block traffic based on application categories, application type, web categories and website reputation. Using this data, you can prioritize business critical applications, limit the use of inappropriate content, and enforce access policies on a per user, device or location basis.
- Guest Access--Allows you to manage access for your visitors with a secure guest Wi-Fi experience. You can create guest sponsor roles and social logins for your guest networks. You can also design your guest landing page with custom logos, color, and banner text.
- Presence Analytics--Offers a value added service for Instant AP based networks to get an insight into user presence and loyalty. The Presence Analytics dashboard allows you to view the presence of users at a specific site and the frequency of user visits at a given location or site. Using this data, you can make business decisions to improve customer engagement.

Supported Web Browsers
To view the Aruba Central UI, ensure that JavaScript is enabled on the web browser.

Table 3: Browser Compatibility Matrix

| Browser Versions | Operating System |
| --- | --- |
| Google Chrome 39.0.2171.65 or later | Windows and Mac OS |
| Mozilla Firefox 34.0.5 or later | Windows and Mac OS |
| Safari 7 or later | Mac OS |

Operational Modes and Interfaces
Aruba offers the following variants of the Aruba Central web interface:
- Standard Enterprise Mode
- Managed Service Provider Mode
Standard Enterprise Mode
The Standard Enterprise interface is intended for users who manage their respective accounts end-to-end. In the Standard Enterprise mode, the customers have complete access to their accounts. They can also provision devices and subscriptions to manage their respective accounts. The following figure illustrates a typical Standard Enterprise mode deployment.


Figure 1 Standard Enterprise Mode

Managed Service Provider Mode
Aruba Central offers the MSP mode for managed service providers who need to manage multiple customer networks. The MSP administrators can provision tenant accounts, allocate devices, assign licenses, and monitor tenant accounts and their networks. The administrators can also drill down to a specific tenant account and perform administration and configuration tasks. Tenants can access only their respective accounts, and only those features and application services to which they have subscribed. The following figure illustrates a typical MSP mode deployment.
Figure 2 Managed Service Provider Mode

Supported Devices
This section provides the following information:

- Supported Instant APs
- Supported Aruba Switch Platforms
- Supported Aruba CX Platforms
- Supported SD-Branch Components
Supported Instant APs
The following section discusses the supported Instant APs:
Supported Indoor APs
Aruba Central supports the following indoor APs:
- AP-555
- AP-535
- AP-534
- AP-515
- AP-514
- AP-505H
- AP-505
- AP-504
- AP-345
- AP-344
- IAP-334/335
- IAP-324/325
- AP-318
- IAP-314/315
- IAP-304/305
- AP-303P
- AP-303H
- AP-303
- RAP-3WNP
- IAP-228
- IAP-224/225
- IAP-214/215
- IAP-207
- IAP-205H
- IAP-204/205
- AP-203R/AP-203RP
- AP-203H
- RAP-155/155P
- IAP-134/135
- IAP-114/115
- RAP-108/109
- IAP-105
- IAP-104
- IAP-103
Supported Outdoor APs
Aruba Central supports the following outdoor APs:
- AP-577EX
- AP-577
- AP-575EX
- AP-575
- AP-574
- AP-518
- AP-387
- AP-377EX
- AP-377
- AP-375EX
- AP-375
- AP-374
- AP-367
- AP-365
- IAP-277
- IAP-274/275
- IAP-175
Supported Instant AP Firmware Versions
The current release of Aruba Central supports only the following Instant AP firmware versions:
- 8.7.0.0
- 8.6.0.4
- 8.6.0.3
- 8.6.0.2
- 8.5.0.9
- 8.5.0.8
- 8.5.0.7
- 8.5.0.6
- 8.5.0.5
- 8.4.0.6
- 8.3.0.12
- 8.3.0.11
- 6.5.4.17
- 6.5.4.16
- 6.5.4.15
- 6.5.1.5-4.3.1.9
- 6.4.4.8-4.2.4.16
RAP-155, RAP-155P, IAP-214, IAP-215, IAP-224, IAP-225, IAP-228, IAP-274, IAP-275, IAP-277 Instant APs are no longer supported from Aruba Instant 8.7.0.0 onwards.

IAP-103, RAP-108, RAP-109, IAP-114, IAP-115, IAP-204, IAP-205, and IAP-205H Instant APs are no longer supported from Aruba Instant 8.3.0.0 onwards.

By default, AP-318, AP-374, AP-375, and AP-377 access points have Eth1 as the uplink port and Eth0 as the downlink port. Aruba recommends that you not upgrade these access points to 8.5.0.0 or 8.5.0.1 firmware versions as the upgrade process changes the uplink port from Eth1 to Eth0 port thereby making the devices unreachable.
APs Supporting Power Draw
The following APs support Power Draw:
- AP-577EX
- AP-577
- AP-575EX
- AP-575
- AP-574
- AP-518
- AP-515
- AP-514
- AP-505H
- AP-505
- AP-504
- AP-387
- AP-377
- AP-375
- AP-374
- AP-345
- AP-344
- IAP-335
- IAP-334
- AP-318
- IAP-314
- IAP-305
- IAP-304
- AP-303H

For more information about Aruba's End-of-life policy and the timelines for hardware and software products at the end of their lives, see: https://www.arubanetworks.com/support-services/end-of-life/. Data sheets and technical specifications for the supported AP platforms are available at: https://www.arubanetworks.com/products/networking/access-points/.

Supported Aruba Switch Platforms

Aruba Central uses the SSL certificate by GeoTrust Certificate Authority for device termination and web services. As the SSL certificate is about to expire, Aruba is replacing it with a new certificate from another trusted Certificate Authority. During the certificate upgrade window, all devices managed by Aruba Central will be disconnected. After the upgrade, the devices reconnect to Aruba Central and resume their services with Aruba Central. However, for Aruba switches to reconnect to Aruba Central after the certificate upgrade, you must ensure that the switches are upgraded to the recommended software version listed in Table 4.

Aruba Central does not support switch software versions below 16.08 release for firmware upgrade. In addition, only the latest three switch software versions of all major release versions will be available for firmware upgrade from Aruba Central. For example, if the latest switch software version released is 16.10.0009, the following versions will be available for firmware upgrade: 16.10.0007, 16.10.0008 and 16.10.0009.

The following tables list the switch platforms, corresponding software versions supported in Aruba Central, and switch stacking details.

Table 4: Supported Aruba Switch Series, Software Versions, and Switch Stacking

| Switch Platform | Supported Software Versions | Recommended Software Versions | Switch Stacking Support | Supported Stack Type (Frontplane (VSF) / Backplane (BPS)) | Supported Configuration Group Type for Stacking (UI / Template) |
| --- | --- | --- | --- | --- | --- |
| Aruba 2530 Switch Series | YA/YB.16.05.0008 or later | YA/YB.16.10.0009 | N/A | N/A | N/A |
| Aruba 2540 Switch Series | YC.16.03.0004 or later | YC.16.10.0009 | N/A | N/A | N/A |
| Aruba 2920 Switch Series | WB.16.03.0004 or later | WB.16.10.0009 | Yes. Switch Software Dependency: WB.16.04.0008 or later | BPS | UI and Template |
| Aruba 2930F Switch Series | WC.16.03.0004 or later | WC.16.10.0009 | Yes. Switch Software Dependency: WC.16.07.0002 or later | VSF | UI and Template |
| Aruba 2930M Switch Series | WC.16.04.0008 or later | WC.16.10.0009 | Yes. Switch Software Dependency: WC.16.06.0006 or later | BPS | UI and Template |
| Aruba 3810 Switch Series | KB.16.03.0004 or later | KB.16.10.0009 | Yes. Switch Software Dependency: KB.16.07.0002 or later | BPS | UI and Template |
| Aruba 5400R Switch Series | KB.16.04.0008 or later | KB.16.10.0009 | Yes. Switch Software Dependency: KB.16.06.0008 or later | VSF | Template only |

Provisioning and configuring of Aruba 5400R switch series and switch stacks is supported only through configuration templates. Aruba Central does not support moving Aruba 5400R switches from the template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, then the device is moved to an unprovisioned group after it joins Aruba Central.

Table 5: Supported Aruba Mobility Access Switch Series and Software Versions

| Mobility Access Switch Series | Supported Software Versions |
| --- | --- |
| S1500-12P, S1500-24P, S2500-24P, S3500-24T | ArubaOS 7.3.2.6, ArubaOS 7.4.0.3, ArubaOS 7.4.0.4, ArubaOS 7.4.0.5, ArubaOS 7.4.0.6 |

Data sheets and technical specifications for the supported switch platforms are available at: https://www.arubanetworks.com/products/networking/switches/

Supported Aruba CX Platforms
To manage your Aruba CX switches using Aruba Central, ensure that the switch software is upgraded to 10.05.0001 or a later version. Aruba CX switches with version 10.04.2000 or earlier might not connect to Aruba Central after ten days of operation. You must upgrade the Aruba CX switch to a recommended software version to connect to Aruba Central.


The following table lists the Aruba CX platforms, corresponding software versions supported in Aruba Central, and switch stacking details.

Table 6: Supported Aruba CX Switch Series, Software Versions, and Switch Stacking

| Switch Platform | Supported Software Versions | Recommended Software Versions | Switch Stacking Support | Supported Stack Type | Maximum Number of Stack Members | Supported Configuration Group Type (UI / Template) |
| --- | --- | --- | --- | --- | --- | --- |
| Aruba CX 6200 Switch Series | 10.04.1000 | 10.05.0010 | Yes. Switch Software Dependency: 10.04.1000 | VSF | 8 | Template only |
| Aruba CX 6300 Switch Series | 10.04.0020 | 10.05.0010 | Yes. Switch Software Dependency: 10.04.0020 | VSF | 10 | Template only |
| Aruba CX 6405 Switch Series | 10.04.1000 | 10.05.0010 | -N/A- | -N/A- | -N/A- | Template only |
| Aruba CX 6410 Switch Series | 10.05.0001 | 10.05.0010 | -N/A- | -N/A- | -N/A- | Template only |
| Aruba CX 8320 Switch Series | 10.05.0001 | 10.05.0010 | -N/A- | -N/A- | -N/A- | Template only |
| Aruba CX 8325 Switch Series | 10.05.0001 | 10.05.0010 | -N/A- | -N/A- | -N/A- | Template only |

Provisioning and configuring of Aruba CX switch series and switch stacks is supported only through configuration templates.
Data sheets and technical specifications for the supported switch platforms are available at: https://www.arubanetworks.com/products/networking/switches/.
Supported SD-Branch Components
The Aruba SD-WAN Gateway portfolio includes Aruba Gateways that function as Branch Gateways and VPN Concentrators. The following table lists the Aruba Gateway platforms and ArubaOS software versions that function as Branch Gateways:

Table 7: Supported Aruba Gateways

| Platform | Minimum Supported Software Version | Latest Software Version | Recommended Software Version |
| --- | --- | --- | --- |
| Aruba 9004-LTE | ArubaOS 8.5.0.0-2.1.0.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.5.0.0-2.1.0.0 |
| Aruba 9012 | ArubaOS 8.5.0.0-2.0.0.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.5.0.0-2.0.0.4 |
| Aruba 9004 | ArubaOS 8.5.0.0-1.0.7.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.5.0.0-2.0.0.4 |
| Aruba 7210, 7220, and 7240XM | ArubaOS 8.5.0.0-2.0.0.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.5.0.0-2.0.0.4 |
| Aruba 7030 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7024 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7010 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7008 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7005 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |

The following table lists the Aruba Gateway platforms and ArubaOS software versions that function as VPN Concentrators:

Table 8: Supported Aruba VPN Concentrators

| Platform | Minimum Supported Software Version | Latest Software Version | Recommended Software Version |
| --- | --- | --- | --- |
| Aruba 7280 | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7240XM | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7220 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7210 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| vGW-4G | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| vGW-2G | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| vGW-500M | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7030 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7024 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7010 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.6.0.4-2.2.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |

Aruba Virtual Gateways also function as VPN Concentrators. The minimum supported software version for Virtual Gateways is ArubaOS 8.1.0.0-1.0.4.1.

Data sheets and technical specifications for the supported Gateways are available at: https://www.arubanetworks.com/products/networking/gateways-and-controllers/
The following table lists the hardware platforms and ArubaOS software versions for Aruba Switches and Instant APs that can be deployed in the branch:

Table 9: SD Branch Site Devices

| SD Branch Component | Hardware Platforms | Minimum Software Version |
| --- | --- | --- |
| Aruba Switches | Aruba 3810 Switch Series | KB.16.05.0007 or later |
| Aruba Switches | Aruba 5400R Switch Series | KB.16.05.0007 or later |
| Aruba Switches | Aruba 2920 Switch Series | WB.16.05.0007 or later |
| Aruba Switches | Aruba 2930F Switch Series | WC.16.05.0007 or later |
| Instant APs | Aruba 310 Series and 300 Series Instant APs | Aruba Instant 6.5.3.x, Aruba Instant 8.3.0.0 or later |

Chapter 3 Getting Started with Aruba Central

Thank you for choosing Aruba Central as your network management solution! Before you get started with Aruba Central, we recommend that you review the Key capabilities of Aruba Central and the list of Aruba devices supported in Aruba Central.

Key Terms and Concepts
Take a few minutes to familiarize yourself with the key terms and concepts used in the help topics.

- Cluster Zone: Refers to an Aruba Central deployment area within a specific region. In other words, cluster zones are regional groupings of one or more container instances on which Aruba Central is deployed. Cluster zones allow your deployments to restrict customer data to a specific region and plan time zone specific maintenance windows. Each cluster zone has separate URLs for signing up for Aruba Central, accessing Aruba Central portal, and for allowing devices to communicate with Aruba Central. To view the zone in Aruba Central UI, click the User Settings menu at the bottom of the left navigation pane.
- Enterprise Mode: Refers to the Aruba Central solution deployment mode in which the customers provision, manage, and maintain their networks end-to-end for their respective organizations or businesses.
- Managed Services Mode: Refers to the Aruba Central deployment mode in which the service providers, resellers, administrators, and retailers centrally manage and monitor multiple tenant or end-customer accounts from a single management interface.
- Subscription: Refers to the license granted to a customer for using a product or service.
- Evaluation Account: Refers to the Aruba Central account created for evaluating Aruba Central solution and its services.
- Paid Subscriber: Refers to the customers who have purchased a subscription to obtain access to Aruba Central and its services.
- Subscription Key: Refers to the license key. A subscription key is a 14-character alphanumeric string; for example, PQREWD6ADWERAS.
- Customer ID / Subscriber ID: Refers to the identity number of your Aruba Central account. To view your subscriber ID, click the User Settings menu at the bottom of the left navigation pane in the Aruba Central UI.
- Zero Touch Provisioning: Refers to one of the following:
  - Zero Touch Provisioning of Aruba Central accounts--When you purchase a subscription key and add this subscription key in Aruba Central, Aruba Central queries the Aruba Activate database to retrieve the devices mapped to your purchase order and adds these devices to the inventory. This process is referred to as zero touch provisioning in Aruba Central.
  - Zero Touch Provisioning of Devices--Most Aruba devices support self-provisioning; that is, when you connect a device to a provisioning network, it can automatically download provisioning parameters from the Activate server and connect to its management entity.
- Onboarding: Refers to the process of importing devices to Aruba Central's device inventory, activating subscriptions, and making devices available for management from Aruba Central.
- Device Sync: Refers to the process of synchronizing devices from the Activate database. The device sync operation allows Aruba Central to retrieve devices from Activate and automatically add these devices to the device inventory in Aruba Central.
- Provisioning: Refers to the process of setting up a device for deploying networks as per the configuration requirements of your organization.
- Group: Refers to the device configuration container in Aruba Central. You can combine devices with common configuration requirements into a single group and apply the same configuration to all the devices in that group.
- Site: Refers to the physical locations where devices are installed. Organizing devices per sites allows you to filter your dashboard view per site.
- Label: Refers to the tags used for logically grouping devices based on various parameters such as ownership, specific areas within a site, departments, and so on.

Workflow Summary
The following illustration summarizes the steps required for getting started with Aruba Central:

Navigate through the following topics to know more about the onboarding and provisioning procedures:
- Creating an Aruba Central Account
- Accessing Aruba Central Portal
- Starting Your Free Trial
- Setting up Your Aruba Central Instance
Creating an Aruba Central Account
To start using Aruba Central, you need to register and create an Aruba Central account. Both evaluating and paid subscribers require an account to start using Aruba Central.

Zones and Sign Up URLs
Aruba Central instances are available on multiple regional clusters. These regional clusters are referred to as zones. When you register for an Aruba Central account, Aruba creates an account for you in the zone that is mapped to the country you selected during registration.
If you access the Sign Up URL from the www.arubanetworks.com website, you are automatically redirected to the sign up URL. To create an Aruba Central account in the zone that is mapped to your country, use the following zone-specific sign up URLs.

Table 10: Sign Up URLs & Apps

| Regional Cluster | Sign Up URL | Available Apps |
| --- | --- | --- |
| US-1 | https://portal.central.arubanetworks.com/signup | Network Operations |
| US-2 | https://portal-prod2.central.arubanetworks.com/signup OR https://signup.central.arubanetworks.com/ | Network Operations, ClearPass Device Insight |
| Canada-1 | https://portal-ca.central.arubanetworks.com/signup | Network Operations |
| China-1 | https://portal.central.arubanetworks.com.cn/signup | Network Operations |
| EU-1 | https://portal-eu.central.arubanetworks.com/signup | Network Operations, ClearPass Device Insight |
| APAC-1 | https://portal-apac.central.arubanetworks.com/signup | Network Operations |
| APAC-EAST1 | https://portal-apaceast.central.arubanetworks.com/signup | Network Operations |
| APAC-SOUTH1 | https://portal-apacsouth.central.arubanetworks.com/signup | Network Operations |

Signing up for an Aruba Central Account
You can choose one of the following ways to start your Aruba Central account trial:
1. Go to http://www.arubanetworks.com/products/sme/eval/.
   - Click Start Demo and fill the form to start a product demo.
   - Click Got an Aruba AP? Start your trial here. The Registration page opens.
2. Enter your email address. Based on the email address you entered, the Registration page guides you to the subsequent steps:

Table 11: Registration Workflow

| If... | Then... |
| --- | --- |
| If you are a new user: | The Registration page prompts you to create a password. To continue with the registration, enter a password in the Password and Confirm Password fields. |
| If you are an existing Aruba customer, but you do not have an Aruba Central account: | The Registration page displays the following message: Email already exists. Please enter the password below. To continue with registration, validate your account: 1. Enter the password. 2. Click Validate Account. NOTE: If you do not remember the password, click Forgot Password to reset the password. |
| If your email account is already registered with Aruba, but you do not have an Aruba Central account: | |
| If you are invited to join as a user in an existing Aruba Central customer account: | The Registration page displays the following message: An invitation email has already been sent to your email ID. Resend. To continue with the registration: 1. Go to your email box and check if you have received the email invitation. 2. If you have not received the email invitation, go to the Registration page and click Resend. A registration invitation will be sent to your account. 3. Click the registration link. The user account is validated. 4. Complete the registration on the Sign Up page to sign in to Aruba Central. |
| If you are a registered user of Aruba Central and have not verified your email yet: | The Registration page displays the following message: You are an existing Aruba Central user. Please verify your account. Resend Verification email. To continue: 1. Go to your email box and check if you have received the email invitation. 2. If you have not received the email invitation, go to the Registration page and click Resend Verification email. A registration invitation will be sent to your account. 3. Click the account activation link. 4. After the email verification is completed successfully, click Log in to access Aruba Central. |
| If you are already a registered user of Aruba Central and have verified your email: | The Registration page displays the following message: User has been registered and verified. Sign in to Central. Click Sign in to Central to skip the registration process and access the Aruba Central portal. |
| If your email address is in the arubanetworks.com or hpe.com domain: | The Single Sign-On option is enabled. You can use your respective Aruba or HP Enterprise credentials to log in to your Aruba Central account after the registration. |

3. To continue with registration, enter your first name, last name, company name, address, country, state, ZIP code, and phone details.
4. Specify if you are an Aruba partner.
5. Ensure that you select an appropriate zone. The Registration page displays a list of zones in which the Aruba Central servers are available for account creation. Based on the country you select, the Aruba Central server is automatically selected. If you want your account and Aruba Central data to reside on a server from another zone, you can select an Aruba Central server from the list of available servers.
6. From the Interested Apps section, select the app(s) that you want to pre-provision. You must select at least one app to continue:
   - Network Operations
   - ClearPass Device Insight
   See Table 10 for the app(s) available in the zone in which you are signing up.
   If you are interested in evaluating the Aruba Central MSP solution, select only the Network Operations app.
7. Select the I agree to the Terms and Conditions check box.
8. Set a preferred mode of communication for receiving notifications about Aruba products and services.
9. Optionally, to read the privacy statement, click the HPE Privacy Statement link. To opt out of marketing communication, you can either click the unsubscribe link available at the bottom of the email or click the link as shown in the following figure:

10. Click Sign Up. Your new account is created in the zone you selected and an email invitation is sent to your email address for account activation.
11. Access your email account and click the Activate Your Account link. After you verify your email, you can log in to Aruba Central.
Accessing Aruba Central Portal
After you create an Aruba Central account, the link to Aruba Central portal will be sent to your registered email address. You can use this link to log in to Aruba Central. If you are accessing the login URL from the www.arubanetworks.com website, ensure that you select the zone in which your account was created.

Login URLs
When you try to access Aruba Central portal, you are redirected to the Aruba Central URL that is mapped to your cluster zone.

Table 12: Cluster Zone-- Portal URLs

| Regional Cluster | Sign Up URL |
| --- | --- |
| US-1 | https://portal.central.arubanetworks.com/signup |
| US-2 | https://portal-prod2.central.arubanetworks.com/signup OR https://signup.central.arubanetworks.com/ |
| Canada-1 | https://portal-ca.central.arubanetworks.com/signup |
| China-1 | https://portal.central.arubanetworks.com.cn/signup |
| EU-1 | https://portal-eu.central.arubanetworks.com/signup |
| APAC-1 | https://portal-apac.central.arubanetworks.com/signup |
| APAC-EAST1 | https://portal-apaceast.central.arubanetworks.com/signup |
| APAC-SOUTH1 | https://portal-apacsouth.central.arubanetworks.com/signup |

Logging in to Aruba Central
To log in to Aruba Central:
1. Access the Aruba Central login URL for your zone.
2. Notice that the zone is automatically selected based on your geographical location.
3. Enter the email address and click Continue.
4. Log in using your credentials.
   If your user credentials are stored in your organization's Identity Management server and SAML SSO authentication is enabled for your IdP on Aruba Central, complete the SSO authentication workflow.
5. Enter the password.
   If you have forgotten your password, you can click Forgot Password and reset your password. The Forgot Password link resets only your Aruba Central account; hence, it is not available to SSO users.
6. Click Continue. The Initial Setup wizard opens.
   - If you have a paid subscription, click Get Started and set up your account.
   - If you are a trial user, click Evaluate Now and start your trial.
Changing Your Password
To change your Aruba Central account password:
1. In the Aruba Central UI, click the user icon in the header pane.
2. Click Change Password.
3. Enter a new password.
4. Log in to Aruba Central using the new password.

The Change Password menu option is not available for federated users who sign in to Aruba Central using their SSO credentials.
Logging Out of Aruba Central
To log out of Aruba Central:
1. In the Aruba Central UI, click the user icon in the header pane.
2. Click Logout.
Accessing Aruba Central Mobile Application
The Aruba Central mobile application lets you manage, monitor, and optimize your Central account. You can log in to your Aruba Central account using your credentials from the mobile application. To download the Aruba Central application, visit the App Store on iOS devices running iOS 9.0 or later and Google Play Store on Android devices running Android 5.0 Lollipop or later.
About the Network Operations App User Interface
The Network Operations app is one of the apps in Aruba Central that helps to manage, monitor, and analyze your network. Aruba offers the following variants of the Network Operations app user interface:
- Standard Enterprise mode-- This mode is intended for customers who manage their respective accounts end-to-end. In the Standard Enterprise mode, the customers have complete access to their accounts. They can also provision and manage their respective accounts.
- Managed Service Provider (MSP) mode-- This mode is for managed service providers who need to manage multiple customer networks. With MSP mode enabled, the MSP administrators can provision customer accounts, allocate devices, assign licenses, and monitor customer accounts and their networks. The administrators can also drill down to a specific tenant account and perform administration and configuration tasks. The tenants can access only their respective accounts, and only those features and application services to which they have subscribed.
The following image displays the navigational elements of the Network Operations app in the Standard Enterprise mode. However, the navigational elements also apply to the MSP mode.
Figure 3 Navigation Elements of the Network Operations App


Callout Number  Description
1               Filter to select an option under Groups, Labels, Sites. For all devices, select Global. A corresponding dashboard is displayed.
2               Item under the left navigation contextual menu. The menu is dependent on the filter selection.
3               First-level tab on the dashboard.
4               Second-level tab on the dashboard.
5               Dashboard content for the selected view and filter. For example, the current dashboard in the image displays the UCC tab under Manage > Applications in the List view for the Global filter.
6               Time range filter. This is displayed for selected dashboards only.
7               List view to display tabular data for the selected filter. This is displayed for selected dashboards only.
8               Summary view to display charts for the selected filter. This is displayed for selected dashboards only.
9               Config view to enable configuration options for the selected filter. This is displayed for selected dashboards only.

Types of Dashboards in the Network Operations App
The Network Operations app uses a filter to set the dashboard context for the app. The menu for the left navigation pane changes according to the selected filter value. Selecting any item on the left navigation pane displays a corresponding dashboard. Accordingly, for different values of the filter, the content displayed for the left navigation menu and the dashboard context differs.
The dashboard for any item on the left navigation menu can have a combination of the following views:

- Summary view-- Click the Summary icon to display the summary dashboard. The summary dashboard displays a number of charts. For example, for the global dashboard, under Manage, the Overview > Network Health tab in Summary view displays a map of the available sites and their corresponding health. If available, use the time range filter to change the time-lines for the charts.
- List view-- Click the List icon to display tabular data for a selected dashboard. For example, for the global dashboard under Manage, the Overview > Network Health tab in List view displays a list of the available sites managed by Aruba Central. If available, use the time range filter to change the time-lines for the tabular data.
- Config view-- Click the Config icon to enable the configuration options for a specific dashboard. For example, for the global dashboard under Manage, the Applications > UCC tab in Config view displays various configuration options for UCC.


Navigating to the Switch, Access Point, or Gateway Dashboard
In the Network Operations app, you can navigate to a device dashboard for a switch, access point, or gateway. The device dashboard enables you to monitor, troubleshoot, or configure a single device. In order to do this, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage > Devices, select one of the following options:
   - To view an access point dashboard, click the Access Points tab.
   - To view a switch dashboard, click the Switches tab.
   - To view a gateway dashboard, click the Gateways tab.
   The list of devices is displayed in List view.
3. Click a device listed under Device Name. The dashboard context for the specific device is displayed. To exit the device dashboard, click the back arrow on the filter.
Workflow to Configure, Monitor, or Troubleshoot in the Network Operations App
The following image displays a flowchart to help you navigate the Network Operations app to complete any task.


Figure 4 Navigation Workflow for Network Operations App
The Standard Enterprise Mode
This section discusses the user interface for the Standard Enterprise mode for the Network Operations app. This mode is intended for customers who manage their respective accounts end-to-end. In the Standard Enterprise mode, the customers have complete access to their accounts. They can also provision and manage their respective accounts. The following topics are discussed in this section:
- Launching the Network Operations App
- Parts of the Network Operations App User Interface
- Search Bar
- Help Icon
- Account Home Icon
- User Icon
- Filter
- Time Range Filter
- Left Navigation Pane
Launching the Network Operations App
If the Network Operations app is the only app provisioned, the Network Operations app is displayed at each user login. If there are a number of apps provisioned, such as Network Operations, ClearPass Device Insight, and so on, the Account Home page is displayed at each user login. From the Account Home page, you can manage network inventory, subscriptions, and user access. If multiple apps are provisioned, perform the following steps to launch the Network Operations app:
1. Log in to the Account Home page. The Account Home page displays the apps and Global Settings. For more information, see Accessing Aruba Central Portal.
2. Click Launch on the Network Operations tile. The Network Operations app is launched.
Figure 5 Launching the Network Operations App

Parts of the Network Operations App User Interface
After you launch the Network Operations app, the Standard Enterprise view is displayed.


Figure 6 Parts of the Network Operations App

Callout Number  Description
1               Filter to select an option under Groups, Labels, or Sites. For all devices, select Global. To select a specific device, see Navigating to the Switch, Access Point, or Gateway Dashboard. The example in the image shows the filter set to a group called "IAP_setup_GW". For more information, see Filter.
2               Health Bar for the selected filter. For more information, see The Health Bar.
3               First-level tab for the selected dashboard, corresponding to the selected item in the left navigation pane. The example in the image shows the first-level tab selection as Gateways under Manage > Devices for the group dashboard.
4               Search bar. For more information, see Search Bar.
5               Help icon. For more information, see Help Icon.
6               Account Home icon. For more information, see Account Home Icon.
7               User settings icon. For more information, see User Icon.
8               Menu item under left navigation contextual menu. Menu is dependent on the filter selection. For more information, see Types of Dashboards in the Network Operations App.
9               Second-level tab for the dashboard, corresponding to the selected first-level tab. The example in the image shows the second-level tab selection as Gateways under Manage > Devices > Gateways for the group dashboard.
10              Icon is for filtering the data of the selected column.
11              List icon. Click the List icon to view a tabular representation of the data. This icon is not available for all pages.
12              Summary icon. Click the Summary icon to view a graphical representation of the data. This icon is not available for all pages.
13              Config icon. Click the Config icon to enable configuration mode. This icon is not available for all pages.
14              Icon is for downloading the data of the selected page in CSV format.
15              Icon is for selecting or resetting the column headers for the selected page.

Search Bar
The search bar enables users to look for help information.
Help Icon
The help icon contains the following options:
- Tutorials--Displays the Aruba Central product learning center.
- Feedback--Allows you to provide feedback on Aruba Central. Choose a rating from 1 to 10, where 1 is extremely unlikely and 10 is extremely likely, type your comment into the box, and click Submit to submit the feedback.
- Documentation Center--Directs you to the online help documentation.
- Get help on this page--Selecting this option changes the appearance of some of the text on the UI to green italics. On the UI, when you point to the text in green italics, a dialog box displays the help information for that text. To disable this option, click Done.
- Airheads Community--Directs you to the Aruba support forum at https://community.arubanetworks.com/t5/Cloud-Managed-Networks/bd-p/CloudManagedNetworks.
- View / Update Case--Enables you to view or edit an existing support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.
- Open New Case--Enables you to create a new support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.
Account Home Icon
The Account Home icon enables you to go to the Account Home page and switch to another app if you have one subscribed. Most of the apps require service subscriptions to be enabled on the devices. Contact your administrator or the Aruba Central Support team to obtain access to an application service.
User Icon


The user icon enables you to view user account details such as account name, domain, customer ID, and zone details. It also includes the following options for managing your accounts:
- Switch Customer--Enables you to switch to another account. This is especially required during troubleshooting scenarios.
- Change Password--Enables you to change the password of the account.
- User Settings
  - Time Zone--Displays the zone, date, time, and time zone of the region.
  - Language--Administrators can set a language preference. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese languages.
  - Idle Timeout--Administrators can set a timeout value for inactive user sessions in the Idle Timeout field. The value is in minutes.
  - Get system maintenance notifications--Administrators can select the check box to receive system maintenance notifications on their registered email ID. Email notifications are sent before any scheduled maintenance activity or unplanned outage.
  - Get software update notifications--Administrators can select the check box to receive software update notifications on their registered email ID.
- Enable MSP--Enables MSP mode and switches the user interface to the MSP mode. This option changes to Disable MSP when the MSP mode is enabled. You can select Disable MSP to switch to the Standard Enterprise interface. The MSP mode can be disabled only if there is no tenant data. The option is grayed out if there are any active tenant accounts.
- Terms of Service--Displays the terms and conditions for using Aruba Central services.
- Logout--Enables you to log out of your account.
Filter
The filter enables you to set the dashboard context to a value under one of the following options:
- Groups--Sets the dashboard context to a group of devices.
- Sites--Sets the dashboard context to a site.
- Labels--Sets the dashboard context to a label.
If no filter is applied, by default the filter is set to Global for all devices. Use the search box in the filter to enter an available group, site, or label name and then select the option to set the filter. Hovering over Groups, Labels, or Sites displays the associated config icon. Clicking on the config icon redirects you to Maintain > Organization in the global dashboard.
Time Range Filter
The time range filter enables you to set a time duration for showing monitoring and reports data. The option is displayed for selected dashboards only. You can set the filter to any of the following time ranges:
- 3 hours
- 1 day
- 1 week
- 1 month
- 3 months
Left Navigation Pane
The left navigation pane is a contextual menu that displays a number of configuration, monitoring, and troubleshooting options depending on the filter value.
The Health Bar
The Health Bar provides a snapshot of the overall health of the devices configured as part of the specific dashboard. The applicable dashboards include global, group, site, client, and device dashboards. The topic discusses the following:
- Health Bar for the Global Dashboard
- Health Bar for the Group Dashboard
- Health Bar for the Site Dashboard
- Health Bar for the AP Dashboard
- Health Bar for the Switch Dashboard
- Health Bar Dashboard for the Gateway Dashboard
- Health Bar for the Wireless Client Dashboard
- Health Bar for the Wired Client Dashboard
Viewing the Health Bar Dashboard
To view the Health Bar, perform the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed in the List view.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.
   - To select a client:
     a. Set the filter to Global.
     b. Under Manage, click Clients. A list of clients is displayed in the List view.
     c. Click a client listed under Client Name. The dashboard context for the client is displayed.
   The Health Bar icon displays the overall health of the network of the selected filter as either online or offline.
2. In the selected filter, click the Health Bar icon to expand the Health Bar dashboard.
3. Use the pin icon to pin the Health Bar dashboard to the Network Operations app display.

Health Bar for the Global Dashboard
The following image shows the health bar for the global dashboard.
Figure 7 Expanded but Unpinned Health Bar in the Global Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a global dashboard. The health bar in a global dashboard is in the context of all devices.

Parameter      Description
Access Points  Displays the number of access points that are online and the number of access points that are offline. The number in green indicates the number of access points that are online. Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view. The number in red indicates the number of access points that are offline. Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.
Switches       Displays the number of switches that are online and the number of switches that are offline. The number in green indicates the number of switches that are online. Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view. The number in red indicates the number of switches that are offline. Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.
Gateways       Displays the number of gateways that are online and the number of gateways that are offline. The number in green indicates the number of gateways that are online. Clicking the number in green redirects you to Manage > Devices > Gateways > Online in List view. The number in red indicates the number of gateways that are offline. Clicking the number in red redirects you to Manage > Devices > Gateways > Offline in List view.
Clients        Displays the number of clients that are connected and the number of clients that have failed. The number in green indicates the number of clients that are connected. The number in red indicates the number of clients that have failed. Clicking the numbers redirects you to Manage > Clients > Clients in List view.

Health Bar for the Group Dashboard
The following table includes information on the various parameters of the Health Bar displayed for a group dashboard. The health bar in a group dashboard is in the context of all devices configured as part of that group.

Parameter      Description
Access Points  Displays the number of access points that are online and the number of access points that are offline. The number in green indicates the number of access points that are online. Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view. The number in red indicates the number of access points that are offline. Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.
Switches       Displays the number of switches that are online and the number of switches that are offline. The number in green indicates the number of switches that are online. Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view. The number in red indicates the number of switches that are offline. Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.
Gateways       Displays the number of gateways that are online and the number of gateways that are offline. The number in green indicates the number of gateways that are online. Clicking the number in green redirects you to Manage > Devices > Gateways > Online in List view. The number in red indicates the number of gateways that are offline. Clicking the number in red redirects you to Manage > Devices > Gateways > Offline in List view.
Clients        Displays the number of clients that are connected and the number of clients that have failed. The number in green indicates the number of clients that are connected. The number in red indicates the number of clients that have failed. Clicking the numbers redirects you to Manage > Clients > Clients in List view.

Health Bar for the Site Dashboard
The following table includes information on the various parameters of the Health Bar displayed for a site dashboard. The health bar in a site dashboard is in the context of all devices configured as part of that site.

Parameter      Description
Access Points  Displays the number of access points that are online and the number of access points that are offline. The number in green indicates the number of access points that are online. Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view. The number in red indicates the number of access points that are offline. Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.
Switches       Displays the number of switches that are online and the number of switches that are offline. The number in green indicates the number of switches that are online. Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view. The number in red indicates the number of switches that are offline. Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.
Gateways       Displays the number of gateways that are online and the number of gateways that are offline. The number in green indicates the number of gateways that are online. Clicking the number in green redirects you to Manage > Devices > Gateways > Online in List view. The number in red indicates the number of gateways that are offline. Clicking the number in red redirects you to Manage > Devices > Gateways > Offline in List view.
Clients        Displays the number of clients that are connected and the number of clients that have failed. The number in green indicates the number of clients that are connected. The number in red indicates the number of clients that have failed. Clicking the numbers redirects you to Manage > Clients > Clients in List view.
AI Insights    Displays the number of insights categorized by status. The number in green indicates the insights impact is less than or equal to 1%. The number in yellow indicates the insights impact is more than 1% and less than or equal to 10%. The number in red indicates the insights impact is more than 10%. Clicking the numbers redirects you to Manage > Overview > AI Insights in List view.

Health Bar for the AP Dashboard
The following table includes information on the various parameters of the Health Bar displayed for an AP. If the AP is not online and running, not all of the following data is available.

Parameter                Description
AP Status                Value can be Online Since, Offline, or Operating under Thermal Management. If the value is Online Since, it also displays the time period, in the format of days-hours-minutes, for which the AP has been online and running. When an AP operates under thermal management, the device health is displayed as Poor and the radios are in disabled mode. For more information, see Thermal Shutdown Support in Instant AP.
Device Health            Displays the performance of the AP in terms of the CPU and memory usage. For example, the device health is Good when the CPU usage is less than or equal to 70% and the memory usage is less than or equal to 90%. If the value of the CPU and/or memory usage falls below the threshold, the device health is displayed as Poor. If the AP is down, the value is Offline. If the scenario is not applicable, a "-" sign is displayed. Hover over the Device Health status to get the exact percentage value of the memory and CPU usage.
Radio 2.4 GHz            Displays the performance of the AP in terms of the channel utilization and noise floor in the 2.4 GHz channel. For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed. Hover over the Radio 2.4 GHz status to get the exact value of the channel utilization and noise floor.
Radio 5 GHz              Displays the performance of the AP in terms of the channel utilization and noise floor in the 5 GHz channel. For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed. Hover over the Radio 5 GHz status to get the exact value of the channel utilization and noise floor.
Radio 5 GHz (Secondary)  Displays the performance of the AP in terms of the channel utilization and noise floor in the 5 GHz (Secondary) channel. For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed. Hover over the Radio 5 GHz (Secondary) status to get the exact value of the channel utilization and noise floor. NOTE: In the Health Bar dashboard, the Radio 5 GHz (Secondary) data is available only for AP555 and only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
Virtual Controller       Indicates if the AP is connected to a virtual controller. If the AP is connected, clicking on the virtual controller name redirects you to the Manage > Overview > Summary page for the virtual controller.

Health Bar for the Switch Dashboard
The following table includes information on the various parameters of the Health Bar displayed for a switch. If the switch is not online and running, not all of the following data is available.

Parameter      Description
Switch Status  Displays the time period for which the switch has been online and running or its offline status.
Device Health  Displays the performance of the switch in terms of the CPU and memory usage. For example, the device health is Good when the CPU usage is less than or equal to 70% and the memory usage is less than or equal to 70%. If the value of the CPU and/or memory usage falls below the threshold, the device health is displayed as Poor. Hover over the Device Health status to get the exact percentage value of the memory and CPU usage.
Port Status    Displays the number of ports on the switch that are online and the number of ports that are offline. The number in green indicates the number of switch ports that are online. The number in red indicates the number of switch ports that are offline.
Port Alerts    Displays the total number of open alerts.

Health Bar Dashboard for the Gateway Dashboard
The following table includes information on the various parameters of the Health Bar displayed for a gateway. If the gateway is not online and running, not all of the following data is available.

Parameter       Description
Gateway Status  Displays the time period, in the format of days-hours-minutes, for which the gateway has been running or its offline status.
WAN             Displays the number of WAN ports as online or offline. The number in green indicates the number of WAN ports that are online. The number in red indicates the number of WAN ports that are offline. Clicking the numbers redirects you to Manage > WAN > Summary.
LAN             Displays the number of LAN ports as online or offline. The number in green indicates the number of LAN ports that are online. The number in red indicates the number of LAN ports that are offline. Clicking the numbers redirects you to Manage > LAN > Summary.
Tunnels         Displays the number of VPN tunnels as online or offline. The number in green indicates the number of VPN tunnels that are online. The number in red indicates the number of VPN tunnels that are offline. Clicking the numbers redirects you to Manage > WAN > Tunnels.
Path Steering   Displays the number of path steering policies that are compliant out of the total number of policies. Clicking the numbers redirects you to Manage > WAN > Path Steering.
Alerts          Displays the total number of open alerts. Clicking the number redirects you to Analyze > Alerts & Events in List view.

Health Bar for the Wireless Client Dashboard
The following table includes information on the various parameters of the Health Bar displayed for a wireless client.

Parameter       Description
Client Status   Displays the connection status of the client.
Device Health   Displays the device health of the client.
Signal Quality  Displays the signal quality in dB.
Tx | Rx Rate    Displays the transmit and receive rate in Mbps.
Connected To    Displays the device to which the wired client is connected. Clicking on the device redirects you to the Manage > Overview > Summary page for that device.
Refresh icon    Refreshes the data on the Health Bar for the client.

Health Bar for the Wired Client Dashboard
The following table includes information on the various parameters of the Health Bar displayed for a wired client.

Parameter       Description
Client Status   Displays the connection status of the client.
Connected Port  Displays the port to which the client is connected.
Connected To    Displays the device to which the wired client is connected. Clicking on the device redirects you to the Manage > Overview > Summary page for that device.
Refresh icon    Refreshes the data on the Health Bar for the client.

This topic discusses the Network Operations app in MSP mode. To know more about the Account Home page, see the online Aruba Central documentation.
The MSP mode is intended for the managed service providers who manage multiple distinct tenant accounts. The MSP mode allows MSP customers to provision and manage tenant accounts, assign devices to tenant accounts, manage subscription keys and other functions such as configuring network profiles and viewing alerts. The following topics are discussed:
- Launching the Network Operations App for MSP
- Parts of the Network Operations App for MSP
- Help Icon
- Account Home Icon
- User Icon
- Filter
- Time Range Filter
- The Global Dashboard in MSP Mode
- The Group Dashboard in MSP Mode
Launching the Network Operations App for MSP
Aruba Central in MSP mode consists of the Network Operations app and the Account Home page. After you create an Aruba Central account, the link to Aruba Central portal will be sent to your registered email address. You can use this link to log in to Aruba Central. If you are accessing the login URL from the www.arubanetworks.com website, ensure that you select the zone in which your account was created.
The Network Operations app is displayed at each user login to Aruba Central. From the Network Operations app, you can navigate to the Account Home page by clicking the Account Home icon. From the Account Home page, you can navigate to the Network Operations app by clicking the Launch button for the Network Operations tile.
Figure 8 Launching the Network Operations App for MSP from Account Home
Parts of the Network Operations App for MSP
After you launch the Network Operations app, the MSP view opens.

Figure 9 Parts of the Aruba Central User Interface for MSP

Callout Number  Description
1               Filter to select a group or all groups. For more information, see Filter. Here, the global dashboard is displayed as the filter is set to All Groups.
2               Menu item under left navigation contextual menu. Menu is dependent on the filter selection.
3               First-level tab on dashboard. The dashboard may also have second and third-level tabs dependent on the filter selection.
4               Help icon. For more information, see Help Icon.
5               Account Home icon.
6               User Settings icon. For more information, see User Icon.
7               List view. Click the List icon to view a tabular representation of the data. Only applicable for the global dashboard.
8               Summary view. Click the Summary icon to view a graphical representation of the data. Only applicable for the global dashboard.
9               Config view. Click the Config icon to enable configuration mode.

Help Icon
The help icon contains the following options:
- Get help on this page-- Selecting this option changes the appearance of some of the text on the UI to green italics. On the UI, when you point to the text in green italics, a dialog box displays the help information for that text. To disable this option, click Done.
- Tutorials-- Displays the Aruba Central product learning center.
- Feedback-- Allows you to provide feedback on Aruba Central. Choose a rating from 1 to 10, where 1 is extremely unlikely and 10 is extremely likely, type your comment into the box, and click Submit to submit the feedback.
- Documentation Center-- Directs you to the online help documentation.
- Airheads Community-- Directs you to the Aruba support forum.
- View / Update Case-- Enables you to view or edit an existing support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.
- Open New Case-- Enables you to create a new support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.
Account Home Icon
The Account Home icon enables you to go to the Account Home page.
User Icon
The user icon enables you to view user account details such as account name, domain, customer ID, and zone details. It also includes the following options for managing your accounts:
- Switch Customer--Enables you to switch to another account. This is especially required during troubleshooting scenarios.
- Change Password--Enables you to change the password of the account.
- User Settings
  - Time Zone--Displays the zone, date, time, and time zone of the region.
  - Language--Administrators can set a language preference. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese languages.
  - Idle Timeout--Administrators can set a timeout value for inactive user sessions in the Idle Timeout field. The value is in minutes.
  - Get system maintenance notification--Administrators can select the check box to get system maintenance notification.
  - Get software update notifications--Administrators can select the check box to get software update notification.
- Disable MSP--Disables MSP mode and switches the user interface to the standard enterprise mode. This option changes to Enable MSP when the MSP mode is disabled. You can select Enable MSP to switch to the MSP mode. The MSP mode can be disabled only if there is no tenant data. The option is grayed out if there are any active tenant accounts.
- Terms of Service--Displays the terms and conditions for using Aruba Central services.
- Logout--Enables you to log out of your account.
Filter
The filter enables you to select a group or All Groups for performing specific configuration and monitoring tasks. If no filter is applied, by default the filter is set to All Groups. When you set the filter to All Groups, the Global dashboard is displayed and when you set the filter to a group, the group dashboard is displayed.
Time Range Filter
The time range filter enables you to set a time duration for showing monitoring and reports data. This time filter is not displayed when you view the configuration or device details. It is displayed only when you view monitoring data. You can set the filter to any of the following time ranges:
- 3 hours
- 1 day
- 1 week
- 1 month
- 3 months
The Global Dashboard in MSP Mode
In the Network Operations app in MSP mode, use the filter to select All Groups. The global dashboard is displayed. In the global dashboard under the left navigation pane, you can see a number of menu items divided under the following categories: Manage, Analyze, and Maintain.
Figure 10 Launching the Global Dashboard for MSP

Selecting each menu item in the left navigation pane displays a corresponding dashboard with tabs. Each tab may support all or some of the following functions:
- Summary--Click the icon to view a graphical representation of the data. Only applicable for the global dashboard.
- List--Click the icon to view a tabular representation of the data. Only applicable for the global dashboard.
- Config--Click the icon to enable configuration mode.
The Group Dashboard in MSP Mode
In the Network Operations app in MSP mode, use the filter to select a group. The group dashboard is displayed.
Figure 11 Launching the Group Dashboard for MSP

Some tabs or options may not be seen in your dashboard view if you are not an administrator for the Aruba Central account.

In the group dashboard under the left navigation pane, you can see the Device and Guest options under Manage.
Selecting an option in the left navigation pane displays a corresponding dashboard with tabs. Each tab supports the Config view that enables the configuration mode. The next sections discuss the left navigation menu items in the group dashboard.

Starting Your Free Trial
Aruba Central offers a 90-day evaluation subscription for customers who want to try the solution for managing their networks. The evaluation subscription allows you to use the following functions:

Table 13: Evaluation features

| Application | Function |
|---|---|
| Network Operations | Device management--Manage up to 10 Instant APs and/or switches; manage up to two SD-WAN Gateways |
| Network Operations | Monitoring--Monitor your devices, network and client status |
| Network Operations | Guest Access--Set up guest Wi-Fi on your custom portals |
| Network Operations | Presence Analytics--Analyze consumer presence data for your stores |
| Network Operations | Troubleshooting--Run diagnostic checks and troubleshoot device issues |
| ClearPass Device Insight | Discover, monitor, and automatically classify new and existing devices that connect to a network. |

Figure 12 shows the steps required for getting started with your free trial.
Figure 12 Getting Started Workflow for Free Trial

Get Started with the Free Trial
Complete the following steps to evaluate Aruba Central:
- Step 1: Getting Started with the Initial Setup on page 64
- Step 2: Adding Devices on page 65
- Step 3: Organize Your Devices into Groups on page 65
- Step 4: Assigning Sites and Labels (Optional) on page 66
- Step 5: Configure Your Network on page 66
- Step 6: Monitor Your Network and Devices on page 67
- Step 7: Evaluate Value Added Services (Optional) on page 67
- Step 8: Cancel or Upgrade Your Subscription (Optional)
Step 1: Getting Started with the Initial Setup
To get started with the trial:
1. Register for evaluating Aruba Central.
2. Log in to Aruba Central.
   - If you signed up to evaluate only the Network Operations app, the Welcome to Aruba Central page is displayed.
     - Click Evaluate Now. The Get Started With Aruba Central page guides you through the onboarding steps.
     - Click through the steps to set up your account and start using Aruba Central. If you want to exit the wizard and complete the onboarding steps on your own, click Exit Workflow.
     The Initial Setup wizard is displayed only when you log in to Aruba Central for the first time. The wizard is not available for Aruba Central users in the MSP mode.
   - If you signed up to evaluate both Network Operations and ClearPass Device Insight, the Network Operations page is displayed. For more information, see ClearPass Device Insight Information Center.
Step 2: Adding Devices
To manage devices from Aruba Central, trial users must manually add the devices to Aruba Central's device inventory. You can add up to 10 devices. The devices can be 10 Instant APs or 10 Switches, or a total of 10 Instant APs and switches. Use one of the following methods to add devices to Aruba Central:
Using the Initial Setup Wizard
1. In the Add Devices tab of the Initial Setup wizard, click Add Device.
2. Enter the serial number and MAC address of your devices. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
3. Click Done.
4. Review the devices in your inventory.
Using the Device Inventory Page
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Add Devices. The Add Devices pop-up window is displayed.
3. Enter the serial number and the MAC address of each device. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
4. Click Done.
5. Review the devices in your inventory.
Step 3: Organize Your Devices into Groups
A group in Aruba Central functions as a configuration container for devices added in Aruba Central.
Why Should You Use Groups?
Groups allow you to create a logical subset of devices and simplify the configuration and device management tasks. Groups offer the following functions and benefits:
- Combining different types of devices under a group. For example, a group can have Instant APs and Switches. Aruba Central allows you to manage configuration of these devices in separate containers (wireless and wired management) within the same group. Any new device that is added to a group inherits the current configuration of the group.
- Assigning multiple devices to a single group. For example, a group can consist of multiple Instant AP Virtual Controllers (VCs). These VCs can share common configuration settings and push the configuration updates to slave Instant AP in their respective clusters. For example, you can apply a common security policy for the devices deployed in a specific geographical location.
- Cloning an existing group allows you to create a base configuration for the devices and customize it as per your network requirements.
You can also use groups for filtering your monitoring dashboard content, generating reports, and managing software upgrades.
A device can be part of only one group at any given time. Groups in Aruba Central are mutually exclusive (independent) and do not follow a hierarchical model.
For more information on groups and group configuration workflows, see Groups for Device Configuration and Management on page 118.
Assigning Devices to Groups
After you successfully complete the onboarding workflow, the Initial Setup wizard prompts you to assign your devices to a group. You can click Assign Group and assign your devices to a group. You can also use one of the following methods to assign your devices to groups.
To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory:
1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign.
4. Click Assign Device(s).
To assign a device to a group from the Groups page:
1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the devices table on the right, select the device that you want to assign to a new group.
4. Drag and drop the device to the group to which you want to assign the device.
Step 4: Assigning Sites and Labels (Optional)
A site in Aruba Central refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Aruba Central allows you to use sites as a primary navigation element. For example, if your devices are deployed in a campus, you can create a site called CampusA. You can also tag the devices within CampusA using labels. If your campus consists of multiple buildings, the devices deployed in the campus can be labeled as Building1 or Lobby. For more information on sites and labels and how to assign devices to sites and labels, see Managing Sites on page 140 and Managing Labels on page 143.
Step 5: Configure Your Network
If you have added Instant APs as part of your evaluation, you can configure an employee and guest wireless network. If you have Switches or SD-WAN Gateways, configure wired access network or SD-WAN respectively.


Step 6: Monitor Your Network and Devices
Use monitoring dashboards to view the health of the device and network. You can also run reports, configure alerts, and view client details.
Step 7: Evaluate Value Added Services (Optional)
Enable Presence Analytics and Guest Access services on your Instant APs and review these services.
Step 8: Cancel or Upgrade Your Subscription (Optional)
During the trial period or after you complete your trial, if you want to continue using Aruba Central for managing your devices, contact Aruba Customer Support to upgrade your subscription. If you do not want to continue, contact Aruba support team to cancel your subscription or wait until the trial expires. When the trial period expires, your devices can no longer be managed from Aruba Central.
Upgrading to a Paid Account
If you have purchased a subscription, upgrade your account by completing the following steps:
1. On the respective app, click the link that shows the number of days left for the evaluation to expire. The Add a New Subscription pop-up window opens.
2. Enter the new subscription key that you purchased from Aruba.
3. Click Add Subscription.
After you upgrade your account, you can add more devices and enable services, and continue using Aruba Central.
Configuring Email Notifications for Software Upgrades
Aruba Central administrators receive email notifications before software upgrades, scheduled maintenance activity, or any unplanned outage. By default, email notifications are enabled. The banner is updated in the Aruba Central UI seven days before the upgrade and an email notification is sent 72 hours before the upgrade. In case of an unplanned outage, an email notification is sent immediately and the banner is also updated immediately in the Aruba Central UI. The email notification contains the following details:
- Start date and time.
- Estimated end date and time.
- Link to the What's New page where users can view the list of new features and enhancements included in the release.
- Impact of the outage.
Users can no longer check the status of Aruba Central using the following URLs:
- US--http://status.central.arubanetworks.com
- Canada--http://ca-status.central.arubanetworks.com
- APAC--http://apac-status.central.arubanetworks.com
- APAC East--http://apaceast-status.central.arubanetworks.com
- Europe--http://eu-status.central.arubanetworks.com
Enabling Email Notifications
By default, email notifications are enabled. However, if email notifications are disabled and you wish to enable system maintenance or software update email notifications, complete the following steps:
1. In the Aruba Central UI, click the user icon in the header pane.
2. Click User Settings.
3. In the User Settings pop-up window, do the following:
   a. Select the Get system maintenance notifications check box to receive system maintenance notification on the registered email ID. Email notifications are sent before any scheduled maintenance activity or unplanned outage.
   b. Select the Get software update notifications check box to receive software update notification on the registered email ID.
4. Click Save.


Figure 13 Email Notifications
Configuring Idle Timeout
Aruba Central allows you to set a timeout value for inactive user sessions. The value is in minutes and is the amount of time a user can be inactive before the user's session times out and closes. To configure idle timeout, complete the following steps:
1. In the Aruba Central UI, click the user icon in the header pane.
2. Click User Settings.
3. In the User Settings pop-up window, enter the timeout value in the Idle Timeout field. The value must be within the range of 5 to 10080 minutes.
4. Click Save.
Setting up Your Aruba Central Instance
If you have purchased a subscription key to manage your devices and networks from Aruba Central, get started with steps described in this topic. Figure 14 illustrates the steps required for setting up your Aruba Central instance:
Figure 14 Getting Started Workflow
Getting Started with Aruba Central
Complete the following steps to start using Aruba Central for managing your devices and setting your networks.

- Step 1: Getting Started on page 70
- Step 2: Adding a Subscription Key on page 70
- Step 3: Adding Devices on page 70
- Step 4: Assigning Subscriptions on page 73
- Step 5: Organize Your Devices into Groups on page 74
- Step 6: Assigning Sites and Labels (Optional) on page 75
- Step 7: Configuring Users on page 75
- Step 8: Configuring and Managing Networks on page 75
- Step 9: Monitoring Your Network and Devices on page 75
- Step 10: Upgrading Software Images on Devices on page 75
- Step 11: Running Diagnostic Checks and Troubleshooting Issues on page 75
Step 1: Getting Started
To get started:
1. Sign up to create your Aruba Central account.
2. If you already have an Aruba Central account, log in to Aruba Central with your credentials. When you log in for the first time, the Initial Setup wizard opens and guides you through the onboarding workflow.
3. Click Get Started.
4. Click through the wizard to complete the onboarding workflow. If you want to exit the wizard and complete the onboarding steps on your own, click Exit and go to Aruba Central.
The Initial Setup wizard is displayed only when you log in to Aruba Central for the first time. The wizard is not available for Aruba Central users in the MSP mode.
Step 2: Adding a Subscription Key
At your first login, the Initial Setup wizard prompts you to add your subscription key. To continue with the onboarding workflow, add your subscription key in the Add Subscription Key tab. If you are not using the wizard, complete the following steps to add your subscription key.
To add a subscription key:
1. In the Account Home page, under Global Settings, click Key Management. The Key Management page is displayed.
2. Enter your subscription key.
3. Click Add Subscription. The subscription key is added to Aruba Central and the contents of the subscription key are displayed in the Manage Keys table.
4. Review the subscription details.
Step 3: Adding Devices
If you have a paid subscription, you can automatically import devices from the Activate database to the Aruba Central device inventory.


Setting up Device Sync for Automatic Device Addition
To set up device sync, use one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page
In the Initial Setup Wizard
1. Ensure that you have added a subscription key and click Next.
2. In the Add Devices tab, enter the serial number and MAC address of one device from your purchase order. Most Aruba devices have the serial number and MAC address on the front or back of the hardware.
3. Click Add Device. Aruba Central imports all other devices mapped to your purchase order.
4. Review the devices in your inventory.
5. Perform the following options:
   - Add Devices Manually--Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App--Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support--Contact Aruba Technical Support.
From the Device Inventory Page
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.

Aruba Central imports only devices associated with your Central account from Activate.
2. Do one of the following:
   - Click Sync Devices. Enter the serial number and MAC address and click Add Device.
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.
Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Review the devices in your inventory.
4. Perform the following options:
   - Add Devices Manually--Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App--Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support--Contact Aruba Technical Support.
Manually Adding Devices
To add devices using MAC address and serial number, use one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page
In the Initial Setup Wizard
If you are using the Initial Setup wizard:
1. Go to the Add Devices tab of the Initial Setup wizard.
2. Click Add Device.
3. Enter the serial number and MAC address of your device.
4. Click Done.
5. Review the list of devices.
From the Device Inventory Page
To add devices from the Device Inventory page:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Do one of the following:
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.


Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Click Done.
4. Review the devices added to the inventory.
When you add the serial number and MAC address of one AP from a cluster or a switch stack member, Aruba Central imports all devices associated in the AP cluster and switch stack respectively.
For more information on adding devices, see Onboarding Devices on page 91.
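A pre-upload check for the CSV import described above, as an added example that is not part of the Aruba guide: it enforces the 100-device limit (or a lower count of available device management tokens) and rejects malformed or duplicate rows before the file is uploaded. The column names serial and mac, the alphanumeric serial rule, the function names and the sample rows are assumptions; the sample CSV downloaded from the Device Inventory page defines the real layout.

```python
import csv
import io
import re

MAX_CSV_DEVICES = 100   # CSV import limit stated in the guide

# Assumed column names: the guide does not show the sample CSV layout.
SERIAL_COL = "serial"
MAC_COL = "mac"


def normalize_mac(value):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if it is not 12 hex digits."""
    digits = re.sub(r"[:\-.]", "", value.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_inventory_csv(text, available_tokens=MAX_CSV_DEVICES):
    """Validate CSV text before upload.

    Returns (devices, errors): devices is a list of (serial, mac) tuples for
    the rows that passed, errors is a list of human-readable problems.
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = {SERIAL_COL, MAC_COL} - set(reader.fieldnames or [])
    if missing:
        return [], ["missing column(s): " + ", ".join(sorted(missing))]

    devices, errors = [], []
    seen_serials, seen_macs = set(), set()
    # Line 1 is the header, so data rows start at line 2.
    for line_no, row in enumerate(reader, start=2):
        serial = (row[SERIAL_COL] or "").strip().upper()
        mac = normalize_mac(row[MAC_COL] or "")
        # Assumption: serial numbers are plain alphanumeric strings.
        if not serial.isalnum():
            errors.append(f"line {line_no}: serial number is empty or not alphanumeric")
            continue
        if mac is None:
            errors.append(f"line {line_no}: MAC address is not 12 hex digits")
            continue
        if serial in seen_serials or mac in seen_macs:
            errors.append(f"line {line_no}: duplicate serial number or MAC address")
            continue
        seen_serials.add(serial)
        seen_macs.add(mac)
        devices.append((serial, mac))

    # The import is capped at 100 devices or the available tokens, whichever is lower.
    limit = min(MAX_CSV_DEVICES, available_tokens)
    if len(devices) > limit:
        errors.append(f"{len(devices)} devices exceed the import limit of {limit}")
    return devices, errors


# Constructed sample input: one bad MAC (line 4) and one duplicate serial (line 5).
SAMPLE = """serial,mac
CNJJKPN1G5,94:b4:0f:d9:ba:cc
CNAAAA0001,94-B4-0F-D9-BA-CD
CNAAAA0002,94:b4:0f:d9:ba
CNJJKPN1G5,94:b4:0f:d9:ba:ce
"""

if __name__ == "__main__":
    ok, problems = check_inventory_csv(SAMPLE)
    for serial, mac in ok:
        print("ready:", serial, mac)
    for problem in problems:
        print("fix:  ", problem)
```

Run it against the file you intend to import and upload only when the error list is empty; the Account Home > Audit Trail page then shows the status of the upload itself.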
Step 4: Assigning Subscriptions
Aruba Central supports the following types of subscriptions:
- Device Management subscriptions--Allows you to manage and monitor your Access Points and Switches from Aruba Central. The device management subscriptions can be assigned only to the devices managed by Aruba Central.
- Services Management subscriptions--Allows you to enable value-added services on the APs managed from Aruba Central.
- Gateway subscriptions--Allows you to manage and monitor SD-WAN Gateways from Aruba Central.
You can either enable automatic assignment of subscription or manually assign subscriptions to your devices. By default, the automatic subscription assignment is disabled.
Enabling Automatic Assignment of Subscriptions
Use one of the following options to enable automatic assignment of subscriptions:
In the Initial Setup Wizard
1. Verify that you have a valid subscription key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the Assign Subscription tab, turn on the Auto Subscribe toggle switch.
From the Subscription Assignment Page
1. In the Account Home page, under Global Settings, click Subscription Assignment.
2. Under Device Subscriptions, toggle the Auto Subscribe slider to ON. All the devices in your inventory are selected for automatic assignment of subscriptions. You can edit the list by clearing the existing selection and re-selecting devices.
Manually Assigning Subscriptions
In the Initial Setup Wizard
1. In the Assign Subscription tab, ensure that the Auto Subscribe toggle switch is turned off.
2. Select the devices in the list for which you want to manually assign subscriptions.
3. Click Update Subscription.

From the Subscription Assignment Page
1. In the Account Home page, under Global Settings, click Subscription Assignment.
2. On the Subscription Assignment page, ensure that the Auto Subscribe toggle is turned off.
3. Select the devices to which you want to assign subscriptions.
4. Click Update Subscription.
For more information on subscriptions and how to assign network service and SD-WAN Gateway subscriptions, see Managing Subscriptions on page 98.
Step 5: Organize Your Devices into Groups
A group in Aruba Central functions as a configuration container for devices added in Aruba Central.
Why Should You Use Groups?
Groups allow you to create a logical subset of devices and simplify the configuration and device management tasks. Groups offer the following functions and benefits:
- Combining different types of devices under a group. For example, a group can have Instant APs and Switches. Aruba Central allows you to manage configuration of these devices in separate containers (wireless and wired management) within the same group. Any new device that is added to a group inherits the current configuration of the group.
- Assigning multiple devices to a single group. For example, a group can consist of multiple Instant AP Virtual Controllers (VCs). These VCs can share common configuration settings and push the configuration updates to slave Instant AP in their respective clusters. For example, you can apply a common security policy for the devices deployed in a specific geographical location.
- Cloning an existing group allows you to create a base configuration for the devices and customize it as per your network requirements.
You can also use groups for filtering your monitoring dashboard content, generating reports, and managing software upgrades.
A device can be part of only one group at any given time. Groups in Aruba Central are mutually exclusive (independent) and do not follow a hierarchical model.
For more information on groups and group configuration workflows, see Groups for Device Configuration and Management on page 118.
Assigning Devices to Groups
After you successfully complete the onboarding workflow, the Initial Setup wizard prompts you to assign your devices to a group. You can click Assign Group and assign your devices to a group. You can also use one of the following methods to assign your devices to groups.
To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory:
1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign.
4. Click Assign Device(s).


To assign a device to a group from the Groups page:
1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the devices table on the right, select the device that you want to assign to a new group.
4. Drag and drop the device to the group to which you want to assign the device.
Step 6: Assigning Sites and Labels (Optional)
A site in Aruba Central refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Aruba Central allows you to use sites as a primary navigation element. For example, if your devices are deployed in a campus, you could create a site called CampusA. You can also tag the devices within CampusA using labels. If your campus consists of multiple buildings, the devices deployed in the campus can be labeled as Building1 or Lobby. For more information on sites and labels and how to assign devices to sites and labels, see Managing Sites on page 140 and Managing Labels on page 143.
Step 7: Configuring Users
Add system users, assign user roles, and configure role based access control. For more information, see Configuring System Users on page 102.
Step 8: Configuring and Managing Networks
To start configuring your network setup:
1. Connect your devices to Aruba Central.
2. Provision Instant APs, Switches, or Gateways to set up your WLAN, wired access and SD-WAN network.
Step 9: Monitoring Your Network and Devices
Use the monitoring dashboards to view the health of the device and network. You can also run reports, configure alerts, and view client details.
Step 10: Upgrading Software Images on Devices
View software images available for the devices provisioned in your account, run a compliance check for the recommended software version, and upgrade devices. For more information and step-by-step instructions, see Managing Software Upgrades on page 160.
Step 11: Running Diagnostic Checks and Troubleshooting Issues
Run diagnostic checks and troubleshooting commands to analyze network connectivity and latency issues and debug device issues if any. For more information and step-by-step instructions, see Using Troubleshooting Tools.
Using the Search Bar
The search tool in the Network Operations app enables users to search for clients, devices, and infrastructure connected to the network. The tool also retrieves relevant documentation to help users efficiently operate their networks. The search engine uses Natural Language Processing (NLP) to analyze queries and return relevant search results. From the search results, users can navigate to:
- Various pages in the Network Operations app such as configuration pages, client or device monitoring dashboards, or troubleshooting pages.
- Help page in the Aruba Central Help Center.
To activate the search bar in the Aruba Central UI, press / (forward slash) on your computer keyboard.
Figure 15 Search Bar

Client Search Terms
The following table provides a list of recommended client search terms with the corresponding search results. Based on the displayed results, users can:
- Hover over a client to view more details.
- Click the client name to open the Client Details page.
- Click View to open the corresponding page in Aruba Central. For example, clicking the View button corresponding to High DHCP Failures opens the AI Insights dashboard.

Table 14: Client Search Terms

| Typical Queries | Search Terms | Result |
|---|---|---|
| View client(s) facing issues in the network | client issues, client anomalies, or problem clients | Returns client(s) that failed to connect and client(s) experiencing issues such as high DHCP failures, authentication failures, high roaming latency, and so on. |
| View failed client(s) | client failures or failed clients | Returns client(s) that failed to connect to the network. |
| View client(s) running Windows operating system | list windows clients | Returns a list of client(s) running Windows operating system. |
| View client(s) running Android operating system | list android clients | Returns a list of client(s) running Android operating system. |
| View client(s) in a site | Enter list clients in site followed by the site name. Example--list clients in site California | Returns a list of all client(s) in the site. |
| View offline client(s) in a site | Enter show offline clients in site followed by the site name. Example--show offline clients in site California | Returns a list of offline client(s) in the site. |
| View connected client(s) in a particular site | Enter show connected clients in site followed by the site name. Example--show connected clients in site California | Returns a list of connected client(s) in the site. |
| Search by client name | Enter the name of the client. Example--myipad | Returns the client whose name matches the search term. |
| Search by client MAC address | Enter client followed by the MAC address. Example--client 00:01:00:10:9f:20 | Returns the client whose MAC address matches the search term. |

Device Search Terms
The following table provides a list of recommended search terms for all device types, with the corresponding search results. Based on the displayed results, users can:
- Hover over a device to view more details.
- Click the device name to open the corresponding Device Details page.
- Click View to open the corresponding page in Aruba Central. For example, clicking the View button corresponding to Alerts & Events Overview opens the Alerts & Events page.

Table 15: Device Search Terms

| Typical Queries | Search Terms | Result |
|---|---|---|
| Access Point | | |
| View AP(s) facing issues in the network | AP issues; AP anomalies; problem APs | Returns a list of AP(s) that are offline, AP radios changing channels more frequently, AP(s) experiencing higher than normal channel utilization, AP(s) experiencing frequent transmit power changes, AP(s) that missed sending telemetry data, and so on. |
| View AP(s) in a site | Enter list aps in site or show aps in site followed by the site name. Example: list aps in site California | Returns a list of AP(s) in the site. |
| View a list of online AP(s) | online aps | Returns a list of AP(s) that are online. |
| View AP(s) belonging to a group | Enter list aps in group followed by group name. Example: list aps in group default | Returns a list of AP(s) that belong to the group. |
| View AP(s) tagged with a particular label | Enter list aps in label followed by the label name. Example: list aps in label lobby | Returns a list of AP(s) that are tagged with the label. |
| View AP(s) by model number | Enter show ap model followed by the model number. Example: show ap model ap-105 | Returns a list of AP(s) whose model number matches the search term. |
| Search by AP name | Enter the name of the AP. Example: printer-room | Returns the AP whose name matches the search term. |
| Search by AP MAC address | Enter ap followed by the MAC address. Example: ap 94:b4:0f:d9:ba:cc | Returns the AP whose MAC address matches the search term. |
| Search by AP serial number | Enter ap serial followed by the serial number. Example: ap serial CNJJKPN1G5 | Returns the AP whose serial number matches the search term. |
| Switch | | |
| View switch(es) facing issues in the network | switch issues; switch anomalies; problem switches | Returns a list of switch(es) that are offline, switch(es) experiencing high CPU and memory utilization, switch(es) facing PoE issues, and so on. |
| View switch(es) in a site | Enter list switches in site or show switches in site followed by the site name. Example: list switches in site California | Returns a list of switch(es) in the site. |
| View a list of online switch(es) | online switches | Returns a list of switch(es) that are online. |
| View switch(es) belonging to a group | Enter list switches in group followed by group name. Example: list switches in group default | Returns a list of switch(es) belonging to the group. |
| View switch(es) tagged with a label | Enter list switches in label followed by the label name. Example: list switches in label store | Returns a list of switch(es) that are tagged with the label. |
| Search by switch name | Enter the name of the switch. Example: store-switch | Returns the switch whose name matches the search term. |
| Search by switch MAC address | Enter switches followed by the MAC address. Example: switch f8:60:f0:b6:22:00 | Returns the switch whose MAC address matches the search term. |
| Search by switch serial number | Enter switch serial followed by the serial number. Example: switch serial CN90HKX045 | Returns the switch whose serial number matches the search term. |
| Gateway | | |
| View gateway(s) facing issues in the network | gateway issues; gateway anomalies; problem gateways | Returns a list of gateway(s) that are down, gateway(s) experiencing high CPU and memory utilization, gateway tunnel(s) that are down, and so on. |
| View gateway(s) in a site | Enter list gateways in site or show gateways in site followed by the site name. Example: list gateways in site California | Returns a list of gateway(s) in the site. |
| Configure gateway(s) in a particular group | Enter configure gateways in group followed by the site name. Example: configure gateways in group default | Returns a link to the gateway configuration page. |
| View a list of online gateway(s) | online gateways | Returns a list of gateway(s) that are online. |
| View gateway(s) belonging to a group | Enter list gateways in group followed by group name. Example: list gateways in group default | Returns a list of gateway(s) belonging to the group. |
| View gateway(s) tagged with a label | Enter list gateways in label followed by the label name. Example: list gateways in label lobby | Returns a list of gateway(s) that are tagged with the label. |
| Search by gateway name | Enter the name of the gateway. Example: branch | Returns the gateway whose name matches the search term. |
| Search by gateway MAC address | Enter gateway followed by the MAC address. Example: gateway 00:0b:86:f9:0d:d2 | Returns the gateway whose MAC address matches the search term. |
| Search by gateway serial number | Enter gateway serial followed by the serial number. Example: gateway serial CZ0003248 | Returns the gateway whose serial number matches the search term. |

User Experience Search Terms
The following table provides a list of recommended search terms with the corresponding search results for gauging the network performance and identifying anomalies affecting user experience.

Table 16: User Experience Search Terms

| Search Terms | Result |
|---|---|
| user experience issues | Returns the following links: Client-related insights generated for the last three hours; Network Health dashboard. Click View to open the corresponding page. |
| user experience issues last month | Returns client-related insights generated for the last one month. |
| client issues last week | Returns the following: Client(s) that failed to connect to the network in the last one week; Client-related insights generated for the last one week. |
| how is my network today | Returns the following links: Wi-Fi Connectivity dashboard; Network Health > List page. Click View to open the corresponding page. |
| is everything ok | Returns a link to the AI Insights dashboard. Click View to open the AI Insights dashboard and review the insights triggered. |
| roaming issues | Returns links to the following insights: Clients roamed excessively; Clients experienced high latency while roaming. Click View to open the corresponding insight and identify roaming anomalies. |
| authentication Issues | Returns links to the following insights: Clients had excessive 802.1x authentication failures; Clients had an unusual number of MAC authentication failures. Click View to open the corresponding insight and identify authentication anomalies. |
| problem clients | Returns client(s) that failed to connect and client(s) experiencing issues such as high DHCP failures, authentication failures, high roaming latency, and so on. |
| coverage issues | Returns links to the following insights: Clients had a significant number of Low SNR uplink minutes; Coverage Holes have been detected. Click View to open the corresponding insight and identify coverage anomalies. |

Site Search Terms
The following table provides a list of recommended search terms with the corresponding search results for retrieving clients and devices or identifying issues at a site. Based on the displayed results, users can:
- Hover over the client or device to view more details.
- Click the client or device name to open the Client Details or Device Details page.
- Click View to open the corresponding page in Aruba Central.

Table 17: Site Search Terms

| Typical Queries | Search Terms | Result |
|---|---|---|
| View problems in a site | Enter any problems in site followed by the site name. Example: any problems in site California | Returns the link to navigate to the AI Insights dashboard for the site. |
| View client(s) in a site | Enter list clients in site followed by the site name. Example: list clients in site California | Returns a list of all client(s) in the site. |
| View offline client(s) in a site | Enter show offline clients in site followed by the site name. Example: show offline clients in site California | Returns a list of offline client(s) in the site. |
| View connected client(s) in a site | Enter show connected clients in site followed by the site name. Example: show connected clients in site California | Returns a list of connected client(s) in the site. |
| View AP(s) in a site | Enter list aps in site or show aps in site followed by the site name. Example: list aps in site California | Returns a list of AP(s) in the site. |
| View switch(es) in a site | Enter list switches in site or show switches in site followed by the site name. Example: list switches in site California | Returns a list of switch(es) in the site. |
| View gateway(s) in a site | Enter list gateways in site or show gateways in site followed by the site name. Example: list gateways in site California | Returns a list of gateway(s) in the site. |

Network & Services Search Terms


The following table provides a list of recommended search terms with the corresponding search results for network and services.

Table 18: Network & Services Search Terms

| Search Terms | Result |
|---|---|
| service issues | Returns the following links: Wi-Fi Connectivity dashboard; AI Insights dashboard. Click View to open the corresponding page. |
| dhcp issues | Returns a link to the Clients had DHCP server connection problems insight. Click View to open the insight and identify the DHCP failures impacting the network. |
| dns issues | Returns links to the following insights: DNS queries failed to reach or return from the servers; DNS request/responses were significantly delayed; DNS server(s) rejected a high number of queries. Click View to open the corresponding insight and identify DNS anomalies. |
| authentication Issues | Returns links to the following insights: Clients had excessive 802.1x authentication failures; Clients had an unusual number of MAC authentication failures. Click View to open the corresponding insight and identify authentication anomalies. |

Navigation Search Terms
The following table provides a list of recommended search terms, with the corresponding search results, that can help users navigate through Aruba Central. Based on the displayed results, click View to open the corresponding page in Aruba Central.

Table 19: Navigation Search Terms

| Search Terms | UI Page |
|---|---|
| network health | Network Health > List |
| access points usage statistics; ap device summary | Devices > Access Points > Summary |
| list alerts | Global > Alerts & Events > Summary |
| client overview | Clients > Summary |
| bandwidth usage | Global > Overview > Summary |
| configure ssid | Group > Devices > Access Points > Config > WLANs > Wireless SSIDs |
| configure vpn | Group > Devices > Access Points > Config > VPN |
| assign virtual controller; config ap ports | Group > Devices > Access Points > Interfaces > Wired |

Table 19: Navigation Search Terms Search Terms radios profile manage firmware for virtual controller where can I configure switch configure switch stacks enable cdp for switches configuration conflicts for switches switch dhcp pools switch security dhcp how to configure switch igmp switch port priority manage switch ports configure VLANs configure gateways config audit gateway wan transport health wan performance show branch uplinks utilization virtual gateway settings how to upgrade gateway overlay route orchestrator topology topology n list all saas apps n saas express summary ssh threats current threat map configure presence analytics view wifi connected devices

UI Page Group > Devices > Access Points > Config > Radios Global > Firmware > Access Points
Devices > Switches > Config Devices > Switches > Stacks > Config Devices > Switches > System > CDP Devices > Switches > Configuration Audit Devices > Switches > IP Settings > DHCP Pools Devices > Switches > Security > DHCP Snooping Devices > Switches > IGMP Devices > Switches > Interface > PoE Devices > Switches > Interface > Ports Devices > Switches > Interface > VLANs Devices > Gateways > Config Devices > Gateways > Config > Advanced Mode > Config Audit Devices > Gateways > Summary Global > Overview > WAN Health > List Global > Overview > WAN Health > Summary Global > Network Services > Virtual Gateways Global > Firmware > Gateways Global > Network Services > SD-WAN Overlay > Route Site > Overview > Topology Global > Applications > SaaS Express > Map
Global > Security > Gateway IDS/IPS > Threats List Global > Security > Gateway IDS/IPS > Summary Global > Guests > Presence Analytics > Config Global > Guests > Presence Analytics > Summary

| Search Terms | UI Page |
|---|---|
| setup guest access | Global > Guests > Guest Access |
| setup guest network | Group > Guests > Config > Guest Networks |
| ucc settings; enable call prioritization for ucc | Global > Applications > UCC > Config > Settings |
| list ucc call | Global > Applications > UCC > List |
| tutorials | WalkMe Menu for launching guided tutorials |

Managing Subscriptions
Aruba Central supports the following types of subscriptions:
- Device Management subscriptions: Allows you to manage and monitor your Access Points and Switches from Aruba Central. The device management subscriptions can be assigned only to the devices managed by Aruba Central.
- Services Management subscriptions: Allows you to enable value-added services on the APs managed from Aruba Central.
- Gateway subscriptions: Allows you to manage and monitor SD-WAN Gateways from Aruba Central.
The following figure illustrates the supported subscription types and the assignment criteria:


Assigning Device Management Subscriptions
You can either enable automatic assignment of subscriptions or manually assign subscriptions for Access Points and Switches added in Aruba Central.
Automatically Assigning Device Management Subscriptions
To enable automatic assignment of subscriptions from the Initial Setup Wizard:
1. Verify that you have a valid subscription key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the Assign Subscription tab, turn on the Auto Subscribe toggle switch.
To enable automatic assignment of subscriptions from the Subscription Assignment page:
1. In the Account Home page, under Global Settings, click Subscription Assignment. The Subscription Management page is displayed.
2. Under Device Management Subscriptions, toggle the Auto Subscribe slider to ON. All the devices in your inventory are selected for automatic assignment of subscriptions. You can edit the list by clearing the existing selection and re-selecting devices.

When a subscription assigned to a device expires or is canceled, Aruba Central checks for the available subscription tokens in your account and assigns the longest available subscription token to the device. If your account does not have an adequate number of subscriptions, you may have to manually assign subscriptions to as many devices as possible. To view the subscription utilization details and the number of subscriptions available in your account, go to the Account Home > Global Settings > Key Management page. To manually assign subscriptions, turn off the Auto Subscribe toggle.
Manually Assigning Device Management Subscriptions
To manually assign subscriptions to devices or override the current assignment:
1. In the Account Home page, under Global Settings, click Subscription Assignment. The Subscription Management page is displayed.
2. Ensure that the Auto Subscribe toggle is turned off.
3. Select the devices to which you want to assign subscriptions.
4. Click Update Subscription.
Assigning Services Management Subscriptions
To assign a services management subscription, complete the following steps:
1. In the Account Home page, under Global Settings, click Subscription Assignment. The Subscription Management page is displayed.
2. Select the service subscription that you want to enable on a device. The available services are:
   - Cloud Guest
   - UCC
3. Under Services Management Subscriptions, select the AP from the table on the right.
4. Drag and drop the device to the network service selected in the table on the left.
Important Points to Note
- Clarity service is deprecated. Wi-Fi Connectivity dashboard has replaced Clarity. Although you can assign or unassign Clarity service subscription, Clarity does not monitor deployments or detect network performance issues.
- Presence Analytics does not require a separate service subscription.
- If you had assigned a service subscription for Presence Analytics prior to Aruba Central 2.5.2 release, you can remove the service subscription and use the same subscription for either Cloud Guest or UCC.
Assigning Gateway Subscriptions
For Aruba Gateways to start functioning, you must onboard them to the device inventory in Aruba Central and ensure that a valid subscription is assigned to each Gateway. A valid subscription allows the Gateway to be managed by Aruba Central. For more information, see Aruba SD-WAN Solution User Guide.


Removing Subscriptions from Devices
To remove the subscriptions from the devices, complete the following actions:
Removing a Device Subscription from a Device
1. In the Account Home page, under Global Settings, click Subscription Assignment. Ensure that the Auto Subscribe toggle is turned off. The devices that have the subscriptions assigned are selected and highlighted in green.
2. Clear the Subscribed check box for the device from which you want to unassign the subscription and click Update Subscription. The Confirm Action pop-up window with the Do you want to modify the subscription for selected devices message opens.
3. Click Yes to confirm. The subscription is unassigned and the Subscribed status for the device is marked as No in the devices table.
Removing a Services Management Subscription from a Device
To remove network service subscription from a device:
1. In the Account Home page, under Global Settings, click Subscription Assignment.
2. Under Services Management Subscriptions, select a subscription from the table on the left.
3. From the table on the right, select the devices from which you want to unassign the subscription.
4. Click Batch Remove Subscriptions. The subscription is unassigned from the selected devices.
Acknowledging Subscription Expiry Notifications
In the Account Home page, under Global Settings, click Key Management. The Key Management page displays the expiration date for each subscription. As the subscription expiration date approaches, users receive expiry notifications. Users with an evaluation subscription receive expiry notifications 30 days, 15 days, and 1 day before the subscription expires, and on day 1 after it expires. Users with paid subscriptions receive expiry notifications 90 days, 60 days, 30 days, 15 days, and 1 day before expiry, and two notifications per day on day 1 and day 2 after the subscription expires.
Acknowledging Notifications through Email
If the user has multiple subscriptions, a consolidated email with the expiry notifications for all subscriptions is sent to the user. Users can acknowledge these notifications by clicking the Acknowledge All link in the email notification.
Acknowledging Notifications in the UI
If a subscription has already expired or is about to expire within 24 hours, a subscription expiry notification message is displayed in a pop-up window when the user logs in to Aruba Central. To prevent Aruba Central from generating expiry notifications, click Acknowledge.

Renewing Subscriptions
To renew your subscription, contact your Aruba Central sales specialist.


Chapter 4 Administering Aruba Central
Aruba Central is a cloud-native network operations and assurance solution for wired, wireless, and SD-WAN networks. Aruba Central unifies traditional management with AI-based network and user insights, and IoT device profiling in a single interface for simplified and secure management and control.
Apps
From the Account Home page, you can manage network inventory, subscriptions, and user access. You can provision or launch the following apps:
- Network Operations
- ClearPass Device Insight
The application(s) displayed in the Apps section of the page are dependent on the app(s) that you selected while signing up for Aruba Central. For more information, see Creating an Aruba Central Account on page 38. To provision an app, click Get Started. After the app is provisioned, click Launch to navigate to the corresponding application UI. If the app provisioning fails, you can retry or contact Aruba Technical Support.
Figure 16 All Apps

Network Operations
Network Operations is a unified network operations, assurance and security platform that simplifies the deployment, management, and service assurance of wireless, wired and SD-WAN environments. Network Operations provides a cloud-based network management platform for managing your wireless, WAN, and wired networks with Aruba APs, Gateways, and Switches. Along with device and network management functions, the app also offers value-added services such as customized guest access, client presence, and service assurance analytics.


For more information, see Aruba Central Help Center.
ClearPass Device Insight
ClearPass Device Insight enables network and security administrators to discover, monitor, and automatically classify new and existing devices that connect to a network. You can identify devices that include IoT devices, medical devices, printers, smart devices, laptops, VoIP phones, computers, gaming consoles, routers, servers, and switches. For more information, see Aruba ClearPass Device Insight Information Center.

Global Settings
In Aruba Central, most of the general administration tasks are grouped under Global Settings. The following table lists all the options and relevant app(s) to which the option is applicable:

Table 20: Options & Apps

| Option | App(s) |
|---|---|
| User and Roles | Network Operations; ClearPass Device Insight |
| Key Management | Network Operations; ClearPass Device Insight |
| Device Inventory | Network Operations |
| Subscription Assignment | Network Operations |
| Data Collectors | Data Collectors option appears only if the ClearPass Device Insight app is provisioned. |
| Audit Trail | Network Operations |
| Single Sign On | Network Operations |
| API Gateway | API Gateway option appears only if the Network Operations app is provisioned and if the API Gateway license is enabled. |
| Webhooks | Network Operations |

Managing Your Device Inventory
After you add paid subscription key(s) to your Aruba Central account, the device(s) that you purchased are automatically added to the device inventory in the respective Aruba Central account. For more information on subscription keys, see Managing Subscription Keys.
If the device you purchased does not show up in the inventory, you can manually add it. Aruba Central allows you to add up to 32 devices manually by entering the valid MAC and serial number combination for each device.


Users having roles with Modify permission can add devices. Users having roles with View Only permission can only view the Device Inventory module.

Viewing Devices
The devices provisioned in your account are listed in the Account Home > Global Settings > Device Inventory page. The following table describes the contents of the Device Inventory page.

Table 21: Device Details

| Parameter | Description |
|---|---|
| Serial Number | Serial number of the device. |
| MAC Address | MAC address of the device. |
| Type | Type of the device, for example Instant AP, switch, or gateway. |
| IP Address | IP address of the device. |
| Name | Name of the device. |
| Model | Hardware model of the device. |
| Part Number | Part number of the device. |
| Group | Name of the group to which the device is assigned. This column is displayed only for the Aruba Central Standard Enterprise mode users. |
| Subscription | Status of the subscription assignment. |

Adding Devices to Inventory
For information on adding devices, see Onboarding Devices.
Onboarding Devices
Aruba Central supports the following options for adding devices.
- If you are an evaluating user, you must manually add the serial number and MAC address of the devices that you want to manage from Aruba Central.
This section includes the following topics:
- Adding Devices (Evaluation Account)
- Adding Devices (Paid Subscription)
- Manually Adding Devices
Adding Devices (Evaluation Account)
Use one of the following methods to add devices to Aruba Central:
Using the Initial Setup Wizard
1. In the Add Devices tab of the Initial Setup wizard, click Add Device.
2. Enter the serial number and MAC address of your devices. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
3. Click Done.
4. Review the devices in your inventory.
Using the Device Inventory Page
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Add Devices. The Add Devices pop-up window is displayed.
3. Enter the serial number and the MAC address of each device. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
4. Click Done.
5. Review the devices in your inventory.
Adding Devices (Paid Subscription)
If your devices are not added to your inventory, set up a device sync by adding one device from your purchase order. To set up device sync, use one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page
In the Initial Setup Wizard
1. Ensure that you have added a subscription key and click Next.
2. In the Add Devices tab, enter the serial number and MAC address of one device from your purchase order. Most Aruba devices have the serial number and MAC address on the front or back of the hardware.
3. Click Add Device. Aruba Central imports all other devices mapped to your purchase order.
4. Review the devices in your inventory.
5. Perform the following options:
   - Add Devices Manually: Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App: Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support: Contact Aruba Technical Support.
From the Device Inventory Page
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
Aruba Central imports only devices associated with your Central account from Activate.
2. Do one of the following:
   - Click Sync Devices. Enter the serial number and MAC address and click Add Device.
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.
Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Review the devices in your inventory.
4. Perform the following options:
   - Add Devices Manually: Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App: Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support: Contact Aruba Technical Support.
Manually Adding Devices
Aruba Central allows you to set up only manual sync of devices from Activate database using one of the following methods:
- Adding Devices Using MAC address and Serial Number on page 93
- Adding Devices Using Activate Account on page 94
- Adding Devices Using Cloud Activation Key on page 95
You can set up only a manual sync for Aruba Central-managed folders such as the default, licensed, and non-licensed folders.
Adding Devices Using MAC address and Serial Number
You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.


To add devices using MAC address and serial number, use one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page
In the Initial Setup Wizard
If you are using the Initial Setup wizard:
1. Go to the Add Devices tab of the Initial Setup wizard.
2. Click Add Device.
3. Enter the serial number and MAC address of your device.
4. Click Done.
5. Review the list of devices.
From the Device Inventory Page
To add devices from the Device Inventory page:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Do one of the following:
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.
Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Click Done.
4. Review the devices added to the inventory.
When you add the serial number and MAC address of one AP from a cluster or a switch stack member, Aruba Central imports all devices associated in the AP cluster and switch stack respectively.
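The CSV import limits described above (100 devices, or the number of available device management tokens) can be checked before upload. The following is an added example, not part of the guide or of Aruba Central; the column names serial and mac, the serial-number pattern, and reading the limit as the smaller of the two values are assumptions, and the real column layout comes from the Download sample CSV file link.

```python
import csv
import io
import re

MAX_CSV_DEVICES = 100                   # CSV import limit stated in the guide
SERIAL_COL, MAC_COL = "serial", "mac"   # assumed header names, not from the guide
SERIAL_RE = re.compile(r"[A-Z0-9]+")    # assumed: serials are plain alphanumerics

# Constructed sample input (MACs use the 00:00:5e:00:53 documentation range).
SAMPLE_CSV = """serial,mac
SNAAAA0001,00:00:5e:00:53:01
snaaaa0002,00-00-5E-00-53-02
SNAAAA0003,00:00:5e:00:53:zz
SNAAAA0004,00:00:5e:00:53:01

"""


def normalize_mac(raw):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if it is not 12 hex digits."""
    digits = re.sub(r"[:\-.\s]", "", raw.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_inventory_csv(text, available_tokens):
    """Validate an import file and return {'ok', 'devices', 'errors'}."""
    reader = csv.reader(io.StringIO(text))
    header = [cell.strip().lower() for cell in next(reader, [])]
    if SERIAL_COL not in header or MAC_COL not in header:
        message = f"header must contain '{SERIAL_COL}' and '{MAC_COL}'"
        return {"ok": False, "devices": [], "errors": [message]}
    s_idx, m_idx = header.index(SERIAL_COL), header.index(MAC_COL)

    devices, errors = [], []
    seen_serials, seen_macs = {}, {}
    for row in reader:
        line = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        if len(row) <= max(s_idx, m_idx):
            errors.append(f"line {line}: missing serial or MAC column")
            continue
        serial = row[s_idx].strip().upper()
        mac = normalize_mac(row[m_idx])
        if not SERIAL_RE.fullmatch(serial):
            errors.append(f"line {line}: invalid serial number {row[s_idx]!r}")
            continue
        if mac is None:
            errors.append(f"line {line}: invalid MAC address {row[m_idx]!r}")
            continue
        # A repeated serial or MAC means two rows claim the same device.
        if serial in seen_serials:
            errors.append(f"line {line}: serial repeats line {seen_serials[serial]}")
            continue
        if mac in seen_macs:
            errors.append(f"line {line}: MAC repeats line {seen_macs[mac]}")
            continue
        seen_serials[serial] = line
        seen_macs[mac] = line
        devices.append((serial, mac))

    # Assumed reading of the guide: the stricter of the two limits applies.
    limit = min(MAX_CSV_DEVICES, available_tokens)
    if len(devices) > limit:
        errors.append(f"{len(devices)} devices exceed the import limit of {limit}")
    return {"ok": not errors, "devices": devices, "errors": errors}


if __name__ == "__main__":
    report = check_inventory_csv(SAMPLE_CSV, available_tokens=10)
    for problem in report["errors"]:
        print(problem)
    print(f"{len(report['devices'])} valid device rows")
```

Rejecting malformed or duplicated rows locally keeps a mistyped serial or MAC pair out of the upload and makes the result recorded in the Audit Trail page easier to interpret.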
Adding Devices Using Activate Account
Use this device addition method only when you want to migrate your inventory from Aruba AirWave or a standalone AP deployment to the Aruba Central management framework. Use this option with caution as it imports all devices from your Activate account to the Aruba Central device inventory. You can use this option only once. After the devices are added, Aruba Central does not allow you to modify or re-import the devices using your Aruba Activate credentials.
To add devices from your Activate account:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Advanced and select Using Activate.
3. Enter the username and password of your Activate account.
4. Click Add.
5. Review the devices added to the inventory.
Adding Devices Using Cloud Activation Key
When you import devices using the Cloud Activation Key, all your devices from the same purchase order are added to your Aruba Central inventory.
Before adding devices using cloud activation key, ensure that you have noted the cloud activation key and MAC address of the devices to add.
Locating Cloud Activation Key and MAC Address
To know the cloud activation key:
- For APs:
  1. Log in to the WebUI or CLI.
     - If using the WebUI, go to the Maintenance > About.
     - If using the CLI, execute the show about command.
  2. Note the cloud activation key and MAC address.
- For Aruba Switches:
  1. Log in to the switch CLI.
  2. Execute the show system | in Base and show system | in Serial commands.
  3. Note the cloud activation key and MAC address in the command output.
- For Mobility Access Switches:
  1. Log in to the Mobility Access Switch UI or CLI.
     - If using the UI, go to the Maintenance > About.
     - If using the CLI, execute the show inventory | include HW and show version commands.
  2. Note the cloud activation key and MAC address. The activation key is enabled only if the switch has access to the Internet.
Adding Devices Using Cloud Activation Key
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Advanced and select With Cloud Activation Key. The Cloud Activation Key pop-up window opens.
3. Enter the cloud activation key and MAC address of the device.

4. Click Add.
If a device belongs to another customer account or is used by another service, Aruba Central displays it as a blocked device. As Aruba Central does not support managing and monitoring blocked devices, you may have to release the blocked devices before proceeding with the next steps.
Managing Subscription Keys
A subscription key is a 14-character alphanumeric string; for example, PQREWD6ADWERAS. Subscription keys allow your devices to be managed by Aruba Central. To use Aruba Central for managing, profiling, analyzing, and monitoring your devices, you must ensure that you have a valid subscription key. You must either have an evaluation subscription key or a paid subscription key. The evaluation subscription key is valid for 91 days.
Evaluation Subscription Key
The evaluation subscription key is enabled for trial users by default. It allows you to add up to a total of 10 devices. The evaluation subscription also allows you to enable services such as Presence Analytics and Guest Access on your devices. The Account Home > Global Settings > Key Management page displays the subscription expiration date. You will receive subscription expiry notifications through email on the 30th, 15th and 1 day before the subscription expiry and on day 1 after the subscription expires. The number of days left for subscription expiry is also displayed in the respective app under the Apps section of the Account Home page.
Upgrading to a Paid Account
If you have purchased a subscription, upgrade your account by completing the following steps:
1. On the respective app, click the link that shows the number of days left for the evaluation to expire. The Add a New Subscription pop-up window opens.
2. Enter the new subscription key that you purchased from Aruba.
3. Click Add Subscription.

After you upgrade your account, you can add more devices and enable services, and continue using Aruba Central.

Paid Subscription Key
If you have purchased a subscription key, you must ensure that your subscription key is added to Aruba Central. If you are logging in for the first time, Aruba Central prompts you to add your subscription key to activate your account. Ensure that you add the subscription key before onboarding devices to Aruba Central.
The Account Home > Global Settings > Key Management page displays the subscription expiration date. You will receive subscription expiry notifications through email on the 90th, 60th, 30th, 15th, and 1 day before expiry and two notifications per day on the day 1 and day 2 after the subscription expiry.
When you upgrade or renew your subscription, or purchase another subscription key, you must add the key details in the Account Home > Global Settings > Key Management page to avail the benefits of the new subscription.

Adding a Subscription Key
To add a subscription key:
1. In the Account Home page, under Global Settings, click Key Management. The Key Management page is displayed.
2. Enter your subscription key.
3. Click Add Subscription. The subscription key is added to Aruba Central and the contents of the subscription key are displayed in the Manage Keys table.
4. Review the subscription details.

Viewing Subscription Key Details
To view subscription key details, in the Account Home page, under Global Settings, click Key Management. The following table describes the contents of the Manage Keys table:

Table 22: Subscription Key Details

| Data Pane Item | Description |
|---|---|
| Keys | Subscription key number. |
| Type | Type of the subscription. Aruba Central supports the following types of subscriptions: • Device subscriptions--The device subscription allows you to avail services such as device onboarding, configuration, management, monitoring, and reports. The device subscriptions can be assigned only to the devices managed by Aruba Central. • Service subscriptions--Aruba Central supports application services that you can run on the devices provisioned in your setup. For example, if you have Instant APs with 6.4.4.44.2.3.0 or later, you can assign a service subscription for Presence Analytics. • Gateway Subscriptions--Aruba Central supports a separate set of subscriptions for configuring and managing SD-WAN gateways. The Gateway subscriptions are marked as Foundation-<device>; for example, Foundation-70XX. • Virtual Gateways--Aruba Central supports a separate set of subscriptions for configuring and managing Virtual Gateways. The Virtual Gateway subscriptions are prefixed with a VGW-<bandwidth>; for example, VGW-500MB. |
| Expiration Date | Expiration date for the subscription key. |
| Quantity | Number of license tokens available for a subscription. Each Aruba Central subscription holds a specific number of tokens. For example, when a subscription is assigned to a device, Aruba Central binds the device with a token from the existing pool of subscriptions. |
| Status | Status of the subscription key. For example, if you are a trial user, Aruba Central displays the status of subscription key as Evaluation. |
| Apps | Name of the application. |

Managing Subscriptions
Aruba Central supports the following types of subscriptions:
• Device Management subscriptions--Allows you to manage and monitor your Access Points and Switches from Aruba Central. The device management subscriptions can be assigned only to the devices managed by Aruba Central.
• Services Management subscriptions--Allows you to enable value-added services on the APs managed from Aruba Central.
• Gateway subscriptions--Allows you to manage and monitor SD-WAN Gateways from Aruba Central.
The following figure illustrates the supported subscription types and the assignment criteria:

Assigning Device Management Subscriptions
You can either enable automatic assignment of subscriptions or manually assign subscriptions for Access Points and Switches added in Aruba Central.
Automatically Assigning Device Management Subscriptions
To enable automatic assignment of subscriptions from the Initial Setup Wizard:
1. Verify that you have a valid subscription key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the Assign Subscription tab, turn on the Auto Subscribe toggle switch.
To enable automatic assignment of subscriptions from the Subscription Assignment page:
1. In the Account Home page, under Global Settings, click Subscription Assignment. The Subscription Management page is displayed.
2. Under Device Management Subscriptions, toggle the Auto Subscribe slider to ON. All the devices in your inventory are selected for automatic assignment of subscriptions. You can edit the list by clearing the existing selection and re-selecting devices.

When a subscription assigned to a device expires or is canceled, Aruba Central checks for the available subscription tokens in your account and assigns the longest available subscription token to the device. If your account does not have an adequate number of subscriptions, you may have to manually assign subscriptions to as many devices as possible. To view the subscription utilization details and the number of subscriptions available in your account, go to the Account Home > Global Settings > Key Management page. To manually assign subscriptions, turn off the Auto Subscribe toggle.
Manually Assigning Device Management Subscriptions
To manually assign subscriptions to devices or override the current assignment:
1. In the Account Home page, under Global Settings, click Subscription Assignment. The Subscription Management page is displayed.
2. Ensure that the Auto Subscribe toggle is turned off.
3. Select the devices to which you want to assign subscriptions.
4. Click Update Subscription.
Assigning Services Management Subscriptions
To assign a services management subscription, complete the following steps:
1. In the Account Home page, under Global Settings, click Subscription Assignment. The Subscription Management page is displayed.
2. Select the service subscription that you want to enable on a device. The available services are:
   • Cloud Guest
   • UCC
3. Under Services Management Subscriptions, select the AP from the table on the right.
4. Drag and drop the device to the network service selected in the table on the left.
Important Points to Note
• Clarity service is deprecated. Wi-Fi Connectivity dashboard has replaced Clarity. Although you can assign or unassign Clarity service subscription, Clarity does not monitor deployments or detect network performance issues.
• Presence Analytics does not require a separate service subscription.
• If you had assigned a service subscription for Presence Analytics prior to Aruba Central 2.5.2 release, you can remove the service subscription and use the same subscription for either Cloud Guest or UCC.
Assigning Gateway Subscriptions
For Aruba Gateways to start functioning, you must onboard them to the device inventory in Aruba Central and ensure that a valid subscription is assigned to each Gateway. A valid subscription allows the Gateway to be managed by Aruba Central. For more information, see Aruba SD-WAN Solution User Guide.
Removing Subscriptions from Devices
To remove the subscriptions from the devices, complete the following actions:
Removing a Device Subscription from a Device
1. In the Account Home page, under Global Settings, click Subscription Assignment. Ensure that the Auto Subscribe toggle is turned off. The devices that have the subscriptions assigned are selected and highlighted in green.
2. Clear the Subscribed check box for the device from which you want to unassign the subscription and click Update Subscription. The Confirm Action pop-up window with the Do you want to modify the subscription for selected devices message opens.
3. Click Yes to confirm. The subscription is unassigned and the Subscribed status for the device is marked as No in the devices table.
Removing a Services Management Subscription from a Device
To remove network service subscription from a device:
1. In the Account Home page, under Global Settings, click Subscription Assignment.
2. Under Services Management Subscriptions, select a subscription from the table on the left.
3. From the table on the right, select the devices from which you want to unassign the subscription.
4. Click Batch Remove Subscriptions. The subscription is unassigned from the selected devices.
Acknowledging Subscription Expiry Notifications
In the Account Home page, under Global Settings, click Key Management. The Key Management page displays the expiration date for each subscription. As the subscription expiration date approaches, users receive expiry notifications. Users with an evaluation subscription receive subscription expiry notifications on the 30th, 15th and 1 day before the subscription expiry and on day 1 after the subscription expires. Users with paid subscriptions receive subscription expiry notifications on the 90th, 60th, 30th, 15th, and 1 day before expiry and two notifications per day on day 1 and day 2 after the subscription expiry.
Acknowledging Notifications through Email
If the user has multiple subscriptions, a consolidated email with the expiry notifications for all subscriptions is sent to the user. Users can acknowledge these notifications by clicking the Acknowledge All link in the email notification.

Acknowledging Notifications in the UI
If a subscription has already expired or is about to expire within 24 hours, a subscription expiry notification message is displayed in a pop-up window when the user logs in to Aruba Central. To prevent Aruba Central from generating expiry notifications, click Acknowledge.

Renewing Subscriptions
To renew your subscription, contact your Aruba Central sales specialist.

Users and Roles
Aruba Central users are broadly categorized as follows:
• Network Administrators--Network administrators manage, configure, and monitor devices in their respective network or organization using the Aruba Central Standard Enterprise interface.
• Service Provider Administrators--Service Provider administrators are referred to as the MSP administrators who create, manage, and monitor accounts for multiple organizations (tenants). For MSP accounts, the Network Operations app provides a separate interface called the MSP View, using which MSP administrators can provision and manage their respective tenant accounts. Tenant account users' access is limited to their respective account or network setup. For more information on creating tenant accounts, see the Aruba Central MSP User Guide.
Within each Aruba Central account, the admin users of the respective accounts can configure and manage the following types of users:
• System users--Users who authenticate to the Aruba SSO server (public cloud deployments) or LocalDB servers (private cloud deployments). System users can access both the UI and API interface with their Aruba Central login credentials. Access for the system users is determined by the role to which they are mapped. For more information on configuring system users, see Configuring System Users on page 102.
• External users--Users who log in to Aruba Central using an external authentication source. External user accounts are maintained by IT administrators of the respective organizations. External users are also referred to as federated users. To provide a secure and seamless sign-on experience for external users, Aruba Central supports a federation configuration module based on the SAML SSO framework. For more information on configuring the SAML SSO framework for federated users, see the Aruba Central SAML SSO Solution Guide.
The following table lists the tasks that you can perform from the Users and Roles page:

Table 23: Users and Roles--Tasks

| Task | For more information... |
|---|---|
| Create, modify, or delete users | Configuring System Users on page 102 |
| Create, modify, or delete user roles | Configuring User Roles on page 105 |
| Resend email invitation to users | Resend Email Invite on page 104 |
| Enable Two-Factor Authentication (2FA) | Two-Factor Authentication on page 110 |
| Enable support access to debug issues | Support Access on page 112 |

Configuring System Users
In the Account Home page, the Users & Roles option under Global Settings allows you to create, modify, and delete users.
This section describes the procedure for configuring users in an enterprise account. For information on how to configure system users in the MSP mode, see the Aruba Central Managed Service Provider User Guide.

Adding a System User
To add a user, complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users and Roles page is displayed.
2. Click Add User. The New User window is displayed.
3. Configure the following parameters:
   • Username--Email ID of the user. Enter a valid email address.
   • Description--Description of the user role. You can enter up to a maximum of 32 characters including alphabets, numbers, and special characters in the text field.
   • Language--Select a language. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese languages.
   • Account Home--Select a user role for the Account Home page. If there are common modules between Account Home and other app(s), the Account Home user role has higher precedence. For example, the Devices and Subscription module in the Network Operations app.
     If an application is not provisioned, that application is not listed in the New User pop-up window.
   • Network Operations--Select a user role for the Network Operations application.
     ◦ If you assign the user role guestoperator, readonly, or readwrite, from the Select Groups drop-down list, select group(s). By default, the admin user role has access to all groups.
   • ClearPass Device Insight--Select a user role for the ClearPass Device Insight application.
   For more information on user roles, see Configuring User Roles.
4. Click Save. An email invite is sent to the user with a registration link. Users can use this link to access Aruba Central.

The registration link in the email invite is valid for 15 days. The link expiry date is also mentioned in the registration email notification.

Resend Email Invite
If any user has not received the email invite, complete the following steps to resend the invite:
1. Click Actions and slide the Resend Invitation To Users toggle button to the right.
2. Enter the email ID and click Resend Invite.
Viewing User Details
In the Account Home page, under Global Settings, click Users & Roles. The Users tab is displayed. The List of Users table displays the following information:
• Email ID of the user.
• Type of user. The user can be system user or external user.
• Description of the user.
• Role assigned for the Network Operations app.
• Role assigned for the ClearPass Device Insight app. This option is displayed only if the ClearPass Device Insight app is provisioned and if you have subscribed to the app.
• Role assigned for the Account Home page.
• Allowed groups for the user.
• Last active time of the user. If the last active time cell is blank, the user has not logged in after the product upgrade.
Editing a User
To edit a user account, complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users tab opens.
2. In the List of Users table, select the user and click the edit icon.
3. In the Edit User <"Username"> window, modify description, role, or allowed groups.
4. Click Save.
Deleting a User
To delete a user account:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users tab opens.
2. In the List of Users table, select the user and click the delete icon.
3. Confirm user deletion in the Confirm Action dialog box.
Viewing Audit Trail Logs for Users
Audit logs are generated when a new user is created and when an existing user is modified or deleted from the Aruba Central account. The audit trail also records the login and logout activities of users. To view audit logs for Aruba Central users:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page is displayed.
2. To view audit logs for user addition, modification, or deletion, click the filter in the Classification column, and select User Management.
3. To filter audit logs about user activity, click the filter in the Classification column, and select User Activity.
Configuring User Roles
A role refers to a logical entity used for determining user access to devices and application services in Aruba Central. Users are always tagged to roles that govern the level of user access to the Aruba Central applications and services.
Access control for federated users is determined by the attributes set in the IDP.
Aruba Central supports a set of predefined roles with different privileges and access permissions. You can also configure custom roles.
Predefined User Roles
The Users & Roles page allows you to configure the following types of users with system-defined roles:

Table 24: Predefined User Roles

| Application | User Role | Privilege |
|---|---|---|
| Account Home | admin | Administrator for the Account Home page. If there are common modules between Account Home and other app(s), the Account Home user role has higher precedence and the user is granted permission if the operation is initiated from the Account Home page. |
| | readwrite | Can view and modify settings in the Account Home page and all Global Settings pages. |
| | readonly | Can view the Account Home page and all Global Settings pages. |
| Network Operations | admin | Administrator for the Network Operations application. Has access to Account Home > Global Settings. This is applicable only if the Account Home role is not set or is not conflicting. |
| | deny-access | Cannot view the Network Operations application. |
| | guestoperator | Has guest operator access for the Network Operations application. User does not have access to Account Home > Global Settings. |
| | readonly | Has read-only access to Account Home > Global Settings and the Network Operations application. |
| | readwrite | Has read-write access to Account Home > Global Settings and the Network Operations application. Has access to view and modify data using the Aruba Central UI or APIs. However, the user cannot execute APIs to: • Enable or disable MSP mode. • Perform operations in the following pages: ◦ Account Home > Users & Roles ◦ Network Operations application > Organization > Labels and Sites |
| ClearPass Device Insight | admin | Administrator for the ClearPass Device Insight application. |
| | deny-access | Cannot view the ClearPass Device Insight application. |
| | readonly | Can launch and view all the pages in the ClearPass Device Insight application. |

Custom Roles
Along with the predefined user roles, Aruba Central also allows you to create custom roles with specific security requirements and access control. However, only users with the administrator role and privileges can create, modify, clone, or delete a custom role in Aruba Central. With custom roles, you can configure access control at the application level and specify access rights to view or modify specific application services or modules. For example, you can create a custom role that allows access to specific applications such as Guest Management or Network Management and assign it to a user.
MSP tenant account users cannot add, edit, or delete roles.
Adding a Custom Role

The following are the permissions that you can associate with a custom role:
• User roles with Modify permission can perform add, edit, or delete actions within the specific module.
• User roles with View Only permission can only view the specific module.
• User roles with Block permission cannot view that particular module.
To add a custom role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles.
2. Click the Roles tab.
3. Click Add Role. The New Role window is displayed.
4. Specify a name for the role.
5. From the drop-down list, select one of the following:
   • Account Home--To manage access to devices and subscriptions in Aruba Central.
   • Network Operations--To set permissions at the module level in the Network Operations application.
   • ClearPass Device Insight--To set permissions at the module level in the ClearPass Device Insight application. This option is displayed only if the ClearPass Device Insight app is provisioned and if you have subscribed to the app.
6. For Network Management and MSP modules, you can set access rights at the module level. To set view or edit permissions or block the users from accessing a specific module, complete the following steps:
   a. Click Customize.
   b. Select one of the following options for each module as required:
      • View Only
      • Modify
      • Block
7. Click Save.
8. Assign the role to a user account as required.

Module Permissions
Aruba Central allows you to define user roles with view or modify permissions. You can also block user access to some modules. For example, if the Guest Management module is blocked for a specific user role, the corresponding pages are not displayed in the UI. Aruba Central supports setting permissions for the following modules:

Table 25: Permissions

| Application | Module | Description |
|---|---|---|
| Account Home | Devices and Subscription | Aruba recommends users to add devices and assign keys and subscriptions to devices in the Account Home page. |
| Network Operations | MSP | Allows users with administrator role and privileges to define user access to MSP modules such as Customer Management and Portal Customization. The MSP tenant account user does not have access to the MSP application. Even if a tenant account user is assigned a custom role having MSP application privileges: • Tenant account user does have access to the MSP application. • MSP will not appear in the Account Home > Global Settings > Users & Roles > Roles > Allowed Applications list. |
| | Group Management | Allows users to create, view, modify, and delete groups and assign devices to groups. |
| | Devices and Subscription | Users cannot edit or set permissions for this module. Modify and Block options are disabled. By default, the View Only permission is set. |
| | Network Management | Allows users to configure, troubleshoot, and monitor Aruba Central-managed networks. |
| | Guest Management | Allows users to configure cloud guest splash page profiles. |
| | AirGroup | Allows users to define or block user access to the AirGroup pages. |
| | Presence Analytics | Allows users to access the Presence Analytics app and analyze user presence data. |
| | VisualRF | Allows users to access VisualRF and RF heatmaps. |
| | Unified Communications | Allows users to access the Unified Communications pages. |
| | Install Manager | Allows users to manage installer profiles and site installations. |
| | Reports | Allows users to view and create reports. |
| | Other Applications | Allows users to access other applications modules such as notifications and Virtual Gateway deployment service. |
| ClearPass Device Insight (NOTE: This option is displayed only if the ClearPass Device Insight app is provisioned and if you have subscribed to the app.) | Classified devices | Allows users to view or modify system and user-classified devices. |
| | Generic devices | Allows users to view or modify devices which are not classified by system or user. |
| | User classified devices | Allows users to view or modify user-classified devices. |
| | Discovery settings | Allows users to view, create, modify, or delete discovery settings. |
| | Application settings | Allows users to view or modify application level user settings. |
| | Reports | Allows users to create and view reports. |
| | Other Applications | Allows users to define or block access to other applications. |

Viewing User Role Details
To view the details of a user role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles.
2. Click the Roles tab. The Roles tab displays the following information:
   • Role Name--Name of the user role.
   • Allowed Applications--The application(s) to which the user account is subscribed.
   • Assigned Users--Number of users assigned to a role.
Editing a User Role
To edit a user role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the edit icon.
4. In the Edit Role <"Rolename"> window, modify the permissions set for module(s).
5. Click Save.
Deleting a User Role
To delete a user role, ensure that the role is not associated to any user and complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the delete icon.
4. Confirm role deletion in the Confirm Action dialog box.

Two-Factor Authentication
Aruba Central now supports two-factor authentication for both computers and mobile phones to offer a second layer of security to your login, in addition to password. When two-factor authentication is enabled on a user account, the users can sign in to their Aruba Central account either through the mobile app or the web application, only after providing their password and the six-digit verification code displayed on their trusted devices. When two-factor authentication is enabled at the customer account level, all the users belonging to the customer account are required to complete the authentication procedure when logging in to Aruba Central. If a user account is associated with multiple customer accounts and if two-factor authentication is enabled on one of these accounts, the user must complete the two-factor authentication during the login procedure. If two-factor authentication is enabled on your accounts, you must install the Google Authenticator app on your devices such as mobile phones to access the Aruba Central application. When the users attempt to log in to Aruba Central with their credentials, the Google Authenticator app provides a six-digit verification code to complete the login procedure.
Installing the Google Authenticator App
For two-factor authentication, ensure that the Google Authenticator app is installed on your mobile device. During the registration process, the Aruba Central application shares a secret key with the mobile device of the user over a secure channel when the user logs in to Aruba Central. The key is stored in the Google Authenticator app and used for future logins to the application. This prevents unauthorized access to a user account because this authentication procedure involves two levels for a secure transaction. When you register your mobile device successfully, the Google Authenticator app generates a six-digit token for the second level authentication. The token is generated every thirty seconds.
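The six-digit, thirty-second token described above follows the time-based one-time password scheme that Google Authenticator implements by default (RFC 6238 with HMAC-SHA1). The following is an added example, not code from Aruba Central or this guide: a verifier that tolerates one step of clock drift and rejects a replayed token. The function and class names, the drift window, and the sample secret (the RFC 6238 test key, constructed here) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the guide: a new token every thirty seconds
DIGITS = 6         # the guide: six-digit verification code

# Constructed sample secret: the RFC 6238 test key, Base32-encoded the way an
# authenticator app shows a secret key that is typed in instead of scanned.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Decode a Base32 secret, tolerating spaces, lower case and missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(decode_secret(secret_b32), int(unix_time) // STEP_SECONDS)


class TotpVerifier:
    """Server-side check for one user's secret (hypothetical helper)."""

    def __init__(self, secret_b32: str, drift_steps: int = 1):
        self._key = decode_secret(secret_b32)
        self._drift = drift_steps  # assumed tolerance: one step either side
        self._last_step = -1       # highest time step already accepted

    def verify(self, token: str, unix_time: float) -> bool:
        current = int(unix_time) // STEP_SECONDS
        matched = None
        for step in range(current - self._drift, current + self._drift + 1):
            if step < 0:
                continue
            expected = hotp(self._key, step).encode()
            # Constant-time comparison; every candidate step is always checked.
            if hmac.compare_digest(expected, token.encode()):
                matched = step
        # Reject a miss, and reject any step at or before one already used,
        # so a token observed once cannot be replayed inside the drift window.
        if matched is None or matched <= self._last_step:
            return False
        self._last_step = matched
        return True


if __name__ == "__main__":
    verifier = TotpVerifier(SAMPLE_SECRET_B32)
    token = totp(SAMPLE_SECRET_B32, 59)
    print("token at t=59:", token)
    print("first use accepted:", verifier.verify(token, 59))
    print("replay accepted:", verifier.verify(token, 65))
```

The drift window is why a token can still be accepted shortly after the authenticator app has moved on to the next code, and the stored last step is what keeps that window from becoming a replay window.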
Enabling Two-factor Authentication for User Accounts
To enable two-factor authentication, complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users and Roles page is displayed.
2. From the Actions menu, slide the Two-Factor Authentication (2FA) toggle button to the right. The two-factor authentication is enabled for all the users associated with the account.
Two-factor Authentication for Aruba Central Web Application
When two-factor authentication is enabled for a customer account, the users associated with that customer account are prompted for two-factor authentication when they log in to Aruba Central. To complete two-factor authentication, perform the following actions:
1. Access the Aruba Central website.
2. Log in with your credentials. If two-factor authentication is enforced on your account, the two-factor authentication page opens.
3. Install the Google Authenticator app on your mobile device if not already installed.
4. Click Next.
5. If this is your first login since two-factor authentication is enforced on your account, open Google Authenticator on your mobile device.
6. Scan the QR Code. If you are unable to scan the QR code, perform the following actions:
   a. Click the Problem in Reading QR Code link. The secret key is displayed.
   b. Enter this secret key in the Google Authenticator app.
   c. Ensure that the Time-Based parameter is set. Aruba Central is added to the list of supported clients and a six-digit token is generated.
7. Click Next.
8. Enter the six-digit token.
9. Select the Remember 2FA for 30 Days check box if you want the authentication to expire only after 30 days.
10. Click Finish.
Two-factor Authentication for the Aruba Central Mobile App
Two-factor authentication must first be enabled for your account. If two-factor authentication is not enabled, you log in to the application directly after a successful SSO authentication. To log in to Aruba Central app on your mobile device, perform the following actions:
1. Open the Aruba Central app on your mobile device.
2. Enter your username and password and click Log in. If the registration process is pending, an error message is displayed:
   Please register for two-factor authentication in our web app to ensure secured authentication.
3. Enter the token. On successful authentication, the Aruba Central app opens.
Registering a New Mobile Device
If you have changed your mobile device, you need to install the Google Authenticator app on your new device and register again for two-factor authentication using a web browser on your desktop. To register your new mobile device, complete the following steps:
1. Log in to the Aruba Central web application. The two-factor authentication page is displayed.
2. Click the Changed Your Mobile Device? link.
3. To register your new device and receive a reset email with instructions, click Send 2FA Reset Email. A reset email with instructions will be sent to your registered email address.
4. Follow the instructions in the email and complete the registration.
Support Access
Aruba technical support may ask you to enable Support Access to debug issues. After you enable Support Access, the Aruba support team can access your Aruba Central account remotely. Only users with administrator role can enable Support Access.
Enabling Support Access
To enable Support Access, complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users and Roles page is displayed.
2. From the Actions menu, slide the Support Access toggle button to the right.
3. Set password expiry by selecting the number of days and click Get Password. A new password is generated.
4. Copy the password and share it with the Aruba technical support representative.
Disabling Support Access
After the remote support session is complete, do the following to disable Support Access:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users and Roles page is displayed.
2. From the Actions menu, slide the Support Access toggle button to the left.
Proximity Tracing
Aruba has introduced a new feature, proximity tracing, to perform queries for contact and location tracing. Proximity tracing complements a host of other tools or techniques geared towards enabling customers to understand their users' movements and interactions, specifically with a focus on combating the COVID-19 pandemic. To increase the scope and help as many people as possible, proximity tracing is offered to both Aruba Central customers (Instant AP) and Airwave customers (Campus AP and Instant AP) including NetInsight campus customers. Proximity tracing tracks wireless client devices (stations) and associated stations they come into contact with, either directly or through connections to neighboring access points, as well as location tracing. Proximity tracing jobs from NetInsight process wireless client data connected to Instant AP through Aruba Central and wireless client data connected to AP through Airwave connection (AW8).
Proximity tracing efforts work best when devices have a static MAC address and are required to have a unique username. A random MAC address or a constantly changing username complicates the ability to locate an individual user or device and the users they may have come into contact with, and may lessen the impact of this tool.
Proximity tracing can be done at the global or customer (CID) level for a duration of 14 days within the last 21 days. Customers can download the contact username list as a CSV file. The downloaded file shows additional details, including username, MAC address, AP, duration, site, and date. To trace contact clients and location, see Contact and Location Tracing. The Opt-Out feature excludes specific users from being traced. To exclude a set of users, add their MAC addresses to a TXT file and upload the file. Each upload must contain the latest list of MAC addresses to ignore. The latest list must be the complete new set of entries, reflecting any new, updated, or removed entries. When a new file is uploaded, the opt-out client list is replaced with the new list. To opt out clients, see Opt-Out Clients.
Pre-requisites
Proximity tracing has the following pre-requisites for data coming from Airwave Server:
- AirWave Server connection signup should happen through an Aruba Central account by creating a new customer account that does not have any Instant AP on-boarded. To sign up for an AirWave Server connection through Aruba Central by creating a new customer account, see AirWaveServer Connection Signup Through Aruba Central.
- Devices (AP and wireless clients) should be present in the customer network coming through Airwave.
- The following terms are derived for proximity tracing:
  - If duplicate usernames exist, an imputed username is derived by taking the MAC address.
  - If a username has more than 5 wireless clients connected during the same hour, an imputed username derived by taking the MAC address is used instead.
  - If the device generates a random MAC address, it is mapped to the same username if it remains unique.
  - If a user inputs both username and MAC address, the search results are based on the username.
  - If a username keeps changing in a network, the results are processed with the username that is used most in the day.

Contact and Location Tracing
To trace contact clients and location:
1. In the Network Operations app, set the filter to Global.
2. Under Analyze, click Tools > Proximity Tracing.
3. Enter the values for the parameters listed in the following table. Enter either the username or MAC address.

Table 26: Contact Tracing

Mode          Description
Username      Client name.
MAC Address   MAC address of the client.
Start Date    Start date within the last 21 days.
End Date      End date within the last 21 days. End date cannot be more than 14 days from start date.

4. Click Trace Contacts/Locations. The traced contacts are listed under Contact Usernames table and the location under Locations table.
If the username does not return any result, enter the MAC address. Contact and location tracing work best when devices have a static MAC address and are required to have a unique username. A random MAC address or a constantly changing username complicates the ability to locate an individual user or device and the users they may have come into contact with, and may lessen the impact of this tool.
Optionally, click Download to download the traced contacts or locations as a CSV file.
The CSV file contains more information than is displayed in the Contact Usernames table and Locations table and can be used for advanced analysis.

Opt-Out Clients
To opt out specific clients from being traced, save the MAC addresses of the clients in a TXT file and upload it to Aruba Central.
The uploaded opt-out list overwrites the previous list of opt-out entries. The latest list must be the complete new set of entries, reflecting any new, updated, or removed entries.
In the opt-out clients TXT file, enter each MAC address on a new line in the following format: xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx, where x is a case-insensitive hexadecimal number.

For example:
00:1B:44:11:3A:B7
30-65-EC-6F-C4-58
f0c3717d06d1
To upload the opt-out clients file:
1. In the Network Operations app, set the filter to Global.
2. Under Analyze, click Tools > Proximity Tracing.
3. Click the configuration icon.
4. In the Opt-out Clients tab, click No file uploaded (text file only) and select the TXT file.
5. Click Upload.
To download the current opt-out list, click Download.
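Because each upload overwrites the previous opt-out list, the new file has to be built from the downloaded current list plus the intended changes. The following is an added example, not part of the Aruba guide and not Aruba code: it validates every line against the three accepted formats, applies additions and removals, and flags entries whose locally administered bit is set (randomized client MACs set this bit, so such an entry may stop matching when the device rotates its address). Function names are hypothetical, and the address da:a1:19:00:00:01 is constructed for the example.

```python
import re

# Line formats the guide accepts: xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx, xxxxxxxxxxxx
MAC_PATTERNS = (
    re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"),
    re.compile(r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}"),
    re.compile(r"[0-9A-Fa-f]{12}"),
)

# Constructed sample input. The first three addresses are the guide's own
# format examples; da:a1:19:00:00:01 is made up for this example.
SAMPLE_CURRENT = "00:1B:44:11:3A:B7\n30-65-EC-6F-C4-58\nf0c3717d06d1\n"
SAMPLE_ADD = "DA:A1:19:00:00:01\n00-1b-44-11-3a-b7\n"
SAMPLE_REMOVE = "F0C3717D06D1\n"


def canonical_mac(line):
    """Return the MAC as 12 lowercase hex digits, or None if the line is not
    in one of the three accepted formats (mixed separators are rejected)."""
    text = line.strip()
    if any(p.fullmatch(text) for p in MAC_PATTERNS):
        return re.sub(r"[:-]", "", text).lower()
    return None


def parse_opt_out(text):
    """Parse list text into (unique MACs in file order, rejected lines).
    Rejected lines are (line_number, content) tuples; blank lines are skipped."""
    macs, seen, rejects = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        mac = canonical_mac(raw)
        if mac is None:
            rejects.append((lineno, raw.strip()))
        elif mac not in seen:
            seen.add(mac)
            macs.append(mac)
    return macs, rejects


def is_randomized(mac):
    """True when the locally administered bit (0x02 of the first octet) is set.
    Randomized (private) client MACs set this bit, so this is a heuristic."""
    return bool(int(mac[:2], 16) & 0x02)


def format_mac(mac):
    """Render 12 hex digits in the colon-separated format."""
    return ":".join(mac[i:i + 2] for i in range(0, 12, 2))


def build_replacement(current_text, add_text="", remove_text=""):
    """Build the complete replacement list from the downloaded current list
    plus additions and removals. Raises ValueError if any input line is not
    a valid MAC, so a malformed file is never produced for upload."""
    parsed, rejects = {}, []
    for name, text in (("current", current_text), ("add", add_text),
                       ("remove", remove_text)):
        parsed[name], bad = parse_opt_out(text)
        rejects += [(name,) + item for item in bad]
    if rejects:
        raise ValueError("not in an accepted MAC format: %r" % (rejects,))
    drop = set(parsed["remove"])
    merged = [m for m in parsed["current"] if m not in drop]
    added = [m for m in parsed["add"] if m not in drop and m not in merged]
    merged += added
    return {
        "file_text": "".join(format_mac(m) + "\n" for m in merged),
        "added": added,
        "removed": [m for m in parsed["current"] if m in drop],
        "randomized": [m for m in merged if is_randomized(m)],
    }


if __name__ == "__main__":
    plan = build_replacement(SAMPLE_CURRENT, SAMPLE_ADD, SAMPLE_REMOVE)
    print(plan["file_text"], end="")
    print("added:", plan["added"], "removed:", plan["removed"])
    print("randomized (may stop matching after MAC rotation):", plan["randomized"])
```

Review the added and removed lists before uploading the generated text, since any client missing from the uploaded file is no longer opted out.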
AirWaveServer Connection Signup Through Aruba Central
To sign up for an AirWave Server connection through Aruba Central by creating a new customer account:
1. Navigate to the Sign Up for Aruba Central site.
2. Under Account Details, enter an email address and password. Under Customer Details, enter the requisite details. If you are already an Aruba Central user, it is recommended to use the same account. If you are an Aruba Central user and an AirWave user for Data center, create a new account for AirWave as both data sources are different.
3. Select an Aruba Central server based on your region.
4. Select Network Operations for Interested Apps.
5. Click I agree to the Terms and Conditions.
6. Click Sign Up.
7. An email is sent to the registered email address. In that email, click Activate your account here or click the URL provided to activate the account.
8. After the account is verified, you will be redirected to the Aruba Central Login site. Log in with the registered credentials.
9. In the Welcome to Aruba Central page, select Evaluate Now.
10. Click Exit Workflow.
11. In the Exit Workflow pop-up, click Exit Now.
12. In the Network Operations app, set the filter to Global.
13. Under Analyze, click Tools > Proximity Tracing.
14. Click the configuration icon.
15. Click the Airwave Connection tab. Under Status:
    - Provision shows Not Provisioned
    - Connection shows Not Connected
    - Data Access shows Enabled
    These parameters cannot be modified while provisioning.
    If you signed in using a TID loaded with Instant AP, the Airwave Connection tab is not available.
16. Under Connection Settings, both Customer ID and Email Address are auto-filled and cannot be edited. The values for both are obtained from the logged in user. For Secret, enter a value or click Generate.
17. After a secret is entered or generated, click Copy to Clipboard. Paste and save the secret along with customer ID and email address securely. These are required during AW8 configuration.
18. Click Save. The page automatically refreshes and under Status:
    - Provision shows Provisioned
    - Connection shows Not Connected
    - Data Access shows Enabled
    The Secret is hashed and cannot be viewed after it is saved.
19. After provisioning is completed, under Status:
    - Provision shows Provisioned
    - Connection shows Connected
    - Data Access shows Enabled
AirWave Configuration
To configure AirWave to send information to Aruba Central:
1. Log in to AirWave.
2. Select 3.
   AirWave Management Platform 8.2.11.1.20200628.0336 on localhost.localdomain
   1 Files >
   2 Backups >
   3 Configuration >
   4 System >
   5 Users >
   6 Support >
   7 Security >
   8 Advanced >
   q >> Quit
   Your choice:3
3. Select 6.
   Configuration
   1 Configure Network Settings
   2 Set Hostname
   3 Set Timezone
   4 Certificates >
   5 SSHD >
   6 CLT >
   b >> Back
   Your choice:6
4. Select 1.
   CLT
   1 Configure CLT
   2 Reconfigure CLT
   3 Remove CLT
   4 Test CLT GW connectivity
   b >> Back
   Your choice:1
   Running Configure CLT
   Before configuring AW8 for CLT, you are required to Sign Up on Central first. You will require Customer ID, Email and Secret used on Central during SignUp. You will also need to allow access from AW8 to
   https://nookgw.netinsight.arubanetworks.com/ on tcp-port 443.
   https://cltanalytics.s3-us-west-2.amazonaws.com on tcp-port 443
   For more details, please refer to Installation Documents or contact your local SE.
   Would you like to continue? (y/N) : y
   Enter your Customer ID: <enter customer ID copied from Aruba Central>
   Enter your CLT email ID: <enter email address copied from Aruba Central>
   secret: <enter secret copied from Aruba Central>
   CLT configured successfully.
   Hit return to continue ...
Removing AirWave Connection
When you remove an AirWave connection, the original provisioning information will be available for a maximum of 24 hours before it is removed. If the AirWave server was accidentally removed, it is recommended to wait for at least 24 hours before provisioning the AirWave server again and completing AirWave configuration. To remove the AirWave connection from Aruba Central:
1. In the Network Operations app, set the filter to Global.
2. Under Analyze, click Tools > Proximity Tracing.
3. Click the configuration icon.
4. Click the Airwave Connection tab.
5. Under Remove Airwave Connection, click Remove Airwave Connection.
6. In the Remove Airwave Connection pop-up, click Remove Airwave Connection.
Disabling Data Access
To disable access to proximity data:
1. In the Network Operations app, set the filter to Global.
2. Under Analyze, click Tools > Proximity Tracing.
3. Click the configuration icon.
4. Click the Airwave Connection tab.
5. Slide the Enable Data Access toggle to the left.
Groups for Device Configuration and Management
Aruba Central simplifies the configuration workflow for managed devices by allowing administrators to combine a set of devices into groups. A group in Aruba Central is the primary configuration element that functions as a container for device management, monitoring, and maintenance. Groups enable administrators to manage devices efficiently by using either a UI-based configuration workflow or CLI-based configuration template. Groups provide the following functions and benefits:
- Ability to provision multiple devices in a single group. For example, a group can consist of multiple Instant AP Virtual Controllers (VCs). These VCs can share common configuration settings and push the configuration updates to slave Instant APs in their respective Instant AP clusters. For example, you can apply a common security policy for the devices deployed in a specific geographical location.
- Ability to provision different types of devices in a group. For example, a group can consist of Instant APs, Gateways, and Switches.
- Ability to create a configuration base and add devices as necessary. When you assign a new device to a group, it inherits the configuration that is currently applied to the group.
- Ability to create a clone of an existing group. If you want to build a new group based on an existing group, you can create a clone of the group and customize it as per your network requirements.
A device can be part of only one group at any given time. Groups in Aruba Central are mutually exclusive (independent) and do not follow a hierarchical model. The following figure illustrates a generic group deployment scenario in Aruba Central:
Figure 17 Group Deployment
Group Operations
The following list shows the most common tasks performed at a group level:
- Configuration--Add, modify, or delete configuration parameters for devices in a group.
- User Management--Control user access to device groups and group operations based on the type of user role.
- Device Status and Health Monitoring--View device health and performance for devices in a specific group.
- Report Generation--Run reports per group.
- Alerts and Notifications--View and configure notification settings per group.
- Firmware Upgrades--Enforce firmware compliance across all devices in a group.
Group Configuration Modes
Aruba Central allows network administrators to manage device configuration using either UI workflows or configuration templates:
- UI-based configuration method--For device groups that use UI-based workflows, Aruba Central provides a set of UI menu options. You can use these UI menu options to configure devices in a group. You can also secure the UI-based device groups with a password and thus restrict user access.
- Template-based configuration method--For device groups that use a template-based workflow, Aruba Central allows you to manage devices using configuration templates. A device configuration template includes a set of CLI commands and variable definitions that can be applied to all other devices deployed in a group.
If your site or store has different types of devices, such as the Instant APs, Switches, and Gateways, and you want to manage these devices using different configuration methods, that is, either using the UI or template-based workflows, you can create a single group and define a configuration method to use for each type of device. This allows you to use a single group for both UI and template-based configuration and eliminates the need for creating separate groups for each configuration method. For example, you can create a group with the name Group1 and within this group, you can enable template-based configuration method for switches and UI-based configuration method for Instant APs and Gateways. Aruba Central identifies both these groups under a single name (Group1). If a device type in the group is marked for template-based configuration method, the group name is prefixed with TG (TG Group1). You can use Group1 as the group ID for workflows such as user management, monitoring, reports, and audit trail. When you add Instant APs, Gateways, and switches to a group, Aruba Central groups these devices based on the configuration method you chose for the device type, and displays relevant workflows when you try to access the respective configuration menu. For information on how to create a group, see Managing Groups.
Default Groups and Unprovisioned Devices
The default group is a system-defined group to which Aruba Central assigns all new devices with factory default configuration. When a new device with factory default configuration connects to Aruba Central, it is automatically added to the default group. If a device has customized configuration and connects to Aruba Central, Aruba Central marks the device as Unprovisioned. If you want to preserve the device configuration, you can create a new group and assign this device to the newly created group. If you want to overwrite the configuration, you can move the unprovisioned device to an existing group.

The unprovisioned state does not apply to Aruba Switches as only the factory-default switches can join Aruba Central.
Best Practices and Recommendations
Use the following best practices and recommendations for deploying devices in groups:
- Determine the configuration method (UI or template-based) to use based on your deployment, configuration, and device management requirements.
- If there are multiple sites with similar characteristics--for example, with the same device management and configuration requirements--assign the devices deployed in these sites to a single group.
- Apply device-level or cluster-level configuration changes if necessary.
- Use the group cloning feature if you need to create a group with an existing group's configuration settings.
- If the user access to a particular site must be restricted, create separate groups for each site.
Working with Groups
See the following topics for detailed information and step-by-step instructions on how to manage groups and provision devices assigned to a group:
- Managing Groups
- Provisioning Devices Using UI-based Workflows
- Provisioning Devices Using Configuration Templates
Managing Groups
The Groups page allows you to create, edit, or delete a group, view the list of groups provisioned in Aruba Central, and assign devices to groups. This section describes the following topics:
- Managing Groups
- Assigning Devices to Groups
- Creating a New Group by Importing Configuration from a Device
- Viewing Groups and Associated Devices
- Cloning a Group
- Moving Devices between Groups
- Configuring Device Groups
- Deleting a Group
Creating a Group
Aruba Central allows you to manage configuration for different types of devices, such as Aruba Instant APs, Gateways, and switches in your inventory. These devices can be configured using either UI workflows or configuration templates. You can define your preferred configuration method when creating a group. Aruba Central allows you to create a single group with different configuration methods defined for each device type. For example, you can create a group with the name Group1 and within this group, you can enable template-based configuration method for switches and UI-based configuration method for Instant APs and Gateways. Aruba Central identifies both these groups under a single name (Group1). If a device type in the group is marked for template-based configuration method, the group name is prefixed with TG (TG Group1). You can use Group1 as the group ID for workflows such as user management, monitoring, reports, and audit trail. After you assign devices to a group and when you access configuration containers, Aruba Central automatically displays relevant configuration options based on the configuration method you defined for the device group.
To create a group:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. Click (+) New Group. The Create New Group pop-up window opens.
4. Enter a name for the group. The group name can be a maximum of 32 single byte ASCII characters if you use the UI to create the names. However, if you are using an NB API, the character limit increases to 128. A group name supports all special characters excluding the ">" character. System-defined group names such as "default", "unprovisioned", and "global" are not allowed in group names.
   By default, Aruba Central enables template-based configuration method for switches and UI-workflow-based configuration method for Instant AP and Gateway.
5. To enable template-based configuration method for all device categories:
   - For Instant APs or Gateways, select the IAP and Gateway check box.
   - For Switches, ensure that the Switch check box is selected. The Switch check box is enabled by default.
6. To enable UI-based configuration method on all device categories:
   a. For Instant APs and Gateways, ensure that the IAP and Gateway check box is cleared.
   b. For switches, clear the Switch check box.
7. Assign a password. This password enables administrative access to the device interface.
8. Click Add Group.
You can also create a group that uses different provisioning methods for the switch and the IAP and Gateway device categories. For example, you can create a group with template-based provisioning method for switches and UI-based provisioning method for Instant APs and Gateways.
Assigning Devices to Groups
To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory:
1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign.
4. Click Assign Device(s).
To assign a device to a group from the Groups page:
1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the devices table on the right, select the device that you want to assign to a new group.
4. Drag and drop the device to the group to which you want to assign the device.
Viewing Groups and Associated Devices
To view the groups dashboard, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed. The groups table on the left side of the page displays the following information:
   - Group Name--Name of the group.
   - Devices--Number of devices assigned to a group.
   - All Connected Devices--Total number of devices provisioned in Aruba Central. The devices table on the right side of the page shows all the devices provisioned in Aruba Central.
   - Unassigned Devices--Total number of devices that are yet to be assigned. The devices table on the right shows the devices that are not assigned to any group.
   The devices table is not available for MSP users as the devices are primarily assigned to tenant accounts. However, MSP administrators can drill down to a tenant account and view devices mapped to a group.
3. To view the devices assigned to a group, select the group from the table on the left. The devices table displays the following information:
   - Name--Name of the device.
   - Location--Physical location of the device.
   - Type--Type of the device such as Instant AP or Switch.
   - Serial--Serial number of the device.
   - MAC Address--MAC address of the device.
Creating a New Group by Importing Configuration from a Device
To import configuration from an existing device to a new group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. Select the device from which you want to import the configuration.
4. Click Import Configuration to New Group. The Import Configuration pop-up window opens.
5. Enter a name for the group.
6. Configure a password for the group.
7. Click Import Configuration.
Cloning a Group
To clone a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. To create a clone of an existing group, select the group from the groups table and click Clone Selected Group.
4. Enter a name for the cloned group.
5. Click Add Group.
When you clone a group, Aruba Central also copies the configuration templates applied to the devices in the group.
Moving Devices between Groups
To move a device from one group to another group:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the devices table on the right, select from the following device options that you want to move:
   - Virtual Controller--Moving a Commander VC also moves the member IAP(s) to the new group.
   - Switch stack--Moving a commander stack also moves the member switches to the new group.
   - Standalone IAP--Moving a standalone IAP moves only that particular IAP to the new group.
   - Standalone switch--Moving a standalone switch moves only that particular switch to the new group.
   - Gateways (MC)--Moving a standalone MC moves only that particular MC to the new group.
4. Drag and drop the device to the group to which you want to assign the device.
5. Click Yes when the system prompts you to confirm device movement.
MSP mode does not support moving devices across different groups.
Configuring Device Groups
For information on provisioning devices in groups, see the following topics:
- Provisioning Devices Using UI-based Workflows
- Provisioning Devices Using Configuration Templates

Configuring Groups in MSP Mode
For information on using groups in the MSP mode and instructions on how to assign devices to MSP tenants, see the Aruba Central Managed Service Provider User Guide.

Deleting a Group
When you delete a group, Aruba Central removes all configuration, templates, and variable definitions associated with the group. Before deleting a group, ensure that there are no devices attached to the group.
To delete a group:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the list of groups, select the group that you want to delete.
4. Click the delete icon.
5. Confirm deletion.
Assigning Devices to Groups
In Aruba Central, devices are assigned to groups for configuration, monitoring, and management purposes. A group in Aruba Central is a primary configuration element that acts like a container. In other words, groups are a subset of one or several devices that share common configuration settings. Aruba Central supports assigning devices to groups for the ease of configuration and maintenance. For example, you can create a common group for Branch Gateways or Instant APs that have similar configuration requirements.

Assigning Instant APs to Groups
The Instant AP groups may consist of the following configuration elements:
- Instant AP Cluster--Consists of a master Instant AP and a set of slave Instant APs in the same VLAN.
- Virtual Controller--A virtual controller provides an interface for the entire cluster. The slave Instant APs and master Instant APs function together to provide a virtual interface.
- Master Instant AP and Slave Instant AP--In a typical Instant AP deployment scenario, the first Instant AP that comes up is elected as the master Instant AP. All other Instant APs joining the cluster function as the slave Instant APs. When a master Instant AP is elected, the slave Instant APs download the configuration changes.
The following table describes the group assignment criteria for Instant APs:

Table 27: Instant AP Group Assignment

APs with Default Configuration
If an Instant AP with factory default configuration joins Aruba Central, it is automatically assigned to the default group or to an existing group with similar configuration settings. The administrators can perform any of the following actions:
- Manually assign them to a pre-provisioned group.
- Create a new group.

APs with Non-Default Configuration
If an Instant AP with non-default or custom configuration joins Aruba Central, it is automatically assigned to an unprovisioned group. The administrators can perform any of the following actions:
- Create a new group for the device and preserve device configuration.
- Move the device to an existing group and override the device configuration.

To manually assign Instant AP(s) to a group:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. To view a list of unassigned devices, click Unassigned Devices. A list of unassigned devices is displayed in the devices table.
4. Select the group to which you want to assign the devices.
5. From the devices table on the right, select Instant AP(s) to assign.
6. Drag and drop the Instant APs to the group that you selected.

Assigning Switches to Groups
Aruba Central allows switches to join groups only if the switches are running factory default configuration. Switches with factory default configuration are automatically assigned to the default group. Administrators can either move the switch to an existing group or create a new group.
Provisioning and configuring of Aruba 5400R switch series and switch stacks is supported only through configuration templates. Aruba Central does not support moving Aruba 5400R switches from the template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, then the device is moved to an unprovisioned group after it joins Aruba Central.
To manually assign switch(s) to a group:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. To view a list of unassigned devices, click Unassigned Devices. A list of unassigned devices is displayed in the devices table.
4. Select the group to which you want to assign the devices.
5. From the devices table on the right, select the switch(s) to assign.
6. Drag and drop the switches to the group that you selected.
Provisioning Devices Using UI-based Workflows
This section describes the important points to consider when assigning devices to UI groups:

- Provisioning Instant APs using UI-based Configuration Method
- Provisioning Switches Using UI-based Configuration Method
- Provisioning Aruba Gateways Using UI-based Configuration Method

Provisioning Instant APs using UI-based Configuration Method
An Instant AP device group may consist of any of the following:
- Instant AP Cluster--Consists of a master Instant AP and slave Instant APs in the same VLAN.
- VC--A virtual controller. VC provides an interface for the entire cluster. The slave Instant APs and master Instant APs function together to provide a virtual interface.
- Master Instant AP and Slave Instant AP--In a typical Instant AP deployment scenario, the first Instant AP that comes up is elected as the master Instant AP. All other Instant APs joining the cluster function as the slave Instant APs. When a master Instant AP is configured, the slave Instant APs download the configuration changes. The master Instant AP may change as necessary from one device to another without impacting network performance.
Aruba Central allows configuration operations at the following levels for a device group with Instant APs.
- Per group configuration--Aruba Central allows you to maintain unique configuration settings for each group. However, these settings are applied to all devices within that group. For example, all VCs within a group can have common SSID settings.
- Per VC Configuration--Any changes that need to be applied at the Instant AP cluster level can be configured on a VC within a group. For example, VCs within a group can have different VLAN configuration for the SSIDs.
- Per Device Configuration--Although devices are assigned to a group, the users can maintain device-specific configuration such as radio, power, or uplink settings for an individual AP within a group.
When the APs that are not pre-provisioned to any group join Aruba Central, they are assigned to groups based on their current configuration.

Table 28: Instant AP Provisioning

APs with Default Configuration
   If an Instant AP with factory default configuration joins Aruba Central, it is automatically assigned to the default group or an existing group with similar configuration settings.
   The administrators can perform any of the following actions:
   - Manually assign them to an existing group.
   - Create a new group.

APs with Non-Default Configuration
   If an Instant AP with non-default or custom configuration joins Aruba Central, it is automatically assigned to an unprovisioned group.
   The administrators can perform any of the following actions:
   - Create a new group for the device and preserve device configuration.
   - Move the device to an existing group and override the device configuration.

Ensure that the master Instant AP and slave Instant APs are assigned to the same group. You must convert the slave Instant AP to a standalone AP in order to move the slave Instant AP to another group independently.

In the following illustration, Instant APs from three different geographical locations are grouped under California, Texas, and New York states. Each state has unique SSIDs and can support devices from multiple locations in a state. As shown in Figure 18, the California group has devices from different locations and has the same SSID, while devices in the other states/groups have different SSIDs.
When a device with the factory default configuration connects to Aruba Central, it is automatically assigned to the default group. If the device has custom configuration, it is marked as unprovisioned. If you want to preserve the custom configuration, create a new group for the device. If you want to overwrite the custom configuration, you can assign the device to an existing group.
Figure 18 Instant AP provisioning

For more information on how to configure Instant APs using UI-based configuration workflows, see Deploying a Wireless Network Using Instant APs on page 262. To view local overrides and configuration errors, select a template group and navigate to Devices > Access Points > Settings > Configuration Audit page.
Provisioning Switches Using UI-based Configuration Method
Aruba Central allows switches to join UI groups only if the switches are running factory default configuration. Aruba Central assigns switches with factory default configuration to the default group. The administrators can either move the switch to an existing group or create a new group.
Provisioning and configuring of Aruba 5400R switch series and switch stacks is supported only through configuration templates. Aruba Central does not support moving Aruba 5400R switches from the template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, then the device is moved to an unprovisioned group after it joins Aruba Central.
Aruba Central allows the following configuration operations at the following levels for switches in a UI group:
- Per group configuration--Aruba Central allows you to maintain unique configuration settings for each group. However, these settings are applied to all devices within that group. For example, all switches within a group can have common VLAN settings.
- Per Device Configuration--Although the Switches inherit group configuration, the users can maintain device-specific configuration, for example, ports or DHCP pools.


For more information on how to configure switches using UI-based configuration workflows, see Configuring or Viewing Switch Properties in UI Groups on page 480. To view local overrides and configuration errors, select a template group and navigate to Devices > Switches > Settings > Configuration Audit page.
Provisioning Aruba Gateways Using UI-based Configuration Method
For SD-Branch deployments with Aruba Gateways, the following recommendations apply:
- Combine Branch Gateways of identical characteristics and configuration requirements under a single group.
- Create groups according to your branch requirements.
   - You can create separate groups for the small, medium, and large sized branches.
   - You can also create separate groups for the branch sites in different geographical locations; for example, East Coast and West Coast branch sites. If these groups have similar characteristics with minor differences, you can create the first group and then clone it.
   - You can use either a single group for all their devices or deploy devices in multiple groups. For example, you can deploy 7008 controllers and Aruba 2930F Switch Series with 24 ports in a single group for every branch.
   - You can also deploy 7005 controller and Aruba 2930F Switch Series with 24 ports in one group and provision 7008 controller with Aruba 2930F Switch Series with 48 ports in another group.
Important Points to Note
- The groups in Aruba Central are not device-specific; however, Aruba recommends that you use the following guidelines for provisioning SD-WAN Gateways.
   - Assign Branch Gateways and VPN Concentrators to separate groups. Because the configuration requirements for Branch Gateways and VPN Concentrators are different, the Branch Gateways and VPN Concentrators must be assigned to different groups.
   - Ensure that the configuration group for SD-WAN Gateways consists of the same type of devices. For example, Branch Gateways assigned to a group must have the same number of ports.
- Before assigning SD-WAN Gateways to groups, you must set the device persona or role as Branch Gateway or VPN Concentrator.
Example
The following figures show a few sample group deployment scenarios for Aruba Branch Gateways and VPN Concentrators:
Figure 19 Branch Gateway Groups

Figure 20 VPN Concentrator Groups

For more information on how to configure Aruba using UI-based configuration workflows, see the SD-Branch Configuration section in Aruba Central Help Center. To view local overrides and configuration errors, select a template group and navigate to Devices > Gateways > Settings > Configuration Audit page.
Provisioning Devices Using Configuration Templates
Aruba Central allows you to provision devices using UI-based or template-based configuration method. If you have groups with template-based configuration enabled, you can create a template with a common set of CLI scripts, configuration commands, and variables. Using templates, you can apply CLI-based configuration parameters to multiple devices in a group. If the template-based configuration method is enabled for a group, the UI configuration wizards for the devices in that group are disabled.


Creating a Group with Template-Based Configuration Method
To create a template group, complete the following steps:
1. In the Network Operations app, set the filter to Global. The dashboard context for selected filter is displayed.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. Click (+) New Group. The Create New Group window is displayed.
4. Enter the name of the group.
5. Select one of the following device types for which you want to create a template group:
   - IAP and Gateway
   - Switch
6. Enter the password and confirm the password.
7. Click Save.
If the group is set as a template group, a configuration template is required for managing device configuration.
Provisioning Devices Using Configuration Templates and Variable Definitions
For information on configuration template, see the following topics:
- Configuring APs Using Templates on page 427
- Using Configuration Templates for Aruba Switch Management on page 469
- Managing Variable Files on page 130
Managing Variable Files
Aruba Central allows you to configure multiple devices in bulk using templates. However, in some cases, the configuration parameters may vary per device. To address this, Aruba Central identifies some customizable CLI parameters as variables and allows you to modify the definitions for these variables as per your requirements. You can download a sample file with variables for a template group or for the devices deployed in a template group, update the variable definitions, upload the file with the customized definitions, and apply these configuration changes in bulk.
Important Points to Note
- Variables are associated to a device and not to a group. If you move a device between groups, variables remain with the device.
- Variables are displayed as part of the group to which the device belongs. After you upload the variables for a device, the association would stay in the system even if the device is moved to a UI group or template group.
- If the device is part of a UI group, variables are unused and not displayed in the UI. Aruba Central ignores the variables.
- If the device is moved to a template group, variables are displayed in the UI and used for configuration purposes.

Downloading a Sample Variables File
The sample variables file includes a set of sample variables that the users can customize. You can download the sample variables file in the JSON or CSV format. To download a sample variables file:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Click Variables.
5. Select one of the following formats to download the sample variables file:
   - JSON--Shows the file in JSON format.
   - CSV--Shows the variables in different columns.
6. Click Download Sample Variables File. The sample variables file is saved to your local directory.

Modifying a Variable File
The CSV file includes the following columns for which the variable definitions are mandatory:
- _sys_serial--Serial number of the device.
- _sys_lan_mac--MAC address of the device.
- modified--Indicates the modification status of the device. The value for this column is set to N in the sample variables file. When you edit a variable definition, set the modified column to Y to allow Aruba Central to parse the modified definition.

Predefined Variables for Aruba Switches
The system-defined variables in the sample variables files are indicated with the _sys prefix. Table 29 lists the predefined variables for switches.

Table 29: Predefined Variables Example

| Variable Name | Description | Variable Value |
|---|---|---|
| _sys_gateway | Populates gateway IP address. | 10.22.159.1 |
| _sys_hostname | Maintains unique host name. | HP-2920-48G-POEP |
| _sys_ip_address | Indicates the IP address of the device. | 10.22.159.201 |
| _sys_module_command | Populates module lines. | module 1 type j9729a |
| _sys_netmask | Netmask of the device. | 255.255.255.0 |
| _sys_oobm_command | Represents Out of Band Management (OOBM) block. | oobm ip address dhcp-bootp exit |
| _sys_snmpv3_engineid | Populates engine ID. | 00:00:00:0b:00:00:5c:b9:01:22:4c:00 |
| _sys_stack_command | Represents stack block. | stacking member 1 type "J9729A" mac-address 5cb901224c00 exit |
| _sys_template_header | Represents the first two lines of the configuration file. Ensure that this variable is the first line in the template. | ; J9729A Configuration Editor; Created on release #WB.16.03.0003+ ; Ver #0f:3f.f3.b8.ee.34.79.3c.29.eb.9f.fc.f3.ff.37.ef:91 |
| _sys_use_dhcp | Indicates DHCP status (true or false) of VLAN 1 | 0 |
| _sys_vlan_1_untag_command | Indicates untagged ports of VLAN 1 | 1-28,A1-A2 |
| _sys_vlan_1_tag_command | Indicates tagged ports of VLAN 1 | 28-48 |

The _sys_template_header and _sys_snmpv3_engineid variables are mandatory and must have values populated, irrespective of their use in the template. If there is no value set for these variables, Aruba Central reimports the values for these mandatory variables when it processes the running configuration of the device.
Predefined Variables for APs
For APs, the sample variables file includes the _sys_allowed_ap variable for which you can specify a value to allow new APs to join the Instant AP cluster.
Conditions
The following conditions apply to the variable files:
- The variable name must be on the left side of the condition and its value must be defined on the right side. For example, %if var=100% is supported and %if 100=var% is not supported.
- The <, <=, >, and >= operators should have only a numeric integer value on the right side. The variables used in these 4 operations are compared as integers after flooring. For example, if a float value is set as %if dpi_value > 2.8%, it is converted to %if dpi_value > 2% for comparison.
- The variable names should not include white space or the & and % special characters. The variable names must match the regular expression [a-zA-Z0-9_]. If variable values with % are defined, ensure that the variable is surrounded by space. For example, wlan ssid-profile %ssid_name%.
- The first character of the variable name must be an alphabetic character. Numeric values are not accepted.

- The values defined for the variable must not include spaces. If quotes are required, they must be included as part of the variable value. For example, if the intended variable name is wlan ssid-profile "emp ssid", then the recommended format for the syntax is "wlan ssid-profile %ssid_name%" and variable as "ssid_name": "\"emp ssid\"".
- If the configuration text has the percentage sign % in it--for example, "url "/portal/scope.cust5001098/Splash%20Profile%201/capture"--Aruba Central treats it as a variable when you save the template. To allow the use of percentage % as an escape character, use \" in the variable definition as shown in the following example:

   Template text

       wlan external-captive-portal "Splash Profile 1_#guest#_"
        server naw1.cloudguest.central.arubanetworks.com
        port
        url %url%

   Variable

       "url": "\"/portal/scope.cust-5001098/Splash%20Profile%201/capture\""

- Aruba Central supports adding multiple lines of variables in Instant AP configuration templates. If you want to add multiple lines of variables, you must add the HAS_MULTILINE_VARIABLE directive at the beginning of the template.

   Example

       #define HAS_MULTILINE_VARIABLE 1
       %if allowed_aps%
       %allowed_aps%
       %endif%

   Variable

       "allowed_aps": "allowed-ap 24:de:c6:cb:76:4e\n allowed-ap ac:a3:1e:c5:db:d8\n allowed-ap 84:d4:7e:c4:8f:2c"

For Instant APs, you can configure a variable file with a set of values defined for a master AP in the network. When the variable file is uploaded, the configuration changes are applied to all Instant AP devices in the cluster.
Examples
The following example shows the contents of a variable file in the JSON format for Instant APs:

{
  "CK0036968": {
    "_sys_serial": "CK0036968",
    "ssid": "s1",
    "_sys_lan_mac": "ac:a3:1e:c5:db:7a",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_1"
  },
  "CJ0219729": {
    "_sys_serial": "CJ0219729",
    "ssid": "s1",
    "_sys_lan_mac": "ac:a3:1e:cb:04:92",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_2"
  },
  "CK0112486": {
    "_sys_serial": "CK0112486",
    "ssid": "s1",
    "_sys_lan_mac": "ac:a3:1e:c8:29:76",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_3"
  },
  "CT0779001": {
    "_sys_serial": "CT0779001",
    "ssid": "s1",
    "_sys_lan_mac": "84:d4:7e:c5:c6:b0",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_4"
  },
  "CM0640401": {
    "_sys_serial": "CM0640401",
    "ssid": "s1",
    "_sys_lan_mac": "84:d4:7e:c4:8f:2c",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_6"
  },
  "CK0037015": {
    "_sys_serial": "CK0037015",
    "ssid": "s1",
    "_sys_lan_mac": "ac:a3:1e:c5:db:d8",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_7"
  },
  "CK0324517": {
    "_sys_serial": "CK0324517",
    "ssid": "s1",
    "_sys_lan_mac": "f0:5c:19:c0:71:24",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_8"
  }
}
Figure 21 shows a sample variables file in the CSV format:
Figure 21 Variables File in the CSV Format
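
Because a variables file is applied to many devices at once, it helps to check it against the conditions listed above before uploading it. The following pre-upload check is an added example, not part of Aruba Central or of the original guide. The function names are hypothetical, the sample data is constructed, and it assumes that _sys_ variables are exempt from the first-letter and no-spaces rules and that each top-level JSON key is the device serial number, as in the sample file above.

```python
import json
import math
import re

NAME_RE = re.compile(r"^[a-zA-Z0-9_]+$")  # character set given in the guide
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")  # colon form, as in the sample
# %if <left> <op> <right>% with the operators the guide mentions
COND_RE = re.compile(r"%if\s+([^\s%<>=]+)\s*(<=|>=|=|<|>)\s*([^\s%]+)\s*%")
MANDATORY = ("_sys_serial", "_sys_lan_mac")


def valid_name(name):
    """[a-zA-Z0-9_] only, first character a letter.
    Assumption: predefined _sys_ names are exempt from the first-letter rule."""
    if not NAME_RE.match(name):
        return False
    return name.startswith("_sys_") or name[0].isalpha()


def lint_value(value):
    """Spaces or % in a value are accepted only when quotes are part of the value."""
    issues = []
    quoted = len(value) >= 2 and value.startswith('"') and value.endswith('"')
    if "\n" in value:
        issues.append("multi-line value: template needs '#define HAS_MULTILINE_VARIABLE 1'")
    elif re.search(r"\s", value) and not quoted:
        issues.append("value has spaces but is not wrapped in quotes")
    if "%" in value and not quoted:
        issues.append("value has % but is not wrapped in quotes")
    return issues


def lint_variables(devices):
    """Return 'serial/variable: problem' strings for a parsed JSON variables file."""
    issues = []
    for serial, variables in devices.items():
        for key in MANDATORY:
            if not variables.get(key):
                issues.append(f"{serial}/{key}: mandatory variable missing")
        # Assumption: each top-level key is the device serial, as in the guide's sample.
        if variables.get("_sys_serial") not in (None, "", serial):
            issues.append(f"{serial}/_sys_serial: does not match the entry key")
        mac = variables.get("_sys_lan_mac")
        if mac and not MAC_RE.match(str(mac)):
            issues.append(f"{serial}/_sys_lan_mac: not a MAC address")
        for name, value in variables.items():
            if not valid_name(name):
                issues.append(f"{serial}/{name}: invalid variable name")
            if name.startswith("_sys_"):
                continue  # assumption: system-populated values may contain spaces
            issues.extend(f"{serial}/{name}: {p}" for p in lint_value(str(value)))
    return issues


def lint_conditions(template):
    """Return (conditions as they will be compared, issues) for %if a op b% lines."""
    conditions, issues = [], []
    for left, op, right in COND_RE.findall(template):
        if not valid_name(left):
            issues.append(f"%if {left}{op}{right}%: variable must be on the left side")
            continue
        if op != "=":
            try:
                right = str(math.floor(float(right)))  # compared as a floored integer
            except (ValueError, OverflowError):
                issues.append(f"%if {left}{op}{right}%: {op} needs a numeric right side")
                continue
        conditions.append((left, op, right))
    return conditions, issues


# Constructed sample input: placeholder serials and documentation-range MACs.
SAMPLE_VARIABLES = json.loads(r'''
{
  "SN00000001": {"_sys_serial": "SN00000001", "_sys_lan_mac": "00:00:5e:00:53:01",
                 "ssid_name": "\"emp ssid\"",
                 "url": "\"/portal/Splash%20Profile%201/capture\""},
  "SN00000002": {"_sys_serial": "SN00000002", "_sys_lan_mac": "00:00:5e:00:53:02",
                 "ssid_name": "emp ssid", "2nd_ssid": "guest",
                 "url": "/portal/Splash%20Profile%201/capture"},
  "SN00000003": {"_sys_serial": "SN00000003", "ssid name": "lab"}
}
''')
SAMPLE_TEMPLATE = "\n".join([
    "%if dpi_value > 2.8%", "%endif%",   # compared as dpi_value > 2
    "%if 100=vlan%", "%endif%",          # value on the left: not supported
    "%if vlan=100%", "%endif%",
    "%if mode > high%", "%endif%",       # ordering operator with non-numeric value
])

if __name__ == "__main__":
    for line in lint_variables(SAMPLE_VARIABLES):
        print(line)
    conditions, problems = lint_conditions(SAMPLE_TEMPLATE)
    print(conditions)
    for line in problems:
        print(line)
```

Aruba Central's own parser remains the authority on what is accepted; this check only reflects the rules stated in this section.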

Uploading a Variable File
To upload a variable file, complete the following steps:
While uploading the variables file to Aruba Central in the CSV format, make sure to choose the default language in Microsoft Excel as English (United States).
1. Ensure that the _sys_serial and _sys_lan_mac variables are defined with the serial number and MAC address of the devices, respectively.
2. In the Network Operations app, set the filter to one of the template groups under Groups.
3. Under Manage, click Devices > Switches.
4. Click the Config icon.
5. Click Variables.
6. Click Upload Variables File and select the variable file to upload.
7. Click Open. The contents of the variable file are displayed in the Variables table.
8. To search for a variable, specify a search term and click the Search icon.
9. To download a variable file with device-specific definitions, click the download icon in the Variables table.
Modifying Variables
To modify variables without downloading a variable file, modifying the variable file, and uploading the customized variable file:


1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Click Variables.
5. Select a device and variable.
6. Modify the value and click Add to Modifications.
7. Click Save.
Alternatively, to modify a single variable without downloading a variable file, modifying the variable file, and uploading the customized variable file:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Hover over a desired variable and click Edit.
5. Modify the value and click Save.
6. Click Save.
Backing Up and Restoring Configuration Templates
Aruba Central allows you to create a backup of configuration templates and variables that you can restore in the event of a failure or loss of data. The Configuration Backup and Restore feature is available in the Configuration Audit page for devices deployed using the template-based configuration method. The Configuration Backup and Restore feature enables administrators to perform the following functions:
- Back up templates and variable files applied to the devices, managed using the template-based configuration method.
- Restore an earlier known working combination of the configuration template and device variables in the event of a failure.
Important Points to Note
- The backup and restoration options are available for devices deployed using the template-based configuration method.
- When the backup or restore for a group is in progress, you cannot make configuration changes to that group.
- The restore operation restores the variables only for the devices that are currently provisioned or pre-provisioned to the group.
- The restore operation is terminated if the firmware version running on any one device in the group does not match the firmware version in the backed up file that is being restored. For example, if the configuration file was backed up when a switch was running 16.03.0003 and was later upgraded to 16.04.0003, the restore operation fails for the group.
- The restore operation deletes any templates applied to the group before the restore. It also deletes and replaces device variables with the backed up version that is being restored.
- The details pertaining to the actions carried out during the backup and restore operations are logged in the Audit Trail page.
Creating a Configuration Backup
To back up configuration templates and variables applied to devices:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Navigate to the Configuration Audit page. See Viewing Configuration Status.
3. Under Configuration Backup and Restore, click New Configuration Backup. The Create New Backup window is displayed.
4. Enter a Backup Name.
5. Select Do Not Delete if you do not want the backed up file to be deleted by a new backup after the threshold of 20 backups is exceeded.

You can create and maintain up to 20 backed up configuration files. If the number of backup files exceeds 20, the old backed up configuration files are overwritten. However, if the backed up files are marked as Do not Delete, Aruba Central does not overwrite the backed up configuration files.

6. Click OK. The Confirm Backup window is displayed.
7. Read through the information. Select the check box to confirm that configuration changes to the group cannot be done when the backup is in progress.
8. Click Proceed. The backup for the group configuration is created.
Viewing Contents of a Backed Up Configuration
To view the contents of a backed up configuration:
1. Click the Manage Backup option.
2. Download the backup and untar the downloaded file. The following example shows the tree structure of a typical backup download.

<backup-name_timestamp>
    templates
        <hppctemplate1.tmpl>
        <iaptemplate1.tmpl>
        template_meta.json
    variables
        HPPC_variables_1.json
        IAP_variables_1.json
        devices_meta.json

The variables are stored according to the device type, such as Instant APs and Aruba Switches. For example, for all Instant APs, the variables are aggregated and stored together. The aggregated file can include variables for up to 80 devices or up to 5 MB of variables data, based on whichever condition is met first. When the number of variables or the data size exceeds this limit, new aggregate files are created and added to the backup until all the variables in the selected group are backed up. The variable data limit applies only to the aggregated files. Aruba Central does not impose any limit on the number of devices or the device variables that can be backed up.
The following details are available for a backed up configuration snapshot:


- Backups--Provides details of the number of available and allowed backups and allows you to perform the following actions:
   - Manage group configuration backups
   - Create new configuration backups
   - Modify backup delete protection
- Last Backup--Provides details of the status and the timestamp of the last backup.
- Last Restore--Provides details of the status and the timestamp of the last restore.
Restoring a Backed Up Configuration
To restore a backed up configuration snapshot:
1. In the Network Operations app, use the filter to select a group that uses template-based configuration method.
2. Navigate to the Configuration Audit page. See Viewing Configuration Status.
3. Under Configuration Backup and Restore, click Restore Configuration Backup. The Restore from Backup window is displayed.
4. Select the backup name that you want to restore, from the Backup Name drop-down list.
5. Select the required device type from the Device Type drop-down list.

Selecting a device type allows you to restore the backed up configuration by the specific device type, for example, Instant APs, Aruba Switch. By default, All is selected. When the device type is set to All, configuration restore does not follow any specific order.

6. Click OK. The Confirm Configuration Restore window is displayed.
7. Read the instructions and select the check boxes to confirm your action for configuration restore.
8. Click Proceed. The selected backup configuration is restored.
Aruba recommends that the administrators take a backup of the current configuration of the group before the restore operation.
Managing Backups
To manage the backed up configuration files:
1. In the Network Operations app, use the filter to select a group that uses template-based configuration method.
2. Navigate to the Configuration Audit page. See Viewing Configuration Status.
3. Under Configuration Backup and Restore, click Manage Backup. The Last <#> Backups window is displayed.
4. View the backup details such as date and time of backup, backup name, username, and the delete protection status for each configuration backup.
5. Click Close.
6. Click Last Backup Log to view the details of the latest backup. The Last Backup Log window displays the following details:
   - Group name
   - Backup name
   - Username that initiated the configuration backup
   - Details on whether templates and device variables are being saved, and completion of the configuration backup process.
7. To get the status of the last restore, click Last Restore Log. To get the error log for a restore error event, click Last Restore Error Log.
Backing Up and Restoring Templates and Variables Using APIs
Aruba Central supports the following NB APIs for the backup and restore feature:
- Create new configuration backup for group
  [POST] /configuration/v1/groups/snapshot/{group}
- Create backups for multiple groups associated with a customer account
  [POST] /configuration/v1/groups/snapshot/create_backups

Aruba Central creates a backup of configuration template and variables only for the groups included in the API request payload. You can use the include or exclude parameters to create backups for a specific list of groups.

The following table describes the API response based on the inputs provided in the parameters:

Table 30: API Functionality for Backup Creation

| include_groups | exclude_groups | API Functionality |
|---|---|---|
| No groups specified | No groups specified | Raises an exception to either include or exclude groups. |
| group names | group names | Raises an exception to include or exclude groups. |
| [] | No groups specified | Raises an exception to provide valid values for the include groups parameter. |
| group names | No groups specified | Includes selected groups for the backup operation. |
| No groups specified | ALL_GROUPS | Creates a backup for all groups. |
| No groups specified | group names | Does not create backup for the excluded groups. |

- Restore a backed up version of the configuration template for all devices in a group:
  [POST] /configuration/v1/groups/<group_name>/snapshots/<snapshot_name>/restore
  The API restores a specific version of the backup snapshot for the group specified in the API request.
- Restore a backed up version of the configuration template by device type:
  The [POST] /configuration/v1/groups/{group}/snapshots/{snapshot}/restore API provides you an option to restore the configuration by device type. By selecting a specific device type, you can control the order in which the configuration is restored by device type. This minimizes the impact of the configuration restore activity on the network.


If monitor mode is enabled at the device level, the selected device functions in the monitor mode. If the monitor mode is enabled at the group level, all devices in the group inherit this setting. If a device managed by Aruba Central displays a configuration sync issue and persistently fails to receive configuration updates from Aruba Central, contact Aruba Central Technical Support.

Managing Sites
The Sites page allows you to create sites, view the list of sites configured in your setup, and assign devices to sites. The Sites page includes the following functions:

Table 31: Sites Page Name Contents of the Table

Convert Labels to Sites
   Allows you to convert existing labels to sites. To convert labels, download the CSV file with the list of labels configured in your setup, add the site information, and upload the CSV file. For more information, see Creating a Site on page 140.

Sites table
   Displays a list of sites configured. It provides the following information:
   - Site Name--Name of the site.
   - Address--Physical address of the site.
   - Device Count--Number of devices assigned to a site.
   The table also includes the following sorting options to reset the table view on the right:
   - All Devices--Displays all the devices provisioned in Aruba Central.
   - Unassigned--Displays the list of devices that are not assigned to any site.
   You can also use the filter and sort icons on the Sites and Address columns to filter and sort sites respectively.

New Site
   Allows you to create a new site.

Bulk upload
   Allows you to add sites in bulk from a CSV file.

Devices table
   Displays a list of devices provisioned. It provides the following information:
   - Name--Name of the device.
   - Group--Group to which the device is assigned.
   - Type--Type of the device.

Creating a Site
To create a site, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. To add a new site, click (+) New Site. The Create New Site pop-up window opens.
6. In the Create New Site pop-up window, enter the following details:
   a. Site Name--Name of the site. The site name can be a maximum of 255 single byte characters. Special characters are allowed.
   b. Street Address--Address of the site.
   c. City--City in which the site is located.
   d. Country--Country in which the site is located.
   e. State/Province--State or province in which the site is located.
   f. ZIP/Postal Code--(Optional) ZIP or postal code of the site.
7. Click Add. The new site is added to the Sites table.
Adding Multiple Sites in Bulk
To import site information from a CSV file in bulk, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Click (+) Bulk upload. The Bulk Upload pop-up opens.
6. Download a sample file.
7. Fill the site information and save the CSV file in your local directory.

The CSV file for bulk upload of sites must include the mandatory information such as the name, address, city, state, and country details.

8. In the Aruba Central UI, click Browse and add the file from your local directory.
9. Click Upload. The sites from the CSV file are added to the site table.
Assigning a Device to a Site
To assign devices to a site, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Select Unassigned. The list of devices that are not assigned to any site is displayed.
6. Select device(s) from the list of devices.
7. Drag and drop the devices to the site on the left. A pop-up window opens and prompts you to confirm the site assignment.
8. Click Yes.
Converting Existing Labels to Sites
To convert existing labels to sites, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Click Convert Labels to Sites. The Confirm Conversion pop-up window opens.
6. To download a CSV file with the list of labels configured in your setup, click Download a File. A CSV file with a list of all the labels in your setup is downloaded to your local directory.
7. Enter address, city, state, country, and ZIP code details for the labels that you want to convert to sites.
   NOTE: In the CSV file, you must enter the following details: address, city, state, and country.
8. Save the CSV file.
9. On the Confirm Conversion pop-up window, click Browse and select the CSV file with the list of labels to convert.
10. Click Upload.
11. Click Convert. The labels are converted to sites.
Points to Note
- If the conversion process fails for some labels, Aruba Central generates and opens an Excel file showing a list of labels that could not be converted to sites. Verify the reason for the errors, update the CSV file, and re-upload the file.
- Aruba Central does not allow conversion of sites to labels. If the existing labels are converted to sites, you cannot revert these sites to labels.
- When the existing labels are converted to sites, Aruba Central retains only the historical data for these labels. Aruba Central displays the historical data for these labels only in reports and on the monitoring dashboard.
Editing a Site
To modify site details, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Select the site to edit and click the edit icon.
6. Modify the site information and click Update.
Deleting a Site
To delete a site, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Select the site to delete and click the delete icon.
6. Confirm deletion.

Managing Labels
The Labels page allows you to create labels, view a list of labels, and assign devices to labels. The page includes two tables. The table on the left lists the labels, whereas the table on the right lists the devices. These tables provide the following information:

Table 32: Labels (columns: Name, Contents of the Table)

Labels
  Displays a list of labels configured. The table provides the following information:
  - Name of the label
  - Number of devices assigned to a label
  The table also includes the following sorting options to reset the table view on the right:
  - All Devices--Displays all the devices provisioned in Aruba Central.
  - Unassigned--Displays the list of devices that are not assigned to any label.

Devices
  Displays a list of devices provisioned. The table provides the following information about the devices:
  - Name--Name of the device
  - Group--Group to which the device is assigned
  - Type--Type of the device
  - Labels--Number of labels assigned to a device

Creating a Label
To create a label, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. To add a new label, click (+) Add Label. The Create New Label pop-up window opens.
6. Enter a name for the label. The label name can be a maximum of 255 single byte characters. Special characters are allowed.
7. Click Add. The new label is added to the All Labels table.
Assigning a Label to a Device
To assign a label to a device, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. Locate the label to which you want to assign a device.
6. In the table that lists the labels, you can perform one of the following actions:
   - Click All Devices to view all devices.
   - Click Unassigned to view all the devices that are not assigned to any labels.
7. Select Unassigned. The list of devices that are not assigned to any label is displayed.
8. Select device(s) from the list of devices.
9. Drag and drop the selected device(s) to a specific label. A pop-up window asking you to confirm the label assignment opens.
10. Click Yes.
Aruba Central allows you to assign up to five label tags per device.
Detaching a Device from a Label
To remove a label assigned to a device, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. Select the device from the table on the right.
6. Click the delete icon.
7. To detach labels from the multiple devices at once, select the devices, and click Batch Remove Labels.
8. Confirm deletion.
Editing a Label
To edit a label, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. Select the label to edit.
6. Click the edit icon.
7. Edit the label and click Update.
Deleting a Label
To delete one or several labels, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. Select the label to delete.
6. Click the delete icon.
7. Confirm deletion.
Viewing Configuration Status

Aruba Central provides an audit dashboard for reviewing configuration changes for the devices provisioned in UI and template groups. The Configuration Audit page is available for Instant APs, switches, and gateways.
Viewing the Configuration Audit Page
To view the Configuration Audit page, complete the following steps:
- For Instant APs:
  a. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the selected group is displayed.
  b. Under Manage, click Devices > Access Points.
  c. Click the Config icon. The tabs to configure access points are displayed.
  d. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
  NOTE: Aruba Central now constantly displays the default tabs under the Show Advanced and Hide Advanced option in the Devices > Access Points page. When you click the Show Advanced or Hide Advanced option and navigate out of the page, the respective default tabs under Show Advanced or Hide Advanced option are still displayed when you visit the page next time.
- For Aruba switches:
  a. In the Network Operations app, set the filter to a group that contains at least one switch. The dashboard context for the selected group is displayed.
  b. Under Manage, click Devices > Switches.
  c. Click the Config icon. The tabs to configure switches are displayed.
  d. Click Configuration Audit. The Configuration Audit details page is displayed.
- For Aruba gateways:
  a. In the Network Operations app, set the filter to a group that contains at least one Branch Gateway. The dashboard context for the selected group is displayed.
  b. Under Manage, click Devices > Gateways.
  c. Click the Config icon. The tabs to configure gateways are displayed.
  d. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
Applying Configuration Changes
Aruba Central supports a two-staged configuration commit workflow for Instant APs and switches. Aruba Central now supports the auto commit feature at a group level. When auto commit state is enabled for a group, the configuration changes are instantly applied to all devices where auto commit state is enabled.


In the Configuration Audit page of the group, the Auto Commit State section allows administrators to switch their preference for committing configuration changes to the devices within the group.
- To enable auto commit, click Change to Auto commit state ON. When auto commit state is enabled for a group, the configuration changes are instantly applied to all devices where auto commit state is enabled.
- To disable auto commit, click Change to Auto commit state OFF. When auto commit state is disabled for a group, an administrator can build a candidate configuration, save it on cloud, review it, and then commit the configuration changes to all devices within the group.
Aruba Central resets the auto commit state, when a device moves to another group. The device inherits the auto commit state of the group to which the device is moved. When auto commit state is disabled for a group, Aruba Central restricts modification to the auto commit state at a device level. When auto commit state is enabled for a group, Aruba Central allows modification to the auto commit state at a device level. The auto commit at a group level is not applicable for Aruba MAS switches and Aruba gateways in the Configuration Audit page. Auto commit state is always enabled for Aruba MAS switches and Aruba gateways.
Viewing and Editing
To modify the auto commit state of devices within the group, when Auto Commit State for a group is enabled, complete the following steps:
1. Click the View & Edit link under Auto Commit State: ON tile.
2. Select a device name, click Disable Auto Commit, and then click OK.
3. Click Yes in the Confirm Action dialog box.

To modify the auto commit state of devices within the group, when Auto Commit State for a group is disabled, complete the following steps:
1. Click the View & Edit link under Auto Commit State: OFF tile.
2. Select a device name, click Enable Auto Commit, and then click OK.
3. Click Yes in the Confirm Action dialog box.
When auto commit state for a group is disabled, the View & Edit link is disabled to restrict modifications to the auto commit state of the devices within the group. When auto commit state for a group is enabled, the View & Edit link allows you to modify the auto commit state of the devices within the group.
Auto Commit Workflow
To enable Aruba Central to commit configuration changes instantly, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP and a switch. The dashboard context for the selected group is displayed.
2. Under Manage, click Devices > Access Points.
   NOTE: In Aruba Central, the auto commit workflow for a group can be implemented either from the switch configuration audit page or Instant AP configuration audit page. Alternatively, you can navigate to Devices > Switches.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
5. Ensure that the Auto Commit State for the group is set to ON.
6. Based on configuration mode set for the devices in the group, use either the UI workflows or a configuration template to complete the configuration workflow and save the changes. Aruba Central automatically commits the configuration changes to all devices where auto commit state is enabled.
7. View the Local Overrides and Configuration Sync Issues, if any.
Aruba Central does not support the two-staged configuration commit workflow for Aruba MAS switches and Aruba gateways. The tenant accounts in the MSP deployments do not inherit the Auto Commit State configured at the MSP level. The tenant account users can enable or disable Auto Commit state for the devices in their respective accounts.
Manual Commit Workflow
To build configuration and review it before committing the configuration changes, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP and a switch. The dashboard context for the selected group is displayed.
2. Under Manage, click Devices > Access Points.
   NOTE: In Aruba Central, the manual commit workflow for a group can be implemented either from the switch configuration audit page or Instant AP configuration audit page. Alternatively, you can navigate to Devices > Switches.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
5. Ensure that the Auto Commit State for the group is set to OFF.
6. Based on configuration mode set for the device, use either the UI workflows or a configuration template to complete the configuration workflow and save the changes. When you try to save the changes, Aruba Central displays the following warning message:
7. When the auto commit state for a group is set to OFF, and changes are configured to the devices at a group level, Aruba Central displays the following warning message when you try to save the changes:
8. View the Local Overrides and Configuration Sync Issues, if any.
9. Click Commit Now to commit the configuration changes to all devices within the group.

Viewing Configuration Overrides and Errors
The Configuration Audit page allows you to view the configuration push errors, template synchronization errors, configuration sync, and device level configuration overrides. Some of the notable status indicators available on the page include:
- Failed/Pending Changes--Provides details of the number of devices with configuration sync errors. To view the devices with configuration sync errors, click the Failed/Pending config changes link. The Config Difference pop-up window opens. You can view configuration differences for each device within the group.
- Local Overrides--Provides details of the number of devices with local overrides. To view a complete list of overrides, click the Manage Local Overrides link. The Local Overrides pop-up window opens. You can view configuration differences for each device within the group. To preserve the overrides, click Close. To remove the overrides, select the group name with local override, click Remove and click OK.
- Configuration Conflicts--Provides details of the number of devices with configuration conflict errors. To view a complete list of configuration conflicts, click the Manage Configuration Conflicts link. The Configuration Conflict pop-up window opens. To resolve the configuration conflicts, enable the checkbox against each conflict, and then click Remove to remove the conflict.
- Template Errors--Provides the details of the number of devices with template errors. To view a complete list of configuration template errors, click the View Template Errors link. The Template Errors pop-up window opens. You can view a list of templates with errors.
- Move Failures--Aruba Central supports moving a device from one group to another. If the move operation fails, Aruba Central logs such instances as Move Failures.

Viewing Configuration Status for Devices at the Group Level (Template Configuration Mode)
When you select a template group from the filter, the Configuration Audit page displays the following information:

Table 33: Configuration Audit Status for a Template Group (columns: Data Pane Content, Description)

Template Errors
  Provides details of the number of devices with template errors for the selected template group.
  Devices deployed in the template group are provisioned using configuration templates. If there are errors in the templates or variable definitions, the configuration push to the devices fails. Aruba Central records such failed instances as template errors and displays these errors on the Configuration Audit page.
  To view a complete list of errors, click View Template Errors. The Template Errors pop-up window allows you to view and resolve the template errors, if any.

Failed/Pending Changes
  Provides details of the number of devices with configuration sync errors for the selected template group. To view and resolve the configuration sync errors, click the Failed/Pending config changes link.

Configuration Backup & Restore
  Allows you to create a backup of templates and variables applied to the devices in the template group. For more information, see Backing Up and Restoring Configuration Templates.
  - New Configuration Backup--Allows you to create a new backup of templates and variables applied to the devices in the template group.

All Devices
  The All Devices table provides the following device information for the selected group:
  - Name--The name of the device.
  - Type--The type of the device.
  - Auto Commit--The status of the auto commit state for all the devices within the group.
  - Config Sync--Indicator showing configuration sync errors.
  - Template Errors--Indicator showing configuration template errors for the devices deployed in template groups.

Viewing Configuration Status for a Device (Template Configuration Mode)
When you select a device that is provisioned in a template group, the Configuration Audit page displays the following information:

Table 34: Configuration Audit Status for Devices in Template Groups (columns: Data Pane Content, Description)

Template Applied
  Displays the template that is currently applied on the selected device.

Template Errors
  Displays the number of template errors for the selected device. To view a complete list of errors, click View Template Errors.

Failed/Pending Changes
  Displays the configuration sync errors for the selected device. To view and resolve the configuration sync errors, click the Failed/Pending config changes link.

Config Comparison Tool
  Allows you to view the difference between the current configuration and the configuration that is yet to be pushed to the device (pending configuration).
  To view the current and pending configuration changes side by side, click View.

Viewing Configuration Status for Devices at the Group Level (UI-based Configuration Mode)
When you select a UI group, the Configuration Audit page displays the following information:

Table 35: Configuration Audit Status for a UI Group (columns: Data Pane Content, Description)

Failed/Pending Changes
  Displays the number of devices with configuration sync errors for the selected UI group.
  To view and resolve the configuration sync errors, click the Failed/Pending config changes link.

Local Overrides
  Displays the number of devices with local overrides. To view a complete list of overrides, click the Manage Local Overrides link. The Local Overrides pop-up window opens.
  - To preserve the overrides, click Close.
  - To remove the overrides, select the group name with local override, click Remove and then click OK.

All Devices
  The All Devices table provides the following device information for the selected group:
  - MAC Address--MAC address of the device.
  - Name--The name of the device.
  - IP Address--IP address of the device.
  - Site--Name of the site to which the device is assigned.
  - Type--The type of the device.
  - Auto Commit--The status of the auto commit state for all the devices within the group.
  - Config Sync/Config Status--Indicator showing configuration sync errors.
  - Local Overrides--Indicator showing configuration overrides for the devices deployed in the UI groups.
  NOTE: The MAC Address, IP Address, Site, and Config Status columns are available only for groups in which Aruba gateways are provisioned (Manage > Device > Gateways, click the Config icon. The gateway configuration page is displayed. Navigate to Configuration Audit).

Viewing Configuration Status for a Device (UI-based Configuration Mode)
When you select a device assigned to a UI group, the Configuration Audit page displays the following information:

Table 36: Configuration Audit Status for a Device Assigned to a UI Group (columns: Data Pane Content, Description)

Failed/Pending Changes
  Displays the number of devices with configuration sync errors for the selected device. To view and resolve the configuration sync errors, click the Failed/Pending config changes link.

Local Overrides
  Displays the number of local overrides. To view a complete list of overrides, click the Manage Local Overrides link. The Local Overrides pop-up window opens.
  - To preserve the overrides, click Close.
  - To remove the overrides, click Remove, and then click OK.

Backing up and Restoring Configuration Templates
Aruba Central allows you to back up configuration templates assigned to the devices deployed in a template group. The Configuration Audit pages for Instant AP, switch, and gateway configuration containers allow you to create and manage backed up files and restore these files when required. For more information, see Backing Up and Restoring Configuration Templates.


If monitor mode is enabled at the device level, the selected device functions in the monitor mode. If the monitor mode is enabled at the group level, all devices in the group inherit this setting. If a device managed by Aruba Central displays a configuration sync issue and persistently fails to receive configuration updates from Aruba Central, contact Aruba Central Technical Support.

Connecting Devices to Aruba Central
Aruba devices support automatic provisioning, also known as ZTP. In other words, Aruba devices can download provisioning parameters from Aruba Activate and connect to their management entity once they are powered on and connected to the network. Although most of the communication between devices on the remote site and Aruba Central server in the cloud is carried out through HTTPS (TCP 443), you may want to open the following ports for devices to communicate over network firewall. This section includes the following topics:
- Domain names for Aruba Central Portal Access
- Domain Names for Device Communication with Aruba Central
- Domain Names for Device Communication with Aruba Activate
- Cloud Guest Server Domains for Guest Access Service
- Domain Names for OpenFlow
- Other Domain Names

Domain names for Aruba Central Portal Access

Table 37: Domain Names and URLs for Aruba Central Portal Access

Region | Domain Name | Protocol
US-1 | portal.central.arubanetworks.com | HTTPS TCP port 443
US-2 | portal-prod2.central.arubanetworks.com | HTTPS TCP port 443
EU-1 | portal-eu.central.arubanetworks.com | HTTPS TCP port 443
Canada-1 | portal-ca.central.arubanetworks.com | HTTPS TCP port 443
China-1 | portal.central.arubanetworks.com.cn | HTTPS TCP port 443
APAC-1 | portal-apac.central.arubanetworks.com | HTTPS TCP port 443
APAC-EAST1 | portal-apaceast.central.arubanetworks.com | HTTPS TCP port 443
APAC-SOUTH1 | portal-apacsouth.central.arubanetworks.com | HTTPS TCP port 443

Domain Names for Device Communication with Aruba Central

Table 38: Domain Names for Device Communication with Aruba Central

Region | Aruba Central URL | URL for Device Connectivity | Protocol | FQDNs for SD-WAN Orchestrator Service
US-1 | app.central.arubanetworks.com | app1.central.arubanetworks.com | HTTPS TCP port 443 | app1-h2.central.arubanetworks.com
US-2 | app-prod2.central.arubanetworks.com | device-prod2.central.arubanetworks.com | HTTPS TCP port 443 | device-prod2-h2.central.arubanetworks.com
EU-1 | app2-eu.central.arubanetworks.com | device-eu.central.arubanetworks.com | HTTPS TCP port 443 | device-eu-h2.central.arubanetworks.com
Canada-1 | app-ca.central.arubanetworks.com | device-ca.central.arubanetworks.com | HTTPS TCP port 443 | device-ca-h2.central.arubanetworks.com
China-1 | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS TCP port 443 | device-h2.central.arubanetworks.com.cn
APAC-1 | app2-ap.central.arubanetworks.com | app1-ap.central.arubanetworks.com | HTTPS TCP port 443 | app1-ap-h2.central.arubanetworks.com
APAC-EAST1 | app-apaceast.central.arubanetworks.com | device-apaceast.central.arubanetworks.com | HTTPS TCP port 443 | device-apaceast-h2.central.arubanetworks.com
APAC-SOUTH1 | app-apacsouth.central.arubanetworks.com | device-apacsouth.central.arubanetworks.com | HTTPS TCP port 443 | device-apacsouth-h2.central.arubanetworks.com

Domain Names for Device Communication with Aruba Activate

Table 39: Domain Names for Device Communication with Aruba Activate

Domain Name | Protocol
device.arubanetworks.com | HTTPS TCP port 443
devices-v2.arubanetworks.com | HTTPS TCP port 443

Cloud Guest Server Domains for Guest Access Service

Table 40: Domain Names for Cloud Guest Server Access

Region | Domain Name | Protocol
US-1 | nae1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-1 | nae1-elb.cloudguest.central.arubanetworks.com | TCP port 443
US-2 | naw2.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-2 | naw2-elb.cloudguest.central.arubanetworks.com | TCP port 443
EU-1 | euw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
EU-1 | euw1-elb.cloudguest.central.arubanetworks.com | TCP port 443
Canada-1 | ca.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
Canada-1 | ca-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-1 | ap1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-1 | ap1-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-EAST1 | apaceast.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-EAST1 | apaceast-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-SOUTH1 | apacsouth.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-SOUTH1 | apacsouth-elb.cloudguest.central.arubanetworks.com | TCP port 443

Domain Names for OpenFlow

Table 41: Domain Names for OpenFlow

Region | Domain Name
US-1 | https://app2-ofc.central.arubanetworks.com
US-2 | https://ofc-prod2.central.arubanetworks.com
EU-1 | https://app2-eu-ofc.central.arubanetworks.com
Canada-1 | https://ofc-ca.central.arubanetworks.com
China-1 | https://ofc.central.arubanetworks.com.cn
APAC-1 | https://app2-ap-ofc.central.arubanetworks.com
APAC-EAST1 | https://ofc-apaceast.central.arubanetworks.com
APAC-SOUTH1 | https://ofc-apacsouth.central.arubanetworks.com

Other Domain Names

Table 42: Other Domain Names

Domain Name | Protocol | Description
sso.arubanetworks.com | TCP port 443 | Allows users to access their accounts on the internal server.
internal.central.arubanetworks.com, internal2.central.arubanetworks.com | TCP port 443 | Allows users to access the Aruba Central Internal portal.
pool.ntp.org | UDP port 123 | Allows users to update the internal clock and configure time zone when a factory default device comes up. By default, the Aruba devices contact pool.ntp.org and use NTP to synchronize their system clocks.
activate.arubanetworks.com | TCP port 443 | Allows users to configure provisioning rules in Activate.
pqm.arubanetworks.com | ICMP or UDP port 4500 | Allows users to check the health of WAN uplinks configured on Branch Gateways.
images.arubanetworks.com | TCP port 80 | Allows users to access the server that hosts software images available for upgrading devices.
http://h30326.www3.hpe.com | TCP port 80 | Allows users to access the Aruba switch software images. To view the URL for software updates, use the show activate software-update command.
d2vxf1j0rhr3p0.cloudfront.net | TCP port 80 | Allows users to access the CloudFront server for locating Instant AP software images.
rcs-m.central.arubanetworks.com (For all other regions), central-eurcs.central.arubanetworks.com (For Europe region) | TCP port 443 | Allows users to access a device console through SSH.
cloud.arubanetworks.com | TCP port 80 | Allows users to open the Aruba Central evaluation sign-up page.
aruba.brightcloud.com | TCP port 443 | Enables devices to access the Webroot Brightcloud server for application, application categories, and website content classification.
bcap15-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to look up the Webroot Brightcloud server for Website categories.
api-dualstack.bcti.brightcloud.com | TCP port 443 | Allows Aruba devices to access the IP Reputation and IP Geolocation service on the Webroot Brightcloud server.
database-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to download the website classification database from the Webroot Brightcloud server.

When configuring ACLs to allow traffic over a network firewall, use the domain names instead of the IP addresses. For Branch Gateways to set up IPsec tunnel with the VPN concentrators, the UDP 4500 port must be open.
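An offline audit of an egress rule list against the endpoints listed in the tables above, as an added example that is not part of the Aruba Central guide. The rule syntax, the first-match semantics, and the sample rules are assumptions made for illustration; the required endpoints are the US-1 device-connectivity, Activate, NTP, image-server, and uplink-health entries from the tables.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    port: Optional[int]   # None = any port (or not applicable, as for ICMP)
    dest: str             # FQDN, "*.suffix" wildcard, IP/CIDR literal, or "any"


# Endpoints a US-1 device needs, copied from the tables above. Each entry lists
# the protocol/port pairs that satisfy it (pqm accepts ICMP or UDP 4500).
REQUIRED_US1 = [
    ("app1.central.arubanetworks.com", [("tcp", 443)]),   # device connectivity
    ("device.arubanetworks.com", [("tcp", 443)]),         # Aruba Activate
    ("devices-v2.arubanetworks.com", [("tcp", 443)]),     # Aruba Activate
    ("activate.arubanetworks.com", [("tcp", 443)]),       # provisioning rules
    ("pool.ntp.org", [("udp", 123)]),                     # NTP clock sync
    ("images.arubanetworks.com", [("tcp", 80)]),          # software images
    ("pqm.arubanetworks.com", [("icmp", None), ("udp", 4500)]),  # uplink health
]

# Constructed sample rule list in a hypothetical "action proto port dest" format.
SAMPLE_RULES = """
allow tcp 443 app1.central.arubanetworks.com
allow tcp 443 device.arubanetworks.com
allow tcp 443 198.51.100.20        # address pinned instead of a domain name
deny  udp any any                  # blanket UDP block placed above the NTP rule
allow udp 123 pool.ntp.org
allow tcp 443 activate.arubanetworks.com
allow icmp -  pqm.arubanetworks.com
deny  any any any
"""


def parse_rules(text):
    """Parse the hypothetical rule format, ignoring blanks and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.lower().split()
        if len(parts) != 4:
            raise ValueError(f"malformed rule: {raw!r}")
        action, proto, port, dest = parts
        rules.append(Rule(action, proto,
                          None if port in ("any", "-") else int(port),
                          dest.rstrip(".")))
    return rules


def is_ip_literal(dest):
    """True if the destination is an IPv4/IPv6 address or CIDR block."""
    try:
        ipaddress.ip_network(dest, strict=False)
        return True
    except ValueError:
        return False


def dest_matches(rule_dest, fqdn):
    if rule_dest == "any":
        return True
    if rule_dest.startswith("*."):
        return fqdn.endswith(rule_dest[1:])   # "*.example.com" -> ".example.com"
    return rule_dest == fqdn


def first_match(rules, fqdn, proto, port):
    """Return the first rule that applies to this flow (first-match firewall)."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        if dest_matches(r.dest, fqdn):
            return r
    return None


def audit(rules, required):
    """Report required endpoints that are not allowed and allow rules pinned to IPs."""
    missing = []
    for fqdn, options in required:
        hits = [first_match(rules, fqdn, proto, port) for proto, port in options]
        if not any(r is not None and r.action == "allow" for r in hits):
            missing.append(fqdn)
    ip_pinned = [r.dest for r in rules
                 if r.action == "allow" and is_ip_literal(r.dest)]
    return {"missing": missing, "ip_pinned": ip_pinned}


if __name__ == "__main__":
    report = audit(parse_rules(SAMPLE_RULES), REQUIRED_US1)
    for name in report["missing"]:
        print("not reachable by domain name:", name)
    for dest in report["ip_pinned"]:
        print("allow rule uses an IP literal:", dest)
```

In the sample, pool.ntp.org is reported as missing even though an allow rule exists for it, because the blanket UDP deny is evaluated first.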
Connecting Instant APs to Aruba Central
To bring up Instant APs in Aruba Central:
1. Connect the Instant AP to a provisioning network.
2. Ensure that Instant AP is operational and is connected to the Internet.
3. Ensure that the Instant AP has a valid DNS server address either through DHCP or static IP configuration.
4. Ensure that NTP server is running and Instant AP system clock is configured.
Connecting Aruba Switches to Aruba Central
Note the following points about automatic provisioning of switches:
- Pre-configured switches can now join Aruba Central. You can also import configuration from these switches to generate a template. For more information, see Creating a Configuration Template.
- If the switches ship with a version lower than the minimum supported firmware version, a factory reset may be required, so that the switch can initiate a connection to Aruba Central. For information on the minimum firmware versions supported on the switches, see Supported Aruba Switch Platforms on page 434.
- During Zero Touch Provisioning, the Aruba switches can join Aruba Central only if they are running the factory default configuration, and have a valid IP address and DNS settings from a DHCP server.
- The provisioning of the Aruba Mobility Access Switch fails when the provisioning process is interrupted during the initial booting and if the switch has a static IP address with no DNS server configured.

Connecting SD-WAN Gateways to Aruba Central
The Aruba gateways have the ability to automatically provision themselves and connect to Aruba Central once they are powered on. The gateways also support multiple active uplinks for ZTP (also referred to as automatic provisioning). The supported ZTP ports for different hardware platforms are listed in the following table. All these ZTP ports are assigned to VLAN 4094.


Table 43: ArubaOS Hardware Platforms and Supported ZTP Ports

ArubaOS Hardware Platform | Supported ZTP Ports
Aruba 7005 Gateway | ALL ports except 0/0/1
Aruba 7008 Gateway | ALL ports except 0/0/1
Aruba 7010 Gateway | ALL ports except 0/0/1
Aruba 7030 Gateway | ALL ports except 0/0/1
Aruba 7024 Gateway | ALL ports except 0/0/1
Aruba 7210 Gateway | ALL ports except 0/0/1
Aruba 7220 Gateway | ALL ports except 0/0/1
Aruba 7240 Gateway | ALL ports except 0/0/1
Aruba 7280 Gateway | ALL ports except 0/0/1
Aruba 9004 Gateway | ALL ports except 0/0/1
Aruba 9004-LTE Gateway | ALL ports except 0/0/1
Aruba 9012 Gateway | ALL ports except 0/0/1

To know the minimum software version required for the gateways, see Supported SD-Branch Components.
To automatically provision the gateways:
1. Connect your gateway to the provisioning network.
2. Wait for the device to obtain an IP address through DHCP. Gateways support multiple uplink ports. The first port to receive the DHCP IP connects to the Activate server and completes the provisioning procedure:
   - If the device has factory default configuration, it receives an IP address through DHCP, connects to Aruba Activate, and downloads the provisioning parameters. When a device identifies Aruba Central as its management entity, it automatically connects to Aruba Central.
   - If the device is running a software version that does not have the SD-WAN image, the devices are automatically upgraded to a supported SD-WAN software version.
3. Observe the LED indicators. Table 2 describes the LED behavior.

Table 44: LED Indicators

LED Indicator | LCD Text | Description
Solid Amber | Getting DHCP IP | Indicates that the uplink connection is UP, but DHCP IP is yet to be retrieved.
Blinking Amber | Activate Wait | Indicates that the device was able to reach the DHCP server and the connection to the Activate server is yet to be established.
Solid Green | Activate OK | Indicates that the device was able to retrieve provisioning parameters from the Activate server.
Alternating Solid Green and Amber | Activate Error | Indicates that the device was not able to retrieve provisioning parameters.

After successfully connecting to Aruba Central, the gateways download the configuration from Aruba Central and reload.
The gateways also include service ports that the technicians can use for manually provisioning devices in the event of ZTP failure. For more information on ports available for Aruba 7000 Series Mobility Controllers and Aruba 7200 Series Mobility Controllers, see ArubaOS User Guide.

Certificates
By default, Aruba Central includes a self-signed certificate that is available on the Certificates page. The default certificate is not signed by a root certificate authority (CA). For devices to validate and authorize Aruba Central, administrators must upload a valid certificate signed by a root CA.
Aruba devices use digital certificates for authenticating a client's access to user-centric network services. Most devices such as controllers and Instant APs include a server certificate by default for captive portal server authentication. However, Aruba recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted CA. Certificates can be stored locally on the devices and used for validating device or user identity during authentication.
Aruba Central-managed devices such as Instant AP and switches support the following root CA certificates:

Instant APs
- AddTrust
- GeoTrust
- VeriSign
- Go Daddy

Switches
- Comodo
- GeoTrust

Uploading Certificates
To upload certificates, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Select the Certificates tab. The Certificates page opens.
4. Click the plus icon to add the certificate to the certificate store.
5. In the Add Certificate dialog box, do the following:
   a. In the Name text box, specify the certificate name.
   b. Select the type of certificate. You can select any one of the following certificates:
      - CA--Digital certificates issued by the CA.
      - Server--Server certificates required for communication between devices and authentication servers.
      - CRL--Certificate Revocation List that contains the serial numbers of certificates that have been revoked. This certificate is required for performing a certificate revocation check.
      - OCSP Responder Cert--OCSP responder certificates.
      - OCSP Signer Cert--OCSP Response Signing Certificate. OCSP certificates are required for OCSP server authentication.
   c. From the Format drop-down list, select a certificate format; for example, PEM, DER, and PKCS12.
   d. In the Passphrase text box, enter a passphrase.
   e. In the Retype Passphrase text box, retype the passphrase for confirmation.
      The Passphrase and Retype Passphrase text boxes are displayed only when you select Server Certificate from the Type drop-down list.
   f. In the Certificate File field, click Browse and select the certificate files.
   g. Click Add. The certificate is added to the Certificate Store.
Managing Certificates on Instant APs Configured Using Templates
Aruba Central supports uploading multiple certificates to Instant APs configured using templates. You can manage certificates either from the Aruba Central UI or through the API Gateway. For more information about APIs, see API Documentation.
To push certificates to Instant APs configured using templates:
1. Upload certificate(s) through one of the following methods:
   - UI--See Uploading Certificates on page 158.
   - API--Use the [POST] /configuration/v1/certificates API.
2. Get the certificate name and MD5 checksum through one of the following methods:
   - UI--In the Network Operations app, filter All Devices. Under Maintain, click Organization and select the Certificates tab. The Certificate Store table displays these details.
   - API--Use the [GET] /configuration/v1/certificates API.
3. In the template, anywhere before the per-ap settings block, depending on your requirement, add one or more of the following commands:
   ca-cert-checksum <ca_cert_checksum/ca_cert_name>
   cp-cert-checksum <captive_portal_cert_checksum/captive_portal_cert_name>
   radsec-ca-checksum <radsed_ca_checksum/radsed_ca_name>
   radsec-cert-checksum <radsed_cert_checksum/radsed_cert_name>
   server-cert-checksum <server_cert_checksum/server_cert_name>

You can either use the certificate name or the checksum value in the command. Or, you can set it as a variable and enter the variable value for the Instant AP. Aruba recommends using the certificate name.
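The placement and reference rules above (commands before the per-ap settings block, each pointing at a name or checksum from the Certificate Store, optionally through a variable) can be checked before a template is pushed. The linter below is an added example, not part of the Aruba guide or Aruba tooling; the per-ap-settings marker, the shape of the certificate-store rows, and every sample value are assumptions constructed for illustration.

```python
import hashlib
import re

# The five template commands the guide lists for referencing uploaded certificates.
CERT_COMMANDS = {
    "ca-cert-checksum", "cp-cert-checksum", "radsec-ca-checksum",
    "radsec-cert-checksum", "server-cert-checksum",
}
VAR_RE = re.compile(r"%(\w+)%")
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")


def lint_template(template, variables, cert_store, per_ap_marker="per-ap-settings"):
    """Return (line_no, severity, message) findings in line order for one Instant AP.

    cert_store is a list of {"name", "md5"} rows, the two details the guide says
    the Certificate Store table shows (the dict shape is an assumption).
    per_ap_marker is the assumed first token of the per-ap settings block.
    """
    names = {row["name"] for row in cert_store}
    sums = {row["md5"].lower() for row in cert_store}
    findings = []
    in_per_ap = False
    for line_no, raw in enumerate(template.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == per_ap_marker:
            in_per_ap = True
            continue
        if tokens[0] not in CERT_COMMANDS:
            continue
        cmd = tokens[0]
        if in_per_ap:
            findings.append((line_no, "error",
                             f"{cmd} must come before the per-ap settings block"))
        if len(tokens) != 2:
            findings.append((line_no, "error",
                             f"{cmd} takes exactly one name or checksum"))
            continue
        ref = tokens[1]
        var = VAR_RE.fullmatch(ref)
        if var:
            # Resolve %variable% against the per-AP variable values.
            if var.group(1) not in variables:
                findings.append((line_no, "error",
                                 f"variable {var.group(1)} has no value for this AP"))
                continue
            ref = variables[var.group(1)]
        if ref in names:
            continue
        if MD5_RE.fullmatch(ref) and ref.lower() in sums:
            findings.append((line_no, "warn",
                             f"{cmd} uses a checksum; the guide recommends the certificate name"))
        else:
            findings.append((line_no, "error",
                             f"{cmd} references '{ref}', which is not in the certificate store"))
    return findings


# Constructed sample data. The md5 values are placeholders produced from dummy
# bytes; the guide does not say how Central derives the checksum it displays.
CERT_STORE = [
    {"name": "my_default_cert", "md5": hashlib.md5(b"constructed CA bytes").hexdigest()},
    {"name": "my_server_cert", "md5": hashlib.md5(b"constructed server bytes").hexdigest()},
]

# Constructed template fragment that follows the guide's rules.
GOOD_TEMPLATE = """\
ca-cert-checksum %ca_cert_name%
server-cert-checksum my_server_cert
per-ap-settings %_sys_lan_mac%
  hostname %hostname%
"""

# Constructed fragment with four problems: an unset variable, a certificate that
# is not in the store, a checksum where a name is recommended, and a command
# placed after the per-ap settings block.
BAD_TEMPLATE = f"""\
ca-cert-checksum %ca_cert_name%
cp-cert-checksum old_portal_cert
radsec-ca-checksum {CERT_STORE[1]['md5']}
per-ap-settings %_sys_lan_mac%
  hostname %hostname%
server-cert-checksum my_server_cert
"""

if __name__ == "__main__":
    for line_no, severity, message in lint_template(BAD_TEMPLATE, {}, CERT_STORE):
        print(f"line {line_no}: {severity}: {message}")
```

Run it against the certificate names and checksums read from the Certificate Store table or the [GET] /configuration/v1/certificates API, mapped into the assumed row shape.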
Example 1
ca-cert-checksum my_default_cert
Example 2
ca-cert-checksum %ca_cert_name%
variable:
{
  "ca_cert_name": "my_default_cert"
}
Managing Software Upgrades
The Firmware page provides an overview of the latest firmware version supported on the device, details of the device, and the option to upgrade the device. This section includes the following topics:
- Viewing Firmware Details
- Upgrading a Device
- Setting Firmware Compliance For Access Points
- Setting Firmware Compliance For Switches
- Setting Firmware Compliance For Gateways in Standalone Mode
Viewing Firmware Details
To view the firmware details for devices provisioned in Aruba Central:
1. In the Network Operations app, select one of the following options:
   - To select a group in the filter, set the filter to one of the options under Group. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.
2. Under Maintain, click Firmware. The Firmware dashboard displays the following information:
   - The following image displays the Firmware dashboard at the global level:

Table 45: Firmware Maintenance

Data Pane Item | Description

Set Compliance

Allows you to set firmware compliance for devices within a group. Click Set Compliance to view a list of supported firmware versions for each device in a group in the Manage Firmware Compliance page.

Set Compliance for Access Points: To ensure firmware version compliance, complete the following parameters in the Manage Firmware Compliance page:
- Groups--Select the group for which the compliance must be set. Select the specific group to set compliance at group level.
- Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set. Select None to clear the compliance.
- Upgrade Type--Select any one of the following upgrade types:
  - Standard--Recommended for operations during maintenance windows.
  - Live--Recommended for operations during working hours.
- When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time.
  - Now--To set the compliance to be carried out immediately.
  - Later Date--To set at the later date and time.
Click Save and Upgrade button to save the firmware compliance with the above settings.
Set Compliance for Switches: To ensure firmware version compliance, complete the following parameters in the Manage Firmware Compliance page:
- Groups--Select the group for which the compliance must be set. Select the specific group to set compliance at group level.
- AOS-S Firmware Version--Select the AOS-S firmware version number from the drop-down list to which the compliance is required to be set.
- CX Firmware Version--Select the Aruba CX switch version number from the drop-down list to which the compliance is required to be set.
- Auto Reboot--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
- When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time.
  - Now--To set the compliance to be carried out immediately.
  - Later Date--To set at the later date and time.
Click Save and Upgrade button to save the firmware compliance with the above settings.

NOTE: Aruba Central lists all available Aruba CX switches software versions. Select the software version that is applicable to the Aruba CX switch to which compliance is required to be set. For example, version 10.04.0020 is not applicable to Aruba CX 6200 and 6400 switch series.

Set Compliance for Gateways in Standalone Mode: To ensure firmware version compliance, complete the following parameters in the Manage Firmware Compliance page:
- Groups--Select the group for which the compliance must be set. Select the specific group to set compliance at group level.
- Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set. Select None to clear the compliance.
- Auto Reboot--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
- When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time.
  - Now--To set the compliance to be carried out immediately.
  - Later Date--To set at the later date and time.
Click Save and Upgrade button to save the firmware compliance with the above settings.

Upgrade All

Allows you to simultaneously upgrade firmware for all devices. Click Upgrade All to view a list of supported firmware versions for each device.
To Upgrade all Access Points: Click Upgrade All and complete the following parameters in the Upgrade Access Points Firmware page:
- Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set. Select None for none of the firmware versions.
- Upgrade Type--Select any one of the following upgrade types:
  - Standard--Recommended for operations during maintenance windows.
  - Live--Recommended for operations during working hours.
- When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time.
  - Now--To set the compliance to be carried out immediately.
  - Later Date--To set at the later date and time.
- Upgrade--Click this button to start the upgrade with the above settings.
- Cancel--Click this button to cancel the upgrade.
To Upgrade all Switches: Click Upgrade All and complete the following parameters in the Upgrade Switch Firmware page:
- AOS-S Firmware Version--Select the AOS-S firmware version number from the drop-down list to which the compliance is required to be set.
- CX Firmware Version--Select the CX switch firmware version number from the drop-down list to which the compliance is required to be set.
- Auto Reboot--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
- When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time.
  - Now--To set the compliance to be carried out immediately.
  - Later Date--To set at the later date and time.
- Upgrade--Click this button to start the upgrade with the above settings.
- Cancel--Click this button to cancel the upgrade.
To Upgrade all Gateways in Standalone Mode: Click Upgrade All and complete the following parameters in the Upgrade Gateway Firmware page:
- Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set.
- Auto Reboot--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
- When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time.
  - Now--To set the compliance to be carried out immediately.
  - Later Date--To set at the later date and time.
- Upgrade--Click this button to start the upgrade with the above settings.
- Cancel--Click this button to cancel the upgrade.

Search Filter

Allows you to define a filter criterion for searching devices based on the following properties:
- Common to all devices--Name, Firmware Version, Recommended Version and Upgrade Status of the device.
- Specific to switches and gateways--MAC address and Model.

Column Filter

Clicking icon enables you to customize the table columns or set it to the default view.

Access Points

Displays the following information:
- Name--Name of the AP. Clicking on the AP name opens a window with connected APs and allows you to select and view the device Summary page. For more information, see Clients > Wireless Client > Overview.
- APs--Number of APs associated to VC.
- Firmware Version--The current firmware version running on the AP.
- Recommended Version--The version to which the AP is recommended for upgrade.
- Upgrade Status--Filters the device list based on any of the following firmware upgrade status:
  - Show All
  - New firmware available
  - Scheduled
  - In progress
  - Failed
  - Firmware up to date
- Compliance Status--Status of the firmware compliance setting. The value displayed in this column is either Set, Not Set, Set<date and time>, or Compliance scheduled on. The Compliance scheduled on displays the date and time that is set in the Manage Firmware Compliance Setting page.

NOTE: Clicking on the device name and APs from the Name and APs columns, opens a window with connected APs and allows you to select and view the device Summary page. For more information, see Clients > Wireless Client > Overview.

Switch-MAS Switches

Displays the following details about Aruba switches managed through Aruba Central:
- Name--Host name of the switch.
- Family--Displays the following types of switches:
  - AOS-S
  - CX
  This information is only available for Aruba switch and Aruba CX switches.
- MAC Address--MAC address of the switch.
- Model--Hardware model of the switch.
- Firmware Version--The current firmware version running on the switch.
- Recommended Version--The version to which the switch is recommended for upgrade.
- Upgrade Status--Filters the device list based on any of the following firmware upgrade status:
  - Show All
  - New firmware available
  - Scheduled
  - In progress
  - Failed
  - Firmware up to date
- Compliance Status--Status of the firmware compliance setting. The value displayed in this column is either Set, Not Set, Set<date and time>, or Compliance scheduled on. The Compliance scheduled on displays the date and time that is set in the Manage Firmware Compliance Setting page.

NOTE: The Switch-MAS tab is only available for accounts with MAS switches.

NOTE: The Switches tab displays details of both Aruba switch and Aruba CX switches.

Continue

Allows you to continue with firmware upgrade.

Cancel Upgrade

Cancels a scheduled upgrade.

Cancel All

Cancels a scheduled upgrade for all devices.

Upgrading a Device
To check for a new version, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group in the filter, set the filter to one of the options under Group. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.
2. Under Maintain, click Firmware.
3. To upgrade firmware for devices in a specific group, select a group from the group selection filter.
4. Select one or several devices to upgrade.
5. Click the Upgrade icon at the bottom of the page or hover over one of the selected devices. To upgrade all the devices, click the Upgrade All option next to Set Compliance. The Upgrade <Device> Firmware pop-up window opens.
6. Select a firmware version. You can either select a recommended version or manually choose a specific firmware version.
   To obtain custom build details, contact Aruba Central Technical Support.
7. Select Auto Reboot if you want Aruba Central to automatically reboot after device upgrade.
   The Auto Reboot option is available for Mobility Access Switches, Aruba Switch, Aruba CX switches, and Branch Gateways.
8. Specify if the upgrade must be carried out immediately or at a later date and time.
9. Click Upgrade. The device downloads the image from the server, saves it to flash, and reboots. Depending on the progress and success of the upgrade, one of the following messages is displayed:
   - Upgrading--While image upgrade is in progress.
   - Upgrade failed--When the upgrade fails.
10. If the upgrade fails, retry upgrading your device.
After upgrading a switch, click Reboot.
Setting Firmware Compliance For Access Points
Aruba Central allows you to run a firmware compliance check and force firmware upgrade for all APs in a group. To force a specific firmware version for all APs in a group, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware. The Access Points tab is selected by default.
2. Verify the firmware upgrade status for all APs.
3. Click Set Compliance at the top right. The Manage Firmware Compliance window opens.
4. In the Groups drop-down list, select a single group, multiple, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. In the Upgrade Type, select one of the following options:
   - Standard
   - Live
7. Select Auto Reboot if you want Aruba Central to automatically reboot the device after a successful device upgrade.
   The Auto Reboot option is available for Mobility Access Switches, Aruba Switch, Aruba CX switches, and Branch Gateways.
8. Select one of the following as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at the later date and time.
9. Click Save and Upgrade. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.
The following image displays the Manage Firmware Compliance window for Access Points:
Setting Firmware Compliance For Switches
To force a specific firmware version for all MAS switches in a group, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware > Switch-MAS tab.
2. Verify the firmware upgrade status for all MAS switches.
3. Click Set Compliance at the top right. The Manage Firmware Compliance window opens.
4. In the Groups drop-down list, select a single group, multiple, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select Auto Reboot if you want Aruba Central to automatically reboot the device after a successful device upgrade.
7. Select one of the following as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at the later date and time.
8. Click Save and Upgrade. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.
The following image displays the Manage Firmware Compliance window for MAS switches:

To force a specific firmware version for all Aruba switches in a group, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware > Switches tab.
2. Verify the firmware upgrade status for all switches.
3. Click Set Compliance at the top right. The Manage Firmware Compliance window opens.
4. In the Groups drop-down list, select a single group, multiple, or All Groups.
5. Select an AOS-S firmware version from the AOS-S Firmware Version drop-down list.
6. Select a CX firmware version from the CX Firmware Version drop-down list.
7. Select Auto Reboot if you want Aruba Central to automatically reboot the device after a successful device upgrade.
8. Select one of the following as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at the later date and time.
9. Click Save and Upgrade. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.
The following image displays the Manage Firmware Compliance window for Aruba switches:
Setting Firmware Compliance For Gateways in Standalone Mode
To force a specific firmware version for all gateways in standalone mode, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware > Gateways tab. All the gateways with standalone mode are displayed.
2. Verify the firmware upgrade status for all gateways.
3. Click Set Compliance at the top right. The Manage Firmware Compliance window opens.
4. In the Groups drop-down list, select a single group, multiple, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select Auto Reboot if you want Aruba Central to automatically reboot the device after a successful device upgrade.
7. Select one of the following as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at the later date and time.
8. Click Save and Upgrade. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.
The following image displays the Manage Firmware Compliance window for gateways:

Using Troubleshooting Tools
In the Network Operations app, use the filter to select a group, label, site, or a device and then, select Tools menu option under Analyze. The Tools menu allows network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. Users with admin role and custom roles that allow edit access to the troubleshooting module can troubleshoot network and device issues. For more information on user roles, see Configuring User Roles on page 105.
The Tools menu option is not visible to users who do not have troubleshooting permission. Aruba Central does not support performing diagnostic checks on offline devices.
The Tools page is divided into the following tabs:
- Network Check--Allows you to run diagnostic checks on networks and troubleshoot client connectivity issues. You must have admin privileges or read-write privileges to perform network checks.
- Device Check--Allows you to run diagnostic checks and troubleshoot switches. You must have admin privileges or read-write privileges to perform device checks.
- Commands--Allows you to perform network health check on devices at an advanced level using command categories. Read-only users can also perform advanced checks.
This section includes the following topics:
- Troubleshooting Network Issues on page 170
- Enabling Gateway Logs
- Troubleshooting Device Issues on page 178
- Advanced Device Troubleshooting on page 179

Troubleshooting Network Issues
Network check aims to identify, diagnose, and debug issues detected in an Aruba Central-managed network. The Network Check tab on the Tools page captures the troubleshooting utilities that are used to test a network entity and collect results based on your selection. To perform a diagnostic check on the Aruba Central-managed network, complete the following procedure:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed in the List view.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.
2. Under Analyze > Tools, click the Network Check tab. The Network Check page is displayed.
3. Select a device. You can run diagnostic checks on the following types of devices managed by Aruba Central:
   - Access Points
   - Switches
   - Gateways

Table 46 lists the tests available for each device type:

Table 46: Tests and Devices

Test | Access Point | Switch | Gateway
Ping Test | Available | Available | Available
Traceroute | Available | Available | Available
HTTP Test | Available | NA | NA
HTTPS Test | Available | NA | NA
TCP Test | Available | NA | NA
Speed Test | Available | NA | NA

Devices which are already running commands shall not execute newly added commands.

Troubleshooting AP Connectivity Issues
The following tests are available to diagnose issues pertaining to WLAN network connections:
Ping Test
Sends ICMP echo packets to the hostname or IP addresses of the selected devices to check for latency issues. To perform a ping test on APs:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
     c. Click an access point listed under Device Name for which you want to perform diagnostic test. The dashboard context for the access point is displayed.
2. Under Analyze > Tools, click Network Check.
3. From the Device Type drop-down list, select Access Point.
4. From the Test drop-down list, select Ping Test.
5. From the Sources drop-down list, select source(s). You can select multiple APs.
6. From the Destination Type drop-down list, select one of the following:
   - Hostname/IP Address--Enter the hostname or IP address.
   - Client--Select a client.
7. Enter the count in the range as mentioned in the field. The count should be a number between 1 and 300.
8. Click Run. The output is displayed in the Device Output section.
Traceroute
Tracks the packets routed from a network host. To perform a traceroute test on APs:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Group, Label, or Site. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
     c. Click an access point listed under Device Name for which you want to perform diagnostic test. The dashboard context for the access point is displayed.
2. Under Analyze > Tools, click Network Check.
3. From the Device Type drop-down list, select Access Point.
4. From the Test drop-down list, select Traceroute.
5. From the Sources drop-down list, select source(s). You can select multiple APs.
6. Enter the hostname or IP address.
7. Click Run. The output is displayed in the Device Output section.
HTTP Test
Sends packets to the HTTP URL and tries to establish a connection and exchange data. If the HTTP website returns a response, the issue could be isolated to the client device. To perform an HTTP test on APs:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Group, Label, or Site. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
     c. Click an access point listed under Device Name for which you want to perform diagnostic test. The dashboard context for the access point is displayed.
2. Under Analyze > Tools, click Network Check.
3. From the Device Type drop-down list, select Access Point.
4. From the Test drop-down list, select HTTP Test.
5. From the Sources drop-down list, select source(s). You can select multiple APs.
6. Enter the HTTP URL for which you want to perform the HTTP test in the URL field. For example, http://hostname or http://ipaddress.
7. Enter the timeout value in seconds. The value should be between 1 and 10 seconds. The default timeout value is 1 second.
8. Click Run. The test output is displayed in the Device Output section.
Important Points to Note
- HTTP test is supported only from version 8.3.0.0 or above.
- The test supports only IPv4 address or domain name in the URL field.

HTTPS Test
Sends packets to the HTTPS URL and tries to establish a connection and exchange data. If the HTTPS website returns a response, the issue could be isolated to the client device. HTTPS is a performance test to identify the time taken to load a web page. To perform an HTTPS URL test on APs:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Group, Label, or Site. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
     c. Click an access point listed under Device Name for which you want to perform the diagnostic test. The dashboard context for the access point is displayed.
2. Under Analyze > Tools, click Network Check.
3. From the Device Type drop-down list, select Access Point.
4. From the Test drop-down list, select HTTPS Test.
5. From the Sources drop-down list, select source(s). You can select multiple APs.
6. In the URL field, enter the HTTPS URL for which you want to perform the HTTPS test. For example, https://URL or https://IPv4.
7. Enter the timeout value in seconds. The value should be between 1 and 10 seconds. The default timeout value is 1 second.
8. Click Run. The test output is displayed in the Device Output section.
Important Points to Note
- HTTPS test is supported only from version 8.4.0.0 or above.
- The test supports only IPv4 address or domain name in the URL field.
TCP Test
Sends packets to the host, for example, FTP server, and tries to establish a connection and exchange data. If the FTP server returns a response, the issue could be isolated to the client device. To perform a TCP test on APs:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Group, Label, or Site. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
     c. Click an access point listed under Device Name for which you want to perform the diagnostic test. The dashboard context for the access point is displayed.
2. Under Analyze > Tools, click Network Check.
3. From the Device Type drop-down list, select Access Point.
4. From the Test drop-down list, select TCP Test.
5. From the Sources drop-down list, select source(s). You can select multiple APs.
6. Enter a valid IPv4 address in the Host field. Hostname is not supported.
7. Enter the port number in the Port field. The port number should be between 1 and 65535.
8. Enter the timeout value in seconds in the Timeout field. The value should be between 1 and 10 seconds. The default timeout value is 5 seconds.
9. Click Run. The output is displayed in the Device Output section.
Important Point to Note
- TCP test is supported only from version 8.3.0.0 or above.
Speed Test
Performs a speed test to measure network speed and bandwidth. The speed test diagnostic tool is available only for Instant AP. To perform a speed test, you must provide the iPerf server address, protocol type, and speed test options such as bandwidth. To execute a speed test on APs:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Group, Label, or Site. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
     c. Click an access point listed under Device Name for which you want to perform the diagnostic test. The dashboard context for the access point is displayed.
2. Under Analyze > Tools, click Network Check.
3. From the Device Type drop-down list, select Access Point.
4. From the Test drop-down list, select Speed Test.
5. From the Sources drop-down list, select source(s). You can select multiple APs.
6. In the Host field, enter a valid hostname.
7. From the Protocol drop-down list, select the protocol. The available options are TCP or UDP.
8. In the Options field, enter the option. For example, bandwidth.
9. Click Run. The test output is displayed in the Device Output section.
While performing troubleshooting on APs, a maximum of 20 APs are listed in the drop-down list. If there are more than 20 APs, use the Search option to search for an AP on which you would like to perform diagnostic checks. If you navigate from the device details page, the Tools page appears, where the device context is already set and the Source field is automatically populated based on your selection.
Troubleshooting Switch Connectivity Issues
The following tests are available to diagnose issues related to wired network connections:
Ping Test
Sends ICMP echo packets to the IP address of the selected switch to check for latency issues. To perform a ping test on switches, complete the following procedure:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a switch in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name for which you want to perform the diagnostic test. The dashboard context for the switch is displayed.
2. Under Analyze > Tools, click Network Check.
3. From the Device Type drop-down, select Switch.
4. From the Test drop-down, select Ping Test.
5. From the Sources drop-down, select source(s). You can select multiple switches.
   You can select Aruba Switch or Mobility Access Switch from the Sources drop-down.
6. From the Destination Type drop-down, select one of the following:
   - Hostname/IP Address--Enter the hostname or IP address in the Hostname/IP Address field.
   - Client--Select a client from the Client drop-down.
7. In the Repetitions field, enter the repetition value. The value should be between 1 and 10000.
8. In the Data Size field, enter the data size. The value should be between 0 and 65471.
   Mobility Access Switches do not support repetition and data size.
9. Select the Use Management Interface option if you want to use the VRF Management interface. To use the VRF Default interface, clear this option, which is the default.
   The Use Management Interface option is available only for Aruba CX switches.
10. Click Run. The test output is displayed in the Device Output section.

Traceroute
Tracks the packets routed from a network host. To perform a traceroute test on switches, complete the following procedure:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Group, Label, or Site. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a switch in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name for which you want to perform the diagnostic test. The dashboard context for the switch is displayed.
2. Under Analyze > Tools, click Network Check.
3. From the Device Type drop-down, select Switch.
4. From the Test drop-down list, select Traceroute.
5. From the Sources drop-down, select source(s). You can select multiple switches.
6. Enter the hostname or IP address in the Hostname/IP Address field.
7. Select the Use Management Interface option if you want to use the VRF Management interface. To use the VRF Default interface, clear this option, which is the default.
   The Use Management Interface option is available only for Aruba CX switches.
8. Click Run. The output is displayed in the Device Output section. For information about viewing and downloading the output, see Viewing the Device Output.
If you navigate from the device details page, the Tools page appears, where the device context is already set and the Source field is automatically populated based on your selection.
Troubleshooting Gateway Connectivity Issues
The following tests are available to diagnose issues pertaining to WAN or SD-WAN network connections:
Ping Test
Sends ICMP echo packets to the IP addresses of the selected devices to check for latency issues. To perform a ping test on Gateways:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Gateways. A list of gateways is displayed in the List view.
     c. Click a gateway listed under Device Name for which you want to perform the diagnostic test. The dashboard context for the gateway is displayed.
2. Under Analyze > Tools, click Network Check.
3. From the Device Type drop-down list, select Gateway.
4. From the Test drop-down list, select Ping Test.
5. From the Sources drop-down list, select source(s). You can select multiple Gateways.
6. From the Destination Type drop-down list, select one of the following:
   - Hostname/IP Address--Enter the hostname or IP address.
   - Client--Select a client.
   - VPNC--Select the VPN Concentrator.
7. In the Packet Size field, enter the packet size to capture and store the data packet to analyze network issues at a later stage. The range is from 10 to 2000 Bytes.
8. In the Count field, enter the count. The value should be between 1 and 100.
9. Click Run. The output is displayed in the Device Output section.
Traceroute
Tracks the packets routed from a network host. To perform a traceroute test on Gateways:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Group, Label, or Site. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Gateways. A list of gateways is displayed in the List view.
     c. Click a gateway listed under Device Name for which you want to perform the diagnostic test. The dashboard context for the gateway is displayed.
2. Under Analyze > Tools, click Network Check.
3. From the Device Type drop-down list, select Gateway.
4. From the Test drop-down list, select Traceroute.
5. From the Sources drop-down list, select source(s). You can select multiple Gateways.
6. Enter the hostname or IP address.
7. Click Run. The output is displayed in the Device Output section.
If you navigate from the device details page, the Tools page appears, where the device context is already set and the Source field is automatically populated based on your selection.

Viewing the Device Output
After you execute troubleshooting commands on the devices, Aruba Central displays the output in the Device Output section of the Tools page. The output pane displays a list of devices on which the troubleshooting commands were executed, the test type, initial timestamp, source, and target. It also shows the status of the tests, such as in progress or complete, and the buffer time. If there are multiple devices, select the device for which you want to view the output.
The output history of a device with buffer space issues is cleared automatically.
You can perform the following tasks from the Device Output section:
- Click Clear to clear the output. You can clear the output for a single device or for all devices. The Clear option is disabled for read-only users.
- Click the Search icon to search for text in the output.
- Click the Email icon and click Send to send the output as an email. You can also add email recipients in the CC field.
- Click the Download icon to export the command output as a zip file.
- Click the maximize icon to maximize the device output pane.
For more information on the output displayed for the CLI commands, see the following documents:
- Aruba Instant CLI Reference Guide for Instant AP CLI command output
- HPE ArubaOS-Switch Management and Configuration Guide for Aruba Switch CLI command output
- ArubaOS 7.4.x CLI Reference Guide for Mobility Access Switches CLI command output
- ArubaOS CLI Reference Guide for SD-WAN Gateway CLI command output
Troubleshooting Device Issues
Device check aims to identify, diagnose, and debug issues on your device. The Device Check tab in the Tools page can be used to perform troubleshooting checks for Aruba Switches and Aruba CX switches only. When a troubleshooting operation is initiated, Aruba Central establishes a session with the switch selected for the troubleshooting operation and displays the output in the Device Output section. To perform a device check on a switch, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a switch in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name for which you want to perform the diagnostic test. The dashboard context for the switch is displayed.
2. Under Analyze > Tools, click the Device Check tab. The Device Check page is displayed.
   By default, the Device Type is set to Switch if a switch is configured in the data path; otherwise, a warning is displayed. Multiple device selection is not allowed at this level. Devices that are already running commands do not execute newly added commands.
3. From the Sources drop-down, select a switch.
4. From the Test drop-down, select one of the following tests to perform diagnostic checks on the selected switch:
   - Cable Test--Enables testing of the electrical connections in the switch cable. It checks whether the cabling conforms to the cabling plans and is of expected quantity. It is useful for production and maintenance.
     Cable Test is supported in Aruba Switches only from version 16.05.000 or above. Cable Test is not supported in Aruba CX switches.
   - Interface Bounce--Restarts the port interface and forces a client to re-initiate a DHCP request. This option is available only for Aruba Switches.
   - PoE Bounce--Restarts the PoE port and the device that is either connected to the PoE port or powered by it. This option is available only for Aruba Switches.
     If you select Cable Test, PoE Bounce, or Interface Bounce, you must enter the port number or the port number range as mentioned in the example text. If you navigate to the Tools page from the Clients page, under Device Check the client context is already set and the port number is auto filled based on the client selected.
   - Chassis Locate--Activates the Switch locator LED. The locator LED indicates the physical location where an Aruba Switch is currently installed.
   Important Point to Note
   Interface Bounce, PoE Bounce, and Chassis Locate tests are supported only from the following versions in switches:
   - Aruba Switches: 16.04.0000 or above
   - Aruba CX: See Supported Aruba CX Platforms on page 436.
5. Click Run. The output is displayed in the Device Output section. For information about viewing and downloading the output, see Viewing the Device Output. Unlike the other tests, for Cable Test, the output is displayed in a tabular format, and you cannot download, email, or export the output.
Advanced Device Troubleshooting
Advanced device check aims to identify, diagnose, and debug issues on your device at an advanced level using commands. The Commands tab on the Tools page lists commands specific to a particular device to test the device entity and collect results based on your selection. When a troubleshooting operation is initiated, Aruba Central establishes a session with the devices selected for the troubleshooting operation and displays the output in the Device Output section. To perform advanced troubleshooting on devices, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed in the List view.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.
2. Under Analyze > Tools, click the Commands tab. The Commands page is displayed.
3. Select a device. Network administrators can perform advanced troubleshooting on the following types of devices managed by Aruba Central:
   - Access Points
   - Switches
   - Gateways
Devices that are already running commands do not execute newly added commands.
To perform advanced troubleshooting on APs, the minimum software version required on Instant APs is 6.4.3.14.2.0.3. To perform advanced troubleshooting on Mobility Access Switches, the minimum supported version is 7.4.0.6.
Troubleshooting Access Points
To troubleshoot APs at an advanced level:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
     c. Click an access point listed under Device Name for which you want to perform the diagnostic test. The dashboard context for the access point is displayed.
2. Under Analyze > Tools, click Commands.
3. In the Commands tab, select the device type as Access Point.
4. From the Available Devices drop-down list, select the AP. You can select multiple APs.
5. Select any command category and the Commands pane displays the associated commands.
6. Click Add > to add the selected commands to the Selected Commands pane.
7. If you have selected a command marked with either '*' or '+', enter the filtration parameters as displayed in the Additional Filters dialog box. For more information on filtering commands, see Filtering Commands on page 183.
8. (Optional) Select command(s) and click < Remove to remove selected command(s) or click < Remove All to clear the Selected Commands pane.
9. (Optional) To set a frequency for automatically executing the troubleshooting commands:
   a. Click the Repeat check box.
   b. Specify an interval for executing the troubleshooting commands. You can also specify how frequently the commands must be executed during a given interval.
   c. Click Reset to modify the values in all the fields, and Cancel All for canceling all the repeats. Click the stop icon to stop a particular repeat.
10. Click Run. The output is displayed in the Device Output section.
To perform advanced troubleshooting on APs, the minimum software version required on Instant APs is 6.4.3.14.2.0.3. To perform advanced troubleshooting on Mobility Access Switches, the minimum supported version is 7.4.0.6.
If you navigate from the device details page, the Tools page appears, where the device context is already set and the Source field is automatically populated based on your selection.
Troubleshooting Switches
To troubleshoot switches at an advanced level:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a switch in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name for which you want to run a diagnostic test. The dashboard context for the switch is displayed.
2. Under Analyze > Tools, click Commands. The Commands page is displayed.
3. From the Device Type drop-down, select Switch.
4. From the Available Devices drop-down, select the switch. You can select multiple switches.
5. Select any command category in the Categories pane and the Commands pane displays the associated commands.
   Aruba CX switches support only the show tech and show running-config commands.
6. Click Add > to add the selected commands to the Selected Commands pane.
7. If you have selected a command marked with either '*' or '+', enter the filtration parameters as displayed in the Additional Filters dialog box. For more information on filtering commands, see Filtering Commands on page 183.
8. (Optional) Select command(s) and click < Remove to remove selected command(s) or click < Remove All to clear the Selected Commands pane.
9. (Optional) To set a frequency for automatically executing the troubleshooting commands:
   a. Click the Repeat check box.
   b. Specify an interval for executing the troubleshooting commands. You can also specify how frequently the commands must be executed during a given interval.
   c. Click Reset to modify the values in all the fields, and Cancel All for canceling all the repeats. Click the stop icon to stop a particular repeat.
10. Click Run. The output is displayed in the Device Output section.
For information about viewing and downloading the output, see Viewing the Device Output.
Troubleshooting Gateways
To troubleshoot Gateways at an advanced level:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Gateways. A list of gateways is displayed in the List view.
     c. Click a gateway listed under Device Name for which you want to perform the diagnostic test. The dashboard context for the gateway is displayed.
2. Under Analyze > Tools, click Commands.
3. In the Commands tab, select the device type as Gateway.
4. From the Available Devices drop-down list, select the gateway. You can select multiple gateways.
5. Select any command category and the Commands pane displays the associated commands.
6. Click Add > to add the selected commands to the Selected Commands pane.
7. If you have selected a command marked with either '*' or '+', enter the filtration parameters as displayed in the Additional Filters dialog box. For more information on filtering commands, see Filtering Commands on page 183.
8. (Optional) Select command(s) and click < Remove to remove selected command(s) or click < Remove All to clear the Selected Commands pane.
9. (Optional) To set a frequency for automatically executing the troubleshooting commands:
   a. Click the Repeat check box.
   b. Specify an interval for executing the troubleshooting commands. You can also specify how frequently the commands must be executed during a given interval.
   c. Click Reset to modify the values in all the fields, and Cancel All for canceling all the repeats. Click the stop icon to stop a particular repeat.
10. Click Run. The output is displayed in the Device Output section.
Filtering Commands
To streamline the debug process and avoid generating large amounts of data while troubleshooting, a few commands support filtering by client MAC address, IP address, and port.
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed in the List view.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.
2. Under Analyze > Tools, click Commands. The Commands page is displayed.
3. Select the device type, Access Point, Switch, or Gateway as required from the drop-down list.
4. Select any command category and the Commands pane displays the associated commands.
If you navigate from the device details page, the Tools page appears, where the device context is already set and the Source field is automatically populated based on your selection.
Mandatory filters-- Commands marked with '*'
1. Select a command marked with '*' and click Add. The Additional Filters dialog box appears.
2. Enter the parameters, such as client MAC address, IP address, port number, port list, or policy name, as required. The parameters are generated based on the commands selected.
3. Click Apply.
   In case of mandatory filter commands, if you do not enter the filtering parameters in the Additional Filters dialog box, the command is not added to the Selected Commands pane and you cannot perform the troubleshooting.
4. (Optional) Click Edit All to reset the filtration parameters for all the commands added in the Selected Commands pane.
Optional filters-- Commands marked with '+'
1. Select a command marked with '+' and click Add. The Additional Filters dialog box appears.
2. (Optional) Enter the parameters, such as client MAC address, IP address, port number, port list, or policy name, as required. The parameters are generated based on the commands selected.
3. Click Apply.
   In case of optional filter commands, if you do not enter the filtering parameters in the Additional Filters dialog box, the command is still added to the Selected Commands pane and you can perform your troubleshooting.
4. (Optional) Click Edit All to reset the filtration parameters for all the commands added in the Selected Commands pane.
Viewing the Device Output
After you execute troubleshooting commands on the devices, Aruba Central displays the output in the Device Output section of the Tools page. If there are multiple devices, select the device for which you want to view the output. It shows the status of the tests, such as in progress or complete, and the buffer time.
The output history of a device with buffer space issues is cleared automatically.
You can perform the following tasks from the Device Output section:
- Click Clear to clear the output. You can clear the output for a single device or for all devices. The Clear option is disabled for read-only users.
- Click the Search icon to search for text in the output.
- Click the Email icon and click Send to send the output as an email. You can also add email recipients in the CC field.
- Click the Download icon to export the command output as a zip file.
- Click the maximize icon to maximize the device output pane.
For more information on the output displayed for the CLI commands, see the following documents:
- Aruba Instant CLI Reference Guide for Instant AP CLI command output
- HPE ArubaOS-Switch Management and Configuration Guide for Aruba Switch CLI command output
- ArubaOS 7.4.x CLI Reference Guide for Mobility Access Switches CLI command output
- ArubaOS CLI Reference Guide for SD-WAN Gateway CLI command output

Viewing Audit Trails in the Account Home Page
The Audit Trail page shows the logs for all the device management, configuration, and user management events triggered in Aruba Central. To view audit trail logs:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page opens.
2. From the Select App drop-down list, select one of the following:
   - All Apps--Displays audit trail logs for all apps.
   - Network Operations--Displays audit trail logs for the Network Operations app.
   - ClearPass Device Insight--Displays audit trail logs for the ClearPass Device Insight app.
The following table describes the fields displayed in the Audit Trail table:

Table 47: Audit Trail Details

| Parameter | Description |
|---|---|
| Occurred On | Time stamp of the events for which the audit trails are shown. |
| IP Address | IP address of the client device. |
| Username | Username of the admin user who applied the changes. |
| Target | Group or device to which the changes were applied. |
| Source | Tenant account in which the changes occurred. NOTE: This column is applicable only in the MSP mode. |
| Category | Type of modification and the affected device management category. |
| Description | A short description of the changes such as subscription assignment, firmware upgrade, and configuration updates. Click to view the complete details of the event. For example, if an event was not successful, click the ellipsis to view the reason for the failure. |

Viewing Audit Trail in the Standard Enterprise Mode
The Audit Trail page in the Standard Enterprise Portal shows the total number of logs generated for all the device management, configuration, and user management events triggered in Aruba Central. You can search or filter the audit trail records based on any of the following columns:
- Occurred on (Custom Range)
- Username
- IP Address
- Category
- Description
- Target
To view the audit trail log details in Aruba Central:
1. In the Network Operations app, select one of the following options:
   - To select a group or all devices in the filter, set the filter to Group. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed in the List view.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.
2. Under Analyze, click Audit Trail. The Audit Trail table is displayed with the following details:
   - Occurred On--Timestamp of the audit log. Use the sort option to sort the audit logs by date and time. Use the filter option to select a specific time range to display the audit logs.
   - IP Address--IP address of the client device.
   - Username--Username of the admin user who applied the changes.
   - Target--The group or device to which the changes were applied.
   - Category--Type of modification and the affected device management category.
   - Description--A short description of the changes such as subscription assignment, firmware upgrade, and configuration updates. Click to view the complete details of the event. For example, if an event was not successful, clicking the ellipsis displays the reason for the failure.
To customize the Audit Trail table, click the ellipsis icon to select the required columns, or click Reset to default to set the table to the default columns.
Classification of Audit Trails
The audit trail is classified according to the type of modification and the affected device management category. The category can be one of the following:
- Configuration
- Firmware Management
- Reboot
- Device Management
- Templates
- User Management
- Variables
- Label Management
- MSP
- Guest
- Groups
- Subscription Management
- API Gateway
- RBAC
- Sites Management
- SAML Profile
- User Activity
- Federated User Activity
- Alert Configuration
- Install Manager
- Tools
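The audit trail fields and categories described above are enough to triage administrative changes that deserve a second look. The following Python sketch is an added example, not part of the Aruba documentation: it assumes the audit records are available as CSV text whose columns carry the names from the Audit Trail table, and the sample rows, timestamp format, admin network, working hours and choice of sensitive categories are all constructed for illustration.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample. The column names are the Audit Trail fields listed on this
# page; the CSV layout, timestamp format and all rows are assumptions.
SAMPLE_EXPORT = """\
Occurred On,IP Address,Username,Target,Category,Description
2020-11-02 09:14:05,198.51.100.7,netops@example.com,Branch-Group,Configuration,Group configuration updated
2020-11-02 10:02:41,198.51.100.9,netops@example.com,AP-Lobby-01,Tools,Ping test executed
2020-11-03 02:37:18,203.0.113.50,helpdesk@example.com,helpdesk@example.com,RBAC,Role changed to admin
2020-11-03 02:39:02,203.0.113.50,helpdesk@example.com,Global,API Gateway,API token created
2020-11-03 11:20:33,198.51.100.7,netops@example.com,SW-Core-01,Reboot,Device reboot triggered
2020-11-03 23:05:10,198.51.100.9,netops@example.com,SW-Core-01,Firmware Management,Firmware upgrade scheduled
"""

# Categories from the page's classification list that alter account access or
# device software. Which ones count as sensitive is the reviewer's choice.
SENSITIVE_CATEGORIES = {
    "User Management", "RBAC", "SAML Profile", "API Gateway", "Firmware Management",
}


def parse_audit_trail(text):
    """Parse CSV text into dicts and add the parsed timestamp under 'when'."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row = {key: value.strip() for key, value in row.items()}
        row["when"] = datetime.strptime(row["Occurred On"], "%Y-%m-%d %H:%M:%S")
        records.append(row)
    return records


def review(records, admin_networks, work_hours=(7, 19)):
    """Return (record, reasons) pairs for events that need a second look.

    An event is reported when its source IP is outside the expected admin
    networks, or when it is a sensitive-category change made outside the
    working hours (start hour inclusive, end hour exclusive).
    """
    networks = [ipaddress.ip_network(net) for net in admin_networks]
    findings = []
    for rec in records:
        reasons = []
        source = ipaddress.ip_address(rec["IP Address"])
        if not any(source in net for net in networks):
            reasons.append("source IP outside admin networks")
        off_hours = not (work_hours[0] <= rec["when"].hour < work_hours[1])
        if rec["Category"] in SENSITIVE_CATEGORIES and off_hours:
            reasons.append("sensitive change outside working hours")
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in review(parse_audit_trail(SAMPLE_EXPORT), ["198.51.100.0/24"]):
        print(rec["Occurred On"], rec["Username"], rec["Category"],
              rec["Target"], "->", "; ".join(reasons))
```

In MSP mode the Source column would also be present; adding it to the report line shows which tenant account a flagged change belongs to.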
Removing Devices
The device monitoring dashboards allow you to remove an offline device. However, you will not be able to remove a device completely from Aruba Central database, because the device entry remains in the Device Inventory page. The devices appearing in the Device Inventory page shows the hardware devices that belong to your account or purchase order. For information on removing an offline device, see the following topics:
- Deleting an Offline AP
- Deleting an Offline Switch
- Deleting a Gateway
Removing a Device from the Device Inventory Page
You cannot remove a device completely from Aruba Central, but you can unsubscribe the device. After you unsubscribe, the device status changes to Unsubscribed in the Device Inventory page. If you have more than one Aruba Central account and if another Aruba Central user adds this unsubscribed device to another Aruba Central account, the device entry is removed from the Device Inventory page in your Aruba Central account.


Chapter 5 The AI Insights Dashboard
In an environment of rapidly changing business and user expectations driven by an explosion of connectivity requirements from the edge to the cloud, a new approach to network management is required. Aruba AIOps (Artificial Intelligence for IT operations) is the next generation of AI-powered solutions that integrates proven Artificial Intelligence solutions with recommended and automated action to provide both fast response to identified problems, along with proactive prediction and prevention. With data collected from over 750,000 access points, switches, and gateways, Aruba Central and built-in AI Insights proactively identifies and solves issues, and provides pinpoint configuration recommendations. As the data is stored in the cloud, it is easy to view the network performance across all locations from a single pane of glass. Utilizing the cloud also provides the ability to anonymously compare a network with a peer network or the baselines for a broader perspective and optimization. All of this comes from Aruba's advantage in accessing an enormous volume and variety of data that is factored into insights. Aruba does not collect or process personal data.
In this release the insights are classified under three categories:
- Connectivity--Issues related to the wireless connectivity in the network.
- Wireless Quality--Issues related to the RF Info or RF Health in the network.
- Availability--Issues related to the health of your network infrastructure and the devices in the network such as APs, switches, and gateways.
The AI Insights dashboard displays a report of network events that could possibly affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level for the selected time range. Each insight provides specific details on the occurrences of these events for easy debugging. To launch the AI Insights dashboard, complete the following steps:
1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage, click Overview > AI Insights. The Insights table is displayed. AI Insights listed in the dashboard are sorted from high priority to low priority.
3. Click the arrow against each insight to view further details.


Figure 22 Insight Details

| Callout Number | Description |
|---|---|
| 1 | Click this arrow to expand any specific insight to view further details. |
| 2 | Displays the insight severity, using the following colors: Red--High priority; Orange--Medium priority; Yellow--Low priority. NOTE: The following three configuration insights are marked in blue color in the severity column: Access Point transmit power can be optimized; Coverage Holes have been detected; Outdoor clients are impacting Wi-Fi performance. |
| 3 | Short description of the insight. |
| 4 | Insight Summary displays the reason why the insight was generated along with recommendation. It also shows the number and percentage of failures that occurred against each failure reason. The reasons are classified into: Static--These reasons rely on Aruba's domain expertise; Dynamic--These reasons are generated based on error codes that are received from infrastructure devices. |
| 5 | Time Series graph is a graphical representation of the failure percentage or failure events that occurred for the selected time range. |
| 6 | Category of the insight. |
| 7 | Short description of the impact. |
| 8 | Cards display additional information specific to each insight. Cards might vary for each insight based on the context the insight is accessed from. For more information, see Cards. |


All AI Insights generated are listed in the Global > AI Insights dashboard. Alternatively, AI Insights for a specific site, device, or client can be viewed by selecting the respective context. For more information on available insights and the context, see Insights Context.
AI Insights are displayed for a selected time period based on the time selected in the Time Range Filter. You can select one of the following: 3 Hours, 1 Week, 1 Day, or 1 Month.
Figure 23 AI Insights Dashboard

Insights Context
Insights can be accessed from different contexts such as Global, Site, Clients, and Device. The following table lists the different types of insights generated by Aruba Central and the path from where it can be accessed.
In this release, all AI Insights are available irrespective of the user role or Aruba Central subscription. In the upcoming Aruba Central release, AI Insights marked as Advanced in the user interface would require an advanced subscription.

Table 48: Navigating Insights

| Insights | Category | Context | Navigation |
|---|---|---|---|
| Access Points had unusually high CPU utilization | Availability -- Access Point | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| Access Points with unusually high memory usage were found | Availability -- Access Point | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| Information (telemetry) was not received from APs/Radios | Availability -- Access Point | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| Access Points had a high number of reboots | Availability -- Access Point | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| Switches had excessive port flaps | Availability -- Switch | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Switches | Network Operations > Global > Devices > Switches > Device Name > AI Insights |
| Switches had an unusual number of port error | Availability -- Switch | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Switches | Network Operations > Global > Devices > Switches > Device Name > AI Insights |
| Switch ports had a high number with Power-over-Ethernet problems | Availability -- Switch | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Switches | Network Operations > Global > Devices > Switches > Device Name > AI Insights |
| Switches had unusually high CPU utilization | Availability -- Switch | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Switches | Network Operations > Global > Devices > Switches > Device Name > AI Insights |
| Switches had unusually high memory usage | Availability -- Switch | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Switches | Network Operations > Global > Devices > Switches > Device Name > AI Insights |
| Gateway tunnels failed to get established | Availability -- Gateway | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Gateways | Network Operations > Global > Devices > Gateways > Device Name > AI Insights |
| Gateways had unusually high CPU utilization | Availability -- Gateway | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Gateways | Network Operations > Global > Devices > Gateways > Device Name > AI Insights |
| Gateways had high Memory usage | Availability -- Gateway | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Gateways | Network Operations > Global > Devices > Gateways > Device Name > AI Insights |
| Clients roamed excessively | Connectivity -- Wi-Fi | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| | | Clients | Network Operations > Global > Clients > Client Name > AI Insights; Network Operations > Site > Clients > Client Name > AI Insights |
| Clients experienced high latency while roaming | Connectivity -- Wi-Fi | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| | | Clients | Network Operations > Global > Clients > Client Name > AI Insights; Network Operations > Site > Clients > Client Name > AI Insights |
| DNS request/responses were significantly delayed | Connectivity -- Wi-Fi | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| | | Clients | Network Operations > Global > Clients > Client Name > AI Insights; Network Operations > Site > Clients > Client Name > AI Insights |
| DNS server(s) rejected a high number of queries | Connectivity -- Wi-Fi | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| | | Clients | Network Operations > Global > Clients > Client Name > AI Insights; Network Operations > Site > Clients > Client Name > AI Insights |
| Clients had DHCP server connection problems | Connectivity -- Wi-Fi | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| | | Clients | Network Operations > Global > Clients > Client Name > AI Insights; Network Operations > Site > Clients > Client Name > AI Insights |
| DNS queries failed to reach or return from the servers | Connectivity -- Wi-Fi | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| Clients had an unusual number of MAC authentication failures | Connectivity -- Wi-Fi | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| | | Clients | Network Operations > Global > Clients > Client Name > AI Insights; Network Operations > Site > Clients > Client Name > AI Insights |
| Clients had excessive Wi-Fi security key-exchange failures | Connectivity -- Wi-Fi | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| | | Clients | Network Operations > Global > Clients > Client Name > AI Insights; Network Operations > Site > Clients > Client Name > AI Insights |
| Clients had excessive 802.1x authentication failures | Connectivity -- Wi-Fi | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| | | Clients | Network Operations > Global > Clients > Client Name > AI Insights; Network Operations > Site > Clients > Client Name > AI Insights |
| Access Point transmit power can be optimized | Wireless Quality | Global | Network Operations > Global > Overview > AI Insights |
| Access Points impacted by high 2.4 GHz usage | Wireless Quality | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| Access Points were impacted by high 5 GHz usage | Wireless Quality | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| Dual-band (2.4/5 GHz) capable clients primarily used 2.4 GHz | Wireless Quality | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| | | Clients | Network Operations > Global > Clients > Client Name > AI Insights; Network Operations > Site > Clients > Client Name > AI Insights |
| Clients had a significant number of Low SNR uplink minutes | Wireless Quality | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| | | Clients | Network Operations > Global > Clients > Client Name > AI Insights; Network Operations > Site > Clients > Client Name > AI Insights |
| Coverage Holes have been detected | Wireless Quality | Global | Network Operations > Global > Overview > AI Insights |
| Access Points had an excessive number of channel changes | Wireless Quality | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| Access Point radios changed their transmit power frequently | Wireless Quality | Global | Network Operations > Global > Overview > AI Insights |
| | | Site | Network Operations > Sites > Overview > AI Insights |
| | | Access Points | Network Operations > Global > Devices > Access Points > Device Name > AI Insights |
| Outdoor clients are impacting Wi-Fi performance | Wireless Quality | Global | Network Operations > Global > Overview > AI Insights |


Cards
All the insights in Aruba Central display certain cards with additional information specific to that insight. The top view of each card usually shows the top 5 data in a pie chart or a bar graph view. For a few cards, a further drill-down is available in the form of a drop-down list. The cards might vary for each insight based on the context the insight is accessed from.
The following table displays the cards available in different insights:

Table 49: Cards

- The Site card displays the number of sites impacted by an insight. Click the arrow to expand the card and view the top 5 sites where the issue occurred.
- The Access Point card displays the number of APs impacted by an insight. Click the arrow to expand the card and view the top 5 APs where the issue occurred. You can also click the drop-down list to view further details about the impacted access points.
- The Client card displays the number of clients impacted by an insight. Click the arrow to expand the card and view the top 5 clients where the issue occurred.
- The Server card displays the number of servers impacted by an insight. Click the arrow to expand the card and view the top 5 servers where the issue occurred.
- The RF Info card displays the number of channels impacted by an insight. Click the arrow to expand the card and view the top 5 bands where the issue occurred. You can also click the drop-down list to view further details about the impacted RF bands.
- The Switch card displays the number of switches impacted by an insight. Click the arrow to expand the card and view the top 5 switches where the issue occurred. You can also click the drop-down list to view further details about the impacted switches.
- The Wired Client card displays the number of wired clients impacted by an insight. Click the arrow to expand the card and click the drop-down list to view further details about the impacted wired clients.
- The Roam card displays the percentage of client latency roams. Click the arrow to expand the card and click the drop-down list to view further details about the roaming latency and band.
- The Tunnel card displays the number of gateway tunnels down. Click the arrow to expand the card and view the reasons for the cause of tunnel down.
- The Gateway card displays the number of gateways impacted by an insight. Click the arrow to expand the card and view the top 5 gateways where the issue occurred. You can also click the drop-down list to view further details about the impacted gateways.
- The VPNC card displays the number of VPNC gateways on which the tunnels are down. Click the arrow to expand the card and view the reasons for the cause of VPNC tunnel down.
- The Client Minutes card is available only for the Outdoor Clients Impacting Wi-Fi Performance insight and it displays the percentage of avoided outdoor client minutes and the affected indoor client minutes in a network. Click the arrow to expand the card and view a graphical representation of the data.
- The Port card is available for the switch port health insights and it displays the number of ports experiencing excessive flaps or errors. Click the arrow to expand the card and view the top 5 ports where the issue occurred.
- The CPU card is available at the device (Gateways and Switches) context and displays the number of gateways and switches impacted by high CPU utilization in the network. Click the arrow to expand the card and view a graphical representation of the data.
- The Memory card is available at the device (Gateways and Switches) context and displays the number of gateways and switches impacted by high memory utilization in the network. Click the arrow to expand the card and view a graphical representation of the data.
- The Power card displays the number of power changes in access points in the network. Click the arrow to expand the card and click the drop-down list to view further details about the impacted access points.
- The Channel card displays the number of channel changes per channel for a specific access point in the network. Click the arrow to expand the card and click the drop-down list to view further details about the impacted channels.

If you click the number displayed on a card, further details specific to that card are displayed in a tabular format. A few columns are displayed by default, whereas a few other columns do not appear in the table by default.
To customize a table, click the ellipses icon to select the required columns, or click Reset to default to set the table to the default columns.
Baselines
Baseline enables you to compare your network performance with similar peer groups. Baseline is calculated on a weekly basis and is available in the trend chart for insights in the Site context only. Baseline is displayed as a blue line in the trend chart. The following two baselines are available in Aruba Central:
- Class baseline--Provides a comparison with similar peer groups in the networks. Peer group classification is done based on various parameters such as number of access points, neighboring devices information, and so on.
- Company baseline--Provides a comparison of the network within the entire customer ID (CID).

Baseline is supported for the following insights:
- Clients had an unusual number of MAC authentication failures
- Clients had excessive Wi-Fi security key-exchange failures
- Clients had excessive 802.1x authentication failures
- Clients had DHCP server connection problems
- DNS queries failed to reach or return from the servers
- DNS server(s) rejected a high number of queries
- DNS request/responses were significantly delayed
- Access Points had unusually high CPU utilization
- Access Points with unusually high memory usage were found
- Access Points had a high number of reboots
- Information (telemetry) was not received from APs/Radios
- Access Points had an excessive number of channel changes
- Access Points impacted by high 2.4 GHz usage
- Access Points were impacted by high 5 GHz usage
- Access Point transmit power can be optimized
- Dual-band (2.4/5 GHz) capable clients primarily used 2.4 GHz
- Clients had a significant number of Low SNR uplink minutes
Access Points had a high number of reboots
The Access Points had a high number of reboots insight can be accessed from the Global, Site, and Access Points context. This insight provides information about the APs that rebooted the most and is categorized under availability because the clients connected to these APs experience connectivity drops. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
This bar graph displays the number of AP reboots that occurred during the selected time period. Hover your mouse over each bar graph to see the exact number of reboots. The following graph shows data trend for the last 30 days (1 Month).
Figure 24 Excessive AP Reboots Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 50: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Access Point | Global, Site |

Site
Lists the number of sites where the APs experience excessive reboots. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- APs with Excessive Reboots--Number of APs that experience excessive reboots in each site.
- Reboot Count--Number of reboots that occurred in each AP in a specific site.


Access Point
Lists the number and details of reboots observed in an AP. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list, to view the following:
- Time Series--Pictorial graph of the AP reboots that occurred on different dates but similar timestamp.
- FW Version--Pictorial graph of AP reboots classified by AP firmware versions.
- AP Model--Pictorial graph of AP reboots classified by AP models.
Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- AP MAC--MAC address of the AP.
- AP Serial--Serial number of the AP.
- Firmware--Version of the firmware running on each AP.
- AP Model--Model number of each AP.
- Site--Name of the site where the AP resides.
- Reboot Count--Number of reboots over time.
Access Points had an excessive number of channel changes
The Access Points had an excessive number of channel changes insight can be accessed from the Global, Site, and Access Points context. This insight provides information about AP radios that changed channels excessively in the network. It is categorized under wireless quality because the connected clients might have to reconnect after an AP changes channel for a better network performance. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs changed channels on the network.
- Recommendation--Displays the recommendation against each failure to resolve the same.
- Channel Changes--Displays the exact number and percentage of failures that occurred against each failure reason.
Time Series Graph
This bar graph displays the number of channel changes per channel for a specific AP during the selected time period. Hover your mouse on each bar graph to see the exact number of channel changes. The following graph shows data trend for seven days (1 Week).


Figure 25 Excessive AP Radio Channel Changes Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 51: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Access Point | Global, Site |
| Client | Global, Site, Device |
| Channel | Global, Site, Device |

Site
Lists the number of sites that experience excessive AP radio channel changes in the network. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Impacted Session Count--Number of times the insight is triggered on each site.
- Total Session Count--Total number of session count in each site.
- Total Channel Changes--Total number of channel changes in each site.
- Impacted Radio Count--Number of radios with high airtime.
- Total Radios--Total number of radios in each site.
Access Point
Lists the number and details of APs that experience excessive AP radio channel changes in the network. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list, to view the following:
- Model--Pictorial graph of the channel changes classified by AP models.
- FW Version--Pictorial graph of channel changes classified by AP firmware versions.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- Name--Name of the access points and link to the Access Point Details page.
- Model--Model number of each AP.
- Band--Bandwidth where each AP dwells.
- Channel Change Count--Number of channel changes on each AP.
- Impacted Session Count--Number of times the insight is triggered on each AP.
- Total Session Count--Total number of session count in each AP.
Client
Lists the MAC Address, name, host name, auth ID, and the corresponding number of channel changes for each client. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the number displayed on the Clients card, to view a detailed description of the impacted clients:
- Name--Name of the impacted client.
- Impacted Count--Number of channels changed on each client.
Channel
Number of channel changes per channel for a specific AP during the selected time period. Click the arrow to expand the card and view the pictorial graph of the channel changes. Click the Channel drop-down list to view the following:
- Band--Pictorial graph of the channel changes based on both 2.4 GHz and 5 GHz.
- Channel--Pictorial graph of the number of channel changes per channel for a specific AP during the selected time period. It shows a comparison of the channel change between the peer network and AP.
Click the number displayed on the Channel card to view a detailed description of the impacted channels:
- Channel--Total number of channels.
- Number of Channel Changes--Number of channels that experienced excessive changes.
Access Points had unusually high CPU utilization
The Access Points had unusually high CPU utilization insight can be accessed from the Global, Site, and Access Points context. This insight provides information about APs that have higher than normal CPU utilization and is categorized under availability as the clients connected to these APs experience intermittent connectivity drops. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
This bar graph displays the number of APs that experience high CPU utilization in the network during the selected time period. Hover your mouse on each bar graph to see the exact number of APs. The following graph shows data trend for 3 hours in a day.
Figure 26 APs with High CPU Utilization Data


Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 52: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Access Point | Global, Site |

Site
Lists the number of sites where the APs experience high CPU utilization. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- APs with High CPU--Number of APs that experience high CPU utilization in each site.
- Minutes with High CPU--Time range of high CPU utilization in each site.
Access Point
Lists the number and details of APs that experience high CPU utilization in the network. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list, to view the following:
- AP Model--Pictorial graph of CPU utilization classified by AP models.
- FW Version--Pictorial graph of CPU utilization classified by AP firmware versions.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- AP MAC--MAC address of the AP.
- AP Serial--Serial number of the AP.
- Firmware--Version of the firmware running on each AP.
- AP Model--Model number of each AP.
- Site--Name of the site where the AP resides.
- Minutes with High CPU--Time range of high CPU utilization on each AP.
- Minutes with High CPU (%)--Percentage of high CPU utilization on each AP.
Access Points impacted by high 2.4 GHz usage
The Access Points impacted by high 2.4 GHz usage insight can be accessed from the Global, Site, and Access Points context. This insight provides information about AP radios whose Wi-Fi channel utilization deviated from the normal utilization range, as compared to other APs broadcasting in the same location, RF band, and time of day. It is categorized under wireless quality as the connected clients experience poor Wi-Fi performance. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs experience higher airtime utilization in the network.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
Time Series Graph
This bar graph displays the number of APs that experience high 2.4 GHz airtime utilization in the network during the selected time period. Hover your mouse on each bar graph to see the exact number of APs. The following graph shows data trend for 3 hours in a day.
Figure 27 APs with High 2.4 GHz Utilization Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 53: Cards Context

Cards         Context
Site          Global
Access Point  Global, Site
Client        Global, Site, Device
RF Info       Global, Site, Device

Site
Lists the number of sites that experience high 2.4 GHz airtime utilization in the network. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:


- Site--Name of the site impacted by the insight.
- Duration (mins)--Time range that an AP in each site experienced high airtime utilization.
- Clients Impacted--Number of clients impacted by the insight.
- APs Impacted--Number of APs impacted by the insight in each site.
- Reasons--Cause of the high 2.4 GHz airtime utilization in each site.
Access Point
Lists the number and details of APs that experience high 2.4 GHz airtime utilization in the network. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list, to view the following:
- Model--Pictorial graph of the high 2.4 GHz airtime utilization percentage classified by AP models.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- MAC--MAC address of the AP.
- Serial--Serial number of the AP.
- Consumed Airtime (mins)--Time range of the consumed airtime in each AP.
- Duration (mins)--Time range that the AP experienced high airtime utilization.
- Reasons--Cause of the high 2.4 GHz airtime utilization in each AP.
- Clients Impacted--Number of clients impacted by the insight connected to each AP.
- Avg Channel Utilization (%)--Average percentage of the airtime utilization in each AP.
- AP Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Client
Lists the MAC Address, name, host name, auth ID, and the corresponding percentage of high 2.4 GHz airtime utilization of each client. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Name of the client impacted by the insight.
- MAC--MAC address of the client.
- Duration (mins)--Time range that the client experienced high airtime utilization.
- Reason--Cause of the high 2.4 GHz airtime utilization for each client.
- Site--Name of the site where the client exists.
RF Info
Number of channels impacted by high 2.4 GHz airtime utilization. Click the arrow to view the pictorial graph of the impacted band. Click the RF Info drop-down list to view the following:
- Channel--Chart of AP radio channels that experienced excessive AP airtime utilization. It displays the channels impacted by this issue over the selected time period, sorted by airtime utilization score, which is calculated from the severity of the utilization level and the duration of time that the channel was overutilized.
- Reason--Pictorial graph of the percentage of causes for high 2.4 GHz airtime utilization in a channel.
- Utilization--Pictorial graph of the airtime utilization in each AP on a specific date and time.
- Power Distribution--Pictorial graph of Tx Power distribution (dBm) for both the 2.4 GHz and 5 GHz band during the time it is transmitting signal to the client.
- Hour of Day--Pictorial graph of which hours of the day the network was most impacted by excessive AP airtime utilization.
- SNR Percentile--Pictorial graph of the average Signal-to-Noise Ratio of the AP in different percentiles (25th, 50th, 75th, 90th, 99th) in 2.4 GHz band and 5 GHz band.
Click the number displayed on the RF Info card to view a detailed description of the impacted channels:
- Channel--Number of channels that experienced excessive AP airtime utilization.
- Airtime (mins)--Time range of the consumed airtime in each client.
Access Point radios changed their transmit power frequently
The Access Point radios changed their transmit power frequently insight can be accessed from the Global, Site, and Access Points context. This insight provides information on AP radios that frequently changed transmission power levels in the network. It is categorized under wireless quality since the connected clients experience frequent throughput fluctuations. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs experience frequent transmit power changes in the network.
- Recommendation--Displays the recommendation against each failure to resolve the same.
Time Series Graph
This bar graph displays the number of AP power changes in the network during the selected time period. Hover your mouse on each bar graph to see the exact number of power changes. The following graph shows data trend for 3 hours in a day.
Figure 28 Frequent AP Transmit Power Changes Data

Cards


The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 54: Cards Context

Cards         Context
Site          Global
Access Point  Global, Site
Power         Global, Site, Device

Site

Lists the number of sites that experience power transmit changes in the network. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Power Changes--Number of power changes that occurred in each site.
- Radio--Number of AP radios in each site that changed transmission power level.

Access Point
Lists the number and details of APs that experience power transmit changes in the network. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- Name--Name of the access points and link to the Access Point Details page.
- MAC--MAC address of the AP.
- Serial--Serial number of the AP.
- Power Changes--Number of power changes that occurred in each AP.
- Model--Model number of each AP.
- Firmware--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

Power

Displays the number of power changes that occurred in APs in the network. Click the arrow to view the pictorial graph of the impacted band. Click the Power drop-down list to view the following:

- Power Changes over Time--Pictorial graphs of power transmit changes observed across time for 2.4 GHz and 5 GHz radio.
- Power Distribution--Pictorial graph of the percentage of time spent across power levels for the time period in the 2.4 GHz and 5 GHz band.
- Band--Pictorial graph of the percent of number of changes observed in the 2.4 GHz and 5 GHz bands.
- Variance--Pictorial graph of the percentage of variance in transmission power across number of APs in that power variance for the 2.4 GHz and 5 GHz band.

Click the number displayed on the Power card to view a detailed description of the impacted channels:


- Band--Number of power changes observed in the 2.4 GHz and 5 GHz bands.
- Changes--Number of power changes that occurred in each band.
Access Point transmit power can be optimized
The Access Point transmit power can be optimized insight can be accessed only at the Global context. This insight is generated when the transmit power is not set optimally on the radios of access points in the network. It detects that wireless clients are experiencing poor Wi-Fi connectivity due to the transmit power settings of the access points. It is categorized under wireless quality because the clients connected to these APs can communicate with the APs well, but the APs have difficulty communicating with the clients in return. This insight displays the following information:
- Insight Summary
- Card
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the transmit power of APs is not set optimally.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
Card
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:
Table 55: Cards Context

Cards    Context
RF Info  Global
Power    Global
RF Info
Number of channels in the APs impacted by transmit power setting in the network. Click the arrow to view the pictorial graph of the impacted band. Click the RF Info drop-down list to view the following:
- Band--Pictorial graph of power changes in both the frequency bands by the AP (2.4 GHz or 5 GHz).
- SSID--Pictorial graph of the percent of AP dwell bands (2.4 GHz or 5 GHz) sorted by SSIDs.
Power
Displays the number of power changes that occurred in a specific access point. Click the arrow to expand the card to view the pictorial graph of the band and power distribution in the network. Click the Power drop-down list, to view the following:


- Power Distribution--Pictorial graph of the percentage of time spent across power levels for the time period in the 2.4 GHz and 5 GHz band.
- Band--Graph of the percent of number of changes observed in the 2.4 GHz and 5 GHz bands.
Click the number displayed on the Power card, to view a detailed description of the impacted clients:
- Band--Band where the maximum power changes occurred.
- Changes--Number of power changes that occurred in each band.
Access Points were impacted by high 5 GHz usage
The Access Points were impacted by high 5 GHz usage insight can be accessed from the Global, Site, and Access Points context. This insight provides information about AP radios whose Wi-Fi channel utilization deviated from the normal utilization range, as compared to other APs broadcasting in the same location, RF band, and time of day. Access Points were impacted by high 5 GHz usage is categorized under wireless quality as the connected clients experience poor Wi-Fi performance. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs experience higher airtime utilization in the network.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
Time Series Graph
This bar graph displays the number of APs that experience high 5 GHz airtime utilization in the network during the selected time period. Hover your mouse on each bar graph to see the exact number of APs. The following graph shows data trend for 3 hours in a day.
Figure 29 APs with High 5 GHz Utilization Data
Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 56: Cards Context

Cards         Context
Site          Global
Access Point  Global, Site
Client        Global, Site, Device
RF Info       Global, Site, Device

Site
Lists the number of sites that experience high 5 GHz airtime utilization in the network. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Duration (mins)--Time range that an AP in each site experienced high airtime utilization.
- APs--Number of APs impacted by the insight in each site.
- Clients--Number of clients impacted by the insight.
- Reason--Cause of the high 5 GHz airtime utilization in each site.
Access Point
Lists the number and details of APs that experience high 5 GHz airtime utilization in the network. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list, to view the following:
- Model--Pictorial graph of the high 5 GHz airtime utilization percentage classified by AP models.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- MAC--MAC address of the AP.
- Serial--Serial number of the AP.
- Consumed Airtime (mins)--Time range of the consumed airtime in each AP.
- Duration (mins)--Time range that the AP experienced high airtime utilization.
- Reason--Cause of the high 5 GHz airtime utilization in each AP.
- Clients Impacted--Number of clients impacted by the insight connected to each AP.
- Avg Channel Utilization (%)--Average percentage of the airtime utilization in each AP.
- AP Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Client


Lists the MAC Address, name, host name, auth ID, and the corresponding percentage of high 5 GHz airtime utilization for each client. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Name of the client impacted by the insight.
- MAC--MAC address of the client.
- Duration (mins)--Time range that the client experienced high airtime utilization.
- Reason--Cause of the high 5 GHz airtime utilization for each client.
- Site--Name of the site where the client exists.
RF Info
Number of channels impacted by high 5 GHz airtime utilization. Click the arrow to view the pictorial graph of the impacted band. Click the RF Info drop-down list to view the following:
- Channel--Chart of AP radio channels that experienced excessive AP airtime utilization. It displays the channels impacted by this issue over the selected time period, sorted by airtime utilization score, which is calculated from the severity of the utilization level and the duration of time that the channel was overutilized.
- Reason--Pictorial graph of the percentage of causes for high 5 GHz airtime utilization in a channel.
- Utilization--Pictorial graph of the airtime utilization in each AP on a specific date and time.
- Power Distribution--Pictorial graph of Tx Power distribution (dBm) for both the 2.4 GHz and 5 GHz band during the time it is transmitting signal to the client.
- Hour of Day--Pictorial graph of which hours of the day the network was most impacted by excessive AP airtime utilization.
- SNR Percentile--Pictorial graph of the average Signal-to-Noise Ratio of the AP in different percentiles (25th, 50th, 75th, 90th, 99th) in 5 GHz band.
Click the number displayed on the RF Info card to view a detailed description of the impacted channels:
- Channel--Number of channels that experienced excessive AP airtime utilization.
- Airtime (mins)--Time range of the consumed airtime in each client.
Access Points with unusually high memory usage were found
The Access Points with unusually high memory usage were found insight can be accessed from the Global, Site, and Access Points context. This insight provides information about APs that have higher than normal memory utilization and is categorized under availability as the clients connected to these APs experience intermittent connectivity drops. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
This bar graph displays the number of APs that experience high memory utilization in the network during the selected time period. Hover your mouse on each bar graph to see the exact number of APs. The following graph shows data trend for 3 hours in a day.

Figure 30 APs with High Memory Utilization Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 57: Cards Context

Cards         Context
Site          Global
Access Point  Global, Site

Site
Lists the number of sites where the APs experience high memory utilization. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- APs with High Memory--Number of APs that experience high memory utilization in each site.
- Minutes with High Memory--Time range of high memory utilization in each site.
Access Point
Lists the number and details of APs that experience high memory utilization in the network. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list, to view the following:
- AP Model--Pictorial graph of memory utilization classified by AP models.
- FW Version--Pictorial graph of memory utilization classified by AP firmware versions.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- AP MAC--MAC address of the AP.
- AP Serial--Serial number of the AP.
- Firmware--Version of the firmware running on each AP.
- AP Model--Model number of each AP.
- Site--Name of the site where the AP resides.
- Minutes with High Memory--Time range of high memory utilization on each AP.
- Minutes with High Memory (%)--Percentage of high memory utilization on each AP.


Clients experienced high latency while roaming
The Clients experienced high latency while roaming insight can be accessed from the Global, Site, Access Points, and Clients context. This insight reports on wireless clients that have experienced long roam times to the target AP. The threshold to detect a delayed, long client roam is set to 50 ms. When you access this insight from the global, site, or client context, all the data and analysis patterns are derived from the target AP issues. When you access this insight from the device context, data is received from the home AP issues. Clients experienced high latency while roaming is categorized under connectivity since it helps network administrators take necessary actions if any clients experience long delays when roaming between APs. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
This bar graph displays the total number of roams and the percentage of high latency roams that occurred in the network during the selected time period. Hover your mouse on each bar graph to see the exact number and percentage of roams. The following graph shows data trend for 3 hours in a day.
Figure 31 Clients with High Roaming Latency

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 58: Cards Context

Cards         Context
Site          Global
Access Point  Global, Site, Client
Client        Global, Site, Device
Roam          Global, Site, Device, Client

Site
Lists the number of sites where the clients have experienced high roaming latency in the network. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:


- Site--Name of the site impacted by the insight.
- High Latency Roams (%)--Number and percentage of high latency roams in each site.
- Impacted Clients Count--Number of clients impacted with high roaming latency in each site.
Access Point
Lists the number and details of APs where the clients have experienced high roaming latency. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list, to view the following:
- Model--Pictorial graph of high roaming latency classified by AP models.
- FW Version--Pictorial graph of high roaming latency classified by AP firmware versions.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- Serial--Serial number of the AP.
- High Latency Roams (%)--Number and percentage of high latency roams in each AP.
- Clients From--Number of clients that roamed in each AP.
- Latency (min/avg/max) msec--The minimum, average, and maximum latency that occurred in each AP.
- AP MAC--MAC address of the impacted AP and link to the Access Point Details page.
- IP--IP address of the impacted AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Client
Lists the MAC Address, name, host name, auth ID, and the number of clients that have experienced high roaming latency. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Name of the impacted clients and link to the Client Details page.
- Client MAC--MAC address of the impacted client and link to the Client Details page.
- High Latency Roams (%)--Number and percentage of high latency roams in each client.
- Top AP--AP where the client roamed maximum as compared to other APs in the network.
Roam
Displays the percentage of client latency roams in the network. This card includes the raw telemetry feed sorted based on latency at each context.
Click the arrow to expand the Roam card and click the drop-down list, to view the following:
- Latency--Pictorial graph of latency versus concurrences.
- Band--Pictorial graph of clients roaming trends between 2.4 GHz and 5 GHz.
Click the number displayed on the Roam card, to view a detailed description of the impacted clients:


- Timestamp--Timestamp of the event received.
- Latency (msec)--Latency value in microsecond per client.
- From AP--Name of the home AP from where the client roamed to the target AP.
- To AP--Name of the target AP to where the client roamed from the home AP.
- From Channel--Number of channel the client roamed from.
- Roaming Type--Type of the roam that occurred in each client.
- From AP MAC--MAC address of the home AP from where the client roamed to the target AP.
- From AP Serial--Serial number of the home AP from where the client roamed to the target AP.
- To AP MAC--MAC address of the target AP to where the client roamed from the home AP.
- To AP Serial--Serial number of the target AP to where the client roamed from the home AP.
- RSSI (dBm)--Received Signal Strength Indicator (RSSI) value of the client.
- To Channel--Number of channels the client roamed to.
Clients had a significant number of Low SNR uplink minutes
The Clients had a significant number of Low SNR uplink minutes insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information about access points that have a low-quality signal-strength connection and is categorized under wireless quality as the clients connecting at a Low SNR have low throughput and high retransmissions. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs experience low-quality SNR connection in the network.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
Time Series Graph
This bar graph displays the number of clients with low SNR uplinks AP during the selected time period. Hover your mouse on each bar graph to see the number of SNR links. The following graph shows data trend for 3 hours in a day.
Figure 32 Clients with Low SNR Uplink Connections

Cards


The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 59: Cards Context

Cards         Context
Site          Global
Access Point  Global, Site, Client
Client        Global, Site, Device
RF Info       Global, Site, Device

Site
Lists the number of sites where the APs and clients experience low signal connection. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- APs with Low SNR--Number of APs with low signal connection.
- Clients with Low SNR--Number of clients with low signal connection.
- Uplink Minutes of Low SNR--Duration of uplink with low signal connection in each site.
- Downlink Minutes of Low SNR--Duration of downlink with low signal connection in each site.
Access Point
Lists the number and details of APs that experience low signal connection in the network. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list, to view the following:
- TX Power--Pictorial graph of the percentage of Tx Power distribution (dBm) in both the 2.4 GHz and 5 GHz band during the time it is transmitting signal to the client.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- AP MAC--MAC address of the AP and link to the Access Point Details page.
- AP Serial--Serial number of the AP.
- AP Model--Model number of each AP.
- Clients with Low SNR--Number of clients that experience low signal connection in each AP.
- Uplink Minutes of Low SNR--Duration of uplink with low signal connection in each AP.
- Uplink Low SNR Minutes in 2.4 GHz--Duration of uplink with low signal connection in 2.4 GHz band during the time it is transmitting signal to the AP.
- Uplink Low SNR Minutes in 5 GHz--Duration of uplink with low signal minutes in 5 GHz band during the time it is transmitting signal to the AP.
- Downlink Minutes of Low SNR--Duration of downlink with low signal connection in each AP.


- Downlink 2.4 GHz Dwell Minutes--Duration of downlink with low signal connection in 2.4 GHz band during the time it is transmitting signal to the AP.
- Downlink 5 GHz Dwell Minutes--Duration of downlink with low signal connection in 5 GHz band during the time it is transmitting signal to the AP.
Client
Lists the MAC Address, name, host name, auth ID, and the number of clients experiencing low signal quality. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the Client drop-down list, to view the following:
- Client Type--Pictorial graph of the number and percentage of low SNR clients classified by vendors.
Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Number of the impacted client and link to the Client Details page.
- Client MAC--MAC address of the client and link to the Client Details page.
- Device Type--Device type of the client.
- Uplink Minutes of Low SNR--Duration of uplink with low signal connection in each client.
- Uplink 2.4 GHz Dwell Minutes--Duration of uplink with low signal connection in 2.4 GHz band during the time it is transmitting signal to the client.
- Uplink 5 GHz Dwell Minutes--Duration of uplink with low signal connection in 5 GHz band during the time it is transmitting signal to the client.
- Downlink Minutes of Low SNR--Duration of downlink with low signal connection in each client.
- Downlink 2.4 GHz Dwell Minutes--Duration of downlink with low signal connection in 2.4 GHz band during the time it is transmitting signal to the client.
- Downlink 2.4 GHz Dwell Minutes--Duration of downlink with low signal connection in 5 GHz band during the time it is transmitting signal to the client.
RF Info
Number of channels impacted by low-quality signal-strength connection in the network. Click the arrow to view the pictorial graph of the impacted band. Click the RF Info drop-down list to view the following:
- Band--Pictorial graph of devices experiencing a low signal-quality link using 2.4 GHz or 5 GHz radio bands.
- Good vs Bad--Pictorial graph of the amount of time (minutes) with Low SNR (Bad) and High SNR (Good) for all the clients.
Click the number displayed on the RF Info card to view a detailed description of the impacted channels:
- Band--Number of channel changes between 2.4 GHz and 5 GHz.
- Number of Power Changes--Number of power changes.
Clients had an unusual number of MAC authentication failures
The Clients had an unusual number of MAC authentication failures insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive MAC authentication failures observed in the network and is categorized under connectivity as the users are unable to connect to the Wi-Fi network. It also helps to identify rogue users in a network. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.
Time Series Graph
This bar graph displays the number of MAC authentication failures that occurred during the selected time period. Hover your mouse over each bar graph to see the exact number of failures. The following graph shows data trend for the last 24 hours (1 Day).
Figure 33 MAC Authentication Failure Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 60: Cards Context

Cards         Context
Site          Global
Access Point  Global, Site, Client
Client        Global, Site, Device

Site
Lists the number of sites that experienced MAC authentication failures in the network. Click the arrow to view a pictorial graph with the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:


- Site--Name of the site impacted by the insight.
- Failures--Number of failures that occurred in each site.
- Total--Total number of MAC authentication in each site.
Access Point
Lists the number and the details of APs that faced the MAC authentication failures in the network. Click the arrow to view a pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list to view the following:
- SSID--Pictorial graph of the percentage of MAC authentication failures sorted by SSIDs.
- Model--Pictorial graph of the percentage of MAC authentication failures sorted by AP models.
- FW Version--Pictorial graph of the percentage of MAC authentication failures sorted by AP firmware version.
Click the number displayed on the Access Point card, to view the detailed description of the impacted access points:
- Name--Name of the access points and link to the Access Point Details page.
- MAC--MAC address of the AP and link to the Access Point Details page.
- Failures--Number of failures that occurred in each AP.
- Total--Total number of MAC authentication in each AP.
- Serial--Serial number of the AP.
- IP--IP address of each AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Client
Lists the MAC address, name, host name, and auth ID of clients that failed MAC authentication. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Name--Name of the impacted client.
- MAC--MAC address of the client and link to the Client Details page.
- Failures--Number of failures that occurred in each client.
- IP--IP address of each client.
- OS--OS type of the device.
Clients had DHCP server connection problems
The Clients had DHCP server connection problems insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive client to AP DHCP failures observed in the network. This insight occurs when Wi-Fi clients attempt to acquire a DHCP IP address multiple times but fail to do so. This insight is categorized under connectivity since the users fail to get an IP address and are unable to connect to the Wi-Fi network. It displays the following information:

- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation to resolve each failure.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.
Time Series Graph
This bar graph displays the number of DHCP failures that occurred during the selected time period. Hover your mouse over each bar graph to see the exact number of failures. The following graph shows data trend for 3 hours in a day.
Figure 34 High DHCP Failures Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 61: Cards Context

Cards          Context
Site           Global
Server         Global, Site, Device, Client
Access Point   Global, Site, Client
Client         Global, Site, Device

Site
Lists the number of sites that experience DHCP server connection problems in the network. Click the arrow to view a pictorial graph with the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site impacted by the insight.
- Failures--Number and percentage of failures that occurred in each site.
- Total--Total number of DHCP requests.
Server
Lists the number of DHCP servers involved in this insight. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Server card, to view a detailed description of the impacted servers:
- Name--Name of the server impacted by this insight.
- Failures--Number of failures that occurred in each server.
- Total--Total number of DHCP requests.
Access Point
Lists the number and the details of the DHCP server connection problems observed in an AP. Click the arrow to view a pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list to view the following:
- SSID--Pictorial graph of the percentage of DHCP failures sorted by SSIDs.
- Model--Pictorial graph of the percentage of DHCP failures sorted by AP models.
- FW Version--Pictorial graph of the percentage of DHCP failures sorted by AP firmware version.
Click the number displayed on the Access Point card, to view the detailed description of the impacted access points:
- Name--Name of the access points and link to the Access Point Details page.
- MAC--MAC address of the AP and link to the Access Point Details page.
- Failures--Number of failures that occurred in each AP.
- Serial--Serial number of the AP.
- IP--IP address of each AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Site name of the AP where the failure occurred.
Client
Lists the MAC address, host name, and auth ID of clients that failed DHCP handshake. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Name--Name of the impacted client.
- MAC--MAC address of the client and link to the Client Details page.
- Failures--Number of failures that occurred in each client.
- Total--Total number of DHCP requests.
- IP--IP address of each client.
- OS--OS type of the device.

Clients had excessive 802.1x authentication failures
The Clients had excessive 802.1x authentication failures insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive 802.1X authentication failures observed in the network. It is categorized under connectivity since the users are unable to connect to the Wi-Fi network. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation to resolve each failure.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.
Time Series Graph
This bar graph displays the number of 802.1X authentication failures observed in the network during the selected time period. Hover your mouse over each bar graph to see the exact number of failures. The following graph shows data trend for 3 hours in a day.
Figure 35 802.1x Authentication Failure Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 62: Cards Context

Cards          Context
Site           Global
Server         Global, Site, Device, Client
Access Point   Global, Site, Client
Client         Global, Site, Device

Site

Lists the number of sites that experienced 802.1X authentication failures in the network. Click the arrow to view a pictorial graph with the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Failures--Number and percentage of failures that occurred in each site.
- Total--Total number of 802.1X authentications in each site.
Server
Lists the number of servers that failed 802.1X authentication in the network. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Server card, to view a detailed description of the impacted servers:
- Name--IP address of each server.
- Failures--Number of 802.1X authentication failures in each server.
- Total--Total number of 802.1X authentications.
Access Point
Lists the number and the details of APs that failed 802.1X authentication in the network. Click the arrow to view a pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list to view the following:
- SSID--Pictorial graph of the percentage of 802.1X authentication failures sorted by SSIDs.
- Model--Pictorial graph of the percentage of 802.1X authentication failures sorted by AP models.
- FW Version--Pictorial graph of the percentage of 802.1X authentication failures sorted by AP firmware version.
Click the number displayed on the Access Point card, to view the detailed description of the impacted access points:
- Name--Name of the access points and link to the Access Point Details page.
- MAC--MAC address of the AP.
- Failures--Number and percentage of failures that occurred in each AP.
- Total--Total number of failures in each AP.
- Serial--Serial number of the AP.
- IP--IP address of the AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Client
Lists the MAC address, name, host name, and auth ID of clients that failed 802.1X authentication. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Name--Name of the impacted client.
- MAC--MAC address of the client.
- Failures--Number and percentage of failures that occurred in each client.
- Total--Total number of failures in each client.
- IP--IP address of the client.
- OS--OS type of the device.
Clients had excessive Wi-Fi security key-exchange failures
The Clients had excessive Wi-Fi security key-exchange failures insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive Wi-Fi security key-exchange failures observed in the network. When this failure occurs, users connecting to Wi-Fi using PSK or 802.1x authentication experience higher EAPOL Key exchange failures. This insight is categorized under connectivity since the users are unable to connect to the Wi-Fi network. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes of Wi-Fi security key-exchange failure in the network.
- Recommendation--Displays the possible recommendation to resolve each failure.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.
Time Series Graph
This bar graph displays the number of Wi-Fi security key-exchange failures that occurred in the network during the selected time period. Hover your mouse on each bar graph to see the exact number of failures. The following graph shows data trend for 3 hours in a day.
Figure 36 4-Way Handshake (EAPOL Key) Failures Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 63: Cards Context

Cards          Context
Site           Global
Access Point   Global, Site, Client
Client         Global, Site, Device

Site
Lists the number of sites that experienced excessive Wi-Fi security key-exchange failures in the network. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Failures--Number and percentage of failures that occurred in each site.
- Total--Total number of failures in each site.
Access Point
Lists the number of APs that experienced Wi-Fi security key-exchange failures in the network. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list, to view the following:
- SSID--Pictorial graph of 4-way handshake authentication failures sorted by SSIDs.
- Model--Pictorial graph of 4-way handshake failures classified by AP models.
- FW Version--Pictorial graph of 4-way handshake failures classified by AP firmware versions.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- Name--Name of the access points and link to the Access Point Details page.
- MAC--MAC address of the AP.
- Failures--Number and percentage of failures that occurred in each AP.
- Total--Total number of failures in each AP.
- Serial--Serial number of the AP.
- IP--IP address of the AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site Name--Name of the site where the AP resides.
Client
Lists the MAC Address, name, host name, and auth ID of clients that failed Wi-Fi security key-exchange authentication. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:

- Name--Name of the impacted client.
- MAC--MAC address of the client.
- Failures--Number and percentage of failures that occurred in each client.
- Total--Total number of failures in each client.
- IP--IP address of the client.
- OS--OS type of the device.
Clients roamed excessively
The Clients roamed excessively insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides reports on wireless clients that roam to the target APs more than normal from the home AP. This insight is categorized under connectivity since this helps to reduce the frequency of roaming clients in the customer network. It also helps network administrators to eliminate anonymous users and deploy additional access points in case the users are affected by poor network performance. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
This bar graph displays the total number of roams and the percentage of excessive roams that occurred in the network during the selected time period. Hover your mouse on each bar graph to see the exact number and percentage of roams. The following graph shows data trend for 3 hours in a day.
Figure 37 Clients that Roam Excessively

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 64: Cards Context

Cards          Context
Site           Global
Access Point   Global, Site, Client
Client         Global, Site, Device

Site

Lists the number of sites where the clients have experienced excessive roams in the network. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Impacted Clients--Number and percentage of clients impacted with excessive roaming in each site.
Access Point
Lists the number and details of APs where the clients have experienced excessive roams. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list, to view the following:
- Model--Pictorial graph of excessive roams classified by AP models.
- FW Version--Pictorial graph of excessive roams classified by AP firmware versions.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- From AP--The AP name from where the client roamed excessively.
- Impacted Clients (%)--Clients impacted by excessive roams in each AP.
- AP MAC--MAC address of the APs and link to the Access Point Details page.
- Serial--Serial number of the AP.
- IP--IP Address of each AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Client
Lists the MAC Address, name, host name, auth ID, and the number of clients that have experienced high roaming latency. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Name of the clients impacted by the insight and link to the Client Details page.
- MAC--MAC address of the client impacted by the insight and link to the Client Details page.
- Excessive Roams--Number of excessive roams for each client.
- Delayed Roams--Number of delayed roams by the client.
- Top AP--AP where the client roamed maximum as compared to other APs in the network.
Coverage Holes have been detected
The Coverage Holes have been detected insight can be accessed only at the Global context. This insight determines the connection status of Wi-Fi clients with the APs due to poor Wi-Fi coverage. Machine learning determines when a relatively large proportion of the client minutes consistently have low SNR links. The exact location of the coverage hole can be identified from the location of the clients listed with poor coverage and implies that there is a need to deploy one more AP, which will avoid the low SNR clients in the network. Coverage Holes have been detected is categorized under wireless quality since the clients in coverage holes have poor or intermittent Wi-Fi connectivity, causing loss of productivity. This insight displays the following information:
- Insight Summary
- Cards

Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the clients experience poor Wi-Fi coverage in the network.
- Recommendation--Displays the recommendation to resolve each failure.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 65: Cards Context

Cards          Context
Site           Global
Access Point   Global
Client         Global

Site
Lists the sites where the clients experience poor Wi-Fi coverage in the network. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Number of APs--Number of APs that experience a coverage hole in each site.
- Coverage Holes--Total number of APs that need to be deployed in the network due to coverage holes.
Access Point
Lists the number and details of APs that have clients with poor connections due to a coverage hole in the network. This is measured by the amount of time the client experiences poor vs good connectivity. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- AP MAC--MAC address of each AP and link to the Access Point Details page.
- AP Serial--Serial number of each AP.
- Firmware--Version of the firmware running on each AP.
- Model--Model number of each AP.
- Number of Clients--Number of clients with poor Wi-Fi coverage in each AP.
- Poor Coverage (mins, %)--Time range of the coverage hole detected in each AP.
Client
Lists the MAC Address, name, host name, auth ID, and the number of connected clients affected by poor connections determined by the total number of minutes spent in the coverage hole. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Name of the client and link to Client Details page.
- Client MAC--MAC address of the client and link to the Client Details page.
- OS--Operating system of the client.
- Average SNR (dB)--Average SNR of the client on the AP.
- Poor Coverage (mins, %)--Time range of the coverage hole detected in each client.
Dual-band (2.4/5 GHz) capable clients primarily used 2.4 GHz
The Dual-band (2.4/5 GHz) capable clients primarily used 2.4 GHz insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides reports on dual-band capable clients that spent more airtime on the 2.4 GHz band instead of the 5 GHz band. Dual-band (2.4/5 GHz) capable clients primarily used 2.4 GHz is categorized under wireless quality since the 2.4 GHz band has more interference, more clients, and less bandwidth capabilities than the 5 GHz band. Dual-band clients have a better user experience when they are on the 5 GHz band. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the client is excessively dwelling in the 2.4 GHz band in the network.
- Recommendation--Displays the recommendation to resolve each cause.
Time Series Graph
This bar graph displays the percentage of clients over dwelling in the 2.4 GHz band in the network during the selected time period. Hover your mouse on each bar graph to see the exact percentage of the dwelling time. The following graph shows data trend for 3 hours in a day.
Figure 38 Clients with Excessive 2.4 GHz Dwell Time Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 66: Cards Context

Cards          Context
Site           Global
Access Point   Global, Site
Client         Global, Site, Device

Site
Lists the number of sites where the clients are dwelling excessively in the 2.4 GHz band. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Clients Impacted--Number of clients in each site that are excessively dwelling in the 2.4 GHz band.
- APs Impacted--Number of APs impacted by the insight in each site.
Access Point
Lists the number and details of APs where the clients are dwelling excessively in the 2.4 GHz band. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- AP MAC--MAC address of the AP.
- AP Serial--Serial number of the AP.
- AP Model--Model number of each AP.
- Site--Name of the site where the AP resides.
- Total Clients--Total number of clients connected to each AP.
- Clients with Excess 2.4 GHz Dwell--Number of clients that are dwelling excessively on the 2.4 GHz band.
Client
Lists the MAC Address, name, host name, auth ID, and the corresponding percentage of time spent for each client in the radio bands. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the Client drop-down list, to view the following:
- Client Type--Pictorial graph of the percent of clients dwelling in the 2.4 GHz band sorted by client device type.
Click the number displayed on the Client card, to view a detailed description of the impacted clients:

- Client Name--Name of the client impacted by the insight.
- Client MAC--MAC address of the client impacted by the insight and link to the Client Details page.
- Device Type--Clients dwelling in the 2.4 GHz band sorted by client device type.
- Site--Name of the site where the client resides.
- 2.4 GHz Dwell Minutes--Duration of each client dwelling in the 2.4 GHz band.
- 5 GHz Dwell Minutes--Duration of each client dwelling in the 5 GHz band.
- Total Dwell Minutes--Total duration of each client dwelling on both the bands.
- Dwell Time in 2.4 GHz (%)--Percentage of the time of each client dwelling on 2.4 GHz band.
DNS request/responses were significantly delayed
The DNS request/responses were significantly delayed insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on significant delays in response from the DNS servers. It is categorized under connectivity since there is a high delay in response from the DNS server. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
This bar graph displays the number of delays from the DNS server that occurred during the selected time. Hover your mouse on each bar graph to see the exact number of delays. The following graph shows data trend for seven days (1 Week).
Figure 39 Excessive DNS Delays Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 67: Cards Context

Cards          Context
Site           Global
Server         Global, Site, Device
Access Point   Global, Site

Site

Lists the number of sites that experience delays from the DNS server in the network. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Min (ms)--Packet latency (delay) is measured. The lowest value of delay in the measurement interval is the minimum response delay.
- Avg (ms)--Packet latency (delay) is measured. The average value of delay in the measurement interval is the average response delay.
- Max (ms)--Packet latency (delay) is measured. The maximum value of delay in the measurement interval is the maximum response delay.
Server
Lists the number of DNS servers that are impacted by this insight. Click the arrow to view the pictorial graph of the Top 5 impacted servers. Click the number displayed on the Server card, to view a detailed description of the impacted servers:
- Server IP--IP address of each server.
- Avg (ms)--Packet latency (delay) is measured. The average value of delay in the measurement interval is the average response delay.
- Min (ms)--Packet latency (delay) is measured. The lowest value of delay in the measurement interval is the minimum response delay.
- Max (ms)--Packet latency (delay) is measured. The maximum value of delay in the measurement interval is the maximum response delay.
Access Point
Lists the number and details of APs that have the most DNS response delays. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- AP MAC--MAC address of the AP and link to the Access Point Details page.
- AP Serial--Serial number of the AP.
- Avg (ms)--Packet latency (delay) is measured. The average value of delay in the measurement interval is the average response delay.
- Min (ms)--Packet latency (delay) is measured. The lowest value of delay in the measurement interval is the minimum response delay.
- Max (ms)--Packet latency (delay) is measured. The maximum value of delay in the measurement interval is the maximum response delay.
- Servers--Server ID where the AP resides.
- Model--Model number of each AP.
- Firmware--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
DNS server(s) rejected a high number of queries

The DNS server(s) rejected a high number of queries insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive request failures from the DNS servers. It is categorized under connectivity since there is a high number of request failures. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation to resolve each failure.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.
Time Series Graph
This bar graph displays the number of request failures from the DNS server that occurred during the selected time. Hover your mouse on each bar graph to see the exact number of failures. The following graph shows data trend for 3 hours in a day.
Figure 40 Excessive DNS Request Failures Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 68: Cards Context

Cards          Context
Site           Global
Server         Global, Site, Device
Access Point   Global, Site

Site
Lists the number of sites that experience request failures from the DNS server in the network. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site impacted by the insight.
- Total Failures(%)--Total number of failure packets at the site multiplied by 100.
- Query Attempts--Number of query attempts sent to the DNS server in a site.
- Query Success(%)--Percentage of successful DNS queries in a site.
- Query Format Error--Error in the DNS query format sent to the DNS server in a site.
- Request Failed to Complete--DNS request failed to complete, and the server responds with an error code.
- Domain Name Does Not Exist--Domain name sent to the DNS server does not exist and the server responds with an error code.
- Function Not Implemented--Function is not implemented on the DNS server and the server responds with an error code.
- Server Refused to Answer Query--Server refused to answer the query and responds with an error code.
Server
Lists the number of servers that have the highest number of DNS request rejections. Click the arrow to view the pictorial graph of the Top 5 impacted servers. Click the number displayed on the Server card, to view a detailed description of the impacted servers:
- Server IP--IP address of each server.
- Total Failures(%)--Total number of failure packets at the site multiplied by 100.
- Query Attempts--Number of query attempts sent to the DNS server.
- Query Success(%)--Percentage of successful DNS queries.
- Query Format Error--Error in the DNS query format sent to the DNS server in a site.
- Request Failed to Complete--DNS request failed to complete, and the server responds with an error code.
- Domain Name Does Not Exist--Domain name sent to the DNS server does not exist and the server responds with an error code.
- Function Not Implemented--Function is not implemented on the DNS server and the server responds with an error code.
- Server Refused to Answer Query--Server refused to answer the query and responds with an error code.
Access Point
Lists the number and details of access points that have the highest number of DNS request rejections. Click the arrow to view a pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list to view the following:
- Success Rate--Graphical representation of the total failures and total successful requests that occurred at the server.
Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- AP MAC--MAC address of the AP and link to the Access Point Details page.
- AP Serial--Serial number of the AP.
- Total Failures(%)--Total number of failure packets at the site multiplied by 100.
- Query Attempts--Number of query attempts sent to the DNS server in each AP.
- Query Success(%)--Percentage of successful DNS queries in each AP.
- Query Format Error--Error in the DNS query format sent to the DNS server in each AP.
- Request Failed to Complete--DNS request failed to complete, and the server responds with an error code.
- Domain Name Does Not Exist--Domain name sent to the DNS server does not exist and the server responds with an error code.
- Function Not Implemented--Function is not implemented on the DNS server and the server responds with an error code.
- Server Refused to Answer Query--Server refused to answer the query and responds with an error code.
- Site--Name of the site where the AP resides.
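The failure columns on these cards read like the DNS response codes (RCODE 1 to 5) defined in RFC 1035. The following Python example is added here and is not Aruba Central code or part of the original guide; it tallies RCODEs from raw DNS response headers per server and derives attempt, success, and failure figures of the same kind. The column-to-RCODE pairing, the helper names, the sample messages, the server addresses, and the thresholds are assumptions constructed for illustration.

```python
import struct
from collections import Counter, defaultdict

# RCODE values are from RFC 1035, section 4.1.1. Pairing each one with a card
# column name is an assumption made from the column descriptions in the guide.
RCODE_COLUMNS = {
    1: "Query Format Error",
    2: "Request Failed to Complete",
    3: "Domain Name Does Not Exist",
    4: "Function Not Implemented",
    5: "Server Refused to Answer Query",
}


def parse_rcode(message: bytes):
    """Return the RCODE of a DNS response, or None for queries and short data."""
    if len(message) < 12:            # the fixed DNS header is 12 bytes
        return None
    _txid, flags = struct.unpack("!HH", message[:4])
    if not flags & 0x8000:           # QR bit clear: this is a query
        return None
    return flags & 0x000F            # RCODE is the low 4 bits of the flags


def summarize(samples):
    """Tally responses per server from (server_ip, raw_message) pairs."""
    counts = defaultdict(Counter)
    for server, raw in samples:
        rcode = parse_rcode(raw)
        if rcode is None:
            continue                 # queries and truncated captures are skipped
        column = "Success" if rcode == 0 else RCODE_COLUMNS.get(rcode, "Other")
        counts[server][column] += 1

    summary = {}
    for server, tally in counts.items():
        attempts = sum(tally.values())
        failures = attempts - tally["Success"]
        summary[server] = {
            "attempts": attempts,
            "success_pct": round(100.0 * tally["Success"] / attempts, 2),
            "failure_pct": round(100.0 * failures / attempts, 2),
            "by_column": {k: v for k, v in tally.items() if k != "Success"},
        }
    return summary


def flag_servers(summary, min_attempts=5, max_failure_pct=50.0):
    """Servers with enough traffic to judge and a failure rate over the limit.

    Both thresholds are hypothetical; tune them to the network's baseline.
    """
    return sorted(
        server for server, row in summary.items()
        if row["attempts"] >= min_attempts and row["failure_pct"] > max_failure_pct
    )


def make_response(txid, rcode):
    """Build a header-only DNS response (QR, RD and RA set) for the samples."""
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 0, 0, 0, 0)


def make_query(txid):
    """Build a header-only DNS query (QR clear, RD set) for the samples."""
    return struct.pack("!HHHHHH", txid, 0x0100, 0, 0, 0, 0)


# Constructed sample capture: 192.0.2.53 is healthy, 192.0.2.54 mostly rejects.
SAMPLES = (
    [("192.0.2.53", make_response(i, 0)) for i in range(6)]
    + [("192.0.2.53", make_response(6, 3))]
    + [("192.0.2.54", make_response(i, 0)) for i in range(10, 12)]
    + [("192.0.2.54", make_response(i, 5)) for i in range(12, 17)]
    + [("192.0.2.54", make_response(i, 2)) for i in range(17, 20)]
    + [("192.0.2.54", make_query(20)), ("192.0.2.54", b"\x00\x01\x81")]
)

if __name__ == "__main__":
    report = summarize(SAMPLES)
    for server in sorted(report):
        print(server, report[server])
    print("flagged:", flag_servers(report))
```

A high share of "Server Refused to Answer Query" or "Request Failed to Complete" on one server usually points at that resolver's configuration or upstream reachability, while a rise in "Domain Name Does Not Exist" across all servers is more often a client-side pattern worth reviewing.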
Gateways had high Memory usage
The Gateways had high Memory usage insight can be accessed from the Global, Site, and Gateways context. This insight provides information about gateways that have higher than normal memory utilization. It is categorized under availability since the clients connected to these gateways experience intermittent connectivity drops. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
This bar graph displays the percentage of impacted gateways in the network during the selected time period. Hover your mouse on each bar graph to see the percentage of impacted gateways. The following graph shows the data trend for 3 hours in a day.
Figure 41 Gateways with High Memory Utilization Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 69: Cards Context

Cards      Context
Site       Global
Gateway    Global, Site
Memory     Device

Site
Lists the number of sites where the gateways experience high memory utilization. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Number of Gateways--Number of gateways that experience high memory utilization in each site.
- Duration (mins)--Amount of time (minutes) high memory utilization observed in each site.
Gateway
Lists the number and details of gateways that experience high memory utilization in the network. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the Gateway drop-down list, to view the following:
- Gateway Model--Pictorial graph of memory utilization classified by gateway models.
- FW Version--Pictorial graph of memory utilization classified by gateway firmware versions.
- Mode--Operational mode of the gateway.
Click the number displayed on the Gateway card to view a detailed description of the impacted gateways:
- Serial--Serial number of each gateway and link to the Gateway Details page.
- Gateway Name--Name of the gateway that experiences high memory utilization.
- Mode--Operational mode of the gateway.
- Max Memory--Maximum memory consumed by the gateway.
- Minutes with High Memory--Amount of time (minutes) high memory utilization observed in each gateway.
- Model--Model number of each gateway.
- Firmware--Version of the firmware running on each gateway.
- Site--Name of the site where the gateway resides.
Memory
Memory card is displayed only when this insight is accessed from the device context. Click the arrow to expand the card and view the graphical representation of the time series of memory utilization percentage in the selected gateway.
Gateways had unusually high CPU utilization
The Gateways had unusually high CPU utilization insight can be accessed from the Global, Site, and Gateways context. This insight provides information about gateways that have higher than normal CPU utilization. It is categorized under availability since the clients connected to these gateways experience intermittent connectivity drops. This insight displays the following information:

- Time Series Graph
- Cards
Time Series Graph
This bar graph displays the percentage of impacted gateways in the network during the selected time period. Hover your mouse on each bar graph to see the percentage of impacted gateways. The following graph shows data trend for 3 hours in a day.
Figure 42 Gateways with High CPU Utilization Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 70: Cards Context

Cards      Context
Site       Global
Gateway    Global, Site
CPU        Device


Site
Lists the number of sites where the gateways experience high CPU utilization. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Number of Gateways--Number of gateways that experience high CPU utilization in each site.
- Duration (mins)--Amount of time (minutes) high CPU utilization observed in each site.
Gateway
Lists the number and details of gateways that experience high CPU utilization in the network. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the Gateway drop-down list, to view the following:
- Gateway Model--Pictorial graph of CPU utilization classified by gateway models.
- FW Version--Pictorial graph of CPU utilization classified by gateway firmware versions.
- Mode--Operational mode of the gateway.
Click the number displayed on the Gateway card to view a detailed description of the impacted gateways:
- Serial--Serial number of each gateway and link to the Gateway Details page.
- Gateway Name--Name of the gateway that experiences high CPU utilization.
- Mode--Operational mode of the gateway.
- Max CPU--Rate of maximum CPU utilization observed in each gateway.
- Minutes with High CPU--Amount of time (minutes) high CPU utilization observed in each gateway.
- Model--The hardware model of each gateway.
- Firmware--Version of the firmware running on each gateway.
- Site--Name of the site where the gateway resides.
CPU
CPU card is displayed only when this insight is accessed from the device context. Click the arrow to expand the card and view the graphical representation of the time series of CPU utilization percentage in the selected gateway.
Gateway tunnels failed to get established
The Gateway tunnels failed to get established insight can be accessed from the Global, Site, and Gateways context. This insight provides information about gateway tunnels that are marked down in the network. It is categorized under availability since the clients connected to these gateways experience connectivity drops.
Gateway Tunnels Down insight is available for branch and VPNC gateways in the network.
Tunnels are marked down in the network based on the following scenarios:
- If Aruba Central receives telemetry from branch gateway that a specific tunnel is down
- If Aruba Central receives telemetry from the VPNC that a specific tunnel is down
- Lack of telemetry from both branch and VPNC gateway
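The following is an added example, not code from the Aruba Central guide or product. It applies the three tunnel-down scenarios above to per-minute telemetry for one tunnel and totals the minutes down per reason. The sample format, the reason labels, and the choice to report each reason as a share of all down minutes are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Hypothetical reason labels; the guide does not list the product's own strings.
REASON_BRANCH = "branch gateway reported tunnel down"
REASON_VPNC = "VPNC reported tunnel down"
REASON_NO_TELEMETRY = "no telemetry from branch gateway or VPNC"


@dataclass(frozen=True)
class MinuteSample:
    """One minute of telemetry for one tunnel (constructed format).

    Each side is True (reports up), False (reports down) or None (no report).
    """
    minute: int
    branch_up: Optional[bool]
    vpnc_up: Optional[bool]


def classify(sample):
    """Return the down reason for this minute, or None if the tunnel is not marked down."""
    if sample.branch_up is False:
        return REASON_BRANCH          # scenario 1: branch gateway says down
    if sample.vpnc_up is False:
        return REASON_VPNC            # scenario 2: VPNC says down
    if sample.branch_up is None and sample.vpnc_up is None:
        return REASON_NO_TELEMETRY    # scenario 3: both sides silent
    return None                       # one side reports up and nobody reports down


def minutes_down_by_reason(samples):
    """Map each reason to (minutes down, percent of all down minutes)."""
    counts = Counter(r for r in map(classify, samples) if r is not None)
    total = sum(counts.values())
    return {reason: (n, round(100.0 * n / total, 1)) for reason, n in counts.items()}


def down_intervals(samples):
    """Merge consecutive down minutes into (first_minute, last_minute) intervals."""
    intervals = []
    for s in sorted(samples, key=lambda s: s.minute):
        if classify(s) is None:
            continue
        if intervals and s.minute == intervals[-1][1] + 1:
            intervals[-1] = (intervals[-1][0], s.minute)
        else:
            intervals.append((s.minute, s.minute))
    return intervals


# Constructed sample: ten minutes of telemetry for a single tunnel.
SAMPLES = [
    MinuteSample(0, True, True),
    MinuteSample(1, False, True),    # branch reports down
    MinuteSample(2, False, False),   # both report down; branch checked first
    MinuteSample(3, None, False),    # only the VPNC reports, and says down
    MinuteSample(4, None, None),     # silence from both sides
    MinuteSample(5, None, None),
    MinuteSample(6, True, None),     # one side silent only: not marked down
    MinuteSample(7, True, True),
    MinuteSample(8, None, None),
    MinuteSample(9, True, False),    # VPNC reports down
]

if __name__ == "__main__":
    for reason, (minutes, pct) in minutes_down_by_reason(SAMPLES).items():
        print(f"{reason}: {minutes} min ({pct}%)")
    print("down intervals:", down_intervals(SAMPLES))
```

Minute 6 shows the case the third scenario excludes: missing telemetry from only one side does not mark the tunnel down as long as the other side reports it up.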
This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for tunnel down in the network.
- Minutes Down--Displays the exact number and percentage of tunnel down that occurred against each failure reason.
Time Series Graph

This bar graph displays the percentage and number of tunnels down in the network during the selected time period. Hover your mouse on each bar graph to see the exact percentage of tunnels down. The following graph shows data trend for 3 hours in a day.
Figure 43 Gateway Tunnels Down Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 71: Cards Context

Cards      Context
Site       Global
Gateway    Global, Site
VPNC       Global, Site, Device
Tunnel     Global, Site, Device


Site
Lists the number of sites where the gateways experience tunnel down. Click the arrow to expand the card and click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Number of Down Tunnels--Number of tunnels down in each site that experience high memory utilization in each site.
- Total Tunnels--Total number of gateway tunnels in each site.
- Number of Impacted Gateways--Number of gateways impacted by tunnel down in each site.
- Number of Impacted VPNC--Number of VPNC gateways that experience tunnel down in each site.
Gateway
Lists the number and the reason for the cause of tunnel down in gateways. Click the arrow to expand the card and click the number displayed on the Gateway card to view a detailed description of the impacted gateways:
- Serial--Serial number of each gateway and link to the Gateway Details page.
- Gateway Name--Name of the gateway that experiences tunnel down.
- Mode--Operational mode of the gateway.
- Number of Tunnels--Number of tunnels down in each gateway.
- Total Tunnels--Total number of tunnels in each gateway.
- Duration (mins)--Time range of tunnel down in each gateway.
- Model--The hardware model number of the gateway.
- Firmware--Version of the firmware running on each gateway.
- Site--Name of the site where the gateway resides.
VPNC
Displays the total number of VPNC gateways experiencing tunnel down. Click the arrow to expand the card and view the amount of time (minutes) and the reasons for the cause of down tunnels on the VPNC gateways. Click the number displayed on the VPNC card to view a detailed description of the impacted VPNC gateways:
- Serial--Serial number of each gateway and link to the Gateway Details page.
- Gateway Name--Name of the gateway that experiences tunnel down.
- Mode--Operation mode of the VPNC.
- Total Number of Tunnels Down--Number of tunnels down in each gateway.
- Total Number of Tunnels--Number of tunnels down in each gateway.
- Number of Gateways--Number of gateways impacted by tunnel down.
- Number of Sites--Number of sites impacted by tunnel down.
- Duration (mins)--Time range of tunnel down in each gateway.
- Model--The hardware model number of the gateway.
- Firmware--Version of the firmware running on each gateway.
- Site--Name of the site where the gateway resides.
Tunnel
Displays the total number of gateways experiencing tunnel down. Click the arrow to expand the card to view the amount of time (minutes) and the reasons for the cause of tunnel down in the network. Click the number displayed on the Tunnel card to view a detailed description of the impacted tunnels:
- Site Name--Name of the site where the tunnel resides.
- Gateway IP--IP address of the impacted gateway.
- VPNC IP--IP address of the impacted VPNC gateway.
- Duration (mins)--Time range of tunnel down.
- Gateway VLAN--VLAN ID of the gateway.
- VPNC VLAN--VLAN ID of the VPNC.
- Gateway Name--Name of the gateway where the tunnel is down.
- Gateway MAC--MAC address of the impacted gateway.
- VPNC Name--Name of the VPNC gateway where the tunnel is down.
- VPNC MAC--MAC address of the impacted VPNC gateway.
- Gateway Serial--Serial number of the gateway and link to the Gateway Details page.
- VPNC Serial--Serial number of VPNC gateway.

DNS queries failed to reach or return from the servers
The DNS queries failed to reach or return from the servers insight can be accessed from the Global, Site, and Access Points context. This insight provides information about wireless APs that experience a higher than normal number of connection failures with the DNS server. It is categorized under connectivity since the wireless clients are unable to reach the destination URL. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
Time Series Graph
This bar graph displays the number of connection losses with the DNS server that occurred during the selected time. Hover your mouse on each bar graph to see the exact number of losses. The following graph shows data trend for 3 hours in a day.
Figure 44 High Number DNS Loss Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 72: Cards Context

Cards           Context
Site            Global
Server          Global, Site, Device
Access Point    Global, Site


Site

Lists the number of sites that experience connection loss with the DNS server in the network. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Lost DNS Queries (%)--Total count of the DNS packets that get lost in the network. DNS server does not receive these packets.
- Total Queries--Total number of successful DNS queries, denied DNS queries, and lost queries in the DNS server.
Server
Lists the number of servers that have a higher number of DNS connection failures in the network. Click the arrow to view the pictorial graph of the Top 5 impacted servers. Click the number displayed on the Server card, to view a detailed description of the impacted servers:
- Server IP--IP address of each server.
- Lost DNS Queries (%)--Total count of the DNS packets that get lost in the network. DNS server does not receive these packets.
- Total Queries--Total number of successful DNS queries, denied DNS queries, and lost queries in the DNS server.
Access Point
Lists the number and details of APs that have a higher number of DNS connection failures in the network. Click the arrow to view a pictorial graph of the Top 5 impacted access points. Click the Access Point drop-down list to view the following:
- Success Rate--Graphical representation of the total failures and total successful requests that occurred at the AP.
Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- AP MAC--MAC address of the AP and link to the Access Point Details page.
- AP Serial--Serial number of the AP.
- Lost DNS Queries (%)--Total count of the DNS packets that get lost in the network. DNS server does not receive these packets.
- Total Queries--Total number of successful DNS queries, denied DNS queries, and lost queries in the DNS server.
- Model--Model number of each AP.
- Firmware--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Information (telemetry) was not received from APs/Radios
The Information (telemetry) was not received from APs/Radios insight can be accessed from the Global, Site, and Access Points context. This insight provides information about AP radios that missed sending telemetry data to Aruba Central, and is categorized under availability since AI insights loses visibility of the APs. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
This bar graph displays the number of 2.4 GHz and 5 GHz radios that failed to send telemetry data during the selected time period. Hover your mouse over each bar graph to see the exact number of missing radios. The following graph shows data trend for 3 hours in a day.
Figure 45 APs with Missing Telemetry Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 73: Cards Context

Cards           Context
Site            Global
Access Point    Global, Site


Site
Lists the number of sites where the APs experience missing telemetry. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Radios Impacted--Number of radio channels that missed telemetry data.
- Minutes Missing--Time range of missing telemetry in each site.
- Hours Missing--Hourly data of the missing telemetry in each site.
Access Point
Lists the number and details of APs that experience missing telemetry. Click the arrow to view the pictorial graph of the Top 5 impacted access points. Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- AP MAC--MAC address of the AP and link to the Access Point Details page.
- AP Serial--Serial number of the AP.
- Firmware--Version of the firmware running on each AP.
- AP Model--Model number of each AP.
- Site Name--Name of the site where the AP resides.
- Minutes Missing in 2.4 GHz--Time range (minutes) of missing telemetry in 2.4 GHz band.
- Hours missing in 2.4 GHz--Time range (hours) of missing telemetry in 2.4 GHz band.
- Minutes missing in 5 GHz--Time range (minutes) of missing telemetry in 5 GHz band.
- Hours missing in 5 GHz--Time range (hours) of missing telemetry in 5 GHz band.
Outdoor clients are impacting Wi-Fi performance
The Outdoor clients are impacting Wi-Fi performance insight can be accessed only at the Global context. The intention of this insight is to understand which outdoor clients are affecting the performance of the indoor AP. Outdoor clients are impacting Wi-Fi performance insight provides information about the optimum Probe/Auth SNR Threshold value and recommended config value for Probe/Auth SNR Threshold below which APs ignore Probe Requests and Authentication Requests from far away clients. It is triggered when the Probe SNR threshold is not set optimally. Following are the recommendation scenarios:
- If the SNR Threshold value is below 8dBm, it is set back to 8dBm
- If the SNR Threshold value is anything higher than 16dBm, it is set back to 16dBm
- If the SNR Threshold is between 8dBm and 16dBm, no recommendation is provided
- If the recommended threshold value is in the range of +3 or -3, no recommendation will be provided since there might be very few clients in the network or there might be some genuine users in that range
This insight is categorized under wireless quality as low SNR clients (outdoor) experience poor Wi-Fi connectivity and this in turn affects other clients on the AP, which have good SNR connections. This insight displays the following information:
- Insight Summary
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Clients connected to the wireless network at low SNR.
- Recommendation--Change the Probe RSSI threshold and the Auth RSSI threshold to the recommended value to improve the indoor Wi-Fi client experience.
Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 74: Cards Context

Cards            Context
Client           Global
Client Minute    Global


Client
Lists the MAC Address, name, host name, auth ID, and the total number of clients below the proposed SNR threshold. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Number of the impacted client and link to the Client Details page.
- Client MAC--MAC address of the impacted client.
- OS--OS type of the device.
- Site--Name of the site where the client resides.
- Duration (mins)--Number of minutes the client was outside below the recommended Probe SNR/Auth threshold.
Client Minute
Displays the percentage of avoided outdoor client minutes and affected indoor client minutes in a chart. The graph also shows the current and the recommended threshold (dBm) for each client type in the network. In order to rectify the issue, the Probe SNR threshold must be set to the recommended value. This frees up airtime and AP resources for indoor users.
Figure 46 Probe SNR Threshold Graph

Switches had an unusual number of port errors
The Switches had an unusual number of port errors insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that experience excessive port errors confined to Layer 1 and Layer 2 in the network. This insight is categorized under availability since the wired devices connected to the affected ports experience connectivity issues. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the recommendation against each failure to resolve the same.
- Errors--Displays the exact number and percentage of failures that occurred against each failure reason.
Time Series Graph
In Global and Site context this bar graph displays the count of switches experiencing port errors in the network during the selected time period. Hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this bar graph displays the severity level of the selected switch experiencing port errors during the selected time period. The following graph shows data trend for 3 hours in a day at the Global level:
Figure 47 Switch Excessive Port Errors

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 75: Cards Context

Cards     Context
Site      Global
Switch    Global, Site
Port      Global, Site, Device


Site
Lists the number of sites where switches have port errors. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides and link to the Site page.
- Switches with Port Errors--Number of the switches experiencing port errors.
- Number of Errors--Number of errors in each site.
- Number of Ports--Number of ports experiencing errors in each site.
Switch
Lists the number of switches that experience excessive port errors in the network. Click the arrow to view the pictorial graph of the Top 5 impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of port errors classified by switch models.
- FW Version--Pictorial graph of port errors classified by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing port errors and link to the Switch Details page.
- Serial--Serial number of the impacted switch and link to the Switch Details page.
- Stack ID--Stack ID of the impacted switch.
- Number of Errors--Number of port errors in each switch.
- Number of Ports--Number of ports experiencing excessive errors.
- Model--Model number of the impacted switch.
- Firmware--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Port
Number of ports experiencing excessive errors. Click the arrow to view the pictorial graph of the Top 5 impacted ports. Click the number displayed on the Port card, to view a detailed description of the impacted ports:
- Switch Name--Name of the switch experiencing power issues and link to the Switch Details page.
- Serial--Serial number of the impacted switch and link to the Switch Details page.
- Stack ID--Stack ID of the impacted switch.
- Port Number--Port number of the switch.
- Number of Errors--Number of port errors in each port.
- Status--Status of the impacted switch.
- Connected Device--MAC address of the connected device.
- Connected Device MAC--MAC address of the client device.
- Connected Device Description--An overview of the connected devices, including the OS type, model, and version.
Switches had excessive port flaps
The Switches had excessive port flaps insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that experience port flaps in the network. It is categorized under availability since this causes connectivity drops and also triggers the reboot of PoE devices. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
In Global and Site context this bar graph displays the count of switches experiencing port flaps in the network during the selected time period. Hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this bar graph displays the severity level of the selected switch experiencing port flaps during the selected time period. The following graph shows data trend for 3 hours in a day at the Global level:
Figure 48 Switch Excessive Port Flaps Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 76: Cards Context

Cards     Context
Site      Global
Switch    Global, Site
Port      Global, Site, Device


Site
Site card is accessible only when this insight is accessed from the global context. It lists the number of sites where switches have port flaps. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides and link to the Site page.
- Switches with Excessive Flaps--Number of the switches experiencing port flaps.
- Number of Flaps--Number of errors in each site.
- Number of Ports--Number of ports experiencing flaps in each site.
Switch
Lists the number of switches that experience excessive port flaps in the network. Click the arrow to view the pictorial graph of the Top 5 impacted switches. Click the Switch drop-down list to view the following:

- Switch Model--Pictorial graph of port flaps classified by switch models.
- FW Version--Pictorial graph of port flaps classified by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing port flaps and link to the Switch Details page.
- Serial--Serial number of the impacted switch and link to the Switch Details page.
- Stack ID--Stack ID of the impacted switch.
- Number of Flaps--Number of port flaps in each switch.
- Number of Ports--Number of ports affected by excessive flaps.
- Model--Model number of the impacted switch.
- Firmware--Version of the firmware running on each switch.
- Site Name--Name of the site where the switch exists.
Port
Number of ports experiencing excessive flaps. Click the arrow to view the pictorial graph of the Top 5 impacted ports. Click the number displayed on the Port card, to view a detailed description of the impacted ports:
- Switch Name--Name of the switch experiencing power issues and link to the Switch Details page.
- Serial--Serial number of the impacted switch and link to the Switch Details page.
- Stack ID--Stack ID of the impacted switch.
- Port Number--Port number of the switch.
- Number of Flaps--Number of port flaps in each port.
- Status--Status of the impacted switch.
- Connected Device--MAC address of the connected device.
- Connected Device MAC--MAC address of the client device.
- Connected Device Description--An overview of the connected devices, including the OS type, Model, and Version.
Switches had unusually high CPU utilization
The Switches had unusually high CPU utilization insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches experiencing higher than normal CPU utilization. It is categorized under availability since the impacted switches and the associated devices experience connectivity issues. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
In Global and Site context this bar graph displays the count of switches experiencing high CPU utilization in the network during the selected time period. Hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this bar graph displays the severity level of the selected switch experiencing high CPU utilization during the selected time period. The following graph shows data trend for 3 hours in a day at the Global level:
Figure 49 Switch with High CPU Utilization Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 77: Cards Context

Cards     Context
Site      Global
Switch    Global, Site
CPU       Device


Site
Lists the number of sites where the switches experience high CPU utilization. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Switches with High CPU--Number of switches experiencing high CPU utilization in each site.
- Minutes with High CPU--Amount of time (minutes) high CPU utilization observed in each site.
Switch
Lists the number of switches that experience high CPU utilization. Click the arrow to view the pictorial graph of the Top 5 impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of the high CPU utilization sorted by switch models.
- FW Version--Pictorial graph of high CPU utilization sorted by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing high CPU utilization and link to the Switch Details page.
- Serial--Serial number of the switch and link to the Switch Details page.
- Stack ID--Stack ID of the impacted switch.
- Max CPU--Maximum utilization of the CPU in each switch.
- Minutes with High CPU--Time range of high CPU utilization on each switch.
- Model--Model number of each switch.
- Firmware--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
CPU
Lists the time series of CPU utilization percentage for a switch. Click the arrow to expand the card and view the graphical representation of the data in the selected switch. Click the number displayed on the CPU card to view a detailed description of the impacted switch:
- Switch Name--Name of the switch experiencing high memory utilization.
- Max CPU--Maximum utilization of the CPU in a specific switch.
- Total Metrics--Total metrics of the utilization.
- Percentage Metrics--Percentage metrics of the utilization.
- Model--Model number of each switch.
- Firmware--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Switches had unusually high memory usage
The Switches had unusually high memory usage insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches experiencing higher than normal memory utilization, and is categorized under availability since the impacted switches and the associated devices experience connectivity issues. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
In Global and Site context this bar graph displays the count of switches experiencing high memory utilization in the network during the selected time period. Hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this bar graph displays the severity level of the selected switch experiencing high memory utilization during the selected time period. The following graph shows data trend for 3 hours in a day at the Global level:
Figure 50 Switch with High Memory Utilization Data
Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:
Table 78: Cards Context

Cards     Context
Site      Global
Switch    Global, Site
Memory    Device


Site
Lists the number of sites where the switches experience memory utilization. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Switches with High Memory--Number of switches experiencing high memory utilization in each site.
- Minutes with High Memory--Amount of time (minutes) high memory utilization observed in each site.
Switch
Lists the number of switches that experience high memory utilization. Click the arrow to view the pictorial graph of the Top 5 impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of the high memory utilization sorted by switch models.
- FW Version--Pictorial graph of high memory utilization sorted by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing high memory utilization and link to the Switch Details page.
- Serial--Serial number of the switch and link to the Switch Details page.
- Stack ID--Stack ID of the impacted switch.
- Max Memory--Maximum utilization of memory in each switch.
- Minutes with High Memory--Time range of high memory utilization on each switch.
- Model--Model number of each switch.
- Firmware--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Memory
Lists the time series of memory utilization percentage for a switch. Click the arrow to expand the card and view the graphical representation of the data in the selected switch. Click the number displayed on the Memory card to view a detailed description of the impacted switch:
- Switch Name--Name of the switch experiencing high memory utilization.
- Max Memory--Maximum utilization of memory in a specific switch.
- Avg Memory--Average utilization of memory in a specific switch.
- Total Metrics--Total metrics of the utilization.
- Percentage Metrics--Percentage metrics of the utilization.
- Model--Model number of each switch.
- Firmware--Version of the firmware running on each switch.
- Site Name--Name of the site where the switch exists.
Switch ports had a high number with Power-over-Ethernet problems
The Switch ports had a high number with Power-over-Ethernet problems insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that have not received required power from PoE devices connected to them. PoE issues occur in switches when power is denied, or power is demoted from the device connected to them. It is categorized under availability since the impacted switches are unable to receive sufficient power. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
In Global and Site context this bar graph displays the count of switches experiencing power issues in the network during the selected time period. Hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this bar graph displays the severity level of the selected switch experiencing power issues during the selected time period. The following graph shows data trend for 3 hours in a day at the Global level:
Figure 51 Switch PoE Issues Data

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 79: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Switch | Global, Site |
| Wired Clients | Global, Site |

Site

Lists the number of sites where switches have PoE issue. Click the arrow to view the pictorial graph of the Top 5 impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides.
- Switches with Port Issues--Number of the switches experiencing port issues.
- Events--Number of events generated pertaining to PoE failures in each site.
- Ports--Number of ports for which power is denied.
- Switches--Number of switches for which power is denied.
- Impact--Number of PoE failures in each site.
Switch
Lists the number of switches that experience PoE issues in the network. Click the arrow to view the pictorial graph of the Top 5 impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of PoE issues classified by switch models.
- FW Version--Pictorial graph of PoE issues classified by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing power issues and link to the Switch Details page.
- Serial--Serial number of the impacted switch and link to the Switch Details page.
- Events--Number of events generated pertaining to PoE failures in each switch.
- Wired Clients--Number of clients impacted by the PoE failures.
- Duration (mins)--Amount of time (minutes) for which power is denied in each switch.
- Stack ID--Stack ID of the impacted switch.
- Number of Events--Number of events generated pertaining to PoE failures in each switch.
- Model--Model number of the impacted switch.
- Firmware--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Wired Clients
Lists the MAC Address, name, host name, and auth ID of the clients connected to a switch that experience PoE issues. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the Wired Clients drop-down list to view the following:
- Model--Pictorial graph of all the device types models connected to the impacted switch.
- Vendor--Pictorial graph of the device type vendors connected to the impacted switch.
Click the number displayed on the Wired Clients card to view a detailed description of the impacted switches:
- Switch Name--Name of the impacted switch where the client resides and link to the Switch Details page.
- Serial--Serial number of the impacted switch and link to the Switch Details page.
- Stack ID--Stack ID of the impacted switch where the client resides.
- Port Number--Port number of the switch the client device is connected to.
- Power Requested/Offered--PoE consumption for each client.
- Reason--Cause of the denied PoE power in each client.
- Status--Status of client.
- Model--Hardware model of the impacted switch where the client resides.
- Vendor--Vendor of the wired client.
- Connected Device--MAC address of the connected device.
- Connected Device MAC--MAC address of the client device.
- Connected Device Description--An overview of the connected devices, including the OS type, model, and version.
- Site--Name of the site where the client resides.
Chapter 6 Instant APs

Instant APs
Instant APs offer an enterprise-grade networking solution with a simple setup. The WLAN solution with Instant APs supports simplified deployment, configuration, and management of Wi-Fi networks. Instant APs run the Aruba Instant software that virtualizes Aruba Mobility Controller capabilities on 802.11 APs and offers a feature-rich enterprise-grade Wi-Fi solution. Instant APs are often deployed as a cluster. An Instant AP cluster includes a master AP and a set of other APs that act as slave APs. In an Instant deployment scenario, only the first AP or the master AP that is connected to a provisioning network is configured. All other Instant APs in the same VLAN join the master AP and inherit the configuration changes. The Instant AP clusters are configured through a common interface called Virtual Controller. A Virtual Controller represents the combined intelligence of the Instant APs in a cluster.
Supported Deployment Modes
Aruba Instant APs can be deployed in the following modes in Aruba Central:
- Cluster mode--In this mode, several Instant APs form a cluster when connected to a provisioning network and a master Instant AP is elected. In the cluster mode, a new Instant AP onboarded to Aruba Central can join an existing Instant AP cluster.
- Standalone mode--In this mode, individual Instant APs are provisioned in groups and managed from Aruba Central.
Configuration and Management
Network administrators can manage Instant APs through the Aruba Instant UI, Aruba Central, or AirWave management system. For information on how to configure Instant APs using the Aruba Instant UI, see the Aruba Instant User Guide. For more information on how to deploy, provision, manage, and monitor Instant APs from Aruba Central, see the following topics:
- Supported Instant APs
- Provisioning Instant APs
- Configuring Device Parameters
- Configuring Network Profiles on Instant APs
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring ARM and RF Parameters on Instant APs
- Configuring IDS Parameters on APs
- Configuring Authentication and Security Profiles on Instant APs
- Configuring Instant APs for VPN Services
- Configuring DHCP Pools and Client IP Assignment Modes on Instant APs
- Configuring Services
- Configuring Uplink Interfaces on Instant APs
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Opening a Remote Console
- Mapping Instant AP Certificates
- Configuring APs Using Templates
- Managing Variable Files
- Viewing APs Configuration Tabs
Provisioning Instant APs
The following figure illustrates the procedure for bringing up Instant APs and configuring a basic WLAN setup. To view a detailed description of the tasks, click the task link in the flowchart.
When you click a task in the flowchart, the linked topic opens in a pop-up window. After you browse through the topic, click outside the pop-up window to return to this page.
Figure 52 Getting Started--Instant APs

Viewing APs Configuration Tabs

Aruba Central now constantly displays the default tabs under the Show Advanced and Hide Advanced options in the Devices > Access Points page. When you click the Show Advanced or Hide Advanced option, a set of default configuration tabs are displayed. The respective default tabs under these two options are still displayed when you navigate out of the page, and visit the same page next time. Following are the default tabs displayed when you navigate to Devices > Access Points page and click the Config icon:
- WLANs
- Access Points
- Radios
When you click the Show Advanced option, the following tabs are displayed:
- WLANs
- Access Points
- Radios
- Interfaces
- Security
- VPN
- Services
- System
- Configuration Audit
Navigating to Virtual Controller Configuration Dashboard
To navigate to the virtual controller configuration dashboard, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. In the Virtual Controller column, click on the virtual controller to navigate to the Access Points > List view of the virtual controller.
4. Click the Config icon. The default tabs to configure the virtual controller are displayed.
5. Click Show Advanced to view advanced configuration options. For more information about the various configuration options, see Deploying a Wireless Network Using Instant APs.
Deploying a Wireless Network Using Instant APs
This section describes how to configure WLAN SSIDs, radio profiles, DHCP profiles, VPN routes, security and firewall settings, uplink interfaces, and logging servers on Instant APs. For more information on Instant AP configuration, see the following topics:

- Configuring Device Parameters
- Configuring Network Profiles on Instant APs
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring ARM and RF Parameters on Instant APs
- Configuring IDS Parameters on APs
- Configuring Authentication and Security Profiles on Instant APs
- Configuring Instant APs for VPN Services
- Configuring DHCP Pools and Client IP Assignment Modes on Instant APs
- Configuring Services
- Configuring Systems
- Configuring Uplink Interfaces on Instant APs
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Viewing APs Configuration Tabs
- Opening a Remote Console
- Mapping Instant AP Certificates
Setting Country Code
The initial Wi-Fi setup of an Instant AP requires you to specify the country code for the country in which the Instant AP operates. This configuration sets the regulatory domain for the radio frequencies that the Instant AP uses. The available 20 MHz, 40 MHz, or 80 MHz channels are dependent on the specified country code.

Country Code Configuration in Aruba Central from UI
If you provision a new Instant AP without the country code, Aruba Central exhibits the following behavior:

Table 80: Instant AP Provisioned To Aruba Central

| Country Code Configured at Instant AP | Country Code Configured in Group | Behavior |
|---|---|---|
| No | Yes | The country code of the group is pushed to the newly added Instant AP. |
| No | No | Aruba Central displays the "Country Code not set. Config not updated" message in Audit Trail. A notification is also displayed at the bottom of the main window to set the country code of the new Instant AP. To set the country code, perform the following actions: 1. Click Set Country Code now link on the notifications pane. The Set Country Code pop up is displayed. 2. In the Device(s) without country code table, click the edit icon. 3. Specify a country code from the Country Code drop-down list. 4. Click Save. |

If an Instant AP has a country code and joins Aruba Central using ZTP configuration, then the country code of the Instant AP is retained. In this case, Aruba Central will not push the group country code.
Setting Country Code at Group Level
To set the country code of the Instant AP at the group level, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click General.
6. In the Set Country code for group drop-down list, select the country code for Instant AP.
7. Click Save Settings.
8. Reboot Instant AP for changes to take effect.
By default, the value corresponding to the Set Country code for group field is empty. This indicates that any Instant AP with different country codes can be a part of the group. When the Set Country code for group field is set, the field cannot revert to the default value. When the country code of the group is changed, the country code of the already connected Instant AP also will be updated.
Setting Country Code at Device Level
To set the country code of the Instant AP at the device level, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click General.
6. In the Virtual Controller pane, select an Instant AP, and then click the edit icon.
7. Select the new country code from the Country Code drop-down list.
8. Click OK.
9. Reboot Instant AP for changes to take effect.
Aruba Central now constantly displays the default tabs under the Show Advanced and Hide Advanced option in the Devices > Access Points page. When you click the Show Advanced or Hide Advanced option and navigate out of the page, the respective default tabs under Show Advanced or Hide Advanced option are still displayed when you visit the page next time. By default, the value corresponding to the Country code is the country code set at the group level, which can then be modified at the device level from the drop-down list. The country code of the Instant AP will always be the most recently set country code at the group level or device level. The auto If there is a discrepancy in country code configuration, Aruba Central displays it as an override in the Configuration Audit page.
Country Code Configuration at Group Level from API
Aruba Central provides an option to set and get the country code at group level through the APIs in API Gateway. To set or get the country code at group level through API, complete the following steps:
1. In the Account Home page, click API Gateway. The API Gateway page is displayed.
2. Click the Authorized Apps & Tokens tab and generate a token key.
The token key is valid only for 2 hours from the time it was generated.
3. Download and copy the generated token.
4. In the All Published APIs window, click the URL link listed under the Documentation column. The Central Network Management APIs page is displayed.
5. On the left navigation pane, select Configuration from the URL drop-down list.
6. Paste the token key in the Token field and press Enter.
7. Click NB UI Group Configuration. The following options are displayed:
   - Set country code at group level ([PUT]/configuration/v1/country)--This API allows you to set the country code for multiple groups at once. Aruba Central currently allows country codes of up to 50 Instant AP device groups to be configured simultaneously. To set the country codes of multiple groups, enter the group names and country code as inputs corresponding to the groups and country labels respectively in the script { "groups": [ "string" ], "country": "string" } within the set_group_config_country_code text box.
   - Get country code set for group ([GET]/configuration/v1/{group}/country)--This API allows you to retrieve the country code set for a specific Instant AP group. To get the country code information of the Instant AP group, enter the name of the group for which the country code is being queried corresponding to the country label in the script { "country": "string"} within the group text box.
The APIs for setting and retrieving country code information are not available for the Instant AP devices deployed in template groups.

The following are the response messages displayed in the Set country code at group level and Get country code set for group sections:

Table 81: Response Messages

Set country code at group level:
- 201 - Successful operation
- 400 - Bad Request
- 401 - Unauthorized access, authentication required
- 403 - Forbidden, do not have write access for group
- 413 - Request-size limit exceeded
- 417 - Request-size limit exceeded
- 429 - API Rate limit exceeded
- 500 - Internal Server Error
- 503 - Service unavailable, configuration update in progress

Get country code set for group:
- 400 - Bad Request
- 401 - Unauthorized access, authentication required
- 403 - Forbidden, do not have read access for group
- 413 - Request-size limit exceeded
- 417 - Request-size limit exceeded
- 429 - API Rate limit exceeded
- 500 - Internal Server Error
- 503 - Service unavailable, configuration update in progress

For further details on APIs, see https://app1-apigw.central.arubanetworks.com/swagger/central.
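The two group-level calls described above, as an added Python example (not code from the Aruba documentation): it splits a group list into the 50-per-request limit, refuses to send a token past its 2-hour validity, percent-encodes the group name in the GET path, and backs off on the 429 and 503 responses from Table 81. The bearer Authorization header, the retry policy, and all function names are assumptions of this example; the host is the one in the swagger link above.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Host taken from the swagger link on this page; other deployments may use another host.
BASE_URL = "https://app1-apigw.central.arubanetworks.com"
MAX_GROUPS_PER_CALL = 50        # "up to 50 Instant AP device groups" per PUT
TOKEN_LIFETIME_S = 2 * 60 * 60  # the token key is valid for 2 hours
RETRYABLE = {429, 503}          # rate limit exceeded / configuration update in progress
FATAL_AUTH = {401, 403}         # retrying with the same token cannot succeed


def chunk_groups(groups, size=MAX_GROUPS_PER_CALL):
    """Split a group list into batches the API accepts in one call."""
    groups = list(groups)
    return [groups[i:i + size] for i in range(0, len(groups), size)]


def auth_headers(token):
    # Assumption: the API Gateway token is presented as an OAuth bearer token.
    return {"Authorization": "Bearer " + token, "Content-Type": "application/json"}


def build_set_request(token, groups, country):
    """PUT /configuration/v1/country with the JSON body shown on this page."""
    if not 1 <= len(groups) <= MAX_GROUPS_PER_CALL:
        raise ValueError("between 1 and 50 groups per request")
    body = json.dumps({"groups": list(groups), "country": country}).encode()
    return urllib.request.Request(BASE_URL + "/configuration/v1/country",
                                  data=body, method="PUT", headers=auth_headers(token))


def build_get_request(token, group):
    """GET /configuration/v1/{group}/country. The name is percent-encoded so a
    group called 'a/b' or '../x' cannot change which path is requested."""
    path = "/configuration/v1/%s/country" % urllib.parse.quote(group, safe="")
    return urllib.request.Request(BASE_URL + path, method="GET", headers=auth_headers(token))


def send(request):
    """Default transport: returns (status, body) for success and HTTP errors alike."""
    try:
        with urllib.request.urlopen(request, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def call_with_retry(request, issued_at, transport, sleep, now, max_attempts):
    """Send one request, backing off on 429/503 and never using an expired token."""
    status, body = None, b""
    for attempt in range(max_attempts):
        if now() - issued_at >= TOKEN_LIFETIME_S:
            raise PermissionError("token is older than 2 hours; generate a new one")
        status, body = transport(request)
        if status not in RETRYABLE:
            break
        if attempt + 1 < max_attempts:
            sleep(2 ** attempt)  # 1 s, 2 s, 4 s, ...
    return status, body


def set_country(token, issued_at, groups, country, transport=send,
                sleep=time.sleep, now=time.time, max_attempts=4):
    """Apply one country code to any number of groups; returns [(batch, status)]."""
    results = []
    for batch in chunk_groups(groups):
        status, _ = call_with_retry(build_set_request(token, batch, country),
                                    issued_at, transport, sleep, now, max_attempts)
        results.append((batch, status))
        if status in FATAL_AUTH:
            break  # stop rather than repeat a rejected token against every batch
    return results


def get_country(token, issued_at, group, transport=send,
                sleep=time.sleep, now=time.time, max_attempts=4):
    """Return the country code configured for one group."""
    status, body = call_with_retry(build_get_request(token, group),
                                   issued_at, transport, sleep, now, max_attempts)
    if not 200 <= status < 300:
        raise RuntimeError("country lookup failed with HTTP %d" % status)
    return json.loads(body)["country"]
```

Pass the time the token was generated as `issued_at` (seconds since the epoch); the `transport`, `sleep` and `now` parameters exist so the logic can be exercised without network access.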
Configuring Device Parameters
To configure device parameters on an Instant AP, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group in the filter:
     a. Set the filter to one of the options under Groups. Ensure that the filter selected contains at least one active access point. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
   - To select an access point in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
     c. Click an access point listed under Device Name. The dashboard context for the access point is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure access points are displayed.
3. Click the Access Points tab. The Access Points table is displayed.

4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Configure the parameters described below:

Table 82: Access Points Configuration Parameters

UI | Parameters | Description

Basic Info

Name

Configures a name for the Instant AP. For Instant APs running 8.7.0.0 or later versions, you can enter up to 128 ASCII or non-ASCII characters. For Instant APs running 8.6.0.0 or earlier versions, you can enter up to 32 ASCII or non-ASCII characters.

AP Zone

Configures the Instant AP zone. For Instant APs running firmware versions 6.5.4.7 or later, and 8.3.0.0 or later, you can configure multiple AP zones by adding zone names as comma separated values.
Aruba recommends that you do not configure zones in both SSID and in the Per AP settings of an Instant AP. If the same zones are configured in SSID and Per AP settings, APs may broadcast the SSIDs, but if the SSIDs and Per AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see Aruba Instant User Guide.

RF Zone

Allows you to create an RF zone for the AP. With RF zone, you can configure different power transmission settings for APs in different zones or sections of a deployment site. For example, you can configure power transmission settings to make Wi-Fi available only for the devices in specific areas of a store.
You can also configure separate RF zones for the 2.4 GHz and 5 GHz radio bands for the Instant APs in a cluster. For more information, see Configuring Radio Parameters on page 338.
Aruba recommends that you configure RF zone for either individual AP or for the cluster. Any discrepancy in the RF zone names may lead to configuration errors.

Swarm Mode

Allows you to set one of the following operation modes:
- Cluster--Allows the Instant AP to join an Instant AP cluster.
- Standalone--Allows the Instant AP to function in the standalone mode.
After changing the AP operation mode, ensure that you reboot the AP.

Preferred Master

Turn on the toggle switch to provision the Instant AP as a master Instant AP.

IP Address for Access Point

Select one of the following options:
- Get IP Address from DHCP server--Allows the Instant AP to get an IP address from the DHCP server. By default, the Instant APs obtain IP address from a DHCP server.
- Static--You can also assign a static IP address to the Instant AP. To specify a static IP address for the Instant AP, complete the following steps:
  - Enter the new IP address for the Instant AP in the IP Address text-box.
  - Enter the subnet mask of the network in the Netmask text-box.
  - Enter the IP address of the default gateway in the Default Gateway text-box.
  - Enter the IP address of the DNS server in the DNS Server text-box.
    NOTE: You can configure up to two DNS servers separated by a comma. If the first DNS server goes down, the second DNS server takes control of resolving the domain name.
  - Enter the domain name in the Domain Name text-box.

Radio

Enable Radio

Select the Enable Radio check-box under 2.4GHz Band and 5 GHz Band to enable and disable the radio.

Mode

Select any of the following options:
n Access--In the Access mode, the Instant AP serves clients, while also monitoring for rogue Instant APs in the background.
n Monitor--In the Monitor mode, the Instant AP acts as a dedicated monitor, scanning all channels for rogue Instant APs and clients.
n Spectrum--In the Spectrum mode, the Instant AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring Instant APs or from non-Wi-Fi devices such as microwaves and cordless phones. For more information, see Spectrum Scan Overview.

NOTE: In the Monitor and Spectrum modes, the Instant APs do not provide access services to clients.

NOTE: In the dual 5 GHz band, the Mode remains as Access and is non-editable. This dual 5 GHz band is only supported on AP-344 and AP-345 that runs on Instant AP 8.3.0.0. For more information, see the Configuring Dual 5 GHz Radio Bands on an Instant AP.

NOTE: To get accurate monitoring details and statistics, it is highly recommended to reboot the Instant APs once the Instant APs are toggled from the 2.4/5 GHz mode to dual 5 GHz radio mode or vice-versa.

Adaptive radio management assigned

You can configure a radio profile on an Instant AP either manually or by configuring the Adaptive radio management assigned option.
NOTE: Adaptive Radio Management (ARM) feature is enabled on Aruba Central by default. It automatically assigns appropriate channel and power settings for the Instant APs.

Administrator assigned

You can also assign an administrator by using the Administrator assigned option and selecting the number of channels in the Channel drop-down list. In the Transmit Power field, enter the signal strength measured in dBm.

External Antenna

Antenna Gain

If the Instant AP has external antenna connectors, you need to configure the transmit power of the system. You can also measure or calculate additional attenuation between the device and the antenna before configuring the antenna gain. For more information, see Configuring External Antenna

Antenna Polarization Type

The wireless bridge's integrated antenna sends a radio signal that is polarized in a particular direction. The antenna's receive sensitivity is also higher for radio signals that have the same polarization. To maximize the performance of the wireless link, both antennas must be set to the same polarization direction.

Installation Type

Installation Type

Configure the Installation Type of the Instant AP you have selected. The Installation Type drop-down consists of the following options:
- Indoor
- Outdoor
You can either select the Indoor option to change the installation to Indoor mode or select the Outdoor option to change the installation to the Outdoor mode. The options in the Installation Type drop-down are listed based on the Instant AP model.

Uplink

Uplink Management VLAN

The uplink traffic on Instant AP is carried out through a management VLAN. However, you can configure a nonnative VLAN as an uplink management VLAN. After an Instant AP is provisioned with the uplink management VLAN, all management traffic sent from the Instant AP is tagged to the management VLAN.
To configure a non-native uplink VLAN, click Uplink and specify the VLAN in Uplink Management VLAN.

Eth0 Bridging

If you want to convert the Eth0 uplink port to a downlink port, enable Eth0 Bridging. Enable this option to support wired bridging on the Ethernet 0 port of an Instant AP.

USB Port

Enable the USB port if you do not want to use the cellular uplink or 3G/4G modem in your current network setup.

PEAP User

Create the PEAP user credentials for certificate based authentication. Enter the user name, password, and retype password in the Username, Password, and Retype Password field for creating the PEAP user.

Mesh

Mesh enable

Enable this option to allow mesh access points to form mesh network. The mesh feature ensures reliability and redundancy by allowing the network to continue operating even when an Instant AP is non-functional or if the device fails to connect to the network. For more information, see Configuring Mesh Instant AP.

Clusterless mesh name

Enter the name of mesh access points that do not belong to any cluster. The Clusterless mesh name field is disabled when the Mesh enable option is enabled.

Clusterless mesh key

Enter the key of the mesh access points that do not belong to any cluster. The Clusterless mesh key field is disabled when the Mesh enable option is enabled.

Retype

Re-enter the clusterless mesh key. The Retype is disabled when the Mesh enable option is enabled.

6. Click Save Settings and reboot the Instant AP.
Configuring Systems
This section describes how to configure the General, Administrator, Time-Based Services, DHCP, Layer-3 Mobility, Enterprise Domains, Logging, SNMP, WISPr, Proxy, and Named VLAN Mapping parameters on an Instant AP.
- Configuring System Parameters for an AP
- Configuring Users Accounts for the Instant AP Management Interface
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring DHCP Pools and Client IP Assignment Modes on Instant APs
- Configuring Mobility for Clients
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Configuring SNMP Parameters
- Supported Authentication Methods
- Configuring HTTP Proxy on an Instant AP
- Configuring VLAN Name and VLAN ID
Configuring External Antenna
If the Instant AP has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system's EIRP is in compliance with the limit specified by the regulatory authority of the country in which the Instant AP is deployed. You can also measure or calculate additional attenuation between the device and antenna before configuring the antenna gain. To find out whether the Instant AP device supports external antenna connectors, see the Installation Guide that is shipped along with the Instant AP device.

EIRP and Antenna Gain

The following formula can be used to calculate the EIRP limit related RF power based on selected antennas (Antenna Gain) and feeder (Coaxial Cable Loss):

EIRP = Tx RF Power (dBm) + GA (dB) - FL (dB)

The following table describes this formula:

Table 83: Formula Variable Definitions

| Formula Element | Description |
|---|---|
| EIRP | Limit specific for each country of deployment. |
| Tx RF Power | RF power measured at RF connector of the unit. |
| GA | Antenna gain |
| FL | Feeder loss |

Configuring Antenna Gain
To configure antenna gain for Instant APs with external connectors, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group in the filter:
     a. Set the filter to one of the options under Groups. Ensure that the filter selected contains at least one active access point. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
   - To select an access point in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
     c. Click an access point listed under Device Name. The dashboard context for the access point is displayed.
     d. Under Manage, click Device > Access Point.
2. Click the Config icon. The tabs to configure access points are displayed.
3. Click the Access Points tab. The Access Points table is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Click the Radio tab and select External Antenna to configure the antenna gain value. This option is available only if the selected AP supports external antennas.
6. Enter the Antenna Gain values in dBm for the 2.4GHz Band and 5GHz Band.
7. Click Save Settings.

Adding an Instant AP
To add an Instant AP to Aruba Central, assign an IP address and a subscription. After an Instant AP is connected to the network and if the Auto Join Mode feature is enabled, the Instant AP inherits the configuration from the virtual controller and is listed in the Access Points tab.
Deleting an Instant AP from the Network
To delete an Instant AP, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. In the Access Points table, hover over the offline AP that you want to delete.
4. Click the delete icon.
Renaming an AP
You can change the name of an AP provisioned in Aruba Central. The AP can be online or offline. When you rename an AP or a VC, the AP or VC does not reboot, and the client traffic is not affected. The new name must be a character string of up to 32 ASCII or non-ASCII characters, including spaces. To rename an AP, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group in the filter:
     a. Set the filter to one of the options under Groups. Ensure that the filter selected contains at least one active access point. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
   - To select an access point in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
     c. Click an access point listed under Device Name. The dashboard context for the access point is displayed.
     d. Under Manage, click Device > Access Point.
2. Click the Config icon. The tabs to configure access points are displayed.
3. Click the Access Points tab. The Access Points table is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Under Basic Info, modify the AP or VC name in the Name field.
6. Click Save Settings.
The AP name is updated on the AP immediately. It may take up to 1 minute for the new AP name to get reflected in Aruba Central.
Renaming an AP depends on various privileges and access permissions that are assigned to each user to make configuration changes. For more information, see Users and Roles.
Configuring Intelligent Power Monitoring
The Intelligent Power Monitoring (IPM) feature actively measures the power utilization of an AP and dynamically adapts to the power resources. IPM allows you to define the features that must be disabled to save power, allowing the APs to operate at a lower power consumption without hampering the performance of the related features. This feature constantly monitors the AP power consumption and adjusts the power saving IPM features within the power budget. IPM dynamically limits the power requirement of an AP as per the available power resources. IPM applies a sequence of power reduction steps as defined by the priority definition until the AP functions within the power budget. This happens dynamically as IPM constantly monitors the AP power consumption and applies the next power reduction step in the priority list if the AP exceeds the power threshold. To manage this prioritization, you can create IPM policies to define a set of power reduction steps and associate them with a priority. The IPM policies, when applied to the AP, are based on IPM priorities, where the IPM policy can be configured to disable or reduce certain features in a specific sequence to reduce the AP power consumption below the power budget. IPM priority settings are defined by integer values, where the lower values have the highest priority and are implemented first.
The Intelligent Power Monitoring feature is available only on AP devices running Aruba Instant 8.6.0.3.
To configure Intelligent Power Monitoring, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the IPM accordion.
6. Select the IPM Activation check box to enable IPM.
7. Click the + icon in the IPM Power Reduction Steps With Priorities pane. The IPM Power Reduction Steps With Priorities window is displayed.
8. In the IPM Step Priority field, enter a value from 1 to 16 to define IPM priority.
9. From the IPM Step drop-down list, select a setting as described in the following table:

Table 84: Intelligent Power Monitoring Step Parameters

Parameters--Description
cpu_throttle_25--Reduces CPU frequency to 25% of normal.
cpu_throttle_50--Reduces CPU frequency to 50% of normal.
cpu_throttle_75--Reduces CPU frequency to 75% of normal.
disable_alt_eth--Disables the second Ethernet port.
disable_pse--Disables Power Sourcing Equipment (PSE).
disable_usb--Disables USB.
radio_2ghz_chain_1--Reduces 2 GHz chains to 1x1.
radio_2ghz_chain_2--Reduces 2 GHz chains to 2x2.
radio_2ghz_chain_3--Reduces 2 GHz chains to 3x3.
radio_2ghz_power_3dB--Reduces 2 GHz radio power by 3 dB from the maximum value.
radio_2ghz_power_6dB--Reduces 2 GHz radio power by 6 dB from the maximum value.
radio_5ghz_chain_1--Reduces 5 GHz chains to 1x1.
radio_5ghz_chain_2--Reduces 5 GHz chains to 2x2.
radio_5ghz_chain_3--Reduces 5 GHz chains to 3x3.
radio_5ghz_power_3dB--Reduces 5 GHz radio power by 3 dB from the maximum value.
radio_5ghz_power_6dB--Reduces 5 GHz radio power by 6 dB from the maximum value.

10. Click OK. The IPM Power Reduction Steps With Priorities table in the IPM section lists all the IPM settings.
11. Click Save Settings.
12. Reboot Instant AP for changes to take effect.
The following figure shows the IPM steps and priorities listed in the IPM Power Reduction Steps With Priorities table:

Figure 53 IPM Steps and Priorities

Setting a low priority value for a power reduction step reduces the power level sooner than setting a high priority value for a power reduction step. However, if the power reduction step is of the same type but different level, the smallest reduction should be allocated the lowest priority value so that the power reduction step takes place earlier. For example, the cpu_throttle_25 or radio_2ghz_power_3dB parameter should have a lower priority level than the cpu_throttle_50 or radio_2ghz_power_6dB, respectively, so that Intelligent Power Monitoring reduces the CPU throttle or power usage based on the priority list.
Points to Remember
- By default, Intelligent Power Monitoring is disabled.
- When enabled, IPM enables all Instant AP functionality initially. IPM then proceeds to shut down or restrict functionality if the power usage of the AP goes beyond the power budget of the Instant AP.
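The priority rules for IPM steps can be checked mechanically before a policy is entered. The following Python check is an added example, not Aruba code: the function names are hypothetical, the step names come from Table 84, and the order inside each family beyond the two pairs named in the text (placing cpu_throttle_75 last and ordering chain steps 3x3, 2x2, 1x1) is an extrapolation of the same rule.

```python
# Step names from Table 84. Each family is listed from the step that should
# carry the lowest priority value (applied first) to the highest.
# cpu_throttle_25 before cpu_throttle_50 and 3dB before 6dB are taken from the
# page's example; the remaining order is an assumption extending that rule.
FAMILY_ORDER = {
    "cpu_throttle": ["cpu_throttle_25", "cpu_throttle_50", "cpu_throttle_75"],
    "radio_2ghz_chain": ["radio_2ghz_chain_3", "radio_2ghz_chain_2", "radio_2ghz_chain_1"],
    "radio_2ghz_power": ["radio_2ghz_power_3dB", "radio_2ghz_power_6dB"],
    "radio_5ghz_chain": ["radio_5ghz_chain_3", "radio_5ghz_chain_2", "radio_5ghz_chain_1"],
    "radio_5ghz_power": ["radio_5ghz_power_3dB", "radio_5ghz_power_6dB"],
}
SINGLE_STEPS = {"disable_alt_eth", "disable_pse", "disable_usb"}
LEVEL = {
    name: (family, index)
    for family, names in FAMILY_ORDER.items()
    for index, name in enumerate(names)
}


def application_order(steps):
    """Return step names in the order IPM applies them (lowest value first)."""
    return [name for _, name in sorted(steps)]


def validate_ipm_policy(steps):
    """Check a list of (priority, step_name) pairs; return a list of problems."""
    problems = []
    by_family = {}
    for priority, name in steps:
        if not isinstance(priority, int) or not 1 <= priority <= 16:
            problems.append(f"{name}: priority {priority!r} is outside 1 to 16")
        if name in LEVEL:
            family, level = LEVEL[name]
            by_family.setdefault(family, []).append((level, priority, name))
        elif name not in SINGLE_STEPS:
            problems.append(f"{name}: not a step listed in Table 84")

    # Within one family, the step that should act first needs the lower value.
    for entries in by_family.values():
        entries.sort()
        for (lvl_a, prio_a, name_a), (lvl_b, prio_b, name_b) in zip(entries, entries[1:]):
            if lvl_a < lvl_b and prio_a >= prio_b:
                problems.append(
                    f"{name_a} (priority {prio_a}) should have a lower "
                    f"priority value than {name_b} (priority {prio_b})"
                )
    return problems


if __name__ == "__main__":
    # Constructed sample policy with one ordering mistake.
    sample = [(1, "radio_5ghz_power_6dB"), (2, "radio_5ghz_power_3dB"), (3, "disable_usb")]
    print(application_order(sample))
    for problem in validate_ipm_policy(sample):
        print("problem:", problem)
```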
Spectrum Scan Overview
Wireless networks operate in environments with electrical and RF devices that can interfere with network communications. Microwave ovens, cordless phones, and even adjacent Wi-Fi networks are all potential sources of continuous or intermittent interference. The spectrum monitor (SM) software modules on Instant APs can examine the RF environment in which the Wi-Fi network is operating, identify interference, and classify its sources. An analysis of the results can then be used to quickly isolate issues associated with packet transmission, channel quality, and traffic congestion caused by contention with other devices operating in the same band or channel. SMs are Instant AP radios that gather spectrum data but do not service clients. Each SM scans and analyzes the spectrum band used by the SM's radio (2.4 GHz or 5 GHz). The recorded spectrum is not reported to the virtual controller. A spectrum alert is sent to the virtual controller when a non-Wi-Fi interference device is detected. For more information on the Spectrum tab, see Access Point > Overview > Spectrum.
In Aruba Central, the Spectrum Scan feature is available only on Instant AP devices running Aruba Instant firmware version 8.5.0.1 and later.
Configuring System Parameters for an AP
To configure system parameters for an AP, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.

Aruba Central now constantly displays the default tabs under the Show Advanced and Hide Advanced option in the Devices > Access Points page. When you click the Show Advanced or Hide Advanced option and navigate out of the page, the respective default tabs under Show Advanced or Hide Advanced option are still displayed when you visit the page next time.

5. Click the General accordion and configure the following parameters:

Table 85: System Parameters

Data Pane Item--Description

Virtual Controller

This parameter configuration is only applicable for APs that operate in a cluster deployment environment.
To configure the virtual controller name and IP address, click the edit icon and update the name and IP address. The IP address serves as a static IP address for the multi-AP network. When configured, this IP address is automatically provisioned on a shadow interface on the AP that takes the role of a virtual controller. The AP sends three ARP messages with the static IP address and its MAC address to update the network ARP cache.
Name--Name of the virtual controller.
IP address--IPv4 address configured for the virtual controller. The IPv4 address uses the 0.0.0.0 notation.
IPv6 address--IPv6 address configured for the virtual controller. You can configure IPv6 address for the virtual controller only if the Allow IPv6 Management feature is enabled.
IPv6 is the latest version of IP that is suitable for large-scale IP networks. IPv6 supports a 128-bit address to allow 2^128, or approximately 3.4×10^38 addresses while IPv4 supports only 2^32 addresses.
The IP address of the IPv6 host is always represented as eight groups of four hexadecimal digits separated by colons. For example 2001:0db8:0a0b:12f0:0000:0000:0000:0001. However, the IPv6 notation can be abbreviated to compress one or more groups of zeroes or to compress leading or trailing zeroes; for example 2001:db8:a0b:12f0::0:0:1.

Set Country code for group

To configure a country code for the AP at the group level, select the country code from the Set Country code for group drop-down list. By default, no country code is configured for the AP device groups.
When a country code is configured for the group, it takes precedence over the country code setting configured at the device level.

Timezone

To configure a time zone, select a time zone from the Timezone drop-down list. If the selected time zone supports DST, the UI displays the "The selected country observes Daylight Savings Time" message.

Preferred Band

Assign a preferred band by selecting an appropriate option from the Preferred Band drop-down list. Reboot the AP after modifying the radio profile for changes to take effect.

NTP Server

This parameter allows you to configure NTP servers for the Instant AP. Up to four NTP servers can be configured for the AP, each one separated by a comma. To facilitate communication between various elements in a network, time synchronization between the elements and across the network is critical. Time synchronization allows you to:
- Trace and track security gaps, network usage, and troubleshoot network issues.
- Validate certificates.
- Map an event on one network element to a corresponding event on another.
- Maintain accurate time for billing services and similar.
NTP helps obtain the precise time from a server and regulate the local time in each network element. Connectivity to a valid NTP server is required to synchronize the AP clock to set the correct time. If NTP server is not configured in the AP network, an AP reboot may lead to variation in time data. By default, the AP tries to connect to pool.ntp.org to synchronize time. The NTP server can also be provisioned through the DHCP option 42. If the NTP server is configured, it takes precedence over the DHCP option 42 provisioned value. The NTP server provisioned through the DHCP option 42 is used if no server is configured. The default server pool.ntp.org is used if no NTP server is configured or provisioned through DHCP option 42. To configure an NTP server, enter the IP address or the URL of the NTP server and reboot the AP to apply the configuration changes.

Virtual Controller Netmask, Virtual Controller Gateway, Virtual Controller DNS, Virtual Controller VLAN

This parameter configuration is only applicable for APs that operate in a cluster deployment environment. The IP configured for the virtual controller can be in the same subnet as AP or can be in a different subnet. Ensure that you configure the virtual controller VLAN, gateway, and subnet mask details only if the virtual controller IP is in a different subnet. Ensure that virtual controller VLAN is not the same as native VLAN of the AP.

DHCP Option 82 XML

The DHCP Option 82 XML is not applicable for cloud APs.
DHCP Option 82 XML can be customized to cater to the requirements of any ISP using the master AP. To facilitate customization using an XML definition, multiple parameters for Circuit ID and Remote ID options of DHCP Option 82 XML are introduced. The XML file is used as the input and is validated against an XSD file in the master AP. The format in the XML file is parsed and stored in the DHCP relay which is used to insert Option 82 related values in the DHCP request packets sent from the client to the server. From the drop-down list, select one of the following XML files:
- default_dhcpopt82_1.xml
- default_dhcpopt82_2.xml
For more information, see Configuring DHCP Scopes on Instant APs.

Dynamic CPU Utilization

APs perform various functions such as wired and wireless client connectivity and traffic flows, wireless security, network management, and location tracking. If an AP is overloaded, prioritize the platform resources across different functions. Typically, the APs manage resources automatically in real time. However, under special circumstances, if dynamic resource management needs to be enforced or disabled altogether, the dynamic CPU management feature settings can be modified.
To configure dynamic CPU management, select any of the following options from Dynamic CPU Utilization.
Automatic--When selected, the CPU management is enabled or disabled automatically during run-time. This decision is based on real time load calculations taking into account all different functions that the CPU needs to perform. This is the default and recommended option.
Always Disabled in all APs--When selected, this setting disables CPU management on all APs, typically for small networks. This setting protects user experience.
Always Enabled in all APs--When selected, the client and network management functions are protected. This setting helps in large networks with high client density.

Auto-Join Mode

When enabled, APs can automatically discover the virtual controller and join the network. The Auto-Join Mode feature is enabled by default.

APs allowed for Auto-Join Mode

Displays the number of APs allowed for Auto-Join Mode.
- Click View Allowed APs to view the details of AP allowed for Auto-Join mode.
- Click Hide Allowed APs to hide the details of AP allowed for Auto-Join mode.
When Auto-Join Mode is enabled, the APs are automatically discovered and are allowed to join the cluster. When the Auto-Join Mode is disabled on the AP, the list of allowed APs on Aruba Central may not be synchronized or up-to-date. In such cases, you can manually add a list of APs that can join the AP cluster in the Aruba Central UI. To manually add the list of allowed AP devices, complete the following steps:
1. Under View Allowed APs, click + in the Allowed APs pane.
2. In the Add Allowed AP window, enter the MAC address of the AP in the MAC Address field.
3. Click Save.

Allow IPv6 Management

Enables IPv6 address configuration for the virtual controller. You can configure an IPv6 address for a virtual controller IP only when Allow IPv6 Management feature is enabled.

Uplink switch native VLAN

Allows you to specify a VLAN ID, to prevent the AP from sending tagged frames for clients connected on the SSID that uses the same VLAN as the native VLAN of the switch.
By default, the AP considers the native VLAN of the upstream switch, to which it is connected, as the VLAN ID 1.

Terminal Access

When enabled, the users can access the AP CLI through SSH.

Login Session Timeout

Allows you to set a timeout for login session.

Console Access

When enabled, the users can access AP through the console port.

WebUI Access

If an AP is connected to Aruba Central, you can use this option to disable AP Web UI access and any communication via HTTPS or SSH. If you enable this feature, you can manage the AP only from Aruba Central.

Telnet Server

When enabled, the users can start a Telnet session with the AP CLI.

LED Display

Enables or disables the LED display for all APs in a cluster. The LED display is always enabled during the AP reboot.

Extended SSID

Extended SSID is enabled by default in the factory default settings of APs. This disables mesh in the factory default settings.
For AP devices that support Aruba Instant 8.4.0.0 firmware versions and above, you can configure up to 14 SSIDs. By enabling Extended SSID, you can create up to 16 networks.

Advanced Zone

Turn on the Advanced Zone toggle switch to broadcast the same ESSIDs on APs that are part of the same AP zone in a cluster.

NOTE: When the advanced-zone feature is enabled and a zone is already configured with 16 SSIDs, ensure that you remove the zone from two WLAN SSID profiles if you want to disable extended SSID.

Deny Inter User Bridging

If you have security and traffic management policies defined in upstream devices, you can disable bridging traffic between two clients connected to the same AP on the same VLAN. When inter-user bridging is denied, the clients can connect to the Internet but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.
To disable inter-user bridging, turn off the Deny Inter User Bridging toggle switch.

Deny Local Routing

If you have security and traffic management policies defined in upstream devices, you can disable routing traffic between two clients connected to the same AP on different VLANs. When local routing is disabled, the clients can connect to the Internet but cannot communicate with each other, and the routing traffic between the clients is sent to the upstream device to make the forwarding decision.
To disable local routing, move the slider to the right.

Dynamic RADIUS Proxy

If your network has separate RADIUS authentication servers (local and centralized servers) for user authentication, you may want to enable Dynamic RADIUS proxy to route traffic to a specific RADIUS server. When Dynamic RADIUS proxy is enabled, the IP address of the virtual controller is used for communication with external RADIUS servers.
To enable Dynamic RADIUS Proxy, you must configure an IP address for the Virtual Controller and set it as a NAS client in the RADIUS server profile.

Dynamic TACACS Proxy

If you want to route traffic to different TACACS servers, enable Dynamic TACACS Proxy. When enabled, the AP cluster uses the IP address of the Virtual Controller for communication with external TACACS servers.
If an IP address is not configured for the Virtual Controller, the IP address of the bridge interface is used for communication between the AP and TACACS servers. However, if a VPN tunnel exists between the Instant AP and TACACS server, the IP address of the tunnel interface is used.

Cluster Security

This parameter is required to be set only for APs that operate in a cluster deployment environment.
Enables or disables the cluster security feature. When enabled, the control plane communication between the AP cluster nodes is secured. The Disallow Non-DTLS Slaves toggle switch appears. Turn on the toggle switch to allow slave APs to join a DTLS enabled cluster.

For secure communication between the cluster nodes, the Internet connection must be available, or at least a local NTP server must be configured. After enabling or disabling cluster security, ensure that the configuration is synchronized across all devices in the cluster, and then reboot the cluster. The Disallow Non-DTLS Slaves feature is only supported in AP devices supporting Aruba Instant 8.4.0.0 firmware versions and above.

Low Assurance PKI

Turn on the toggle switch to allow low assurance devices that use a non-TPM chip in the network. To enable the cluster security feature, turn on the Low Assurance PKI toggle switch. For more information on Low Assurance PKI, refer to the Cluster Security section in the Aruba Instant User Guide. The Low Assurance PKI toggle switch is supported in AP devices running Aruba Instant 6.5.3.0 firmware versions and later.

Mobility Access Switch Integration

Turn on the toggle switch to enable LLDP protocol for Mobility Access Switch integration. With this protocol, APs can instruct the switch to turn off ports where rogue access points are connected, as well as take actions such as increasing PoE priority and automatically configuring VLANs on ports where APs are connected.

URL Visibility

Turn on the toggle switch to enable URL data logging for client HTTP and HTTPS sessions and allow APs to extract URL information and periodically log it on ALE for DPI and application analytics.

6. Click Save Settings.
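Several parameters in Table 85 decide how the AP management and control plane are exposed. The following Python check is an added example, not part of the Aruba documentation or product: it reviews a recorded set of System > General values against statements made in the table, and the dictionary keys, severity labels and SAMPLE values are hypothetical.

```python
def split_ntp_servers(value):
    """Split the comma-separated NTP Server field into a list of servers."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def audit_system_settings(cfg):
    """Return (severity, setting, reason) tuples for one group's settings.

    cfg uses hypothetical keys; fill it from wherever the values shown in the
    System > General accordion were recorded.
    """
    findings = []
    ntp = split_ntp_servers(cfg.get("ntp_server"))

    if cfg.get("telnet_server"):
        findings.append(("high", "Telnet Server",
                         "Telnet carries the CLI session, credentials included, "
                         "in cleartext; Terminal Access provides the CLI over SSH"))
    if len(ntp) > 4:
        findings.append(("invalid", "NTP Server",
                         "the table allows up to four comma-separated servers"))

    if cfg.get("cluster_deployment"):
        if not cfg.get("cluster_security"):
            findings.append(("high", "Cluster Security",
                             "control plane communication between cluster nodes "
                             "is not secured"))
        elif not ntp and not cfg.get("internet_reachable"):
            # With no server configured the AP falls back to DHCP option 42 or
            # pool.ntp.org, so an isolated site needs a local NTP server.
            findings.append(("high", "Cluster Security",
                             "secure cluster communication needs an Internet "
                             "connection or a local NTP server"))
        vc_vlan = cfg.get("virtual_controller_vlan")
        if vc_vlan is not None and vc_vlan == cfg.get("ap_native_vlan"):
            findings.append(("invalid", "Virtual Controller VLAN",
                             "must not be the same as the native VLAN of the AP"))
        if cfg.get("auto_join_mode", True):  # enabled by default per the table
            findings.append(("review", "Auto-Join Mode",
                             "APs that discover the virtual controller join "
                             "automatically; disable it to use the allowed list"))

    if cfg.get("low_assurance_pki"):
        findings.append(("review", "Low Assurance PKI",
                         "low assurance devices that use a non-TPM chip are allowed"))

    for key, label, scope in (
        ("deny_inter_user_bridging", "Deny Inter User Bridging", "on the same VLAN"),
        ("deny_local_routing", "Deny Local Routing", "on different VLANs"),
    ):
        if not cfg.get(key):
            findings.append(("review", label,
                             f"traffic between clients of one AP {scope} is not "
                             "sent to the upstream device for the forwarding decision"))
    return findings


# Constructed sample values for one AP group (not taken from a real deployment).
SAMPLE = {
    "cluster_deployment": True,
    "cluster_security": True,
    "ntp_server": "",
    "internet_reachable": False,
    "telnet_server": True,
    "virtual_controller_vlan": 10,
    "ap_native_vlan": 10,
    "auto_join_mode": False,
    "low_assurance_pki": False,
    "deny_inter_user_bridging": True,
    "deny_local_routing": True,
}

if __name__ == "__main__":
    for severity, setting, reason in audit_system_settings(SAMPLE):
        print(f"[{severity}] {setting}: {reason}")
```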
Configuring VLAN Name and VLAN ID
Aruba Central allows you to map a VLAN name to a VLAN ID to make it easier to identify the existing VLANs. To map a VLAN name to a VLAN ID, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the Named VLAN Mapping accordion.
6. Click the + icon in the VLAN Name to VLAN ID Mapping pane. The VLAN Name to VLAN ID Mapping window is displayed.
7. In the VLAN Name to VLAN ID Mapping window, enter the VLAN Name and VLAN ID.
8. Click OK. The VLAN Name to VLAN ID Mapping table in the Named VLAN Mapping section lists all the mapped VLAN.

You can find the Named VLAN Mapping feature applied in the following fields of corresponding UI pages of Aruba Central:
- The VLAN ID field in the VLANs tab, when Custom for Instant AP Assigned and Static for External DHCP server assigned is selected during WLAN SSID creation. For more information, see Creating a Wireless Network Profile.
- The VLAN ID field in the VLANs tab, when Custom for Instant AP Assigned and Static for External DHCP server assigned is selected during wired port profile creation. For more information, see Configuring Wired Port Profiles on Instant APs.
- The Access rules page in the Interfaces > Access tab and the WLANs > Access tab, when you add rules for selected roles. Select VLAN Assignment as the rule type in the Access rules page to find the mapped VLAN name in the VLAN ID field.
You can also map VLAN ID to a VLAN name when you customize the Client VLAN Assignment configuration in VLANs tab during network profile creation. For more information, see VLANs Parameters.
Points to Remember
- The maximum number of Named VLAN ID Mapping allowed in Aruba Central is 32.
- VLAN mapping cannot be performed if the VLAN name does not exist.
- The VLAN mapping record is deleted from the VLAN Name to VLAN ID Mapping table when the VLAN name is deleted.
- You can only map a single VLAN ID to a VLAN name.
- The VLAN name field is not case-sensitive.
Configuring Dual 5 GHz Radio Bands on an Instant AP
Aruba Central provides an option to retrieve the radio numbers of Instant AP through the APIs. It also provides an option to filter AP details using radio numbers in the AP monitoring dashboard.
For regular Instant APs with non-dual band, Central automatically assigns Radio 1 to 2.4 GHz band and Radio 0 to 5 GHz band respectively.
To retrieve the radio numbers through API, complete the following steps:
1. In the Account Home page, click API Gateway. The API Gateway page is displayed.
2. Click the APIs tab.
The token key is valid only for 2 hours from the time it was generated.
3. In the All Published APIs window, click the url link listed under the Documentation column. The Central Network Management APIs page is displayed.
4. On the left navigation pane, select Monitoring from the URL drop-down list.
5. Click API Reference > AP. The following APIs allow you to retrieve the radio number for the total number of clients connected:

Table 86: APIs to Get Radio Number in APs

API--Description

[GET]/monitoring/v1/aps/{serial}/neighbouring_clients--Allows you to filter data of neighbouring clients for a specific radio number in a given time period. When there is no radio number entered in the radio_number field, the API filters the data of neighbouring clients for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the data of neighboring clients for a specific radio number.

[GET]/monitoring/v1/aps/rf_summary--Retrieves information on RF summary such as channel utilization and noise floor in positive, errors, drops for a given time period. This API can also be used to filter RF health statistics for a specific radio number in a given time period. When there is no radio number entered in the radio_number field, the API filters the RF health statistics for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the RF health statistics for a specific radio number.

[GET]/monitoring/v1/aps/bandwidth_usage--This API can also be used to filter out bandwidth usage data for a specific radio number in a given time period. When there is no radio number entered in the radio_number field, the API filters the bandwidth usage for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the bandwidth usage for a specific radio number.

6. On the left navigation pane, click API Reference > Client. The following APIs allow you to retrieve the radio number for the total number of clients connected:

Table 87: APIs to Get Radio Number in Connected Clients

API--Description

[GET]/monitoring/v1/clients/count--This API is used to filter out the data for connected clients for a specific radio number of AP in a given time period. When there is no radio number entered in the radio_number field, the API filters the clients count for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the total count of clients for a specific radio number.

For further details on APIs, see https://app1-apigw.central.arubanetworks.com/swagger/central.
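The requests described in Tables 86 and 87 can be prepared as shown here. This Python code is an added example, not Aruba's own client: the host comes from the Swagger link above, while passing the AP serial as a serial query parameter, sending the token as a bearer header, and the alphanumeric serial pattern are assumptions to confirm against the API reference.

```python
import re
import time
import urllib.parse
import urllib.request

BASE_URL = "https://app1-apigw.central.arubanetworks.com"  # host of the Swagger link
TOKEN_LIFETIME_S = 2 * 60 * 60  # the page: a token is valid for 2 hours

# Paths from Tables 86 and 87.
ENDPOINTS = {
    "neighbouring_clients": "/monitoring/v1/aps/{serial}/neighbouring_clients",
    "rf_summary": "/monitoring/v1/aps/rf_summary",
    "bandwidth_usage": "/monitoring/v1/aps/bandwidth_usage",
    "clients_count": "/monitoring/v1/clients/count",
}

# Assumed serial format. Rejecting anything else keeps a crafted value from
# changing the request path or adding query parameters.
SERIAL_RE = re.compile(r"[A-Za-z0-9]{6,32}")


class TokenExpired(Exception):
    """Raised when the token is older than its 2-hour validity."""


def build_request(endpoint, serial, token, issued_at,
                  radio_number=None, extra_params=None, now=None):
    """Build (but do not send) a GET request for one of the radio-aware APIs.

    issued_at is the epoch time at which the token was generated. extra_params
    is for the time-period parameters, whose names the page does not give.
    """
    now = time.time() if now is None else now
    if now - issued_at >= TOKEN_LIFETIME_S:
        raise TokenExpired("token is older than 2 hours; generate a new one")
    if endpoint not in ENDPOINTS:
        raise ValueError(f"unknown endpoint {endpoint!r}")
    if not SERIAL_RE.fullmatch(serial):
        raise ValueError("serial must be alphanumeric")
    if radio_number not in (None, 0, 1):
        raise ValueError("radio_number must be 0, 1 or omitted")

    path = ENDPOINTS[endpoint]
    params = {}
    if "{serial}" in path:
        path = path.format(serial=serial)
    else:
        params["serial"] = serial  # assumed parameter name
    if radio_number is not None:
        params["radio_number"] = radio_number  # omitted: both radio 0 and radio 1
    params.update(extra_params or {})

    url = BASE_URL + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    # The token goes in a header so it never appears in URLs, proxies or logs.
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers, method="GET")


def describe(request):
    """Return a loggable summary of a request with the token left out."""
    return f"{request.get_method()} {request.full_url}"


if __name__ == "__main__":
    # Constructed serial and token; nothing is sent over the network.
    issued = time.time() - 600
    for name in ENDPOINTS:
        req = build_request(name, "CNSAMPLE01", "constructed-token", issued, radio_number=0)
        print(describe(req))
```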
Support for Dual 5 GHz AP
Aruba Central supports automatic opmode selection for dual 5 GHz AP. When the opmode is set to automatic, AirMatch determines whether to convert a radio in an AP to 5 GHz operation instead of the 2.4 GHz and 5 GHz dual band operation. Automatic is the default dual 5G mode, where AirMatch detects the optimal mode for the radios (dual band or dual 5G) and updates the running opmode without requiring an AP reboot between the mode changes. Manual setting of dual band and dual 5G is possible; the manual setting overrides the automatic mode and explicitly enables or disables the dual 5G mode. In this scenario, the AP immediately switches to the specified mode without a reboot and AirMatch maintains the specified channel and power assignments in the specified mode.

Automatic mode is not supported on AP-344. By default, AP-344 assumes the automatic mode to be the same as dual 5G disabled and operates in the dual band mode. To switch AP-344 to dual 5G mode, explicitly enable the dual 5G mode.
The following procedure describes how to configure automatic opmode selection for dual 5 GHz AP:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure APs are displayed.
4. Click the Access Points tab. The Access Points table is displayed.
5. To edit an AP, click the edit icon for that AP. The edit pane for modifying the Instant AP parameters is displayed.
6. Click Radio. The Radio page is displayed.
7. Set Dual 5G Mode to Automatic.
8. Optionally, specify the manual channel by setting Channel Assignment to Manual.
9. Optionally, specify the transmit power by setting Transmit Power Assignment to Manual.
Configuring Network Profiles on Instant APs
This section describes the following procedures:
- Configuring Wireless Network Profiles on Instant APs
- Configuring Wireless Networks for Guest Users on Instant APs
- Configuring Wired Port Profiles on Instant APs
- Editing a WLAN Profile
- Deleting a Network Profile
Configuring Wireless Network Profiles on Instant APs
You can configure up to 14 SSIDs. By enabling Extended SSID in the System > General accordion, you can create up to 16 networks.
If more than 16 SSIDs are assigned to a zone and the extended zone option is disabled, an error message is displayed.
This section describes the following topics:
- Creating a Wireless Network Profile
- Configuring VLAN Settings for Wireless Network
- Configuring Security Settings for Wireless Network
- Configuring ACLs for User Access to a Wireless Network
- Viewing Wireless SSID Summary
Creating a Wireless Network Profile
To configure WLAN settings, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, click + Add SSID. The Create a New Network pane is displayed.
6. In the General tab, enter a name that is used to identify the network in the Name (SSID) text-box.
7. Under Advanced Settings, configure the following parameters:

Table 88: Advanced Settings Parameters

Parameter

Description

Broadcast/Multicast

Broadcast filtering

Select any of the following values:
- All--The Instant AP drops all broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols.
- ARP--The Instant AP drops broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols. Additionally, it converts ARP requests to unicast and sends frames directly to the associated clients. By default, the Instant AP is configured to ARP mode.
- Unicast ARP Only--This option enables the Instant AP to convert ARP requests to unicast frames, thereby sending them to the associated clients.
- Disabled--The Instant AP forwards all broadcast and multicast traffic to the wireless interfaces.

DTIM Interval

The DTIM Interval indicates the DTIM period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the Instant AP delivers the buffered broadcast and multicast frames to the associated clients in the power save mode. Range is 1 to 10 beacons.
The default value is 1, which means the client checks for buffered data on the Instant AP at every beacon. You can also configure a higher DTIM value for power saving.

Multicast Transmission Optimization

Select the check-box if you want the Instant AP to select the optimal rate for sending broadcast and multicast frames based on the lowest of unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent up to a rate of 24 Mbps.
The default rate for sending frames for 2.4 GHz is 1 Mbps and that for 5 GHz is 6 Mbps. This option is disabled by default.

Dynamic Multicast Optimization (DMO)

Select the check-box to allow Instant AP to convert multicast streams into unicast streams over the wireless link. Enabling DMO enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients.
NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.

DMO channel utilization threshold

Specify a value to set a threshold for DMO channel utilization. With DMO, the Instant AP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeds the maximum value, the Instant AP sends multicast traffic over the wireless link.
NOTE: This option will be enabled only when Dynamic Multicast Optimization is enabled.

Transmit Rates (Legacy Only)

2.4 GHz

If the 2.4 GHz band is configured on the Instant AP, specify the minimum and maximum transmission rates. The default value for minimum transmission rate is 1 Mbps and maximum transmission rate is 54 Mbps.

5 GHz

If the 5 GHz band is configured on the Instant AP, specify the minimum and maximum transmission rates. The default value for minimum transmission rate is 6 Mbps and maximum transmission rate is 54 Mbps.

Zone

Zone

Specify the zone for the SSID. If a zone is configured in the SSID, only the Instant AP in that zone broadcasts this SSID. If there are no Instant APs in the zone, SSID is broadcast.
If the Instant AP cluster has devices running Aruba Instant firmware versions 6.5.4.7 or later, and 8.3.0.0 or later, you can configure multiple AP zones by adding zone names as comma separated values.

NOTE: Aruba recommends that you do not configure zones in both SSID and in the device specific settings of an Instant AP. If the same zones are configured in SSID and Per AP settings, APs may broadcast the SSIDs, but if the SSIDs and Per AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see Aruba Instant User Guide.

Bandwidth Control

Airtime

Select this to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.

Downstream

Enter the downstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per User check-box.

NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.

Upstream

Enter the upstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per user check-box.
NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.

Each Radio

Select this to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients. The value ranges from 1 through 65535.

Enable 11n

When this option is selected, High-Throughput (HT) is not disabled on 802.11n devices for the 5 GHz radio band. If HT is enabled for the 5 GHz radio profile on an Instant AP, it is automatically enabled for all SSIDs configured on an Instant AP. By default, HT is enabled on all SSIDs.
NOTE: If you want the 802.11ac Instant APs to function as 802.11n Instant APs, clear this check-box to disable VHT on these devices.

Enable 11ac

When this option is selected, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an Instant AP, it is automatically enabled for all SSIDs configured on an Instant AP. By default, VHT is enabled on all SSIDs.
NOTE: If you want the 802.11ac Instant APs to function as 802.11n Instant APs, clear this check-box to disable VHT on these devices.

Enable 11ax

When this option is selected, VHT is enabled on the 802.11ax devices. If VHT is enabled for a radio profile on an Instant AP, it is automatically enabled for all SSIDs configured on an Instant AP. By default, VHT is enabled on all SSIDs.

WiFi Multimedia

Background Wifi Multimedia Share

Allocates bandwidth for background traffic such as file downloads or print jobs. Specify the appropriate DSCP mapping values within a range of 0-63 for the background traffic in the corresponding DSCP mapping text-box. Enter up to 8 values with no white space and no duplicate single DSCP mapping value.

Best Effort Wifi Multimedia Share

Allocates bandwidth for best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS. Specify the appropriate DSCP mapping values within a range of 0-63 for the best effort traffic in the corresponding DSCP mapping text-box.

Video Wifi Multimedia Share

Allocates bandwidth for video traffic generated from video streaming. Specify the appropriate DSCP mapping values within a range of 0-63 for the video traffic in the corresponding DSCP mapping text-box.

Voice Wifi Multimedia Share

Allocates bandwidth for voice traffic generated from the incoming and outgoing voice communication. Specify the appropriate DSCP mapping values within a range of 0-63 for the voice traffic in the corresponding DSCP mapping text-box.

NOTE: In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best Effort Wifi Multimedia share and Voice Wifi Multimedia Share to allocate a higher bandwidth to clients transmitting best effort and voice traffic.

Traffic Specification (TSPEC)

Select this check-box to set the TSPEC for the wireless network. The term TSPEC is used in wireless networks supporting the IEEE 802.11e Quality of Service standard. It defines a series of parameters, characteristics and Quality of Service expectations of a traffic flow.

TSPEC Bandwidth

Enter the bandwidth for the TSPEC.

Spectralink Voice Protocol (SVP)

Select this check-box to opt for SVP protocol.

WiFi Multimedia Power Save (UAPSD)

Select this check-box to enable WiFi Multimedia Power Save (U-APSD). The U-APSD is a power saving mechanism that is an optional part of the IEEE amendment 802.11e, QoS.

Miscellaneous

Band

Select a value to specify the band at which the network transmits radio signals in the Band drop-down list. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.

Content Filtering

Select this check-box to route all DNS requests for the non-corporate domains to OpenDNS on this network.

Primary Usage

Based on the type of network profile, select one of the following options:
- Mixed Traffic--Select this option to create an employee or guest network profile. The employee network is used by the employees in an organization and it supports passphrase-based or 802.1X-based authentication methods. Employees can access the protected data of an enterprise through the employee network after successful authentication. The guest network is created for guests, visitors, contractors, and any non-employee users who use the enterprise Wi-Fi network. The VC assigns the IP address for the guest clients. Captive portal or passphrase-based authentication methods can be set for this wireless network. Typically, a guest network is an unencrypted network. However, you can specify the encryption settings when configuring a guest network.
- Voice Only--Select this option to configure a network profile for devices that provide only voice services such as handsets or applications that require voice traffic prioritization.

NOTE: When a client is associated with the voice network, all data traffic is marked and placed into the high priority queue in QoS.

Inactivity timeout

Specify an interval for session timeout. If a client session is inactive for the specified duration, the session expires and the users are required to log in again. You can specify a value within the range of 60-3600 seconds. The default value is 1000 seconds.

Hide SSID

Select this check-box if you do not want the SSID to be visible to users.

Disable Network

Select this check-box if you want to disable the SSID. When selected, the SSID is disabled, but is not removed from the network. By default, all SSIDs are enabled.

Max clients threshold

Specify the maximum number of clients that can be configured for each BSSID on a WLAN. You can specify a value within the range of 0-255. The default value is 64.

Local Probe Request Threshold

Specify a threshold value to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls system response for this network profile and ignores probe requests if required. You can specify an RSSI value within the range of 0-100 dB.

Min RSSI for auth request

Enter the minimum RSSI threshold for authentication requests.

Deauth inactive clients

Select this option to allow the Instant AP to send a de-authentication frame to the inactive client and clear the client entry.

Can be used without uplink

Select this check-box if you do not want the SSID profile to use the uplink.

Deny inter user bridging

Disables bridging traffic between two clients connected to the same SSID on the same VLAN. When this option is enabled, the clients can connect to the Internet, but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.

Enable SSID when

Select an option from the drop-down list and specify the time period.

Disable SSID when

Select an option from the drop-down list and specify the time period.

Deny Intra VLAN Traffic

Disables intra VLAN traffic to enable the client isolation and disable all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client to gateway traffic from clients to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities. For more information, see Configuring Client Isolation.

Management Frame Protection

Turn on the Management Frames Protection toggle switch to provide high network security by maintaining data confidentiality of management frames. The Management Frame Protection (MFP) establishes encryption keys between the client and Instant AP using 802.11i framework. For more information, see Configuring Management Frames Protection.

Fine Timing Measurement (802.11mc) Responder Mode

Turn on the toggle switch to enable the fine timing measurement (802.11mc) responder mode.

Time Range Profiles

Time Range Profiles

Ensure that the NTP server connection is active. Select a time range profile from the Time Range Profiles list and apply a status from the drop-down list. Click + New Time Range Profile to create a new time range profile. For more information, see Configuring Time-Based Services for Wireless Network Profiles.

Configuring VLAN Settings for Wireless Network
To configure VLANs settings for an SSID, complete the following steps:
1. In the VLANs tab, select any of the following options for Client IP Assignment:
   - Instant AP assigned--When selected, the client obtains the IP address from the VC.
   - External DHCP server assigned--When selected, the client obtains the IP address from the network.

2. Based on the type of client IP assignment mode selected, configure the following parameters:

Table 89: VLANs Parameters

Parameter

Description

Instant AP assigned

When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnet and VLAN on the Instant AP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on Instant APs.
If this option is selected, specify any of the following options in Client VLAN Assignment:
- Internal VLAN--Assigns IP address to the client in the same subnet as the Instant APs. By default, the client VLAN is assigned to the native VLAN on the wired network.
- Custom--Allows you to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. When this option is selected, select the scope from the VLAN ID drop-down list.

External DHCP server assigned

When this option is selected, specify any of the following options in Client VLAN Assignment:
- Static--In VLAN ID, specify a VLAN ID for a single VLAN(s). If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID. To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps:
  - Click + Add Named VLAN. The Add Named VLAN window is displayed.
  - Enter the VLAN Name and VLAN details, and then click OK.
- Dynamic--Assigns the VLANs dynamically from a DHCP server. To add a new VLAN assignment rule, complete the following steps:
  - Click + Add Rule in the VLAN Assignment Rules window. The New VLAN Assignment Rule page is displayed.
  - Enter the Attribute, Operator, String, and VLAN details, and then click OK.
  To delete a VLAN assignment rule, select a rule in the VLAN Assignment Rules window, and then click the delete icon. To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps:
  - Click + Add Named VLAN. The Add Named VLAN window is displayed.
  - Enter the VLAN Name and VLAN details, and then click OK.
  To delete, select a Named VLAN in the Named VLAN table, and then click the delete icon.
- Native VLAN--Assigns the client VLAN to the native VLAN.

3. Click Next.
Configuring Security Settings for Wireless Network
To configure security settings for mixed traffic or voice network, complete the following steps:
1. In the Security tab, specify any one of the following options in the Security Level:
   - Enterprise--On selecting Enterprise security level, the authentication options applicable to the network are displayed.
   - Personal--On selecting Personal security level, the authentication options applicable to the personalized network are displayed.
   - Captive Portal--On selecting Captive Portal security level, the authentication options applicable to the captive portal are displayed. For more information on captive portal, see Configuring Wireless Networks for Guest Users on Instant APs.
   - Open--On selecting Open security level, the authentication options applicable to an open network are displayed.

The default security setting for a network profile is Personal.

2. Based on the security level specified, configure the following basic parameters:

Table 90: Basic WLAN Security Parameters

Data Pane Item

Description

Key Management

For Enterprise security level, select an encryption key from the Key Management drop-down list:
- WPA-2 Enterprise--Select this option to use WPA-2 security. The WPA-2 Enterprise requires user authentication and requires the use of a RADIUS server for authentication.
- WPA Enterprise--Select this option to use WPA Enterprise security.
- Both (WPA-2 & WPA)--Select this option to use both WPA-2 and WPA security.
- Dynamic WEP with 802.1X--If you do not want to use a session key from the RADIUS Server to derive pairwise unicast keys, turn on the Use Session Key for LEAP toggle switch. This is required for old printers that use dynamic WEP through LEAP authentication. The Use Session Key for LEAP feature is Disabled by default.
- WPA-3 Enterprise(CNSA)--Select this option to use WPA-3 security employing CNSA encryption.
- WPA-3 Enterprise(CCM 128)--Select this option to use WPA-3 security employing CCM encryption operation mode limited to encrypting 128 bits of plain text.
- WPA-3 Enterprise(GCM 256)--Select this option to use WPA-3 security employing GCM encryption operation mode limited to encrypting 256 bits of plain text.
When the WPA-2 Enterprise or Both (WPA2-WPA) encryption type is selected and the 802.1X authentication method is configured, OKC is enabled by default. If OKC is enabled, a cached PMK is used when the client roams to a new AP. This allows faster roaming of clients without the need for a complete 802.1X authentication. OKC roaming can be configured only for the Enterprise security level.

For Personal security level, select an encryption key from the Key Management drop-down list. For WPA-2 Personal, WPA Personal, Both (WPA-2&WPA), and WPA-3 Personal keys, specify the following parameters:
- Passphrase Format--Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
- Passphrase--Enter a passphrase in
- Retype--Retype the passphrase to confirm.
For Static WEP, specify the following parameters:
- WEP Key Size--Select an appropriate value for WEP key size from the drop-down list. Select an appropriate value from the Tx Key drop-down list.
- WEP Key--Enter an appropriate WEP key.
- Retype WEP Key--Retype the WEP key to confirm.
For MPSK-AES, select a primary server from the drop-down list. For MPSK-LOCAL, select a Mpsk Local server from the drop-down list.

For Captive Portal security level, select an encryption key from Key Management. For WPA-2 Personal, WPA Personal, Both (WPA-2&WPA), and WPA-3 Personal keys, specify the following parameters:
- Passphrase Format--Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
- Passphrase--Enter a passphrase in
- Retype--Retype the passphrase to confirm.
For Static WEP, specify the following parameters:
- WEP Key Size--Select an appropriate value for WEP key size from the drop-down list. Select an appropriate value from the Tx Key drop-down list.
- WEP Key--Enter an appropriate WEP key.
- Retype WEP Key--Retype the WEP key to confirm.
For information on configuring captive portal, see Configuring Wireless Networks for Guest Users on Instant APs on page 299.

For Open security level, the Key Management includes Open and Enhanced Open options.

EAP offload

This option is applicable to Enterprise security levels only. To terminate the EAP portion of 802.1X authentication on the Instant AP instead of the RADIUS server, turn on the EAP offload toggle switch. Enabling EAP offload can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the Instant AP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the Instant AP acts as a relay for this exchange. When EAP Offload is enabled, the Instant AP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server. It can also reduce the number of exchange packets between the Instant AP and the authentication server.
Instant supports the configuration of primary and backup authentication servers in an EAP termination-enabled SSID.
If you are using LDAP for authentication, ensure that Instant AP termination is configured to support EAP.

Authentication Server

Configure the following parameters:
- MAC Authentication--Turn on the MAC Authentication toggle switch to allow MAC address based authentication for Personal, Captive Portal, and Open security levels.
- Primary Server--Set a primary authentication server. The Primary Server option appears only for Enterprise security level, internal and external captive portal types. Select one of the following options from the drop-down list:
  - Internal Server--To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.
  - To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs. Aruba Central allows you to configure an external RADIUS server, TACACS or LDAP server, and External Captive Portal for user authentication.
- Secondary Server--To add another server for authentication, configure another authentication server.
- Authentication Survivability--If an external server is configured for authentication, you can enable authentication survivability. Specify a value in hours for Cache Timeout to set the duration after which the authenticated credentials in the cache expire. When the cache expires, the clients are required to authenticate again. You can specify a value within the range of 1 to 99 hours. By default, authentication survivability is disabled.

- Load Balancing--If you are using two RADIUS authentication servers, turn on the toggle switch to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring External Authentication Servers for APs.

Users

Click Users to add the users. The registered users of Employee type will be able to access the users of Enterprise network. To add a new user, click + Add User and enter the new user in the Add User pane. The Primary Server option appears only for Enterprise security level, Internal Captive Portal, and External Captive Portal.

3. Based on the security level specified, specify the following parameters in the Advanced Settings section:

Table 91: Advanced WLAN Security Parameters

Data pane item

Description

Use Session Key for LEAP

Turn on the toggle switch to use the session key for Lightweight Extensible Authentication Protocol. This option is available only for Enterprise level.

Opportunistic Key Caching (OKC)

Turn on the Opportunistic key caching (OKC) toggle switch to reduce the time needed for authentication. When OKC is used, multiple APs can share Pairwise Master Keys (PMKs) among themselves, and the station can roam to a new access point that it has not visited before and reuse a PMK that was established with the current AP. OKC allows the station to roam quickly to an access point it has never authenticated to, without having to perform pre-authentication. OKC is available specifically on WPA2 SSIDs only.

MAC Authentication for Enterprise Networks

To enable MAC address based authentication for Personal and Open security levels, turn on the toggle switch to enable MAC Authentication. For Enterprise security level, the following options are available:
- Perform MAC authentication before 802.1X--Select this to use 802.1X authentication only when the MAC authentication is successful.
- MAC Authentication Fail-Through--On selecting this, the 802.1X authentication is attempted when the MAC authentication fails.
If MAC Authentication is enabled, configure the following parameters:
- Delimiter Character--Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
- Uppercase Support--Turn on the toggle switch to allow the Instant AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

Reauth Interval

Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients. If the re-authentication interval is configured:
- On an SSID performing L2 authentication (MAC or 802.1X authentication): When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role.
- On an SSID performing both L2 and L3 authentication (MAC with captive portal authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.
- On an SSID performing only L3 authentication (captive portal authentication): When re-authentication succeeds, a pre-authentication role is assigned to the client that is in a post-authentication role. Due to this, the clients are required to go through captive portal to regain access.

Blacklisting

By default, this option is disabled. To enable blacklisting of the clients with a specific number of authentication failures, select Blacklisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in the Max Authentication Failures field are dynamically blacklisted.

Enforce DHCP

Enforces WLAN SSID on Instant AP clients. When DHCP is enforced:
- A layer-2 user entry is created when a client associates with an Instant AP.
- The client DHCP state and IP address are tracked.
- When the client obtains an IP address from DHCP, the DHCP state changes to complete.
- If the DHCP state is complete, a layer-3 user entry is created.
- When a client roams between the Instant APs, the DHCP state and the client IP address are synchronized with the new Instant AP.

WPA3 Transition

Enable this option to allow transition from WPA3 to WPA2 and vice versa. The WPA3 Transition appears only when WPA3 is selected in the Key Management for Personal, Captive Portal, and Open level.

Legacy Support

Enable this option to allow backward compatibility of encryption modes in networks. The Legacy Support appears only when WPA3 is selected in the Key Management for Personal, Captive Portal, and Open level.

Use IP for Calling Station ID

Enable this option to configure client IP address as calling station ID. When this option is enabled, the following options are displayed:
- Called Station ID Type--Select any of the following options for configuring called station ID:
  - Access Point Group--Uses the VC ID as the called station ID.
  - Access Point Name--Uses the host name of the Instant AP as the called station ID.
  - VLAN ID--Uses the VLAN ID as the called station ID.
  - IP Address--Uses the IP address of the Instant AP as the called station ID.
  - MAC address--Uses the MAC address of the Instant AP as the called station ID.
- Called Station ID Include SSID--Appends the SSID name to the called station ID.

NOTE: The Called Station ID Type detail can be configured even if the Use IP for Calling Station ID is set to disabled.
- Called Station ID Delimiter--Sets delimiter at the end of the called station ID.
- Max Authentication Failures--Sets a value for the maximum allowed authentication failures.

Delimiter Character

Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

Uppercase Support

Select this option to allow the Instant AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

Fast Roaming

Enable the following fast roaming features as per your requirement:
- 802.11k--Turn on the 802.11k toggle switch to enable 802.11k roaming. The 802.11k protocol enables Instant APs and clients to dynamically measure the available radio resources. When 802.11k is enabled, Instant APs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
- 802.11v--Turn on the 802.11v toggle switch to enable 802.11v based BSS transition. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows the client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as they roam.

4. Click Next.
Configuring ACLs for User Access to a Wireless Network
You can configure up to 64 access rules for a wireless network profile. To configure access rules for a network, complete the following steps:
1. In the Access tab, turn on the Downloadable Role toggle switch to allow downloading of preexisting user roles. For more information, see Configuring Downloadable Roles.
The Downloadable Role feature is optional. The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8. At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for Instant APs.
2. Click the action corresponding to the server. The Edit Server page is displayed.
Viewing Wireless SSID Summary
In the Summary tab, the Network Summary page displays all the settings configured in the General, VLANs, Security, and Access tabs. Click Save Settings to complete the network profile creation and save the settings.

Configuring Management Frames Protection


Aruba Central supports the Management Frame Protection (MFP) feature in networks that include Aruba Instant 8.5.0.0 firmware version and later. This feature protects networks against forged management frames spoofed from other devices that might otherwise disrupt a valid user session. MFP increases security by providing data confidentiality of management frames. MFP uses the 802.11i framework, which establishes encryption keys between the client and the Instant AP.
Enabling Management Frames Protection for Wireless Networks in Aruba Central
To enable the MFP feature, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs page, click + Add SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. In the General tab, click Advanced Settings.
7. Expand Miscellaneous.
8. Turn on the Management Frames Protection toggle switch to enable the MFP feature.
9. Click Next.
10. Click Save Settings.
The MFP configuration is a per-SSID configuration. The MFP feature can be enabled only on WPA2-PSK and WPA2-Enterprise SSIDs. The 802.11r fast roaming option will not take effect when the MFP is enabled.
Configuring Client Isolation
Aruba Central supports the Client Isolation feature, which isolates clients from one another and disables all peer-to-peer communication within the network. Client isolation disables inter-client communication by allowing only client-to-gateway traffic to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities. Client Isolation can only be configured through the CLI.
When Client Isolation is configured, the Instant AP learns the IP, subnet mask, MAC, and other essential information of the gateway and the DNS server. A subnet table of trusted destinations is then populated with this information. Wired servers used in the network should be manually configured into this subnet table to serve clients. The destination MAC of data packets sent by the client is validated against this subnet table and only the data packets destined to the trusted addresses in the subnet table are forwarded by the Instant AP. All other data packets are dropped.
The Client Isolation feature is supported only in IPv4 networks. This feature does not support AirGroup and affects Chromecast and AirPlay services.
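The forwarding check described above, modelled in Python as an added example (not Aruba code or CLI output): the subnet table is seeded with the gateway and DNS server, and a client frame is forwarded only if its destination MAC is in that table. The MAC addresses, frame records and function names are constructed for illustration.

```python
"""Added example: model of the Client Isolation destination check."""
from collections import Counter


def canon(mac):
    """Compare MACs case-insensitively with ':' or '-' delimiters removed."""
    return mac.lower().replace(":", "").replace("-", "")


class TrustedDestinations:
    """The subnet table of trusted destinations (a model, not AP code)."""

    def __init__(self):
        self._table = {}  # canonical MAC -> (label, how the entry was added)

    def learn(self, label, mac):
        """Gateway and DNS server entries, which the AP learns by itself."""
        self._table[canon(mac)] = (label, "learned")

    def add_wired_server(self, label, mac):
        """Wired servers have to be configured manually to serve clients."""
        self._table[canon(mac)] = (label, "manual")

    def lookup(self, mac):
        return self._table.get(canon(mac))


def decide(table, frame):
    """Return ('forward' or 'drop', reason) for one client-sourced frame."""
    hit = table.lookup(frame["dst"])
    if hit is None:
        return "drop", "destination MAC not in trusted table"
    label, source = hit
    return "forward", f"trusted destination: {label} ({source})"


def dropped_wired_destinations(table, frames, wireless_clients):
    """Count dropped frames per destination that is not a wireless client.

    Client-to-client drops are the feature working as intended; the
    remaining destinations are candidates to review as wired servers
    that were never added to the table."""
    clients = {canon(m) for m in wireless_clients}
    drops = Counter()
    for frame in frames:
        verdict, _ = decide(table, frame)
        if verdict == "drop" and canon(frame["dst"]) not in clients:
            drops[canon(frame["dst"])] += 1
    return dict(drops)


# Constructed sample data: locally administered MACs, not real devices.
GATEWAY = "02:00:00:00:00:01"
DNS = "02:00:00:00:00:53"
PRINTER = "02:00:00:00:0A:10"  # wired print server on the client VLAN
CLIENT_A = "02:00:00:00:C1:0A"
CLIENT_B = "02:00:00:00:C1:0B"

FRAMES = [
    {"src": CLIENT_A, "dst": GATEWAY, "what": "HTTPS to the Internet"},
    {"src": CLIENT_A, "dst": DNS, "what": "DNS query"},
    {"src": CLIENT_A, "dst": CLIENT_B, "what": "peer-to-peer file share"},
    {"src": CLIENT_B, "dst": PRINTER, "what": "print job"},
    {"src": CLIENT_A, "dst": "02-00-00-00-0a-10", "what": "print job"},
]


def build_table(with_printer=False):
    table = TrustedDestinations()
    table.learn("gateway", GATEWAY)
    table.learn("dns-server", DNS)
    if with_printer:
        table.add_wired_server("print-server", PRINTER)
    return table


if __name__ == "__main__":
    for with_printer in (False, True):
        table = build_table(with_printer)
        print(f"--- print server configured: {with_printer}")
        for frame in FRAMES:
            verdict, reason = decide(table, frame)
            print(f"{frame['what']:<24} {verdict:<8} {reason}")
        review = dropped_wired_destinations(table, FRAMES, [CLIENT_A, CLIENT_B])
        print("destinations to review:", review)
```

Running it shows print jobs dropped until the print server is entered manually, while the client-to-client frame is dropped in both runs.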


Enabling Client Isolation for Wireless Networks in Aruba Central
To enable the Client Isolation feature, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs page, click + Add SSID. The Create a New Network page is displayed.
6. Click Advanced Settings and expand Miscellaneous.
7. Turn on the Deny Intra VLAN Traffic toggle switch.
8. Click Next.
Configuring Wireless Networks for Guest Users on Instant APs
Instant APs support the captive portal authentication method in which a webpage is presented to the guest users, when they try to access the Internet in hotels, conference centers, or Wi-Fi hotspots. The webpage also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at Wi-Fi hotspots and can be used to control wired access as well. The captive portal solution for an Instant AP cluster consists of the following:
- The captive portal web login page hosted by an internal or external server.
- The RADIUS authentication or user authentication against internal database of the AP.
- The SSID broadcast by the Instant AP.
The Instant AP administrators can create a wired or WLAN guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise WiFi network. Administrators can also create guest accounts and customize the captive portal page with organization-specific logo, terms, and usage policy. With captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URL through HTTP or HTTPS, the captive portal webpage prompts the user to authenticate with a user name and password.
Splash Page Profiles
Instant APs support the following types of splash page profiles:
- Internal Captive portal--Select this splash page to use an internal server for hosting the captive portal service. Internal captive portal supports the following types of authentication:
  - Internal Authenticated--When Internal Authenticated is enabled, a guest user who is pre-provisioned in the user database has to provide the authentication details.
  - Internal Acknowledged--When Internal Acknowledged is enabled, a guest user has to accept the terms and conditions to access the Internet.
- External Captive portal--Select this splash page to use an external portal on the cloud or on a server outside the enterprise network for authentication.
- Cloud Guest--Select this splash page to use the cloud guest profile configured through the Guest Management tab.
- None--Select to disable the captive portal authentication.
To create splash page profiles, see the following sections:
- Creating a Wireless Network Profile for Guest Users
- Configuring an Internal Captive Portal Splash Page Profile
- Configuring an External Captive Portal Splash Page Profile
- Configuring a Cloud Guest Splash Page Profile
- Configuring ACLs for Guest User Access
- Configuring Captive Portal Roles for an SSID
- Disabling Captive Portal Authentication
Creating a Wireless Network Profile for Guest Users
To create an SSID for guest users, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs page, click + Add SSID. The Create a New Network pane is displayed.
6. Under General, enter a network name in the Name (SSID) text-box.
7. If configuring a wireless guest profile, set the required WLAN configuration parameters described in Table 1.
8. Click Next. The VLANs details are displayed.
9. Under VLANs, select any of the following options for Client IP Assignment:


Table 92: VLANs Assignment

Parameter

Description

Instant AP assigned

When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnet and VLAN on the Instant AP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on Instant APs. If this option is selected, specify any of the following options in Client VLAN Assignment:
- Internal VLAN--Assigns IP address to the client in the same subnet as the Instant APs. By default, the client VLAN is assigned to the native VLAN on the wired network.
- Custom--Allows you to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. When this option is selected, select the scope from the VLAN ID drop-down list.

External DHCP server assigned

When this option is selected, specify any of the following options in Client VLAN Assignment:
- Static--In VLAN ID, specify a VLAN ID for a single VLAN(s). If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID. To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps:
  - Click +Add Named VLAN. The Add Named VLAN window is displayed.
  - Enter the VLAN Name and VLAN details, and then click OK.
- Dynamic--Assigns the VLANs dynamically from a DHCP server. To add a new VLAN assignment rule, complete the following steps:
  - Click + Add Rule in the VLAN Assignment Rules window. The New VLAN Assignment Rule page is displayed.
  - Enter the Attribute, Operator, String, and VLAN details, and then click OK.
  To delete a VLAN assignment rule, select a rule in the VLAN Assignment Rules window, and then click the delete icon. To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps:
  - Click +Add Named VLAN. The Add Named VLAN window is displayed.
  - Enter the VLAN Name and VLAN details, and then click OK.
  To delete, select a Named VLAN in the Named VLAN table, and then click the delete icon.
- Native VLAN--Assigns the client VLAN to the native VLAN. For more information, see Configuring VLAN Assignment Rule.

Configuring an Internal Captive Portal Splash Page Profile
To configure an internal captive portal profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.


2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
6. Under Security tab, in the Security Level, select Captive Portal and configure the following parameters:

Table 93: Internal Captive Portal Configuration Parameters

Parameter

Description

Captive Portal Type

Select Internal from the drop-down list.

Captive Portal Location

Select Acknowledged or Authenticated from the drop-down list.

Customize Captive Portal

Under Splash Page, when Customize Captive Portal is clicked, use the editor to specify text and colors for the initial page that is displayed to the users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type (Authenticated or Acknowledged) for which you are customizing the splash page design. Complete the following steps to customize the splash page design.
- Top banner title--Enter a title for the banner.
- Header fill color--Specify a background color for the header.
- Welcome text--To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
- Policy text--To change the policy text, click the second square in the splash page, enter the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
- Page fill color--To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
- Redirect URL--To redirect users to another URL, specify a URL in Redirect URL.
- Logo image--To upload a custom logo, click Choose File to upload. Ensure that the image file size does not exceed 16 KB. To delete an image, click Delete Logo.
To preview the captive portal page, click preview_splash_page. To configure a captive portal proxy server or global proxy server to match your browser configuration, enter the IP address and port number in the Captive-portal proxy server IP and Captive Portal Proxy Server Port fields.

Encryption

By default, this field is disabled. Turn on the toggle switch to enable and configure the following encryption parameters:
- Key Management--Specify an encryption and authentication key.
- Passphrase format--Specify a passphrase format.
- Passphrase--Enter a passphrase.
- Retype--Retype the passphrase to confirm.

Key Management

Select Open or Enhanced Open from the drop-down list.


Advanced Settings

Captive Portal Proxy Server IP

Specify the IP address of the Captive Portal proxy server.

Captive Portal Proxy Server Port

Specify the port number of the Captive Portal proxy server.

MAC Authentication

Configure the following parameters:
- MAC Authentication--To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.
  - To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.
  - To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs on page 356.
- Secondary Server--To add another server for authentication, configure another authentication server.
- Load Balancing--Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring DHCP Server for Assigning IP Addresses to Instant AP Clients.

Reauth Interval

Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.

Accounting

Select an accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client disconnects. This is applicable for WLAN SSIDs only.

Blacklisting

If you are configuring a wireless network profile, turn on the Blacklisting toggle switch to blacklist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.

Max Authentication Failures

If you are configuring a wireless network profile, turn on the Blacklisting toggle switch to blacklist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.

Enforce DHCP

If you are configuring a wireless network profile, turn on the Blacklisting toggle switch to blacklist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.

WPA3 Transition

If you are configuring a wireless network profile, turn on the Blacklisting toggle switch to blacklist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.


Called Station ID Include SSID

If you are configuring a wireless network profile, turn on the Blacklisting toggle switch to blacklist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.

Uppercase Support

If you are configuring a wireless network profile, turn on the Blacklisting toggle switch to blacklist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.

Disable if uplink type is

To exclude uplink(s), expand Disable if uplink type is, and turn on the toggle switch for the uplink type(s). For example, Ethernet, Wi-Fi, and 3G/4G.

7. Click Save Settings.
Configuring an External Captive Portal Splash Page Profile
You can configure external captive portal profiles and associate these profiles to a user role or SSID. You can create a set of captive portal profiles and associate these profiles with an SSID or a wired profile. You can configure up to eight external captive portal profiles. When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS and DHCP traffic between the client and network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted. To configure an external captive portal profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
6. Under Security tab, in the Security Level, select Captive Portal.
7. Select the Splash Page type as External.
8. If required, configure a captive portal proxy server or a global proxy server to match your browser configuration by specifying the IP address and port number in the Captive Portal Proxy Server IP and Captive Portal Proxy Server Port fields.


9. Select a captive portal profile. To add a new profile, click + and configure the following parameters:

Table 94: External Captive Portal Profile Configuration Parameters

Data Pane Item

Description

Name

Enter a name for the profile.

Type

Select any one of the following types of authentication:
- Radius Authentication--Select this option to enable user authentication against a RADIUS server.
- Authentication Text--Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.

IP or Hostname

Enter the IP address or the host name of the external splash page server.

URL

Enter the URL of the external captive portal server.

Port

Enter the port number that is used for communicating with the external captive portal server.

Use HTTPS

Select this to require clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.

Captive Portal Failure

This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to access the network.

Server Offload

Select the check box to enable the server offload feature. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.

Prevent Frame Overlay

Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.

Automatic URL Whitelisting

On enabling this for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically whitelisted.

Auth Text

If the External Authentication splash page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected.

Redirect URL

Specify a redirect URL if you want to redirect the users to another URL.

10. Click Save.
11. On the external captive portal splash page configuration page, specify encryption settings if required.
12. Specify the following authentication parameters under Advanced Settings:
- MAC Authentication--To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.
- Primary Server--Sets a primary authentication server.
  - To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.
  - To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs.
- Secondary Server--To add another server for authentication, configure another authentication server.
- Load Balancing--Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers.
13. If required, under Walled Garden, create a list of domains that are blacklisted and also a white list of websites that the users connected to this splash page profile can access.
14. To exclude uplink, select an uplink type.
15. If MAC authentication is enabled, you can configure the following parameters:
- Delimiter Character--Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
- Uppercase Support--Turn on the toggle switch to allow the Instant AP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
16. Configure the Reauth Interval. Specify a value for Reauth Interval. When set to a value greater than zero, Instant APs periodically re-authenticate all associated and authenticated clients.
17. If required, enable blacklisting. Set a threshold for blacklisting clients based on the number of failed authentication attempts.
18. Click Save Settings.
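An added example (not part of the guide or of Aruba's software) that renders a MAC address the way the Delimiter Character and Uppercase Support settings describe, then audits a RADIUS user list for entries the MAC authentication request would not match. It assumes the RADIUS server compares the MAC string exactly and that hex digits are lowercase unless Uppercase Support is on; the user list and function names are constructed.

```python
"""Added example: audit RADIUS user entries against the MAC auth format."""
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")


def parse_mac(text):
    """Accept aa:bb:.., AA-BB-.., aabb.ccdd.eeff or bare hex.

    Returns 12 lowercase hex digits, or None if the text is not a MAC."""
    digits = re.sub(r"[:.\-]", "", text.strip().lower())
    return digits if _HEX12.fullmatch(digits) else None


def format_for_mac_auth(mac, delimiter=None, uppercase=False):
    """Render a MAC as the settings describe: xxxxxxxxxxxx when no
    delimiter is set, xx:xx:xx:xx:xx:xx with ':' as the delimiter."""
    digits = parse_mac(mac)
    if digits is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    if delimiter is not None and (len(delimiter) != 1 or delimiter.isalnum()):
        raise ValueError("delimiter must be a single non-alphanumeric character")
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    rendered = (delimiter or "").join(octets)
    # Assumption: lowercase hex unless Uppercase Support is turned on.
    return rendered.upper() if uppercase else rendered


def audit_radius_users(usernames, delimiter=None, uppercase=False):
    """Compare stored user names with the string the AP would send.

    Returns a dict with three lists:
      not_mac    - entries that are not MAC addresses at all
      mismatch   - (stored, expected) pairs that differ as exact strings
      duplicates - (stored, first_entry) pairs naming the same device"""
    report = {"not_mac": [], "mismatch": [], "duplicates": []}
    first_seen = {}
    for name in usernames:
        digits = parse_mac(name)
        if digits is None:
            report["not_mac"].append(name)
            continue
        expected = format_for_mac_auth(digits, delimiter, uppercase)
        if name != expected:
            report["mismatch"].append((name, expected))
        if digits in first_seen:
            report["duplicates"].append((name, first_seen[digits]))
        else:
            first_seen[digits] = name
    return report


# Constructed RADIUS user names: locally administered MACs, mixed notations.
USERS = [
    "02:00:00:00:c1:0a",
    "02-00-00-00-C1-0B",
    "020000000A10",
    "0200.0000.c10c",
    "guest-kiosk",
    "02:00:00:00:C1:0A",
]

if __name__ == "__main__":
    # SSID configured with ':' as the delimiter and Uppercase Support off.
    report = audit_radius_users(USERS, delimiter=":", uppercase=False)
    for stored, expected in report["mismatch"]:
        print(f"rewrite {stored!r} as {expected!r}")
    for stored, first in report["duplicates"]:
        print(f"{stored!r} names the same device as {first!r}")
    for stored in report["not_mac"]:
        print(f"{stored!r} is not a MAC address entry")
```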
Configuring a Cloud Guest Splash Page Profile
To create a cloud guest network profile, see Configuring a Cloud Guest Splash Page Profile.
Associating a Cloud Guest Splash Page Profile to a Guest SSID
To use the Cloud Guest splash page profile for the guest SSID, ensure that the Cloud Guest splash page profile is configured through the Guest Access app. To associate a Cloud Guest splash page profile to a guest SSID, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
6. Click the Security tab.
a. Under Splash Page, select Cloud Guest from the Captive Portal Type drop-down list.
b. Select the splash page profile name from the Guest Captive Portal Profile list, and then click Next.
c. To enable encryption, turn on the Encryption toggle switch and configure the following encryption parameters:
d. Key Management--Specify an encryption and authentication key.
e. Passphrase format--Specify a passphrase format.
f. Passphrase--Enter a passphrase.
g. Retype--Retype the passphrase to confirm.
h. To exclude uplink, expand Disable if uplink type is and select an uplink type. For example, Ethernet, Wi-Fi, and 3G/4G.
i. Click Next.
7. Click Save Settings.
Configuring ACLs for Guest User Access
To configure access rules for a guest network, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
6. Click the Access tab.
7. Under Access rules, select any of the following types of access control:
- Unrestricted--Select this to set unrestricted access to the network.
- Network Based--Select Network Based to set common rules for all users in a network. By default, Allow any to all destinations access rule is enabled. This rule allows traffic to all destinations. To define an access rule, complete the following steps:
  - Click + and select appropriate options for Rule Type, Service, Action, Destination, and Options fields.
  - Click Save.
- Role Based--Select Role Based to enable access based on user roles.
For role-based access control, complete the following steps:
1. To create a user role:
a. Click + Add Role in Role pane.
b. Enter a name for the new role and click OK.
2. To create access rules for a specific user role:
a. Click + Add Rule in Access Rules for Selected Roles, and select appropriate options for Rule Type, Service, Action, Destination, and Options fields.
b. Click Save.
3. To create a role assignment rule:
a. Under Role Assignment Rules, click + Add Role Assignment. The New Role Assignment Rule pane is displayed.
b. Select appropriate options in Attribute, Operator, String, and Role fields.
c. Click Save.
4. To assign pre-authentication role, select the Assign Pre-Authentication Role check-box and select a pre-authentication role from the drop-down list.
5. Click Save Settings.
Configuring Captive Portal Roles for an SSID
You can configure an access rule to enforce captive portal authentication for SSIDs with 802.1X authentication enabled. You can configure rules to provide access to an external captive portal or an internal captive portal, so that some of the clients using this SSID can derive the captive portal role. The following conditions apply to the 802.1X and captive portal authentication configuration:
- If captive portal settings are not configured for a user role, the captive portal settings configured for an SSID are applied to the client's profile.
- If captive portal settings are not configured for an SSID, the captive portal settings configured for a user role are applied to the client's profile.
- If captive portal settings are configured for both SSID and user role, the captive portal settings configured for a user role are applied to the profile of the client.
To create a captive portal role for the Internal and External splash page types:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
6. Click the Access tab.
7. Under Access rules, select Role Based.
8. Click + Add Rule in Access Rules for Selected Roles.
9. In the Add Rules window, specify the following parameters.

Table 95: Access Rule Configuration Parameters

Data Pane Item

Description

Rule Type

Select Captive Portal from the drop-down list.

Splash Page Type

Select a splash page type from the drop-down list.

Internal

If Internal is selected from the Splash Page Type drop-down list, complete the following steps:
- Top banner title--Enter a title for the banner. To preview the page with the new banner title, click Preview splash page.
- Header fill color--Specify a background color for the header.
- Welcome text--To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
- Policy text--To change the policy text, click the second square in the splash page, enter the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
- Page fill color--To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
- Redirect URL--To redirect users to another URL, specify a URL in Redirect URL.
- Logo image--To upload a custom logo, click Choose File to upload. Ensure that the image file size does not exceed 16 KB. To delete an image, click Delete Logo.
To preview the captive portal page, click preview_splash_page.

External

If External is selected from the Splash Page Type drop-down list, complete the following steps:
- Captive Portal Profile--Select a profile from the drop-down list.
To create a profile, click the + icon and enter the following information in the External Captive Portal window.
- Name
- Authentication Type--From the drop-down list, select either RADIUS Authentication (to enable user authentication against a RADIUS server) or Authentication Text (to specify the authentication text to be returned by the external server after a successful user authentication).
- IP OR Hostname--Enter the IP address or the hostname of the external splash page server.
- URL--Enter the URL for the external splash page server.
- Port--Enter the port number for communicating with the external splash page server.
- Captive Portal Failure--This field allows you to configure Internet access for the guest clients when the external captive portal server is not available. From the drop-down list, select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access Internet when the external captive portal server is not available.
- Automatic URL Whitelisting--Turn on the toggle switch to enable or disable automatic whitelisting of URLs. On selecting this for the external captive portal authentication, the URLs allowed for the unauthenticated users to access are automatically whitelisted. The automatic URL whitelisting is disabled by default.
- Server offload--Turn on the toggle switch to offload the server.
- Prevent Frame Overlay--Turn on the toggle switch to prevent frame overlay.
- Use VC IP in Redirect URL--Turn on the toggle switch to use the virtual controller IP address as a redirect URL.
- Auth TEXT--Indicates the authentication text returned by the external server after a successful user authentication.
- Redirect URL--Specify a redirect URL to redirect the users to another URL.
To edit a profile, click the edit icon and modify the parameters in the External Captive Portal window.

10. Click Save. The enforce captive portal rule is created and listed as an access rule.
11. Click Save Settings.
The client can connect to this SSID after authenticating with user name and password. After the user logs in successfully, the captive portal role is assigned to the client.
Disabling Captive Portal Authentication
To disable captive portal authentication, perform the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
6. Under Security tab, in the Security Level, select Captive Portal.
7. Under Splash Page, select None from the Captive Portal Type drop-down list.
8. Click Save Settings.

Configuring Wired Networks for Guest Users on Instant APs
Instant APs support the captive portal authentication method in which a webpage is presented to the guest users, when they try to access the Internet in hotels, conference centres, or Wi-Fi hotspots. The webpage also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at Wi-Fi hotspots and can be used to control wired access as well. The captive portal solution for an Instant AP cluster consists of the following:
- The captive portal web login page hosted by an internal or external server.
- The RADIUS authentication or user authentication against internal database of the AP.
- The SSID broadcast by the Instant AP.


The Instant AP administrators can create a wired or WLAN guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise WiFi network. Administrators can also create guest accounts and customize the captive portal page with organization-specific logo, terms, and usage policy. With captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URL through HTTP or HTTPS, the captive portal webpage prompts the user to authenticate with a user name and password.
Splash Page Profiles
Instant APs support the following types of splash page profiles:
- Internal Captive portal--Select this splash page to use an internal server for hosting the captive portal service. Internal captive portal supports the following types of authentication:
  - Internal Authenticated--When Internal Authenticated is enabled, a guest user who is pre-provisioned in the user database has to provide the authentication details.
  - Internal Acknowledged--When Internal Acknowledged is enabled, a guest user has to accept the terms and conditions to access the Internet.
- External Captive portal--Select this splash page to use an external portal on the cloud or on a server outside the enterprise network for authentication.
- Cloud Guest--Select this splash page to use the cloud guest profile configured through the Guest Management tab.
- None--Select to disable the captive portal authentication.
For information on how to create splash page profiles, see the following sections:
- Creating a Wired Network Profile for Guest Users
- Configuring an Internal Captive Portal Splash Page Profile
- Configuring an External Captive Portal Splash Page Profile
- Configuring a Cloud Guest Splash Page Profile
- Disabling Captive Portal Authentication
Creating a Wired Network Profile for Guest Users
To create a wired SSID for guest access, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Wired accordion.
6. To create a new wired SSID profile, click + Add Port Profile. The Create a New Network pane is displayed.
7. Under General, enter the following information:
   a. Name--Enter a name.
   b. Ports--Select port(s) from the drop-down list.
8. Click Next to configure the VLANs settings. The VLANs details are displayed.
9. In the VLANs tab, select a type of mode from the Mode drop-down list.
10. Select any of the following options for Client IP Assignment:

Table 96: VLANs Parameters

Parameter

Description

Instant AP assigned

Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When the Virtual Controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The Virtual Controller can also assign a guest VLAN to a wired client. If this option is selected, specify any of the following options in Client VLAN Assignment:
- Default--When the client VLAN must be assigned to the native VLAN on the network.
- Custom--To customize the client VLAN assignment to a specific VLAN, or a range of VLANs.

External DHCP server assigned

Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.

Configuring an Internal Captive Portal Splash Page Profile
To configure internal captive portal profile, complete the following steps:


1. Open the guest SSID to edit and configure the following parameters in the Ports > Security page.

Table 97: Internal Captive Portal Configuration Parameters

Parameter

Description

Captive Portal Type

Select any of the following from the drop-down list:
- Internal - Authenticated--When Internal Authenticated is selected, the guest users are required to authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database.
- Internal - Acknowledged--When Internal Acknowledged is selected, the guest users are required to accept the terms and conditions to access the Internet.
- External--When External is selected, the guest users are required to enter the proxy server details such as IP address and captive portal proxy server port details. Also enter the details in Walled Garden, and Advanced section.
- Cloud Guest--When Cloud Guest is selected, the guest users are required to select the Guest Captive Portal Profile.
- None--Select this option if you do not want to set any splash page.

Captive Portal Location

Select Acknowledged or Authenticated from the drop-down list.

Splash Page Properties

) for which you are customizing the splash page design. Perform the following steps to customize the splash page design.
- Top Banner Title--Enter a title for the banner. To preview the page with the new banner title, click Preview Splash Page.
- Header fill color--Specify a background color for the header.
- Welcome Text--To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome Text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
- Policy Text--To change the policy text, click the second square in the splash page, enter the required text in the Policy Text box, and click OK. Ensure that the policy text does not exceed 255 characters.
- Page Fill Color--To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
- Redirect URL--To redirect users to another URL, specify a URL in Redirect URL.
- Logo Image--To upload a custom logo, click Upload, browse the image file, and click upload image. Ensure that the image file size does not exceed 16 KB. To delete an image, click Delete.
To preview the captive portal page, click Preview splash page.
To configure a captive portal proxy server or global proxy server to match your browser configuration, enter the IP address and port number in the Captive-portal proxy server IP and Captive Portal Proxy Server Port fields.

Encryption

By default, this field is disabled. Turn on the toggle switch to enable and configure the following encryption parameters:
- Key Management--Specify an encryption and authentication key.
- Passphrase format--Specify a passphrase format.
- Passphrase--Enter a passphrase and retype to confirm.

Authentication

Configure the following parameters:
- MAC Authentication--To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.


  - To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.
  - To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs on page 356.
- Secondary Server--To add another server for authentication, configure another authentication server.
- Load Balancing--If you are using two RADIUS authentication servers, turn on the toggle switch to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring DHCP Server for Assigning IP Addresses to Instant AP Clients.

Users

Create and manage users in the captive portal network. Only registered users of type Guest Employee will be able to access this network.

Advanced Settings > MAC Authentication

To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.

Advanced Settings > Reauth Interval

Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.

Advanced Settings > Blacklisting

If you are configuring a wireless network profile, turn on the Blacklisting toggle switch to blacklist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.

Advanced Settings > Disable If Uplink Type Is

To exclude uplink, select an uplink type.

2. Click Save Settings.
Configuring an External Captive Portal Splash Page Profile
You can configure external captive portal profiles and associate these profiles to a user role or SSID. You can create a set of captive portal profiles in the Security > External Captive Portal data pane and associate these profiles with an SSID or a wired profile. You can also create a new captive portal profile under the Security tab of the WLAN wizard or a Wired Network pane. You can configure up to eight external captive portal profiles. When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS and DHCP traffic between the client and network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted. To configure an external captive portal profile, complete the following steps:
1. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon. The Create a New Network pane is displayed.
2. Under Security tab, in the Security Level, select Captive Portal and configure the following parameters under Splash Page:


3. Select the Splash Page type as External.
4. If required, configure a captive portal proxy server or a global proxy server to match your browser configuration by specifying the IP address and port number in the Captive Portal Proxy Server IP and Captive Portal Proxy Server Port fields.
5. Select a captive portal profile. To add a new profile, click + and configure the following parameters:

Table 98: External Captive Portal Profile Configuration Parameters

Data Pane Item

Description

Name

Enter a name for the profile.

Type

Select any one of the following types of authentication:
- Radius Authentication--Select this option to enable user authentication against a RADIUS server.
- Authentication Text--Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.

IP or Hostname

Enter the IP address or the host name of the external splash page server.

URL

Enter the URL of the external captive portal server.

Port

Enter the port number that is used for communicating with the external captive portal server.

Use HTTPS

Select this to require clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.

Captive Portal Failure

This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to access the network.

Server Offload

Select the check box to enable the server offload feature. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.

Prevent Frame Overlay

Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.

Automatic URL Whitelisting

On enabling this for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically whitelisted.

Auth Text

If the External Authentication Splash page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected.

Redirect URL

Specify a redirect URL if you want to redirect the users to another URL.

6. Click Save.
7. On the external captive portal splash page configuration page, specify encryption settings if required.
8. Specify the following authentication parameters in Advanced Settings:
- MAC Authentication--To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.
- Primary Server--Sets a primary authentication server.
  - To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.
  - To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs.
- Secondary Server--To add another server for authentication, configure another authentication server.
- Load Balancing--If you are using two RADIUS authentication servers, turn on the toggle switch to balance the load across these servers.
9. If required, under Walled Garden, create a list of domains that are blacklisted and also a white list of websites that the users connected to this splash page profile can access.
10. To exclude uplink, select an uplink type.
11. If MAC authentication is enabled, you can configure the following parameters:
- Delimiter Character--Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
- Uppercase Support--Turn on the toggle switch to allow the Instant AP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
12. Configure the Reauth Interval. Specify a value for Reauth Interval. When set to a value greater than zero, Instant APs periodically re-authenticate all associated and authenticated clients.
13. If required, enable blacklisting. Set a threshold for blacklisting clients based on the number of failed authentication attempts.
14. Click Save Settings.
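
The following added example (not part of the Aruba guide or of any Aruba tool) reviews external captive portal profiles for the Table 98 settings that loosen guest access control, and builds the MAC authentication string that step 11 describes so it can be compared with the entries on the RADIUS server. The dictionary keys copy the table labels and are an assumption, not an Aruba Central export format; lowercase output when Uppercase Support is off is also an assumption.

```python
import re

# Constructed profile records. The keys copy the labels in Table 98; they are
# an assumption for this example, not an Aruba Central export or API format.
SAMPLE_PROFILES = [
    {"Name": "guest-portal-a", "Type": "Radius Authentication",
     "Use HTTPS": False, "Captive Portal Failure": "Allow Internet",
     "Prevent Frame Overlay": False, "Automatic URL Whitelisting": True},
    {"Name": "guest-portal-b", "Type": "Radius Authentication",
     "Use HTTPS": True, "Captive Portal Failure": "Deny Internet",
     "Prevent Frame Overlay": True, "Automatic URL Whitelisting": False},
]


def review_profile(profile):
    """Return (setting, finding) pairs for settings worth a second look."""
    findings = []
    if profile.get("Captive Portal Failure") == "Allow Internet":
        findings.append(("Captive Portal Failure",
                         "guests get Internet access whenever the external "
                         "portal server is not available"))
    # Use HTTPS is only offered when RADIUS Authentication is selected.
    if profile.get("Type") == "Radius Authentication" and not profile.get("Use HTTPS"):
        findings.append(("Use HTTPS",
                         "clients are not required to use HTTPS to reach the "
                         "captive portal server"))
    if not profile.get("Prevent Frame Overlay"):
        findings.append(("Prevent Frame Overlay",
                         "frames are not limited to pages in the same domain "
                         "as the main page"))
    if profile.get("Automatic URL Whitelisting"):
        findings.append(("Automatic URL Whitelisting",
                         "URLs for unauthenticated users are whitelisted "
                         "automatically; review what they can reach"))
    return findings


def report(profiles):
    """Flatten the findings for all profiles into printable lines."""
    return [f"{p['Name']}: {setting}: {finding}"
            for p in profiles
            for setting, finding in review_profile(p)]


def mac_auth_string(mac, delimiter="", uppercase=False):
    """Format a client MAC the way Delimiter Character and Uppercase Support
    describe: octet pairs joined by the delimiter, or xxxxxxxxxxxx without one."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    # Assumption: lowercase unless Uppercase Support is turned on.
    digits = digits.upper() if uppercase else digits.lower()
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


if __name__ == "__main__":
    for line in report(SAMPLE_PROFILES):
        print(line)
    # Constructed MAC address, formatted with a colon delimiter and uppercase.
    print(mac_auth_string("00:1A:2b:3C:4d:5E", delimiter=":", uppercase=True))
```
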
Configuring a Cloud Guest Splash Page Profile
For information on how to create a cloud guest network profile, see Configuring a Cloud Guest Splash Page Profile
Associating a Cloud Guest Splash Page Profile to a Guest SSID
To use the Cloud Guest Splash page profile for the guest SSID, ensure that the Cloud Guest Splash Page profile is configured through the Guest Access app. To associate a Cloud Guest splash page profile to a guest SSID, complete the following steps:
1. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon. The Create a New Network pane is displayed.
2. Click the Security tab.
a. Select Cloud Guest from the Splash Page Type list.
b. Select the splash page profile name from the Guest Captive Portal Profile list, and then click Next.
c. To enable encryption, turn on the Encryption toggle switch and configure the encryption parameters.

d. To exclude uplink, select 3G/4G, Wi-Fi, or Ethernet option from Disable If Uplink Type Is accordion.
e. Click Next.
3. Click Save Settings.
Configuring ACLs for Guest User Access
To configure access rules for a guest network, complete the following steps:
1. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon. The Create a New Network pane is displayed.
2. Click the Access tab.
3. Under Access, select any of the following types of access control:
- Unrestricted--Select this to set unrestricted access to the network.
- Network Based--Select Network Based to set common rules for all users in a network. By default, Allow any to all destinations access rule is enabled. This rule allows traffic to all destinations. To define an access rule, complete the following steps:
  a. Click + and select appropriate options for Rule Type, Service, Action, Destination, and Options fields.
  b. Click Save.
- Role Based--Select Role Based to enable access based on user roles. For role-based access control:
  1. Create a user role:
     a. Click New in Role pane.
     b. Enter a name for the new role and click OK.
  2. Create access rules for a specific user role:
     a. Click + and select appropriate options for Rule Type, Service, Action, Destination, and Options fields.
     b. Click Save.
  3. Create a role assignment rule.
     a. Under Role Assignment Rule, click New. The New Role Assignment Rule pane is displayed.
     b. Select appropriate options in Attribute, Operator, String, and Role fields.
     c. Click Save.
4. Click Save Settings.
Disabling Captive Portal Authentication
To disable captive portal authentication, complete the following steps:
1. Under WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon. The Create a New Network pane is displayed.
2. Click the Security tab.
3. Under Security, select None for Splash Page Type.
4. Click Save Settings.
Configuring Downloadable Roles
Aruba Central allows you to download pre-existing user roles when you create network profiles.
The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8.
Aruba Instant and ClearPass Policy Manager include support for centralized policy definition and distribution. In order to provide highly granular per-user level access, user roles can be created when a user has been successfully authenticated. During the configuration of a policy enforcement profile in ClearPass Policy Manager, the administrator can define a role that should be assigned to the user after successful authentication. In RADIUS authentication, when ClearPass Policy Manager successfully authenticates a user, the user is assigned a role by ClearPass Policy Manager. If the role is not defined on the Instant AP, the role attributes can also be downloaded automatically.
This feature supports roles obtained by the following authentication methods:
- 802.1X (WLAN and wired users)
- MAC authentication
- Captive Portal
This section describes the following topics:
- ClearPass Policy Manager Certificate Validation for Downloadable Role
- Enabling Downloadable Role Feature for Wireless Networks in Aruba Central
- Enabling Downloadable Role Feature for Wired Networks in Aruba Central
ClearPass Policy Manager Certificate Validation for Downloadable Role
When a ClearPass Policy Manager server is configured as the domain for RADIUS authentication for downloading user roles, in order to validate the ClearPass Policy Manager customized CA, Instant APs are required to publish the root CA for the HTTPS server to the well-known URL (http://<clearpassfqdn>/.wellknown/aruba/clearpass/https-root.pem). The Instant AP must ensure that an FQDN is defined in the above URL for the RADIUS server and then attempt to fetch the trust anchor by using the RADIUS FQDN. Upon configuring the domain of the ClearPass Policy Manager server for RADIUS authentication along with a username and password, the Instant AP tries to retrieve the CA from the above well-known URL and store it in flash memory. However, if there is more than one ClearPass Policy Manager server configured for authentication, the CA must be uploaded manually.


Enabling Downloadable Role Feature for Wireless Networks in Aruba Central
To enable the Downloadable Role feature, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, click + Add SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. In the Security tab, select the RADIUS server in Primary Server field.
At least one RADIUS server must be configured to apply the Downloadable User Roles feature. For more information on configuring a RADIUS server, see Authentication Servers for Instant APs.
7. Click Next.
8. The Access tab is displayed.
9. Turn on the Downloadable Role toggle switch to allow downloading of pre-existing user roles. The CPPM Settings table with Name, CPPM Username, and Actions columns related to the RADIUS servers is displayed.
The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8. At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for Instant APs.
10. Click the action corresponding to the RADIUS server listed in the CPPM Settings table. The Edit Server page is displayed.
The Edit Server page displays the name of the RADIUS server. The Name field is non-editable.
11. Enter the following details:
- CPPM Username--Enter the ClearPass Policy Manager admin username.
- Password--Enter the password.
- Retype--Retype the password.
12. Click OK.
Enabling Downloadable Role Feature for Wired Networks in Aruba Central
To enable the Downloadable Role feature, perform the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Wired accordion.
6. Under Wired, click + Add Port Profile. To modify an existing profile, select the network that you want to edit in the Wired Port Profiles pane, and then click the edit icon.
7. In the Security tab, select the RADIUS server in Primary Server field.
At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for Instant APs.
8. Click Next.
9. The Access tab is displayed.
10. Enable the Downloadable Role option to allow downloading of pre-existing user roles. The CPPM Settings table with Name, CPPM Username, and Actions columns related to the RADIUS servers is displayed.
The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8. At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for Instant APs.
11. Click the action corresponding to the RADIUS server listed in the CPPM Settings table. The Edit Server page with the RADIUS server name is displayed.
The Edit Server page displays the RADIUS server name. The Name field is non-editable.
12. Enter the following details:
- CPPM Username--Enter the ClearPass Policy Manager admin username.
- Password--Enter the password.
- Retype--Retype the password.
13. Click OK.
Configuring Wired Port Profiles on Instant APs
If the wired clients must be supported on the Instant APs, configure wired port profiles and assign these profiles to the ports of an Instant AP. The wired ports of an Instant AP allow third-party devices such as VoIP phones or printers (which support only wired port connections) to connect to the wireless network. You can also configure an ACL for additional security on the Ethernet downlink. To configure wired port profiles on Instant AP, complete the following steps:


1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Wired accordion.
6. To create a new wired port profile, click + Add Port Profile. The Create a New Network pane is displayed.
Complete the configuration for each of the tabs in the Create a New Network page as described in the below sections:
Configuring General Network Profile Settings
To configure general network profile settings, complete the following steps in the General tab:
1. Under General, enter the following information:
   a. Name--Enter a name.
   b. Ports--Select port(s) from the drop-down list.
2. Under Advanced Settings section, configure the following parameters:
   a. Speed/Duplex--Select the appropriate value from the Speed and Duplex drop-down list. Contact your network administrator if you need to assign speed and duplex parameters.
   b. Port Bonding--Turn on the Port Bonding toggle switch to enable port bonding.
   c. Power over Ethernet--Turn on the Power over Ethernet toggle switch to enable PoE.
   d. Admin Status--The Admin Status indicates if the port is up or down.
   e. Content Filtering--Turn on the Content Filtering toggle switch to ensure that all DNS requests to non-corporate domains on this wired port network are sent to OpenDNS.
   f. Uplink--Turn on the toggle switch to configure uplink on this wired port profile. If the Uplink toggle switch is turned on and this network profile is assigned to a specific port, the port is enabled as an uplink port.
   g. Spanning Tree--Turn on the toggle switch to enable STP on the wired port profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports, regardless of forwarding mode. STP does not operate on uplink ports and is supported only on Instant APs with three or more ports. By default, STP is disabled on wired port profiles.
   h. Inactivity Timeout--Enter the time duration after which an inactive user needs to be disabled from the network. The user must undergo the authentication process to re-join the network.
   i. 802.3az--Turn on the toggle switch to support the 802.3az Energy Efficient Ethernet (EEE) standard on the device. This option allows the device to consume less power during periods of low data activity. This setting can be enabled for provisioned APs or AP groups through the wired port network. If this feature is enabled for an AP group, APs in the group that do not support 802.3az ignore this setting. This option is available for Instant APs that support a minimum of Aruba Instant 8.4.0.0 firmware version.
   j. Deny Intra VLAN Traffic--Turn on the toggle switch to disable intra VLAN traffic. It enables client isolation and disables all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client to gateway traffic from clients to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities.
3. Click Next. The VLANs details page is displayed.
Configuring VLAN Network Profile Settings
To configure VLAN settings, complete the following steps in the VLANs tab:
1. Mode--Specify any of the following modes:
- Access--Select this mode to allow the port to carry a single VLAN specified as the native VLAN. If the Access mode is selected, perform one of the following options:
  - If the Client IP Assignment is set to Virtual Controller Assigned, proceed to step 6.
  - If the Client IP Assignment is set to Network Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
- Trunk--Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs. If the Trunk mode is selected:
  - For Allowed VLAN, enter a list of comma-separated digits or ranges, for example 1, 2, 5, or 1-4, or all. The Allowed VLAN refers to the VLANs carried by the port in Access mode.
  - If the Client IP Assignment is set to Network Assigned, specify a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as Native VLAN. You can specify a value within the range of 1-4093.
2. Client IP Assignment--Specify any of the following values:
- Instant AP Assigned--Select this option to allow the virtual controller to assign IP addresses to the wired clients. When the virtual controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The virtual controller can also assign a guest VLAN to a wired client. In the Client VLAN Assignment section, select Default when the client VLAN must be assigned to the native VLAN on the network. Select Custom to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. Click the Show Named VLANs section to view all the named VLANs mapped to VLAN ID. Click + Add Named VLAN and enter the VLAN Name and VLAN ID that is required to be mapped. Clicking OK populates the named VLAN in the VLAN Name to VLAN ID Mapping table.
- External DHCP server Assigned--Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.
3. Click Next. The Security details page is displayed.
Configuring Security Settings
To configure security-specific settings, complete the following steps in the Security tab:


1. On the Security pane, select the following security options as per your requirement:
   - 802.1X Authentication--Set the toggle button to enable 802.1X Authentication. Configure the basic parameters such as the authentication server, and MAC Authentication Fail-Through. Select any of the following options for authentication server:
      - New--On selecting this option, an external RADIUS server must be configured to authenticate the users. For information on configuring an external server, see Configuring External Authentication Servers for APs on page 356.
      - Internal Server--If an internal server is selected, add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users.
      - Load Balancing--Set the toggle button to enable if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Authentication Servers on page 356.
   - MAC Authentication--To enable MAC authentication, enable the toggle button. MAC authentication is disabled by default.
   - Captive Portal--Set the toggle button to enable captive portal authentication. For more information on configuring security on captive portal, see Configuring Wired Networks for Guest Users on Instant APs.
   - Open--Set the toggle button to enable, to set security for open network.
2. Enable the Port Type Trusted option to connect uplink and downlink to a trusted port only.
3. In the Primary Server field, perform one of the following steps:
   - Internal Server--To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs on page 356.
   - Secondary Server--To add another server for authentication, configure another authentication server.
      - Load Balancing--Set the toggle button to enable if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Authentication Servers on page 356.
4. MAC Authentication Fail-Thru--Set the toggle button to enable so that 802.1X authentication is attempted when the MAC authentication fails.
5. Under the Advanced Settings section, configure the following options:
   - Use IP for Calling Station ID--Set the toggle button to enable, to configure the client IP address as the calling station ID.
   - Called Station ID Type--Select one of the following options:
      - Access Point Group--Uses the VC ID as the called station ID.
      - Access Point Name--Uses the host name of the Instant AP as the called station ID.
      - VLAN ID--Uses the VLAN ID as the called station ID.
      - IP Address--Uses the IP address of the Instant AP as the called station ID.
      - MAC address--Uses the MAC address of the Instant AP as the called station ID.
     The Called Station ID Type detail can be configured even if the Use IP for Calling Station ID is set to disabled.
   - Reauth Interval--Specify the interval at which all associated and authenticated clients must be re-authenticated.
6. Click Next. The Access pane is displayed.
Configuring Access Settings
To configure access-specific settings, complete the following steps:
1. In the Access tab, turn on the Downloadable Role toggle switch to allow downloading of preexisting user roles. For more information, see Configuring Downloadable Roles.
   The Downloadable Role feature is optional. The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8. At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for Instant APs.
2. Click the action corresponding to the server. The Edit Server page is displayed.
   The Edit Server page displays the RADIUS server name. The Name field is non-editable.
3. Enter the CPPM username along with the CPPM authentication credentials for the RADIUS server.
4. Click Ok.
5. Under Access Rules, configure the following access rule parameters:
   a. Select any of the following types of access control:
      - Role-based--Allows the users to obtain access based on the roles assigned to them.
      - Unrestricted--Allows the users to obtain unrestricted access on the port.
      - Network-based--Allows the users to be authenticated based on access rules specified for a network.
   b. If the Role-based access control is selected:
      - Under Role, select an existing role for which you want to apply the access rules, or click New and add the required role. To add a new access rule, click Add Rule under Access Rules For Selected Roles.
        The default role with the same name as the network is automatically defined for each network. The default roles cannot be modified or deleted.
      - Configure role assignment rules. To add a new role assignment rule, click New under Role Assignment Rules. Under New Role Assignment Rule:
   c. Select an attribute.
   d. Specify an operator condition.
   e. Select a role.
   f. Click Save.


6. Click Finish to create the wired port profile successfully.
Configuring Network Port Profile Assignment
To map the wired port profile to Ethernet ports, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Wired accordion. The Wired Port Profiles page is displayed.
6. In the Port Profiles Assignments section, assign wired port profiles to Ethernet ports:
   a. Select a profile from the Ethernet 0/0 drop-down list.
   b. Select the profile from the Ethernet 0/1 drop-down list.
   c. If the Instant AP supports Ethernet 2, Ethernet 3 and Ethernet 4 ports, assign profiles to these ports by selecting a profile from the Ethernet 0/2, Ethernet 0/3, and Ethernet 0/4 drop-down lists respectively.
7. Click Save Settings.
Viewing Wired Port Profile Summary
In the Summary tab, the Network Summary page displays all the settings configured in the General, VLANs, Security, and Access tabs. Click Save Settings to complete the network profile creation and save the settings.
Editing a WLAN Profile
To edit a network profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select the network that you want to edit, and then click the edit icon under the Actions column.
6. Modify the profile and click Save Settings.
You can directly edit the SSID name under the Display Name column of the Wireless SSIDs table. Double-click the relevant SSID that you want to rename, and type the new name. Press Enter to complete the process.
Editing an Access Point Port Profile
To edit a network profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
   When you click the Show Advanced option, the Devices > Access Points page displays the WLANs, Access Points, Radios, Interfaces, Security, VPN, Services, System, and Configuration Audit tabs as the default configuration tabs.
5. Click the Wired accordion.
6. In the Wired Port Profiles pane, select the network that you want to edit, and then click the edit icon under the Actions column.
7. Modify the profile and click Save Settings.
When you click the Hide Advanced option, the Devices > Access Points tab displays only the WLANs, Access Points, and Radio tabs as the default configuration tabs. Aruba Central now constantly displays the default tabs under the Show Advanced and Hide Advanced option in the Devices > Access Points page. When you click the Show Advanced or Hide Advanced option and navigate out of the page, the respective default tabs under Show Advanced or Hide Advanced option are still displayed when you visit the page next time.
Deleting a Network Profile
To delete a network profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.


4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select the network that you want to delete, and then click the delete icon under the Actions column.
6. Click Yes in the confirmation dialog box.
Configuring Mesh Instant AP
Mesh Network Overview
The mesh solution effectively expands and configures network coverage for outdoor and indoor enterprises in a wireless environment. The mesh network automatically reconfigures broken or blocked paths when traffic traverses across mesh Instant AP. This feature provides increased reliability by allowing the network to continue operating even when an Instant AP is non-functional or if the device fails to connect to the network.
A mesh network requires at least one valid wired or 3G uplink connection. The mesh network must be provisioned by plugging into the wired network for the first time.
Mesh Instant APs
The Instant APs that are configured for mesh can either operate as mesh portals or as mesh points based on the uplink type.
Instant AP as Mesh Portal
Any provisioned Instant AP that has a valid wired or 3G uplink connection functions as a mesh portal. A mesh portal acts as a gateway between the wireless mesh network and the enterprise wired LAN. The mesh roles are automatically assigned based on the Instant AP configuration. The mesh portal can also act as a virtual controller.
The mesh portal reboots after 5 minutes, when it loses its uplink connectivity to a wired network.
Instant AP as Mesh Point
The Instant AP without an ethernet link functions as a mesh point. The mesh point establishes an all-wireless path to the mesh portal and provides traditional WLAN services such as client connectivity, IDS capabilities, user role association, and QoS for LAN-to-mesh communication to the clients, and performs mesh backhaul or network connectivity. The mesh points authenticate to the mesh portal and establish a secured link using AES encryption.
A mesh point also supports LAN bridging by connecting any wired device to the downlink port of the mesh point. In the case of single ethernet port platforms such as Instant AP-105, you can convert the Eth0 uplink port to a downlink port by enabling Eth0 Bridging. Redundancy is observed in a mesh network when two Instant APs have valid uplink connections, and most mesh points try to mesh directly with one of the two portals.

There can be a maximum of eight mesh points per mesh portal in a mesh network. When mesh Instant APs boot up, they detect the environment to locate and associate with their nearest neighbor. The mesh Instant APs determine the best path to the mesh portal ensuring a reliable network connectivity.
In a dual-radio Instant AP, the 2.4 GHz radio is always used for client traffic, and the 5 GHz radio is always used for both mesh-backhaul and client traffic.
Automatic Mesh Role Assignment
Aruba Central supports enhanced role detection during Instant AP boot-up and Instant AP running time. When a mesh point discovers that the Ethernet 0 port link is up, it sends loop detection packets to check the availability of Ethernet 0 link. If the Ethernet 0 link is available, the mesh point reboots as a mesh portal. Else, the mesh point does not reboot.
Mesh Role Detection during System Boot-Up
If the ethernet link is down during Instant AP boot-up, the Instant AP acts as a mesh point. If the ethernet link is up, the Instant AP continues to detect if the network is reachable in the following scenarios:
- In a static IP address scenario, the Instant AP acts as a mesh portal if it successfully pings the gateway. Otherwise, it acts as a mesh point.
- In case of DHCP, the Instant AP acts as a mesh portal when it obtains the IP address successfully. Otherwise, it acts as a mesh point.
- In case of IPv6, Instant APs do not support the static IP address but only support DHCP for detection of network reachability.
If the Instant AP has a 3G or 4G USB modem plugged, it always acts as a mesh portal. If the Instant AP is set to Ethernet 0 bridging, it always acts as a mesh point.
Mesh Role Detection during System Running Time
The mesh point uses the Loop Protection for Secure Jack Port feature to detect the loop when the ethernet is up. If the loop is detected, the Instant AP reboots. Otherwise, the Instant AP does not reboot and the mesh role continues to act as a mesh point.
Setting up Instant Mesh Network
To provision Instant APs as mesh Instant APs, complete the following steps:
- Connect the Instant APs to a wired switch.
- Ensure that the virtual controller key is synchronized and the country code is configured.
- Ensure that a valid SSID is configured on the Instant AP.
- If the Instant AP has a factory default SSID (Instant SSID), delete the SSID.
- If an ESSID is enabled on the virtual controller, disable it and reboot the Instant AP cluster.
- Disconnect the Instant APs that you want to deploy as mesh points from the switch, and place the Instant APs at a remote location. The Instant APs come up without any wired uplink connection and function as mesh points. The Instant APs with valid uplink connections function as mesh portals.


Configuring Wired Bridging on Eth0 for Mesh Point
Aruba Central supports wired bridging on the Eth0 port of an Instant AP. You can configure wired bridging, if the Instant AP is configured to function as a mesh point. To configure support for wired bridging on the Eth0 port of an Instant AP from Aruba Central UI, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group in the filter:
      a. Set the filter to one of the options under Groups. Ensure that the filter selected contains at least one active access point. The dashboard context for the group is displayed.
      b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
   - To select an access point in the filter:
      a. Set the filter to Global.
      b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
      c. Click an access point listed under Device Name. The dashboard context for the access point is displayed.
      d. Under Manage, click Device > Access Point.
2. Click the Config icon. The tabs to configure access points are displayed.
3. Click the Access Points tab. The Access Points table is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Click the Uplink tab.
6. To configure a non-native uplink VLAN, specify the number of VLANs in the Uplink Management VLAN text-box.
7. Turn on the Eth0 Bridging toggle switch.
8. Click OK and reboot the Instant AP.
Mesh Cluster Function
Aruba Central introduces the mesh cluster function for easy deployments of Instant APs. You can configure the ID, password, and also provision Instant APs to a specific mesh cluster. In a cluster-based scenario, you can configure unlimited mesh profiles in a network. When an Instant AP boots up, it attempts to find a mesh cluster configuration. The Instant AP fetches a pre-existing mesh cluster configuration, if any. Otherwise, it uses the default mesh configuration in which the SSID, password, and cluster name are generated by the virtual controller key.

Instant APs that belong to the same mesh network can establish mesh links with each other. The Instant APs can establish a mesh link in a standalone scenario also. However, the network role election does not take place in a standalone environment. Users can set the same mesh cluster configuration to establish mesh links with other networks. For more information on mesh cluster configuration, refer to the Mesh Instant AP Configuration chapter of Aruba Instant User Guide.
Configuring Time-Based Services for Wireless Network Profiles
Aruba Central allows you to configure the availability of a WLAN SSID at a particular time of the day. You can now create a time range profile and assign it to a WLAN SSID, so that you can enable or disable access to the SSID and thus control user access to the network during a specific time period. Instant APs support the configuration of both absolute and periodic time range profiles. You can configure an absolute time range profile to execute during a specific time frame, or create a periodic profile to execute at regular intervals based on the periodicity specified in the configuration. This section describes the following topics:
- Creating a Time Range Profile
- Associating a Time Range Profile to an SSID
- Associating a Time Range Profile to ACL
Before You Begin
Before you configure time-based services, ensure that the NTP server connection is active.
Creating a Time Range Profile
To create a time range profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the Time-Based Services accordion.
6. Click + in the Time Based Profiles table. The New Profile window for creating a time range profile is displayed.
7. Configure the parameters that are listed in the following table:


Table 99: Time Range Profile Configuration Parameters

| Parameter | Description |
|---|---|
| Name | Specify a name for the time range profile. |
| Type | Select the type of time range profile: Periodic--Allows you to configure a specific periodicity and recurrence pattern for a time range profile. Absolute--Allows you to configure an absolute day and time range. |
| Repeat | Specify the frequency for the periodic time range profile: Daily--Enables daily recurrence. Weekly--Allows you to define a specific time range with specific start and end days in a week. |
| Day Range | Absolute--For an absolute time range profile, this field allows you to specify the start day and end day, both in mm/dd/yyyy format. You can also use the calendar to specify the start and end days. Periodic--For a periodic time range profile, the following Day Range options are available. For daily recurrence: if the Repeat option is set to Daily, this field allows you to select the following time ranges: Monday--Sunday (All Days), Monday--Friday (Weekdays), Saturday--Sunday (Weekend). For example, if you set the Repeat option to Daily and then select Monday--Friday (Weekday) for Day Range, and Start Time as 1 and End Time as 2, the applied time range will be Monday to Friday from 1 am to 2 am; that is, on Monday at 3 am, the profile will not be applied or disabled. For weekly occurrence: if the Repeat option is set to Weekly, this field allows you to select the start and end days of a week and time range. For example, if you set Start Day as Monday and End Day as Friday, and Start Time as 1 and End Time as 2, the applied time range profile is Monday 1 am to Friday 2 am every week; that is, on Monday at 3 am, the profile will be applied or enabled. |
| Start Time | Select the start time for the time range profile from the Hours and Minutes drop-down lists, respectively. |
| End Time | Select the end time for the time range profile from the Hours and Minutes drop-down lists, respectively. |
| Visualization Graph for Time | The Visualization graph (approximated to the hour) provides a visual display of the selected time range (Day Range, Start Time, and End Time) for periodic profiles. |

Associating a Time Range Profile to an SSID
To apply a time range profile to an SSID, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.


3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile for which you want to apply the time range profile, and then click the edit icon. You can also add a time range profile when configuring an SSID.
6. In General, click Time Range Profiles under Advanced Settings.
7. In the Time Range Profiles section, enter the following information:
   - Select a time range profile from the Time Range Profile list.
   - Select a value from the Status drop-down list.
   - When a time range profile is enabled on SSID, the SSID is made available to the users for the configured time range. For example, if the specified time range is 12:00 to 13:00, the SSID becomes available only between 12 PM to 1 PM on a given day.
   - If a time range is disabled, the SSID becomes unavailable for the configured time range. For example, if configured time-range is 14:00 to 17:00, the SSID is made unavailable from 2 PM to 5 PM on a given day.
8. Click Save.
To create a time range profile, click + New Time Range Profile. The New Profile window for creating a time range profile is displayed.
Associating a Time Range Profile to ACL
Aruba Central allows you to configure time-based services for a specific ACL. To apply a time range profile to an access rule, complete the following procedure:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. In the Roles accordion, click the edit icon listed for access rules under Access Rules For Selected Roles to which you want to apply the time range profile.
6. The Access Rule page is displayed.
7. In the Options section, select the Time Range check-box and select the time range profile from the drop-down list.
   - When a time range profile is associated with an ACL, the configured time range is applied on all the WLAN SSIDs with the specific ACL.
   - If a time range is disabled or if the time range profile is deleted for an ACL, all WLAN SSIDs with the specific ACL will be able to access the network without any time constraint.
8. Click Save.
For more information on time range configuration, see the Aruba Instant User Guide.
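The following Python sketch is an added example, not code from Aruba Central or from this guide. It models the periodic Daily and Weekly semantics from Table 99, the SSID Status behaviour, and the ACL case where no profile is attached; the class and function names are hypothetical, and the exclusive end time and the rejection of wrapping windows are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Day indexes follow datetime.weekday(): Monday=0 ... Sunday=6.
DAY_RANGES = {
    "all_days": range(0, 7),  # Monday--Sunday
    "weekdays": range(0, 5),  # Monday--Friday
    "weekend": range(5, 7),   # Saturday--Sunday
}


@dataclass(frozen=True)
class PeriodicProfile:
    """Hypothetical model of a periodic time range profile (not an Aruba API)."""
    repeat: str                  # "daily" or "weekly"
    start: time
    end: time
    day_range: str = "all_days"  # used when repeat == "daily"
    start_day: int = 0           # used when repeat == "weekly"
    end_day: int = 6             # used when repeat == "weekly"


def _minute_of_week(day: int, t: time) -> int:
    return day * 1440 + t.hour * 60 + t.minute


def _bounds(p: PeriodicProfile):
    """Return (begin, finish) in minutes.

    Windows that wrap past midnight (daily) or past Sunday (weekly) are
    rejected because the guide does not describe how they behave.
    """
    if p.repeat == "daily":
        begin, finish = _minute_of_week(0, p.start), _minute_of_week(0, p.end)
    elif p.repeat == "weekly":
        begin = _minute_of_week(p.start_day, p.start)
        finish = _minute_of_week(p.end_day, p.end)
    else:
        raise ValueError(f"unknown repeat value: {p.repeat!r}")
    if begin >= finish:
        raise ValueError("window must start before it ends")
    return begin, finish


def in_range(p: PeriodicProfile, ts: datetime) -> bool:
    """True when ts is inside the window (assumption: end time is exclusive)."""
    begin, finish = _bounds(p)
    if p.repeat == "daily":
        # The same start..end window repeats on each day of the day range.
        now = _minute_of_week(0, ts.time())
        return ts.weekday() in DAY_RANGES[p.day_range] and begin <= now < finish
    # Weekly: one continuous window from start day/time to end day/time.
    return begin <= _minute_of_week(ts.weekday(), ts.time()) < finish


def minutes_per_week(p: PeriodicProfile) -> int:
    """Total minutes per week covered by the profile, for reviewing exposure."""
    begin, finish = _bounds(p)
    days = len(DAY_RANGES[p.day_range]) if p.repeat == "daily" else 1
    return days * (finish - begin)


def ssid_available(p: PeriodicProfile, status: str, ts: datetime) -> bool:
    """Status 'enabled' exposes the SSID only inside the window;
    'disabled' hides it inside the window and exposes it otherwise."""
    if status not in ("enabled", "disabled"):
        raise ValueError(f"unknown status: {status!r}")
    inside = in_range(p, ts)
    return inside if status == "enabled" else not inside


def acl_time_constraint_met(p: Optional[PeriodicProfile], ts: datetime) -> bool:
    """Access rule check: with no profile attached (disabled or deleted),
    there is no time constraint, so the rule is never blocked by time."""
    return True if p is None else in_range(p, ts)


# Constructed sample profiles matching the two examples in Table 99.
DAILY_WEEKDAYS = PeriodicProfile("daily", time(1, 0), time(2, 0), day_range="weekdays")
WEEKLY_MON_FRI = PeriodicProfile("weekly", time(1, 0), time(2, 0), start_day=0, end_day=4)

if __name__ == "__main__":
    monday_3am = datetime(2020, 6, 1, 3, 0)  # constructed timestamp, a Monday
    for name, prof in (("daily", DAILY_WEEKDAYS), ("weekly", WEEKLY_MON_FRI)):
        print(name, in_range(prof, monday_3am), minutes_per_week(prof) / 60, "h/week")
```

With the two Table 99 examples, the Daily profile covers 5 hours a week while the Weekly profile covers 97, which is worth checking when a time range is meant to restrict access.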


Configuring ARM and RF Parameters on Instant APs
This section provides the following information:
- ARM Overview
- Configuring ARM Features
- Configuring Radio Parameters
ARM Overview
ARM is a radio frequency management technology that optimizes WLAN performance even in the networks with highest traffic by dynamically and intelligently choosing the best 802.11 channel and transmitting power for each Instant AP in its current RF environment. ARM works with all standard clients, across all operating systems, while remaining in compliance with the IEEE 802.11 standards. It does not require any proprietary client software to achieve its performance goals.
ARM ensures low-latency roaming, consistently high performance, and maximum client compatibility in a multi-channel environment. By ensuring the fair distribution of available Wi-Fi bandwidth to mobile devices, ARM ensures that data, voice, and video applications have sufficient network resources at all times. ARM allows mixed 802.11a, b, g, n, and ac client types to interoperate at the highest performance levels.
When ARM is enabled, an Instant AP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and sends reports on WLAN coverage, interference, and intrusion detection to the virtual controller. ARM computes coverage and interference metrics for each valid channel, chooses the best performing channel, and transmit power settings for each Instant AP RF environment. Each Instant AP gathers other metrics on its ARM-assigned channel to provide a snapshot of the current RF health state. Instant APs support the following ARM features:
- Channel or Power Assignment--Assigns channel and power settings for all the Instant APs in the network according to changes in the RF environment.
- Voice Aware Scanning--Improves voice quality by preventing an Instant AP from scanning for other channels in the RF spectrum during a voice call and by allowing an Instant AP to resume scanning when there are no active voice calls.
- Load Aware Scanning--Dynamically adjusts the scanning behavior to maintain uninterrupted data transfer on resource intensive systems when the network traffic exceeds a predefined threshold.
- Band Steering--Assigns the dual-band capable clients to the 5 GHz band on dual-band Instant APs thereby reducing co-channel interference and increasing the available bandwidth for dual-band clients.
- Client Match--Continually monitors the RF neighborhood of the client to support the ongoing band steering and load balancing of channels, and enhanced Instant AP reassignment for roaming mobile clients.
  When Client Match is enabled on 802.11n capable Instant APs, the Client Match feature overrides any settings configured for the legacy band steering, station hand-off assist or load balancing features. The 802.11ac capable Instant APs do not support the legacy band steering, station hand off or load balancing settings, so these Instant APs must be managed using Client Match.
- Airtime Fairness--Provides equal access to all clients on the wireless medium, regardless of client type, capability, or operating system to deliver uniform performance to all clients.

For more information on ARM features supported by the APs, see the Aruba Instant User Guide.

Configuring ARM Features
To configure the ARM features, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the Radios tab. The Radios details page is displayed.
5. Under RF > Adaptive Radio Management (ARM), the Client Control section displays the following components:
   - Band Steering Mode
   - Airtime Fairness Mode
   - ClientMatch
   - ClientMatch Calculating Interval
   - ClientMatch Neighbor Matching
   - ClientMatch Threshold
   - ClientMatch Key
   - Spectrum Load Balancing Mode
6. For Band Steering Mode, configure the following parameters:

Table 100: Band Steering Mode Configuration Parameters

| Data pane item | Description |
|---|---|
| Prefer 5 GHz | Enables band steering in the 5 GHz mode. On selecting this, the Instant AP steers the client to the 5 GHz band (if the client is 5 GHz capable), but allows the client connection on the 2.4 GHz band if the client persistently attempts for 2.4 GHz association. |
| Force 5 GHz | Enforces 5 GHz band steering mode on the Instant APs. |
| Balance Bands | Allows the Instant AP to balance the clients across the two radios to best utilize the available 2.4 GHz bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz, while the 2.4 GHz band operates in 20 MHz. |
| Disable | Allows the clients to select the band to use. |


7. For Airtime Fairness Mode, specify any of the following values:

Table 101: Airtime Fairness Mode Configuration Parameters

| Data pane item | Description |
|---|---|
| Default Access | Allows access based on client requests. When Airtime Fairness Mode is set to Default Access option, per user and per SSID bandwidth limits are not enforced. |
| Fair Access | Allocates air time evenly across all the clients. |
| Preferred Access | Sets a preference where 802.11n clients are assigned more air time than 802.11a/11g. The 802.11a/11g clients get more airtime than 802.11b. The ratio is 16:4:1. |

8. For ClientMatch, configure the following parameters:

Table 102: Additional ARM Configuration Parameters

| Data pane item | Description |
|---|---|
| Client Match | Turn on the toggle switch to enable the Client Match feature on APs. When enabled, client count is balanced among all the channels in the same band. When Client Match is enabled, ensure that the Scanning option is enabled. For more information, see AP Control Configuration Parameters. NOTE: When Client Match is disabled, channels can be changed even when the clients are active on a BSSID. The Client Match option is disabled by default. |
| ClientMatch Calculating Interval | Configures a value for the calculating interval of Client Match. The interval is specified in seconds and the default value is 3 seconds. You can specify a value within the range of 10-600. |
| ClientMatch Neighbor Matching | Configures the calculating interval of Client Match. This number takes into account the least similarity percentage to be considered as in the same virtual RF neighborhood of Client Match. You can specify a percentage value within the range of 20-100. The default value is 60%. |
| ClientMatch Threshold | Configures a Client Match threshold value. This number is the accepted client count difference among all the channels of Client Match. When the client load on an AP reaches or exceeds the threshold in comparison, Client Match is enabled on that AP. You can specify a value within the range of 1-20. The default value is 5. |
| ClientMatch Key | Enables the Client Match feature to work across different standalone Instant APs in the same management VLAN. All such standalone Instant APs must be set with the same Client Match key. Client Match uses the wired layer 2 protocol to synchronize information exchanged between Instant APs. Users have an option to configure the Client Match keys. Instant APs verify if the frames that they broadcast contain a common Client Match key. Instant APs that receive these frames verify if the sender belongs to the same network or if the sender and receiver both have the same Client Match key. You can specify a value within the range of 1-2147483646. |
| Spectrum Load Balancing Mode | Enables the Spectrum Load Balancing mode to determine the balancing strategy for Client Match. The following options are available: Channel, Radio, Channel + Radio. |

9. Click Access Point Control, and configure the following parameters:

Table 103: AP Control Configuration Parameters

Data pane item

Description

Customize Valid Channels

Allows you to select a custom list of valid 20 MHz and 40 MHz channels for 2.4 GHz and 5 GHz bands. By default, the AP uses valid channels as defined by the Country Code (regulatory domain). On selecting Customize Valid Channels, a list of valid channels for both 2.4 GHz and 5 GHz are displayed. The valid channel customization feature is disabled by default.
The valid channels automatically show in the Static Channel Assignment pane.

Min Transmit Power

Allows you to configure a minimum transmission power within a range of 3 to 33 dBm in 3 dBm increments. If the minimum transmission EIRP setting configured on an AP is not supported by the AP model, this value is reduced to the highest supported power setting. The default value for minimum transmit power is 18 dBm.

Max Transmit Power

Allows you to configure the maximum transmission power within a range of 3 to 33 dBm in 3 dBm increments. If the maximum transmission EIRP configured on an AP is not supported by the local regulatory requirements or AP model, the value is reduced to the highest supported power settings.

Client Aware

Allows ARM to control channel assignments for the Instant APs with active clients. When the Client Match mode is disabled, an Instant AP may change to a more optimal channel, which disrupts current client traffic. The Client Aware option is enabled by default.

Scanning

Allows the Instant AP to dynamically scan all 802.11 channels within its 802.11 regulatory domain at regular intervals. This scanning report includes WLAN coverage, interference, and intrusion detection data.
NOTE: For Client Match configuration, ensure that Scanning is enabled.

Wide Channel Bands

Allows the administrators to configure 40 MHz channels in the 2.4 GHz and 5.0 GHz bands. 40 MHz channels are two 20 MHz adjacent channels that are bonded together. The 40 MHz channel effectively doubles the frequency bandwidth available for data transmission. For high performance, you can select 5 GHz. If the AP density is low, enable in the 2.4 GHz band.

80 MHz Support

Enables or disables the use of 80 MHz channels on APs. This feature allows ARM to assign 80 MHz channels on APs with 5 GHz radios, which support a very high throughput. This setting is enabled by default.

NOTE: Only the APs that support 802.11ac can be configured with 80 MHz channels.

10. Click Channel Control, and configure the following parameters:

Table 104: Channel Control Configuration Parameters

Data pane item

Description

Backoff Time

Allows you to configure the time within a range of 10 to 3600 seconds, when an Instant AP backs off after requesting a new channel or power. It can increase the time window of channel interference check, and the time window of power check. The default value for minimum back off time is 240 seconds.

Free Channel Index

Allows you to check the difference in threshold in the channel interference index between the new channel and the existing channel. An Instant AP only moves to a new channel if the new channel has a lower interference index value than the current channel. This parameter specifies the required difference between the two interference index values before the Instant AP moves to the new channel. The lower this value, the more likely the Instant AP moves to the new channel. It has a default value of 25.

Ideal Coverage Index

Allows you to specify the ideal coverage index in the range of 2 to 20, which an Instant AP tries to achieve on its channel. The denser the Instant AP deployment, the lower this value should be. It has a default value of 10.

Channel Quality Aware Arm Disable

Allows ARM to ignore the internally calculated channel quality metric and initiates channel changes based on thresholds defined in the profile. ARM chooses the channel based on the calculated interference index value. The option Channel Quality Aware Arm Disable is disabled by default.

Channel Quality Threshold

Allows you to specify the channel quality percentage within a range of 0 to 100, below which ARM initiates a channel change. It has a default value of 70%.

Channel Quality Wait Time

Specifies the time that the channel quality is below the channel quality threshold value to initiate a channel change. It has a range of 1 to 3600 seconds, with a default value of 120 seconds.
NOTE: If current channel quality is below the specified channel quality threshold for this wait time period, ARM initiates a channel change.

11. Click Error Rate, and configure the following parameters:

Table 105: Error Rate Configuration Parameters

Data Pane Item

Description

Error Rate Threshold

Configures the minimum percentage of errors in the channel that triggers a channel change. It has a range of 0 to 100% with a default value of 70%.

Error Rate Wait Time

Configures the time that the error rate has to be at least equal to the error rate threshold to trigger a channel change. The error rate must be equal to or more than the error rate threshold to trigger a channel change. It has a range of 1 to 3600 seconds, with a default value of 90 seconds.

12. Click Save Settings.

Configuring Radio Parameters
To configure RF parameters for the 2.4 GHz and 5 GHz radio bands on an Instant AP, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the Radios tab. The Radios details page is displayed.
5. Expand the Radio accordion in the RF dashboard.
6. Under 2.4 GHz band, 5 GHz band, or both, configure the following parameters by clicking the + sign.

Table 106: Radio Configuration Parameters

Data Pane Item

Description

Zone

Allows you to configure a zone per radio band for Instant APs in a cluster. You can also configure an RF zone per Instant AP.
NOTE: Aruba recommends that you configure RF zone for either individual AP or for the cluster. Any discrepancy in the RF zone names may lead to configuration errors.

Legacy Only

Turn on the Legacy Only toggle switch. When enabled, the Instant AP runs the radio in the non-802.11n mode. This option is disabled by default.

802.11d / 802.11h

Turn on the 802.11d / 802.11h toggle switch. When enabled, the radios advertise their 802.11d (Country Information) and 802.11h (Transmit Power Control) capabilities. This option is disabled by default.

Beacon Interval

Configures the beacon period for the Instant AP in milliseconds. This indicates how often the 802.11 beacon management frames are transmitted by the AP. You can specify a value within the range of 60-500. The default value is 100 milliseconds.

Interference Immunity Level

Configures the immunity level to improve performance in high-interference environments. The default immunity level is 2.
- Level 0--No ANI adaptation.
- Level 1--Noise immunity only. This level enables power-based packet detection by controlling the amount of power increase that makes a radio aware that it has received a packet.
- Level 2--Noise and spur immunity. This level also controls the detection of OFDM packets, and is the default setting for the Noise Immunity feature.
- Level 3--Level 2 settings and weak OFDM immunity. This level minimizes false detects on the radio due to interference, but may also reduce radio sensitivity. This level is recommended for environments with a high-level of interference related to 2.4 GHz appliances such as cordless phones.
- Level 4--Level 3 settings, and FIR immunity. At this level, the AP adjusts its sensitivity to in-band power, which can improve performance in environments with high and constant levels of noise interference.
- Level 5--The AP completely disables PHY error reporting, improving performance by eliminating the time the Instant AP spends on PHY processing.

NOTE: Increasing the immunity level makes the AP lose a small amount of range.

Channel Switch Announcement Count

Configures the number of channel switching announcements to be sent before switching to a new channel. This allows the associated clients to recover gracefully from a channel change.

Background Spectrum Monitoring

Turn on the Background Spectrum Monitoring toggle switch. When enabled, the APs in the access mode continue with their normal access service to clients, while performing the additional function of monitoring RF interference (from both neighboring APs and non-Wi-Fi sources such as microwaves and cordless phones) on the channel on which they are currently serving clients.

Customize ARM Power Range

Configures a minimum (Min Power) and maximum (Max Power) power range value for the 2.4 GHz and 5 GHz band frequencies. The default value is 3 dBm. Unlike the configuration in the ARM profile, the transmit power of all radios in the Radio profile does not share the same configuration.

Enable 11ac

Turn on the Enable 11ac toggle switch. When enabled, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an Instant AP, it is automatically enabled for all SSIDs configured on an Instant AP. By default, VHT is enabled on all SSIDs.

NOTE: If you want the 802.11ac Instant APs to function as 802.11n Instant APs, clear this check box to disable VHT on these devices.

Smart antenna

Turn on the Smart antenna toggle switch to combine an antenna array with a digital signal-processing capability to transmit and receive in an adaptive, spatially sensitive manner.

ARM/WIDS Override

When ARM/WIDS Override is disabled, the Instant AP always processes frames for WIDS purposes, even when it is heavily loaded with client traffic. WIDS is an application that detects attacks on a wireless network or wireless system. When ARM/WIDS Override is enabled, the Instant AP stops processing frames for WIDS.

7. Click Save Settings.
Configuring IDS Parameters on APs
Aruba Central supports the IDS feature that monitors the network for the presence of unauthorized APs and clients. It also logs information about the unauthorized APs and clients, and generates reports based on the logged information.

Rogue APs
The IDS feature in the Aruba Central network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations. A rogue AP is an unauthorized AP plugged into the wired side of the network. An interfering AP is an AP seen in the RF environment, but it is not connected to the wired network. While the interfering AP can potentially cause RF interference, it is not considered a direct security threat, because it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP.
The built-in IDS scans for APs that are not controlled by the VC. These are listed and classified as either Interfering or Rogue, depending on whether they are on a foreign network or your network.

Configuring Wireless Intrusion Detection and Protection Policies
To configure a Wireless Intrusion Detection and Protection policy:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced.
5. Click Security. The Security details page is displayed.
6. Click the Wireless IDS/IPS accordion.
The following three sections are displayed:
- Detection
- Protection
- Firewall Settings
You can configure the following options in the above mentioned sections:
- Infrastructure Detection Policies--Specifies the policy for detecting wireless attacks on APs.
- Client Detection Policies--Specifies the policy for detecting wireless attacks on clients.
- Infrastructure Protection Policies--Specifies the policy for protecting APs from wireless attacks.
- Client Protection Policies--Specifies the policy for protecting clients from wireless attacks.
- Firewall Policies--Specifies the policies to set a firewall for a secured network access.
- Containment Methods--Prevents unauthorized stations from connecting to your Aruba Central network.
Each of these options contains several default levels that enable different sets of policies. An administrator can customize, enable, or disable these options accordingly.

Detection
The detection levels can be configured using the Detection section. The following levels of detection can be configured in the WIP Detection page:
- High
- Medium
- Low
- Off
- Custom
The following table describes the detection policies enabled in the Infrastructure Detection field.

Table 107: Infrastructure Detection Policies

Detection level

Detection policy

Off

All detection policies are disabled.

Low

- Detect Windows Bridge
- Signature Deassociation Broadcast
- Signature Deauthentication Broadcast
- Detect AP Spoofing

Medium

- Detect Windows Bridge
- Signature Deassociation Broadcast
- Signature Deauthentication Broadcast
- Detect AP Spoofing
- Detect adhoc using VALID SSID
- Detect malformed large duration

High

- Detect Windows Bridge
- Signature Deassociation Broadcast
- Signature Deauthentication Broadcast
- Detect AP Spoofing
- Detect adhoc using VALID SSID
- Detect malformed large duration
- Detect Overflow EAPOL key
- Detect Invalid Address Combination
- Detect AP Impersonation
- Detect AP Flood
- Detect Beacon Wrong Channel
- Detect ht Greenfield
- Detect Overflow IE
- Detect RTS Rate Anomaly
- Detect Malformed HT IE
- Detect CTS Rate Anomaly
- Detect Malformed Frame Auth.
- Detect devices with invalid MAC OUI
- Detect Malformed Association Request
- Detect Bad WEP
- Detect Wireless Bridge
- Detect HT 40 MHz intolerance
- Detect Valid SSID Misuse
- Detect Adhoc Network
- Detect Client Flood

Custom

Allows you to select custom detection policies. To select, click the check box of respective detection policy.

The following table describes the detection policies enabled in the Client Detection field.

Table 108: Client Detection Policies

Detection level

Detection policy

Off

All detection policies are disabled.

Low

Detect Valid Station Misassociation

Medium

- Detect Valid Station Misassociation
- Detect Hotspotter Attack
- Detect Power Save DOS Attack
- Detect Omerta Attack
- Detect Disconnect Station
- Detect unencrypted Valid
- Detect Block ACK Attack
- Detect FATA-Jack

High

- Detect Valid Station Misassociation
- Detect Hotspotter Attack
- Detect Power Save DOS Attack
- Detect Omerta Attack
- Detect Disconnect Station
- Detect unencrypted Valid
- Detect Block ACK Attack
- Detect FATA-Jack
- Detect Rate Anomaly
- Detect Chop Chop Attack
- Detect EAP Rate Anomaly
- Detect TKIP Replay Attack
- Signature -- Air Jack
- Signature -- ASLEAP

Custom

Allows you to select custom detection policies. To select, click the check box of respective detection policy.

Protection
The following levels of protection can be configured in the WIP Protection page:
- Off
- Low
- High
- Custom
The following table describes the protection policies that are enabled in the Infrastructure Protection field.

Table 109: Infrastructure Protection Policies

Protection level

Protection policy

Off

All protection policies are disabled

Low

- Protect SSID
- Rogue Containment

High

- Protect SSID
- Rogue Containment
- Protect AP Impersonation
- Protect from Adhoc Networks

Custom

Allows you to select custom protection policies. To select, click the check box of the respective protection policy.

The following table describes the protection policies that are enabled in the Client Protection field.

Table 110: Client Protection Policies

Protection level

Protection policy

Off

All protection policies are disabled

Low

Protect Valid Station

High

- Protect Valid Station
- Protect Windows Bridge

Custom

Allows you to select custom protection policies. To select, click the check box of the respective protection policy.

Containment Methods
You can enable wired and wireless containment measures to prevent unauthorized stations from connecting to your Aruba Central network. Aruba Central supports the following types of containment mechanisms:
- Wired containment -- When enabled, APs generate ARP packets on the wired network to contain wireless attacks.
- Wireless containment -- When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified AP.
  - None -- Disables all the containment mechanisms.
  - Deauthenticate only -- With deauthentication containment, the AP or client is contained by disrupting the client association on the wireless interface.
  - Tarpit containment -- With tarpit containment, the AP is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the AP being contained.
  - Tarpit all stations

The FCC and some third parties have alleged that under certain circumstances, the use of containment functionality violates 47 U.S.C. §333. Before using any containment functionality, ensure that your intended use is allowed under the applicable rules, regulations, and policies. Aruba is not liable for any claims, sanctions, or other direct, indirect, special, consequential or incidental damages related to your use of containment functionality.

Protection Against Wired Attacks
In the Protection Against Wired Attacks section, enable the following options:
- Drop Bad ARP--Drops the fake ARP packets.
- Fix Malformed DHCP--Fixes the malformed DHCP packets.
- ARP Poison Check--Triggers an alert on ARP poisoning caused by the rogue APs.
Firewall Settings
To configure firewall settings by specifying the policies for a secured network access, see Configuring Firewall Parameters for Wireless Network Protection.
For all subnets, a deny rule is created by default as the last rule. If at least one rule is configured, the deny all rule is applied to the upstream traffic by default. Management access to the Instant AP is allowed irrespective of the inbound firewall rule. The inbound firewall is not applied to traffic coming through the GRE tunnel.

Configuring Authentication and Security Profiles on Instant APs
This section describes the authentication and security parameters to configure on an Instant AP:
- Supported Authentication Methods
- Authentication Servers for Instant APs
- Configuring External Authentication Servers for APs
- Configuring Users Accounts for the Instant AP Management Interface
- Configuring Guest and Employee User Profiles on Instant APs
- Configuring Roles and Policies on Instant APs for User Access Control
- Enabling ALG Protocols on Instant APs
- Blacklisting Instant AP Clients
- Configuring an MPSK Local Profile
- Configuring Intra VLAN Traffic Whitelist
Supported Authentication Methods
Authentication is a process of identifying a user through a valid username and password. Clients can also be authenticated based on their MAC addresses. The authentication methods supported by the Instant APs managed through Aruba Central are described in the following sections.
802.1X Authentication
802.1X is a method for authenticating the identity of a user before providing network access to the user. The Aruba Central network supports an internal RADIUS server and an external RADIUS server for 802.1X authentication. For authentication purposes, the wireless client can associate to a NAS or RADIUS client such as a wireless Instant AP. The wireless client can pass data traffic only after successful 802.1X authentication.
The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network first connects to the NAS.
Configuring 802.1X Authentication for a Network Profile
To configure 802.1X authentication for a wireless network profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile for which you want to enable 802.1X authentication, and then click the edit icon.
You can directly edit the SSID name under the Display Name column in the Wireless SSIDs table. Double-click the relevant SSID that you want to rename, and type the new name. Press Enter to complete the process.
6. Under Security, for the Enterprise security level, select the preferred option from Key Management.
7. To terminate the EAP portion of 802.1X authentication on the Instant AP instead of the RADIUS server, set Termination to Enabled. For 802.1X authorization, by default, the client conducts an EAP exchange with the RADIUS server, and the AP acts as a relay for this exchange. When Termination is enabled, the Instant AP itself acts as an authentication server, terminates the outer layers of the EAP protocol, and only relays the innermost layer to the external RADIUS server.
8. Specify the type of authentication server to use.
9. Click Save Settings.
MAC Authentication
MAC authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication requires that the MAC address of a machine matches a manually defined list of addresses. This authentication method is not recommended for scalable networks and the networks that require stringent security settings. MAC authentication can be used alone or it can be combined with other forms of authentication such as WEP authentication.
Configuring MAC Authentication for a Network Profile
To configure MAC authentication for a wireless profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, select a network profile for which you want to enable MAC authentication and click the edit icon.
6. In Security, turn on the MAC Authentication toggle switch to enable Personal or Open security level.
7. Specify the type of authentication server to use.
8. Click Save Settings.
MAC Authentication with 802.1X Authentication
The administrators can enable MAC authentication for 802.1X authentication. MAC authentication shares all the authentication server configurations with 802.1X authentication. If a wireless or wired client connects to the network, MAC authentication is performed first. If MAC authentication fails, 802.1X authentication does not trigger. If MAC authentication is successful, 802.1X authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or mac-auth-only role. You can also configure the following authentication parameters for MAC+802.1X authentication:
- MAC authentication only--Allows you to create a mac-auth-only role to allow role-based access rules when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when the MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.
- L2 authentication fall-through--Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by default.
Configuring MAC Authentication with 802.1X Authentication
To configure MAC authentication with 802.1X authentication for a wireless network profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, select a network profile for which you want to enable MAC and 802.1X authentication and click the edit icon.
6. Turn on the Perform MAC Authentication Before 802.1X toggle switch to use 802.1X authentication only when the MAC authentication is successful.
7. Turn on the MAC Authentication Fail Through toggle switch to use 802.1X authentication even when the MAC authentication fails.
8. Click Save Settings.
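The role outcomes described above for MAC authentication combined with 802.1X, modeled as an added example for reviewing a profile before saving it (not code from Aruba or from this guide). The class and function names are hypothetical, the final role name "employee" is assumed, and a client is assumed to end in deny-all wherever the guide names no other role.

```python
from dataclasses import dataclass
from itertools import product

DENY_ALL = "deny-all"            # role names as used in the guide
MAC_AUTH_ONLY = "mac-auth-only"


@dataclass(frozen=True)
class ProfileSettings:
    """Hypothetical model of one SSID profile; field names are not Aruba's."""
    mac_before_dot1x: bool        # "Perform MAC Authentication Before 802.1X"
    fail_through: bool            # "MAC Authentication Fail Through"
    mac_auth_only_role: bool      # a mac-auth-only role has been created
    dot1x_role: str = "employee"  # assumed name of the final 802.1X role


@dataclass(frozen=True)
class Outcome:
    dot1x_attempted: bool
    role: str


def resolve_role(cfg: ProfileSettings, mac_ok: bool, dot1x_ok: bool) -> Outcome:
    """Return the role a client ends up with for one pair of auth results."""
    if not cfg.mac_before_dot1x:
        # Plain 802.1X profile: the MAC result is never consulted.
        # Assumption: a failed 802.1X exchange leaves the client in deny-all.
        return Outcome(True, cfg.dot1x_role if dot1x_ok else DENY_ALL)
    if not mac_ok and not cfg.fail_through:
        # Guide: if MAC authentication fails, 802.1X does not trigger.
        # Assumption: the client then stays in deny-all.
        return Outcome(False, DENY_ALL)
    if dot1x_ok:
        # Guide: a successful 802.1X result overwrites mac-auth-only.
        # Assumption: the same final role applies after a fall-through.
        return Outcome(True, cfg.dot1x_role)
    if mac_ok and cfg.mac_auth_only_role:
        # Guide: MAC succeeded and 802.1X failed -> mac-auth-only role.
        return Outcome(True, MAC_AUTH_ONLY)
    return Outcome(True, DENY_ALL)


def outcome_matrix(cfg: ProfileSettings) -> dict:
    """All four (mac_ok, dot1x_ok) combinations mapped to their outcome."""
    return {(m, d): resolve_role(cfg, m, d)
            for m, d in product((True, False), repeat=2)}


def review(cfg: ProfileSettings) -> list:
    """Flag settings an administrator should look at before saving."""
    findings = []
    matrix = outcome_matrix(cfg)
    # Roles a client can hold although its 802.1X exchange did not succeed.
    weak = sorted({o.role for (_, d), o in matrix.items()
                   if not d and o.role != DENY_ALL})
    if weak:
        findings.append("roles granted without a successful 802.1X exchange: "
                        + ", ".join(weak))
    if cfg.mac_before_dot1x and cfg.fail_through:
        findings.append("fail-through is on: a failed MAC check "
                        "does not block 802.1X")
    return findings


if __name__ == "__main__":
    # Constructed sample profile: MAC first, no fall-through, mac-auth-only role.
    sample = ProfileSettings(mac_before_dot1x=True, fail_through=False,
                             mac_auth_only_role=True)
    for (mac_ok, dot1x_ok), out in outcome_matrix(sample).items():
        print(f"MAC ok={mac_ok!s:5} 802.1X ok={dot1x_ok!s:5} -> "
              f"{out.role} (802.1X attempted: {out.dot1x_attempted})")
    for finding in review(sample):
        print("REVIEW:", finding)
```

Because the mac-auth-only role is reached on a MAC address match alone, the access rules attached to it are the ones to keep narrowest.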
Captive Portal Authentication
Captive portal authentication is used for authenticating guest users. For more information, see Configuring Wireless Networks for Guest Users on Instant APs.
MAC Authentication with Captive Portal Authentication
The following conditions apply to a network profile with MAC authentication and Captive Portal authentication enabled:
- If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.
- If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.
- If the captive portal splash page type is None, MAC authentication is disabled.
The MAC authentication with captive portal authentication supports the mac-auth-only role.
Configuring MAC Authentication with Captive Portal Authentication
To configure the MAC authentication with captive portal authentication for a network profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, select an existing wireless profile for which you want to enable MAC authentication with captive portal authentication, and then click the edit icon.
6. Under Access, specify the following parameters for a network with Role Based rules:
a. Turn on the Enforce Machine Authentication toggle switch, when MAC authentication is enabled for captive portal. If the MAC authentication fails, the captive portal authentication role is assigned to the client.
b. For wireless network profile, turn on the Enforce MAC Auth Only Role toggle switch, when MAC authentication is enabled for captive portal. After successful MAC authentication, the MAC Auth Only role is assigned to the client.
7. Click Next.
802.1X Authentication with Captive Portal Authentication
This authentication method allows you to configure different captive portal settings for clients on the same SSID. For example, you can configure an 802.1X SSID and create a role for captive portal access, so that some of the clients using the SSID derive the captive portal role. You can configure rules to indicate access to external or internal Captive portal, or none. For more information on configuring captive portal roles for an SSID with 802.1X authentication, see Configuring Wireless Networks for Guest Users on Instant APs.
WISPr Authentication
WISPr authentication allows a smart client to authenticate on the network when they roam between wireless Internet service providers, even if the wireless hotspot uses an ISP with whom the client may not have an account. If a hotspot is configured to use WISPr authentication in a specific ISP and a client attempts to access the Internet at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and allows the client to access the network. If the client only has an account with a partner ISP, the WISPr AAA server forwards the client's credentials to the partner ISP's WISPr AAA server for authentication. When the client is authenticated on the partner ISP, it is also authenticated on your hotspot's own ISP as per their service agreements. The Instant AP assigns the default WISPr user role to the client when your ISP sends an authentication message to the Instant AP. Instant APs support the following smart clients:
- iPass
- Boingo
These smart clients enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, authentication, and logoff messages within HTML messages that are sent to the Instant AP.
Configuring WISPr Authentication
To configure WISPr authentication, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the WISPr accordion.
6. Under WISPr, configure the following parameters:
- ISO Country Code--The ISO Country Code for the WISPr Location ID.
- E.164 Area Code--The E.164 Area Code for the WISPr Location ID.
- Operator Name--The operator name of the hotspot.
- E.164 Country Code--The E.164 Country Code for the WISPr Location ID.
- SSID/Zone--The SSID/Zone for the WISPr Location ID.
- Location Name--Name of the hotspot location. If no name is defined, the name of the Instant AP, to which the user is associated, is used.
7. Click Save Settings.
The WISPr RADIUS attributes and configuration parameters are specific to the RADIUS server used by your ISP for the WISPr authentication. Contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites (www.iso.org and http://www.itu.int).
A Boingo smart client uses a NAS identifier in the format <CarrierID>_<VenueID> for location identification. To support Boingo clients, ensure that you configure the NAS identifier parameter in the RADIUS server profile for the WISPr server.
Walled Garden
On the Internet, a walled garden typically controls access to web content and services. Walled garden access is required when an external captive portal is used. For example, in a hotel environment, the unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents. The users who do not sign up for the Internet service can view the allowed websites (typically hotel property websites). The website names must be DNS-based and support the option to define wildcards. When a user attempts to navigate to other websites that are not in the whitelist of the walled garden profile, the user is redirected to the login page. Instant AP supports Walled Garden only for HTTP requests. For example, if you add yahoo.com to the Walled Garden whitelist and the client sends an HTTPS request (https://yahoo.com), the requested page is not displayed and the user is redirected to the captive portal login page. In addition, a blacklisted walled garden profile can also be configured to explicitly block the unauthenticated users from accessing some websites.
Configuring Walled Garden Access
To configure walled garden access, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Walled Garden accordion.
6. To allow access to a specific set of websites, click + under Whitelist, enter the domain name in the window. This allows access to a domain while the user remains unauthenticated. Specify a POSIX regular expression (regex(7)). For example:
- yahoo.com matches various domains such as news.yahoo.com, travel.yahoo.com and finance.yahoo.com
- www.apple.com/library/test is a subset of www.apple.com site corresponding to path /library/test/*
- favicon.ico allows access to /favicon.ico from all domains.
7. To deny users access to a domain, click + under Blacklist, and enter the domain name in the window. This prevents the unauthenticated users from viewing specific websites. When a URL specified in the blacklist is accessed by an unauthenticated user, Instant AP sends an HTTP 403 response to the client with an error message.
8. Click Save Settings.
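Because whitelist entries are regular expressions, an entry such as yahoo.com admits more host names than the three listed above. The following added example (not part of the guide or of Aruba's software) audits entries against constructed requests; the matching model (an unanchored search over host followed by path), the blacklist-first ordering and all function names are assumptions made for illustration.

```python
import re


def entry_matches(entry, host, path="/"):
    # Assumed model, inferred from the guide's three examples: the entry is an
    # unanchored regular expression searched in "host + path" of the request.
    return re.search(entry, host + path, re.IGNORECASE) is not None


def decide(scheme, host, path, whitelist, blacklist=()):
    """Outcome for an unauthenticated client, following the guide's text."""
    if scheme != "http":
        # Walled Garden applies only to HTTP requests: an HTTPS request to a
        # whitelisted name still ends at the captive portal login page.
        return "redirect-to-login"
    # Assumption: blacklist entries are evaluated before whitelist entries.
    if any(entry_matches(e, host, path) for e in blacklist):
        return "http-403"
    if any(entry_matches(e, host, path) for e in whitelist):
        return "allow"
    return "redirect-to-login"


def lint_entry(entry):
    """Reasons an entry may admit more than the administrator intended."""
    findings = []
    if not entry.startswith("^"):
        findings.append("unanchored")      # can match anywhere in host + path
    if re.search(r"(?<!\\)\.", entry):
        findings.append("unescaped-dot")   # "." matches any character
    return findings


def domain_entry(domain):
    """Pattern for exactly `domain` and its subdomains, with any path."""
    return r"^([a-z0-9-]+\.)*" + domain.replace(".", r"\.") + r"(/|$)"


# Constructed requests (scheme, host, path) used to compare entries.
SAMPLES = [
    ("http", "news.yahoo.com", "/"),
    ("https", "yahoo.com", "/"),
    ("http", "yahoo.com.example.net", "/"),
    ("http", "yahooxcom.example.net", "/"),
    ("http", "other.example.org", "/"),
]


def audit(whitelist, samples=SAMPLES):
    """Map each sample URL to the decision the whitelist produces."""
    return {f"{s}://{h}{p}": decide(s, h, p, whitelist) for s, h, p in samples}


if __name__ == "__main__":
    for label, wl in (("loose", ["yahoo.com"]),
                      ("tight", [domain_entry("yahoo.com")])):
        print(label, lint_entry(wl[0]))
        for url, outcome in audit(wl).items():
            print("   ", url, "->", outcome)
```

Running the audit with the loose entry shows the two look-alike hosts being allowed; the anchored, dot-escaped entry allows only news.yahoo.com.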
Support for Multiple PSK in WLAN SSID
Aruba Central allows you to configure multiple PSK (MPSK) in WLAN network profiles that include APs running Aruba Instant 8.4.0.0 or later firmware. MPSK enhances the WPA2 PSK mode by allowing device-specific or group-specific passphrases, which are generated by ClearPass Policy Manager and sent to the Instant AP. WPA2 PSK-based deployments generally consist of a single passphrase configured as part of the WLAN SSID profile. This single passphrase is applicable for all clients that associate with the SSID. Starting from Aruba Instant 8.4.0.0, multiple PSKs in conjunction with ClearPass Policy Manager are supported for WPA and WPA2 PSK-based deployments. Every client connected to the WLAN SSID can have its own unique PSK. An MPSK passphrase requires MAC authentication against a ClearPass Policy Manager server. The MPSK passphrase works only with wpa2-psk-aes encryption and not with any other PSK-based encryption. The Aruba-MPSK-Passphrase RADIUS VSA is added and the ClearPass Policy Manager server populates this VSA with the encrypted passphrase for the device.


The workflow is as follows:
1. A user registers the device on a ClearPass Policy Manager guest-registration or device-registration webpage and receives a device-specific or group-specific passphrase.
2. The device associates with the SSID using wpa2-psk-aes encryption and uses MPSK passphrase.
3. The Instant AP performs MAC authentication of the client against the ClearPass Policy Manager server. On successful MAC authentication, the ClearPass Policy Manager returns Access-Accept with the VSA containing the encrypted passphrase.
4. The Instant AP generates a PSK from the passphrase and performs 4-way key exchange.
5. If the device uses the correct per-device or per-group passphrase, authentication succeeds. If the ClearPass Policy Manager server returns Access-Reject or the client uses incorrect passphrase, authentication fails.
6. The Instant AP stores the MPSK passphrase in its local cache for client roaming. The cache is shared between all the Instant APs within a single cluster. The cache can also be shared with standalone Instant APs in a different cluster provided the APs belong to the same multicast VLAN. Each Instant AP first searches the local cache for the MPSK information. If the local cache has the corresponding MPSK passphrase, the Instant AP skips the MAC authentication procedure, and provides access to the client.
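The workflow above, modelled as an added example that is not Aruba's implementation: the PSK is derived with the standard WPA2-Personal function (PBKDF2-HMAC-SHA1 over passphrase and SSID), and a cache hit skips MAC authentication. The device registry, SSID and class names are constructed; decryption of the VSA and the real 4-way key exchange are replaced by a direct comparison of derived keys, which is a simplifying assumption.

```python
import hashlib
import hmac


def wpa2_psk(passphrase, ssid):
    """WPA2-Personal derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class InstantApModel:
    """One AP in a cluster; `shared_cache` is the cluster-wide MPSK cache."""

    def __init__(self, ssid, mac_auth, shared_cache):
        self.ssid = ssid
        # Stand-in for the RADIUS exchange: returns the device's passphrase
        # (Access-Accept with the VSA) or None (Access-Reject).
        self.mac_auth = mac_auth
        self.cache = shared_cache
        self.mac_auth_requests = 0

    def associate(self, mac, client_passphrase):
        mac = mac.lower()
        # Each AP first searches the cache for the MPSK information.
        passphrase = self.cache.get(mac)
        if passphrase is None:
            # Step 3: MAC authentication against the policy server.
            self.mac_auth_requests += 1
            passphrase = self.mac_auth(mac)
            if passphrase is None:
                return "fail: Access-Reject"
        # Step 4: derive the PSK. Comparing it with the key the client derives
        # stands in for the 4-way key exchange, which proves the same thing.
        ap_psk = wpa2_psk(passphrase, self.ssid)
        sta_psk = wpa2_psk(client_passphrase, self.ssid)
        if not hmac.compare_digest(ap_psk, sta_psk):
            return "fail: incorrect passphrase"      # step 5
        self.cache[mac] = passphrase                 # step 6
        return "success"


# Constructed registrations: one passphrase per device on the same SSID.
REGISTERED = {
    "aa:bb:cc:00:00:01": "constructed-passphrase-printer",
    "aa:bb:cc:00:00:02": "constructed-passphrase-camera",
}


def roaming_demo():
    cache = {}
    ap1 = InstantApModel("example-ssid", REGISTERED.get, cache)
    ap2 = InstantApModel("example-ssid", REGISTERED.get, cache)
    first = ap1.associate("AA:BB:CC:00:00:01", "constructed-passphrase-printer")
    roamed = ap2.associate("aa:bb:cc:00:00:01", "constructed-passphrase-printer")
    return first, roamed, ap1.mac_auth_requests, ap2.mac_auth_requests


if __name__ == "__main__":
    print(roaming_demo())
```

In the demo the second AP admits the roaming client from the shared cache without sending a MAC authentication request of its own.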
When multiple PSK is enabled on the wireless SSID profile, make sure that MAC authentication is not configured for RADIUS authentication. Multiple PSK and MAC authentication are mutually exclusive and follow a special procedure which does not require enabling MAC authentication in the WLAN SSID manually. Also, ensure that the RADIUS server configured for the wireless SSID profile is not an internal server.
Points to Remember
The following configurations are mutually exclusive with MPSK for the WLAN SSID profile and do not need to be configured manually:
- MPSK and MAC authentication
- MPSK and Blacklisting
- MPSK and internal RADIUS server
Configuring Multiple PSK for Wireless Networks
To configure multiple PSK for wireless networks, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click WLANs tab. The WLANs detail page is displayed.
5. Click + Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. Click the Security tab.
7. Select Personal from the Security Level. The authentication options applicable to the Enterprise network are displayed.
8. From the Key Management drop-down list, select the MPSK-AES option.
9. From the Primary Server drop-down list, select a server. The RADIUS server selected from the list is the CPPM server.
10. Click Save Settings.
Enabling MPSK Local for Wireless Networks
To configure MPSK Local for wireless networks, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click WLANs tab. The WLANs detail page is displayed.
5. Click + Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. Click the Security tab.
7. Select Personal from the Security Level. The authentication options applicable to the personal network are displayed.
8. From the Key Management drop-down list, select the Mpsk Local option.
9. From the Mpsk Local drop-down list, select an MPSK Local profile.
The MPSK Local feature is supported for 8.7.0.0 or later versions. You cannot select an MPSK Local profile from the Mpsk Local drop-down list if the AP version is earlier than 8.7.0.0.
10. Click Save Settings.
Configuring WPA3 Encryption
Aruba Central supports WPA3 encryption for security profiles in SSID creation for networks that include APs running Aruba Instant 8.4.0.0 firmware version and above. The WPA3 security provides robust protection with unique encryption per user session thereby ensuring a highly secured connection even on a public Wi-Fi hotspot. The following are the WPA3 encryptions based on the Enterprise, Personal, or Open network types:
- WPA-3 Personal when the security level is Personal.
- Enhanced Open when the security level is Open.
WPA3 Enterprise
WPA3-Enterprise enforces top secret security standards for an enterprise Wi-Fi in comparison to secret security standards. Top secret security standards include:
- Deriving at least 384-bit PMK/MSK using Suite B compatible EAP-TLS.
- Securing pairwise data between STA and authenticator using AES-GCM-256.
- Securing group addressed data between STA and authenticator using AES-GCM-256.
- Securing group addressed management frames using BIP-GMAC-256.
Aruba Instant supports WPA3-Enterprise only in non-termination 802.1X and tunnel-forward modes. WPA3-Enterprise compatible 802.1X authentication occurs between STA and CPPM.
WPA3-Enterprise advertises or negotiates the following capabilities in beacons, probe responses, or 802.11 association:
- AKM Suite Selector as 00-0F-AC:12
- Pairwise Cipher Suite Selector as 00-0F-AC:9
- Group data cipher suite selector as 00-0F-AC:9
- Group management cipher suite (MFP) selector as 00-0F-AC:12
If WPA3-Enterprise is enabled, STA is successfully associated only if it uses one of the four suite selectors for AKM selection, pairwise data protection, group data protection, and group management protection. If a STA mismatches any one of the four suite selectors, the STA association fails.
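The four selectors can be checked against a captured RSN element (element ID 48) when troubleshooting a failed association. This added example, which is not from the guide or from Aruba's code, parses the element and reports which selectors differ from the values listed above; both sample elements are constructed, and requiring exactly one pairwise and one AKM entry is an assumption that fits an association request.

```python
import struct

OUI = bytes.fromhex("000fac")
# Suite types listed in the guide for WPA3-Enterprise.
REQUIRED = {"group_data": 9, "pairwise": 9, "akm": 12, "group_mgmt": 12}


def parse_rsne(ie):
    """Parse an RSN element into its suite selectors and capability bits."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN element (ID 48)")
    body = ie[2:]
    if len(body) != ie[1]:
        raise ValueError("length field does not match element size")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated field")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def u16():
        return struct.unpack("<H", take(2))[0]   # RSNE counts are little-endian

    def suite():
        raw = take(4)
        return (raw[:3], raw[3])                 # (OUI, suite type)

    def suite_list():
        return [suite() for _ in range(u16())]

    out = {"version": u16(), "group_data": None, "pairwise": [], "akm": [],
           "caps": None, "pmkids": [], "group_mgmt": None}
    # Every field after the version is optional; the element may end at any
    # field boundary, so stop as soon as the body is consumed.
    fields = [
        ("group_data", suite),
        ("pairwise", suite_list),
        ("akm", suite_list),
        ("caps", u16),
        ("pmkids", lambda: [take(16) for _ in range(u16())]),
        ("group_mgmt", suite),
    ]
    for name, reader in fields:
        if pos == len(body):
            break
        out[name] = reader()
    if pos != len(body):
        raise ValueError("trailing bytes after group management suite")
    return out


def wpa3_enterprise_mismatches(rsne):
    """Names of the selectors that differ from the guide's four values."""
    want = {name: (OUI, suite_type) for name, suite_type in REQUIRED.items()}
    got = {
        "group_data": rsne["group_data"],
        "pairwise": rsne["pairwise"][0] if len(rsne["pairwise"]) == 1 else None,
        "akm": rsne["akm"][0] if len(rsne["akm"]) == 1 else None,
        "group_mgmt": rsne["group_mgmt"],
    }
    return [name for name in ("group_data", "pairwise", "akm", "group_mgmt")
            if got[name] != want[name]]


# Constructed element carrying the four selectors from the guide.
SAMPLE_MATCHING = bytes.fromhex(
    "301a" "0100" "000fac09" "0100" "000fac09" "0100" "000fac0c"
    "c000" "0000" "000fac0c")
# Constructed WPA2-Enterprise style element (suite types 4, 4 and 1).
SAMPLE_WPA2 = bytes.fromhex(
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")

if __name__ == "__main__":
    for name, ie in (("matching", SAMPLE_MATCHING), ("wpa2", SAMPLE_WPA2)):
        print(name, wpa3_enterprise_mismatches(parse_rsne(ie)))
```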
Configuring WPA3 for Wireless Network
To configure WPA3 for enterprise security, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click WLANs tab. The WLANs detail page is displayed.
5. Click + Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table, and then click the edit icon.
6. Click the Security tab.
7. Select Enterprise from the Security Level. The authentication options applicable to the Enterprise network are displayed.
8. Select one of the following from the Key Management drop-down list:
- WPA-3 Enterprise(GCM 256)--Select this option to use WPA-3 security employing GCM encryption operation mode limited to encrypting 256 bits of plain text.
- WPA-3 Enterprise(CCM 128)--Select this option to use WPA-3 security employing CCM encryption operation mode limited to encrypting 128 bits of plain text.
9. Click Save Settings.
Configuring WPA3 for Personal Security
To configure WPA3 for personal security, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click WLANs tab. The WLANs detail page is displayed.
5. Click + Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. Click the Security tab.
7. Select Personal from the Security Level. The authentication options applicable to the Personal network are displayed.
8. Select WPA-3 Personal from the Key Management drop-down list.
9. Click Save Settings.
Authentication Servers for Instant APs
Based on the security requirements, you can configure internal or external RADIUS servers. This section describes the types of authentication servers and authentication termination that can be configured for a network profile.
External RADIUS Server
In the external RADIUS server, the IP address of the VC is configured as the NAS IP address. Aruba Central RADIUS is implemented on the VC, and this eliminates the need to configure multiple NAS clients for every Instant AP on the RADIUS server for client authentication. Aruba Central RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the authentication request with an Access-Accept or Access-Reject message, and users are allowed or denied access to the network depending on the response from the RADIUS server. When you enable an external RADIUS server for the network, the client on the Instant AP sends a RADIUS packet to the local IP address. The external RADIUS server then responds to the RADIUS packet. Aruba Central supports the following external authentication servers:
- RADIUS
- LDAP
To use an LDAP server for user authentication, configure the LDAP server on the VC, and configure user IDs and passwords. To use a RADIUS server for user authentication, configure the RADIUS server on the VC.
RADIUS Server Authentication with VSA
An external RADIUS server authenticates network users and returns to the Instant AP the VSA that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.
Internal RADIUS Server


Each Instant AP has an instance of free RADIUS server operating locally. When you enable the internal RADIUS server option for the network, the client on the Instant AP sends a RADIUS packet to the local IP address. The internal RADIUS server listens and replies to the RADIUS packet. The following authentication methods are supported in the Aruba Central network:
- EAP-TLS--The EAP-TLS method supports the termination of EAP-TLS security using the internal RADIUS server. The EAP-TLS requires both server and CA certificates installed on the Instant AP. The client certificate is verified on the virtual controller (the client certificate must be signed by a known CA), before the username is verified on the authentication server.
- EAP-TTLS (MSCHAPv2)--The EAP-TTLS method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords.
- EAP-PEAP (MSCHAPv2)--EAP-PEAP is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with server. The PEAP authentication creates an encrypted SSL / TLS tunnel between the client and the authentication server. Exchange of information is encrypted and stored in the tunnel ensuring the user credentials are kept secure.
- LEAP--LEAP uses dynamic WEP keys for authentication between the client and authentication server.
To use the internal database of an AP for user authentication, add the names and passwords of the users to be authenticated.
Aruba does not recommend the use of LEAP authentication because it does not provide any resistance to network attacks.
RADIUS Communication over TLS (RadSec)
RADIUS over TLS, also known as RadSec, is a RADIUS protocol that uses the TLS protocol for end-to-end secure communication between the RADIUS server and Instant AP. RadSec wraps the entire RADIUS packet payload into a TLS stream. Enabling RadSec increases the level of security for authentication that is carried out across the cloud network. When configured, this feature ensures that the RadSec protocol is used for safely transmitting the authentication and accounting data between the Instant AP and the RadSec server. The following conditions apply to RadSec configuration:
- The RADIUS packets go through the tunnel when TLS tunnel is established.
- By default, the TCP port 2083 is assigned for RadSec. Separate ports are not used for authentication, accounting, and dynamic authorization changes.
- Aruba Central supports dynamic CoA (RFC 3576) over RadSec and the RADIUS server uses an existing TLS connection opened by the Instant AP to send the request.
- By default, the Instant AP uses its device certificate to establish a TLS connection with RadSec server. You can also upload your custom certificates on to Instant AP. For more information on uploading certificates, see Certificates.
Authentication Termination on Instant AP
Aruba Central allows EAP termination for PEAP-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2). PEAP-GTC termination allows authorization against an LDAP server and external RADIUS server while PEAP-MSCHAPv2 allows authorization against an external RADIUS server. This allows the users to run PEAP-GTC termination with their username and password to a local Microsoft Active Directory server with LDAP authentication.
- EAP-GTC--This EAP method permits the transfer of unencrypted usernames and passwords from client to server. The EAP-GTC is mainly used for one-time token cards such as SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the Instant AP to an external authentication server for user data backup.
- EAP-MSCHAPv2--This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.
Dynamic Load Balancing between Authentication Servers
You can configure two authentication servers to serve as a primary and backup RADIUS server and enable load balancing between these servers. Load balancing of authentication servers ensures that the authentication load is split across multiple authentication servers and enables the Instant APs to perform load balancing of authentication requests destined to authentication servers such as RADIUS or LDAP.
The load balancing in Instant AP is performed based on the outstanding authentication sessions. If there are no outstanding sessions and if the rate of authentication is low, only primary server will be used. The secondary is used only if there are outstanding authentication sessions on the primary server. With this, the load balance can be performed across asymmetric capacity RADIUS servers without the need to obtain inputs about the server capabilities from the administrators.

Configuring External Authentication Servers for APs
You can configure an external RADIUS server, TACACS, and LDAP server for user authentication. You can configure guest network using External Captive Portal profile for external authentication. To configure a server, complete the following procedure:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure APs are displayed.
4. Click Show Advanced, and click the Security tab. The Security details for the selected group or the device are displayed.
5. In the Authentication Server panel, click + to create a new server.
6. Select any of the following server types and configure the parameters for your deployment scenario.

Table 111: Authentication Server Configuration

Type of Server: RADIUS
- Name--Name of the external RADIUS server.
- IP Address--IP address or the FQDN of the external RADIUS server.
- Radsec--Set Radsec to Enabled to enable secure communication between the RADIUS server and Instant AP by creating a TLS tunnel between the Instant AP and the server. If Radsec is enabled, the following configuration options are displayed:
  - Radsec Port--Communication port number for RadSec TLS connection. By default, the port number is set to 2083.
  - NAS Identifier
  - NAS IP Address
  - Service Type Framed User
  - Query Status of RADIUS Servers (RFC 5997)
  - Dynamic Authorization
- Auth Port--Authorization port number of the external RADIUS server. The default port number is 1812.
- Accounting Port--The accounting port number used for sending accounting records to the RADIUS server. The default port number is 1813.
- Shared Key and Retype Shared Key--Shared key for communicating with the external RADIUS server.
- Timeout--The timeout duration for one RADIUS request. The Instant AP retries sending the request several times (as configured in the Retry count) before the user is disconnected. For example, if the Timeout is 5 seconds and the Retry count is 3, the user is disconnected after 20 seconds. The default value is 5 seconds.
- Retry Count--The maximum number of authentication requests that can be sent to the server group by the Instant AP. You can specify a value within the range of 1-5. The default value is 3 requests.
- Dynamic Authorization--To allow the APs to process RFC 3576-compliant CoA and disconnect messages from the RADIUS server, select this check box. Disconnect messages terminate the user session immediately, whereas the CoA messages modify session authorization attributes such as data filters. When you enable the Dynamic Authorization option, the AirGroup CoA Port field is displayed with the port number for sending Bonjour support CoA on a different port than on the standard CoA port. The default value is 5999.
- NAS IP Address--Enter the IP address. For Instant AP-based cluster deployments, ensure that you enter the VC IP address as the NAS IP address.
- NAS Identifier--Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.
- Dead Time--Specify a dead time for authentication server in minutes. When two or more authentication servers are configured on the Instant AP and a server is unavailable, the dead time configuration determines the duration for which the authentication server is available if the server is marked as unavailable.
- If Dynamic RADIUS Proxy (DRP) is enabled on the APs, configure the following parameters:
  - DRP IP--IP address to be used as source IP for RADIUS packets.
  - DRP MASK--Subnet mask of the DRP IP address.
  - DRP VLAN--VLAN in which the RADIUS packets are sent.
  - DRP GATEWAY--Gateway IP address of the DRP VLAN.
- Service Type Framed User--Select any of the following check boxes to send the service type as Framed User in the access requests to the RADIUS server:
  - 802.1X--Changes the service type to frame for 802.1X authentication.
  - MAC--Changes the service type to frame for MAC authentication.
  - Captive Portal--Changes the service type to frame for Captive Portal authentication.
- Query Status of RADIUS Servers (RFC 5997)--Select any of the following check boxes to detect the server status of the RADIUS server:
  - Authentication--Select this check box to ensure the Instant AP sends a status-server request to determine the actual state of the authentication server before marking the server as unavailable.
  - Accounting--Select this check box to ensure the Instant AP sends a status-server request to determine the actual state of the accounting server before marking the server as unavailable.

Type of Server: LDAP
- Name--Name of the LDAP server.
- IP Address--IP address of the LDAP server.
- Auth Port--Authorization port number of the LDAP server. The default port number is 389.
- Admin-DN--A distinguished name for the admin user with read and search privileges across all the entries in the LDAP database (the admin user need not have write privileges, but the admin user must be able to search the database, and read attributes of other users in the database).
- Admin Password and Retype Admin Password--Password for the admin user.
- Base-DN--Distinguished name for the node that contains the entire user database.
- Filter--The filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*).
- Key Attribute--The attribute to use as a key while searching for the LDAP server. For Active Directory, the value is sAMAccountName.
- Timeout--Timeout interval within a range of 1-30 seconds for one RADIUS request. The default value is 5.
- Retry Count--The maximum number of authentication requests that can be sent to the server group. You can specify a value within the range of 1-5. The default value is 3.

Type of Server: TACACS
- Name--Name of the server.
- Shared Key and Retype Key--The secret key to authenticate communication between the TACACS client and server.
- Auth Port--The TCP IP port used by the server. The default port number is 49.
- Timeout--A number between 1 and 30 seconds to indicate the timeout period for TACACS+ requests. The default value is 20 seconds.
- IP Address--IP address of the server.
- Retry Count--The maximum number of authentication attempts to be allowed. The default value is 3.
- Dead Time (in mins)--Specify a dead time for authentication server in minutes. When two or more authentication servers are configured on the AP and a server is unavailable, the dead time configuration determines the duration for which the authentication server is available if the server is marked as unavailable.
- Session Authorization--Enable this option to allow the authorization of sessions.

Type of Server: External Captive Portal--The external captive portal servers are used for authenticating guest users in a WLAN.
- Name--Enter a name for the profile.
- Type--Select any one of the following types of authentication:
  - Radius Authentication--Select this option to enable user authentication against a RADIUS server.
  - Authentication Text--Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.
- IP or Hostname--Enter the IP address or the host name of the external splash page server.
- URL--Enter the URL of the external captive portal server.
- Port--Enter the port number that is used for communicating with the external captive portal server.
- Use HTTPS--Select this to enforce clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.
- Captive Portal Failure--This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to access the network.
- Server Offload--Select the check box to enable the server offload feature. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.
- Prevent Frame Overlay--Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.
- Automatic URL Whitelisting--On enabling this for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically whitelisted.
- Auth Text--If the External Authentication splash page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected.
- Redirect URL--Specify a redirect URL if you want to redirect the users to another URL.

Type of Server: Dynamic Authorization Only
- Name--Name of the server.
- IP Address--IP address of the server.
- AirGroup CoA Port--A port number for sending Bonjour support CoA on a different port than on the standard CoA port. The default value is 5999.
- Shared Key and Retype Key--A shared key for communicating with the external RADIUS server. Change of Authorization (CoA) is a subset of Dynamic Authorization, which includes disconnect messages.

7. Click Save.
To assign the authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.
You can also add an external RADIUS server when configuring a WLAN SSID profile.
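What the RFC 5997 status-server probe named in the RADIUS parameters looks like on the wire, as an added sketch that is not Aruba's code: it carries the NAS IP Address (attribute 4) and NAS Identifier (attribute 32) settings and is authenticated with the shared key through Message-Authenticator (attribute 80). The key, address, identifier and function names are constructed for illustration, and which attributes an Instant AP actually includes in its probe is an assumption.

```python
import hmac
import os
import struct

STATUS_SERVER = 12                 # RADIUS packet code defined by RFC 5997
NAS_IP_ADDRESS, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 4, 32, 80


def _attr(attr_type, value):
    # RADIUS attribute: type, length (including the 2-byte header), value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_status_server(secret, nas_ip, nas_identifier, ident=1, authenticator=None):
    """Build a Status-Server request signed with the shared key."""
    authenticator = authenticator or os.urandom(16)
    attrs = (
        _attr(NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split(".")))
        + _attr(NAS_IDENTIFIER, nas_identifier.encode())
        + _attr(MESSAGE_AUTHENTICATOR, bytes(16))   # zero placeholder, filled below
    )
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(attrs))
    packet = header + authenticator + attrs
    # Message-Authenticator is HMAC-MD5 over the whole packet with the
    # attribute's own 16 value bytes set to zero.
    mac = hmac.new(secret, packet, "md5").digest()
    return packet[:-16] + mac


def parse(packet):
    """Return (code, identifier, [(type, value_offset, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, pos + 2, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, attrs


def message_authenticator_ok(packet, secret):
    """Server-side check: recompute the HMAC with the configured shared key."""
    _, _, attrs = parse(packet)
    for attr_type, offset, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, "md5").digest()
            return hmac.compare_digest(expected, value)
    return False   # RFC 5997 requires the attribute to be present


def split_boingo_nas_id(nas_identifier):
    """Split a NAS identifier of the form <CarrierID>_<VenueID>."""
    carrier, sep, venue = nas_identifier.partition("_")
    if not (carrier and sep and venue):
        raise ValueError("expected <CarrierID>_<VenueID>")
    return carrier, venue


if __name__ == "__main__":
    key = b"constructed-shared-key"
    pkt = build_status_server(key, "192.0.2.10", "carrier1_venue42")
    print(pkt.hex(), message_authenticator_ok(pkt, key))
```

A mismatch in the shared key on either side makes the check fail, which is why a server can look unavailable to the AP even though it is reachable.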

Configuring Users Accounts for the Instant AP Management Interface
You can configure RADIUS or TACACS authentication servers to authenticate and authorize the management users of an Instant AP. The authentication servers determine if the user has access to the administrative interface. The privilege level for different types of management users is defined on the RADIUS or TACACS server. The Instant APs map the management users to the corresponding privilege level and provide access to the users based on the attributes returned by the RADIUS or TACACS server.
In Aruba Central, the Instant AP management user passwords are stored and displayed as a hash instead of plain text. The hash-mgmt-user command is enabled by default on the Instant APs provisioned in the template and UI groups. If a pre-configured Instant AP joins Aruba Central and is moved to a new group, Aruba Central uses the hash-mgmt-user configuration settings and discards mgmt-user configuration settings, if any, on the Instant AP. In other words, Aruba Central hashes management user passwords irrespective of the management user configuration settings running on an Instant AP.
To configure authentication parameters for local admin, read-only, and guest management administrator account settings, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.

5. Click the Administrator accordion and configure the following parameters:

Table 112: Configuration Parameters for the Instant AP Users

Type of the User: Client Control
Authentication Options and Steps to Follow:
- Internal--In the Authentication drop-down list, select Internal if you want to specify a single set of user credentials. If using an internal authentication server:
  1. In Username and Password, enter a username and password.
  2. In Retype Password, retype the password to confirm.
- Authentication Server--In the Authentication drop-down list, select the RADIUS or TACACS authentication servers. You can also create a new server by selecting New from the Authentication server drop-down list.
- Authentication Server with fallback to Internal--In the Authentication drop-down list, select Authentication server w/ fallback to internal option if you want to use both internal and external servers. When enabled, the authentication switches to Internal if there is no response from the RADIUS server (RADIUS server timeout). To use this option, select the authentication servers and configure the user credentials for internal server based authentication.
  1. In Username and Password, enter a username and password.
  2. In Retype Password, retype the password to confirm.
- Load Balancing--If two servers are configured, the users can use them in the primary or backup mode, or load balancing mode. To enable load balancing, select Enabled from the Load balancing drop-down list. For more information on load balancing, see Authentication Servers for Instant APs.
- TACACS Accounting--If a TACACS server is selected, enable TACACS accounting to report management commands, if required.

Type of the User: View Only
To configure a user account with the read-only privileges:
  1. In Username and Password, enter a username and password.
  2. In Retype Password, retype the password to confirm.

Type of the User: Guest Registration Only
To configure a guest user account with the read-only privileges:
  1. In Username and Password, enter a username and password.
  2. In Retype Password, retype the password to confirm.

6. Click Save Settings.

Configuring Guest and Employee User Profiles on Instant APs
The local database of an Instant AP consists of a list of guest and employee users. Adding a user involves specifying login credentials for the user. The login credentials for these users are provided outside the Aruba Central system.
A guest user can be a visitor who is temporarily using the enterprise network to access the Internet. However, if you do not want to allow access to the internal network and the Intranet, you can segregate the guest traffic from the enterprise traffic by creating a guest WLAN and specifying the required authentication, encryption, and access rules.
An employee user is the employee who is using the enterprise network for official tasks. You can create employee WLANs, specify the required authentication, encryption, and access rules, and allow the employees to use the enterprise network.
The user database is also used when an Instant AP is configured as an internal RADIUS server. The local user database of APs can support up to 512 user entries except IAP-92/93. IAP-92/93 supports only 256 user entries. If there are already 512 users, IAP-92/93 will not be able to join the cluster.
To configure users, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click User For Internal Server.
6. In the Users pane, click the + icon.
7. In the Add User window, enter the following information:
   - In the Username text-box, enter a username.
   - In the Password text-box, enter the password.
   - In the Retype text-box, retype the password to confirm.
   - In the Type drop-down list, select a type of user.
   - Click OK.
8. To edit user settings:
   a. In the Users pane, select the username to edit.
   b. Click the edit icon to modify the user settings.
   c. Click OK.
9. To delete a user:
   a. In the Users pane, select the username to delete.
   b. Click the delete icon.
   c. Click OK.
10. To delete all users, select Delete All in the Users pane, and then click Yes.
Deleting a user only removes the user record from the user database, and will not disconnect the online user associated with the username.
Configuring Intra VLAN Traffic Whitelist
The Intra VLAN Traffic Whitelist is a global whitelist for all WLAN SSIDs and wired networks configured with the feature. For servers to serve the network, you must add them to the Intra VLAN Traffic Whitelist using their IP or MAC address. When you configure wired servers with their IP address or MAC address, the Instant Access Point allows client traffic to the destination MAC addresses.
Configuring a Wired Server with the IP Address
To configure a wired server with the IP address, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Intra VLAN Traffic Whitelist accordion.
6. In the Wired Server IP window, click + and enter the IP address of the server.
7. Click OK.
8. Click Save Settings.
To edit a wired server, select the IP address of the wired server in the Wired Server IP window, and then click the edit icon. To delete a wired server, select the IP address of the wired server in the Wired Server IP window, and then click the delete icon.
Configuring a Wired Server with the MAC Address
To configure a wired server with the MAC address, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Intra VLAN Traffic Whitelist accordion.
6. In the Wired Server MAC window, click + and enter the MAC address of the server.
7. Click OK.
8. Click Save Settings.
To edit a wired server, select the IP address of the wired server in the Wired Server MAC window, and then click the edit icon. To delete a wired server, select the IP address of the wired server in the Wired Server MAC window, and then click the delete icon.
The following figure shows the configuration options of a wired server with the IP address or MAC address:

Figure 54 Intra VLAN Traffic Whitelist Configuration
Configuring an MPSK Local Profile
MPSK Local allows the user to configure 24 PSKs per SSID locally on the device. These local PSKs would serve as an extension of the base MPSK functionality. To configure an MPSK Local profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Mpsk Local accordion.
6. In the MPSK Local window, click + and enter a name for the MPSK Local profile.
7. To create an MPSK Local passphrase, enter the following information in the Mpsk Local Passphrase window:
   a. Name--Enter a name.
   b. Passphrase--Enter a passphrase.
   c. Retype Passphrase--Retype the passphrase to confirm.
8. Click OK.
9. In the Mpsk Local Passphrase window, select the MPSK Local passphrase name created in the previous step, and then click OK.
10. Click Save Settings.
The following animation shows how to configure an MPSK Local profile:

Configuring Roles and Policies on Instant APs for User Access Control
Instant APs support identity-based access control to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using the Instant AP firewall policies, you can enforce network access policies to define access to the network, areas of the network that the user may access, and the performance thresholds of various applications.
Instant APs support a role-based stateful firewall. In other words, the Instant firewall can recognize flows in a network and keep track of the state of sessions. The firewall logs on the Instant APs are generated as syslog messages. The firewall feature also supports ALG functions such as SIP, Vocera, Alcatel NOE, and Cisco Skinny protocols.
ACL Rules
You can use ACL rules to either permit or deny data packets passing through the Instant AP. You can also limit packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses.
You can create access rules to allow or block data packets that match the criteria defined in an access rule. You can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or block the network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to an IP address through the firewall.
The Instant AP clients are associated with user roles, which determine the client's network privileges and the frequency at which clients re-authenticate. Instant AP supports the following types of ACLs:
- ACLs that permit or deny traffic based on the source IP address of the packet.
- ACLs that permit or deny traffic based on source or destination IP address, or source or destination port number.
You can configure up to 64 access control rules for a firewall policy.
Configuring Network Address Translation Rules

NAT is the process of modifying network address information when packets pass through a routing device. The routing device acts as an agent between the public network (the Internet) and the private network (local network), which allows translation of private network IP addresses to a public address space. Instant AP supports the NAT mechanism to allow a routing device to use the translation tables to map the private addresses into a single IP address. Packets are sent from this address, so that they appear to originate from the routing device. Similarly, if the packets are sent to the private IP address, the destination address is translated as per the information stored in the translation tables of the routing device.
For more information, see:
- Configuring Network Service ACLs
- Configuring ACLs for Deep Packet Inspection
- Configuring User Roles for AP Clients
- Configuring Role Derivation Rules for AP Clients
- Configuring Firewall Parameters for Inbound Traffic
Configuring Network Service ACLs
To configure access rules for network services, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Roles accordion.
6. Under Access Rules For Selected Roles, click + to add a new rule. The Access Rule window is displayed.
7. Under Rule Type, select Access Control.
8. To configure access to applications or application categories, select a service category from the following list:
   - Network
   - App Category
   - Application
   - Web Category
   - Web Reputation
9. Based on the selected service category, configure the following parameters:

Table 113: Access Rule Configuration Parameters

| Data Pane Item | Description |
|---|---|
| Rule Type | Select a rule type from the list, for example Access Control. |
| Service | Select a service from the list of available services. You can allow or deny access to any or all of the following services based on your requirement: |
| | - Any--Access is allowed or denied to all services. |
| | - CUSTOM--Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If you select the Other option, enter the appropriate ID. |
| | NOTE: If TCP and UDP use the same port, ensure that you configure separate access rules to permit or deny access. |
| Action | Select any of the following attributes: |
| | - Select Allow to allow access to users based on the access rule. |
| | - Select Deny to deny access to users based on the access rule. |
| | - Select Destination-NAT to allow changes to the destination IP address. |
| | - Select Source-NAT to allow changes to the source IP address. |
| Destination | Select a destination option. You can allow or deny access to any of the following destinations based on your requirements. |
| | - To all destinations--Access is allowed or denied to all destinations. |
| | - To a particular server--Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server. |
| | - Except to a particular server--Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server. |
| | - To a network--Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network. |
| | - Except to a network--Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network. |
| | - To a Domain Name--Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box. |
| | - To AP IP--Traffic to the specified Instant AP is allowed. After selecting this option, specify the domain name in the IP text box. |
| | - To AP Network--Traffic to the specified Instant AP network is allowed. After selecting this option, specify the domain name in the IP text box. |
| | - To master IP--Traffic to the specified master Instant AP or virtual controller is allowed. After selecting this option, specify the domain name in the IP text box. |
| Log | Select Log to create a log entry when this rule is triggered. The Aruba Central firewall supports firewall based logging. Firewall logs on the Instant APs are generated as security logs. |
| Blacklist | Select Blacklist to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. |
| Classify Media | Select Classify Media to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT traffic and the traffic is marked as follows: |
| | - Video: Priority 5 (Critical) |
| | - Voice: Priority 6 (Internetwork Control) |
| Disable Scanning | Select Disable Scanning to disable ARM scanning when this rule is triggered. The selection of Disable Scanning applies only if ARM scanning is enabled. |
| DSCP TAG | Select DSCP TAG to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63. |
| 802.1p priority | Select 802.1p priority to specify an 802.1p priority. Specify a value between 0 and 7. |
| Time Range | Select this check box to allow a specific user to access the network for a specific time range. You can select the time range profile from the drop-down list that appears when the Time Range check box is selected. |

10. Click Save Settings.
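
The following Python sketch models the Service and Destination options of Table 113, including the two "Except to ..." forms and the note about separate TCP and UDP rules. It is an added example, not Aruba code: the rule set is constructed, and first-match evaluation order and the lower-cased option strings are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRule:
    action: str                 # "Allow" or "Deny" (Table 113, Action)
    protocol: str               # "any", "tcp" or "udp" (Service: Any or CUSTOM)
    port: Optional[int]         # None means any port
    dest_kind: str              # a Destination option from Table 113, lower-cased
    dest: Optional[str] = None  # "ip" or "ip/netmask", as entered in the UI


def dest_matches(rule, dst_ip):
    """Apply the Destination option, including the two 'Except to ...' forms."""
    ip = ipaddress.ip_address(dst_ip)
    kind = rule.dest_kind
    if kind == "to all destinations":
        return True
    if kind.endswith("a particular server"):
        hit = ip == ipaddress.ip_address(rule.dest)
    elif kind.endswith("a network"):
        # ip_network accepts the address/netmask pair the UI asks for.
        hit = ip in ipaddress.ip_network(rule.dest, strict=False)
    else:
        raise ValueError(f"unsupported destination option: {rule.dest_kind}")
    # The 'Except' forms match every destination other than the one given.
    return not hit if kind.startswith("except") else hit


def evaluate(rules, protocol, port, dst_ip):
    """Return (action, rule index) of the first matching rule.

    First-match ordering is an assumption of this sketch. When nothing
    matches, (None, None) is returned rather than guessing a default.
    """
    for index, rule in enumerate(rules):
        if rule.protocol not in ("any", protocol):
            continue
        if rule.port is not None and rule.port != port:
            continue
        if dest_matches(rule, dst_ip):
            return rule.action, index
    return None, None


def protocol_gaps(rules):
    """List (port, missing protocol) pairs where a port rule exists for only
    one of TCP/UDP with the same action and destination. Each entry is a
    prompt for the operator to confirm, not necessarily an error."""
    seen = {}
    for rule in rules:
        if rule.protocol in ("tcp", "udp") and rule.port is not None:
            key = (rule.port, rule.action, rule.dest_kind, rule.dest)
            seen.setdefault(key, set()).add(rule.protocol)
    gaps = []
    for (port, _action, _kind, _dest), protocols in seen.items():
        if len(protocols) == 1:
            gaps.append((port, ({"tcp", "udp"} - protocols).pop()))
    return sorted(gaps)


# Constructed guest-role policy: DNS to one resolver, nothing else in 10.0.0.0/8.
GUEST_RULES = [
    AccessRule("Allow", "udp", 53, "to a particular server", "10.1.1.53"),
    AccessRule("Deny", "any", None, "to a network", "10.0.0.0/255.0.0.0"),
    AccessRule("Allow", "any", None, "to all destinations"),
]

if __name__ == "__main__":
    print(evaluate(GUEST_RULES, "udp", 53, "10.1.1.53"))   # DNS over UDP
    print(evaluate(GUEST_RULES, "tcp", 53, "10.1.1.53"))   # DNS over TCP
    print(protocol_gaps(GUEST_RULES))
```

In the constructed policy, DNS over TCP to the resolver falls through to the Deny rule for the 10.0.0.0 network because only a UDP rule was written for port 53, which is the situation the NOTE in the Service row is about.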

Configuring User Roles for AP Clients
Every client in the Aruba Central network is associated with a user role, which determines the client's network privileges, the frequency of re-authentication, and the applicable bandwidth contracts. The user role configuration on an Instant AP involves the following procedures:
- Creating a User Role
- Configuring User Roles for AP Clients
Creating a User Role
To create a user role, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Roles accordion.
6. In the Roles pane, click +.
7. In the Add Role window, enter a name for the new role in Roles, and then click OK.

You can also create a user role when configuring a wireless profile. For more information, see Configuring Wireless Network Profiles on Instant APs.

Assigning Bandwidth Contracts to User Roles

The administrators can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles. The administrator can assign a bandwidth contract configured in Kbps to upstream (client to the Instant AP) or downstream (Instant AP to clients) traffic for a user role. The bandwidth contract will not be applicable to the user traffic on the bridged out (same subnet) destinations. For example, if clients are connected to an SSID, you can restrict the upstream bandwidth rate allowed for each user to 512 Kbps.
By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic. The assigned bandwidth will be served and shared among all the users. You can also assign bandwidth per user to provide every user a specific bandwidth within a range of 1 to 65535 Kbps. If there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed.
To assign bandwidth contracts to a user role, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Roles accordion.
6. Create a user role or select an existing role.
7. In the Access Rules For Selected Roles pane, click +.
8. In the Access Rule window, select Bandwidth Contract under Rule Type.
9. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select Per User.
10. Click Save. Associate the user role to a WLAN SSID or wired profile.
You can also create a user role and assign bandwidth contracts while configuring an SSID.
Configuring Role Derivation Rules for AP Clients
Aruba Central allows you to configure role and VLAN derivation-rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID or a wired profile.
Creating a Role Derivation Rule
You can configure rules for determining the role that is assigned for each authenticated client.
When creating more than one role assignment rule, the first matching rule in the rule list is applied.
To create a role assignment rule, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
6. Click the Access tab.
7. Under Access rules, select Role Based to enable access based on user roles.
8. Under Role Assignment Rules, click + Add Role Assignment. In New Role Assignment Rule, define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.
9. From the Attribute list, select the attribute that the rule matches against. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options.
10. Select the operator from the Operator list. The following types of operators are supported:
   - contains--The rule is applied only if the attribute value contains the string specified in Operand.
   - Is the role--The rule is applied if the attribute value is the role.
   - equals--The rule is applied only if the attribute value is equal to the string specified in Operand.
   - not-equals--The rule is applied only if the attribute value is not equal to the string specified in Operand.
   - starts-with--The rule is applied only if the attribute value starts with the string specified in Operand.
   - ends-with--The rule is applied only if the attribute value ends with the string specified in Operand.
   - matches-regular-expression--The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for WLAN clients.
11. Enter the string to match in the String box.
12. Select the appropriate role from the Role list.
13. Click Save.
Configuring VLAN Assignment Rule
To configure VLAN assignment rules for an SSID profile:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
6. Click the Access tab.
7. Select the access rule from Access rules.
8. In the Access Rules For Selected Roles, click + Add Rule to add a new rule. The Access Rule page is displayed.
The VLAN Assignment option is also listed in the Access Rule page when you create or edit a rule for wired port profiles in the Ports > Create a New Network > Access tab.
9. From the Rule Type drop-down list, select the VLAN Assignment option.
10. Enter the VLAN ID in the VLAN ID field under the Service section. Alternatively, you can select the VLAN ID or the VLAN name from the drop-down list provided next to the VLAN ID field.
The VLAN name for a specific VLAN is available only after mapping the VLAN ID with the VLAN name in the Systems > Named VLAN Mapping section.
11. Click Save.
Configuring VLAN Derivation Rules
The users are assigned to a VLAN based on the attributes returned by the RADIUS server after users authenticate. To configure VLAN derivation rules for an SSID profile:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
6. Under VLANs, select Dynamic under Client VLAN Assignment.
7. Click + Add Rule to create a VLAN assignment rule. The New VLAN Assignment Rule window is displayed. In this window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.
8. Select an attribute from the Attribute list.
9. Select an operator from the Operator list. The following types of operators are supported:
   - contains--The rule is applied only if the attribute value contains the string specified in Operand.
   - equals--The rule is applied only if the attribute value is equal to the string specified in Operand.
   - not-equals--The rule is applied only if the attribute value is not equal to the string specified in Operand.
   - starts-with--The rule is applied only if the attribute value starts with the string specified in Operand.
   - ends-with--The rule is applied only if the attribute value ends with the string specified in Operand.
   - matches-regular-expression--The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for the WLAN clients.
10. Enter the string to match in the String field.
11. Select the appropriate VLAN ID from VLAN. Ensure that all other required parameters are configured.
12. Click OK.
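
The operators listed for role derivation and VLAN derivation rules, together with the statement that the first matching role assignment rule is applied, can be modelled offline to review a rule list before saving it. The Python sketch below is an added example, not Aruba code: the attribute values, role names, fallback role, regular-expression search semantics, and the treatment of a missing attribute as a non-match are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

REGEX_ONLY_ATTRIBUTE = "mac-address-and-dhcp-options"

# Operators as listed in the guide. "Is the role" is left out of this sketch
# because it takes no operand.
OPERATORS = {
    "contains": lambda value, operand: operand in value,
    "equals": lambda value, operand: value == operand,
    "not-equals": lambda value, operand: value != operand,
    "starts-with": lambda value, operand: value.startswith(operand),
    "ends-with": lambda value, operand: value.endswith(operand),
    # Assumption: unanchored search; the guide does not state the semantics.
    "matches-regular-expression":
        lambda value, operand: re.search(operand, value) is not None,
}


@dataclass(frozen=True)
class Rule:
    attribute: str
    operator: str
    operand: str
    role: str

    def __post_init__(self):
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator: {self.operator}")
        if self.operator == "matches-regular-expression":
            # The guide offers this operator only for one attribute.
            if self.attribute != REGEX_ONLY_ATTRIBUTE:
                raise ValueError("regex operator requires " + REGEX_ONLY_ATTRIBUTE)
            re.compile(self.operand)  # reject invalid patterns early

    def matches(self, attrs):
        value = attrs.get(self.attribute)
        # Assumption: an attribute the server did not return never matches.
        return value is not None and OPERATORS[self.operator](value, self.operand)


def derive_role(rules, attrs, default_role):
    """First matching rule wins; returns (role, index of winning rule)."""
    for index, rule in enumerate(rules):
        if rule.matches(attrs):
            return rule.role, index
    return default_role, None


def unreachable_rules(rules, samples, default_role):
    """Indexes of rules that never win for any sample client."""
    winners = {derive_role(rules, s, default_role)[1] for s in samples}
    return [i for i in range(len(rules)) if i not in winners]


# Constructed rule list: the broad 'contains' rule sits above the specific one.
RULES = [
    Rule("Filter-Id", "contains", "admin", "it-admin"),
    Rule("Filter-Id", "equals", "non-admin-contractor", "contractor"),
    Rule("mac-address", "starts-with", "00:1a:1e", "voice-phone"),
]
# Same rules with the specific rule moved above the broad one.
FIXED_RULES = [RULES[1], RULES[0], RULES[2]]

# Constructed attribute sets, as an authentication server might return them.
SAMPLES = [
    {"Filter-Id": "admin"},
    {"Filter-Id": "non-admin-contractor"},
    {"Filter-Id": "staff", "mac-address": "00:1a:1e:aa:bb:cc"},
    {"Filter-Id": "visitor"},
]

if __name__ == "__main__":
    for attrs in SAMPLES:
        print(attrs, "->", derive_role(RULES, attrs, "guest"))
    print("never applied:", unreachable_rules(RULES, SAMPLES, "guest"))
```

With the original order, the contractor sample receives the it-admin role because "non-admin-contractor" contains "admin" and the second rule is never reached; reordering so that the exact match comes first removes the shadowing.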
Configuring Firewall Parameters for Wireless Network Protection
To configure firewall settings, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Wireless IDS/IPS accordion.
6. Under Firewall Settings, turn on the toggle switch to enable SIP, VOCERA, ALCATEL NOE, Auto Topology Rules, Restrict Corporate Access, and CISCO Skinny protocols.
7. Under Protection, in the Protection Against Wired Attacks section, enable the following options:
   - Drop Bad ARP--Drops the fake ARP packets.
   - Fix Malformed DHCP--Fixes the malformed DHCP packets.
   - ARP Poison Check--Triggers an alert on ARP poisoning caused by the rogue APs.
Configuring Firewall Parameters for Inbound Traffic
Instant APs support an enhanced inbound firewall for the traffic that flows into the network through the uplink ports of an Instant AP. You can configure firewall rules for the inbound traffic in the Security > Inbound Firewall section. To configure the firewall rules, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Wireless IDS/IPS accordion.
6. Click Firewall Settings.
7. In the Access Rule section, click the + icon. The Inbound Firewall page is displayed.
8. In the Inbound Firewall page, enter the following information:

Table 114: Inbound Firewall Rule Configuration Parameters

| Parameter | Description |
|---|---|
| Service | Select a service from the list of available services. You can allow or deny access to any or all of the services based on your requirement: |
| | - Any--Access is allowed or denied to all services. |
| | - Custom--Customize the access based on available options such as TCP, UDP, and other options. If you select the TCP or UDP options, enter appropriate port numbers. If the Other option is selected, ensure that an appropriate ID is entered. |
| Action | Select any of the following actions: |
| | - Select Allow to allow user access based on the access rule. |
| | - Select Deny to deny user access based on the access rule. |
| | - Select Destination-NAT to allow making changes to the destination IP address and the port. |
| | - Select Source-NAT to allow making changes to the source IP address. |
| | The destination NAT and source NAT actions apply only to the network services rules. |
| Source | Select any of the following options: |
| | - From all sources--Traffic from all sources is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. |
| | - From a particular host--Traffic from a particular host is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the host. |
| | - From a network--Traffic from a particular network is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask of the source network. |
| Destination | Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements. |
| | - To all destinations--Traffic for all destinations is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. |
| | - To a particular server--Traffic to a specific server is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the destination server. |
| | - Except to a particular server--Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server. |
| | - To a network--Traffic to the specified network is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask for the destination network. |
| | - Except to a network--Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network. |
| | - To a Domain name--Traffic to the specified domain is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the domain name in the Domain Name text box. |
| | - To AP IP--Traffic to the specified Instant AP is allowed. After selecting this option, specify the domain name in the IP text box. |
| | - To AP Network--Traffic to the specified Instant AP network is allowed. After selecting this option, specify the domain name in the IP text box. |
| | - To master IP--Traffic to the specified master Instant AP or virtual controller is allowed. After selecting this option, specify the domain name in the IP text box. |
| Log | Select the Log check box if you want a log entry to be created when this rule is triggered. Instant supports firewall-based logging function. Firewall logs on the Instant APs are generated as security logs. |
| Blacklist | Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified in the Auth failure blacklist time on the Blacklisting tab of the Security window. |
| Classify Media | Select the Classify Media check box to classify and tag media on HTTPS traffic as voice and video packets. |
| Disable scanning | Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled. |
| DSCP TAG | Select the DSCP TAG check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0-63. To assign a higher priority, specify a higher value. |
| 802.1p priority | Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value. |

Configuring Management Subnets
You can configure subnets to ensure that the Instant AP management is carried out only from these subnets. When the management subnets are configured, Telnet, SSH, and UI access is restricted to these subnets only. To configure management subnets, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Wireless IDS/IPS accordion.
6. Click Firewall Settings.
7. Under the Management Subnets pane, to add a new management subnet, complete the following steps:
- Enter the subnet address in Subnet.
- Enter the subnet mask in Mask.
- Click Add.
8. Click Save Settings.
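
Because Telnet, SSH, and UI access is limited to the configured subnets once they are saved, it helps to check the planned Subnet and Mask entries before entering them. The following Python check is an added example, not part of this guide or of any Aruba tool; the /16 breadth threshold, the RFC 1918 test, and every address in it are assumptions constructed for illustration.

```python
import ipaddress

# Assumption for this example (not an Aruba limit): a management subnet wider
# than /16 is reported as too broad to be a meaningful restriction.
MIN_PREFIX = 16
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_entry(subnet, mask):
    """Parse one Subnet/Mask pair; return (network or None, list of findings)."""
    try:
        net = ipaddress.IPv4Network(f"{subnet}/{mask}", strict=False)
    except ValueError as exc:
        # Covers malformed addresses and non-contiguous masks such as 255.0.255.0
        return None, [f"invalid subnet or mask: {exc}"]
    findings = []
    if str(net.network_address) != subnet:
        findings.append(f"host bits set, effective subnet is {net}")
    if net.prefixlen < MIN_PREFIX:
        findings.append(f"/{net.prefixlen} is broader than /{MIN_PREFIX}")
    if not any(net.subnet_of(private) for private in RFC1918):
        findings.append("not contained in RFC 1918 private space")
    return net, findings


def audit(entries, admin_stations):
    """Audit planned entries and list admin stations they would lock out."""
    report, networks = {}, []
    for subnet, mask in entries:
        net, findings = parse_entry(subnet, mask)
        report[(subnet, mask)] = findings
        if net is not None:
            networks.append(net)
    locked_out = [ip for ip in admin_stations
                  if not any(ipaddress.ip_address(ip) in n for n in networks)]
    return report, locked_out


# Constructed sample input: planned pane entries and the hosts admins work from.
PLANNED = [
    ("10.1.20.0", "255.255.255.0"),
    ("192.168.5.7", "255.255.255.0"),   # host address typed instead of subnet
    ("10.2.0.0", "255.0.255.0"),        # non-contiguous mask
]
ADMIN_STATIONS = ["10.1.20.15", "192.168.5.40", "10.2.3.4", "172.16.9.9"]

if __name__ == "__main__":
    report, locked_out = audit(PLANNED, ADMIN_STATIONS)
    for entry, findings in report.items():
        print(entry, "->", findings or "ok")
    print("admin stations outside every management subnet:", locked_out)
```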
Configuring Restricted Access to Corporate Network
You can configure restricted corporate access to block unauthorized users from accessing the corporate network. When restricted corporate access is enabled, corporate access is blocked from the uplink port of master Instant AP, including clients connected to a slave Instant AP. To configure restricted corporate access, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Wireless IDS/IPS accordion.
6. Click Firewall Settings.
7. To restrict corporate access, turn on the Restrict Corporate Access toggle switch.
8. Click Save Settings.
Configuring ACLs for Deep Packet Inspection
To configure ACL rules for a user role for Deep Packet Inspection (DPI), complete the following procedure:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon to display the AP configuration dashboard.
4. Click Show Advanced.
5. Click the Security tab.
6. Under Roles, select the role for which you want to configure access rules.
7. Under Access Rules For Selected Roles, click + to add a new rule.
8. The Access Rule window is displayed.
9. Under Rule Type, select Access Control.
10. To configure access to applications or application categories, select a service category from the following list:
- Network
- App Category
- Application
- Web Category
- Web Reputation
11. Based on the selected service category, configure the following parameters:

Table 115: Access Rule Configuration Parameters

Service category

Description

App Category

Select the application categories to which you want to allow or deny access.

Application

Select the applications to which you want to allow or deny access.

Application Throttling

Application throttling allows you to set a bandwidth limit for an application and application categories. For example, you can limit the bandwidth rate for video streaming applications such as YouTube or Netflix, or assign a low bandwidth to high risk sites. To specify a bandwidth limit:
1. Select the Application Throttling check box.
2. Specify the Downstream and Upstream rates in Kbps per user.

Action

Select one of the following actions:
- Destination-NAT--Translation of the destination IP address of a packet entering the network.
- Source-NAT--Used by internal users to access the internet.
- Allow--Select Allow to allow access to users based on the access rule.
- Deny--Select Deny to deny access to users based on the access rule.

Destination

Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.
- To all destinations--Access is allowed or denied to all destinations.
- To a particular server--Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
- Except to a particular server--Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
- To a network--Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
- Except to a network--Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
- To a Domain Name--Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.
- To AP IP--Traffic to the specified Instant AP is allowed. After selecting this option, specify the domain name in the IP text box.
- To AP Network--Traffic to the specified Instant AP network is allowed. After selecting this option, specify the domain name in the IP text box.
- To master IP--Traffic to the specified master Instant AP or virtual controller is allowed. After selecting this option, specify the domain name in the IP text box.

Log

Select this check box if you want a log entry to be created when this rule is triggered. Aruba Central supports firewall based logging. Firewall logs on the Instant APs are generated as security logs.

Blacklist

Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window.

Classify Media

Select the Classify Media check box to classify and tag media on HTTPS traffic as voice and video packets.

Disable Scanning

Select the Disable Scanning check box to disable ARM scanning when this rule is triggered. The Disable Scanning selection applies only if ARM scanning is enabled.

DSCP Tag

Select this check box to add a DSCP tag to the rule. DSCP is an L3 mechanism for classifying and managing network traffic and providing QoS on the network. To assign a higher priority, specify a higher value.

802.1p priority

Select this check box to enable 802.1p priority. 802.1p priority is an L2 protocol for traffic prioritization to manage QoS on the network. There are eight levels of priority, 0-7. To assign a higher priority, specify a higher value.

Time Range

Select this check box to enable users to access the network for a specific time period. You can select the time range profile from the drop-down list that appears when the Time Range check box is selected.

12. Click Save.
Configuring ACLs on APs for Website Content Classification
You can configure web policy enforcement on an AP to block certain categories of websites based on your organization specifications by defining ACL rules. To configure ACLs for website content classification, follow the below procedure:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon to display the AP configuration dashboard.
4. Click Show Advanced.
5. Click the Security tab.
6. Under Roles, select the role to modify.
7. Under Access Rules For Selected Roles, click + to add a new rule. The Access Rule window is displayed.
8. Under Rule Type, select Access Control.
9. To set an access policy based on web categories:
a. Under Service, select Web Category.
b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.

c. Under Action, select Allow or Deny.
d. Click Save.
10. To filter access based on the security ratings of the website:
a. Select Web Reputation under Service.
b. Move the slider to select a specific web reputation value to deny access to websites with a reputation value lower than or equal to the configured value or to permit access to websites with a reputation value higher than or equal to the configured value. The following options are available:
- Trustworthy WRI > 81--These are well known sites with strong security practices and may not expose the user to security risks. There is a very low probability that the user will be exposed to malicious links or payloads.
- Low Risk WRI 61-80--These are benign sites and may not expose the user to security risks. There is a low probability that the user will be exposed to malicious links or payloads.
- Moderate WRI 41-60--These are generally benign sites, but may pose a security risk. There is some probability that the user will be exposed to malicious links or payloads.
- Suspicious WRI 21-40--These are suspicious sites. There is a higher than average probability that the user will be exposed to malicious links or payloads.
- High Risk WRI < 20--These are high risk sites. There is a high probability that the user will be exposed to malicious links or payloads.
c. Under Action, select Allow or Deny as required.
11. To set a bandwidth limit based on web category or web reputation score, select the Application Throttling check box and specify the downstream and upstream rates in Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high risk sites.
12. If required, select the following check boxes:
- Log--Select this check box if you want a log entry to be created when this rule is triggered. Aruba Central supports firewall based logging. Firewall logs on the Instant APs are generated as security logs.
- Blacklist--Select this check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth Failure Blacklist Time on the Blacklisting pane of the Security window. For more information, see Blacklisting Instant AP Clients on page 384.
- Disable Scanning--Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The Disable scanning selection applies only if ARM scanning is enabled. For more information, see Configuring Radio Parameters on page 338.
- DSCP Tag--Select this check box to add a DSCP tag to the rule. DSCP is an L3 mechanism for classifying and managing network traffic and providing QoS on the network. To assign a higher priority, specify a higher value.
- 802.1p priority--Select this check box to enable 802.1p priority. 802.1p priority is an L2 protocol for traffic prioritization to manage QoS on the network. There are eight levels of priority, 0-7. To assign a higher priority, specify a higher value.
13. Click Save to save the rules.
14. Click Save Settings in the Roles pane to save the changes to the role for which you defined ACL rules.

In groups with mixed versions, the application rule update is supported only at the VC level and not at the group level. If you have a group with multiple Instant APs running 6.2.1.0-4.0 and you upgrade one or more VCs to 6.2.1.0-4.1, you can configure application rules at the VC level, but not at the group level. To use application rules at the group level, create a new group and move Instant APs running 6.2.1.0-4.1 to the newly created group. If application rules are configured in this group, ensure that the Instant APs with versions lower than 6.2.1.0-4.1 are not moved to that group.
Configuring Custom Redirection URLs for Instant AP Clients
You can create a list of URLs to redirect users to when they access blocked websites. You can define an access rule to use these redirect URLs and assign the rule to a user role in the WLAN network.
Creating a List of Error Page URLs
To create a list of error page URLs, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon to display the AP configuration dashboard.
4. Click Show Advanced.
5. Click the Security tab.
6. Under Custom Blocked Page URL, click + and enter the URL to block.
7. Repeat the procedure to add more URLs. You can add up to 8 URLs to the list of blocked web pages.
8. Click OK.
Configuring ACL Rules to Redirect Users to a Specific URL
To configure ACL rules to redirect users to a specific URL, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon to display the AP configuration dashboard.
4. Click Show Advanced.
5. Click the Security tab.
6. Under Roles, select the role for which you want to configure access rules.
7. Click + in the Access Rules section. The New Rule window is displayed.
8. Select the rule type as Blocked Page URL.
9. Select the URLs from the existing list of custom redirect URLs. To add a new URL, click +.
10. Click Save.
Configuring Firewall Parameters for Inbound Traffic

Instant APs support an enhanced inbound firewall for the traffic that flows into the network through the uplink ports of an Instant AP. To configure the firewall rules, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Wireless IDS/IPS accordion.
6. Click Firewall Settings.
7. In the Access Rule section, click the + icon. The Inbound Firewall page is displayed.

8. In the Inbound Firewall page, enter the following information:

Table 116: Inbound Firewall Rule Configuration Parameters

Parameter

Description

Service

Select a service from the list of available services. You can allow or deny access to any or all of the services based on your requirement:
- Any--Access is allowed or denied to all services.
- Custom--Customize the access based on available options such as TCP, UDP, and other options. If you select the TCP or UDP options, enter appropriate port numbers. If the Other option is selected, ensure that an appropriate ID is entered.

Action

Select any of the following actions:
- Select Allow to allow user access based on the access rule.
- Select Deny to deny user access based on the access rule.
- Select Destination-NAT to allow making changes to the destination IP address and the port.
- Select Source-NAT to allow making changes to the source IP address.
The destination NAT and source NAT actions apply only to the network services rules.

Source

Select any of the following options:
- From all sources--Traffic from all sources is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
- From a particular host--Traffic from a particular host is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the host.
- From a network--Traffic from a particular network is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask of the source network.

Destination

Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.
- To all destinations--Traffic for all destinations is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
- To a particular server--Traffic to a specific server is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the destination server.
- Except to a particular server--Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
- To a network--Traffic to the specified network is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask for the destination network.
- Except to a network--Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
- To a Domain name--Traffic to the specified domain is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the domain name in the Domain Name text box.

- To AP IP--Traffic to the specified Instant AP is allowed. After selecting this option, specify the domain name in the IP text box.
- To AP Network--Traffic to the specified Instant AP network is allowed. After selecting this option, specify the domain name in the IP text box.
- To master IP--Traffic to the specified master Instant AP or virtual controller is allowed. After selecting this option, specify the domain name in the IP text box.

Log

Select the Log check box if you want a log entry to be created when this rule is triggered. Instant supports firewall-based logging function. Firewall logs on the Instant APs are generated as security logs.

Blacklist

Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified in the Auth failure blacklist time on the Blacklisting tab of the Security window.

Classify Media

Select the Classify Media check box to classify and tag media on HTTPS traffic as voice and video packets.

Disable scanning

Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled.

DSCP TAG

Select the DSCP TAG check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0-63. To assign a higher priority, specify a higher value.

802.1p priority

Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.

9. Click Ok.
10. Click Save Settings.

For all subnets, a deny rule is created by default as the last rule. If at least one rule is configured, the deny all rule is applied to the upstream traffic by default. The inbound firewall is not applied to traffic coming through the GRE tunnel.
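
The note above means that adding a single inbound rule changes the outcome for every flow the rule set does not match. The following Python model is an added example, not Aruba code: it assumes rules are checked in order with the first match deciding, reads the note as leaving inbound traffic unfiltered while no rule is configured, leaves the NAT actions out, and uses constructed rules and addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                      # "allow" or "deny" (NAT actions not modelled)
    protocol: str = "any"            # Service: "any", or Custom "tcp" / "udp"
    port: Optional[int] = None       # destination port for a Custom service
    source: str = "0.0.0.0/0"        # all sources, a host, or network/netmask
    destination: str = "0.0.0.0/0"   # all destinations, a server, or a network
    dest_except: bool = False        # True = "Except to a particular server/network"


def rule_matches(rule, proto, src, dst, dport):
    """Return True when the flow fits the rule's service, source and destination."""
    if rule.protocol != "any":
        if rule.protocol != proto:
            return False
        if rule.port is not None and rule.port != dport:
            return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.source):
        return False
    in_dest = ipaddress.ip_address(dst) in ipaddress.ip_network(rule.destination)
    # An "Except to ..." destination matches everything outside the given range
    return in_dest != rule.dest_except


def evaluate(rules, proto, src, dst, dport, via_gre=False):
    """Return (verdict, matching rule number or None) for one inbound flow."""
    if via_gre:
        return "not filtered", None   # inbound firewall skips GRE tunnel traffic
    if not rules:
        return "not filtered", None   # this example's reading of the note
    for number, rule in enumerate(rules, start=1):   # assumed: first match wins
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action, number
    return "deny", None               # the default deny rule created as last rule


# Constructed rule set for illustration only.
RULES = [
    Rule("allow", "tcp", 22, source="10.10.0.0/255.255.255.0",
         destination="192.168.1.10"),
    Rule("deny", destination="192.168.1.0/255.255.255.0", dest_except=True),
    Rule("allow", "tcp", 443, destination="192.168.1.0/255.255.255.0"),
]

# Constructed flows: (protocol, source, destination, destination port)
FLOWS = [
    ("tcp", "10.10.0.5", "192.168.1.10", 22),
    ("tcp", "10.10.0.5", "192.168.2.9", 443),
    ("tcp", "203.0.113.8", "192.168.1.20", 443),
    ("udp", "203.0.113.8", "192.168.1.20", 53),
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", evaluate(RULES, *flow))
```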

Enabling ALG Protocols on Instant APs
To configure protocols for ALG, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Wireless IDS/IPS accordion.
6. Under Firewall Settings, set the toggle button against the corresponding protocol to enable SIP, VOCERA, ALCATEL NOE, Auto Topology Rules, Restrict Corporate Access, and CISCO Skinny protocols.
7. Click Save Settings.
When the protocols for the ALG are disabled, the changes do not take effect until the existing user sessions have expired. Reboot the Instant AP and the client, or wait a few minutes for changes to take effect.
Blacklisting Instant AP Clients
The client blacklisting denies connection to the blacklisted clients. When a client is blacklisted, it is not allowed to associate with an Instant AP in the network. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force client disconnection.
Blacklisting Clients Manually
Manual blacklisting adds the MAC address of a client to the blacklist. These clients are added into a permanent blacklist. These clients are not allowed to connect to the network unless they are removed from the blacklist. To add a client to the blacklist manually, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Blacklisting accordion.
6. Under Manual Blacklisting, click + and enter the MAC address of the client to be blacklisted.
7. Click OK.
8. Click Save Settings.
To delete a client from the manual blacklist, select the MAC Address of the client under the Manual Blacklisting, and then click the delete icon.
For the blacklisting to take effect, you must enable the blacklisting option when you create or edit the WLAN SSID profile. Go to WLANs > Security > Advanced Settings and enable the Blacklisting option. For more information, see Configuring Wireless Network Profiles on Instant APs.
Blacklisting Clients Dynamically
The clients can be blacklisted dynamically when they exceed the authentication failure threshold or when a blacklisting rule is triggered as part of the authentication process. When a client takes time to authenticate and exceeds the configured failure threshold, it is automatically blacklisted by an Instant AP. In session firewall based blacklisting, an ACL rule automates blacklisting. When the ACL rule is triggered, it sends out blacklist information and the client is blacklisted. To configure the blacklisting duration, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Blacklisting accordion.
6. Under Dynamic Blacklisting, enter the following information:
a. For Auth Failure Blacklist Time, enter the duration after which the clients that exceed the authentication failure threshold must be blacklisted.
b. For Policy Enforcement Failure Rule Blacklisted Time, enter the duration after which the clients can be blacklisted due to an ACL rule trigger.
7. Click Save Settings.

You can configure a maximum number of authentication failures by the clients, after which a client must be blacklisted. For more information on configuring maximum authentication failure attempts, see Configuring Wireless Network Profiles on Instant APs. To enable session-firewall-based blacklisting, select the Blacklist check box in the Access Rule page during the WLAN SSID profile creation. For more information, see Configuring Network Service ACLs.
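
To see how the manual blacklist, the maximum number of authentication failures, and the Auth Failure Blacklist Time interact, the following Python replay runs them over a short event list. It is an added example and a simplified model, not Aruba code: it assumes failures are counted consecutively and reset on a successful authentication, and the MAC addresses, timestamps, and setting values are constructed.

```python
def replay(events, max_failures, blacklist_time, manual_blacklist=()):
    """Replay (time_s, mac, outcome) events and return the decision per event.

    max_failures   -- failures after which a client is blacklisted
    blacklist_time -- seconds a dynamically blacklisted client stays blocked
    """
    manual = {mac.lower() for mac in manual_blacklist}
    failures = {}        # mac -> consecutive failure count (assumed semantics)
    blocked_until = {}   # mac -> time at which the dynamic blacklisting ends
    decisions = []
    for ts, mac, outcome in sorted(events):
        mac = mac.lower()
        if mac in manual:
            # Manual entries are permanent until removed from the list
            decisions.append((ts, mac, "rejected: manual blacklist"))
        elif ts < blocked_until.get(mac, 0):
            decisions.append((ts, mac, "rejected: dynamic blacklist"))
        elif outcome == "success":
            failures[mac] = 0
            decisions.append((ts, mac, "associated"))
        else:
            failures[mac] = failures.get(mac, 0) + 1
            if failures[mac] >= max_failures:
                blocked_until[mac] = ts + blacklist_time
                failures[mac] = 0
                decisions.append((ts, mac, "blacklisted"))
            else:
                decisions.append((ts, mac, "auth failed"))
    return decisions


# Constructed sample events: (seconds since start, client MAC, auth outcome)
USER, GUESSER, BANNED = ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
                         "aa:bb:cc:00:00:03")
EVENTS = [
    (0, USER, "failure"),
    (5, GUESSER, "failure"),
    (10, USER, "failure"),
    (12, GUESSER, "failure"),
    (20, USER, "success"),       # two typos, then the right password
    (21, GUESSER, "failure"),    # third failure in a row
    (30, GUESSER, "success"),    # correct credentials, but still blocked
    (40, BANNED, "success"),
    (3700, GUESSER, "success"),  # after the blacklist time has elapsed
]

if __name__ == "__main__":
    for row in replay(EVENTS, max_failures=3, blacklist_time=3600,
                      manual_blacklist=[BANNED]):
        print(row)
```

Rerunning the replay with different `max_failures` and `blacklist_time` values shows which clients a stricter or looser setting would have blocked.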

Configuring Instant APs for VPN Services
This section describes the following VPN configuration procedures:
- Instant AP VPN Overview
- Configuring Instant APs for VPN Tunnel Creation
- Configuring Routing Profiles for Instant AP VPN

Instant AP VPN Overview
As Instant APs use a virtual controller architecture, the Instant AP network does not require a physical controller to provide the configured WLAN services. However, a physical controller is required for terminating VPN tunnels from the Instant AP networks at branch locations or data centers, where the Aruba controller acts as a VPN Concentrator. When the VPN is configured, the Instant AP acting as the virtual controller creates a VPN tunnel to Aruba Mobility Controller in your corporate office. The controller acts as a VPN endpoint and does not supply the Instant AP with any configuration. The VPN features are recommended for:
- Enterprises with many branches that do not have a dedicated VPN connection to the corporate office.
- Branch offices that require multiple APs.
- Individuals working from home, connecting to the VPN.

Supported VPN Protocols
Instant APs support the following VPN protocols for remote access:

Table 117: VPN Protocols

VPN Protocol

Description

Aruba IPsec

IPsec is a protocol suite that secures IP communications by authenticating and encrypting each IP packet of a communication session.
You can configure an IPsec tunnel to ensure that the data flow between the networks is encrypted. However, you can configure a split-tunnel to encrypt only the corporate traffic.
When IPsec is configured, ensure that you add the Instant AP MAC addresses to the whitelist database stored on the controller or an external server. IPsec supports Local, L2, and L3 modes of IAP-VPN operations.

NOTE: The Instant APs support IPsec only with Aruba Controllers.

Layer-2 (L2) GRE

GRE is a tunnel protocol for encapsulating multicast, broadcast, and L2 packets between a GRE-capable device and an endpoint. Instant APs support the configuration of L2 GRE (Ethernet over GRE) tunnel with an Aruba Controller to encapsulate the packets sent and received by the Instant AP. You can use the GRE configuration for L2 deployments when there is no encryption requirement between the Instant AP and controller for client traffic. Instant APs support two types of GRE configuration:
- Manual GRE--The manual GRE configuration sends unencrypted client traffic with an additional GRE header and does not support failover. When manual GRE is configured on the Instant AP, ensure that the GRE tunnel settings are enabled on the controller.
- Aruba GRE--With Aruba GRE, no configuration on the controller is required except for adding the Instant AP MAC addresses to the whitelist database stored on the controller or an external server. Aruba GRE reduces manual configuration when Per-AP Tunnel configuration is required and supports failover between two GRE endpoints.

NOTE: Instant APs support manual and Aruba GRE configuration only for L2 mode of operations. Aruba GRE configuration is supported only with Aruba Controllers.

L2TP

The L2TP version 3 feature allows an Instant AP to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the AP to the LNS. In a centralized L2 model, the VLANs on the corporate side are extended to remote branch sites. Wireless clients associated with an Instant AP get their IP address from the DHCP server running on the LNS. For this, the AP has to transparently allow DHCP transactions through the L2TPv3 tunnel.

Configuring Instant APs for VPN Tunnel Creation
Instant AP supports the configuration of tunneling protocols such as GRE, IPsec, and L2TPv3. This section describes the procedure for configuring VPN host settings on an Instant AP to enable communication with a controller in a remote location:
- Configuring IPsec VPN Tunnel
- Configuring Automatic GRE VPN Tunnel
- Configuring a GRE VPN Tunnel
- Configuring an L2TPv3 VPN Tunnel
Configuring IPsec VPN Tunnel
An IPsec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPsec tunnel to the controller secures corporate data. You can configure an IPsec tunnel from virtual controller using Aruba Central. To configure an IPsec tunnel from virtual controller, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.

4. Click Show Advanced, and click the VPN tab. The VPN details page is displayed.
5. Click the Controller accordion.
6. In the Protocol drop-down list, select Aruba IPsec.
7. In the Primary host field, enter the IP address or FQDN for the main VPN/IPsec endpoint.
8. In the Backup host field, enter the IP address or FQDN for the backup VPN/IPsec endpoint. This entry is optional. When you enter the primary host IP address and backup host IP address, other fields are displayed.
9. Specify the following parameters.
a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select the Preemption check-box. This step is optional. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold-time. The default value for Hold time is 600 seconds.
b. To allow the Instant AP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately, select the Fast Failover check-box. When fast failover is enabled and if the primary tunnel fails, the Instant AP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
c. Specify a value in seconds for Secs Between Test Packets. Based on the configured frequency, the Instant AP can verify if an active VPN connection is available. The default value is 5 seconds, which means that the Instant AP sends one packet to the controller every 5 seconds.
d. Enter a value for Max Allowed Test Packet Loss, to define a number for lost packets, after which the Instant AP can determine that the VPN connection is unavailable. The default value is 2.
e. To disconnect all wired and wireless users when the system switches during VPN tunnel transition from primary to backup and backup to primary, select the Reconnect User On Failover checkbox.
f. To configure an interval for which wired and wireless users are disconnected during a VPN tunnel switch, specify a value in seconds for Reconnect Time On Failover within a range of 30-900 seconds. By default, the reconnection duration is set to 60 seconds. The Reconnect Time on Failover field is displayed only when Reconnect User On Failover is enabled.
10. When the IPsec tunnel configuration is completed, the packets that are sent from and received by an Instant AP are encrypted.
11. Click Save Settings.
You cannot upload the self-signed certificate from Aruba Central. You must upload the self-signed certificate to Aruba Activate and then follow the AP reboot procedure. When the AP contacts Aruba Activate, Aruba Activate informs the AP about the self-signed AP certificate that it must download. The AP then installs the new certificate before connecting to Aruba Central. For more information, see the Aruba Activate User Guide.
Configuring Automatic GRE VPN Tunnel

In Aruba Central, you can configure an Instant AP to automatically set up a GRE tunnel from the Instant AP to the controller. To configure an Instant AP to automatically set up a GRE tunnel, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the VPN tab. The VPN details page is displayed.
5. Click the Controller accordion.
6. In the Protocol drop-down list, select Aruba GRE.
7. In the Primary host field, enter the IP address or FQDN for the main VPN/IPsec endpoint.
8. In the Backup host field, enter the IP address or FQDN for the backup VPN/IPsec endpoint. This entry is optional. When you enter the primary host IP address and backup host IP address, other fields are displayed.
9. Specify the following parameters:
a. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select the Preemption check-box. This step is optional. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
b. To allow the Instant AP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately, select the Fast Failover check-box. If the primary tunnel fails, the Instant AP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
c. To disconnect all wired and wireless users when the system switches during VPN tunnel transition from primary to backup and backup to primary, select the Reconnect User On Failover check-box.
d. To configure an interval for which wired and wireless users are disconnected during a VPN tunnel switch, specify a value in seconds for Reconnect Time On Failover within the range of 30-90 seconds. By default, the reconnection duration is set to 60 seconds.
e. Specify a value in seconds for Seconds Between Test Packets. Based on the configured frequency, the Instant AP can verify if an active VPN connection is available. The default value is 5 seconds, which means that the Instant AP sends one packet to the controller every 5 seconds.
f. Enter a value for Max Allowed Test Packet Loss, to define a number for lost packets, after which the Instant AP can determine that the VPN connection is unavailable. The default value is 2.
g. Select the Per-AP-Tunnel check-box. The administrator can enable this option to create a GRE tunnel from each Instant AP to the VPN/GRE Endpoint rather than the tunnels created just from the master Instant AP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the Instant AP itself and need not be forwarded through the master Instant AP.
10. Click Save Settings.
Configuring a GRE VPN Tunnel
You can also manually configure a GRE tunnel by configuring the GRE tunnel parameters on the Instant AP and controller. This procedure describes the steps involved in the manual configuration of a GRE tunnel from virtual controller by using Aruba Central. During the manual GRE setup, you can either use the virtual controller IP or the Instant AP IP to create the GRE tunnel at the controller side depending upon the following Instant AP settings:
• If a virtual controller IP is configured and if Per-AP tunnel is disabled, the virtual controller IP is used to create the GRE tunnel.
• If a virtual controller IP is not configured or if Per-AP tunnel is enabled, the Instant AP IP is used to create the GRE tunnel.
To configure the GRE tunnel manually, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the VPN tab. The VPN details page is displayed.
5. Click the Controller accordion.
6. In the Protocol drop-down list, select Manual GRE.
7. Specify the following parameters:
a. Host--Enter the IPv4 or IPv6 address or FQDN for the main VPN/GRE tunnel.
b. Backup Host--(Optional) Enter the IPv4 or IPv6 address or FQDN for the backup VPN/GRE tunnel. You can edit this field only after you enter the IP address or FQDN in the Host field.
c. Reconnect User On Failover--When you enter the host IP address and backup host IP address, this field appears. Select this check box to disconnect all wired and wireless users when the system switches during VPN tunnel transition from primary to backup and backup to primary.
d. Reconnect Time On Failover--If you select the Reconnect User On Failover check box, this field appears. To configure an interval for which wired and wireless users must be disconnected during a VPN tunnel switch, specify a value within a range of 30-90 seconds. By default, the reconnection duration is set to 60 seconds.
e. GRE Type--Enter a value for the parameter.

f. GRE MTU--Specify a size for the GRE MTU within the range of 1024-1500. After GRE encapsulation, if packet length exceeds the configured MTU, IP fragmentation occurs. The default MTU size is 1300.
g. Per-AP-Tunnel--The administrator can enable this option to create a GRE tunnel from each Instant AP to the VPN/GRE endpoint rather than the tunnels created just from the master Instant AP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the Instant AP itself and need not be forwarded through the master Instant AP.
By default, the Per-AP tunnel option is disabled.
h. To disconnect all wired and wireless users when the system switches during VPN tunnel transition from primary to backup and backup to primary, select the Reconnect User On Failover check box.
8. When the GRE tunnel configuration is completed on both the Instant AP and Controller, the packets sent from and received by an Instant AP are encapsulated, but not encrypted.
Configuring an L2TPv3 VPN Tunnel
The Layer 2 Tunneling Protocol version 3 (L2TPv3) feature allows an Instant AP to act as an L2TP Access Concentrator (LAC) and tunnel all L2 traffic of wireless clients from the AP to the LNS. In a centralized L2 model, the VLANs on the corporate side are extended to remote branch sites. Wireless clients associated with an Instant AP get their IP addresses from the DHCP server running on the LNS. For this, the AP has to transparently allow DHCP transactions through the L2TPv3 tunnel. To configure an L2TPv3 tunnel by using Aruba Central, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the VPN tab. The VPN details page is displayed.
5. Click the Controller accordion.
6. In the Protocol drop-down list, select L2TPv3.
7. To configure a tunnel profile, complete the following steps:
a. Turn on the Enable Tunnel Profile toggle switch.
b. Enter the profile name.
c. Enter the primary server IP address.
d. Enter the remote end backup tunnel IP address. This is an optional field and is required only when backup server is configured.
e. Enter the peer UDP and local UDP port numbers. The default value is 1701.
f. Enter the interval at which the hello packets are sent through the tunnel. The default value is 60 seconds.
g. Select MD5 or SHA as the message digest used for message authentication.
h. Enter a shared key for the message digest. This key should match the shared key of the tunnel end point.
i. If required, set the failover mode. The following two failover modes are supported:
• Preemptive--In this mode, if the primary comes up when the backup is active, the backup tunnel is deleted and the primary tunnel resumes as an active tunnel. If you configure the tunnel to be preemptive and the primary tunnel goes down, it starts the persistence timer, which tries to bring up the primary tunnel.
• Non-Preemptive--In this mode, when the backup tunnel is established after the primary tunnel goes down, it does not make the primary tunnel active again.
• Set an interval between every failover retry. The default value is 60 seconds.
j. Configure a number of retries before the tunnel fails over.
k. Ensure that Checksum is disabled.
l. Specify a value for the tunnel MTU value if required. The default value is 1460.
m. Click Save Settings.
Configuring Routing Profiles for Instant AP VPN
Aruba Central can terminate a single VPN connection on Aruba Mobility Controller. The routing profile defines the corporate subnets which need to be tunneled through IPsec. You can configure routing profiles to specify a policy based on routing into the VPN tunnel.
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the VPN tab. The VPN details page is displayed.
5. Click the Routing accordion.
6. Click + in the Routing pane. The New Route page with the route parameters is displayed.
7. Update the following parameters:
• Destination--Specify the destination network that is reachable through the VPN tunnel. This defines the IP or subnet that must be reached through the IPsec tunnel. Traffic to the IP or subnet defined here will be forwarded through the IPsec tunnel.
• Netmask--Specify the subnet mask to the destination defined for Destination.
• Gateway--Specify the gateway to which traffic must be routed. In this field, enter one of the following based on the requirement:

  ◦ The controller IP address on which the VPN connection will be terminated. If you have a primary and backup host, configure two routes with the same destination and netmask, but ensure that the gateway is the primary controller IP for one route and the backup controller IP for the second route.
  ◦ The "tunnel" string if you are using the Instant AP in Local mode during local DHCP configuration.
• Metric--Specify the optimal path for routing traffic. A value of 1 indicates the best path, 15 indicates the worst path, and 16 indicates that the destination is unreachable on the route.
8. Click OK.
9. Click Save Settings.
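The New Route field rules above can be checked offline before a routing profile is saved. The following is an added example, not code from Aruba Central: the dictionary layout, the function name check_routes, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample profile (not from the guide); keys mirror the New Route fields.
SAMPLE_ROUTES = [
    {"destination": "10.20.0.0", "netmask": "255.255.0.0", "gateway": "192.0.2.10", "metric": 1},
    {"destination": "10.20.0.0", "netmask": "255.255.0.0", "gateway": "192.0.2.20", "metric": 2},
    {"destination": "10.30.5.7", "netmask": "255.255.255.0", "gateway": "192.0.2.10", "metric": 1},
    {"destination": "10.40.0.0", "netmask": "255.255.0.0", "gateway": "192.0.2.10", "metric": 16},
    {"destination": "10.50.0.0", "netmask": "255.255.0.0", "gateway": "198.51.100.9", "metric": 3},
    {"destination": "10.60.0.0", "netmask": "255.255.255.0", "gateway": "192.0.2.10", "metric": 1},
]


def check_routes(routes, primary, backup=None):
    """Return (tunneled, findings) for a routing profile.

    tunneled maps each valid destination network to the set of gateways that
    carry it with a usable metric (1-15); findings lists problems as strings.
    """
    known = {primary, "tunnel"}  # "tunnel" is the literal string the guide allows
    if backup:
        known.add(backup)
    tunneled, findings = {}, []
    for i, r in enumerate(routes, start=1):
        try:
            # strict=True rejects a Destination with host bits set for its Netmask.
            net = ipaddress.ip_network(f"{r['destination']}/{r['netmask']}", strict=True)
        except ValueError as exc:
            findings.append(f"route {i}: invalid destination/netmask: {exc}")
            continue
        if not 1 <= r["metric"] <= 16:
            findings.append(f"route {i}: metric {r['metric']} outside 1-16")
            continue
        if r["gateway"] not in known:
            findings.append(f"route {i}: gateway {r['gateway']} is not a configured VPN host")
            continue
        if r["metric"] == 16:
            # Per the guide, 16 marks the destination unreachable on this route.
            findings.append(f"route {i}: {net} has metric 16 (unreachable on this route)")
            continue
        tunneled.setdefault(str(net), set()).add(r["gateway"])
    if backup:
        # With a primary and a backup host, each destination needs one route per host.
        for net, gateways in tunneled.items():
            if "tunnel" in gateways:
                continue
            for host in (primary, backup):
                if host not in gateways:
                    findings.append(f"{net}: no usable route via {host}")
    return tunneled, findings


if __name__ == "__main__":
    nets, problems = check_routes(SAMPLE_ROUTES, "192.0.2.10", "192.0.2.20")
    for net, gateways in nets.items():
        print("tunneled:", net, "via", sorted(gateways))
    for p in problems:
        print("finding:", p)
```

Destinations that do not appear in the returned mapping are not covered by a usable route in the profile, which is worth reviewing against the list of corporate subnets that are expected to be tunneled.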
Configuring DHCP Pools and Client IP Assignment Modes on Instant APs
This section provides the following information:
• Configuring DHCP Scopes on Instant APs
• Configuring DHCP Server for Assigning IP Addresses to Instant AP Clients
Configuring DHCP Scopes on Instant APs
The VC supports the following types of DHCP address assignments:
• Configuring Distributed DHCP Scopes
• Configuring a Centralized DHCP Scope
• Configuring Local DHCP Scopes
Configuring Distributed DHCP Scopes
Aruba Central allows you to configure the DHCP address assignment for the branches connected to the corporate network through VPN. You can configure the range of DHCP IP addresses used in the branches and the number of client addresses allowed per branch. You can also specify the IP addresses that must be excluded from those assigned to clients, so that they are assigned statically. Aruba Central supports the following distributed DHCP scopes:
• Distributed, L2--In this mode, the VC acts as the DHCP server, but the default gateway is in the data center. Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the VC controls a scope that is a subset of the complete IP Address range for the subnet distributed across all the branches. This DHCP Assignment mode is used with the L2 forwarding mode.
• Distributed, L3--In this mode, the VC acts as the DHCP server and the default gateway. Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the VC is configured with a unique subnet and a corresponding scope.
To configure distributed DHCP scopes such as Distributed, L2 or Distributed, L3, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the DHCP accordion.
6. To configure distributed DHCP scope, click + under Distributed DHCP Scopes. The New Distributed DHCP Scopes pane is displayed.
7. Based on the type of distributed DHCP scope, configure the following parameters:

Table 118: Distributed DHCP Scope Configuration Parameters

| Data pane item | Description |
|---|---|
| Name | Enter a name for the DHCP scope. |
| Type | Select any of the following options: • Distributed, L2--On selecting Distributed, L2, the VC acts as the DHCP Server but the default gateway is in the data center. Traffic is bridged into VPN tunnel. • Distributed, L3--On selecting Distributed, L3, the VC acts as both DHCP Server and default gateway. Traffic is routed into the VPN tunnel. |
| VLAN | Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. |
| Netmask | If Distributed, L2 is selected for type of DHCP scope, specify the subnet mask. The subnet mask and the network determine the size of subnet. |
| Default Router | If Distributed, L2 is selected for type of DHCP scope, specify the IP address of the default router. |
| DNS Server | If required, specify the IP address of a DNS server. |
| Domain Name | If required, specify the domain name. |
| Lease Time | Specify a lease time for the client in minutes. |
| IP Address Range | Specify a range of IP addresses to use. To add another range, click the + icon. You can specify up to four different ranges of IP addresses. • For Distributed, L2 mode, ensure that all IP ranges are in the same subnet as the default router. On specifying the IP address ranges, a subnet validation is performed to ensure that the specified ranges of IP address are in the same subnet as the default router and subnet mask. The configured IP range is divided into blocks based on the configured client count. • For Distributed, L3 mode, you can configure any discontiguous IP ranges. The configured IP range is divided into multiple IP subnets that are sufficient to accommodate the configured client count. NOTE: You can allocate multiple branch IDs (BID) per subnet. The Instant AP generates a subnet name from the DHCP IP configuration, which the controller can use as a subnet identifier. If static subnets are configured in each branch, all of them are assigned BID 0, which is mapped directly to the configured static subnet. |
| DHCP Reservation | Displays the total number of DHCP reservations. Click the number to view the list of DHCP reservations. NOTE: You can configure DHCP reservation only on virtual controllers. From the filter bar, select a virtual controller and click the + icon to configure DHCP reservation. Specify the following details: • MAC--Specify the MAC address of the device for which the IP address has to be reserved. • IP--Specify the IP address that has to be reserved for the MAC address. The IP address should be in the IP address range. NOTE: Aruba Central allows you to configure a maximum of 32 DHCP reservations. To delete a DHCP reservation, click the delete icon. |
| Option | Specify the type and a value for the DHCP option. You can configure the organization-specific DHCP options supported by the DHCP server. For example, 176, 242, 161, and so on. To add multiple DHCP options, click the + icon. You can add up to eight DHCP options. |

8. Click Next. The Branch Size tab is displayed. Specify the number of clients to use per branch. The client count configured for a branch determines the use of IP addresses from the IP address range defined for a DHCP scope. For example, if 20 IP addresses are available in an IP address range configured for a DHCP scope and a client count of 9 is configured, only a few IP addresses (in this example, 9) from this range will be used and allocated to a branch. The Instant AP does not allow the administrators to assign the remaining IP addresses to another branch, although a lower value is configured for the client count.
9. Click Next. The Static IP tab is displayed. Specify the number of first and last IP addresses to reserve in the subnet.
10. Click Finish.
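The subnet validation and reservation limits described for a Distributed, L2 scope can be reproduced offline when preparing a scope. The following is an added example, not code from Aruba Central: the function name, argument layout and sample addresses are assumptions constructed for illustration, and the overlap and duplicate checks are extra sanity checks that the guide does not describe.

```python
import ipaddress

MAX_RANGES, MAX_RESERVATIONS = 4, 32  # limits stated in the guide

# Constructed sample scope (not from the guide).
SAMPLE_SCOPE = {
    "default_router": "10.10.0.1",
    "netmask": "255.255.255.0",
    "ranges": [("10.10.0.10", "10.10.0.29"), ("10.10.1.10", "10.10.1.20")],
    "reservations": [("aa:bb:cc:00:00:01", "10.10.0.15"),
                     ("aa:bb:cc:00:00:02", "10.10.0.200")],
}


def check_distributed_l2_scope(default_router, netmask, ranges, reservations=()):
    """Return a list of findings for a Distributed, L2 scope.

    ranges is a list of (first_ip, last_ip); reservations is a list of (mac, ip).
    """
    findings = []
    # The subnet is derived from the Default Router and Netmask fields.
    subnet = ipaddress.ip_interface(f"{default_router}/{netmask}").network
    if len(ranges) > MAX_RANGES:
        findings.append(f"{len(ranges)} IP ranges configured, limit is {MAX_RANGES}")
    valid = []
    for first, last in ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            findings.append(f"range {first}-{last} is reversed")
        elif lo not in subnet or hi not in subnet:
            # The check the guide describes: same subnet as router and mask.
            findings.append(f"range {first}-{last} is outside {subnet}")
        elif any(lo <= v_hi and v_lo <= hi for v_lo, v_hi in valid):
            findings.append(f"range {first}-{last} overlaps an earlier range")
        else:
            valid.append((lo, hi))
    if len(reservations) > MAX_RESERVATIONS:
        findings.append(
            f"{len(reservations)} DHCP reservations, limit is {MAX_RESERVATIONS}")
    seen = set()
    for mac, ip in reservations:
        addr = ipaddress.ip_address(ip)
        if not any(lo <= addr <= hi for lo, hi in valid):
            findings.append(f"reservation {mac} -> {ip} is not in a configured IP range")
        if addr in seen:
            findings.append(f"reservation {mac} -> {ip} reuses a reserved address")
        seen.add(addr)
    return findings


if __name__ == "__main__":
    for finding in check_distributed_l2_scope(**SAMPLE_SCOPE):
        print("finding:", finding)
```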
Configuring a Centralized DHCP Scope
The centralized DHCP scope supports L2 and L3 clients. When a centralized DHCP scope is configured:
• The virtual controller does not assign an IP address to the client and the DHCP traffic is directly forwarded to the DHCP Server.
• For L2 clients, the virtual controller bridges the DHCP traffic to the controller over the VPN/GRE tunnel. The IP address is obtained from the DHCP server behind the controller serving the VLAN/GRE of the client. This DHCP assignment mode also allows you to add the DHCP option 82 to the DHCP traffic forwarded to the controller.
• For L3 clients, the virtual controller acts as a DHCP relay agent that forwards the DHCP traffic to the DHCP server located behind the controller in the corporate network and reachable through the IPsec tunnel. The centralized L3 VLAN IP is used as the source IP. The IP address is obtained from the DHCP server.
To configure a centralized DHCP scope, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the DHCP accordion.
6. To configure centralized DHCP scopes, click + under Centralized DHCP Scopes.
7. The New Centralized DHCP Scope data pane is displayed.

8. Based on type of centralized DHCP scope, configure the following parameters:

Table 119: DHCP mode configuration parameters

| Data pane item | Description |
|---|---|
| Name | Enter a name for the DHCP scope. |
| Type | Select one of the following options: • Centralized, Layer-2 • Centralized, Layer-3 |
| VLAN | Specify a VLAN ID or multiple VLAN IDs by entering a list of comma separated digits or ranges, for example 1,2,5, or 1-4, or all. You can enter the VLAN ID in the range of 1-4093. To use this subnet, ensure that the VLAN ID(s) specified here is assigned to an SSID profile. |
| Split Tunnel | Enable the split tunnel function if you want to allow a VPN user to access a public network and a local LAN or WAN network at the same time through the same physical network connection. For example, a user can use a remote access VPN software client connecting to a corporate network using a home wireless network. When the split tunnel function is enabled, the user can connect to file servers, database servers, mail servers, and other servers on the corporate network through the VPN connection. When the user connects to resources on the Internet (websites, FTP sites, and so on), the connection request goes directly to the gateway provided by the home network. The split DNS functionality intercepts DNS requests from clients for non-corporate domains (as configured in Enterprise Domains list) and forwards to the Instant AP's own DNS server. When split tunnel is disabled, all the traffic including the corporate and the Internet traffic is tunneled irrespective of the routing profile specifications. If the GRE tunnel is down and when the corporate network is not reachable, the client traffic is dropped. NOTE: When split tunnel is enabled, you can specify only a single VLAN ID in the VLAN field. When split tunnel is disabled, you can enter multiple VLAN IDs separated by commas in the VLAN field. |
| DHCP Relay | Select the DHCP Relay check-box to allow the Instant APs to intercept the broadcast packets and relay DHCP requests. |
| Helper Address | Enter the IP address of the DHCP server. |
| VLAN IP | Field is applicable only if you select Centralized, Layer-3. Specify the VLAN IP address of the DHCP relay server. |
| VLAN Mask | Field is applicable only if you select Centralized, Layer-3. Specify the VLAN subnet mask of the DHCP relay server. |
| Option 82 | Select one of the following options: • None--If you have configured the DHCP Option 82 XML file, the ALU option scope is disabled in the drop-down list. To enable ALU, set the drop-down list to None and delete the DHCP Option 82 XML file. To enable the XML option, select None from the drop-down list and select the XML file from the DHCP Option 82 XML drop-down list. • ALU--ALU option is disabled if an XML file is selected from the DHCP Option 82 XML drop-down list in the System > General pane. Select ALU to enable DHCP Option 82 to allow clients to send DHCP packets with the Option 82 string. The Option 82 string is available only in the Alcatel (ALU) format. The ALU format for the Option 82 string consists of the following: ◦ Remote Circuit ID; X AP-MAC; SSID; SSID-Type ◦ Remote Agent; X IDUE-MAC • XML--XML option is enabled only if an XML file is selected from the DHCP Option 82 XML drop-down list in the System > General pane. Alternatively, to enable the XML option, select None from the drop-down list and select the XML file from the DHCP Option 82 XML drop-down list. For information related to XML files, see Configuring System Parameters for an AP. |

9. Click Save Settings.

The following table describes the behavior of the DHCP Relay Agent and Option 82 in the Instant AP.

Table 120: DHCP Relay and Option 82

| DHCP Relay | Option 82 | Behavior |
|---|---|---|
| Enabled | Enabled | DHCP packet relayed with the ALU-specific Option 82 string |
| Enabled | Disabled | DHCP packet relayed without the ALU-specific Option 82 string |
| Disabled | Enabled | DHCP packet not relayed, but broadcast with the ALU-specific Option 82 string |
| Disabled | Disabled | DHCP packet not relayed, but broadcast without the ALU-specific Option 82 string |
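The VLAN field format in Table 119 (comma-separated IDs, ranges, or all, within 1-4093) and its interaction with Split Tunnel can be checked with a small parser. The following is an added example, not code from Aruba Central: the function names and the dictionary keys are assumptions, and treating VLAN IP and VLAN Mask as mandatory for a Centralized, Layer-3 scope is an assumption drawn from the table's "applicable only" wording.

```python
import ipaddress

VLAN_MIN, VLAN_MAX = 1, 4093  # range stated in Table 119


def parse_vlan_field(text):
    """Expand a VLAN field such as "1,2,5", "1-4" or "all" into a sorted list."""
    text = text.strip().lower()
    if text == "all":
        return list(range(VLAN_MIN, VLAN_MAX + 1))
    ids = set()
    for token in text.split(","):
        # partition() yields (first, "-", last) for a range, (id, "", "") otherwise.
        lo, dash, hi = (part.strip() for part in token.partition("-"))
        if not lo.isdecimal() or (dash and not hi.isdecimal()):
            raise ValueError(f"not a VLAN ID or range: {token.strip()!r}")
        first = int(lo)
        last = int(hi) if dash else first
        if not VLAN_MIN <= first <= last <= VLAN_MAX:
            raise ValueError(f"VLAN {token.strip()!r} outside {VLAN_MIN}-{VLAN_MAX}")
        ids.update(range(first, last + 1))
    return sorted(ids)


def check_centralized_scope(scope):
    """Return a list of findings for one centralized DHCP scope (a dict)."""
    findings = []
    try:
        vlans = parse_vlan_field(scope["vlan"])
    except ValueError as exc:
        vlans = []
        findings.append(str(exc))
    # NOTE in Table 119: with split tunnel enabled only a single VLAN ID is allowed.
    if scope.get("split_tunnel") and len(vlans) > 1:
        findings.append("split tunnel enabled: only a single VLAN ID is allowed")
    if scope["type"] == "Centralized, Layer-3":
        try:
            ipaddress.ip_interface(f"{scope['vlan_ip']}/{scope['vlan_mask']}")
        except (KeyError, ValueError):
            findings.append("Layer-3 scope: VLAN IP or VLAN Mask missing or invalid")
    return findings


if __name__ == "__main__":
    # Constructed sample scope (not from the guide).
    sample = {"type": "Centralized, Layer-2", "vlan": "10,20-22", "split_tunnel": True}
    print(parse_vlan_field(sample["vlan"]))
    print(check_centralized_scope(sample))
```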

Configuring Local DHCP Scopes
You can configure the following types of local DHCP scopes on an Instant AP:
• Local--In this mode, the VC acts as both the DHCP Server and default gateway. The configured subnet and the corresponding DHCP scope are independent of subnets configured in other Instant AP clusters. The VC assigns an IP address from a local subnet and forwards traffic to both corporate and noncorporate destinations. The network address is translated appropriately and the packet is forwarded through the IPsec tunnel or through the uplink. This DHCP assignment mode is used for the NAT forwarding mode.
• Local, L2--In this mode, the VC acts as a DHCP server and the gateway is located outside the Instant AP.
• Local, L3--In this mode, the VC acts as a DHCP server and default gateway, and assigns an IP address from the local subnet. The Instant AP routes the packets sent by clients on its uplink. This DHCP assignment mode is used with the L3 forwarding mode.
To configure a new local DHCP scope, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.

3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the DHCP accordion.
6. To configure local DHCP scopes, click + under Local DHCP Scopes.
7. The New DHCP Scopes data pane is displayed.
8. Based on type of local DHCP scope, configure the following parameters:

Table 121: Local DHCP Configuration Parameters

| Data pane item | Description |
|---|---|
| Name | Enter a name for the DHCP scope. |
| Type | Select any of the following options: • Local--On selecting Local, the DHCP server for local branch network is used for keeping the scope of the subnet local to the Instant AP. In the NAT mode, the traffic is forwarded through the uplink. • Local, L2--On selecting Local, L2, the VC acts as a DHCP server and a default gateway in the local network is used. • Local, L3--On selecting Local, L3, the VC acts as a DHCP server and gateway. |
| VLAN | Enter the VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. |
| Network | Specify the network to use. |
| Netmask | Specify the subnet mask. The subnet mask and the network determine the size of subnet. |
| Excluded Address | Specify a range of IP addresses to exclude. You can add up to two exclusion ranges. Based on the size of the subnet and the value configured for Excluded address, the IP addresses either before or after the defined range are excluded. |
| DHCP Reservation | Displays the total number of DHCP reservations. Click the number to view the list of DHCP reservations. NOTE: You can configure DHCP reservation only on virtual controllers. From the filter bar, select a virtual controller and click the + icon to configure DHCP reservation. Specify the following details: • MAC--Specify the MAC address of the device for which the IP address has to be reserved. • IP--Specify the IP address that has to be reserved for the MAC address. The IP address should be in the IP address range. NOTE: Aruba Central allows you to configure a maximum of 32 DHCP reservations. To delete a DHCP reservation, click the delete icon. |
| Default Router | Enter the IP address of the default router. |
| DNS Server | Enter the IP address of a DNS server. |
| Domain Name | Enter the domain name. |
| Lease Time | Enter a lease time for the client in minutes. |
| Option | Specify the type and a value for the DHCP option. You can configure the organization-specific DHCP options supported by the DHCP server. To add multiple DHCP options, click the + icon. |

9. Click Save Settings.

Configuring DHCP Server for Assigning IP Addresses to Instant AP Clients
The DHCP server is a built-in server, used for networks in which clients are assigned IP addresses by the VC. You can customize the DHCP pool subnet and address range to provide simultaneous access to a larger number of clients. The largest address pool supported is 2048. The default size of the IP address pool is 512.
When the DHCP server is configured and if the Client IP assignment parameter for an SSID profile is set to Virtual Controller Assigned, the virtual controller assigns the IP addresses to the WLAN or wired clients. By default, the Instant AP automatically determines a suitable DHCP pool for Virtual Controller Assigned networks. The Instant AP typically selects the 172.31.98.0/23 subnet. If the IP address of the Instant AP is within the 172.31.98.0/23 subnet, the Instant AP selects the 10.254.98.0/23 subnet. However, this mechanism does not avoid all possible conflicts with the wired network. If your wired network uses either 172.31.98.0/23 or 10.254.98.0/23, and you experience problems with the Virtual Controller Assigned networks after upgrading to Aruba Central, manually configure the DHCP pool by following the steps described in this section.
To configure a domain name, DNS server, and DHCP server for client IP assignment, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the DHCP accordion.

6. Click DHCP For WLANs and enter the following information:
a. Enter the domain name of the client in Domain Name.
b. Enter the IP addresses of the DNS servers in DNS Server. To add another DNS server, click the + icon.
c. Enter the duration of the DHCP lease in Lease Time. Select Minutes, Hours, or Days for the lease time from the list next to Lease Time. The default lease time is 0.
d. Enter the network name in the Network box.
e. Enter the mask name in the Mask box.
f. Click Save Settings.
To provide simultaneous access to more than 512 clients, use the Network and Mask fields to specify a larger range. While the network (prefix) is the common part of the address range, the mask (suffix) specifies how long the variable part of the address range is.
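The automatic pool selection and the conflict it can cause with the wired network, as described above, can be checked before deployment, together with the Network and Mask needed for a larger pool. The following is an added example, not code from Aruba Central: the function names and the sample wired subnets are assumptions, and pool size is counted as total addresses in the subnet, matching the guide's figure of 512 for a /23.

```python
import ipaddress

# Subnets and limit taken from the guide.
DEFAULT_POOL = ipaddress.ip_network("172.31.98.0/23")
FALLBACK_POOL = ipaddress.ip_network("10.254.98.0/23")
MAX_POOL_SIZE = 2048

# Constructed sample of wired subnets at a site (not from the guide).
SAMPLE_WIRED = ["192.168.1.0/24", "172.31.0.0/16"]


def auto_pool(ap_ip):
    """Pool the Instant AP typically selects for Virtual Controller Assigned networks."""
    if ipaddress.ip_address(ap_ip) in DEFAULT_POOL:
        return FALLBACK_POOL
    return DEFAULT_POOL


def conflicts(pool, wired_subnets):
    """Return the wired subnets that overlap the given DHCP pool."""
    return [s for s in wired_subnets if ipaddress.ip_network(s).overlaps(pool)]


def size_pool(network, clients):
    """Smallest subnet starting at `network` that holds `clients` addresses."""
    if not 1 <= clients <= MAX_POOL_SIZE:
        raise ValueError(f"pool size must be 1-{MAX_POOL_SIZE}, got {clients}")
    host_bits = (clients - 1).bit_length()  # 512 -> 9 bits (/23), 2048 -> 11 bits (/21)
    # strict=False aligns the given address down to the subnet boundary.
    return ipaddress.ip_network(f"{network}/{32 - host_bits}", strict=False)


if __name__ == "__main__":
    pool = auto_pool("192.168.1.5")
    print("automatic pool:", pool, "conflicts:", conflicts(pool, SAMPLE_WIRED))
    manual = size_pool("192.168.96.0", 2000)
    print("manual pool: Network", manual.network_address, "Mask", manual.netmask,
          "conflicts:", conflicts(manual, SAMPLE_WIRED))
```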
Configuring Services
This section describes how to configure AirGroup, location services, Lawful Intercept, OpenDNS, SIP phones, and Firewall services.
• Configuring AirGroup Services
• Configuring an Instant AP for RTLS Support
• Configuring an Instant AP for ALE Support
• Managing BLE Beacons
• Configuring OpenDNS Credentials on Instant APs
• Configuring CALEA Server Support on Instant APs
• Configuring Instant APs for Palo Alto Networks Firewall Integration
• Configuring XML API Interface
• Configuring SIP Phones with Source-NAT
• Application Visibility and Deep Packet Inspection
Configuring AirGroup Services
AirGroup is a zero configuration networking protocol that enables service discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services. It is designed for flat, single-subnet IP networks such as wireless networking at home. Bonjour can be installed on computers running Microsoft Windows and is supported by the new network-capable printers. Bonjour uses multicast DNS (mDNS) to locate devices and the services offered by these devices. The AirGroup solution supports both wired and wireless devices. Wired devices that support Bonjour services are part of AirGroup when connected to a VLAN that is terminated on the Virtual Controller. In addition to the mDNS protocol, Instant APs also support UPnP and DLNA-enabled devices. DLNA is a network standard derived from UPnP, which enables devices to discover the services available in a network.

DLNA also provides the ability to share data between the Windows or Android-based multimedia devices. All the features and policies applicable to mDNS are extended to DLNA to ensure full interoperability between compliant devices.
Limitations
AirGroup has the following limitations:
• When 802.11r supported AirGroup servers roam and do not send any mDNS packets, the location accuracy is not updated until a new mDNS packet is advertised by the server. In such a scenario, reinitiate the mDNS packet from the server.
• AirGroup does not support temporal filter.
• AirGroup learns an Amazon device only if the device sends an advertisement and not if it is already connected.
• SSDP devices are not learnt with Wildcard query.
• AirGroup does not support wired devices.
• AirGroup supports Google Chrome browser but does not support Googlecast-based applications.
AirGroup Features
AirGroup provides the following features:
• Send unicast responses to mDNS queries and reduce the mDNS traffic footprint.
• Ensure cross-VLAN visibility and availability of AirGroup devices and services.
• Allow or block AirGroup services for all users.
• Allow or block AirGroup services based on user roles.
• Allow or block AirGroup services based on VLANs.
For more information on AirGroup solution, see Aruba Instant User Guide.
AirGroup Services
Bonjour supports zero-configuration services. The services are pre-configured and are available as part of the factory default configuration. The administrator can also enable or disable any or all services. The following services are available for Instant AP clients:
• AirPlay -- Apple AirPlay allows wireless streaming of music, video, and slide shows from your iOS device to Apple TV and other devices that support the AirPlay feature.
• AirPrint -- Apple AirPrint allows you to print from an iPad, iPhone, or iPod Touch directly to any AirPrint compatible printer.
• iTunes -- The iTunes service is used by iTunes Wi-Fi sync and iTunes home-sharing applications across all Apple devices.
• RemoteMgmt -- Use this service for remote login, remote management, and FTP utilities on Apple devices.
• Sharing -- Applications such as disk sharing and file sharing use the service IDs that are part of this service on one or more Apple devices.
• Chat -- The iChat® (Instant Messenger) application on Apple devices uses this service.
• ChromeCast -- The ChromeCast service allows you to use a ChromeCast device to play audio or video content on a high-definition television by streaming content through Wi-Fi from the Internet or local network.


• DLNA Media -- Applications such as Windows Media Player use this service to browse and play content on a remote device.
• DLNA Print -- This service is used by printers that support DLNA.
Enabling AirGroup Services
Disabling or enabling an AirGroup service results in a 20-minute delay in clearing the message queue. An AP reboot is mandatory when an AirGroup service is upgraded.
To enable AirGroup services:

1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Services tab. The Services page is displayed.
5. Click the AirGroup accordion.
6. Select the AirGroup check-box.

The mDNS (Bonjour) and SSDP (DLNA/UPNP) check-boxes are selected by default. Select at least mDNS (Bonjour) or SSDP (DLNA/UPNP) to proceed further. Optionally, select the Guest Bonjour Multicast check-box to allow guest users to use the Bonjour services that are enabled in a guest VLAN. When Guest Bonjour Multicast is enabled, the Bonjour devices are visible only in the guest VLAN and AirGroup does not discover or enforce policies in guest VLAN.

7. Under the AirGroup Settings sub-accordion, select the check-box against one or more AirGroup services listed in Table 122.

Table 122: AirGroup Services

Mode | Description
AirGroup Across Mobility Domains | AirGroup service availability in inter cluster domains.
AirPrint | Wireless printing between AirPrint capable devices and AirPrint compatible printers.
Enable AirPlay | Wireless streaming of music, video, or slide shows from AirPlay capable devices and AirPlay compatible devices.
iTunes | iTunes service for home-sharing applications.
Remote Management | Remote login, remote management, or FTP utilities on compatible devices.
Sharing | Applications like disk sharing or file sharing on compatible devices.
Chat | Instant messenger application between compatible devices.
Googlecast | Wireless streaming of audio or video content from the Internet or local network on a HDTV through a Chromecast device.
DIAL | Wireless streaming between DIAL compatible devices like Roku, Chromecast, or FireTV.
AmazonTV | Wireless playing of content from the Internet or local network on a HDTV through a FireTV device.
DLNA Print | Wireless printing between DLNA capable devices and DLNA compatible printers.
DLNA Media | Wireless browsing or playing audio or video content by applications like Windows Media Player on remote devices.
Allow All | All AirGroup services.

   • Optionally, when enabling an AirGroup service, define disallowed roles. The disallowed roles are not allowed to use the specific AirGroup service. To disallow roles:
     1. Click Edit against Disallowed Roles.
     2. Move the roles from the Available pool to the Selected pool.
     3. Click Ok.
   • Optionally, when enabling an AirGroup service, define disallowed VLANs. The disallowed VLANs are not allowed to use the specific AirGroup service. To disallow VLANs:
     1. Click Edit against Disallowed VLANs.
     2. Type the VLANs in Enter comma-separated list of VLAN IDs. Separate multiple VLANs with a comma.
     3. Click Ok.
   • Optionally, configure and enable a new AirGroup service. If defined, disallowed roles or VLANs are not allowed to use the new AirGroup service. To configure and enable a new AirGroup service:
     1. Click Add New Service.
     2. Type the service name in Service Name. Use alphanumeric characters.
     3. Type a service ID in Service ID. Use + to add additional service IDs. Sample service ID: urn:schemas-upnp-org:service:RenderingControl:1 or _sleepproxy._udp.
     4. Click Ok.
     5. Select the check-box against the new AirGroup service.
8. Optionally, under ClearPass Settings sub-accordion, configure the parameters listed in Table 123.

Table 123: ClearPass Settings

Mode | Description
ClearPass Policy Manager Server 1 | Specify the ClearPass Policy Manager server to use. Select one from the dropdown or define a new ClearPass Policy Manager server.
Enforce ClearPass Registration | Specify if ClearPass registration should be enforced.

9. Click Save Settings.
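Before saving a set of disallowed roles and VLANs, it helps to work out which clients could still discover a service. The following is an added example that models the settings in this procedure; it is not Aruba's implementation. The class and function names, the role names, the VLAN numbers, the 1-4094 VLAN range check, and the order in which the checks are applied are assumptions. The two service IDs are the samples given in the procedure.

```python
from dataclasses import dataclass, field


def parse_vlan_list(text):
    """Parse the comma-separated VLAN ID field into a set of integers."""
    vlans = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        # Assumption: valid IDs are the 802.1Q range 1-4094.
        if not item.isdecimal() or not 1 <= int(item) <= 4094:
            raise ValueError(f"invalid VLAN ID: {item!r}")
        vlans.add(int(item))
    return vlans


def discovery_protocol(service_id):
    """Classify a service ID as mDNS (_name._udp/_tcp) or SSDP (URN)."""
    if service_id.startswith("urn:"):
        return "ssdp"
    if service_id.startswith("_") and service_id.endswith(("._udp", "._tcp")):
        return "mdns"
    raise ValueError(f"unrecognised service ID: {service_id!r}")


@dataclass
class Service:
    name: str
    service_ids: list
    enabled: bool = True
    disallowed_roles: set = field(default_factory=set)
    disallowed_vlans: set = field(default_factory=set)


@dataclass
class AirGroupPolicy:
    services: list
    mdns: bool = True                      # mDNS (Bonjour) check-box
    ssdp: bool = True                      # SSDP (DLNA/UPNP) check-box
    guest_bonjour_multicast: bool = False  # Guest Bonjour Multicast check-box
    guest_vlans: set = field(default_factory=set)

    def decide(self, service_id, role, vlan):
        """Return 'allowed', 'blocked' or 'not-enforced' for one query."""
        proto = discovery_protocol(service_id)
        # With Guest Bonjour Multicast on, AirGroup does not enforce policy
        # in the guest VLAN, so disallowed roles and VLANs do not apply there.
        if proto == "mdns" and self.guest_bonjour_multicast and vlan in self.guest_vlans:
            return "not-enforced"
        if not getattr(self, proto):
            return "blocked"
        for svc in self.services:
            if service_id in svc.service_ids:
                if (not svc.enabled or role in svc.disallowed_roles
                        or vlan in svc.disallowed_vlans):
                    return "blocked"
                return "allowed"
        return "blocked"  # assumption: IDs outside every enabled service are blocked


def reachable(policy, service_id, roles, vlans):
    """Every (role, vlan, verdict) combination that is not blocked."""
    return [(r, v, verdict)
            for r in roles for v in vlans
            if (verdict := policy.decide(service_id, r, v)) != "blocked"]


def sample_policy():
    """Constructed policy: guests and VLANs 30 and 40 may not use SleepProxy."""
    return AirGroupPolicy(
        services=[
            Service("SleepProxy", ["_sleepproxy._udp"],
                    disallowed_roles={"guest"},
                    disallowed_vlans=parse_vlan_list("30, 40")),
            Service("Rendering",
                    ["urn:schemas-upnp-org:service:RenderingControl:1"]),
        ],
        ssdp=False,
        guest_bonjour_multicast=True,
        guest_vlans={99},
    )


if __name__ == "__main__":
    for row in reachable(sample_policy(), "_sleepproxy._udp",
                         ["employee", "guest"], [10, 30, 99]):
        print(row)
```

In the constructed policy the guest role is disallowed, yet a guest in VLAN 99 still gets a `not-enforced` verdict, which is the effect of the Guest Bonjour Multicast setting described in step 6.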


Configuring an Instant AP for RTLS Support
Aruba Central supports the real time tracking of devices. With the help of the RTLS, the devices can be monitored in real time or through history. To configure RTLS, complete the following steps:
1. In the Network Operations app, use the filter to select a group or a device.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click Services. The Services page is displayed.
5. Click Real Time Locating System > Aruba.
6. Select Aruba RTLS to send the RFID tag information to the Aruba RTLS server.
7. Click 3rd Party and select Aeroscout to send reports on the stations to a third-party server.
8. In the IP/FQDN and Port field, specify the IP address and port number of the RTLS server, to which location reports must be sent.
9. In the Passphrase field, enter the passphrase required for connecting to the RTLS server.
10. Retype the passphrase in the Retype Passphrase field.
11. Specify the update interval within the range of 6-60 seconds in the Update every field. The default interval is 30 seconds.
12. If 3rd Party is selected, specify the IP address and port number of the 3rd party server.
13. Select Include Unassociated Stations to send reports on the stations that are not associated to any Instant AP.
14. Click Save Settings.
Configuring an Instant AP for ALE Support
ALE is designed to gather client information from the network, process it, and share it through a standard API. The client information gathered by ALE can be used for analyzing a client's Internet behavior for business purposes, such as shopping preferences. ALE includes a location engine that calculates the associated and unassociated device location every 30 seconds by default. For every device on the network, ALE provides the following information through the Northbound API:
• Client user name
• IP address
• MAC address
• Device type
• Application firewall data, showing the destinations and applications used by associated devices.
• Current location
• Historical location
ALE requires the AP placement data to be able to calculate location for the devices in a network.
ALE with Aruba Central

Aruba Central supports Analytics and Location Engine (ALE). The ALE server acts as a primary interface to all third-party applications and the Instant AP sends client information and all status information to the ALE server. To integrate Instant AP with ALE, the ALE server address must be configured on an Instant AP. If the ALE server is configured with a host name, the Virtual Controller performs a mutual certificate-based authentication with the ALE server before sending any information.
Enabling ALE support on an Instant AP
To configure an Instant AP for ALE support:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Services tab. The Services page is displayed.
5. Click the Real Time Locating System accordion.
6. Click Aruba, and then select Analytics & Location.
7. Specify the ALE server name or IP address.
8. Specify the reporting interval within the range of 6-60 seconds. The Instant AP sends messages to the ALE server at the specified interval. The default interval is 30 seconds.
9. Click Save Settings.
Managing BLE Beacons
Instant APs support Aruba BLE devices, such as BT-100 and BT-105, which are used for location tracking and proximity detection. The BLE devices can be connected to an Instant AP and are managed by a cloud-based Beacon Management Console. The BLE Beacon Management feature allows you to configure parameters for managing the BLE beacons and establishing secure communication with the Beacon Management Console.
Support for BLE Asset Tracking
Instant AP assets can be tracked using BLE tags. Instant AP beacons scan the network. When a tag is detected, the Instant AP sends a beacon with information about the tag, including the MAC address and RSSI of the tag, to the Virtual Controller.
To manage beacons and configure BLE operation mode, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Services tab. The Services page is displayed.
5. Click the Real Time Locating System accordion.
6. Click Aruba.


7. Select Manage BLE Beacons to manage the BLE devices using BMC.
   a. Enter the authorization token in Authorization token. The authorization token is a text string of 1-255 characters used by the BLE devices in the HTTPS header when communicating with the BMC. This token is unique for each deployment.
   b. Enter the server URL in Endpoint URL. The BLE data is sent to the server URL for monitoring.
8. Select any of the following options from BLE Operation Mode drop-down list:

Table 124: BLE Operation Modes

Mode | Description
beaconing | The built-in BLE chip in the Instant AP functions as an iBeacon combined with the beacon management functionality.
disabled | The built-in BLE chip of the Instant AP is turned off. The BLE operation mode is set to Disabled by default.
dynamic-console | The built-in BLE chip of the Instant AP functions in the beaconing mode and dynamically enables access to Instant AP console over BLE when the link to LMS is lost.
persistent-console | The built-in BLE chip of the Instant AP provides access to the Instant AP console over BLE and also operates in the Beaconing mode.

9. To configure BLE web socket management server, enter the URL of BLE web socket management server in BLE Asset Tag Mgmt Server(wss).
10. Select BLE Asset Tag Mgmt Server(https) to configure BLE HTTPS management server.
   a. Enter the URL of BLE HTTPS management server in Server URL.
   b. Enter the authorization token in Authorization token.
   c. Enter the location ID in Location ID.
11. Click Save Settings.

Configuring OpenDNS Credentials on Instant APs
Instant APs use the OpenDNS credentials to provide enterprise-level content filtering. To configure OpenDNS credentials:
1. In the Network Operations app, use the filter to select a group or a device.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click Services. The Services page is displayed.
5. Click the OpenDNS accordion.
6. Enter the Username and Password.
7. Click Save Settings.

Configuring CALEA Server Support on Instant APs
LI allows the Law Enforcement Agencies to perform an authorized electronic surveillance. Depending on the country of operation, the ISPs are required to support LI in their respective networks.


In the United States, Service Providers are required to ensure LI compliance based on CALEA specifications. Aruba Central supports CALEA integration with an Instant AP in hierarchical and flat topologies, mesh Instant AP networks, and wired and wireless networks.
Enable this feature only if lawful interception is authorized by a law enforcement agency.
For more information on the communication and traffic flow from an Instant AP to CALEA server, see Aruba Instant User Guide. To enable an Instant AP to communicate with the CALEA server, complete the following steps:
• Creating a CALEA Profile
• Creating ACLs for CALEA Server Support
Creating a CALEA Profile
To create a CALEA profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Services tab. The Services page is displayed.
5. Click the CALEA accordion.
6. Specify the following parameters:
   • IP address -- Specify the IP address of the CALEA server.
   • Encapsulation type -- Specify the encapsulation type. The current release of Aruba Central supports GRE only.
   • GRE type -- Specify the GRE type.
   • MTU -- Specify a size for the MTU within the range of 68-1500. After GRE encapsulation, if packet length exceeds the configured MTU, IP fragmentation occurs. The default MTU size is 1500.
7. Click Save Settings.
Creating ACLs for CALEA Server Support
To create an access rule for CALEA, complete the following steps:
1. In the Network Operations app, use the filter to select a group or a device.
2. If you select a group, perform the following steps:
   a. Under Manage, click Devices > Access Points.
   b. Click the Config icon. The tabs to configure the group are displayed.
3. If you select a device, under Manage, click Devices.
4. Click Show Advanced, and click the Security tab. The Security page is displayed.
5. Click the Roles accordion.
6. Under Access Rules for Selected Roles, click the + icon. The New Rule window is displayed.
7. Set the Rule Type to CALEA.
8. Click Save.


9. Create a role assignment rule if required.
10. Click Save Settings.
Configuring Instant APs for Palo Alto Networks Firewall Integration
Instant APs maintain the network (such as mapping IP address) and user information for their clients in the network. To integrate the Instant AP network with a third-party network, you can enable an Instant AP to provide this information to the third-party servers. To integrate an Instant AP with a third-party network, you must add a global profile. This profile can be configured on an Instant AP with information such as IP address, port, user name, password, and firewall enabled or disabled status.
Configuring an Instant AP for Network Integration
To configure an Instant AP for network integration:
1. In the Network Operations app, use the filter to select a group or a device.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click Services. The Services page is displayed.
5. Click the Network Integration accordion.
6. Select Enable to enable PAN firewall.
7. Specify the Username and Password. Ensure that you provide user credentials of the PAN firewall administrator.
8. Re-enter the password in Retype.
9. Enter the PAN firewall IP Address.
10. Enter the port number within the range of 1-65535. The default port is 443.
11. Enter the client domain in Client Domain.
12. Click Save Settings.
Configuring XML API Interface
The XML API interface allows Instant APs to communicate with an external server. The communication between Instant AP and an external server through XML API Interface includes the following steps:
• An API command is issued in the XML format from the server to the virtual controller.
• The virtual controller processes the XML request and identifies where the client is and sends the command to the correct slave Instant AP.
• Once the operation is completed, the virtual controller sends the XML response to the XML server.
• The administrators can use the response and take appropriate action to suit their requirements. The response from the virtual controller is returned using the predefined formats.
To configure XML API for servers, complete the following steps:
1. In the Network Operations app, set the filter to select a group or a device.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click Services. The Services page is displayed.
5. Go to Network Integration > XML API Server Configuration.
6. Click + to add a new XML API server.
7. Enter a name for the XML API server in the Name text box.
8. Enter the IP address of the XML API server in the IP Address text box.
9. Enter the subnet mask of the XML API server in the Mask text box.
10. Enter a passcode in the Passphrase text box, to enable authorized access to the XML API Server.
11. Re-enter the passcode in the Retype Passphrase box.
12. To add multiple entries, repeat the procedure.
13. Click Add.
14. Click Save Settings.
15. To edit or delete the server entries, use the Edit and Delete buttons, respectively.
For information on adding an XML API request, see Aruba Instant User Guide.
Configuring SIP Phones with Source-NAT
Aruba Central allows you to use SIP phones with the source-NAT function using the centralized Gateway service. SIP ALG is supported in bridge mode along with the use of NAT on APs.
SIP phones with source-NAT are supported only on AP devices running Aruba Instant 8.6.0.3.
To configure SIP phones with source-NAT function, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Services tab. The Services details page is displayed.
5. Click the SIP accordion.
6. Click the + icon in the SIP pane. The SIP-ALG SVC Port window is displayed.
7. In the Port field, enter the port number within the range of 1-65535.
8. Select TCP or UDP from the Protocol drop-down list.
9. In the Timeout field, enter the timeout value in seconds. The value should be between 15 and 30 seconds.
10. Click OK. The SIP-ALG SVC Port table in the SIP section lists the configured SIP settings.
11. Click Save Settings.
The following figure displays the SIP configuration page:


Figure 55 SIP Configuration
Application Visibility and Deep Packet Inspection
AppRF is a custom built Layer 7 firewall capability supported for Instant APs managed by Aruba Central. It consists of an on-board deep packet inspection and a cloud-based Web Policy Enforcement service that allows creating firewall policies based on types of application. Instant APs with DPI capability analyze data packets to identify applications in use and allow you to create access rules to determine client access to applications, application categories, web categories and website URLs based on security ratings. You can also define traffic shaping policies such as bandwidth control and QoS per application for client roles. For example, you can block bandwidth monopolizing applications on a guest role within an enterprise.
The Deep Packet Inspection feature is supported on Instant APs running 6.4.3.x-4.1.x.x or later releases. The AppRF feature is not supported on IAP-104/105 and IAP-134/135 devices. You can configure Instant APs to send URL information for the blocked HTTP and HTTPS sessions to ALE. The URL information can be extracted for the associated clients for DPI, analytics, and data mining through the Northbound APIs. To enable URL information logging and extraction, enable the URL Visibility parameter in the Instant AP UI or CLI. For more information, see Aruba Instant User Guide.
For more information on DPI and application analytics, see the following topics:
• Application Visibility
• Enabling Application Visibility Service on APs
• Configuring ACLs for Deep Packet Inspection
• Configuring ACLs on APs for Website Content Classification
• Configuring Custom Redirection URLs for Instant AP Clients
Enabling Application Visibility Service on APs
To view application usage metrics for WLAN clients, enable the Application Visibility service on APs. To enable the Application Visibility feature, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon to display the AP configuration dashboard.
4. If you select the device, click Device under Manage.
5. Click Show Advanced.
6. Click Services. The Services page is displayed.
7. Click AppRF.
8. Select any of the following options for Deep Packet Inspection:
   • All -- Performs deep packet inspection on client traffic to application, application categories, website categories, and websites with a specific reputation score.
   • App -- Performs deep packet inspection on client traffic to applications and application categories.
   • WebCC -- Performs deep packet inspection on client traffic to specific website categories and websites with specific reputation ratings.
   • None -- Disables deep packet inspection.
9. Click Save Settings.
Configuring Uplink Interfaces on Instant APs
This section provides the following information:
• Configuring Uplink Interfaces
• Configuring Uplink Preferences and Switching
Configuring Uplink Interfaces
Aruba Central supports 3G and 4G USB modems, and the Wi-Fi uplink to provide access to the corporate network.
By default, the AP-318, AP-374, AP-375, and AP-377 access points have Eth1 as the uplink port and Eth0 as the downlink port. Aruba recommends that you do not upgrade these access points to the 8.5.0.0 and 8.5.0.1 firmware versions, because the upgrade process changes the uplink from the Eth1 port to the Eth0 port, making the devices unreachable.
The following types of uplinks are supported on Aruba Central:
• 3G/4G Uplink
• Ethernet Uplink
• Wi-Fi Uplink
3G/4G Uplink
Aruba Central supports the use of 3G/4G USB modems to provide the Internet backhaul to Aruba Central. The 3G/4G USB modems can be used to extend client connectivity to places where an Ethernet uplink cannot be configured. This enables the Instant APs to automatically choose the available network in a specific region.
Types of Modems
Aruba Central supports the following three types of 3G modems:
• True Auto Detect -- Modems of this type can be used only in one country and for a specific ISP. The parameters are configured automatically and hence no configuration is necessary.
• Auto-detect + ISP/country -- Modems of this type require the user to specify the Country and ISP. The same modem is used for different ISPs with different parameters configured for each of them.
• No Auto Detect -- Modems of this type are used only if they share the same Device-ID, Country, and ISP details. You need to configure different parameters for each of them. These modems work with Aruba Central when the appropriate parameters are configured.

Table 125: 4G Supported Modem

Modem Type | Supported 4G Modem
True Auto Detect | Pantech UML290; Ether-lte

When UML290 runs in auto detect mode, the modem can switch from 4G network to 3G network or vice-versa based on the signal strength. To configure the UML290 for the 3G network only, manually set the USB type to pantech-3g. To configure the UML290 for the 4G network only, manually set the 4G USB type to pantech-lte.

Configuring Cellular Uplink Profiles
To configure 3G or 4G uplinks using Aruba Central, complete the following steps:
Before you begin, obtain the modem configuration parameters from the local IT administrator or the modem manufacturer.
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Uplink accordion.
6. Under 3G/4G, perform any of the following steps:
   • To configure a 3G or 4G uplink automatically, select the Country and ISP. The parameters are automatically populated.
   • To configure a 3G or 4G uplink manually, perform the following steps:
     a. Select the country from the Country drop-down list.
     b. Select the service protocol from the ISP drop-down list.
     c. Enter the 3G/4G modem driver type:
        • For 3G -- Enter the type of 3G modem in the USB Type text box.
        • For 4G -- Enter the type of 4G modem in the 4G USB Type text box.
     d. Enter the device ID of the modem in the USB DEV text box.
     e. Enter the TTY port of the modem in the USB TTY text box.
     f. Enter the parameter to initialize the modem in the USB INIT text box.
     g. Enter the parameter to dial the cell tower in the USB Dial text box.
     h. Enter the parameter used to switch a modem from the storage mode to modem mode in the USB Mode Switch text box.
     i. Select the USB authentication type from the USB Auth Type drop-down list.
     j. Enter the username used to dial the ISP in the USB User text box.
     k. Enter the password used to dial the ISP in the USB Password text box.
7. Click Save Settings.
8. Reboot the Instant AP for the changes to take effect.
Ethernet Uplink
The Ethernet 0 port on an Instant AP is enabled as an uplink port by default. The Ethernet uplink supports the following:
• PPPoE
• DHCP
• Static IP
You can use PPPoE for your uplink connectivity in a single AP deployment.
Uplink redundancy with the PPPoE link is not supported.
When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured, PPPoE has the highest priority for the uplink connections. The Instant AP can establish a PPPoE session with a PPPoE server at the ISP and get authenticated using PAP or the CHAP. Depending upon the request from the PPPoE server, either the PAP or the CHAP credentials are used for authentication. After configuring PPPoE, reboot the Instant AP for the configuration to take effect. The PPPoE connection is dialed after the AP comes up. The PPPoE configuration is checked during Instant AP boot and if the configuration is correct, Ethernet is used for the uplink connection.
When PPPoE is used, do not configure Dynamic RADIUS Proxy and IP address of the VC. An SSID created with default VLAN is not supported with PPPoE uplink.
You can also configure an alternate Ethernet uplink to enable uplink failover when an Ethernet port fails.
Configuring PPPoE Uplink Profile
To configure PPPoE settings, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Uplink accordion.


6. Under PPPoE, configure the following parameters:
   a. Enter the PPPoE service name provided by your service provider in the Service Name.
   b. In the CHAP Secret and Retype CHAP Secret fields, enter the secret key used for CHAP authentication. You can use a maximum of 34 characters for the CHAP secret key.
   c. To set a local interface for the PPPoE uplink connections, select a value from Local Interface. The selected DHCP scope is used as a local interface on the PPPoE interface and the Local, L3 DHCP gateway IP address as its local IP address. When configured, the local interface acts as an unnumbered PPPoE interface and allocates the entire Local, L3 DHCP subnet to the clients.
   d. Enter the user name for the PPPoE connection in the User field.
   e. In the Password and Retype Password fields, enter a password for the PPPoE connection and confirm it.
The options in Local Interface are displayed only if a Local, L3 DHCP scope is configured on the Instant AP.
7. Click Save Settings.
8. Reboot the Instant AP.
Wi-Fi Uplink
The Wi-Fi uplink is supported for all Instant AP models, except 802.11ac APs. Only the master Instant AP uses the Wi-Fi uplink. The Wi-Fi uplink can connect to open, PSK-CCMP, and PSK-TKIP SSIDs.
- For single radio Instant APs, the radio serves wireless clients and Wi-Fi uplink.
- For dual radio Instant APs, both radios can be used to serve clients but only one of them can be used for Wi-Fi uplink.
When Wi-Fi uplink is in use, the client IP is assigned by the internal DHCP server.
Configuring a Wi-Fi Uplink Profile
The following configuration conditions apply to the Wi-Fi uplink:
- To bind or unbind the Wi-Fi uplink on the 5 GHz band, reboot the Instant AP.
- If Wi-Fi uplink is used on the 5 GHz band, mesh is disabled. The two links are mutually exclusive.
To provision an Instant AP with Wi-Fi Uplink, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Uplink accordion.
6. Under Wi-Fi, enter the name of the wireless network that is used for Wi-Fi uplink in the Name(SSID) box.
7. From Band, select the band in which the VC currently operates. The following options are available:
   - 2.4 GHz (default)
   - 5 GHz
8. From Key Management drop-down list, select the type of key for uplink encryption and authentication.
   - When WPA Personal or WPA-2 Personal key management type is selected, the passphrase options are available for configuration.
     a. Select a passphrase format from the Passphrase Format drop-down list. The following passphrase options are available:
        - 8 - 63 alphanumeric characters
        - 64 hexadecimal characters
        Ensure that the hexadecimal password string is exactly 64 digits in length.
     b. Enter a PSK passphrase in Passphrase.
   - When WPA Enterprise or WPA-2 Enterprise key management type is selected, the 802.1x authentication options are available for configuration.
     a. From the WiFi1X drop-down list, select 802.1x authentication protocol to be used:
        - Specify the certificate type to be used by selecting Cert TPM or Cert User.
        - If PEAP authentication type is selected, enter the user credentials in the Username and Password text box.
     b. Toggle the Validate Server button to enable or disable server certificate verification by the AP.
9. Click Save Settings.
If the uplink wireless router uses mixed encryption, WPA-2 Personal or WPA-2 Enterprise is recommended for Wi-Fi uplink.
Configuring Uplink Preferences and Switching
This section describes the following topics:
- Enforcing Uplinks
- Setting an Uplink Priority
- Enabling Uplink Pre-emption
Enforcing Uplinks
The following conditions apply to the uplink enforcement:
- When an uplink is enforced, the Instant AP uses the specified uplink regardless of uplink pre-emption configuration and the current uplink status.

- When an uplink is enforced and multiple Ethernet ports are configured and uplink is enabled on the wired profiles, the Instant AP tries to find an alternate Ethernet link based on the priority configured.
- When no uplink is enforced and pre-emption is not enabled, and if the current uplink fails, the Instant AP tries to find an available uplink based on the priority configured.
- When no uplink is enforced and pre-emption is enabled, and if the current uplink fails, the Instant AP tries to find an available uplink based on the priority configured. If the current uplink is active, the Instant AP periodically tries to use a higher priority uplink and switches to the higher priority uplink even if the current uplink is active.
To enforce a specific uplink on an Instant AP, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Uplink accordion.
6. Under Management > Enforce Uplink, select the type of uplink from the drop-down list. If Ethernet uplink is selected, the Port field is displayed.
7. Specify the Ethernet interface port number.
8. Click Save Settings.
The selected uplink is enforced on the Instant AP.
Setting an Uplink Priority
To set an uplink priority, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Uplink accordion.
6. Under Management > Uplink Priority List, select the uplink to increase or decrease the priority. By default, the Eth0 uplink is set as a high priority uplink.
7. Click Save Settings.
The selected uplink is prioritized over other uplinks.
Enabling Uplink Pre-emption
The following configuration conditions apply to uplink pre-emption:
- Pre-emption can be enabled only when no uplink is enforced.
- When pre-emption is disabled and the current uplink fails, the Instant AP tries to find an available uplink based on the uplink priority configuration.
- When pre-emption is enabled and if the current uplink is active, the Instant AP periodically tries to use a higher priority uplink, and switches to a higher priority uplink even if the current uplink is active.
To enable uplink pre-emption, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Uplink accordion.
6. Under Management, ensure that Enforce Uplink is set to None.
7. Select the Pre-emption check-box.
8. Specify a value for Pre-emption Interval.
9. Click Save Settings.
Switching Uplinks based on the Internet Availability
You can configure Aruba Central to switch uplinks based on the Internet availability. When the uplink switchover based on Internet availability is enabled, the Instant AP continuously sends ICMP packets to some well-known Internet servers. If the request is timed out due to a bad uplink connection or uplink interface failure, and the Internet is not reachable from the current uplink, the Instant AP switches to a different connection.
To configure uplink switching, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Uplink accordion.
6. Under Management, specify a value for Failover Internet IP.
7. Select the Internet Failover check-box.
8. Specify values for Failover Internet Packet Send Frequency, Failover Internet Packet Lost Count, and Internet Check Count.
9. Click Save Settings.
By default, the master AP sends the ICMP packets to 8.8.8.8 IP address only if the out-of-service operation based on Internet availability (internet-down state) is configured on the SSID. You can use Failover Internet IP as an alternative to the default option to configure an IP address to which the AP must send AP packets, and verify if the Internet is reachable when the uplink is down. When Internet Failover is enabled, the Instant AP ignores the VPN status, even if uplink switching based on VPN status is enabled.
Configuring Preferred Uplink on AP-318 and 370 Series APs
The AP-318 and 370 Series APs have an Ethernet port for Eth0 and a fiber port for Eth1. Either of these ports can be configured as the uplink port as required. By default, Eth1 port is configured as the uplink for these AP platforms. All functionality of the Eth0 port is supported by Eth1 port, with the following exceptions:
- Eth0 bridging feature is not supported when the Eth1 port is configured as preferred uplink.
- If LACP is enabled, the Eth1 port cannot be configured as the preferred uplink.
By default, the AP-318, AP-374, AP-375, and AP-377 Instant APs have Eth1 as the uplink port and Eth0 as the downlink port. Aruba recommends that you do not upgrade the mentioned access points to 8.5.0.0 and 8.5.0.1 firmware versions, as the upgrade process changes the uplink from Eth1 to Eth0 port, thereby making the devices non-reachable.
Configuring Enterprise Domains
In a typical Instant AP deployment without tunneling, all DNS requests from a client are forwarded to the client's DNS server by default. However, if an Instant AP is configured for tunneling, the IAP-VPN enables split DNS by default, and the DNS behavior for the clients on the Instant AP network is determined by the enterprise domain settings. The enterprise domain setting on the Instant AP specifies the domains for which DNS resolution must be forwarded to the default DNS server of the client. For example, if the enterprise domain is configured for arubanetworks.com, the DNS resolution for host names in the arubanetworks.com domain is forwarded to the default DNS server of the client. The DNS resolution for host names in all other domains is forwarded to the local DNS server of the Instant AP.
In a full-tunnel mode, all DNS traffic is forwarded over IPSec tunnel to DNS server of the client regardless of the enterprise domain configuration. If an asterisk is configured in the enterprise domain list instead of a domain name, then all DNS requests are forwarded to the default DNS server of the client. Split DNS functionality is supported for IAP-VPN scenarios only.
To configure an enterprise domain, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the Enterprise Domains accordion.
6. Click + in the Enterprise Domains pane, and enter a name in the New Domain Name window.
7. Click OK.
8. Click Save Settings.
To delete an enterprise domain, select the domain in the Enterprise Domains pane, and then click the delete icon.
Configuring SNMP Parameters
This section describes the following topics:
- SNMP Configuration Parameters
- Configuring Community String for SNMP
- Configuring SNMP Trap Receivers

SNMP Configuration Parameters
Aruba Central supports SNMPv1, SNMPv2c, and SNMPv3 for reporting purposes only. An Instant AP cannot use SNMP to set values in an Aruba system. You can configure the following parameters for an Instant AP:

Table 126: SNMP Parameters

| Data Pane Item | Description |
|---|---|
| Community Strings for SNMPV1 and SNMPV2 | An SNMP Community string is a text string that acts as a password, and is used to authenticate messages sent between the virtual controller and the SNMP agent. |

If you are using SNMPv3 to obtain values from the Instant AP, you can configure the following parameters:

| Data Pane Item | Description |
|---|---|
| Name | A string representing the name of the user. |
| Authentication Protocol | An indication of whether messages sent on behalf of this user can be authenticated, and if so, the type of authentication protocol used. This can take one of the two values: MD5--HMAC-MD5-96 Digest Authentication Protocol; SHA--HMAC-SHA-96 Digest Authentication Protocol |
| Authentication protocol password | If messages sent on behalf of this user can be authenticated, the (private) authentication key for use with the authentication protocol. This is a string password for MD5 or SHA depending on the choice above. |
| Privacy protocol | An indication of whether messages sent on behalf of this user can be protected from disclosure, and if so, the type of privacy protocol which is used. This takes the value DES (CBC-DES Symmetric Encryption). |
| Privacy protocol password | If messages sent on behalf of this user can be encrypted/decrypted with DES, the (private) privacy key for use with the privacy protocol. |

Configuring Community String for SNMP
This section describes the procedure for configuring SNMPv1, SNMPv2, and SNMPv3 community strings in Aruba Central.
Creating Community strings for SNMPv1 and SNMPv2 using Aruba Central
To create community strings for SNMPv1 and SNMPv2, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the SNMP accordion.
6. Under SNMP, click + to add a new community string.
7. In the New SNMP window, enter a name for the community string.
8. Click OK.
9. To delete a community string, select the string in the SNMP pane, and then click the delete icon.
Creating community strings for SNMPv3 using Aruba Central
To create community strings for SNMPv3, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the SNMP accordion.
6. Under User for SNMPV3, click + to add a new community string for SNMPv3.

7. In the New SNMPv3 User window, enter the following information:
   a. In the Auth protocol drop-down list, select the type of authentication protocol.
   b. In the Password text-box, enter the authentication password and retype the password in the Retype Password text-box.
   c. In the Privacy protocol drop-down list, select the type of privacy protocol.
   d. In the Password text-box, enter the privacy protocol password and retype the password in the Retype Password text box.
   e. Click OK.
8. To edit the details for a particular user, select the user, and then click the edit icon.
9. To delete a particular user, select the user, and then click the delete icon.
Configuring SNMP Trap Receivers
Aruba Central supports the configuration of external trap receivers. Only the Instant AP acting as the VC generates traps. The OID of the traps is 1.3.6.1.4.1.14823.2.3.3.1.200.2.X.
To configure SNMP traps, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the SNMP accordion.
6. Under SNMP Traps Receivers, click + to add a new community string for SNMP Traps Receivers.
7. In the New SNMP Trap Receiver window, enter the following information:
   a. In the IP Address text-box, enter the IP address of the new SNMP Trap Receiver.
   b. In the Version drop-down list, select the SNMP version, such as v1, v2c, v3. The version specifies the format of traps generated by the access point.
   c. In the Community/Username text-box, specify the community string for SNMPv1 and SNMPv2c traps and a username for SNMPv3 traps.
   d. In the Port text-box, enter the port to which the traps are sent. The default value is 162.
   e. In the Inform drop-down list, select Yes or No. When enabled, traps are sent as SNMP INFORM messages. It is applicable to SNMPv3 only. The default value is Yes.
   f. Click OK.
Configuring Syslog and TFTP Servers for Logging Events

This section describes the following topics:
- Configuring Syslog Server on Instant APs
- Configuring TFTP Dump Server Instant APs
Configuring Syslog Server on Instant APs
To specify a syslog server for sending syslog messages to the external servers, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the Logging accordion.
6. In the Servers section, enter the IP address of the syslog server in the Syslog Server text-box. You can enter up to three IP addresses in the Syslog Server text box. Separate each value with a comma.
Aruba Central allows you to configure up to three syslog servers for logging events.
7. Click Syslog Facility Levels, and enter the required logging level from the drop-down in each of the fields. Syslog facility is an information field associated with a syslog message. It is an application or operating system component that generates a log message. The Instant AP supports the following syslog facilities:
   - Syslog Level--Detailed log about syslog levels.
   - AP-Debug--Detailed log about the AP device.
   - Network--Log about change of network, for example, when a new Instant AP is added to a network.
   - Security--Log about network security, for example, when a client connects using wrong password.
   - System--Log about configuration and system status.
   - User--Important logs about client.
   - User-Debug--Detailed log about client.
   - Wireless--Log about radio.
   Table 127 describes the logging levels in order of severity, from the most severe to the least.
Table 127: Logging Levels

| Logging level | Description |
|---|---|
| Emergency | Panic conditions that occur when the system becomes unusable. |
| Alert | Any condition requiring immediate attention and correction. |
| Critical | Any critical condition such as a hard drive error. |
| Error | Error conditions. |
| Warning | Warning messages. |
| Notice | Significant events of a non-critical nature. The default value for all syslog facilities. |
| Information | Messages of general interest to system users. |
| Debug | Messages containing information useful for debugging. |
8. Click Save Settings.

Configuring TFTP Dump Server Instant APs
To configure a TFTP server for storing core dump files, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the Logging accordion.
6. In the Servers section, enter the IP address of the TFTP server in the TFTP Dump Server text-box.
7. Click Save Settings.
Configuring Mobility for Clients
This section provides the following information on Layer-3 Mobility for Instant AP clients:
- Layer-3 Mobility
- Configuring L3 Mobility Domain

Layer-3 Mobility
Instant APs form a single Aruba Central network when they are in the same Layer-2 (L2) domain. As the number of clients increases, multiple subnets are required to avoid broadcast overhead. In such a scenario, a client must be allowed to roam away from the Aruba Central network to which it first connected (home network) to another network supporting the same WLAN access parameters (foreign network) and continue its existing sessions. Layer-3 (L3) mobility allows a client to roam without losing its IP address and sessions. If WLAN access parameters are the same across these networks, clients connected to Instant APs in a given Aruba Central network can roam to Instant APs in a foreign Aruba Central network and continue their existing sessions using their IP addresses. You can configure a list of Virtual Controller IP addresses across which L3 mobility is supported.
Home Agent Load Balancing
Home Agent Load Balancing is required in large networks where multiple tunnels might terminate on a single border or lobby AP and overload it. When load balancing is enabled, the VC assigns the home AP for roamed clients by using a round robin policy. With this policy, the load for the APs acting as Home Agents for roamed clients is uniformly distributed across the Instant AP cluster.
Configuring L3 Mobility Domain
To configure a mobility domain, you have to specify the list of all Aruba Central networks that form the mobility domain. To allow clients to roam seamlessly among all the APs, specify the VC IP for each foreign subnet. You may include the local Aruba Central or VC IP address, so that the same configuration can be used across all Aruba Central networks in the mobility domain. Aruba recommends that you configure all client subnets in the mobility domain. When client subnets are configured:
- If a client is from a local subnet, it is identified as a local client. When a local client starts using the IP address, the L3 roaming is terminated.
- If the client is from a foreign subnet, it is identified as a foreign client. When a foreign client starts using the IP address, the L3 roaming is set up.
To configure a Layer-3 Mobility domain, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the Layer-3 Mobility accordion.
6. Turn on the Home Agent Load Balancing toggle switch. By default, home agent load balancing is disabled.
7. Under IP Address, click +, and enter an IP address name in the New IP Address window, and then click OK. Repeat Step 7 to add the IP addresses of all VCs that form the L3 mobility domain.
8. Under Subnets, click +, and specify the following:
   a. Enter the client subnet in the IP Address box.
   b. Enter the mask in the Subnet Mask box.
   c. Enter the VLAN ID in the home network in the VLAN ID box.
   d. Enter the home VC IP address for this subnet in the Virtual Controller IP box.
9. Click OK.
Mapping Instant AP Certificates
When an Instant AP joins a group that does not have a certificate, the Instant AP's existing certificate is retained. When an Instant AP joins a group that already has a certificate, the Instant AP's certificate is overwritten by the group certificate. To map an Instant AP certificate name to a specific certificate type or category, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab. The Security details page is displayed.
5. Click the Certificate Usage accordion.
6. To map a certificate, for each usage type under Usage Type, select the suitable certificate from the Certificate drop-down list:
   - Certificate Authority--To verify the identity of a client.
   - Authentication Server--To verify the identity of the server to a client.
   - Captive Portal--To verify the identity of internal captive portal server.
   - RadSec--To verify the identity of the TLS server.
   - RadSec Certificate Authority--To verify the authentication between the Instant AP and the TLS server.
   - Clearpass--To verify the identity of the ClearPass server.
7. Click Save Settings.
To enable certificates for the Cloud Guest Service, contact the Aruba Central support team.
Configuring HTTP Proxy on an Instant AP
If your network requires a proxy server for Internet access, ensure that you configure the HTTP proxy on the Instant AP to download the image from the cloud server. After setting up the HTTP proxy settings, the Instant AP connects to the Activate server, Aruba Central, or OpenDNS server through a secure HTTP connection. You can also exempt certain applications from using the HTTP proxy (configured on an Instant AP) by providing their host name or IP address under exceptions. Aruba Central allows the user to configure the HTTP proxy on an Instant AP.

To configure HTTP proxy on Instant AP through Aruba Central, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the System tab. The System details page is displayed.
5. Click the Proxy accordion and specify the following:
   a. Enter the HTTP proxy server IP address in the Server text-box.
   b. Enter the port number in the Port text-box.
6. Click Save Settings.
Aruba Central displays the Username, Password, and Retype Password fields under System > Proxy for Instant APs running Aruba Instant 8.3.0.0. The Instant APs with the Aruba Instant 8.3.0.0 firmware require user credentials for proxy server authentication.
Configuring APs Using Templates
Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AP deployments.
To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that the device administrators familiarize themselves with the CLI configuration commands available on Aruba APs.
For template-based provisioning, APs must be assigned to a group with template-based configuration method enabled. To create a template for the APs in a template group, complete the following steps:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure access points in a template group are displayed.
4. In the Templates table, click + to add a new template. The Add Template window is displayed.
5. Under Basic Info, enter the following information:
a. Template Name--Enter the template name.
b. Model--Set the model parameter to ALL.
c. Version--Set the model parameter to ALL.
6. Under Template, add the CLI script content.
7. Check the following guidelines before adding content to the template:
   - Ensure that the command text indentation matches the indentation in the running configuration.
   - The template allows multiple per-ap-settings blocks. The template must include the per-ap-settings %_sys_lan_mac% variable. The per-ap-settings block uses the variables for each AP. The general VC configuration uses variables for master AP to generate the final configuration from the provided template. Hence, Aruba recommends that you upload all variables for all devices in a cluster and change values as required for individual AP variables.
   - You can obtain the list of variables for per-ap-settings by using the show amp-audit command. The following example shows the list of variables for per-ap-settings.

    (Instant AP)# show amp-audit | begin per-ap
    per-ap-settings 70:3a:0e:cc:ee:60
      hostname EE:60-335-24
      rf-zone bj-qa
      ip-address 10.65.127.24 255.255.255.0 10.65.127.1 10.65.6.15 ""
      swarm-mode standalone
      wifi0-mode access
      wifi1-mode access
      g-channel 6+ 21
      a-channel 140 26
      uplink-vlan 0
      g-external-antenna 0
      a-external-antenna 0
      ap1x-peap-user peap22 282eaf1077b8d898b91ec41b5da19895

The commands in the template are case-sensitive. IF ELSE ENDIF conditions are supported in the template. If the template text includes the if condition, % sign is required at the beginning and the end of the text. For example, %if guest%. The following example shows the template text with the IF ELSE ENDIF condition.

    wlan ssid-profile %ssid_name%
      %if disable_ssid=true%
      disable-ssid
      %endif%
      %if ssid_security=wpa2%
      opmode wpa2-aes
      %else%
      opmode opensystem
      %endif%

Templates also support nesting of the IF ELSE END IF condition blocks. The following example shows how to nest such blocks:

    %if condition1=true%
    routing-profile
      route 10.10.0.0 255.255.255.0 10.10.0.255
    %if condition2=true%
    routing-profile
      route 10.20.0.0 255.255.255.0 10.20.0.255
    %else%
    routing-profile
      route 10.30.0.0 255.255.255.0 10.30.0.255
    %endif%
    %else%
    routing-profile
      route 10.40.0.0 255.255.255.0 10.40.0.255
    %if condition3=true%
    routing-profile
      route 10.50.0.0 255.255.255.0 10.50.0.255
    %else%
    routing-profile
      route 10.60.0.0 255.255.255.0 10.60.0.255
    %endif%
    %endif%

For profile configuration CLI text, for example, vlan, interface, access-list, ssid and so on, the first command must start with no white space. The subsequent local commands in given profile must start with at least one initial space (' ') or indented as shown in the following examples:
Example 1

    vlan 1
      name "vlan1"
      no untagged 1-24
      ip address dhcp-bootp
      exit

Example 2

    %if vlan_id1%
    vlan %vlan_id1%
      %if vlan_id1=1%
      ip address dhcp-bootp
      %endif%
      no untagged %_sys_vlan_1_untag_command%
      exit
    %endif%

To comment out a line in the template text, use the pound sign (#). Any template text preceded by # is ignored when processing the template.
To allow or restrict APs from joining the Instant AP cluster, Aruba Central uses the _sys_allowed_ap system-defined variable. Use this variable only when allowed APs configuration is enabled. For example, _sys_allowed_ap: "a_mac, b_mac, c_mac". Use this variable only once in the template.
8. Click OK.
The variables configured for the Instant AP devices functioning as the VCs are replaced with the values configured at the template level. If any device in the cluster has any missing variables, the configuration push to those AP devices in the cluster fails. The audit trail for such instances shows the missing variables. You can configure the RF zone for an AP by adding the rf-zone %rfzone% variable in the template. Similarly, you can add the wifi0-mode %wifi0-mode% variable to configure a Wi-Fi0 interface of an AP to function in the access, monitor, or spectrum monitor mode.
Sample Template
The following example shows the typical contents allowed in a template file for APs:

virtual-controller-country %countrycode%
virtual-controller-key d2d8c79e010af35667dae85f950cf144b476ab4beba9ce5696
organization %org%
name %VCname%
virtual-controller-ip %vcip%
terminal-access
clock time zone none 00 00
rf-band all

allow-new-aps
allowed-ap 38:17:c3:cd:34:ca

hash-mgmt-password
hash-mgmt-user admin password cleartext public

syslog-level debug
syslog-level warn ap-debug

arm
 wide-bands none
 a-channels 44,44+,40,36
 g-channels 13,1+
 min-tx-power 15
 max-tx-power 127
 band-steering-mode prefer-5ghz
 air-time-fairness-mode fair-access
 channel-quality-aware-arm-disable
 client-match
 client-match nb-matching 55
 client-match calc-interval 5
 client-match slb-mode 2

wlan access-rule default_wired_port_profile
 index 0
 rule any any match any any any permit

wlan access-rule wired-SetMeUp
 index 1
 rule masterip 0.0.0.0 match tcp 80 80 permit
 rule masterip 0.0.0.0 match tcp 4343 4343 permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit

wlan access-rule %ssid_name%
 index 2
 rule any any match any any any permit

wlan ssid-profile %ssid_name%
 %if disable_ssid=true%
 disable-ssid
 %endif%
 %if ssid_security=wpa2%
 opmode wpa2-aes
 %else%
 opmode opensystem
 %endif%
 type employee
 essid %ssid_name%
 wpa-passphrase %pw%
 max-authentication-failures 0
 auth-server InternalServer
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 blacklist
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64
 okc

%if condition1=true%
routing-profile
 route 10.10.0.0 255.255.255.0 10.10.0.255
%if condition2=true%
routing-profile
 route 10.20.0.0 255.255.255.0 10.20.0.255
%else%
routing-profile
 route 10.30.0.0 255.255.255.0 10.30.0.255
%endif%
%else%
routing-profile
 route 10.40.0.0 255.255.255.0 10.40.0.255
%if condition3=true%
routing-profile
 route 10.50.0.0 255.255.255.0 10.50.0.255
%else%
routing-profile
 route 10.60.0.0 255.255.255.0 10.60.0.255
%endif%
%endif%

wired-port-profile wired-SetMeUp
 switchport-mode access
 allowed-vlan all
 native-vlan guest
 no shutdown
 access-rule-name wired-SetMeUp
 speed auto
 duplex auto
 no poe
 type guest
 captive-portal disable
 no dot1x

wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 captive-portal disable
 no dot1x

enet0-port-profile default_wired_port_profile
enet1-port-profile wired-SetMeUp

uplink
 preemption
 enforce none
 failover-internet-pkt-lost-cnt 10
 failover-internet-pkt-send-freq 30
 failover-vpn-timeout 180

cluster-security
 allow-low-assurance-devices

per-ap-settings %_sys_lan_mac%
 hostname %hostname%
 rf-zone %rfname%
 swarm-mode %mode%
 wifi0-mode %wifi0mode%
 wifi1-mode %wifi1mode%
 g-channel %gch% %gtx%
 a-channel %ach% %gtx%
Password Management in Configuration Templates for AP
In Aruba Central, the AP management user passwords are stored and displayed as hashes instead of plain text. The password for an AP can be set using the following commands:
mgmt-user <user-name> <password>
mgmt-user <user-name> <password> guest-mgmt
mgmt-user <user-name> <password> read-only
The mgmt-user commands are used for APs running firmware versions below Aruba Instant 4.3.
The hash-mgmt-user command is enabled by default on the APs provisioned in the template and UI groups. If a pre-configured AP joins Aruba Central and is moved to a new group, Aruba Central uses the hash-mgmt-user configuration settings and discards mgmt-user configuration settings, if any, on the AP. In other words, Aruba Central hashes management user passwords irrespective of the management user configuration settings running on an AP.
The mgmt-user commands can only be used for APs running firmware versions equal to or above Aruba Instant 4.3.
The password for an AP can be set using the following hash-mgmt-user commands:


hash-mgmt-user <user-name> password hash <hash-password>
hash-mgmt-user <user-name> password cleartext <cleartext-password>
hash-mgmt-user <user-name> password hash <hash-password> usertype read-only
hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype read-only
hash-mgmt-user <user-name> password hash <hash-password> usertype guest-mgmt
hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype guest-mgmt
hash-mgmt-user <user-name> password hash <hash-password> usertype local
hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype local
Aruba Central supports the use of hash commands with clear text; however, Aruba recommends that you use hash passwords instead of clear text passwords to avoid password disclosure. Aruba Central allows you to re-use the hash from one AP on another AP.
All AP templates must include a password command to set a password for the device. The template cannot be saved without adding a password command. If the configuration that is pushed from Aruba Central to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed will not contain the password command. For more information, see Managing Password in Configuration Templates.
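The password and missing-variable rules above can be checked before a template is uploaded. The following is an added example, not Aruba Central's own code: a small Python renderer for the template syntax this guide describes (%variable%, nested %if%/%else%/%endif%, # comments) that reports what would abort or weaken a push. It assumes each directive sits on its own line and that an undefined variable in an %if% test evaluates to false; render, audit and SAMPLE_TEMPLATE are names made up for the example.

```python
import re

# Assumption: every %if%/%else%/%endif% directive is alone on its line.
DIRECTIVE = re.compile(r"^%(if|else|endif)\b\s*([^%]*)%$")
VARIABLE = re.compile(r"%([A-Za-z_][\w-]*)%")
PASSWORD_CMD = re.compile(r"^\s*(?:hash-)?mgmt-user\s+(\S+)")

# Constructed sample, not a complete AP template.
SAMPLE_TEMPLATE = """\
# password command placed inside a condition block
name %VCname%
%if set_admin=true%
hash-mgmt-user admin password cleartext %admin_pw%
%endif%
wlan ssid-profile %ssid_name%
 %if ssid_security=wpa2%
 opmode wpa2-aes
 %else%
 opmode opensystem
 %endif%
 essid %ssid_name%
"""


def render(template, variables):
    """Expand a template; return (config_lines, missing_variable_names)."""
    out, missing = [], set()
    stack = []  # per open %if%: [parent_active, condition, branch_active]

    def substitute(match):
        name = match.group(1)
        if name not in variables:
            missing.add(name)
            return match.group(0)  # leave the placeholder visible
        return variables[name]

    for number, raw in enumerate(template.splitlines(), 1):
        text = raw.strip()
        if not text or text.startswith("#"):  # '#' comments out the line
            continue
        active = stack[-1][2] if stack else True
        directive = DIRECTIVE.match(text)
        if directive is None:
            if active:  # only lines in a taken branch reach the device
                out.append(VARIABLE.sub(substitute, raw.rstrip()))
            continue
        kind, expr = directive.group(1), directive.group(2).strip()
        if kind == "if":
            name, has_value, wanted = expr.partition("=")
            value = variables.get(name.strip(), "")
            # "%if var%" tests that var is set; "%if var=x%" tests equality.
            cond = (value == wanted.strip()) if has_value else bool(value)
            stack.append([active, cond, active and cond])
        elif not stack:
            raise ValueError(f"line {number}: %{kind}% without %if%")
        elif kind == "else":
            frame = stack[-1]
            frame[2] = frame[0] and not frame[1]
        else:  # endif
            stack.pop()
    if stack:
        raise ValueError("unterminated %if% block")
    return out, missing


def audit(template, variables):
    """Return findings that would block or weaken the pushed configuration."""
    config, missing = render(template, variables)
    findings = []
    if missing:
        findings.append("missing variables: " + ", ".join(sorted(missing)))
    users = [(m.group(1), line) for line in config
             if (m := PASSWORD_CMD.match(line))]
    if not users:
        findings.append("no password command in rendered config")
    for user, line in users:
        if " password cleartext " in line:
            # Report the user only; never echo the password itself.
            findings.append(f"cleartext password for user {user}")
    if any(line.split() == ["opmode", "opensystem"] for line in config):
        findings.append("SSID rendered with opmode opensystem")
    return findings


if __name__ == "__main__":
    device = {"VCname": "branch-vc", "ssid_name": "corp",
              "ssid_security": "wpa2", "set_admin": "false"}
    for finding in audit(SAMPLE_TEMPLATE, device):
        print(finding)
```

Run against every row of a variables file, this shows which devices would render without a password command or fall through to the %else% branch of the opmode test because a variable is unset or misspelled.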

Chapter 7 Aruba Switches
Aruba Switches
Aruba switches enable secure, role-based network access for wired users and devices, independent of their location or application. With Aruba switches, enterprises can deploy a consistent and secure access to network resources based on the type of users, client devices, and connection methods. Aruba Central offers a cloud-based management platform for managing Aruba switch infrastructure. It simplifies switch management with flexible configuration options, monitoring dashboards, and troubleshooting tools.
- Getting Started with Aruba Switch Deployments on page 437
- Getting Started with Aruba CX Deployments on page 453
- Provisioning Factory Default Switches on page 439
- Provisioning Pre-Configured Switches on page 443
- Using Configuration Templates for Aruba Switch Management on page 469
- Configuring or Viewing Switch Properties in UI Groups on page 480
- Aruba Switch Stack on page 519
- Monitoring Switches and Switch Stacks on page 560
Supported Aruba Switch Platforms
Aruba Central uses the SSL certificate by GeoTrust Certificate Authority for device termination and web services. As the SSL certificate is about to expire, Aruba is replacing it with a new certificate from another trusted Certificate Authority. During the certificate upgrade window, all devices managed by Aruba Central will be disconnected. After the upgrade, the devices reconnect to Aruba Central and resume their services with Aruba Central. However, for Aruba switches to reconnect to Aruba Central after the certificate upgrade, you must ensure that the switches are upgraded to the recommended software version listed in Table 128. Aruba Central does not support switch software versions below 16.08 release for firmware upgrade. In addition, only the latest three switch software versions of all major release versions will be available for firmware upgrade from Aruba Central. For example, if the latest switch software version released is 16.10.0009, the following versions will be available for firmware upgrade: 16.10.0007, 16.10.0008 and 16.10.0009.
The following tables list the switch platforms, corresponding software versions supported in Aruba Central, and switch stacking details.


Table 128: Supported Aruba Switch Series, Software Versions, and Switch Stacking

Switch Platform | Supported Software Versions | Recommended Software Versions | Switch Stacking Support | Supported Stack Type (Frontplane (VSF) / Backplane (BPS)) | Supported Configuration Group Type for Stacking (UI / Template)
Aruba 2530 Switch Series | YA/YB.16.05.0008 or later | YA/YB.16.10.0009 | N/A | N/A | N/A
Aruba 2540 Switch Series | YC.16.03.0004 or later | YC.16.10.0009 | N/A | N/A | N/A
Aruba 2920 Switch Series | WB.16.03.0004 or later | WB.16.10.0009 | Yes (Switch Software Dependency: WB.16.04.0008 or later) | BPS | UI and Template
Aruba 2930F Switch Series | WC.16.03.0004 or later | WC.16.10.0009 | Yes (Switch Software Dependency: WC.16.07.0002 or later) | VSF | UI and Template
Aruba 2930M Switch Series | WC.16.04.0008 or later | WC.16.10.0009 | Yes (Switch Software Dependency: WC.16.06.0006 or later) | BPS | UI and Template
Aruba 3810 Switch Series | KB.16.03.0004 or later | KB.16.10.0009 | Yes (Switch Software Dependency: KB.16.07.0002 or later) | BPS | UI and Template
Aruba 5400R Switch Series | KB.16.04.0008 or later | KB.16.10.0009 | Yes (Switch Software Dependency: KB.16.06.0008 or later) | VSF | Template only

Provisioning and configuring of Aruba 5400R switch series and switch stacks is supported only through configuration templates. Aruba Central does not support moving Aruba 5400R switches from the template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, then the device is moved to an unprovisioned group after it joins Aruba Central.


Table 129: Supported Aruba Mobility Access Switch Series and Software Versions

Mobility Access Switch Series | Supported Software Versions
S1500-12P, S1500-24P, S2500-24P, S3500-24T | ArubaOS 7.3.2.6, ArubaOS 7.4.0.3, ArubaOS 7.4.0.4, ArubaOS 7.4.0.5, ArubaOS 7.4.0.6

Data sheets and technical specifications for the supported switch platforms are available at: https://www.arubanetworks.com/products/networking/switches/

Supported Aruba CX Platforms
To manage your Aruba CX switches using Aruba Central, ensure that the switch software is upgraded to 10.05.0001 or a later version. Aruba CX switches with version 10.04.2000 or earlier might not connect to Aruba Central after ten days of operation. You must upgrade the Aruba CX switch to a recommended software version to connect to Aruba Central.

The following table lists the Aruba CX platforms, corresponding software versions supported in Aruba Central, and switch stacking details.

Table 130: Supported Aruba CX Switch Series, Software Versions, and Switch Stacking

Switch Platform | Supported Software Versions | Recommended Software Versions | Switch Stacking Support | Supported Stack Type | Maximum Number of Stack Members | Supported Configuration Group Type (UI / Template)
Aruba CX 6200 Switch Series | 10.04.1000 | 10.05.0010 | Yes (Switch Software Dependency: 10.04.1000) | VSF | 8 | Template only
Aruba CX 6300 Switch Series | 10.04.0020 | 10.05.0010 | Yes (Switch Software Dependency: 10.04.0020) | VSF | 10 | Template only
Aruba CX 6405 Switch Series | 10.04.1000 | 10.05.0010 | N/A | N/A | N/A | Template only
Aruba CX 6410 Switch Series | 10.05.0001 | 10.05.0010 | N/A | N/A | N/A | Template only
Aruba CX 8320 Switch Series | 10.05.0001 | 10.05.0010 | N/A | N/A | N/A | Template only
Aruba CX 8325 Switch Series | 10.05.0001 | 10.05.0010 | N/A | N/A | N/A | Template only

Provisioning and configuring of Aruba CX switch series and switch stacks is supported only through configuration templates.
Data sheets and technical specifications for the supported switch platforms are available at: https://www.arubanetworks.com/products/networking/switches/.
Getting Started with Aruba Switch Deployments
Before you get started with your onboarding and provisioning operations, browse through the list of Aruba switches supported in Aruba Central.
Provisioning Workflow
The following sections list the steps required for provisioning switches in Aruba Central.
Provisioning a Factory Default Switch
Like most Aruba devices, Aruba Switches support ZTP. Switches with factory default configuration have very basic configuration for all ports in VLAN-1. When a new switch (factory default) is powered on, it automatically obtains an IP address, connects to Aruba Activate, and downloads the provisioning parameters. When the switch identifies Aruba Central as its management entity, it connects to Aruba Central. To manage switches from Aruba Central, you must onboard the switches to the device inventory and assign a valid subscription. For step-by-step instructions, see Provisioning Factory Default Switches on page 439.
Provisioning a Pre-configured or Locally-Managed Switch
Pre-configured switches have customized configuration; for example, an additional VLAN or static IP address configured on the default. Unlike factory default switches, locally managed switches and the switches with custom configuration require one touch provisioning. These switches do not automatically identify Aruba Central as their management platform, therefore you must manually enable the Aruba Central management service on these switches to allow them to connect to Aruba Central. For step-by-step instructions, see Provisioning Pre-Configured Switches.


Group Assignment
Aruba Central supports provisioning switches in one of the following types of groups:
- UI group: Allows you to customize and manage device parameters using the UI workflows, that is, the menu options and tabs available under Network Operations.
- Template group: Allows you to configure devices using CLI-based configuration templates.
The following figure illustrates the group assignment workflow in Aruba Central:
Figure 56 Group Assignment-Switches

Configuration and Management
Aruba Central supports managing switch configuration using UI workflows or configuration templates. Based on your configuration requirements, ensure that you assign switches to either UI group or template group. For more information on managing switches in Aruba Central, see the following topics:


- Using Configuration Templates for Aruba Switch Management on page 469
- Configuring or Viewing Switch Properties in UI Groups on page 480
Switch Monitoring
To view the operation status of switches and health of wired access network:
- In the Network Operations app, use the filter to select a group that has switches.
- Under Manage, click Devices > Switches.
For more information, see Monitoring Your Network on page 536.
Troubleshooting and Diagnostics
The Configuration Audit page under Network Operations > Device(s) > Switches in the Aruba Central UI displays errors in configuration sync, templates, and a list of configuration overrides. For more information, see Viewing Configuration Status on page 144. To troubleshoot switches remotely, use the tools available under Network Operations > Analyze > Tools. For more information, see Using Troubleshooting Tools.
Provisioning Factory Default Switches
Switches that run the default configuration, either as shipped from the factory or after a factory reset, are referred to as factory default switches. This topic describes the steps for provisioning factory default switches in Aruba Central.
- Step 1: Onboard the Switch to Aruba Central
- Step 2: Assign the Switch to a Group
- Step 3: Connect the Switch to Aruba Central
- Step 4: Provision the Switch to a Group
- Step 5: Verify the Configuration Status
Step 1: Onboard the Switch to Aruba Central
To onboard switches to the device inventory in Aruba Central, complete the following steps:
- Log in to Aruba Central
- Add switches to Aruba Central
- Assign Subscriptions
Step 2: Assign the Switch to a Group
Before assigning a group, determine if the switch must be provisioned in a UI or template group. By default, Aruba Central assigns the factory default switches to default group. You can create a new group and assign switch to the new group. For more information on creating a group, see Creating a Group on page 120. To assign a device to a group from the Account Home page:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Select the device that you want to assign to a group.
3. Click Assign Group. The Assign a Group to the Selected Devices window is displayed.
4. Select the group to which you want to assign.
5. Click Assign Device(s).
To assign a device to a group from the Network Operations app:
6. In the Network Operations app, set the filter to Global. The dashboard context for the group is displayed.
7. Under Maintain, click Organization > Groups. The Groups page is displayed.
8. From the devices table on the right, select the device that you want to assign to a new group.
9. Drag and drop the device to the group to which you want to assign the device.
Step 3: Connect the Switch to Aruba Central
Switches with factory default configuration have very basic configuration for all ports in VLAN-1 that is required for obtaining an IP address and automatic provisioning (ZTP). For ZTP, switches must have a valid IP address, DNS, and NTP configuration. When a factory default switch is powered on and connected to the Internet, it establishes connection with Aruba Activate and downloads the provisioning parameters. If the switch is already added and assigned a subscription, it connects to Aruba Central.
Step 4: Provision the Switch to a Group
When the switch connects to Central, if it is already added to the device inventory and is assigned a subscription in Aruba Central, Aruba Central assigns it to a pre-assigned group. If there is no pre-assigned group, Aruba Central moves the device to the default group. Based on your configuration requirements, you create a UI group or template group and assign the switch. The following figure illustrates the provisioning step required for each group type.


Figure 57 Switch Provisioning Steps Per Group Type
If the switch is assigned to a new UI group, Aruba Central uses the current configuration of switch as base configuration and applies it to the other switches that join this group later. You can also modify the configuration of switches in a group using the UI menu options under the Network Operations app > Manage > Devices > Switches. For more information, see Configuring or Viewing Switch Properties in UI Groups on page 480.
Provisioning Switches in Template Groups
If you have assigned the switch to a template group, create a new configuration template. To create a configuration template:
1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
4. Click the Templates tab. The Templates page is displayed.
5. Click + to add a new template. The Add Template window is displayed.
6. In the Basic Info tab, enter a name for the template in the Template Name field.
7. In the Device Type drop-down, select Aruba Switch.
8. Select the switch model and software version. You can specify any of the following combinations:
 - ALL for both Model and Version: To apply the template to all switch models and all supported switch software versions.
 - ALL for Model and a software version for Version: To apply the template to all switch models running the selected software version.
 - ALL for Version and a switch model for Model: To apply the template to a switch model and all software versions supported by the selected switch model.
 - A switch model and a software version: To apply the template to a specific switch model and the software version. The template created for a switch model and a software version takes precedence over the template that is created for all platforms and versions.
9. Select the manufacturing part number of the switch in the Part Number drop-down.
The Part Number drop-down is displayed only if you select a switch model in the Model drop-down. If you select a specific switch model and part number, you can apply the template to a standalone switch and not to a stack. If you select All in the Model drop-down, or if you select a switch model and All in the Part Number drop-down, you can apply a template to both a standalone switch and stack.
10. Click Next. The Template tab is displayed.
11. Build a new template or import configuration information from a switch that is already provisioned in the template group.
 - To build a new template, add the switch command information in the Template text box. Ensure that the template text adheres to the guidelines listed in Using Configuration Templates for Aruba Switch Management on page 469.
 - To import configuration text from a switch that is already provisioned in the template group:
  a. Click Import Configuration As Template.
  b. From the search box, select the switch from which you want to import the configuration. The imported configuration is displayed in the Template text box.
Importing configuration from an existing device in the template group allows you to quickly create a basic template. However, before applying the template to other switches in the group, ensure that the template text is variabilized as per your deployment requirements. For more information, see Managing Variable Files on page 1.
All switch templates must include a password command to set a password for the device. The switch template cannot be saved without adding a password command. If the configuration that is pushed from Aruba Central to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed will not contain the password command. For more information, see Managing Password in Configuration Templates on page 451. For more information about using password commands, see the Configuring Username and Password Security chapter in the HPE ArubaOS-Switch Access Security Guide.
  c. To view the variables present in the imported configuration template, click Show Variables List. The Variables in Template column is displayed. For more information on variables, see Managing Variable Files on page 130.
  d. To download the variables as a CSV or plain text file, click the download icon and select one of the following options:
   - Download .CSV
   - Download plain text (.txt)


12. Click Save. After you apply the configuration template, switches reboot and reconnect to Aruba Central with the new configuration.
Step 5: Verify the Configuration Status
To verify the configuration status:
1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Click the Config icon. The tabs to configure switches using templates are displayed.
 - To verify the configuration status for the template group, click Configuration Audit. The Configuration Audit dashboard displays the number of devices with template and configuration synchronization errors.
 - To view configuration errors for a specific device, select a switch from the filter bar. The Configuration Audit dashboard displays the number of template and configuration synchronization errors for the device.
3. To view template errors, click View Template Errors.
4. To view configuration synchronization errors, click Failed / Pending config changes.
5. To compare running configuration and pending changes, click View under Config Comparison Tool.
Provisioning Pre-Configured Switches
Unlike factory default switches, locally managed switches and the switches with custom configuration require one touch provisioning. These switches do not automatically identify Aruba Central as their management platform, therefore you must manually enable the Aruba Central management service on these switches to allow them to connect to Aruba Central. To onboard a locally-managed or a pre-configured switch to Aruba Central, follow one of the following options:
- Manually enable Aruba Central management service on the switch and connect it to Aruba Central. Aruba recommends that you use this option if you want to preserve the current configuration running on the switch. For more information on this procedure, see the workflows described in this topic.
- Reset the switch configuration to factory default and use ZTP to provision the switch. For information on provisioning factory default switches, see Provisioning Factory Default Switches on page 439.
Aruba Central supports provisioning switches using one of the following methods:
- Pre-provisioning: In this workflow, a switch is added to the device inventory and assigned a group in Aruba Central before it connects to Aruba Central. See Workflow 1--Pre-Provisioning a Switch on page 444.
- Onboarding connected switches: In this workflow, Aruba Central onboards the switch that attempts to connect and then assigns a group. See Workflow 2--Provisioning a Switch On-Demand on page 448.
The following figure illustrates provisioning procedure for a pre-configured switch.

Figure 58 Provisioning Workflow for Pre-Configured Switches

Workflow 1--Pre-Provisioning a Switch
The pre-provisioning workflow includes the following steps:
- Step 1: Onboard the Switch to Aruba Central
- Step 2: Assign the Switch to a Group
- Step 3: Enable Aruba Central Management Service on the Switch
- Step 4: Provision the Switch to a Group
- Step 5: Verify the configuration Status
Step 1: Onboard the Switch to Aruba Central
To onboard switches to the device inventory in Aruba Central, complete the following steps:
- Log in to Aruba Central
- Add switches to Aruba Central
- Assign Subscriptions


Step 2: Assign the Switch to a Group
Before assigning a group, determine if the switch must be provisioned in a UI or template group. If you want to preserve the existing configuration on the switch, Aruba recommends that you create a new group for the switch. For more information on creating a group, see Creating a Group on page 120. To assign a device to a group from the Account Home page:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Assign Group. The Assign a Group to the Selected Devices window is displayed.
3. Select the group to which you want to assign.
4. Click Assign Device(s).
To assign a device to a group from the Network Operations app:
5. In the Network Operations app, set the filter to Global. The dashboard context for the group is displayed.
6. Under Maintain, click Organization > Groups. The Groups page is displayed.
7. From the devices table on the right, select the device that you want to assign to a new group.
8. Drag and drop the device to the group to which you want to assign the device.
Step 3: Enable Aruba Central Management Service on the Switch
A locally-managed or pre-configured switch cannot connect to Aruba Central, unless it is configured to identify Aruba Central as its management entity. To manage such a device from Aruba Central, you must manually enable the provisioning and management service on the switch.
1. Verify if the Activate provisioning service is enabled by executing the following command at the switch CLI:
(switch)# show activate provision

 configuration and Status - Activate Provision Service

 Activate Provision Service : Enabled
 Activate Server Address    : device.arubanetworks.com

If the Activate provision service is not enabled, execute the following command at the switch CLI:

(switch)# activate provision enable

To enable switches to automatically connect to Aruba Central, enforce ZTP on the switch:

(switch)# activate provision force
The switch establishes connection with Activate and is directed to Aruba Central. If the switch is already added to the device inventory and is assigned a subscription, Aruba Central assigns it to a pre-assigned group.
Step 4: Provision the Switch to a Group
When the switch connects to Aruba Central, Aruba Central automatically assigns it to the pre-assigned group. The following figure illustrates the provisioning steps for each group type. Figure 59 Switch Provisioning Steps Per Group Type

If the switch is assigned to a new UI group, you can modify the configuration of switches in a group using the UI menu options under the Network Operations app > Manage > Devices > Switches. For more information, see Configuring or Viewing Switch Properties in UI Groups on page 480.
If you have assigned the switch to a template group, you can import the existing configuration to a new configuration template and apply this template to other devices in the group. To create a configuration template using the existing configuration on the switch:


1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches. 3. Click the Config icon.
The tabs to configure switches using templates is displayed. 4. Click the Templates tab. The Templates page is displayed. 5. Click + to add a new template. The Add Template window is displayed. 6. In the Basic Info tab, enter a name for the template in the Template Name field. 7. In the Device Type drop-down, select Aruba Switch. 8. Select the switch model and software version. You can specify any of the following combinations:
n ALL for both Model and Version--To apply the template to all switch models and all supported switch software versions.
n ALL for Model and a software version for Version--To apply the template to all switch models running the selected software version.
n ALL for Version and a switch model for Model--To apply the template to a switch model and all software versions supported by the selected switch model.
n A switch model and a software version--To apply the template to a specific switch model and the software version. The template created for a switch model and a software version takes precedence over the template that is created for all platforms and versions.
9. Select the manufacturing part number of the switch in the Part Number drop-down.
The Part Number drop-down is displayed only if you select a switch model in the Model drop-down. If you select a specific switch model and part number, you can apply the template to a standalone switch and not to a stack. If you select All in the Model drop-down, or if you select a switch model and All in the Part Number drop-down, you can apply a template to both a standalone switch and stack
10. Click Next. The Template tab is displayed.
11. Build a new template or import configuration information from a switch that is already provisioned in the template group.
   - To build a new template, add the switch command information in the Template text box. Ensure that the template text adheres to the guidelines listed in Using Configuration Templates for Aruba Switch Management on page 469.
   - To import configuration text from a switch that is already provisioned in the template group:
a. Click Import Configuration As Template.
b. From the search box, select the switch from which you want to import the configuration. The imported configuration is displayed in the Template text box.
c. If required, modify the configuration parameters. Ensure that the template text adheres to the guidelines listed in Using Configuration Templates for Aruba Switch Management on page 469.
Importing configuration from the switch allows you to quickly create a basic configuration template that you can apply for all devices in a template group. Before applying the template to other switches in the group, ensure that the template text is variabilized based on the deployment requirements. For more information on configuration templates and variable definitions, see Using Configuration Templates for Switch Management on page 1 and Managing Variable Files on page 1. All switch templates must include a password command to set a password for the device. The template cannot be saved without adding a password command. If the configuration that is pushed from Aruba Central to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed will not contain the password command. For more information, see Managing Password in Configuration Templates on page 451. For more information about using password commands, see the Configuring Username and Password Security chapter in the HPE ArubaOS-Switch Access Security Guide.
d. To view the variables present in the imported configuration template, click Show Variables List. The Variables in Template column is displayed. For more information on variables, see Managing Variable Files on page 130.
e. To download the variables as a CSV or plain text file, click the download icon and select one of the following options:
   - Download .CSV
   - Download plain text (.txt)
12. Click Save. After you apply the configuration template, switches reboot and reconnect to Aruba Central with the new configuration.
Step 5: Verify the Configuration Status
To verify the configuration status:
1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
   - To verify the configuration status for the template group, click Configuration Audit. The Configuration Audit dashboard displays the number of devices with template and configuration synchronization errors.
   - To view configuration errors for a specific device, select a switch from the filter bar. The Configuration Audit dashboard displays the number of template and configuration synchronization errors for the device.
4. To view template errors, click View Template Errors.
5. To view configuration synchronization errors, click Failed / Pending config changes.
6. To compare running configuration and pending changes, click View under Config Comparison Tool.
Workflow 2--Provisioning a Switch On-Demand

To dynamically provision switches on-demand, complete the following steps:
- Step 1: Enable Aruba Central Management Service on the Switch
- Step 2: Add the Switch to Aruba Central
- Step 3: Assign a Subscription
- Step 4: Provision the Switch to a Group
- Step 5: Verify the Configuration Status
Step 1: Enable Aruba Central Management Service on the Switch
A locally-managed or pre-configured switch cannot connect to Aruba Central, unless it is configured to identify Aruba Central as its management entity. To manage such a device from Aruba Central, you must manually enable the provisioning and management service on the switch.
1. Verify if the Activate provisioning service is enabled by executing the following command at the switch CLI:
(switch)# show activate provision

configuration and Status - Activate Provision Service

Activate Provision Service : Enabled
Activate Server Address    : device.arubanetworks.com

2. If the Activate provision service is not enabled, execute the following command at the switch CLI:
(switch)# activate provision enable

3. To enable switches to automatically connect to Aruba Central, enforce ZTP on the switch:
(switch)# activate provision force

The switch establishes connection with Activate. Activate directs the switch to Aruba Central.
Step 2: Add the Switch to Aruba Central
Add the switch to the Aruba Central device inventory. For more information, see Onboarding Devices on page 91.
Step 3: Assign a Subscription
To allow Aruba Central to manage the switch, ensure that a valid subscription is assigned to the switch. For more information, see Managing Subscriptions on page 98.
Step 4: Provision the Switch to a Group

If the switch has a valid subscription assigned, Aruba Central marks the switch as unprovisioned. To preserve the switch configuration, move it to a new group.
To move the device to a template group:
1. Create a template group.
2. On the Groups page, select the switch.
3. Drag and drop the switch to the new template group that you just created. Aruba Central adds the switch to the new template group.
4. To import switch configuration to a new configuration template:
a. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
b. Under Manage, click Devices > Switches.
c. Click the Config icon. The tabs to configure switches using templates are displayed.
d. Click the Templates tab. The Templates page is displayed.
e. Click + to add a new template. The Add Template window is displayed.
f. In the Basic Info tab, enter a name for the template in the Template Name field.
g. In the Device Type drop-down, select Aruba Switch.
h. Select the switch model and the software version to which you want to apply the new template. You can specify any of the following combinations:
   - ALL for both Model and Version--To apply the template to all switch models and all supported switch software versions.
   - ALL for Model and a software version for Version--To apply the template to all switch models running the selected software version.
   - ALL for Version and a switch model for Model--To apply the template to a switch model and all software versions supported by the selected switch model.
   - A switch model and a software version--To apply the template to a specific switch model and the software version. The template created for a switch model and a software version takes precedence over the template that is created for all platforms and versions.
i. Select the manufacturing part number of the switch in the Part Number drop-down.
The Part Number drop-down is displayed only if you select a switch model in the Model drop-down. If you select a specific switch model and part number, you can apply the template to a standalone switch and not to a stack. If you select All in the Model drop-down, or if you select a switch model and All in the Part Number drop-down, you can apply a template to both a standalone switch and stack.
j. Click Next. The Template tab is displayed.
k. Build a new template or import configuration information from a switch that is already provisioned in the template group. See step 11.

Importing configuration from the switch allows you to quickly create a basic configuration template that you can apply for all devices in a template group. Before applying the template to other switches in the group, ensure that the template text is variabilized based on the deployment requirements. For more information on configuration templates and variable definitions, see Using Configuration Templates for Switch Management on page 1 and Managing Variable Files on page 1. All switch templates must include a password command to set a password for the device. The template cannot be saved without adding a password command. If the configuration that is pushed from Aruba Central to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed will not contain the password command. For more information, see Managing Password in Configuration Templates on page 451. For more information about using password commands, see the Configuring Username and Password Security chapter in the HPE ArubaOS-Switch Access Security Guide.
l. To view the variables present in the imported configuration template, click Show Variables List. The Variables in Template column is displayed. For more information on variables, see Managing Variable Files on page 130.
m. To download the variables as a CSV or plain text file, click the download icon and select one of the following options:
   - Download .CSV
   - Download plain text (.txt)
n. Click Save. After you apply the configuration template, switches reboot and reconnect to Aruba Central with the new configuration.
Step 5: Verify the Configuration Status
To verify the configuration status:
1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
   - To verify the configuration status for the template group, click Configuration Audit. The Configuration Audit dashboard displays the number of devices with template and configuration synchronization errors.
   - To view configuration errors for a specific device, select a switch from the filter bar. The Configuration Audit dashboard displays the number of template and configuration synchronization errors for the device.
4. To view template errors, click View Template Errors.
5. To view configuration synchronization errors, click Failed / Pending config changes.
6. To compare running configuration and pending changes, click View under Config Comparison Tool.
Managing Password in Configuration Templates
All IAP and switch templates must include a password command to set a password for the device. The template cannot be saved without adding a password command. If the configuration that is pushed from Aruba Central to the switch does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed will not contain the password command. When configuring a password, you must add the include-credentials command in the template. This command stores the password in the running-config file associated with the switch. Aruba Central automatically executes this command while reading the switch configuration. For Aruba CX switches, you must configure the password only in plaintext.
Password for Switches
The following password formats can be set on Aruba Switch series:
password manager plaintext <string>
password manager sha1 <string>
password manager sha256 <string>
password manager user-name <string> plaintext <string>
password manager user-name <string> sha1 <string>
password manager user-name <string> sha256 <string>
The following password format can be set on Aruba CX switches:
user admin group administrators password plaintext <string>
Password for APs
The following password formats can be set on the APs:
mgmt-user <STRING:username:User_name> { <STRING:password:Password> }
hash-mgmt-user <STRING:username:User_name> password cleartext <STRING:cleartext_password:Password>

hash-mgmt-user <STRING:username:User_name> password hash <STRING:hash_password:Password>
Setting Password using Variables
You cannot enter the entire password line in a variable. The following examples show the valid and invalid formats for entering a password using a variable.
Valid format, where the variable contains only the password (for example, %pass_var% = Aruba@123) for the device:
hostname "Aruba-2930M-24G"
password manager plaintext "%pass_var%"
include-credentials
no cwmp enable
Invalid format, where the variable contains the password command (for example, %pass_var% = password manager plaintext Aruba@123) for the device:
hostname "Aruba-2930M-24G"
%pass_var%
include-credentials
no cwmp enable
Getting Started with Aruba CX Deployments
Before you get started with your onboarding and provisioning operations, browse through the list of Supported Aruba CX Platforms on page 436 in Aruba Central.
Provisioning Workflow
The following sections list the steps required for provisioning Aruba CX switches in Aruba Central.
Provisioning a Factory Default Switch
Like most Aruba devices, Aruba CX switches support ZTP. Switches with factory default configuration have very basic configuration for all ports in VLAN-1. When a new Aruba CX switch (factory default) is powered on, it automatically obtains an IP address, connects to Aruba Activate, and downloads the provisioning parameters. When the switch identifies Aruba Central as its management entity, it connects to Aruba Central. To manage Aruba CX switches from Aruba Central, you must onboard the switches to the device inventory and assign a valid subscription. For step-by-step instructions, see Provisioning Factory Default Aruba CX Switches on page 459.
Provisioning a Pre-configured or Locally-Managed Switch
Pre-configured switches have customized configuration; for example, an additional VLAN or static IP address configured on the default. Aruba Central management service is enabled by default on Aruba CX switches. When the switch is powered on, it identifies Aruba Central as its management entity and connects to Aruba Central. To manage Aruba CX switches from Aruba Central, you must onboard the switches to the device inventory and assign a valid subscription. For step-by-step instructions, see Provisioning Pre-Configured Aruba CX Switches on page 462.
Group Assignment
Aruba Central supports provisioning Aruba CX switches in template groups. Template groups allow you to configure devices using CLI-based configuration templates. The following figure illustrates the group assignment workflow in Aruba Central:

Figure 60 Group Assignment-Switches
Configuration and Management
Aruba Central supports managing Aruba CX switch configuration using configuration templates only. Ensure that you assign the Aruba CX switches to a template group. When initially onboarding an Aruba CX switch to Aruba Central, you must manually create the template for the switch in a group, along with the password in plaintext format. You can use the output of the show running-config command to create the template. You can also add variables to use the same template for onboarding multiple Aruba CX switches. For more information on managing Aruba CX switches in Aruba Central, see Using Configuration Templates for Aruba CX Switch Management on page 475.
Switch Monitoring
To view the operation status of switches and health of wired access network:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active switch.
The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Switches. A list of switches is displayed in the List view. For more information, see Monitoring Your Network on page 536.
To view Aruba CX switches in the monitoring pages, you must create a template configuration for the switch with the password in plaintext. See Using Configuration Templates for Aruba CX Switch Management on page 475.
Viewing VSX Details
Aruba Central displays information about VSX configuration of Aruba CX switches. For more information, see Switch > VSX on page 587.
Last synced data is displayed in the Switch > VSX page only when VSX synchronization is enabled for the Aruba CX switch. However, enabling VSX synchronization using template configuration in Aruba Central is not recommended. By enabling VSX synchronization, the peer switch may get into an unknown configuration state.
Viewing Topology Map
In Aruba Central, the Topology tab in the site dashboard provides a graphical representation of the site including the network layout, details of the devices deployed and health of the WAN uplinks and tunnels. Aruba Central supports Aruba CX switches to be displayed in the Topology tab. For more information, see Monitoring Sites in the Topology Tab on page 711.
To view Aruba CX switches in the topology map, you must create a template configuration for the switch with the password in plaintext. See Using Configuration Templates for Aruba Switch Management on page 469.
Troubleshooting and Diagnostics
If you are unable to view all details of the Aruba CX switch, the template configuration may not have been applied correctly, the password may be missing from the template configuration, or the password may not be in plaintext. See the audit trail to check the status of the switch. The audit trail should show the device onboarded message for the switch serial number followed by the configuration push and login successful messages. For more information on troubleshooting Aruba CX switch onboarding issues, see Troubleshooting Aruba CX Switch Onboarding Issues on page 592.
Configuration Audit
The Configuration Audit page under Network Operations > Device(s) > Switches in the Aruba Central UI displays errors in configuration sync, templates, and a list of configuration overrides. For more information, see Viewing Configuration Status on page 144.
Troubleshooting Tools
To troubleshoot Aruba CX switches remotely, use the tools available under Network Operations > Analyze > Tools. For more information, see Using Troubleshooting Tools on page 169.
Actions Drop-down

You can also reboot, connect to the remote console of the switch, or generate a tech support dump for troubleshooting the device, by using the tools available under the Actions drop-down. The Actions drop-down is available in the switch monitoring pages. The Actions drop-down lists the following options available for remote administration of the switch:
- Reboot--Reboots the switch. See Rebooting Switches.
- Tech Support--Allows the administrators to generate a tech support dump for troubleshooting the device. See Troubleshooting Aruba Switches.
- Console--Opens the remote console for a CLI session through SSH. Ensure that you allow SSH over port 443. The default user ID is admin, but you can edit and customize the user ID. This custom user ID must be mapped to the device. See Opening Remote Console for Switch.
If the Copy and Paste functions from the keyboard shortcut keys (CTRL+C and CTRL+V) do not work in your web browser, use the Copy and Paste functions available under the menu options in the web browser.
You can only troubleshoot Aruba switches using the Console option in Aruba Central. You cannot configure the switches.
Limitations of Aruba CX Switch in Aruba Central
There are a few limitations while managing and monitoring Aruba CX switches using Aruba Central. The following sections provide details on the limitations while onboarding, configuring, monitoring, and troubleshooting Aruba CX switches using Aruba Central.
Onboarding
The following limitations should be taken into consideration when onboarding Aruba CX switches in Aruba Central:
- ZTP does not work on inline data ports for Aruba CX 8320 and 8325 switch series. The following is an example configuration for onboarding Aruba CX 8320 and 8325 switch series to Aruba Central:
interface 1/1/1
    no shutdown
    no routing
interface vlan 1
    ip address <IP-ADDRESS/MASK>
ip route 0.0.0.0/0 <IP-GATEWAY>
ip dns server-address <DNS-SERVER>
https-server vrf default
ztp force-provision
- After the erase startup-config command is executed on the Aruba CX switches, the switches do not onboard to Aruba Central. It is recommended to execute the erase all zeroize command, instead of the erase startup-config command.
- When an Aruba CX switch is first onboarded to Aruba Central, Aruba Central must perform the following actions, before it can perform events such as rebooting the switch and upgrading the firmware:
   - Log in to the switch using the password provided in the template configuration
   - Apply the template to the switch
Applying Template
The following limitations should be taken into consideration when applying the template to Aruba CX switches in Aruba Central:
- You must configure the admin password in the template configuration only in plaintext. The format of the password configuration command must be user admin group administrators password plaintext <string>.
- If the template for Aruba CX switches contains % in the configuration, Aruba Central will not save the configuration. Although the % character is allowed in Aruba CX switches, for example in banners, the same is not allowed in Aruba Central. In Aruba Central, the % character is reserved for variables.
- The maximum number of lines supported in the configuration template is 84000. Beyond this limit, Aruba Central will not apply the template to the Aruba CX switch.
- The Import Configuration as Template option is not displayed for Aruba CX switches on the Add Template window. When initially onboarding an Aruba CX switch to Aruba Central, you must manually create the template for the switch by using the output of the show running-config command.
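The password rules in Managing Password in Configuration Templates and the Aruba CX template limits listed above can be checked offline before a template is saved. The following Python linter is an added example, not Aruba's code; the device-type labels, finding codes, sample templates, and the %if ...% / %else% / %endif% condition-block syntax are assumptions of this example.

```python
import re

MAX_CX_LINES = 84000  # template line limit this guide states for Aruba CX

# Password command shapes listed in this guide.
AOS_PASSWORD = re.compile(
    r"^password\s+manager\s+(?:user-name\s+\S+\s+)?(plaintext|sha1|sha256)\s+(.+)$")
CX_PASSWORD = re.compile(
    r"^user\s+admin\s+group\s+administrators\s+password\s+(\S+)\s+(.+)$")
# Assumptions: variables look like %name%, and condition blocks are delimited
# by %if ...% / %else% / %endif% lines (the directive syntax is not shown here).
VARIABLE = re.compile(r"%(\w+)%")
DIRECTIVE = re.compile(r"^%(if\b[^%]*|else|endif)%$")

# Constructed sample templates (not taken from a real device).
AOS_VALID = '''hostname "Aruba-2930M-24G"
password manager plaintext "%pass_var%"
include-credentials
no cwmp enable'''
AOS_INVALID = '''hostname "Aruba-2930M-24G"
%pass_var%
include-credentials
no cwmp enable'''
AOS_CONDITIONAL = '''hostname "Aruba-2930M-24G"
%if site=branch%
password manager plaintext "%pass_var%"
%endif%
include-credentials'''
CX_PASTED = '''hostname cx-8325-01
banner motd ^
Uplink alarms fire above 90% utilisation
^
user admin group administrators password ciphertext AQBapEXAMPLEONLY
ssh server vrf mgmt'''


def lint_template(text, variables, device_type):
    """Return sorted (line_number, code) findings; line 0 means whole template.

    device_type is "aos-s" (Aruba Switch) or "cx" (Aruba CX); these labels and
    the finding codes are names made up for this example.
    """
    pattern = CX_PASSWORD if device_type == "cx" else AOS_PASSWORD
    findings = []
    depth = 0                 # nesting level of condition blocks
    unconditional_pw = False  # password command that is always pushed
    conditional_pw = False    # password command a false condition would drop
    has_include_credentials = False
    lines = text.splitlines()

    for number, raw in enumerate(lines, start=1):
        line = raw.strip()
        directive = DIRECTIVE.match(line)
        if directive:
            word = directive.group(1)
            if word.startswith("if"):
                depth += 1
            elif word == "endif":
                depth = max(depth - 1, 0)
            continue

        # A variable that expands to a whole password command is the invalid form.
        whole = VARIABLE.fullmatch(line)
        if whole:
            value = variables.get(whole.group(1), "").strip()
            if AOS_PASSWORD.match(value) or CX_PASSWORD.match(value):
                findings.append((number, "VARIABLE_HOLDS_PASSWORD_COMMAND"))
            continue

        if line == "include-credentials":
            has_include_credentials = True

        # On CX, % is reserved for variables, so a stray % blocks the save.
        if device_type == "cx" and "%" in VARIABLE.sub("", line):
            findings.append((number, "LITERAL_PERCENT"))

        match = pattern.match(line)
        if match:
            if depth:
                conditional_pw = True
            else:
                unconditional_pw = True
            if device_type == "cx" and match.group(1) != "plaintext":
                findings.append((number, "CX_PASSWORD_NOT_PLAINTEXT"))
            # Added hygiene check, not an Aruba Central rule: keep the secret
            # in the variables file rather than in the shared template text.
            secret = match.group(2).strip('"')
            if match.group(1) == "plaintext" and not VARIABLE.fullmatch(secret):
                findings.append((number, "LITERAL_PLAINTEXT_PASSWORD"))

    if not unconditional_pw:
        code = ("PASSWORD_ONLY_IN_CONDITION_BLOCK" if conditional_pw
                else "NO_PASSWORD_COMMAND")
        findings.append((0, code))
    if (device_type == "aos-s" and (unconditional_pw or conditional_pw)
            and not has_include_credentials):
        findings.append((0, "MISSING_INCLUDE_CREDENTIALS"))
    if device_type == "cx" and len(lines) > MAX_CX_LINES:
        findings.append((0, "TOO_MANY_LINES"))
    return sorted(findings)
```

PASSWORD_ONLY_IN_CONDITION_BLOCK is conservative: it is reported even when every branch of the block sets a password, because the linter does not evaluate conditions.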
Configuring Aruba CX VSF Stack
The following are the VSF stacking limitations of Aruba CX switches in Aruba Central: Aruba Central supports only a few functions related to Aruba CX switch stack, such as onboarding a stack to Aruba Central and replacing member switches having the same model and part number, through template configuration. All other stacking related functions, such as creating a stack, deleting, or adding a new member to the stack, must be performed offline, that is, outside Aruba Central. These stacking related functions must be performed before or after onboarding the stack to Aruba Central depending on the function. For example, you must create a stack offline before onboarding the stack to Aruba Central. For more information, see Aruba CX VSF Stack on page 527.
Aruba CX VSF Stack Related Functions Not Supported on Aruba Central
The following stack related functions are not supported on Aruba Central:
- Creating a new stack
- Adding a new member to an existing stack
- Deleting a member from the stack
- Replacing a member with different part number
- Modifying standby member ID
- Adding, deleting, and modifying VSF links
Using Aruba CX VSX
The following limitations apply when configuring VSX or viewing VSX data for Aruba CX switches in Aruba Central:
- Enabling VSX synchronization using template configuration in Aruba Central is not recommended. By enabling VSX synchronization, the peer switch might get into an unknown configuration state.
- Last synced data is not displayed on the VSX page, in Aruba Central, if VSX synchronization is not enabled.

Managing Firmware Upgrade
To upgrade an Aruba CX switch in Aruba Central, a WAN connection with a minimum speed of 2 Mbps is required. The upgrade activity will time out after a period of 60 minutes.
Troubleshooting
The following are the limitations while troubleshooting Aruba CX switches in Aruba Central:
- For Aruba CX 8320 and 8325 switch series, to use the remote console feature, you must enable SSH server on the VRF that the switch uses to connect to Aruba Central. You must add one of the following commands in the template:
   - If the switch is connecting to Aruba Central using the inline default VRF, add ssh server vrf default to the template.
   - If the switch is connecting to Aruba Central using the OOBM management VRF, add ssh server vrf mgmt to the template.
- The Chassis Locate option, in the Analyze > Tools > Device Check tab, is not displayed for Aruba CX 8320 and 8325 switch series.
Monitoring
In the monitoring pages in Aruba Central, the IP address for the connected wired clients on Aruba CX switches might not be displayed. For more information, see Switch > Clients > Clients on page 574.
Provisioning Factory Default Aruba CX Switches
Switches that run the default configuration, either as shipped from the factory or after a factory reset, are referred to as factory default switches. This topic describes the steps for provisioning factory default switches in Aruba Central.
- Step 1: Onboard the Aruba CX Switch to Aruba Central
- Step 2: Assign the Aruba CX Switch to a Group
- Step 3: Connect the Aruba CX Switch to Aruba Central
- Step 4: Provision the Aruba CX Switch to a Group
- Step 5: Verify the Configuration Status
Step 1: Onboard the Aruba CX Switch to Aruba Central
To onboard switches to the device inventory in Aruba Central, complete the following steps:
- Log in to Aruba Central
- Add switches to Aruba Central
- Assign Subscriptions
Step 2: Assign the Aruba CX Switch to a Group
Before assigning a group, determine if the switch must be provisioned in a UI or template group. By default, Aruba Central assigns the factory default switches to the default group. You can create a new group and assign the switch to the new group. For more information on creating a group, see Creating a Group on page 120.
To assign a device to a group from the Account Home page:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Select the device that you want to assign to a group.
3. Click Assign Group. The Assign a Group to the Selected Devices window is displayed.
4. Select the group to which you want to assign.
5. Click Assign Device(s).
To assign a device to a group from the Network Operations app:
1. In the Network Operations app, set the filter to Global. The dashboard context for the group is displayed.
2. Under Maintain, click Organization > Groups. The Groups page is displayed.
3. From the devices table on the right, select the device that you want to assign to a new group.
4. Drag and drop the device to the group to which you want to assign the device.
Step 3: Connect the Aruba CX Switch to Aruba Central
Switches with factory default configuration have very basic configuration for all ports in VLAN-1 that is required for obtaining an IP address and automatic provisioning (ZTP). For ZTP, switches must have a valid IP address, DNS, and NTP configuration. When a factory default switch is powered on and connected to the Internet, it establishes connection with Aruba Activate and downloads the provisioning parameters. If the switch is already added and assigned a subscription, it connects to Aruba Central.
Step 4: Provision the Aruba CX Switch to a Group
When the switch connects to Central, if it is already added to the device inventory and is assigned a subscription in Aruba Central, Aruba Central assigns it to a pre-assigned group. If there is no pre-assigned group, Aruba Central moves the device to the default group. Based on your configuration requirements, you create a template group and assign the switch.
Provisioning Switches in Template Groups
After assigning the switch to a template group, create a new configuration template. To create a configuration template:
1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
1. Click the Templates tab. The Templates page is displayed.
2. Click + to add a new template. The Add Template window is displayed.
3. In the Basic Info tab, enter a name for the template in the Template Name field.
4. In the Device Type drop-down, select Aruba CX.
5. Select the switch model and software version. You can specify any of the following combinations:
   - ALL for both Model and Version--To apply the template to all switch models and all supported switch software versions.

   - ALL for Model and a software version for Version--To apply the template to all switch models running the selected software version.
   - ALL for Version and a switch model for Model--To apply the template to a switch model and all software versions supported by the selected switch model.
   - A switch model and a software version--To apply the template to a specific switch model and the software version. The template created for a switch model and a software version takes precedence over the template that is created for all platforms and versions.
6. Select the manufacturing part number of the switch in the Part Number drop-down.
The Part Number drop-down is displayed only if you select a switch model in the Model drop-down. If you select a specific switch model and part number, you can apply the template to a standalone switch and not to a stack. If you select All in the Model drop-down, or if you select a switch model and All in the Part Number drop-down, you can apply a template to both a standalone switch and stack.
7. Click Next. The Template tab is displayed.
8. Build a new template by adding the output of the show running-config from the switch CLI in the Template text box. Ensure that the template text adheres to the guidelines listed in Important Points to Note on page 476.
You must manually create the template for the CX switch in a group, along with the password in plaintext format. You can use the output of the show running-config command to create the template. You can also add variables to use the same template for onboarding multiple CX switches. For more information on variables, see Managing Variable Files on page 1. All switch templates must include a password command to set a password for the device. The template cannot be saved without adding a password command. If the configuration that is pushed from Aruba Central to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed will not contain the password command. For more information, see Managing Password in Configuration Templates on page 451. For Aruba CX switches, you must configure the password only in plaintext. Also, the format of password must be user admin group administrators password plaintext <string>.
9. Click Save. After you apply the configuration template, switches reboot and reconnect to Aruba Central with the new configuration.
Step 5: Verify the Configuration Status
To verify the configuration status:
1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
   - To verify the configuration status for the template group, click Configuration Audit. The Configuration Audit dashboard displays the number of devices with template and configuration synchronization errors.
   - To view configuration errors for a specific device, select a switch from the filter bar. The Configuration Audit dashboard displays the number of template and configuration synchronization errors for the device.
4. To view template errors, click View Template Errors.
5. To view configuration synchronization errors, click Failed / Pending config changes.
6. To compare running configuration and pending changes, click View under Config Comparison Tool.
Provisioning Pre-Configured Aruba CX Switches
Unlike factory default switches, locally managed switches and switches with custom configuration require one touch provisioning. On Aruba CX switches, Aruba Central is enabled by default as the management platform, and therefore the switches connect to Aruba Central automatically. To onboard a locally managed or pre-configured Aruba CX switch to Aruba Central, use one of the following options:
- Connect the Aruba CX switch directly to Aruba Central. Aruba recommends that you use this option if you want to preserve the current configuration running on the switch. For more information on this procedure, see the workflows described in this topic.
- Reset the switch configuration to factory default and use ZTP to provision the switch. For information on provisioning factory default switches, see Provisioning Factory Default Aruba CX Switches on page 459.
Aruba Central supports provisioning Aruba CX switches using one of the following methods:
- Pre-provisioning--In this workflow, a switch is added to the device inventory and assigned a group in Aruba Central before it connects to Aruba Central. See Workflow 1--Pre-Provisioning an Aruba CX Switch.
- Onboarding connected switches--In this workflow, Aruba Central onboards the switch that attempts to connect and then assigns a group. See Workflow 2--Provisioning an Aruba CX Switch On-Demand.
The following figure illustrates the provisioning procedure for a pre-configured switch.

Figure 61 Provisioning Workflow for Pre-Configured Switches
Workflow 1--Pre-Provisioning an Aruba CX Switch
The pre-provisioning workflow includes the following steps:
- Step 1: Onboard the Aruba CX Switch to Aruba Central
- Step 2: Assign the Aruba CX Switch to a Group
- Step 3: Provision the Aruba CX Switch to a Group
- Step 4: Verify the Configuration Status
Step 1: Onboard the Aruba CX Switch to Aruba Central
To onboard Aruba CX switches to the device inventory in Aruba Central, complete the following steps:
- Log in to Aruba Central
- Add switches to Aruba Central
- Assign Subscriptions
Step 2: Assign the Aruba CX Switch to a Group
Aruba CX switches can be provisioned in a template group only. If you want to preserve the existing configuration on the switch, Aruba recommends that you create a new group for the switch. For more information on creating a group, see Creating a Group on page 120. To assign a device to a group from the Account Home page:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Select the device that you want to assign to a group.
3. Click Assign Group. The Assign a Group to the Selected Devices window is displayed.
4. Select the group to which you want to assign the device.
5. Click Assign Device(s).
To assign a device to a group from the Network Operations app:
1. In the Network Operations app, set the filter to Global. The dashboard context for the group is displayed.
2. Under Maintain, click Organization > Groups. The Groups page is displayed.
3. From the devices table on the right, select the device that you want to assign to a new group.
4. Drag and drop the device to the group to which you want to assign the device.
Step 3: Provision the Aruba CX Switch to a Group
When the Aruba CX switch connects to Aruba Central, Aruba Central automatically assigns it to the preassigned template group. You can import the existing switch configuration to a new configuration template and apply this template to other devices in the group. To create a configuration template using the existing configuration on the switch:
1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
4. Click the Templates tab. The Templates page is displayed.
5. Click + to add a new template. The Add Template window is displayed.
6. In the Basic Info tab, enter a name for the template in the Template Name field.
7. In the Device Type drop-down, select Aruba CX.
8. Select the switch model and software version. You can specify any of the following combinations:
   - ALL for both Model and Version--To apply the template to all switch models and all supported switch software versions.
   - ALL for Model and a software version for Version--To apply the template to all switch models running the selected software version.
   - ALL for Version and a switch model for Model--To apply the template to a switch model and all software versions supported by the selected switch model.

   - A switch model and a software version--To apply the template to a specific switch model and the software version. The template created for a switch model and a software version takes precedence over the template that is created for all platforms and versions.
9. Select the manufacturing part number of the switch in the Part Number drop-down.
The Part Number drop-down is displayed only if you select a switch model in the Model drop-down. If you select a specific switch model and part number, you can apply the template to a standalone switch and not to a stack. If you select All in the Model drop-down, or if you select a switch model and All in the Part Number drop-down, you can apply a template to both a standalone switch and stack.
10. Click Next. The Template tab is displayed.
11. Build a new template by adding the output of the show running-config command from the switch CLI in the Template text box. Ensure that the template text adheres to the guidelines listed in Important Points to Note on page 476.
You must manually create the template for the CX switch in a group, and the template must include the password in plaintext format. You can use the output of the show running-config command to create the template. You can also add variables to use the same template for onboarding multiple CX switches. For more information on variables, see Managing Variable Files on page 1.
All switch templates must include a password command to set a password for the device. The template cannot be saved without a password command. If the configuration that is pushed from Aruba Central to the device does not contain a password command, the configuration push is aborted for the device and a log entry is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed does not contain the password command. For more information, see Managing Password in Configuration Templates on page 451.
For Aruba CX switches, you must configure the password only in plaintext, and the password command must use the following format:
user admin group administrators password plaintext <string>
For Aruba CX switches, the password configured in the template must match the password configured on the switch. Aruba Central cannot override the password that is configured on the switch.
12. Click Save. After you apply the configuration template, switches reboot and reconnect to Aruba Central with the new configuration.
Step 4: Verify the Configuration Status
To verify the configuration status:
1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
   - To verify the configuration status for the template group, click Configuration Audit. The Configuration Audit dashboard displays the number of devices with template and configuration synchronization errors.
   - To view configuration errors for a specific device, select a switch from the filter bar. The Configuration Audit dashboard displays the number of template and configuration synchronization errors for the device.
4. To view template errors, click View Template Errors.
5. To view configuration synchronization errors, click Failed / Pending config changes.
6. To compare running configuration and pending changes, click View under Config Comparison Tool.
Workflow 2--Provisioning an Aruba CX Switch On-Demand
To dynamically provision switches on-demand, complete the following steps:
- Step 1: Add the Aruba CX Switch to Aruba Central
- Step 2: Assign a Subscription to the Aruba CX Switch
- Step 3: Provision the Aruba CX Switch to a Group
- Step 4: Verify the Configuration Status
Step 1: Add the Aruba CX Switch to Aruba Central
Add the switch to the Aruba Central device inventory. For more information, see Onboarding Devices on page 91.
Step 2: Assign a Subscription to the Aruba CX Switch
To allow Aruba Central to manage the switch, ensure that a valid subscription is assigned to the switch. For more information, see Managing Subscriptions on page 98.
Step 3: Provision the Aruba CX Switch to a Group
If the switch has a valid subscription assigned, Aruba Central marks the switch as unprovisioned. To preserve the switch configuration, move it to a new template group.
1. Under Maintain, click Organization > Groups.
2. Select the device.
3. Click Import configuration to New Group. The Import configuration window is displayed.
4. Enter a name for the group.
5. Configure a password for the group.
6. Click Import configuration. Aruba Central imports the switch configuration to the new group.

1. Create a template group.
2. In the Network Operations app, set the filter to Global. The dashboard context for the group is displayed.
3. Under Maintain, click Organization > Groups. The Groups page is displayed.
4. Select the Aruba CX switch.
5. Drag and drop the switch to the new template group that you just created. Aruba Central adds the switch to the new template group.

6. To build a new configuration template:
   a. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
   b. Under Manage, click Devices > Switches.
   c. Click the Config icon. The tabs to configure switches using templates are displayed.
   d. Click the Templates tab. The Templates page is displayed.
   e. Click + to add a new template. The Add Template window is displayed.
   f. In the Basic Info tab, enter a name for the template in the Template Name field.
   g. In the Device Type drop-down, select Aruba CX.
   h. Select the switch model and the software version to which you want to apply the new template. You can specify any of the following combinations:
      - ALL for both Model and Version--To apply the template to all switch models and all supported switch software versions.
      - ALL for Model and a software version for Version--To apply the template to all switch models running the selected software version.
      - ALL for Version and a switch model for Model--To apply the template to a switch model and all software versions supported by the selected switch model.
      - A switch model and a software version--To apply the template to a specific switch model and the software version. The template created for a switch model and a software version takes precedence over the template that is created for all platforms and versions.
   i. Select the manufacturing part number of the switch in the Part Number drop-down.
      The Part Number drop-down is displayed only if you select a switch model in the Model drop-down. If you select a specific switch model and part number, you can apply the template to a standalone switch and not to a stack. If you select All in the Model drop-down, or if you select a switch model and All in the Part Number drop-down, you can apply a template to both a standalone switch and stack.
   j. Click Next. The Template tab is displayed.
   k. Build a new template by adding the output of the show running-config command from the switch CLI in the Template text box. Ensure that the template text adheres to the guidelines listed in the Important Points to Note on page 476.
You must manually create the template for the CX switch in a group, and the template must include the password in plaintext format. You can use the output of the show running-config command to create the template. You can also add variables to use the same template for onboarding multiple CX switches. For more information on variables, see Managing Variable Files on page 1.
All switch templates must include a password command to set a password for the device. The template cannot be saved without a password command. If the configuration that is pushed from Aruba Central to the device does not contain a password command, the configuration push is aborted for the device and a log entry is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed does not contain the password command. For more information, see Managing Password in Configuration Templates on page 451.
For Aruba CX switches, you must configure the password only in plaintext, and the password command must use the following format:
user admin group administrators password plaintext <string>
For Aruba CX switches, the password configured in the template must match the password configured on the switch. Aruba Central cannot override the password that is configured on the switch.
l. Click Save. After you apply the configuration template, switches reboot and reconnect to Aruba Central with the new configuration.
Step 4: Verify the Configuration Status
To verify the configuration status:
1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
   - To verify the configuration status for the template group, click Configuration Audit. The Configuration Audit dashboard displays the number of devices with template and configuration synchronization errors.
   - To view configuration errors for a specific device, select a switch from the filter bar. The Configuration Audit dashboard displays the number of template and configuration synchronization errors for the device.
4. To view template errors, click View Template Errors.
5. To view configuration synchronization errors, click Failed / Pending config changes.
6. To compare running configuration and pending changes, click View under Config Comparison Tool.
Configuring Aruba Switches
Aruba Central supports provisioning switches in UI and template groups. Aruba Central supports basic configuration options in the UI. Users can also assign switches to template groups and use configuration templates and variables to manage switches from Aruba Central. See the following topics for more information on managing switches and switch stacks in Aruba Central:

- Using Configuration Templates for Aruba Switch Management on page 469
- Configuring or Viewing Switch Properties in UI Groups on page 480
- Aruba Switch Stack on page 519
- Aruba CX VSF Stack on page 527
CA Certificate Installation using API and Templates
This feature is supported for switches with a minimum firmware version of 16.09. Aruba Central supports the installation of CA certificates through templates and APIs. Typically, an administrator uses an NB API to push the CA certificate to the Aruba Central certificate store. The certificates must be pushed to the certificate store of the same tenant. After that, use the ArubaOS-Switch CLI commands in an Aruba Central template to push the certificate as part of the configuration audit. If the certificate push or install process is not successful, the Aruba Central audit logs display the specific failure. Only those certificates that are installed through Aruba Central are monitored by Aruba Central. Other switch certificates are not supported for monitoring.
Use the following command to push the CA certificate:
cert-prof name "<name of cert>"
For example, if the certificate name is ca_cert_1, the following is the format of the command:
cert-prof name "ca_cert_1"
Points to Note
- Unlike IAPs and Gateways, where a certificate cannot be deleted if it is referenced in a template or a variable, in switches, users can delete a certificate even if it is referenced in a template or a variable.
- Deleting an existing certificate and creating a new certificate with the same name but with different certificate data does not guarantee that the new certificate is installed for switches. Re-apply the template or variable to ensure that the change is propagated.
Using Configuration Templates for Aruba Switch Management
Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple switches in a group and thus automate switch deployments.
To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that the device administrators familiarize themselves with the CLI configuration commands available on Aruba Switch.
Creating a Group for Template-Based Configuration
For template-based provisioning, switches must be assigned to a group with template-based configuration method enabled. For more information, see Managing Groups on page 120 and Assigning Devices to Groups on page 121.
Creating a Configuration Template
To create a configuration template for switches:
1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
4. Click the Templates tab. The Templates page is displayed.
5. Click + to add a new template. The Add Template window is displayed.
6. In the Basic Info tab, enter a name for the template in the Template Name field.
7. In the Device Type drop-down, select Aruba Switch.
8. Select the switch model and software version. You can specify any of the following combinations:
   - ALL for both Model and Version--To apply the template to all switch models and all supported switch software versions.
   - ALL for Model and a software version for Version--To apply the template to all switch models running the selected software version.
   - ALL for Version and a switch model for Model--To apply the template to a switch model and all software versions supported by the selected switch model.
   - A switch model and a software version--To apply the template to a specific switch model and the software version. The template created for a switch model and a software version takes precedence over the template that is created for all platforms and versions.
9. Select the manufacturing part number of the switch in the Part Number drop-down.
The Part Number drop-down is displayed only if you select a switch model in the Model drop-down. If you select a specific switch model and part number, you can apply the template to a standalone switch and not to a stack. If you select All in the Model drop-down, or if you select a switch model and All in the Part Number drop-down, you can apply a template to both a standalone switch and stack.
10. Click Next. The Template tab is displayed.
11. Build a new template or import configuration information from a switch that is already provisioned in the template group.
   - To build a new template, add the switch command information in the Template text box. Ensure that the template text adheres to the guidelines listed in the Important Points to Note on page 471.
   - To import configuration text from a switch that is already provisioned in the template group:
      a. Click Import Configuration As Template.
      b. From the search box, select the switch from which you want to import the configuration. The imported configuration is displayed in the Template text box.
      c. If required, modify the configuration parameters. Ensure that the template text adheres to the guidelines listed in the Important Points to Note on page 471.

Importing configuration from an existing device in the template group allows you to quickly create a basic template. However, before applying the template to other switches in the group, ensure that the template text is variabilized as per your deployment requirements. For more information on variable definitions, see Managing Variable Files on page 130. All switch templates must include a password command to set a password for the device. The template cannot be saved without adding a password command. If the configuration that is pushed from Aruba Central to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed will not contain the password command. For more information, see Managing Password in Configuration Templates on page 451. For more information about using password commands, see the Configuring Username and Password Security chapter in the HPE ArubaOS-Switch Access Security Guide.
d. To view the variables present in the imported configuration template, click Show Variables List. The Variables in Template column is displayed. For more information on variables, see Managing Variable Files on page 130.
e. To download the variables as a CSV or plain text file, click the download icon and select one of the following options:
   - Download .CSV
   - Download plain text (.txt)
12. Click Save. After you apply the configuration template, switches reboot and reconnect to Aruba Central with the new configuration.
Important Points to Note
Note the following points when adding configuration text to a template:
- The CLI syntax in the switch template must be accurate. Aruba recommends that you validate the configuration syntax on the switch before adding it to the template text.
- Ensure that the command text indentation matches the indentation in the running configuration.
- The commands in the template are case-sensitive.
When configuring a password, you must add the include-credentials command in the template. This command stores the password in the running-config file associated with the switch. Aruba Central automatically executes this command while reading the switch configuration.
The following example illustrates the case discrepancies that the users must avoid in the template text:
trunk E1-E4 trk1 trunk
interface Trk1
   dhcp-snooping trust
   exit

trunk E1-E4 trk1 trunk
switch-interconnect trk1

trunk E5-E6 trk2 trunk
vlan 5
   name "VLAN5"
   untagged Trk2
   tagged Trk1
   isolate-list Trk1
   ip igmp forcedfastleave Trk1
   ip igmp blocked Trk1
   ip igmp forward Trk1
   forbid Trk1

loop-protect Trk2

trunk E1-E4 trk1 trunk
trunk E4-E5 trk2 trunk
spanning-tree Trk1 priority 4
spanning-tree Trk2 admin-edge-port

trunk A2-A4 trk1 trunk
igmp fastlearn Trk1

trunk E4-E5 trk2 trunk
ip source-binding 2 4.5.6.7 b05ada-96a4a0 Trk2

[no] ip source-binding trap OutOfResources

snmp-server mib hpSwitchAuthMIB ..

snmp-server mib hpicfMACsec unsecured-access ..

[no] lldp config <P-PORT-LIST> dot1TlvEnable ..

[no] lldp config <P-PORT-LIST> medTlvEnable ..

no lldp config <P-PORT-LIST> medPortLocation..

[no] lldp config <P-PORT-LIST> dot3TlvEnable ..

[no] lldp config <P-PORT-LIST> basicTlvEnable ..

[no] lldp config <P-PORT-LIST> ipAddrEnable <lldp-ip>

trunk-load-balance L4-based

trunk-load-balance L3-based

Best Practices
Aruba recommends that you follow these steps when using configuration templates to manage switches:

1. Configure the switch.
2. Add the switch to Aruba Central.
3. Create the template. You can use the Import template option to import an existing template created for switches.
4. Modify the template based on the user requirement. For example, add or remove variables.
5. Save the edited template.
Using Configuration Templates for Aruba CX Switch Management
Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple switches in a group and thus automate switch deployments.
To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that the device administrators familiarize themselves with the CLI configuration commands available on Aruba CX switches.
Creating a Group for Template-Based Configuration
For template-based provisioning, switches must be assigned to a group with template-based configuration method enabled. For more information, see Managing Groups on page 120 and Assigning Devices to Groups on page 121.
Aruba CX switches can only be configured using configuration templates.
You cannot move an Aruba CX switch from a template group to a UI group in Aruba Central. If attempted, a warning is displayed that the Aruba CX switch cannot be moved to a UI group, because UI group is not supported on Aruba CX switches.
When you onboard a factory default Aruba CX switch, the switch is listed under Unassigned Devices in the Organization > Groups page, because UI group is not supported on Aruba CX switches.
When you pre-provision an Aruba CX switch, the switch is listed under Unassigned Devices in the Organization > Groups page, because UI group is not available for Aruba CX switches.
For Aruba CX switches, the Import Configuration to New Group feature is not supported.
Creating a Configuration Template
To create a configuration template for switches:
1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
4. Click the Templates tab. The Templates page is displayed.
5. Click + to add a new template. The Add Template window is displayed.
6. In the Basic Info tab, enter a name for the template in the Template Name field.
7. In the Device Type drop-down, select Aruba CX.
8. Select the switch model and software version. You can specify any of the following combinations:
   - ALL for both Model and Version--To apply the template to all switch models and all supported switch software versions.
   - ALL for Model and a software version for Version--To apply the template to all switch models running the selected software version.
   - ALL for Version and a switch model for Model--To apply the template to a switch model and all software versions supported by the selected switch model.
   - A switch model and a software version--To apply the template to a specific switch model and the software version. The template created for a switch model and a software version takes precedence over the template that is created for all platforms and versions.
9. Select the manufacturing part number of the switch in the Part Number drop-down.
The Part Number drop-down is displayed only if you select a switch model in the Model drop-down. If you select a specific switch model and part number, you can apply the template to a standalone switch and not to a stack. If you select All in the Model drop-down, or if you select a switch model and All in the Part Number drop-down, you can apply a template to both a standalone switch and stack.
10. Click Next. The Template tab is displayed.
11. Build a new template by adding the output of the show running-config command from the switch CLI in the Template text box. Ensure that the template text adheres to the guidelines listed in the Important Points to Note on page 476.
You must manually create the template for the Aruba CX switch in a group, and the template must include the password in plaintext format. You can use the output of the show running-config command to create the template. You can also add variables to use the same template for onboarding multiple Aruba CX switches. For more information on variables, see Managing Variable Files on page 130.
All switch templates must include a password command to set a password for the device. The template cannot be saved without a password command. If the configuration that is pushed from Aruba Central to the device does not contain a password command, the configuration push is aborted for the device and a log entry is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed does not contain the password command. For more information, see Managing Password in Configuration Templates on page 451.
For Aruba CX switches, you must configure the password only in plaintext, and the password command must use the following format:
user admin group administrators password plaintext <string>
12. Click Save. After you apply the configuration template, switches reboot and reconnect to Aruba Central with the new configuration.
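The abort condition described in the password note can be checked before a push by rendering the template once per device and looking for a password command in the result. The following Python sketch is an added example, not Aruba Central code; the %if name=value% / %else% / %endif% directives, the %name% variable placeholders, the device serials and all values are assumptions constructed for illustration.

```python
import re

# Assumed template syntax (not shown in this guide): %if name% or
# %if name=value%, %else%, %endif%, and %name% variable placeholders.
IF_RE = re.compile(r"^\s*%if\s+(\w+)\s*(?:=\s*(.*?))?\s*%\s*$")
ELSE_RE = re.compile(r"^\s*%else%\s*$")
ENDIF_RE = re.compile(r"^\s*%endif%\s*$")
VAR_RE = re.compile(r"%(\w+)%")
# Password command format the guide requires for Aruba CX templates.
CX_PASSWORD_RE = re.compile(
    r"^user admin group administrators password plaintext \S+$")


def render(template, variables):
    """Return the configuration lines one device would receive."""
    rendered, branches = [], []      # branches: one bool per open %if%
    for raw in template.splitlines():
        cond = IF_RE.match(raw)
        if cond:
            name, wanted = cond.groups()
            value = variables.get(name)
            # "%if name%" tests existence, "%if name=value%" tests equality.
            branches.append(value is not None if wanted is None
                            else value == wanted)
        elif ELSE_RE.match(raw):
            if not branches:
                raise ValueError("%else% without %if%")
            branches[-1] = not branches[-1]
        elif ENDIF_RE.match(raw):
            if not branches:
                raise ValueError("%endif% without %if%")
            branches.pop()
        elif all(branches):          # every enclosing condition is true
            # Unknown variables are left in place so they can be reported.
            rendered.append(VAR_RE.sub(
                lambda m: variables.get(m.group(1), m.group(0)), raw))
    if branches:
        raise ValueError("unclosed %if% block")
    return rendered


def preflight(template, devices):
    """Map each device serial to the problems its rendered config has.

    The report holds finding codes only, so the plaintext password is
    never copied into logs or tickets.
    """
    report = {}
    for serial, variables in devices.items():
        lines = [line.strip() for line in render(template, variables)]
        password_lines = [line for line in lines
                          if line.startswith("user ") and " password " in line]
        problems = []
        if not password_lines:
            # The guide states that this push is aborted and audited.
            problems.append("no-password-command")
        for line in password_lines:
            if VAR_RE.search(line):
                problems.append("unresolved-variable")
            elif not CX_PASSWORD_RE.match(line):
                problems.append("bad-format")
        report[serial] = problems
    return report


# Constructed sample template and per-device variables.
TEMPLATE = """\
hostname %hostname%
%if site_type=branch%
user admin group administrators password plaintext %admin_pw%
%endif%
%if legacy%
user admin password plaintext %admin_pw%
%endif%
vlan 1
"""

DEVICES = {
    "SERIAL-A": {"hostname": "cx-a", "site_type": "branch",
                 "admin_pw": "Constructed-Pw-1"},
    "SERIAL-B": {"hostname": "cx-b", "site_type": "campus",
                 "admin_pw": "Constructed-Pw-2"},
    "SERIAL-C": {"hostname": "cx-c", "site_type": "campus",
                 "legacy": "yes", "admin_pw": "Constructed-Pw-3"},
    "SERIAL-D": {"hostname": "cx-d", "site_type": "branch"},
}

if __name__ == "__main__":
    for serial, problems in preflight(TEMPLATE, DEVICES).items():
        print(serial, "OK" if not problems else ", ".join(problems))
```

SERIAL-B is the case the note warns about: the only password command sits in a condition block that evaluates to false for that device, so its rendered configuration has none.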
Important Points to Note

Note the following points when adding configuration text to a template:
- The CLI syntax in the switch template must be accurate. Aruba recommends that you validate the configuration syntax on the switch before adding it to the template text.
- Ensure that the command text indentation matches the indentation in the running configuration.
- The commands in the template are case-sensitive.
The following example illustrates the case discrepancies that the users must avoid in the template text:

trunk E1-E4 trk1 trunk
interface Trk1
   dhcp-snooping trust
   exit

trunk E1-E4 trk1 trunk
switch-interconnect trk1

trunk E5-E6 trk2 trunk
vlan 5
   name "VLAN5"
   untagged Trk2
   tagged Trk1
   isolate-list Trk1
   ip igmp forcedfastleave Trk1
   ip igmp blocked Trk1
   ip igmp forward Trk1
   forbid Trk1

loop-protect Trk2

trunk E1-E4 trk1 trunk
trunk E4-E5 trk2 trunk
spanning-tree Trk1 priority 4
spanning-tree Trk2 admin-edge-port

trunk A2-A4 trk1 trunk
igmp fastlearn Trk1

trunk E4-E5 trk2 trunk
ip source-binding 2 4.5.6.7 b05ada-96a4a0 Trk2

[no] ip source-binding trap OutOfResources

snmp-server mib hpSwitchAuthMIB ..

snmp-server mib hpicfMACsec unsecured-access ..

[no] lldp config <P-PORT-LIST> dot1TlvEnable ..

[no] lldp config <P-PORT-LIST> medTlvEnable ..

no lldp config <P-PORT-LIST> medPortLocation..

[no] lldp config <P-PORT-LIST> dot3TlvEnable ..

[no] lldp config <P-PORT-LIST> basicTlvEnable ..

[no] lldp config <P-PORT-LIST> ipAddrEnable <lldp-ip>

trunk-load-balance L4-based

trunk-load-balance L3-based
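The indentation and case guidelines in Important Points to Note can be checked mechanically by comparing each template line with the show running-config output it was derived from. This Python example is added here and is not part of the guide or of Aruba Central; the %name% placeholder and %if%/%else%/%endif% directive syntax is assumed, and both sample texts are constructed from the command lines shown in the example above.

```python
import re

VARIABLE = re.compile(r"%\w+%")                       # assumed placeholder syntax
DIRECTIVE = re.compile(r"%(?:if\b.*|else|endif)%")    # assumed control lines


def _indent(line):
    """Number of leading spaces on a line."""
    return len(line) - len(line.lstrip(" "))


def _pattern(command):
    """Regex for a template command; each %variable% matches one token."""
    literals = VARIABLE.split(command)
    return r"\S+".join(re.escape(part) for part in literals)


def lint_template(template, running_config):
    """Compare template lines with the running configuration.

    Returns (line_number, kind, template_command, reference_line) tuples,
    where kind is "case" or "indent". Template lines that have no
    counterpart in the running configuration are not judged.
    """
    reference = [line.rstrip() for line in running_config.splitlines()
                 if line.strip()]
    findings = []
    for number, raw in enumerate(template.splitlines(), start=1):
        line = raw.rstrip()
        command = line.strip()
        if not command or DIRECTIVE.fullmatch(command):
            continue
        pattern = _pattern(command)
        # Lines that are the same command when letter case is ignored.
        loose = [ref for ref in reference
                 if re.fullmatch(pattern, ref.strip(), re.IGNORECASE)]
        if not loose:
            continue
        # Of those, the lines that also match case-sensitively.
        exact = [ref for ref in loose if re.fullmatch(pattern, ref.strip())]
        if not exact:
            findings.append((number, "case", command, loose[0]))
        candidates = exact or loose
        if all(_indent(ref) != _indent(line) for ref in candidates):
            findings.append((number, "indent", command, candidates[0]))
    return findings


# Constructed running configuration, using command lines from this section.
RUNNING_CONFIG = """\
hostname Edge-01
trunk E1-E4 trk1 trunk
interface Trk1
   dhcp-snooping trust
   exit
vlan 5
   name "VLAN5"
   untagged Trk2
   tagged Trk1
   exit
"""

# Constructed template with two case errors and one indentation error.
TEMPLATE = """\
hostname %hostname%
trunk E1-E4 trk1 trunk
interface trk1
 dhcp-snooping trust
   exit
vlan %vlan_id%
   name "VLAN5"
   tagged trk1
   exit
"""

if __name__ == "__main__":
    for number, kind, command, ref in lint_template(TEMPLATE, RUNNING_CONFIG):
        print(f"line {number}: {kind}: {command!r} vs running-config {ref!r}")
```

Variabilized lines such as hostname %hostname% are still compared, because each placeholder is treated as a wildcard for one token of the running configuration.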

Configuring or Viewing Switch Properties in UI Groups
This section describes the configuration and viewing procedures for the switches in the UI groups.

Aruba Central does not support pre-configured switches in a UI group. If you want to move a switch from a template group to a UI group, you must clear the switch configuration, delete the device from Aruba Central, and then provision the switch as a new device in a UI group.

To configure or view properties of the switches provisioned in UI groups, perform the following procedure:
1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click the config icon to edit the switch properties. Tabs to access different configuration pages are displayed. The following table describes the different configuration pages and their functions.

Table 131: Tabs for Configuring Switches Provisioned in a UI Group

Tab | Function
Switches | Configure or view general switch properties, such as hostname, type of IP addressing, and so on. See Configuring or Viewing the Switch Properties.
Stacks | Create stacks, add members, or view stacking details such as stack type, stack id, topology, and so on. See Configuring Switch Stacks using UI Groups.
Ports | Assign or view port properties, such as PoE, access policies, and trunk groups. See Configuring Switch Ports on Aruba Switches.
PoE | Configure or view PoE settings for each port. See Configuring PoE Settings on Aruba Switch Ports.
Trunk Groups | Configure or view trunk groups and their associated properties, such as members of the trunk group, type of trunk group, and so on. See Configuring Trunk Groups on Aruba Switches in UI Groups.
VLANs | Configure or view VLANs and the associated ports and access policies. See Configuring VLANs on Aruba Switches.
Spanning Tree | Configure or view spanning tree protocol and its associated properties. See Enabling Spanning Tree Protocol on Aruba Switches in UI Groups.
Loop Protection | Configure or view loop protection and its associated properties. See Configuring Loop Protection on Aruba Switch Ports.
Access Policy | Add or view access policies. See Configuring Access Policies on Aruba Switches.
DHCP Snooping | Configure or view DHCP snooping, authorized DHCP servers IP addresses, and their associated properties. See Configuring DHCP Snooping on Aruba Switches.
Port Rate Limit | View or specify bandwidth to be used for inbound or outbound traffic for each port. See Configuring Port Rate Limit on Aruba Switches in UI Groups.
Radius | Configure or view RADIUS (Remote Authentication Dial-In User Service) server settings on switches. See Configuring RADIUS Server Settings on Aruba Switches.
Tunnel Node Server | Configure or view tunneled node on switches. See Configuring Tunnel Node Server on Aruba Switches.
Authentication | Configure or view 802.1X authentication and MAC authentication for switches. See Configuring Authentication for Aruba Switches.
Access/DNS | Configure or view the administrator and operator logins. See Configuring System Parameters for Aruba Switches.
Time | Configure time synchronization in switches. See Configuring Time Synchronization on Aruba Switches.
SNMP | Add or view SNMP community and its trap destination. See Configuring SNMP on Aruba Switches.
CDP | Configure CDP and its associated properties. See Configuring CDP on Aruba Switches.
Routing | Configure or view a specific routing path to a gateway. See Configuring Routing on Aruba Switches.
DHCP Pools | Add or view a DHCP pool and its associated properties. See Configuring DHCP Pools on Aruba Switches.
IGMP | Configure IGMP and its associated properties. See Configuring IGMP on Aruba Switches.
QoS | Create QoS traffic policies, define QoS classes, and change the priorities of traffic on switches. See Configuring QoS Settings on Aruba Switches.
Device Profile | Configure or view device profile settings on switches. See Configuring Device Profile.
Configuration Audit | View configuration sync errors and overrides. See Viewing Configuration Status.

Configuring or Viewing the Switch Properties
When you add a switch to a group, the switch inherits the configuration of the group. It is not recommended to add a switch with an existing configuration to a group that already has a defined configuration. Aruba Central permits device-level overrides; however, the overrides are resolved or preserved based on the requirements. You can create a new group and add a pre-configured switch to that group so that the group inherits the configuration of the switch.
If the switch inherits the group configuration, the configuration parameters are already defined. If required, you can edit these parameters. All factory default switches are provisioned in a new group and these parameters can also be defined at the group level.
To edit the configuration parameters for the switch in a UI group, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click the Switches tab. The Switches page is displayed with the following information.

Table 132: Switches Parameters

Name | Description | Value
MAC Address | MAC address of the switch. | Property inherited from the switch.
Hostname | Name of the host. | A string.
IP Assignment | Method of IP assignment as static or DHCP. | Static or DHCP.
IP Address | IP address for static IP assignment. | IPv4 address.
Netmask | Netmask for static IP assignment. | Netmask address.
Default Gateway | Default gateway for static IP assignment. | IPv4 address.
Location | Location of the switch. | For example: Portland, Oregon.
Contact | Email address or phone number. | For example: [email protected].

3. To edit the switch configuration parameters, select the row you want to edit and click the edit icon. The Edit Switches window is displayed.
4. Edit the required parameters.
   In the Switches page, you can edit only Hostname, Location, and Contact information. Use the VLANs page to configure IP Assignment, IP address, Netmask and Default Gateway parameters. For more information, see Configuring VLANs on Aruba Switches on page 487.
5. Click OK.
6. Click Save Settings.

Configuring Switch Ports on Aruba Switches
To view the port details of a switch, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click Interface > Ports. The Ports page is displayed with the list of ports configured on the switch.
For the Aruba Mobility Access Switches, the Ports page displays the following information:

Table 133: Ports Page--Mobility Access Switches

Name | Description | Value
Port Number | Indicates the number assigned to the switch port. | Dependent on the type of switch.
Admin Status | Indicates the operational status of the port. | Up or Down.
Port Mode | Indicates the mode of operation. The port can be configured to function in Trunk or Access mode. | Trunk Mode or Access Mode. By default, a port is in Access mode and carries traffic only for the VLAN to which it is assigned. In Trunk mode, a port can carry traffic for multiple VLANs.
VLAN | Shows the VLAN to which the port is assigned. Based on the port mode, you can assign different types of VLAN. | For Access mode, an Access VLAN can be specified. For Trunk mode, the Native VLAN and Allowed VLAN can be configured.
Auto Negotiation | Indicates the status of the Auto Negotiation. | If auto negotiation is enabled, the Speed and Duplex fields are automatically set to Auto. If auto negotiation is disabled, the speed can be set to 10 Mbps, 100 Mbps, or 1 Gbps and the duplex mode can be set to half or full.
Speed/Duplex | Displays the speed and duplex configuration settings for the client traffic. |
Trusted | Indicates if the port is trusted. |

For Aruba switches, the Ports page displays the following information:

Table 134: Ports Page--Aruba Switches

Name | Description | Value
Port Number | Indicates the number assigned to the switch port. | Dependent on the switch type.
Name | Name of the port for easy identification. You can add or edit port names. However, do not delete port names as it may cause config push to fail. The config push failure may also arise if you move a switch from a group configured with port names to a new group. This issue is only applicable to switch firmware versions earlier than 16.08.0002. | For example: UPLINK-SRVRROOM.
Admin Status | Allows you to set the operational status of the port. | Up or Down
Speed-Duplex (Mbps) | Allows you to set the maximum bandwidth of the port traffic. | Select from dropdown menu. Default is Auto.
Tunneled | Indicates whether the port is tunneled or not. | Enable or Disable. To configure a Tunnel Node Server, see Configuring Tunnel Node Server on Aruba Switches.
DHCP Snooping | Status of port to filter DHCP messages received at the port. | Trust or Untrust. See Configuring DHCP Snooping on Aruba Switches.
Access Policy (In) | Allows you to apply an existing access policy for the inbound traffic on the port. | Select from dropdown menu. See Configuring Access Policies on Aruba Switches.
Access Policy (Out) | Allows you to apply an existing access policy for the outbound traffic on the port. | Select from dropdown menu. See Configuring Access Policies on Aruba Switches.
Trunk Group | Displays the name of the trunk group to which the port is assigned. | To configure a Trunk Group, see Configuring Trunk Groups on Aruba Switches in UI Groups.

3. Select the port row, click Edit. The Edit Ports window is displayed.
4. Configure the required parameters.
5. Click Save.

Configuring PoE Settings on Aruba Switch Ports


Power over Ethernet (PoE) is a technology that allows the switches to deliver power to the powered devices (PD). If you have switches provisioned in UI groups, you can enable or disable PoE operation on switch ports. The PoE page displays the configuration details of all PoE enabled ports. To configure the PoE settings of a switch, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click Interface > PoE. The PoE page is displayed.
3. Select the port(s) you want to edit and click Edit. The Edit Power Over Ethernet Settings window is displayed.
4. Configure the following parameters:

Table 135: PoE Parameters

Name | Description | Value
Port | The number assigned to the switch port. The port number is auto-generated and cannot be changed in the settings. | Autogenerated port number
PoE | The status of the PoE operation on the port. When PoE is enabled, the switch sends power to the powered device (PD). | Enabled or Disabled
Priority | The PoE priority level of the port. If there is not enough power available to provision all active PoE ports, ports at the Critical priority level are powered first, then High, and Low priority ports last. | Low, High or Critical
LLDP MED TLV (PoE) | The status of the LLDP MED TLV configuration. Switches use LLDP to repeatedly query the PD to discover the power requirement and send the exact power required. | Enabled or Disabled
LLDP Dot3 TLV (PoE+) | The status of the LLDP Dot3 TLV configuration. | Enabled or Disabled
Allocation By | The PoE power allocation method used for the port. If usage is selected, then the allocation is made based on the automatic allocation by the PD. If class is selected, then the allocation is made based on class of the PD. | Usage or Class
Pre Std Detect | The status of support for pre-standard devices. When this option is enabled, the switch supports some pre-802.3af devices. | Enabled or Disabled
Configured type | The user-defined identifier for the port to identify its intended use. | A string

The status of LLDP in PoE page is displayed as Enabled only if one or both LLDP settings (LLDP MED TLV (PoE) and LLDP Dot3 TLV (PoE+)) are enabled for the port.
5. Click OK.
6. Click Save Settings.

Configuring VLANs on Aruba Switches
The Aruba switches support the following types of VLANs:
- Port-based VLANs: In the case of trusted interfaces, all untagged traffic is assigned a VLAN based on the incoming port.
- Tag-based VLANs: In the case of trusted interfaces, all tagged traffic is assigned a VLAN based on the incoming tag.
The Aruba Mobility Access Switch also supports the following types of VLANs:
- Voice VLANs: You can use voice VLANs to separate voice traffic from data traffic when the voice and data traffic are carried over the same Ethernet link.
- MAC-based VLANs: In the case of untrusted interfaces, you can associate a client to a VLAN based on the source MAC of the packet. Based on the MAC, you can assign a role to the user after authentication.

Adding VLAN Details
By default, all ports in the Switches are assigned to VLAN 1. However, if the ports are assigned to different VLANs, the VLANs page displays their details. To add a VLAN, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click Interface > VLANs. The VLANs page is displayed.
3. In the VLANs Settings accordion, click + to add a VLAN and configure the following parameters.

Table 136: Configuring and Viewing VLAN Parameters

Name | Description | Value
Name | The name of the VLAN. | A string
IP Assignment | The method of IP assignment. The static option is displayed only at the device level. The options to assign Primary VLAN and Management VLAN are displayed only when you select Static or DHCP. | Static, DHCP, or Disabled. Default: DHCP
IP Address | The IP address for static IP assignment. This field is enabled only when you select Static from the IP Assignment drop-down. | IPv4 address
Netmask | The netmask for static IP assignment. This field is enabled only when you select Static from the IP Assignment drop-down. | IPv4 address
DHCP Server | Indicates whether the switch is configured as the DHCP server on the VLAN. This field is enabled only when you select Static from the IP Assignment drop-down. You can enable DHCP Server option only when there are no DHCP Helper IP addresses configured. | Toggle switch to the on or off position
DHCP Helper IP | IP address of the DHCP helper server for that VLAN. You can configure a maximum of 16 DHCP helper IP addresses for each VLAN. You can configure DHCP Helper IP addresses only when DHCP Server option is disabled. | IPv4 address
Voice | Indicates whether support for voice VLANs is enabled for the VLAN interface. | Toggle switch to the on or off position
Primary VLAN | Indicates whether the VLAN is assigned as the primary VLAN for the switches. To assign primary VLAN, at least one tagged or untagged port should be configured. This is a mandatory field. | Toggle switch to the on or off position
Management VLAN | Indicates whether the VLAN is assigned as the management VLAN for the switches. | Toggle switch to the on or off position
Default Gateway | Default gateway for static IP assignment. This field is enabled only when you select Static from the IP Assignment drop-down. | IPv4 address
Jumbo | Indicates whether jumbo packet handling is enabled for the VLAN interface. | Toggle switch to the on or off position
Access Policy (In) | The security policy that you want to apply for the inbound traffic. | See Configuring Access Policies on Aruba Switches.
Access Policy (Out) | The security policy that you want to apply for the outbound traffic. | See Configuring Access Policies on Aruba Switches.
VLAN Access Policy (In) | The security policy that you want to apply for the bridged and routed inbound packets on the VLAN. | See Configuring Access Policies on Aruba Switches.
VLAN Access Policy (Out) | The security policy that you want to apply for the bridged and routed outbound packets on the VLAN. | See Configuring Access Policies on Aruba Switches.

4. To configure the VLAN ports, complete the following steps:
   a. In the Ports table, select the port number(s).
   b. Select any of the following port modes:
      - Tagged Ports
      - Untagged Ports
      - None
5. To assign the VLAN to a trunk group, select the trunk group in the Trunk Groups table.
6. Click OK.
7. Click Save Settings.

When you upgrade to Aruba Central version 2.5.2, the static IP address configured at group level for VLANs is migrated to device level and preserved as overrides. The static IP assignment is available only at the device level.

Editing the VLAN Details
To edit the details of a VLAN, point to the row for the VLAN, and click the edit icon in the Actions column, and configure the parameters.
Deleting VLAN Details
To delete the VLAN details, complete the following steps:
1. Ensure that the VLANs are not tagged to any ports.
2. Point to the row for the VLAN, and click the edit icon in the Actions column.
VLAN 1 is the primary VLAN and cannot be deleted.


Configuring DHCP Relay Settings
You can configure a switch as a DHCP relay agent for transmitting DHCP messages between the DHCP server and client. You can also configure the option-82 feature for the switch to include DHCP relay information in the forwarded DHCP request messages. To configure a switch as a DHCP relay agent, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click Interface > VLANs. The VLANs page is displayed.
3. Expand the DHCP Relay Settings accordion.
4. To enable DHCP relay, move the DHCP Relay toggle switch to the on position.
   DHCP Relay option is enabled by default.
5. To enable option-82 feature, move the DHCP Relay Option 82 toggle switch to the on position.
6. Click Save Settings.

Configuring Trunk Groups on Aruba Switches in UI Groups
If you have switches provisioned in a UI group, Aruba Central enables you to configure port trunking on these switches using the UI workflows. The network administrator can configure a trunk group on switches to create one logical link or a trunk by aggregating multiple links. The trunk link functions as a high-speed link to provide increased bandwidth.
A trunk group is a set of up to eight ports configured as members of the same port trunk.

Table 137: Trunk Group configuration Support Per Switch Platform

Aruba Switch Platform | Valid Trunk Groups
Aruba 2540 Switch Series | Trk1-Trk26
Aruba 2920 Switch Series, Aruba 2930F Switch Series, Aruba 2930M Switch Series | Trk1-Trk60
Aruba 2530 Switch Series | Trk1-Trk24
Aruba 3810 Switch Series | Trk1-Trk144

The following are some guidelines:
- All ports in the same trunk group must be of the same trunk type (LACP or trunk).
- The names of the trunk groups include the prefix Trk followed by the numbers in a sequential order. For example, Trk1, Trk2 and so on.
- When STP is enabled on the switch, the STP configuration is applied for all ports at the trunk group level. Individual ports cannot be configured for STP or VLAN operation.

Adding Trunk Groups on Switches
To configure a trunk group on switches:
Ensure that the switches are onboarded and provisioned to a UI group in Aruba Central.
1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Click the Config icon to view the switch configuration dashboard.
     c. Under Manage, click Devices > Switches.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click Interface > Trunk Groups. The Trunk Groups page is displayed.
3. In the Trunk Groups table, click + to add a trunk group and configure the following parameters:

Table 138: Ports Page--Aruba Switches

Name | Description | Value
Name | Indicates the number assigned to the switch port. | String.
Type | A name of the port for easy identification. | Trunk or LACP.
Untagged VLANs | If the switch ports are untagged, select a VLAN from the Untagged VLAN list. | Select from dropdown menu.
Tagged VLANs | If the switch ports are tagged, select the VLANs from the Tagged VLAN list. | Select from dropdown menu.
Ports | Select the ports for trunking. You can use up to eight ports for link aggregation. The ports in a trunk group need not be consecutive. | Select from dropdown menu.
DHCP Snooping | Select the status of port to filter DHCP messages received at the port. | Trust or Untrust. Default is Untrust.

4. Click OK.
5. Click Save Settings.

Editing Trunk Groups on Switches
To edit details of a trunk group, point to the row for the trunk group, and click the edit icon and configure the parameters.
Deleting Trunk Groups on Switches
To delete a trunk group, point to the row for the trunk group, and click the delete icon.
Enabling Spanning Tree Protocol on Aruba Switches in UI Groups
This is a beta feature and not recommended for a production environment.
The Spanning Tree Protocol (STP) eliminates Layer 2 loops in networks, by selectively blocking some ports and allowing other ports to forward traffic, based on global (bridge) and local (port) parameters you can configure. STP is always disabled by default on Aruba switches. To configure STP for switches provisioned in the UI groups:
1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click Interface > Spanning Tree. The Spanning Tree page is displayed.
3. Enable MSTP if you want to avoid bridge loops between network nodes and to maintain a single active path between the network nodes. MSTP will be enabled for all VLANs assigned to switch ports. If you have a trunk group configured for the switches in the group, MSTP is enabled at the trunk level.
4. Set the priority of the UI group.
5. To configure MSTP parameters for ports, select the port row(s) in Port Settings, click Edit.
6. To configure MSTP parameters for trunks, select the trunk group row(s) in Trunk Group Settings, click Edit.
7. Configure the following MSTP parameters for ports or trunks of individual switches:

Table 139: Viewing or Configuring Port and Trunk Settings

Name | Description | Value
Priority | A number used to identify the root bridge in an STP instance. The switch with the lowest value has the highest priority and is the root bridge. A higher numerical value means a lower priority; thus, the highest priority is 0. When the switches in a network select their root bridge, two parameters are considered, the STP priority and the MAC address of the switch. All Aruba switches have a default STP priority of 8. So the switch with the lowest MAC automatically gets selected as a root bridge. This is not a recommended process as it randomizes the selection of the root bridge. | 0-8. Default: 8
BPDU Protection | A security feature used to protect the active STP topology by preventing spoofed BPDU packets from entering the STP domain. In a typical implementation, BPDU protection is applied to the edge ports and access ports connected to end-user devices that do not run STP. If STP BPDU packets are received on a protected port, the port is disabled and the network manager is alerted via SNMP traps. | Enable or Disable. Default: Disable
BPDU Filter | Enables control of STP participation for each port. The feature can be used to exclude specific ports from becoming part of STP operations. A port with the BPDU filter enabled ignores incoming BPDU packets and stays locked in the STP forwarding state. All other ports maintain their role. Recommended ports for BPDU filter: Ports or trunks connected to client devices. | Enable or Disable. Default: Disable
AdminEdge | When set, the port directly goes into forwarding state. This configuration is not recommended for ports which connect to infrastructure devices. A BPDU guard also assists when a port inadvertently goes into a forwarding state. | Enable or Disable. Default: Disable
Root Guard | Sets the port to ignore superior BPDUs to prevent the switch from becoming the Root Port. | Enable or Disable. Default: Disable
Trunk Group | Sets the trunk group to which the port is assigned. | Enable or Disable. Default: Disable
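The priority, BPDU protection, BPDU filter and AdminEdge guidance in Table 139 can be applied as a review of planned settings before they are saved. This Python sketch is an added example, not Aruba code: the inventory format, the connects_to field, the switch names and the MAC addresses are constructed, and only the rules stated in the table are checked.

```python
"""Review planned MSTP settings against the guidance in Table 139.

Added example with constructed data. The inventory format (lists of dicts)
is an assumption of this sketch, not an Aruba Central export format.
"""
from __future__ import annotations


def mac_value(mac: str) -> int:
    """Turn 'b05ada-96a4a0' or 'b0:5a:da:96:a4:a0' into an integer."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def elect_root(switches: list[dict]) -> dict:
    """Lowest priority value wins; the lowest MAC address breaks ties."""
    for sw in switches:
        if not 0 <= sw["priority"] <= 8:      # range given in Table 139
            raise ValueError(f"{sw['name']}: priority outside 0-8")
    return min(switches, key=lambda sw: (sw["priority"], mac_value(sw["mac"])))


def audit(switches: list[dict], ports: list[dict]) -> list[tuple[str, str]]:
    """Return (location, finding) pairs for settings the table advises against."""
    findings = []
    root = elect_root(switches)
    # More than one switch holds the winning priority: the MAC address alone
    # decides the root bridge, which the table calls not recommended.
    if sum(sw["priority"] == root["priority"] for sw in switches) > 1:
        findings.append((root["name"], "root-decided-by-mac"))
    for p in ports:
        where = f"{p['switch']}/{p['port']}"
        infra = p["connects_to"] == "infrastructure"
        if p["admin_edge"] and infra:
            findings.append((where, "admin-edge-on-infrastructure-port"))
        if p["admin_edge"] and not p["bpdu_protection"]:
            findings.append((where, "edge-port-without-bpdu-protection"))
        if p["bpdu_filter"] and infra:
            findings.append((where, "bpdu-filter-on-infrastructure-port"))
    return findings


# Constructed inventory: every switch is left at the default priority of 8.
SWITCHES = [
    {"name": "access-1", "mac": "0a0000-0000c3", "priority": 8},
    {"name": "access-2", "mac": "0a0000-00001f", "priority": 8},
    {"name": "core-1", "mac": "0a0000-0000f0", "priority": 8},
]
PORTS = [
    {"switch": "access-1", "port": "1", "connects_to": "client",
     "admin_edge": True, "bpdu_protection": True, "bpdu_filter": False},
    {"switch": "access-1", "port": "2", "connects_to": "client",
     "admin_edge": True, "bpdu_protection": False, "bpdu_filter": False},
    {"switch": "access-1", "port": "Trk1", "connects_to": "infrastructure",
     "admin_edge": True, "bpdu_protection": False, "bpdu_filter": True},
    {"switch": "core-1", "port": "Trk1", "connects_to": "infrastructure",
     "admin_edge": False, "bpdu_protection": False, "bpdu_filter": False},
]

if __name__ == "__main__":
    print("root bridge:", elect_root(SWITCHES)["name"])
    for where, finding in audit(SWITCHES, PORTS):
        print(f"{where}: {finding}")
```

With every switch at the default, the access switch with the lowest MAC address becomes the root bridge; giving the intended root a lower priority value removes that finding.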

Configuring Loop Protection on Aruba Switch Ports

Enabling Loop Protection consumes CPU resources.

Loop protection provides protection against loops by transmitting loop protocol packets out of ports. For switches provisioned in UI groups, administrators can enable or disable loop protection on the switch ports or trunks by using the menu options available under the Network Operations app. Loop protection is always disabled by default on Aruba switches. To configure loop protection for switches provisioned in the UI groups:
1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click Interface > Loop Protection. The Loop Protection page is displayed.
3. Depending on whether you want to configure a port or trunk, complete one of the following steps:
   - In the Port Settings tab, select the port(s), and click Edit.
   - In the Trunk Group Settings tab, select the trunk(s), and click Edit.

Table 140: Viewing or Configuring Port Settings

Name | Description | Value
Port | The number assigned to the switch port. | 0 - 65535
Loop Protection | Enables or disables loop protection. | Enable or Disable. Default: Disable
Trunk Group | Name of the trunk group to which the port belongs. | Dependent on the switch type.

Table 141: Viewing or Configuring Trunk Group Settings

Name | Description | Value
Trunk Group | Name of the trunk group to which the port belongs. | Dependent on the switch type.
Loop Protection | Enables or disables loop protection. | Enable or Disable. Default: Disable

4. Select Enable in the Loop Protection drop-down.
5. Click OK.
6. Click Save Settings.

Configuring Port Rate Limit on Aruba Switches in UI Groups
Rate limiting allows allocating a specific bandwidth for the incoming and outgoing traffic from each port. When traffic exceeds the configured limit, it is dropped. This effectively sets a usage level on a given port and is a tool for enforcing maximum service level commitments granted to network users. This feature operates on a per-port level and is not configurable on port trunks. Rate-limiting is designed to be applied at the network edge to limit traffic from non-critical users or to enforce service agreements such as those offered by Internet Service Providers (ISPs) to provide only the bandwidth for which a customer has paid.
Port rate limit is always disabled by default on Aruba switches. To configure port rate limit for switches provisioned in the UI groups:
1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click Security > Port Rate Limit. The Port Rate Limit page is displayed.
3. Under Port Rate Limit, select the port or ports you want to modify and click Edit.
4. Set the value of Limit to Traffic by Category if you prefer to set individual limitations. Otherwise, set the value of Limit to All Traffic to set a collective limitation.


Percentage limits are based on link speed. For example, if a 100 Mbps port negotiates a link at 100 Mbps and the inbound rate-limit is configured at 50%, then the traffic flow through that port is limited to no more than 50 Mbps. Similarly, if the same port negotiates a 10 Mbps link, then it allows no more than 5 Mbps of inbound traffic. Configuring a rate limit of 0 (zero) on a port blocks all traffic on that port. However, if this is the desired behavior on the port, disable the port instead of configuring a rate limit of 0.

a. If you select All Traffic, rate limit is placed on all packets received from unknown sources. Move the slider to Enable and then enter the values for IN and OUT in percentage values.
b. If you select Traffic by Category, refer to the following table to set the correct parameters.

Table 142: Traffic by Category Parameters

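| Name | Description | Value |
|---|---|---|
| Broadcast | Sets a rate limit on broadcast traffic. | Expressed as percentage of the total bandwidth. |
| Multicast | Indicates the operational status of the port. | Expressed as percentage of the total bandwidth. |
| Unknown Unicast | Indicates the mode of operation. The port can be configured to function in Trunk or Access mode. | Expressed as percentage of the total bandwidth. |
| ICMP | Sets a rate limit on ICMP traffic. | Expressed as percentage of the total bandwidth. |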

Configuring RADIUS Server Settings on Aruba Switches
Aruba Central allows you to configure RADIUS (Remote Authentication Dial-In User Service) server settings on switches. To configure a RADIUS server, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click Security > RADIUS. The RADIUS page is displayed.
3. Click + to add a RADIUS server. The Add RADIUS Server window is displayed.


4. Configure the following parameters.

Table 143: RADIUS Parameters

| Name | Description | Value |
|---|---|---|
| Server IP | The IP address of the RADIUS server. | |
| Port | The destination port for authentication requests to the specified RADIUS server. | Default: 1812 |
| Shared Key | The encryption key for use during authentication sessions with the specified RADIUS server. | |
| Confirm Shared Key | Retype the shared key. | |
| Dynamic Authorization | Indicates whether the dynamic authorization is enabled. When enabled, the RADIUS server can dynamically terminate or change the authorization parameters used in an active client session on the switch. | Toggle switch to the on or off position |

5. Click Save.
Editing a RADIUS Server Settings
To edit a RADIUS server, point to the row for the server, and click the edit icon.
Deleting a RADIUS Server Settings
To delete a RADIUS server, point to the row for the server, and click the delete icon.
Configuring Tunnel Node Server on Aruba Switches
Aruba Central allows you to configure a tunneled node on switches. The tunneled node connects to one or more client devices at the edge of the network and then establishes a secure Generic Routing Encapsulation (GRE) tunnel to the controlling concentrator server. You can configure a port-based tunnel using a UI group. To configure a tunneled node on the switch, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click Security > Tunnel Node Server. The Tunnel Node Server page is displayed.
3. Configure the following parameters.

| Name | Description | Value |
|---|---|---|
| Mode | The mode of tunneling from the drop-down. No Tunnel: Switch does not tunnel traffic. Port Based Tunnel: Allows the switch to tunnel traffic to an Aruba controller on a per-port basis. | No Tunnel or Port Based Tunnel |
| Primary Gateway IP | The IP address of the primary gateway. | A valid IPv4 address |
| Backup Gateway IP | The IP address of the backup gateway. This field is optional. | A valid IPv4 address |

4. Click Save Settings.

Configuring Authentication for Aruba Switches
Aruba Central supports enabling 802.1X and MAC authentication for switches. You can enable and configure 802.1X authentication of clients at the switch and port level, and enable authentication of 802.1X access through a RADIUS server using either EAP or CHAP protocol. You can also enable and configure ports to authenticate clients based on MAC addresses.
802.1X Authentication
802.1X is a method for authenticating the identity of a user before providing network access. Aruba Central supports both an internal RADIUS server and an external RADIUS server for 802.1X authentication.
Configuring 802.1X Authentication
To configure 802.1X authentication for the switch, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click Security > Authentication. The Authentication page is displayed.
3. Expand the 802.1X Authentication accordion.
4. To enable 802.1X Authentication at group level in the group context, slide the toggle switch to the on position.
5. From the Authentication Method drop-down, select Local, EAP, or CHAP.

If you select EAP or CHAP, you must configure the RADIUS server.

The Port Settings table displays the number of ports and the parameters configured for the ports.
6. Select one or more ports for which you want to enable 802.1X authentication, and click the edit icon. The Edit Ports Selected window is displayed.
7. Select Enable from the 802.1X drop-down.
8. Configure the following parameters.

Table 144: Configuring 802.1X Authentication

| Name | Description | Value |
|---|---|---|
| Client Limit | The maximum number of clients to allow on the port. | Default: 0 |
| UnAuthorized VLAN ID | The VLAN to use for an unauthorized client. | Default: 0 |
| Authorized VLAN ID | The VLAN to use for an authorized client. | Default: 0 |
| Reauth Period | The time (in seconds) that the switch enforces on a client to reauthenticate. The client remains authenticated while the re-authentication occurs. When set to 0, re-authentication is disabled. | Default: 300 seconds |
| Cached Reauth Period | The time (in seconds) when cached re-authentication is allowed on the port. | Default: 0 |
| Log off Period | The time (in seconds) that the switch enforces for an implicit logoff. | Default: 300 seconds |
| Quiet Period | The time (in seconds) during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the maxrequests parameter fails. | Default: 60 seconds |
| Tx Period | The time (in seconds) the port waits to retransmit the next EAPOL PDU during an authentication session. | Default: 30 seconds |
| Server Timeout | The time (in seconds) that the switch waits for a server response to an authentication request. | Default: 300 seconds |
| Supplicant Timeout | The time (in seconds) that the switch waits for a supplicant response to an EAP request. If the supplicant does not respond within the configured time frame, the session times out. | Default: 300 seconds |

9. Click Save Settings.
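
A pre-deployment check for the rules stated in the Port Rate Limit, Tunnel Node Server, and 802.1X Authentication sections above, as an added example (not part of this guide and not an Aruba Central API). The plan dictionary layout, its key names, and the sample values are assumptions made for illustration.

```python
import ipaddress

# Hypothetical plan layout (an assumption, not an Aruba Central schema); constructed sample values.
PLAN = {
    "auth_method": "EAP",            # Local, EAP or CHAP
    "radius_servers": [],            # entries like {"ip": "192.0.2.10", "port": 1812}
    "tunnel": {"mode": "Port Based Tunnel",
               "primary_gateway": "10.0.0.300", "backup_gateway": ""},
    "ports": [
        {"port": 1, "link_mbps": 100, "trunk_group": None, "in_pct": 50},
        {"port": 2, "link_mbps": 10, "trunk_group": None, "in_pct": 0},
        {"port": 3, "link_mbps": 1000, "trunk_group": "trk1", "in_pct": 20},
    ],
}

def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def effective_mbps(link_mbps, pct):
    # Percentage limits apply to the negotiated link speed, not the port's maximum.
    return link_mbps * pct / 100

def lint(plan):
    findings = []
    if plan["auth_method"] in ("EAP", "CHAP") and not plan["radius_servers"]:
        findings.append("802.1X: EAP/CHAP selected but no RADIUS server is configured")
    tunnel = plan["tunnel"]
    if tunnel["mode"] == "Port Based Tunnel":
        if not is_ipv4(tunnel["primary_gateway"]):
            findings.append("tunnel: primary gateway is not a valid IPv4 address")
        if tunnel["backup_gateway"] and not is_ipv4(tunnel["backup_gateway"]):
            findings.append("tunnel: backup gateway is not a valid IPv4 address")
    for p in plan["ports"]:
        pct = p.get("in_pct")
        if pct is None:
            continue
        if p["trunk_group"]:
            findings.append(f"port {p['port']}: rate limit is not configurable on port trunks")
        elif not 0 <= pct <= 100:
            findings.append(f"port {p['port']}: inbound limit {pct}% is outside 0-100")
        elif pct == 0:
            findings.append(f"port {p['port']}: 0% blocks all traffic; disable the port instead")
    return findings
```

Calling `lint(PLAN)` returns one finding per violated rule, and `effective_mbps` reproduces the guide's 100 Mbps and 10 Mbps link examples at a 50% limit.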
MAC Authentication
MAC authen