Aruba Central User Guide
March 25, 2022 — This user guide describes the features supported by Aruba Central and provides ... based on application categories, application type, web categories and.
File Info : application/pdf, 2236 Pages, 57.60MB
User Guide for Aruba Central and SD-Branch

Copyright Information

© Copyright 2022 Hewlett Packard Enterprise Development LP.

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
6280 America Center Drive
San Jose, CA 95002
USA

Contents

About this Guide
Intended Audience
Related Documents
Conventions
Terminology Change
Contacting Support
What is Aruba Central?
Key Features
Supported Web Browsers
Operational Modes and Interfaces
Supported Devices
What's New in 2.5.4
New Features
Enhancements
Getting Started with Aruba Central
Key Terms and Concepts
Workflow Summary
Overview of Aruba Central Foundation and Advanced Licenses
Aruba Central Licenses Feature Details
Starting Your Free Trial
Creating an Aruba Central Account
Accessing Aruba Central Portal
Accessing Aruba Central Mobile Application
About the Network Operations App User Interface
Setting up Your Aruba Central Instance
Configuring Email Notifications for Software Upgrades
Configuring Idle Timeout
Opening Firewall Ports for Device Communication
Connecting Devices to Aruba Central
Device Configuration and Network Management
Using the Search Bar
Next-Generation Support Experience
Administering Aruba Central
Apps
Global Settings
Users and Roles
Managing License Keys
Managing Your Device Inventory
Managing License Assignments
Data Collectors
Streaming API
API Gateway
Webhooks
SAML SSO for Aruba Central
Viewing Audit Trails in the Account Home Page
Maintaining Aruba Central
Network Structure
Viewing Configuration Status
Viewing the Configuration Audit Page
Applying Configuration Changes
Viewing Configuration Overrides and Errors
Backing up and Restoring Configuration Templates
Managing Software Upgrades
Viewing Audit Trail in the Standard Enterprise Mode and MSP Mode
Removing Devices
Managed Service Provider
Terminology
Getting Started with MSP Solution
Enabling Managed Service Mode
Managing MSP Licenses
System Users and User Roles in MSP Mode
Groups in the MSP Mode
About Provisioning Tenant or Customer Accounts
Assigning Devices to Tenant Accounts
MSP Dashboard
MSP Certificates
Navigating to the Tenant Account
MSP Alerts
MSP Audit Trails
MSP Reports
Firmware Upgrades for MSP Mode
Customizing the Portal in MSP Mode
MSP Deployment Models
Frequently Asked Questions
IAPs
Supported Deployment Modes
Configuration and Management
Supported Instant APs
Provisioning Instant APs
Configuring APs Using Templates
Viewing APs Configuration Tabs
Navigating to Virtual Controller Configuration Dashboard
Deploying a Wireless Network Using IAPs
AOS-CX Overview
Supported AOS-CX Platforms
Getting Started with AOS-CX Deployments
Configuring AOS-CX Using Templates
Configuring AOS-CX Switches in UI Groups
Managing an AOS-CX VSF Stack
Troubleshooting AOS-CX Switch Onboarding Issues
AOS-S Switches Overview
Supported AOS-S Platforms
Getting Started with AOS-S Deployments
Provisioning Workflow
Group Assignment
Configuration and Management
Switch Monitoring
Troubleshooting and Diagnostics
Configuring AOS-S Switches
Using Configuration Templates for AOS-S Management
Configuring or Viewing AOS-S Properties in UI Groups
AOS-S Stack
Troubleshooting Aruba Switches
Aruba SD-Branch Solution
Why SD-WAN?
Key Features and Benefits
Understanding SD-WAN
What are the Solution Requirements?
Supported SD-Branch Components
Supported 4G Modems for Aruba SD-Branch
SD-Branch What's New
Getting Started
Creating an Aruba Central Account
Accessing Aruba Central Portal
Managing License Keys
Managing License Assignments
Onboarding Devices to Aruba Central
Assigning Subscriptions to Aruba Gateways
Assigning Gateways to a Group
Assigning Gateways to Sites
Assigning Labels to Gateways
Recovering an Aruba Gateway
Assigning a Group Role to an Aruba Gateway Group
Connecting Aruba Gateways to Aruba Central
Configuring Communication Ports
Certificates
Provisioning Aruba Gateways in Aruba Central
Different Modes of Configuring Gateways and Gateway Groups
Configuring Branch Gateway Groups Using the Guided Setup
Configuring Branch Gateways Using the Guided Setup
Configuring VPNC Group Using the Guided Setup
Configuring VPNCs Using the Guided Setup
Configuring AOS 10.x Branch Gateways Using the Guided Setup
Configuring AOS 10.x Branch Gateway Groups Using the Guided Setup
Configuring AOS 10.x VPNCs Using the Guided Setup
Configuring AOS 10.x VPNC Groups Using the Guided Setup
Configuring AOS 10.x Mobility Gateways Using the Guided Setup
Configuring AOS 10.x Mobility Gateway Groups Using the Guided Setup
Configuring an SD-Branch Network Using the Advanced Setup
Configuration Checklist
Configuring Address Pools for Aruba Gateways
Uploading Bulk Configuration Template
Configuring System Information on Aruba Gateways
Configuring VLANs on Aruba Gateways
Configuring SLB using NAT
Configuring Ports
Configuring Uplinks
Configuring IP-SLA Profiles
Managing 9004-LTE Branch Gateway
Configuring WAN Health Check
Configuring WAN Interface Bandwidth Priorities
SD-WAN Overlay Tunnel and Route Orchestration
Configuring the SD-Branch Overlay Network
Configuring the SD-WAN Hub Mesh Topology
Branch Mesh Topology in SD-Branch
Configuring Site-to-Site VPN
Configuring Site-to-Site VPN with GRE Tunnel
Configuring IKE Policies
Routing
Configuring Policies for PBR
Configuring Policies for Dynamic Path Steering
SaaS Application Traffic Management with SaaS Express
Configuring Aruba Gateways for Application Visibility and Control
Enforcing a Common Security Policy for Wired and Wireless Users
Configuring Firewall Policies and ACLs
Configuring User Roles for Clients
Configuring Authentication Profiles
Applying Policies to Gateway Interfaces
SD-Branch Redundancy
Configuring Aruba Gateways for Certificate-Based Authentication
Configuring Aruba Gateways for SNMP-Based Reporting
Configuring Captive Portal IP Redirect Address
Viewing Gateway Configuration Status
Managing Configuration Overrides
Configuring Aruba Gateways for Syslog Message Collection
SD-Branch Advanced Setup for AOS 10.x Personas
Configuration Checklist for AOS 10.x Branch Gateway or Branch Gateway Group Persona
Configuration Checklist for AOS 10.x VPNC or VPNC Group Persona
Configuration Checklist for AOS 10.x Mobility Gateway or Mobility Gateway Group Persona
Configuring an SD-Branch Network Using the Basic Setup
Configuring an SD-Branch Network Using the Basic Setup for a Branch Gateway
Configuring an SD-Branch Network Using the Basic Setup for a Branch Gateway Group
Configuring an SD-Branch Network Using the Basic Setup for a VPNC
Configuring an SD-Branch Network Using the Basic Setup for a VPNC Group
Configuring System Information on Aruba Gateways
Configuring a LAN Interface
Configuring Overlay Routing Profiles
Configuring Route Maps
Configuring LAN Redundancy for High Availability
Configuring VPN Pools
Configuring Policies for a Branch Gateway Group
SD-Branch Basic Setup for AOS 10.x Personas
Configuration Checklist for AOS 10.x Branch Gateway Persona
Configuration Checklist for AOS 10.x Branch Gateway Group Persona
Configuring Preferred Leader and VRRP for Cluster Management
Configuration Checklist for AOS 10.x VPNC Persona
Configuration Checklist for AOS 10.x VPNC Group Persona
Configuration Checklist for AOS 10.x Mobility Gateway Persona
Configuration Checklist for AOS 10.x Mobility Gateway Group Persona
Overview of Aruba IDPS
Why Aruba IDPS?
Key Features and Benefits
How does Aruba IDPS Work?
Preparing to add the Aruba IDPS
Supported Gateways
Configuring Aruba IDPS
Monitoring Aruba IDPS
Threat Categories
Integration with AWS Public Cloud through Cloud Connect Service
Additional References
Generating API Token in AWS Console
Configuring Aruba Branch Gateway in Aruba Central
Onboarding AWS Account in Aruba Central
Orchestrating Tunnel to the AWS VPC through Cloud Connect Service
Verifying the Instantiation Status
Integration with Microsoft Azure Public Cloud through Cloud Connect Service
Additional References
Configuring Azure Application in Azure Admin Portal
Configuring Azure Application for API Access in Azure Admin Portal
Configuring Aruba Branch Gateway in Aruba Central
Onboarding Azure Account in Aruba Central
Orchestrating Tunnels to Azure Virtual WAN and Vhub through Cloud Connect Service
Verifying the Instantiation Status
Integration with Zscaler through Cloud Connect Service
Additional References
Configuring ZIA for API Access in Zscaler Admin Portal
Onboarding a Cloud Provider Account in Aruba Central
Orchestrating Tunnels to the Nearest ZIA Public Service Edge
Configuring the Locations for Cloud Hub
Important Points to Note
Manual Tunnel Establishment
Configuring Zscaler Nexthop List
Adding Nexthop List to PBR Policy
Verifying Tunnel Status
Integration with Zscaler Cloud Security Service
Integrating SD-Branch with ZIA
Setting up Tunnels to ZIA
Additional References
Integration with Prisma Access
Deployment Scenarios
Configuring Prisma Access
Integration with Check Point
Supported IKE and IPsec Cryptographic Profiles
Configuration Steps
Configuring Aruba Gateways for Integration with Check Point
Integration with Symantec WSS
Integration Overview
Role-Based and Application-Based Routing
Supported IKE and IPSec Cryptographic Profiles
Configuring Symantec WSS
Microbranch
Redundancy Architectures
Supported Topologies
Configuring a Microbranch with Instant APs
Configuring Support for Aruba VIA Service
Configuring VIA
Configuring VPN IP Pool
Defining IKEv1 Shared Secret
Configuring VIA User Role
Creating VIA Server Group for Authenticating VIA Users
Configuring VIA Authentication Parameters
Loading and Applying VIA Certificates
Configuring and Attaching VIA Connection Profile
Uploading VIA Installer to VPNC
Provisioning Gateways Using Configuration Templates
Important Points to Note
Configuring Gateways Using a Template
Creating a Template Group
Assigning a Gateway to a Template Group
Creating a Configuration Template for Gateways
Customizing a Template Using Variable Definitions
Downloading a Sample Variables File
Modifying a Variables File
Uploading a Variables File
Sample Template and Variables Files
Sample Variables File
Verifying Configuration Status
Backing up and Restoring Templates
Monitoring SD-Branch
Monitoring Gateway
WAN Health--Global
WAN Health--Transport
WAN Health--Site
Monitoring Sites in the Topology Tab
Gateway Firewall Logging
Monitoring SaaS Express
Gateway Alerts
Gateway Reports
Maintenance
Troubleshooting Devices
Enabling Gateway Logs
Gateway Diagnostic Tests
Updating Software Images on Aruba Gateways
APIs
Updating Software Images on Aruba Gateways
Feature Availability Across Multiple Software Versions
Upgrading Software
Deploying Aruba Virtual Gateways
Features Supported by Virtual Gateway
Virtual Gateway Redundancy
Software Image for Virtual Gateways
Deploying Aruba Virtual Gateways in AWS
Deploying Aruba Virtual Gateways in Microsoft Azure
Deploying Aruba Virtual Gateways in VMware ESXi (Unmanaged Mode)
Deploying Aruba Virtual Gateways in Google Cloud Platform (Unmanaged Mode)
Deploying Aruba Virtual Gateways in MSP (Unmanaged Mode)
Provisioning Virtual Gateways to Groups
Troubleshooting Deployment Issues
High Availability Support for Aruba Virtual Gateways
Monitoring Virtual Gateways
Monitoring APs
Monitoring APs in Summary View
Monitoring APs in List View
Access Point > Overview > Summary
Access Point > Overview > AI Insights
Access Point > Overview > Floor Plan
Access Point > Overview > Performance
Access Point > Overview > RF
Access Point > Overview > Spectrum
Access Point > Security > VPN
Rebooting an IAP
Rebooting an IAP Cluster
Tech Support for an IAP
Opening a Remote Console
Enabling Live IAP Monitoring
AP Live Events
Access Point > Clients > Clients
Access Point > Alerts & Events > Alerts & Events
About RAPIDS
Monitoring Switches and Switch Stacks
Monitoring Switches in List View
Monitoring Switches in Summary View
Switch > Overview > Summary
Switch > Overview > Hardware
Switch > Overview > Routing
Switch > Overview > AI Insights
Switch > Clients > Clients
Switch > Clients > Neighbours
Switch > LAN > Ports
Switch > LAN > PoE
Switch > LAN > VLAN
Switch > VSX
Switch > Alerts & Events > Events
Monitoring Your Network
Network Overview
Network Health Dashboard
Global--Summary
Wi-Fi Connectivity
Monitoring Sites in the Topology Tab
About Floor plan
Viewing Audit Trail
The AI Insights Dashboard
Viewing the AI Insights Dashboard
Insights Context
Cards
Baselines
Access Points with High Number of Reboots
Access Points with Excessive Number of Channel Changes
Access Points with High CPU Utilization
Access Points Impacted by High 2.4 GHz Usage
Access Points Radios with Frequent Transmit Power Changes
Access Point Transmit Power can be Optimized
Access Points Impacted by High 5 GHz Usage
Access Points with High Memory Usage
Clients with High Roaming Latency
Clients with Low SNR Minutes
Clients with High MAC Authentication Failures
Clients with DHCP Server Connection Problems
Clients with High 802.1X Authentication Failures
Clients with High Wi-Fi Security Key-Exchange Failures
Clients who Roamed Excessively
Clients with Captive Portal Authentication Problems
Clients with High Number of Wi-Fi Association Failures
Coverage Holes Identified
Dual-band (2.4/5 GHz) Clients Primarily using 2.4 GHz
Delayed DNS Request or Response
DNS Queries Failed to Reach or Return from the Server
DNS Servers Rejected High Number of Queries
Gateways with High Memory Usage
Gateways with High CPU Utilization
Failure to Establish Gateway Tunnels
Gateways with Uncommon Health-Probe IPs
Gateways with Underperforming WAN Links
Gateways WAN Uplinks Having Higher Latency than Peers
Improve RF Resiliency by Switching APs between Switches in the Stack
Telemetry Information not Received from APs or Radios
Outdoor Clients Impacting Wi-Fi Performance
AOS-CX Switches with High CPU Utilization
AOS-CX Switches with High Memory Usage
AOS-CX Switch Ports with High Power-over-Ethernet Problems
AOS-CX Switches with High Port Errors
AOS-CX Switches with High Port Flaps
AOS-S Switches with High Port Errors
AOS-S Switches with High Port Flaps
AOS-S Switches with High CPU Utilization
AOS-S Switches with High Memory Usage
AOS-S Switch Ports with High Power-over-Ethernet Problems
All Clients
Clients
Client Overview
Client Status Changes
Clients > Wireless Client > Overview
Clients > Wired Client > Overview
Clients > Remote Client > Overview
Classifying Clients
Client Events
Clients Profile
Alerts & Events
Alerts & Events Dashboard
Configuring Alerts
Adding Default Recipients
Suppressing Alert Notifications in the Site Dashboard
Configuring Site-specific Email Notifications
Viewing Enabled Alerts
Supported IAP Events
Supported Client Events
Dynamic Logs
Client Live Events
Troubleshooting a Client
Packet Capture
Starting Packet Capture
Reports
Viewing the Reports Page
Report Categories
Report Configuration Options
Previewing a Report
Creating a Report
Editing a Report
Viewing the Generated Report
Viewing the Scheduled Report
Downloading a Report
Deleting a Report
Aruba Cloud Authentication and Policy Overview
Aruba Cloud Authentication and Policy Architecture
Roles Applicable for Configuring Cloud Authentication and Policy
Supported Devices and Operating Systems
Supported Deployment Types
Prerequisites for Configuring Cloud Authentication and Policy
Caveats for using Cloud Authentication and Policy
Configuring Cloud Authentication and Policy Server in a WLAN Network
Configuring Cloud Authentication and Policy Server in a Wired Network
Cloud Identity
Configuring Aruba Cloud Authentication and Policy
Updating Aruba Cloud Authentication and Policy
Provisioning Clients
Monitoring Access Requests and Sessions
Client Security
Application Visibility
Viewing Visibility Dashboard
Graph View in Visibility Dashboard
Applications
Websites
Blocked Traffic
Service Apps
Guest Access
Presence Analytics
Unified Communications
Using Troubleshooting Tools
Troubleshooting Network Issues
Enabling Gateway Logs
Troubleshooting Device Issues
Advanced Device Troubleshooting
Remote Console Session
Troubleshooting Workflows
Client Connectivity
Device Issues
AI Insights
Network Check
Allowlist Features
Project SDE
Clients with no Response from the DHCP Server
Insight Summary
Time Series Graph
Cards
AirGroup
Applying Packet Capture Filters
Enabling Air Slice on APs
IoT Operations
Managing Site Installations for MSPs
Replacing a Branch Gateway
Replacing an Access Point
Rogues
Streaming API--Auditlogs
WAN Health Alerts

Chapter 1
About this Guide

This user guide describes the features supported by Aruba Central and provides detailed instructions to set up and configure devices such as Instant APs, Aruba Switches, and Aruba SD-WAN Gateways.

Intended Audience

This guide is intended for system administrators who configure and monitor their networks using Aruba Central.

Related Documents

In addition to this document, the Aruba Central product documentation includes the following documents:
- Aruba Central Help Center
- Aruba Central Getting Started Guide
- Aruba Central Managed Service Provider User Guide
- Aruba Central SD Branch Solution Guide

Conventions

The following conventions are used throughout this guide to emphasize important concepts:

Table 1: Typographical Conventions
Type Style | Description
Italics | This style is used to emphasize important terms and to mark the titles of books.
System items | This fixed-width font depicts the following: sample screen output; system prompts

The following informational icons are used throughout this guide:
- Indicates helpful suggestions, pertinent information, and important things to remember.
- Indicates a risk of damage to your hardware or loss of data.
- Indicates a risk of personal injury or death.

Terminology Change

As part of advancing HPE's commitment to racial justice, we are taking a much-needed step in overhauling HPE engineering terminology to reflect our belief system of diversity and inclusion. Some legacy products and publications may continue to include terminology that seemingly evokes bias against specific groups of people. Such content is not representative of our HPE culture and moving forward, Aruba will replace racially insensitive terms and instead use the following new language:

Usage | Old Language | New Language
Campus Access Points + Controllers | Master-Slave | Conductor-Member
Instant Access Points | Master-Slave | Conductor-Member
Switch Stack | Master-Slave | Conductor-Member
Wireless LAN Controller | Mobility Master | Mobility Conductor
Firewall Configuration | Blacklist, Whitelist | Denylist, Allowlist
Types of Hackers | Black Hat, White Hat | Unethical, Ethical

Contacting Support

Table 2: Contact Information
Main Site | arubanetworks.com
Support Site | asp.arubanetworks.com
Airheads Social Forums and Knowledge Base | community.arubanetworks.com
North American Telephone | 1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephone | arubanetworks.com/support-services/contact-support/
Software Licensing Site | lms.arubanetworks.com
End-of-life Information | arubanetworks.com/support-services/end-of-life/
Security Incident Response Team | Site: arubanetworks.com/support-services/security-bulletins/ Email: [email protected]

Chapter 2
What is Aruba Central?

Aruba Central offers unified network management, AI-based analytics, and IoT device security for wired, wireless, and SD-WAN networks. All of these capabilities are combined into one easy-to-use platform, which includes the following apps:
- Network Operations--Provides unified network management by consolidating wired, wireless, and SD-WAN deployment and management tasks, real-time diagnostics, and live monitoring, for simple and fast problem resolution.
- ClearPass Device Insight--Provides a single pane of glass for device visibility employing automated device discovery, machine learning (ML) based fingerprinting and identification. For more information, see Aruba ClearPass Device Insight Information Center.

This section includes the following topics:
- Key Features
- What is Aruba Central?
- Supported Web Browsers
- Operational Modes and Interfaces

Key Features

Aruba Central offers the following key features and benefits:
- Streamlined configuration and deployment of devices--Leverages the ZTP capability of Aruba devices to bring up your network in no time. Aruba Central supports group configuration of devices, which allows you to provision and manage multiple devices with similar configuration requirements with less administrative overhead.
- Integrated wired, WAN, and wireless infrastructure management--Offers a centralized management interface for managing wireless, WAN, and wired networks in distributed environments, and thus helps organizations save time and improve efficiency.
- Advanced analytics and assurance--With continuous monitoring, AI-based analytics provide real-time visibility and insight into what's happening in the Wi-Fi network. The insights utilize machine learning that leverages a growing pool of network data and deep domain experience.
- Secure cloud-based platform--Offers a secure cloud platform with HTTPS connection, certificate-based authentication, and Cloud Authentication and Policy.
- Interface for Managed Service Providers--Offers an additional interface for MSPs to provision and manage their respective tenant accounts. Using the MSP mode, service provider organizations can administer network infrastructure for multiple organizations in a single interface.
- SD-Branch management--Offers a simplified solution for managing and monitoring SD-Branch devices such as Branch Gateways, VPN Concentrators, Instant APs, and Aruba Switches. It also provides detailed dashboards showing WAN health and pictorial depictions of the branch setup. The Aruba SD-Branch solution extends the SD-WAN concepts to all elements in a branch setup to deliver a full-stack solution for managing WLAN, LAN and WAN connections. The SD-Branch solution provides a common cloud-management model that simplifies deployment, configuration, and management of all components of a branch setup. The solution leverages the ZTP and cloud management capabilities of Aruba devices to integrate management and infrastructure for WAN, WLAN, and LAN and provide a holistic solution from access network to edge with end-to-end security. It also addresses all communications in distributed deployments, from micro branches to medium or large branches. For more information, see the Aruba SD-Branch Solution.
- Health and usage monitoring--Provides a comprehensive view of your network, device status and health, and application usage. You can monitor, identify, and address issues by using data-driven dashboards, alerts, reports, and troubleshooting workflows. Aruba Central also utilizes the DPI feature of the devices to monitor, analyze and block traffic based on application categories, application type, web categories and website reputation. Using this data, you can prioritize business critical applications, limit the use of inappropriate content, and enforce access policies on a per user, device or location basis.
- Guest Access--Allows you to manage access for your visitors with a secure guest Wi-Fi experience. You can create guest sponsor roles and social logins for your guest networks. You can also design your guest landing page with custom logos, color, and banner text.
- Presence Analytics--Offers a value added service for Instant AP based networks to get an insight into user presence and loyalty. The Presence Analytics dashboard allows you to view the presence of users at a specific site and the frequency of user visits at a given location or site. Using this data, you can make business decisions to improve customer engagement.

Supported Web Browsers

To view the Aruba Central UI, ensure that JavaScript is enabled on the web browser.

Table 3: Browser Compatibility Matrix
Browser | Versions | Operating System
Google Chrome | 39.0.2171.65 or later | Windows and macOS
Mozilla Firefox | 34.0.5 or later | Windows and macOS
Safari | 7 or later | macOS
Microsoft Edge | version 79 or later | Windows

Operational Modes and Interfaces

Aruba offers the following variants of the Aruba Central web interface:
- Standard Enterprise Mode
- Managed Service Provider Mode

Standard Enterprise Mode

The Standard Enterprise interface is intended for users who manage their respective accounts end-to-end. In the Standard Enterprise mode, the customers have complete access to their accounts. They can also provision devices and subscriptions to manage their respective accounts. The following figure illustrates a typical Standard Enterprise mode deployment.

Figure 1 Standard Enterprise Mode

Managed Service Provider Mode

Aruba Central offers the MSP mode for managed service providers who need to manage multiple customer networks. The MSP administrators can provision tenant accounts, allocate devices, assign licenses, and monitor tenant accounts and their networks. The administrators can also drill down to a specific tenant account and perform administration and configuration tasks. Tenants can access only their respective accounts, and only those features and application services to which they have subscribed. The following figure illustrates a typical MSP mode deployment.
Figure 2: Managed Service Provider Mode

Supported Devices

This section provides the following information:
- Supported Instant APs
- Supported AOS-S Platforms
- Supported AOS-CX Platforms
- Supported SD-Branch Components
- Supported 4G Modems for Aruba SD-Branch

Supported Instant APs

The following table lists the Instant AP platforms, the installation mode, the minimum supported Aruba Instant software versions, and the Instant APs supporting power draw:

Table 4: Supported Instant AP Platforms

| Instant AP Platform | Installation Mode | Minimum Supported Aruba Instant Software Version | Power Draw Support |
|---|---|---|---|
| AP-655 | Indoor | Aruba Instant 8.10.0.0 | Yes |
| AP-635 | Indoor | Aruba Instant 8.9.0.0 | Yes |
| AP-567EX | Outdoor | Aruba Instant 8.7.1.0 | No |
| AP-567 | Outdoor | Aruba Instant 8.7.1.0 | Yes |
| AP-565EX | Outdoor | Aruba Instant 8.7.1.0 | No |
| AP-565 | Outdoor | Aruba Instant 8.7.1.0 | Yes |
| AP-503H | Indoor | Aruba Instant 8.7.1.0 | Yes |
| AP-577EX | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-577 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-575EX | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-575 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-574 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-518 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-505H | Indoor | Aruba Instant 8.7.0.0 | Yes |
| AP-505 | Indoor | Aruba Instant 8.6.0.0 | Yes |
| AP-504 | Indoor | Aruba Instant 8.6.0.0 | Yes |
| AP-555 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP-535 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP-534 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP-515 | Indoor | Aruba Instant 8.4.0.0 | Yes |
| AP-514 | Indoor | Aruba Instant 8.4.0.0 | Yes |
| AP-387 | Outdoor | Aruba Instant 8.4.0.0 | Yes |
| AP-303P | Indoor | Aruba Instant 8.4.0.0 | No |
| AP-377EX | Outdoor | Aruba Instant 8.3.0.0 | No |
| AP-377 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-375EX | Outdoor | Aruba Instant 8.3.0.0 | No |
| AP-375 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-374 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-345 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-344 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-318 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-303 | Indoor | Aruba Instant 8.3.0.0 | No |
| AP-203H | Indoor | Aruba Instant 6.5.3.0 | No |
| AP-367 | Outdoor | Aruba Instant 6.5.2.0 | No |
| AP-365 | Outdoor | Aruba Instant 6.5.2.0 | No |
| AP-303HR | Indoor | Aruba Instant 6.5.2.0 | No |
| AP-303H | Indoor | Aruba Instant 6.5.2.0 | Yes |
| AP-203RP | Indoor | Aruba Instant 6.5.2.0 | No |
| AP-203R | Indoor | Aruba Instant 6.5.2.0 | No |
| IAP-305 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | Yes |
| IAP-304 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | Yes |
| IAP-207 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | No |
| IAP-335 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-334 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-315 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | No |
| IAP-314 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-325 | Indoor | Aruba Instant 6.4.4.3-4.2.2.0 | No |
| IAP-324 | Indoor | Aruba Instant 6.4.4.3-4.2.2.0 | No |
| IAP-277 | Outdoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-228 | Indoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-205H | Indoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-215 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-214 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-205 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-204 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-275 | Outdoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-274 | Outdoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-103 | Indoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-225 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-224 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-115 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-114 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| RAP-155P | Indoor | Aruba Instant 6.2.1.0-3.3.0.0 | No |
| RAP-155 | Indoor | Aruba Instant 6.2.1.0-3.3.0.0 | No |
| RAP-109 | Indoor | Aruba Instant 6.2.0.0-3.2.0.0 | No |
| RAP-108 | Indoor | Aruba Instant 6.2.0.0-3.2.0.0 | No |
| RAP-3WN | Indoor | Aruba Instant 6.1.3.1-3.0.0.0 | No |
| RAP-3WNP | Indoor | Aruba Instant 6.1.3.1-3.0.0.0 | No |

- AP-635 and AP-655 IAPs are Wi-Fi 6E capable APs that support the 6 GHz radio band, in addition to the 2.4 GHz and 5 GHz radio bands.
- RAP-155, RAP-155P, IAP-214, IAP-215, IAP-224, IAP-225, IAP-228, IAP-274, IAP-275, and IAP-277 IAPs are no longer supported from Aruba Instant 8.7.0.0 onwards.
- IAP-103, RAP-108, RAP-109, IAP-114, IAP-115, IAP-204, IAP-205, and IAP-205H IAPs are no longer supported from Aruba Instant 8.3.0.0 onwards.
- By default, AP-318, AP-374, AP-375, and AP-377 IAPs have Eth1 as the uplink port and Eth0 as the downlink port. Aruba recommends that you do not upgrade these IAPs to Aruba Instant 8.5.0.0 or 8.5.0.1 firmware versions, because the upgrade process changes the uplink port from Eth1 to Eth0, which makes the devices unreachable.
- For more information about Aruba's End-of-life policy and the timelines for hardware and software products at the end of their lives, see: https://www.arubanetworks.com/support-services/end-of-life/
- Data sheets and technical specifications for the supported AP platforms are available at: https://www.arubanetworks.com/products/networking/access-points/

Supported AOS-S Platforms

- Aruba Central uses the SSL certificate by GeoTrust Certificate Authority for device termination and web services. As the SSL certificate is about to expire, Aruba is replacing it with a new certificate from another trusted Certificate Authority.
During the certificate upgrade window, all devices managed by Aruba Central will be disconnected. After the upgrade, the devices reconnect to Aruba Central and resume their services with Aruba Central. However, for AOS-S switches to reconnect to Aruba Central after the certificate upgrade, you must ensure that the switches are upgraded to the recommended software version listed in Table 5.
- Aruba Central does not support switch software versions below the 16.08 release for firmware upgrade. In addition, only the latest three switch software versions of all major release versions will be available for firmware upgrade from Aruba Central. For example, if the latest switch software version released is 16.10.0016, the following versions will be available for firmware upgrade: 16.10.0014, 16.10.0015, and 16.10.0016.
- Changing the firmware of AOS-S switches from the latest version to an earlier major version is not recommended if the switches are managed in UI groups. For features that are not supported or not managed in Aruba Central on earlier AOS-S versions, changing firmware to earlier major versions might result in loss of configuration.

The following tables list the switch platforms, corresponding software versions supported in Aruba Central, and switch stacking details.
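An added example (not part of the Aruba guide or any Aruba tooling) that applies the AOS-S rules above to a switch inventory: it flags switches below the Table 5 recommended build for their release train, switches below 16.08, and planned moves to an earlier major version in UI groups, and it lists the three newest builds per train. The function names, status strings, and inventory rows are assumptions constructed for illustration; the recommended builds are copied from Table 5 for the YC, WB, WC, and KB images.

```python
"""Audit AOS-S firmware strings against the rules stated in this guide."""
import re
from collections import defaultdict
from typing import NamedTuple

# Recommended builds copied from Table 5, keyed by image prefix, then release train.
# YC = 2540, WB = 2920, WC = 2930F/2930M, KB = 3810/5400R.
RECOMMENDED = {
    "YC": {(16, 8): 19, (16, 9): 15, (16, 10): 12},
    "WB": {(16, 8): 19, (16, 9): 15, (16, 10): 11},
    "WC": {(16, 8): 19, (16, 9): 15, (16, 10): 12},
    "KB": {(16, 8): 19, (16, 9): 15, (16, 10): 12},
}
MIN_TRAIN = (16, 8)      # versions below 16.08 are not supported for firmware upgrade
OFFERED_PER_TRAIN = 3    # only the latest three versions per major release are offered

_VERSION_RE = re.compile(r"^([A-Z]{2})\.(\d{2})\.(\d{2})\.(\d{4})$")


class Version(NamedTuple):
    prefix: str    # image family, e.g. "WC"
    train: tuple   # release train, e.g. (16, 10); treated here as the "major version"
    build: int     # e.g. 12 for "0012"


def parse(text: str) -> Version:
    """Split a string such as 'WC.16.10.0012' into prefix, train, and build."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an AOS-S version string: {text!r}")
    prefix, major, minor, build = m.groups()
    return Version(prefix, (int(major), int(minor)), int(build))


def reconnect_status(text: str) -> str:
    """Classify a running version against the Table 5 recommended builds."""
    v = parse(text)
    if v.train < MIN_TRAIN:
        return "below-16.08"
    trains = RECOMMENDED.get(v.prefix)
    if trains is None or v.train not in trains:
        return "not-in-table-5"   # platform or train the table does not list
    return "ok" if v.build >= trains[v.train] else "upgrade-required"


def upgrade_offers(released):
    """Return the newest three builds per (prefix, train), skipping trains below 16.08."""
    grouped = defaultdict(list)
    for text in released:
        v = parse(text)
        if v.train >= MIN_TRAIN:
            grouped[(v.prefix, v.train)].append((v.build, text))
    return {key: [t for _, t in sorted(items)[-OFFERED_PER_TRAIN:]]
            for key, items in grouped.items()}


def is_major_downgrade(current: str, target: str) -> bool:
    """True when the target is on an earlier release train than the running version."""
    return parse(target).train < parse(current).train


def audit(inventory):
    """Return (serial, finding) pairs for every rule a switch violates."""
    findings = []
    for serial, group_type, current, target in inventory:
        status = reconnect_status(current)
        if status != "ok":
            findings.append((serial, status))
        if target and group_type == "UI" and is_major_downgrade(current, target):
            findings.append((serial, "major-downgrade-in-ui-group"))
    return findings


# Constructed inventory: (serial placeholder, group type, running version, planned target).
SAMPLE_INVENTORY = [
    ("SERIAL-0001", "UI", "WC.16.10.0012", None),
    ("SERIAL-0002", "UI", "WC.16.10.0009", None),
    ("SERIAL-0003", "Template", "KB.16.07.0003", None),
    ("SERIAL-0004", "UI", "WB.16.10.0011", "WB.16.09.0015"),
]

if __name__ == "__main__":
    for serial, finding in audit(SAMPLE_INVENTORY):
        print(serial, finding)
```

Switches reported as `upgrade-required` are the ones that need attention before the certificate upgrade window, since they will not reconnect afterwards until they reach the recommended build.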

Table 5: Supported AOS-S Switch Series, Software Versions, and Switch Stacking

| Switch Platform | Supported Software Version | Recommended Software Version | Switch Stacking Support | Supported Stack Type (Frontplane (VSF) / Backplane (BPS)) | Supported Configuration Group Type for Stacking (UI / Template) |
|---|---|---|---|---|---|
| Aruba 2530 Switch Series | YA/YB.16.08.0021 or later; YA/YB.16.09.0016 or later; YA/YB.16.10.0012 or later | YA/YB.16.08.0021 or later; YA/YB.16.09.0016 or later; YA/YB.16.10.0012 or later | N/A | N/A | N/A |
| Aruba 2540 Switch Series | YC.16.08.0019 or later; YC.16.09.0015 or later; YC.16.10.0012 or later | YC.16.08.0019 or later; YC.16.09.0015 or later; YC.16.10.0012 or later | N/A | N/A | N/A |
| Aruba 2920 Switch Series | WB.16.08.0019 or later; WB.16.09.0015 or later; WB.16.10.0011 or later | WB.16.08.0019 or later; WB.16.09.0015 or later; WB.16.10.0011 or later | Yes. Switch Software Dependency: WB.16.08.0019 or later; WB.16.09.0015 or later; WB.16.10.0011 or later | BPS | UI and Template |
| Aruba 2930F Switch Series | WC.16.08.0019 or later; WC.16.09.0015 or later; WC.16.10.0012 or later | WC.16.08.0019 or later; WC.16.09.0015 or later; WC.16.10.0012 or later | Yes. Switch Software Dependency: WC.16.08.0019 or later; WC.16.09.0015 or later; WC.16.10.0012 or later | VSF | UI and Template |
| Aruba 2930M Switch Series | WC.16.08.0019 or later; WC.16.09.0015 or later; WC.16.10.0012 or later | WC.16.08.0019 or later; WC.16.09.0015 or later; WC.16.10.0012 or later | Yes. Switch Software Dependency: WC.16.08.0019 or later; WC.16.09.0015 or later; WC.16.10.0012 or later | BPS | UI and Template |
| Aruba 3810 Switch Series | KB.16.08.0019 or later; KB.16.09.0015 or later; KB.16.10.0012 or later | KB.16.08.0019 or later; KB.16.09.0015 or later; KB.16.10.0012 or later | Yes. Switch Software Dependency: KB.16.08.0019 or later; KB.16.09.0015 or later; KB.16.10.0012 or later | BPS | UI and Template |
| Aruba 5400R Switch Series | KB.16.08.0019 or later; KB.16.09.0015 or later; KB.16.10.0012 or later | KB.16.08.0019 or later; KB.16.09.0015 or later; KB.16.10.0012 or later | Yes. Switch Software Dependency: KB.16.08.0019 or later; KB.16.09.0015 or later; KB.16.10.0012 or later | VSF | Template only |

Provisioning and configuring of Aruba 5400R switch series and switch stacks is supported only through configuration templates. Aruba Central does not support moving Aruba 5400R switches from the template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, then the device is moved to an unprovisioned group after it joins Aruba Central.

Table 6: Supported Aruba Mobility Access Switch Series and Software Versions

| Mobility Access Switch Series | Supported Software Versions |
|---|---|
| S1500-12P, S1500-24P, S2500-24P, S3500-24T | ArubaOS 7.3.2.6, ArubaOS 7.4.0.3, ArubaOS 7.4.0.4, ArubaOS 7.4.0.5, ArubaOS 7.4.0.6 |

Data sheets and technical specifications for the supported switch platforms are available at: https://www.arubanetworks.com/products/switches/.

Supported AOS-CX Platforms

To manage your AOS-CX Switches using Aruba Central, ensure that the Switch software is upgraded to 10.05.0021 or a later version. AOS-CX Switches with version 10.05.0021 or earlier might not connect to Aruba Central after ten days of operation. You must upgrade the AOS-CX Switch to a recommended software version to connect to Aruba Central.

The following table lists the AOS-CX platforms and corresponding software versions supported in Aruba Central.

Aruba Central 2.5.4 does not support AOS-CX switch software version 10.09. Upgrading the AOS-CX switch to the 10.09 version could result in loss of connectivity to Aruba Central. The upcoming Aruba Central 2.5.5 release will support the AOS-CX 10.09 version.

Table 7: Supported AOS-CX Switch Series and Software Versions

| Switch Platform | Supported Software Versions | Recommended Software Versions | Supported Configuration Group Type (UI / Template) |
|---|---|---|---|
| AOS-CX 4100i Switch Series | 10.08.0001 or later | 10.08.0001 or later | UI and Template |
| AOS-CX 6000 Switch Series | 10.08.1010 or later | 10.08.1010 or later | Template only |
| AOS-CX 6100 Switch Series | 10.06.0110 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 6200 Switch Series | 10.05.0021 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 6300 Switch Series | 10.05.0021 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 6300 Switch Series [JL762A] Back 2 Front Power Supply SKU only | 10.06.0001 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 6400 Switch Series | 10.05.0021 or later | 10.06.0160 or 10.07.0040 | Template only |
| AOS-CX 8320 Switch Series | 10.05.0021 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 8325 Switch Series | 10.05.0021 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 8360 Switch Series | 10.06.0001 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 8400 Switch Series | 10.06.0001 or later | 10.06.0160 or 10.07.0040 | Template only |

Provisioning and configuring of AOS-CX 6000, 6400, and 8400 Switch series and Switch stacks is supported only through configuration templates.

Data sheets and technical specifications for the supported Switch platforms are available at: https://www.arubanetworks.com/products/Switches/.

Supported SD-Branch Components

The Aruba SD-WAN Gateway portfolio includes Aruba Gateways that function as Branch Gateways and VPNCs.
The following table lists the Aruba Gateway platforms and ArubaOS software versions that function as Branch Gateways:

Table 8: Supported Aruba Gateways

| Platform | Minimum Supported Software Version | Latest Software Version | Recommended Software Version |
|---|---|---|---|
| Aruba 9004-LTE | ArubaOS 8.5.0.0-2.1.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 9012 | ArubaOS 8.5.0.0-2.0.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 9004 | ArubaOS 8.5.0.0-1.0.7.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 7210, 7220, and 7240XM | ArubaOS 8.5.0.0-2.0.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 7030 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 7024 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 7010 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 7008 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 7005 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |

The following table lists the Aruba Gateway platforms and ArubaOS software versions that function as VPNCs:

Table 9: Supported Aruba VPNCs

| Platform | Minimum Supported Software Version | Latest Software Version | Recommended Software Version |
|---|---|---|---|
| Aruba 9004 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.7.0.0-2.3.0.0 |
| Aruba 9012 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.7.0.0-2.3.0.0 |
| Aruba 7280 | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 7240XM | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 7220 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 7210 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| vGW-4G | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| vGW-2G | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| vGW-500M | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 7030 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 7024 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |
| Aruba 7010 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.6.0.4-2.2.0.4 |

Aruba Virtual Gateways also function as VPNCs. The minimum supported software version for Virtual Gateways is ArubaOS 8.1.0.0-1.0.4.1.

Aruba 9012 Gateway supports traffic inspection while deployed as a VPNC.

Data sheets and technical specifications for the supported Gateways are available at: https://www.arubanetworks.com/products/networking/gateways-and-controllers/

Supported 4G Modems for Aruba SD-Branch

The following table lists the 4G modems that are supported on the Aruba Branch Gateways:

Table 10: Supported 4G Modems for Aruba SD-Branch

| USB 4G Modem Model | Carrier Support | ZTP Support |
|---|---|---|
| Inseego Skyus SC4V | Verizon | Yes |
| Inseego Skyus SC4A | AT&T | Yes |
| Digisol DG-BA4305 | ROW | Yes |
| ZTE MF861 | AT&T | Yes |
| Franklin Wireless U772 | Sprint | Yes |
| Huawei E3372h-320 | ROW | Yes |
| Huawei E3372s-153/E3372h-153 | ROW | Yes |
| Huawei E3372h-607 | ROW | Yes |
| Huawei E8372h-153 | ROW | Yes |
| Huawei E8372h-608 | ROW | Yes |
| Huawei E8372h-511 | T-Mobile | Yes |
| Huawei E8372h-517 | T-Mobile | Yes |
| Huawei E3276-500 | ROW | Yes |
| Huawei K5160 | ROW | Yes |
| ZTE MF79S | ROW | Yes |
| ZTE MF825C | ROW | Yes |
| ZTE MF831 | ROW | Yes |
| ZTE MF832S | ROW | Yes |
| ZTE MF832U | ROW | Yes |
| ZTE MF823 | ROW | Yes |
| Huawei E3276-150 | ROW | Yes |
| Novatel (Inseego) U620L | Verizon | Yes |

NOTE: ZTP is supported only on Aruba 9000 Series gateways.

ROW (Rest of the World) indicates that the modem can be used outside of the United States region. However, the list of supported carriers and supported countries for the modem may vary.
To select a modem for a specific country and carrier, refer to the modem documentation.

Chapter 3
What's New in 2.5.4

Use the following tabs to see the New Features and Enhancements available in this release.

New Features

The following sections provide an overview of the new features that are added to Aruba Central in this release.

Silver Peak Unity EdgeConnect Device Integration

Silver Peak Unity EdgeConnect device integration in Aruba Central provides a platform to monitor Unity EdgeConnect devices that are managed in Silver Peak Unity Orchestrator, and helps administrators in the decision-making process.
- Aruba Central supports the integration of Unity EdgeConnect devices at the Edge. This integration enables you to monitor the network health of Unity EdgeConnect devices, which are mapped with sites in Aruba Central. For more information, see Silver Peak Unity EdgeConnect Integration.
- Aruba Central provides manageability and visibility into the Unity EdgeConnect devices at the Edge. The EdgeConnect Status column in the Network Health dashboard indicates the health of EdgeConnect devices that are mapped with sites in Aruba Central. For more information, see Network Health Dashboard.

Aruba Cloud Authentication and Policy

Aruba Cloud Authentication and Policy for Aruba Central is a cloud-based solution that helps you to configure user and client policies for network access control (NAC). For more information, see Aruba Cloud Authentication and Policy Overview.

User and Client Access Policy Configuration

You can create, update, and delete user and client access policies using client roles and WLAN SSIDs. In the Network Operations app, the user and client access policy configuration is available under Security > Authentication and Policy. For more information, see Configuring Aruba Cloud Authentication and Policy.

Aruba Onboard App

App-based provisioning enables a device to connect to the enterprise wireless network through network profiles and Cloud Authentication and Policy authentication. With the Aruba Onboard app, you can download, install, and manage network profiles on your devices. The Aruba Onboard app is available on Windows, Android, and macOS platforms. For more information, see Onboarding Wireless Devices using Cloud Authentication and Policy.

Monitoring Dashboard

Aruba Cloud Authentication and Policy provides various dashboards with charts and tables to view and analyze the authentication requests and sessions from users and clients. For more information, see Monitoring Access Requests and Sessions.

Cloud Authentication details on the Client AAA Page

Under Client > Security, the AAA page is added to show the authorization details of a client. The AAA page displays authentication, accounting, and authorization details of a client authenticated by the Cloud Authentication and Policy. For more information, see Client Security.

AOS-CX 4100i and 6100 Platform Support

Aruba Central now supports configuring and monitoring AOS-CX 6100 Switch Series using UI options and MultiEdit mode. Aruba Central also supports configuring and monitoring AOS-CX 4100i Switch Series using UI options, MultiEdit mode, and templates. For more information, see Supported AOS-CX Platforms.

AOS-CX Stacking Configuration

In addition to onboarding pre-configured AOS-CX VSF stacks, Aruba Central now supports configuring and managing AOS-CX VSF stacks using UI options and templates.

VSF Stacking UI Configuration

You can now configure an AOS-CX VSF stack using a UI group. The following stack-related configurations can be performed using the web UI:
- Creating a stack
- Adding a stack member
- Removing a stack member
- Modifying VSF links
- Changing the secondary member

For more information, see Configuring AOS-CX VSF Stacks Using UI Groups.

VSF Stacking Template Configuration

You can now configure an AOS-CX VSF stack using a template group. The following stack-related configurations can be performed using templates:
- Creating a stack
- Adding a stack member
- Removing a stack member
- Modifying VSF links
- Changing the secondary member

For more information, see Configuring AOS-CX VSF Stacks Using Template Groups.

AOS-CX UI Configuration

The following new features are available for the AOS-CX UI group and device configuration.

Client Roles

Client Roles allows administrators to assign network access to clients. A network administrator can create configuration profiles (roles) and associate them to clients. Client Roles allows you to create and manage roles and attributes for the network. For more information, see Configuring Client Roles for AOS-CX.

Device Fingerprinting

Device Fingerprinting allows you to classify the end devices connected to an AOS-CX switch. You can find clients' details such as the type of device, host name, vendor identification, and capability of the device, using Device Fingerprinting. Device Fingerprinting is supported on AOS-CX firmware version 10.8 and later. To upgrade the firmware version on the switch, load it locally and then re-join the switch to Aruba Central.

Device Fingerprinting configuration is supported only in the MultiEdit mode. In this release, Aruba Central uses Device Fingerprinting to get only the clients' hostname.

To enable Device Fingerprinting and DHCP Option 12 on the switch, run the following commands.

    (config)# client device-fingerprint profile dfp1
    (config)# dhcp option-num 12

To apply the Device Fingerprinting profile to the interfaces 1/1/1-1/1/3, run the following commands.

    (config)# int 1/1/1-1/1/3
    (config-if-1/1/1-1/1/3)# client device-fingerprint apply-profile dfp1

Enabling Device Fingerprinting on the AOS-CX switch displays the hostname of the client in the Client Name and Hostname columns on the Clients page.

HTTP Proxy

HTTP proxy enhances security for device management. An IP address can be made a proxy for all HTTP connections. If your network requires a proxy server for Internet access, ensure that you configure the HTTP proxy on the AOS-CX switch to download the image from the cloud server. For more information, see Configuring HTTP Proxy on AOS-CX.

Managed Mode

When an AOS-CX switch running 10.07 or a later version connects to Aruba Central 2.5.4 or a later version, Aruba Central takes control of modifying the configuration of the AOS-CX switch. A switch cannot be configured using the CLI when the switch is in the Aruba Central Managed mode. Aruba Central becomes the single source of configuration for the switch. For more information, see Getting Started with AOS-CX Deployments.

Multiple Browser Tab Support and Configuration Drift Warning

Aruba Central allows users to open multiple browser tab sessions of the same Aruba Central instance with a different switch group or device pages simultaneously. For example, you can open the group configuration of a switch in one browser tab and the device-level configuration of a switch in another browser tab. Aruba Central stores the data from the different browser tabs separately.

However, if you edit the configuration of one AOS-CX switch in the MultiEdit mode in two different browser tab sessions, and try to save the configuration one after the other, the following events occur:
- The configuration that you save first in the editor in any of the two browser tabs is saved on the switch.
- When you try to save the configuration in the editor in the other browser tab, Aruba Central displays a warning that the configuration has been changed outside the current editor.
- If you ignore the warning and continue to save the configuration, Aruba Central overwrites the changes saved earlier with the current changes.

For more information, see Configuring AOS-CX Switches in UI Groups and Using MultiEdit View for AOS-CX.

Source Interface

Aruba Central allows you to configure a single source interface for a service so that all traffic routed through the AOS-CX switch is sent with the same IP address. You can add the source interface only for Aruba Central and User-based Tunneling services in this release for the AOS-CX switch. For more information, see Configuring Source Interface for AOS-CX.

User-Based Tunneling

User-based tunneling uses GRE to tunnel ingress traffic on a switch interface to a gateway for further processing. User-based tunneling enables a gateway to provide a centralized security policy, using per-user authentication, and access control to ensure consistent access and permissions. For more information, see Configuring User-Based Tunneling for AOS-CX.

SNMP Enable

Aruba Central allows you to enable or disable the SNMP service at the global level on AOS-CX switches. You can also select the VRF on which you want to configure SNMP on the switch. For more information, see Configuring SNMP on AOS-CX.

Concurrent Authentication

A new Concurrent option is added in the Authentication drop-down to configure 802.1x and MAC authentication on the ports. This option allows the switch to initiate both authentication methods at the same time to onboard client devices faster. The default priority for concurrent authentication is 802.1x. For more information, see Configuring Authentication on AOS-CX.

Port Filter

On the Interfaces > Ports & Link Aggregations page, in the device view, all access ports are shown by default. The port filter provides options to select All Uplink Ports or All Access Ports. You can also search for a port using the port name. For more information, see Configuring Ports and LAGs on AOS-CX.

AOS-S UI Configuration

The following new features are available for the AOS-S UI group and device configuration.

IP Client Tracker

The IP Client tracker allows you to identify both trusted and untrusted clients that access the system. This feature is supported only on the AOS-S 2930F, 2930M, and 3810 switches. This feature is available on AOS-S versions 16.10.0008 and later. For more information, see Configuring IP Client Tracker on AOS-S Switches.

Device Identifier for Device Profile

The Device Identifier configuration allows you to configure multiple identifiers for a single device profile. You can create different profiles with predefined rules applicable to a group of devices, directly connected to the switch. This feature is available on AOS-S version 16.10.0011 and later. For CDP, this feature is not supported by the AOS-S 2530 and 2920 switches. For more information, see Configuring Device Profile and Device Identifier.

Loop Protection Disable Timer

The Disable Timer parameter in the Loop Protection tab allows you to access the switch console with nonadministrative credentials. This feature allows you to configure a timer to auto-recover ports if the switch detects a loop. For more information, see Configuring Loop Protection on AOS-S Ports.

AOS-S Monitoring-Only Mode

Aruba Central allows you to add AOS-S switches to UI groups in the monitoring-only mode, for monitoring, reporting, and troubleshooting. For switches that are added in this mode, configuration changes are not allowed to be performed using UI groups in Aruba Central. To configure these switches using Aruba Central, you must add them to a template group. For more information, see Monitoring-Only Mode for AOS-S Switches.

IAP Configuration

6 GHz Radio Support

Aruba Central supports the Wi-Fi 6E standard that introduces the 6 GHz radio band for IAPs. In this release, only the AP-635 IAPs support 2.4 GHz, 5 GHz, and 6 GHz radio bands simultaneously. This allows client devices to switch seamlessly between the three radio bands.
- For more information about configuring a 6 GHz band wireless network profile, see the Creating a Wireless Network Profile section in the Configuring Wireless Network Profiles on IAPs page.
- For more information about configuring RF parameters for the 6 GHz radio band on an IAP, see Configuring Radio Parameters.
- For more information about configuring Band Steering Mode parameters for the 6 GHz radio band, see Configuring ARM Features.
- For more information about enabling the 6 GHz radio band, see Configuring Device Parameters.
- For more information about configuring an IAP with Wi-Fi Uplink for the 6 GHz band, see the Configuring a Wi-Fi Uplink Profile section in the Configuring Uplink Interfaces page.

Network Structure

Under Organization, a new Network Structure page is added, and the existing tabs such as Groups, Sites, and Labels are added as tiles on this page. You can click a tile to navigate to the respective page. For more information, see Network Structure.

Group Persona

You can define a persona for ArubaOS devices while creating a group. The persona of a device represents the role that the device plays in a network deployment. The group persona and device architecture are set at the group level. All devices within a group inherit the same persona from the group settings. You can save the preferred settings to apply the same persona and architecture for subsequent group creations.
- Creating a group with a persona and architecture: You can set the architecture and persona for devices when creating a group. For more information, see Creating a Group Persona with ArubaOS 8 Architecture.
- Editing a group: You can edit a group to add a new device type. You can mark the settings of an edited group as preferred settings for subsequent group creations. For more information about allowed device combinations, see Editing an ArubaOS 8 architecture group.
- Cloning a group: You can clone an existing group to create a new group with the same architecture and persona. For more information, see Cloning a Group.
- Importing a device configuration to create a new group: You can import a device configuration and create a new group with the same configuration. You can create a new group for IAPs with ArubaOS 8 architecture by importing configuration from an IAP. For more information, see Creating a New Group by Importing Configuration from a Device.
- Moving devices between groups: You can move devices between groups. The moved devices will adopt the destination group configuration. The destination group accepts only the devices for which the group is created. For example, if a group is created for Access Points only, then only Access Points can be assigned to that group. You cannot assign other Aruba devices like switches and gateways to the group. For more information, see Moving Devices between Groups.

For more information, see Managing Groups.

Group Persona for MSP

As an MSP, you can define a persona for devices in a UI group while creating the group. The persona of a device represents the role that the device plays in a network deployment. Persona and architecture are set at the MSP group level. You can percolate the group settings to a tenant group. All devices within a group inherit the same persona from the group settings. You can save the preferred settings to apply the same persona and architecture for subsequent group creations.
- Creating an MSP UI group with a persona and architecture: The MSPs can create an MSP UI group and assign a persona and Aruba Instant OS architecture to the group. The UI group settings can be percolated to the tenant groups. For more information, see Creating an MSP Group Persona with ArubaOS 8 Architecture.
- Editing an MSP UI group: You can edit an MSP UI group to add a new device type to the group. You can mark the settings of an edited group as preferred settings for subsequent group creations. For more information about allowed device combinations, see Editing an MSP UI group with ArubaOS 8 architecture.
- Cloning a group: You can clone an existing MSP UI group to create a new group with the same architecture and persona. For more information, see Cloning an MSP UI Group.

For more information, see Groups in the MSP Mode.

AI Insights

The following new insights are added in this release:

Wireless Quality
- The Improve RF resiliency by swapping APs between switches in the stack insight recommends changes to the AP-Switch topology, to improve the redundancy in Wi-Fi coverage when switches are down. For more information, see Improve RF Resiliency by Switching APs between Switches in the Stack.

Availability - Gateway
- The Gateway are using uncommon health-probe IPs insight provides information about uncommon health-probe IP addresses in the network. For more information, see Gateways with Uncommon Health-Probe IPs.
- The Gateway are using underperforming WAN links insight provides information about gateways that are using poorer performing WAN links when a better (non-LTE) link is available in the network. For more information, see Gateways with Underperforming WAN Links.
- The Gateway WAN uplinks have higher latency than comparable peers insight is triggered when a link latency is greater than 50 ms or above 75 percent of the peers in the same geographical location. For more information, see Gateways WAN Uplinks Having Higher Latency than Peers.

Outdoor Clients Report

The Outdoor Clients is a new report in the Reports module for the Insights category. This report provides a comparison of an outdoor client's impact on the Wi-Fi performance for two weeks based on the Outdoor clients are impacting Wi-Fi performance AI Insight.
The report shows data before and after applying the recommended SNR threshold values (Local Probe Request Threshold and Min RSSI for Auth Request) in the AI Insight. For more information, see Report Categories.

Alerts and Events

The following new alerts are added in this release:

Gateway Threat Count per User

A new Aruba Gateway IDS/IPS alert is added to the alerts configuration page. This alert is generated when the number of threats associated with a specific user ID exceeds the configured limit in the given duration. For more information, see Configuring Aruba IDPS Alerts and Gateway Alerts.

Device Category and System Tags

System tags allow you to filter clients based on conditions related to the client profile. Similar device categories are grouped and classified under a tag. For more information, see Managing Tags.

Dynamic Logs

The Dynamic Logs feature enables Aruba Central to dynamically run CLI commands on IAPs or APs and gateways to collect the output as logs, which can be used for troubleshooting device issues. Dynamic Logs sends a notification to the Aruba Support team when failure events are generated in the network. To collect dynamic logs on IAPs, the recommended firmware version is ArubaOS 8.5.0.0 and later. For gateways, the recommended firmware version is ArubaOS 8.6.0.4-2.2.0.0 and later. Dynamic Logs also supports dynamic packet capture (PCAP) for wireless clients connected to IAPs. You can filter Dynamic Logs events based on event types.

For more information, see Dynamic Logs.

Troubleshooting Tools

A new Console tab is added under Analyze > Tools.

Remote Console Session

The new Console tab allows users to open a remote console for a CLI session through SSH for a gateway, switch, and access point. Users with admin roles can access the device directly from the console to debug any device issues.
The Console tab enables users to either view previously recorded sessions or create new SSH sessions and troubleshoot devices. For more information, see the following topics:
- Remote Console Session
- Viewing Recorded Console Sessions
- Creating Console Session

Firewall Ports

The RCS domain names are updated per cluster to accommodate the reverse console process. For devices to communicate over a network firewall, you must ensure that the domain names and firewall ports are open. For more information, see Opening Firewall Ports for Device Communication.

Aruba Central APIs

This release introduces the following new APIs:

WLAN Configuration APIs

The following APIs are introduced in the Configuration > WLAN Configuration category:
- [GET]:
  - /configuration/full_hotspot/{group_name_or_guid}
  - /configuration/full_hotspot/{group_name_or_guid}/{mode_name}
  - /configuration/full_hotspot/{group_name_or_guid}/template
  - /configuration/full_hotspot/{group_name_or_guid}/{hotspot_name}/{mode_name}
- [DELETE]:
  - /configuration/full_hotspot/{group_name_or_guid}/{hotspot_name}/{mode_name}
- [POST]:
  - /configuration/full_hotspot/{group_name_or_guid}/{hotspot_name}/{mode_name}
- [PUT]:
  - /configuration/full_hotspot/{group_name_or_guid}/{hotspot_name}/{mode_name}

Clients APIs

The following APIs are introduced in the Monitoring > Clients category:
- [GET]:
  - /monitoring/v2/clients
  - /monitoring/v2/clients/{macaddr}

Clients Match APIs

The following APIs are introduced in the Client Match > Status category:
- [GET]:
  - /loadbal-enable/v1/{tenant_id}
- [POST]:
  - /loadbal-enable/v1/{tenant_id}

Troubleshooting APIs

The following APIs are introduced in the Troubleshooting category:
- [GET]:
  - /troubleshooting/v1/running-config-backup/serial/{serial}
  - /troubleshooting/v1/running-config-backup/serial/{serial}/prefix/{prefix}
  - /troubleshooting/v1/running-config-backup/name/{name}
- [POST]:
  - /troubleshooting/v1/running-config-backup/serial/{serial}/prefix/{prefix}
  - /troubleshooting/v1/running-config-backup/group_name/{group_name}/prefix/{prefix}

MSP APIs

The following API is introduced in the MSP > Groups category:
- [GET]:
  - /msp_api/v1/groups/{group_name}/customers

Groups APIs

The following APIs are introduced in the Configuration > Groups category:
- [POST]:
  - /configuration/v3/groups
  - /configuration/v2/groups/{group}/properties

Service IPMS APIs

The following APIs are introduced in the Service IPMS > Aruba ipms category:
- [GET]:
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/{range_id}/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/
- [DELETE]:
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/{range_id}/
- [POST]:
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/{range_id}/
- [PUT]:
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/{range_id}/

Authentication & Policy APIs

The following APIs are introduced in the Authentication & Policy > Client Registration category:
- [GET]:
  - /client_registration
- [DELETE]:
  - /client_registration/{mac_address}
- [POST]:
  - /client_registration
- [PATCH]:
  - /client_registration/{mac_address}

The following APIs are introduced in the Authentication & Policy > Client Policy category:
- [GET]:
  - /client_policy
- [DELETE]:
  - /client_policy
- [PUT]:
  - /client_policy

The following APIs are introduced in the Authentication & Policy > User policy category:
- [GET]:
  - /user_policy
- [DELETE]:
  - /user_policy
- [PUT]:
  - /user_policy

AI OPs APIs

The following APIs are introduced in the AI OPs > Wi-Fi Connectivity at Global category:
- [GET]:
  - /aiops/v1/connectivity/global/stage/{stage}/export
  - /aiops/v1/connectivity/site/{site_id}/stage/{stage}/export
  - /aiops/v1/connectivity/group/{group}/stage/{stage}/export

The following APIs are introduced in the AI OPs > AI Insights List category:
- [GET]:
  - /aiops/v2/insights/global/list
  - /aiops/v2/insights/site/{site_id}/list
  - /aiops/v2/insights/ap/{ap_serial}/list
  - /aiops/v2/insights/client/{sta_mac}/list
  - /aiops/v2/insights/gateway/{gw_serial}/list
  - /aiops/v2/insights/switch/{sw_serial}/list

The following APIs are introduced in the AI OPs > AI Insight Details category:
- [GET]:
  - /aiops/v2/insights/global/id/{insight_id}/export
  - /aiops/v2/insights/site/{site_id}/id/{insight_id}/export
  - /aiops/v2/insights/ap/{ap_serial}/id/{insight_id}/export
  - /aiops/v2/insights/client/{sta_mac}/id/{insight_id}/export
  - /aiops/v2/insights/gateway/{gw_serial}/id/{insight_id}/export
  - /aiops/v2/insights/switch/{sw_serial}/id/{insight_id}/export

Guest APIs

The following API is introduced in the Guest > Summary category:
- [GET]:
  - /guest/v1/summary

For more information, see New APIs.

Enhancements

The following sections provide an overview of the enhancements introduced in Aruba Central in this release.

UI Navigation Changes

The following Aruba Central UI enhancement is introduced in this release.

Retain the Same Order of the View Icons

The Summary, List, and Config view icons are displayed in the same order for all dashboards. The default view is displayed when you select any item on the left navigation menu and the tabs on the dashboard.
On any dashboard, when you select a view, the view is retained when you switch between the tabs on the same dashboard. If a particular view is not applicable for a tab, the default view for the tab is selected. For more information, see About the Network Operations App User Interface.

AOS-CX Template Configuration

The following enhancements are introduced in this release.

Plaintext Password Override after Migrating from Version 2.5.3 to 2.5.4

After upgrading Aruba Central to version 2.5.4, for security reasons, any plaintext passwords, previously configured directly or using variables in the AOS-CX switch template, are hidden and displayed as asterisk (*) symbols. The plaintext passwords, previously configured in the template, directly or using variables, will work as expected; however, these plaintext passwords, displayed as asterisk (*) symbols, will not work if you copy them to a new template. You must re-enter the plaintext passwords in the new template for the template to work correctly. For more information, see Configuring AOS-CX Using Templates.

VSF Stack Configuration

The vsf member 1 line must be present in the configuration template for stackable AOS-CX switches running 10.07 or later versions. This is required to apply the configuration to the switches. Also, the vsf member 1 line cannot be removed from the template. For more information, see Configuring AOS-CX VSF Stacks Using Template Groups.

AOS-S UI Configuration

The following UI and template configuration enhancements are introduced in this release.

Multiple DNS Server Support

Aruba Central now allows you to configure two static IPv4 addresses when configuring the DNS servers for AOS-S switches. For more information, see Configuring a Name Server.

IAP Configuration

The following IAP configuration enhancements are introduced in this release.
RRM Quiet IE in SSID

The RRM Quiet IE in the Security > Fast Roaming WLAN SSID configuration UI page allows you to enable or disable the Radio Resource Management IE profile elements advertised by an AP in the SSID profile. For more information, see Configuring Security Settings for Wireless Network.

Mesh Support for Multiple Radios

Aruba Central now allows you to configure mesh profiles for multiple radios in the System > Mesh UI page. Although most mesh deployments require only a single mesh cluster profile, you can configure and apply multiple mesh cluster profiles to an individual AP. For more information, see Configuring Mesh for Multiple Radios.

Fast Roaming with Mesh

The Mesh mobility RSSI threshold in the Access Points > Mesh configuration UI page allows you to trigger fast roaming on a mobility mesh point when the RSSI of the parent is lower than the threshold value. For more information, see Access Points Configuration Parameters.

EST support for Radsec and AP1x

Aruba Central now allows EST to support Radsec, AP1X CA, and AP1X Client Cert on the AP in the Security > Certificate Usage UI page. The Radsec use EST Server allows Radsec to use the certificates enrolled using the EST Profile. For more information, see Mapping IAP Certificates and Configuring an EST Profile.

DHCP Relay Support

The DHCP Relay and Helper Address in the System > DHCP UI page allows the AP to relay the DHCP requests for Centralized DHCP Scopes, Local DHCP Scopes, and DHCP For WLANs. For more information, see Configuring a Centralized DHCP Scope, Configuring Local DHCP Scopes, and Configuring DHCP Server for Assigning IP Addresses to IAP Clients.

Local Probe Request Threshold and Min RSSI for Auth Request

To improve the performance of the indoor Wi-Fi clients, this release supports configuring a WLAN SSID with Local Probe Request Threshold and Min RSSI for auth request advanced settings.
Based on your selection, the local probe request threshold value and the Min RSSI for authentication request change to the recommended value automatically from the AI insight. For more information, see Configuring Wireless Network Profiles on IAPs.

Authentication Server with fallback to Internal when timeout

In the Authentication drop-down list, select Authentication Server with fallback to Internal when timeout if you want to use the authentication server as the primary authentication method and Internal authentication as a backup authentication option. The AP will fall back to internal authentication only when the response from the authentication server times out. For more information, see Configuring Users Accounts for the AP Management Interface.

IAP Beacon Rate in SSID Profile

The Beacon Rate for 2.4 GHz band and 5 GHz band under Advanced Settings in the SSID configuration page is modified. You can only set the maximum transmission rate from the 2.4 GHz and 5 GHz drop-down list. For more information, see Configuring Wireless Network Profiles on IAPs.

Add Named VLAN

Aruba Central supports adding multiple VLAN IDs and VLAN range in the Add Named VLAN window in the SSID configuration page. For more information, see Configuring Wireless Network Profiles on IAPs.

UCC Configuration

In the UCC configuration page, the Facetime protocol row and Server column are removed from the table. Additional system default carriers are added to the DNS Pattern list of Wi-Fi Calling protocol. For more information, see Configuring UCC.

Confirmation Message for Deleting a Site

When you delete a site, the Aruba Central UI now displays a confirmation message to indicate that deleting a site will disassociate all devices that are associated with it. The disassociated devices are moved to the unassigned devices list. For more information, see the Deleting a Site section in the Managing Sites page.
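The Authentication Server with fallback to Internal when timeout option described earlier in the IAP configuration enhancements consults the internal database only when the server does not answer. The following Python model is an added example, not Aruba code; the class names, the sample accounts and the over-broad comparison policy are assumptions made to show why a rejection must never trigger the fallback.

```python
"""Model of server authentication with fallback to an internal store on timeout.

Added illustration, not Aruba code. Outcome names, accounts and the
over-broad comparison policy are assumptions made for this example.
"""
import hashlib
import hmac
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    TIMEOUT = "timeout"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class InternalDB:
    """Local account store on the device (constructed sample data)."""

    def __init__(self):
        self._users = {}

    def add(self, user: str, password: str) -> None:
        # Deterministic salt only so the sample is reproducible; use os.urandom in practice.
        salt = hashlib.sha256(user.encode()).digest()[:16]
        self._users[user] = (salt, _hash(password, salt))

    def check(self, user: str, password: str) -> bool:
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(_hash(password, salt), stored)


class AuthServer:
    """Stand-in for the external authentication server."""

    def __init__(self, users, disabled=(), reachable=True):
        self.users = dict(users)
        self.disabled = set(disabled)
        self.reachable = reachable

    def authenticate(self, user: str, password: str) -> Outcome:
        if not self.reachable:
            return Outcome.TIMEOUT          # no response within the timeout
        if user in self.disabled:
            return Outcome.REJECT           # account revoked on the server
        known = self.users.get(user, "")
        ok = hmac.compare_digest(known.encode(), password.encode())
        return Outcome.ACCEPT if ok and known else Outcome.REJECT


TIMEOUT_ONLY = frozenset({Outcome.TIMEOUT})                 # behaviour the guide describes
ANY_FAILURE = frozenset({Outcome.TIMEOUT, Outcome.REJECT})  # over-broad, for comparison


def login(server, internal, user, password, fallback_on=TIMEOUT_ONLY):
    """Return (allowed, decided_by)."""
    outcome = server.authenticate(user, password)
    if outcome is Outcome.ACCEPT:
        return True, "server"
    if outcome in fallback_on:
        return internal.check(user, password), "internal"
    return False, "server"                  # a reject is final


def run_scenarios():
    internal = InternalDB()
    internal.add("alice", "S3cret!")        # stale local copy of alice's account
    up = AuthServer({"alice": "S3cret!"}, disabled={"alice"})
    down = AuthServer({"alice": "S3cret!"}, reachable=False)
    return {
        # Server reachable and alice revoked there: she must stay locked out.
        "rejected_timeout_only": login(up, internal, "alice", "S3cret!"),
        # Over-broad fallback lets the stale internal account override the reject.
        "rejected_overbroad": login(up, internal, "alice", "S3cret!", ANY_FAILURE),
        # Server unreachable: the internal store decides.
        "outage_valid": login(down, internal, "alice", "S3cret!"),
        "outage_wrong_password": login(down, internal, "alice", "guess"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24} -> {result}")
```

The outage case shows the residual exposure: an internal account stays usable while the server is unreachable, so internal accounts need the same lifecycle as the server's.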
Monitoring

The following monitoring enhancements are introduced in this release.

AOS-CX VSF Stack

This release introduces the following enhancements to the Switch > LAN > Ports tab:

The switch stack faceplate now displays the following configuration and connection errors related to the AOS-CX VSF stack. You can monitor and troubleshoot these errors from the Ports tab:
- Auto-join eligibility error
- VSF link error
- Cabling error
- Incompatible switch firmware error

For more information, see Monitoring AOS-CX Switch Stacks.

Global Dashboard

The Connection Experience tile in the Summary view of Manage > Overview > WiFi Connectivity tab is changed to a time series graph. You can hover over the graph to see the connection success percentage for a specific time. In the site context, you can also compare the connection with company or class baseline. For more information, see Wi-Fi Connectivity.

Application Visibility

The following improvements are made to the Application > Visibility dashboards:
- In the Visibility > Applications tab, the Usage and Sent column are removed from the Applications table. You can use the filter option in the Applications and Category column to filter any application and category by its name. Use the sort icon to sort the list in an ascending or descending order.
- In the Summary view, the Visibility dashboard user interface is enhanced to include a pie chart along with the stacked bars. The new graphs display both the Applications and Websites usage data, along with the clients traffic flow. You can select or deselect the application/category check box to show or hide the traffic flow data from the pie chart and stacked bar. By hovering the mouse over the pie chart and stacked bar, you can view the size of the data.

For more information, see Application Visibility.
Health Bar on the Site Health Dashboard

The Health Bar in the Overview > Site Health tab displays a short description for the potential issues at the site and the devices connected. For more information, see Site Health Dashboard.

Timezone on the Site Health Dashboard

The Site Health dashboard now displays the timezone and local time of the site. For example, IST-11:25 AM. For more information, see Site Health Dashboard.

Health Bar for the AP Dashboard

Radio health in the Health Bar indicates the number of radios in good, poor, or disabled status. It also summarizes the Radio 2.4 GHz, Radio 5 GHz, and Radio 5 GHz (Secondary) health details. Hovering over the Radio Health displays the device health, the exact value of the channel utilization, and the noise floor. Tunnel status in the Health Bar indicates the number of tunnels that are up and down. AP status and device health value in the health bar changes based on the change in the tunnel status. For more information, see The Health Bar.

Client Data Path on IAP Overlay Tunnel

The client data path is enhanced to show the data path for IAP-VPN overlay tunnel for wired and wireless clients. In the Client Details page, the Tunneled column shows Yes and the Segmentation column shows Overlay for the tunneled network. To view the details of an overlay tunnel, the IAP and VPNC must be licensed in the same Aruba Central account. For more information, see All Clients, Clients > Wireless Client > Overview, Clients > Wired Client > Overview.

Wired Clients in Data Path

The AP Summary page displays the number of ports that include USB ports available in the AP and the number of wired clients connected to the AP in the data path. For more information, see Data Path.

WAN Summary

The WAN Summary page is available in the AP Summary page. The WAN Summary page includes the VPN Availability, Usage, and Throughput details with chart. For more information, see WAN Summary.
UCC Monitoring

The following improvements are made to the UCC monitoring dashboard:
- The Summary bar is removed from the UCC > List page and added as a Call Quality column in the Calls table. You can filter the data by Good, Fair, Poor, or Unknown calls. The and icons are added to the CDR column to indicate wireless and wired connections.
- In the UCC > Summary page, the default option to view the graph is changed to Protocol. The scatter plot graph is removed for the Health option. The per AP and per Client graphs are also removed from this page.

For more information, see Monitoring UCC in List View and Monitoring UCC in Summary View.

Clients Monitoring

The List view in the Clients section is enhanced with the following features:
- The filter criterion for the MAC Address column supports all delimiters when searching for a MAC address. You can search for a MAC address with any delimiter; Aruba Central automatically converts it to a semicolon and displays the corresponding results.
- The download icon is moved next to the ellipsis icon in the Clients table for quick and easy access. The download icon exports the data in the table to a CSV file.
- In the List view, you can hover over the row for a wireless client and select DISCONNECT FROM AP to disconnect the client from an AP.

For more details, see All Clients and Disconnecting a Wireless Client from an AP.

Download Client Live Events

The clients Live Events page allows you to download the list of live events to a CSV file for offline analysis. For more information, see Client Live Events.

Download AP Live Events

The AP Live Events page allows you to download the list of live events to a CSV file for offline analysis. For more information, see AP Live Events.

Client Category and System Tags

Client tags allow you to filter clients based on conditions related to the client profile. Clients belonging to similar categories are grouped and classified under different tags.
For more information, see Managing Tags.

Topology

In the Topology page, the Show Device Labels option is now renamed to Show Device Names. The Topology page includes the tunnel details for an IAP. The tunnel details on the Topology page now show ANY if the source IP or destination IP is 0.0.0.0. For more information, see Monitoring Sites in the Topology Tab.

Floor Plan

This release introduces the following enhancements to the Floor Plan feature:
- The floor plan user interface for a site has been enhanced and now includes a Summary view and List view. The summary view in the Floor Plan dashboard now features the All Floors tile that displays all the available floors in a tile view for a selected site. You can add a new floor using the add icon and can also search for an AP or floor names using the search icon. The list view displays all the floors in a Floor table.
- The view mode of a floor is also enhanced to provide a better user experience. For a selected floor, you can now view the floor details in the Floor Details window by clicking the icon. To view any device details in the <Device> Details window, click any device in the floor plan. You can also view the settings applied to the floor plan by clicking the eye icon.
- The new Floor Plan dashboard for the site allows you to delete or edit a floor plan directly from the summary view and the list view.

For more information, see About Floor plan.

Gateway Firewall Logging

This release introduces the following enhancements to the Security > Firewall tab:
- Firewall dashboard is also available at the site context.
- The user interface for the blocked sessions chart in the Security > Firewall tab is enhanced to include a pie chart and a stacked bar. When the filter is set to a gateway, you can click the pie chart or the stacked histogram to navigate to the Blocked Sessions table.

For more information, see Gateway Firewall Logging.
AI Insights

The following enhancements are added to AI Insights in this release:

Outdoor clients are impacting Wi-Fi performance

The insight recommendation for this insight can be switched from manual to AI-driven by changing the AP configuration. The recommended SNR threshold values for the Local Probe Request Threshold and Min RSSI for Auth Request can be applied automatically (AI-driven) or updated manually to the impacted APs whenever this insight is triggered. You can update the AP to AI-driven mode directly from the AI Insight page by clicking the Update button or you can also change the configuration settings from the AP configuration page. In the AP configuration page, Advanced Settings, you must set the Local Probe Request Threshold and Min RSSI for Auth Request to either of the following:
- Automatic--The AP is switched to AI-driven mode. In this approach the values recommended by the insight are applied automatically whenever the insight is triggered.
- Manual--The AP is switched to manual mode. In this approach the values recommended by the insight should be applied manually by the user. If there is no SNR recommendation value from this insight, the AP uses the previously configured recommended default value.

For more information, see Outdoor Clients Impacting Wi-Fi Performance and Configuring Wireless Network Profiles on IAPs.

DNS Queries Failed to Reach or Return from the Server

In this insight a new Loss pattern card is added to show persistent DNS loss patterns observed in the network. This insight operates by identifying similar failure events observed during the DNS resolution stage between entities (site, server, AP) and groups them into a set of specific loss patterns. These patterns help network administrators to identify which combination of DNS server and AP setting result in DNS loss events in single or multiple sites in the network.
For more information, see the following help pages:
- The AI Insights Dashboard
- Insights Context
- DNS Queries Failed to Reach or Return from the Server

Firmware Upgrade and Compliance

This release introduces the following enhancements to the Firmware dashboard:
- Under the Later Date radio, the Select Zone drop-down menu includes the Device Local Time option that allows you to schedule compliance and upgrade based on the local site time.
- The Set Compliance, Upgrade, and Upgrade All option includes an Install on drop-down option that allows you to select a Primary or Secondary partition to install the firmware.
- The Firmware <Device> table includes a Group column that displays the group to which the devices are associated. This information is available only in the global context.
- At the device level when you hover over the Compliance Status column, the following information is displayed:
  - version number and compliance configured level for a set compliance
  - date, time (UTC), and firmware version number
  - compliance configured level for a scheduled compliance

For more information, see Managing Software Upgrades.

Reports

The following enhancements are added to reports.

Infra Inventory Report

In the Infra Inventory report, the Device Types and Models by Site (CSV) option is added to the Groups context. For more information, see Report Categories and Report Configuration Options.

RF Health Report

In the RF Health report, the Optional Widgets section is introduced to include the RF Details and IAP Uplink Usage details in the CSV format. The IAP Uplink Usage information is available only for Instant APs with Advanced license. For more information, see Report Categories and Report Configuration Options.

Uptime for an Offline IAP

In the Network report, the - (hyphen) symbol in the Uptime column of APs table indicates that the corresponding IAP is in offline status. For more information, see Report Categories.
Wired Client Support in Client and Network Reports

- The explicit details for the wired clients are available in the Client Inventory, Client Usage, Client Session, and Network reports.
  - In the Client Inventory report, the Client Count by Connection Type table displays the client count by wireless and wired connection type.
  - In the Client Usage report, you can filter the data in the Top Ten Clients by Usage widget by All, Connection Type (wireless, wired, or remote) or SSIDs. The inbound and outbound client data usage metrics are displayed in the Client Usage widget by Connection Type (wireless, wired, or remote) and client count data metrics are displayed in the Client Count widget by Connection Type (wireless, wired, or remote).
  - In the Network report, you can filter the data in the Top Ten Clients by Usage widget by All, Connection Type (wireless, wired, or remote) or SSIDs. The Wired Clients and Peak & Average Wired Data Usage widgets are also added. The client count is displayed on the time series graph in the Wired Clients widget. The inbound and outbound peak or average data usage metrics are displayed in the Peak & Average Wired Data Usage widget.
  - In the Client Session report, the Session Data By Role and Clients By Role widgets display the details by role, connection type (wireless or wired) and SSIDs. You can filter the data in the Top Ten Clients by Usage widget by All, Connection Type (wireless or wired) or SSIDs.

For more information, see Report Categories.

Alerts and Events

The following alert and event enhancements are introduced in this release:

Suppress Alerts

In the Site context, while suppressing alert notifications, you can select Override or Append to either override or append the configured email addresses to receive notifications when an individual or site-level alert is generated. You can also override or append the configured default recipient email list to receive alert notifications.
For more information, see Suppressing Alert Notifications in the Site Dashboard and Adding Default Recipients.

Filter Events

The Events table columns enable filtering and search at all levels. Free text search is also supported to enhance the search capability. You can also copy and paste text on the column headers to improve the search mechanism. For more information, see Viewing Events in List view.

Client Event Filter

Aruba Central allows you to troubleshoot issues related to a wired or wireless client connected to IAPs. The Events tab in the client context provides a detailed drill-down capability to filter events further to identify a specific issue and perform troubleshooting in both List and Summary view. It provides an aggregate view of events in different categories to provide a deep insight into the client's health. For more information, see Client Events.

Troubleshooting Tools

The following enhancements are added for troubleshooting.

Status Indicator in Logs Collection

In the Analyze > Tools > Logs tab, the Status column now displays a status bar when you upload logs. The status bar displays the Scheduled, In Progress, Complete, or Failed statuses as a percentage value, as the logs are uploaded. This helps customers and internal users to understand the status of the log collection. For more information, see Enabling Gateway Logs.

Live Events Wired Client Packet Capture

Aruba Central now allows read-write and admin users to launch targeted packet capture on a wired client connected to a gateway or switch. Packet capture can be done at a site level or for a selected client. For more information, see Client Live Events.

Gateway Troubleshooting - Ping Sweep Test

For the Ping Sweep Test, additional parameters are introduced in the Show Additional Test Settings section to enhance the troubleshooting procedure. For more information, see Troubleshooting Gateway Connectivity Issues.
API Gateway

The following enhancements are introduced for API gateway:
- The API call volume is now rate-limited to seven (7) calls per second, per customer.
- MSP users can now use their access token to perform the operation on their tenant accounts using NBAPI. User privileges as per the tenant role are applied for these operations. For more information, see Accessing Tenant APIs using MSP Access Token.
- The API Gateway > Usage tab now includes a Current usage status bar that displays the current usage of API calls assigned for a day along with the reset time in local time zone.

For more information, see API Gateway.

Aruba Central APIs

Following are the API changes and enhancements:

Clients APIs

The following APIs are enhanced in the Monitoring > Clients category:
- [GET]:
  - /monitoring/v1/clients/wireless
  - /monitoring/v1/clients/wired

Topology APIs

The following APIs are enhanced in the Topology category:
- [GET]:
  - /{site_id}
  - /devices/{device_serial}

Switch APIs

The following API is enhanced in the Monitoring > Switches category:
- [GET]:
  - /monitoring/v1/switches

Groups APIs

The following APIs are enhanced in the Configuration > Groups category:
- [POST]:
  - /configuration/v2/groups
  - /configuration/v2/groups/clone
- [GET]:
  - /configuration/v1/groups/properties

The following APIs are removed:
- [PATCH]:
  - /configuration/v1/groups/{group}
  - /configuration/v1/groups/{group}/properties

MobilityController APIs

The following APIs are deprecated in the Monitoring > MobilityController category:
- [DELETE]:
  - /monitoring/v1/mobility_controllers/{serial}
- [GET]:
  - /monitoring/v1/mobility_controllers
  - /monitoring/v1/mobility_controllers/{serial}
  - /monitoring/v1/mobility_controllers/{serial}/uplinks
  - /monitoring/v1/mobility_controllers/uplinks/bandwidth_usage
  - /monitoring/v1/mobility_controllers/{serial}/uplinks/tunnel_stats
  - /monitoring/v1/mobility_controllers/uplinks/wan_compression_stats
  - /monitoring/v1/mobility_controllers/uplinks/distribution
  - /monitoring/v1/mobility_controllers/{serial}/ports/bandwidth_usage
  - /monitoring/v1/mobility_controllers/{serial}/ports
  - /monitoring/v1/mobility_controllers/{serial}/tunnels
  - /monitoring/v1/mobility_controllers/{serial}/dhcp_clients
  - /monitoring/v1/mobility_controllers/{serial}/dhcp_servers
  - /monitoring/v1/mobility_controllers/{serial}/vlan

For a list of Aruba recommended alternate APIs, see Deprecated APIs. For more information, see Modified API and Removed APIs.

Chapter 4
Getting Started with Aruba Central

Thank you for choosing Aruba Central as your network management solution! Before you get started with Aruba Central, we recommend that you review the Key capabilities of Aruba Central and the list of Aruba devices supported in Aruba Central.

Key Terms and Concepts

Take a few minutes to familiarize yourself with the key terms and concepts used in the help topics.
- Cluster Zone--Refers to an Aruba Central deployment area within a specific region. In other words, cluster zones are regional groupings of one or more container instances on which Aruba Central is deployed. Cluster zones allow your deployments to restrict customer data to a specific region and plan time zone specific maintenance windows. Each cluster zone has separate URLs for signing up for Aruba Central, accessing Aruba Central portal, and for allowing devices to communicate with Aruba Central. To view the zone in Aruba Central UI, click the User Settings menu at the bottom of the left navigation pane.
- Enterprise Mode--Refers to the Aruba Central solution deployment mode in which the customers provision, manage, and maintain their networks end-to-end for their respective organizations or businesses.
- Managed Services Mode--Refers to the Aruba Central deployment mode in which the service providers, resellers, administrators, and retailers centrally manage and monitor multiple tenant or end-customer accounts from a single management interface.
- Subscription--Refers to the license granted to a customer for using a product or service.
- Evaluation Account--Refers to the Aruba Central account created for evaluating Aruba Central solution and its services.
- Paid Subscriber--Refers to the customers who have purchased a subscription to obtain access to Aruba Central and its services.
- Subscription Key--Refers to the license key. A subscription key is a 14-character alphanumeric string; for example, PQREWD6ADWERAS.
- Customer ID Subscriber ID--Refers to the identity number of your Aruba Central account. To view your subscriber ID, click the User Settings menu at the bottom of the left navigation pane in the Aruba Central UI.
- Zero Touch Provisioning--Refers to one of the following:
  - Zero Touch Provisioning of Aruba Central accounts--When you purchase a subscription key and add this subscription key in Aruba Central, Aruba Central queries the Aruba Activate database to retrieve the devices mapped to your purchase order and add these devices to the inventory. This process is referred to as zero touch provisioning in Aruba Central.
  - Zero Touch Provisioning of Devices--Most Aruba devices support self-provisioning; that is, when you connect a device to a provisioning network, it can automatically download provisioning parameters from the Activate server and connect to their management entity.
- Onboarding--Refers to the process of importing devices to Aruba Central's device inventory, activating subscriptions, and making devices available for management from Aruba Central.
- Device Sync--Refers to the process of synchronizing devices from the Activate database. The device sync operation allows Aruba Central to retrieve devices from Activate and automatically add these devices to the device inventory in Aruba Central.
- Provisioning--Refers to the process of setting up a device for deploying networks as per the configuration requirements of your organization.
- Group--Refers to the device configuration container in Aruba Central. You can combine devices with common configuration requirements into a single group and apply the same configuration to all the devices in that group.
- Site--Refers to the physical locations where devices are installed. Organizing devices per sites allows you to filter your dashboard view per site.
- Label--Refers to the tags used for logically grouping devices based on various parameters such as ownership, specific areas within a site, departments, and so on.

Workflow Summary

The following illustration summarizes the steps required for getting started with Aruba Central:

Navigate through the following topics to know more about the onboarding and provisioning procedures:
- Creating an Aruba Central Account
- Accessing Aruba Central Portal
- Starting Your Free Trial
- Setting up Your Aruba Central Instance

Overview of Aruba Central Foundation and Advanced Licenses

As part of the shift to an Edge-to-Cloud Platform-as-a-Service organization, Aruba has introduced the Aruba Central Foundation and Advanced Licenses (Aruba Central Licenses). This is a uniform software subscription licensing model that will be extended to all products under the Aruba Central-managed portfolio. The new 1, 3, 5, 7, and 10-year fixed-term licenses offer you the flexibility to choose services and device operations that are most meaningful to the type of business that you own.
- The term on a license starts from the day the license is shipped.
- A license is pre-activated and has a fixed term from the date of generation. A license expires on the end date of the term.
This licensing model provides different licenses for APs, switches, and gateways. The licenses for APs, switches, and gateways cannot be used interchangeably. For example, you cannot use an AP Foundation License on a gateway. Similarly, if you have an Aruba 25xx Switch but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch. The features that are available in both the Foundation and Advanced Licenses have different monitoring and configuration options depending on the licensing tier. For more information, see Supported Features.

This licensing model provides the following types of licenses depending on the devices:
- Switches:
  - Foundation--This license provides all the features included in the legacy Device Management tokens.
- Aruba Central does not provide Switch Advanced Licenses.
- The Mobility Access Switch (MAS) license will be converted to a Switch Foundation 61xx/25xx license and will continue to work.
- Access Points (APs):
  - Foundation--This license provides all the features included in the legacy Device Management tokens and some additional features that were available as value-added services for APs and switches in the earlier licensing model.
  - Advanced--This license provides all the features included in the Foundation License, with additional features related to AI Insights and WLAN services.
- SD-Branch Gateways:
  - Foundation--This license provides all features required for SD-Branch functionality in branch or headend deployments.
  - Foundation Base--This license provides all the features included in a Foundation License, but can support only up to 75 client devices per branch site.
  - Foundation with Security--This license provides all features required for SD-WAN functionality in branch or headend deployments and some additional security features.
  - Foundation Base with Security--This license provides all the features included in a Foundation with Security License, but can support only up to 75 client devices per branch.
  - Advanced--This license provides all the features included in a Foundation License, with additional features related to SaaS Express and AI Insights.
  - Advanced with Security--This license provides all the features of an Advanced License, with additional security features related to IPS and IDS, security dashboard, and anti-malware.
  - Virtual Gateway (VGW) License--This license is available for AWS, Azure, and ESXi platforms and is licensed based on the bandwidth required. The license types available for VGW are VGW-500M, VGW-2G, and VGW-4G. For more information, see SD-WAN Ordering Guide.

The Foundation and Advanced Licenses for APs, switches, and SD-Branch gateways are different and cannot be used interchangeably. For a detailed list of the features supported in each type of license, see Supported Features. For more information about evaluation licenses, see Starting Your Free Trial.

Changes to the Legacy Licensing Model
For existing Aruba Central customers, please note that the previous Device Management and Service Token model is changed to the new licensing model, which provides a uniform licensing structure for all types of devices such as APs, switches, and gateways. The following list provides information about important aspects of the legacy licensing model:
- Device Management Token--This is a mandatory token which allows you to manage and monitor your APs and switches from Aruba Central.
- Service Token--This token allows you to enable value-added services for APs managed from Aruba Central. These services include UCC, AirGroup, Wi-Fi Connectivity Dashboard (formerly, Clarity), Cloud Guest, WebCC, and Presence Analytics.
- Subscription Key--A valid subscription key allows you to manage, profile, and analyze your devices using Aruba Central. A subscription key is a 14-character alphanumeric string provided for either a device management or service token.

The new Aruba Central Licenses simplify the existing subscription-based licensing model. With the introduction of this licensing model, the existing Device Management tokens for APs and switches are no longer available. Similarly, the Service tokens for value-added services on the APs are unavailable. Instead, APs and switches have adopted the current Gateway Foundation and Advanced licensing model.

Supported Devices
The Aruba Central Licenses are supported for APs, switches, and gateways. For more information on the individual device models supported, refer to the next sections. The pricing structure for Foundation and Advanced Licenses for the hardware devices may differ based on the types of models.

APs and IAPs
All AP and IAP models that are currently being shipped are supported. See Supported Instant APs.

Switches
Aruba Central supports AOS-S and AOS-CX switches. All the switches used in a stack must have a license assigned in Aruba Central.

AOS-S Switches
The following AOS-S switches are supported:
- Aruba 2530 Switch Series
- Aruba 2540 Switch Series
- Aruba 2920 Switch Series
- Aruba 2930F Switch Series
- Aruba 2930M Switch Series
- Aruba 3810 Switch Series
- Aruba 5400R Switch Series
For more information, see Supported AOS-S Platforms.

AOS-CX Switches
The following AOS-CX switches are supported:
- AOS-CX 4100i Switch Series
- AOS-CX 6100 Switch Series
- AOS-CX 6200 Switch Series
- AOS-CX 6300 Switch Series
- AOS-CX 6400 Switch Series
- AOS-CX 8320 Switch Series
- AOS-CX 8325 Switch Series
- AOS-CX 8360 Switch Series
- AOS-CX 8400 Switch Series
For more information, see Supported AOS-CX Platforms.

Gateways
Aruba Central supports SD-Branch Gateways based on the license type. For more information, see Supported SD-Branch Components.

Gateway Foundation and Advanced License
The Gateway Foundation and Advanced License can be assigned to the following gateways:
- Aruba 70xx Series
- Aruba 72xx Series
- Aruba 90xx Series
This license does not have a capacity limit for client devices.

Gateway Foundation Base License
The Gateway Foundation Base License can be assigned to the following gateways:
- Aruba 7005, 7008, 9004, 9004-LTE, 9012
This license includes all the features available in the Gateway Foundation License. However, this license can support only up to 75 client devices per branch. When the client capacity reaches the threshold, Aruba Central triggers an alert to indicate that the Gateway Base License capacity limit has been exceeded. If the notification option for the license capacity limit exceeded alert is configured, Aruba Central sends an email notification with a list of Aruba gateways that exceed the client capacity threshold. You can also configure alerts to trigger an incident using Webhook. For more information, see Gateway Alerts.

Gateway Foundation, Foundation Base, and Advanced with Security License
The Gateway Foundation with Security License can be assigned to the following gateways:
- Aruba 9004 Gateway
- Aruba 9004-LTE Gateway
- Aruba 9012 Gateway

Virtual Gateway (VGW) License (VPNC only)
Virtual gateways have bandwidth-based licenses. These licenses are valid on public cloud providers like AWS, Azure, and Google Cloud, including on-premises hypervisors like VMware ESXi. Currently, the bandwidth licenses available are 500 Mbps, 2 Gbps, and 4 Gbps. Aruba Virtual Gateway is a virtual instance of the headend gateway for Aruba SD-Branch. Aruba Central supports licenses based on the bandwidth capacity for virtual gateways. All license assignments are undertaken by the virtual gateway orchestration app.
The following are the options available for Virtual Gateway Licenses:
- License duration--1 year, 3 years, and 5 years
- Available bandwidths--500 Mbps, 2 Gbps, and 4 Gbps
- Available Aruba Virtual Gateways based on the bandwidth--VGW-500Mbps for 500 Mbps, VGW-2G for 2 Gbps, and VGW-4G for 4 Gbps

Aruba Central maintains a pool of Virtual Gateway Licenses. When a Virtual Gateway License expires and there are no available Virtual Gateway Licenses, the expired license is unassigned from the Aruba Central account. The availability of SKUs is dependent on the installation consuming the license. If a Virtual Gateway License expires and there is a similar new license available, the new license is assigned to the Virtual Gateway, provided that the Auto-Assign Licenses option is enabled. For more information about the Auto-Assign Licenses option, see Enabling the Auto-Assign Licenses Option.

For an Aruba Central evaluation account, four licenses of each base SKU are assigned to the account. These evaluation licenses are valid for 90 days. You can track licenses on the Key Management page or the License Assignment page available from the Account Home page. The list of licenses available against consumed licenses is also displayed during the deployment of a Virtual Gateway.

When the client capacity reaches the threshold, Aruba Central triggers an alert to indicate that the Gateway Base License capacity limit has been exceeded. If the notification option for the license capacity limit exceeded alert is configured, Aruba Central sends an email notification with a list of Aruba gateways that exceed the client capacity threshold. You can also configure alerts to trigger an incident using Webhook. For more information, see Gateway Alerts.

For more information, see SD-WAN Ordering Guide.

Supported Features
This section includes detailed information about the different configuration and monitoring options available for Aruba Central features tied to Foundation and Advanced Licenses.

AP Foundation and Advanced License
The AP Foundation and Advanced License for Aruba Central includes the following features:

Configuration
  Foundation License Features:
  - UI- and template-based group configuration
    - SSID (Bridge Mode)
    - IAP VPN
  - Auto-commit
  - Configuration audit
  Advanced License Features:
  - All the features in Foundation

Monitoring and Reporting
  Foundation License Features:
  - Network Health, Summary, Wi-Fi Connectivity Dashboards
  - Network Topology View
  - Visual RF Floorplans
  - Client List and Details
  - AP List and Details
  - Go Live mode for Client, AP
  - Application Visibility
  - WebCC Firewall rules, visualization by reputation and category
  - Access to all monitoring data for up to 30 days
  - Access to reporting data for up to 30 days
  - Access to historical Network Summary Report data for up to one year
  - Audit Trail
  - Alerts and Events
  - Access, Spectrum, Monitor mode of radio operations
  - UXI Sensor Integration
  Advanced License Features:
  - All the features in Foundation
  - Air Slice
    - Visibility and Prioritization of applications
    NOTE: Air Slice is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

AI Operations
  Foundation License Features:
  - AI Search
  - AI Insights
    - Connectivity--Wi-Fi
    - Wireless Quality
    - Availability--Access Points
    - Class and Company Baselines
  - AI Assist
    - Dynamic logs
    NOTE: Dynamic Logs is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
  Advanced License Features:
  - All the features in Foundation
  - AI Insights--Wireless Quality
    - Outdoor clients impacting Wi-Fi performance
    - Coverage Hole Detection
    - Transmit power optimization
  - AI Assist
    - Aruba support notification
    NOTE: Aruba support notification is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Troubleshooting
  Foundation License Features:
  - Network Check, CLI commands
  - Live Events for Client and AP, Packet Capture
  Advanced License Features:
  - All the features in Foundation

Services
  Foundation License Features:
  - AirGroup (In InstantOS-based APs, the service is hosted on the IAP Virtual controller and all services are supported.)
    NOTE: AirGroup is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
  - RF Management Services
    - Adaptive Radio Management (ARM)
    - ClientMatch
  - Presence Analytics
  Advanced License Features:
  - All the features in Foundation
  - UCC
    NOTE: UCC is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Security
  Foundation License Features:
  - Cloud Guest
  - Clients Profile
  - RAPIDS
  - WIPS/WIDS
  NOTE: Clients Profile and RAPIDS are supported in this release as Early-Access features. Contact your Aruba SE or Account Manager to enable these in your Aruba Central account.
  Advanced License Features:
  - All the features in Foundation

API
  Foundation License Features:
  - Northbound (NB) API: 1000 API calls/day per customer
  Advanced License Features:
  - All the features in Foundation
  - Streaming API

Switch Foundation License
Aruba Central does not support Switch Advanced License.
The Switch Foundation License for Aruba Central includes the following features:

Configuration
  AOS-S Features:
  - UI- and template-based group configuration
  - Auto-commit
  - Configuration audit
  AOS-CX Features:
  - UI-, Template-, and MultiEdit-based group configuration
  - Configuration audit

Monitoring and Reporting
  AOS-S Features:
  - Network Health, Summary Dashboards
  - Network Topology View
  - Client List and Details
  - Switch List and Details
  - Access to all monitoring data for up to 30 days
  - Access to reporting data for up to 30 days
  - Access to historical Network Summary Report data for up to one year
  - Audit Trail
  - Alerts and Events
  AOS-CX Features:
  - Network Health, Summary Dashboards
  - Network Topology View
  - Client List and Details
  - Switch List and Details
  - Access to all monitoring data for up to 30 days
  - Access to reporting data for up to 30 days
  - Access to historical Network Summary Report data for up to one year
  - Audit Trail
  - Alerts and Events

AI Operations
  AOS-S Features:
  - AI Search
  - AI Insights
    - Availability--Switch
    - Class and Company Baselines
  AOS-CX Features:
  - AI Search
  - AI Insights
    - Availability--Switch
    - Class and Company Baselines

Troubleshooting
  AOS-S Features:
  - Network Check, Device Check, CLI commands
  - Live Events and Packet Capture for wired client
  AOS-CX Features:
  - Network Check, Device Check, CLI commands

API
  AOS-S Features:
  - Northbound (NB) API: 1000 API calls/day per customer
  AOS-CX Features:
  - Northbound (NB) API: 1000 API calls/day per customer

Gateway Foundation, Foundation Base, and Advanced License
The Foundation Base License provides all the features included in the Foundation License, but this license can support only up to 75 client devices per branch.
The Gateway Foundation, Foundation Base, and Advanced License for Aruba Central includes the following features:

SD-Branch
  Foundation and Foundation Base License Features:
  - Branch Gateway and VPNC Management
  - Stateful Firewall
  - IPsec VPN
  - Client VPN
  - Static and Dynamic Routing (BGP, OSPF, RIPv2)
  - SD-WAN Route and Tunnel orchestration
  - Orchestrated Cloud IaaS connectivity (AWS, Azure)
  - Orchestrated SASE Integration
  - Dynamic Path Steering
  - Link Redundancy
  - 4 WAN links plus 1 LTE link
  - Application-based policies
  - High Availability (Active-Standby or Active-Active)
  - Web content filtering
  - Role-based Access Policy
  - Full SD-LAN Control
  - Clients Profile
  Advanced License Features:
  - All the features in Foundation

Configuration
  Foundation and Foundation Base License Features:
  - UI- and template-based group configuration
  - Configuration audit
  Advanced License Features:
  - All the features in Foundation

Monitoring and Reporting
  Foundation and Foundation Base License Features:
  - Network, WAN Health, Summary Dashboards
  - Network Topology View
  - Client List and Details
  - Gateway List and Details
  - Go Live mode for Client
  - Application Visibility
  - WebCC Firewall rules, visualization by reputation and category
  - Access to all monitoring data for up to 30 days
  - Access to reporting data for up to 30 days
  - Access to historical Network Summary Report data for up to one year
  - Audit Trail
  - Alerts and Events
  Advanced License Features:
  - All the features in Foundation

AI Operations
  Foundation and Foundation Base License Features:
  - AI Search
  - AI Insights
    - Availability--Gateways
    - Class and Company Baselines
  - AI Assist
    - Dynamic logs
    NOTE: Dynamic Logs is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
  Advanced License Features:
  - All the features in Foundation

Troubleshooting
  Foundation and Foundation Base License Features:
  - Network Check, CLI commands
  Advanced License Features:
  - All the features in Foundation

API
  Foundation and Foundation Base License Features:
  - Northbound (NB) API: 1000 API calls/day per customer
  Advanced License Features:
  - Streaming API

Services
  Foundation and Foundation Base License Features:
  - Not Applicable
  Advanced License Features:
  - SaaS Express

Gateway Foundation, Foundation Base, and Advanced License with Security
The Gateway Foundation, Foundation Base, and Advanced License with Security for Aruba Central includes the following features:

Foundation and Foundation Base with Security:
- All the features in Foundation
- Intrusion Detection and Prevention (IDS/IPS)
- Anti-malware
- Security Dashboard

Advanced with Security:
- All the features in Advanced
- Intrusion Detection and Prevention (IDS/IPS)
- Anti-malware
- Security Dashboard

Virtual Gateway (VGW) License
The Virtual Gateway (VGW) License for Aruba Central includes the following features:

SD-Branch
  VGW License Features:
  - VPNC Management
  - Stateful Firewall
  - IPsec VPN
  - Client VPN
  - GRE Tunnel
  - Static and Dynamic Routing (BGP, OSPF, RIPv2)
  - VGW orchestration in public cloud
  - SD-WAN Route and Tunnel orchestration
  - Orchestrated Cloud IaaS connectivity (AWS, Azure)
  - Orchestrated SASE integration
  - Link Redundancy
  - High Availability (Active-Standby or Active-Active)

Configuration
  VGW License Features:
  - UI- and template-based group configuration
  - Configuration audit

Monitoring and Reporting
  VGW License Features:
  - Network, WAN Health, Summary Dashboards
  - Network Topology View
  - Access to all monitoring data for up to 30 days
  - Access to reporting data for up to 30 days
  - Access to historical Network Summary Report data for up to one year
  - Audit Trail
  - Alerts and Events

AI Operations
  VGW License Features:
  - AI Search
  - AI Insights
    - Availability--Gateways
    - Class and Company Baselines
  - AI Assist
    - Dynamic logs
    NOTE: Dynamic Logs is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Troubleshooting
  VGW License Features:
  - Network Check, CLI commands

API
  VGW License Features:
  - Northbound (NB) API: 1000 API calls/day per customer

For more information about the features supported, see Aruba Central Licenses Feature Details.

Aruba Central Licenses Feature Details
This section provides a description of the different configuration and monitoring options available for Aruba Central features tied to Foundation and Advanced Licenses.

Configuration

AP Configuration
License Applicability: AP configuration is available for AP Foundation License.
Network administrators can manage APs through the Aruba Instant UI, Aruba Central, or AirWave management system. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AP deployments. For template-based provisioning, APs must be assigned to a group with the template-based configuration method enabled. For more information, see Deploying a Wireless Network Using IAPs and Configuring APs Using Templates.

AOS-S Configuration
License Applicability: AOS-S configuration is available for Switch Foundation License.
Network administrators can manage AOS-S switches through the Aruba Central UI menu options. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AOS-S deployments. For more information, see Configuring or Viewing AOS-S Properties in UI Groups and Using Configuration Templates for AOS-S Management.

AOS-CX Configuration
License Applicability: AOS-CX configuration is available for Switch Foundation License.
Network administrators can manage AOS-CX switches through the Aruba Central UI menu options and the MultiEdit mode. The MultiEdit mode in Aruba Central provides a single window for viewing and editing the configuration for one or more AOS-CX switches. In this mode, viewing and editing the configuration is performed using the CLI syntax. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AOS-CX deployments. For more information, see Configuring AOS-CX Switches in UI Groups, Configuring AOS-CX Using Templates, and Using MultiEdit View for AOS-CX.

Auto-Commit
License Applicability: Auto-Commit is available for Foundation and Advanced Licenses for APs, switches, and gateways.
Aruba Central supports a two-staged configuration commit workflow for Instant APs. When the auto-commit state is enabled for a group, the configuration changes are instantly applied to all devices where the auto-commit state is enabled. For more information about Auto Commit, see Viewing Configuration Status.

Configuration Audit
License Applicability: Configuration Audit is available for Foundation and Advanced Licenses for APs, switches, and gateways.
In Aruba Central, the Configuration Audit page provides an audit dashboard for reviewing configuration changes of the devices provisioned in the UI and template groups. The Configuration Audit page allows you to view configuration push errors, template synchronization errors, configuration sync, and device-level configuration overrides. For more information about Configuration Audit, see Viewing Configuration Status.

Gateway Configuration
License Applicability: Gateway configuration is available for Gateway Foundation and Foundation Base Licenses.
Aruba Central supports the following methods to configure Gateway groups and Gateways in SD-Branch deployments:
- Guided Setup--You can use the Guided Setup to quickly configure basic and essential parameters on Aruba Gateways for deploying the SD-WAN solution. The Guided Setup provides a wizard-based workflow for provisioning Gateways. For more information about guided setup, see Provisioning Aruba Gateways in Aruba Central.
- Basic Mode--Allows you to configure your Gateways in a non-linear fashion. This mode allows you to make configuration changes after you provision your gateways for the first time using a Guided setup. For more information about the basic mode of setup, see Configuring an SD-Branch Network Using the Basic Setup.
- Advanced Mode--Allows you to configure advanced features for SD-WAN deployments. For more information about the advanced mode of setup, see Configuring an SD-Branch Network Using the Advanced Setup.
Template groups in Aruba Central allow network administrators to create a common configuration output by using a combination of CLI commands and variables, and apply this configuration to the other Gateway devices provisioned in that group. For more information about configuring gateways using templates, see Provisioning Gateways Using Configuration Templates.

Monitoring and Reporting

Access, Spectrum, Monitor Mode of Radio Operations
License Applicability: The Access, Spectrum, and Monitor modes of the radios of an access point are available for AP Foundation and Advanced Licenses.
In the Access mode, the Instant AP serves clients, while also monitoring for rogue Instant APs in the background. In the Monitor mode, the Instant AP acts as a dedicated monitor, scanning all channels for rogue Instant APs and clients.
In the Spectrum mode, the Instant AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring Instant APs or from non-Wi-Fi devices such as microwaves and cordless phones. For more information about radio modes of an AP, see Configuring Device Parameters.

Alerts and Events
License Applicability: Alerts and events for APs, gateways, and switches are part of the Foundation License and do not require any extra configuration. This tab shows data for all devices irrespective of device license type.
The Alerts and Events dashboard displays a list of alerts and events generated for events pertaining to device provisioning, configuration, and user management. You can view the alerts and events in the List view and Summary view. The Configuration view is used to configure alerts and is available only at the Global context. For more information about Alerts and Events, see Alerts & Events.

Application Visibility
License Applicability: The Application Visibility feature is a part of a Foundation License. However, as API streaming is available for Advanced Licenses only, the Application Visibility streaming service is supported only for APs with an Advanced License.
Application Visibility is a custom-built Layer-7 firewall capability in Aruba Central that allows you to create firewall policies based on the types of applications in IAPs. Application Visibility provides features like deep packet inspection, application monitoring, and Air Slice Policy. For more information about AppRF, see Application Visibility.

Audit Trail
License Applicability: Audit Trail logs for APs, gateways, and switches are part of the Foundation License and do not require any extra configuration. This tab shows data for all devices irrespective of device license type.
The Audit Trail page in Aruba Central shows the total number of logs generated for all device management, configuration, and user management events triggered in the network. For more information about Audit Trail, see Viewing Audit Trail.

Client List and Details
License Applicability: Clients monitoring is available for the Foundation License of AP, switch, and gateway.
The Clients page is also called the unified clients list and it provides a list of all clients that are connected to access points, switches, or gateways in the network. The List and Summary views under the Clients tab serve as dashboards. They display details about the network performance, client connection status, instantaneous client refresh, Go Live (only AP), and other information required for monitoring the clients. For more information about clients monitoring, see All Clients.

Floorplans
License Applicability: Floorplans is available for AP and gateway Foundation Licenses.
Floorplans allow you to plan sites, create and manage floorplans, and provision access points. Floorplans provide a real-time picture of the radio environment of your wireless network and the ability to plan the wireless coverage of new sites. For more information about floorplans, see About Floor plan.

Reports
License Applicability: Reports is available for the Foundation License.
The Reports feature enables you to generate reports for the Clients, Infrastructure, Security Compliance, and Applications categories. The Reports feature is present under the Analyze section of the Network Operations app. The functionalities present are creating a report, generating a report, scheduling the report generation, previewing a report, and downloading a report in PDF and CSV formats. The Custom range for the Summary report is available for the last one year, except the current date (today). All other reports are available for 90 days. For more information about Reports, see Reports.

Topology
License Applicability: Topology is available for Foundation and Advanced Licenses for APs, switches, and gateways.
In Aruba Central, the Topology tab in the site dashboard provides a graphical representation of the site, including the network layout, details of the devices deployed, and the health of the WAN uplinks and tunnels. The topology map provides information about third-party devices and devices that are not managed by Aruba. It also provides information about orphan and offline third-party devices, and the VLANs configured on switches running AOS-S and AOS-CX software. For more information about Topology, see Monitoring Sites in the Topology Tab.

Web Content Classification (WebCC)
License Applicability: The WebCC feature is available for Foundation Licenses for APs and gateways.
The WebCC allows you to classify website content based on reputation and take measures to block malicious sites. It fetches information about website content classification and geolocation of IPs. The IP reputation database contains known IP addresses associated with various malicious activities or threats such as botnet, DOS, and spam sources. The geolocation IP database contains the geographical location of the IP address from where the traffic is received or to which the traffic is sent. This provides geolocation and reputation filtering as part of the security suite.
The table below lists the features supported for AP and gateway licenses:
- AP Foundation: WebCC Firewall rules, visualization by reputation and category
- Gateway Foundation and Foundation Base: WebCC Firewall rules, visualization by reputation and category
For more information about WebCC, see Filtering URLs Based on Web Content and IP Classification.

Wi-Fi Connectivity
License Applicability: The Wi-Fi Connectivity dashboard for APs is part of Foundation License and does not require any extra configuration.
The Wi-Fi Connectivity page displays an overall view of the connection details, for each connection phase, of all clients that are connected or tried to connect. The connection phases include the following:
- All--Displays the aggregated success percentage of Association, Authentication, and DHCP for all clients connected to the network.
- Association--Displays the percentage of successful attempts made by a client to connect to the network.
- Authentication--Displays the percentage of successful attempts of client authentication.
- DHCP--Displays the percentage of successful attempts of DHCP requests and responses when onboarding a client.
- DNS--Displays the percentage of successful attempts in the detected DNS resolutions, when a client is connected to the network.
For more information about Wi-Fi Connectivity, see Wi-Fi Connectivity.

AI Operations

AI Insights
License Applicability: AI Insights is available for Foundation and Advanced Licenses for APs, switches, and gateways. The Insights that require an Advanced License are marked as Advanced in the UI.
The AI Insights dashboard displays a report of network events that could possibly affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level for the selected time range. Each insight provides specific details on the occurrences of these events for easy debugging. Different types of insights are generated by Aruba Central and they can be accessed from different contexts such as Global, Site, Clients, and Device. Some of the insights are part of an Advanced License only and they are marked as Advanced in the user interface. The following figure displays the various AI Insights available; some are marked as Advanced.
Figure 3 AI Insights List

The table below lists the features supported for AP, switch, and gateway licenses:

AP Foundation License:
- Connectivity--Wi-Fi
- Wireless Quality
- Availability--Access Points
- Class and Company Baselines

AP Advanced License:
- Wireless Quality
  - Outdoor clients impacting Wi-Fi performance
  - Coverage Hole Detection
  - Transmit power optimization

Switch Foundation:
- Availability--Switch
- Class and Company Baselines

Gateway Foundation, Foundation Base, and VGW:
- Availability--Gateways
- Class and Company Baselines

In this release, all AI Insights are available irrespective of the user role or Aruba Central subscription. In the upcoming Aruba Central release, AI Insights marked as Advanced in the user interface would require an advanced subscription.

For more information about AI Insights, see Insights Context.

AI Search

License Applicability: AI Search feature is available for Foundation License for AP, switch, and gateway.

The AI search feature in Aruba Central enables you to search for clients, devices, and infrastructure connected to the network. Using the search results, you can navigate to the configuration and troubleshooting pages. The search also retrieves relevant documentation to help you efficiently operate your networks. The search engine uses Natural Language Processing (NLP) to analyze queries and return relevant search results.

For more information about Alerts and Events, see Using the Search Bar.

Dynamic Logs

License Applicability: Dynamic Log is available for both Foundation and Advanced Licenses for APs and gateways.

The Dynamic Logs feature enables Aruba Central to dynamically run CLI show commands on APs and gateways, and collect the output as logs. You can also enable the Aruba support notification option to notify TAC support regarding the logs generated. These logs can be used to troubleshoot the APs and gateways.

Dynamic Logs is supported in this release as an Early-Access feature.
Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

The following figure displays the available options for Dynamic Logs.

Figure 4 Dynamic Logs Option

For devices assigned with the Foundation License, the Dynamic Logs feature only supports the log collection activity. Even if you enable the Notify Aruba Support option, the option is not activated for devices licensed with Foundation License. For devices assigned with Advanced Licenses, Dynamic Logs support both log collection and the Aruba support notification option.

For example, assume an Aruba Central account with Dynamic Logs enabled, where you configure a group of three Access Points (APs), AP1, AP2, and AP3. AP1 has a Foundation License while AP2 and AP3 have Advanced Licenses. For this group, both Dynamic logs collection and Notify Aruba Support options are enabled. However, the Aruba support notification option is only applicable for AP2 and AP3, which have Advanced Licenses.

Troubleshooting

Live Events

Licensing Applicability: Live Events for clients, APs and switches is part of Foundation License and does not require any extra configuration.

The clients Live Events page shows information required to troubleshoot issues related to a client or a site in real time for detailed analysis. Aruba Central also allows you to troubleshoot issues related to access points. The AP Live Events feature is similar to client live troubleshooting, but in this case we can enable Live Events at the AP level. Currently, users can subscribe to Radio, VPN, and Spectrum events.

For more information about Client and AP Live Events, see Client Live Events.

Live Packet Capture (PCAP)

Licensing Applicability: Live PCAP for APs and switches is part of Foundation License and does not require any extra configuration.

Aruba Central allows users to interact and launch a targeted packet capture on a client connected to a specific AP or a switch.
When the user starts packet capture from the UI, Aruba Central notifies the AP and the switch. The default packet capture duration is 15 minutes.

For more information about Live PCAP, see Client Live Events.

Troubleshooting Tools

License Applicability: Troubleshooting for APs, gateways, and switches is part of Foundation License and does not require any extra configuration.

The Tools menu option allows network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. The Tools page is divided into the following tabs:

- Network Check: Allows you to run diagnostic checks on networks and troubleshoot client connectivity issues.
- Device Check: Allows you to run diagnostic checks and troubleshoot switches.
- Commands: Allows you to perform network health check on devices at an advanced level using command categories.

For more information about Tools, see Using Troubleshooting Tools.

Services

AirGroup

License Applicability: AirGroup is available for both AP Foundation and Advanced Licenses.

AirGroup is a zero-configuration networking protocol that enables service discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services. It is designed for flat, single-subnet IP networks such as wireless networking at home. AirGroup supports both wired and wireless devices.

AirGroup is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

In InstantOS-based APs, the service is hosted on the IAP Virtual controller and all services are supported.

AirMatch

License Applicability: AirMatch is available for AP Foundation License.

AirMatch channel planning evens out channel distributions in any size of network and in any subset of the contiguous network.
AirMatch also minimizes channel coupling where adjacent radios are assigned to the same channel.

AirMatch service is available only for AP with ArubaOS 10.0.0.0 or later firmware version.

Air Slice

License Applicability: The Air Slice feature is available for only AP Advanced Licenses.

The Air Slice feature allows network operators to build virtual networks suitable for specific application requirements. It allows network operators to monitor applications used by clients and supports multiple services such as gaming, IoT, voice, video, and so on.

Air Slice is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

For devices that have Advanced Licenses, the Air Slice feature supports unlimited applications and provides prioritization of custom-applications with visibility and configuration.

The table below lists the features supported for AP licenses:

Advanced:
- Visibility and prioritization of applications
- Maximum number of applications as supported by the Aruba Central platform

ClientMatch

License Applicability: ClientMatch is available for AP Foundation License.

ClientMatch continually monitors the RF neighborhood for each client to provide ongoing client band steering, load balancing, and enhanced AP reassignment for roaming mobile clients.

For more information about ClientMatch, see Configuring ARM Features.

Presence Analytics

License Applicability: Presence Analytics is available for Foundation AP License.

Presence Analytics enables businesses to collect and analyze user presence data in public venues, enterprise environments, and retail hubs. Presence Analytics also enables businesses to collect real-time data on user footprints within the wireless network range.

For more information about Presence Analytics, see Presence Analytics.
SaaS Express

License Applicability: SaaS Express is available for Advanced Gateway License and Advanced with Security Gateway License only.

The SaaS Express feature, on SD-WAN Gateways, enables discovery of the SaaS application servers, monitors application performance, and steers traffic to the best-available servers, and thus provides an improved user experience.

For more information about SaaS Express, see SaaS Application Traffic Management with SaaS Express.

Unified Communications

License Applicability: Unified Communications is available for AP Advanced Licenses.

The Unified Communications feature enables a seamless user experience for voice calls, video calls, and application-sharing when using communication and collaboration tools. It allows you to actively monitor voice, video, and application-sharing sessions, provide traffic visibility, prioritize the required sessions, and provide rich visual metrics for analytical purposes.

Unified Communications is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Security

Cloud Guest

License Applicability: Cloud Guest is available for the AP Foundation License.

The Cloud Guest access enables the guest users to connect to the network. This is provided through the splash page profile that is created by the administrators for the guest users in the Guests tab under Manage. The Summary page in the Manage > Guest Access application is the monitoring dashboard that displays the number of guests, guest SSID, client count, type of clients, and guest connection.

Cloud Guest deals with the AP, so the license that is assigned to the AP is also applicable to Cloud Guest. By default, the Foundation License is applicable. The Advanced License features will also be available if the Cloud Guest is assigned to it.

For more information about Cloud Guest, see Guest Access.
Clients Profile

The Clients Profile enables network and security administrators to discover, monitor, and automatically classify new and existing devices that connect to a network. You can identify devices that include IoT devices, medical devices, printers, smart devices, laptops, VoIP phones, computers, gaming consoles, routers, servers, switches, and so on.

Intrusion Detection and Prevention (IDS or IPS)

License Applicability: IDS and IPS is available for Foundation with Security Gateway License, Foundation Base with Security Gateway License, and Advanced with Security Gateway License.

The IDS and IPS monitors, detects, and prevents threats in the inbound and outbound traffic. Aruba IDS or IPS adds an extra layer of security that focuses on users, applications, network connections, and can be integrated with the Aruba SD-Branch solution.

For more information about IDPS, see Overview of Aruba IDPS.

RAPIDS

License Applicability: RAPIDS is available for Foundation and Advanced Licenses for APs.

The RAPIDS feature enables Aruba Central to quickly identify and act on interfering APs in the network that can be later considered for investigation, restrictive action, or both. Once the interfering APs are discovered, Aruba Central sends alerts for security events to the network administrators about the possible threat and provides essential information needed to locate and manage the threat.

RAPIDS is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

This feature is part of the AP Foundation License. However, as API streaming is available for Advanced License only, Aruba Central would not stream any security events for APs with Foundation License. For APs with Advanced License, API streaming of security events is available for further diagnosis and threat management.

For more information about RAPIDS, see About RAPIDS.
API

Streaming APIs

License Applicability: The Streaming API service requires that devices such as IAPs and gateways are assigned with Advanced License.

The Streaming API feature enables you to subscribe to a select set of services, instead of polling the NB API to get an aggregated state, or statistics of the events, pertinent to the monitoring activities of Aruba Central. With Streaming API, you can write value-added applications based on the aggregated context. For example, with Streaming API, you are notified about the following types of events:

- The UP and DOWN status of the devices
- Change in location of stations

The Streaming API feature in Aruba Central is enabled only when any one of the devices in the account has an Advanced License. If the account has devices with only Foundation License, the Streaming API tab is not displayed in Aruba Central. If the Streaming API feature is enabled, and the account has a mix of Foundation License and Advanced License for devices, the devices that are assigned with Foundation License do not stream any data for any topics.

For more information about Streaming APIs, see Streaming API.

SD-Branch

Application-based Policy

License Applicability: The application-based policy configuration is available for Foundation License for Branch Gateways.

The Application-based policy configuration helps in deep packet inspection of application usage by clients. Using this configuration, you can define applications, security, and service aliases. You can configure Access Control Lists (ACLs) to restrict user access to an application or application category.

For more information about application-based policies, see Configuring ACLs for Deep Packet Inspection.

Dynamic Path Steering

License Applicability: Dynamic Path Steering is available for Gateway Foundation and Foundation Base License.
In the Path Steering tab, you can view traffic path steering details for the Dynamic Path Steering policies configured on the Branch Gateway. This tab also displays the number of policies that are compliant along with the total number of policies configured on the Branch Gateway.

For more information about Dynamic Path Steering and configuration steps, see Configuring Policies for Dynamic Path Steering.

Full SD-LAN Control

License Applicability: SD-LAN monitoring is available for Foundation License for Branch Gateways.

The LAN Summary page displays a graphical representation of the LAN link availability of a Branch Gateway. It also provides a summary of all the LAN interfaces and port details.

For more information about full SD-LAN control, see Gateway > LAN > Summary.

IPsec VPN

License Applicability: IPsec VPN is available for Gateway Foundation and Foundation Base License.

An IPsec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPsec tunnel to the controller secures corporate data. You can configure an IPsec tunnel from virtual controller using Aruba Central.

For more information about IPsec VPN, see Configuring IPsec VPN Tunnel.

Role-based Access Policy

License Applicability: Role-based Access Policy configuration is available for Foundation License for Branch Gateways.

The Role-based Access Policy determines client access based on the user roles assigned to a client. Each user or device connected to the branch network is associated with a user role. Once the role is assigned, traffic and security policies are applied to devices based on the role.

For more information about role-based access policy, see Configuring Policies for a Branch Gateway Group.

SD-WAN Overlay

License Applicability: SD-WAN Overlay monitoring is available for Gateway Foundation License.
The SD-WAN Overlay is an orchestrator service for branch deployments, which is done by setting up IPsec tunnels between the Branch Gateways and VPN Concentrators. This is achieved through Tunnel and Route orchestration. The tunnel configuration between the branch and hub sites is automatic and the route configuration is done by redistributing the routing information learnt from the branch in a dynamic way. The Map and Grid views of the Tunnel and Route tabs under SD-WAN Overlay serve as dashboards for monitoring purpose, providing information about the tunnels and routes configured for an individual Branch Gateway.

For more information about SD-WAN Overlay monitoring, see Monitoring SD-WAN Overlay Tunnels and Route.

Stateful Firewalls

License Applicability: Stateful Firewalls is available for Gateway Foundation and Foundation Base License.

Aruba Gateways support stateful firewall for stateful inspection of packets. Stateful firewalls provide an additional layer of security by tracking the state of network connections and using the state information from previous communications to monitor and control new communication attempts. To protect your network from external attacks and unauthorized communication attempts, you can configure match conditions and packet filtering criteria for the Aruba Gateways.

For more information about Stateful firewalls, see Configuring Global Firewall Parameters.

Web Content Filtering

License Applicability: Website content filtering is available for Foundation License for Branch Gateways.

Aruba Gateways enhance branch security by providing real-time web content and reputation filtering. The Website Content Classification feature on Branch Gateways allows you to classify website content based on reputation and take measures to block malicious sites.

For more information about web content filtering, see Filtering URLs Based on Web Content and IP Classification.
Starting Your Free Trial

Aruba Central offers a 90-day evaluation license for customers who want to try the solution for managing their networks. The evaluation license allows you to use the functions described in the following table:

Table 11: Evaluation features

Application: Network Operations
Function:
- 10 Advanced AP Licenses
- 5 Foundation Switches 6100 / 25xx / low density (16 ports or less) Licenses
- 5 Foundation Switches 6200 / 29xx Licenses
- 5 Foundation Switches 6300 / 3810 Licenses
- 5 Foundation Switches 8xxx / 6400 / 5400 Licenses
- 5 Advanced 90xx Gateways with security feature Licenses
- 10 Advanced 70xx Gateways Licenses
- 2 Advanced 72xx Gateways Licenses

Application: ClearPass Device Insight
Function: Discover, monitor, and automatically classify new and existing devices that connect to a network.

Complete the following steps to evaluate Aruba Central:

- Step 1: Getting Started with the Initial Setup
- Step 2: Viewing Subscription Details (Optional)
- Step 3: Adding Devices
- Step 4: Assigning Subscriptions
- Step 5: Organizing Your Devices into Groups
- Step 6: Assigning Sites and Labels (Optional)
- Step 7: Configuring Your Network
- Step 8: Monitoring Your Network and Devices
- Step 9: Canceling or Upgrading Your Subscription (Optional)

Step 1: Getting Started with the Initial Setup

To get started with the trial:

1. Register for evaluating Aruba Central. For more information, see Creating an Aruba Central Account.
2. Log in to Aruba Central. For more information, see Accessing Aruba Central Portal.
   - If you signed up to evaluate only the Network Operations app, the Welcome to Aruba Central page is displayed.
     - Click Evaluate Now. The Get Started With Aruba Central page guides you through the onboarding steps.
     - Click through the steps to set up your account and start using Aruba Central. If you want to exit the wizard and complete the onboarding steps on your own, click Exit Workflow.
     The Initial Setup wizard is displayed only when you log in to Aruba Central for the first time. The wizard is not available for Aruba Central users in the MSP mode.
   - If you signed up to evaluate both Network Operations and ClearPass Device Insight, the Network Operations page is displayed. For more information, see ClearPass Device Insight Information Center.

Step 2: Viewing Subscription Details (Optional)

At your first login, the Initial Setup wizard displays the evaluation license details. After you exit the wizard, you can view the license details on the Account Home > Global Settings > Key Management page.

Viewing Subscription Key Details

The following table shows the typical contents of a license key:

Table 12: License Key Details

- Keys: Subscription key number.
- Type: Type of the license. Aruba Central supports the following types of licenses:
  - Foundation: This license provides all the features included in the Device Management subscription and some additional features that were available as value-added services for APs in the earlier licensing model.
  - Advanced: This license provides all the features of a Foundation license, with additional features related to AI insights.
- Expiration Date: Expiration date for the license key.
- Quantity: Number of licenses available.
- Status: Status of the license key. For example, if you are a trial user, Aruba Central displays the status of subscription key as Eval.

Step 3: Adding Devices

To manage devices from Aruba Central, trial users must manually add the devices to Aruba Central's device inventory. You can add up to 60 devices. The devices can be APs, switches, or gateways. For details about how many device licenses of each type are available, see Table 11.

Use one of the following methods to add devices to Aruba Central:

- Using the Initial Setup Wizard
- Using the Device Inventory Page

Using the Initial Setup Wizard

1.
In the Add Devices tab of the Initial Setup wizard, click Add Device.
2. Enter the serial number and MAC address of your devices. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
3. Click Done.
4. Review the devices in your inventory.

Using the Device Inventory Page

1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Add Devices. The Add Devices pop-up window is displayed.
3. Enter the serial number and the MAC address of each device. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
4. Click Done.
5. Review the devices in your inventory.

Step 4: Assigning Subscriptions

By default, an evaluation license key is assigned for users who sign up for a free trial of Aruba Central. The evaluation license key allows you to manage up to 60 devices from Aruba Central. You can either enable automatic assignment of license or manually assign Foundation and Advanced licenses to your devices. By default, the automatic license assignment is disabled.

Enabling Automatic Assignment of Subscriptions

Use one of the following options to enable automatic assignment of licenses:

In the Initial Setup Wizard

1. Verify that you have a valid license key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the Assign License tab, slide the Auto License toggle switch to the On position.

From the License Assignment Page

1. In the Account Home page, under Global Settings, click License Assignment.
2. Under Device Licenses, slide the Auto License toggle switch to the On position. All the devices in your inventory are selected for automatic assignment of a license. You can edit the list by clearing the existing selection and re-selecting devices.
Manually Assigning Subscriptions

Use one of the following options to manually assign subscriptions:

In the Initial Setup Wizard

1. In the Assign License tab, ensure that the Auto License toggle switch is turned off.
2. Select the devices in the list for which you want to manually assign licenses.
3. Click Update Licenses.

From the Subscription Assignment Page

1. In the Account Home page, under Global Settings, click License Assignment.
2. On the License Assignment page, ensure that the Auto License toggle is turned off.
3. Select the devices to which you want to assign licenses.
4. Click Update Licenses.

For more information on subscriptions, see Managing Licenses.

Step 5: Organizing Your Devices into Groups

A group in Aruba Central functions as a configuration container for devices added in Aruba Central.

Why Should You Use Groups?

Groups allow you to create a logical subset of devices and simplify the configuration and device management tasks. Groups offer the following functions and benefits:

- Combining different types of devices under a group. For example, a group can have APs and switches. Aruba Central allows you to manage configuration of these devices in separate containers (wireless and wired management) within the same group. Any new device that is added to a group inherits the current configuration of the group.
- Assigning multiple devices to a single group. For example, a group can consist of multiple Instant AP Virtual Controllers (VCs). These VCs can share common configuration settings and push the configuration updates to member Instant APs in their respective clusters. For example, you can apply a common security policy for the devices deployed in a specific geographical location.
- Cloning an existing group allows you to create a base configuration for the devices and customize it as per your network requirements.
You can also use groups for filtering your monitoring dashboard content, generating reports, and managing software upgrades.

A device can be part of only one group at any given time. Groups in Aruba Central are independent and do not follow a hierarchical model.

For more information on groups and group configuration workflows, see Groups for Device Configuration and Management.

Assigning Devices to Groups

After you successfully complete the onboarding workflow, the Initial Setup wizard prompts you to assign your devices to a group. You can click Assign Group and assign your devices to a group. You can also use one of the following methods to assign your devices to groups:

To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory.

1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign devices.
4. Click Assign Device(s).

To assign a device to a group from the Groups page, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand a group from which you want to move devices to the selected group. For example, expand the Unprovisioned Devices group, select the devices, and then click the Move devices icon. The Move Devices page is displayed.
   You can assign only particular devices for which the group is created. For example, if a group is created for Access Points only, then only Access Points can be assigned to that group. You cannot assign other devices to it.
5. Select the Destination Group from the drop-down list.
6. Click Move. The selected devices are moved to the destination group. These devices will adopt the destination group configuration.
Step 6: Assigning Sites and Labels (Optional)

A site in Aruba Central refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Aruba Central allows you to use sites as a primary navigation element. For example, if your devices are deployed in a campus, you can create a site called CampusA. You can also tag the devices within CampusA using labels. If your campus consists of multiple buildings, the devices deployed in the campus can be labeled as Building1 or Lobby.

For more information on sites and labels and how to assign devices to sites and labels, see Managing Sites and Managing Labels.

Step 7: Configuring Your Network

If you have added Instant APs as part of your evaluation, you can configure an employee and guest wireless network. If you have Switches or SD-Branch or SD-WAN Gateways, configure wired access network or SD-WAN respectively.

For more information, see Device Configuration and Network Management.

Step 8: Monitoring Your Network and Devices

Use monitoring dashboards to view the health of the device and network. You can also run reports, configure alerts, and view client details.

Step 9: Canceling or Upgrading Your Subscription (Optional)

During the trial period or after you complete your trial, if you want to continue using Aruba Central for managing your devices, contact Aruba Customer Support to upgrade your license. If you do not want to continue, contact Aruba support team to cancel your license or wait until the trial expires. When the trial period expires, your devices can no longer be managed from Aruba Central.

Upgrading to a Paid Account

If you have purchased a license for an AP, a switch, or a gateway, then upgrade your account by completing the following steps:

1. On the Account Home page, in the Network Operations app, click the link that shows the number of days left for the evaluation to expire.
   Figure 5 Network Operations Evaluation Account
   The Add a New License window is displayed.
2. Enter the new license key that you purchased from Aruba.
3. Click Add License.

After you upgrade your account, you can add more devices, enable services, and continue using Aruba Central.

Creating an Aruba Central Account

To start using Aruba Central, you need to register and create an Aruba Central account. Both evaluating and paid subscribers require an account to start using Aruba Central.

Zones and Sign Up URLs

Aruba Central instances are available on multiple regional clusters. These regional clusters are referred to as zones. When you register for an Aruba Central account, Aruba creates an account for you in the zone that is mapped to the country you selected during registration.

If you access the Sign Up URL from the www.arubanetworks.com website, you are automatically redirected to the sign up URL. To create an Aruba Central account in the zone that is mapped to your country, use the following zone-specific sign up URLs.
Table 13: Sign Up URLs & Apps

| Regional Cluster | Sign Up URL | Available Apps |
|---|---|---|
| US-1 | https://portal-uswest4.central.arubanetworks.com/signup | Network Operations |
| US-2 | https://portal-uswest4.central.arubanetworks.com/signup | Network Operations, ClearPass Device Insight |
| US-WEST-4 | https://portal-uswest4.central.arubanetworks.com/signup | Network Operations, ClearPass Device Insight |
| CANADA-1 | https://portal-ca.central.arubanetworks.com/signup | Network Operations |
| CHINA-1 | https://portal.central.arubanetworks.com.cn/signup | Network Operations |
| EU-1 | https://portal-eu.central.arubanetworks.com/signup | Network Operations, ClearPass Device Insight |
| EU-3 | https://portal-eucentral3.central.arubanetworks.com/signup/ | Network Operations, ClearPass Device Insight |
| APAC-1 | https://portal-apac.central.arubanetworks.com/signup | Network Operations |
| APACEAST1 | https://portal-apaceast.central.arubanetworks.com/signup | Network Operations |
| APACSOUTH1 | https://portal-apacsouth.central.arubanetworks.com/signup | Network Operations |
| UAENORTH | https://portaluaenorth1.central.arubanetworks.com/platform/signup/registration#!/SIGNUP | Network Operations |

Users of the US-WEST-4 cluster experience GLCP workflows.

Signing up for an Aruba Central Account

You can choose one of the following ways to start your Aruba Central account trial:

1. Go to http://www.arubanetworks.com/products/sme/eval/.
   - Click Start Demo and fill the form to start a product demo.
   - Click Got an Aruba AP? Start your trial here. The Registration page opens.
2. Enter your email address. Based on the email address you entered, the Registration page guides you to the subsequent steps:

Table 14: Registration Workflow (If... Then...)

- If you are a new user:
  The Registration page prompts you to create a password. To continue with the registration, enter a password in the Password and Confirm Password fields.
- If you are an existing Aruba customer, but you do not have an Aruba Central account:
  If your email account is already registered with Aruba, but you do not have an Aruba Central account:
  The Registration page displays the following message: Email already exists. Please enter the password below.
  To continue with registration, validate your account:
  1. Enter the password.
  2. Click Validate Account.
  NOTE: If you do not remember the password, click Forgot Password to reset the password.
- If you are invited to join as a user in an existing Aruba Central customer account:
  The Registration page displays the following message: An invitation email has already been sent to your email ID. Resend.
  To continue with the registration:
  1. Go to your email box and check if you have received the email invitation.
  2. If you have not received the email invitation, go to the Registration page and click Resend. A registration invitation will be sent to your account.
  3. Click the registration link. The user account is validated.
  4. Complete the registration on the Sign Up page to sign in to Aruba Central.
- If you are a registered user of Aruba Central and have not verified your email yet:
  The Registration page displays the following message: You are an existing Aruba Central user. Please verify your account. Resend Verification email.
  To continue:
  1. Go to your email box and check if you have received the email invitation.
  2. If you have not received the email invitation, go to the Registration page and click Resend Verification email. A registration invitation will be sent to your account.
  3. Click the account activation link.
  4. After the email verification is completed successfully, click Log in to access Aruba Central.
- If you are already a registered user of Aruba Central and have verified your email:
  The Registration page displays the following message: User has been registered and verified.
Sign in to Central. Click Sign in to Central to skip the registration process and access the Aruba Central portal. If your email address is in the arubanetworks.com or hpe.com domain: The Single Sign-On option is enabled. You can use your respective Aruba or HP Enterprise credentials to log in to your Aruba Central account after the registration. 3. To continue with registration, enter your first name, last name, company name, address, country, state, ZIP code, and phone details. 4. Specify if you are an Aruba partner. 5. Ensure that you select an appropriate zone. The Registration page displays a list of zones in which the Aruba Central servers are available for account creation. Based on the country you select, the Aruba Central server is automatically selected. If you want your account and Aruba Central data to reside on a server from another zone, you can select an Aruba Central server from the list of available servers. Aruba Central | User Guide 79 6. From the Interested Apps section, select the app(s) that you want to pre-provision. You must select at least one app to continue: n Network Operations n ClearPass Device Insight See Table 13 for the app(s) available in the zone in which you are signing up. If you are interested in evaluating the Aruba Central MSP solution, select only the Network Operations app. Getting Started with Aruba Central | 80 7. Select the I agree to the Terms and Conditions check box. 8. Set a preferred mode of communication for receiving notifications about Aruba products and services. 9. Optionally, to read about the privacy statement, click the HPE Privacy Statement link. To opt out of marketing communication, you can either click the unsubscribe link available at the bottom of the email or click the link as shown in the following figure: 10. Click Sign Up. Your new account is created in the zone you selected and an email invitation is sent to your email address for account activation. 11. 
Access your email account and click the Activate Your Account link. After you verify your email, you can log in to Aruba Central. Accessing Aruba Central Portal After you create an Aruba Central account, the link to Aruba Central portal will be sent to your registered email address. You can use this link to log in to Aruba Central. If you are accessing the login URL from the www.arubanetworks.com website, ensure that you select the zone in which your account was created. Login URLs When you try to access Aruba Central portal, you are redirected to the Aruba Central URL that is mapped to your cluster zone. Table 15: Cluster Zone-- Portal URLs Regional Cluster Login URL US-1 US-2 US-WEST-4 Canada-1 China-1 EU-1 EU-3 APAC-1 APAC-EAST1 APAC-SOUTH1 https://portal.central.arubanetworks.com/platform/login/user https://portal-prod2.central.arubanetworks.com/platform/login/user https://portal-uswest4.central.arubanetworks.com/platform/login/user https://portal-ca.central.arubanetworks.com/platform/login/user https://portal.central.arubanetworks.com.cnath/platform/login/user https://portal-eu.central.arubanetworks.com/platform/login/user https://portal-eucentral3.central.arubanetworks.com/platform/login/user https://portal-apac.central.arubanetworks.com/platform/login/user https://portal-apaceast.central.arubanetworks.com/platform/login/user https://portal-apacsouth.central.arubanetworks.com/platform/login/user Logging in to Aruba Central To log in to Aruba Central: Aruba Central | User Guide 81 1. Access the Aruba Central login URL for your zone. 2. Notice that the zone is automatically selected based on your geographical location. 3. Enter the email address and click Continue. 4. Log in using your credentials. If your user credentials are stored in your organization's Identity Management server and SAML SSO authentication is enabled for your IdP on Aruba Central, complete the SSO authentication workflow. 5. Enter the password. 
   If you have forgotten your password, click Forgot Password to reset it.
   The Forgot Password link resets only your Aruba Central account; hence, it is not available to SSO users.
6. Click Continue. The Initial Setup wizard opens.
   - If you have a paid subscription, click Get Started and set up your account.
   - If you are a trial user, click Evaluate Now and start your trial.

Changing Your Password

To change your Aruba Central account password:

1. In the Aruba Central UI, click the user icon in the header pane.
2. Click Change Password.
3. Enter a new password.
4. Log in to Aruba Central using the new password.

The Change Password menu option is not available for federated users who sign in to Aruba Central using their SSO credentials.

Logging Out of Aruba Central

To log out of Aruba Central:

1. In the Aruba Central UI, click the user icon in the header pane.
2. Click Logout.

Accessing Aruba Central Mobile Application

Aruba Central mobile application lets you manage, monitor, and optimize your Central account. You can log in to your Aruba Central account using your credentials from the mobile application.

To download the Aruba Central application, visit the App Store on iOS devices running iOS 9.0 or later and Google Play Store on Android devices running Android 5.0 Lollipop or later.

About the Network Operations App User Interface

The Network Operations app is one of the apps in Aruba Central that helps to manage, monitor, and analyze your network. Aruba offers the following variants of the Network Operations app user interface:

- Standard Enterprise mode: This mode is intended for customers who manage their respective accounts end-to-end. In the Standard Enterprise mode, the customers have complete access to their accounts. They can also provision and manage their respective accounts.
- Managed Service Provider (MSP) mode: This mode is for managed service providers who need to manage multiple customer networks. With MSP mode enabled, the MSP administrators can provision customer accounts, allocate devices, assign licenses, and monitor customer accounts and their networks. The administrators can also drill down to a specific tenant account and perform administration and configuration tasks. The tenants can access only their respective accounts, and only those features and application services to which they have subscribed.

The following image displays the navigational elements of the Network Operations app in the Standard Enterprise mode. However, the navigational elements also apply to the MSP mode.

Figure 6: Navigation Elements of the Network Operations App

| Callout Number | Description |
|---|---|
| 1 | Filter to select an option under Groups, Labels, or Sites. For all devices, select Global. A corresponding dashboard is displayed. |
| 2 | Item under the left navigation contextual menu. The menu is dependent on the filter selection. |
| 3 | First-level tab on the dashboard. |
| 4 | Second-level tab on the dashboard. |
| 5 | Dashboard content for the selected view and filter. For example, the current dashboard in the image displays the UCC tab under Manage > Applications in the List view for the Global filter. |
| 6 | Time range filter. This is displayed for selected dashboards only. |
| 7 | List view to display tabular data for the selected filter. This is displayed for selected dashboards only. |
| 8 | Summary view to display charts for the selected filter. This is displayed for selected dashboards only. |
| 9 | Config view to enable configuration options for the selected filter. This is displayed for selected dashboards only. |

Types of Dashboards in the Network Operations App

The Network Operations app uses a filter to set the dashboard context for the app. The menu for the left navigation pane changes according to the selected filter value.
Selecting any item on the left navigation pane displays a corresponding dashboard. Accordingly, for different values of the filter, the content displayed for the left navigation menu and the dashboard context differs.

The dashboard for any item on the left navigation menu can have a combination of the following views:

- Summary view: Click the Summary icon to display the summary dashboard. The summary dashboard displays a number of charts. For example, for the global dashboard, under Manage, the Overview > Network Health tab in Summary view displays a map of the available sites and their corresponding health. If available, use the time range filter to change the time-lines for the charts.
- List view: Click the List icon to display tabular data for a selected dashboard. For example, for the global dashboard under Manage, the Overview > Network Health tab in List view displays a list of the available sites managed by Aruba Central. If available, use the time range filter to change the time-lines for the tabular data.
- Config view: Click the Config icon to enable the configuration options for a specific dashboard. For example, for the global dashboard under Manage, the Applications > UCC tab in Config view displays various configuration options for UCC.
- AOS-CX view: Click the AOS-CX icon to enable the configuration options for AOS-CX switches.
- AOS-S view: Click the AOS-S icon to enable the configuration options for the AOS-S switches.

The Summary, List, and Config icons are displayed in the same order for all dashboards.

The default view is displayed when you select any item on the left navigation menu and the tabs on the dashboard. For example, if you select the Global filter, and then select Devices on the left navigation menu, the List view is displayed for all the tabs on the dashboard by default. If you select Overview on the left navigation menu, the Summary view is displayed by default.
On any dashboard, when you select a view, the view is retained when you switch between the tabs on the same dashboard. If a particular view is not applicable for a tab, the default view for the tab is selected. For example, if you select the Global filter, and then select Manage > Devices > Access Points, the List view is displayed by default. When you are in the Access Points tab, if you select the Summary view, and then select the Switches tab, the Summary view for the Switches tab is displayed.

Navigating to the Switch, Access Point, or Gateway Dashboard

In the Network Operations app, you can navigate to a device dashboard for a switch, access point, or gateway. The device dashboard enables you to monitor, troubleshoot, or configure a single device. In order to do this, complete the following steps:

1. In the Network Operations app, set the filter to a group, label, or site. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage > Devices, select one of the following options:
   - To view an access point dashboard, click the Access Points tab.
   - To view a switch dashboard, click the Switches tab.
   - To view a gateway dashboard, click the Gateways tab.
   The list of devices is displayed in List view.
3. Click a device listed under Device Name. The dashboard context for the specific device is displayed.

To exit the device dashboard, click the back arrow on the filter.

Workflow to Configure, Monitor, or Troubleshoot in the Network Operations App

The following image displays a flowchart to help you navigate the Network Operations app to complete any task.

Figure 7: Navigation Workflow for Network Operations App

The Standard Enterprise Mode

This section discusses the user interface for the Standard Enterprise mode for the Network Operations app. This mode is intended for customers who manage their respective accounts end-to-end.
In the Standard Enterprise mode, the customers have complete access to their accounts. They can also provision and manage their respective accounts.

The following topics are discussed in this section:

- Launching the Network Operations App
- Parts of the Network Operations App User Interface
- Search Bar
- Help Icon
- Account Home Icon
- User Icon
- Filter
- Time Range Filter
- Left Navigation Pane

Launching the Network Operations App

If the Network Operations app is the only app provisioned, the Network Operations app is displayed at each user login. If there are a number of apps provisioned such as Network Operations, ClearPass Device Insight and so on, the Account Home page is displayed at each user login. From the Account Home page, you can manage network inventory, subscriptions, and user access.

In the event of multiple apps provisioned, perform the following steps to launch the Network Operations app:

1. Log in to the Account Home page. The Account Home page displays the apps and Global Settings. For more information, see Accessing Aruba Central Portal.
2. Click Launch on the Network Operations tile. The Network Operations app is launched.

Figure 8: Launching the Network Operations App

Parts of the Network Operations App User Interface

After you launch the Network Operations app, the Standard Enterprise view is displayed.

Figure 9: Parts of the Network Operations App

| Callout Number | Description |
|---|---|
| 1 | Filter to select an option under Groups, Labels, or Sites. For all devices, select Global. To select a specific device, see Navigating to the Switch, Access Point, or Gateway Dashboard. The example in the image shows the filter set to a group called "IAP_setup_GW". For more information, see Filter. |
| 2 | Health Bar for the selected filter. For more information, see The Health Bar. |
| 3 | First-level tab for the selected dashboard, corresponding to the selected item in the left navigation pane. The example in the image shows the first-level tab selection as Gateways under Manage > Devices for the group dashboard. |
| 4 | Search bar. For more information, see Search Bar. |
| 5 | Notifications. Displays notifications like critical alerts, dynamic PCAP, and crash logs. |
| 6 | Help icon. For more information, see Help Icon. |
| 7 | Account Home icon. For more information, see Account Home Icon. |
| 8 | User settings icon. For more information, see User Icon. |
| 9 | Menu item under left navigation contextual menu. Menu is dependent on the filter selection. For more information, see Types of Dashboards in the Network Operations App. |
| 10 | Second-level tab for the dashboard, corresponding to the selected first-level tab. The example in the image shows the second-level tab selection as Gateways under Manage > Devices > Gateways for the group dashboard. |
| 11 | Icon is for filtering the data of the selected column. |
| 12 | Time range filter icon. Click the time range filter icon and select a duration to view data for that duration. This icon is not available for all pages. |
| 13 | List icon. Click the List icon to view a tabular representation of the data. This icon is not available for all pages. |
| 14 | Summary icon. Click the Summary icon to view a graphical representation of the data. This icon is not available for all pages. |
| 15 | Config icon. Click the Config icon to enable configuration mode. This icon is not available for all pages. |
| 16 | Icon is for selecting or resetting the column headers for the selected page. |

Search Bar The search bar Help Icon enables users to look for help information. The help icon contains the following options:

- Tutorials: Displays the Aruba Central product learning center.
- Feedback: Allows you to provide feedback on the Aruba Central.
  You can choose a rating from 1 to 10, where 1 is extremely unlikely and 10 is extremely likely, type your comment into the box, and click Submit to submit the feedback.
- Documentation Center: Directs you to the online help documentation.
- Get help on this page: Selecting this option changes the appearance of some of the text on the UI to green italics. On the UI, when you point to the text in green italics, a dialog box displays the help information for that text. To disable this option, click Done.
- Airheads Community: Directs you to the Aruba support forum at https://community.arubanetworks.com/t5/Cloud-Managed-Networks/bd-p/CloudManagedNetworks.
- View / Update Case: Enables you to view or edit an existing support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.
- Open New Case: Enables you to create a new support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.

Account Home Icon

The Account Home icon enables you to go to the Account Home page and switch to another app if you have one subscribed. Most of the apps require service subscriptions to be enabled on the devices. Contact your administrator or the Aruba Central Support team to obtain access to an application service.

User Icon

The user icon enables you to view user account details such as account name, domain, customer ID, and zone details. It also includes the following options for managing your accounts:

- Switch Customer: Enables you to switch to another account. This is especially required during troubleshooting scenarios.
- Change Password: Enables you to change the password of the account.
- User Settings
  - Time Zone: Displays the zone, date, time, and time zone of the region.
  - Language: Administrators can set a language preference. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese languages.
  - Idle Timeout: Administrators can set a timeout value for inactive user sessions in the Idle Timeout field. The value is in minutes.
  - Get system maintenance notifications: Administrators can select the check box to receive system maintenance notification on their registered email ID. Email notifications are sent before any scheduled maintenance activity or unplanned outage.
  - Get software update notifications: Administrators can select the check box to receive software update notification on their registered email ID.
- Enable MSP: Enables MSP mode and switches the user interface to the MSP mode. This option changes to Disable MSP when the MSP mode is enabled. You can select Disable MSP to switch to the Standard Enterprise interface. The MSP mode can be disabled only if there is no tenant data. The option is grayed out if there are any active tenant accounts.
- Terms of Service: Displays the terms and conditions for using Aruba Central services.
- Logout: Enables you to log out of your account.

Filter

The filter enables you to set the dashboard context to a value under one of the following options:

- Groups: Sets the dashboard context to a group of devices.
- Sites: Sets the dashboard context to a site.
- Labels: Sets the dashboard context to a label.

If no filter is applied, by default the filter is set to Global for all devices. Use the search box in the filter to enter an available group, site, or label name and then select the option to set the filter.

Hovering over Groups, Labels, or Sites displays the associated config icon. Clicking on the config icon redirects you to Maintain > Organization in the global dashboard.

Time Range Filter

The time range filter enables you to set a time duration for showing monitoring and reports data. The option is displayed for selected dashboards only.
You can set the filter to any of the following time ranges:

- 3 hours
- 1 day
- 1 week
- 1 month
- 3 months

Left Navigation Pane

The left navigation pane is a contextual menu that displays a number of configuration, monitoring, and troubleshooting options depending on filter value.

This topic discusses the Network Operations app in MSP mode. To know more about the Account Home page, see the online Aruba Central documentation.

The MSP mode is intended for the managed service providers who manage multiple distinct tenant accounts. The MSP mode allows service providers to provision and manage tenant accounts, assign devices to tenant accounts, manage subscription keys and other functions such as configuring network profiles and viewing alerts.

Launching the Network Operations App for MSP

Aruba Central in MSP mode consists of the Network Operations app and the Account Home page.

After you create an Aruba Central account, the link to Aruba Central portal will be sent to your registered email address. You can use this link to log in to Aruba Central. If you are accessing the login URL from the www.arubanetworks.com website, ensure that you select the zone in which your account was created.

The Network Operations app is displayed at each user login to Aruba Central. From the Network Operations app, you can navigate to the Account Home page by clicking the Account Home icon. From the Account Home page, you can navigate to the Network Operations app by clicking the Launch button for the Network Operations tile.

Figure 10: Launching the Network Operations App for MSP from Account Home

Parts of the Network Operations App for MSP

After you launch the Network Operations app, the MSP view opens.

Figure 11: Parts of the Aruba Central User Interface for MSP

| Callout Number | Description |
|---|---|
| 1 | Filter to select a group or all groups. For more information, see Filter. Here, the global dashboard is displayed as the filter is set to All Groups. |
| 2 | First-level tab on dashboard. The dashboard may also have second and third-level tabs dependent on the filter selection. |
| 3 | Menu item under left navigation contextual menu. Menu is dependent on the filter selection. |
| 4 | Help icon. For more information, see Help Icon. |
| 5 | Account Home icon. |
| 6 | User Settings icon. For more information, see User Icon. |
| 7 | Summary view. Click the Summary icon to view a graphical representation of the data. Only applicable for the global dashboard. |
| 8 | List view. Click the List icon to view a tabular representation of the data. Only applicable for the global dashboard. |
| 9 | Config view. Click the Config icon to enable configuration mode. |

Help Icon

The help icon contains the following options:

- Get help on this page: Selecting this option changes the appearance of some of the text on the UI to green italics. On the UI, when you point to the text in green italics, a dialog box displays the help information for that text. To disable this option, click Done.
- Tutorials: Displays the Aruba Central product learning center.
- Feedback: Allows you to provide feedback on the Aruba Central. You can choose a rating from 1 to 10, where 1 is extremely unlikely and 10 is extremely likely, type your comment into the box, and click Submit to submit the feedback.
- Documentation Center: Directs you to the online help documentation.
- Airheads Community: Directs you to the Aruba support forum.
- View / Update Case: Enables you to view or edit an existing support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.
- Open New Case: Enables you to create a new support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.

Account Home Icon

The Account Home icon enables you to go to the Account Home page.
User Icon

The user icon enables you to view user account details such as account name, domain, customer ID, and zone details. It also includes the following options for managing your accounts:

- Switch Customer: Enables you to switch to another account. This is especially required during troubleshooting scenarios.
- Change Password: Enables you to change the password of the account.
- User Settings
  - Time Zone: Displays the zone, date, time, and time zone of the region.
  - Language: Administrators can set a language preference. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese languages.
  - Idle Timeout: Administrators can set a timeout value for inactive user sessions in the Idle Timeout field. The value is in minutes.
  - Get system maintenance notification: Administrators can select the check box to get system maintenance notification.
  - Get software update notifications: Administrators can select the check box to get software update notification.
- Disable MSP: Disables MSP mode and switches the user interface to the standard enterprise mode. This option changes to Enable MSP when the MSP mode is disabled. You can select Enable MSP to switch to the MSP mode. The MSP mode can be disabled only if there is no tenant data. The option is grayed out if there are any active tenant accounts.
- Terms of Service: Displays the terms and conditions for using Aruba Central services.
- Logout: Enables you to log out of your account.

Filter

The filter enables you to select a group or All Groups for performing specific configuration and monitoring tasks. If no filter is applied, by default the filter is set to All Groups. When you set the filter to All Groups, the global dashboard is displayed and when you set the filter to a group, the group dashboard is displayed. You can type a group name to start your search for a filter value.
Figure 12: MSP Filter set to Global on Selecting All Groups

Time Range Filter

The time range filter enables you to set a time duration for showing monitoring and reports data. This time filter is not displayed when you view the configuration or device details. It is displayed only when you view monitoring data. You can set the filter to any of the following time ranges:

- 3 hours
- 1 day
- 1 week
- 1 month
- 3 months

The Global Dashboard in MSP Mode

In the Network Operations app in MSP mode, use the filter to select All Groups. The global dashboard is displayed.

In the global dashboard under the left navigation pane, you can see a number of menu items divided under the following categories: Manage, Analyze, and Maintain. Selecting each menu item in the left navigation pane displays a corresponding dashboard with tabs. Each tab may support all or some of the following functions:

- Summary: Click the icon to view a graphical representation of the data. Only applicable for the global dashboard.
- List: Click the icon to view a tabular representation of the data. Only applicable for the global dashboard.
- Config: Click the icon to enable configuration mode.

The Group Dashboard in MSP Mode

In the Network Operations app in MSP mode, use the filter to select a group. The group dashboard is displayed.

Figure 13: Launching the Group Dashboard for MSP

Some tabs or options may not be seen in your dashboard view if you are not an administrator for the Aruba Central account.

In the group dashboard under the left navigation pane, you can see the Device and Guest options under Manage. Selecting an option in the left navigation pane displays a corresponding dashboard with tabs. Each tab supports the Config view that enables the configuration mode. The next sections discuss the left navigation menu items in the group dashboard.
The Health Bar

The Health Bar provides a snapshot of the overall health of the devices configured as part of the specific dashboard. The applicable dashboard includes global, group, site, client, and device dashboards. The topic discusses the following:

- Health Bar for the Global Dashboard
- Health Bar for the Group Dashboard
- Health Bar for the Site Dashboard
- Health Bar for the AP Dashboard
- Health Bar for the Switch Dashboard
- Health Bar Dashboard for the Gateway Dashboard
- Health Bar for the Wireless Client Dashboard
- Health Bar for the Wired Client Dashboard
- Health Bar for the Remote Client Dashboard

Viewing the Health Bar Dashboard

To view the Health Bar, perform the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed in the List view.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.
   - To select a client:
     a. Set the filter to Global.
     b. Under Manage, click Clients. A list of clients is displayed in the List view.
     c. Click a client listed under Client Name. The dashboard context for the client is displayed.
   The Health Bar icon displays the overall health of the network of the selected filter as either online or offline.
2. In the selected filter, click the Health Bar icon to expand the Health Bar dashboard.
3. Use the pin icon to pin the Health Bar dashboard to the Network Operations app display.

Health Bar for the Global Dashboard

The following image shows the Health Bar for the global dashboard.
Figure 14: Expanded but Unpinned Health Bar in the Global Dashboard

Health Bar Icons (Icon Type: Description)

- This icon is specific to Site, Device, and Client dashboard. It indicates that there are no issues in the connection.
- This icon is specific to Site, Device, and Client dashboard. It indicates that there is an issue in the connection.
- This icon is specific to the Global and Group dashboards, and the health is not calculated at these levels.

Device and Clients Status Icons (Icon Type: Description)

- First icon:
  - For devices, indicates the number of devices that are online.
  - For clients, indicates the number of clients that are connected.
  - For radios, indicates the number of radios that are in good health status.
  - For tunnels, indicates the number of tunnels that are up.
- Second icon:
  - For devices, indicates the number of devices that are offline.
  - For clients, indicates the number of failed clients.
  - For AI Insights, indicates the number of insights that are of high priority.
  - For radios, indicates the number of radios that are in poor health status.
  - For tunnels, indicates the number of tunnels that are down.
- Third icon: For radios, indicates the number of radios that are disabled.
- Fourth icon: For AI Insights, indicates the number of insights that are of medium priority.
- Fifth icon: For AI Insights, indicates the number of insights that are of low priority.

The Health Bar icon indicating the status changes to red when the value for one of the following parameters in the List view is greater than zero for the Down status:

- Number of devices
  - Status
  - High Mem Usage
  - High CPU Usage
  - High CH Utilization
  - High Noise
- Uplink Status
- Tunnels Status

The following table includes information on the various parameters of the Health Bar displayed for a global dashboard. The Health Bar in a global dashboard is in the context of all devices.
Parameter and Description:

Access Points
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Gateways
- Displays the number of gateways that are online and the number of gateways that are offline.
- The number in green indicates the number of gateways that are online.
- Clicking the number in green redirects you to Manage > Devices > Gateways > Online in List view.
- The number in red indicates the number of gateways that are offline.
- Clicking the number in red redirects you to Manage > Devices > Gateways > Offline in List view.

Clients
- Displays the number of clients that are connected and the number of clients that are failed.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that are failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

Health Bar for the Group Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a group dashboard.
The Health Bar in a group dashboard is in the context of all devices configured as part of that group.

Access Points:
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches:
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Gateways:
- Displays the number of gateways that are online and the number of gateways that are offline.
- The number in green indicates the number of gateways that are online.
- Clicking the number in green redirects you to Manage > Devices > Gateways > Online in List view.
- The number in red indicates the number of gateways that are offline.
- Clicking the number in red redirects you to Manage > Devices > Gateways > Offline in List view.

Clients:
- Displays the number of clients that are connected and the number of clients that are failed.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that are failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.
Health Bar for the Site Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a site dashboard. The Health Bar in a site dashboard is in the context of all devices configured as part of that site. The values are refreshed every minute.

When there is any issue in the connection, short descriptions are displayed for the Potential Issues label. If there are multiple criteria issues, only the issue criteria with the highest priority is displayed. The <+x> next to the description indicates that there are more issues. You can hover over the value to view the description of the issue. For more information, see Site Health Dashboard.

Access Points:
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches:
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Gateways:
- Displays the number of gateways that are online and the number of gateways that are offline.
- The number in green indicates the number of gateways that are online.
- Clicking the number in green redirects you to Manage > Devices > Gateways > Online in List view.
- The number in red indicates the number of gateways that are offline.
- Clicking the number in red redirects you to Manage > Devices > Gateways > Offline in List view.

Clients:
- Displays the number of clients that are connected and the number of clients that are failed for the last three hours.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that are failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

AI Insights:
- Displays the number of insights categorized by status.
- The number in red indicates the insights are of high priority.
- The number in orange indicates the insights are of medium priority.
- The number in yellow indicates the insights are of low priority.
- Clicking the numbers redirects you to Manage > Overview > AI Insights at the site context.

Health Bar for the AP Dashboard

The following table includes information on the various parameters of the Health Bar displayed for an AP. If the AP is not online and running, not all of the following data is available.

AP Status:
- Value can be Online Since, Offline, Operating under Thermal Management, or All tunnels down.
- If the value is Online Since, it also displays the time period, in the format of days-hours-minutes, for which the AP has been online and running.
- When an AP operates under thermal management, the device health is displayed as Poor and the radios are in disabled mode. For more information, see Thermal Shutdown Support in IAP.
- If all the tunnels are down, and the AP is operating under thermal shutdown, the AP status in the health bar is displayed as All tunnels down, and the device health as Poor.

Device Health:
- Displays the performance of the AP in terms of the CPU and memory usage.
- For example, the device health is Good when the CPU usage is less than or equal to 70% and the memory usage is less than or equal to 90%.
  If the value of the CPU and/or memory usage falls below the threshold, the device health is displayed as Poor. If the AP is down, the value is Offline. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Device Health status to get the exact percentage value of the memory and CPU usage.
- If all tunnels are down, the Device Health is displayed as Poor, and hovering over the Device Health displays All tunnels down.

Radio Health:
Radio health indicates the number of radios in good, poor, or disabled state and summarizes the Radio 2.4 GHz, Radio 5 GHz, Radio 5 GHz (Secondary), and Radio 6 GHz health details. Hovering over the Radio Health bar displays the device health, the exact value of the channel utilization, and the noise floor details.

  Radio 2.4 GHz:
  - Displays the performance of an AP in terms of the channel utilization and noise floor in the 2.4 GHz channel.
  - For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.

  Radio 5 GHz:
  - Displays the performance of an AP in terms of the channel utilization and noise floor in the 5 GHz channel.
  - For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.

  Radio 5 GHz (Secondary):
  - Displays the performance of an AP in terms of the channel utilization and noise floor in the 5 GHz (Secondary) channel.
  - For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.

  NOTE: In the Radio Health page, the Radio 5 GHz (Secondary) data is available only for AP-555 and only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.

  Radio 6 GHz:
  - Displays the performance of the AP in terms of the channel utilization and noise floor in the 6 GHz channel.
  - For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.

  NOTE: The Radio 6 GHz data is only available for devices with 6 GHz capability.

Tunnels:
Indicates the number of tunnels that are up and down. AP status and device health value in the health bar change according to the changes in the tunnel status.
- If all the tunnels are down, the AP status in the health bar is displayed as All tunnels down, and the device health as Poor.
- If all the tunnels are down, and the AP is operating under thermal shutdown, the AP status in the health bar is displayed as All tunnels down, and the device health as Poor.
- If the AP is offline, the health bar displays the number of up tunnels as 0, the number of down tunnels as the number of the configured tunnel, and the device health as Offline.
- If you click on the up or down tunnel count on the health bar, you will be redirected to the VPN tunnel page.

NOTE: Tunnel status in the health bar is not available for the member of a cluster device.

Virtual Controller:
Indicates if the AP is connected to a virtual controller. If the AP is connected, clicking on the virtual controller name redirects you to the Manage > Overview > Summary page for the virtual controller.

Health Bar for the Switch Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a switch. If the switch is not online and running, not all of the following data is available.

Switch Status:
Displays the time period for which the switch has been online and running or its offline status.

Device Health:
- Displays the performance of the switch in terms of the CPU and memory usage.
- For example, the device health is Good when the CPU usage is less than or equal to 70% and the memory usage is less than or equal to 70%. If the value of the CPU and/or memory usage falls below the threshold, the device health is displayed as Poor.
- Hover over the Device Health status to get the exact percentage value of the memory and CPU usage.

Port - Status:
- Displays the number of ports on the switch that are online and the number of ports that are offline.
- The number in green indicates the number of switch ports that are online.
- The number in red indicates the number of switch ports that are offline.

Port - Alerts:
- Displays the total number of open alerts.

Health Bar Dashboard for the Gateway Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a gateway. If the gateway is not online and running, not all of the following data is available.
Gateway Status:
Displays the time period, in the format of days-hours-minutes, for which the gateway has been running or its offline status.

WAN:
- Displays the number of WAN ports as online or offline.
- The number in green indicates the number of WAN ports that are online.
- The number in red indicates the number of WAN ports that are offline.
- Clicking the numbers redirects you to Manage > WAN > Summary.

LAN:
- Displays the number of LAN ports as online or offline.
- The number in green indicates the number of LAN ports that are online.
- The number in red indicates the number of LAN ports that are offline.
- Clicking the numbers redirects you to Manage > LAN > Summary.

Tunnels:
- Displays the number of VPN tunnels as online or offline.
- The number in green indicates the number of VPN tunnels that are online.
- The number in red indicates the number of VPN tunnels that are offline.
- Clicking the numbers redirects you to Manage > WAN > Tunnels.

Path Steering:
- Displays the number of path steering policies that are compliant of the total number of policies.
- Clicking the numbers redirects you to Manage > WAN > Path Steering.

Alerts:
- Displays the total number of open alerts.
- Clicking the number redirects you to Analyze > Alerts & Events in List view.

Health Bar for the Wireless Client Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a wireless client.

Client Status: Displays the connection status of the client.

Device Health: Displays the device health of the client.

Signal Quality: Displays the signal quality in dB.

Tx | Rx Rate: Displays the transmit and receive rate in Mbps.

Connected To:
- Displays the device to which the wired client is connected.
- Clicking on the device redirects you to the Manage > Overview > Summary page for that device.
Refresh icon: Refreshes the data on the Health Bar for the client.

Health Bar for the Wired Client Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a wired client.

Client Status: Displays the connection status of the client.

Connected Port: Displays the port to which the client is connected.

Connected To:
- Displays the device to which the wired client is connected.
- Clicking on the device redirects you to the Manage > Overview > Summary page for that device.

Refresh icon: Refreshes the data on the Health Bar for the client.

Health Bar for the Remote Client Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a remote client.

Client Status: Displays the connection status of the client.

Connected To:
- Displays the name of the gateway to which the remote client is connected.
- Clicking on the device redirects you to the Manage > Overview > Summary page for that device.

Refresh icon: Refreshes the data on the Health Bar for the client.

The Global Dashboard

In the Network Operations app, the global dashboard is displayed when the filter is set to Global. The global dashboard displays information related to all devices registered to that account in Aruba Central. Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central account.

Table 16: Contents of the Global Dashboard

Manage > Overview
- Network Health: Displays information of the networks sorted by site, including information on network devices and WAN connectivity of individual sites. For more information, see Network Health Dashboard.
- WAN Health: Displays detailed information of the network health status and usage for the sites in which Branch Gateways and VPN Concentrators are configured in your setup. For more information, see WAN Health--Global.
- Summary: Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range Filter. For more information, see Global--Summary
- Wi-Fi Connectivity: Displays an overall view of the connection details for all clients that are connected to or tried to connect to each connection phase. The connection phases include Association, Authentication, DHCP, and DNS. For more information, see Wi-Fi Connectivity.
- AI Insights: Displays a report of network events that may affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level observed in the network for the selected time range. Each insight report provides specific details on the occurrences of these events for ease in debugging. For more information, see .

Manage > Devices
- Access Points: Displays the access points information in the following views:
  - Summary view: Monitoring APs in Summary View
  - List view: Monitoring APs in List View
- Switches: Displays the switches information in the following views:
  - Summary view: Monitoring Switches in Summary View
  - List view: Monitoring Switches in List View
- Gateways: Displays the gateways information in the following views:
  - Summary view: Monitoring Gateways in Summary View
  - List view: Monitoring Gateways in List View

Manage > Clients
- Clients: Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.

Manage > Guests
- Guest Access: Enables guest users to connect to the network and at the same time, allows the administrator to control guest user access to the network. For more information, see Guest Access.
- Presence Analytics: Enables businesses to collect real-time data on user footprints within the wireless network range of Aruba Instant APs that are managed using Aruba Central. For more information, see Presence Analytics.

Manage > Applications
- Visibility: Provides a summary of client traffic and their data usage to and from applications and websites. Also, analyzes the client traffic flow using the graphs displayed. For more information, see Application Visibility.
- SAAS Express: Enables the following to provide an improved user experience: discovering SaaS application servers, monitoring application performance, and steering traffic to the best available servers. For more information, see SaaS Application Traffic Management with SaaS Express.

Manage > Security
- RAPIDs: Helps to identify and act on interfering devices that can be later considered for investigation, restrictive action, or both. For more information, see Rapids.
- Gateway IDS/IDPS: Enables traffic inspection, threat detection, and threat prevention on the Aruba Branch Gateways. For more information, see Overview of Aruba IDPS.
- Firewall: Monitors traffic coming into and going out of the Aruba Central-managed network and acts as an investigative resource for users to track blocked sessions within the network. For more information, see Firewall.

Manage > Network Services
- SD-WAN Overlay: Configured IPsec tunnels between the Branch Gateways and VPN Concentrators provisioned in an Aruba Central account. For more information, see SD-WAN Overlay Tunnel and Route Orchestration.
- Virtual Gateways: Helps deploy a virtualized instance of a headend gateway in the customer's public cloud infrastructure.
  The virtualized instance of Aruba Gateway is referred to as Virtual Gateway. For more information, see Deploying Aruba Virtual Gateways.
- Cloud Connect: Helps integrate SD-Branch with Zscaler and allows you to set up and maintain secure tunnels between Aruba Branch Gateways and Zscaler Public Service Edges. For more information, see Aruba SD-Branch Integration with Zscaler through Cloud Connect Service.
- Cloud Security (Legacy): Helps integrate SD-Branch with Zscaler and allows you to set up tunnels automatically or manually between Aruba Branch Gateways and Zscaler Public Service Edges. For more information, see Aruba SD-Branch Integration with Zscaler Cloud Security Service.

Analyze > Alerts and Events
- Alerts & Events: Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Audit Trail
- Audit Trail: Shows the total number of logs generated for all device management, configuration, and user management events triggered in Aruba Central. For more information, see Viewing Audit Trail.

Analyze > Tools
- Network Check, Device Check, Commands, Health Checks: Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports
- Reports: Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.

Maintain > Firmware
- Access Points, Switch-MAS, Switches, Gateways: Provides an overview of the latest supported version of firmware for the device, details of the device, and the option to upgrade the device. For more information, see Managing Software Upgrades.

Maintain > Organization
- Groups: A group in Aruba Central is the primary configuration element that functions as a container for device management, monitoring, and maintenance. Groups enable administrators to manage devices efficiently by using either a UI-based configuration workflow or CLI-based configuration template. For more information, see Groups for Device Configuration and Management.
- Sites and Labels: A site refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Labels are tags attached to a device provisioned in the network. Labels determine the ownership, departments, and functions of the devices. For more information, see Managing Sites and Labels.
- Certificates: Enables administrators to upload a valid certificate signed by a root CA so that devices are validated and authorized to use Aruba Central. For more information, see Groups for Device Configuration and Management.
- Install Manager: Simplifies and automates site deployments, and helps IT administrators manage site installations with ease. For more information, see Installation Management.

The Group Dashboard

In the Network Operations app, the group dashboard is displayed when the filter is set to a UI or template group. A template group is marked by a superscript TG tag. The following table lists all the available menu items in the Network Operations app for the group dashboard. Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central account.

Table 17: Contents of the Group Dashboard

Manage > Overview
- Summary: Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range filter.
  For more information, see Global--Summary
- Wi-Fi Connectivity: Displays an overall view of the connection details for all clients that are connected to or tried to connect to each connection phase. The connection phases include Association, Authentication, DHCP, and DNS. For more information, see Wi-Fi Connectivity.

Manage > Devices
- Access Points: Displays the access points information in the following views:
  - Summary view: Monitoring APs in Summary View
  - List view: Monitoring APs in List View
  - Config view: Provisioning Instant APs
- Switches: Displays the switches information in the following views:
  - Summary view: Monitoring Switches in Summary View
  - List view: Monitoring Switches in List View
  - Config view: Getting Started with AOS-S Deployments
- Gateways: Displays the gateways information in the following views:
  - Summary view: Monitoring Gateways in Summary View
  - List view: Monitoring Gateways in List View
  - Config view: Provisioning Aruba Gateways in Aruba Central.

Manage > Clients
- Clients: Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.

Manage > Applications
- Visibility: Provides a summary of client traffic and their data usage to and from applications and websites. Also, analyzes the client traffic flow using the graphs displayed. For more information, see Application Visibility.

Manage > Security
- RAPIDs: Helps to identify and act on interfering devices that can be later considered for investigation, restrictive action, or both. For more information, see Rapids.
- Gateway IDS/IDPS: Enables traffic inspection, threat detection, and threat prevention on the Aruba Branch Gateways. For more information, see Overview of Aruba IDPS.

Analyze > Alerts and Events
- Alerts & Events: Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Audit Trail
- Audit Trail: Shows the total number of logs generated for all device management, configuration, and user management events triggered in Aruba Central. For more information, see Viewing Audit Trail.

Analyze > Tools
- Network Check, Commands: Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports
- Reports: Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.

Maintain > Firmware
- Access Points, Switches, Gateways: Provides an overview of the latest supported version of firmware for the device, details of the device, and the option to upgrade the device. For more information, see Managing Software Upgrades.

The Label Dashboard

In the Network Operations app, the label dashboard is displayed when the filter is set to any of the options under Labels. The site dashboard displays information related to all devices configured for that site in Aruba Central.

Table 18: Contents of the Label Dashboard

Manage > Devices
- All Devices: Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range filter. For more information, see Global--Summary
- Access Points: Displays the access points information in the following views:
  - Summary view: Monitoring APs in Summary View
  - List view: Monitoring APs in List View
- Switches: Displays the switches information in the following views:
  - Summary view: Monitoring Switches in Summary View
  - List view: Monitoring Switches in List View
- Gateways: Displays the gateways information in the following views:
  - Summary view: Monitoring Gateways in Summary View
  - List view: Monitoring Gateways in List View

Manage > Clients
- Clients: Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.

Manage > Security
- RAPIDs: Identify and act on interfering devices that can be later considered for investigation, restrictive action, or both. Once the interfering devices are discovered, Aruba Central sends alerts to the network administrators about the possible threat and provides essential information needed to locate and manage the threat. For more information, see Rapids.

Analyze > Alerts and Events
- Alerts & Events: Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Tools
- Network Check, Device Check, Commands: Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports
- Reports: Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.

The Site Dashboard

In the Network Operations app, the site dashboard is displayed when the filter is set to any of the options under Sites. The site dashboard displays information related to all devices configured for that site in Aruba Central.

Table 19: Contents of the Site Dashboard

Manage > Overview
- Site Health: Displays details of wired and wireless devices deployed on the site. This page includes information on client connectivity statistics, change logs, health of devices, and RF health of the site. For more information, see Site Health Dashboard.
- Summary: Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range filter. For more information, see Global--Summary
- Wi-Fi Connectivity: Displays an overall view of the connection details for all clients that are connected to or tried to connect to each connection phase. The connection phases include Association, Authentication, DHCP, and DNS. For more information, see Wi-Fi Connectivity.
- WAN Health: Displays details for the wired, wireless, and gateway devices deployed on the site. For more information, see WAN Health--Site.
- AI Insights: Displays a report of network events that may affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level in the network for the selected time range. Each insight report provides specific details on the occurrences of these events for ease in debugging. For more information, see .
- Topology: Provides a graphical representation of the site including the network layout, details of the devices deployed, and the health of the WAN uplinks and tunnels. For more information, see Monitoring Sites in the Topology Tab.
- Floor Plans: Provides information regarding the current location of the Instant AP. For more information, see Access Point > Overview > Floor Plan.

Manage > Devices
- Access Points:
  Displays the access points information in the following views:
  - Summary view: Monitoring APs in Summary View
  - List view: Monitoring APs in List View
- Switches: Displays the switches information in the following views:
  - Summary view: Monitoring Switches in Summary View
  - List view: Monitoring Switches in List View
- Gateways: Displays the gateways information in the following views:
  - Summary view: Monitoring Gateways in Summary View
  - List view: Monitoring Gateways in List View

Manage > Clients
- Clients: Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.

Manage > Applications
- Visibility: Provides a summary of client traffic and their data usage to and from applications and websites. Also, analyzes the client traffic flow using the graphs displayed. For more information, see Application Visibility.

Manage > Security
- RAPIDS: Identify and act on interfering devices that can be later considered for investigation, restrictive action, or both. Once the interfering devices are discovered, Aruba Central sends alerts to the network administrators about the possible threat and provides essential information needed to locate and manage the threat. For more information, see Rapids.

Manage > Guests
- Presence Analytics: Enables businesses to collect real-time data on user footprints within the wireless network range of Aruba Instant APs that are managed using Aruba Central. For more information, see Presence Analytics.

Analyze > Alerts and Events
- Alerts & Events: Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Live Events
- Live Events: Enables you to troubleshoot issues related to a wireless client connected to an access point or a wired client connected to a switch. For more information, see Client Live Events.
Analyze > Tools
  - Network Check
  - Commands
  Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.
Analyze > Reports
  Reports: Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.

The Access Point Dashboard

In the Network Operations app, the access point dashboard is displayed when the filter is set to an access point. To navigate to an access point dashboard, see Navigating to the Switch, Access Point, or Gateway Dashboard. The following table lists all the available menu items in the Network Operations app for the access point dashboard.

Table 20: Contents of the Access Point Dashboard

Left Navigation Menu | First-Level Tabs | Description

Manage > Overview
  Summary: Displays the AP device details, network information, radio details including the topology of clients connected to each radio, and the health status of the AP in the network. See Access Point > Overview > Summary.
  AI Insights: Displays information on AP performance issues such as excessive channel changes, excessive reboots, airtime utilization, and memory utilization. See Access Point > Overview > AI Insights.
  Floor Plan: Displays information regarding the current location of the Instant AP. See Access Point > Overview > Floor Plan.
  Performance: Displays the size of data transmitted through the AP. See Access Point > Overview > Performance.
  RF: Displays details corresponding to 2.4 GHz, 5 GHz, and 5 GHz Secondary radios of the AP. See Access Point > Overview > RF.
  Spectrum: Displays details for all Wi-Fi and non-Wi-Fi devices associated to each radio. See Access Point > Overview > Spectrum.
Manage > Device
  Access Point Configuration using UI groups: Enables AP configuration in the Config view.
    See Deploying a Wireless Network Using IAPs. Configuration using UI groups contains the following second-level tabs:
    - WLANs--Configure wireless network profiles on Instant APs. See Configuring Wireless Network Profiles on IAPs.
    - Access Points--Configure device parameters on Instant APs. See Configuring Device Parameters.
    - Radios--Configure ARM and RF parameters on Instant APs. See Configuring ARM and RF Parameters on IAPs.
    - Interfaces--Configure interface parameters on Instant APs. See Configuring Uplink Interfaces on IAPs.
    - Security--Configure authentication and security profiles on Instant APs. See Configuring Authentication and Security Profiles on IAPs.
    - VPN--Configure VPN host settings on an Instant AP to enable communication with a controller in a remote location. See Configuring IAPs for VPN Tunnel Creation.
    - Services--Configure AirGroup, location services, Lawful Intercept, OpenDNS, and Firewall services on Instant APs. See Configuring Services.
    - System--Configure system parameters on Instant APs. See Configuring Systems.
    - Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.
  Access Point Configuration using template groups: Configuration using template groups contains the following second-level tabs:
    - Templates--Configure Access Points using template groups. See Configuring APs Using Templates.
    - Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. See Managing Variable Files.
    - Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.
Manage > Clients
  Clients: Displays details of all the clients connected to a specific AP. See Access Point > Clients > Clients.
Manage > Security
  VPN: Displays information on VPN connections associated with the virtual controller along with information on the tunnels and the data usage through each of the tunnels. See Access Point > Security > VPN.
Analyze > Alerts & Events
  Alerts & Events: The Alerts & Events tab displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. See Access Point > Alerts & Events > Alerts & Events.
Analyze > Audit Trail
  Audit Trail: The Audit Trail tab displays the logs for all the device management, configuration, and user management events triggered in Aruba Central. See Viewing Audit Trail in the Standard Enterprise Mode and MSP Mode.
Analyze > Tools
  Commands: The Commands tab allows network administrators and users with troubleshooting permission to identify, diagnose, and debug issues on Aruba Instant APs at an advanced level using commands. See Using Troubleshooting Tools.
Maintain > Firmware
  Access Points: The Access Points tab allows the user to view the firmware details and upgrade the devices provisioned in Aruba Central. See Viewing Firmware Details.

The Switch Dashboard

In the Network Operations app, the switch dashboard is displayed when the filter is set to a switch. To navigate to a switch dashboard, see Navigating to the Switch, Access Point, or Gateway Dashboard. The following table lists all the available menu items in the Network Operations app for the switch dashboard.

Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central account. Also, some tabs or some fields inside tabs are only applicable either for AOS-S or AOS-CX switches.

Table 21: Contents of the Switch Dashboard

Left Navigation Menu | First-Level Tabs | Description

Manage > Overview
  Summary: Displays details about a specific switch, including device information, network summary, and port and hardware status.
    It also displays uplink and usage details. Use the time range filter to change the time period for the displayed information. See Switch > Overview > Summary.
  Hardware: Displays switch hardware details, including status of power supplies and fans, CPU and memory utilization, and device temperature. See Switch > Overview > Hardware.
  Routing: Displays routing information for the switch, such as type of route, number of static and connected routes, and distance of the route. See Switch > Overview > Routing. NOTE: The Routing tab is displayed only for AOS-S switches.
  AI Insights: Displays information on switch performance issues, such as PoE issues, port errors, port flaps, airtime utilization, and memory utilization. See Switch > Overview > AI Insights.
Manage > Clients
  Clients: Displays details about the wired clients that are connected to the switch. See Switch > Clients > Clients.
  Neighbours: Displays details about the devices neighboring the switch. See Switch > Clients > Neighbours.
Manage > LAN
  Ports: Displays details about ports and the LAGs configured in the switch. Also displays information about AOS-CX switch stacks and stack-related errors. See Switch > LAN > Ports. For information about AOS-CX switch stack-related errors, see Monitoring AOS-CX Switch Stacks.
  PoE: Displays details about PoE status, PoE ports, and the power consumption from these ports. See Switch > LAN > PoE.
  VLAN: Displays VLAN information configured on the switch and details about tagged and untagged ports. See Switch > LAN > VLAN.
Manage > VSX
  VSX: Displays VSX configuration details between AOS-CX switches and the status of the inter-switch link (ISL). See Switch > VSX. NOTE: The VSX tab is displayed only for AOS-CX switch series.
Manage > Device (AOS-S)
  AOS-S--Configuration using UI groups: Enables AOS-S configuration in the AOS-S Config view. See Configuring or Viewing AOS-S Properties in UI Groups.
    Configuration using UI groups contains the following second-level tabs:
    - Switches--Configure and view general switch properties, such as hostname, IP address, and netmask. See Configuring or Viewing Switch Properties.
    - Stacks--Create stacks, add members, or view stacking details, such as stack type, stack id, and topology. See Configuring AOS-S Stacks Using UI Groups.
    - Interface:
      - Ports--Assign or view port properties, such as PoE, access policies, and trunk groups. See Configuring Switch Ports on AOS-S Switches.
      - PoE--Configure or view PoE settings for each port. See Configuring PoE Settings on AOS-S Ports.
      - Trunk Groups--Configure or view trunk groups and their associated properties, such as members of the trunk group and type of trunk group. See Configuring Trunk Groups on AOS-S Switches in UI Groups.
      - VLANs--Configure or view VLAN details and the associated ports and access policies. See Configuring VLANs on AOS-S Switches.
      - Spanning Tree--Configure or view spanning tree protocol and its associated properties. See Enabling Spanning Tree Protocol on AOS-S Switches.
      - Loop Protection--Configure or view loop protection and its associated properties. See Configuring Loop Protection on AOS-S Ports.
    - Security:
      - Access Policies--Add or view access policies. See Configuring Access Policies on AOS-S Switches.
      - DHCP Snooping--Configure or view DHCP snooping, authorized DHCP servers IP addresses, and their associated properties. See Configuring DHCP Snooping on AOS-S Switches.
      - Port Rate Limit--View or specify bandwidth to be used for inbound or outbound traffic for each port. See Configuring Port Rate Limit on AOS-S Switches.
      - RADIUS--Configure RADIUS (Remote Authentication Dial-In User Service) server settings on AOS-S switches. See Configuring RADIUS Server Settings on AOS-S Switches.
      - Downloadable User Role--Enable DUR and configure ClearPass settings to download user roles, policy, and class from the ClearPass Policy Manager server. See Configuring Downloadable User Role on AOS-S Switches.
      - Tunnel Node Server--Configure user-based tunnel or port-based tunnel on switches. See Configuring Tunnel Node Server on AOS-S Switches.
      - Authentication--Configure and enable 802.1X and MAC authentication on switches. You can also configure authentication order and priority for authentication methods. See Configuring Authentication for AOS-S Switches.
    - System:
      - Access/DNS--Configure or view the administrator and operator logins. See Configuring System Access and DNS Parameters for AOS-S Switches.
      - Time--Configure time synchronization in switches. See Configuring Time Synchronization on AOS-S Switches.
      - SNMP--Add or view SNMP v2c and v3 community and its trap destination. See Configuring SNMP on AOS-S Switches.
      - CDP--Configure CDP and its associated properties. See Configuring CDP on AOS-S Switches.
      - DHCP--Add or view a DHCP pool and its associated properties. See Configuring DHCP on AOS-S Switches.
      - IP Client Tracker--Enable AOS-S switches to learn the IP address of all, trusted, or only untrusted clients connected to the switch. See Configuring IP Client Tracker on AOS-S Switches.
    - Routing--Configure or view a specific routing path to a gateway. See Configuring Routing on AOS-S Switches.
    - IGMP--Configure IGMP and its associated properties. See Configuring IGMP on AOS-S Switches.
    - QoS--Configure QoS traffic policies on switches to classify and prioritize traffic throughout a network. See Configuring QoS Settings on AOS-S Switches.
    - Device Profile--Configure device profiles and device identifiers on switches to dynamically detect devices based on certain parameters. See Configuring Device Profile and Device Identifier.
    - Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.
  AOS-S--Configuration using templates: See Using Configuration Templates for AOS-S Management. Configuration of AOS-S switches using template groups contains the following second-level tabs:
    - Templates--Configure switch using template groups. See Creating a Configuration Template.
    - Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. See Managing Variable Files.
    - Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.
  AOS-S Stack--Configuration using templates: Configuration of AOS-S stacks using template groups contains the following second-level tabs:
    - Templates--Configure switch stack using template groups. See Configuring AOS-S Stacks using Template Groups.
    - Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. See Managing Variable Files.
    - Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.
Manage > Device (AOS-CX)
  AOS-CX--Configuration using UI groups: Enables AOS-CX configuration in the AOS-CX Config view. See Configuring AOS-CX Switches in UI Groups. Configuration using UI groups allows you to configure the following features:
    - System:
      - Properties--Edit system property settings such as contact, location, time zone, and administrator password. You can also select the VRF to be used and add the DNS and NTP servers. See Configuring System Properties on AOS-CX.
      - HTTP Proxy--Edit the HTTP proxy configuration details for the switch. See Configuring HTTP Proxy on AOS-CX.
      - SNMP--Add, edit, or delete SNMP v2 communities, v3 users, and trap notifications. See Configuring SNMP on AOS-CX.
      - Logging--Add, edit, or delete logging servers to view event logs from the AOS-CX switches. Configure FQDN or IP address, log severity level, and the VRF to be used for each of the logging servers. Also configure the global level debug log severity. See Configuring Logging Servers for AOS-CX.
      - Administrator--Add, edit, or delete server groups to be used for authentication, authorization, and accounting. You must also configure the protocol required to enable connection to these server groups. See Configuring AAA for AOS-CX.
      - Source Interface--Add, modify, or delete source interface configuration for Central and User-based tunneling interfaces for AOS-CX switches. See Configuring Source Interface for AOS-CX.
      - Stacking--Create stack, add stack members, modify VSF link, change the secondary conductor, delete stack and delete stack members. See Configuring AOS-CX VSF Stacks Using UI Groups.
    - Routing:
      - Static Routing--Add, edit, or delete static routes manually and configure destination IP addresses and next hop values, VRF, and the administrative distance. You can add different static routes for different VRFs on the switch. See Configuring Static Routing on AOS-CX.
    - Interfaces:
      - Ports & Link Aggregations--View and edit port settings such as description, VLAN mode, speed duplex, routing, and the operational status of the port. Add, edit, or delete LAGs by combining different ports and configuring the speed duplex, VLAN mode, aggregation mode, and the operational status of the LAG. See Configuring Ports and LAGs on AOS-CX.
    - Security:
      - Authentication Servers--Add, edit, or view the RADIUS and TACACS servers for authentication. Add settings such as FQDN or IP address of the servers, authentication port number, response timeout, retry count, and the VRF to be used when communicating with the servers. See Configuring Authentication Servers on AOS-CX.
      - Authentication--View or edit details about 802.1X and MAC authentication methods.
        Configure the precedence order and other parameters such as reauthentication timeout, cached reauthentication timeout, and quiet period. See Configuring Authentication on AOS-CX.
      - Access Control--View or add access policies and rules to permit or deny passage of traffic. See Configuring Access Control on AOS-CX.
      - Dynamic Segmentation--Enable user-based tunneling on the switch to provide a centralized security policy based on user authentication. See Configuring User-Based Tunneling for AOS-CX.
      - Client Roles--Add or delete client roles and associate these roles to clients. See Configuring Client Roles for AOS-CX.
    - Bridging:
      - VLANs--Add, edit, delete, or view VLANs, and associated parameters such as type of IP assignment, operational status, IP address of the DHCP relay. See Configuring VLANs on AOS-CX.
      - Loop Prevention--Enable or disable loop protection and spanning tree protocol, and associated parameters such as the mode and priority. Enable or disable various MSTP mode-related settings such as BPDU filter, BPDU protection, admin edge, and root guard. See Configuring Loop Prevention on AOS-CX.
  AOS-CX--Configuration using templates: Enables AOS-CX switch configuration in the AOS-CX view. See Configuring AOS-CX Using Templates. Configuration of AOS-CX switches using template groups contains the following second-level tabs:
    - Templates--Configure switch using template groups. See Creating a Configuration Template.
    - Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.
    - Configuration Status--View configuration status of AOS-CX switches that are managed through UI groups in Aruba Central. See Using Configuration Status on AOS-CX.
  AOS-CX--Configuration using MultiEdit mode: Enables AOS-CX configuration using the MultiEdit mode in the AOS-CX Config view. View and edit configuration on the AOS-CX switches using the CLI syntax.
    You can also apply a predefined set of configuration settings such as NAE to the switches. See Using MultiEdit View for AOS-CX. Configuration using the MultiEdit mode contains the following options:
    - View Config--View configuration of AOS-CX switches and find differences in the configuration across switches. See Viewing Configuration on AOS-CX.
    - Edit Config--Edit configuration for one or more AOS-CX switches in the MultiEdit mode. Edit the entire configuration in a familiar-looking CLI with syntax checking, colorization, and command completion. See Editing Configuration on AOS-CX. For information about commands that are not supported in the MultiEdit mode, see Commands Not Supported in the MultiEdit Mode.
    - Express Config--Apply a predefined set of configuration settings such as NAE scripts and device profile to a single or multiple switches. See Express Configuration on AOS-CX.
  AOS-CX VSF Stack--Configuration: Enables AOS-CX switch stack configuration in the AOS-CX view. See Managing an AOS-CX VSF Stack.
Analyze > Alerts & Events
  Alerts & Events: The Alerts & Events tab displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. See Alerts & Events. You can also configure and enable certain categories of switch alerts. See AOS-S Switch Alerts and AOS-CX Switch Alerts.
Analyze > Audit Trail
  Audit Trail: Displays the details of logs generated for all device management, configuration, and user management events triggered in Aruba Central. See Viewing Audit Trail.
Analyze > Tools
  Network Check: The Network Check tab allows administrators and users with troubleshooting permission to diagnose issues related to wired network connections. See Troubleshooting Switch Connectivity Issues.
  Device Check: The Device Check tab allows network administrators and users with troubleshooting permission to identify, diagnose, and debug issues on AOS-S and AOS-CX switches using predefined tests. See Troubleshooting Device Issues.
  Commands: The Commands tab allows network administrators and users with troubleshooting permission to identify, diagnose, and debug issues on AOS-S and AOS-CX switches at an advanced level using commands. See Troubleshooting Switches.
  Console: The Console tab allows you to open a remote console for a CLI session through SSH for a gateway, switch, and access point to troubleshoot device issues. See Remote Console Session.
Analyze > Reports
  Reports: The Reports tab allows you to create, manage, and view various reports. You can create recurrent reports, generate reports on demand, or schedule reports to run at a later time. See Reports.
Maintain > Firmware
  Switches: The Switches tab allows the user to view the firmware details and upgrade the devices provisioned in Aruba Central. See Managing Software Upgrades.

The Gateway Dashboard

In the Network Operations app, the gateway dashboard is displayed when the filter is set to a gateway. To navigate to a gateway dashboard, see Navigating to the Switch, Access Point, or Gateway Dashboard. The following table lists all the available menu items in the Network Operations app for the gateway dashboard.

Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central account.

Table 22: Contents of the Gateway Dashboard

Left Navigation Menu | First-Level Tabs | Description

Manage > Overview
  Summary: Displays details about a specific gateway, including device information, WAN summary, and health status. Use the time range filter to change the time period for the displayed information. See Gateway > Overview > Summary.
  IDPS: Displays the graphs related to IDPS. This feature is only applicable to IDPS gateways.
    Use the time range filter to change the time period for the displayed information. See Gateways > Overview > IDPS.
  Routing: Displays routing information for the following second-level tabs in List view.
    - BGP--See Gateway > Overview > Routing > BGP.
    - OSPF--See Gateway > Overview > Routing > OSPF.
    - Overlay--See Gateway > Overview > Routing > Overlay.
    - RIP--See Gateway > Overview > Routing > RIP.
    - Route Table--See Gateway > Overview > Routing > Route Table.
    Use the time range filter to change the time period for the displayed information.
  Sessions: Displays information for the running sessions. See Gateway > Overview > Sessions.
  AI Insights: Displays information on gateway performance issues such as tunnel up, tunnel down, airtime utilization, and memory utilization. See Gateway > Overview > AI Insights.
Manage > WAN
  Summary: Displays status information about WAN ports and WAN interfaces. See Gateway > WAN > Summary.
  Tunnels: Displays status information for VPN tunnels. See Gateway > WAN > Tunnels.
  Path Steering: Displays information about dynamic path steering policies configured on a Branch Gateway. See Gateway > WAN > Path Steering.
Manage > LAN
  Summary: Displays information about LAN port and LAN status. See Gateway > LAN > Summary.
Manage > Device
  Gateway: Enables gateway configuration in Config view for the basic mode, advanced mode, and guided setup. See Provisioning Aruba Gateways in Aruba Central.
Manage > Clients
  Clients: Displays a list of clients connected to a gateway. See All Clients.
Manage > Applications
  Visibility: Displays charts showing client traffic trends to application, application categories, website categories, and websites of a specific security reputation score.
    - Applications--See Applications
    - Websites--See Websites
  SAAS Express: Displays charts with QoE scores for all of the SaaS applications that you have configured. See Monitoring SaaS Express.
Manage > Security
  Firewall: Displays graphical and tabular representations of all the session activities belonging to gateways managed by Aruba Central. See Firewall.
Analyze > Alerts and Events
  Alerts & Events: Displays alerts for SD-WAN and gateway-related events. See Gateway Alerts. NOTE: You can configure alerts in the global dashboard only.
Analyze > Audit Trail
  Audit Trail: Displays the total number of logs generated for all device management, configuration, and user management events triggered in Aruba Central. See Viewing Audit Trail.
Analyze > Tools
  Network Check: Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. See Troubleshooting Gateway Connectivity Issues.
  Logs: Enables network administrators and users with permission to download and upload TAR logs and crash logs related to gateways. See Enabling Gateway Logs.
  Commands: See Troubleshooting Gateways.
Analyze > Reports
  Reports: Enables network administrators to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.
Maintain > Firmware
  Firmware: Provides an overview of the latest supported version of firmware for the device, details of the device, and the option to upgrade the device. For more information, see Managing Software Upgrades.

The Client Dashboard

In the Network Operations app, the clients dashboard is displayed when the filter is set to one of the options under Groups, Labels, Sites, or Global. The following table lists all the available menu items in the Network Operations app for the clients dashboard.
Table 23: Contents of the Clients Dashboard

Left Navigation Menu | First-Level Tabs | Description

Wireless Clients
Manage > Overview
  Summary: Displays the client details about the type of data path that the client uses, the network and connectivity details, and basic client details such as IP address of the client, type of encryption etc. See Summary.
  AI Insights: Displays the information about client performance and connectivity issues such as excessive 2.4 GHz dwell and low SNR links. See The AI Insights Dashboard.
  Location: Displays the current physical location of the client device on the floor map. See Location.
  Sessions: Displays the firewall session details for the client connected to an AP or a Branch Gateway. The Sessions page displays information filtered by the IP address of the client. See Sessions.
Manage > Applications: Displays the client details for passive monitoring of the client connected to a wireless network. The Visibility dashboard provides a summary of client traffic and their data usage to and from applications, and websites. See Application Visibility.
Analyze > Live Events: Allows troubleshooting issues related to a client or a site in real time for detailed analysis. See Live Events.
Analyze > Events: Displays the details of events generated by the AP and client association. See Alerts & Events.
Analyze > Tools: Enables network administrators to perform checks on the client and debug client connectivity issues. See Using Troubleshooting Tools.

Wired Clients
Manage > Overview
  Summary: Displays the information about the type of data path that the client uses, the network details, and basic client details such as IP address of the client, type of encryption etc. See Summary.
  AI Insights: Displays information about client performance and connectivity issues such as excessive 2.4 GHz dwell and low SNR links. See The AI Insights Dashboard.
  Sessions: Displays the firewall session details for the client connected to a Branch Gateway. The Sessions page displays information filtered by the IP address of the client. See Sessions.
Manage > Applications: Displays the client details for passive monitoring of the client connected to a wired network. The Visibility dashboard provides a summary of client traffic and their data usage to and from applications, and websites. See Application Visibility.
Analyze > Live Events: Allows troubleshooting issues related to a wired client connected to a switch in real time for detailed analysis. See Live Events.
Analyze > Events: Displays the details of events generated by the AP and client association. See Alerts & Events.
Analyze > Tools: Enables network administrators to perform checks on the client and debug client connectivity issues. See Using Troubleshooting Tools.

Remote Clients
Manage > Overview
  Summary: Displays the information about the type of data path that the client uses, the network details, and basic client details such as IP address of the client, type of encryption, and so on. See Summary.
  AI Insights: Displays information about client performance and connectivity issues such as excessive 2.4 GHz dwell and low SNR links. See The AI Insights Dashboard.
  Location: Displays the current physical location of the client device on the floor map. See Location.
  Sessions: Displays the firewall session details for the client connected to a Branch Gateway. The Sessions page displays information filtered by the IP address of the client. See Sessions.
Manage > Applications: Displays the client details for passive monitoring of the client connected to a wired network. The Visibility dashboard provides a summary of client traffic and their data usage to and from applications, and websites. See Applications.
Analyze > Security: Displays the authentication and accounting details of the remote client. See Security.
Analyze > Tools: Enables network administrators to perform checks on the client and debug client connectivity issues. See Tools.

Setting up Your Aruba Central Instance

If you have purchased a license key to manage your devices and networks from Aruba Central, get started with the steps described in this topic. Figure 15 illustrates the steps required for setting up your Aruba Central instance:

Figure 15 Getting Started Workflow

Getting Started with Aruba Central

Complete the following steps to start using Aruba Central for managing your devices and setting up your networks.

- Step 1: Getting Started
- Step 2: Adding a Subscription Key
- Step 3: Adding Devices
- Step 4: Assigning Subscriptions
- Step 5: Organizing Your Devices into Groups
- Step 6: Assigning Sites and Labels (Optional)
- Step 7: Configuring Users
- Step 8: Configuring and Managing Networks
- Step 9: Monitoring Your Network and Devices
- Step 10: Upgrading Software Images on Devices
- Step 11: Running Diagnostic Checks and Troubleshooting Issues

Step 1: Getting Started

To get started:
1. Sign up to create your Aruba Central account. For more information, see Creating an Aruba Central Account.
2. If you already have an Aruba Central account, log in to Aruba Central with your credentials. When you log in for the first time, the Initial Setup wizard opens and guides you through the onboarding workflow.
3. Click Get Started.
4. Click through the wizard to complete the onboarding workflow. If you want to exit the wizard and complete the onboarding steps on your own, click Exit and go to Aruba Central.

The Initial Setup wizard is displayed only when you log in to Aruba Central for the first time. The wizard is not available for Aruba Central users in the MSP mode.

Step 2: Adding a Subscription Key

At your first login, the Initial Setup wizard prompts you to add your license key.
If you are not using the wizard, complete the following steps to add your license key.
1. On the Account Home page, under Global Settings, click Key Management. The Key Management page is displayed.
2. Enter your license key.
3. Click Add Key. The license key is added to Aruba Central and the contents of the license key are displayed in the Manage Keys table. Review the license details.

If you add a Device Management token, the key is listed in the Convert Deprecated Licenses page. For more information, see Converting Legacy Tokens to New Licenses.

Step 3: Adding Devices

If you have a paid license, you can automatically import devices from the Activate database to the Aruba Central device inventory.

Figure 16 Typical Workflow for Device Sync Setup

Setting up Device Sync for Automatic Device Addition

To set up device sync, use one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page

In the Initial Setup Wizard

1. Ensure that you have added a license key and click Next.
2. In the Add Devices tab, enter the serial number and MAC address of any one device from your purchase order. Most Aruba devices have the serial number and MAC address on the front or back of the hardware.
3. Click Add Device. Aruba Central imports all other devices mapped to your purchase order.
4. Review the devices in your inventory.
5. Perform the following options:
   - Add Devices Manually--Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App--Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support--Contact Aruba Technical Support.

From the Device Inventory Page

1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
   Aruba Central imports only devices associated with your account from Activate.
2. Do any one of the following:
   - Click Sync Devices. Enter the serial number and MAC address and click Add Device.
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.

   Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Review the devices in your inventory.
4. Perform the following options:
   - Add Devices Manually--Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App--Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support--Contact Aruba Technical Support.

Manually Adding Devices

To add devices using MAC address and serial number, use any one of the following methods:

- In the Initial Setup Wizard
- From the Device Inventory Page

In the Initial Setup Wizard

If you are using the Initial Setup wizard:

1. In the Add Devices tab of the Initial Setup wizard, click Add Device.
2. Enter the serial number or the MAC address of your device.
3. Click Done.
4. Review the list of devices.

From the Device Inventory Page

To add devices from the Device Inventory page:

1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Perform one of the following:
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.

   Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Click Done.
4. Review the devices added to the inventory.

When you add the serial number and MAC address of one AP from a cluster or a switch stack member, Aruba Central imports all devices associated in the AP cluster and switch stack respectively. For more information on adding devices, see Onboarding Devices.

Step 4: Assigning Subscriptions

Aruba Central supports the following types of licenses:

- Foundation--This license provides all the features included in the Device Management subscription and some additional features that were available as value-added services for APs in the earlier licensing model.
- Advanced--This license provides all the features of a Foundation License, with additional features related to AI insights.

You can either enable automatic assignment of licenses or manually assign licenses to your devices. By default, the automatic license assignment is disabled.

Enabling Automatic Assignment of Licenses

Use any one of the following options to enable automatic assignment of licenses:

- In the Initial Setup Wizard
- From the License Assignment Page

In the Initial Setup Wizard

1. Verify that you have a valid license key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the License Assignment tab, slide the Auto Assign Licenses toggle switch to the On position.

From the License Assignment Page

1. In the Account Home page, under Global Settings, click License Assignment.
2. Under Device Subscriptions, toggle the Auto Assign Licenses slider to ON. All the devices in your inventory are selected for automatic assignment of licenses. You can edit the list by clearing the existing selection and re-selecting devices.

For more information on how auto licensing works, see Automatic License Assignment Workflow.

Manually Assigning Licenses

Use any one of the following methods to manually assign the licenses:

- In the Initial Setup Wizard
- From the License Assignment Page

In the Initial Setup Wizard

1. In the Assign License tab, ensure that the Auto License toggle switch is turned off.
2. Select the devices in the list for which you want to manually assign subscriptions.
3. Click Update License.

From the License Assignment Page

1. In the Account Home page, under Global Settings, click License Assignment.
2. On the License Assignment page, ensure that the Auto License toggle is turned off.
3. Select the devices to which you want to assign licenses.
4. Click Update License.

For more information on subscriptions and how to assign network service and SD-WAN Gateway subscriptions, see Managing License Assignments.

Step 5: Organizing Your Devices into Groups

A group in Aruba Central functions as a configuration container for devices added in Aruba Central.

Why Should You Use Groups?

Groups allow you to create a logical subset of devices and simplify the configuration and device management tasks. Groups offer the following functions and benefits:

- Combining different types of devices under a group. For example, a group can have Instant APs and Switches. Aruba Central allows you to manage the configuration of these devices in separate containers (wireless and wired management) within the same group. Any new device that is added to a group inherits the current configuration of the group.
- Assigning multiple devices to a single group.
  For example, a group can consist of multiple Instant AP Virtual Controllers (VCs). These VCs can share common configuration settings and push the configuration updates to member Instant APs in their respective clusters. For example, you can apply a common security policy for the devices deployed in a specific geographical location.
- Cloning an existing group allows you to create a base configuration for the devices and customize it according to your network requirements.

You can also use groups for filtering your monitoring dashboard content, generating reports, and managing software upgrades.

A device can be part of only one group at any given time. Groups in Aruba Central are independent and do not follow a hierarchical model.

For more information on groups and group configuration workflows, see Groups for Device Configuration and Management.

Assigning Devices to Groups

After you successfully complete the onboarding workflow, the Initial Setup wizard prompts you to assign your devices to a group. You can click Assign Group and assign your devices to a group. You can also use any one of the following methods to assign your devices to groups.

To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory.

1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign devices.
4. Click Assign Device(s).

To assign a device to a group from the Groups page, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand a group from which you want to move devices to the selected group. For example, expand the Unprovisioned Devices group, select the devices, and then click the Move devices icon. The Move Devices page is displayed.

   You can assign only particular devices for which the group is created. For example, if a group is created for Access Points only, then only Access Points can be assigned to that group. You cannot assign other devices to it.
5. Select the Destination Group from the drop-down list.
6. Click Move. The selected devices are moved to the destination group. These devices will adopt the destination group configuration.

Step 6: Assigning Sites and Labels (Optional)

A site in Aruba Central refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Aruba Central allows you to use sites as a primary navigation element. For example, if your devices are deployed in a campus, you could create a site called CampusA. You can also tag the devices within CampusA using labels. If your campus consists of multiple buildings, the devices deployed in the campus can be labeled as Building1 or Lobby.

For more information on sites and labels and how to assign devices to sites and labels, see Managing Sites and Managing Labels.

Step 7: Configuring Users

Add system users, assign user roles, and configure role-based access control. For more information, see Configuring System Users.

Step 8: Configuring and Managing Networks

To start configuring your network setup:

1. Connect your devices to Aruba Central. For more information, see Connecting Devices to Aruba Central.
2. Provision Instant APs, AOS-CX switches, AOS-S switches, or gateways to set up your WLAN, wired access, and SD-WAN network.

Step 9: Monitoring Your Network and Devices

Use monitoring dashboards to view the health of the device and network. You can also run reports, configure alerts, and view client details.

Step 10: Upgrading Software Images on Devices

View software images available for the devices provisioned in your account, run a compliance check for the recommended software version, and upgrade devices.
For more information and step-by-step instructions, see Managing Software Upgrades.

Step 11: Running Diagnostic Checks and Troubleshooting Issues

Run diagnostic checks and troubleshooting commands to analyze network connectivity, latency issues, and debug device issues, if any. For more information and step-by-step instructions, see Using Troubleshooting Tools.

Configuring Email Notifications for Software Upgrades

Aruba Central administrators receive email notifications before software upgrades, scheduled maintenance activity, or any unplanned outage. By default, email notifications are enabled.

The banner is updated in the Aruba Central UI seven days before the upgrade and an email notification is sent seven days before the upgrade. In case of an unplanned outage, an email notification is sent immediately and the banner is also updated immediately in the Aruba Central UI.

The email notification contains the following details:

- Start date and time.
- Estimated end date and time.
- Link to the What's New page where users can view the list of new features and enhancements included in the release.
- Impact of the outage.

Users can no longer check the status of Aruba Central using the following URLs:

- US--http://status.central.arubanetworks.com
- Canada--http://ca-status.central.arubanetworks.com
- APAC--http://apac-status.central.arubanetworks.com
- APAC East--http://apaceast-status.central.arubanetworks.com
- Europe--http://eu-status.central.arubanetworks.com

Enabling Email Notifications

By default, email notifications are enabled. However, if email notifications are disabled and you wish to enable system maintenance or software update email notifications, complete the following steps:

1. In the Aruba Central UI, click the user icon in the header pane.
2. Click User Settings.
3. In the User Settings pop-up window, do the following:
   a. Select the Get system maintenance notifications check box to receive system maintenance notification on the registered email ID. Email notifications are sent before any scheduled maintenance activity or unplanned outage.
   b. Select the Get software update notifications check box to receive software update notification on the registered email ID.
4. Click Save.

Figure 17 Email Notifications

Configuring Idle Timeout

Aruba Central allows you to set a timeout value for inactive user sessions. The value is in minutes and is the amount of time a user can be inactive before the user's session times out and closes.

To configure idle timeout, complete the following steps:

1. In the Aruba Central UI, click the user icon in the header pane.
2. Click User Settings.
3. In the User Settings pop-up window, enter the timeout value in the Idle Timeout field. The value must be within the range of 5 to 10080 minutes.
4. Click Save.

Opening Firewall Ports for Device Communication

Most of the communication between devices on the remote site and Aruba Central server in the cloud is carried out through HTTPS (TCP 443). To allow devices to communicate over a network firewall, ensure that the following domain names and ports are open.
This section includes the following topics:

- Domain names for Aruba Central Portal Access
- Domain Names for Device Communication with Aruba Central
- Domain Names for Device Communication with Aruba Activate
- Cloud Guest Server Domains for Guest Access Service
- Domain Names for OpenFlow
- Domain Names for RCS
- Other Domain Names

Domain names for Aruba Central Portal Access

Table 24: Domain Names and URLs for Aruba Central Portal Access

Region | Domain Name | Protocol
US-1 | portal.central.arubanetworks.com | HTTPS TCP port 443
US-2 | portal-prod2.central.arubanetworks.com | HTTPS TCP port 443
US-WEST-4 | portal-uswest4.central.arubanetworks.com | HTTPS TCP port 443
EU-1 | portal-eu.central.arubanetworks.com | HTTPS TCP port 443
EU-3 | portal-eucentral3.central.arubanetworks.com | HTTPS TCP port 443
Canada-1 | portal-ca.central.arubanetworks.com | HTTPS TCP port 443
China-1 | portal.central.arubanetworks.com.cn | HTTPS TCP port 443
APAC-1 | portal-apac.central.arubanetworks.com | HTTPS TCP port 443
APAC-EAST1 | portal-apaceast.central.arubanetworks.com | HTTPS TCP port 443
APAC-SOUTH1 | portal-apacsouth.central.arubanetworks.com | HTTPS TCP port 443
UAENORTH1 | portal-uaenorth1.central.arubanetworks.com | HTTPS TCP port 443

Domain Names for Device Communication with Aruba Central

Table 25: Domain Names for Device Communication with Aruba Central

Region | Aruba Central URL | URL for Device Connectivity | Protocol | FQDNs for SD-WAN Orchestrator Service
US-1 | app.central.arubanetworks.com | app1.central.arubanetworks.com | HTTPS TCP port 443 | app1h2.central.arubanetworks.com
US-2 | app-prod2.central.arubanetworks.com | deviceprod2.central.arubanetworks.com | HTTPS TCP port 443 | device-prod2h2.central.arubanetworks.com
US-WEST-4 | appuswest4.central.arubanetworks.com | deviceuswest4.central.arubanetworks.com | HTTPS TCP port 443 | device-uswest4h2.central.arubanetworks.com
EU-1 | app2-eu.central.arubanetworks.com | device-eu.central.arubanetworks.com | HTTPS TCP port 443 | device-euh2.central.arubanetworks.com
EU-3 | appeucentral3.central.arubanetworks.com | deviceeucentral3.central.arubanetworks.com | HTTPS TCP port 443 | device-eucentral3h2.central.arubanetworks.com
Canada-1 | app-ca.central.arubanetworks.com | device-ca.central.arubanetworks.com | HTTPS TCP port 443 | device-cah2.central.arubanetworks.com
China-1 | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS TCP port 443 | deviceh2.central.arubanetworks.com.cn
APAC-1 | app2-ap.central.arubanetworks.com | app1-ap.central.arubanetworks.com | HTTPS TCP port 443 | app1-aph2.central.arubanetworks.com
APAC-EAST1 | appapaceast.central.arubanetworks.com | deviceapaceast.central.arubanetworks.com | HTTPS TCP port 443 | device-apaceasth2.central.arubanetworks.com
APAC-SOUTH1 | appapacsouth.central.arubanetworks.com | deviceapacsouth.central.arubanetworks.com | HTTPS TCP port 443 | device-apacsouthh2.central.arubanetworks.com
UAENORTH1 | appuaenorth1.central.arubanetworks.com | deviceuaenorth1.central.arubanetworks.com | HTTPS TCP port 443 | device-uaenorth1h2.central.arubanetworks.com

Domain Names for AOS-CX Device Communication with Aruba Central

Table 26: Domain Names for AOS-CX Device Communication with Aruba Central

Region | Aruba Central URL | URL for Device Connectivity | Protocol
US-1 | app.central.arubanetworks.com | device-prodd2.central.arubanetworks.com | HTTPS TCP port 443
US-2 | app-prod2.central.arubanetworks.com | deviceprod2.central.arubanetworks.com | HTTPS TCP port 443
US-WEST-4 | appuswest4.central.arubanetworks.com | device-uswest4d2.central.arubanetworks.com | HTTPS TCP port 443
EU-1 | app2-eu.central.arubanetworks.com | device-eu.central.arubanetworks.com | HTTPS TCP port 443
EU-3 | appeucentral3.central.arubanetworks.com | device-eucentral3d2.central.arubanetworks.com | HTTPS TCP port 443
Canada-1 | app-ca.central.arubanetworks.com | device-ca.central.arubanetworks.com | HTTPS TCP port 443
China-1 | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS TCP port 443
APAC-1 | app2-ap.central.arubanetworks.com | app1-ap.central.arubanetworks.com | HTTPS TCP port 443
APAC-EAST1 | appapaceast.central.arubanetworks.com | deviceapaceast.central.arubanetworks.com | HTTPS TCP port 443
APAC-SOUTH1 | appapacsouth.central.arubanetworks.com | deviceapacsouth.central.arubanetworks.com | HTTPS TCP port 443
UAENORTH1 | appuaenorth1.central.arubanetworks.com | device-uaenorth1d2.central.arubanetworks.com | HTTPS TCP port 443

Domain Names for Device Communication with Aruba Activate

Table 27: Domain Names for Device Communication with Aruba Activate

Domain Name | Protocol
device.arubanetworks.com | HTTPS TCP port 443
devices-v2.arubanetworks.com | HTTPS TCP port 443
est.arubanetworks.com * | HTTPS TCP port 443

* Required for Aruba 2530 switches to provision certificate using the EST server in activate.

For the switches to establish connection with the Activate server, when a proxy server is configured on the network, the URLs in this table must be added to the list of allowed URLs on the proxy server.
Cloud Guest Server Domains for Guest Access Service

Table 28: Domain Names for Cloud Guest Server Access

Region | Domain Name | Protocol
US-1 | naw2.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-1 | naw2-elb.cloudguest.central.arubanetworks.com | TCP port 443
US-2 | nae1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-2 | nae1-elb.cloudguest.central.arubanetworks.com | TCP port 443
US-WEST-4 | uswest4.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-WEST-4 | uswest4-elb.cloudguest.central.arubanetworks.com | TCP port 443
EU-1 | euw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
EU-1 | euw1-elb.cloudguest.central.arubanetworks.com | TCP port 443
EU-3 | euw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
EU-3 | euw1-elb.cloudguest.central.arubanetworks.com | TCP port 443
Canada-1 | ca.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
Canada-1 | ca-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-1 | ap1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-1 | ap1-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-EAST1 | apaceast.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-EAST1 | apaceast-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-SOUTH1 | apacsouth.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-SOUTH1 | apacsouth-elb.cloudguest.central.arubanetworks.com | TCP port 443
UAENORTH1 | asw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
UAENORTH1 | asw1-elb.cloudguest.central.arubanetworks.com | TCP port 443

Domain Names for OpenFlow

Table 29: Domain Names for OpenFlow

Region | Domain Name
US-1 | https://app2-ofc.central.arubanetworks.com
US-2 | https://ofc-prod2.central.arubanetworks.com
US-WEST-4 | https://ofc-uswest4.central.arubanetworks.com
EU-1 | https://app2-eu-ofc.central.arubanetworks.com
EU-3 | https://ofc-eucentral3.central.arubanetworks.com
Canada-1 | https://ofc-ca.central.arubanetworks.com
China-1 | https://ofc.central.arubanetworks.com.cn
APAC-1 | https://app2-ap-ofc.central.arubanetworks.com
APAC-EAST1 | https://ofc-apaceast.central.arubanetworks.com
APAC-SOUTH1 | https://ofc-apacsouth.central.arubanetworks.com
UAENORTH1 | https://ofc-uaenorth1.central.arubanetworks.com

Domain Names for RCS

Table 30: Domain Names and URLs for RCS

Region | Domain Name | Protocol
US-1 | rcs-ng-prod.central.arubanetworks.com | SSH port 443
US-1 | rcs-ng-xp-prod.central.arubanetworks.com | SSH port 443
US-2 | rcs-ng-central-prod2.central.arubanetworks.com | SSH port 443
US-2 | rcs-ng-xp-central-prod2.central.arubanetworks.com | SSH port 443
US-WEST-4 | rcs-ng-uswest4.central.arubanetworks.com | SSH port 443
US-WEST-4 | rcs-ng-xp-uswest4.central.arubanetworks.com | SSH port 443
EU-1 | rcs-ng-eu.central.arubanetworks.com | SSH port 443
EU-1 | rcs-ng-xp-eu.central.arubanetworks.com | SSH port 443
EU-3 | rcs-ng-eucentral3.central.arubanetworks.com | SSH port 443
EU-3 | rcs-ng-xp-eucentral3.central.arubanetworks.com | SSH port 443
Canada-1 | rcs-ng-starman.central.arubanetworks.com | SSH port 443
Canada-1 | rcs-ng-xp-starman.central.arubanetworks.com | SSH port 443
China-1 | rcs-ng-china-prod.central.arubanetworks.com.cn | SSH port 443
APAC-1 | rcs-ng-apac.central.arubanetworks.com | SSH port 443
APAC-1 | rcs-ng-xp-apac.central.arubanetworks.com | SSH port 443
APAC-EAST1 | rcs-ng-apaceast.central.arubanetworks.com | SSH port 443
APAC-EAST1 | rcs-ng-xp-apaceast.central.arubanetworks.com | SSH port 443
APAC-SOUTH1 | rcs-ng-apacsouth.central.arubanetworks.com | SSH port 443
APAC-SOUTH1 | rcs-ng-xp-apacsouth.central.arubanetworks.com | SSH port 443
UAENORTH1 | rcs-ng-uaenorth1.central.arubanetworks.com | SSH port 443

Other Domain Names

Table 31: Other Domain Names

Domain Name | Protocol | Description
sso.arubanetworks.com | TCP port 443 | Allows users to access their accounts on the internal server.
internal.central.arubanetworks.com, internal2.central.arubanetworks.com | TCP port 443 | Allows users to access the Aruba Central Internal portal.
pool.ntp.org | UDP port 123 | Allows users to update the internal clock and configure time zone when a factory default device comes up. By default, the Aruba devices contact pool.ntp.org and use NTP to synchronize their system clocks.
activate.arubanetworks.com | TCP port 443 | Allows users to configure provisioning rules in Activate.
stun.pqm.arubanetworks.com | UDP or TCP port 3478 and 3479 | Allows users to discover public IP over the WAN uplinks configured on devices.
pqm.arubanetworks.com | ICMP or UDP port 4500 | Allows users to check the health of WAN uplinks configured on Branch Gateways.
common.cloud.hpe.com/ccssvc/ccssystem-firmware-registry | TCP port 80 and TCP port 443 | Allows users to access the CloudFront server for locating all device type software images.
https://d20kce0f6gvxjn.cloudfront.net | TCP port 443 | Allows users to access the CloudFront server while Aruba IDPS is enabled in Aruba Central gateways. NOTE: This URL can be invoked only by gateways that have IDPS security enabled. The URL cannot be enabled manually.
cloud.arubanetworks.com | TCP port 80 | Allows users to open the Aruba Central evaluation sign-up page.
aruba.brightcloud.com | TCP port 443 | Enables devices to access the Webroot Brightcloud server for application, application categories, and website content classification.
bcap15-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to look up the Webroot Brightcloud server for Website categories.
api-dualstack.bcti.brightcloud.com | TCP port 443 | Allows Aruba devices to access the IP Reputation and IP Geolocation service on the Webroot Brightcloud server.
database-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to download the website classification database from the Webroot Brightcloud server.

When configuring ACLs to allow traffic over a network firewall, use the domain names instead of the IP addresses.

For Branch Gateways to set up IPsec tunnel with the VPN concentrators, the UDP 4500 port must be open.
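
The following Python script is an added example, not part of this guide or of any Aruba tool. It audits an egress allowlist against a subset of the US-1 endpoints listed in the tables above and flags rules written with IP addresses, which this section advises against. The rule syntax, the sample allowlist, and the wildcard semantics (a leading `*.` matches any number of leading labels) are assumptions made for the example.

```python
import ipaddress
from typing import NamedTuple


class Endpoint(NamedTuple):
    host: str
    proto: str
    port: int


class Rule(NamedTuple):
    proto: str
    port: int
    pattern: str


# Subset of the guide's US-1 and region-independent rows, one host per line.
REQUIRED_US1 = """
portal.central.arubanetworks.com               tcp/443
app.central.arubanetworks.com                  tcp/443
app1.central.arubanetworks.com                 tcp/443
device.arubanetworks.com                       tcp/443
devices-v2.arubanetworks.com                   tcp/443
activate.arubanetworks.com                     tcp/443
naw2.cloudguest.central.arubanetworks.com      tcp/2083,tcp/443
naw2-elb.cloudguest.central.arubanetworks.com  tcp/443
rcs-ng-prod.central.arubanetworks.com          tcp/443   # listed as "SSH port 443"
pool.ntp.org                                   udp/123
"""

# Constructed sample allowlist in a hypothetical "allow <proto> <port> <dest>" syntax.
ALLOWLIST = """
allow tcp 443 *.central.arubanetworks.com
allow tcp 443 activate.arubanetworks.com
allow udp 123 pool.ntp.org
allow tcp 443 203.0.113.25     # documentation-range IP standing in for a pinned address
"""


def _lines(text):
    """Yield non-empty lines with trailing '#' comments removed."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_required(text):
    """Expand 'host proto/port[,proto/port...]' lines into Endpoint tuples."""
    endpoints = []
    for line in _lines(text):
        host, services = line.split()
        for service in services.split(","):
            proto, port = service.split("/")
            endpoints.append(Endpoint(host.lower(), proto.lower(), int(port)))
    return endpoints


def parse_rules(text):
    """Parse 'allow proto port destination' lines; other actions are ignored."""
    rules = []
    for line in _lines(text):
        action, proto, port, pattern = line.split()
        if action == "allow":
            rules.append(Rule(proto.lower(), int(port), pattern.lower()))
    return rules


def is_ip_literal(pattern):
    """True when the destination is an IP address or CIDR block, not a name."""
    try:
        ipaddress.ip_network(pattern, strict=False)
        return True
    except ValueError:
        return False


def covers(rule, endpoint):
    """A rule covers an endpoint when protocol, port and name all match."""
    if (rule.proto, rule.port) != (endpoint.proto, endpoint.port):
        return False
    if rule.pattern.startswith("*."):
        # "*.example.com" matches sub.example.com but not example.com itself.
        return endpoint.host.endswith(rule.pattern[1:])
    return endpoint.host == rule.pattern


def audit(required, rules):
    """Return (endpoints no rule covers, rules that pin an IP address)."""
    missing = [ep for ep in required if not any(covers(r, ep) for r in rules)]
    ip_rules = [r for r in rules if is_ip_literal(r.pattern)]
    return missing, ip_rules


if __name__ == "__main__":
    missing, ip_rules = audit(parse_required(REQUIRED_US1), parse_rules(ALLOWLIST))
    for ep in missing:
        print(f"MISSING  {ep.proto}/{ep.port:<5} {ep.host}")
    for r in ip_rules:
        print(f"IP RULE  {r.proto}/{r.port:<5} {r.pattern}  (use the domain name instead)")
```

With the sample data, the wildcard rule covers the portal, app, RCS and guest-server names on TCP 443 but leaves the Activate device endpoints and the guest server's TCP 2083 uncovered.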
Connecting Devices to Aruba Central

Aruba devices support automatic provisioning, also known as ZTP. In other words, Aruba devices can download provisioning parameters from Aruba Activate and connect to their management entity once they are powered on and connected to the network.

Although most of the communication between devices on the remote site and Aruba Central server in the cloud is carried out through HTTPS (TCP 443), you may want to open the following ports for devices to communicate over network firewall.

This section includes the following topics:

- Domain names for Aruba Central Portal Access
- Domain Names for Device Communication with Aruba Central
- Domain Names for Device Communication with Aruba Activate
- Cloud Guest Server Domains for Guest Access Service
- Domain Names for OpenFlow
- Domain Names for RCS
- Other Domain Names

Domain names for Aruba Central Portal Access

Table 32: Domain Names and URLs for Aruba Central Portal Access

Region | Domain Name | Protocol
US-1 | portal.central.arubanetworks.com | HTTPS TCP port 443
US-2 | portal-prod2.central.arubanetworks.com | HTTPS TCP port 443
US-WEST-4 | portal-uswest4.central.arubanetworks.com | HTTPS TCP port 443
EU-1 | portal-eu.central.arubanetworks.com | HTTPS TCP port 443
EU-3 | portal-eucentral3.central.arubanetworks.com | HTTPS TCP port 443
Canada-1 | portal-ca.central.arubanetworks.com | HTTPS TCP port 443
China-1 | portal.central.arubanetworks.com.cn | HTTPS TCP port 443
APAC-1 | portal-apac.central.arubanetworks.com | HTTPS TCP port 443
APAC-EAST1 | portal-apaceast.central.arubanetworks.com | HTTPS TCP port 443
APAC-SOUTH1 | portal-apacsouth.central.arubanetworks.com | HTTPS TCP port 443
UAENORTH1 | portal-uaenorth1.central.arubanetworks.com | HTTPS TCP port 443

Domain Names for Device Communication with Aruba Central

Table 33: Domain Names for Device Communication with Aruba Central

Region | Aruba Central URL | URL for Device Connectivity | Protocol | FQDNs for SD-WAN Orchestrator Service
US-1 | app.central.arubanetworks.com | app1.central.arubanetworks.com | HTTPS TCP port 443 | app1h2.central.arubanetworks.com
US-2 | app-prod2.central.arubanetworks.com | deviceprod2.central.arubanetworks.com | HTTPS TCP port 443 | device-prod2h2.central.arubanetworks.com
US-WEST-4 | appuswest4.central.arubanetworks.com | deviceuswest4.central.arubanetworks.com | HTTPS TCP port 443 | device-uswest4h2.central.arubanetworks.com
EU-1 | app2-eu.central.arubanetworks.com | device-eu.central.arubanetworks.com | HTTPS TCP port 443 | device-euh2.central.arubanetworks.com
EU-3 | appeucentral3.central.arubanetworks.com | deviceeucentral3.central.arubanetworks.com | HTTPS TCP port 443 | device-eucentral3h2.central.arubanetworks.com
Canada-1 | app-ca.central.arubanetworks.com | device-ca.central.arubanetworks.com | HTTPS TCP port 443 | device-cah2.central.arubanetworks.com
China-1 | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS TCP port 443 | deviceh2.central.arubanetworks.com.cn
APAC-1 | app2-ap.central.arubanetworks.com | app1-ap.central.arubanetworks.com | HTTPS TCP port 443 | app1-aph2.central.arubanetworks.com
APAC-EAST1 | appapaceast.central.arubanetworks.com | deviceapaceast.central.arubanetworks.com | HTTPS TCP port 443 | device-apaceasth2.central.arubanetworks.com
APAC-SOUTH1 | appapacsouth.central.arubanetworks.com | deviceapacsouth.central.arubanetworks.com | HTTPS TCP port 443 | device-apacsouthh2.central.arubanetworks.com
UAENORTH1 | appuaenorth1.central.arubanetworks.com | deviceuaenorth1.central.arubanetworks.com | HTTPS TCP port 443 | device-uaenorth1h2.central.arubanetworks.com

Domain Names for AOS-CX Device Communication with Aruba Central

Table 34: Domain Names for AOS-CX Device Communication with Aruba Central

Region | Aruba Central URL | URL for Device Connectivity | Protocol
US-1 | app.central.arubanetworks.com | device-prodd2.central.arubanetworks.com | HTTPS TCP port 443
US-2 | app-prod2.central.arubanetworks.com | deviceprod2.central.arubanetworks.com | HTTPS TCP port 443
US-WEST-4 | appuswest4.central.arubanetworks.com | device-uswest4d2.central.arubanetworks.com | HTTPS TCP port 443
EU-1 | app2-eu.central.arubanetworks.com | device-eu.central.arubanetworks.com | HTTPS TCP port 443
EU-3 | appeucentral3.central.arubanetworks.com | device-eucentral3d2.central.arubanetworks.com | HTTPS TCP port 443
Canada-1 | app-ca.central.arubanetworks.com | device-ca.central.arubanetworks.com | HTTPS TCP port 443
China-1 | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS TCP port 443
APAC-1 | app2-ap.central.arubanetworks.com | app1-ap.central.arubanetworks.com | HTTPS TCP port 443
APAC-EAST1 | appapaceast.central.arubanetworks.com | deviceapaceast.central.arubanetworks.com | HTTPS TCP port 443
APAC-SOUTH1 | appapacsouth.central.arubanetworks.com | deviceapacsouth.central.arubanetworks.com | HTTPS TCP port 443
UAENORTH1 | appuaenorth1.central.arubanetworks.com | device-uaenorth1d2.central.arubanetworks.com | HTTPS TCP port 443

Domain Names for Device Communication with Aruba Activate

Table 35: Domain Names for Device Communication with Aruba Activate

Domain Name | Protocol
device.arubanetworks.com | HTTPS TCP port 443
devices-v2.arubanetworks.com | HTTPS TCP port 443
est.arubanetworks.com * | HTTPS TCP port 443

* Required for Aruba 2530 switches to provision certificate using the EST server in activate.

For the switches to establish connection with the Activate server, when a proxy server is configured on the network, the URLs in this table must be added to the list of allowed URLs on the proxy server.
Cloud Guest Server Domains for Guest Access Service Table 36: Domain Names for Cloud Guest Server Access Region Domain Name Protocol US-1 naw2.cloudguest.central.arubanetworks.com TCP port 2083 TCP port 443 naw2-elb.cloudguest.central.arubanetworks.com TCP port 443 US-2 nae1.cloudguest.central.arubanetworks.com TCP port 2083 TCP port 443 nae1-elb.cloudguest.central.arubanetworks.com TCP port 443 US-WEST-4 uswest4.cloudguest.central.arubanetworks.com TCP port 2083 TCP port 443 Getting Started with Aruba Central | 140 Region Domain Name Protocol uswest4-elb.cloudguest.central.arubanetworks.com TCP port 443 EU-1 euw1.cloudguest.central.arubanetworks.com TCP port 2083 TCP port 443 euw1-elb.cloudguest.central.arubanetworks.com TCP port 443 EU-3 euw1.cloudguest.central.arubanetworks.com TCP port 2083 TCP port 443 euw1-elb.cloudguest.central.arubanetworks.com TCP port 443 Canada-1 ca.cloudguest.central.arubanetworks.com TCP port 2083 TCP port 443 ca-elb.cloudguest.central.arubanetworks.com TCP port 443 APAC-1 ap1.cloudguest.central.arubanetworks.com TCP port 2083 TCP port 443 ap1-elb.cloudguest.central.arubanetworks.com TCP port 443 APAC-EAST1 apaceast.cloudguest.central.arubanetworks.com TCP port 2083 TCP port 443 apaceast-elb.cloudguest.central.arubanetworks.com TCP port 443 APAC-SOUTH1 apacsouth.cloudguest.central.arubanetworks.com TCP port 2083 TCP port 443 apacsouth-elb.cloudguest.central.arubanetworks.com TCP port 443 UAENORTH1 asw1.cloudguest.central.arubanetworks.com TCP port 2083 TCP port 443 asw1-elb.cloudguest.central.arubanetworks.com TCP port 443 Domain Names for OpenFlow Table 37: Domain Names for OpenFlow Region Domain Name US-1 https://app2-ofc.central.arubanetworks.com US-2 https://ofc-prod2.central.arubanetworks.com US-WEST-4 https://ofc-uswest4.central.arubanetworks.com EU-1 https://app2-eu-ofc.central.arubanetworks.com EU-3 https://ofc-eucentral3.central.arubanetworks.com Canada-1 https://ofc-ca.central.arubanetworks.com Aruba Central | User Guide 141 
China-1 | https://ofc.central.arubanetworks.com.cn
APAC-1 | https://app2-ap-ofc.central.arubanetworks.com
APAC-EAST1 | https://ofc-apaceast.central.arubanetworks.com
APAC-SOUTH1 | https://ofc-apacsouth.central.arubanetworks.com
UAENORTH1 | https://ofc-uaenorth1.central.arubanetworks.com

Domain Names for RCS

Table 38: Domain Names and URLs for RCS
Region | Domain Name | Protocol
US-1 | rcs-ng-prod.central.arubanetworks.com; rcs-ng-xp-prod.central.arubanetworks.com | SSH port 443
US-2 | rcs-ng-central-prod2.central.arubanetworks.com; rcs-ng-xp-central-prod2.central.arubanetworks.com | SSH port 443
US-WEST-4 | rcs-ng-uswest4.central.arubanetworks.com; rcs-ng-xp-uswest4.central.arubanetworks.com | SSH port 443
EU-1 | rcs-ng-eu.central.arubanetworks.com; rcs-ng-xp-eu.central.arubanetworks.com | SSH port 443
EU-3 | rcs-ng-eucentral3.central.arubanetworks.com; rcs-ng-xp-eucentral3.central.arubanetworks.com | SSH port 443
Canada-1 | rcs-ng-starman.central.arubanetworks.com; rcs-ng-xp-starman.central.arubanetworks.com | SSH port 443
China-1 | rcs-ng-china-prod.central.arubanetworks.com.cn | SSH port 443
APAC-1 | rcs-ng-apac.central.arubanetworks.com; rcs-ng-xp-apac.central.arubanetworks.com | SSH port 443
APAC-EAST1 | rcs-ng-apaceast.central.arubanetworks.com; rcs-ng-xp-apaceast.central.arubanetworks.com | SSH port 443
APAC-SOUTH1 | rcs-ng-apacsouth.central.arubanetworks.com; rcs-ng-xp-apacsouth.central.arubanetworks.com | SSH port 443
UAENORTH1 | rcs-ng-uaenorth1.central.arubanetworks.com | SSH port 443

Other Domain Names

Table 39: Other Domain Names
Domain Name | Protocol | Description
sso.arubanetworks.com | TCP port 443 | Allows users to access their accounts on the internal server.
internal.central.arubanetworks.com; internal2.central.arubanetworks.com | TCP port 443 | Allows users to access the Aruba Central Internal portal.
pool.ntp.org | UDP port 123 | Allows users to update the internal clock and configure time zone when a factory default device comes up. By default, the Aruba devices contact pool.ntp.org and use NTP to synchronize their system clocks.
activate.arubanetworks.com | TCP port 443 | Allows users to configure provisioning rules in Activate.
stun.pqm.arubanetworks.com | UDP or TCP port 3478 and 3479 | Allows users to discover public IP over the WAN uplinks configured on devices.
pqm.arubanetworks.com | ICMP or UDP port 4500 | Allows users to check the health of WAN uplinks configured on Branch Gateways.
common.cloud.hpe.com/ccssvc/ccssystem-firmware-registry | TCP port 80 and TCP port 443 | Allows users to access the CloudFront server for locating all device type software images.
https://d20kce0f6gvxjn.cloudfront.net | TCP port 443 | Allows users to access the CloudFront server while Aruba IDPS is enabled in Aruba Central gateways. NOTE: This URL can be invoked only by gateways that have IDPS security enabled. The URL cannot be enabled manually.
cloud.arubanetworks.com | TCP port 80 | Allows users to open the Aruba Central evaluation sign-up page.
aruba.brightcloud.com | TCP port 443 | Enables devices to access the Webroot Brightcloud server for application, application categories, and website content classification.
bcap15-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to look up the Webroot Brightcloud server for Website categories.
api-dualstack.bcti.brightcloud.com | TCP port 443 | Allows Aruba devices to access the IP Reputation and IP Geolocation service on the Webroot Brightcloud server.
database-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to download the website classification database from the Webroot Brightcloud server.

When configuring ACLs to allow traffic over a network firewall, use the domain names instead of the IP addresses.

For Branch Gateways to set up IPsec tunnel with the VPN concentrators, the UDP 4500 port must be open.

Connecting Instant APs to Aruba Central

To bring up Instant APs in Aruba Central, perform the following steps:
1. Connect the Instant AP to a provisioning network.
2. Ensure that Instant AP is operational and is connected to the Internet.
3. Ensure that the Instant AP has a valid DNS server address either through DHCP or static IP configuration.
4. Ensure that NTP server is running and Instant AP system clock is configured.

Connecting Aruba Switches to Aruba Central

Note the following points about automatic provisioning of switches:
- Pre-configured switches can now join Aruba Central. You can also import configuration from these switches to generate a template. For more information, see Creating a Configuration Template.
- If the switches ship with a version lower than the minimum supported firmware version, a factory reset may be required, so that the switch can initiate a connection to Aruba Central. For information on the minimum firmware versions supported on the switches, see Supported AOS-S Platforms.
- During Zero Touch Provisioning, the Aruba switches can join Aruba Central only if they are running the factory default configuration, and have a valid IP address and DNS settings from a DHCP server.
- The provisioning of the Aruba Mobility Access Switch fails when the provisioning process is interrupted during the initial booting and if the switch has a static IP address with no DNS server configured.

Connecting SD-WAN Gateways to Aruba Central

The Aruba gateways have the ability to automatically provision themselves and connect to Aruba Central once they are powered on. The gateways also support multiple active uplinks for ZTP (also referred to as automatic provisioning). The supported ZTP ports for different hardware platforms are listed in the following table. All these ZTP ports are assigned to VLAN 4094.
Table 40: ArubaOS Hardware Platforms and Supported ZTP Ports
ArubaOS Hardware Platform | Supported ZTP Ports
Aruba 7005 Gateway | ALL ports except 0/0/1
Aruba 7008 Gateway | ALL ports except 0/0/1
Aruba 7010 Gateway | ALL ports except 0/0/1
Aruba 7030 Gateway | ALL ports except 0/0/1
Aruba 7024 Gateway | ALL ports except 0/0/1
Aruba 7210 Gateway | ALL ports except 0/0/1
Aruba 7220 Gateway | ALL ports except 0/0/1
Aruba 7240 Gateway | ALL ports except 0/0/1
Aruba 7280 Gateway | ALL ports except 0/0/1
Aruba 9004 Gateway | ALL ports except 0/0/1
Aruba 9004-LTE Gateway | ALL ports except 0/0/1
Aruba 9012 Gateway | ALL ports except 0/0/1

To know the minimum software version required for the gateways, see Supported SD-Branch Components.

To automatically provision the gateways:
1. Connect your SD-WAN gateway to the provisioning network.
2. Wait for the device to obtain an IP address through DHCP. Gateways support multiple uplink ports. The first port to receive the DHCP IP connects to the Activate server and completes the provisioning procedure:
   - If the device has factory default configuration, it receives an IP address through DHCP, connects to Aruba Activate, and downloads the provisioning parameters. When a device identifies Aruba Central as its management entity, it automatically connects to Aruba Central.
   - If the device is running a software version that does not have the SD-WAN image, the devices are automatically upgraded to a supported SD-WAN software version.
   Aruba 72xx gateways with the ArubaOS 8.3.0.9 factory default image use only port 0/0/1 (the last copper port) for ZTP. When the factory default gateways connect to Activate through ZTP for the first time, Activate recommends a base SD-WAN image, which the gateways will download. In the SD-WAN image, port 0/0/1 is used as a debug port, and DHCP requests will not be sent out of port 0/0/1 for subsequent ZTP requests. Hence, ZTP workflow for Aruba 72xx gateways with the ArubaOS 8.3.0.9 factory default image will not work. You must manually upgrade the Aruba 72xx gateways to the SD-WAN image or use other methods like full-setup and static-activate to provision the gateways.
3. Observe the LED indicators. Table 2 describes the LED behavior.

Table 41: LED Indicators
LED Indicator | LCD Text | Description
Solid Amber | Getting DHCP IP | Indicates that the uplink connection is UP, but DHCP IP is yet to be retrieved.
Blinking Amber | Activate Wait | Indicates that the device was able to reach the DHCP server and the connection to the Activate server is yet to be established.
Solid Green | Activate OK | Indicates that the device was able to retrieve provisioning parameters from the Activate server.
Alternating Solid Green and Amber | Activate Error | Indicates that the device was not able to retrieve provisioning parameters.

After successfully connecting to Aruba Central, the gateways download the configuration from Aruba Central.

- From ArubaOS 8.7.0.0-2.3.0.0 release version onwards, Aruba SD-Branch Gateways no longer require additional reboot when they receive the controller IP from Aruba Central after the ZTP process. Some services are restarted, resulting in an expected network impact, but the gateways do not reload for the second time. However, the gateways will reboot if there are any subsequent controller IP changes.
- The gateways also include service ports that the technicians can use for manually provisioning devices in the event of ZTP failure. For more information on ports available for Aruba 7000 Series Mobility Controllers and Aruba 7200 Series Mobility Controllers, see ArubaOS User Guide.
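When a device stays in the Activate Wait or Activate Error state, one cause worth ruling out is a perimeter firewall denying one of the endpoints listed in the Other Domain Names table. The following Python script is an added example, not part of the Aruba guide: it matches denied flows in a firewall log against a subset of that table. The CSV log layout, the source addresses, and the sample log lines are constructed for illustration; adapt the column names to your firewall's export.

```python
import csv
import io

# Subset of the "Other Domain Names" table on this page:
# domain -> (protocols, ports, purpose). Extend with the regional tables as needed.
_TABLE = {
    "sso.arubanetworks.com": (["tcp"], [443], "account access"),
    "internal.central.arubanetworks.com": (["tcp"], [443], "Aruba Central Internal portal"),
    "internal2.central.arubanetworks.com": (["tcp"], [443], "Aruba Central Internal portal"),
    "pool.ntp.org": (["udp"], [123], "NTP clock sync on factory default devices"),
    "activate.arubanetworks.com": (["tcp"], [443], "Activate provisioning rules"),
    "stun.pqm.arubanetworks.com": (["udp", "tcp"], [3478, 3479], "public IP discovery on WAN uplinks"),
    "pqm.arubanetworks.com": (["udp"], [4500], "WAN uplink health checks"),
}

# Flatten to {(host, proto, port): purpose}. ICMP has no port, so it is keyed with None.
REQUIRED = {}
for _host, (_protos, _ports, _purpose) in _TABLE.items():
    for _proto in _protos:
        for _port in _ports:
            REQUIRED[(_host, _proto, _port)] = _purpose
REQUIRED[("pqm.arubanetworks.com", "icmp", None)] = "WAN uplink health checks"

# Constructed sample log (hypothetical column layout, private source addresses).
SAMPLE_LOG = """
ts,action,src,proto,dst_host,dst_port
2022-03-25T10:00:01Z,deny,10.20.0.11,udp,pool.ntp.org,123
2022-03-25T10:00:02Z,deny,10.20.0.11,tcp,Activate.ArubaNetworks.com.,443
2022-03-25T10:00:05Z,allow,10.20.0.12,tcp,activate.arubanetworks.com,443
2022-03-25T10:00:07Z,deny,10.20.0.13,tcp,activate.arubanetworks.com,443
2022-03-25T10:00:09Z,deny,10.20.0.13,icmp,pqm.arubanetworks.com,
2022-03-25T10:00:11Z,deny,10.20.0.13,udp,pqm.arubanetworks.com,4500
2022-03-25T10:00:12Z,deny,10.20.0.14,tcp,example.org,443
2022-03-25T10:00:13Z,deny,10.20.0.14,tcp,activate.arubanetworks.com,8443
2022-03-25T10:00:14Z,deny,10.20.0.15,udp,stun.pqm.arubanetworks.com,3479
truncated,row
"""


def normalize_host(name):
    """Lower-case and drop the trailing root dot so log spellings compare equal."""
    return (name or "").strip().rstrip(".").lower()


def triage(log_text):
    """Return {(host, proto, port): {count, sources, purpose}} for denied required flows."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text.strip())):
        # Short or malformed rows yield None for missing columns; treat them as empty.
        if (row.get("action") or "").strip().lower() != "deny":
            continue
        host = normalize_host(row.get("dst_host"))
        proto = (row.get("proto") or "").strip().lower()
        port_text = (row.get("dst_port") or "").strip()
        port = int(port_text) if port_text.isdigit() else None
        key = (host, proto, port)
        if key not in REQUIRED:
            continue  # unrelated destination, or a port the table does not list
        entry = findings.setdefault(
            key, {"count": 0, "sources": set(), "purpose": REQUIRED[key]}
        )
        entry["count"] += 1
        entry["sources"].add((row.get("src") or "").strip())
    return findings


def report(findings):
    """Format findings as text lines, most frequently denied endpoint first."""
    ordered = sorted(
        findings.items(),
        key=lambda kv: (-kv[1]["count"], kv[0][0], kv[0][1], kv[0][2] or 0),
    )
    lines = []
    for (host, proto, port), info in ordered:
        target = f"{proto}/{port}" if port is not None else proto
        sources = ", ".join(sorted(info["sources"]))
        lines.append(
            f"{host} {target}: {info['count']} denied from {sources} ({info['purpose']})"
        )
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Because the guide recommends domain-based ACLs, the match is on the logged destination name; a firewall that logs only IP addresses needs a resolution step before this check.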
Device Configuration and Network Management

Aruba Central supports provisioning, managing, monitoring, and troubleshooting workflows for the following types of Aruba devices:
- Instant APs: Know more about Instant AP, supported hardware platforms and software versions and learn how to manage your WLAN deployments with Instant APs. For more information, see IAPs.
- Switches: Know more about Aruba switches, supported hardware platforms and software versions, and learn how to manage wired access using switches. For more information, see AOS-S Switches Overview.
- Gateways: Know more about SD-WAN Gateways, supported hardware platforms and software versions, and learn how to build and manage SD-WAN deployments. For more information, see Aruba SD-Branch Solution.
- Virtual Gateways: Deploy, connect, and manage Virtual Gateways hosted on customer VPC from Aruba Central. For more information, see Deploying Aruba Virtual Gateways.

Using the Search Bar

The search bar in the Network Operations app enables users to search for clients, devices, and infrastructure connected to the network. The search also retrieves relevant documentation to help users efficiently operate their networks. The search engine uses Natural Language Processing (NLP) to analyze queries and return relevant search results. The following figure illustrates the search bar option in Aruba Central.

Figure 18 Search Bar

To start a search in the Aruba Central UI, click the search bar or press / (forward slash) on your computer keyboard. When you click the search bar, you can see the search suggestions in the Recent and Suggested Search list.
- Recent: Displays all searches performed recently.
- Suggested Search: Displays search suggestions corresponding to the workflow that you follow in the Network Operations app. The suggested search helps you perform onboarding, monitoring, configuring, and troubleshooting tasks. For more information, see the Suggested Search page.
The following figure illustrates the sample search result in Aruba Central.

Figure 19 Sample Search Result

From the search results, you can navigate to:
1. Search Cards: displays monitoring summary and links to configuration, monitoring, and troubleshooting pages in the Network Operations app.
2. View: relevant links to the corresponding pages in the Network Operations app.
3. Read: relevant links to the help pages in the Aruba Central Help Center.

Suggested Search

The search bar displays search suggestions corresponding to the workflow that you follow as a user of the platform. The suggestions help you perform on-boarding tasks and bring up the devices in the network, configure and troubleshoot the network issues.

The following are some of the sample queries to get you started on the on-boarding journey. These sample queries in the Network Operations app search bar can guide you into getting started with Central, adding devices, assigning licenses to devices, creating groups and sites, and so on:
- Getting started with Central
- How to add devices
- How do I add licenses
- How to create groups
- How to create sites
- How to add device to a site
- How to add a new user
- Where to find install manager
- Install manager issues

The following figure illustrates search suggestions to get started with Aruba Central.

Figure 20 Suggestions to Get Started with Aruba Central

The following sample queries in the Network Operations app search bar can guide you to create SSIDs, configure a switch group, configure a gateway and so on:
- How to configure an SSID
- Configure SSID for group <Group Name> (Detect an AP group without SSID configuration)
- How to configure a switch group
- Configure switch group <Group Name>
- How to configure a switch port
- How to configure a Micro branch AP
- Configure Micro branch group <Name>
- How to configure a gateway.
- Configure gateway group <Group Name>

The following figure illustrates search suggestions for the next actions to perform in Aruba Central based on the workflow that you follow in the Network Operations app.

Figure 21 Suggestions to Get Started with Aruba Central

Client Search Terms

The search bar helps you to search a client's information and navigate to the configuration and troubleshooting pages of the client in the Network Operations app. The sample search terms on this page give you a list of terms for troubleshooting client issues in the Network Operations app.

Using the search bar you can perform the following tasks:
- Hover over a client search card to view more details and links to the monitoring, configuration, and troubleshooting pages.
- Click the client name to open the Client Details page.
- Click View to open the corresponding page in Aruba Central. For example, clicking the View button corresponding to High DHCP Failures opens the AI Insights dashboard.
- Click Read to navigate to the documentation page in the Aruba Central Help Center relevant to the search terms.

Search Cards for Clients

The search results in Aruba Central display certain cards with monitoring information and links to the configuration and troubleshooting pages for the client. You can click the links to navigate to that particular page of the client in the Network Operations app. You can see the search cards when you search with the client name, IP address, or MAC address.

Following is an example of the search card that appears when you search with a client name:

Figure 22 Search Card for Client Name Search

Options available on the client's search card:
- Network Check: Opens the Network Check page for the client.
- Live Events: Opens the Live Troubleshooting page for the client.
- Events: Opens the Alerts & Events page for the client.
- Disconnect: Opens the Client Details page to disconnect the client.
- Insights: Opens the AI Insights page for the client.

Following is an example of the search card that appears when you search with a client IP address:

Figure 23 Search Card for Client IP Address Search

Following is an example of the search card that appears when you search with a client MAC address:

Figure 24 Search Card_Client MAC Address

Sample Search Terms for a Client

The following table lists the sample search terms for a client.

Table 42: Client Search Terms
Typical Queries | Search Terms | Result
View client(s) facing issues in the network | client issues; client anomalies; problem clients | Returns client(s) that failed to connect and client(s) experiencing issues such as high DHCP failures, authentication failures, high roaming latency, and so on.
View failed client(s) | client failures; failed clients | Returns client(s) that failed to connect to the network.
View client(s) running Windows operating system | list windows clients | Returns a list of the client(s) running Windows operating system.
View client(s) running Android operating system | list android clients | Returns a list of the client(s) running Android operating system.
View client(s) in a site | Enter list clients in site followed by the site name. Example: list clients in site California | Returns a list of all client(s) in the site.
View offline client(s) in a site | Enter show offline clients in site followed by the site name. Example: show offline clients in site California | Returns a list of offline client(s) in the site.
View connected client(s) in a particular site | Enter show connected clients in site followed by the site name. Example: show connected clients in site California | Returns a list of the connected client(s) in the site.
Search by client name | Enter the name of the client. Example: myipad | Returns the client whose name matches the search term.
Search by client MAC address | Enter client followed by the MAC address. Example: client 00:01:00:10:9f:20 | Returns the client whose MAC address matches the search term.

User Experience Search Terms

The following table provides a list of recommended search terms with the corresponding search results. These sample search terms can help you in gauging the network performance and identifying anomalies affecting user experience in the Network Operations app.

Table 43: User Experience Search Terms
Search Terms | Result
user experience issues | Returns the following links: Client-related insights generated for the last three hours; Network Health dashboard. Click View to open the corresponding page.
user experience issues last month | Returns client-related insights generated for the last one month.
client issues last week | Returns the following: Client(s) that failed to connect to the network in the last one week; Client-related insights generated for the last one week.
how is my network today | Returns the following links: Wi-Fi Connectivity dashboard; Network Health > List page. Click View to open the corresponding page.
is everything ok | Returns a link to the AI Insights dashboard. Click View to open the AI Insights dashboard and review the insights triggered.
roaming issues | Returns links to the following insights: Clients who Roamed Excessively; Clients with High Roaming Latency. Click View to open the corresponding insight and identify roaming anomalies.
authentication issues | Returns links to the following insights: Clients with High 802.1X Authentication Failures; Clients with High MAC Authentication Failures. Click View to open the corresponding insight and identify authentication anomalies.
problem clients | Returns client(s) that failed to connect and client(s) experiencing issues such as high DHCP failures, authentication failures, high roaming latency, and so on.
coverage issues | Returns links to the following insights: Clients with Low SNR Minutes; Coverage Holes Identified. Click View to open the corresponding insight and identify coverage anomalies.

Device Search Terms

The search bar helps you to search all devices monitored by Aruba Central. The search enables you to navigate to the monitoring, configuration, and troubleshooting pages of the devices in the Network Operations app. The sample search terms on this page give you a list of terms for troubleshooting device issues in the Network Operations app.

Using the search bar you can perform the following tasks:
- Hover over a device search card to view more details and links to the monitoring, configuration, and troubleshooting pages.
- Click the device name to open the corresponding Device Details page.
- Click View to open the corresponding page in Aruba Central. For example, clicking the View button corresponding to Alerts & Events Overview opens the Alerts & Events page.
- Click Read to navigate to the documentation page in the Aruba Central Help Center relevant to the search terms.

Search Cards for Devices

The search results in Aruba Central display certain cards with monitoring information and links to the configuration and troubleshooting pages for the device. You can click the links to navigate to that particular page of the device in the Network Operations app. You can see the search cards when you search with the device name, IP address, MAC address, group, site, or label name. Following are the examples for APs, switches, and gateways.
Following is an example of the search card that appears when you search with an Access Point name:

Figure 25 Search Card for the Access Point Name Search

Options available on the AP name search card:
- Configure: Opens the AP Configuration page.
- Network Check: Opens the Network Check page.
- Locate: Locates the AP in the network.
- Events: Opens the Alerts & Events page for the AP.
- Clients: Opens the Clients page for the AP.
- Configure Group: Opens the Access Points page to configure a group for the AP.
- Insights: Opens the AI Insights page for the AP.

Following is an example of the search card that appears when you search with a Switch name:

Figure 26 Search Card for the Switch Name Search

Options available on the switch name search card:
- Configure: Opens the Switch Configuration page.
- Network Check: Opens the Network Check page for the switch.
- Console: Opens the Switch Details page.
- Events: Opens the Alerts & Events page for the switch.
- Clients: Opens the Clients page for the AP.
- Configure Group: Opens the Switches page to configure a group for the switch.
- Insights: Opens the AI Insights page for the switch.

The following is an example of the search card that appears when you search with a gateway name:

Figure 27 Search Card for the Gateway Name Search

Options available on the gateway name search card:
- Configure Group: Opens the Gateways page to configure a group for the gateway.
- Network Check: Opens the Network Check page for the gateway.
- Console: Opens the Gateway Summary page for the gateway.
- Events: Opens the Alerts & Events page for the gateway.
- Clients: Opens the Clients page for the gateway.
- Session: Opens the Sessions page for the gateway.
The following is an example of the search card that appears when you search with a device serial:

Figure 28 Search Card for the Device Serial Search

The following is an example of the search card that appears when you search with a device IP address:

Figure 29 Search Card for the Device IP Address Search

The following is an example of the search card that appears when you search with a device MAC address:

Figure 30 Search Card for the Device MAC Address Search

The following is an example of the search card that appears when you search with a device group name:

Figure 31 Search Card for the Device Group Name Search

The following is an example of the search card that appears when you search with a device label:

Figure 32 Search Card for the Label Search

Sample Device Search Terms

The following table lists the search terms for AP, switch, and gateway.

Table 44: Device Search Terms
Typical Queries | Search Terms | Result

Access Point
View AP(s) facing issues in the network | AP issues; AP anomalies; problem APs | Returns a list of the AP(s) that are offline, AP radios changing channels more frequently, AP(s) experiencing higher than normal channel utilization, AP(s) experiencing frequent transmit power changes, and AP(s) that missed sending telemetry data, and so on.
View AP(s) in a site | Enter list aps in site or show aps in site followed by the site name. Example: list aps in site California | Returns a list of the AP(s) in the site.
View a list of online AP(s) | online aps | Returns a list of the AP(s) that are online.
View AP(s) belonging to a group | Enter list aps in group followed by group name. Example: list aps in group default | Returns a list of the AP(s) that are belonging to the group.
View AP(s) tagged with a particular label | Enter list aps in label followed by the label name. Example: list aps in label lobby | Returns a list of the AP(s) that are tagged with the label.
View AP(s) by model number | Enter show ap model followed by the model number. Example: show ap model ap-105 | Returns a list of the AP(s) whose model number matches the search term.
Search by AP name | Enter the name of the AP. Example: printer-room | Returns the AP whose name matches the search term.
Search by AP MAC address | Enter ap followed by the MAC address. Example: ap 94:b4:0f:d9:ba:cc | Returns the AP whose MAC address matches the search term.
Search by AP serial number | Enter ap serial followed by the serial number. Example: ap serial CNJJKPN1G5 | Returns the AP whose serial number matches the search term.

Switch
View switch(es) facing issues in the network | switch issues; switch anomalies; problem switches | Returns a list of switch(es) that are offline, switch(es) experiencing high CPU and memory utilization, switch(es) facing PoE issues, and so on.
View switch(es) in a site | Enter list switches in site or show switches in site followed by the site name. Example: list switches in site California | Returns a list of switch(es) in the site.
View a list of online switch(es) | online switches | Returns a list of switch(es) that are online.
View switch(es) belonging to a group | Enter list switches in group followed by group name. Example: list switches in group default | Returns a list of switch(es) belonging to the group.
View switch(es) tagged with a label | Enter list switches in label followed by the label name. Example: list switches in label store | Returns a list of switch(es) that are tagged with the label.
Search by switch name | Enter the name of the switch. Example: store-switch | Returns the switch whose name matches the search term.
Search by switch MAC address | Enter switches followed by the MAC address. Example: switch f8:60:f0:b6:22:00 | Returns the switch whose MAC address matches the search term.
Search by switch serial number | Enter switch serial followed by the serial number. Example: switch serial CN90HKX045 | Returns the switch whose serial number matches the search term.

Gateway
View gateway(s) facing issues in the network | gateway issues; gateway anomalies; problem gateways | Returns a list of gateway(s) that are down, gateway(s) experiencing high CPU and memory utilization, gateway tunnel(s) that are down, and so on.
View gateway(s) in a site | Enter list gateways in site or show gateways in site followed by the site name. Example: list gateways in site California | Returns a list of gateway(s) in the site.
Configure gateway(s) in a particular group | Enter configure gateways in group followed by the site name. Example: configure gateways in group default | Returns a link to the gateway configuration page.
View a list of online gateway(s) | online gateways | Returns a list of gateway(s) that are online.
View gateway(s) belonging to a group | Enter list gateways in group followed by group name. Example: list gateways in group default | Returns a list of gateway(s) belonging to the group.
View gateway(s) tagged with a label | Enter list gateways in label followed by the label name. Example: list gateways in label lobby | Returns a list of gateway(s) that are tagged with the label.
Search by gateway name | Enter the name of the gateway. Example: branch | Returns the gateway whose name matches the search term.
Search by gateway MAC address | Enter gateway followed by the MAC address. Example: gateway 00:0b:86:f9:0d:d2 | Returns the gateway whose MAC address matches the search term.
Search by gateway serial number | Enter gateway serial followed by the serial number. Example: gateway serial CZ0003248 | Returns the gateway whose serial number matches the search term.
Network & Services Search Terms

The following table provides a list of recommended search terms with the corresponding search results for network and services.

Table 45: Network & Services Search Terms
Search Terms | Result
service issues | Returns the following links: Wi-Fi Connectivity dashboard; AI Insights dashboard. Click View to open the corresponding page.
dhcp issues | Returns a link to the insight. Click View to open the insight and identify the DHCP failures impacting the network.
dns issues | Returns links to the following insights. Click View to open the corresponding insight and identify DNS anomalies.
authentication issues | Returns links to the following insights. Click View to open the corresponding insight and identify authentication anomalies.

Site Search Terms

The search bar helps you to search all sites monitored by Aruba Central. The sample search terms on this page give you a list of terms for troubleshooting site issues in the Network Operations app.

Using the search bar you can perform the following tasks for a site:
- Hover over a site search card to view more details and links to the monitoring and troubleshooting pages.
- Click the site name to open the Site Health page.
- Click View to open the corresponding page in Aruba Central. For example, clicking the View button corresponding to Site Issues opens the AI Insights dashboard.

Search Cards for Sites

The search results in Aruba Central display certain cards with monitoring information and links to the troubleshooting pages for the site. You can click the links to navigate to that particular page of the site in the Network Operations app. You can see the search cards when you search with the site name.
Following is an example of the search card that appears when you search with a site name:

Figure 33 Search Card for a Site Name Search

Options available on the site search card:
- Site Health: Opens the Site Health page.
- Summary: Opens the Summary page for the site.
- Topology: Opens the Topology page for the site.
- Events: Opens the Alerts & Events page for the site.
- Reports: Opens the Reports page for the site.

The following table lists the search terms for a site.

Table 46: Site Search Terms
Typical Queries | Search Terms | Result
View problems in a site | Enter any problems in site followed by the site name. Example: any problems in site California | Returns the link to navigate to the AI Insights dashboard for the site.
View client(s) in a site | Enter list clients in site followed by the site name. Example: list clients in site California | Returns a list of all client(s) in the site.
View offline client(s) in a site | Enter show offline clients in site followed by the site name. Example: show offline clients in site California | Returns a list of offline client(s) in the site.
View connected client(s) in a site | Enter show connected clients in site followed by the site name. Example: show connected clients in site California | Returns a list of connected client(s) in the site.
View AP(s) in a site | Enter list aps in site or show aps in site followed by the site name. Example: list aps in site California | Returns a list of AP(s) in the site.
View switch(es) in a site | Enter list switches in site or show switches in site followed by the site name. Example: list switches in site California | Returns a list of switch(es) in the site.
View gateway(s) in a site | Enter list gateways in site or show gateways in site followed by the site name. Example: list gateways in site California | Returns a list of gateway(s) in the site.
View alerts at a specific site | Enter list gateways in site or show gateways in site followed by the site name. Example: list gateways in site California | Returns a list of gateway(s) in the site.

Navigation Search Terms

The following table provides a list of recommended search terms with the corresponding search results. These sample search terms can help you navigate through Aruba Central. Based on the displayed results, click View to open the corresponding page in Aruba Central.

Table 47: Navigation Search Terms
Search Terms | UI Page
network health | Network Health > List
access points usage statistics ap device summary | Devices > Access Points > Summary
list alerts | Global > Alerts & Events > Summary
client overview | Clients > Summary
bandwidth usage | Global > Overview > Summary
configure ssid | Group > Devices > Access Points > Config > WLANs > Wireless SSIDs
configure vpn | Group > Devices > Access Points > Config > VPN
assign virtual controller config ap ports | Group > Devices > Access Points > Interfaces > Wired
radios profile | Group > Devices > Access Points > Config > Radios
manage firmware for virtual controller | Global > Firmware > Access Points
where can I configure switch | Devices > Switches > Config
configure switch stacks | Devices > Switches > Stacks > Config
enable cdp for switches | Devices > Switches > System > CDP
configuration conflicts for switches | Devices > Switches > Configuration Audit
switch dhcp pools | Devices > Switches > IP Settings > DHCP Pools
switch security dhcp | Devices > Switches > Security > DHCP Snooping
how to configure switch igmp | Devices > Switches > IGMP
switch port priority | Devices > Switches > Interface > PoE
manage switch ports | Devices > Switches > Interface > Ports
configure VLANs | Devices > Switches > Interface > VLANs
configure gateways | Devices > Gateways > Config
config audit gateway | Devices > Gateways > Config > Advanced Mode > Config Audit
wan transport health | Devices > Gateways > Summary
wan performance | Global > Overview > WAN Health > List
show branch uplinks utilization | Global > Overview > WAN Health > Summary
virtual gateway settings | Global > Network Services > Virtual Gateways
how to upgrade gateway | Global > Firmware > Gateways
overlay route orchestrator topology | Global > Network Services > SD-WAN Overlay > Route
topology | Site > Overview > Topology
list all saas apps saas express summary | Global > Applications > SaaS Express > Map
ssh threats | Global > Security > Gateway IDS/IPS > Threats List
current threat map | Global > Security > Gateway IDS/IPS > Summary
configure presence analytics | Global > Guests > Presence Analytics > Config
view wifi connected devices | Global > Guests > Presence Analytics > Summary
setup guest access | Global > Guests > Guest Access
setup guest network | Group > Guests > Config > Guest Networks
ucc settings enable call prioritization for ucc | Global > Applications > UCC > Config > Settings
list ucc call | Global > Applications > UCC > List
tutorials | WalkMe Menu for launching guided tutorials

Next-Generation Support Experience

Live Chat and Case Management are supported in this release as selectively available features. Contact your Aruba Account Manager to enable it in your Aruba Central account.

Aruba Central now offers next-generation support experience for its users with its Live Chat feature. This feature allows you to contact Aruba support agents directly and manage support cases from within the Network Operations user interface. Key components of this feature include:
- Overview of Live Chat Support
- Overview of In-Product Case Management

Overview of Live Chat Support

Aruba Central users can now initiate a direct conversation with Aruba support agents from within the Network Operations user interface. The Live Chat feature provides faster resolution to problems.
Key features are as follows:
- Easily accessible and convenient to use
- Transfers recent search history and context to the support agent
- Creates a support case automatically
- Supports bidirectional file transfer
- Stores previous conversations
- Allows users to provide feedback and rate the support experience

Using Live Chat Support

To initiate a chat conversation, complete the following steps:
1. Log in to your Aruba Central account.
2. Launch the Network Operations app.
3. Click the Help and Support icon.
4. Click New conversation.

As soon as a support agent connects, the chat interface is displayed. The following table describes the key elements of the Live Chat interface:

Table 48: Chat Interface

- Support agent is unavailable. Try again after some time. Alternatively, you can choose to create a support case.
- Support agent is available. Click New conversation to start the conversation.
- Describe your problem or enter your query in the text box. The character limit is 32000. Select the impact on the network. Select one of the following options to proceed:
  - Network outage
  - Degraded network services
  - No network impact
- If you select Network outage as the impact on the network, the chat interface automatically recommends that you contact support. However, if you prefer to have a chat conversation, you can describe the problem and click Continue.
- The support agent has accepted the request and a case is automatically created. The case number is displayed in the chat window title. Enter your query in the text box. The character limit is 6000.
- Click the Attach File icon to attach files. You can attach up to four files at a time. Click Upload to initiate the file transfer. A progress bar displays the progress.
  NOTE: The maximum upload file size is 12 GB. This option enables you to transfer supporting files and logs for debugging. There are a few file formats that you cannot upload, such as JavaScript and executable files. If the format is not supported, an error message is displayed.
- You can choose to end the conversation by clicking End. You also have an option to save the chat transcript locally for future reference. The conversation is also stored by Aruba Central and you can view all the conversations if you click See previous conversations.
- After you end the conversation, you can let us know whether the issue has been resolved. You can also provide feedback and rate the support experience.

Overview of In-Product Case Management

Aruba Central users can now create and manage support cases from within the Network Operations user interface. The in-product case management interface allows users to instantaneously create a case and track the progress.

Key features are as follows:
- Easily accessible and convenient to use
- Creates a support case instantaneously
- Allows users to view recent cases

Using In-Product Case Management

To create a support case, complete the following steps:
1. Log in to your Aruba Central account.
2. Launch the Network Operations app.
3. Click the Help and Support icon.
4. Click Create new case.
   Figure 34 Create New Case
5. Provide a brief summary of the problem. The character limit is 255.
6. Describe the problem in more detail and provide steps to reproduce the issue. The character limit is 32000.
7. Select an impact on the network:
   - If you select Network outage, the case management tool automatically recommends that you contact support.
   - Degraded network services
   - No network impact
8. Click Submit.
   Figure 35 New Support Case

A case is created and the case number is displayed for future reference.
Alternatively, you can click See recent cases to view all the cases opened recently.

Chapter 5
Administering Aruba Central

Aruba Central is a cloud-native network operations and assurance solution for wired, wireless, and SD-WAN networks. Aruba Central unifies traditional management with AI-based network and user insights, and IoT device profiling in a single interface for simplified and secure management and control.

Apps

From the Account Home page, you can manage network inventory, subscriptions, and user access. You can provision or launch the following apps:
- Network Operations
- ClearPass Device Insight

The application(s) displayed in the Apps section of the page are dependent on the app(s) that you selected while signing up for Aruba Central. For more information, see Creating an Aruba Central Account.

To provision an app, click Get Started. After the app is provisioned, click Launch to navigate to the corresponding application UI. If the app provisioning fails, you can retry or contact Aruba Technical Support.

Figure 36 All Apps

Network Operations

Network Operations is a unified network operations, assurance and security platform that simplifies the deployment, management, and service assurance of wireless, wired and SD-WAN environments. Network Operations provides a cloud-based network management platform for managing your wireless, WAN, and wired networks with Aruba APs, Gateways, and Switches. Along with device and network management functions, the app also offers value-added services such as customized guest access, client presence, and service assurance analytics. For more information, see Aruba Central Help Center.

ClearPass Device Insight

ClearPass Device Insight enables network and security administrators to discover, monitor, and automatically classify new and existing devices that connect to a network.
You can identify devices that include IoT devices, medical devices, printers, smart devices, laptops, VoIP phones, computers, gaming consoles, routers, servers, and switches. For more information, see Aruba ClearPass Device Insight Information Center.

Global Settings

In Aruba Central, most of the general administration tasks are grouped under Global Settings. The following table lists all the options and relevant app(s) to which the option is applicable:

Table 49: Options & Apps

| Option | App(s) |
|---|---|
| User and Roles | Network Operations; ClearPass Device Insight |
| Key Management | Network Operations; ClearPass Device Insight |
| Device Inventory | Network Operations |
| License Assignment | Network Operations |
| Data Collectors | Data Collectors option appears only if the ClearPass Device Insight app is provisioned. |
| Audit Trail | Network Operations |
| Single Sign On | Network Operations |
| API Gateway | API Gateway option appears only if the Network Operations app is provisioned and if the API Gateway license is enabled. |
| Webhooks | Network Operations |

Users and Roles

Aruba Central users are broadly categorized as follows:
- Network Administrators--Network administrators manage, configure, and monitor devices in their respective network or organization using the Aruba Central Standard Enterprise interface.
- Service Provider Administrators--Service Provider administrators are referred to as the MSP administrators who create, manage, and monitor accounts for multiple organizations (tenants). For MSP accounts, the Network Operations app provides a separate interface called the MSP View, using which MSP administrators can provision and manage their respective tenant accounts. Tenant account users' access is limited to their respective account or network setup. For more information on creating tenant accounts, see the Aruba Central MSP User Guide.
Within each Aruba Central account, the admin users of the respective accounts can configure and manage the following types of users:
- System users--Users who authenticate to the Aruba SSO server (public cloud deployments) or LocalDB servers (private cloud deployments). System users can access both the UI and API interface with their Aruba Central login credentials. Access for the system users is determined by the role to which they are mapped. For more information on configuring system users, see Configuring System Users.
- External users--Users who log in to Aruba Central using an external authentication source. External user accounts are maintained by IT administrators of the respective organizations. External users are also referred to as federated users. To provide a secure and seamless sign-on experience for external users, Aruba Central supports a federation configuration module based on the SAML SSO framework. For more information on configuring the SAML SSO framework for federated users, see the Aruba Central SAML SSO Solution Guide.

The following table lists the tasks that you can perform from the Users and Roles page:

Table 50: Users and Roles--Tasks

| Task | For more information... |
|---|---|
| Create, modify, or delete users | Configuring System Users |
| Create, modify, or delete user roles | Configuring User Roles |
| Resend email invitation to users | Resend Email Invite |
| Enable Two-Factor Authentication (2FA) | Two-Factor Authentication |
| Enable support access to debug issues | Support Access |

Configuring System Users

In the Account Home page, the Users and Roles option under Global Settings allows you to create, modify, and delete users. This section describes the procedure for configuring users in an enterprise account. For information on how to configure system users in the MSP mode, see the Aruba Central Managed Service Provider User Guide.

Adding a System User

To add a user, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
   The Users and Roles page is displayed.
2. Click Add User. The New User window is displayed.
3. Configure the following parameters:
   - Username--Email ID of the user. Enter a valid email address.
   - Description--Description of the user role. You can enter up to a maximum of 32 characters including letters, numbers, and special characters in the text field.
   - Language--Select a language. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese.
   - Account Home--Select a user role for the Account Home page. If there are common modules between Account Home and other app(s), the Account Home user role has higher precedence. For example, the Devices and Subscription module in the Network Operations app. If an application is not provisioned, that application is not listed in the New User pop-up window.
   - Network Operations--Select a user role for the Network Operations application. If you assign the user role guestoperator, readonly, or readwrite, select group(s) from the Select Groups drop-down list. By default, the admin user role has access to all groups.
   - ClearPass Device Insight--Select a user role for the ClearPass Device Insight application.
   For more information on user roles, see Configuring User Roles.
4. Click Save. An email invite is sent to the user with a registration link. Users can use this link to access Aruba Central.

Figure 37 New User Window

The registration link in the email invite is valid for 15 days. The link expiry date is also mentioned in the registration email notification:

Figure 38 Aruba Central Registration Email

Resend Email Invite

If any user has not received the email invite, complete the following steps to resend the invite:
1. Click Actions and slide the Resend Invitation To Users toggle button to the right.
2. Enter the email ID and click Resend Invite.
Viewing User Details

In the Account Home page, under Global Settings, click Users and Roles. The Users tab is displayed. The List of Users table displays the following information:
- Email ID of the user.
- Type of user. The user can be a system user or an external user.
- Description of the user.
- Role assigned for the Network Operations app.
- Role assigned for the ClearPass Device Insight app. This option is displayed only if the ClearPass Device Insight app is provisioned and if you have subscribed to the app.
- Role assigned for the Account Home page.
- Allowed groups for the user.
- Last active time of the user. If the last active time cell is blank, the user has not logged in after the product upgrade.

Editing a User

To edit a user account, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users tab opens.
2. In the List of Users table, select the user and click the edit icon.
3. In the Edit User <"Username"> window, modify description, role, or allowed groups.
4. Click Save.

Deleting a User

To delete a user account:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users tab opens.
2. In the List of Users table, select the user and click the delete icon.
3. Confirm user deletion in the Confirm Action dialog box.

Viewing Audit Trail Logs for Users

Audit logs are generated when a new user is created and when an existing user is modified or deleted from the Aruba Central account. Audit logs also record the login and logout activities of users.

To view audit logs for Aruba Central users:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page is displayed.
2. To view audit logs for user addition, modification, or deletion, click the filter in the Classification column, and select User Management.
3. To filter audit logs about user activity, click the filter in the Classification column, and select User Activity.
Configuring User Roles

A role refers to a logical entity used for determining user access to devices and application services in Aruba Central. Users are always tagged to roles that govern the level of user access to the Aruba Central applications and services. Access control for federated users is determined by the attributes set in the IDP.

Aruba Central supports a set of predefined roles with different privileges and access permissions. You can also configure custom roles.

The following sections are covered in this page:
- Predefined Roles
- Module Permissions
- Custom Roles
- Viewing Role Details
- Editing a Role
- Deleting a Role

Predefined Roles

The Users and Roles page allows you to configure the following types of users with system-defined roles:

Table 51: Predefined Roles

Application: Account Home
- admin--Administrator for the Account Home page. If there are common modules between Account Home and other app(s), the Account Home role has higher precedence and the user is granted permission if the operation is initiated from the Account Home page.
- guestoperator--Has guest operator access to the Network Operations application. User does not have access to Account Home > Global Settings.
- readwrite--Can view and modify settings in the Account Home page and all Global Settings pages.
  NOTE: The readwrite role does not have modify permission for the following pages:
  - Users and Roles
  - Single-Sign-On
- readonly--Can view the Account Home page and all Global Settings pages.

Application: Network Operations
- admin--Administrator for the Network Operations application. Has access to Account Home > Global Settings. This is applicable only if the Account Home role is not set or is not conflicting.
- deny-access--Cannot view the Network Operations application.
- guestoperator--Has guest operator access to the Network Operations application. User does not have access to Account Home > Global Settings.
- readonly--Has read-only access to Account Home > Global Settings and the Network Operations application.
- readwrite--Has read-write access to Account Home > Global Settings and the Network Operations application. Has access to view and modify data using the Aruba Central UI or APIs. However, the user cannot execute APIs to:
  - Enable or disable MSP mode.
  - Perform operations in the following pages:
    - Account Home > Users and Roles
    - Network Operations application > Organization > Labels and Sites

Application: ClearPass Device Insight
- admin--Administrator for the ClearPass Device Insight application.
- deny-access--Cannot view the ClearPass Device Insight application.
- readonly--Can launch and view all the pages in the ClearPass Device Insight application.

Module Permissions

Aruba Central enables you to define roles with view or modify permissions. You can also block user access to some modules. If a module is blocked for a specific role, either the corresponding pages are not displayed in the UI, or the user can access the pages but no data is displayed and all actions are disabled for the role.

Aruba Central supports setting permissions for the following modules:

Table 52: Permissions

Application: Account Home
- Devices and Subscription--Enables users to add devices and assign keys and subscriptions to devices in the Account Home page.
- Users--Enables users to define a role with access (View, Modify, or Block) to the user details in the Users tab in the Users and Roles page. To define the role, navigate to Account Home > Global Settings > Users and Roles.
- Roles--Enables users to define a role with access (View, Modify, or Block) to the role details in the Roles tab in the Users and Roles page. To define the role, navigate to Account Home > Global Settings > Users and Roles.
- SSO--Enables users to define a role with access (View, Modify, and Block) to the Single Sign On profiles details in the Users tab in the Single-Sign-On page (Account Home > Single-Sign-On). Enables users to define a role with access (View, Modify, or Block) to the Single Sign On profiles details in the Single Sign On page. To navigate to the Single Sign On page, go to Account Home > Single Sign On.

Application: Network Operations
- MSP--Enables users with administrator role and privileges to define user access to MSP modules such as Customer Management and Portal Customization. The MSP tenant account user does not have access to the MSP application. Even if a tenant account user is assigned a custom role having MSP application privileges:
  - Tenant account user does have access to the MSP application.
  - MSP does not appear in the Account Home > Global Settings > Users and Roles > Roles > Allowed Applications list.
- Group Management--Enables users to create, view, modify, and delete groups and assign devices to groups.
- Devices and Subscription--Users cannot edit or set permissions for this module. Modify and Block options are disabled. By default, the View Only permission is set.
- Network Management--Enables users to configure, troubleshoot, and monitor Aruba Central-managed networks. You can customize the permissions (View or Modify or Block) for the following sub-modules:
  - Configuration
  - Configuration Variables
  - Privileged Configuration
  - Firmware
  - Troubleshooting
  - Other Modules
  NOTE: For the Privileged Configuration, the Block option disables the Admin tab (Gateway > System > Admin) for the user. The user management privileges are disabled for this user for gateways at the device and group level.
- Guest Management--Enables users to configure cloud guest splash page profiles.
- AirGroup--Enables users to define or block user access to the AirGroup pages.
- Presence Analytics--Enables users to access the Presence Analytics app and analyze user presence data.
- Floorplans--Enables users to access Floorplans and RF heatmaps.
- Unified Communications--Enables users to access the Unified Communications pages.
- Install Manager--Enables users to manage installer profiles and site installations.
- Reports--Enables users to view and create reports.
- Other Applications--Enables users to access other applications modules such as notifications and Virtual Gateway deployment service.

Application: ClearPass Device Insight
NOTE: This option is displayed only if the ClearPass Device Insight app is provisioned and if you have subscribed to the app.
- Classified devices--Enables users to view or modify system and user-classified devices.
- Generic devices--Enables users to view or modify devices which are not classified by system or user.
- User classified devices--Enables users to view or modify user-classified devices.
- Discovery settings--Enables users to view, create, modify, or delete discovery settings.
- Application settings--Enables users to view or modify application level user settings.
- Reports--Enables users to create and view reports.
- Other Applications--Enables users to define or block access to other applications.

Custom Roles

Along with the predefined roles, Aruba Central also enables you to create custom roles with specific security requirements and access control. However, only users with the administrator role and privileges can create, modify, clone, or delete a custom role in Aruba Central.

With custom roles, you can configure access control at the application level and specify access rights to view or modify specific application services or modules. For example, you can create a custom role that enables access to a specific application such as Guest Management or Network Management and assign it to a user.

MSP tenant account users cannot add, edit, or delete roles.
Adding a Custom Role

The following are the permissions that you can associate with a custom role:
- Roles with Modify permission can perform add, edit, or delete actions within the specific module.
- Roles with View Only permission can only view the specific module.
- Roles with Block permission cannot view that particular module or can view the corresponding pages but no data is displayed and all actions are disabled.

To add a custom role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. Click Add Role. The New Role window is displayed.
4. Specify a name for the role.
5. From the drop-down list, select one of the following:
   - Account Home--To manage access to devices and subscriptions in Aruba Central.
   - Network Operations--To set permissions at the module level in the Network Operations application.
   - ClearPass Device Insight--To set permissions at the module level in the ClearPass Device Insight application. This option is displayed only if the ClearPass Device Insight app is provisioned and if you have subscribed to the app.
6. For Network Management and MSP modules, you can set access rights at the module level. To set view or edit permissions or block the users from accessing a specific module, complete the following steps:
   a. Click Customize.
   b. Select one of the following options for each module as required:
      - View Only
      - Modify
      - Block
7. Click Save.
8. Assign the role to a user account as required.

Viewing Role Details

To view the details of a role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab. The Roles tab displays the following information:
   - Role Name--Name of the role.
   - Allowed Applications--The application(s) to which the user account is subscribed.
   - Assigned Users--Number of users assigned to a role.
Editing a Role

To edit a role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the edit icon.
4. In the Edit Role <"Rolename"> window, modify the permissions set for module(s).
5. Click Save.

Deleting a Role

To delete a role, ensure that the role is not associated with any user and complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the delete icon.
4. Confirm role deletion in the Confirm Action dialog box.

Two-Factor Authentication

Aruba Central now supports multi-factor authentication (MFA) for both computers and mobile phones. The two-factor authentication feature in Aruba Central offers a second layer of security to your login, in addition to the password. When two-factor authentication is enabled on a user account, users can sign in to their Aruba Central account, either through the mobile app or the web application, only after providing their password and the six-digit verification code displayed on their trusted devices.

When two-factor authentication is enabled at the customer account level, all the users belonging to the customer account are required to complete the authentication procedure when logging in to Aruba Central. If a user account is associated with multiple customer accounts and if two-factor authentication is enabled on one of these accounts, the user must complete the two-factor authentication during the login procedure.

If two-factor authentication is enabled on your accounts, you must install the Google Authenticator app on your devices such as mobile phones to access the Aruba Central application.
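The six-digit verification code that Google Authenticator displays is a time-based one-time password derived from a shared secret key. The following added example (not Aruba Central code) computes and checks such codes per RFC 6238, assuming HMAC-SHA-1, a 30-second time step, and six digits. The acceptance window and replay check are illustrative assumptions rather than documented Aruba Central behavior, and the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30  # assumption: a new code every thirty seconds
DIGITS = 6         # six-digit verification code


def decode_secret(text: str) -> bytes:
    """Decode a base32 secret as typed by hand (spaces, lower case, no padding)."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding base32 requires
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(key, unix_time // STEP_SECONDS)


def verify(key: bytes, submitted: str, unix_time: int,
           window: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Return the time-step counter the code matched, or None if rejected.

    window       -- steps of clock drift tolerated on either side (assumption)
    last_counter -- counter of the last accepted code; a code for that step or
                    an earlier one is refused so a captured code cannot be reused
    """
    if not (submitted.isascii() and submitted.isdigit()
            and len(submitted) == DIGITS):
        return None
    current = unix_time // STEP_SECONDS
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        # compare_digest avoids leaking how many leading digits were correct
        if hmac.compare_digest(hotp(key, counter), submitted):
            matched = counter
    if matched is None:
        return None
    if last_counter is not None and matched <= last_counter:
        return None
    return matched


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test key in base32, entered with spaces.
    key = decode_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    now = 1111111111  # fixed timestamp taken from the RFC test vectors
    code = totp(key, now)
    print("code:", code)
    first = verify(key, code, now)
    print("first use accepted at step:", first)
    print("second use:", verify(key, code, now, last_counter=first))
```

Storing the returned counter per user and passing it back as last_counter is what makes each code single-use within its validity window.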
When users attempt to log in to Aruba Central with their credentials, the Google Authenticator app provides a six-digit verification code to complete the login procedure.

Installing the Google Authenticator App

For two-factor authentication, ensure that the Google Authenticator app is installed on your mobile device. During the registration process, the Aruba Central application shares a secret key with the mobile device of the user over a secure channel when the user logs in to Aruba Central. The key is stored in the Google Authenticator app and used for future logins to the application. This prevents unauthorized access to a user account because the authentication procedure involves two levels.

When you register your mobile device successfully, the Google Authenticator app generates a six-digit token for the second level authentication. The token is generated every thirty seconds.

Enabling Two-factor Authentication for User Accounts

To enable two-factor authentication, complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users and Roles page is displayed.
2. From the Actions menu, slide the Two-Factor Authentication (2FA) toggle button to the right. Two-factor authentication is enabled for all the users associated with the account.

Two-factor Authentication for Aruba Central Web Application

When two-factor authentication is enabled for a customer account, the users associated with that customer account are prompted for two-factor authentication when they log in to Aruba Central.

To complete two-factor authentication, perform the following actions:
1. Access the Aruba Central website.
2. Log in with your credentials. If two-factor authentication is enforced on your account, the two-factor authentication page opens.
3. Install the Google Authenticator app on your mobile device if not already installed.
4. Click Next.
5. If this is your first login since two-factor authentication is enforced on your account, open Google Authenticator on your mobile device.
6. Scan the QR Code. If you are unable to scan the QR code, perform the following actions:
   a. Click the Problem in Reading QR Code link. The secret key is displayed.
   b. Enter the secret key in the Google Authenticator app.
   c. Ensure that the Time-Based parameter is set.
   Aruba Central is added to the list of supported clients and a six-digit token is generated.
7. Click Next.
8. Enter the six-digit token.
9. Select the Remember 2FA for 30 Days check box if you want the authentication to expire only after 30 days.
10. Click Finish.

Two-factor Authentication for the Aruba Central Mobile App

Two-factor authentication must first be enabled for your account. If two-factor authentication is not enabled, you log in to the application directly after a successful SSO authentication.

To log in to the Aruba Central app on your mobile device, perform the following actions:
1. Open the Aruba Central app on your mobile device.
2. Enter your username and password and click Log in. If the registration process is pending, an error message is displayed: Please register for two-factor authentication in our web app to ensure secured authentication.
3. Enter the token. On successful authentication, the Aruba Central app opens.

Registering a New Mobile Device

If you have changed your mobile device, you need to install the Google Authenticator app on your new device and register again for two-factor authentication using a web browser on your desktop.

To register your new mobile device, complete the following steps:
1. Log in to the Aruba Central web application. The two-factor authentication page is displayed.
2. Click the Changed Your Mobile Device? link.
3. To register your new device and receive a reset email with instructions, click Send 2FA Reset Email.
   A reset email with instructions will be sent to your registered email address:
   Figure 39 Reset Two-Factor Authentication Email
4. Follow the instructions in the email and complete the registration.

Support Access

Aruba technical support may ask you to enable Support Access to debug issues. After you enable Support Access, the Aruba support team can access your Aruba Central account remotely. Only users with the administrator role can enable Support Access.

Enabling Support Access

To enable Support Access, complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users and Roles page is displayed.
2. From the Actions menu, slide the Support Access toggle button to the right.
3. Set password expiry by selecting the number of days and click Get Password. A new password is generated.
4. Copy the password and share it with the Aruba technical support representative.

Disabling Support Access

After the remote support session is complete, do the following to disable Support Access:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users and Roles page is displayed.
2. From the Actions menu, slide the Support Access toggle button to the left.

Managing License Keys

A license key is an alphanumeric string with 9 to 14 characters; for example, PQREWD6ADWERAS. Aruba Central can manage a device only if the corresponding license key of the device is added to Aruba Central. License keys can either be evaluation license keys that map to evaluation licenses or paid license keys that map to paid licenses. The evaluation license key is valid for 90 days.

To use Aruba Central for managing, profiling, analyzing, and monitoring your devices, you must ensure that you have a valid license key and that the license key is listed in the Account Home > Global Settings > Key Management page.
Evaluation License Key

The evaluation license key is enabled for trial users by default. It allows you to add up to a total of 60 devices. For an evaluation user, a set of evaluation keys is generated. The Account Home > Global Settings > Key Management page displays the license expiration date in the Key Management table. You will receive license expiry notifications through email 30, 15, and 1 day before the license expiry and on day 1 after the license actually expires. The number of days left for license expiry is also displayed in the respective app under the Apps section of the Account Home page.

Upgrading to a Paid Account

If you have purchased a license for an AP, a switch, or a gateway, then upgrade your account by completing the following steps:
1. On the Account Home page, in the Network Operations app, click the link that shows the number of days left for the evaluation to expire.

   Figure 40 Network Operations Evaluation Account

   The Add a New License window is displayed.
2. Enter the new license key that you purchased from Aruba.
3. Click Add License.

After you upgrade your account, you can add more devices, enable services, and continue using Aruba Central.

Paid License Key

If you have purchased a license key, you must ensure that your license key is added to Aruba Central. If you are logging in for the first time, Aruba Central prompts you to add your license key to activate your account. Ensure that you add the license key before on-boarding devices to Aruba Central. The Account Home > Global Settings > Key Management page displays the license expiration date. You receive the license expiry notifications through email 90, 60, 30, 15, and 1 day before expiry and two notifications each day on day 1 and day 2 after the license expires.
When you upgrade or renew your license, or purchase another license key, you must add the key details in the Account Home > Global Settings > Key Management page to avail the benefits of the new license.

Adding a License Key

1. On the Account Home page, under Global Settings, click Key Management. The Key Management page is displayed.
2. Enter your license key.
3. Click Add Key. The license key is added to Aruba Central and the contents of the license key are displayed in the Manage Keys table. Review the license details.

If you add a Device Management token, the key is listed in the Convert Deprecated Licenses page. For more information, see Converting Legacy Tokens to New Licenses.

Viewing License Key Details

To view the license key details, navigate to Account Home > Global Settings > Key Management. The Key Management page provides information about license keys available for the devices and their details such as license tier, expiration date, and quantity of licenses. The Key Management sections are described in the next topics.

License Summary

For the selected device type or app, or for all devices, the License Summary section lists all the available licenses, the total number of licenses, the number of assigned licenses, and the number of unassigned licenses. The available devices are APs, switches, and gateways. The Applications tab currently lists the license keys for the Network Operations app and the ClearPass Device Insight app (where applicable).

Click a single or multiple licenses in the License Summary section to display the details of the license type in the Key Management table. To unselect the license, click the selected license type again.
Figure 41 License Summary Details for APs

The preceding screenshot shows the following details:
- Total number of AP Foundation Licenses = 101
- Assigned AP Foundation Licenses = 2
- Unassigned AP Foundation Licenses = 99
- Total number of AP Advanced Licenses = 0

Key Management Table Details

The following table describes the contents of the Key Management table:

Table 53: License Key Details
Data Pane Item | Description
Key | License key number.
License Tier Type | Type of the license. Aruba Central supports the following types of licenses: Foundation and Advanced. The Foundation and Advanced licenses for APs, switches, and SD-WAN gateways are different from each other and cannot be used interchangeably.
Expiration | Expiration date for the license key.
License Quantity | Number of licenses available.

To arrange the rows in ascending or descending order, use the sorting icon in the table header rows. You can also use the row header indicated by the filter icon to type in search queries to refine the search.

License Expiry Date

The Key Management table displays the expiration date for each license. As the license expiration date approaches, users receive expiry notifications. Users with an evaluation license receive license expiry notifications through email 30, 15, and 1 day before the license expiry and on day 1 after the license actually expires. Users with paid licenses receive license expiry notifications through email 90, 60, 30, 15, and 1 day before expiry and two notifications per day on day 1 and day 2 after the license expires. If a license for a particular device expires, Aruba Central no longer manages that device.

Converting Legacy Tokens to New Licenses

The conversion of unassigned Device Management tokens to Foundation Licenses for APs, switches, and gateways is a one-time operation for the selected Device Management tokens.
The Device Management token can either be an evaluation token or a purchased token. The Service Management tokens are not converted into the Aruba Central Licenses.

If you do not convert the unassigned Device Management tokens by 31 December 2021, all the tokens are automatically converted to AP Foundation Licenses. If you wish to revert a conversion, you must contact Aruba Technical Support.

To complete the license conversion:
1. On the Account Home page, go to Global Settings > Key Management. The Key Management page is displayed.
2. Click Click here to complete license conversion. The Convert Deprecated Licenses page is displayed.
3. Select the key that you want to convert and click Convert on the row. The Convert Deprecated Licenses window is displayed.
4. Select the option to which you want to convert the unassigned device license for the key.
5. Click Convert. The Convert button is available only when all the licenses are assigned for the selected key.
6. View the Global Settings > License Assignment page. A list of new licenses assigned for the deprecated keys is displayed.

Download Conversion Logs

This option provides information about how legacy Device Management and Services subscription keys are converted to Aruba Central Licenses using either automatic or manual license assignment. The information can be downloaded as a PDF document. The document contains a table which provides the following information:
- Conversion Time: Date and time when the legacy keys are converted to Aruba Central Licenses.
- SKU Type: Legacy key type as Device Management or Service subscription.
- Subscription Key: Legacy subscription key details.
- Start Date: Start date of the legacy subscription.
- End Date: End date of the legacy subscription.
- Remaining Unassigned Quantity: Number of Aruba Central Licenses that are not yet assigned (after the legacy subscription keys are converted).
- Converted Subscriptions: Information about the Aruba Central Licenses to which the legacy keys are converted.

Managing Your Device Inventory

After you add the paid subscription key(s) to your Aruba Central account, device(s) purchased by you are automatically added to the device inventory in the respective Aruba Central account. For more information about subscription keys, see Managing License Keys.

If the device you purchased does not show up in the inventory, you can manually add it. Aruba Central allows you to add up to 32 devices manually by entering the valid MAC and serial number combination for each device.

Users having roles with Modify permission can add devices. Users having roles with View Only permission can only view the Device Inventory module.

Viewing Devices

The devices provisioned in your account are listed in the Account Home > Global Settings > Device Inventory page. A dashboard lists the total number of devices and the number of access points, switches, and gateways in the inventory. The following table describes the columns in the Devices table.

Table 54: Device Details
Parameter | Description
Serial Number | Serial number of the device.
MAC Address | MAC address of the device.
Type | Type of the device, for example Instant AP, switch, or gateway.
Model | Hardware model of the device.
Part Number | Part number of the device.
IMEI | The International Mobile Equipment Identity (IMEI) number of the gateway device. This field is applicable only for 9004-LTE gateways. Click the ellipsis icon in the table to select this column. It is not displayed by default.
IP Address | IP address of the device.
Name | Name of the device.
Group | Group assigned to the device.
Assigned License | License assigned to the device.

Adding Devices to Inventory

For information on adding devices, see Onboarding Devices.
Onboarding Devices

Aruba Central supports the following options for adding devices:
- If you are an evaluating user, you must manually add the serial number and MAC address of the devices that you want to manage from Aruba Central.

This section includes the following topics:
- Adding Devices (Evaluation Account)
- Adding Devices (Paid Subscription)
- Manually Adding Devices

Adding Devices (Evaluation Account)

Use one of the following methods to add devices to Aruba Central:
- Using the Initial Setup Wizard
- Using the Device Inventory Page

Using the Initial Setup Wizard

1. In the Add Devices tab of the Initial Setup wizard, click Add Device.
2. Enter the serial number and MAC address of your devices. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
3. Click Done.
4. Review the devices in your inventory.

Using the Device Inventory Page

1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Add Devices. The Add Devices pop-up window is displayed.
3. Enter the serial number and the MAC address of each device. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
4. Click Done.
5. Review the devices in your inventory.

Adding Devices (Paid Subscription)

If your devices are not added to your inventory, set up a device sync by adding one device from your purchase order. To set up device sync, use one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page

In the Initial Setup Wizard

1. Ensure that you have added a license key and click Next.
2. In the Add Devices tab, enter the serial number and MAC address of any one device from your purchase order. Most Aruba devices have the serial number and MAC address on the front or back of the hardware.
3. Click Add Device. Aruba Central imports all other devices mapped to your purchase order.
4. Review the devices in your inventory.
5. Perform the following options:
   - Add Devices Manually: Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App: Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support: Contact Aruba Technical Support.

From the Device Inventory Page

1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed. Aruba Central imports only devices associated with your account from Activate.
2. Do any one of the following:
   - Click Sync Devices. Enter the serial number and MAC address and click Add Device.
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.
   Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Review the devices in your inventory.
4. Perform the following options:
   - Add Devices Manually: Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App: Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support: Contact Aruba Technical Support.
Manually Adding Devices

Aruba Central allows you to set up only a manual sync of devices from the Activate database using one of the following methods:
- Adding Devices Using MAC address and Serial Number
- Adding Devices Using Activate Account
- Adding Devices Using Cloud Activation Key

You can set up only a manual sync for Aruba Central-managed folders such as the default, licensed, and nonlicensed folders.

Adding Devices Using MAC address and Serial Number

You can find the serial number and MAC address of Aruba devices on the front or back of the hardware. To add devices using MAC address and serial number, use any one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page

In the Initial Setup Wizard

If you are using the Initial Setup wizard:
1. In the Add Devices tab of the Initial Setup wizard, click Add Device.
2. Enter the serial number or the MAC address of your device.
3. Click Done.
4. Review the list of devices.

From the Device Inventory Page

To add devices from the Device Inventory page:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Perform one of the following:
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.
   Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Click Done.
4. Review the devices added to the inventory.
When you add the serial number and MAC address of one AP from a cluster or a switch stack member, Aruba Central imports all devices associated in the AP cluster and switch stack respectively.

Adding Devices Using Activate Account

- Use this device addition method only when you want to migrate your inventory from Aruba AirWave or a standalone AP deployment to the Aruba Central management framework.
- Use this option with caution as it imports all devices from your Activate account to the Aruba Central device inventory.
- You can use this option only once. After the devices are added, Aruba Central does not allow you to modify or reimport the devices using your Aruba Activate credentials.

To add devices from your Activate account:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Advanced and select Using Activate.
3. Enter the username and password of your Activate account.
4. Click Add.
5. Review the devices added to the inventory.

Adding Devices Using Cloud Activation Key

When you import devices using the Cloud Activation Key, all your devices from the same purchase order are added to your Aruba Central inventory. Before adding devices using the cloud activation key, ensure that you have noted the cloud activation key and MAC address of the devices to add.

Locating Cloud Activation Key and MAC Address

To find the cloud activation key:
- For APs:
  1. Log in to the WebUI or CLI.
     - If using the WebUI, go to Maintenance > About.
     - If using the CLI, execute the show about command.
  2. Note the cloud activation key and MAC address.
- For Aruba Switches:
  1. Log in to the switch CLI.
  2. Execute the show system | in Base and show system | in Serial commands.
  3. Note the cloud activation key and MAC address in the command output.
- For Mobility Access Switches:
  1. Log in to the Mobility Access Switch UI or CLI.
     - If using the UI, go to Maintenance > About.
     - If using the CLI, execute the show inventory | include HW and show version commands.
  2. Note the cloud activation key and MAC address.

The activation key is enabled only if the switch has access to the Internet.

Adding Devices Using Cloud Activation Key

1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Advanced and select With Cloud Activation Key. The Cloud Activation Key pop-up window opens.
3. Enter the cloud activation key and MAC address of the device.
4. Click Add.

If a device belongs to another customer account or is used by another service, Aruba Central displays it as a blocked device. As Aruba Central does not support managing and monitoring blocked devices, you may have to release the blocked devices before proceeding with the next steps.

Archiving Devices in Aruba Central

Aruba Central supports archiving devices that are not in use or devices that are yet to be installed. The archiving feature lets network administrators hide devices in the Device Inventory page to keep the device inventory organized. The archived devices are moved to the Archived tab on the Device Inventory page, and these can be unarchived and used whenever required.

Network administrators and users with a custom role and the Modify permission for the Device Inventory page can archive and unarchive devices in Aruba Central.

The virtual gateway devices cannot be archived.

Archiving Devices

Complete the following steps to archive devices in Aruba Central:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click the All tab.
3. Select the devices to be archived.
4. Click the Archive button. The Confirm Action window is displayed. If you click Yes and the selected devices are licensed, then the licenses applied to the devices are removed automatically, and the devices are disconnected from Aruba Central.
The disconnected devices are moved to the Archived tab.

For an MSP account, if a device of a tenant is archived, the device gets unlicensed and is moved back to the MSP account and then archived.

Unarchiving Devices

Complete the following steps to unarchive devices in Aruba Central:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click the Archived tab.
3. Select the devices to be unarchived.
4. Click the Unarchive button. The Confirm Action window is displayed. If you click Yes, the devices are moved out of the Archived tab, and if auto-licensing is enabled, then the devices get licensed automatically.
5. To see the unarchived devices, click the All tab.

For an MSP account, if a device is unarchived, the device is moved back to the MSP account. The device continues to stay unlicensed with the MSP and does not move to the tenant.

Managing License Assignments

Aruba offers two tiers of device licenses as part of the Aruba Central Licenses. The two tiers are Foundation and Advanced Licenses. The devices in Aruba Central that offer Foundation and Advanced Licenses include the following:
- APs
- Switches
- SD-Branch Gateways

The value-added services that previously required service subscriptions are now packaged as part of either a Foundation or an Advanced License. To know more about the different types of licenses available for the devices, and the services packaged with each license, see Overview of Aruba Central Foundation and Advanced Licenses.

Before proceeding with the license assignment, ensure that all the license keys are available in Aruba Central. For more information on how to add license keys to Aruba Central, see Managing License Keys.

For more information about MSP Licenses, see Managing MSP Licenses.
Licensing Workflow in the Initial Setup Wizard

To enable automatic assignment of licenses from the Initial Setup Wizard:
1. Verify that you have a valid license key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the Assign License tab, turn on the Auto Assign License toggle switch.

Licensing Workflow for a New User

If you are a new user in Aruba Central, you can use either the evaluation license or a paid license. For an evaluation user, see the workflow at Starting Your Free Trial. For a paid user, see the workflow at Setting up Your Aruba Central Instance.

If you are a new user in Aruba Central and have purchased one or several licenses, ensure that all of your license keys are added to Aruba Central. For license assignment to devices, you can use one of the following options:
- Use the Auto-Assign Licenses option
- Manually assign, update, or unassign licenses

Enabling the Auto-Assign Licenses Option

The Auto-Assign Licenses option in Aruba Central enables automatic assignment of available licenses to all of the devices available in the inventory. When you enable this option, you must specify the preferred license type as either Foundation or Advanced.

You cannot manually assign licenses to devices if the Auto-Assign Licenses option is enabled.

The licenses for APs, switches, and gateways cannot be used interchangeably. For example, you cannot use an AP Foundation License on a gateway. Similarly, if an Aruba 25xx Switch is in the inventory but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch.

Before enabling the Auto-Assign License option for a specific device type, ensure that there are sufficient available licenses for the specific device type.

To enable automatic assignment of licenses from the License Assignment page:
1. On the Account Home page, under Global Settings, click License Assignment.
The License Assignment page is displayed.
2. Select the device type to assign the license. The available tabs are Access Points, Switches, and Gateways. The total number of devices for each device type is displayed for each of the tabs.
3. On the device tab, slide the Auto-Assign Licenses toggle switch to the On position. The Manage License Assignment (Auto) window is displayed.
4. Select the appropriate license type, Foundation or Advanced, from the drop-down menu, and then click Update. All the unassigned devices of the selected type in the inventory are enabled for automatic assignment of license.

Manually Assigning, Updating, or Unassigning Licenses

The License Assignment page enables you to assign, update, or even unassign a license from a device.

Aruba Central monitors devices with a valid license only.

The licenses for APs, switches, and gateways cannot be used interchangeably. For example, you cannot use an AP Foundation License on a gateway. Similarly, if an Aruba 25xx Switch is in the inventory but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch.

To manually assign licenses to devices or to change the existing license assignment:
1. On the Account Home page, under Global Settings, click License Assignment. The License Assignment page is displayed.
2. Select a device type tab. The available tabs are Access Points, Switches, and Gateways. The total number of devices for each device type is displayed for each of the tabs.
3. Under License Summary, ensure that the Auto-Assign Licenses option is disabled. You cannot manually assign licenses if the Auto-Assign Licenses option is enabled.
4. Select the device for which you want to assign or update the license. Clicking on a device type displays two additional sub-tabs: Licensed and Unlicensed. To manually assign or update licenses for all devices of a type, click Select All.
You can also select devices at random.
5. Click Manage. The Manage License Assignment (Manual) window is displayed.
6. Do one of the following:
   a. To update or assign a license: Select the appropriate license from the drop-down menu and click Update.
   b. To unassign a license: Select Unassign to remove the existing license from that device.

Migration Workflow for an Existing User

Whether you are an evaluation user or a user with purchased licenses, the following is the migration workflow to the new Aruba Central Licenses:

Any existing rules set about Service Management tokens through APIs are discarded during the migration.

1. For all existing APs and switches that are already assigned licenses in the legacy system, the licenses are automatically converted to device-specific Foundation Licenses in the new model. The gateway licenses remain unchanged.
2. To check how the migration was done, and to learn more about the new license keys and corresponding licenses, in the Account Home page, go to Global Settings > Key Management. For more information about the Key Management page, see Managing License Keys.
3. To check how the legacy licenses were converted, navigate to Account Home > Global Settings > Key Management page, and click the Download Conversion Logs link.
4. If there are unassigned evaluation or purchased Device Management tokens, you can convert the legacy tokens to license keys for the new Aruba Central Licenses. Service Management tokens are not converted. Instead, the AP licenses are pre-packaged with additional services. To know more about converting unassigned Device Management tokens, see Converting Legacy Tokens to New Licenses.
5. If you had the auto-licensing option enabled before migration, in the new licensing model the Auto-Assign Licenses option is automatically enabled for APs, switches, and gateways.
The Auto-Assign Licenses option for APs and switches is set with the corresponding device-specific Foundation Licenses. The Auto-Assign Licenses option for gateways is not enabled during the migration. For more information about the Auto-Assign Licenses option, see Enabling the Auto-Assign Licenses Option.
6. If you had the auto-licensing option disabled before migration, this option is also disabled in the new licensing system.

Viewing the License Assignment Details

The License Assignment page consists of three sections for the type of device selected from the tabs. The device can be Access Points, Switches, or Gateways.

License Summary

A summary of the type of licenses available for the selected device type, the number of licenses available, and the number of licenses assigned. The available devices for Aruba Central include APs, switches, and gateways. Clicking on a device type displays two additional sub-tabs: Licensed and Unlicensed.

Clicking on one or more license types in the License Summary section displays the details of the license type in the License Management section. To deselect the license, click the selected license type again.

License Assignment

The License Assignment section provides detailed information about all the devices in the inventory and the license status for each device. This table provides the following information about each device in the inventory:
- Type
- Serial Number
- MAC address
- Model
- Customer
- Assigned License

Use the sorting icon in the table header row to arrange the rows in ascending or descending order. You can also use the row header indicated by the filter icon to type in search queries to refine the search.

Renewing License Assignments

To renew your license, contact your Aruba Sales team.

Automatic License Assignment Workflow

The Auto-Assign Licenses option can be set to either Foundation or Advanced.
This option enables Aruba Central to automatically assign licenses to all the available APs, switches, and gateways.

This section explains how the Auto-Assign Licenses option works with the help of a sample Aruba Central account.

Sample Aruba Central Account Details

Assume an Aruba Central account with the following devices:
- APs: 10
- Aruba 90xx Series Gateway and 1 Aruba 70xx Series Gateway: 1
- Aruba 29xx Series Switches: 2

Now assume that you have the following licenses:
- AP Foundation Licenses: 5
- AP Advanced Licenses: 10
- Gateway Foundation Base Licenses: 5
- Gateway Advanced with Security Licenses: 5
- Switch Foundation Licenses for 6200/29xx: 5

Here are the available scenarios for the Auto-Assign Licenses option. Note that only one can be chosen during actual installation.
- Auto-Assign Licenses Option Set to Foundation
- Auto-Assign Licenses Option Set to Advanced

If you have an Aruba Central account with legacy Device Management tokens, the tokens are utilized during the automatic license assignment workflow if and when there is no availability of licenses. The legacy tokens are converted to Foundation Licenses of the required type and assigned to the devices that did not have any licenses mapped. For more information, see Using Legacy Device Management Tokens.

Auto-Assign Licenses Option Set to Foundation

If you enable the Auto-Assign Licenses option and set the preference to Foundation, this is how the device-to-license mappings are done:
- For APs: First, the Foundation Licenses for APs are used. Since there are five AP Foundation Licenses, five APs are assigned with the Foundation Licenses. For the remaining five APs, the Advanced License pool for APs is used and the five remaining APs are assigned Advanced Licenses.
- For Gateways: First, the Foundation Base Licenses for gateways are used.
Since there are only two gateways and the Foundation Base Gateway Licenses are applicable to both the Aruba 70xx Series and 90xx Series Gateways, two Foundation Base Licenses for gateways are assigned.
- For Switches: First, the Foundation Licenses for switches are used. Since there are only two 29xx Series Switches and two Foundation Licenses for 29xx Series Switches are available, these are assigned.

The following is the final device-to-license mapping:
- APs (10): Five AP Foundation Licenses and five AP Advanced Licenses
- Gateways (2): Two Gateway Foundation Base Licenses
- Switches (2): Two Switch Foundation Licenses for 6200/29xx

Auto-Assign Licenses Option Set to Advanced

If you enable the Auto-Assign Licenses option and set the preference to Advanced, this is how the device-to-license mappings are done:
- For APs: First, the Advanced Licenses for APs are used. Since there are five AP Advanced Licenses, five APs are assigned with the Advanced License. For the remaining five APs, the Foundation License pool for APs is used and the five remaining APs are assigned Foundation Licenses.
- For Gateways: First, the Advanced with Security Licenses for gateways are used. Since there are only two gateways and the Advanced with Security Licenses are applicable to both the Aruba 70xx Series and 90xx Series Gateways, two Advanced with Security Licenses for gateways are assigned.
- For Switches: There are no Advanced Licenses for switches available. Hence, the Foundation Switch Licenses for 6200/29xx are used. Since there are only two switches, two Foundation Licenses for switches are assigned.
The following is the final device-to-license mapping:
- APs (10): Five AP Advanced Licenses and five AP Foundation Licenses
- Gateways (2): Two Gateway Advanced with Security Licenses
- Switches (2): Two Switch Foundation Licenses

Using Legacy Device Management Tokens

When you enable the Auto-Assign Licenses option, and there are no available Foundation or Advanced Licenses left to assign, Aruba Central has the option of checking if legacy Device Management tokens are available and using those tokens instead. The legacy tokens are converted to Foundation Licenses of the required type and assigned to the devices that did not have any licenses mapped.

Assume that you have the following devices:
- APs: 20
- Gateways: 2
- Switches: 2

For the sake of simplicity, the gateway and switch model types are omitted from this example.

Now assume that you have the following licenses:
- AP Foundation Licenses: 5
- AP Advanced Licenses: 10
- Legacy Device Management Tokens: 20

If you enable the Auto-Assign Licenses option and set the preference to Foundation Licenses, this is how the device-to-license mappings are done:
- For APs: First, the Foundation Licenses for APs are used. Since there are five AP Foundation Licenses, five APs are assigned with the Foundation Licenses. Next, the 10 AP Advanced Licenses are assigned. For the remaining five APs, there are no licenses available. Aruba Central then converts five legacy Device Management tokens to five AP Foundation Licenses and assigns them to the remaining five APs. There are now 15 legacy Device Management tokens available.
- For Gateways: There are no available gateway licenses. Aruba Central converts two legacy Device Management tokens to two Gateway Foundation Licenses and assigns them to the two gateways. There are now 13 legacy Device Management tokens available.
- For Switches: There are no available switch licenses.
Aruba Central converts two legacy Device Management tokens to two Switch Foundation Licenses and assigns them to the two switches. There are now 11 legacy Device Management tokens available.

The following is the final device-to-license mapping:
- APs (20) - 10 AP Foundation Licenses, five AP Advanced Licenses
- Gateways (2) - Two Gateway Foundation Licenses
- Switches (2) - Two Switch Foundation Licenses
- Legacy Device Management Tokens left - 11

Data Collectors

Data collectors host applications that process network data. Data collectors are available as a physical appliance or a virtual appliance. To create a data collector, set up and install the physical appliance or virtual appliance on-premises at your organization, and then install an Aruba application.

Managing Data Collectors

High-Level Process Flow

The following is a high-level process flow for managing data collectors:
1. Set up on-premises the physical or virtual appliance that will become the data collector. For more information, see Setting Up Appliances.
2. Create the data collector by installing an Aruba application on the physical or virtual appliance. For more information, see Creating Data Collectors.
3. Verify the status of the data collector. The status is Running if the data collector was created successfully. For more information, see Viewing Data Collectors.
4. Repeat Steps 1 through 3 until you have created all of the data collectors that you require.
5. Set the auto-update preference for the data collectors. For more information, see Updating Data Collectors.
6. Monitor the status and performance of the different data collectors. For more information, see Viewing Data Collectors.
7. (Optional) Manually update one or all of the data collectors as required. This overrides the global auto-update preference you have set for all data collectors. For more information, see Updating Data Collectors.
8. (Optional) Delete the installed Aruba application from the data collector.
This enables the appliance to be available to become a data collector again in the future for the same Aruba application or for a different Aruba application. For more information, see Deleting Data Collectors.

About Data Collectors Page

The Data Collectors page enables you to manage the data collectors for your organization. Using this page you can:
- Create a registration token required for setting up a physical or virtual appliance.
- Download the virtual appliance required for setting up a virtual appliance.
- Create data collectors by installing an Aruba application on a physical or virtual appliance.
- View data collectors (both managed and unmanaged).
- Set the data collectors update preference and update data collectors.
- Uninstall the Aruba application running on a data collector. When you uninstall the application, the appliance is freed up and can be used for creating another data collector in the future.

This page contains the following four cards, which can be used to perform different data collector functions:
- Managed Collectors
- Other Collectors
- Create Collector
- Configure Appliance

Managed Collectors Card

You can view and update the managed data collectors that you have created in the Managed Collectors card. The Managed Collectors card provides a Dashboard and a List view of the data collectors. Click the grid view icon in the upper right-hand corner of the card to open the List view.

Dashboard

The Dashboard displays a donut chart showing the data collectors by status, by applications, or by update. By default, the data collectors by status are displayed in the chart. To change the display option for the chart, click the down arrow in the heading of the card and select another display option. Display options are: By Status, By Apps, and By Update.

By Status

The donut chart shows the data collectors by status. Next to the chart is a legend indicating the different data collector statuses.
Statuses are: Starting (grey), Online (green), Offline (red), and Warning (yellow). Hover over the different color sections of the donut chart and a tool tip is displayed indicating the number of data collectors for each status. The total number of data collectors is displayed in the center of the chart.

By Apps (Applications)

The donut chart displays the data collectors by applications. Next to the chart is a legend indicating the different Aruba applications. Aruba applications include: ClearPass Device Insight. Each application is displayed in a different color. Hover over the different color sections of the donut chart and a tool tip is displayed indicating the number of data collectors for each Aruba application. The total number of data collectors is displayed in the center of the chart.

By Update

The donut chart shows the data collectors by update status. Next to the chart is a legend indicating the different update statuses. Statuses are: Up to date (yellow), Update in progress (red), and Update available (green). Hover over the different color sections of the donut chart and a tool tip is displayed indicating the number of data collectors for each update status. The total number of data collectors is displayed in the center of the chart.

The Auto-Update field is displayed in the lower right corner of the card when you select this display option. By default, As soon as available is displayed in this field. When you click this field, the Collector Update dialog opens. Use the Collector Update dialog to set when you want updates to be installed for all data collectors. For more information about setting the data collectors global update preference, see Updating Data Collectors.

List View

The List view displays all of the data collectors in a grid format. The List view lists the data collectors that are currently represented in the Dashboard.
At the top of the List view are the following buttons:
- Update All: Click this button to update all of the data collectors at once. To update a specific data collector, you can expand a row in the grid and click the Update Now button for that specific data collector. For more information, see Updating Data Collectors.
- Create Collector: Opens the Create Collector dialog where you can create a data collector. For more information, see Creating Data Collectors.

The following table describes the information that is displayed in the List view:

Table 55: List View

Field                 Description
Name                  Data collector name.
Status                Status of the data collector. Statuses are: Starting, Online, Offline and Warning.
Applications          Aruba application installed on the data collector.
Desired Update Time   Desired update time for that specific collector. For more information, see Updating Data Collectors.
Update Status         Update status for the data collector. Statuses are: Up to date, Update in progress, Update available.

When you hover over a row in the grid, the following icons are displayed in the row of the grid:
- Delete icon is displayed to the right of Applications. Click the Delete icon to uninstall the Aruba application running on that data collector. When you uninstall the application, the appliance is freed up and can be used for creating another data collector in the future. For more information, see Deleting Data Collectors.

Additional details for a data collector can be viewed by expanding a row in the grid. Click the plus icon next to a row in the grid to expand a row. When you expand the row, the row expands and the additional details for the data collector are displayed.

Additional Details

In the expanded row, additional overview details for the data collector are displayed. In the Collector Details area, the data collector name, status, creation date, and the Aruba application installed on the data collector are displayed.
To the right in the expanded row, the Appliance In Collector table is displayed. The following table describes the information displayed in the table:

Table 56: Appliance In Collector Table

Field        Description
Name         Appliance name.
IP Address   IP address of the appliance.
Model        Appliance model name. VMware Virtual Platform is displayed for virtual appliances.

At the bottom of the expanded row, the Update Now button is either available or unavailable depending on whether there is an update available for the data collector. If there is no update available, the Update Now button is unavailable and No update available is displayed in the Version field. If there is an update available, the Update Now button is available and the update version is displayed in the Version field. Click the Update Now button to update that specific data collector. To update all data collectors, you can click the Update All button at the top of the List view. For more information, see Updating Data Collectors.

Other Collectors Card

The Other Collectors card displays an overview of the number of unmanaged data collectors that are connected and not connected. The counts that are displayed in this card are:
- Connected (Number of unmanaged data collectors that are connected)
- Not Connected (Number of unmanaged data collectors that are not connected)

The following actions can be performed within the card:
- Click the Connected number to open the Other Collectors dialog where you can view the data collectors that are connected.
- Click the Not Connected number to open the Other Collectors dialog where you can view the data collectors that are not connected.

For more information, see Viewing Data Collectors.

Create Collector Card

The Create Collector card displays the number of appliances that are available to be used for creating a data collector. The appliance number is updated after you have successfully set up a physical appliance or virtual appliance.
For more information about setting up appliances, see Setting Up Appliances. Click the Create Collector button to open the Create Collector dialog where you can create a data collector. For more information, see Creating Data Collectors.

Configure Appliance Card

The Configure Appliance card contains a Download Virtual Appliance link and a Registration Token button. Click the Registration Token button to create a registration token. The registration token is required when setting up a physical appliance or virtual appliance. Click the Download Virtual Appliance link to open the Download Virtual Appliance dialog where you can download either the small virtual appliance file (.ova file) or medium virtual appliance file (.ova file) that is required when setting up a virtual appliance. For more information about setting up appliances, see Setting Up Appliances.

Setting Up Appliances

Data collectors are available as physical appliances or virtual appliances. Appliances must be set up before you can create a data collector. This section contains:
- Creating Registration Tokens
- Downloading Virtual Appliances
- Setting Up Physical Appliances
- Setting Up Virtual Appliances
- Using Command Line Interface Options

Creating Registration Tokens

A registration token is required when setting up a physical appliance or a virtual appliance. To create a registration token:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. If no data collectors have been created, the Get Started dialog is displayed. Otherwise, the Data Collectors page is displayed.
3. Click Registration Token in the Get Started dialog or the Configure Appliance card of the Data Collectors page. The registration token is created. The Registration Token dialog opens with the token that was created displayed. The date and time the registration token expires is displayed at the bottom of the dialog.
4. Click Copy Token.
You can now enter this registration token when setting up a physical appliance or virtual appliance during the registration of the appliance (Option 3 (register)) on the Collector CLI. For more information about setting up appliances, see Setting Up Appliances.
5. Click Close.

Downloading Virtual Appliances

The virtual appliance file (.ova file) is required for setting up a virtual appliance. To download a virtual appliance:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. If no data collectors have been created, the Get Started dialog is displayed. Otherwise, the Data Collectors page is displayed.
3. Click get a virtual appliance in the Getting Started dialog or the Download Virtual Appliance link in the Configure Appliance card of the Data Collectors page. The Download Virtual Appliance dialog opens displaying a Small virtual appliance card and a Medium virtual appliance card. The small virtual appliance requires: 8 Core CPU, 16 GB Memory, and 256 GB disk. The medium virtual appliance requires: 24 Core CPU, 64 GB Memory, and 480 GB disk. Download the virtual appliance by performing the following:
   a. Hover over the Small card or the Medium card. The Download File link is displayed in the card.
   b. Click the Download File link in the Small card or Medium card. The virtual appliance file (.ova) is downloaded. When setting up a virtual appliance using VMware, you will browse for and select this virtual appliance file (.ova file). For more information about setting up virtual appliances, see Setting Up Appliances.
4. Click Close.

Setting Up Physical Appliances

Data collectors are available as physical appliances or virtual appliances. Before you can use an Aruba application that uses data collectors, you need to set up appliances. To set up a physical appliance, you use several command line options from the Collector CLI on the appliance after it is installed.
On the Collector CLI there are seven options that are available for selection. The options available are listed below:

Options:
1. Configure Hostname    4. Configure Proxy        7. Advanced Options
2. Configure Network     5. Change Timezone/NTP    0. Exit
3. Register              6. Test Connectivity

You use options 1 through 6 to set up a physical appliance. Perform the options in the order in which they are displayed. For more information about the advanced options, see Using Command Line Interface Options.

Before You Begin

Before you begin to set up a physical appliance, you need to create a Registration Token. For more information, see Creating Registration Tokens.

About the Physical Appliance

Aruba provides one physical appliance for Aruba ClearPass Device Insight, the Aruba Central Data Collector physical appliance.

Table 57: Physical Appliance Specifications

Model             vCPU   Memory   Disk     NICs
DC2000 (Medium)   24     64 GB    480 GB   8 (2 mgmt, 6 data)

Setting Up Physical Appliances

This section discusses how to set up a physical appliance. If you are using a proxy, configure the proxy prior to doing the registration. Additionally, it is recommended that you configure the time zone and NTP prior to registration if you plan on changing them.

To set up a physical appliance:
1. Install on-premises the physical appliance.
2. Power on the appliance and log in to the appliance using these credentials:
   - Username = aruba
   - Password = aruba
3. Configure the hostname for the appliance using Option 1 (Configure Hostname) on the Collector CLI.
4. Configure the network interfaces for the appliance using Option 2 (Configure Network) on the Collector CLI:
   - Configure the eth0 Ethernet interface.
   - (Optional) Configure the eth1 Ethernet interface.
5. Configure Domain Name System (DNS) for the appliance using Option 2 (Configure Network) on the Collector CLI.
6. Configure routes for the appliance using Option 2 (Configure Network) on the Collector CLI.
You only need to configure routes if you have configured the eth1 Ethernet interface.
7. Test the connectivity of the appliance to the Cloud URL discovery server using Option 6 (Test Connectivity) on the Collector CLI.
8. Register the appliance using Option 3 (Register) on the Collector CLI.
9. Test the connectivity of the appliance to the Aruba cloud using Option 6 (Test Connectivity) on the Collector CLI.
10. Configure the proxy server using Option 4 (Configure Proxy) on the Collector CLI.
11. Change the time zone for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.
12. Configure the Network Time Protocol (NTP) server for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.

For more information about the different command line options, see Using Command Line Interface Options.

Setting Up Virtual Appliances

Data collectors are available as virtual appliances or physical appliances. Before you can use an Aruba application that uses data collectors, you need to set up appliances. You can set up virtual appliances using two different methods. You can set up a virtual appliance using the VMware ESXi Host Web Client or the VMware vSphere Desktop Client for Windows. Using either of these methods, you create the virtual machine and then you complete the setup using several command line options from the Collector CLI from the virtual machine.

On the Collector CLI there are seven options that are available for selection. The options available are listed below:

Options:
1. Configure Hostname    4. Configure Proxy        7. Advanced Options
2. Configure Network     5. Change Timezone/NTP    0. Exit
3. Register              6. Test Connectivity

You use options 1 through 6 to set up a virtual appliance. Perform the options in the order in which they are displayed. For more information about the advanced options, see Using Command Line Interface Options.
You perform the same command line options when setting up a virtual appliance as you would when setting up a physical appliance.

Before You Begin

Before you begin to set up a virtual appliance you need the following:
- VMware ESXi server
   - A VMware ESXi server is required to set up a virtual appliance. You must know the ESXi server host name and IP address when setting up a virtual appliance.
- Registration Token
   - A registration token is required to set up a virtual appliance.
   - For more information, see Creating Registration Tokens.
- Virtual appliance file (.ova file)
   - A virtual appliance file (.ova file) is required to set up a virtual appliance using VMware.
   - For more information, see Downloading Virtual Appliances.

About Aruba Virtual Appliances

Aruba provides two virtual appliances for Aruba ClearPass Device Insight:
- Aruba Central Data Collector virtual appliance (small)
- Aruba Central Data Collector virtual appliance (medium)

Table 58: Virtual Appliance Specifications

Model              vCPU   Memory   Disk     NICs
DC1000V (Small)    8      16 GB    256 GB   4 ports (1 G management, DPI up to 100 Mbps)
DC2000V (Medium)   24     64 GB    480 GB   4 ports (1 G management, DPI up to 1 Gbps)

Setting Up Virtual Appliances Using the VMware ESXi Host Web Client

If you are using a proxy, configure the proxy prior to doing the registration. Additionally, it is recommended that you configure the time zone and network time protocol (NTP) prior to registration if you plan on changing them.

To set up a virtual appliance using the VMware ESXi Host Web Client:
1. Go to a web browser and enter the IP address for the VMware ESXi server.
2. Press Enter. The VMware ESXi Welcome window appears.
3. Click the Open the VMware Host Client link under Getting Started. The VMware ESXi Host Client Log In window appears.
4. Enter the User name and Password for the ESXi host server.
5. Click Log In.
6.
Click the Create/Register VM icon. The New virtual machine - Select creation type window appears.
7. Select Deploy a virtual machine from an OVF or OVA file for creation type.
8. Click Next. The New virtual machine - Select OVF and VMDK files window appears.
9. Enter the following:
   a. Enter a name for the virtual machine.
   b. Browse for the ova file and select it.
10. Click Next. The New virtual machine - Select storage window appears.
11. Select the datastore.
12. Click Next. The New virtual machine - Deployment options window appears.
13. Enter the following:
You need to assign a management network and optionally a data network to the virtual machine's network adaptors. A virtual machine has network adaptors 1 through 4 to which you can assign the management network, data network, and SPAN networks. You need to identify the network adaptor with the lowest MAC address and assign the management network to this network adaptor. If you have a separate data network, the network adaptor with the second lowest MAC address must be assigned to the data network. You can assign the rest of the network adaptors to the SPAN networks.
   a. Select the Network mapping for mgmt1.
   b. Select the Network mappings for data1, data2, and data3. Currently, Aruba ClearPass Device Insight supports one management network mapping and one data network mapping.
   c. Select the Disk provisioning option. Options are Thin or Thick. Thin appears by default.
   d. Click the Power on automatically check box to have the machine automatically power on. This check box appears selected by default.
14. Click Next. The New virtual machine - Additional settings window appears.
15. Click Next. The New virtual machine - Ready to complete window appears displaying the selections you made in the previous windows.
16. Click Finish. The creation of the virtual machine is initiated.
Under Recent tasks you can view the results of the new virtual machine tasks by monitoring the Result field status bar for each task. Wait until the Result field displays Completed successfully for each task. When this occurs you have created the virtual machine.
17. Select the new virtual machine that you just created in the upper region of the window and click the Console icon. The Collector CLI appears.
18. Configure the hostname for the appliance using Option 1 (Configure Hostname) on the Collector CLI.
19. Configure the network interfaces for the appliance using Option 2 (Configure Network) on the Collector CLI:
   - Configure the eth0 Ethernet interface.
   - (Optional) Configure the eth1 Ethernet interface.
20. Configure Domain Name System (DNS) for the appliance using Option 2 (Configure Network) on the Collector CLI.
21. Configure routes for the appliance using Option 2 (Configure Network) on the Collector CLI. You only need to configure routes if you have configured the eth1 Ethernet interface.
22. Test the connectivity of the appliance to the Cloud URL discovery server using Option 6 (Test Connectivity) on the Collector CLI.
23. Register the appliance using Option 3 (Register) on the Collector CLI.
24. Test the connectivity of the appliance to the Aruba cloud using Option 6 (Test Connectivity) on the Collector CLI.
25. Configure the proxy server using Option 4 (Configure Proxy) on the Collector CLI.
26. Change the time zone for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.
27. Configure the Network Time Protocol (NTP) server for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.

For more information about the different command line options, see Using Command Line Interface Options.

Setting Up Virtual Appliances Using the VMware vSphere Desktop Client for Windows

If you are using a proxy, configure the proxy prior to doing the registration.
Plus, it is recommended that you configure the time zone and network time protocol (NTP) prior to registration if you plan on changing them.

To set up a virtual appliance using the VMware vSphere Desktop Client for Windows:
1. Go to a web browser and enter the IP address for the VMware ESXi server.
2. Press Enter. The VMware ESXi Welcome window appears.
3. Click the Download vSphere Client for Windows link under Getting Started. The VMware vSphere Client Log In window appears.
4. Enter the User name and Password for the ESXi host server.
5. Click Login. The ESXi Host Details window appears.
6. Go to File > Deploy OVF Template. The Deploy OVF Template - Source window appears.
7. Click Browse and browse for the ova file and select it.
8. Click Next. The Deploy OVF Template - OVF Template Details window appears displaying the OVF template details.
9. Click Next. The Deploy OVF Template - Name and Location window appears.
10. In the Name field enter the name for the virtual appliance.
11. Click Next. The Deploy OVF Template - Disk Format window appears.
12. Enter the following:
   a. In the Datastore field enter the datastore.
   b. Select the disk format. Options are: Thick Provision Lazy Zeroed, Thick Provision Eager Zeroed, and Thin Provision. Thin Provision appears selected by default.
13. Click Next. The Deploy OVF Template - Network Mapping window appears.
14. Enter the following:
You need to assign a management network and optionally a data network to the virtual machine's network adaptors. A virtual machine has network adaptors 1 through 4 to which you can assign the management network, data network, and SPAN networks. You need to identify the network adaptor with the lowest MAC address and assign the management network to this network adaptor.
If you have a separate data network, the network adaptor with the second lowest MAC address must be assigned to the data network. You can assign the rest of the network adaptors to the SPAN networks.
   a. Select the Destination Network for mgmt1.
   b. Select the Destination Networks for data1, data2, and data3. Currently, Aruba ClearPass Device Insight supports one management destination network and one data destination network.
15. Click Next. The Deploy OVF Template - Ready to Complete window appears.
16. Review the settings and select the Power on after deployment check box to have the machine automatically power on. The Power on after deployment check box appears selected by default.
17. Click Finish. The creation of the virtual machine is initiated. A dialog box appears displaying the status of the virtual machine creation. After the virtual machine is created, it is listed in the ESXi Host Details window.
18. Select the virtual machine on the ESXi Host Details window and then select the Console tab. The Collector CLI appears.
19. Configure the hostname for the appliance using Option 1 (Configure Hostname) on the Collector CLI.
20. Configure the network interfaces for the appliance using Option 2 (Configure Network) on the Collector CLI:
   - Configure the eth0 Ethernet interface.
   - (Optional) Configure the eth1 Ethernet interface.
21. Configure Domain Name System (DNS) for the appliance using Option 2 (Configure Network) on the Collector CLI.
22. Configure routes for the appliance using Option 2 (Configure Network) on the Collector CLI. You only need to configure routes if you have configured the eth1 Ethernet interface.
23. Test the connectivity of the appliance to the Cloud URL discovery server using Option 6 (Test Connectivity) on the Collector CLI.
24. Register the appliance using Option 3 (Register) on the Collector CLI.
25.
Test the connectivity of the appliance to the Aruba cloud using Option 6 (Test Connectivity) on the Collector CLI.
26. Configure the proxy server using Option 4 (Configure Proxy) on the Collector CLI.
27. Change the time zone for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.
28. Configure the Network Time Protocol (NTP) server for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.

For more information about the different command line options, see Using Command Line Interface Options.

Using Command Line Interface Options

This section describes how to use the different command line interface (CLI) options for an appliance. Several of these options are used when setting up a physical appliance or a virtual appliance. This section contains:
- Configuring Hostname
- Configuring Network
- Registering the Appliance
- Configuring Proxy Server
- Changing Time Zone and Configuring NTP Server
- Testing Appliance Connectivity
- Performing Advanced Options

Configuring Hostname

This section describes how to configure the hostname for an appliance and how to edit the hostname after it has been configured.

Configuring Hostname

To configure the hostname:
1. Go to the Collector CLI.
2. In the Enter option field, enter 1 (Configure Hostname) and press Enter.
3. In the New hostname field, enter the hostname and press Enter. The hostname must start with a letter and can contain letters, numbers, and a hyphen "-". It cannot contain any other special characters. A message is displayed stating that the hostname has been changed successfully.
4. Press Enter.

Editing Configured Hostname

This option is available only after you have configured the hostname. To edit the configured hostname:
1. Go to the Collector CLI.
2. In the Enter option field, enter 1 (Configure Hostname) and press Enter.
3. In the Enter option field, enter 1 (Edit Hostname) and press Enter.
4.
In the New hostname field, enter the hostname and press Enter. The hostname must start with a letter and can contain letters, numbers, and a hyphen "-". It cannot contain any other special characters. A message is displayed stating that the hostname has been changed successfully.
5. Press Enter.

Configuring Network

This section describes how to configure the network interfaces, Domain Name System, and routes for the appliance and how to show the interfaces information for the appliance.

Configuring Network Interfaces

To configure network interfaces:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 1 (Configure Network Interfaces) and press Enter.
4. In the Enter option field, enter 0 (eth0) and press Enter. You must configure the eth0 (management) Ethernet interface. Configuring the eth1 (data) Ethernet interface is optional. The MAC Address is displayed in brackets next to eth0 and eth1.
5. In the Enter IP Address field, enter the IP address for the appliance and press Enter.
6. In the Enter Subnet mask field, enter the subnet mask for the appliance and press Enter.
7. In the Enter Gateway field, enter the gateway address for the appliance and press Enter.
8. (Optional) Configure the second Ethernet interface (eth1). Repeat steps 4 through 7 above except in step 4 enter 1 (eth1).
9. In the Enter option field, enter b (Back to Previous Menu) and press Enter.
10. Press Enter.
11. In the Enter option field, enter m (Main Menu) and press Enter.

Configuring DNS

To configure Domain Name System (DNS):
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 2 (Configure DNS) and press Enter.
4. In the Enter DNS field, enter the DNS address for the appliance and press Enter.
5. (Optional) In the Enter Secondary DNS field, enter the secondary DNS address for the appliance and press Enter.
Otherwise, press Enter to proceed without entering a secondary DNS address.
6. Press Enter.
7. In the Enter option field, enter m (Main Menu) and press Enter.

Configuring Routes

You only need to configure routes if you have configured Ethernet interface eth1. Routes do not apply to Ethernet interface eth0.

Listing All Routes

To list all routes:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 3 (Configure Routes) and press Enter.
4. In the Enter option field, enter 1 (List all routes) and press Enter. All of the routes are displayed.
5. Enter b (Back to Previous Menu) and press Enter.
6. Press Enter.
7. In the Enter option field, enter m (Main Menu) and press Enter.

Adding a Route Via eth1

To add a route through eth1:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 3 (Configure Routes) and press Enter.
4. In the Enter option field, enter 2 (Add a route via eth1) and press Enter.
5. In the Enter destination IP Address field, enter the IP address of the node that needs to connect to the eth1 interface and press Enter. The route is created. The system assigns a sequential index number to the route. You can view the index number assigned to the route by using Option 1 - List all routes.
6. Enter b (Back to Previous Menu) and press Enter.
7. Press Enter.
8. In the Enter option field, enter m (Main Menu) and press Enter.

Deleting a Route Via eth1

To delete a route through eth1:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 3 (Configure Routes) and press Enter.
4. In the Enter option field, enter 3 (Delete a route via eth1) and press Enter.
5. In the Enter index of route to be deleted field, enter the index number associated with the route to be deleted and press Enter.
6. Enter b (Back to Previous Menu) and press Enter.
7. Press Enter.
8. In the Enter option field, enter m (Main Menu) and press Enter.

Showing Interfaces Information

To show interfaces information:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 4 (Show Interfaces Info) and press Enter.
4. The information for both eth0 and eth1 network interfaces is displayed. The IP address, Netmask, Gateway, and MAC Address are displayed for each interface.
5. Press Enter.
6. In the Enter option field, enter m (Main Menu) and press Enter.

Registering the Appliance

To register the appliance:
1. Go to the Collector CLI.
2. In the Enter option field, enter 3 (Register) and press Enter.
3. In the Registration code field, enter the registration code and press Enter. The registration process is initiated. The registration process associates the appliance with your customer account. After the registration process completes, a message is displayed that the registration was successful. The appliance is now available to be formed into a data collector by installing an Aruba application on it. The appliance count that is displayed in the Create Collector card on the Data Collectors page is incremented by one. For information about creating a data collector, see Creating Data Collectors.
4. Press Enter.

Configuring Proxy Server

This section describes how to configure a proxy server, edit a proxy server configuration, and unconfigure a proxy server.

Configuring Proxy Server

To configure proxy server:
1. Go to the Collector CLI.
2. In the Enter option field, enter 4 (Configure Proxy) and press Enter.
3. In the Proxy Server URL/IP field, enter the URL or IP address for the proxy server and press Enter.
4. In the Proxy Server Port field, enter the port and press Enter. Otherwise, press Enter to accept the default port. 3128 appears as the default port.
5. In the Username field, enter the user name for the server and press Enter.
6. In the Password field, enter the password for the server and press Enter. A password cannot contain any special characters. A message is displayed stating the proxy server has been configured.
7. Press Enter.

Editing Proxy Configuration

This option is available only after you have configured a proxy server.

To edit proxy configuration:
1. Go to the Collector CLI.
2. In the Enter option field, enter 4 (Configure Proxy) and press Enter.
3. In the Enter option field, enter 1 (Edit Proxy Configuration) and press Enter.
4. In the Proxy Server URL/IP field, enter the URL or IP address for the proxy server and press Enter.
5. In the Proxy Server Port field, enter the port and press Enter. Otherwise, press Enter to accept the default port. 3128 appears as the default port.
6. In the Username field, enter the user name for the server and press Enter.
7. In the Password field, enter the password for the server and press Enter. A password cannot contain any special characters. A message is displayed stating the proxy server has been configured.
8. Press Enter.

Unconfiguring Proxy Configuration

This option is available only after you have configured a proxy server.

To unconfigure proxy configuration:
1. Go to the Collector CLI.
2. In the Enter option field, enter 4 (Configure Proxy) and press Enter.
3. In the Enter option field, enter 2 (Unconfigure Proxy) and press Enter. A message is displayed stating the proxy server is being disabled.
4. Press Enter.

Changing Time Zone and Configuring NTP Server

This section describes how to change the time zone and how to configure the NTP server.

Changing Time Zone

To change the time zone:
1. Go to the Collector CLI.
2. In the Enter option field, enter 5 (Change Timezone/NTP) and press Enter.
3. In the Enter option field, enter 1 (Change Timezone) and press Enter.
The following regions are displayed:
    1 - Africa
    2 - America
    3 - Antarctica
    4 - Arctic
    5 - Asia
    6 - Atlantic
    7 - Australia
    8 - Europe
    9 - Indian
    10 - Pacific
    11 - UTC
4. In the Select region field, enter the number for the region and press Enter. For example, to select the Pacific region enter 10. The time zones for the region you selected are displayed.
5. In the Select timezone field, enter the number for the time zone and press Enter. A message is displayed that the time zone was configured. Press Enter.
6. In the Enter option field, enter m (Main Menu) and press Enter.

Configuring NTP Server

To configure Network Time Protocol (NTP) server:
1. Go to the Collector CLI.
2. In the Enter option field, enter 5 (Change Timezone/NTP) and press Enter.
3. In the Enter option field, enter 2 (Configure NTP) and press Enter.
4. In the NTP Server field, enter the NTP server hostname and press Enter. A message is displayed that the NTP server has been configured.
5. Press Enter.
6. In the Enter option field, enter m (Main Menu) and press Enter.

Testing Appliance Connectivity

This section describes how to test the appliance's connectivity to the Aruba cloud and to another host.

Testing Aruba Cloud Reachability

To test Aruba cloud reachability:
1. Go to the Collector CLI.
2. In the Enter option field, enter 6 (Test Connectivity) and press Enter.
3. In the Enter option field, enter 1 (Test Aruba Cloud reachability) and press Enter. This process performs two connectivity tests. The first test checks whether the appliance can reach the Cloud URL discovery server. You perform this test before you register the appliance. The second test checks whether the appliance can reach the Aruba cloud. You perform this test after you register the appliance.
When you perform this process before registration, the following messages are displayed:
    Testing reachability to Cloud URL discovery server ...
    Cloud URL discovery server reachable
    Aruba Cloud URL is not set. Please activate the node.
When you perform this process after registration, the following messages are displayed:
    Testing reachability to Cloud URL discovery server ...
    Cloud URL discovery server reachable
    Testing cloud reachability.....
    Aruba cloud is reachable
4. Press Enter.

Testing Connectivity to Another Host

To test connectivity to another host:
1. Go to the Collector CLI.
2. In the Enter option field, enter 6 (Test Connectivity) and press Enter.
3. In the Enter option field, enter 2 (Test connectivity to another host (using PING)) and press Enter.
4. In the Type host address field, enter the host address you want to reach and press Enter. A message is displayed indicating whether the host is reachable or not.
5. Press Enter.

Performing Advanced Options

This section describes how to complete advanced tasks for appliances such as changing the password, enabling support access, and resetting the factory settings.

Rebooting or Shutting Down

Rebooting

To reboot:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 1 (Reboot/Shutdown) and press Enter.
4. In the Enter option field, enter 1 (Reboot) and press Enter.
5. At the prompt, Are you sure you want to reboot the node? enter y and press Enter. The appliance is rebooted.

Shutting Down

To shut down:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 1 (Reboot/Shutdown) and press Enter.
4. In the Enter option field, enter 2 (Shutdown) and press Enter.
5. At the prompt, Are you sure you want to shutdown the node? enter y and press Enter. The appliance is shut down.

Changing Password

To change password:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 2 (Change password) and press Enter.
4. At the prompt, Are you sure you want to change the password? enter y and press Enter.
5. In the Enter new UNIX password field, enter the new password and press Enter.
6. In the Retype new UNIX password field, re-enter the new password and press Enter. A message is displayed that the password has been updated successfully.
7. Press Enter.
8. In the Enter option field, enter m (Main Menu) and press Enter.

Enabling Support Access

Enabling support access provides a way for Aruba customer support to access the collector remotely for any troubleshooting. This requires both enabling support access on the collector and providing consent in Aruba Central.

Enabling Support Access on the Collector

To enable support access on the collector:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 3 (Enable support access) and press Enter.
4. In the Select an option field, enter 1 (Enable support access) and press Enter.
5. In the Allow access for user field, enter the email address for the Aruba Technical Assistance Center (TAC) support contact for whom you wish to enable access and press Enter. An Access Token is generated and is displayed.
6. Send that Access Token to the Aruba TAC support contact through email or when speaking with them over the phone. The TAC support contact takes that access token and generates a decoded password. From there they can access the appliance remotely using an application such as Webex or Remote Control Service (RCS).
7. Press Enter.
8. In the Enter option field, enter m (Main Menu) and press Enter.

Providing Consent in Aruba Central

To provide consent in Aruba Central:
1. Go to Aruba Central (if you are in the Analyzer portal, there is an option on the top right to switch to Aruba Central).
2. Go to User Management.
3. In the Actions drop down located in the top right, select Enable Support Access. A popup appears.
4. Toggle the Enable Support Access option and enable it.
5. Select Get Password. The password is not needed and can be ignored for the purpose of accessing the collector.

Disabling Support Access

The support access, once enabled, remains until it is disabled. For security reasons it is recommended that you disable the access once it is no longer required by Aruba customer support.

To disable support access:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 3 (Enable support access) and press Enter.
4. In the Select an option field, enter 2 (Disable support access) and press Enter.
5. Press Enter.

Transferring Logs Through SCP

When troubleshooting an issue, you may want to transfer the logs that have been generated from the appliance. For this transfer to occur you need to have a Linux server that is Secure Shell (SSH) enabled.

To transfer logs through SCP:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 4 (Transfer logs through SCP) and press Enter.
4. In the SCP server configuration field, enter the hostname and IP address for the server and press Enter. Before the logs are transferred they are compressed. On the Collector CLI the status of the compression is displayed. 100% is displayed after compression is complete.
5. In the server password field, enter the password for the server and press Enter. A tar file is created for the logs. The date and time when the tar file was created is a part of the name of the file. For example, if a tar file is named (ISO-38-41-PH_logs_11021729.tar.gz) the date and time it was created is November 2 at 17:29. The time zone reflected is the appliance time zone where the tar file was created.
6. Press Enter.

Resetting Factory Settings

This option applies only to physical appliances.

To reset factory settings:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 5 (Factory Reset) and press Enter.
4. At the prompt, Are you sure you want to do a factory reset? enter y and press Enter. The appliance is reset to the state it was in when it came from the factory and then the appliance reboots. To use the appliance, perform the appliance setup process again. For more information, see Setting Up Physical Appliances.
5. Press Enter.

Creating Data Collectors

Before You Begin

Before you can create a data collector, you must have already successfully set up a physical appliance or virtual appliance. For information, see Setting Up Appliances.

ClearPass Device Insight Requirements

This topic lists the ClearPass Device Insight requirements.

Network Requirements for CPDI Collector

The network requirements for CPDI collector include:
- Static IP address
- Outbound Internet Access on TCP port 443
- Optional: Proxy Server

Network Services (Internal or External) from the collector

The network services (internal or external) requirements from the data collector include:
- TCP/UDP 53 (DNS)
- UDP 123 (NTP)

Recommended access to network devices from the collector

The recommended access to network devices from the collector includes UDP 161: SNMP (V1 through 3, but 3 is preferred).

Recommended access from the network devices to the collector

The recommended access from the network devices to the collector includes:
- UDP 67: DHCP for the ip-helpers / DHCP relays
- When used: Netflow or IPFix

Recommended access to endpoints from the collector

The recommended access to endpoints from the collector includes:
- TCP, UDP, ICMP - For nmap profiling and WMI profiling
- TCP:22 - For SSH scans
- UDP:161 - For SNMP scans

Creating Data Collectors

To create a data collector:
1. Go to the Account Home page.
2. Under Global Settings, click Data Collectors.
3. If no data collectors have been created, the Get Started dialog is displayed. Otherwise, the Data Collectors page is displayed.
4. The number of appliances that are available to form new data collectors is displayed in the Get Started dialog and in the Create Collector card of the Data Collectors page.
5. Click Create Collector in the Get Started dialog or the Create Collector card in the Data Collectors page. The Create Collector dialog is displayed. The Create Collector dialog can also be accessed by clicking the Create Collector button within the Managed Collectors card - List view.
6. In the Give collector a name field, enter a name for the data collector.
7. Select the application you want to install on the data collector. Applications include ClearPass Device Insight.
8. Click Next. All of the appliances that are available to become data collectors are listed in a grid. The appliance Name, IP Address, and Model are displayed.
9. Select the row in the grid for the appliance you want to become the data collector.
10. Click Create. The application you previously selected is installed on the appliance and the data collector is created. You can manage this data collector using the Managed Collectors card. In addition, the data collector is now available for use by the application that was installed on the data collector.

For more information, see About Data Collectors Page.

Viewing Data Collectors

Using the Data Collectors page you can view managed data collectors in the Managed Collectors card and view the unmanaged data collectors that are connected or not connected in the Other Collectors card.

Viewing Managed Data Collectors

To view managed data collectors:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors.
The Data Collectors page opens, displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. (Optional) Click the down arrow in the Managed Collectors card heading and select By Apps, to view the data collectors by applications.
4. (Optional) Click the down arrow in the Managed Collectors card heading and select By Update, to view the data collectors by update status.
5. Click the View Grid icon to view more details for the data collectors. The Managed Collectors - List view opens, displaying all of the data collectors in a grid format.
6. Expand a row in the grid to view additional details for a specific data collector. The row is expanded displaying an Overview tab and a Performance tab. View the data collector overview information in the Overview tab. View the data collector performance information in the Performance tab.

For more information, see About Data Collectors Page.

Viewing Unmanaged Data Collectors

To view unmanaged data collectors:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page is displayed.
3. Click the Connected number in the Others card to view the connected unmanaged data collectors. The Other Collectors dialog opens, displaying the connected data collectors in a grid format. The following table describes the information that is displayed in the grid:

Table 59: Other Collectors Dialog

| Field | Description |
|---|---|
| Name | Data collector name. |
| Status | Status of the data collector. Connected is displayed for data collectors that are connected. |
| Address | IP address for the data collector. |

4. Click the Not Connected number in Others card to view the unmanaged data collectors that are not connected. The Other Collectors dialog opens, displaying the data collectors that are not connected in a grid format. The following table describes the information that is displayed in the grid:

Table 60: Other Collectors Dialog

| Field | Description |
|---|---|
| Name | Data collector name. |
| Status | Status of the data collector. Not Connected is displayed for data collectors that are not connected. |
| Address | IP address for the data collector. |

For more information, see About Data Collectors Page.

Updating Data Collectors

Setting the Data Collectors Global Auto-Update Preference

To set the data collectors global auto-update preference:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page opens, displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. Click the down arrow in the Managed Collectors card heading and select By Update. The Managed Collectors card displays the data collectors by update status. In the lower right-hand corner of the card, an Auto-Update field displays the current global setting for the data collector auto-update preference. As soon as available is displayed by default in this field.
4. Click the Auto-Update field. The Collector Update dialog opens displaying the data collector update options.
5. Select when you want to install the updates for all data collectors. Options are:
- Apply Instantly: All data collectors will be updated as soon as a new version is available.
- Apply on specific time: All data collectors will be updated at the day and time that you set when a new version is available. When you select this option, a Day field and Time field are displayed. Click the down arrow next to the Day field and select the day. Day options are: Monday through Sunday. Click the up and down arrows in the Time field and select the time.
You can also update one or more data collectors earlier than what you have specified with the auto-update option, by clicking the Update All button or Update Now button on the Managed Collectors card - List view. For more information, see Manually Updating All Data Collectors and Manually Updating a Specific Data Collector.
6. Click Save.

Manually Updating All Data Collectors

To manually update all data collectors:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page opens displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. Click the down arrow in the Managed Collectors card heading and select By Update. The Managed Collectors card displays the data collectors by update status. In the lower right-hand corner of the card, an Auto-Update field displays the current setting for the data collector global auto-update preference.
4. Click the Grid View icon in the upper right corner of the Managed Collectors card. The Managed Collectors card - List view opens displaying all of the data collectors in a grid format. The List view lists the data collectors that are currently represented in the Dashboard view. If an update is available for one or more data collectors, the Update All button is available at the top of the List view.
5. Click Update All. All of the data collectors are updated.

Manually Updating a Specific Data Collector

To update a specific data collector:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page opens displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. Click the down arrow in the Managed Collectors card heading and select By Update. The Managed Collectors card displays the data collectors by update status. In the lower right-hand corner of the card, an Auto-Update field displays the current setting for the data collector global auto-update preference.
4. Click the Grid View icon in the upper right corner of the Managed Collectors card. The Managed Collectors card - List view opens displaying all of the data collectors in a grid format.
The List view lists the data collectors that are currently represented in the Dashboard view. If an update is available for one or more data collectors, Update available is displayed in the Update Status for those data collectors in the grid.
5. Expand the row in the grid for the individual data collector that you want to update. The row expands displaying the additional overview details for that specific data collector. In the lower portion of the expanded row, the update version is displayed in the Version field and the Update Now button is available.
6. Click Update Now. The data collector is updated.

Deleting Data Collectors

To delete a data collector:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page opens, displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. Click the Grid View icon in the upper right corner of the Managed Collectors card. The Managed Collectors card - List view opens, displaying all of the data collectors in a grid format. The List view lists the data collectors that are currently represented in the Dashboard view.
4. Hover over the row in the grid for the data collector that you want to delete. The Delete icon is displayed to the right of Applications.
5. Click the Delete icon. The Delete Collector dialog opens asking if you are sure you want to delete the data collector.
6. Click Delete. The Aruba application running on the collector is uninstalled from the collector. The appliance is freed up and can be used for creating another data collector in the future. For more information about creating a data collector, see Creating Data Collectors.

Streaming API

Streaming API allows customers to subscribe to a select set of services instead of polling the NB API to get an aggregated state or statistics of the events.
For example, with Streaming API, customers can get notifications about the following types of events:
- The UP and DOWN status of the devices
- Change in location of stations

For a complete list of supported services, see Supported Services. With Streaming API, users can write value-added applications based on the aggregated context.

- Streaming API service in Aruba Central is enabled if one of the devices in the account has an Advanced License. If the account has only Foundation License, the Streaming API tab is not displayed in Aruba Central. For more information about the streaming API feature in the Aruba Central licensing model, see Aruba Central Licensing Guide.
- Streaming API service is not supported at MSP level.

Supported Services

Streaming API supports the following services:
- Audit--The Audit messages are sent to notify events like device connectivity, configuration status, and firmware status.
- AppRF--AppRF stream is the flow of all the client sessions. For each connected device (IAP/BGW), it lists the client's web session information for the past 14/15 minutes (IP, Rx/Tx, Timestamp, etc.).
- Monitoring--The monitoring streaming event is generated for state message (on state change) and stats message (received every 5 minutes).
- Presence--The Presence events are sent to provide details of all associated and unassociated clients detected by Instant AP devices.
- Location--A location event is generated when the location of a client is computed using RSSI values reported by IAPs. The event message includes co-ordinates of the client on the VisualRF floorplan.
- Security--The Security streaming event is generated when the IAPs have enabled Intrusion Detection. This feed contains all the IDS detections reported by the IAPs in the network.

Viewing the Streaming API Page

Perform the following steps to view the Streaming API page:
1. Log in to Account Home.
2. Under Global Settings, click the Webhooks menu option.
3. Click the Streaming tab.
The following is an illustration of the Streaming API page:

Figure 42 View of the Streaming API Page

The parameters in the page are described in the following table. Refer to the callout numbers.

Table 61: Parameters of the Streaming API Page

| Callout | Parameter | Description |
|---|---|---|
| 1 | API Topic | A list of available topics for streaming APIs. To receive streaming events from a topic, subscribe to the specific topic. |
| 2 | Subscribe | Enables Aruba Central to stream events for a specific topic when this box is enabled. |
| 3 | Protobuf Definition | Definition of the specific topic. All WebSocket response messages are encapsulated in a protocol buffer, the format of which you can download. |
| 4 | Key | Access token for establishing a WebSocket connection. |
| 5 | Endpoint | WebSocket endpoint address for the Aruba Central instance. |
| 6 | Streaming Protobuf Definition | The protocol buffer in which all the incoming streaming messages are encapsulated. This protobuf is further used to identify the topic of the message received and decode the topic-specific protobuf message. |

Subscribing to a Streaming API Topic

- Only Aruba Central admin users can subscribe to, or unsubscribe from, a topic.
- If a live WebSocket connection breaks, reconnect the connection.

To subscribe to a streaming API topic:
1. In the Account Home page, under Global Settings, click Webhooks. The Webhooks page is displayed.
2. In the Webhooks page, click the Streaming tab. The Streaming page is displayed.
3. In the Streaming APIs table, select the check box corresponding to the topic that you want to subscribe to. To unsubscribe from a topic, clear the corresponding check box.
4. In the Webhooks > Streaming page, the following details are displayed:
- Key--Access token. The token comes with a validity of seven days after which a new token needs to be generated.
- Endpoint--WebSocket endpoint.
- Streaming Protobuf Definition--Allows you to download the Streaming protocol buffer definition.
Use the WebSocket endpoint and access token to establish a WebSocket connection and start streaming data for the topics you have subscribed to.

Downloading Protobuf Definition for a Streaming API topic

To download the protobuf definition, complete the following steps:
1. In the Streaming APIs table, click the Download button corresponding to the protobuf definition for the topic to which you have subscribed.

The following topics are available for download:
- Apprf--Protocol buffer specification of the AppRF topic.
- Audit--Protocol buffer specification of the Audit topic.
- Monitoring--Protocol buffer specification of the Monitoring topic.
- Presence--Protocol buffer specification of the Presence topic.
- Location--Protocol buffer specification of the Location topic.
- Security--Protocol buffer specification of the Security topic.

Retrieving a New Token

The access token comes with a validity of seven days after which a new token needs to be generated. You can retrieve the token either directly from the UI or by using the API.
1. To retrieve the new access token from the Aruba Central UI, complete the following steps:
   a. In the Account Home page, under Global Settings, click Webhooks > Streaming tab. The Streaming page is displayed.
   b. You can retrieve the valid token from the Key field. The token gets refreshed automatically after seven days of its generation.
2. To retrieve the new access token from the API, here are the details required:
- API--https://<central-host>/streaming/token/validate
- Method--GET
- Authorization--Enter the current token
The API returns the same token if the old token has not expired, or a new token if the old token has expired.

Enabling Data Streaming From a Topic

Complete the following steps to receive streaming events from Aruba Central:
1. Create a WebSocket connection: wss://<central-host>/streaming/api
2. Set the following additional headers:
- UserName--Username of the admin. This is an optional header.
- Authorization--Access token. For more information about how to generate the key, see Subscribing to a Streaming API Topic.
- Topic--Value of the topic to which you have subscribed. The value should be one of the following:
    - apprf
    - monitoring
    - audit
    - presence
    - location
    - security
3. Start the read loop to read the events. The payload is a protocol buffer message.

Decoding WebSocket Response Messages

All WebSocket response messages are encapsulated in a protocol buffer. When a message is received, use the subject (topic) to identify the message and invoke an appropriate message processor. To decode the message, refer to the protocol buffer specification of the respective topic. The format is as follows:

    message MsgProto {
        string subject = 2;      // subject
        bytes data = 3;          // payload
        int64 timestamp = 4;     // received timestamp
        string customer_id = 5;  // customer id to which this data belongs
        string msp_id = 6;       // optional field indicating the msp_id
    }

API Gateway

The API Gateway feature in Aruba Central supports the REST API for all Aruba Central services. This feature allows Aruba Central users to write custom applications, embed, or integrate the APIs with their own applications. The REST APIs support HTTP GET and POST operations by providing a specific URL for each query. The output for these operations is returned in the JSON format.

For secure access to the APIs, the Aruba Central API Framework plug-in supports OAuth protocol for authentication and authorization. The access tokens provide temporary and secure access to the APIs. The access tokens have a limited lifetime for security reasons and the applications should use the refresh API to obtain new tokens periodically (every 2 hours).

The API call volume is rate-limited to seven (7) calls per second, per customer.
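For the MsgProto envelope shown under Decoding WebSocket Response Messages, the following added example (not code from Aruba or from this guide) decodes the envelope's five fields straight from the protobuf wire format with the Python standard library, bounds-checks every read, and routes the frame by subject. It assumes the subject carries one of the topic values listed for the Topic header; MAX_FRAME, the handler map, the encoder helpers and the sample frame are constructed for illustration.

```python
"""MsgProto envelope decoding and topic routing (added example, stdlib only)."""
from dataclasses import dataclass

# Topic values the page lists for the Topic header.
ALLOWED_TOPICS = {"apprf", "monitoring", "audit", "presence", "location", "security"}
MAX_FRAME = 1 << 20  # assumption: local cap on frame size, not a documented limit


class EnvelopeError(ValueError):
    """The frame is not a well-formed MsgProto envelope."""


@dataclass
class Envelope:
    subject: str = ""
    data: bytes = b""
    timestamp: int = 0
    customer_id: str = ""
    msp_id: str = ""


def read_varint(buf, pos):
    """Return (value, next_pos) for the base-128 varint starting at pos."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift >= 70:  # truncated, or longer than 10 bytes
            raise EnvelopeError("bad varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value & 0xFFFFFFFFFFFFFFFF, pos
        shift += 7


def parse_envelope(frame):
    """Decode one binary frame into an Envelope, bounds-checking every read."""
    if len(frame) > MAX_FRAME:
        raise EnvelopeError("frame too large")
    env, pos = Envelope(), 0
    strings = {2: "subject", 5: "customer_id", 6: "msp_id"}
    while pos < len(frame):
        key, pos = read_varint(frame, pos)
        field, wire = key >> 3, key & 7
        if wire == 0:  # varint
            value, pos = read_varint(frame, pos)
            if field == 4:  # int64 timestamp: reinterpret as signed
                env.timestamp = value - (1 << 64) if value >> 63 else value
        elif wire == 2:  # length-delimited: string or bytes
            size, pos = read_varint(frame, pos)
            if size > len(frame) - pos:
                raise EnvelopeError("field overruns frame")
            chunk, pos = frame[pos:pos + size], pos + size
            if field == 3:
                env.data = chunk  # topic-specific protobuf, left undecoded here
            elif field in strings:
                try:
                    setattr(env, strings[field], chunk.decode("utf-8"))
                except UnicodeDecodeError as exc:
                    raise EnvelopeError("string field is not UTF-8") from exc
        elif wire in (1, 5):  # fixed64 / fixed32 can only be unknown fields: skip
            pos += 8 if wire == 1 else 4
            if pos > len(frame):
                raise EnvelopeError("fixed-width field overruns frame")
        else:
            raise EnvelopeError("unsupported wire type %d" % wire)
    return env


def route(frame, handlers):
    """Parse a frame and pass it to the handler registered for its subject."""
    env = parse_envelope(frame)
    topic = env.subject.lower()
    # Assumption: the subject carries the topic name used in the Topic header.
    if topic not in ALLOWED_TOPICS or topic not in handlers:
        raise EnvelopeError("unexpected subject %r" % env.subject)
    return topic, handlers[topic](env)


# --- constructed sample input, not captured from a real Aruba Central stream ---
def enc_varint(n):
    out = bytearray()
    while True:
        n, low = n >> 7, n & 0x7F
        out.append(low | (0x80 if n else 0))
        if not n:
            return bytes(out)


def enc_field(number, payload):
    return enc_varint(number << 3 | 2) + enc_varint(len(payload)) + payload


SAMPLE_FRAME = (enc_field(2, b"security") + enc_field(3, b"\x0a\x03ids")
                + enc_varint(4 << 3) + enc_varint(1648166400)
                + enc_field(5, b"example-customer-id"))

if __name__ == "__main__":
    print(route(SAMPLE_FRAME, {"security": lambda env: len(env.data)}))
```

In a real client, each handler would decode env.data with the topic-specific protobuf definition downloaded from the Streaming page.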
The following figure illustrates the API gateway workflow for the users:

This section includes the following topics:
- Accessing API Gateway
- Viewing Swagger Interface
- List of Supported APIs

Accessing API Gateway

To access the API Gateway, complete the following steps:
1. In the Account Home page, under Global Settings, click API Gateway. The API Gateway page is displayed.

You can get new tokens and refresh old tokens. To obtain a new token application, you must set authentication parameters for a user session.

Figure 43 Account Home Page with API Gateway Option

Important Points to Note

- The admin user profile of MSP has a System Apps & Tokens tab, which displays all the apps and tokens generated locally in the admin user profile. This tab also displays all the apps created in the non-admin user profiles. Clicking these apps lists all the associated tokens created for the non-admin user profile.
- The Administrator role is specific to an app, and hence the administrator account related RBAC library APIs and decorators must contain the application name as one of the parameters in the access verification query.
- The decorators associated with Account Home, Network Operations, or ClearPass Device Insight must contain account_setting, central, or optik as app names respectively, as one of the parameters.

Viewing Swagger Interface

To view the APIs managed through Aruba Central, complete the following steps:
1. In the Account Home page, under Global Settings, click API Gateway. The API Gateway page with the list of published APIs is displayed.
2. To view the Swagger interface, click the link in the Documentation column next to the specific published API name. The documentation is displayed in a new window.

Figure 44 API Gateway Dashboard

List of Supported APIs

Aruba Central supports the following APIs for the managed devices.
Table 62: APIs and Description (API--Description)

- Monitoring--Gets network, client, and event details. It also allows you to manage labels and switches.
- Configuration--Allows you to configure and retrieve the following:
  - Groups
  - Templates
  - Devices
- AppRF--Gets Top N AppRF statistics.
- Guest--Gets visitor and session details of the portal.
- MSP--Allows you to manage and retrieve the following:
  - Customers
  - Users
  - Resources
  - Devices
  Aruba has enforced a request limit for the following APIs:
  - GET /msp_api/v1/customers
  - GET /msp_api/v1/customers/{customer_id}/devices
  - GET /msp_api/v1/devices
  - PUT /msp_api/v1/customers/{customer_id}/devices
  The maximum limit is set to 50 per API call. If you exceed this limit, the API call returns the HTTP error code 400 and the following error message: LIMIT_REQUEST_EXCEEDED.
- User Management--Allows you to manage users and also allows you to configure various types of users with a specific level of access control.
- Audit Event Logs--Gets a list of audit events and the details of an audit event.
- New Device Inventory--Gets device details and device statistics.
- New Licensing--Allows you to manage and retrieve subscription keys.
- Presence Analytics--Allows you to configure the Presence Analytics application. It also retrieves site and loyalty data.
- Device Management--Allows you to manage devices.
- Firmware--Allows you to manage firmware.
- Troubleshooting--Gets a list of troubleshooting commands for a specific type of device.
- Notification--Gets notification alerts generated for events pertaining to device provisioning, configuration, and user management.
- Unified Communications--Retrieves data for all sessions for a specific period of time. It also retrieves the total number of clients who made calls in the given time range and gets the Lync/Skype for Business URL for the Aruba Central cluster that you are using.
- Refresh API Token--Allows you to refresh the API token.
- Reporting--Gets the list of configured reports for the given customer ID.
- WAN Health--Allows you to do the following:
  - Get list of configured WAN health policies.
  - Create a new WAN health policy.
  - Delete an existing WAN health policy.
  - Get the details of any specific WAN health policy.
  - Update an existing WAN health policy.
  - Get policy schedule details.
  - Create a schedule for a WAN health policy.
  - Get statistics for WAN health cookie generated for a site.
  - Get WAN health test results.
  - Get WAN health test results for a specific site.
- Network Health--Allows you to get data for all the labels and sites.
- Webhook--Allows you to add or delete Webhooks, and get or refresh Webhook tokens. See Webhooks for further details on Webhook.
- VisualRF--Allows you to retrieve information on floor plans, location of APs, clients, and rogue devices.
- DPS Monitoring--Gets DPS compliance and session statistics for all the links of a device belonging to a specific policy.

For a complete list of APIs and the corresponding documentation, see https://app1-apigw.central.arubanetworks.com/swagger/central.

This section also includes the following topics:
- Domain URL
- Creating Application and Token
- Viewing and Revoking Tokens
- Obtaining Token Using Offline Token Mechanism
- Viewing Usage Statistics
- Changes to Aruba Central APIs

Domain URL

To access the API Gateway or generate tokens, you must use the appropriate domain URL.
The following table shows the region-specific domain URLs for accessing API Gateway:

Table 63: Domain URLs for API Gateway Access

| Region | Domain Name |
|---|---|
| US-1 | app1-apigw.central.arubanetworks.com |
| US-2 | apigw-prod2.central.arubanetworks.com |
| US-WEST-4 | apigw-uswest4.central.arubanetworks.com |
| EU-1 | eu-apigw.central.arubanetworks.com |
| EU-3 | apigw-eucentral3.central.arubanetworks.com |
| Canada-1 | apigw-ca.central.arubanetworks.com |
| China-1 | apigw.central.arubanetworks.com.cn |
| APAC-1 | api-ap.central.arubanetworks.com |
| APAC-EAST1 | apigw-apaceast.central.arubanetworks.com |
| APAC-SOUTH1 | apigw-apacsouth.central.arubanetworks.com |

Creating Application and Token

To create an application, complete the following steps:

1. In the Account Home page, under Global Settings, click API Gateway. The API Gateway page is displayed.

Figure 45 API Gateway Dashboard

2. Click the My Apps & Tokens tab.
   The admin user can create new apps for all the non-admin users by clicking + Add Apps & Tokens in the System Apps & Tokens tab.
3. Click + Add Apps & Tokens.

Figure 46 Add Apps and Tokens Option Page

4. In the New Token pop-up window, do the following:
   a. Enter the application name. In a non-admin user profile, the Application Name field contains the logged-in user name and is non-editable.
   b. In the Redirect URI field, enter the redirect URL.
   c. From the Application drop-down list, select the application.
   d. Click Generate. A new application is created and added to the My Apps & Tokens table.

The My Apps & Tokens table displays the following details:
- Name--Name of the application. In a non-admin user profile, the Application Name field contains the logged-in user name and is non-editable. Any new token generated in a non-admin user profile is associated with the same application name.
- Client ID--Unique ID for each application.
- Client Secret--Unique secret ID for each application.
- Redirect URI--Redirect URL.
- Application--Name of the application. For example, Network Operations.
- Tokens--Token created for the application. The option is available to the admin user profile only.
- Created At--Date on which the application was created.

To delete an added application, click the delete icon on the row corresponding to that application and click Yes.

Only admin users can generate tokens with multiple application names. In a non-admin user profile, the Application Name field contains the user name and is non-editable. Any new token generated in a non-admin user profile is associated with the same application name. However, all the multiple application names and the associated tokens in non-admin user profiles from the earlier versions are retained in the Token List table.

Using OAuth 2.0 for Authentication

For secure access to the APIs, the Aruba Central API Framework plug-in supports the OAuth protocol for authentication and authorization. OAuth 2.0 is a simple and secure authorization framework. It allows applications to acquire an access token for Aruba Central through a variety of workflows supported within the OAuth 2.0 specification.

All OAuth 2.0 requests must use the SSL endpoint available at https://app1-apigw.central.arubanetworks.com.

Access and Refresh Tokens

The access token is a string that identifies a user, app, or web page and is used by the app to access an API. Access tokens provide temporary and secure access to the APIs and have a limited lifetime. If the application uses web server or user-agent OAuth authentication flows, a refresh token is provided during authorization that can be used to get a new access token.

If you are writing a long-running application (web app) or a native mobile application, you should refresh the token periodically. For more information, see Refreshing a token.
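One way a long-running application can handle the token lifetime described above, as an added example that is not Aruba's code: it renews the access token through the /oauth2/token refresh call documented in this guide, honours the one-refresh-per-15-minutes limit, only talks to hosts from Table 63, and masks the secrets that the documented API carries in the query string before a URL is logged. The transport callable, the five-minute renewal margin, and all sample values are assumptions made for illustration.

```python
"""Access-token lifecycle for the API Gateway (added example, not Aruba code)."""
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Region hosts copied from Table 63 of this guide.
GATEWAY_HOSTS = {
    "app1-apigw.central.arubanetworks.com",
    "apigw-prod2.central.arubanetworks.com",
    "apigw-uswest4.central.arubanetworks.com",
    "eu-apigw.central.arubanetworks.com",
    "apigw-eucentral3.central.arubanetworks.com",
    "apigw-ca.central.arubanetworks.com",
    "apigw.central.arubanetworks.com.cn",
    "api-ap.central.arubanetworks.com",
    "apigw-apaceast.central.arubanetworks.com",
    "apigw-apacsouth.central.arubanetworks.com",
}
MIN_REFRESH_INTERVAL = 15 * 60  # the guide allows one refresh per 15 minutes
REFRESH_MARGIN = 5 * 60         # assumption: renew 5 minutes before expiry
SECRET_PARAMS = {"client_secret", "refresh_token", "code"}


def redact(url):
    """Mask credential-bearing query parameters before a URL is logged."""
    parts = urlsplit(url)
    query = [(k, "***" if k in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="*")))


class TokenManager:
    """Keeps one access/refresh token pair current.

    transport is a hypothetical callable(method, url) -> dict that performs
    the HTTPS request and returns the parsed JSON response.
    """

    def __init__(self, host, client_id, client_secret, token, transport,
                 clock=time.time):
        if host not in GATEWAY_HOSTS:
            raise ValueError(f"{host!r} is not an API Gateway host from Table 63")
        self._token_url = f"https://{host}/oauth2/token"
        self._client_id, self._client_secret = client_id, client_secret
        self._transport, self._clock = transport, clock
        self._last_refresh = None
        self._store(token)

    def _store(self, token):
        if token.get("token_type", "").lower() != "bearer":
            raise ValueError("only bearer tokens are supported")
        self._access = token["access_token"]
        self._refresh = token["refresh_token"]  # replace the old refresh token
        self._expires_at = self._clock() + int(token["expires_in"])

    def refresh_url(self):
        query = urlencode({"client_id": self._client_id,
                           "client_secret": self._client_secret,
                           "grant_type": "refresh_token",
                           "refresh_token": self._refresh})
        return f"{self._token_url}?{query}"

    def auth_header(self):
        """Return the Authorization header, refreshing first when due."""
        now = self._clock()
        due = now >= self._expires_at - REFRESH_MARGIN
        allowed = (self._last_refresh is None
                   or now - self._last_refresh >= MIN_REFRESH_INTERVAL)
        if due and allowed:
            self._store(self._transport("POST", self.refresh_url()))
            self._last_refresh = now
        if self._clock() >= self._expires_at:
            raise RuntimeError("access token expired; refresh not yet permitted")
        return {"Authorization": f"Bearer {self._access}"}


def demo():
    """Constructed scenario: fake clock and fake gateway, no network access."""
    now, logged = [0.0], []

    def fake_gateway(method, url):
        logged.append(redact(url))  # only the redacted form is ever recorded
        n = len(logged)
        return {"refresh_token": f"rt-{n}", "token_type": "bearer",
                "access_token": f"a{n}", "expires_in": 7200}

    initial = {"refresh_token": "rt-0", "token_type": "bearer",
               "access_token": "a0", "expires_in": 7200}
    manager = TokenManager("app1-apigw.central.arubanetworks.com", "cid",
                           "s3cret", initial, fake_gateway, clock=lambda: now[0])
    first = manager.auth_header()   # token is fresh, no refresh call
    now[0] = 7200 - 60              # inside the renewal margin
    second = manager.auth_header()  # exactly one refresh call
    return first, second, logged


if __name__ == "__main__":
    print(demo())
```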
This section includes the following topics:
- Obtaining Access Token
- Accessing APIs
- Accessing Tenant APIs using MSP Access Token
- Viewing and Revoking Tokens
- Adding a New Token

Obtaining Access Token

Users can generate the OAuth token using one of the following methods:
- Obtaining Token Using Offline Token Mechanism
- Obtaining Token Using OAuth Grant Mechanism

Accessing APIs

To access the API, use the following URL: https://app1-apigw.central.arubanetworks.com/. This endpoint is accessible over SSL, and HTTP (non-SSL) connections are redirected to the SSL port.

Table 64: Accessing the API

| URL | Description |
|---|---|
| https://app1-apigw.central.arubanetworks.com/ | The API gateway URL. All APIs can be accessed from this URL by providing a correct access token. |

The parameters for the API are as follows:

Table 65: Parameters for the API

| Parameter | Value | Description |
|---|---|---|
| request_path | URL Path | URL path of an API, for example, to access monitoring APIs, use the path /monitoring/v1/aps. |

Table 66: Header for the API

| Header | Value | Description |
|---|---|---|
| Authorization | Bearer ouzMaXEBbB6XqGtsWomK7MvaTuhrqDQ1 | Pass the access token in the header. |
Example

Request Method: GET
https://app1-apigw.central.arubanetworks.com/monitoring/v1/aps

Request Header:
    Authorization: Bearer ouzMaXEBbB6XqGtsWomK7MvaTuhrqDQ1

Response:

    {
        "aps": [
            {
                "firmware_version": "6.4.4.4-4.2.3.1_54637",
                "group_name": "00TestVRK",
                "ip_address": "10.29.18.195",
                "labels": [
                    "Filter_242",
                    "Ziaomof",
                    "roster",
                    "242455",
                    "Diegso"
                ],
                "macaddr": "6c:f3:7f:c3:5d:92",
                "model": "AP-134",
                "name": "6c:f3:7f:c3:5d:92",
                "radios": [
                    {
                        "band": 0,
                        "index": 1,
                        "macaddr": "6c:f3:7f:b5:d9:20",
                        "status": "Down"
                    },
                    {
                        "band": 1,
                        "index": 0,
                        "macaddr": "6c:f3:7f:b5:d9:30",
                        "status": "Down"
                    }
                ],
                "serial": "AX0140586",
                "status": "Down",
                "swarm_id": "e3bf1ba201a6f85f4b5eaedeead5e502d85a9aef58d8e1d8a0",
                "swarm_master": true
            }
        ],
        "count": 1
    }

Accessing Tenant APIs using MSP Access Token

MSP users can use their access token to perform operations on their tenant accounts using NBAPI. User privileges as per the tenant role are applied for these operations. An MSP user must provide the tenant info (CID) as part of the request header. The rate limit is consumed from the MSP account quota.

Table 67: Header for the API

| Header | Value | Description |
|---|---|---|
| TenantID | 267958b55d5a463e94a302c20f4a6b68 | Pass the tenant CID. |

Example

Request Method: GET
https://app1-apigw.central.arubanetworks.com/central/v2/sites

Request Header:
    TenantID: 267958b55d5a463e94a302c20f4a6b68

Response Code: 200

Response:

    {
        "count": 1,
        "sites": [
            {
                "address": "bangalore",
                "associated_device_count": 4,
                "city": "bangalore",
                "country": "India",
                "latitude": "12.9298689",
                "longitude": "77.6848366",
                "site_id": 1,
                "site_name": "test-pcap",
                "state": "Karnataka",
                "tags": null,
                "zipcode": "560103"
            }
        ],
        "total": 1
    }

Viewing and Revoking Tokens

To view or revoke tokens, complete the following steps:

1. In the Account Home page, under Global Settings, click API Gateway. The API Gateway page is displayed.
2. Click My Apps & Tokens.
The Token List table displays the following:
- Token ID--Token ID of the application.
- User Name--Name of the user with whom this token is associated. An application can be associated with multiple users.
- Application--Name of the application with which this token is associated. For example, Network Operations.
- Generated At--Date on which the token was generated.
- Revoke Token--Click Revoke Token and click Yes to revoke the token associated with a particular user. For example, if two users are associated with an application and you want to remove access for a particular user, revoke the token associated with that user.
- Download Token--Click Download Token to download the token.

In MSP mode, the admin user profile has a System Apps & Tokens tab, which displays all the apps and tokens generated in all non-admin user profiles in addition to the apps and tokens created in the admin user profile. To view all the tokens of admin and non-admin users, go to Account Home > Global Settings > API Gateway > System Apps & Tokens.

Adding a New Token

To add a new token, complete the following steps:

1. In the Account Home page, under Global Settings, click API Gateway. The API Gateway page is displayed.
2. Click My Apps & Tokens.
   The admin user can create new tokens for all non-admin users by clicking + Add Apps & Tokens in the System Apps & Tokens tab.
3. Click + Add Apps & Tokens to add a new token.
4. Enter the application name in the Application Name box and click Generate.

If you have registered a custom URI when creating a new app under System Apps and Tokens, the Redirect URI option is disabled for you in the My Apps and Tokens tab > Add Apps and Tokens > New Token. In such cases, the Redirect URI option in Add Apps and Tokens > New Token under My Apps and Tokens populates your already registered URI.

Obtaining Token Using Offline Token Mechanism

To obtain tokens using the offline token method, complete the following steps:

1. In the Account Home page, under Global Settings, click API Gateway. The API Gateway page is displayed.
2. Click My Apps & Tokens.
   In the MSP mode, the admin user profile can view the System Apps & Tokens tab, which displays all the apps and tokens generated in all the non-admin user profiles in addition to the apps and tokens created in the admin user profile.
3. Click + Add Apps & Tokens. The New Token pane is displayed.
4. Enter the application name and redirect URI in the Application Name and Redirect URI fields respectively.
5. Choose the application from the Application drop-down list and click Generate to generate a new token.
6. The Token List table displays the following:
   - Token ID--Token ID of the application.
   - User Name--Name of the user with whom this token is associated. An application can be associated with multiple users.
   - Application--Name of the application with which this token is associated. For example, Network Operations.
   - Generated At--Date on which the token was generated.
   - Revoke Token--Click Revoke Token and click Yes to revoke the token associated with a particular user. For example, if two users are associated with an application and you want to remove access for a particular user, revoke the token associated with that user.
   - Download Token--Click Download Token to download the token.

Obtaining Token Using OAuth Grant Mechanism

The following section describes the steps for obtaining the access token and refresh token using the authorization code grant mechanism:
- Step 1: Authenticate a User and Create a User Session
- Step 2: [Optional] Generating Client Credentials
- Step 3: Generate Authorization Code
- Step 4: Exchange Auth Code for a Token
- Step 5: Refreshing a Token
- Step 6: Deleting a Token

API calls are limited to 1 API call per second. This rate limit is applicable only to the APIs in the first 3 steps mentioned above.
Step 1: Authenticate a User and Create a User Session

The following API authenticates a user and returns a user session value that can be used to create future requests for a client with the specified username and password. It is assumed that you already have a client ID for your application. For more information on how to create an application and obtain tokens, see Creating Application and Token.

The domain URL allows you to log in to the API gateway server and to establish the user session. This endpoint is accessible over SSL, and HTTP (non-SSL) connections are redirected to the SSL port. The following table lists the region-specific domain URLs for accessing the API gateway.

If user authentication is successful, the request returns HTTP code 200 and the response header includes the following attributes.

Table 68: Authentication and User session Response Codes

| Header Key | Values | Description |
|---|---|---|
| https://app1-apigw.central.arubanetworks.com/oauth2/authorize/central/api/login?client_id=<client_id> | csrftoken=xxxx; session=xxxx | The server returns a CSRF token and identifies the user session, which must be used for all subsequent HTTP requests. |
Example

Request Method: POST
URL: https://app1-apigw.central.arubanetworks.com/oauth2/authorize/central/api/login?client_id=<client_id> HTTP/1.1
Host: app1-apigw.central.arubanetworks.com

Request Header:
    Accept: application/json
    Content-Type: application/json

POST Request Body (JSON):

    {
        "username": "xxxxx",
        "password": "xxxxx"
    }

Error Response:

400: Bad Request
Response Body (JSON):

    {
        "extra": {},
        "message": "<error string>"
    }

401: Auth failure
Response Body (JSON):

    {
        "message": "Auth failure",
        "status": false
    }

429: API rate limit exceeded
Response Body (JSON):

    {
        "message": "API rate limit exceeded"
    }

Success Response:

200: OK
Response Body (JSON):

    {
        "status": true
    }

Response Header:
    Set-Cookie: csrftoken=xxxx;session=xxxx;

The csrf token value received in the successful response message must be used as a parameter for all subsequent POST/PUT requests. The session value must also be used for all subsequent requests to maintain the user session context.

Step 2: [Optional] Generating Client Credentials

The following API can be used to generate client credentials for a specific tenant using your Managed Service Provider (MSP) Client ID.

Table 69: URL to Generate Client Credentials

| URL | Description |
|---|---|
| https://app1-apigw.central.arubanetworks.com/oauth2/authorize/central/api/client_credentials?client_id=<msp_client_id> | The <msp_client_id> variable is the client ID that Central gave to the Managed Service Provider user who registered the application. |
Example

Request Method: POST
URI--https://app1-apigw.central.arubanetworks.com/oauth2/authorize/central/api/client_credentials?client_id=<msp_client_id>

POST Request Body (JSON):

    {
        "customer_id": "<tenant_id>"
    }

Request Header: (Values from login API request)
    Set-Cookie: csrftoken=xxxx;session=xxxx;

Response Body (JSON):

    {
        "client_id": "<new-client-id>",
        "client_secret": "<new-client-secret>"
    }

Error Response

429: API rate limit exceeded
Response Body (JSON):

    {
        "message": "API rate limit exceeded"
    }

Step 3: Generate Authorization Code

After the user is authenticated and you have a valid session for that user, use this API to get an authorization code. The authorization code is valid only for 5 minutes and must be exchanged for a token within that time.

Table 70: URL to Generate an Authorization Code

| URL | Description |
|---|---|
| https://app1-apigw.central.arubanetworks.com/oauth2/authorize/central/api | The endpoint is a POST call to get an authorization code. |

Query parameters for this API are as follows:

Table 71: Query Parameters for the Auth Code API

| Parameter | Values | Description |
|---|---|---|
| client_id | client_id is a unique hexadecimal string | The client_id is a unique identifier that identifies the caller. Application developers obtain a client ID and a client secret when they register with the API gateway admin. |
| response_type | code | Use code as the response type to get the authorization code that can be exchanged for a token. |
| scope | all or read | Requested API permissions may be either all (for both read and write access) or read for read-only access. |
Example

Request Method: POST
URL: https://app1-apigw.central.arubanetworks.com/oauth2/authorize/central/api/?client_id=<client_id>&response_type=code&scope=all HTTP/1.1
Host: app1-apigw.central.arubanetworks.com

Request Header:
    Accept: application/json
    Cookie: "session=xxxx"
    X-CSRF-Token: xxxx
    Content-Type: application/json

POST Request Body (JSON):

    {
        "customer_id": "xxxxx"
    }

Error Response:

400: Bad Request
Response Body (JSON):

    {
        "extra": {},
        "message": "<error string>"
    }

401: Auth failure
Response Body (JSON):

    {
        "message": "Auth failure",
        "status": false
    }

429: API rate limit exceeded
Response Body (JSON):

    {
        "message": "API rate limit exceeded"
    }

Success Response:

200: OK
Response Body (JSON):

    {
        "auth_code": "xxxx"
    }

Pass the csrf-token value you obtained in step one in the request header; otherwise, the request will be rejected. Note the auth_code value in the response, as you will use this code to obtain an OAuth token.

Response Header:
    Set-Cookie: csrftoken=xxxx;session=xxxx;

Step 4: Exchange Auth Code for a Token

Once you have an authorization code, use that code to request an access token from the server. The exchange should be done within 300 seconds of obtaining the auth code from the previous step, or the API will return an error.

Table 72: URL to Generate an Auth Token

| URL | Description |
|---|---|
| https://app1-apigw.central.arubanetworks.com/oauth2/token | The endpoint is a POST call to get an access token using the authorization code obtained from the server. |

Query parameters for this API are as follows:

Table 73: Query Parameters for the Auth Code API

| Parameter | Values | Description |
|---|---|---|
| client_id | client_id is a unique hexadecimal string | The client_id is a unique identifier that identifies the caller. Application developers obtain a client ID and a client secret when they register with the API gateway admin. |
| client_secret | client_secret is a unique hexadecimal string | The client_secret is a unique identifier provided to each developer at the time of registration. Application developers can obtain a client ID and client secret when they register with the API gateway admin. |
| grant_type | authorization_code | Use code to get the authorization code that can be exchanged for the token. |
| code | auth_code received from step 1 | The authorization code received from the authorization server. |
| redirect_uri | string | The redirect URI must be the same as the one given at the time of registration. This is an optional parameter. |

The response to this API query is a JSON dictionary with the following values:

Table 74: Auth Token Values

| Parameter | Values | Description |
|---|---|---|
| token_type | bearer | Identifies the token type. Central supports only the bearer token type (see https://tools.ietf.org/html/rfc6750). |
| refresh_token | string | Refresh tokens are credentials used to renew or refresh the access_token when it expires without repeating the complete authentication flow. A refresh token is a string representing the authorization granted to the client by the resource owner. |
| expires_in | seconds | The lifetime, in seconds, of the access token. |
| access_token | string | Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. |

Example

Request Method: POST
URL: https://apigw-prod2.central.arubanetworks.com/oauth2/token?client_id=<Central-API-app-clientid>&client_secret=xxxx&grant_type=authorization_code&code=xxxx
Content-Type: application/json

Response:

    {
        "refresh_token": "xxxx",
        "token_type": "bearer",
        "access_token": "xxxx",
        "expires_in": 7200
    }

Step 5: Refreshing a Token

You can use the refresh token obtained in the previous step to update the access token without repeating the entire authentication process. A refresh token is only required once your access token is expired.
You can only refresh a token for a new access token every 15 minutes. For example, when you refresh a new token, you can use the provided access token for 2 hours. If you want a new access token, you have to again refresh the token after 15 minutes from its last refresh.

Table 75: URL to Refresh a Token

| URL | Description |
|---|---|
| https://app1-apigw.central.arubanetworks.com/oauth2/token | The endpoint is a POST call to refresh the access token using the refresh token obtained from the server. |

Query parameters for this API are as follows:

Table 76: Query Parameters for Refresh Tokens

| Parameter | Value | Description |
|---|---|---|
| client_id | client_id is a unique hexadecimal string | The client_id is a unique identifier that identifies the caller. Application developers obtain a client ID and a client secret when they register with the API gateway admin. |
| client_secret | client_secret is a unique hexadecimal string | The client_secret is a unique identifier provided to each developer at the time of registration. Application developers obtain a client ID and a client secret when they register with the API gateway admin. |
| grant_type | refresh_token | Specify refresh_token as the grant type to request that an authorization code be exchanged for a token. |
| refresh_token | string | A string representing the authorization granted to the client by the resource owner. |

The response to this API query is a JSON dictionary with the following values:

| Parameter | Value | Description |
|---|---|---|
| token_type | bearer | Identifies the token type. Only the bearer token type is supported. For more information, see https://tools.ietf.org/html/rfc6750. |
| refresh_token | string | Refresh tokens are credentials used to renew or refresh the access token when it expires without going through the complete authorization flow. A refresh token is a string representing the authorization granted to the client by the resource owner. |
| expires_in | seconds | The expiration duration of the access tokens in seconds. |
| access_token | string | Access tokens are credentials used to access the protected resources. An access token is a string representing an authorization issued to the client. |

Example

Method: POST
https://apigw-prod2.central.arubanetworks.com/oauth2/token?client_id=<Central-API-app-clientid>&client_secret=xxxx&grant_type=refresh_token&refresh_token=xxxx

Response

    {
        "refresh_token": "xxxx",
        "token_type": "bearer",
        "access_token": "xxxx",
        "expires_in": 7200
    }

Step 6: Deleting a Token

To delete the access token, access the following URL:

Table 77: URL to Delete a Token

| URL | Description |
|---|---|
| https://app1-apigw.central.arubanetworks.com/oauth2/token | This endpoint is accessible over SSL. HTTP (non-SSL) connections are redirected to the SSL port. Customer ID is a string. |

Example

Method: DELETE
URL: https://app1-apigw.central.arubanetworks.com/oauth2/api/tokens

JSON Body:

    {
        "access_token": "<access_token_to_be_deleted>"
    }

Headers:
    Content-Type: application/json
    X-CSRF-Token: <CSRF_token_obtained_from_login_API>
    Cookie: "session=<session_obtained_from_login_API>"

Viewing Usage Statistics

The API Gateway page includes the Usage tab that displays the API usage. The Usage tab is available only for administrators, and the usage data is stored only for the previous 30 days. The following details are displayed:
- Current Usage
- Last one week API usage data
- Per user usage
- MSP and tenant usage if you are in MSP mode

To view the usage statistics for users of API Gateway, complete the following steps:

1. In the Account Home page, under Global Settings, click API Gateway. The API Gateway page is displayed.
2. Click Usage. The following details are displayed:

Figure 47 API Gateway Usage Page

   a. Current usage--Current usage of API calls assigned for a day along with the reset time in local time zone.
   b. Last one week API usage data:
      - Date--The date of usage.
      - API Calls Per Day--API calls per day.
      - Usage Percentage--Usage percentage for a specific date.
   c. Per User Usage:
      - User--The name of the user.
      - Date--The date on which the application was accessed.
      - Usage Per Day--The total usage by the user per day. This is derived based on the total number of API calls made on a per day basis. This is an aggregate across all customers.
   d. If you are in MSP mode, the MSP & Tenant Usage table is displayed:
      - Tenant ID: ID of the tenant account.
      - Date: The date on which the application was accessed.
      - Usage Per Day: The total usage by the tenant account per day. This is derived based on the total number of API calls made on a per day basis.
3. To download the API gateway usage statistics, click Download CSV.

Changes to Aruba Central APIs

This section lists the new APIs, deprecated APIs, alternative APIs, and APIs removed from Aruba Central:
- New APIs
- Modified API
- Deprecated APIs
- Removed APIs

New APIs

The following table lists the new APIs:

Table 78: New APIs (each new API is followed by its description)

Monitoring > Clients APIs
- [GET] /monitoring/v2/clients
  This API is introduced to get a list of unified clients and it is backward compatible with the version 1 APIs (GET /monitoring/v1/clients/wired and GET /monitoring/v1/clients/wireless). This API version is introduced with the following parameter inclusions:
  - last_client_mac--Use this parameter to fetch the next set of clients beyond set limit. This is used to fetch the clients details beyond 10000 clients.
  - timerange--Use this to filter the unified client information based on the time range. By default, 3 hours is selected.
  - client_type--Use this to select the client type as WIRELESS or WIRED. By default, client type is selected as WIRELESS.
  - client_status--Use this to select either CONNECTED for a list of connected clients or FAILED_TO_CONNECT for a list of failed clients. By default, the client status is selected as CONNECTED.
- [GET] /monitoring/v2/clients/{macaddr}
  This API is introduced to get the client details (wired and wireless).

Authentication & Policy > Client Policy APIs
- [GET] /client_policy
  This API is introduced to fetch a policy that allows network access for registered clients, based on their MAC address and client profile tag.
- [DELETE] /client_policy
  This API is introduced to delete an existing policy to remove network access for all registered clients.
- [PUT] /client_policy
  This API is introduced to configure or update a policy that allows network access for registered clients, based on their MAC address and client profile tag.

Authentication & Policy > Client Registration APIs
- [GET] /client_registration
  This API is introduced to fetch the list of registered clients that are allowed to access the network.
- [DELETE] /client_registration/{mac_address}
  This API is introduced to delete the registered client and to remove network access.
- [POST] /client_registration
  This API is introduced to add a registered client to allow network access.
- [PATCH] /client_registration/{mac_address}
  This API is introduced to update Client Name for the registered clients.

Authentication & Policy > User policy APIs
- [GET] /user_policy
  This API is introduced to fetch a policy that allows wireless network access for users, based on their user groups.
- [DELETE] /user_policy
  This API is introduced to delete existing policy to remove wireless network access for all users.
- [PUT] /user_policy
  This API is introduced to configure a policy to allow wireless network access for users, based on their user groups.

AI OPs > Wi-Fi Connectivity at Global APIs

NOTE: For all AI Ops APIs, AI Insights are triggered only when there are failure events in the user network, so all Insights might not be present all the time. The API can therefore return an empty response for a selected time period.
- [GET] /aiops/v1/connectivity/global/stage/{stage}/export
- [GET] /aiops/v1/connectivity/site/{site_id}/stage/{stage}/export
- [GET] /aiops/v1/connectivity/group/{group}/stage/{stage}/export
  These APIs are introduced to get the overall Connectivity Information for a given time duration. Use the stage parameter to get the information for that stage.

AI OPs > AI Insights List APIs
- [GET] /aiops/v2/insights/global/list
- [GET] /aiops/v2/insights/site/{site_id}/list
- [GET] /aiops/v2/insights/ap/{ap_serial}/list
- [GET] /aiops/v2/insights/client/{sta_mac}/list
- [GET] /aiops/v2/insights/gateway/{gw_serial}/list
- [GET] /aiops/v2/insights/switch/{sw_serial}/list
  These APIs are introduced to get the list of insights for a given time duration.

AI OPs > AI Insight Details APIs
- [GET] /aiops/v2/insights/global/id/{insight_id}/export
- [GET] /aiops/v2/insights/site/{site_id}/id/{insight_id}/export
- [GET] /aiops/v2/insights/ap/{ap_serial}/id/{insight_id}/export
- [GET] /aiops/v2/insights/client/{sta_mac}/id/{insight_id}/export
- [GET] /aiops/v2/insights/gateway/{gw_serial}/id/{insight_id}/export
- [GET] /aiops/v2/insights/switch/{sw_serial}/id/{insight_id}/export
  These APIs are introduced to get details of a single insight for a given time duration.

MSP > Groups APIs
- [GET] /msp_api/v1/groups/{group_name}/customers
  This API is introduced to get the list of customers mapped to MSP group based on limit and offset.

Troubleshooting APIs
- [GET] /troubleshooting/v1/runningconfig-backup/serial/{serial}
  This API is introduced to get list of backups associated with the device serial.
- [GET] /troubleshooting/v1/runningconfig-backup/serial/{serial}/prefix/{prefix}
  This API is introduced to filter/list the backups associated with the device serial and starting with the prefix.
- [GET] /troubleshooting/v1/runningconfig-backup/name/{name}
  This API is introduced to fetch the backup stored against the given name.
- [POST] /troubleshooting/v1/runningconfig-backup/serial/{serial}/prefix/{prefix}
  This API is introduced to initiate backup of running config for the switch with the given serial and store output against a name starting with the given prefix.
- [POST] /troubleshooting/v1/runningconfig-backup/group_name/{group_name}/prefix/{prefix}
  This API is introduced to initiate backup of running config for switches in the group and store output against names starting with the given prefix.

Configuration > WLAN Configuration APIs
- [GET] /configuration/full_hotspot/{group_name_or_guid}
  This API is introduced to get the WLAN list of an UI group.
- [GET] /configuration/full_hotspot/{group_name_or_guid}/{mode_name}
  This API is introduced to get the hotspot list of an UI group or swarm with mode name.
- [GET] /configuration/full_hotspot/{group_name_or_guid}/template
  This API is introduced to get the WLAN default configuration.
- [GET] /configuration/full_hotspot/{group_name_or_guid}/{hotspot_name}/{mode_name}
  This API is introduced to initiate backup of running config for the switch with the given serial and store output against a name starting with the given prefix.
- [POST] /configuration/full_hotspot/{group_name_or_guid}/{hotspot_name}/{mode_name}
  This API is introduced to create a new hotspot.
- [DELETE] /configuration/full_hotspot/{group_name_or_guid}/{hotspot_name}/{mode_name}
  This API is introduced to delete an existing hotspot.
- [PUT] /configuration/full_hotspot/{group_name_or_guid}/{hotspot_name}/{mode_name}
  This API is introduced to update an existing hotspot.

Configuration > Templates

- [GET] /configuration/v1/groups/{group}/templates

This API is introduced to get all templates in a group.

- [PATCH] /configuration/v1/groups/{group}/templates

This API is introduced to update the existing template in a group.

- [POST] /configuration/v1/groups/{group}/templates

This API is introduced to create a new template in a group.

- [DELETE] /configuration/v1/groups/{group}/templates/{template}

This API is introduced to delete an existing template in a group.

- [GET] /configuration/v1/groups/{group}/templates/{template}

This API is introduced to get template text for a template group.

Service IPMS > Aruba ipms APIs

NOTE: In the API parameter, make sure that the node_type and node_id fields are set to Global.

- [GET] /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/

This API is introduced to retrieve an IP range.

- [DELETE] /ipms-config/v1/node_list/{node_type}/{node_id}/config/

This API is introduced to delete a config.

- [GET] /ipms-config/v1/node_list/{node_type}/{node_id}/config/

This API is introduced to retrieve a config.

- [GET] /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/

This API is introduced to retrieve an address pool.

- [DELETE] /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/

This API is introduced to delete an address pool.

- [GET] /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/

This API is introduced to retrieve an address pool by identifier pool name.

- [POST] /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/

This API is introduced to create an address pool by identifier pool name.

- [PUT] /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/

This API is introduced to create or update the address pool by identifier pool name.

- [DELETE] /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/{range_id}/

This API is introduced to delete the IP range by identifier range id.

- [GET] /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/{range_id}/

This API is introduced to retrieve the IP range by identifier range id.

- [POST] /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/{range_id}/

This API is introduced to create IP range by identifier range id.

- [PUT] /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/{range_id}/

This API is introduced to create or update the IP range by identifier range id.

- [GET] /ipms-config/v1/node_list/{node_type}/{node_id}/

This API is introduced to have global level config for IPMS service.

Configuration > Groups

- [POST] /configuration/v3/groups

This API is introduced to create groups with specified properties.

- [PATCH] /configuration/v2/groups/{group}/properties

This API is introduced to update properties for the given group.

Guest > Summary

- [GET] /guest/v1/summary

This API is introduced to get the summary statistics.

Client Match > Status

- [GET] /loadbal-enable/v1/{tenant_id}

This API is introduced to retrieve Client Match Load Balancer status for a tenant.

- [POST] /loadbal-enable/v1/{tenant_id}

This API is introduced to enable or disable Client Match Load Balancer for a particular tenant.

Monitoring > Switch APIs

NOTE: The below mentioned APIs are applicable to AOS-CX switches only.

- [GET] /monitoring/v1/cx_switches/{serial}/vlan

This API is introduced to get the VLAN information for CX switch.

- [GET] /monitoring/v1/cx_switch_stacks/{stack_id}/vlan

This API is introduced to get the switch stack VLAN information for CX switch.

- [GET] /monitoring/v1/cx_switches/{serial}/poe_detail

This API is introduced to get the switch port poe information for CX switch.

- [GET] /monitoring/v1/cx_switches/{serial}/poe_details

This API is introduced to get the switch poe information for CX switch.

- [GET] /monitoring/v1/cx_switches/{serial}/vsx

This API is introduced to get the switch vsx information for CX switch.

- [GET] /monitoring/v1/cx_switches/{serial}/ports

This API is introduced to get the ports details for CX switch.

- [GET] /monitoring/v1/cx_switch_stacks/{stack_id}/ports

This API is introduced to get the port details for a given stack_id for CX Switch.

- [GET] /monitoring/v1/cx_switches/{serial}/ports/bandwidth_usage

This API is introduced to get the switch ports bandwidth usage over a time period for CX switch.

- [GET] /monitoring/v1/cx_switches/{serial}/ports/errors

This API is introduced to get the switch ports in and out errors over a time period for CX switch.

Monitoring > Switch APIs

NOTE: The below mentioned APIs are applicable to AOS-S and AOS-CX switches.

- [GET] /monitoring/v1/switches

This API is introduced to get the switch details.

- [GET] /monitoring/v1/switches/bandwidth_usage/topn

This API is introduced to get top N switches details over a time period.

- [DELETE] /monitoring/v1/switches/{serial}

This API is introduced to delete a switch.

- [GET] /monitoring/v1/switches/{serial}

This API is introduced to get the switch details using serial number.

- [GET] /monitoring/v1/switches/{serial}/chassis_info

This API is introduced to get the switch chassis details for chassis type switches.

- [GET] /monitoring/v1/switch_stacks

This API is introduced to get the list of switch stacks.

- [DELETE] /monitoring/v1/switch_stacks/{stack_id}

This API is introduced to delete the stack and associated switches.

- [GET] /monitoring/v1/switch_stacks/{stack_id}

This API is introduced to get the switch stack details.

Modified API

The following table lists the modified APIs:

Table 79: Modified APIs

Monitoring > Switch APIs

- [GET] /monitoring/v1/switch_stacks/{stack-id}/ports
- [GET] /monitoring/v1/switches/{serial}/ports

Following fields are added in the response to ensure that the API call gets a list of ports, which includes:
  - out_errors per port
  - in_errors per port

- [GET] /monitoring/v1/switches/{serial}
- [GET] /monitoring/v1/switch_stacks/{stack_id}

The switch_type field is added to select the type of switch in the API endpoints. Following are the supported values:
  - ArubaCX
  - ArubaSwitch
  - MAAS

- GET /monitoring/v1/switches

  - site parameter is introduced to filter the switches by site name.
  - site and stack_id fields are added to the response to get the site name and stack id details for the switches.
  - The switch_type field is added in the response to select the type of switch in the API endpoints. Following are the supported values:
    - AOS-CX
    - AOS-S

- GET /monitoring/v1/switches/{serial}

  - site and stack_id fields are added to the response to get the site name and stack id details for the switches.
  - nae_aggr_status field is added to the response that reports the switch status as Critical, Major, Minor, Normal, or Warning. This field is only applicable for CX switches.

- GET /monitoring/v1/switch_stacks

  - host_name parameter is introduced to filter the switches by host name.

Audit Event Logs

- [GET] /auditlogs/v1/events
- [GET] /platform/auditlogs/v1/logs

  - The limit parameter has been enhanced to return 100 audit events.
  - Following new parameters are introduced to filter audit events by time range:
    - start_time--Start time in epoch seconds. If start time is not specified, current time minus 90 days is automatically filled in as the start time.
    - end_time--End time in epoch seconds. If end time is not specified, current time is automatically filled in as the end time.

Monitoring > Client API

- [GET] /monitoring/v1/clients/wireless
- [GET] /monitoring/v1/clients/wired

  - site parameter is introduced to filter the APIs by site name.
  - To retrieve clients beyond 10,000, use the last_client_mac parameter to fetch the next set of clients.

Monitoring > Gateway

- [GET] /monitoring/v1/gateways

site parameter is introduced to filter the APIs by site name.

Monitoring > Access Points

- [GET] /monitoring/v1/aps/{serial}

  - Following fields are added in the response to get the site and swarm name of the AP:
    - site_name
    - swarm_name
  - 6 GHz radio support is added in the radios response field.

- [GET] /monitoring/v3/aps/{serial}/rf_summary
- [GET] /monitoring/v3/aps/bandwidth_usage

6 GHz radio support is added in the band parameter to filter by band value 6.

- [GET] /monitoring/v2/aps

6 GHz radio support is added in the radios response field.

Monitoring > Swarm

- [GET] /monitoring/v1/swarms

swarm_name parameter is introduced to filter the API by swarm name.

Topology

- [GET] /{site_id}

Following fields are added/modified in the response:
  - vlans--Lists the vlans configured on the device.
  - taggedVlans and untaggedVlan--Lists the tagged and untagged vlan associated to the ports of the edge. This is applicable only for switches.
  - In alignment with the redesign of HPE engineering terminology, the term Master in the API response changed to Conductor.

- [GET] /devices/{device_serial}

  - In alignment with the redesign of HPE engineering terminology, the term Master in the API response changed to Conductor.

Configuration > Groups

- [POST] /configuration/v2/groups

This API no longer supports the group password functionality and any value passed for this parameter would not be saved. Make sure that you use respective device configuration UI feature page to set the device admin password at group level.

- [GET] /configuration/v1/groups/properties

Following property values are added in the response body:
  - Device types (Access Points, Gateways, and Switches) to be allowed in the group
  - Network role (Standard or Microbranch) for access points in the group
  - Network role (Branch Gateway or VPN Concentrator or WLAN Gateway) for gateways in the group
  - Switch device types (AOS_S or AOS_CX) to be allowed in the group

Deprecated APIs

The following table lists the APIs that have been deprecated. These APIs will continue to function but could be removed in a future release. Aruba strongly discourages the use of these APIs and recommends that you use the alternative API.

Table 80: Deprecated APIs

User Management

| Deprecated API | Alternative API |
| --- | --- |
| [GET] /accounts/v2/users | [GET] /platform/rbac/v1/users |
| [POST] /accounts/v2/users | [POST] /platform/rbac/v1/users |
| [POST] /accounts/v1/users/change_password | [POST] /platform/rbac/v1/users/{user_id}/password |
| [POST] /accounts/v1/users/reset_password | [POST] /platform/rbac/v1/users/{user_id}/password/reset |
| [GET] /accounts/v2/users/{user_id} | [GET] /platform/rbac/v1/users/{user_id} |
| [PATCH] /accounts/v2/users/{user_id} | [PATCH] /platform/rbac/v1/users/{user_id} |
| [POST] /accounts/v1/bulk_users | [POST] /platform/rbac/v1/bulk_users |
| [PATCH] /accounts/v1/bulk_users | [PATCH] /platform/rbac/v1/bulk_users |
| [GET] /accounts/v1/status/{cookie_name} | [GET] /platform/rbac/v1/status/{cookie_name} |
| [GET] /accounts/v1/roles | [GET] /platform/rbac/v1/roles |
| [POST] /accounts/v1/roles | [POST] /platform/rbac/v1/apps/{app_name}/roles |
| [GET] /accounts/v1/roles/{rolename} | [GET] /platform/rbac/v1/apps/{app_name}/roles/{rolename} |
| [DELETE] /accounts/v1/roles/{rolename} | [DELETE] /platform/rbac/v1/apps/{app_name}/roles/{rolename} |
| [PATCH] /accounts/v1/roles/{rolename} | [PATCH] /platform/rbac/v1/apps/{app_name}/roles/{rolename} |
| [GET] /accounts/v3/users | [GET] /platform/rbac/v1/users |
| [GET] /accounts/v1/users | [GET] /platform/rbac/v1/users |
| [POST] /accounts/v1/users | [GET] /platform/rbac/v1/users |

| Deprecated API | Alternative API |
| --- | --- |
| [GET] /accounts/v1/users/{user_id} | [GET] /platform/rbac/v1/users/{user_id} |
| [PATCH] /accounts/v1/users/{user_id} | [PATCH] /platform/rbac/v1/users/{user_id} |
| [POST] /v2/subscriptions/assign | [POST] /platform/licensing/v1/subscriptions/assign |

Presence Analytics

| Deprecated API | Alternative API |
| --- | --- |
| [GET] /presence/v2/config/thresholds | [GET] /presence/v3/config/thresholds |
| [POST] /presence/v2/config/thresholds | [POST] /presence/v3/config/thresholds |
| [GET] /presence/v2/analytics/aggregates | NA |
| [GET] /presence/v2/analytics/trends | [GET] /presence/v3/analytics/trends/passerby_visitors |
| [GET] /presence/v2/insights/top_sites | NA |
| [GET] /presence/v2/insights/bottom_sites | NA |
| [GET] /presence/v2/insights/sites/aggregates | [GET] /presence/v3/insights/sites/aggregates |
| [GET] /presence/v2/loyalty/aggregates | NA |
| [GET] /presence/v2/loyalty/trends | [GET] /presence/v3/analytics/trends/loyal_visitors |
| [GET] /presence/v2/loyalty/visits | [GET] /presence/v3/visit_frequency |
| [GET] /presence/v2/loyalty/aggregates/top_sites | NA |
| [GET] /presence/v2/loyalty/aggregates/bottom_sites | NA |
| [GET] /presence/v2/loyalty/trends/top_sites | NA |
| [GET] /presence/v2/loyalty/trends/bottom_sites | NA |

NOTE: Expected to be slow for customers with large number of sites.

| Deprecated API | Alternative API |
| --- | --- |
| [GET] /presence/v2/loyalty/sites/aggregates | [GET] /presence/v3/insights/sites/aggregates |

Monitoring > VPN

| Deprecated API | Alternative API |
| --- | --- |
| [GET] /monitoring/v1/vpn/usage, [GET] /monitoring/v2/vpn/usage | [POST] /monitoring/v3/vpn/usage |

Monitoring > Access Points

| Deprecated API | Alternative API |
| --- | --- |
| [GET] /monitoring/v1/aps | [GET] /monitoring/v2/aps |
| [GET] /monitoring/v2/aps/{serial}/rf_summary | [GET] /monitoring/v3/aps/{serial}/rf_summary |
| [GET] /monitoring/v1/aps/bandwidth_usage, [GET] /monitoring/v2/aps/bandwidth_usage | [GET] /monitoring/v3/aps/bandwidth_usage |
| [GET] /monitoring/v1/aps/{serial}/uplink_history | NA |
| [GET] /monitoring/v1/aps/{serial}/neighbouring_clients | NA |
| [GET] /monitoring/v1/bssids | [GET] /monitoring/v2/bssids |
| [GET] /monitoring/v1/aps/bandwidth_usage/topn | [GET] /monitoring/v2/aps/bandwidth_usage/topn |

Monitoring > Network

| Deprecated API | Alternative API |
| --- | --- |
| [GET] /monitoring/v1/networks | [GET] /monitoring/v2/networks |
| [GET] /monitoring/v1/networks/{network_name} | [GET] /monitoring/v2/networks/{network_name} |
| [GET] /monitoring/v1/networks/bandwidth_usage | [GET] /monitoring/v2/networks/bandwidth_usage |

Deprecated Licensing

| Deprecated API | Alternative API |
| --- | --- |
| [GET] /subscriptions | [GET] /platform/licensing/v1/subscriptions |
| [GET] /subscriptions/stats | [GET] /platform/licensing/v1/subscriptions/stats |
| [GET] /services/enabled | [GET] /platform/licensing/v1/services/enabled |
| [GET] /subscriptions/assign | [POST] /platform/licensing/v1/subscriptions/assign |
| [POST] /subscriptions/unassign | [POST] /platform/licensing/v1/subscriptions/unassign |
| [GET] /services/config | [GET] /platform/licensing/v1/services/config |
| [DELETE] /subscriptions/devices/all | [DELETE] /platform/licensing/v1/subscriptions/devices/all |
| [POST] /subscriptions/devices/all | [POST] /platform/licensing/v1/subscriptions/devices/all |
| [DELETE] /msp/subscriptions/devices/all | [DELETE] /platform/licensing/v1/msp/subscriptions/devices/all |
| [POST] /msp/subscriptions/devices/all | [POST] /platform/licensing/v1/msp/subscriptions/devices/all |
| [GET] /autolicensing/services/{service}/status | [GET] /platform/licensing/v1/autolicensing/services/{service}/status |
| [DELETE] /customer/settings/autolicense | [DELETE] /platform/licensing/v1/customer/settings/autolicense |
| [GET] /customer/settings/autolicense | [GET] /platform/licensing/v1/customer/settings/autolicense |
| [POST] /customer/settings/autolicense | [POST] /platform/licensing/v1/customer/settings/autolicense |
| [DELETE] /msp/customer/settings/autolicense | [DELETE] /platform/licensing/v1/msp/customer/settings/autolicense |
| [GET] /msp/customer/settings/autolicense | [GET] /platform/licensing/v1/msp/customer/settings/autolicense |
| [POST] /msp/customer/settings/autolicense | [POST] /platform/licensing/v1/msp/customer/settings/autolicense |

Monitoring > MobilityController

| Deprecated API | Alternative API |
| --- | --- |
| [GET] /monitoring/v1/mobility_controllers | [GET] /monitoring/v1/gateways |
| [GET] /monitoring/v1/mobility_controllers/{serial} | [GET] /monitoring/v1/gateways/{serial} |
| [DELETE] /monitoring/v1/mobility_controllers/{serial} | [DELETE] /monitoring/v1/gateways/{serial} |
| [GET] /monitoring/v1/mobility_controllers/{serial}/uplinks | [GET] /monitoring/v1/gateways/{serial}/uplinks |
| [GET] /monitoring/v1/mobility_controllers/uplinks/bandwidth_usage | [GET] /monitoring/v1/gateways/{serial}/uplinks/bandwidth_usage |
| [GET] /monitoring/v1/mobility_controllers/{serial}/uplinks/tunnel_stats | [GET] /monitoring/v1/gateways/{serial}/tunnels/stats |
| [GET] /monitoring/v1/mobility_controllers/uplinks/wan_compression_stats | [GET] /monitoring/v1/gateways/{serial}/uplinks/wan_compression_stats |
| [GET] /monitoring/v1/mobility_controllers/uplinks/distribution | [GET] /monitoring/v1/gateways/{serial}/uplinks/distribution |
| [GET] /monitoring/v1/mobility_controllers/{serial}/ports/bandwidth_usage | [GET] /monitoring/v1/gateways/{serial}/ports/bandwidth_usage |
| [GET] /monitoring/v1/mobility_controllers/{serial}/ports | [GET] /monitoring/v1/gateways/{serial}/ports |
| [GET] /monitoring/v1/mobility_controllers/{serial}/tunnels | [GET] /monitoring/v1/gateways/{serial}/tunnels |
| [GET] /monitoring/v1/mobility_controllers/{serial}/dhcp_clients | [GET] /monitoring/v1/gateways/{serial}/dhcp_clients |
| [GET] /monitoring/v1/mobility_controllers/{serial}/dhcp_servers | [GET] /monitoring/v1/gateways/{serial}/dhcp_pools |
| [GET] /monitoring/v1/mobility_controllers/{serial}/vlan | [GET] /monitoring/v1/gateways/{serial}/vlan |

Removed APIs

The following table lists the APIs that have been removed and the alternative APIs:

Table 81: Removed and Alternative APIs

User Management

| Removed API | Alternative API |
| --- | --- |
| [DELETE] /accounts/v1/users/{user_id} | [DELETE] /platform/rbac/v1/users/{user_id} |
| [DELETE] /accounts/v1/bulk_users | [DELETE] /platform/rbac/v1/bulk_users |

Device Management

| Removed API | Alternative API |
| --- | --- |
| [GET] /configuration/v1/devices/{device_serial}/mobility_master/ | [GET] /device_management/v1/mobility_master/{device_serial} |
| [POST] /configuration/v1/devices/{device_serial}/mobility_master/{mm_name} | [POST] /device_management/v1/mobility_master/{device_serial}/{mm_name} |

WIDS

| Removed API | Alternative API |
| --- | --- |
| [GET] /monitoring/v1/wids/rogue_aps | [GET] /rapids/v1/rogue_aps |
| [GET] /monitoring/v1/wids/interfering_aps | [GET] /rapids/v1/interfering_aps |
| [GET] /monitoring/v1/wids/infrastructure_attacks | [GET] /rapids/v1/wids/infrastructure_attacks |
| [GET] /monitoring/v1/wids/client_attacks | [GET] /rapids/v1/wids/client_attacks |
| [GET] /monitoring/v1/wids/events | [GET] /rapids/v1/wids/events |

NOTE (for /rapids/v1/rogue_aps and /rapids/v1/interfering_aps): Rogue Detection is disabled, contact Aruba Support to enable this feature.

Configuration

Removed APIs:

- [PUT] /configuration/v1/msp/templates--This API updates the MSP customer level template to all template groups for the end customers.
- [PUT] /configuration/v1/msp/templates/customer/{cid}--This API updates the end customer-level template and applies the template to all template groups.

Alternative APIs:

NOTE: To achieve the functionality of [PUT] /configuration/v1/msp/templates API, it is recommended that you use the combination of 1, 3, and 4 numbered APIs from the alternate API column.

NOTE: To achieve the functionality of [PUT] /configuration/v1/msp/templates/customer/{cid} API, it is recommended that you use the combination of 2 and 4 numbered APIs from the alternate API column.

1. [PUT] /configuration/v2/msp/templates--This API is used to update the template at MSP level.
2. [PUT] /configuration/v2/msp/templates/customer/{cid}--This API is used to update the template at end customer level.
3. [POST] /configuration/v2/msp/templates/end_customers/{device_type}/{version}/{model}--This API is used to apply the MSP level template to end customers.
4. [POST] /configuration/v2/msp/templates/end_customers/{cid}/{device_type}/{version}/{model}/group--This API is used to apply end customer-level templates to the end customer's template groups.

The following table lists the APIs that have been removed:

Table 82: Removed APIs

ACP MSP

- [GET] /platform/msp_api/v1/customers/{customer_id}
- [PUT] /platform/msp_api/v1/customers/{customer_id}
- [DELETE] /platform/msp_api/v1/customers/{customer_id}
- [GET] /platform/msp_api/v1/customers
- [POST] /platform/msp_api/v1/customers

Clarity

- [GET] /clarity/v1/overview/healthscore
- [GET] /clarity/v1/overview/healthscore/dns
- [GET] /clarity/v1/overview/network_stats
- [GET] /clarity/v1/ssid/names
- [GET] /clarity/v1/overview/reasons
- [GET] /clarity/v1/overview/attempts
- [GET] /clarity/v1/overview/device_attempts
- [GET] /clarity/v1/trend/healthscore
- [GET] /clarity/v1/trend/healthscore/dns
- [GET] /clarity/v1/trend/network_stats
- [GET] /clarity/v1/clients/search/partial
- [GET] /clarity/v1/clients/search/absolute
- [GET] /clarity/v1/clients/details
- [GET] /clarity/v1/clients/stats
- [GET] /clarity/v1/insights
- [GET] /clarity/v1/insights/details
- [GET] /clarity/v1/insights/distribution
- [GET] /clarity/v1/license

Attributes

- [GET] /monitoring/v1/attribute_values

Presence Analytics

- [POST] /presence/v1/config/thresholds
- [GET] /presence/v1/config/thresholds
- [GET] /presence/v1/analytics/aggregates
- [GET] /presence/v1/analytics/trends
- [GET] /presence/v1/insights/top_sites
- [GET] /presence/v1/insights/bottom_sites
- [GET] /presence/v1/insights/sites/aggregates

Configuration > Groups

- [PATCH] /configuration/v1/groups/{group}
- [PATCH] /configuration/v1/groups/{group}/properties

Webhooks

Webhooks allow you to implement event reactions by providing real-time information or notifications to other applications. Aruba Central allows you to create Webhooks and select Webhooks as the notification delivery option for all alerts.

Using Aruba Central, you can integrate Webhooks with other third-party applications such as ServiceNow, Zapier, IFTTT, and so on.

You can access the Webhooks service either through the Aruba Central UI or API Gateway. Aruba Central supports creating up to 10 Webhooks. To enable redundancy, Aruba Central allows you to add up to three URLs per Webhook.

From Aruba Central, you can add, list, or delete Webhooks; get or refresh Webhooks token; get or update Webhooks settings for a specific item; and test Webhooks notification.

This section includes the following topics:

- Creating and Updating Webhooks Through the UI
- Refreshing Webhooks Token Through the UI
- Creating and Updating Webhooks Through the API Gateway
- List of Webhooks APIs
- Sample Webhooks Payload Format for Alerts

In the Alerts & Events page, click the Configuration icon to configure and enable an alert. In the Notification Options, select Webhooks as the notification delivery option.

The following figure illustrates how Aruba Central integrates with third-party applications using Webhooks.

Figure 48 Webhooks Integration

Creating and Updating Webhooks Through the UI

To access the Webhooks service from the UI:

1. In the Account Home page, under Global Settings, click Webhooks. The Webhooks page is displayed.
2. In the Webhook tab, click the + sign. The Add Webhook pop-up window is displayed.

   Figure 49 Webhooks Page

   Figure 50 Add Webhooks Page

3. To create webhooks, enter the following details:
   a. Name--Enter a name for the Webhook.
   b. Retry Policy--Select one of the following options:
      - None--No retries.
      - Important--Up to 5 retries over 6 minutes.
      - Critical--Up to 5 retries over 27 hours.
   c. URLs--Enter the URL. Click + to enter another URL. You can add up to three URLs.
4. Click Save. The Webhook is created and listed in the Webhook table.

Viewing Webhooks

To view the Webhooks, complete the following steps:

1. In the Account Home page, under Global Settings, click Webhooks.
2. The Webhooks page with Webhook table is displayed.

The Webhook table allows you to edit or delete Webhooks and also displays the following information:

- Name--Name of the Webhooks.
- Number of URL Entries--Number of URLs in Webhooks. Click the number to view the list of URLs.
- Updated At--Date and time at which Webhooks was updated.
- Webhook ID--Webhooks ID.
- Token--Webhooks token. Webhooks token enables header authentication and the third-party receiving service must validate the token to ensure authenticity.
- Edit--Select the Webhook from the list and click the Edit icon to edit the Webhook. You can refresh the token and add URLs. Click Save to save the changes.
- Delete--Select the Webhook from the list and click the Delete icon and click Yes to delete the Webhook.
- Test Webhooks--Select the Webhook from the list and click the Test Webhooks icon to test the Webhook by posting sample webhook payload to the configured URL. The Test Webhooks table provides the URL and Status of the selected Webhook.
- View Dispatch Logs--Select the Webhook from the list and click the View Dispatch Log icon to view the Dispatch Logs for the selected Webhook. The Dispatch Logs table provides the URL, Status, and Dispatched Time. Click the arrow against each row to view the Log Details and Attempts in the drop-down for the respective URL.

Figure 51 Dispatch Logs Details Page

Refreshing Webhooks Token Through the UI

To refresh Webhooks token through the UI:

1. In the Account Home page, under Global Settings, click Webhooks. The Webhooks page is displayed.
2. In the Webhook table, select the Webhook from the list and click the Edit icon to edit.
3. In the pop-up window, click the Refresh icon next to the token. The token is refreshed.

Creating and Updating Webhooks Through the API Gateway

The following HTTP methods are defined for Aruba Central API Webhooks resource:

- GET
- POST
- PUT
- DELETE

You can perform CRUD operations on the Webhooks URL configuration. The key configuration elements that are required to use the API Webhooks service are the Webhooks URL and a shared secret.

A shared secret token is generated for the Webhooks URL when you register for Webhooks. A hash key is generated using the SHA256 algorithm from the payload and the shared secret token.

The API required to refresh the shared secret token is provided for a specific Webhooks configuration. You can choose the frequency at which you want to refresh the secret token.

To access and use the API Webhooks service:

1. In the Account Home page, under Global Settings, click API Gateway. The API Gateway page is displayed.
2. In the APIs tab, click the Swagger link under the Documentation header. The Swagger website opens.
3. In the Swagger website, from the URL drop-down list, select Webhook. All available Webhooks APIs are listed under API Reference.
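
The validation that the receiving service has to perform on each delivery, as an added example (not code from this guide or from Aruba): it recomputes the SHA256-based hash from the raw payload and the shared secret token, accepts the previous token for a while after a refresh, and drops repeated bodies. The header name `X-Central-Signature`, the HMAC construction with base64 output over the body only, and the reading of the payload's `webhook` field as the Webhook ID are assumptions to confirm against the Swagger reference; tokens and the sample alert are constructed.

```python
import base64
import hashlib
import hmac
import json

# Assumption: this page does not name the header that carries the hash.
SIGNATURE_HEADER = "X-Central-Signature"


def sign(body: bytes, token: str) -> str:
    """HMAC-SHA256 of the raw payload keyed with the shared secret token.

    Assumed details: HMAC construction, base64 output, body-only coverage.
    """
    mac = hmac.new(token.encode("utf-8"), body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


class WebhookVerifier:
    """Validates deliveries addressed to one Webhook ID."""

    def __init__(self, webhook_id, tokens):
        self.webhook_id = webhook_id
        # Current token plus the previous one, so deliveries signed just
        # before a token refresh are not dropped.
        self.tokens = list(tokens)
        self._seen = set()  # SHA-256 digests of bodies already accepted

    def verify(self, headers, body: bytes):
        """Return (accepted, reason, alert); parse only after the hash matches."""
        lowered = {name.lower(): value for name, value in headers.items()}
        received = lowered.get(SIGNATURE_HEADER.lower(), "").encode("utf-8")
        if not received:
            return False, "missing signature", None
        matched = False
        for token in self.tokens:
            expected = sign(body, token).encode("ascii")
            # Constant-time comparison; every token is always checked.
            matched |= hmac.compare_digest(expected, received)
        if not matched:
            return False, "bad signature", None
        try:
            alert = json.loads(body)
        except ValueError:
            return False, "malformed json", None
        if not isinstance(alert, dict) or alert.get("webhook") != self.webhook_id:
            return False, "unexpected webhook id", None
        digest = hashlib.sha256(body).hexdigest()
        if digest in self._seen:
            # Retry or replay of a body that was already processed.
            return False, "duplicate", None
        self._seen.add(digest)
        return True, "ok", alert


# Constructed sample, trimmed from the AP Connected Clients payload on this page.
SAMPLE_WID = "110576c0-59fb-4295-b53b-fdbafbc95dee"
SAMPLE_ALERT = {
    "id": "AXdhYi4Eo68tULajREh0",
    "alert_type": "AP_CONNECTED_CLIENTS",
    "device_id": "CNDSHN74L6",
    "severity": "Critical",
    "timestamp": 1612246560,
    "webhook": SAMPLE_WID,
}


def deliver(alert, token):
    """Build (headers, body) the way the sender is assumed to."""
    body = json.dumps(alert).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "X-Central-Service": "Alerts",
        SIGNATURE_HEADER: sign(body, token),
    }
    return headers, body


def demo():
    """Run the accept and reject cases; returns {case: reason}."""
    new, old = "constructed-token-new", "constructed-token-old"
    verifier = WebhookVerifier(SAMPLE_WID, [new, old])
    headers, body = deliver(SAMPLE_ALERT, new)
    second = dict(SAMPLE_ALERT, id="constructed-second-alert")
    other = dict(SAMPLE_ALERT, webhook="00000000-0000-0000-0000-000000000000")
    return {
        "valid": verifier.verify(headers, body)[1],
        "retry": verifier.verify(headers, body)[1],
        "tampered": verifier.verify(headers, body.replace(b"Critical", b"Minor"))[1],
        "old_token": verifier.verify(*deliver(second, old))[1],
        "unknown_token": verifier.verify(*deliver(second, "constructed-token-x"))[1],
        "unsigned": verifier.verify({"Content-Type": "application/json"}, body)[1],
        "wrong_wid": verifier.verify(*deliver(other, new))[1],
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:14} {reason}")
```

Because only the body is covered by the hash under these assumptions, duplicate suppression is keyed on the body digest rather than on the `X-Central-Delivery-ID` header, which a replaying party could change freely.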

For more information on Webhooks APIs, see: https://app1-apigw.central.arubanetworks.com/swagger/central.

List of Webhooks APIs

Aruba Central supports the following Webhooks APIs:

- GET /central/v1/webhooks--Gets a list of Webhooks. The following is a sample response:

    {
      "count": 1,
      "settings": [
        {
          "wid": "e26450be-4dac-435b-ac01-15d8f9667eb8",
          "name": "AAA",
          "updated_ts": 1523956927,
          "urls": [
            "https://example.org/webhook1",
            "https://example.org/webhook1"
          ],
          "secure_token": "KEu5ZPTi44UO4MnMiOqz"
        }
      ]
    }

- POST /central/v1/webhooks--Creates Webhooks. The following is a sample response:

    {
      "name": "AAA",
      "wid": "e829a0f6-1e36-42fe-bafd-631443cbd581"
    }

- DELETE /central/v1/webhooks/{wid}--Deletes Webhooks. The following is a sample response:

    {
      "wid": "e26450be-4dac-435b-ac01-15d8f9667eb8"
    }

- GET /central/v1/webhooks/{wid}--Gets Webhooks settings for a specific item. The following is a sample response:

    {
      "wid": "e26450be-4dac-435b-ac01-15d8f9667eb8",
      "name": "AAA",
      "updated_ts": 1523956927,
      "urls": [
        "https://example.org/webhook1",
        "https://example.org/webhook1"
      ],
      "secure_token": "KEu5ZPTi44UO4MnMiOqz"
    }

- PUT /central/v1/webhooks/{wid}--Updates Webhooks settings for a specific item. The following is a sample response:

    {
      "name": "AAA",
      "wid": "e829a0f6-1e36-42fe-bafd-631443cbd581"
    }

- GET /central/v1/webhooks/{wid}/token--Gets the Webhooks token for the Webhooks ID. The following is a sample response:

    {
      "name": "AAA",
      "secure_token": "[{\"token\": \"zSMrzuYrblgBfByy2JrM\", \"ts\": 1523957233}]"
    }

- PUT /central/v1/webhooks/{wid}/token--Refreshes the Webhooks token for the Webhooks ID. The following is a sample response:

    {
      "name": "AAA",
      "secure_token": "[{\"token\": \"zSMrzuYrblgBfByy2JrM\", \"ts\": 1523957233}]"
    }

- GET /central/v1/webhooks/{wid}/ping--Tests the Webhooks notification and returns whether success or failure. The following is a sample response:

    "Ping Response [{'url': 'https://example.org', 'status': 404}]"

Sample Webhooks Payload Format for Alerts

URL

    POST <webhook-url>

Custom Headers

    Content-Type: application/json
    X-Central-Service: Alerts
    X-Central-Event: Radio-Channel-Utilization
    X-Central-Delivery-ID: 72d3162e-cc78-11e3-81ab-4c9367dc0958
    X-Central-Delivery-Timestamp: 2016-07-12T13:14:19-07:00
    X-Central-Customer-ID: <########>

Refer to the following topics to view sample JSON content:

- Access Point Alerts--Sample JSON
- AOS-S Alerts--Sample JSON
- AOS-CX Switch Alerts--Sample JSON
- Gateway Alerts--Sample JSON
- Miscellaneous Alerts--Sample JSON

Access Point Alerts--Sample JSON

This section includes sample JSON content for the following alerts:

AP Connected Clients

    {
      "id": "AXdhYi4Eo68tULajREh0",
      "nid": 1255,
      "alert_type": "AP_CONNECTED_CLIENTS",
      "setting_id": "55ef4ae129a24c2180e010708202b502-1255",
      "device_id": "CNDSHN74L6",
      "description": "Number of clients connected to AP 20:a6:cd:cc:17:58 has been above 1 for about 5 minutes since 2021-02-02 06:11:00 UTC",
      "state": "Open",
      "severity": "Critical",
      "operation": "create",
      "timestamp": 1612246560,
      "details": {
        "customer_id": "55ef4ae129a24c2180e010708202b502",
        "name": "20:a6:cd:cc:17:58",
        "serial": "CNDSHN74L6",
        "group": "1",
        "labels": "3",
        "_rule_number": "0",
        "ds_key": "55ef4ae129a24c2180e010708202b502.CNDSHN74L6.device.clients.5m",
        "duration": "5",
        "threshold": "1",
        "time": "2021-02-02 06:11:00 UTC"
      },
      "webhook": "110576c0-59fb-4295-b53b-fdbafbc95dee",
      "text": "Number of clients connected to AP 20:a6:cd:cc:17:58 has been above 1 for about 5 minutes since 2021-02-02 06:11:00 UTC"
    }

AP CPU Over Utilization

    {
      "id": "AXdhYjAko68tULajREiC",
      "nid": 1250,
      "alert_type": "AP_CPU_OVER_UTILIZATION",
      "setting_id": "55ef4ae129a24c2180e010708202b502-1250",
      "device_id": "CNDSHN74L6",
      "description": "CPU utilization for AP 20:a6:cd:cc:17:58 with serial CNDSHN74L6 has been above 1% for about 5 minutes since 2021-02-02 06:11:00 UTC",
      "state": "Open",
      "severity": "Critical",
      "operation": "create",
      "timestamp": 1612246560,
      "details": {
        "name": "20:a6:cd:cc:17:58",
        "unit": "%",
        "serial": "CNDSHN74L6",
        "group": "1",
        "labels": "3",
        "_rule_number": "0",
        "ds_key": "55ef4ae129a24c2180e010708202b502.CNDSHN74L6.cpu_utilization.5m",
        "duration": "5",
        "threshold": "1",
        "time": "2021-02-02 06:11:00 UTC"
      },
      "webhook": "110576c0-59fb-4295-b53b-fdbafbc95dee",
      "text": "CPU utilization for AP 20:a6:cd:cc:17:58 with serial CNDSHN74L6 has been above 1% for about 5 minutes since 2021-02-02 06:11:00 UTC"
    }

AP Disconnected

    {
      "id": "AXdhbSf7o68tULajRFQy",
      "nid": 4,
      "alert_type": "AP disconnected",
      "setting_id": "55ef4ae129a24c2180e010708202b502-4",
      "device_id": "DZ0001581",
      "description": "AP f0:5c:19:c9:f7:6a with MAC address f0:5c:19:c9:f7:6a disconnected, Group:unprovisioned",
      "state": "Open",
      "severity": "Major",
      "operation": "create",
      "timestamp": 1612247279,
      "details": {
        "params": [
          "DZ0001581",
          "f0:5c:19:c9:f7:6a",
          "10.29.6.170",
          "f0:5c:19:c9:f7:6a",
          "",
          ""
        ],
        "group": "1",
        "ts": "1612246960735",
        "labels": "",
        "serial": "DZ0001581",
        "conn_status": "disconnected",
        "time": "2021-02-02 06:27:59 UTC",
        "group_name": "unprovisioned"
      },
      "webhook": "110576c0-59fb-4295-b53b-fdbafbc95dee",
      "text": "AP f0:5c:19:c9:f7:6a with MAC address f0:5c:19:c9:f7:6a disconnected, Group:unprovisioned"
    }

AP Memory Over Utilization

    {
      "id": "AXdhYi_Bo68tULajREh_",
      "nid": 1251,
      "alert_type": "AP_MEMORY_OVER_UTILIZATION",
      "setting_id": "55ef4ae129a24c2180e010708202b502-1251",
      "device_id": "CNDSHN74L6",
      "description": "Memory utilization for AP 20:a6:cd:cc:17:58 with serial CNDSHN74L6 has been above 10% for about 5 minutes since 2021-02-02 06:11:00 UTC",
      "state": "Open",
      "severity": "Critical",
      "operation": "create",
      "timestamp": 1612246560,
      "details": {
        "name": "20:a6:cd:cc:17:58",
        "unit": "%",
        "serial": "CNDSHN74L6",
        "group": "1",
        "labels": "3",
        "_rule_number": "0",
        "ds_key": "55ef4ae129a24c2180e010708202b502.CNDSHN74L6.memory_utilization.5m",
        "duration": "5",
        "threshold": "10",
        "time": "2021-02-02 06:11:00 UTC"
      },
      "webhook": "110576c0-59fb-4295-b53b-fdbafbc95dee",
      "text": "Memory utilization for AP 20:a6:cd:cc:17:58 with serial CNDSHN74L6 has been above 10% for about 5 minutes since 2021-02-02 06:11:00 UTC"
    }

AP Radio Noise Floor

    {
      "id": "AXdhYFmQo68tULajREe3",
      "nid": 1253,
      "alert_type": "AP_RADIO_NOISE_FLOOR",
      "setting_id": "55ef4ae129a24c2180e010708202b502-1253",
      "device_id": "DZ0001581",
      "description": "Noise floor on AP f0:5c:19:c9:f7:6a operating on channel 132E and serving 0 clients has been above -100 dBm for about 5 minutes since 2021-02-02 06:09:00 UTC",
      "state": "Open",
      "severity": "Critical",
      "operation": "create",
      "timestamp": 1612246440,
      "details": {
        "name": "f0:5c:19:c9:f7:6a",
        "_band": "1",
        "_radio_num": "0",
        "channel": "132E",
        "client_count": "0",
        "unit": "%",
        "serial": "DZ0001581",
        "group": "1",
        "_rule_number": "0",
        "ds_key": "55ef4ae129a24c2180e010708202b502.DZ0001581.radio.noisefloor",
        "duration": "5",
        "threshold": "100",
        "time": "2021-02-02 06:09:00 UTC"
      },
      "webhook": "110576c0-59fb-4295-b53b-fdbafbc95dee",
      "text": "Noise floor on AP f0:5c:19:c9:f7:6a operating on channel 132E and serving 0 clients has been above -100 dBm for about 5 minutes since 2021-02-02 06:09:00 UTC"
    }

AP Radio Over Utilization

    {
      "id": "AXdhYFm6o68tULajREe4",
      "nid": 1252,
      "alert_type": "AP_RADIO_OVER_UTILIZATION",
      "setting_id": "55ef4ae129a24c2180e010708202b502-1252",
      "device_id": "DZ0001581",
      "description": "Radio utilization on AP f0:5c:19:c9:f7:6a operating on channel 132E and serving 0 clients has been above 5% for about 5 minutes since 2021-02-02 06:09:00 UTC",
      "state": "Open",
      "severity": "Major",
      "operation": "create",
      "timestamp": 1612246440,
      "details": {
        "name": "f0:5c:19:c9:f7:6a",
        "_band": "1",
        "_radio_num": "0",
        "channel": "132E",
        "client_count": "0",
        "unit": "%",
        "serial": "DZ0001581",
        "group": "1",
        "_rule_number": "0",
        "ds_key": "55ef4ae129a24c2180e010708202b502.DZ0001581.radio.busy64",
        "duration": "5",
        "threshold": "5",
        "time": "2021-02-02 06:09:00 UTC"
      }
    }

AP_Radio_Non_Wifi_Over_Utilization

    {
      "id": "AXdhYFnIo68tULajREe5",
      "nid": 1259,
      "alert_type": "AP_RADIO_NON_WIFI_OVER_UTILIZATION",
      "setting_id": "55ef4ae129a24c2180e010708202b502-1259",
      "device_id": "DZ0001581",
      "description": "Radio Non-Wifi utilization on AP f0:5c:19:c9:f7:6a operating on channel 6 and serving 0 clients has been above 1% for about 5 minutes since 2021-02-02 06:09:00 UTC",
      "state": "Open",
      "severity": "Critical",
      "operation": "create",
      "timestamp": 1612246440,
      "details": {
        "name": "f0:5c:19:c9:f7:6a",
        "_band": "0",
        "_radio_num": "1",
        "channel": "6",
        "client_count": "0",
        "unit": "%",
        "serial": "DZ0001581",
        "group": "1",
        "_rule_number": "0",
        "ds_key": "55ef4ae129a24c2180e010708202b502.DZ0001581.radio.interference",
        "duration": "5",
        "threshold": "1",
        "time": "2021-02-02 06:09:00 UTC"
      },
      "webhook": "110576c0-59fb-4295-b53b-fdbafbc95dee",
      "text": "Radio Non-Wifi utilization on AP f0:5c:19:c9:f7:6a operating on channel 6 and serving 0 clients has been above 1% for about 5 minutes since 2021-02-02 06:09:00 UTC"
    }

AP_Tunnel_Down

    {
      "id": "AXdhfDSyo68tULajRGTZ",
      "nid": 1257,
      "alert_type": "AP_TUNNEL_DOWN",
      "setting_id": "55ef4ae129a24c2180e010708202b502-1257",
      "device_id": "CNDSHN74L6",
      "description": "AP tunnel vpn_tun_default_0 from 0.0.0.0 to 0.0.0.0 is DOWN on device 20:a6:cd:cc:17:58 with serial CNDSHN74L6 at 2021-02-02 06:44:25 UTC.",
      "state": "Open",
      "severity": "Critical",
      "operation": "create",
      "timestamp": 1612248265,
      "details": {
        "src_ip": "0.0.0.0",
        "dst_ip": "0.0.0.0",
        "alias_map_name": "vpn_tun_default_0",
        "name": "20:a6:cd:cc:17:58",
        "serial": "CNDSHN74L6",
        "group": "86",
        "labels": "3",
        "rule_number": "0",
        "time": "2021-02-02 06:44:25 UTC"
      },
      "webhook": "110576c0-59fb-4295-b53b-fdbafbc95dee",
      "text": "AP tunnel vpn_tun_default_0 from
0.0.0.0 to 0.0.0.0 is DOWN on device 20:a6:cd:cc:17:58 with serial CNDSHN74L6 at 2021-02-02 06:44:25 UTC."
}

AP With Missing Radios
{
  "id": "AXdhvfeko68tULajRJMu",
  "nid": 1249,
  "alert_type": "AP With Missing Radios",
  "setting_id": "6f00c6501c5c4331b7934845815ef078-1249",
  "device_id": "FVZP000008",
  "description": "AP FVZP000008 reporting 2 out of 1 radios. Reported radio MAC 76:d6:07:35:60:00, b1:66:99:ed:f0:00.",
  "state": "Open",
  "severity": "Major",
  "operation": "create",
  "timestamp": 1612252575,
  "details": {
    "serial": "FVZP000008",
    "labels": ["5", "4", "1"],
    "group": "34",
    "params": ["FVZP000008", "2", "1", "76:d6:07:35:60:00, b1:66:99:ed:f0:00"],
    "time": "2021-02-02 07:56:15 UTC"
  },
  "webhook": "f383ee40-888b-4dee-97d5-bcbbcf5db946",
  "text": "AP FVZP000008 reporting 2 out of 1 radios. Reported radio MAC 76:d6:07:35:60:00, b1:66:99:ed:f0:00."
}

Client Attack detected
{
  "alert_type": "Client attack detected",
  "description": "An AP (NAME iap-303-iphone456-o and MAC 90:4c:81:cf:27:74 on RADIO 1) detected an unencrypted frame between a valid client (88:63:df:bb:2a:9d) and access point (BSSID 90:4c:81:72:77:55) with source 88:63:df:bb:2a:9d and receiver ff:ff:ff:ff:ff:ff SNR value is 55",
  "timestamp": 1564392710,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-13",
  "state": "Open",
  "nid": 13,
  "details": {
    "group": "3",
    "labels": "3,142,141",
    "params": "None",
    "_rule_number": "0",
    "time": "2019-07-29 09:31:50 UTC"
  },
  "operation": "create",
  "device_id": "CNGHKGX004",
  "id": "AWw9EmBxVQO1ZtiGO1Q8",
  "severity": "Critical"
}

Connected Clients
{
  "id": "AXdhWQbro68tULajREA9",
  "nid": 1254,
  "alert_type": "CONNECTED_CLIENTS",
  "setting_id": "55ef4ae129a24c2180e010708202b502-1254",
  "device_id": "cf62d07c019cd6bca90e6079e351251070d9e286f310c87541",
  "description": "Number of clients connected to VC SetMeUp-C9:F7:6A has been above 1 for about 5 minutes since 2021-02-02 06:01:00 UTC",
  "state": "Open",
  "severity":
"Critical", "operation": "create", "timestamp": 1612245960, "details": { "customer_id": "55ef4ae129a24c2180e010708202b502", "name": "SetMeUp-C9:F7:6A", "serial": "cf62d07c019cd6bca90e6079e351251070d9e286f310c87541", "group": "1", "_rule_number": "0", "ds_key": "55ef4ae129a24c2180e010708202b502.cluster.363.device.clients.5m", "duration": "5", "threshold": "1", "time": "2021-02-02 06:01:00 UTC" }, "webhook": "110576c0-59fb-4295-b53b-fdbafbc95dee", "text": "Number of clients connected to VC SetMeUp-C9:F7:6A has been above 1 for about 5 minutes since 2021-02-02 06:01:00 UTC" } IAP Firmware Upgrade Failed Administering Aruba Central | 289 { "id": "AXdheDego68tULajRGB5", "nid": 2200, "alert_type": "IAP_FW_UPGRADE_FAILURE", "setting_id": "55ef4ae129a24c2180e010708202b502-2200", "device_id": "", "description": "Firmware upgrade failed for AP CNDSHN74L6 with serial None and MAC address 20:a6:cd:cc:17:58", "state": "Open", "severity": "Major", "operation": "create", "timestamp": 1612248004, "details": { "mac": "20:a6:cd:cc:17:58", "hostname": "CNDSHN74L6", "serial": "None", "group": "86", "labels": "", "_rule_number": "0", "params": "None", "time": "2021-02-02 06:40:04 UTC" }, "webhook": "110576c0-59fb-4295-b53b-fdbafbc95dee", "text": "Firmware upgrade failed for AP CNDSHN74L6 with serial None and MAC address 20:a6:cd:cc:17:58" } Infrastructure Attack Detected { "alert_type": "Infrastructure attack detected", "description": "An AP (NAME iap-303-iphone456-o and MAC 90:4c:81:cf:27:74 on RADIO 1) detected that the Access Point with MAC f0:5c:19:23:56:10 and BSSID f0:5c:19:23:56:10 has sent a beacon for SSID tan This beacon advertizes channel 149 but was received on channel 161 with SNR 50 ", "timestamp": 1564400165, "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432", "setting_id": "201804170291-12", "state": "Open", "nid": 12, "details": { "group": "3", "labels": "3,142,141", "params": "None", "_rule_number": "0", "time": "2019-07-29 11:36:05 UTC" }, "operation": "create", 
"device_id": "CNGHKGX004", "id": "AWw9hCLAVQO1ZtiGP1ig", "severity": "Critical" } Insufficient Power Alert { "id": "AXdhan_Zo68tULajRFB6", "nid": 21, "alert_type": "INSUFFICIENT_POWER_ALERT", "setting_id": "55ef4ae129a24c2180e010708202b502-21", "device_id": "CNDSHN74L6", "description": "Insufficient inline power supplied to AP-325 with name 20:a6:cd:cc:17:58", "state": "Open", "severity": "Major", "operation": "create", Aruba Central | User Guide 290 "timestamp": 1612247105, "details": { "name": "20:a6:cd:cc:17:58", "ap_model": "AP-325", "group": "1", "labels": [ "3" ], "serial": "CNDSHN74L6", "rule_number": "0", "time": "2021-02-02 06:25:05 UTC" }, "webhook": "110576c0-59fb-4295-b53b-fdbafbc95dee", "text": "Insufficient inline power supplied to AP-325 with name 20:a6:cd:cc:17:58" } Modem Plugged { "id": "AXdhmYueo68tULajRH6n", "nid": 18, "alert_type": "Modem Plugged", "setting_id": "b8be21720dc04a8e9f0028374b6a9bbd-18", "device_id": "GRUT000002", "description": "Modem plugged to AP GRUT000002 with MAC address 4a:36:66:b8:50:00", "state": "Open", "severity": "Major", "operation": "create", "timestamp": 1612250188, "details": { "group": "0", "labels": "", "_rule_number": "0", "params": [ "GRUT000002", "4a:36:66:b8:50:00" ], "serial": "GRUT000002", "time": "2021-02-02 07:16:28 UTC" }, "webhook": "31a75d0a-dfd4-4c22-a32b-09d7b033d41e", "text": "Modem plugged to AP GRUT000002 with MAC address 4a:36:66:b8:50:00" } Modem Unplugged { "id": "AXdhp2Uwo68tULajRIVC", "nid": 19, "alert_type": "Modem Unplugged", "setting_id": "b8be21720dc04a8e9f0028374b6a9bbd-19", "device_id": "GRUT000001", "description": "Modem unplugged from AP GRUT000001 with MAC address 64:2a:90:97:f0:00", "state": "Open", "severity": "Major", "operation": "create", "timestamp": 1612251096, "details": { "group": "0", "labels": "", "_rule_number": "0", "params": [ "GRUT000001", "64:2a:90:97:f0:00" ], "serial": "GRUT000001", Administering Aruba Central | 291 "time": "2021-02-02 07:31:36 UTC" }, "webhook": 
"31a75d0a-dfd4-4c22-a32b-09d7b033d41e", "text": "Modem unplugged from AP GRUT000001 with MAC address 64:2a:90:97:f0:00" } New AP Detected { "id": "AXdhcXF1o68tULajRFld", "nid": 3, "alert_type": "New AP detected", "setting_id": "55ef4ae129a24c2180e010708202b502-3", "device_id": "DZ0001581", "description": "New AP f0:5c:19:c9:f7:6a with MAC address f0:5c:19:c9:f7:6a detected, Group:unprovisioned", "state": "Open", "severity": "Major", "operation": "create", "timestamp": 1612247560, "details": { "group": "1", "labels": "", "_rule_number": "0", "params": [ "f0:5c:19:c9:f7:6a", "f0:5c:19:c9:f7:6a" ], "serial": "DZ0001581", "time": "2021-02-02 06:32:40 UTC", "group_name": "unprovisioned" }, "webhook": "110576c0-59fb-4295-b53b-fdbafbc95dee", "text": "New AP f0:5c:19:c9:f7:6a with MAC address f0:5c:19:c9:f7:6a detected, Group:unprovisioned" } New Virtual Controller Detected { "id": "AXdhcJgro68tULajRFjG", "nid": 1, "alert_type": "New Virtual Controller detected", "setting_id": "55ef4ae129a24c2180e010708202b502-1", "device_id": "", "description": "New Virtual controller SetMeUp-C9:F7:6A with version 8.7.1.0_77203 and IP address 10.29.6.170 detected, Group:unprovisioned", "state": "Open", "severity": "Major", "operation": "create", "timestamp": 1612247504, "details": { "group": "1", "labels": "", "_rule_number": "0", "params": [ "SetMeUp-C9:F7:6A", "8.7.1.0_77203", "10.29.6.170", "DZ0001581" ], "serial": "None", "time": "2021-02-02 06:31:44 UTC", "group_name": "unprovisioned" }, "webhook": "110576c0-59fb-4295-b53b-fdbafbc95dee", "text": "New Virtual controller SetMeUp-C9:F7:6A with version 8.7.1.0_77203 and IP address 10.29.6.170 detected, Group:unprovisioned" Aruba Central | User Guide 292 } Rogue AP Detected { "alert_type": "Rogue AP detected", "description": "An AP (NAME 84:d4:7e:c5:c8:8c and MAC address 84:d4:7e:c5:c8:8con RADIO 1) detected an access point (BSSID 0c:00:01:34:69:62 and SSID ssid1 on CHANNEL 52) as rogue", "timestamp": 1564326128, "webhook": 
"780c65a0-10b6-4eb1-b725-21b0d52aa432", "setting_id": "201804170291-10", "state": "Open", "nid": 10, "details": { "_rule_number": "0", "group": "1", "labels": "", "params": [ "84:d4:7e:c5:c8:8c", "84:d4:7e:c5:c8:8c", "1", "0c:00:01:34:69:62", "ssid1", "52" ], "time": "2019-07-28 15:02:08 UTC" }, "operation": "create", "device_id": "CT0779239", "id": "AWw5Gm1zVQO1ZtiJK89l", "severity": "Critical" } Radio Frames Retry Percent { "id": "AXdrc2PMo68tULajSvRF", "nid": 1256, "alert_type": "AP_TX_RETRY_PERCENT", "setting_id": "2a35217e2f114cd8958f00a676258785-1256", "device_id": "VEYB000004", "description": "Radio frames retry percent for AP VEYB000004 with serial VEYB000004 has been above 1% for about 5 minutes since 2021-02-04 05:06:00 UTC", "state": "Open", "severity": "Major", "operation": "create", "timestamp": 1612415460, "details": { "name": "VEYB000004", "_band": "0", "_radio_num": "0", "channel": "11", "client_count": "1", "unit": "%", "serial": "VEYB000004", "group": "2", "labels": "4", "_rule_number": "0", "ds_key": "2a35217e2f114cd8958f00a676258785.VEYB000004.radio.retry_percent", "duration": "5", "threshold": "1", "time": "2021-02-04 05:06:00 UTC" }, "webhook": "bd4f20e6-55e6-4360-ab55-da2829f1a390", Administering Aruba Central | 293 "text": "Radio frames retry percent for AP VEYB000004 with serial VEYB000004 has been above 1% for about 5 minutes since 2021-02-04 05:06:00 UTC" } Uplink Changed { "id": "AXdhmSSKo68tULajRH4M", "nid": 17, "alert_type": "Uplink Changed", "setting_id": "b8be21720dc04a8e9f0028374b6a9bbd-17", "device_id": "GRUT000003", "description": "Uplink changed from Ethernet to WiFi Mesh for AP GRUT000003 with MAC address 3d:62:d4:3f:90:00", "state": "Open", "severity": "Major", "operation": "create", "timestamp": 1612250162, "details": { "group": "0", "labels": "", "_rule_number": "0", "params": [ "Ethernet", "WiFi Mesh", "GRUT000003", "3d:62:d4:3f:90:00" ], "serial": "GRUT000003", "time": "2021-02-02 07:16:02 UTC" }, "webhook": 
"31a75d0a-dfd4-4c22-a32b-09d7b033d41e", "text": "Uplink changed from Ethernet to WiFi Mesh for AP GRUT000003 with MAC address 3d:62:d4:3f:90:00" } Virtual Controller Disconnected { "id": "AXdheuQHo68tULajRGQ5", "nid": 2, "alert_type": "Virtual controller disconnected", "setting_id": "55ef4ae129a24c2180e010708202b502-2", "device_id": "DZ0001581", "description": "Virtual controller SetMeUp-C9:F7:6A with version 8.7.1.0_77203 and IP address 10.29.6.170 disconnected, Group:unprovisioned", "state": "Open", "severity": "Major", "operation": "create", "timestamp": 1612248179, "details": { "params": [ "DZ0001581", "f0:5c:19:c9:f7:6a", "10.29.6.170", "SetMeUp-C9:F7:6A", "8.7.1.0_77203", "" ], "group": "1", "ts": "1612247876960", "labels": "", "serial": "DZ0001581", "conn_status": "disconnected", "time": "2021-02-02 06:42:59 UTC", "group_name": "unprovisioned" }, Aruba Central | User Guide 294 "webhook": "110576c0-59fb-4295-b53b-fdbafbc95dee", "text": "Virtual controller SetMeUp-C9:F7:6A with version 8.7.1.0_77203 and IP address 10.29.6.170 disconnected, Group:unprovisioned" } AOS-S Alerts--Sample JSON This section includes sample JSON content for the following alerts: Switch Disconnected { "id": "AXbhjMPpKHBn24BIWnGc", "nid": 203, "alert_type": "Switch Disconnected", "setting_id": "f1ae23ba9025490cb53efb0993e05f17-203", "device_id": "CN80HKW2Z6", "description": "Switch with serial CN80HKW2Z6, MAC address 54:80:28:61:b3:20 IP address 10.21.20.231 and Hostname Aruba-2930F-24G-PoEP-4SFPP reconnected", "state": "Close", "severity": "Major", "operation": "update", "timestamp": 1612383547, "details": { "params": [ "CN80HKW2Z6", "54:80:28:61:b3:20", "10.21.20.231", "Aruba-2930F-24G-PoEP-4SFPP", "", "" ], "serial": "CN80HKW2Z6", "time": "2021-01-08 10:31:07 UTC", "conn_status": "reconnected" }, "webhook": "8077a55e-f8d3-43af-a67f-12263f5b778e", "text": "Switch with serial CN80HKW2Z6, MAC address 54:80:28:61:b3:20 IP address 10.21.20.231 and Hostname Aruba-2930F-24G-PoEP-4SFPP 
reconnected"
}

New Switch Connected
{
  "id": "AXdpfWeFo68tULajSfwu",
  "nid": 201,
  "alert_type": "New Switch Connected",
  "setting_id": "f1ae23ba9025490cb53efb0993e05f17-201",
  "device_id": "CN80HKW2Z6",
  "description": "New Switch with serial CN80HKW2Z6, MAC address 54:80:28:61:b3:20 IP address 10.21.20.231 and Hostname Aruba-2930F-24G-PoEP-4SFPP connected, Group:unprovisioned, Site:Bangalore Site",
  "state": "Open",
  "severity": "Major",
  "operation": "create",
  "timestamp": 1612382562,
  "details": {
    "group": "1",
    "labels": "46",
    "_rule_number": "0",
    "params": ["CN80HKW2Z6", "54:80:28:61:b3:20", "10.21.20.231", "Aruba-2930F-24G-PoEP-4SFPP"],
    "serial": "CN80HKW2Z6",
    "time": "2021-02-03 20:02:42 UTC",
    "group_name": "unprovisioned",
    "site_name": "Bangalore Site"
  },
  "webhook": "8077a55e-f8d3-43af-a67f-12263f5b778e",
  "text": "New Switch with serial CN80HKW2Z6, MAC address 54:80:28:61:b3:20 IP address 10.21.20.231 and Hostname Aruba-2930F-24G-PoEP-4SFPP connected, Group:unprovisioned, Site:Bangalore Site"
}

Switch Memory Over Utilization
{
  "id": "AXdr9zozo68tULajS0Xo",
  "nid": 1301,
  "alert_type": "SWITCH_MEMORY_OVER_UTILIZATION",
  "setting_id": "f1ae23ba9025490cb53efb0993e05f17-1301",
  "device_id": "SG92GPT00K",
  "description": "Memory utilization for Switch with serial SG92GPT00K has been above 1% for about 5 minutes since 2021-02-04 07:30:00 UTC",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612424100,
  "details": {
    "name": "",
    "unit": "%",
    "serial": "SG92GPT00K",
    "group": "212",
    "_rule_number": "0",
    "ds_key": "f1ae23ba9025490cb53efb0993e05f17.SG92GPT00K.memory_utilization.5m",
    "duration": "5",
    "threshold": "1",
    "time": "2021-02-04 07:30:00 UTC"
  },
  "webhook": "8077a55e-f8d3-43af-a67f-12263f5b778e",
  "text": "Memory utilization for Switch with serial SG92GPT00K has been above 1% for about 5 minutes since 2021-02-04 07:30:00 UTC"
}

Switch CPU Over Utilization
{
  "id": "AXdrVwIbo68tULajSsgm",
  "nid": 1300,
  "alert_type":
"SWITCH_CPU_OVER_UTILIZATION", "setting_id": "f1ae23ba9025490cb53efb0993e05f17-1300", "device_id": "SG53FLZ0RX", "description": "CPU utilization for Switch HP-2920-48G-POEP with serial SG53FLZ0RX has been above 1% for about 5 minutes since 2021-02-04 04:35:00 UTC.", "state": "Open", "severity": "Critical", "operation": "create", "timestamp": 1612413600, "details": { "name": "HP-2920-48G-POEP", "unit": "%", Aruba Central | User Guide 296 "serial": "SG53FLZ0RX", "group": "211", "_rule_number": "0", "ds_key": "f1ae23ba9025490cb53efb0993e05f17.SG53FLZ0RX.cpu_utilization.5m", "duration": "5", "threshold": "1", "time": "2021-02-04 04:35:00 UTC" }, "webhook": "8077a55e-f8d3-43af-a67f-12263f5b778e", "text": "CPU utilization for Switch HP-2920-48G-POEP with serial SG53FLZ0RX has been above 1% for about 5 minutes since 2021-02-04 04:35:00 UTC." } Switch Interface Rx Rate { "alert_type": "SWITCH_INTERFACE_RX_RATE", "description": "Receive rate for Interface 15 on Switch Aruba-2930F-24G-PoEP-4SFPP has been above 1 % for about 5 minutes since 2019-09-26 13:18:00 UTC.", "timestamp": 1569504180, "webhook": "4d588353-3355-487d-81af-c97f62b0abb0", "setting_id": "e344d961bccd411dbd279bf92f61b989-1303", "state": "Open", "nid": 1303, "details": { "_rule_number": "0", "group": "1", "name": "Aruba-2930F-24G-PoEP-4SFPP", "max_value_for_percentage": "1000.0", "threshold": "1", "intf_name": "15", "time": "2019-09-26 13:18:00 UTC", "duration": "5", "ds_key": "e344d961bccd411dbd279bf92f61b989.CN8AHKW095.intf.rx_utilization.5m", "serial": "CN8AHKW095", "unit": "%" }, "operation": "create", "device_id": "CN8AHKW095", "id": "AW1tvTgBYu0OgJ2 aoCgl", "severity": "Critical" } Switch Interface Tx Rate { "alert_type": "SWITCH_INTERFACE_TX_RATE", "description": "Transfer rate for Interface 19 on Switch Aruba-2930F-24G-PoEP-4SFPP has been above 1 % for about 5 minutes since 2019-09-26 13:18:00 UTC.", "timestamp": 1569504180, "webhook": "4d588353-3355-487d-81af-c97f62b0abb0", "setting_id": 
"e344d961bccd411dbd279bf92f61b989-1302", "state": "Open", "nid": 1302, "details": { "_rule_number": "0", "group": "1", "name": "Aruba-2930F-24G-PoEP-4SFPP", "max_value_for_percentage": "1000.0", "threshold": "1", "intf_name": "19", "time": "2019-09-26 13:18:00 UTC", "duration": "5", "ds_key": "e344d961bccd411dbd279bf92f61b989.CN8AHKW095.intf.tx_utilization.5m", "serial": "CN8AHKW095", Administering Aruba Central | 297 "unit": "%" }, "operation": "create", "device_id": "CN8AHKW095", "id": "AW1tvTgBYu0OgJ2aoCgk", "severity": "Critical" } Switch POE Utilization { "alert_type": "SWITCH_POE_UTILIZATION", "description": "PoE utilization for Switch Aruba-2930F-24G-PoEP-4SFPP with serial CN69HKW05T MAC address e0:07:1b:c4:8d:80 and IP address 10.22.182.78 has been above 1%", "timestamp": 1569505920, "webhook": "4d588353-3355-487d-81af-c97f62b0abb0", "setting_id": "e344d961bccd411dbd279bf92f61b989-1307", "state": "Open", "nid": 1307, "details": { "group": "0", "name": "Aruba-2930F-24G-PoEP-4SFPP", "ip": "10.22.182.78", "labels": [], "mac": "e0:07:1b:c4:8d:80", "time": "2019-09-26 13:52:00 UTC", "threshold": "1", "serial": "CN69HKW05T" }, "operation": "create", "device_id": "CN69HKW05T", "id": "AW1t18ccYu0OgJ2aoDYw", "severity": "Critical" } Switch Interface Input Errors { "alert_type": "SWITCH_INTERFACE_INPUT_ERRORS", "description": "Input errors for Interface 19 on Switch Aruba-2930F-24G-PoEP-4SFPP has been above 90% for about 30 minutes since 2019-09-26 06:07:00 UTC .", "timestamp": 1569505920, "webhook": "4d588353-3355-487d-81af-c97f62b0abb0", "setting_id": "e344d961bccd411dbd279bf92f61b989-1307", "state": "Open", "nid": 1304, "details": { "group": "0", "name": "Aruba-2930F-24G-PoEP-4SFPP", "ip": "10.22.182.78", "labels": [], "mac": "e0:07:1b:c4:8d:80", "time": "2019-09-26 13:52:00 UTC", "threshold": "1", "serial": "CN69HKW05T" }, "operation": "create", "device_id": "CN69HKW05T", "id": "AW1t18ccYu0OgJ2aoDYw", "severity": "Critical" } Switch Interface Output Errors { 
  "alert_type": "SWITCH_INTERFACE_OUTPUT_ERRORS",
  "description": "Output errors for Interface 19 on Switch Aruba-2930F-24G-PoEP-4SFPP has been above 90% for about 30 minutes since 2019-09-26 06:07:00 UTC. ",
  "timestamp": 1569505920,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1307",
  "state": "Open",
  "nid": 1305,
  "details": {
    "group": "0",
    "name": "Aruba-2930F-24G-PoEP-4SFPP",
    "ip": "10.22.182.78",
    "labels": [],
    "mac": "e0:07:1b:c4:8d:80",
    "time": "2019-09-26 13:52:00 UTC",
    "threshold": "1",
    "serial": "CN69HKW05T"
  },
  "operation": "create",
  "device_id": "CN69HKW05T",
  "id": "AW1t18ccYu0OgJ2aoDYw",
  "severity": "Critical"
}

Switch Mismatch Config
{
  "alert_type": "SWITCH_CONFIG_MISMATCH",
  "description": "Config mismatch occurred in switch with serial CN69HKW05T MAC address e0:07:1b:c4:8d:80 and IP address 10.22 .182 .78 and Hostname Aruba - 2930 F - 48 G - PoEP - 4 SFPP ",
  "timestamp": 1569505920,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1307",
  "state": "Open",
  "nid": 206,
  "details": {
    "group": "0",
    "name": "Aruba-2930F-24G-PoEP-4SFPP",
    "ip": "10.22.182.78",
    "labels": [],
    "mac": "e0:07:1b:c4:8d:80",
    "time": "2019-09-26 13:52:00 UTC",
    "threshold": "1",
    "serial": "CN69HKW05T"
  },
  "operation": "create",
  "device_id": "CN69HKW05T",
  "id": "AW1t18ccYu0OgJ2aoDYw",
  "severity": "Critical"
}

Switch Hardware Failure
{
  "alert_type": "SWITCH_HARDWARE_FAILURE",
  "description": "Switch with serial CN8AHKW095 : Fan 1 failed ",
  "timestamp": 1569505920,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1307",
  "state": "Open",
  "nid": 207,
  "details": {
    "group": "0",
    "name": "Aruba-2930F-24G-PoEP-4SFPP",
    "ip": "10.22.182.78",
    "labels": [],
    "mac": "e0:07:1b:c4:8d:80",
    "time": "2019-09-26 13:52:00 UTC",
    "threshold": "1",
    "serial": "CN69HKW05T"
  },
  "operation": "create",
"device_id": "CN69HKW05T", "id": "AW1t18ccYu0OgJ2aoDYw", "severity": "Critical" } Switch Port Duplex Mode { "id": "AXvFH4hFo68tULajP1c9", "nid": 1306, "alert_type": "SWITCH_INTERFACE_DUPLEX_MODE", "setting_id": "6ec75df161974434b54e298a353d11f3-1306", "device_id": "SG9ZKN7050", "description": "Interface 1/1/2 on switch 6300 with serial SG9ZKN7050 is operating at Half-Duplex mode", "state": "Open", "severity": "Critical", "operation": "create", "timestamp": 1631099783, "details": { "group": "2848", "labels": "", "name": "6300", "serial": "SG9ZKN7050", "intf_name": "1/1/2", "mode": "Half", "time": "2021-09-08 11:16:23 UTC" }, "webhook": "76f4af2c-a47c-4726-b9d3-133c45e8f436", "text": "Interface 1/1/2 on switch 6300 with serial SG9ZKN7050 is operating at Half-Duplex mode", "cluster_hostname": "app-yoda.arubathena.com" } Switch AOS-S Reboot { "id": "AXt5CJ51o68tULaj30iP", "nid": 1312, "alert_type": "SWITCH_REBOOT", "setting_id": "f1ae23ba9025490cb53efb0993e05f17-1312", "device_id": "FFFWA7Y5B", "description": "Switch Aruba-3810M-24G-PoEP-1-slot with FFFWA7Y5B on group - default rebooted. Reason: Operator reboot from Aruba CENTRAL session.", "state": "Open", "severity": "Critical", "operation": "create", "timestamp": 1629823213, "details": { "name": "Aruba-3810M-24G-PoEP-1-slot", "serial": "FFFWA7Y5B", "group_name": "default", "site_name": "", "reboot_reason": "Operator reboot from Aruba CENTRAL session.", "ts": "1629823080", "group": "0", "labels": "46", "time": "2021-08-24 16:40:13 UTC" }, "webhook": "8077a55e-f8d3-43af-a67f-12263f5b778e", Aruba Central | User Guide 300 "text": "Switch Aruba-3810M-24G-PoEP-1-slot with FFFWA7Y5B on group - default rebooted. Reason: Operator reboot from Aruba CENTRAL session." 
}

Switch STP Root Change
{
  "id": "AXt4qBL_fvwY_x8ol-sJ",
  "nid": 1308,
  "alert_type": "SWITCH_STP_ROOT_CHANGE",
  "setting_id": "417fc95887044bcba9b3e2ce3830aecb-1308",
  "device_id": "QXRF011180",
  "description": "CST Root changed on Sep 24 10:57:09 from Switch QXRF011180.dummy with Serial: QXRF011180, IP Address: 75.200.87.30 and Priority: 24576 to Switch 70:10:6f:84:0c:80 with Serial: QXRF011180, IP Address: 75.200.87.30 and Priority 20480",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1629816886,
  "details": {
    "ts": "Sep 24 10:57:09",
    "pr1": "24576",
    "pr2": "20480",
    "host1": "QXRF011180.dummy",
    "host2": "70:10:6f:84:0c:80",
    "ip1": "75.200.87.30",
    "ip2": " ",
    "serial1": "QXRF011180",
    "serial2": " ",
    "type": "CST",
    "group": "16336",
    "labels": "5844",
    "serial": "QXRF011180",
    "time": "2021-08-24 14:54:46 UTC"
  },
  "webhook": "34000e8a-475c-46e3-9bec-79c5f281e868",
  "text": "CST Root changed on Sep 24 10:57:09 from Switch QXRF011180.dummy with Serial: QXRF011180, IP Address: 75.200.87.30 and Priority: 24576 to Switch 70:10:6f:84:0c:80 with Serial: QXRF011180, IP Address: 75.200.87.30 and Priority 20480"
}

Switch Uplink Port Over Utilization
{
  "id": "AXwISXRXuaNimYkpzKTQ",
  "nid": 1311,
  "alert_type": "SWITCH_UPLINK_PORT_OVER_UTILIZATION",
  "setting_id": "111952054-1311",
  "device_id": "SG87GYW05B",
  "description": "Uplink usage on Switch Aruba-3810M-24G-PoEP-1-slot exceeded 2GB in 30 minutes",
  "state": "Open",
  "severity": "Major",
  "operation": "create",
  "timestamp": 1632226604,
  "details": {
    "name": "Aruba-3810M-24G-PoEP-1-slot",
    "duration": "30",
    "usage": "2",
    "site_str": "",
    "ts": "1632226604",
    "group": "1",
    "labels": "",
    "serial": "SG87GYW05B",
    "time": "2021-09-21 11:46:44 UTC"
  },
  "webhook": "e62eb85b-0547-4fba-9cfb-c8d36fb2b0c3",
  "text": "Uplink usage on Switch Aruba-3810M-24G-PoEP-1-slot exceeded 2GB in 30 minutes",
  "cluster_hostname": "sol-central.arubathena.com"
}

AOS-CX Switch Alerts--Sample JSON
This section
includes sample JSON content for the following alerts:

New Switch Connected
{
  "id": "AXdpfWeFo68tULajSfwu",
  "nid": 201,
  "alert_type": "New Switch Connected",
  "setting_id": "f1ae23ba9025490cb53efb0993e05f17-201",
  "device_id": "CN80HKW2Z6",
  "description": "New Switch with serial CN80HKW2Z6, MAC address 54:80:28:61:b3:20 IP address 10.21.20.231 and Hostname Aruba-2930F-24G-PoEP-4SFPP connected, Group:unprovisioned, Site:Bangalore Site",
  "state": "Open",
  "severity": "Major",
  "operation": "create",
  "timestamp": 1612382562,
  "details": {
    "group": "1",
    "labels": "46",
    "_rule_number": "0",
    "params": ["CN80HKW2Z6", "54:80:28:61:b3:20", "10.21.20.231", "Aruba-2930F-24G-PoEP-4SFPP"],
    "serial": "CN80HKW2Z6",
    "time": "2021-02-03 20:02:42 UTC",
    "group_name": "unprovisioned",
    "site_name": "Bangalore Site"
  },
  "webhook": "8077a55e-f8d3-43af-a67f-12263f5b778e",
  "text": "New Switch with serial CN80HKW2Z6, MAC address 54:80:28:61:b3:20 IP address 10.21.20.231 and Hostname Aruba-2930F-24G-PoEP-4SFPP connected, Group:unprovisioned, Site:Bangalore Site"
}

Switch Disconnected
{
  "id": "AXbhjMPpKHBn24BIWnGc",
  "nid": 203,
  "alert_type": "Switch Disconnected",
  "setting_id": "f1ae23ba9025490cb53efb0993e05f17-203",
  "device_id": "CN80HKW2Z6",
  "description": "Switch with serial CN80HKW2Z6, MAC address 54:80:28:61:b3:20 IP address 10.21.20.231 and Hostname Aruba-2930F-24G-PoEP-4SFPP reconnected",
  "state": "Close",
  "severity": "Major",
  "operation": "update",
  "timestamp": 1612383547,
  "details": {
    "params": ["CN80HKW2Z6", "54:80:28:61:b3:20", "10.21.20.231", "Aruba-2930F-24G-PoEP-4SFPP", "", ""],
    "serial": "CN80HKW2Z6",
    "time": "2021-01-08 10:31:07 UTC",
    "conn_status": "reconnected"
  },
  "webhook": "8077a55e-f8d3-43af-a67f-12263f5b778e",
  "text": "Switch with serial CN80HKW2Z6, MAC address 54:80:28:61:b3:20 IP address 10.21.20.231 and Hostname Aruba-2930F-24G-PoEP-4SFPP reconnected"
}

Switch Memory Over Utilization
{
  "id": "AXdr9zozo68tULajS0Xo",
  "nid": 1301,
"alert_type": "SWITCH_MEMORY_OVER_UTILIZATION", "setting_id": "f1ae23ba9025490cb53efb0993e05f17-1301", "device_id": "SG92GPT00K", "description": "Memory utilization for Switch with serial SG92GPT00K has been above 1% for about 5 minutes since 2021-02-04 07:30:00 UTC", "state": "Open", "severity": "Critical", "operation": "create", "timestamp": 1612424100, "details": { "name": "", "unit": "%", "serial": "SG92GPT00K", "group": "212", "_rule_number": "0", "ds_key": "f1ae23ba9025490cb53efb0993e05f17.SG92GPT00K.memory_utilization.5m", "duration": "5", "threshold": "1", "time": "2021-02-04 07:30:00 UTC" }, "webhook": "8077a55e-f8d3-43af-a67f-12263f5b778e", "text": "Memory utilization for Switch with serial SG92GPT00K has been above 1% for about 5 minutes since 2021-02-04 07:30:00 UTC" } Switch CPU Over Utilization { "id": "AXdrVwIbo68tULajSsgm", "nid": 1300, "alert_type": "SWITCH_CPU_OVER_UTILIZATION", "setting_id": "f1ae23ba9025490cb53efb0993e05f17-1300", "device_id": "SG53FLZ0RX", "description": "CPU utilization for Switch HP-2920-48G-POEP with serial SG53FLZ0RX has been above 1% for about 5 minutes since 2021-02-04 04:35:00 UTC.", "state": "Open", "severity": "Critical", "operation": "create", "timestamp": 1612413600, "details": { "name": "HP-2920-48G-POEP", "unit": "%", "serial": "SG53FLZ0RX", Administering Aruba Central | 303 "group": "211", "_rule_number": "0", "ds_key": "f1ae23ba9025490cb53efb0993e05f17.SG53FLZ0RX.cpu_utilization.5m", "duration": "5", "threshold": "1", "time": "2021-02-04 04:35:00 UTC" }, "webhook": "8077a55e-f8d3-43af-a67f-12263f5b778e", "text": "CPU utilization for Switch HP-2920-48G-POEP with serial SG53FLZ0RX has been above 1% for about 5 minutes since 2021-02-04 04:35:00 UTC." 
}

Switch Interface Rx Rate
{
  "alert_type": "SWITCH_INTERFACE_RX_RATE",
  "description": "Receive rate for Interface 15 on Switch Aruba-2930F-24G-PoEP-4SFPP has been above 1 % for about 5 minutes since 2019-09-26 13:18:00 UTC.",
  "timestamp": 1569504180,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1303",
  "state": "Open",
  "nid": 1303,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "name": "Aruba-2930F-24G-PoEP-4SFPP",
    "max_value_for_percentage": "1000.0",
    "threshold": "1",
    "intf_name": "15",
    "time": "2019-09-26 13:18:00 UTC",
    "duration": "5",
    "ds_key": "e344d961bccd411dbd279bf92f61b989.CN8AHKW095.intf.rx_utilization.5m",
    "serial": "CN8AHKW095",
    "unit": "%"
  },
  "operation": "create",
  "device_id": "CN8AHKW095",
  "id": "AW1tvTgBYu0OgJ2aoCgl",
  "severity": "Critical"
}

Switch Interface Tx Rate
{
  "alert_type": "SWITCH_INTERFACE_TX_RATE",
  "description": "Transfer rate for Interface 19 on Switch Aruba-2930F-24G-PoEP-4SFPP has been above 1 % for about 5 minutes since 2019-09-26 13:18:00 UTC.",
  "timestamp": 1569504180,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1302",
  "state": "Open",
  "nid": 1302,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "name": "Aruba-2930F-24G-PoEP-4SFPP",
    "max_value_for_percentage": "1000.0",
    "threshold": "1",
    "intf_name": "19",
    "time": "2019-09-26 13:18:00 UTC",
    "duration": "5",
    "ds_key": "e344d961bccd411dbd279bf92f61b989.CN8AHKW095.intf.tx_utilization.5m",
    "serial": "CN8AHKW095",
    "unit": "%"
  },
  "operation": "create",
  "device_id": "CN8AHKW095",
  "id": "AW1tvTgBYu0OgJ2aoCgk",
  "severity": "Critical"
}

Switch POE Utilization
{
  "alert_type": "SWITCH_POE_UTILIZATION",
  "description": "PoE utilization for Switch Aruba-2930F-24G-PoEP-4SFPP with serial CN69HKW05T MAC address e0:07:1b:c4:8d:80 and IP address 10.22.182.78 has been above 1%",
  "timestamp": 1569505920,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1307",
  "state": "Open",
  "nid": 1307,
  "details": {
    "group": "0",
    "name": "Aruba-2930F-24G-PoEP-4SFPP",
    "ip": "10.22.182.78",
    "labels": [],
    "mac": "e0:07:1b:c4:8d:80",
    "time": "2019-09-26 13:52:00 UTC",
    "threshold": "1",
    "serial": "CN69HKW05T"
  },
  "operation": "create",
  "device_id": "CN69HKW05T",
  "id": "AW1t18ccYu0OgJ2aoDYw",
  "severity": "Critical"
}

Switch Interface Input Errors
{
  "alert_type": "SWITCH_INTERFACE_INPUT_ERRORS",
  "description": "Input errors for Interface 19 on Switch Aruba-2930F-24G-PoEP-4SFPP has been above 90% for about 30 minutes since 2019-09-26 06:07:00 UTC .",
  "timestamp": 1569505920,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1307",
  "state": "Open",
  "nid": 1304,
  "details": {
    "group": "0",
    "name": "Aruba-2930F-24G-PoEP-4SFPP",
    "ip": "10.22.182.78",
    "labels": [],
    "mac": "e0:07:1b:c4:8d:80",
    "time": "2019-09-26 13:52:00 UTC",
    "threshold": "1",
    "serial": "CN69HKW05T"
  },
  "operation": "create",
  "device_id": "CN69HKW05T",
  "id": "AW1t18ccYu0OgJ2aoDYw",
  "severity": "Critical"
}

Switch Interface Output Errors
{
  "alert_type": "SWITCH_INTERFACE_OUTPUT_ERRORS",
  "description": "Output errors for Interface 19 on Switch Aruba-2930F-24G-PoEP-4SFPP has been above 90% for about 30 minutes since 2019-09-26 06:07:00 UTC.",
  "timestamp": 1569505920,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1307",
  "state": "Open",
  "nid": 1305,
  "details": {
    "group": "0",
    "name": "Aruba-2930F-24G-PoEP-4SFPP",
    "ip": "10.22.182.78",
    "labels": [],
    "mac": "e0:07:1b:c4:8d:80",
    "time": "2019-09-26 13:52:00 UTC",
    "threshold": "1",
    "serial": "CN69HKW05T"
  },
  "operation": "create",
  "device_id": "CN69HKW05T",
  "id": "AW1t18ccYu0OgJ2aoDYw",
  "severity": "Critical"
}

Switch Config Mismatch
{
  "alert_type": "SWITCH_CONFIG_MISMATCH",
  "description": "Config mismatch occurred in switch with serial CN69HKW05T MAC address e0:07:1b:c4:8d:80 and IP address 10.22.182.78 and Hostname Aruba-2930F-48G-PoEP-4SFPP",
  "timestamp": 1569505920,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1307",
  "state": "Open",
  "nid": 206,
  "details": {
    "group": "0",
    "name": "Aruba-2930F-24G-PoEP-4SFPP",
    "ip": "10.22.182.78",
    "labels": [],
    "mac": "e0:07:1b:c4:8d:80",
    "time": "2019-09-26 13:52:00 UTC",
    "threshold": "1",
    "serial": "CN69HKW05T"
  },
  "operation": "create",
  "device_id": "CN69HKW05T",
  "id": "AW1t18ccYu0OgJ2aoDYw",
  "severity": "Critical"
}

Switch Hardware Failure
{
  "id": "AXvJXn_oo68tULajUT9W",
  "nid": 207,
  "alert_type": "SWITCH_HARDWARE_FAILURE",
  "setting_id": "6ec75df161974434b54e298a353d11f3-207",
  "device_id": "SG9ZKN7078",
  "description": "Switch with serial SG9ZKN7078 : eMMC storage reached critical utilization level.Please contact HPE Aruba support for further assistance.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1631171018,
  "details": {
    "group": "1",
    "labels": "",
    "serial": "SG9ZKN7078",
    "name": "6300",
    "site": "",
    "device_id": "SG9ZKN7078",
    "hostname": "6300",
    "description": "eMMC storage reached critical utilization level.Please contact HPE Aruba support for further assistance.",
    "event_id": "9104",
    "time": "2021-09-09 07:03:38 UTC"
  },
  "webhook": "5ef178b6-4916-46e6-bed2-ab61a8cd7271",
  "text": "Switch with serial SG9ZKN7078 : eMMC storage reached critical utilization level.Please contact HPE Aruba support for further assistance.",
  "cluster_hostname": "app-yoda.arubathena.com"
}

Switch NAE Status
{
  "id": "AXs01pfTKYUYZt8VfT9m",
  "nid": 208,
  "alert_type": "Switch NAE Status",
  "setting_id": "424a17fea2a24d46859a33699cd6b3d4-208",
  "device_id": "SG9ZEFB7F2",
  "description": "Aggregated NAE status reached or exceeds the desired severity level for the switch with serial SG9ZEFB7F2 MAC address 70:72:cf:ef:b7:f2 IP address 10.101.60.40 and Hostname 6300",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1628679083,
  "details": {
    "group": "1",
    "labels": "",
    "serial": "SG9ZEFB7F2",
    "name": "{\\'hostname\\': \\'6300\\'}",
    "site": "",
    "device_id": "SG9ZEFB7F2",
    "mac": "70:72:cf:ef:b7:f2",
    "ip": "10.101.60.40",
    "hostname": "6300",
    "time": "2021-08-11 10:51:23 UTC"
  },
  "webhook": "b18819a2-75a1-4bf8-951e-037b9fd1914a",
  "text": "Aggregated NAE status reached or exceeds the desired severity level for the switch with serial SG9ZEFB7F2 MAC address 70:72:cf:ef:b7:f2 IP address 10.101.60.40 and Hostname 6300"
}

Switch Stack Commander Change
{
  "id": "AXvGFP59KFHq3kj2rOJu",
  "nid": 1310,
  "alert_type": "SWITCH_STACK_COMMANDER_CHANGE",
  "setting_id": "698e8e55b6294a7daf4de0f80f51b231-1310",
  "device_id": "SG9ZKN709Y",
  "description": "New Commander with Serial ID: SG9ZKN70B5, MAC Address: 38:21:c7:5c:c4:c0, Hostname: Commander, Stack ID: 6a9cb0fb-2346-48df-a0c4-90237ea71afa, Group: 322 Connected, Old Commander Serial ID: SG9ZKN709Y, Mac Address: 38:21:c7:5d:70:c0",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1631115869,
  "details": {
    "old_serial": "SG9ZKN709Y",
    "old_mac": "38:21:c7:5d:70:c0",
    "new_serial": "SG9ZKN70B5",
    "new_mac": "38:21:c7:5c:c4:c0",
    "host": "Commander",
    "stack_id": "6a9cb0fb-2346-48df-a0c4-90237ea71afa",
    "group": "322",
    "labels": "",
    "serial": "SG9ZKN709Y",
    "time": "2021-09-08 15:44:29 UTC"
  },
  "webhook": "374b4438-dff9-464c-a03e-a781c6c9a68f",
  "text": "New Commander with Serial ID: SG9ZKN70B5, MAC Address: 38:21:c7:5c:c4:c0, Hostname: Commander, Stack ID: 6a9cb0fb-2346-48df-a0c4-90237ea71afa, Group: 322 Connected, Old Commander Serial ID: SG9ZKN709Y, Mac Address: 38:21:c7:5d:70:c0"
}

Stack Member Added
{
  "id": "AXvGRNvsKFHq3kj2rOYF",
  "nid": 1309,
  "alert_type": "SWITCH_STACK_MEMBER_ADDED_REMOVED",
  "setting_id": "698e8e55b6294a7daf4de0f80f51b231-1309",
  "device_id": "SG9ZKN702T",
  "description": "Stack Member with Serial ID: SG9ZKN702T, MAC Address: 38:21:c7:5a:c5:80, Member ID: 4 and Role: ['Member'] Added To stack with Hostname: 6300, Stack ID: 6a9cb0fb-2346-48df-a0c4-90237ea71afa",
  "state": "Open",
  "severity": "Major",
  "operation": "create",
  "timestamp": 1631119006,
  "details": {
    "serial": "SG9ZKN702T",
    "mac": "38:21:c7:5a:c5:80",
    "mem_id": "4",
    "role": [
      "Member"
    ],
    "action": "Added To",
    "host": "6300",
    "stack_id": "6a9cb0fb-2346-48df-a0c4-90237ea71afa",
    "group": "326",
    "time": "2021-09-08 16:36:46 UTC"
  },
  "webhook": "374b4438-dff9-464c-a03e-a781c6c9a68f",
  "text": "Stack Member with Serial ID: SG9ZKN702T, MAC Address: 38:21:c7:5a:c5:80, Member ID: 4 and Role: ['Member'] Added To stack with Hostname: 6300, Stack ID: 6a9cb0fb-2346-48df-a0c4-90237ea71afa"
}

Stack Member Removed
{
  "id": "AXvGQ0JcKFHq3kj2rOXu",
  "nid": 1309,
  "alert_type": "SWITCH_STACK_MEMBER_ADDED_REMOVED",
  "setting_id": "698e8e55b6294a7daf4de0f80f51b231-1309",
  "device_id": "SG9ZKN702T",
  "description": "Stack Member with Serial ID: SG9ZKN702T, MAC Address: , Member ID: 4 and Role: ['Member'] Removed From stack with Hostname: 6300, Stack ID: 6a9cb0fb-2346-48df-a0c4-90237ea71afa",
  "state": "Open",
  "severity": "Major",
  "operation": "create",
  "timestamp": 1631118901,
  "details": {
    "serial": "SG9ZKN702T",
    "mac": "",
    "mem_id": "4",
    "role": [
      "Member"
    ],
    "action": "Removed From",
    "host": "6300",
    "stack_id": "6a9cb0fb-2346-48df-a0c4-90237ea71afa",
    "group": "326",
    "time": "2021-09-08 16:35:01 UTC"
  },
  "webhook": "374b4438-dff9-464c-a03e-a781c6c9a68f",
  "text": "Stack Member with Serial ID: SG9ZKN702T, MAC Address: , Member ID: 4 and Role: ['Member'] Removed From stack with Hostname: 6300, Stack ID: 6a9cb0fb-2346-48df-a0c4-90237ea71afa"
}

Switch Port Duplex Mode
{
  "id": "AXvFH4hFo68tULajP1c9",
  "nid": 1306,
  "alert_type": "SWITCH_INTERFACE_DUPLEX_MODE",
  "setting_id": "6ec75df161974434b54e298a353d11f3-1306",
  "device_id": "SG9ZKN7050",
  "description": "Interface 1/1/2 on switch 6300 with serial SG9ZKN7050 is operating at Half-Duplex mode",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1631099783,
  "details": {
    "group": "2848",
    "labels": "",
    "name": "6300",
    "serial": "SG9ZKN7050",
    "intf_name": "1/1/2",
    "mode": "Half",
    "time": "2021-09-08 11:16:23 UTC"
  },
  "webhook": "76f4af2c-a47c-4726-b9d3-133c45e8f436",
  "text": "Interface 1/1/2 on switch 6300 with serial SG9ZKN7050 is operating at Half-Duplex mode",
  "cluster_hostname": "app-yoda.arubathena.com"
}

Gateway Alerts--Sample JSON
This section includes sample JSON content for the following alerts:

BGP Neighbor Route Limit
{
  "id": "AXeDCfY2o68tULajXkth",
  "nid": 1358,
  "alert_type": "CONTROLLER BGP NEIGHBOR ROUTE LIMIT",
  "setting_id": "a847a3aea73d4ba7b34c00323fb9ee7a-1358",
  "device_id": "CV0012105",
  "description": "BGP neighbor 172.30.1.102 route limit exceeded on device MDC1-VPNC1-KSA-03_E1_A0(router_id=10.53.9.44, ASN=3002, serial=CV0012105, limit=1,action=warning)",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612811204,
  "details": {
    "serial": "CV0012105",
    "action": "warning",
    "hostname": "MDC1-VPNC1-KSA-03_E1_A0",
    "limit": "1",
    "nbr_addr": "172.30.1.102",
    "nbr_id": "10.53.9.44",
    "nbr_as": "3002",
    "group": "12",
    "time": "2021-02-08 19:06:44 UTC"
  },
  "webhook": "f6f2b19a-31d5-445c-b340-eb1ca8a6fdd8",
  "text": "BGP neighbor 172.30.1.102 route limit exceeded on device MDC1-VPNC1-KSA-03_E1_A0(router_id=10.53.9.44, ASN=3002, serial=CV0012105, limit=1,action=warning)"
}

CFG-SET Advertisement Failure
{
  "id": "AXdnqE9jo68tULajSR8X",
  "nid": 1554,
  "alert_type": "CFG_SET_ADVERTISEMENT_FAILURE",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1554",
  "device_id": "BIM0010001",
  "description": "CFG-Set advertisement failure for Gateway BIM0010001 with serial BIM0010001 on tunnel default-local-vpnip-data-ipsecmap-00:1a:1e:04:27:48-link6 from 10.1.1.1 to 200.1.1.6",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612351819,
  "details": {
    "src_ip": "10.1.1.1",
    "dst_ip": "200.1.1.6",
    "alias_map_name": "default-local-vpnip-data-ipsecmap-00:1a:1e:04:27:48-link6",
    "map_name": "default-local-vpnip-data-ipsecmap-00:1a:1e:04:27:48-link6",
    "hostname": "BIM0010001",
    "serial": "BIM0010001",
    "group": "0",
    "labels": [],
    "time": "2021-02-03 11:30:19 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "CFG-Set advertisement failure for Gateway BIM0010001 with serial BIM0010001 on tunnel default-local-vpnip-data-ipsecmap-00:1a:1e:04:27:48-link6 from 10.1.1.1 to 200.1.1.6"
}

BGP Session Error
{
  "id": "AXeCfcXbbbaB9p462rCU",
  "nid": 1355,
  "alert_type": "CONTROLLER BGP SESSION ERROR",
  "setting_id": "417fc95887044bcba9b3e2ce3830aecb-1355",
  "device_id": "DL0002986",
  "description": "BGP neighbor 103.1.1.2 is down (router-id=197.0.0.3, ASN=103, serial=DL0002986)",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612802016,
  "details": {
    "serial": "DL0002986",
    "nbr_addr": "103.1.1.2",
    "nbr_as": "103",
    "nbr_id": "197.0.0.3",
    "group": "57",
    "time": "2021-02-08 16:33:36 UTC"
  },
  "webhook": "5cbc87e4-9eb5-45d2-b890-b21db89ca5b4",
  "text": "BGP neighbor 103.1.1.2 is down (router-id=197.0.0.3, ASN=103, serial=DL0002986)"
}

EST Enrolment Failure
{
  "id": "AXvSPh4-Kzxaq3kj2rgh7",
  "nid": 1701,
  "alert_type": "EST enrollment failure",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1504",
  "device_id": "CZ0003243",
  "description": " EST enrollment failure for Virtual Gateway with name : 7024-HF-254, serial :CZ0003243, mac :00:0b:86:f9:0d:d1.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1648194475,
  "details": {
    "mac": "00:0b:86:f9:0d:d1",
    "hostname": "7024-HF-254",
    "serial": "CZ0003243",
    "group": "6",
    "labels": "2",
    "_rule_number": "0",
    "params": "",
    "time": "2022-03-25 13:17:51 UTC"
  },
  "webhook": "87fae42a-78ec-45c0-a22a-4f81417cad56",
  "text": "EST enrollment failure for Virtual Gateway with name : 7024-HF-254, serial :CZ0003243, mac :00:0b:86:f9:0d:d1."
}

Gateway CPU Utilization
{
  "id": "AXdi7ppYo68tULajRVeA",
  "nid": 1351,
  "alert_type": "CONTROLLER_CPU_OVER_UTILIZATION",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1351",
  "device_id": "CNJJKLB0HB",
  "description": "CPU utilization for Gateway WTH_9004-2 with serial CNJJKLB0HB has been above 10% for about 5 minutes since 2021-02-02 13:24:00 UTC.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612272540,
  "details": {
    "name": "WTH_9004-2",
    "unit": "%",
    "serial": "CNJJKLB0HB",
    "group": "36",
    "labels": "8",
    "_rule_number": "0",
    "ds_key": "6039f9543bac449291bfcd19eb10d1eb.CNJJKLB0HB.cpu_utilization.5m",
    "duration": "5",
    "threshold": "10",
    "time": "2021-02-02 13:24:00 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "CPU utilization for Gateway WTH_9004-2 with serial CNJJKLB0HB has been above 10% for about 5 minutes since 2021-02-02 13:24:00 UTC."
}

Gateway Emergency Mode
{
  "id": "AXdjJsYpo68tULajRXTU",
  "nid": 1353,
  "alert_type": "CONTROLLER_EMERGENCY_UP_LINK_MODE",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1353",
  "device_id": "BIM0010002",
  "description": "Gateway BIM0010002 with serial BIM0010002 is operating on emergency mode at 2021-02-02 14:30:21 UTC",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612276221,
  "details": {
    "name": "BIM0010002",
    "serial": "BIM0010002",
    "group": "0",
    "labels": [],
    "time": "2021-02-02 14:30:21 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "Gateway BIM0010002 with serial BIM0010002 is operating on emergency mode at 2021-02-02 14:30:21 UTC"
}

VGW VM Down
{
  "id": "AXeBVwDSXFtba20Mo_fm",
  "nid": 1702,
  "alert_type": "VGW_HEALTH_STATE_CHANGE_DETECTED",
  "setting_id": "417fc95887044bcba9b3e2ce3830aecb-1702",
  "device_id": "VG2101216619",
  "description": "VGW VM DOWN -- User: [email protected] Cloud-Account: Karan-Azure Cloud-Provider: Azure Region-Id: canadacentral VPC-Id: /karan_res_canada/canadavnet VM-Id: /subscriptions/2bf1e338-5361-470d-bcba-78c50b2b7f16/resourceGroups/karan_res_canada/providers/Microsoft.Compute/virtualMachines/ArubaVGW-92-1A-3A Serial-Number: VG2101216619 Mac-Address: 02:1A:1E:92:1A:3A",
  "state": "Open",
  "severity": "Major",
  "operation": "create",
  "timestamp": 1612782698,
  "details": {
    "account_id": "4c0116d9-a26b-4b4b-8be0-350631e434be",
    "mac": "02:1A:1E:92:1A:3A",
    "serial": "VG2101216619",
    "vm_id": "/subscriptions/2bf1e338-5361-470d-bcba-78c50b2b7f16/resourceGroups/karan_res_canada/providers/Microsoft.Compute/virtualMachines/ArubaVGW-92-1A-3A",
    "account_name": "Karan-Azure",
    "region_id": "canadacentral",
    "customer_name": "[email protected]",
    "health": "DOWN",
    "vpc_id": "/karan_res_canada/canadavnet",
    "provider_name": "Azure",
    "customer_id": "417fc95887044bcba9b3e2ce3830aecb",
    "time": "2021-02-08 11:11:38 UTC"
  },
  "webhook": "5cbc87e4-9eb5-45d2-b890-b21db89ca5b4",
  "text": "VGW VM DOWN -- User: [email protected] Cloud-Account: Karan-Azure Cloud-Provider: Azure Region-Id: canadacentral VPC-Id: /karan_res_canada/canadavnet VM-Id: /subscriptions/2bf1e338-5361-470d-bcba-78c50b2b7f16/resourceGroups/karan_res_canada/providers/Microsoft.Compute/virtualMachines/ArubaVGW-92-1A-3A Serial-Number: VG2101216619 Mac-Address: 02:1A:1E:92:1A:3A"
}

VPN Peer Failover
{
  "id": "AXvSPh4-Kzxaq3kj2rgh7",
  "nid": 1504,
  "alert_type": "WAN_UPLINK_LOAD_BALANCE_VPNC_PEER_FAILOVER",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1504",
  "device_id": "CZ0003243",
  "description": " VPN peer failover for gateway 7024-HF-254 with serial CZ0003243",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1648061695,
  "details": {
    "mac": "00:0b:86:f9:0d:d1",
    "hostname": "7024-HF-254",
    "serial": "CZ0003243",
    "group": "6",
    "labels": "2",
    "_rule_number": "0",
    "params": "",
    "time": "2022-03-23 00:24:51 UTC"
  },
  "webhook": "87fae42a-78ec-45c0-a22a-4f81417cad56",
  "text": "VPN peer failover for gateway 7024-HF-254 with serial CZ0003243"
}

Gateway Memory Utilization
{
  "id": "AXdiyfwQo68tULajRTiG",
  "nid": 1352,
  "alert_type": "CONTROLLER_MEMORY_OVER_UTILIZATION",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1352",
  "device_id": "CNJJKLB0G6",
  "description": "Memory utilization for Gateway WTH_9004-1 with serial CNJJKLB0G6 has been above 30% for about 30 minutes since 2021-02-02 12:19:00 UTC.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612270140,
  "details": {
    "name": "WTH_9004-1",
    "unit": "%",
    "serial": "CNJJKLB0G6",
    "group": "36",
    "labels": "8",
    "_rule_number": "0",
    "ds_key": "6039f9543bac449291bfcd19eb10d1eb.CNJJKLB0G6.memory_utilization.5m",
    "duration": "30",
    "threshold": "30",
    "time": "2021-02-02 12:19:00 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "Memory utilization for Gateway WTH_9004-1 with serial CNJJKLB0G6 has been above 30% for about 30 minutes since 2021-02-02 12:19:00 UTC."
}

OSPF Session Error
{
  "alert_type": "CONTROLLER OSPF SESSION ERROR",
  "description": "OSPF session state change for Gateway with hostname GSK_VPNC2 and serial CW0003307 from Init State to Down State for neighbor 1.0.0.2 on interface 100 with reason No hello packets received from neighbour.Inactivity timer fired",
  "timestamp": 1564121712,
  "webhook": "60785e88-9513-4352-94d6-ec25fedbeddc",
  "setting_id": "b27f67fa44234c51a890fccea7c9b83e-1354",
  "state": "Open",
  "nid": 1354,
  "details": {
    "dst_state": "Down State",
    "neighbour_ip": "1.0.0.2",
    "group": "4",
    "uniq_identifier": "100-16777218",
    "labels": [
      "2",
      "11",
      "12",
      "15",
      "13",
      "8"
    ],
    "src_state": "Init State",
    "reason": "No hello packets received from neighbour.Inactivity timer fired",
    "time": "2019-07-26 06:15:12 UTC",
    "interface": "100",
    "serial": "CW0003307",
    "hostname": "GSK_VPNC2"
  },
  "operation": "create",
  "device_id": "CW0003307",
  "id": "AWws60Yxon2R5PyMmUU4",
  "severity": "Major"
}

DHCP Pool Consumption Alert
{
  "alert_type": "DHCP_POOL_CONSUMPTION_ALERT",
  "description": "DHCP Pool Consumption on Gateway CNHHKLB031 is 12% at 2019-07-25 13:02:39 UTC for 192.168.53.0/24",
  "timestamp": 1564059759,
  "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1510",
  "state": "Open",
  "nid": 1510,
  "details": {
    "subnet": "192.168.53.0/24",
    "group": "77",
    "name": "None",
    "labels": "8,661",
    "time": "2019-07-25 13:02:39 UTC",
    "threshold": "12",
    "serial": "CNHHKLB031",
    "unit": "%"
  },
  "operation": "create",
  "device_id": "CNHHKLB031",
  "id": "AWwpOfQAVQO1ZtiGiE2H",
  "severity": "Critical"
}

SLA DPS_Compliance_Alert
{
  "ack_by": null,
  "ack_ts": 1579828824000,
  "acknowledge": 0,
  "cid": "201804172180",
  "description": "SLA DPS Compliance Violations for Customer : aruba, Device Hostname : bg2-ha2, Policy : all, Uplink : 400_lte, Probe Ip: 52.52.253.87, Threshold Profile : {u'dps_threshold_profile_name': u'BestForInternet', u'dps_threshold_profile_packet_loss_value': 1, u'dps_threshold_profile_bw_util_value': 80, u'dps_threshold_profile_latency_value': 1}, Violation Reason: Latency, Violation Value: 1.363ms",
  "group_name": "",
  "id": "AW_VItEnenGOhQ4XrMp_",
  "labels": [],
  "nid": 20,
  "severity": 5,
  "sites": [
    {
      "id": 38,
      "name": "site_2"
    }
  ],
  "ts": 1579828824000,
  "type": "DPS_COMPLIANCE_ALERT",
  "type_desc": "SLA DPS Compliance Violations"
}

Gateway Joining Cluster
{
  "id": "AXd9xwjio68tULajWyCm",
  "nid": 1802,
  "alert_type": "GATEWAY_CONNECTED_TO_CLUSTER",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1802",
  "device_id": "None",
  "description": "Gateway with name: c2c-7010-4-1 and serial: CG0020729 joined cluster: C2C-253-YODA.",
  "state": "Open",
  "severity": "Warning",
  "operation": "create",
  "timestamp": 1612722931,
  "details": {
    "group": "278",
    "labels": [],
    "name": "c2c-7010-4-1",
    "serial": "None",
    "gateway": "CG0020729",
    "cluster_name": "C2C-253-YODA",
    "alert_key": "CG0020729",
    "time": "2021-02-07 18:35:31 UTC"
  },
  "webhook": "52e0abbd-cdda-45f2-bd68-3107fef43841",
  "text": "Gateway with name: c2c-7010-4-1 and serial: CG0020729 joined cluster: C2C-253-YODA."
}

Gateway Leaving Cluster
{
  "id": "AXd9vPKro68tULajWxzi",
  "nid": 1803,
  "alert_type": "GATEWAY_DISCONNECTED_FROM_CLUSTER",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1803",
  "device_id": "54",
  "description": "Gateway with name: c2c-7010-4-1 and serial: CG0020729 left cluster: C2C-253-YODA.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612722270,
  "details": {
    "group": "278",
    "labels": [],
    "name": "c2c-7010-4-1",
    "serial": "54",
    "gateway": "CG0020729",
    "cluster_name": "C2C-253-YODA",
    "alert_key": "CG0020729",
    "time": "2021-02-07 18:24:30 UTC"
  },
  "webhook": "52e0abbd-cdda-45f2-bd68-3107fef43841",
  "text": "Gateway with name: c2c-7010-4-1 and serial: CG0020729 left cluster: C2C-253-YODA."
}

Gateway Cluster Leader Change
{
  "id": "AXd9wglqo68tULajWx7a",
  "nid": 1804,
  "alert_type": "GATEWAY_CLUSTER_LEADER_CHANGE",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1804",
  "device_id": "54",
  "description": "Gateway with name: c2c-7010-3 and serial: CG0021234 became the leader of cluster: C2C-253-YODA.",
  "state": "Open",
  "severity": "Minor",
  "operation": "create",
  "timestamp": 1612722604,
  "details": {
    "group": "278",
    "labels": [],
    "name": "c2c-7010-3",
    "serial": "54",
    "gateway": "CG0021234",
    "cluster_name": "C2C-253-YODA",
    "alert_key": "CG0021234",
    "time": "2021-02-07 18:30:04 UTC"
  },
  "webhook": "52e0abbd-cdda-45f2-bd68-3107fef43841",
  "text": "Gateway with name: c2c-7010-3 and serial: CG0021234 became the leader of cluster: C2C-253-YODA."
}

Gateway Cluster Client Capacity
{
  "id": "AXvSPh4-Kzxaq3kj2rgh7",
  "nid": 1805,
  "alert_type": "GATEWAY_CLUSTER_CLIENT_CAPACITY_EXCEEDED",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1805",
  "device_id": "CZ0003243",
  "description": " Client Capacity for Gateway Cluster C2C-254 has been above 90% for about 30 minutes since 2022-03-24 16:14:00 UTC.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1648095240,
  "details": {
    "mac": "00:0b:86:f9:0d:d1",
    "hostname": "7024-HF-254",
    "serial": "CZ0003243",
    "group": "6",
    "labels": "2",
    "_rule_number": "0",
    "params": "",
    "time": "2021-09-11 00:24:51 UTC"
  },
  "webhook": "87fae42a-78ec-45c0-a22a-4f81417cad56",
  "text": "Client Capacity for Gateway Cluster C2C-254 has been above 90% for about 30 minutes since 2022-03-24 16:14:00 UTC"
}

Gateway Base License Capacity Limit Exceeded
{
  "id": "AXdr-dsfo68tULajS0bj",
  "nid": 1356,
  "alert_type": "GATEWAY_BASE_LICENSE_CAPACITY_EXCEEDED",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1356",
  "device_id": "SCA0000073",
  "description": "Base license capacity limit exceeded for Gateway with name: CSIM_SCA0000073, serial: SCA0000073",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612424272,
  "details": {
    "group": "0",
    "labels": [],
    "name": "CSIM_SCA0000073",
    "serial": "SCA0000073",
    "time": "2021-02-04 07:37:52 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "Base license capacity limit exceeded for Gateway with name: CSIM_SCA0000073, serial: SCA0000073"
}

Gateway Threat Count
{
  "alert_type": "GW_IDS_IPS_ALERT_THREAT_OVER_A_PERIOD",
  "id": "AXX7N0IhaFBUFq6FQ2R1",
  "nid": 2305,
  "setting_id": "8fc0df01a43b42aa9f8e9fbc3d3b9d35-2305",
  "device_id": "TWJ6KSP005",
  "description": "Dear Incident Manager, Your Aruba Central Portal admin configured an email alert notification to be sent to this email address Why this alert? Aruba Branch Gateway https://app-yoda.arubathena.com/frontend/#/GATEWAYDETAIL/OVERVIEW/TWJ6KSP005aruba9004_lte with serial number TWJ6KSP005exceeded 50 threat events in last 10 minutes, triggering this CRITICAL Alert notification What is next? Reach out to your Aruba Central Portal admin to address this incident .If not addressed or if the situation escalates, you may continue to receive similar alert notifications. More Information Go to https://app-yoda.arubathena.com/frontend/#/IDPS_DASHBOARDSystem Generated Email from Aruba Central based on alert configuration; do not reply Thanks, Aruba Central",
  "state": "Close",
  "severity": "Critical",
  "operation": "update",
  "timestamp": 1606238738,
  "details__threshold": 50,
  "details__agg_field_name": "device",
  "details__duration": 10,
  "details__device": "TWJ6KSP005",
  "details__severity": "CRITICAL",
  "details__rule_id": 0,
  "details__serial": "TWJ6KSP005",
  "details__name": "aruba9004_lte",
  "details__group_id": 73,
  "details__time": "2020-11-24 16:55:04 UTC",
  "webhook": "001378a5-bfb1-465e-a955-0034ef801136",
  "text": "Dear Incident Manager, Your Aruba Central Portal admin configured an email alert notification to be sent to this email address Why this alert? Aruba Branch Gateway https://app-yoda.arubathena.com/frontend/#/GATEWAYDETAIL/OVERVIEW/TWJ6KSP005aruba9004_lte with serial number TWJ6KSP005exceeded 50 threat events in last 10 minutes, triggering this CRITICAL Alert notification What is next? Reach out to your Aruba Central Portal admin to address this incident. If not addressed or if the situation escalates, you may continue to receive similar alert notifications. More Information Go to https://app-yoda.arubathena.com/frontend/#/IDPS_DASHBOARDSystem Generated Email from Aruba Central based on alert configuration; do not reply Thanks, Aruba Central"
}

Gateway Disconnected
{
  "id": "AXdmLPpwo68tULajSCh_",
  "nid": 303,
  "alert_type": "GATEWAY_DISCONNECTED",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-303",
  "device_id": "CNJJKLB0NZ",
  "description": "Gateway WTH-9004-3 with serial CNJJKLB0NZ, MAC address 20:4c:03:b1:e0:22 and IP address 192.168.142.2 disconnected. , Group:UTM, Site:UTM",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612326959,
  "details": {
    "params": [
      "CNJJKLB0NZ",
      "20:4c:03:b1:e0:22",
      "192.168.142.2",
      "WTH-9004-3",
      "",
      ""
    ],
    "group": "36",
    "ts": "1612326547369",
    "labels": "8",
    "serial": "CNJJKLB0NZ",
    "conn_status": "disconnected",
    "time": "2021-02-03 04:35:59 UTC",
    "group_name": "UTM",
    "site_name": "UTM"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "Gateway WTH-9004-3 with serial CNJJKLB0NZ, MAC address 20:4c:03:b1:e0:22 and IP address 192.168.142.2 disconnected. , Group:UTM, Site:UTM"
}

Gateway Threat Count per Signature
{
  "id": "AXdr6Yf3o68tULajSz4Y",
  "nid": 2306,
  "alert_type": "GW_IDS_IPS_ALERT_THREAT_SID_OVER_A_PERIOD",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-2306",
  "device_id": "2821300",
  "description": "Dear Incident Manager,<br/>Your <b>Aruba Central Portal</b> admin configured an email alert notification to be sent to this email address <br/><br/><b>Why this alert?</b><br/>Threat events of signature id <b>2821300</b> exceeded the threshold <b>50</b> in last <b>30</b> minutes, triggering this <b>CRITICAL</b> Alert notification. <br/><br/><b>What is next? </b><br/>Reach out to your <b>Aruba Central Portal</b> admin to address this incident.<br/>If not addressed or if the situation escalates, you may continue to receive similar alert notifications. <br/><br/><b>More Information</b> <br/>Go to \"https://app-yoda.arubathena.com/frontend/#/IDPS_DASHBOARD\" <br/><br/><i>System Generated Email from Aruba Central based on alert configuration; do not reply.</i> <br/><br/>Thanks,<br/><br/>Aruba Central",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612423202,
  "details": {
    "threshold": "50",
    "agg_field_name": "signature",
    "duration": "30",
    "signature": "2821300",
    "severity": "CRITICAL",
    "rule_id": "0",
    "serial": "2821300",
    "time": "2021-02-04 06:50:02 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "Dear Incident Manager,<br/>Your <b>Aruba Central Portal</b> admin configured an email alert notification to be sent to this email address <br/><br/><b>Why this alert?</b><br/>Threat events of signature id <b>2821300</b> exceeded the threshold <b>50</b> in last <b>30</b> minutes, triggering this <b>CRITICAL</b> Alert notification. <br/><br/><b>What is next? </b><br/>Reach out to your <b>Aruba Central Portal</b> admin to address this incident.<br/>If not addressed or if the situation escalates, you may continue to receive similar alert notifications. <br/><br/><b>More Information</b> <br/>Go to \"https://app-yoda.arubathena.com/frontend/#/IDPS_DASHBOARD\" <br/><br/><i>System Generated Email from Aruba Central based on alert configuration; do not reply.</i> <br/><br/>Thanks,<br/><br/>Aruba Central"
}

Gateway IDS/IPS Engine Error State
{
  "id": "AXdq-8_vo68tULajSqJi",
  "nid": 2301,
  "alert_type": "GW_IDS_IPS_ENGINE_ERROR_STATE_ALERT",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-2301",
  "device_id": "CNJJKLB0G6",
  "description": "IDS/IPS engine on Gateway WTH_9004-1 with serial CNJJKLB0G6 has moved to an error (Stopped) state.",
  "state": "Close",
  "severity": "Critical",
  "operation": "update",
  "timestamp": 1612407706,
  "details": {
    "serial": "CNJJKLB0G6",
    "hostname": "WTH_9004-1",
    "state": "Stopped",
    "time": "2021-02-04 03:00:23 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "IDS/IPS engine on Gateway WTH_9004-1 with serial CNJJKLB0G6 has moved to an error (Stopped) state."
}

Gateway IDS IPS Engine CPU Utilization
{
  "id": "AXdq9flmo68tULajSqDN",
  "nid": 2302,
  "alert_type": "GW_IDS_IPS_ENGINE_CPU_OVER_UTILIZATION",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-2302",
  "device_id": "CNJJKLB0HB",
  "description": "CPU utilization for IDS/IPS engine on Gateway WTH_9004-2 with serial CNJJKLB0HB has been above 10% for about 11 minutes since 2021-02-04 02:43:01 UTC.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612407241,
  "details": {
    "name": "WTH_9004-2",
    "unit": "%",
    "serial": "CNJJKLB0HB",
    "group": "36",
    "labels": "8",
    "_rule_number": "0",
    "ds_key": "6039f9543bac449291bfcd19eb10d1eb.CNJJKLB0HB.idps.cpu.5m",
    "duration": "11",
    "threshold": "10",
    "time": "2021-02-04 02:43:01 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "CPU utilization for IDS/IPS engine on Gateway WTH_9004-2 with serial CNJJKLB0HB has been above 10% for about 11 minutes since 2021-02-04 02:43:01 UTC."
}

Gateway IDS IPS Engine Memory Utilization
{
  "id": "AXdq9fkVo68tULajSqDL",
  "nid": 2303,
  "alert_type": "GW_IDS_IPS_ENGINE_MEMORY_OVER_UTILIZATION",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-2303",
  "device_id": "CNJJKLB0HB",
  "description": "Memory utilization for IDS/IPS engine on Gateway WTH_9004-2 with serial CNJJKLB0HB has been above 2% for about 5 minutes since 2021-02-04 02:49:00 UTC.",
  "state": "Open",
  "severity": "Minor",
  "operation": "create",
  "timestamp": 1612407240,
  "details": {
    "name": "WTH_9004-2",
    "unit": "%",
    "serial": "CNJJKLB0HB",
    "group": "36",
    "labels": "8",
    "_rule_number": "0",
    "ds_key": "6039f9543bac449291bfcd19eb10d1eb.CNJJKLB0HB.idps.mem.5m",
    "duration": "5",
    "threshold": "2",
    "time": "2021-02-04 02:49:00 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "Memory utilization for IDS/IPS engine on Gateway WTH_9004-2 with serial CNJJKLB0HB has been above 2% for about 5 minutes since 2021-02-04 02:49:00 UTC."
}

Gateway IDS IPS Engine Packet Dropped Detected
{
  "id": "AXdr8CPmo68tULajS0K8",
  "nid": 2304,
  "alert_type": "GW_IDS_IPS_ENGINE_PACKET_DROPPED_DETECTED",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-2304",
  "device_id": "SCA0000004",
  "description": "Packet drop for IDS/IPS engine on Gateway CSIM_SCA0000004 with serial SCA0000004 has been above 75% for about 5 minutes since 2021-02-04 07:22:15 UTC.",
  "state": "Open",
  "severity": "Minor",
  "operation": "create",
  "timestamp": 1612423635,
  "details": {
    "name": "CSIM_SCA0000004",
    "serial": "SCA0000004",
    "threshold": "75",
    "duration": "5",
    "time": "2021-02-04 07:22:15 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "Packet drop for IDS/IPS engine on Gateway CSIM_SCA0000004 with serial SCA0000004 has been above 75% for about 5 minutes since 2021-02-04 07:22:15 UTC."
}

GW Cluster VLAN Mismatch
{
  "id": "AXd9rMzXo68tULajWxbZ",
  "nid": 1801,
  "alert_type": "GW_CLUSTER_VLAN_MISMATCH",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1801",
  "device_id": "54",
  "description": "There is a VLAN mismatch in cluster C2C-253-YODA between Gateway with serial: CG0020729 and Gateway with serial: CG0021234.",
  "state": "Close",
  "severity": "Minor",
  "operation": "update",
  "timestamp": 1612722281,
  "details": {
    "gateway2": "CG0021234",
    "gateway1": "CG0020729",
    "serial": "54",
    "alert_key": "CG0020729-CG0021234",
    "time": "2021-02-07 18:06:52 UTC",
    "cluster-name": "C2C-253-YODA",
    "group": "278",
    "labels": []
  },
  "webhook": "52e0abbd-cdda-45f2-bd68-3107fef43841",
  "text": "There is a VLAN mismatch in cluster C2C-253-YODA between Gateway with serial: CG0020729 and Gateway with serial: CG0021234."
}

New Gateway Connected
{
  "id": "AXd96oFqo68tULajWy28",
  "nid": 301,
  "alert_type": "NEW_GATEWAY_DETECTED",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-301",
  "device_id": "CP0021763",
  "description": "New Gateway GSK-7005-2 with serial CP0021763, MAC address 20:4c:03:11:eb:78 and IP address 172.168.1.1 connected, Group:unprovisioned",
  "state": "Open",
  "severity": "Warning",
  "operation": "create",
  "timestamp": 1612725256,
  "details": {
    "group": "1",
    "labels": "",
    "_rule_number": "0",
    "params": [ "CP0021763", "20:4c:03:11:eb:78", "172.168.1.1", "GSK-7005-2" ],
    "serial": "CP0021763",
    "time": "2021-02-07 19:14:16 UTC",
    "group_name": "unprovisioned"
  },
  "webhook": "52e0abbd-cdda-45f2-bd68-3107fef43841",
  "text": "New Gateway GSK-7005-2 with serial CP0021763, MAC address 20:4c:03:11:eb:78 and IP address 172.168.1.1 connected, Group:unprovisioned"
}

Overlay Route Orchestrator Connection
{
  "id": "AXeC5dlWo68tULajXiwK",
  "nid": 1359,
  "alert_type": "CONTROLLER OAP CONNECTION",
  "setting_id": "a847a3aea73d4ba7b34c00323fb9ee7a-1359",
  "device_id": "CP0048220",
  "description": "Overlay Route Orchestrator control connection is down for Legacy2.0-BGW1-A7005-39_82_AC (serial=CP0048220)",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612808837,
  "details": {
    "hostname": "Legacy2.0-BGW1-A7005-39_82_AC",
    "serial": "CP0048220",
    "group": "22",
    "time": "2021-02-08 18:27:17 UTC"
  },
  "webhook": "f6f2b19a-31d5-445c-b340-eb1ca8a6fdd8",
  "text": "Overlay Route Orchestrator control connection is down for Legacy2.0-BGW1-A7005-39_82_AC (serial=CP0048220)"
}

Route Table Limit
{
  "id": "AXeEaOYlo68tULajX4gT",
  "nid": 1357,
  "alert_type": "CONTROLLER ROUTE TABLE CAPACITY",
  "setting_id": "a847a3aea73d4ba7b34c00323fb9ee7a-1357",
  "device_id": "CP0059047",
  "description": "Routing table for device Legacy-2.1-BGW2-A7005_5F_9A_2A exceeded threshold(serial=CP0059047, IP=111.1.10.1, count=3463, max=4096)",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612834203,
  "details": {
    "serial": "CP0059047",
    "ip_address": "111.1.10.1",
    "count": "3463",
    "hostname": "Legacy-2.1-BGW2-A7005_5F_9A_2A",
    "max": "4096",
    "group": "21",
    "time": "2021-02-09 01:30:03 UTC"
  },
  "webhook": "f6f2b19a-31d5-445c-b340-eb1ca8a6fdd8",
  "text": "Routing table for device Legacy-2.1-BGW2-A7005_5F_9A_2A exceeded threshold(serial=CP0059047, IP=111.1.10.1, count=3463, max=4096)"
}

Route Table Capacity
{
  "id": "AXeCfX4pPppb5nv9WSDi",
  "nid": 1357,
  "alert_type": "CONTROLLER ROUTE TABLE CAPACITY",
  "setting_id": "417fc95887044bcba9b3e2ce3830aecb-1357",
  "device_id": "DL0003539",
  "description": "Routing table for device DC3_VPNC8_7240XM exceeded threshold (serial=DL0003539, IP=2.3.1.5, count=29268, max=32768)",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612801998,
  "details": {
    "serial": "DL0003539",
    "ip_address": "2.3.1.5",
    "count": "29268",
    "hostname": "DC3_VPNC8_7240XM",
    "max": "32768",
    "group": "57",
    "time": "2021-02-08 16:33:18 UTC"
  },
  "webhook": "5cbc87e4-9eb5-45d2-b890-b21db89ca5b4",
  "text": "Routing table for device DC3_VPNC8_7240XM exceeded threshold (serial=DL0003539, IP=2.3.1.5, count=29268, max=32768)"
}

WAN Uplink Autonegotiation State Change
{
  "id": "AXdnjuvwo68tULajSQyc",
  "nid": 1506,
  "alert_type": "WAN_UPLINK_AUTONEGOTIATION_STATE_CHANGE",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1506",
  "device_id": "CNJJKLB0NZ",
  "description": "WAN ports autonegotiaton speed changed from 1000 Mbps to Auto Mbps for device WTH-9004-3 with serial CNJJKLB0NZ for uplink GE0/0/1 at 2021-02-03 11:02:35 UTC",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612350155,
  "details": {
    "intf_name": "GE0/0/1",
    "speed": "1000",
    "new_speed": "Auto",
    "hostname": "WTH-9004-3",
    "serial": "CNJJKLB0NZ",
    "group": "36",
    "labels": [ "8" ],
    "time": "2021-02-03 11:02:35 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "WAN ports autonegotiaton speed changed from 1000 Mbps to Auto Mbps for device WTH-9004-3 with serial CNJJKLB0NZ for uplink GE0/0/1 at 2021-02-03 11:02:35 UTC"
}

WAN Health-check failure
{
  "id": "AXdk2LK6o68tULajRvY4",
  "nid": 1501,
  "alert_type": "WAN_UPLINK_REACHABILITY_HEALTH_CHECK_IP_FAILED",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1501",
  "device_id": "CNJJKLB0HB",
  "description": "WAN reachability check failed for Gateway WTH_9004-2 with serial CNJJKLB0HB to Health Check IP 52.52.253.87 on uplink inet2_inet. Default-gateway is reachable.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612304659,
  "details": {
    "default_gw_status": "reachable",
    "intf_name": "inet2_inet",
    "ip": "52.52.253.87",
    "hostname": "WTH_9004-2",
    "serial": "CNJJKLB0HB",
    "group": "36",
    "labels": [ "8" ],
    "time": "2021-02-02 22:24:19 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "WAN reachability check failed for Gateway WTH_9004-2 with serial CNJJKLB0HB to Health Check IP 52.52.253.87 on uplink inet2_inet. Default-gateway is reachable."
}

WAN VPN-Peer unreachable
{
  "id": "AXdncVpfo68tULajSPzi",
  "nid": 1502,
  "alert_type": "WAN_UPLINK_REACHABILITY_VPN_PEER_FAILED",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1502",
  "device_id": "CNJJKLB0HB",
  "description": "WAN reachability check failed for Gateway WTH_9004-2 with serial CNJJKLB0HB to VPN peer 192.168.103.99 on uplink inet2_inet. Default-gateway is unreachable.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612348217,
  "details": {
    "ip": "192.168.103.99",
    "intf_name": "inet2_inet",
    "default_gw_status": "unreachable",
    "hostname": "WTH_9004-2",
    "serial": "CNJJKLB0HB",
    "group": "36",
    "labels": [ "8" ],
    "time": "2021-02-03 10:30:17 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "WAN reachability check failed for Gateway WTH_9004-2 with serial CNJJKLB0HB to VPN peer 192.168.103.99 on uplink inet2_inet. Default-gateway is unreachable."
}

WAN Uplink Status Change
{
  "id": "AXdnjgBlo68tULajSQwz",
  "nid": 1505,
  "alert_type": "WAN_UPLINK_STATUS_CHANGE",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1505",
  "device_id": "CNJJKLB0NZ",
  "description": "Uplink port inet_inet status change UP -> DOWN for device WTH-9004-3 with serial CNJJKLB0NZ at 2021-02-03 11:01:35 UTC",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612350095,
  "details": {
    "intf_name": "inet_inet",
    "status": "UP",
    "current_status": "DOWN",
    "uplink_tag": "inet_inet",
    "hostname": "WTH-9004-3",
    "serial": "CNJJKLB0NZ",
    "group": "36",
    "labels": [ "8" ],
    "time": "2021-02-03 11:01:35 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "Uplink port inet_inet status change UP -> DOWN for device WTH-9004-3 with serial CNJJKLB0NZ at 2021-02-03 11:01:35 UTC"
}

Uplink Flapping
{
  "id": "AXe2GwY1o68tULajexWO",
  "nid": 1600,
  "alert_type": "WAN_UPLINK_FLAP",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1600",
  "device_id": "CNJJKLB0G6",
  "description": "Uplink inet_inet link status flapped 1% on device WTH_9004-1 with serial CNJJKLB0G6 for about 15 minutes since 2021-02-18 16:51:00 UTC.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1613667960,
  "details": {
    "intf_name": "inet_inet",
    "status": "DOWN",
    "current_status": "UP",
    "uplink_tag": "inet_inet",
    "hostname": "WTH_9004-1",
    "unit": "%",
    "serial": "CNJJKLB0G6",
    "group": "36",
    "labels": "8",
    "_rule_number": "0",
    "ds_key": "6039f9543bac449291bfcd19eb10d1eb.CNJJKLB0G6.uplink.flap.5m",
    "duration": "15",
    "threshold": "1",
    "time": "2021-02-18 16:51:00 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "Uplink inet_inet link status flapped 1% on device WTH_9004-1 with serial CNJJKLB0G6 for about 15 minutes since 2021-02-18 16:51:00 UTC."
}

Tunnel Flapping
{
  "id": "AXe2H5oGo68tULajexfD",
  "nid": 1601,
  "alert_type": "WAN_TUNNEL_FLAP",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1601",
  "device_id": "CNJJKLB0G6",
  "description": "Tunnel WTH_9004-1:inet_inet::GSK_VPNC2:vlan103 status flapped 1% on device WTH_9004-1 with serial CNJJKLB0G6 for about 15 minutes since 2021-02-18 16:56:00 UTC.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1613668260,
  "details": {
    "src_ip": "192.168.32.10",
    "dst_ip": "192.168.103.99",
    "alias_map_name": "WTH_9004-1:inet_inet::GSK_VPNC2:vlan103",
    "uplink_tag": "inet_inet",
    "hostname": "WTH_9004-1",
    "unit": "%",
    "serial": "CNJJKLB0G6",
    "group": "36",
    "labels": "8",
    "_rule_number": "0",
    "ds_key": "6039f9543bac449291bfcd19eb10d1eb.CNJJKLB0G6.uplink.tunnel.flap.5m",
    "duration": "15",
    "threshold": "1",
    "time": "2021-02-18 16:56:00 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "Tunnel WTH_9004-1:inet_inet::GSK_VPNC2:vlan103 status flapped 1% on device WTH_9004-1 with serial CNJJKLB0G6 for about 15 minutes since 2021-02-18 16:56:00 UTC."
}

IPSec Establishment Failure
{
  "id": "AXdi4-5Bo68tULajRU_R",
  "nid": 1550,
  "alert_type": "WAN_IPSEC_SA_ESTABILSHMENT_FAILED",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1550",
  "device_id": "CNJJKLB0NZ",
  "description": "IPSec Tunnel Establishment from 192.168.36.10 to 192.168.103.99 failed on device WTH-9004-3 with serial CNJJKLB0NZ at 2021-02-02 13:17:20 UTC",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612271840,
  "details": {
    "src_ip": "192.168.36.10",
    "dst_ip": "192.168.103.99",
    "alias_map_name": "WTH-9004-3:inet_inet::GSK_VPNC2:vlan103",
    "link_tag": "inet_inet",
    "hostname": "WTH-9004-3",
    "serial": "CNJJKLB0NZ",
    "group": "36",
    "labels": [ "8" ],
    "time": "2021-02-02 13:17:20 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "IPSec Tunnel Establishment from 192.168.36.10 to 192.168.103.99 failed on device WTH-9004-3 with serial CNJJKLB0NZ at 2021-02-02 13:17:20 UTC"
}

IPSec SA Down
{
  "id": "AXdi4Qjgo68tULajRUzp",
  "nid": 1551,
  "alert_type": "WAN_IPSEC_SA_DOWN",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1551",
  "device_id": "CNJJKLB0G6",
  "description": "IPSec tunnel WTH_9004-1:inet2_inet::GSK_VPNC2:vlan103 from 192.168.31.10 to 192.168.103.99 is DOWN on device WTH_9004-1 with serial CNJJKLB0G6. Reason: Administrator cleared IPSEC SA at 2021-02-02 13:14:11 UTC",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612271651,
  "details": {
    "src_ip": "192.168.31.10",
    "dst_ip": "192.168.103.99",
    "reason": "Administrator cleared IPSEC SA",
    "alias_map_name": "WTH_9004-1:inet2_inet::GSK_VPNC2:vlan103",
    "uplink_tag": "inet2_inet",
    "hostname": "WTH_9004-1",
    "serial": "CNJJKLB0G6",
    "group": "36",
    "labels": [ "8" ],
    "time": "2021-02-02 13:14:11 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "IPSec tunnel WTH_9004-1:inet2_inet::GSK_VPNC2:vlan103 from 192.168.31.10 to 192.168.103.99 is DOWN on device WTH_9004-1 with serial CNJJKLB0G6. Reason: Administrator cleared IPSEC SA at 2021-02-02 13:14:11 UTC"
}

All IPSec SAs Down
{
  "id": "AXdi4Qoyo68tULajRUzs",
  "nid": 1552,
  "alert_type": "WAN_IPSEC_SA_ALL_DOWN",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1552",
  "device_id": "CNJJKLB0G6",
  "description": "All IPSec SAs down for device WTH_9004-1 with serial CNJJKLB0G6 at 2021-02-02 13:14:11 UTC",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1612271651,
  "details": {
    "hostname": "WTH_9004-1",
    "serial": "CNJJKLB0G6",
    "group": "36",
    "labels": [ "8" ],
    "time": "2021-02-02 13:14:11 UTC"
  },
  "webhook": "a82456c8-1402-4fe1-a195-0131e6b392ee",
  "text": "All IPSec SAs down for device WTH_9004-1 with serial CNJJKLB0G6 at 2021-02-02 13:14:11 UTC"
}

Gateway Cellular Data Usage
{
  "id": "AXuqDamDKFHq3kj2qihO",
  "nid": 1511,
  "alert_type": "CELLULAR_DATA_USAGE",
  "setting_id": "082445a5b8264597bce334f932c9a3a4-1511",
  "device_id": "TWJCKSP01C",
  "description": "Cellular data usage 11 MB has exceeded the configured limit 1 MB for Gateway Aruba9004-LTE with serial TWJCKSP01C",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1630645627,
  "details": {
    "usage": "11 MB",
    "limit": "1 MB",
    "name": "Aruba9004-LTE",
    "serial": "TWJCKSP01C",
    "group": "6",
    "labels": [],
    "time": "2021-09-03 05:07:07 UTC"
  },
  "webhook": "a7b7f0de-2465-4340-b491-d9ea676326f3",
  "text": "Cellular data usage 11 MB has exceeded the configured limit 1 MB for Gateway Aruba9004-LTE with serial TWJCKSP01C"
}

Gateway Firmware Upgrade Failed
{
  "id": "AXvSPh4-KFHq3kj2rcg9",
  "nid": 2201,
  "alert_type": "GW_FW_UPGRADE_FAILURE",
  "setting_id": "082445a5b8264597bce334f932c9a3a4-2201",
  "device_id": "",
  "description": "Firmware upgrade failed for gateway (NAME Aruba9004-LTE_95_EA_76 SN MAC 20:4c:03:95:ea:76)",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1631319891,
  "details": {
    "mac": "20:4c:03:95:ea:76",
    "hostname": "Aruba9004-LTE_95_EA_76",
    "serial": "",
    "group": "6",
    "labels": "",
    "_rule_number": "0",
    "params": "",
    "time": "2021-09-11 00:24:51 UTC"
  },
  "webhook": "87fae42a-78ec-45c0-a22a-4f81417cad56",
  "text": "Firmware upgrade failed for gateway (NAME Aruba9004-LTE_95_EA_76 SN MAC 20:4c:03:95:ea:76)"
}

Uplink Speed Flapping
{
  "id": "AXwCtmSrKFHq3kj2s2hh",
  "nid": 1602,
  "alert_type": "WAN_AUTO_NEGOTIATION_FLAP",
  "setting_id": "082445a5b8264597bce334f932c9a3a4-1602",
  "device_id": "TWJCKSP01C",
  "description": "Uplink GE0/0/1 speed flapped 1% on device Aruba9004-LTE_95_EA_76 with serial TWJCKSP01C for about 15 minutes since 2021-09-20 10:03:00 UTC.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1632133080,
  "details": {
    "intf_name": "GE0/0/1",
    "speed": "1000",
    "new_speed": "100",
    "hostname": "Aruba9004-LTE_95_EA_76",
    "serial": "TWJCKSP01C",
    "group": "6",
    "labels": "8,7",
    "unit": "%",
    "_rule_number": "0",
    "ds_key": "082445a5b8264597bce334f932c9a3a4.TWJCKSP01C.uplink.speed.flap.5m",
    "duration": "15",
    "threshold": "1",
    "time": "2021-09-20 10:03:00 UTC"
  },
  "webhook": "4a1b58b1-3371-471e-8093-73c07fb6b384",
  "text": "Uplink GE0/0/1 speed flapped 1% on device Aruba9004-LTE_95_EA_76 with serial TWJCKSP01C for about 15 minutes since 2021-09-20 10:03:00 UTC."
}

WAN Uplink Input Errors
{
  "id": "AX0JamvlJ_Ty_F5wJkqF",
  "nid": 1507,
  "alert_type": "WAN_UPLINK_INPUT_ERRORS",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1507",
  "device_id": "SCA0000006",
  "description": "Input errors for Uplink Interface GE 0/0/0 on Gateway CSIM_SCA0000006 with serial SCA0000006 has been above 1% for about 5 minutes since 2021-11-10 10:30:09 UTC.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1636540509,
  "details": {
    "intf_name": "GE 0/0/0",
    "hostname": "CSIM_SCA0000006",
    "serial": "SCA0000006",
    "group": "0",
    "labels": "48",
    "_rule_number": "0",
    "ds_key": "6039f9543bac449291bfcd19eb10d1eb.SCA0000006.intf.inerrors_percent.5m",
    "duration": "5",
    "threshold": "1",
    "time": "2021-11-10 10:30:09 UTC"
  },
  "webhook": "4c09b716-eb38-4c4f-8a3f-61f476eb9ca6",
  "text": "Input errors for Uplink Interface GE 0/0/0 on Gateway CSIM_SCA0000006 with serial SCA0000006 has been above 1% for about 5 minutes since 2021-11-10 10:30:09 UTC.",
  "cluster_hostname": "app-yoda.arubathena.com"
}

WAN Uplink Output Errors
{
  "id": "AX0JazwZJ_Ty_F5wJkqp",
  "nid": 1508,
  "alert_type": "WAN_UPLINK_OUTPUT_ERRORS",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1508",
  "device_id": "SCA0000096",
  "description": "Output errors for Uplink Interface GE 0/0/2 on Gateway CSIM_SCA0000096 with serial SCA0000096 has been above 1% for about 5 minutes since 2021-11-10 10:31:02 UTC.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1636540562,
  "details": {
    "intf_name": "GE 0/0/2",
    "hostname": "CSIM_SCA0000096",
    "serial": "SCA0000096",
    "group": "0",
    "_rule_number": "0",
    "ds_key": "6039f9543bac449291bfcd19eb10d1eb.SCA0000096.intf.outerrors_percent.5m",
    "duration": "5",
    "threshold": "1",
    "time": "2021-11-10 10:31:02 UTC"
  },
  "webhook": "4c09b716-eb38-4c4f-8a3f-61f476eb9ca6",
  "text": "Output errors for Uplink Interface GE 0/0/2 on Gateway CSIM_SCA0000096 with serial SCA0000096 has been above 1% for about 5 minutes since 2021-11-10 10:31:02 UTC.",
  "cluster_hostname": "app-yoda.arubathena.com"
}

WAN Uplink PHY Errors
{
  "id": "AX0Jamx2J_Ty_F5wJkqG",
  "nid": 1509,
  "alert_type": "WAN_UPLINK_PHY_ERRORS",
  "setting_id": "6039f9543bac449291bfcd19eb10d1eb-1509",
  "device_id": "SCA0000006",
  "description": "PHY errors for Uplink Interface GE 0/0/2 on Gateway CSIM_SCA0000006 with serial SCA0000006 has been above 1% for about 5 minutes since 2021-11-10 10:30:09 UTC.",
  "state": "Open",
  "severity": "Critical",
  "operation": "create",
  "timestamp": 1636540509,
  "details": {
    "intf_name": "GE 0/0/2",
    "hostname": "CSIM_SCA0000006",
    "serial": "SCA0000006",
    "group": "0",
    "labels": "48",
    "_rule_number": "0",
    "ds_key": "6039f9543bac449291bfcd19eb10d1eb.SCA0000006.intf.phyerrors_percent.5m",
    "duration": "5",
    "threshold": "1",
    "time": "2021-11-10 10:30:09 UTC"
  },
  "webhook": "4c09b716-eb38-4c4f-8a3f-61f476eb9ca6",
  "text": "PHY errors for Uplink Interface GE 0/0/2 on Gateway CSIM_SCA0000006 with serial SCA0000006 has been above 1% for about 5 minutes since 2021-11-10 10:30:09 UTC.",
  "cluster_hostname": "app-yoda.arubathena.com"
}

Miscellaneous Alerts--Sample JSON

This section includes sample JSON content for the following alerts:

Device Config Change Detected
{
  "alert_type": "DEVICE_CONFIG_CHANGE_DETECTED",
  "description": "Config change detected on group nbapi_test for device type Switch by user [email protected].\n\nSerial: None, \nMacAddress: None, \nConfig Content: Template Updated \nmodel: ALL\nversion: ALL\ndevice_type: HPPC\ntemplate changes: \n @@ -18,6 +18,6 @@\n\n\n ip address dhcp-bootp\n\n exit\n\n vlan 13\n\n- name \"vlan_8888\"\n\n+ name \"vlan_44\"\n\n no ip address\n\n exit ",
  "timestamp": 1564383294,
  "webhook": "272eda1a-f79b-4192-ad6f-b35da11515bc",
  "setting_id": "715e45fe3ff8453da355cd34aff2afa5-2000",
  "state": "Open",
  "nid": 2000,
  "details": {
    "config_change": "Template Updated\nmodel: ALL\nversion: ALL\ndevice_type: HPPC\ntemplate changes: \n @@ -18,6 +18, 6 @@\n\n\n ip address dhcp-bootp\n\n exit\n\n vlan 13\n\n- name \"vlan_8888\"\n\n+ name \"vlan_44\"\n\n no ip address\n\n exit ",
    "macaddr": "None",
    "group": "8",
    "dev_type": "Switch",
    "labels": "None",
    "group_name": "nbapi_test",
    "_rule_number": "0",
    "params": "None",
    "user": "[email protected]",
    "time": "2019-07-29 06:54:54 UTC",
    "serial": "None"
  },
  "operation": "create",
  "device_id": "",
  "id": "AWw8grSBeZ6A6PlBvMk4",
  "severity": "Warning"
}

User Account Deleted
{
  "alert_type": "User account deleted",
  "description": "User with name [email protected] deleted.",
  "timestamp": 1569234480,
  "webhook": "057b0a95-9f06-4a0f-b4bf-149a28d749b3",
  "setting_id": "573b0412517a41c8a73a80f3e74ff0d2-15",
  "state": "Open",
  "nid": 15,
  "details": {
    "group": "-1",
    "labels": "None",
    "params": [ "[email protected]" ],
    "_rule_number": "0",
    "time": "2019-09-23 10:28:00 UTC"
  },
  "operation": "create",
  "device_id": "",
  "id": "AW1dqe6rYu0OgJ2alXzT",
  "severity": "Major"
}

New User Account Added
{
  "alert_type": "New User account added",
  "description": "User account setting updated for user: [email protected] with language:en_US and idle timeout: 1800",
  "timestamp": 1569234534,
  "webhook": "057b0a95-9f06-4a0f-b4bf-149a28d749b3",
  "setting_id": "573b0412517a41c8a73a80f3e74ff0d2-14",
  "state": "Open",
  "nid": 14,
  "details": {
    "group": "-1",
    "labels": "None",
    "params": [],
    "_rule_number": "0",
    "time": "2019-09-23 10:28:54 UTC"
  },
  "operation": "create",
  "device_id": "",
  "id": "AW1dqr6nYu0OgJ2alX1l",
  "severity": "Major"
}

User Account Edited
{
  "alert_type": "User account edited",
  "description": "User with Name [email protected], role readwrite and access [] updated.",
  "timestamp": 1569235100,
  "webhook": "057b0a95-9f06-4a0f-b4bf-149a28d749b3",
  "setting_id": "573b0412517a41c8a73a80f3e74ff0d2-16",
  "state": "Open",
  "nid": 16,
  "details": {
    "group": "-1",
    "labels": "None",
    "params": [ "[email protected]", "readwrite", "[]" ],
    "_rule_number": "0",
    "time": "2019-09-23 10:38:20 UTC"
  },
  "operation": "create",
  "device_id": "",
  "id": "AW1ds2LcYu0OgJ2alYM2",
  "severity": "Major"
}

Integrating Aruba Central with ServiceNow

ServiceNow is an IT service management platform that allows you to automatically create incidents or IT tickets based on a live data feed from a Webhook service. If you have a ServiceNow instance, you can configure a Webhook service on Aruba Central to send a notification feed. The ServiceNow integration enables your current IT infrastructure management systems to automatically generate an IT incident or a ticket whenever an alert is triggered due to a user-generated event in Aruba Central.

Before You Begin

Before you begin, ensure that you have a valid ServiceNow account. If you do not have a ServiceNow instance, create an instance before you proceed with the steps described in the following sections. For more information on creating a ServiceNow instance, see the ServiceNow user documentation.

Integration Workflow

Complete the following steps to enable ServiceNow integration with Aruba Central:
- Step 1: Add the Hash Library to Your ServiceNow Instance
- Step 2: Create a Scripted REST API to Obtain a Webhook URL
- Step 3: Configure a Webhook in Aruba Central
- Step 4: Configure an Alert in Aruba Central
- Step 5: Verify the Integration Status

Step 1: Add the Hash Library to Your ServiceNow Instance

To get started with the ServiceNow integration, create a new script with the hash library in your ServiceNow instance. The hash library is required for header authentication.
1. Log in to ServiceNow with your user credentials.
2. Click Manage > Instance and log in to your instance.
3. Go to System Definition > Script Includes.
4. Click New.
5. Name the script Hashes.
6. Select All application scopes from the Accessible from drop-down list.
7. Select the Client callable check box.
8. Go to the GitHub Gist website that hosts the hash library.
9. Copy the snow_hashes.js file content and paste it in the Script text box.
10. Click Submit.

Step 2: Create a Scripted REST API to Obtain a Webhook URL

To create a Scripted REST API to obtain a webhook URL, complete the following steps:
1. In your ServiceNow instance, go to System Web Services > Scripted REST APIs.
2. Click New. The REST API creation page is displayed.
3. Provide a name and the API ID.
4. Click Submit. The API is added to the list of REST APIs.
5. Open the REST API you just created.
6. To add a REST resource with header and query parameters, click New in the Resources tab. The Scripted REST Resource New record page is displayed.
7. Provide a name for the resource.
8. Select POST for the HTTP method.
9. Clear the Requires authentication check box.
10. In the Script section, add the following text:

    (function process( /*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
        // Calculate signature for verification using request headers, data and token
        var centralService = request.getHeader('X-Central-Service');
        var centralDeliveryId = request.getHeader('X-Central-Delivery-ID');
        var centralDeliveryTimestamp = request.getHeader('X-Central-Delivery-Timestamp');
        var token = "<webhook_token>";
        var body = request.body.dataString;
        var message = body + centralService + centralDeliveryId + centralDeliveryTimestamp;
        var calculatedSign = new Hashes.SHA256().b64_hmac(token, message);
        // Signature sent by Aruba Central
        var signFromServer = request.getHeader('X-Central-Signature');
        var low_severities = ["Minor", "Warning"];
        if (calculatedSign == signFromServer) {
            var event = JSON.parse(body);
            // Only process events from Central that have state Open
            if (event.state == "Open") {
                var inc = new GlideRecord('incident');
                inc.initialize();
                inc.short_description = event.alert_type;
                inc.state = 1;
                // indexOf is used so the check also runs on ES5-only script engines
                if (low_severities.indexOf(event.severity) !== -1) {
                    inc.impact = 3;
                    inc.urgency = 3;
                } else if (event.severity == "Major") {
                    inc.impact = 2;
                    inc.urgency = 2;
                } else if (event.severity == "Critical") {
                    inc.impact = 1;
                    inc.urgency = 1;
                }
                inc.description = event.description;
                inc.insert();
            }
            response.setStatus(200);
            response.setBody({ status: "success" });
        } else {
            response.setStatus(200);
            response.setBody({ status: "failure" });
        }
    })(request, response);

    After you create a Webhook in Aruba Central, replace the Webhook token (the <webhook_token> placeholder in the above code sample) in your Scripted REST API.
11. Click Submit. The Scripted REST API you just created is added to your list of APIs.
12. Note the base API path. The base API path must be appended to your Webhook URL.
13. Ensure that your Webhook URL is in the following format: https://<yourInstanceName>.service-now.com/<baseApiPath>.

Step 3: Configure a Webhook in Aruba Central

To create a Webhook in Aruba Central, complete the following steps:
1. In the Account Home page, under Global Settings, click Webhooks. The Webhooks page is displayed.
2. In the Webhook tab, click the + sign. The Add Webhook pop-up box opens.
   a. Name--Enter a name for the Webhook.
   b. Retry Policy--Select any one of the following options:
      - None--Select this to have no retry.
      - Important--Select this to have up to 5 retries over 6 minutes.
      - Critical--Select this to have up to 5 retries over 27 hours.
   c. URLs--Enter the URL. Click + to enter another URL. You can add up to three URLs.
      https://<yourInstanceName>.service-now.com/<baseApiPath>
      The URL must include your ServiceNow instance and the base API path generated for your Scripted REST API.
3. Click Save. The Webhook is created and listed in the Webhook table.
4. Note the token ID.
5. Go back to your ServiceNow instance and update the Webhook token in the script text of the Scripted REST API you created in step 2.

You can also create a Webhook using the API interface. For more information, see the Webhook documentation in the Aruba Central documentation portal.

Step 4: Configure an Alert in Aruba Central

To configure an alert in Aruba Central, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Analyze, click Alerts & Events to view the alert and events dashboard.
3. To configure alerts, click the Config icon.
4. In the Alert Severities & Notifications page, click All.
5. Select an alert and click + to enable the alert with default settings.
6. Configure the following alert parameters.
   a. Severity--Set the severity. The available options are Critical, Major, Minor, and Warning.
   b. Duration--Enter the duration in minutes.
   c. Device Filter Options--(Optional) You can restrict the scope of an alert by setting any of the following parameters:
      - Group--Select a group to limit the alert to a specific group.
      - Label--Select a label to limit the alert to a specific label.
      - Device--Select a device to limit the alert to a specific device.
   d. Select the Webhook check box under Notification Options and select a webhook from the drop-down list.
   e. Click Save.

Step 5: Verify the Integration Status

To verify that the integration is successful, complete the following steps:
1. Trigger an alert from Aruba Central.
2. Verify that an incident is created in your ServiceNow instance.

SAML SSO for Aruba Central

The Single Sign On (SSO) solution simplifies user management by allowing users to access multiple applications and services with a single set of login credentials. If the applications and services are offered by different vendors, IT administrators can use the SAML authentication and authorization framework to provide a seamless login experience for their users.

To provide a seamless login experience for users whose identity is managed by an external authentication source, Aruba Central now offers a federated SSO solution based on the SAML 2.0 authentication and authorization framework. SAML is an XML-based open standard for exchanging authentication and authorization data between trusted partners; in particular, between an application service provider and the identity management system used by an enterprise. With Aruba Central's SAML SSO solution, organizations can manage user access using a single authentication and authorization source.

SAML SSO Solution Overview

The SAML SSO solution consists of the following key elements:
- Service Provider (SP)--The provider of a business function or service; for example, Aruba Central. The service provider requests and obtains an identity assertion from the IdP.
  Based on this assertion, the service provider allows a user to access the service.
- Identity Provider (IdP)--The identity management system that maintains identity information of the user and authenticates the user.
- SAML Request--The authentication request that is generated when a user tries to access the Aruba Central portal.
- SAML Assertion--The authentication and authorization information issued by the IdP to allow access to the service offered by the service provider (Aruba Central portal).
- Relying Party--The business service that relies on the SAML assertion for authenticating a user; for example, Aruba Central.
- Asserting Party--The identity management system or the IdP that creates SAML assertions for a service provider.
- Metadata--Data in the XML format that is exchanged between the trusted partners (IdP and Aruba Central) for establishing interoperability.
- SAML Attributes--The attributes associated with the user; for example, username, customer ID, role, and group in which the devices belonging to a user account are provisioned. The SAML attributes must be configured on the IdP according to specifications associated with a user account in Aruba Central. These attributes are included in the SAML assertion when Aruba Central sends a SAML request to the IdP.
- Entity ID--A unique string to identify the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not all providers require it to be a URL.
- Assertion Services Consumer URL--The URL that sends the SAML request and receives the SAML response from the IdP.
- User--User with SSO credentials.

- The Aruba Central SAML SSO solution supports only the HTTP Redirect POST method for sending and receiving SAML requests and responses.
- The SAML SSO integration allows federated users to access only the Central UI. The API Gateway access is restricted to system users that are configured and managed from Aruba Central.

How SAML SSO Works

Aruba Central supports the following types of SAML SSO workflows:
- SP-initiated SSO
- IdP-initiated SSO

SP-initiated SSO

In an SP-initiated SSO workflow, the SSO request originates from the service provider domain, that is, from Aruba Central. When a user tries to access Aruba Central, a federation authentication request is created and sent to the IdP server.

The following figure illustrates the standard SP-initiated SAML SSO workflow:

Figure 52 SP-Initiated SSO

The SP-initiated SSO workflow with Aruba Central is supported only through the HTTP Redirect POST method. In other words, Aruba Central sends an HTTP redirect message with an authentication request to the IdP through the user's browser. The IdP sends a SAML response with an assertion to Aruba Central through HTTP POST.

The SP-initiated SSO workflow with HTTP Redirect POST includes the following steps:
1. The user tries to access Aruba Central and the request is redirected to the IdP.
2. Aruba Central sends an HTTP redirect message with the SAML request to the IdP for authentication through the user's browser.
3. The user logs in with the SSO credentials.
4. On successful authentication, the IdP sends a digitally signed HTML form with SAML assertion and attributes to Aruba Central through the web browser.
5. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access to the user.

IdP-initiated SSO

In the IdP-initiated workflow, the SSO request originates from the IdP domain. The IdP server creates a SAML response and redirects the users to Aruba Central. The Aruba Central SAML SSO deployments support the IdP-initiated SSO workflow through the HTTP POST method.

The IdP-initiated SSO workflow consists of the following steps:
1. The user is logged in to the IdP and tries to access Aruba Central.
2. The IdP sends a digitally signed HTML form with SAML assertion and attributes to Aruba Central through the web browser.
3. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access to the user.

The following figure illustrates the standard IdP-initiated SAML SSO workflow:

Figure 53 IdP-Initiated SSO

SAML SSO Single Logout

Aruba Central supports Single Logout (SLO) of SAML SSO users. SLO allows users to terminate server sessions established using SAML SSO by initiating the logout process once. SAML SLO can be initiated either from the Service Provider or the IdP. However, Aruba Central supports only the IdP-initiated SLO.

IdP-initiated SAML SLO

The IdP-initiated logout workflow includes the following steps:
1. The user logs out of the IdP.
2. The IdP sends a logout request to Aruba Central.
3. Aruba Central validates the logout request from the IdP, terminates the user session, and sends a logout response to the IdP.
4. The user is logged out of Aruba Central.
5. After the IdP receives a logout response from all service providers, the IdP logs out the user.

Configuring SAML SSO

The SAML SSO configuration for Aruba Central includes the following steps:
1. Configuring user accounts and roles in Aruba Central. For more information, see the Managing User Access topic in Aruba Central Help Center.
2. Configuring a SAML authorization profile in Aruba Central.
3. Configuring Service Provider metadata such as metadata URL, service consumer URL, Name and other attributes on the IdP server.

Configuring SAML Authorization Profiles in Aruba Central

For the SAML SSO solution with Aruba Central, you must configure a valid SAML authorization profile in the Aruba Central portal.

Important Points to Note

The following are the important points to note about SAML authorization in Aruba Central:
- The SAML authorization profile configuration feature is available only for the admin users of an Aruba Central account.
  Aruba Central allows only MSP admin users to configure SAML authorization profiles for their respective tenant accounts.
- Each domain can have only one federation. There must be at least one verified user belonging to the domain in the system users' list.
- Aruba Central allows only one authorization profile per domain.
- SAML user access is determined by the role attribute included in the SAML token provided by the IdP.
- SAML users with admin privileges can configure system users in Aruba Central.
- SAML users can initiate a Single Sign On request by trying to log in to Aruba Central (SP-initiated login). However, SAML users cannot initiate a single logout request from Aruba Central.
- The following menu options in Aruba Central UI are not available for a SAML user:
    - Enable MSP and Disable MSP--SAML users cannot enable or disable MSP deployment mode in Aruba Central.
    - Change Password--Aruba Central does not support changing the password of a SAML user account.

Before You Begin
Before you begin, ensure that you have the following information:
- Entity ID--A unique string that identifies the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not all providers require it to be a URL.
- Login URL--Login URL configured on the IdP server.
- Logout URL--Logout URL configured on the IdP server.
- Certificate Details--SAML signing certificate in the Base64 encoded format. The SAML signing certificates are required for verifying the identity of the IdP server and relying applications such as Aruba Central.
- Metadata URL--Service provider metadata URL configured on the IdP server.

SAML profiles can also be configured using NB APIs. If you want to use NB APIs for configuring SAML profiles, use the APIs available under the SSO Configuration category in Aruba Central API Gateway.

Configuring a SAML Authorization Profile
To configure the SAML authorization profiles in Aruba Central, complete the following steps:
1. In the Account Home page, under Global Settings, click Single Sign On. The Single Sign On page is displayed.
2. To add an authorization profile, enter the domain name.
    - Ensure that the domain has at least one verified user.
    - For public cloud deployments, Aruba Central does not support adding hpe.com, arubanetworks.com and other free public domain names, such as Gmail.com, Yahoo.com, or Facebook.com, for SAML authorization profiles.
3. Click Add SAML Profile.
4. To manually enter the metadata:
    a. Select Manual Setting and enter the following information:
        - Entity ID--Entity ID configured on the IdP server.
        - Login URL--Login URL configured on the IdP server.
        - Logout URL--Logout URL configured on the IdP server.
        - Certificate--Certificate details. Ensure that the certificate content is in the Base64 encoded format. You can either upload a certificate or paste the contents of the certificate in the text box.
       Ensure that the Entity ID, Login URL, and Logout URL fields have valid HTTPS URLs.
    b. Click Save.
   The following figure shows an example for the manual entry of metadata:
   Figure 54 Manual Addition of Metadata
5. If you have already configured the IdP server and downloaded the metadata file, you can upload the metadata file. To upload a metadata file:
    a. Select Metadata File. Ensure that the metadata file is in the XML format and that it includes valid certificate content and HTTPS URLs for the Entity ID, Login URL, and Logout URL fields.
    b. Click Browse and select the IdP metadata file. Aruba Central extracts the Entity ID, Login URL, Logout URL, and certificate content.
    c. Verify the details.
    d. Click Save.
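
The requirements stated in the steps above (XML format, HTTPS URLs for the Entity ID, Login URL, and Logout URL, and Base64 certificate content) can be checked on an IdP metadata file before it is uploaded. The following Python script is an added example, not Aruba code: the function names, the idp.example.com URLs, and the placeholder certificate bytes are constructed for illustration, and the certificate test only confirms Base64-encoded DER, not that the certificate is valid or trusted.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}


def _is_https(url):
    parts = urlparse(url or "")
    return parts.scheme == "https" and bool(parts.netloc)


def _looks_like_der(b64_text):
    """True if the text is strict Base64 that decodes to a DER SEQUENCE."""
    try:
        raw = base64.b64decode("".join((b64_text or "").split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw[:1] == b"\x30"


def check_idp_metadata(xml_text):
    """Return (fields, problems) for an IdP metadata document."""
    fields = dict.fromkeys(("entity_id", "login_url", "logout_url", "certificate"))
    # SAML metadata needs no DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return fields, ["DTD or entity declaration present; refusing to parse"]
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        return fields, [f"not well-formed XML: {exc}"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{MD}}}EntityDescriptor" or idp is None:
        return fields, ["expected md:EntityDescriptor containing md:IDPSSODescriptor"]

    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    fields["entity_id"] = root.get("entityID")
    fields["login_url"] = sso.get("Location") if sso is not None else None
    fields["logout_url"] = slo.get("Location") if slo is not None else None

    # Use the signing key; a KeyDescriptor without "use" serves both purposes.
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use") in (None, "signing"):
            cert = key.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None:
                fields["certificate"] = "".join((cert.text or "").split())
                break

    problems = []
    for label, name in (("Entity ID", "entity_id"), ("Login URL", "login_url"),
                        ("Logout URL", "logout_url")):
        if not _is_https(fields[name]):
            problems.append(f"{label} is missing or not an HTTPS URL: {fields[name]!r}")
    if not _looks_like_der(fields["certificate"]):
        problems.append("signing certificate is missing or not Base64-encoded DER")
    return fields, problems


# Constructed placeholder bytes (a DER SEQUENCE header plus zeros), not a real certificate.
FAKE_CERT = base64.b64encode(b"\x30\x82\x00\x20" + bytes(32)).decode()

# Constructed sample metadata for a hypothetical IdP at idp.example.com.
SAMPLE_GOOD = f"""
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Same document with a plain-HTTP logout URL and a corrupted certificate.
SAMPLE_BAD = (SAMPLE_GOOD.replace("https://idp.example.com/slo", "http://idp.example.com/slo")
              .replace(FAKE_CERT, "not-base64!"))

if __name__ == "__main__":
    for name, doc in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        fields, problems = check_idp_metadata(doc)
        print(name, fields["entity_id"], problems or "OK")
```

An empty problem list means the file meets the format requirements listed in step 5; the extracted values should still be compared with what the IdP administrator published before saving the profile.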
The following figure shows an example for the content imported from a metadata file:
Figure 55 Importing Information from a Metadata File

Configuring Service Provider Metadata in IdP
Aruba Central supports the SAML SSO authentication framework with various identity management vendors such as ADFS, PingFederate, Aruba ClearPass Policy Manager, and so on. Aruba recommends that you look up the instructions provided by your organization for adding service provider metadata to the IdP server in your setup.
Some of the generic and necessary attributes that must be configured on the IdP server for SAML integration with Aruba Central are described in the following list:
- Metadata URL--URL that provides service provider metadata.
- Entity ID--A unique string that identifies the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not all providers require it to be a URL.
- Assertion Services Consumer URL--The URL that sends SAML SSO login requests and receives the authentication response from the IdP.
- NameID--The NameID attribute must include the email address of the user.
    <NameID>[email protected]</NameID>
  If the NameID attribute does not return the email address of the user, you can use the aruba_user_email attribute. Ensure that you configure the NameID or the aruba_user_email attribute for each user.
- SAML Attributes--The following example shows the syntax structure for SAML attributes:
    #customer 1
    aruba_1_cid = <customer-id>
    # app1, scope1
    aruba_1_app_1 = central
    aruba_1_app_1_role_1 = <readonly>
    aruba_1_app_1_role_1_tenant = <admin>
    aruba_1_app_1_group_1 = groupx, groupy
    aruba_1_app_2 = device_profiling
    aruba_1_app_2_role_1 = <readonly>
    aruba_1_app_3 = account_setting
    aruba_1_app_3_role_1 = <readonly>
    #customer 2
    aruba_2_cid = <customer-id>
    # app1, scope1
    aruba_2_app_1 = central
    aruba_2_app_1_role_1 = <readonly>
    aruba_2_app_1_role_1_tenant = <admin>
    aruba_2_app_1_group_1 = groupx, groupy
    aruba_2_app_2 = device_profiling
    aruba_2_app_2_role_1 = <readonly>
    aruba_2_app_3 = account_setting
    aruba_2_app_3_role_1 = <readonly>

Note the following points when defining SAML attributes in the IdP server:
- cid--Customer ID. If you have multiple customers, define attributes separately for each customer ID.
- app--Application. Set the value as per the following:
    - Network Operations--central
    - ClearPass Device Insight--device_profiling
    - Account Home--account_setting
- role--User role. Specify the user role. If no role is defined, Aruba Central assigns the read-only role to the user. If the user is not a part of any role or group in the LDAP server, by default, the user is provided with read-only access in Aruba Central.
- tenant role--Tenant user role. If the tenant role is not defined in the IdP, the MSP role is assigned to the SAML user.
- group--Group in Aruba Central. When a group is specified in the attribute, the user is allowed to access only the devices in that group. If the attribute does not include any group, Aruba Central allows SAML SSO users to access all groups. You can also configure custom attributes to add multiple groups if the user requires access to multiple groups.

Aruba Central recommends that you configure the Account Home application. However, if you do not return the Account Home application from the IdP, the Network Operations role is applied by default.

See Also:
- Configuring Service Provider Metadata in Microsoft ADFS
- Configuring Service Provider Metadata in PingFederate IdP
- Configuring Service Provider Metadata in Aruba ClearPass Policy Manager
- Configuring Service Provider Metadata in G Suite

Configuring Service Provider Metadata in Microsoft ADFS
This procedure describes the steps required for configuring service provider metadata in Microsoft Active Directory Federation Services (ADFS) for SAML integration with Aruba Central. ADFS runs on Windows Servers and provides users with SSO access to application services hosted by the trusted service providers.
This topic provides a basic set of guidelines required for setting up the ADFS instance on a Windows Server 2016 as an IdP. The images used in this procedure may change with Windows Server updates.

Before you Begin
- Go through the SAML SSO feature description to understand how the SAML framework works in the context of Aruba Central.
- Ensure that ADFS is installed and available for configuration on a Windows server. For more information, see the ADFS Deployment Guide.
- Ensure that an Active Directory security group is configured and the users are added as group members. For more information, see the ADFS Deployment Guide.
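
Before the claim rules are built on the IdP, the attribute set planned for a user can be checked against the naming scheme and the defaults described under Configuring Service Provider Metadata in IdP: a missing role gives read-only access, a missing group gives access to all groups, a missing tenant role gives the MSP role, and a missing Account Home application means the Network Operations role applies. The following Python linter is an added example, not Aruba code: the function name, the msp_account switch, the sample values, and the choice to check group and tenant scoping on the central application only are assumptions made for illustration.

```python
import re

# Application values listed on the page (Network Operations, ClearPass Device
# Insight, Account Home).
KNOWN_APPS = {"central", "device_profiling", "account_setting"}

# aruba_<n>_cid | aruba_<n>_app_<m> | ..._role_<r>[_tenant] | ..._group_<g>
ATTR_RE = re.compile(
    r"^aruba_(?P<cust>\d+)_(?:cid|app_(?P<app>\d+)"
    r"(?:_(?:role_(?P<role>\d+)(?P<tenant>_tenant)?|group_(?P<group>\d+)))?)$"
)


def resolve_access(attrs, msp_account=False):
    """Return (customers, findings) for a flat {attribute name: value} mapping."""
    customers, findings = {}, []
    for name, value in attrs.items():
        m = ATTR_RE.match(name)
        if m is None:
            if name != "aruba_user_email":  # the page's alternative to NameID
                findings.append(f"{name}: does not match the aruba_<n>_... naming scheme")
            continue
        cust = customers.setdefault(int(m["cust"]), {"cid": None, "apps": {}})
        if m["app"] is None:
            cust["cid"] = value
            continue
        app = cust["apps"].setdefault(
            int(m["app"]), {"name": None, "roles": [], "tenant_roles": [], "groups": []})
        if m["tenant"]:
            app["tenant_roles"].append(value)
        elif m["role"]:
            app["roles"].append(value)
        elif m["group"]:
            app["groups"] += [g.strip() for g in value.split(",") if g.strip()]
        else:
            app["name"] = value

    for n, cust in sorted(customers.items()):
        if not cust["cid"]:
            findings.append(f"customer {n}: aruba_{n}_cid is missing")
        returned = set()
        for a, app in sorted(cust["apps"].items()):
            where = f"customer {n} app {a}"
            if app["name"] not in KNOWN_APPS:
                findings.append(f"{where}: app value {app['name']!r} is not a listed application")
                continue
            returned.add(app["name"])
            if not app["roles"]:
                findings.append(f"{where} ({app['name']}): no role, read-only role applies")
            # Assumption: group and tenant scoping are checked on the central app
            # only, mirroring the page's sample where only that app carries them.
            if app["name"] == "central":
                if not app["groups"]:
                    findings.append(f"{where}: no group, user can access all groups")
                if msp_account and not app["tenant_roles"]:
                    findings.append(f"{where}: no tenant role, MSP role applies")
        if "account_setting" not in returned:
            findings.append(f"customer {n}: Account Home not returned, "
                            "Network Operations role applies by default")
    return customers, findings


# Constructed values; the attribute names follow the page's customer 1 sample.
SAMPLE_OK = {
    "aruba_1_cid": "CUSTOMER-ID-PLACEHOLDER",
    "aruba_1_app_1": "central",
    "aruba_1_app_1_role_1": "readonly",
    "aruba_1_app_1_role_1_tenant": "admin",
    "aruba_1_app_1_group_1": "groupx, groupy",
    "aruba_1_app_2": "device_profiling",
    "aruba_1_app_2_role_1": "readonly",
    "aruba_1_app_3": "account_setting",
    "aruba_1_app_3_role_1": "readonly",
}
# Constructed: role attribute mistyped ("rol"), no group, no Account Home app.
SAMPLE_RISKY = {
    "aruba_1_cid": "CUSTOMER-ID-PLACEHOLDER",
    "aruba_1_app_1": "central",
    "aruba_1_app_1_rol_1": "admin",
}

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("risky", SAMPLE_RISKY)):
        print(label, resolve_access(sample)[1] or "no findings")
```

The "no group" finding is the one to review first from a least-privilege standpoint, because the documented default widens access to every group rather than narrowing it.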

Steps to Configure Service Provider Metadata in ADFS
To enable SAML integration with ADFS, complete the following steps:
- Step 1: Adding a Relying Party Trust
- Step 2: Configure the Name ID Attribute
- Step 3: Configure the Customer ID Attribute
- Step 4: Configure the Application Attribute
- Step 5: Configure the Role Attribute
- Step 6: Configure the Group Attribute
- Step 7: Configure the Logout URL
- Step 8: Exporting Token-signing Certificate
- Step 9: SAML Authorization Profile in Aruba Central

Step 1: Adding a Relying Party Trust
To configure Aruba Central and ADFS as trusted partners, complete the following steps:
1. On Windows Server, click Start > Administrative Tools > AD FS Management. The ADFS administrative console opens.
2. Click the AD FS folder and select Add Relying Party Trust from the Actions menu.
   Figure 56 AD FS Management
3. Select Enter data about the relying party manually.
4. Click Next.
5. Enter a Display Name. The name entered here will be displayed in the management console and to the users logging in to Aruba Central.
6. Click Next.
7. Select AD FS Profile and then click Next.
8. Select the Enable support for the SAML 2.0 WebSSO protocol check box and enter the consumer URL that you want to use for sending SAML SSO login requests and receiving SAML responses from the IdP.
   Figure 57 Enabling Support for SAML 2.0 WebSSO Protocol
9. Click Next.
10. Add the Aruba Central URL as the relying party trust identifier.
    Figure 58 Adding Relying Party Trust Identifier
11. Click Next.
12. Select the preferred security setting. You can select the Permit all users to access this relying party option to permit access to all users.
13. Click Close.
14. Verify that Aruba Central is added to the list of relying party trusts.

Step 2: Configure the Name ID Attribute
The Name ID attribute is used for user identification.
For SAML integration with Aruba Central, the Name ID attribute must include the email address of the user. If the Name ID attribute does not return the email address of the user, use the aruba_user_email attribute.
To configure the Name-ID attribute:
1. Select the display name you just added for Aruba Central and click Edit Claim Issuance Policy.
2. In the Edit Claim Issuance Policy window, click Add Rule.
3. Set the Claim Rule template to Send LDAP Attributes as Claims rule.
4. Click Next.
5. In the Claim rule name text box, enter Name-ID.
   Figure 59 Adding Claim Rule Name
6. Select the LDAP as the Attribute store.
7. Select the User-Principal-Name as LDAP attribute and Name ID for the Outgoing Claim Type.
8. Click Finish.

Step 3: Configure the Customer ID Attribute
To create a rule with the customer ID attribute:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the customer ID attribute. For example, aruba-cid.
5. Select a user group.
   Figure 60 Selecting a User Group
6. Click OK.
7. Select a customer ID attribute for the Outgoing claim rule and enter a value for the Outgoing claim value.
   Figure 61 Configuring Claim Rule Details
8. Click Finish.
9. If you have multiple customers, define the customer ID attribute separately for each customer ID.

Step 4: Configure the Application Attribute
To add a rule for the application attribute, complete the following steps:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App Name.
5. Select a user group.
6. Select the application attribute for Outgoing claim type and enter a value for the Outgoing claim value.
   Figure 62 Configuring the Application Attribute
7. Click Finish.

Step 5: Configure the Role Attribute
To add a rule for a role attribute, complete the following steps:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App Role.
5. Select a user group.
6. Select the role attribute for Outgoing claim type and enter a value for the Outgoing claim value.
   Figure 63 Configuring the Role Attribute
7. Click Finish.
If the role attribute is not configured, Aruba Central assigns a read-only role to the user.

Step 6: Configure the Group Attribute
If you want to restrict user access to a group in Aruba Central, you can configure the group attribute. If the group attribute is not configured, Aruba Central allows SAML SSO users to access all groups.
To add a rule for a group attribute, complete the following steps:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App Group.
5. Select a user group.
6. Select a group attribute for Outgoing claim type and enter a value for the Outgoing claim value.
7. Click Finish.

Step 7: Configure the Logout URL
To enable IdP-initiated logout, complete the following steps:
1. Select the relying party trust entry created for Aruba Central and click Properties.
2. Click Endpoints.
3. To add a logout URL, click Add SAML.
4. Select the endpoint type as SAML Logout.
5. Select Redirect for Binding.
6. Enter the Aruba Central logout URL for Trusted URL.
   Sample Trusted URL: https://portal-yoda.arubathena.com/global_login/aaa_saml/adfsaruba.com?sls
7. Enter the IdP logout URL for Response URL.
   Figure 64 Configuring the Logout URL
8. Click OK.

Step 8: Exporting Token-signing Certificate
The token-signing certificate is required for SAML authentication. To export the token-signing certificate:
1. In the ADFS management console, go to AD FS > Service > Certificates.
2. Click the certificate under Token-signing and select View Certificate from the contextual menu.
3. Click Details > Copy to File.
   Figure 65 Exporting Token-Signing Certificate
4. Click Next and select Base-64 encoded X.509 (.CER) as the certificate format.
5. Click Next.
6. Save the certificate file on your local directory.

Step 9: SAML Authorization Profile in Aruba Central
For information on how to configure a SAML authorization profile, see Configuring SAML Authorization Profiles in Aruba Central.

Configuring Service Provider Metadata in PingFederate IdP
This procedure describes the steps required for configuring service provider metadata in PingFederate.
This topic provides a basic set of guidelines required for service provider metadata on the PingFederate server. The images and attributes may change with PingFederate software updates.

Before you Begin
Go through the SAML SSO feature description to understand how the SAML framework works in the context of Aruba Central.

Steps to Configure Service Provider Metadata in PingFederate
To configure service provider metadata in PingFederate, complete the following steps:
- Step 1: Create an SP Connection Profile
- Step 2: Configure Browser SSO Settings
- Step 3: Configure Credentials
- Step 4: Review Configuration
- Step 5: SAML Authorization Profile in Aruba Central

Step 1: Create an SP Connection Profile
1. Log in to the PingFederate administration console.
2. Click IdP Configuration > SP Connections > Create New. The SP Connections page opens.
   Figure 66 SP Connections Window
3. In the Connection Type tab, select Browser SSO Profiles.
   Figure 67 Connection Options
4. Click the General Info tab.
5. Verify the Entity ID and select the logging mode.
   Figure 68 General Info
   Figure 69 Logging Mode
6. Click Next to configure the Browser SSO Settings.

Step 2: Configure Browser SSO Settings
1. On the SP Connections page in the PingFederate administrative console, click Browser SSO.
   Figure 70 Browser SSO
2. Click Configure Browser SSO.
3. Select the following SAML profiles:
    - Select IDP-INITIATED SSO
    - Select SP-INITIATED SSO
   Figure 71 SAML Profiles
4. Click Next. The Assertion Lifetime tab opens.
5. Click Next. The Assertion Creation page opens.
    a. Click Configure Assertion Creation. The Assertion Creation wizard opens.
       Figure 72 Assertion Creation Window
    b. Click Next. The Attribute Contract page opens.
    c. Add the SAML attributes in the SAML assertion. The IdP sends these attributes in the SAML assertion.
       Figure 73 Attribute Contract
    d. Click Next. The Authentication Source Mapping tab opens.
       Figure 74 Authentication Source Mapping
    e. Click Map New Adapter Instance. The adapter configuration screen opens.
       Figure 75 Adapter Instance
    f. Complete the following configuration steps:
        i. Click Mapping Method and select a mapping option.
           Figure 76 Mapping Method Selection
        ii. Click Attribute Sources and User Lookup.
        iii. To add a data source, click Add Attribute Store and add the data store ID as shown in the following figure:
           Figure 77 Add Data Store ID
        iv. Click Save.
6. On the SP Connections > Browser SSO Settings page, click Protocol Settings to configure the Browser SSO Protocol Settings, SSO service URLs, and SAML bindings.
   Figure 78 Protocol Settings
7. Click Configure Protocol Settings and complete the following steps:
    a. Verify the Assertion Consumer Service URL. The endpoint URLs for Redirect and Post bindings are both automatically populated from the metadata. If not, enter the URL manually. The URL will be the same for both bindings.
       Figure 79 Assertion Consumer Service URL Verification
    b. Click Next. The Allowable SAML Bindings tab opens.
    c. Select Post and Redirect.
       Figure 80 SAML Bindings Selection
    d. Click Next. The Encryption Policy Settings tab opens.
    e. Select None.
       Figure 81 Encryption Policy Settings
    f. Click Next. Review the protocol setting.
    g. Click Done.

Step 3: Configure Credentials
1. On the SP Connections page in the PingFederate administrative console, click Credentials.
2. Click Configure Credentials.
3. Click Digital Signature Settings.
4. Select the certificate to use for digital signature in SAML messages.
   Figure 82 Digital Signature Settings

Step 4: Review Configuration
To review the configuration, click the Activation & Summary tab.

Step 5: SAML Authorization Profile in Aruba Central
For information on how to configure a SAML authorization profile, see Configuring SAML Authorization Profiles in Aruba Central.

Configuring Service Provider Metadata in Aruba ClearPass Policy Manager
This procedure describes the configuration steps required for setting up Aruba ClearPass Policy Manager as an IdP.
ClearPass must be synced to NTP along with any other SAML SPs and IdPs. If clocks are out of sync, SAML will not function.

Before you Begin
- Go through the SAML SSO feature description to understand how the SAML framework works in the context of Aruba Central.
- Ensure that you have access to the ClearPass Policy Manager instance.
- Ensure that you have downloaded the SAML metadata from Aruba Central.

Steps to Configure ClearPass Policy Manager as an IdP
To configure ClearPass as an IdP for providing SAML authentication and authorization services to Aruba Central, complete the following steps:
- Step 1: Configuring Enforcement Profile and Policies
- Step 2: Adding Roles
- Step 3: Mapping Roles to Enforcement Policies
- Step 4: Configuring an IdP Service
- Step 5: Uploading SP Metadata
- Step 6: Adding Local Users
- Step 7: Configuring SAML Authorization Profile in Aruba Central

Step 1: Configuring Enforcement Profile and Policies
To configure an enforcement profile:
1. Go to Configuration > Enforcement > Profiles.
2. Click Add to add a new enforcement profile. The Enforcement Profiles page is displayed.
3. In the Profile tab, select the template as Generic Application Enforcement from the Template drop-down list.
4. Enter a name and description for the profile in the Name and Description fields.
5. In the Action field, click and select Accept from the given options.
6. Click Next. The Attributes tab is displayed.
7. Click to add the attributes name and attributes value in the Attributes Name and Attributes Value fields. Ensure that you add Aruba-defined attributes and values. To know more about Aruba-defined attributes, see Configuring Service Provider Metadata in IdP.
8. Click Next. The Summary tab is displayed.
9. In the Summary tab, check the information entered in the Profile and Attributes field and click Save to save the enforcement profile.

To configure an enforcement policy, complete the following steps:
1. Go to Configuration > Enforcement > Policies.
2. Click Add to add a new enforcement policy. The Enforcement Policies page is displayed.
3. Enter a name and description for the policies in the Name and Description fields.
4. In the Enforcement Type field, click and select Application.
5. From the Default Profile drop-down list, select the profile which you created.
6. Click Next.
   The Rules tab is displayed.
7. For configuring the rules, follow the steps mentioned in Step 3 below.
8. Click Next. The Summary tab is displayed.
9. In the Summary tab, check and validate the information and click Save to save the enforcement policy.

Step 2: Adding Roles
To add a user role:
1. Go to Configuration > Identity > Roles. The Roles page is displayed.
2. To add a new role, click Add in the Roles page.
   Figure 83 Configuring Roles
3. Enter the role name and description in the Name and Description fields and click Save to save the role.
   Figure 84 Adding Role Information

Step 3: Mapping Roles to Enforcement Policies
To map roles to enforcement policies:
1. Go to Configuration > Enforcement > Policies. The Enforcement Policies page is displayed.
2. Click and select the policy that you created.
3. Click the Rules tab and select Add rule to map a rule to the policy.
4. In the Rules Editor page, fill in the Type, Name, Operator, and Values as shown in the following example figure.
   Figure 85 Rules Editor Page
5. In the Profile Names under Enforcement Profiles, select the profile that you created and click Save.
6. Click Save.

Step 4: Configuring an IdP Service
To configure an IdP service, complete the following steps:
1. Go to Configuration > Services. The Services page is displayed.
2. From the Services page, click Add to add a new service.
3. In the Service tab, select Aruba Application Authentication as a type of authentication from the Type drop-down list.
4. Enter a name prefix and description for the services in the Name and Description fields respectively. This prefix is used to name all of the services and enforcement policies/profiles created by the wizard.
5. Optionally, you can enable the monitor mode and more options by clicking the Monitor Mode and More Options check boxes. By default, both the check boxes are not selected.
6. From the Service Rule option, select ANY or All of the following conditions to match the conditions.
7. You can define Type, Name, Operator, and Values for the condition by clicking and selecting from the respective drop-down lists.
8. Click Next. The Authentication tab is displayed.
9. Select [Local User Repository] [Local SQL DB] as an authentication source from the Authentication Sources drop-down list.
10. Click Next. The Roles tab is displayed.
11. Keep the Roles tab to default values.
12. Click Next. The Enforcement tab is displayed.
13. Add an enforcement policy from the Enforcement Policy drop-down list.
14. Click Next. The Summary tab is displayed.
15. In the Summary tab, check if all the information in the Service, Authentication, Roles, and Enforcement fields is correct and click Save to save the service.

Step 5: Uploading SP Metadata
To upload SP metadata, complete the following steps:
1. In the Account Home page, under Global Settings, click Single Sign On. The Single Sign On page is displayed.
2. Select the SAML authorization profile configured for the ClearPass IdP service, click Show Metadata, and download the metadata.
3. To upload SP metadata, go to Configuration > Identity > Single Sign-On (SSO).
4. Click the SAML IdP Configuration tab, and click Add SP metadata.
5. Set the SP name as Aruba Central, select the metadata file, and click Upload.
   Figure 86 SAML IdP Configuration

Step 6: Adding Local Users
To add local users, complete the following steps:
1. Go to Configuration > Identity > Local Users. The Local Users page is displayed.
2. In the Local Users page, click Add. The Add Local User page is displayed.
3. Enter the user id, name, and password in their respective fields.
4. Enter the password again to verify the password in the Verify Password field.
5. By default, the Enable User check box is selected.
6. Select the Change Password check box if you want to force change the password on next user login.
   By default, the check box is not selected.
7. Select the role from the Role drop-down list and click Add to add the user.
   The following is an example figure for adding a user:
   Figure 87 Adding a Local User

Step 7: Configuring SAML Authorization Profile in Aruba Central
For information on how to configure a SAML authorization profile, see Configuring SAML Authorization Profiles in Aruba Central.

Configuring Service Provider Metadata in G Suite
This procedure describes the configuration steps required for setting up service provider metadata in G Suite.

Before you Begin
- Go through the SAML SSO feature description to understand how the SAML framework works in the context of Aruba Central.
- Ensure that you have a domain and administrator privileges access to the G Suite. For more information, see G Suite Admin Help.
- Ensure that you have a verified user in Aruba Central.
- Ensure that you have downloaded the SAML metadata from Aruba Central.

Steps to Configure Service Provider Metadata in Google Admin Console
To configure Google Admin Console for providing SAML authentication and authorization services to Aruba Central, complete the following steps:
- Step 1: Add Custom Attributes
- Step 2: Add new user
- Step 3: Add values to custom attributes
- Step 4: Set up Custom SAML app
- Step 5: Turn on SSO to your new SAML app

Step 1: Add Custom Attributes
To add custom attributes in Google Admin:
1. In the Google Admin console, go to Users > More > Manage custom attributes. The Manage user attributes page is displayed.
2. At the top right corner, click Add Custom Attribute.
   Figure 88 Manage User Attributes
3. In the Add custom fields pop-up window, configure the parameters as per the following table:
   Parameter--Description
    - Category--Enter a name for the category you want to add.
    - Description--Optionally, enter a description for the category.
    - Custom fields--Configure the custom fields as per the following:
        - Name--Enter the label you want to display on the user's account page.
        - Info type--Select one of the following from the drop-down list: Text, Whole Number, Yes or No, Decimal number, Phone, Email, Date.
        - Visibility--Select one of the following from the drop-down list: Visible to user and admin, Visible to organization.
        - No. of values--Select one of the following from the drop-down list: Multi-Value, Single-value.
      NOTE:
        - You cannot edit the info type and No. of values once you have created the custom attribute.
        - You can add multiple custom attributes in the Custom fields. Make sure that you add the Aruba supported attributes in the Name field. For more information on Aruba supported attributes, see Configuring Service Provider Metadata in IdP.
4. Click Add to finish adding the custom attributes.

Step 2: Add new user
To add a new user in the Google Admin console, complete the following steps:
1. In the Google Admin console, go to Users > Add new user. The Add new user page is displayed.
2. To add an image for the user, click Add photo and select the image file from the storage. You can also add the image later if you do not have it ready.
3. Fill the account information as per the following table:
   Parameter--Description
    - First name--Enter the first name of the user.
    - Last name--Enter the last name of the user.
    - Primary email--Enter the primary email of the user.
    - Organization unit--The field gets auto populated.
    - Secondary email--Optionally, enter the secondary email of the user.
    - Phone number--Optionally, enter the phone number of the user.
4. You can either generate the password automatically by turning on the toggle button or enter the password manually. By default, you have to enter the password manually. While creating the password, make sure that the password is at least 8 characters long.
5. Optionally, turn on the toggle to ask the user to change the password at the next sign-in.
6. Click Add New User.

Step 3: Add values to custom attributes
You can add or update values for custom attributes on the User information page for a user.
To add values to custom attributes:
1. In the Google Admin console, click Users. The user page is displayed.
   Figure 89 Users Page
2. From the users list, find the user by using a filter or the Search bar. For more information on how to find the user, see Find a user account.
3. Click User information.
   Figure 90 User Information
4. Click the Aruba-Attributes section to edit.
5. Add or change values to custom attributes as shown in the following example figure:
   Figure 91 Editing Aruba-Attributes
6. Click Save.
You can only assign roles to the user which are already existing and valid in Aruba Central.

Step 4: Set up Custom SAML app
To set up your own custom SAML app:
1. Log in to G Suite. The Admin console is displayed.
   Figure 92 Google Admin Console
2. From the Admin Console main screen, click Apps. The Apps page is displayed.
3. From the Apps screen, click SAML apps. The SAML apps page is displayed.
   Figure 93 SAML Applications
4. Click the + sign at the bottom of the screen to add a new SAML app (or, you can edit an existing one). The Enable SSO for SAML Application window is displayed.
   Figure 94 Enable SSO for SAML Application
5. Click Setup My Own Custom App. The Google IdP Information window opens and the SSO URL and Entity ID fields automatically populate.
   Figure 95 Setup Custom Application
6. Get the setup information needed using one of these methods:
    a. Copy the SSO URL and Entity ID and download the Certificate.
    b. Download the IdP metadata.
   Figure 96 Google IdP Information
7. In a separate browser tab or window, sign in to Aruba Central and enter the information you copied in step 6 above into the appropriate SSO configuration page, then return to the Admin console. For information on how to configure a SAML authorization profile, see Configuring SAML Authorization Profiles in Aruba Central.
8. Click Next.
9. In the Basic Information for Your Custom App window, add an application name and description.
10. Optionally, upload a PNG or GIF file to serve as an icon for your custom app. The icon image should be of size 256 x 256 pixels.
    Figure 97 Configuring Basic Information
11. Click Next.
12. In Aruba Central, select the SAML authorization profile configured for the domain, click Show Metadata, download the metadata, and return to the G Suite Admin console.
13. In the Service Provider Details window, enter an ACS URL, Entity ID, and Start URL (if needed) for your custom app. These values are all provided from the downloaded metadata.
14. By default, the Signed Response check box is not selected.
15. The Name ID and Name ID Format fields are automatically populated.
    Figure 98 Service Provider Details
16. Click Next.
17. Optionally, click Add New Mapping and enter a new name for the attribute you want to map.
18. In the drop-down list, select the category and user attributes to map the attribute from the Google profile.
    Figure 99 Attribute Mapping
19. Click Finish.

Step 5: Turn on SSO to your new SAML app
To turn on SSO in your SAML app:
1. In the Google Admin console, go to Apps > SAML apps and select the SAML app that you created.
2. At the top right corner of the gray box, click Edit Service.
   Figure 100 Editing a Service
3. To turn on or off a service for everyone in your organization, click On for everyone or Off for everyone from the Service status option, and click Save.
   Figure 101 Configuring All Organizational Units

Viewing Federated Users in Aruba Central
If your Aruba Central account has SAML SSO users, Aruba Central displays these users as federated users. To view a list of federated users in your account:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users & Roles page opens.
2. In the Users table, use the filter in the User Type column to sort the table by federated users.

Viewing Audit Logs for Federated Users in Aruba Central
The federated or SAML SSO user activity is logged in Aruba Central as audit trails. To view the audit logs for federated users, complete the following steps:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page is displayed.
2. To filter audit logs by federated user activity, click the filter in the Category column and select User Activity.

To view audit logs for the SAML authorization profiles, in the Audit Trail page, select SAML Profile from the Classification filter.

Converting System Users to Federated Users
The system users in Aruba Central use the standard authentication method, whereas the federated users sign in to Aruba Central using the SAML-based SSO authentication method. If your business requires you to move system users from the standard authentication method to SAML-based authentication, follow the steps described in this page.

Before you Begin
Check if the user is accessing Aruba Central application using the web application, API Gateway, or the mobile app. Aruba does not support SAML-based SSO logins for Aruba Central API Gateway, Aruba Installer, and Aruba Central mobile apps; hence, it is recommended that you do not convert the API Gateway and mobile app user profiles to federated users.

Migrating Aruba Central Web Application Users to Federated User Profiles
To move system users of the Aruba Central web application to the SAML-based authentication method:
1. Back up the user profiles in the domain that is being migrated to the SAML-based authentication framework. To view and create a backup of a list of existing user profiles, access the [GET] /platform/rbac/v1/users NB API.
2. Restore the current users in the system along with the role and scope information defined for each user. To restore user profiles in bulk, use the [POST] /platform/rbac/v1/bulk_users API in the same domain.
3. Validate the configuration for one user.
4. If the migration is successful, remove the remaining system users in the domain by using one of the following methods:
   - In the Account Home page, under Global Settings, click Users & Roles. On that page, select the user profile that you want to delete and click the delete icon.
   - Access the [DELETE] /platform/rbac/v1/bulk_users API and add the user account names in the Parameters section.
     Example Param
     [ "[email protected]","[email protected]","[email protected]" ]
5. Ensure that there is at least one system admin user in the domain that you are migrating to the SAML-based SSO authentication framework.
6. Validate the SSO workflow for the users that you just migrated to the SAML-based SSO authentication method.

Enabling NB API Access for Federated Users
To enable NB API access for federated users:
1. Log in to the Aruba Central web application using the SAML-based SSO authentication method.
2. In the Account Home page, under Global Settings, click API Gateway.
3. Click My Apps & Tokens.
4. Click + Add Apps & Tokens and generate an OAuth token.

For more information on generating tokens and API Gateway bootstrapping, see Aruba Central API Gateway Documentation.

Troubleshooting SAML SSO Authentication Issues
This section provides troubleshooting guidelines and tips to help Aruba Central administrators diagnose and fix issues related to SAML SSO authentication.

Installing SAML Tracer on Web Browsers
To view SAML trace logs, you can install SAML Tracer on your web browsers. To install SAML Tracer:
- Mozilla Firefox--Go to https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/.
- Google Chrome--Go to https://chrome.google.com/webstore/category/extensions.

Viewing SAML Trace Logs
To view the SAML trace logs, open the SAML Tracer add-on in the web browser. SAML Tracer records all HTTP requests sent or received by your browser. If the HTTP request contains SAML, the SAML tab in the SAML Trace window records the trace logs. For example, when the SAML user logs in, you can verify the SAML attributes that are recorded. Note the key elements in the SAML attributes output when diagnosing a SAML authentication error.
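The attribute checks that the troubleshooting tips in this section call for can be run mechanically on an assertion copied from SAML Tracer. The following Python script is an added example, not part of the Aruba documentation: the finding codes, function names, sample traces (example.com placeholders) and the case-insensitive match on "central" are assumptions, while the attribute names are the ones in the trace that follows.

```python
"""Check a SAML Tracer capture against this guide's attribute conventions (added example)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Attribute names as they appear in the trace on this page.
CID, APP, ROLE = "aruba_1_cid", "aruba_1_app_1", "aruba_1_app_1_role_1"
TENANT_ROLE = "aruba_1_app_1_role_1_tenant"
# Hypothetical finding codes -> the troubleshooting entry each relates to.
FINDINGS = {
    "NAMEID_MISSING": "Error 3: NameID not found in the assertion",
    "NAMEID_NOT_EMAIL": "Error 4: name-id does not contain an email address",
    "CUSTOMER_ID_MISSING": "Error 2: customer ID not sent by the IdP",
    "APP_NOT_CENTRAL": "Error 4: app-id is not configured as Central",
    "ROLE_MISSING": "Error 5: no role sent, Aruba Central assigns readonly",
    "TENANT_ROLE_ON_STANDALONE": "Error 4: tenant role for a standalone account",
    "OUTSIDE_VALIDITY_WINDOW": "Conditions exclude the time of the check",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def _local(tag):
    """Drop the '{namespace}' part ElementTree puts in front of a tag name."""
    return tag.rsplit("}", 1)[-1]

def _parse_ts(value):
    """Parse a SAML UTC timestamp such as 2019-06-14T11:52:47.881Z."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def parse_trace(xml_text):
    """Parse a whole assertion or a run of sibling elements copied from the tracer."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        # SAML messages never need a DTD; refusing one blocks entity expansion.
        raise ValueError("DTD or entity declarations are not accepted")
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    return ET.fromstring("<trace>" + body + "</trace>")

def attributes(root):
    """Return {attribute name: [values]} for every Attribute element."""
    result = {}
    for el in root.iter():
        if _local(el.tag) == "Attribute":
            values = [(v.text or "").strip() for v in el
                      if _local(v.tag) == "AttributeValue"]
            result.setdefault(el.get("Name"), []).extend(values)
    return result

def diagnose(xml_text, now=None, standalone=False):
    """Return the finding codes for one captured assertion, in check order."""
    root = parse_trace(xml_text)
    now = now or datetime.now(timezone.utc)
    attrs = attributes(root)
    found = []
    name_id = next(((el.text or "").strip() for el in root.iter()
                    if _local(el.tag) == "NameID"), "")
    if not name_id:
        found.append("NAMEID_MISSING")
    elif not EMAIL_RE.match(name_id):
        found.append("NAMEID_NOT_EMAIL")
    if not any(attrs.get(CID, [])):
        found.append("CUSTOMER_ID_MISSING")
    # Assumption: compared case-insensitively; the trace on this page shows "central".
    if [v.lower() for v in attrs.get(APP, [])] != ["central"]:
        found.append("APP_NOT_CENTRAL")
    if not any(attrs.get(ROLE, [])):
        found.append("ROLE_MISSING")
    if standalone and attrs.get(TENANT_ROLE):
        found.append("TENANT_ROLE_ON_STANDALONE")
    for cond in (el for el in root.iter() if _local(el.tag) == "Conditions"):
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (not_before and now < _parse_ts(not_before)) or \
           (not_after and now >= _parse_ts(not_after)):
            found.append("OUTSIDE_VALIDITY_WINDOW")
    return found

# Constructed sample traces (placeholder values, not real accounts).
SAMPLE_OK = """
<Subject><NameID>admin@example.com</NameID></Subject>
<Conditions NotBefore="2024-01-01T10:00:00.000Z" NotOnOrAfter="2024-01-01T11:00:00.000Z"/>
<AttributeStatement>
  <Attribute Name="aruba_1_cid"><AttributeValue>0123456789abcdef0123456789abcdef</AttributeValue></Attribute>
  <Attribute Name="aruba_1_app_1"><AttributeValue>central</AttributeValue></Attribute>
  <Attribute Name="aruba_1_app_1_role_1"><AttributeValue>admin</AttributeValue></Attribute>
</AttributeStatement>
"""
SAMPLE_BAD = """
<Subject><NameID>jdoe</NameID></Subject>
<AttributeStatement>
  <Attribute Name="aruba_1_app_1"><AttributeValue>other-app</AttributeValue></Attribute>
  <Attribute Name="aruba_1_app_1_role_1_tenant"><AttributeValue>readonly</AttributeValue></Attribute>
</AttributeStatement>
"""
CHECK_TIME = datetime(2024, 1, 1, 10, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, trace in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        codes = diagnose(trace, now=CHECK_TIME, standalone=True)
        print(label, [FINDINGS[code] for code in codes])
```

The script reads only the assertion content; it does not verify the IdP signature, so a clean result says nothing about the certificate mismatch described under Error 7.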
<Subject>
  <NameID>[email protected]</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="ONELOGIN_f937f6f66c3d29c4713eee99e09fd31e23ae6fec"
        NotOnOrAfter="2019-06-14T11:57:47.883Z"
        Recipient="https://portal-yodaacdc.arubathena.com/global_login/aaa_saml/adfsaruba.com?acs" />
  </SubjectConfirmation>
</Subject>
<Conditions NotBefore="2019-06-14T11:52:47.881Z" NotOnOrAfter="2019-06-14T12:52:47.881Z">
  <AudienceRestriction>
    <Audience>https://portal-yodaacdc.arubathena.com/global_login/aaa_saml/adfsaruba.com/metadata</Audience>
  </AudienceRestriction>
</Conditions>
<AttributeStatement>
  <Attribute Name="aruba_1_cid">
    <AttributeValue>ab8eeb91a8434025a3ecbdad9b8af705</AttributeValue>
  </Attribute>
  <Attribute Name="aruba_1_app_1">
    <AttributeValue>central</AttributeValue>
  </Attribute>
  <Attribute Name="aruba_1_app_1_role_1">
    <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute Name="aruba_1_app_1_role_1_tenant">
    <AttributeValue>readonly</AttributeValue>
  </Attribute>

Troubleshooting Tips for Most Common Errors

Error 1--A blank page is displayed when the SAML user is redirected to the IdP server
- Description: When a SAML user is redirected to the IdP server for authentication, the IdP server does not return the SAML response and displays a blank page.
- Cause: This issue may occur when the Service Provider metadata for Aruba Central is not configured on the IdP server.
- Resolution: Configure Service Provider metadata for your Aruba Central account in the IdP server.

Error 2--The SAML user is logged out of Aruba Central after logging in to IdP
- Description: The SAML user gets logged out of Aruba Central after logging in to the IdP server and the following error code is displayed in the browser:
    error_code=INVALID+EXTERNAL+AUTH+REQUEST
- Reason: This issue may occur when the customer ID for the SAML user is not successfully retrieved from the IdP server.
- Solution: Verify the trace logs, check the IdP configuration for customer ID details, and ensure that the IdP sends the correct customer ID.

  <NameID>[email protected]</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="ONELOGIN_c000669424a538ea0f4793ec38dab3b57a635efb"
        NotOnOrAfter="2019-06-14T10:06:20.153Z"
        Recipient="https://compass.arubathena.com/global_login/aaa_saml/adfsaruba.com?acs"/>
  </SubjectConfirmation>
</Subject>
<Conditions NotBefore="2019-06-14T10:01:20.151Z" NotOnOrAfter="2019-06-14T11:01:20.151Z">
  <AudienceRestriction>
    <Audience>https://compass.arubathena.com/global_login/aaa_saml/adfsaruba.com/metadata</Audience>
  </AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2019-06-14T10:01:19.749Z" SessionIndex="_400366f7-75dc-4423-909c-2b3dc4e9fd9c">
  <AuthnContext>

Error 3--The web browser displays an error message when a SAML user is redirected to Aruba Central after logging in to IdP
- Description: The web browser displays the following error message when the SAML user logs into IdP and is redirected to Aruba Central:
    error_code "FAILED EXTERNAL AUTH - SAML ACS PROCESSING"
    message "NameID not found in the assertion of the Response"
- Cause: This issue may occur when the name-id attribute is not configured in the IdP server.
- Solution: Verify the trace logs, check the IdP configuration, and ensure that the name-id attribute maps to the user's email address.

Error 4--The web browser displays a 404 error message when a SAML user is redirected to Aruba Central after logging into IdP
- Description: The web browser displays the following error message when a SAML user is redirected to Aruba Central after logging into IdP:
    The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
    status_code 404
- Cause: This issue may occur due to one of the following reasons:
  - The name-id attribute does not contain user's email address.
  - The app-id attribute is not configured as Central in IdP.
  - The role attribute returned by the IdP is not configured in Aruba Central.
  - The group attribute in the IdP server is mapped to a group that is not available in your Aruba Central account.
  - IdP returns a tenant role for the SAML user of a standalone enterprise account.
- Solution: Verify the trace logs, check your Aruba Central deployment setup and the IdP configuration, and ensure that the correct values are configured for these attributes in the IdP server.

Error 5--Although the role attribute is not configured in IdP, the SAML user is assigned a readonly role
- Description: Although the role attribute is not configured in the IdP server, the SAML user is assigned a readonly role after logging in to Aruba Central.
- Cause: By default, Aruba Central assigns the readonly role to SAML users if the role attribute is not configured in IdP.
- Solution: If you want the SAML user to have a specific role assigned, configure the role attribute for the user in the IdP server.

Error 6--A SAML user was able to log in to Aruba Central earlier, but cannot access Aruba Central now
- Description: The SAML user who was able to log in to Aruba Central earlier gets the following message during login:
    The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
    status_code 404
  This issue is observed when the customer ID of a SAML user is changed from an MSP to its tenant or from a tenant to its MSP in the IdP server.
- Cause: This issue occurs when the Aruba Central user database already has a user entry for the SAML user who tries to log in to Aruba Central after the customer ID modification in the IdP server.
- Solution: In the Account Home page, under Global Settings, click Users & Roles and delete the SAML user in Aruba Central. Verify that the user entry is removed from the user database.

Error 7--The web browser displays SAML authentication error message when a SAML user tries to log in to Aruba Central
- Description: When a SAML user tries to log in to Aruba Central, the following error message is displayed:
    FAILED EXTERNAL AUTH - SAML ACS PROCESSING message 0 "invalid_response"
- Cause: This issue may occur due to certificate mismatch.
- Solution: Verify the SAML authorization profile configured in Aruba Central and ensure that the correct certificate is uploaded.

Error 8--The Aruba Central login page is displayed for the SAML user instead of the IdP login page
- Description: When a SAML user tries to access Aruba Central, the user is redirected to the Aruba Central login page instead of the IdP login page.
- Cause: This issue may occur when the SAML user is configured as a system user in Aruba Central.
- Solution: If a SAML user is added as a system user in Aruba Central, delete the system user entry for the user in Aruba Central.

Viewing Audit Trails in the Account Home Page
The Audit Trail page shows the logs for all the device management, configuration, and user management events triggered in Aruba Central. To view audit trail logs:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page opens.
2. From the Select App drop-down list, select one of the following:
   - All Apps--Displays audit trail logs for all apps.
   - Network Operations--Displays audit trail logs for the Network Operations app.
   - ClearPass Device Insight--Displays audit trail logs for the ClearPass Device Insight app.

The following table describes the fields displayed in the Audit Trail table:

Table 83: Audit Trail Details

Parameter | Description
--- | ---
Occurred On | Time stamp of the events for which the audit trails are shown.
IP Address | IP address of the client device.
Username | Username of the admin user who applied the changes.
Target | Group or device to which the changes were applied.
Source | Tenant account in which the changes occurred. NOTE: This column is applicable only in the MSP mode.
Category | Type of modification and the affected device management category.
Description | A short description of the changes such as subscription assignment, firmware upgrade, and configuration updates. Click the ellipsis to view the complete details of the event. For example, if an event was not successful, click the ellipsis to view the reason for the failure.

Chapter 6
Maintaining Aruba Central

The Maintain menu includes the following options:
- Firmware--Provides an overview of the latest supported version of firmware for the device, details of the device, and the option to upgrade the device. For more information, see Managing Software Upgrades.
- Organization--Allows you to navigate to the Network Structure page from where you can create groups, sites, labels, upload certificates, and manage site installations. See the following topics:
  - Network Structure
  - Managing Groups
  - Managing Sites
  - Managing Labels
  - Installation Management
  - Certificates

Network Structure
The Network Structure page shows a tile view for the groups, sites, labels, install manager, and certificates sections. You can click on a tile to navigate to the respective page in Aruba Central.

Viewing the Network Structure Page
To view the Network Structure page, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Select the Network Structure tab. The Network Structure page is displayed.
   Figure 102 Network Structure Page

The Network Structure page displays a tile view for the following sections:
- Groups--Displays the number of groups and number of unprovisioned devices.
  Click on the tile to navigate to the Groups page.
- Sites--Displays the number of sites and number of unassociated devices. Click on the tile to navigate to the Sites page.
- Labels--Displays the number of labels and number of unassociated devices. Click on the tile to navigate to the Labels page.
- Install Manager--Displays the number of site installations that are either in progress or completed, and the number of authorized installers. Click on the tile to navigate to the Install Manager page.
- Certificates--Displays the number of certificates available to upload. Click on the tile to navigate to the Certificates page.

Managing Groups
Aruba Central allows you to manage configuration for different types of devices, such as Aruba Instant APs, gateways, and switches in your inventory. These devices can be configured using either UI workflows or configuration templates. You can define your preferred configuration method when creating a group.

Aruba Central allows you to create a single group with different configuration methods defined for each device type. For example, you can create a group with the name Group1 and within this group, you can enable template-based configuration method for switches and UI-based configuration method for Instant APs and Gateways. Aruba Central identifies both these groups under a single name (Group1). If a device type in the group is marked for template-based configuration method, the group name is prefixed with TG (TG Group1). You can use Group1 as the group ID for workflows such as user management, monitoring, reports, and audit trail.

After you assign devices to a group and when you access configuration containers, Aruba Central automatically displays relevant configuration options based on the configuration method you defined for the device group.

The Groups page allows you to create, edit, or delete a group, view the list of groups provisioned in Aruba Central, and assign devices to groups.
This section describes the following topics:
- Groups for Device Configuration and Management
- Group Persona
- Creating a Group Persona with ArubaOS 8 Architecture
- Creating Groups for Switches
- Assigning Devices to Groups
- Creating a New Group by Importing Configuration from a Device
- Viewing Groups and Associated Devices
- Cloning a Group
- Moving Devices between Groups
- Deleting a Group

Configuring Groups in MSP Mode
For information on using groups in the MSP mode and instructions on how to assign devices to MSP tenants, see the Aruba Central Managed Service Provider User Guide.

Groups for Device Configuration and Management
A group in Aruba Central is the primary configuration element that functions as a container for device management, monitoring, and maintenance. Groups enable administrators to manage devices efficiently by using either a UI-based configuration workflow or CLI-based configuration template.

Groups provide the following functions and benefits:
- Ability to provision different types of devices in a group. For example, a group can consist of Instant APs, Gateways, and Switches.
- Ability to create a configuration base and add devices as necessary. When you assign a new device to a group, it inherits the configuration that is currently applied to the group.
- Ability to create a clone of an existing group. If you want to build a new group based on an existing group, you can create a clone of the group and customize it as per your network requirements.
- A device can be part of only one group at any given time.
- Groups in Aruba Central are mutually exclusive (independent) and do not follow a hierarchical model.
The following figure illustrates a generic group deployment scenario in Aruba Central:
Figure 103 Group Deployment

Group Operations
The following list shows the most common tasks performed at a group level:
- Configuration--Add, modify, or delete configuration parameters for devices in a group.
- User Management--Control user access to device groups and group operations based on the type of user role.
- Device Status and Health Monitoring--View device health and performance for devices in a specific group.
- Report Generation--Run reports per group.
- Alerts and Notifications--View and configure notification settings per group.
- Firmware Upgrades--Enforce firmware compliance across all devices in a group.

Group Configuration Modes
Aruba Central allows network administrators to manage device configuration using either UI workflows or configuration templates:
- UI-based configuration method--For device groups that use UI-based workflows, Aruba Central provides a set of UI menu options. You can use these UI menu options to configure devices in a group.
- Template-based configuration method--For device groups that use a template-based workflow, Aruba Central allows you to manage devices using configuration templates. A device configuration template includes a set of CLI commands and variable definitions that can be applied to all other devices deployed in a group.

When you add Instant APs, Gateways, and switches to a group, Aruba Central groups these devices based on the configuration method you chose for the device type, and displays relevant workflows when you try to access the respective configuration menu. For information, see Group Persona.

Default Groups and Unprovisioned Devices
The default group is a system-defined group to which Aruba Central assigns all new devices with factory default configuration. When a new device with factory default configuration connects to Aruba Central, it is automatically added to the default group.
If a device has customized configuration and connects to Aruba Central, Aruba Central marks the device as Unprovisioned. If you want to preserve the device configuration, you can create a new group and assign this device to the newly created group. If you want to overwrite the configuration, you can move the unprovisioned device to an existing group.

The unprovisioned state does not apply to Aruba Switches as only the factory-default switches can join Aruba Central.

Best Practices and Recommendations
Use the following best practices and recommendations for deploying devices in groups:
- Determine the configuration method (UI or template-based) to use based on your deployment, configuration, and device management requirements.
- If there are multiple sites with similar characteristics--for example, with the same device management and configuration requirements--assign the devices deployed in these sites to a single group.
- Apply device-level or cluster-level configuration changes if necessary.
- Use the group cloning feature if you need to create a group with the configuration settings of an existing group.
- If the user access to a particular site must be restricted, create separate groups for each site.

Group Persona
A persona of a device represents the role that the device plays in a network deployment. Creating a persona for devices helps in customizing configuration workflows, automating parts of configurations, showing the default configuration, and showing relevant settings for the device. Persona configuration also helps in customizing the monitoring screens and troubleshooting workflows appropriate for the device.

Creating a Persona
A persona can be created when creating a group. Persona and architecture can be set at the group level. All devices within a group inherit the same persona from the group settings.
While creating a group, the architecture and persona settings of the current group can be marked as preferred settings for adding subsequent groups. For subsequent groups, you can either automatically apply the preferred settings or manually select settings for the new group.

Based on the device persona selected in a group, the device configuration page displays only particular device tabs for that group. For example, if a group has only the access points persona assigned to it, then the device configuration page for that group displays only the access points tab.

Persona for Access Points
Access Points can have the following persona:
- Campus/Branch--In this persona, the AP provides WLAN functionality. This persona applies to ArubaOS 8 (including IAP-VPN) architecture.

Persona for Gateways
Gateways can have the following persona:
- Branch--In this persona, gateways provide Aruba InstantOS SD-Branch (LAN + WAN) functionality. This persona applies to ArubaOS 8 architecture.
- VPN Concentrator--In this persona, gateways provide VPN concentrator functionality for ArubaOS 8 deployments.

Architecture
The following architecture is supported for creating groups:
- ArubaOS 8--Instant AP-based deployment, including Aruba InstantOS 6.x or Aruba InstantOS 8.x (IAP, IAP-VPN), or Aruba InstantOS 8.x SD-Branch deployments.

For information on creating groups with a persona and architecture, see the following topic:
- Creating a Group Persona with ArubaOS 8 Architecture

Creating a Group Persona with ArubaOS 8 Architecture
To manage device configuration using configuration containers in Aruba Central, you can create a group and assign devices. During the group creation, you can assign a device persona and select an architecture for the group.

Adding a Group
To add a group and assign a persona and ArubaOS 8 architecture, complete the following steps:
1. From the Network Operations app, filter Global.
2. Under Maintain, click Organization.
   By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Click (+) Add Group on the Groups table. The Add Group page is displayed.
5. Enter a name for the group.
   The group name can be a maximum of 32 single byte ASCII characters if you use the UI to create the names. However, if you are using an NB API, the character limit increases to 128. A group name supports all special characters excluding the ">" character. System-defined group names such as "default", "unprovisioned", and "global" are not allowed in group names.
   By default, Aruba Central enables the UI-based configuration. The template-based configuration is displayed only when you select devices in the Add group page. Use the toggle button to enable Configure using templates.
6. Select the device types that will be part of this group. A group can contain the following devices:
   - Access points
   - Gateways
   - Switches
   For detailed device combinations, refer to the Device Combinations table.
7. Click Next. By default, the ArubaOS 8 architecture is applied for access points and gateways.
8. Optionally, select the Make these the preferred group settings check box to save the architecture and persona settings of the current group for subsequent group creations.
9. Click Add. A group with persona configuration is created.

You can also create a group that uses different provisioning methods for switch, IAP, and Gateway device categories. For example, you can create a group with template-based provisioning method for switches and UI-based provisioning method for Instant APs and Gateways.

Device Combinations
The following table lists the valid combinations for a group persona with ArubaOS 8 architecture.

Table 84: Device Combinations for a Group Persona

Device Type | Architecture | AP Network Role | Gateway Network Role | Switches | Monitoring Only
--- | --- | --- | --- | --- | ---
Access Points | ArubaOS 8 | Campus/Branch | N/A | N/A | N/A
Gateways | ArubaOS 8 | N/A | Branch; VPN Concentrator | N/A | N/A
Switches | No architecture | N/A | N/A | AOS-CX only; AOS-S only; Both AOS-CX and AOS-S | Monitoring only for AOS-S
Access Points; Gateways | ArubaOS 8 | Campus/Branch | Branch | N/A | N/A
Access Points; Switches | ArubaOS 8 | Campus/Branch | N/A | AOS-CX only; AOS-S only; Both AOS-CX and AOS-S | Monitoring only for AOS-S
Access Points; Gateways; Switches | ArubaOS 8 | Campus/Branch | Branch | AOS-CX only; AOS-S only; Both AOS-CX and AOS-S | Monitoring only for AOS-S

Editing a Group
You can edit a group to add a new device type to the group. The group architecture and persona cannot be changed through group edit. You can mark the settings of an edited group as preferred settings for subsequent group creations.

To edit a group, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. To edit an existing group, hover over the group in the groups table and click the Edit Group icon. The Edit Group page is displayed.
5. Add a new device type and its persona.
6. For valid edit operations, refer to the Editing a Group table.
7. Optionally, select the Make these the preferred group settings check box to save the architecture and persona settings of the current group for subsequent group creations.
8. Click Save. The group edit changes are saved.

The following table lists the behavior for various edit operations:

Table 85: Editing a Group

Original State: Architecture | Original State: Devices and Persona | Action | Edit Group Behavior
--- | --- | --- | ---
ArubaOS 8 | Access Points - Campus/Branch; No Gateways | Add Gateways; Add Switches | Allowed. Gateways persona - Branch. Switch types: AOS-CX only or AOS-S only or Both AOS-CX and AOS-S. Monitoring only for AOS-S.
ArubaOS 8 | No Access Points; Gateways - Branch | Add Access Points; Add Switches | Allowed. Access Points persona Campus/Branch. Switch types: AOS-CX only or AOS-S only or Both AOS-CX and AOS-S. Monitoring only for AOS-S.
ArubaOS 8 | No Access Points; Gateways - VPN Concentrator | Add Access Points; Add Switches | Adding Access Points is not allowed. Switch types: AOS-CX only or AOS-S only or Both AOS-CX and AOS-S. Monitoring only for AOS-S.
No architecture | No Access Points; No Gateways; Switches - AOS-CX only or AOS-S only or Both AOS-CX and AOS-S | Add Access Points; Add Gateways | Allowed. Architecture ArubaOS 8. Access Points persona Campus/Branch. Gateways persona - Branch.

Creating Groups for Switches
You can create a group with only switches in it, or you can add a switch to an existing group containing other devices such as APs and gateways. A switch group will not have any architecture.

Adding a Switch Group
To add a switch group, complete the following steps:
1. From the Network Operations app, filter Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Click (+) Add Group on the Groups table. The Add Group page is displayed.
5. Enter a name for the group.
   The group name can be a maximum of 32 single byte ASCII characters if you use the UI to create the names. However, if you are using an NB API, the character limit increases to 128.
   A group name supports all special characters excluding the ">" character. System-defined group names such as "default", "unprovisioned", and "global" are not allowed in group names.
   By default, Aruba Central enables the UI-based configuration. The template-based configuration is displayed only when you select devices in the Add group page. Use the toggle button to enable Configure using templates.
6. From the Group will contain section, select the switch check box.
7. Click Next.
8. Select the type of switches used in this group:
   - AOS-CX only
   - AOS-S only
   - Both AOS-CX and AOS-S
   You can select the 'Monitoring only for AOS-S' option for the AOS-S switches for a UI group. This option is not available for a template group.
9. Optionally, select the Make these the preferred group settings check box to save the architecture and persona settings of the current group for subsequent group creations.
10. Click Add. A group for the selected switch type is created.

To add a switch type to an existing group, see Creating a Group Persona with ArubaOS 8 Architecture.

Assigning Devices to Groups
In Aruba Central, devices are assigned to groups for configuration, monitoring, and management purposes. A group in Aruba Central is a primary configuration element that acts like a container. In other words, groups are a subset of one or several devices that share common configuration settings. Aruba Central supports assigning devices to groups for the ease of configuration and maintenance. For example, you can create a common group for Branch Gateways or APs that have similar configuration requirements.

Assigning Instant APs to Groups
The Instant AP groups may consist of the following configuration elements:
- Instant AP Cluster--Consists of a conductor Instant AP and a set of member Instant APs in the same VLAN and their Instant AP mode is cluster.
- Virtual Controller--A virtual controller provides an interface for the entire cluster.
  The member Instant APs and conductor Instant APs function together to provide a virtual interface.
- Conductor Instant AP and Member Instant AP--In a typical Instant AP deployment scenario, the first Instant AP that comes up is usually elected as the conductor Instant AP; alternatively, an Instant AP becomes the conductor Instant AP when its preferred conductor setting is enabled. All other Instant APs joining the cluster function as the member Instant APs. When a conductor Instant AP is elected, the member Instant APs sync up the configuration changes from the conductor Instant AP.

The following table describes the group assignment criteria for Instant APs:

Table 86: Instant AP Group Assignment

APs with Default Configuration
  If an Instant AP with factory default configuration is added to Aruba Central, it is automatically assigned to the default group or to an existing group with similar configuration settings. The administrators can perform any of the following actions:
  - Manually assign them to a pre-provisioned group.
  - Create a new group.

APs with Non-Default Configuration
  If an Instant AP with non-default or custom configuration joins Aruba Central, it is automatically assigned to an unprovisioned group. The administrators can perform any of the following actions:
  - Import group to create a new group for the device; this preserves the device configuration.
  - Move the device to an existing group and override the device configuration.

Assigning Switches to Groups

Aruba Central allows switches running factory default configuration and pre-configured switches to join groups. Switches with factory default configuration are automatically assigned to the default group. Pre-configured switches are assigned to the unprovisioned group if no group is assigned. Administrators can either move the switch to an existing group or create a new group.
- Provisioning and configuring of Aruba 5400R switch series and switch stacks is supported only through configuration templates. Aruba Central does not support moving Aruba 5400R switches from the template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, then the device is moved to an unprovisioned group after it joins Aruba Central.
- Provisioning and configuring of AOS-CX 6000, 6405, 6410, and 8400 Switch series and Switch stacks is supported only through configuration templates.

Assigning Devices to a Group

The following procedure helps you to assign devices to a group. To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory.
1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign devices.
4. Click Assign Device(s).

To assign a device to a group from the Groups page, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand a group from which you want to move devices to the selected group. For example, expand the Unprovisioned Devices group, select the devices, and then click the Move devices icon. The Move Devices page is displayed.
   You can assign only particular devices for which the group is created. For example, if a group is created for Access Points only, then only Access Points can be assigned to that group. You cannot assign other devices to it.
5. Select the Destination Group from the drop-down list.
6. Click Move. The selected devices are moved to the destination group. These devices will adopt the destination group configuration.

Creating a New Group by Importing Configuration from a Device

You can create a new group by importing configuration from a device. The import configuration is supported only for IAPs with ArubaOS 8 architecture. You can create a new group for IAPs with ArubaOS 8 architecture by importing configuration from an IAP. You can add more devices later by editing the group.

To import configuration from an existing IAP to a new group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand a group which has IAP devices.
5. Select the IAP with ArubaOS 8 architecture.
6. Click the Import Group icon. The Import Configuration pop-up window is displayed.
7. Enter a name for the group.
8. Click Add. A group is created with the configuration imported from a device.

Viewing Groups and Associated Devices

To view the groups dashboard, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed. The groups table lists all the groups and displays the following information:
   - Groups--Number of total groups.
   - Group Name--Name of the group. You can filter the list with a group name and sort the groups list in ascending and descending order. For each group, the next column displays the device icons that are part of the group. Hover over a group to see the Edit, Clone, Go to Config, and Delete icons.
   - Search--You can use the search functionality to search for a device name, MAC address, and serial number.
   - All Connected Devices--Total number of devices provisioned in Aruba Central. The devices table on the right side of the page shows all the devices provisioned in Aruba Central.
   - Unprovisioned devices--This group lists the licensed devices that are never connected to Aruba Central but not assigned to any group. This group cannot be edited or deleted.
4. To view the devices assigned to a group, expand the group from the groups table. You can see the following information:
   - Device Name--Name of the device.
   - Type--Type of the device such as Instant AP or Switch.
   - Serial Number--Serial number of the device.
   - MAC Address--MAC address of the device.

Cloning a Group

Cloning a group copies the architecture and persona of the source group. To clone a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. To create a clone of an existing group, hover over the group in the groups table and click the Clone Group icon. The Clone Group page is displayed.
5. Enter a name for the cloned group.
6. Click Clone. A new group is created from the source group settings.

When you clone a group, Aruba Central also copies the configuration templates applied to the devices in the group.

Moving Devices between Groups

You can move devices between groups. When devices are moved from one group to another group, the devices will adopt the destination group configuration.

You can assign only the particular device type for which the group is created. For example, if a group is created for Access Points only, then only Access Points can be assigned to that group. You cannot assign other device types to it.

To move a device from one group to another group:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand a group from which you want to move devices to the selected group.
   For example, expand the Unprovisioned Devices group, select the devices, and then click the Move devices icon. The Move Devices page is displayed.
5. Select the Destination Group from the drop-down list.
   For AOS-CX switches, you can select the Retain CX-Switch Configuration check box to retain the existing configuration of the switch. This option is available only for the AOS-CX Switches (stack and standalone) while moving them from a Template or UI group to a different UI group. If the configuration of the device being moved differs from that of the group, Aruba Central retains the device configuration as device overrides.
6. Click Move. The selected devices are moved to the destination group. These devices will adopt the destination group configuration.

MSP mode does not support moving devices across different groups.

Moving Instant Access Point(s) Between Groups

In Aruba Central, an Instant AP device group may consist of any of the following:
- Instant AP--Consists of a commander Instant AP.
- Virtual Controller (VC)--VC provides an interface for the entire cluster. The member Instant APs and commander Instant APs function together to provide a virtual interface.

In a typical Instant AP deployment scenario, the first Instant AP that comes up is elected as the commander Instant AP. All other Instant AP(s) joining the cluster function as the member Instant AP(s). When a commander Instant AP is configured, the member Instant AP(s) download the configuration changes. The commander Instant AP may change as necessary from one device to another without impacting network performance.

To move an Instant AP or VC from one group to another group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand a group from which you want to move the Instant APs.
5.
   Select the devices, and then click the Move devices icon. The Move Devices page is displayed. Moving a VC also moves the member IAP(s) to the new group.
6. Select the Destination Group from the drop-down list.
7. Click Move.

MSP mode does not support moving devices across different groups.

Important Points to Note
- The Instant AP(s) inherit the configuration of the group to which they are moved. However, only the system configuration is inherited and the Per AP Settings on the IAP(s) are retained.
- If the Instant AP(s) did not inherit the configuration of the new group, go to the Configuration Audit page of the IAP(s) to check the configuration difference. For more information, see Viewing Configuration Status.
- If firmware compliance is enabled on the new group and if the firmware version enforced by the group is different from the IAP(s) firmware version, the firmware is upgraded and the IAP(s) reboot.

Deleting a Group

If you no longer require a group, you can delete it. The delete option is available only for the groups that have no devices.

To delete a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. From the list of groups, hover over the group in the groups table and click the Delete Group icon. The Delete Group confirmation window is displayed.
5. Click Yes to confirm. The group is deleted.

Caveats for Group Management

The following section provides details on the caveats to be noted in Group Management in Aruba Central.
- In the Groups table, the device list grid displays empty cells on continuous scrolling.
- If a gateway group name consists of a special character such as the '+' symbol, the gateway configuration page does not work properly.
- The AOS-CX configuration icon is not displayed for groups in which template configuration is applied for AP and gateway, and the UI configuration is applied for the switches.
- For groups for which the workflow is not set by the administrators, the guided setup wizard pops up when a read-only user tries to access the configuration screens in the group.
- For groups for which the simplified workflow is not set by the administrators, the guided setup wizard pops up for a user while accessing the gateway configuration screens in the group and the read-only user is not able to exit the wizard. However, admin users can click Cancel and exit from the guided setup wizard. After this, the read-only users will not encounter the issue again for that group.
- No warning message is displayed on the UI when devices are provisioned to an unsupported group. Check the audit trail to see the status of preprovisioning.
- Cloning an AP group with type Campus, Branch, or Microbranch does not copy the overlay configurations of that AP to the newly cloned AP group. For more information on Campus or Branch overlay configuration, see Configuring VLAN Settings for Wireless Network.

Setting up Password for Devices in a Group

When you create a new group and assign devices to the group, you must set the password for the devices before proceeding with any device configuration.

Setting the Password for Access Points

To set the password for access points in a group, complete the following steps:
1. Navigate to the access points configuration page using either of the following methods:
   - Set the filter to a Group, navigate to Manage > Devices, select the Access Points tab, click the Config icon.
   - Set the filter to Global, navigate to Maintain > Organization > Network Structure > Groups, then select a group and click the Go to config icon.
   The 'Set Device Password' pop-up is displayed to set the password for access points.
2.
   Enter the password, confirm it, and click Set Password. The password is set for the access points.

Setting the Password for AOS-S Switches

To set the password for AOS-S switches in a group, complete the following steps.

If the password is not set for the AOS-S switches, any user can access the switch using SSH or Telnet and change its configuration. You must therefore set the password before proceeding with any configuration.

1. Navigate to the AOS-S switches configuration page using either of the following methods:
   - Set the filter to a Group, navigate to Manage > Devices, select the Switches tab.
   - Set the filter to Global, navigate to Maintain > Organization > Network Structure > Groups, select a group, click the Go to config icon, and select the Switches tab.
2. Select the AOS-S Config icon.
3. Navigate to System > Access/DNS.
4. Enter the Admin Username, Admin Password, then Confirm Password.
5. Click Save Settings. The password is set for the AOS-S switches.

Setting the Password for AOS-CX Switches

To set the password for AOS-CX switches in a group, complete the following steps:
1. Navigate to the AOS-CX switches configuration page using either of the following methods:
   - Set the filter to a Group, navigate to Manage > Devices, select the Switches tab.
   - Set the filter to Global, navigate to Maintain > Organization > Network Structure > Groups, select a group, click the Go to config icon, and select the Switches tab.
2. Select the AOS-CX Config icon. The Set Device Password pop-up is displayed.
3. Enter the Administrator password and click Save. The password is set for the AOS-CX switches.

Setting the Password for Gateways

To set the password for gateways in a group, complete the following steps:
1. Navigate to the gateways configuration page using either of the following methods:
   - Set the filter to a Group, navigate to Manage > Devices, then select the Gateways tab, click Config.
   - Set the filter to Global, navigate to Maintain > Organization > Network Structure > Groups, then select a group and click Go to config, select the Gateways tab.
2. In the Advanced Mode, select System > General > Basic Info.
3. Enter the password in the Password for user admin field.
4. Retype the password and click Save Settings. The password is set for the gateways.

Provisioning Devices Using UI-based Workflows

This section describes the important points to consider when assigning devices to UI groups:
- Provisioning Instant APs using UI-based Configuration Method
- Provisioning Switches Using UI-based Configuration Method
- Provisioning Aruba Gateways Using UI-based Configuration Method

Provisioning Instant APs using UI-based Configuration Method

An Instant AP device group may consist of any of the following:
- Instant AP Cluster--Consists of a conductor Instant AP and member Instant APs in the same VLAN.
- VC--A virtual controller. VC provides an interface for the entire cluster. The member Instant APs and conductor Instant APs function together to provide a virtual interface.
- Conductor Instant AP and Member Instant AP--In a typical Instant AP deployment scenario, the first Instant AP that comes up is elected as the conductor Instant AP. All other Instant APs joining the cluster function as the member Instant APs. When a conductor Instant AP is configured, the member Instant APs download the configuration changes. The conductor Instant AP may change as necessary from one device to another without impacting network performance.

Aruba Central allows configuration operations at the following levels for a device group with Instant APs.
- Per group configuration--Aruba Central allows you to maintain unique configuration settings for each group. However, these settings are applied to all devices within that group. For example, all VCs within a group can have common SSID settings.
- Per VC Configuration--Any changes that need to be applied at the Instant AP cluster level can be configured on a VC within a group. For example, VCs within a group can have different VLAN configuration for the SSIDs.
- Per Device Configuration--Although devices are assigned to a group, the users can maintain device-specific configuration such as radio, power, or uplink settings for an individual AP within a group.

When the APs that are not pre-provisioned to any group join Aruba Central, they are assigned to groups based on their current configuration.

Table 87: Instant AP Provisioning

APs with Default Configuration
  If an Instant AP with factory default configuration joins Aruba Central, it is automatically assigned to the default group or an existing group with similar configuration settings. The administrators can perform any of the following actions:
  - Manually assign them to an existing group.
  - Create a new group.

APs with Non-Default Configuration
  If an Instant AP with non-default or custom configuration joins Aruba Central, it is automatically assigned to an unprovisioned group. The administrators can perform any of the following actions:
  - Create a new group for the device and preserve device configuration.
  - Move the device to an existing group and override the device configuration.

Ensure that the conductor Instant AP and member Instant APs are assigned to the same group. You must convert the member Instant AP to a standalone AP in order to move the member Instant AP to another group independently.

In the following illustration, Instant APs from three different geographical locations are grouped under California, Texas, and New York states. Each state has unique SSIDs and can support devices from multiple locations in a state.
As shown in Figure 104, the California group has devices from different locations and has the same SSID, while devices in the other states/groups have different SSIDs. When a device with the factory default configuration connects to Aruba Central, it is automatically assigned to the default group. If the device has custom configuration, it is marked as unprovisioned. If you want to preserve the custom configuration, create a new group for the device. If you want to overwrite the custom configuration, you can assign the device to an existing group.

Figure 104 Instant AP Provisioning

For more information on how to configure Instant APs using UI-based configuration workflows, see Deploying a Wireless Network Using IAPs.

To view local overrides and configuration errors, select a template group and navigate to Devices > Access Points > Settings > Configuration Audit page.

Provisioning Switches Using UI-based Configuration Method

Aruba Central allows switches to join UI groups only if the switches are running factory default configuration. Aruba Central assigns switches with factory default configuration to the default group. The administrators can either move the switch to an existing group or create a new group.

Provisioning and configuring of Aruba 5400R switch series and switch stacks is supported only through configuration templates. Aruba Central does not support moving Aruba 5400R switches from the template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, then the device is moved to an unprovisioned group after it joins Aruba Central.

Aruba Central allows configuration operations at the following levels for switches in a UI group:
- Per group configuration--Aruba Central allows you to maintain unique configuration settings for each group. However, these settings are applied to all devices within that group. For example, all switches within a group can have common VLAN settings.
- Per Device Configuration--Although the Switches inherit group configuration, the users can maintain device-specific configuration, for example, ports or DHCP pools.

For more information on how to configure switches using UI-based configuration workflows, see Configuring or Viewing AOS-S Properties in UI Groups.

To view local overrides and configuration errors, select a template group and navigate to Devices > Switches > Settings > Configuration Audit page.

Provisioning Aruba Gateways Using UI-based Configuration Method

For SD-Branch deployments with Aruba Gateways, the following recommendations apply:
- Combine Branch Gateways of identical characteristics and configuration requirements under a single group.
- Create groups according to your branch requirements.
  - You can create separate groups for the small, medium, and large sized branches.
  - You can also create separate groups for the branch sites in different geographical locations; for example, East Coast and West Coast branch sites. If these groups have similar characteristics with minor differences, you can create the first group and then clone it.
  - You can use either a single group for all their devices or deploy devices in multiple groups. For example, you can deploy 7008 controllers and Aruba 2930F Switch Series with 24 ports in a single group for every branch.
  - You can also deploy 7005 controller and Aruba 2930F Switch Series with 24 ports in one group and provision 7008 controller with Aruba 2930F Switch Series with 48 ports in another group.

Important Points to Note
- The groups in Aruba Central are not device-specific; however, Aruba recommends that you use the following guidelines for provisioning SD-WAN Gateways.
  - Assign Branch Gateways and VPN Concentrators to separate groups. Because the configuration requirements for Branch Gateways and VPN Concentrators are different, the Branch Gateways and VPN Concentrators must be assigned to different groups.
  - Ensure that the configuration group for SD-WAN Gateways consists of the same type of devices. For example, Branch Gateways assigned to a group must have the same number of ports.
- Before assigning SD-WAN Gateways to groups, you must set the device persona or role as Branch Gateway or VPN Concentrator.

Example

The following figures show a few sample group deployment scenarios for Aruba Branch Gateways and VPN Concentrators:

Figure 105 Branch Gateway Groups

Figure 106 VPN Concentrator Groups

For more information on how to configure Aruba using UI-based configuration workflows, see the SD-Branch Configuration section in Aruba Central Help Center.

To view local overrides and configuration errors, select a template group and navigate to Devices > Gateways > Settings > Configuration Audit page.

Provisioning Devices Using Configuration Templates

Aruba Central allows you to provision devices using the UI-based or template-based configuration method. If you have groups with template-based configuration enabled, you can create a template with a common set of CLI scripts, configuration commands, and variables. Using templates, you can apply CLI-based configuration parameters to multiple devices in a group.

If the template-based configuration method is enabled for a group, the UI configuration wizards for the devices in that group are disabled.

Creating a Group with Template-Based Configuration Method

To create a template group, complete the following steps:
1. From the Network Operations app, filter Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Click (+) Add Group on the Groups table. The Add Group page is displayed.
5. Enter the name of the group.
6. Select one of the following device types for which you want to create a template group:
   - IAP and Gateway
   - Switch
7. Click Next.
   By default, the Aruba Instant OS architecture is applied for access points and gateways. The network role for access points and gateways is Instant access points and WLAN with branch gateways respectively. For more information about group persona and architecture, see Group Persona.
8. Optionally, select the Make these the preferred group settings check box to save the architecture and persona settings of the current group for subsequent group creations.
9. Click Add. A template group with persona configuration is created.

If the group is set as a template group, a configuration template is required for managing device configuration.

Provisioning Devices Using Configuration Templates and Variable Definitions

For information on configuration templates, see the following topics:
- Configuring APs Using Templates
- Using Configuration Templates for AOS-S Management
- Managing Variable Files

Managing Variable Files

Aruba Central allows you to configure multiple devices in bulk using templates. However, in some cases, the configuration parameters may vary per device. To address this, Aruba Central identifies some customizable CLI parameters as variables and allows you to modify the definitions for these variables as per your requirements.

You can download a sample file with variables for a template group or for the devices deployed in a template group, update the variable definitions, upload the file with the customized definitions, and apply these configuration changes in bulk.

Important Points to Note
- Variables are associated to a device and not to a group. If you move a device between groups, variables remain with the device.
- Variables are displayed as part of the group to which the device belongs. After you upload the variables for a device, the association stays in the system even if the device is moved to a UI group or template group.
- If the device is part of a UI group, variables are unused and not displayed in the UI.
  Aruba Central ignores the variables.
- If the device is moved to a template group, variables are displayed in the UI and used for configuration purposes.

Downloading a Sample Variables File

The sample variables file includes a set of sample variables that the users can customize. You can download the sample variables file in the JSON or CSV format.

To download a sample variables file:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Click Variables.
5. Select one of the following formats to download the sample variables file:
   - JSON--Shows the file in JSON format.
   - CSV--Shows the variables in different columns.
6. Click Download Sample Variables File. The sample variables file is saved to your local directory.

Modifying a Variable File

The CSV file includes the following columns for which the variable definitions are mandatory:
- _sys_serial--Serial number of the device.
- _sys_lan_mac--MAC address of the device.
- modified--Indicates the modification status of the device. The value for this column is set to N in the sample variables file. When you edit a variable definition, set the modified column to Y to allow Aruba Central to parse the modified definition.

Note the following:
- The CSV file must contain only one modified column with the value Y in each row where the variables are modified.
- The modified column is not required when using JSON files to upload the variables.

Following is an example format of the CSV file with the modified column.

Predefined Variables for Aruba Switches

The system-defined variables in the sample variables files are indicated with the _sys_ prefix. Table 88 lists the predefined variables for switches.

Table 88: Predefined Variables Example

_sys_gateway
  Description: Populates gateway IP address.
  Variable value: 10.22.159.1

_sys_hostname
  Description: Maintains unique host name.
  Variable value: HP-2920-48G-POEP

_sys_ip_address
  Description: Indicates the IP address of the device.
  Variable value: 10.22.159.201

_sys_module_command
  Description: Populates module lines.
  Variable value: module 1 type j9729a

_sys_netmask
  Description: Netmask of the device.
  Variable value: 255.255.255.0

_sys_oobm_command
  Description: Represents Out of Band Management (OOBM) block.
  Variable value: oobm ip address dhcp-bootp exit

_sys_snmpv3_engineid
  Description: Populates engine ID.
  Variable value: 00:00:00:0b:00:00:5c:b9:01:22:4c:00

_sys_stack_command
  Description: Represents stack block.
  Variable value: stacking member 1 type "J9729A" mac-address 5cb901224c00 exit

_sys_template_header
  Description: Represents the first two lines of the configuration file. Ensure that this variable is the first line in the template.
  Variable value: ; J9729A Configuration Editor; Created on release #WB.16.03.0003+ ; Ver #0f:3f.f3.b8.ee.34.79.3c.29.eb.9f.fc.f3.ff.37.ef:91

_sys_use_dhcp
  Description: Indicates DHCP status (true or false) of VLAN 1
  Variable value: 0

_sys_vlan_1_untag_command
  Description: Indicates untagged ports of VLAN 1
  Variable value: 1-28,A1-A2

_sys_vlan_1_tag_command
  Description: Indicates tagged ports of VLAN 1
  Variable value: 28-48

The _sys_template_header and _sys_snmpv3_engineid variables are mandatory and must have their values populated, irrespective of their use in the template. If there is no value set for these variables, Aruba Central re-imports the values for these mandatory variables when it processes the running configuration of the device.

Predefined Variables for APs

For APs, the sample variables file includes the _sys_allowed_ap variable for which you can specify a value to allow new APs to join the Instant AP cluster.

Conditions

The following conditions apply to the variable files:
- The variable name must be on the left side of a condition and its value must be defined on the right side. For example, %if var=100% is supported and %if 100=var% is not supported.
- The < or <= or > or >= operators should have only a numeric integer value on the right side. The variables used in these 4 operations are compared as integers after flooring.
  For example, if any float value is set as %if dpi_value > 2.8%, it is converted to %if dpi_value > 2% for comparison.
- The variable names should not include white space or the & and % special characters. The variable names must match the regular expression [a-zA-Z0-9_]. If variable values with % are defined, ensure that the variable is surrounded by spaces. For example, wlan ssid-profile %ssid_name%.
- The first character of the variable name must be an alphabetic character. Numeric values are not accepted.
- The values defined for the variable must not include spaces. If quotes are required, they must be included as part of the variable value. For example, if the intended configuration line is wlan ssid-profile "emp ssid", then the recommended format for the syntax is "wlan ssid-profile %ssid_name%" and the variable is "ssid_name": "\"emp ssid\"".
- If the configuration text has the percentage sign % in it--for example, "url "/portal/scope.cust5001098/Splash%20Profile%201/capture"--Aruba Central treats it as a variable when you save the template. To allow the use of percentage % as an escape character, use \" in the variable definition as shown in the following example:

  Template text

    wlan external-captive-portal "Splash Profile 1_#guest#_"
     server naw1.cloudguest.central.arubanetworks.com
     port
     url %url%

  Variable

    "url": "\"/portal/scope.cust-5001098/Splash%20Profile%201/capture\""

- Aruba Central supports adding multiple lines of variables in Instant AP configuration templates. If you want to add multiple lines of variables, you must add the HAS_MULTILINE_VARIABLE directive at the beginning of the template.

  Example

    #define HAS_MULTILINE_VARIABLE 1
    %if allowed_aps%
    %allowed_aps%
    %endif%

  Variable

    "allowed_aps": "allowed-ap 24:de:c6:cb:76:4e\n allowed-ap ac:a3:1e:c5:db:d8\n allowed-ap 84:d4:7e:c4:8f:2c"

For Instant APs, you can configure a variable file with a set of values defined for a master AP in the network.
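The rules under Conditions can be checked offline before a variables file and template are uploaded. The following Python linter is an added example, not Aruba code: the device keys, values and template text are constructed, and treating names with the _sys_ prefix as system-defined (exempt from the first-character rule) and skipping the space rule for multi-line values are assumptions drawn from the samples on this page.

```python
import math
import re

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")   # user-defined: letter first, then [a-zA-Z0-9_]
SYS_RE = re.compile(r"^_sys_[A-Za-z0-9_]+$")        # assumption: _sys_ names are system-defined
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
TOKEN_RE = re.compile(r"%([^%\n]+)%")               # text between two % signs on one line
COND_RE = re.compile(r"^if\s+(\S+?)\s*(<=|>=|=|<|>)\s*(\S+)$")
NUMBER_RE = re.compile(r"^-?\d+(\.\d+)?$")
REQUIRED = ("_sys_serial", "_sys_lan_mac")


def is_name(text):
    """True for a valid user-defined or system-defined variable name."""
    return bool(NAME_RE.match(text) or SYS_RE.match(text))


def lint_variables(devices):
    """Check a parsed JSON variables file: {device key: {variable: value}}."""
    issues = []
    for key, variables in devices.items():
        for required in REQUIRED:
            if not variables.get(required):
                issues.append(f"{key}: missing {required}")
        mac = variables.get("_sys_lan_mac", "")
        if mac and not MAC_RE.match(mac):
            issues.append(f"{key}: _sys_lan_mac is not a MAC address")
        for name, value in variables.items():
            if SYS_RE.match(name):
                continue
            if not NAME_RE.match(name):
                issues.append(f"{key}: invalid variable name {name!r}")
            text = str(value)
            quoted = len(text) >= 2 and text[0] == '"' and text[-1] == '"'
            # Assumption: multi-line values (HAS_MULTILINE_VARIABLE) are not checked for spaces.
            if " " in text and "\n" not in text and not quoted:
                issues.append(f"{key}: value of {name!r} has spaces but no quotes")
    return issues


def lint_template(template, defined):
    """Check %...% tokens in template text against one device's variables."""
    issues = []
    for token in TOKEN_RE.findall(template):
        token = token.strip()
        if token == "endif":
            continue
        if token.startswith("if "):
            match = COND_RE.match(token)
            lhs, op, rhs = match.groups() if match else (token[3:].strip(), None, None)
            if not is_name(lhs):
                issues.append(f"condition {token!r}: variable name must be on the left side")
            elif lhs not in defined:
                issues.append(f"condition {token!r}: {lhs} is not defined")
            if op in ("<", "<=", ">", ">="):
                if not NUMBER_RE.match(rhs):
                    issues.append(f"condition {token!r}: right side of {op} must be numeric")
                elif float(rhs) != math.floor(float(rhs)):
                    floored = math.floor(float(rhs))
                    issues.append(f"condition {token!r}: {rhs} is compared as {floored}")
            continue
        if not is_name(token):
            # A literal % in configuration text (for example %20 in a URL) lands here.
            issues.append(f"{token!r}: text between % signs is parsed as a variable; "
                          "move it into a variable value")
        elif token not in defined:
            issues.append(f"{token}: referenced in template but not defined")
    return issues


# Constructed sample input (placeholder serial numbers and MAC addresses).
SAMPLE_VARIABLES = {
    "SERIAL0001": {"_sys_serial": "SERIAL0001", "_sys_lan_mac": "02:00:00:00:00:01",
                   "ssid_name": '"emp ssid"', "dpi_value": "3"},
    "SERIAL0002": {"_sys_serial": "SERIAL0002", "_sys_lan_mac": "",
                   "ssid name": "guest", "9vlan": "10", "banner": "lab switch"},
}
SAMPLE_TEMPLATE = """wlan ssid-profile %ssid_name%
%if dpi_value > 2.8%
%endif%
%if 100=dpi_value%
%endif%
url "/portal/Splash%20Profile%201/capture"
"""

if __name__ == "__main__":
    for line in lint_variables(SAMPLE_VARIABLES):
        print(line)
    for line in lint_template(SAMPLE_TEMPLATE, SAMPLE_VARIABLES["SERIAL0001"]):
        print(line)
```

The input to lint_variables is the dictionary obtained by loading the JSON variables file; conditions and directives other than the %if% and %endif% forms shown on this page are not handled.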
When the variable file is uploaded, the configuration changes are applied to all Instant AP devices in the cluster.

Examples

The following example shows the contents of a variable file in the JSON format for Instant APs:

{
  "CK0036968": {
    "_sys_serial": "CK0036968", "ssid": "s1", "_sys_lan_mac": "ac:a3:1e:c5:db:7a",
    "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8", "hostname": "Uber_1"
  },
  "CJ0219729": {
    "_sys_serial": "CJ0219729", "ssid": "s1", "_sys_lan_mac": "ac:a3:1e:cb:04:92",
    "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8", "hostname": "Uber_2"
  },
  "CK0112486": {
    "_sys_serial": "CK0112486", "ssid": "s1", "_sys_lan_mac": "ac:a3:1e:c8:29:76",
    "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8", "hostname": "Uber_3"
  },
  "CT0779001": {
    "_sys_serial": "CT0779001", "ssid": "s1", "_sys_lan_mac": "84:d4:7e:c5:c6:b0",
    "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8", "hostname": "Uber_4"
  },
  "CM0640401": {
    "_sys_serial": "CM0640401", "ssid": "s1", "_sys_lan_mac": "84:d4:7e:c4:8f:2c",
    "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8", "hostname": "Uber_6"
  },
  "CK0037015": {
    "_sys_serial": "CK0037015", "ssid": "s1", "_sys_lan_mac": "ac:a3:1e:c5:db:d8",
    "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8", "hostname": "Uber_7"
  },
  "CK0324517": {
    "_sys_serial": "CK0324517", "ssid": "s1", "_sys_lan_mac": "f0:5c:19:c0:71:24",
    "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8", "hostname": "Uber_8"
  }
}

Figure 107 shows a sample variables file in the CSV format:

Figure 107 Variables File in the CSV Format

Uploading a Variable File

To upload a variable file, complete the following steps:

While uploading the variables file to Aruba Central in the CSV format, make sure to:
- Choose the default language in Microsoft Excel as English (United States).
- Add only one modified column in the CSV file with the value Y in each row where the variables are modified.

1. Ensure that the _sys_serial and _sys_lan_mac variables are defined with the serial number and MAC address of the devices, respectively.
2. In the Network Operations app, set the filter to one of the template groups under Groups.
3. Under Manage, click Devices > Switches.
4. Click the Config icon.
5. Click Variables.
6. Click Upload Variables File and select the variable file to upload.
7. Click Open. The contents of the variable file are displayed in the Variables table.
8. To search for a variable, specify a search term and click the Search icon.
9. To download a variable file with device-specific definitions, click the download icon in the Variables table.

Modifying Variables

To modify variables without downloading a variable file, modifying the variable file, and uploading the customized variable file:

1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Click Variables.
5. Select a device and variable.
6. Modify the value and click Add to Modifications.
7. Click Save.

Alternatively, to modify a single variable without downloading a variable file, modifying the variable file, and uploading the customized variable file:

1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Hover over a desired variable and click Edit.
5. Modify the value and click Save.
6. Click Save.

Backing Up and Restoring Configuration Templates

Aruba Central allows you to create a backup of configuration templates and variables that you can restore in the event of a failure or loss of data. The Configuration Backup and Restore feature is available in the Configuration Audit page for devices deployed using the template-based configuration method.

The Configuration Backup and Restore feature enables administrators to perform the following functions:

- Back up templates and variable files applied to the devices managed using the template-based configuration method.
- Restore an earlier known working combination of the configuration template and device variables in the event of a failure.

Important Points to Note

- The backup and restoration options are available for devices deployed using the template-based configuration method.
- When the backup or restore for a group is in progress, you cannot make configuration changes to that group.
- The restore operation restores the variables only for the devices that are currently provisioned or preprovisioned to the group.
- The restore operation is terminated if the firmware version running on any one device in the group does not match the firmware version in the backed up file that is being restored.
  For example, if the configuration file was backed up when a switch was running 16.03.0003 and was later upgraded to 16.04.0003, the restore operation fails for the group.
- The restore operation deletes any templates applied to the group before the restore. It also deletes and replaces device variables with the backed up version that is being restored.
- The details pertaining to the actions carried out during the backup and restore operations are logged in the Audit Trail page.

Creating a Configuration Backup

To back up configuration templates and variables applied to devices:

1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Navigate to the Configuration Audit page. See Viewing Configuration Status.
3. Under Configuration Backup and Restore, click New Configuration Backup. The Create New Backup window is displayed.
4. Enter a Backup Name.
5. Select Do Not Delete if you do not want the backed up file to be deleted by a new backup after the threshold of 20 backups is exceeded.
   You can create and maintain up to 20 backed up configuration files. If the number of backup files exceeds 20, the old backed up configuration files are overwritten. However, if the backed up files are marked as Do Not Delete, Aruba Central does not overwrite the backed up configuration files.
6. Click OK. The Confirm Backup window is displayed.
7. Read through the information. Select the check box to confirm that configuration changes to the group cannot be done when the backup is in progress.
8. Click Proceed. The backup for the group configuration is created.

Viewing Contents of a Backed Up Configuration

To view the contents of a backed up configuration:

1. Click the Manage Backup option.
2. Download the backup and untar the downloaded file.

The following example shows the tree structure of a typical backup download.
<backup-name_timestamp>
  templates
    <hppctemplate1.tmpl>
    <iaptemplate1.tmpl>
    template_meta.json
  variables
    HPPC_variables_1.json
    IAP_variables_1.json
    devices_meta.json

The variables are stored according to the device type, such as Instant APs and Aruba Switches. For example, for all Instant APs, the variables are aggregated and stored together. The aggregated file can include variables for up to 80 devices or up to 5 MB of variables data, based on whichever condition is met first. When the number of variables or the data size exceeds this limit, new aggregate files are created and added to the backup until all the variables in the selected group are backed up.

The variable data limit applies only to the aggregated files. Aruba Central does not impose any limit on the number of devices or the device variables that can be backed up.

The following details are available for a backed up configuration snapshot:

- Backups--Provides details of the number of available and allowed backups and allows you to perform the following actions:
  - Manage group configuration backups
  - Create new configuration backups
  - Modify backup delete protection
- Last Backup--Provides details of the status and the timestamp of the last backup.
- Last Restore--Provides details of the status and the timestamp of the last restore.

Restoring a Backed Up Configuration

To restore a backed up configuration snapshot:

1. In the Network Operations app, use the filter to select a group that uses the template-based configuration method.
2. Navigate to the Configuration Audit page. See Viewing Configuration Status.
3. Under Configuration Backup and Restore, click Restore Configuration Backup. The Restore from Backup window is displayed.
4. Select the backup name that you want to restore from the Backup Name drop-down list.
5. Select the required device type from the Device Type drop-down list.
   Selecting a device type allows you to restore the backed up configuration by the specific device type, for example, Instant APs, Aruba Switch. By default, All is selected. When the device type is set to All, configuration restore does not follow any specific order.
6. Click OK. The Confirm Configuration Restore window is displayed.
7. Read the instructions and select the check boxes to confirm your action for configuration restore.
8. Click Proceed. The selected backup configuration is restored.

Aruba recommends that the administrators take a backup of the current configuration of the group before the restore operation.

Managing Backups

To manage the backed up configuration files:

1. In the Network Operations app, use the filter to select a group that uses the template-based configuration method.
2. Navigate to the Configuration Audit page. See Viewing Configuration Status.
3. Under Configuration Backup and Restore, click Manage Backup. The Last <#> Backups window is displayed.
4. View the backup details such as date and time of backup, backup name, username, and the delete protection status for each configuration backup.
5. Click Close.
6. Click Last Backup Log to view the details of the latest backup. The Last Backup Log window displays the following details:
   - Group name
   - Backup name
   - Username that initiated the configuration backup
   - Details on whether templates and device variables are being saved, and completion of the configuration backup process.
7. To get the status of the last restore, click Last Restore Log. To get the error log for a restore error event, click Last Restore Error Log.

Backing Up and Restoring Templates and Variables Using APIs

Aruba Central supports the following NB APIs for the backup and restore feature:

- Create new configuration backup for group:
  [POST] /configuration/v1/groups/snapshot/{group}
- Create backups for multiple groups associated with a customer account:
  [POST] /configuration/v1/groups/snapshot/create_backups
  Aruba Central creates a backup of configuration template and variables only for the groups included in the API request payload. You can use the include or exclude parameters to create backups for a specific list of groups. The following table describes the API response based on the inputs provided in the parameters:

  Table 89: API Functionality for Backup Creation
  include_groups | exclude_groups | API Functionality
  No groups specified | No groups specified | Raises an exception to either include or exclude groups.
  group names | group names | Raises an exception to include or exclude groups.

  Table 89 (continued)
  include_groups: [] ; group names ; No groups specified ; No groups specified
  exclude_groups: No groups specified ; No groups specified ; ALL_GROUPS ; group names
  API Functionality: Raises an exception to provide valid values for the include groups parameter. ; Includes selected groups for the backup operation. ; Creates a backup for all groups. ; Does not create backup for the excluded groups.

- Restore a backed up version of the configuration template for all devices in a group:
  [POST] /configuration/v1/groups/<group_name>/snapshots/<snapshot_name>/restore
  The API restores a specific version of the backup snapshot for the group specified in the API request.
- Restore a backed up version of the configuration template by device type:
  The [POST] /configuration/v1/groups/{group}/snapshots/{snapshot}/restore API provides you an option to restore the configuration by device type. By selecting a specific device type, you can control the order in which the configuration is restored by device type.
  This minimizes the impact of the configuration restore activity on the network.

If monitor mode is enabled at the device level, the selected device functions in the monitor mode. If the monitor mode is enabled at the group level, all devices in the group inherit this setting.

If a device managed by Aruba Central displays a configuration sync issue and persistently fails to receive configuration updates from Aruba Central, contact Aruba Central Technical Support.

Managing Sites and Labels

This section provides an overview of sites, labels, and device classification.

Sites

A site refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Aruba Central allows you to use sites as a primary navigation element. For example, if your devices are deployed in a campus, you could create a site called CampusA. You can also tag the devices within CampusA using labels. For example, if the campus consists of multiple buildings, the devices deployed in the campus can be labeled as Building1 or Lobby.

If the devices in a specific location or an area within a specific location must have similar configuration, the devices can be grouped together. For more information, see Managing Sites.

Labels

Labels are tags attached to a device provisioned in the network. Labels determine the ownership, departments, and functions of the devices. You can use labels for creating a logical set of devices and use these labels as filters when monitoring devices and generating reports.

For example, consider an Instant AP labeled as Building 25 and Lobby. These tags identify the location of the Instant AP within the enterprise campus or a building. The Instant APs in other buildings within the same campus can also be tagged as Lobby. To filter and monitor Instant APs in the lobbies of all the campus buildings, you can tag all the Instant APs in a lobby with the label Lobby. For more information, see Managing Labels.

Device Classification

Devices can also be classified using Groups and Sites.

- The group classification can be used for role-based access to a device, while labels can be used for tagging a device to a location or a specific area at a physical site. However, if a device is already assigned to a group and has a label associated with it, it is classified based on both groups and labels.
- The site classification is used for logically grouping devices deployed at a given physical location. You can also convert labels to sites.

Ensure you have un-assigned the sites and labels of a device before performing the following tasks for the device:
- Dismantling or updating, or changing a switch stack and its members.
- Deleting a device from the Monitoring page.

Managing Sites

The Sites page allows you to create sites, view the list of sites configured in your setup, and assign devices to sites. The Sites page includes the following functions:

Table 90: Sites Page
Parameter | Description
Convert Labels to Sites | Allows you to convert existing labels to sites. To convert labels, download the CSV file with the list of labels configured in your setup, add the site information, and upload the CSV file. For more information, see Creating a Site.
New Site | Allows you to create a new site.
Bulk upload | Allows you to add sites in bulk from a CSV file.

Sites Table

The sites table displays a list of sites configured. It provides the following information:

Table 91: Sites Table
Parameter | Description
Site Name | Name of the site.
Address | Physical address of the site.
Device Count | Number of devices assigned to a site.

The table also includes the following sorting options to reset the table view on the right:
- All Devices--Displays all the devices provisioned in Aruba Central.
- Unassigned--Displays the list of devices that are not assigned to any site.
You can also use the filter and sort icons on the Sites and Address columns to filter and sort sites respectively.

Devices Table

The devices table displays a list of devices provisioned. It provides the following information:

Table 92: Devices Table
Parameter | Description
Name | Name of the device.
Group | Group to which the device is assigned.
Type | Type of the device.

Creating a Site

A site refers to a physical location where a set of devices are installed; for example, campus or branch. If your devices are deployed in a campus, you could create a site with the campus name. You can use the sites to monitor devices installed on a physical location.

To create a site, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. To add a new site, click (+) New Site. The Create New Site pop-up window opens.
5. In the Create New Site pop-up window, enter the following details:
   a. Site Name--Name of the site. The site name can be a maximum of 255 single byte characters. Special characters are allowed.
   b. Street Address--Address of the site.
   c. City--City in which the site is located.
   d. Country--Country in which the site is located.
   e. State/Province--State or province in which the site is located.
   f. ZIP/Postal Code--(Optional) ZIP or postal code of the site.
6. Click Add. The new site is added to the Sites table.

Adding Multiple Sites in Bulk

You can add multiple sites by creating and importing a CSV file with mandatory information such as the site name, address, city, state, and country details.

To import site information from a CSV file, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile.
   The Manage Sites page is displayed.
4. Click (+) Bulk upload. The Bulk Upload pop-up opens.
5. Download a sample file.
6. Fill in the site information and save the CSV file in your local directory. The CSV file for bulk upload of sites must include the mandatory information such as the name, address, city, state, and country details.
7. In the Aruba Central UI, click Browse and add the file from your local directory.
8. Click Upload. The sites from the CSV file are added to the site table.

Assigning a Device to a Site

Sites are used to group devices by a physical location. You can assign devices to a site to group them and monitor based on the site name.

To assign devices to a site, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. Select Unassigned. The list of devices that are not assigned to any site is displayed.
5. Select device(s) from the list of devices. To select multiple devices use shift+click or ctrl+click.
   It is recommended not to add more than 20 devices at a time for seamless operation.
6. Drag and drop the devices to the site on the left. A pop-up window opens and prompts you to confirm the site assignment.
7. Click Yes.

Converting Existing Labels to Sites

Labels are tags attached to devices provisioned in a network. Labels determine the ownership, departments, and functions of the devices. You can convert these labels to sites for creating a logical set of devices.

To convert existing labels to sites, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. Click Convert Labels to Sites. The Confirm Conversion pop-up window opens.
5. To download a CSV file with the list of labels configured in your setup, click Download file with existing labels. A CSV file with a list of all the labels in your setup is downloaded to your local directory.
6. Enter address, city, state, country, and ZIP code details for the labels that you want to convert to sites.
   In the CSV file, you must enter the following details: address, city, state, and country.
7. Save the CSV file.
8. On the Confirm Conversion pop-up window, click Browse and select the CSV file with the list of labels to convert.
9. Click Upload.
10. Click Convert. The labels are converted to sites.

Points to Note

- If the conversion process fails for some labels, Aruba Central generates and opens an Excel file showing a list of labels that could not be converted to sites. Verify the reason for the errors, update the CSV file, and reupload the file.
- Aruba Central does not allow conversion of sites to labels. If the existing labels are converted to sites, you cannot revert these sites to labels.
- When the existing labels are converted to sites, Aruba Central retains only the historical data for these labels. Aruba Central displays the historical data for these labels only in reports and on the monitoring dashboard.

Editing a Site

You can edit a site to modify the site details such as site name, street address, city, country, state, or ZIP or postal code.

To modify site details, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. Select the site to edit and click the edit icon.
5. Modify the site information and click Update.

Deleting a Site

If you no longer need a site, you can delete it. To delete a site, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. Select the site to be deleted and click the delete icon. A confirmation window is displayed.
   Deleting a site disassociates all devices that are associated with it. However, your network and devices will continue to operate normally.
5. Click Yes to confirm. The site is deleted and devices associated with the site are moved to the unassigned devices list.

Managing Labels

The Labels page allows you to create labels, view a list of labels, and assign devices to labels. The page includes two tables. The table on the left lists the labels, whereas the table on the right lists the devices. These tables provide the following information:

Table 93: Labels
Name | Contents of the Table
Labels | Displays a list of labels configured. The table provides the following information: name of the label; number of devices assigned to a label. The table also includes the following sorting options to reset the table view on the right: All Devices--Displays all the devices provisioned in Aruba Central. Unassigned--Displays the list of devices that are not assigned to any label.
Devices | Displays a list of devices provisioned. The table provides the following information about the devices: Name--Name of the device; Group--Group to which the device is assigned; Type--Type of the device; Labels--Number of labels assigned to a device.

Creating a Label

To create a label, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Labels tile. The Manage Labels page is displayed.
4. To add a new label, click (+) Add Label. The Create New Label pop-up window opens.
5. Enter a name for the label. The label name can be a maximum of 255 single byte characters.
   Special characters are allowed.
6. Click Add. The new label is added to the All Labels table.

Assigning a Label to a Device

To assign a label to a device, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Labels tile. The Manage Labels page is displayed.
4. Locate the label to which you want to assign a device.
5. In the table that lists the labels, you can perform one of the following actions:
   - Click All Devices to view all devices.
   - Click Unassigned to view all the devices that are not assigned to any labels.
6. Select Unassigned. The list of devices that are not assigned to any label is displayed.
7. Select device(s) from the list of devices. To select multiple devices use shift+click or ctrl+click.
   It is recommended not to add more than 20 devices at a time for seamless operation.
8. Drag and drop the selected device(s) to a specific label. A pop-up window asking you to confirm the label assignment opens.
9. Click Yes.

Aruba Central allows you to assign up to five label tags per device.

Detaching a Device from a Label

To remove a label assigned to a device, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Labels tile. The MANAGE LABELS page is displayed.
4. Select the device from the table on the right.
5. Click the delete icon.
6. To detach labels from multiple devices at once, select the devices, and click Batch Remove Labels.
7. Confirm deletion.

Editing a Label

To edit a label, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Labels tile. The MANAGE LABELS page is displayed.
4. Select the label to edit.
5. Click the edit icon.
6. Edit the label and click Update.

Deleting a Label

To delete one or several labels, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Labels tile. The Manage Labels page is displayed.
4. Select the label to delete.
5. Click the delete icon.
6. Confirm deletion.

Certificates

By default, Aruba Central includes a self-signed certificate that is available on the Certificates page. The default certificate is not signed by a root certificate authority (CA). For devices to validate and authorize Aruba Central, administrators must upload a valid certificate signed by a root CA.

Aruba devices use digital certificates for authenticating a client's access to user-centric network services. Most devices such as controllers and Instant APs include a server certificate by default for captive portal server authentication. However, Aruba recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted CA.

Certificates can be stored locally on the devices and used for validating device or user identity during authentication.

Aruba Central-managed devices such as Instant APs and switches support the following root CA certificates:

Instant APs
- AddTrust
- GeoTrust
- VeriSign
- Go Daddy

Switches
- Comodo
- GeoTrust

Uploading Certificates

To upload certificates, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Certificates tile. The CERTIFICATES page is displayed.
4. Click the plus (+) icon to add a certificate to the certificate store.
5. In the ADD CERTIFICATES dialog box, do the following:
   a. In the Name text box, enter the certificate name.
   b. From the Type drop-down list, select the type of certificate. You can select any one of the following certificates:
      - CA Certificate--Digital certificates issued by the CA.
      - Server Certificate--Server certificates required for communication between devices and authentication servers.
      - CRL--Certificate Revocation List that contains the serial numbers of certificates that have been revoked. This certificate is required for performing a certificate revocation check.
      - OCSP Responder Cert--OCSP Responder certificates.
      - OCSP Signer Cert--OCSP Response Signing Certificate.
      OCSP certificates are required for OCSP server authentication.
   c. From the Format drop-down list, select a certificate format; for example, PEM, DER, and PKCS12.
   d. In the Passphrase text box, enter a passphrase.
   e. In the Retype Passphrase text box, retype the passphrase for confirmation.
      The Passphrase and Retype Passphrase text boxes are displayed only when you select Server Certificate from the Type drop-down list.
   f. In the Certificate File field, click Choose file and select the certificate files.
   g. Click Add. The certificate is added to the Certificate Store.

Managing Certificates on Instant APs Configured Using Templates

Aruba Central supports uploading multiple certificates to Instant APs configured using templates. You can manage certificates either from the Aruba Central UI or through the API Gateway. For more information about APIs, see API Documentation.

To push certificates to Instant APs configured using templates:

1. Upload certificate(s) through one of the following methods:
   - UI--See Uploading Certificates.
   - API--Use the [POST] /configuration/v1/certificates API.
2. Get the certificate name and MD5 checksum through one of the following methods:
   - UI--In the Network Operations app, filter All Devices. Under Maintain, click Organization and select the Certificates tab. The Certificate Store table displays these details.
   - API--Use the [GET] /configuration/v1/certificates API.
3. In the template, anywhere before the per-ap settings block, depending on your requirement, add one or more of the following commands:

   ca-cert-checksum <ca_cert_checksum/ca_cert_name>
   cp-cert-checksum <captive_portal_cert_checksum/captive_portal_cert_name>
   radsec-ca-checksum <radsed_ca_checksum/radsed_ca_name>
   radsec-cert-checksum <radsed_cert_checksum/radsed_cert_name>
   server-cert-checksum <server_cert_checksum/server_cert_name>

   You can either use the certificate name or the checksum value in the command. Or, you can set it as a variable and enter the variable value for the Instant AP. Aruba recommends using the certificate name.

   Example 1

   ca-cert-checksum my_default_cert

   Example 2

   ca-cert-checksum %ca_cert_name%

   variable:

   { "ca_cert_name": "my_default_cert" }

Installation Management

Site installations and device deployments at customer premises require extensive coordination between the IT administrators and installation personnel. If there are multiple sites to deploy, businesses may require more time and manual effort to coordinate and manage site installations. The Aruba Installation Management service simplifies and automates site deployments, and helps IT administrators manage site installations with ease.

The Installation Management service includes the following components:

- Install Manager on Aruba Central portal--Intended for IT administrators who oversee the installation management activities in an organization. Using Install Manager, network administrators can create installer profiles, assign site deployments to installers, and monitor deployment status for each site from a remote location. Aruba Central users can access the Install Manager application from the app selection pane in the UI.
- Aruba Installer mobile app--Intended for the installation personnel who deploy devices on a site.
The Aruba Installer mobile app allows the installers to scan devices and add them to the provisioning network. The Aruba Installer mobile app is available for download on Apple® App Store and Google Play Store.

Installation Management and Monitoring

The Install Manager feature in Aruba Central includes the following menu options:
• Site Installations--Displays a list of sites associated with an Aruba Central account.
• Installers--Displays a list of installers added using the Install Manager application.

Installation Management Workflow

The following figure illustrates the installation management workflow for the Install Manager users:

Figure 108 Installation Management Workflow

Installer Workflow

Installers are technicians who are assigned the task of visiting a physical site or location and installing devices. The Aruba Installer mobile app enables installers to scan devices and report the task status to IT administrators. The following figure illustrates the installation workflow for the Aruba Installer mobile app users:

Figure 109 Installer Workflow

Managing Site Deployments

Before you begin, ensure that the following tasks are completed:
• Onboarding Devices
• Managing License Assignments

The steps required for completing a site installation procedure are listed in the following table:

Table 94: Installation Management
Administrator Workflow
   • Creating a Site
   • Assigning Groups to a Site
   • Adding an Installer and Assigning Sites for Installation
   • Monitoring and Troubleshooting Installation Issues
Installer Workflow
   • Downloading the Installer Mobile App
   • Registering as an Aruba Installer
   • Installing Devices on a Site

Creating a Site

To create a site in Aruba Central, complete the steps described in Creating a Site.

Assigning Groups to a Site

To assign groups to a site, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Install Manager tile. The Install Manager page is displayed.
4. On the Site Installations page, click the expand arrow of the site you want to edit.
5. Select the group for each device category.
6. Click Save.

To assign groups to multiple sites, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Install Manager tile. The Install Manager page is displayed.
4. On the Site Installations page, select the sites.
5. Click Assign Groups.
6. In the Assign Groups to Sites pop-up window, select a group for each device category.
7. Click Save.

You can also add installation notes for sites. The installers can view the notes by clicking the info icon in the Installer mobile app.

Adding an Installer and Assigning Sites for Installation

Administrators can add installers and assign installation tasks to these installers through the Aruba Installer mobile app. To add an installer profile in Aruba Central, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Install Manager tile. The Install Manager page is displayed.
4. In the Install Manager page, click Installers. The Installers page is displayed.
5. Click + Add Installer. The Add Installer page is displayed.
6. Enter the name and phone number of the technician to whom you want to assign a site for installing the devices.
7. Specify the time until which the installer's profile is valid. The technicians will be automatically logged out of the Aruba Installer app on the specified date.
8. On the Add Installer page, you can do the following:
   • Click the + icon to select a site from the list, and click Assign to assign the site.
   • Select the site(s) in the Sites Assigned table and click Delete Site(s) to remove the site(s).
9. Click Save. An SMS notification is sent to the installer's mobile device. The site(s) assigned are displayed in the Sites Assigned table.

To start the installation, the installer must download the Aruba Installer mobile app and sign up as an installer. The administrators can verify the installer registration status on the Installers dashboard in the Install Manager application in Aruba Central. The Installers dashboard displays the following status indicators for installers:
• Invited--The installer is added and an SMS notification is sent to the installer.
• Registered--The installer has registered using the Aruba Installer mobile app.
• Verified--The installer has accepted the installation invite and successfully completed the registration with the Aruba Installer app.

Downloading the Installer Mobile App

When an installer is added in the Install Manager application in Aruba Central, an SMS notification is sent to the installer's mobile device. The SMS notification includes the links for downloading the Aruba Installer mobile app. If you are an installer and have received the SMS notification with the Aruba Installer mobile app details, download the Aruba Installer mobile app. The Aruba Installer mobile app is available in App Store for iOS devices and Google Play Store for Android devices.

Registering as an Aruba Installer

To register as an installer, complete the following steps:
1. Open the Aruba Installer app.
2. In the Sign Up tab, enter your first name, last name, country code and mobile number.
3. Click Register. A verification code is sent to your mobile device.
4. Enter the verification code received through the text message in the Code field.
5. Click Validate Code. If the code is valid, the installer is registered.

Installing Devices on a Site

To install a device on a site, complete the following steps:
1. Sign in to the Aruba Installer mobile app.
2. View the sites assigned for deployment.
3. Select the site that you want to deploy.
4. Note the devices assigned for the site and installation notes, if any.
5. Click Scan Device. Scan the serial number of the device. The Aruba Installer app verifies if the device is onboarded to Aruba Central device inventory and is assigned a valid subscription.
6. Power on the device and connect it to the Internet. The device automatically connects to Aruba Central and is provisioned in the group to which it is already assigned.
7. Verify the installation status and report errors, if any.

Before scanning a device, ensure that the device is not connected to Aruba Central. If the device is already connected to Aruba Central, Install Manager will not assign it to a group.

Monitoring and Troubleshooting Installation Issues

To monitor the installation progress, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Install Manager tile. The Install Manager page is displayed.
4. Click the Site Installations tab.
5. The Site Installations tab shows the following sub tabs for the status of a site installation:
   • Pending--Indicates that the device installation is pending.
   • In Progress--Indicates that the device installation is in progress.
   • Completed--Indicates that the device installation is completed.
   If the installation status displays an error:
   • Check if the devices are onboarded to Aruba Central.
   • Verify if the devices are assigned a valid subscription.
   • Check if the sites are assigned to a group.
   • View the audit trails.
6. If the installation is completed, click the site name to navigate to the site details page and click Mark Completed.
   You can mark a site as completed even if Install Manager was not used to install or onboard the device.
7. Click Save.

Viewing Configuration Status

Aruba Central provides an audit dashboard for reviewing configuration changes for the devices provisioned in UI and template groups. The Configuration Audit page is available for Instant APs, switches, and gateways.

The Configuration Audit page and the Auto Commit feature are available for Foundation and Advanced licenses for APs, switches, and gateways.

Viewing the Configuration Audit Page

To view the Configuration Audit page, complete the following steps:
• For Instant APs:
   a. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the selected group is displayed.
   b. Under Manage, click Devices > Access Points.
   c. Click the Config icon. The tabs to configure access points are displayed.
   d. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
• For Aruba switches:
   a. In the Network Operations app, set the filter to a group that contains at least one switch. The dashboard context for the selected group is displayed.
   b. Under Manage, click Devices > Switches.
   c. Click the Config icon. The tabs to configure switches are displayed.
   d. Click Configuration Audit. The Configuration Audit details page is displayed.
• For Aruba gateways:
   a. In the Network Operations app, set the filter to a group that contains at least one Branch Gateway. The dashboard context for the selected group is displayed.
   b. Under Manage, click Devices > Gateways.
   c. Click the Config icon. The tabs to configure gateways are displayed.
   d. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.

Applying Configuration Changes

Aruba Central supports a two-staged configuration commit workflow for Instant APs and switches.
Aruba Central now supports the auto commit feature at a group level. When auto commit state is enabled for a group, the configuration changes are instantly applied to all devices where auto commit state is enabled.

In the Configuration Audit page of the group, the Auto Commit State section allows administrators to switch their preference for committing configuration changes to the devices within the group.
• To enable auto commit, click Change to Auto commit state ON. When auto commit state is enabled for a group, the configuration changes are instantly applied to all devices where auto commit state is enabled.
• To disable auto commit, click Change to Auto commit state OFF. When auto commit state is disabled for a group, an administrator can build a candidate configuration, save it on cloud, review it, and then commit the configuration changes to all devices within the group.

Aruba Central resets the auto commit state when a device moves to another group. The device inherits the auto commit state of the group to which the device is moved. When auto commit state is disabled for a group, Aruba Central restricts modification to the auto commit state at a device level. When auto commit state is enabled for a group, Aruba Central allows modification to the auto commit state at a device level.

The auto commit at a group level is not applicable for Aruba MAS switches and Aruba gateways in the Configuration Audit page. Auto commit state is always enabled for Aruba MAS switches and Aruba gateways.

Viewing and Editing

To modify the auto commit state of devices within the group, when Auto Commit State for a group is enabled, complete the following steps:
1. Click View & Edit under the Auto Commit State: ON tile.
2. Select a device name, click Disable Auto Commit, and then click OK.
3. Click Yes in the Confirm Action dialog box.

To modify the auto commit state of devices within the group, when Auto Commit State for a group is disabled, complete the following steps:
1. Click View & Edit under the Auto Commit State: OFF tile.
2. Select a device name, click Enable Auto Commit, and then click OK.
3. Click Yes in the Confirm Action dialog box.

When auto commit state for a group is disabled, the View & Edit link is disabled to restrict modifications to the auto commit state of the devices within the group. When auto commit state for a group is enabled, the View & Edit link allows you to modify the auto commit state of the devices within the group.

Auto Commit Workflow

To enable Aruba Central to commit configuration changes instantly, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP and a switch. The dashboard context for the selected group is displayed.
2. Under Manage, click Devices > Access Points.
   In Aruba Central, the auto commit workflow for a group can be implemented either from the switch configuration audit page or Instant AP configuration audit page. Alternatively, you can navigate to Devices > Switches.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
5. Ensure that the Auto Commit State for the group is set to ON.
6. Based on configuration mode set for the devices in the group, use either the UI workflows or a configuration template to complete the configuration workflow and save the changes. Aruba Central automatically commits the configuration changes to all devices where auto commit state is enabled.
7. View the Local Overrides and Configuration Sync Issues, if any.

Aruba Central does not support the two-staged configuration commit workflow for Aruba MAS switches and Aruba gateways.
The tenant accounts in the MSP deployments do not inherit the Auto Commit State configured at the MSP level. The tenant account users can enable or disable Auto Commit state for the devices in their respective accounts.

Manual Commit Workflow

To build configuration and review it before committing the configuration changes, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP and a switch. The dashboard context for the selected group is displayed.
2. Under Manage, click Devices > Access Points.
   In Aruba Central, the manual commit workflow for a group can be implemented either from the switch configuration audit page or Instant AP configuration audit page. Alternatively, you can navigate to Devices > Switches.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
5. Ensure that the Auto Commit State for the group is set to OFF.
6. Based on configuration mode set for the device, use either the UI workflows or a configuration template to complete the configuration workflow and save the changes. When you try to save the changes, Aruba Central displays the following warning message:
7. When the auto commit state for a group is set to OFF, and changes are configured to the devices at a group level, Aruba Central displays the following warning message when you try to save the changes:
8. View the Local Overrides and Configuration Sync Issues, if any.
9. Click Commit Now to commit the configuration changes to all devices within the group.

Viewing Configuration Overrides and Errors

The Configuration Audit page allows you to view the configuration push errors, template synchronization errors, configuration sync, and device level configuration overrides.
Some of the notable status indicators available on the page include:
• Configuration Status--Provides details of the number of devices with configuration sync errors. To view the devices with configuration sync errors, click View Details. The Config Difference window is displayed. You can view configuration differences for each device within the group.
• Local Overrides--Provides details of the number of devices with local overrides. To view a complete list of overrides, click Manage Local Overrides. The Local Overrides window is displayed. You can view configuration differences for each device within the group. The overrides are grouped based on the features that are configured in the UI and are displayed as drop-down sections. For example, all overrides for IGMP are listed under a separate drop-down with the heading IGMP. To preserve the overrides, click Close. To remove the overrides, select the group name with local override, type REMOVE in the text box and click OK.
• Configuration Conflicts--Provides details of the number of devices with configuration conflict errors. To view a complete list of configuration conflicts, click Manage Configuration Conflicts. The Configuration Conflict window is displayed. To resolve the configuration conflicts, enable the check box against each conflict, and then click Remove to remove the conflict.
• Template Errors--Provides the details of the number of devices with template errors. To view a complete list of configuration template errors, click View Template Errors. The Template Errors window is displayed. You can view a list of templates with errors.
• Move Failures--Aruba Central supports moving a device from one group to another. If the move operation fails, Aruba Central logs such instances as Move Failures.

Viewing Configuration Status for Devices at the Group Level (Template Configuration Mode)

When you select a template group from the filter, the Configuration Audit page displays the following information:

Table 95: Configuration Audit Status for a Template Group
Data Pane Content | Description
Template Errors | Provides details of the number of devices with template errors for the selected template group. Devices deployed in the template group are provisioned using configuration templates. If there are errors in the templates or variable definitions, the configuration push to the devices fails. Aruba Central records such failed instances as template errors and displays these errors on the Configuration Audit page. To view a complete list of errors, click View Template Errors. The Template Errors window allows you to view and resolve the template errors, if any.
Configuration Status | Provides details of the number of devices with configuration sync errors for the selected template group. To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
   • Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
   • Device Running Configuration--Displays the running configuration on the switch.
   To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.
Configuration Backup & Restore | Allows you to create a backup of templates and variables applied to the devices in the template group. For more information, see Backing Up and Restoring Configuration Templates.
   • New Configuration Backup--Allows you to create a new backup of templates and variables applied to the devices in the template group.
All Devices | The All Devices table provides the following device information for the selected group:
   • Name--The name of the device.
   • Type--The type of the device.
   • Auto Commit--The status of the auto commit state for all the devices within the group.
   • Config Sync--Indicator showing configuration sync errors.
   • Template Errors--Indicator showing configuration template errors for the devices deployed in template groups.

Viewing Configuration Status for a Device (Template Configuration Mode)

When you select a device that is provisioned in a template group, the Configuration Audit page displays the following information:

Table 96: Configuration Audit Status for Devices in Template Groups
Data Pane Content | Description
Template Applied | Displays the template that is currently applied on the selected device.
Template Errors | Displays the number of template errors for the selected device. To view a complete list of errors, click View Template Errors.
Configuration Status | Displays the configuration sync errors for the selected device. To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
   • Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
   • Device Running Configuration--Displays the running configuration on the switch.
   To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.
Config Comparison Tool | Allows you to view the difference between the current configuration (Device Running Configuration) and the configuration that is yet to be pushed to the device (Attempted Configuration). To view the running and attempted configuration changes side by side, click View.

Viewing Configuration Status for Devices at the Group Level (UI-based Configuration Mode)

When you select a UI group, the Configuration Audit page displays the following information:

Table 97: Configuration Audit Status for a UI Group
Data Pane Content | Description
Configuration Status | Displays the number of devices with configuration sync errors for the selected UI group. To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
   • Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
   • Device Running Configuration--Displays the running configuration on the switch.
   To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.
Local Overrides | Displays the number of devices with local overrides. To view a complete list of overrides, click Manage Local Overrides. The Local Overrides window is displayed. The overrides are grouped based on the features that are configured in the UI and are displayed as drop-down sections. For example, all overrides for IGMP are listed under a separate drop-down with the heading IGMP.
   • To preserve the overrides, click Close.
   • To remove the overrides, select the group name with local override, type REMOVE in the text box and then click OK.
All Devices | The All Devices table provides the following device information for the selected group:
   • MAC Address--MAC address of the device.
   • Name--The name of the device.
   • IP Address--IP address of the device.
   • Site--Name of the site to which the device is assigned.
   • Type--The type of the device.
   • Auto Commit--The status of the auto commit state for all the devices within the group.
   • Config Sync/Config Status--Indicator showing configuration sync errors.
   • Local Overrides--Indicator showing configuration overrides for the devices deployed in the UI groups.
   NOTE: The MAC Address, IP Address, Site, and Config Status columns are available only for groups in which Aruba gateways are provisioned (Manage > Device > Gateways, click the Config icon. The gateway configuration page is displayed. Navigate to Configuration Audit).

Viewing Configuration Status for a Device (UI-based Configuration Mode)

When you select a device assigned to a UI group, the Configuration Audit page displays the following information:

Table 98: Configuration Audit Status for a Device Assigned to a UI Group
Data Pane Content | Description
Configuration Status | Displays the number of devices with configuration sync errors for the selected device. To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
   • Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
   • Device Running Configuration--Displays the running configuration on the switch.
   To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.
Local Overrides | Displays the number of local overrides. To view a complete list of overrides, click Manage Local Overrides. The Local Overrides window is displayed. The overrides are grouped based on the features that are configured in the UI and are displayed as drop-down sections. For example, all overrides for IGMP are listed under a separate drop-down with the heading IGMP.
   • To preserve the overrides, click Close.
   • To remove the overrides, click Remove Local Overrides, type REMOVE in the text box and then click OK.

Backing up and Restoring Configuration Templates

Aruba Central allows you to back up configuration templates assigned to the devices deployed in a template group. The Configuration Audit pages for Instant AP, switch, and gateway configuration containers allow you to create and manage backed up files and restore these files when required. For more information, see Backing Up and Restoring Configuration Templates.

If monitor mode is enabled at the device level, the selected device functions in the monitor mode. If the monitor mode is enabled at the group level, all devices in the group inherit this setting.

If a device managed by Aruba Central displays a configuration sync issue and persistently fails to receive configuration updates from Aruba Central, contact Aruba Central Technical Support.

Managing Software Upgrades

The Firmware page provides an overview of the latest firmware version supported on the device, details of the device, and the option to set compliance and upgrade the device.

Changing the firmware of AOS-S switches from the latest version to earlier major versions is not recommended if the switches are managed in UI groups. For features that are not supported or not managed in Aruba Central on earlier AOS-S versions, changing firmware to earlier major versions might result in loss of configuration.

Viewing Firmware Details

To view the firmware details for devices provisioned in Aruba Central, perform the following steps:
1. In the Network Operations app, select one of the following options:
   • To select a group in the filter, set the filter to one of the options under Group. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   • To select a device in the filter:
      a. Set the filter to Global.
      b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed.
      c. Click a device listed under Device Name. The dashboard context for the device is displayed.
2. Under Maintain, click Firmware. The Firmware dashboard displays the following information:

The following image displays the Firmware dashboard at the global level:

Figure 110 Firmware Dashboard at Global Level

Firmware Maintenance Window

The data pane items and their descriptions are as follows:
1. Access Points--Displays the following information:
   • Name--Name of the AP. The sort icons allow you to sort the names in ascending or descending order. Clicking on the device name opens a window with connected APs and allows you to select and view the device Summary page. For more information, see Clients > Wireless Client > Overview.
   • Group--Displays the group information only on global context. The sort icons allow you to sort the groups in ascending or descending order.
   • Site--Displays the site information only on global context. The sort icons allow you to sort the sites in ascending or descending order.
   • Firmware Version--The current firmware version running on the device. The sort icons allow you to sort the firmware versions in ascending or descending order.
   • Recommended Version--The version to which the device is recommended for the upgrade.
   • Upgrade Status--Filters the device list based on any of the following firmware upgrade status:
      ◦ New firmware available
      ◦ Scheduled
      ◦ In progress
      ◦ Failed
      ◦ Firmware up to date
   • Compliance Status--Status of the firmware compliance setting. Based on the setting, the column displays one of the following values:
      ◦ Set
      ◦ Not Set
      ◦ Compliance scheduled on
     Hover over any device to view the version number and the configured compliance level for a set compliance, or the date, time (UTC), firmware version number, and configured compliance level for a scheduled compliance.
   Clicking the device name in the Name column opens a window with connected APs and allows you to select and view the device Summary page. For more information, see Clients > Wireless Client > Overview. Click any site name in the Site column to view the firmware details page of the APs associated with that site.
2. Switches--Displays the following details about Aruba switches managed through Aruba Central:
   • Name--Host name of the switch. The sort icons allow you to sort the names in ascending or descending order.
   • Family--Displays the following types of switches:
      ◦ AOS-S
      ◦ CX
     This information is only available for Aruba switch and Aruba CX switches.
   • Site--Displays the site information only on global context. The sort icons allow you to sort the sites in ascending or descending order.
   • Group--Displays the group information only on global context. The sort icons allow you to sort the groups in ascending or descending order.
   • MAC Address--MAC address of the switch. The sort icons allow you to sort the address in ascending or descending order.
   • Model--Hardware model of the switch. The sort icons allow you to sort the models in ascending or descending order.
   • Firmware Version--The current firmware version running on the switch. The sort icons allow you to sort the firmware versions in ascending or descending order.
   • Recommended Version--The version to which the device is recommended for the upgrade.
   • Upgrade Status--Filters the device list based on any of the following firmware upgrade status:
      ◦ New firmware available
      ◦ Scheduled
      ◦ In progress
      ◦ Failed
      ◦ Firmware up to date
   • Compliance Status--Status of the firmware compliance setting. Based on the setting, the column displays one of the following values:
      ◦ Set
      ◦ Not Set
      ◦ Compliance scheduled on
     Hover over any device to view the version number and the configured compliance level for a set compliance, or the date, time (UTC), firmware version number, and configured compliance level for a scheduled compliance.
   • The Switch-MAS tab is only available for accounts with MAS-switches.
   • The Switches tab displays details of both Aruba Switch and Aruba CX switches.
3. Gateways--Displays the following details about the SD-WAN Gateways managed through Aruba Central in Standalone mode:
   • Name--Host name of the SD-WAN Gateway. The sort icons allow you to sort the names in ascending or descending order.
   • Site--Displays the site information only on global context. The sort icons allow you to sort the sites in ascending or descending order.
   • Group--Displays the group information only on global context. The sort icons allow you to sort the groups in ascending or descending order.
   • MAC Address--MAC address of the SD-WAN Gateway. The sort icons allow you to sort the address in ascending or descending order.
   • Model--Hardware model of the SD-WAN Gateway. The sort icons allow you to sort the models in ascending or descending order.
   • Firmware Version--The current firmware version running on the SD-WAN Gateway. The sort icons allow you to sort the firmware versions in ascending or descending order.
   • Recommended Version--The version to which the device is recommended for the upgrade.
  - Upgrade Status--Filters the device list based on any of the following firmware upgrade statuses:
    - New firmware available
    - Scheduled
    - In progress
    - Failed
    - Firmware up to date
  - Compliance Status--Status of the firmware compliance setting. Based on the setting, the column displays one of the following values:
    - Set
    - Not Set
    - Compliance scheduled on
    Hover over any device to view the version number and configured compliance level for a set compliance, or the date, time (UTC), firmware version number, and configured compliance level for a scheduled compliance.

4. Set Compliance--Allows you to set firmware compliance for devices within a group. Click Set Compliance and turn on the toggle switch to enable and view the list of supported firmware versions for each device in a group in the Manage Firmware Compliance page.
  a. Set Compliance for Access Points--To ensure firmware version compliance, complete the following parameters in the Manage Firmware Compliance page:
    - Groups--Select a specific group or multiple groups for which the compliance must be set. Select All Groups if you want to set compliance for all the groups.
    - Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set.
    - When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
      - Now--Select this if you want the compliance to be carried out immediately.
      - Later Date--Select this if you want the compliance to be carried out in a specific time zone at the later date and time.
    - Click the Save button to save the firmware compliance with the above settings. To clear the compliance, turn off the toggle switch.
  b. Set Compliance for Switches--To ensure firmware version compliance, complete the following parameters in the Manage Firmware Compliance page:
    - Groups--Select the group for which the compliance must be set.
      Select the specific group to set compliance at group level.
    - AOS-S Firmware Version--Select the AOS-S firmware version number from the drop-down list to which the compliance is required to be set.
    - CX Firmware Version--Select the Aruba CX switch version number from the drop-down list to which the compliance is required to be set.
    - When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
      - Now--Select this if you want the compliance to be carried out immediately.
      - Later Date--Select this if you want the compliance to be carried out in a specific time zone at the later date and time.
    - Install on--Use the drop-down to select a primary partition or a secondary partition to install on.
    - Automatically reboot to complete the upgrade--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
    - Click the Save button to save the firmware compliance with the above settings. To clear the compliance, turn off the toggle switch.

    Aruba Central lists all available Aruba CX switch software versions. Select the software version that is applicable to the Aruba CX switch to which compliance is required to be set. For example, version 10.04.0020 is not applicable to Aruba CX 6200 and 6400 switch series.

  c. Set Compliance for Gateways in Standalone Mode--To ensure firmware version compliance, complete the following parameters in the Manage Firmware Compliance page:
    - Groups--Select a specific group or multiple groups for which the compliance must be set. Select All Groups if you want to set compliance for all the groups.
    - Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set.
    - When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
      - Now--Select this if you want the compliance to be carried out immediately.
      - Later Date--Select this if you want the compliance to be carried out in a specific time zone at the later date and time.
    - Install on--Use the drop-down to select a primary partition or a secondary partition to install on.
    - Automatically reboot to complete the upgrade--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
    - Click the Save button to save the firmware compliance with the above settings. To clear the compliance, turn off the toggle switch.

5. Upgrade All--Allows you to simultaneously upgrade firmware for all devices. Click Upgrade All to view a list of supported firmware versions for each device.
  a. To Upgrade all Access Points--Click Upgrade All and complete the following parameters in the Upgrade Access Points Firmware page:
    - Sites--Select a specific site or multiple sites for which the upgrade must be set. You can also search for the site in the search filter.
    - Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set. Select None for none of the firmware versions.
    - When--Select one of the following radio buttons to specify if the upgrade must be carried out immediately or at a later date and time:
      - Now--Select this if you want the compliance to be carried out immediately.
      - Later Date--Select this if you want the compliance to be carried out in a specific time zone at the later date and time.
    - Upgrade--Click this button to start the upgrade with the above settings.
    - Schedule--Click this button to schedule the upgrade with the above settings.
    - Cancel--Click this button to cancel the upgrade.
    While upgrading a large number of APs, the cancel operation may not work as intended, and the upgrade continues.

  b. To Upgrade all Switches--Click Upgrade All and complete the following parameters in the Upgrade Switch Firmware page:
    - Sites--Select a specific site or multiple sites for which the upgrade must be set. You can also search for the site in the search filter.
    - AOS-S Firmware Version--Select the AOS-S firmware version number from the drop-down list to which the compliance is required to be set.
    - CX Firmware Version--Select the CX switch firmware version number from the drop-down list to which the compliance is required to be set.
    - When--Select one of the following radio buttons to specify if the upgrade must be carried out immediately or at a later date and time:
      - Now--Select this if you want the compliance to be carried out immediately.
      - Later Date--Select this if you want the compliance to be carried out in a specific time zone at the later date and time.
    - Install on--Use the drop-down to select a primary partition or a secondary partition to install on.
    - Automatically reboot to complete the upgrade--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
    - Upgrade--Click this button to start the upgrade with the above settings.
    - Schedule--Click this button to schedule the upgrade with the above settings.
    - Cancel--Click this button to cancel the upgrade.
  c. To Upgrade all Gateways in Standalone Mode--Click Upgrade All and complete the following parameters in the Upgrade Gateway Firmware page:
    - Sites--Select a specific site or multiple sites for which the upgrade must be set. You can also search for the site in the search filter.
    - Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set.
    - When--Select one of the following radio buttons to specify if the upgrade must be carried out immediately or at a later date and time:
      - Now--Select this if you want the compliance to be carried out immediately.
      - Later Date--Select this if you want the compliance to be carried out in a specific time zone at the later date and time.
    - Install on--Use the drop-down to select a primary partition or a secondary partition to install on.
    - Automatically reboot to complete the upgrade--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
    - Upgrade--Click this button to start the upgrade with the above settings.
    - Schedule--Click this button to schedule the upgrade with the above settings.
    - Cancel--Click this button to cancel the upgrade.
6. Search Filter--Allows you to define a filter criterion for searching devices based on the following properties:
  - Common to all devices--Name, Firmware Version, Recommended Version and Upgrade Status of the device.
  - Specific to switches and gateways--MAC address and Model.
7. Column Filter--Clicking the icon enables you to customize the table columns or set it to the default view.
8. Continue--Allows you to continue with firmware upgrade.
9. Cancel Upgrade--Cancels a scheduled upgrade.
10. Cancel All--Cancels a scheduled upgrade for all devices.

This section also includes the following topics:
- Upgrading a Single Device or Multiple Devices
- Upgrading Devices using Upgrade All Option
- Setting Firmware Compliance For Access Points
- Setting Firmware Compliance For Switches
- Setting Firmware Compliance For Gateways in Standalone Mode

Upgrading a Single Device or Multiple Devices

To check a new version for a single device or multiple devices, complete the following steps:
1. In the Network Operations app, select one of the following options:
  a. To select a group, site or global in the filter:
    - Set the filter to one of the options under Group or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
    - Under Maintain, click Firmware.
    - Select one or more devices from the device list and click the Upgrade icon at the bottom of the page, or hover over one of the selected devices and click the Upgrade icon. The Upgrade <Device> Firmware pop-up window opens.
  b. To select a device in the filter:
    - Set the filter to Global.
    - Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed.
    - Click a device listed under Device Name. The dashboard context for the device is displayed.
    - Under Maintain, click Firmware and click Upgrade in the Firmware Details window. The Upgrade <Device> Firmware pop-up window opens.
2. In the Upgrade <Device> Firmware pop-up window, select the appropriate firmware version. You can either select a recommended version or manually choose a specific firmware version.
  - To obtain custom build details, contact Aruba Central Technical Support.
  - The recommended firmware versions can be different for different devices and depend on the device model and software architecture.
3. Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
  - Now--Allows you to set the compliance to be carried out immediately.
  - Later Date--Allows you to set the compliance to be carried out at the later date and time. Select a specific time zone from the Select Zone drop-down options to schedule the upgrade at a specific zone time.
4. From the Install On drop-down, select any one of the following partition options:
  - Primary partition--Select this if you want to install the firmware version in the primary partition.
  - Secondary partition--Select this if you want to install the firmware version in the secondary partition.
5. Select the check box if you want Aruba Central to automatically reboot after device upgrade.
   The Install On drop-down option and auto reboot check box option are available for Mobility Access Switches, Aruba Switch, Aruba CX switches, and Branch Gateways.
6. Click Upgrade. The device downloads the image from the server, saves it to flash, and reboots. Depending on the progress and success of the upgrade, one of the following messages is displayed:
  - Upgrading--While image upgrade is in progress.
  - Upgrade failed--When the upgrade fails.
7. If the upgrade fails, retry upgrading your device. After upgrading a switch, click Reboot.

Upgrading Devices using Upgrade All Option

To upgrade multiple devices using the Upgrade All option, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Group or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Firmware. The firmware dashboard for Access Points is displayed by default.
3. Click Upgrade All. The Upgrade <Device> Firmware pop-up window opens.
4. In the Upgrade <Device> Firmware pop-up window, select the specific site or multiple sites from the Sites drop-down list. This option is available only at the global context.
5. Select the appropriate firmware version (for Access Points and Gateways) and AOS-S firmware version and CX firmware version (for Mobility Access Switches, Aruba Switch and Aruba CX switches) from their respective drop-down lists. You can either select a recommended version or manually choose a specific firmware version.
  - To obtain custom build details, contact Aruba Central Technical Support.
  - The recommended firmware versions can be different for different devices and depend on the device model and software architecture.
6. Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
  - Now--Allows you to set the compliance to be carried out immediately.
  - Later Date--Allows you to set the compliance to be carried out at the later date and time. Select a specific time zone from the Select Zone drop-down options to schedule the upgrade at a specific zone time.
7. From the Install On drop-down, select any one of the following partition options:
  - Primary partition--Select this if you want to install the firmware version in the primary partition.
  - Secondary partition--Select this if you want to install the firmware version in the secondary partition.
8. Select the check box if you want Aruba Central to automatically reboot after device upgrade.
   The Install On drop-down option and auto reboot check box option are available for Mobility Access Switches, Aruba Switch, Aruba CX switches, and Branch Gateways.
9. Click Upgrade. The device downloads the image from the server, saves it to flash, and reboots. Depending on the progress and success of the upgrade, one of the following messages is displayed:
  - Upgrading--While image upgrade is in progress.
  - Upgrade failed--When the upgrade fails.
10. If the upgrade fails, retry upgrading your device. After upgrading a switch, click Reboot.

Setting Firmware Compliance For Access Points

Aruba Central allows you to run a firmware compliance check and force firmware upgrade for all APs in a group. To force a specific firmware version for all APs in a group, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware. The Access Points tab is selected by default.
2. Verify the firmware upgrade status for all APs.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
  - Now--Allows you to set the compliance to be carried out immediately.
  - Later Date--Allows you to set the compliance to be carried out at the later date and time. Select a specific time zone from the Select Zone drop-down options to schedule the upgrade at a specific zone time.
7. Click Save. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

Setting Firmware Compliance For Switches

To force a specific firmware version for all MAS switches in a group, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware > Switch-MAS tab.
2. Verify the firmware upgrade status for all MAS switches.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
  - Now--Allows you to set the compliance to be carried out immediately.
  - Later Date--Allows you to set the compliance to be carried out at the later date and time. Select a specific time zone from the Select Zone drop-down options to schedule the upgrade at a specific zone time.
7. From the Install On drop-down, select any one of the following partition options:
  - Primary partition--Select this if you want to install the firmware version in the primary partition.
  - Secondary partition--Select this if you want to install the firmware version in the secondary partition.
8. Select the check box if you want Aruba Central to automatically reboot.
9. Click Save. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

To force a specific firmware version for all Aruba switches in a group, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware > Switches tab.
2. Verify the firmware upgrade status for all switches.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple, or All Groups.
5. Select an AOS-S firmware version from the AOS-S Firmware Version drop-down list.
6. Select a CX firmware version from the CX Firmware Version drop-down list.
7. Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
  - Now--Allows you to set the compliance to be carried out immediately.
  - Later Date--Allows you to set the compliance to be carried out at the later date and time. Select a specific time zone from the Select Zone drop-down options to schedule the upgrade at a specific zone time.
8. From the Install On drop-down, select any one of the following partition options:
  - Primary partition--Select this if you want to install the firmware version in the primary partition.
  - Secondary partition--Select this if you want to install the firmware version in the secondary partition.
9. Select the check box if you want Aruba Central to automatically reboot.
10. Click Save. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version.
    If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

Setting Firmware Compliance For Gateways in Standalone Mode

To force a specific firmware version for all gateways in standalone mode, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware > Gateways tab. All the gateways in standalone mode are displayed.
2. Verify the firmware upgrade status for all gateways.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
  - Now--Allows you to set the compliance to be carried out immediately.
  - Later Date--Allows you to set the compliance to be carried out at the later date and time. Select a specific time zone from the Select Zone drop-down options to schedule the upgrade at a specific zone time.
7. From the Install On drop-down, select any one of the following partition options:
  - Primary partition--Select this if you want to install the firmware version in the primary partition.
  - Secondary partition--Select this if you want to install the firmware version in the secondary partition.
8. Select the check box if you want Aruba Central to automatically reboot.
9. Click Save. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

Viewing Audit Trail in the Standard Enterprise Mode and MSP Mode

The Audit Trail page in the Standard Enterprise Portal shows the total logs generated for all the device management, configuration, and user management events triggered in Aruba Central. You can search or filter the audit trail records based on any of the following columns:
- Occurred on (Custom Range)
- Username
- IP Address
- Category
- Description
- Target

To view the audit trail log details in Aruba Central, perform the following steps:
1. In the Network Operations app, select one of the following options:
  - To select a group or all devices in the filter, set the filter to Group. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
  - To select a device in the filter:
    a. Set the filter to Global.
    b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed in the List view.
    c. Click a device listed under Device Name. The dashboard context for the device is displayed.
2. Under Analyze, click Audit Trail. The Audit Trail table is displayed with the following details:
  - Occurred On--Timestamp of the audit log. Use the sort option to sort the audit logs by date and time. Use the filter option to select a specific time range to display the audit logs.
  - IP Address--IP address of the client device.
  - Username--Username of the admin user who applied the changes.
  - Target--The group or device to which the changes were applied.
  - Category--Type of modification and the affected device management category.
  - Description--A short description of the changes such as subscription assignment, firmware upgrade, and configuration updates. Click the ellipsis to view the complete details of the event. For example, if an event was not successful, clicking the ellipsis displays the reason for the failure.
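
The columns and categories of the Audit Trail table lend themselves to scripted review. The following Python code is an added example, not part of the Aruba guide or of Aruba's tooling. It assumes the records are available as CSV with the table's column names and UTC timestamps, uses a hypothetical administrator IP allowlist and change window, and runs on constructed sample rows; the category names are the ones the guide lists under Classification of Audit Trails.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample records. The column names follow the Audit Trail table
# in the guide; the CSV layout, UTC timestamps and every value are assumptions.
SAMPLE_CSV = """\
Occurred On,IP Address,Username,Target,Category,Description
2022-03-01T02:05:00Z,198.51.100.10,alice@example.com,Group-HQ,Firmware Management,Firmware upgrade scheduled
2022-03-01T14:20:00Z,198.51.100.10,alice@example.com,Group-HQ,Configuration,Configuration updated
2022-03-01T14:31:00Z,203.0.113.77,bob@example.com,bob@example.com,User Management,User role changed
2022-03-01T14:33:00Z,203.0.113.77,bob@example.com,Global,RBAC,Role created
2022-03-01T14:36:00Z,203.0.113.77,bob@example.com,Global,API Gateway,Token generated
2022-03-01T15:10:00Z,198.51.100.10,alice@example.com,Switch-01,Reboot,Device rebooted
"""

# Categories from the guide's classification list, grouped by review policy.
# The grouping itself is an assumption of this example.
IDENTITY_CATEGORIES = {"User Management", "RBAC", "SAML Profile", "API Gateway"}
DISRUPTIVE_CATEGORIES = {"Firmware Management", "Reboot"}

KNOWN_ADMIN_IPS = {"198.51.100.10"}  # hypothetical allowlist
CHANGE_WINDOW_UTC = (1, 4)           # hypothetical window: 01:00 to 03:59 UTC


def parse_records(text):
    """Parse CSV text into dicts sorted by time, adding a parsed 'when' field."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = {key.strip(): (value or "").strip() for key, value in row.items()}
        rec["when"] = datetime.strptime(rec["Occurred On"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda rec: rec["when"])


def triage(records, known_ips=KNOWN_ADMIN_IPS, window=CHANGE_WINDOW_UTC,
           burst_count=3, burst_span=timedelta(minutes=10)):
    """Return (rule, username, category, occurred_on) tuples worth reviewing.

    unknown-ip      access-control change from an address not on the allowlist
    burst           burst_count access-control changes by one user in burst_span
    outside-window  firmware or reboot action outside the change window
    """
    findings = []
    recent = {}  # username -> timestamps of recent access-control changes
    for rec in records:
        cat, user, when = rec["Category"], rec["Username"], rec["when"]
        if cat in IDENTITY_CATEGORIES:
            if rec["IP Address"] not in known_ips:
                findings.append(("unknown-ip", user, cat, rec["Occurred On"]))
            # Keep only this user's events that are still inside the span.
            times = [t for t in recent.get(user, []) if when - t <= burst_span]
            times.append(when)
            recent[user] = times
            if len(times) == burst_count:
                findings.append(("burst", user, cat, rec["Occurred On"]))
        elif cat in DISRUPTIVE_CATEGORIES:
            start, end = window
            if not (start <= when.hour < end):
                findings.append(("outside-window", user, cat, rec["Occurred On"]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE_CSV)):
        print(*finding, sep=" | ")
```
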
To customize the Audit Trail table, click the ellipsis icon to select the required columns, or click Reset to default to set the table to the default columns.

Classification of Audit Trails

The audit trail is classified according to the type of modification and the affected device management category. The category can be one of the following:
- Configuration
- Firmware Management
- Reboot
- Device Management
- Templates
- User Management
- Variables
- Label Management
- MSP
- Guest
- Groups
- Subscription Management
- API Gateway
- RBAC
- Sites Management
- SAML Profile
- User Activity
- Federated User Activity
- Alert Configuration
- Install Manager
- Tools

Removing Devices

The device monitoring dashboards allow you to remove an offline device. However, you will not be able to remove a device completely from the Aruba Central database, because the device entry remains in the Device Inventory page. The Device Inventory page shows the hardware devices that belong to your account or purchase order. For information on removing an offline device, see the following topics:
- Deleting an Offline AP
- Deleting an Offline Switch
- Deleting a Gateway

Removing a Device from the Device Inventory Page

You cannot remove a device completely from Aruba Central, but you can unsubscribe the device. After you unsubscribe, the device status changes to Unsubscribed in the Device Inventory page. If you have more than one Aruba Central account and if another Aruba Central user adds this unsubscribed device to another Aruba Central account, the device entry is removed from the Device Inventory page in your Aruba Central account.

Chapter 7
Managed Service Provider

Aruba Central is a SaaS platform that provides a single customer login for all cloud applications delivered by Aruba. Aruba Central in MSP mode consists of the Network Operations app and the Account Home page.
The Network Operations app in Aruba Central provides a cloud-based network management platform for managing your wireless, WAN, and wired networks with Aruba Instant APs, Gateways, and Switches. Along with device and network management functions, the Network Operations app offers value-added services such as customized guest access, client presence and service assurance analytics. In Account Home, you can manage network inventory, subscriptions, user access and other functions.

The Managed Service Provider (MSP) mode is a multi-tenant operational mode that Aruba Central accounts can be converted into, provided these accounts have subscribed to the Network Operations app. Enabling MSP mode for the Network Operations app provides additional options that an administrator can use to manage multiple independent Aruba Central accounts from a single interface.

With the MSP mode enabled, MSP administrators can provision tenant accounts, allocate devices, assign subscriptions, and monitor tenant accounts. MSP administrators can drill down to a specific tenant account and perform additional administration and configuration tasks.

Terminology

Take a few minutes to familiarize yourself with the following key terms:
- Standard Enterprise mode--Refers to the Aruba Central deployment mode in which customers manage their respective accounts end-to-end. The Standard Enterprise mode is a single-tenant environment for a single end-customer.
- MSP mode--Refers to the Aruba Central deployment mode in which service providers centrally manage and monitor multiple tenant accounts from a single management interface.
- Tenant accounts, Customer accounts--End-customer accounts created in the MSP mode. Each tenant is an independent instance of Aruba Central.
- MSP administrator--Refers to owners of the primary account. These users have administrator privileges to provision, manage, and monitor tenant accounts.
- Tenant users, Customers--Refers to the owners of an individual tenant account provisioned in the Managed Service Provider mode. The MSP administrator can create a tenant account.

Getting Started with MSP Solution

Before you get started with your onboarding and provisioning operations, we recommend that you browse through the following topics to know the key capabilities of Aruba Central MSP Solution.
- Operational Modes and Interfaces
- About the Managed Service Portal User Interface

Navigate through the following steps to view help pages that describe the onboarding and provisioning procedures for MSP and tenant accounts:
1. Set up your Aruba Central account
2. Accessing Aruba Central Portal
3. Enabling Managed Service Mode
4. Onboard devices
5. Add subscription keys
6. Create groups
7. Provision tenant accounts
8. Assign devices to tenant accounts
9. Assign licenses to devices and services
10. Configure users and roles
11. Customize tenant account view
12. Add Certificates
13. Monitor tenant accounts

Enabling Managed Service Mode

The Enable MSP option is only available if the following conditions are met:
- You sign into Aruba Central as an administrator.
- The Aruba Central account is only subscribed to the Network Operations app. If the account has multiple subscriptions, such as both Network Operations and ClearPass Device Insight, the Enable MSP option is not available.
  Figure 111 Do Not Select the ClearPass Device Insight
- You access the User Settings icon from the Network Operations app and not the Account Home page.

To enable MSP mode, perform the following steps:
1. Log in to your Aruba Central account as an administrator.
2. Launch the Network Operations app.
   If you have subscriptions to other apps, enabling MSP mode is not supported, and the Enable MSP option is not available. In this case, create a new Aruba Central account with the Network Operations app and contact Aruba Technical Support to migrate devices and licenses to the new account.
3. Click the user icon.
4. Click Enable MSP.
   Figure 112 Click Enable MSP
5. In the Managed Service Mode pop-up window, fill in the required details and click Submit. In the confirmation pop-up window, the following message is displayed if the submitted information meets the acceptance criteria: MSP Mode is enabled for this account.
   If the submitted information does not meet the acceptance criteria, a request denied message is displayed along with the reason why the MSP mode is not recommended. MSP mode is not recommended and the MSP application is denied if one of the following conditions is true:
  - Your deployment of Aruba Central does not require you to deliver network management services to your end customers.
  - You are going to manage Aruba Central for your customers; however, the network devices are purchased by the customers. In this scenario, you can manage the customer accounts from the Standard Enterprise Mode by using the Switch Customer option. For more information on this deployment model, see End-Customer Owns Both Devices and Subscriptions But MSP Manages (Deployment Model 2).
6. Click OK. The page is automatically redirected to the MSP Dashboard view.

If your online application is rejected because the conditions for enabling MSP were not met, and you wish to revise the provided information, the Enable MSP option is reset after 30 minutes for you to try again.

Disabling the Managed Service Mode

If you do not want to use Managed Service Mode, you can switch to the Standard Enterprise mode. Delete all tenant account data before you proceed.

To disable Managed Service mode:
1. Click the user icon.
2. Click Disable MSP. The option is grayed out if tenant account data exists.
3. In the Managed Service Mode pop-up window, click Disable Managed Service Mode.

MSP Mode Enablement Scenarios

You can convert the Standard Enterprise mode in the Network Operations app to MSP mode.
Only the Network Operations app supports the MSP mode, and it must be the only app running in Aruba Central for enabling the MSP mode. The following is a list of possible scenarios you might encounter while subscribing to the Network Operations app.
- Scenario 1: You sign up for Aruba Central to evaluate the Network Operations app as well as the ClearPass Device Insight app. Subsequently, you wish to enable MSP mode on the Network Operations app. MSP mode conversion is not allowed in this scenario. Create another Aruba Central account with only the Network Operations app and convert this account to MSP mode. Contact Aruba Support for migrating the devices and licenses.
- Scenario 2: You sign up for an Aruba Central account to evaluate the ClearPass Device Insight app. After that, you also sign up for evaluating the Network Operations app in standard enterprise mode in the same account. This mode of operation is supported.
- Scenario 3: You sign up for an Aruba Central account to evaluate the Network Operations app. After that, you also sign up for evaluating the ClearPass Device Insight in the same Aruba Central account. If you are running the Network Operations app in the standard enterprise mode, this mode of operation is supported.

Managing MSP Licenses

As part of the shift to an Edge-to-Cloud Platform-as-a-Service organization, Aruba has introduced the Aruba Central Foundation and Advanced Licenses (Aruba Central Licenses). This is a uniform software subscription licensing model that will be extended to all products under the Aruba Central-managed portfolio. The new 1, 3, 5, 7, and 10-year fixed-term licenses offer you the flexibility to choose services and device operations that are most meaningful to the type of business that you own. This licensing model provides different licenses for APs, switches, and gateways.

The licenses for APs, switches, and gateways cannot be used interchangeably.
For example, you cannot use an AP Foundation License on a gateway. Similarly, if you have an Aruba 25xx Switch but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch.

The features that are available in both the Foundation and Advanced Licenses have different monitoring and configuration options depending on the licensing tier. For more information, see Supported Features.

Aruba Central in the Managed Service Provider (MSP) mode supports the following types of licenses for switches, APs, and gateways:
- Switches:
  o Foundation--This license provides all the features included in the legacy Device Management tokens.
    - Aruba Central does not provide Switch Advanced Licenses.
    - Mobility Access Switch (MAS) license will get converted to Switch Foundation 61xx/25xx license and continue to work.
- APs:
  o Foundation--This license provides all the features included in the legacy Device Management tokens and some additional features that were available as value-added services for APs and switches in the earlier licensing model.
  o Advanced--This license provides all the features included in the Foundation License, with additional features related to AI Insights and WLAN services.
- SD-Branch Gateways:
  o Foundation--This license provides all features required for SD-Branch functionality in branch or headend deployments.
  o Foundation Base--This license provides all the features included in a Foundation License, but can support only up to 75 client devices per branch site.
  o Foundation with Security--This license provides all features required for SD-WAN functionality in branch or headend deployments and some additional security features.
  o Foundation Base with Security--This license provides all the features included in a Foundation with Security License, but can support only up to 75 client devices per branch.
  o Advanced--This license provides all the features included in a Foundation License, with additional features related to SaaS Express and AI Insights.
  o Advanced with Security--This license provides all the features of an Advanced License, with additional security features related to IPS and IDS, security dashboard, and anti-malware.
  o Virtual Gateway (VGW) License--This license is available for AWS, Azure, and ESXi platforms and is licensed based on the bandwidth required. The license types available for VGW are VGW-500M, VGW-2G, and VGW-4G. For more information, see SD-WAN Ordering Guide.

The licenses for APs, switches, and gateways cannot be used interchangeably. For example, you cannot use an AP Foundation License on a gateway. Similarly, if an Aruba 25xx Switch is in the inventory but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch.

Before enabling the Auto-Assign License option for a specific device type, ensure that there are sufficient available licenses for the specific device type.

For more information about the features supported, see Aruba Central License Feature Details.

A license key is an alphanumeric string with 9 to 14 characters; for example, PQREWD6ADWERAS. Aruba Central can manage a device only if the corresponding license key of the device is added to Aruba Central. License keys can either be evaluation license keys that map to evaluation licenses or paid license keys that map to paid licenses. The evaluation license key is valid for 90 days.

To use Aruba Central for managing, profiling, analyzing, and monitoring your devices, you must ensure that you have a valid license key and that the license key is listed in the Account Home > Global Settings > Key Management page.

The license keys are not mapped directly to devices.
Before assigning a license key to a device, the system only checks whether there are licenses available in the pool for the device. All license keys that are added to an MSP account go to a license pool and devices are licensed from this MSP license pool. Licenses can be assigned to devices only when the devices are already mapped to customer accounts.

In the MSP mode, all the hardware and licenses are owned by the MSP. The MSP temporarily assigns devices and their corresponding licenses to customers for the duration of the managed service contract. When the contract ends, the devices and the licenses are returned to the common pool of resources of the MSP and can be reassigned to another customer.

You can either enable automatic assignment of licenses or manually assign licenses for devices added in Aruba Central MSP mode.

Enabling Automatic License Assignments

If you, as an MSP administrator, want to enable automatic assignment of licenses to the devices mapped to your customer accounts, note the following points:
- Aruba Central assigns licenses only if the devices are mapped to a customer account.
- When a device is moved from a customer account back to the MSP pool, Aruba Central removes the license assigned to this device.
- When the automatic license assignment is enabled, Aruba Central disables the device-specific and customer-specific overrides.
- When the automatic license assignment is enabled, all the existing customers and newly created customers in the MSP account inherit the license assignment settings. Subsequently, Aruba Central assigns licenses to the customers and their respective devices.
- If you migrate from the Standard Enterprise mode to the MSP mode, Aruba Central retains your license settings.
- If the devices are no longer mapped to a customer account, MSP administrators cannot assign licenses to these devices.
- If auto-assignment is enabled and the device license expires, you are notified about the license expiry.
  Aruba Central checks if an equivalent license of the same tier or capacity is available and reassigns that license to the device automatically. If an equivalent license is unavailable, Aruba Central un-assigns a set of devices to match the number of expiring licenses and you are notified that the device license is updated.

You can configure automatic license assignment either during initial setup or later from the Account Home page.

Automatic License Assignment from the Initial Setup Wizard

To enable automatic assignment of licenses from the Initial Setup Wizard:
1. Verify that you have a valid license key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the Assign License tab, slide the Auto-Assign Licenses toggle switch to the On position.

Automatic License Assignment from Account Home

To enable automatic assignment of licenses from the License Assignment page:
1. On the Account Home page, under Global Settings, click License Assignment. The License Management page is displayed.
2. In the Assign License tab, slide the Auto-Assign Licenses toggle switch to the On position. All the devices in your inventory are selected for automatic assignment of licenses. You can edit the list by clearing the existing selection and re-selecting devices.

When a license assigned to a device expires, or is canceled, Aruba Central checks for the available licenses in your account and assigns an available license of the longest validity to the device. If your account does not have an adequate number of licenses, you may have to manually assign licenses to as many devices as possible.

To view the license utilization details and the number of licenses available in your account, go to the Account Home > Global Settings > Key Management page.

Enabling Manual License Assignments

You can disable the Auto-assign License option and manually assign licenses to devices.
Licenses can be assigned only for devices which are mapped to a customer account.

To manually assign licenses to devices or override the current assignment:
1. In the Account Home page, under Global Settings, click License Assignment. The License Management page is displayed.
2. Ensure that the Auto-Assign Licenses toggle switch is turned off. When you turn off the Auto-Assign Licenses toggle switch:
   - Automatic assignment of licenses for all the existing customers, including the MSP devices, is disabled.
   - All device licenses assigned to devices are preserved.
   - Devices must be assigned to customer accounts before licenses are assigned to them. If a license is assigned to a device that is not mapped to any specific customer account, Aruba Central displays the following error message: Please assign this device to a customer before licensing it. Customer assignment can be performed in the Device Inventory page.
3. Click one of the tabs for Access Points, Switches, or Gateways. Each of the device tabs has two sub-tabs: Unlicensed and Licensed.
4. You can use the Customer filter to display a specific customer.
5. In the Unlicensed tab, you can select one or multiple devices and click Manage or Manage Assignment. The Manual License Assignment (Manual) window is displayed.
6. From the Choose License Type drop-down menu, select a suitable license and click Update to assign a license. If the license update is successful, you get a notification and the device is no longer listed under the Unlicensed tab.

Removing or Updating a License from a Device

You can remove a license from a device or change the license assigned to a device from the License Assignment window.
1. In the Account Home page, under Global Settings, click License Assignment. Ensure that the Auto-Assign License toggle is turned off.
2. Click one of the tabs for Access Points, Switches, or Gateways. Each of the device tabs has two sub-tabs: Unlicensed and Licensed.
3. You can use the Customer filter to display a specific customer.
4. In the Licensed tab, you can select one or multiple devices for which you want to either update or remove a license.
5. Click Manage or Manage Assignment. The Manual License Assignment (Manual) window is displayed.
6. You can do one of the following:
   - To remove a license, click Unassign. The devices with unassigned licenses are no longer listed in the Licensed tab.
   - To update to a new license, from the Choose License Type drop-down menu, select a suitable license and click Update. If the license update is successful, you get a notification and the Licensed tab displays the updated licenses.

Acknowledging License Expiry Notifications

In the Account Home page, under Global Settings, click Key Management. The Key Management page displays the expiration date for each license. As the license expiration date approaches, users receive expiry notifications. The users with an evaluation license receive license expiry notifications through email 30, 15, and 1 day before the license expiry and on day 1 after the license actually expires. The users with paid licenses receive license expiry notifications through email 90, 60, 30, 15, and 1 day before expiry and two notifications per day on day 1 and day 2 after the license expires.

Acknowledging Notifications through Email

If the user has multiple licenses, a consolidated email with the expiry notifications for all licenses is sent to the user. Users can acknowledge these notifications by clicking the Acknowledge All link in the email notification.

Figure 113 Acknowledging Notifications through Email

Acknowledging Notifications in the UI

If a license has already expired, or is about to expire within 24 hours, a license expiry notification message is displayed in a pop-up window when the user logs in to Aruba Central. To prevent Aruba Central from generating expiry notifications, click Acknowledge.
Renewing Licenses

To renew your licenses, contact Aruba Sales team.

System Users and User Roles in MSP Mode

The Users and Roles page under Global Settings enables you to view, create, and modify users and roles. The Users and Roles page has two tabs: Users and Roles.

The following topics are included:
- About Roles in MSP Home Account
  o Module Permissions for Roles
  o Adding a Custom Role in MSP Account Home
  o Viewing Role Details
  o Editing a Role
  o Deleting a Role
- About Users in MSP Account Home
  o Adding a User in MSP Account Home
  o Editing a User in MSP Account Home
  o Deleting a User in MSP Account Home
  o Viewing Audit Trail Logs for Users

About Roles in MSP Home Account

Aruba Central MSP mode supports role-based access control. Aruba Central allows you to create predefined user roles and custom roles.

As shown in the following figure, MSP user A is mapped to two roles. MSP role admin gives the user administrator access to all MSP applications and the tenant role readonly gives the user read-only access to all tenant accounts. MSP user B is tied to MSP role admin and tenant role admin. The tenant administrator role provides the user administrator access to all tenant accounts.

Tenant user A is mapped to the admin role. This role gives the user administrator access to all tenant A applications. Tenant user B is mapped to the readonly role. This role gives the user read-only access to tenant B applications. Tenant user A and tenant user B can access only their respective accounts.

Figure 114 MSP Role-Based Access Control

The Roles tab has the following predefined roles.

Table 99: Predefined Roles

Application: Account Home
  admin: Administrator for the Account Home page. If there are common modules between Account Home and other app(s), the Account Home role has higher precedence and the user is granted permission if the operation is initiated from the Account Home page.
  readwrite: Can view and modify settings in the Account Home page and all Global Settings pages.
    NOTE: The 'readwrite' role will not have modify permission for the following pages:
    - Users and Roles
    - Single-Sign-On
  readonly: Can view the Account Home page and all Global Settings pages.

Application: Network Operations
  admin: Administrator for the Network Operations application. Has access to Account Home > Global Settings. This is applicable only if the Account Home role is not set or is not conflicting.
  deny-access: Cannot view the Network Operations application.
  guestoperator: Has guest operator access to the Network Operations application. User does not have access to Account Home > Global Settings.
  readonly: Has read-only access to Account Home > Global Settings and the Network Operations application.
  readwrite: Has read-write access to Account Home > Global Settings and the Network Operations application. Has access to view and modify data using the Aruba Central UI or APIs. However, the user cannot execute APIs to:
    - Enable or disable MSP mode.
    - Perform operations in the following pages:
      o Account Home > Users and Roles
      o Network Operations application > Organization > Labels and Sites

Module Permissions for Roles

Aruba Central enables you to define roles with view or modify permissions. You can also block user access to some modules. If a module is blocked for a specific role, either the corresponding pages are not displayed in the UI, or the user can access the pages but no data is displayed and all actions are disabled for the role.

Aruba Central supports setting permissions for the following modules:

Table 100: Permissions

Application: Account Home
  Devices and Subscription: Enables users to add devices and assign keys and subscriptions to devices in the Account Home page.
  Users: Enables users to define a role with access (View, Modify, or Block) to the user details in the Users tab in the Users and Roles page. To define the role, navigate to Account Home > Global Settings > Users and Roles.
  Roles: Enables users to define a role with access (View, Modify, or Block) to the role details in the Roles tab in the Users and Roles page. To define the role, navigate to Account Home > Global Settings > Users and Roles.
  SSO: Enables users to define a role with access (View, Modify, and Block) to the Single Sign On profiles details in the Users tab in the Single-Sign-On page (Account Home > Single-Sign-On). Enables users to define a role with access (View, Modify, or Block) to the Single Sign On profiles details in the Single Sign On page. To navigate to the Single Sign On page, go to Account Home > Single Sign On.

Application: Network Operations
  MSP: Enables users with administrator role and privileges to define user access to MSP modules such as Customer Management and Portal Customization. The MSP tenant account user does not have access to the MSP application. Even if a tenant account user is assigned a custom role having MSP application privileges:
    - Tenant account user does not have access to the MSP application.
    - MSP will not appear in the Account Home > Global Settings > Users and Roles > Roles > Allowed Applications list.
  Group Management: Enables users to create, view, modify, and delete groups and assign devices to groups.
  Devices and Subscription: Users cannot edit or set permissions for this module. Modify and Block options are disabled. By default, the View Only permission is set.
  Network Management: Enables users to configure, troubleshoot, and monitor Aruba Central-managed networks. You can customize the permissions (view or modify or block) for the following sub-modules:
    - Configuration
    - Configuration Variables
    - Privileged Configuration
    - Firmware
    - Troubleshooting
    - Other Modules
    NOTE: For the Privileged Configuration, the 'Block' option disables the Admin tab (Gateway>System>Admin) for the user. The user management privileges are disabled for this user for gateways at the device and group level.
  Guest Management: Enables users to configure cloud guest splash page profiles.
  AirGroup: Enables users to define or block user access to the AirGroup pages.
  Presence Analytics: Enables users to access the Presence Analytics app and analyze user presence data.
  Floorplans: Enables users to access Floorplans and RF heatmaps.
  Unified Communications: Enables users to access the Unified Communications pages.
  Install Manager: Enables users to manage installer profiles and site installations.
  Reports: Enables users to view and create reports.
  Other Applications: Enables users to access other applications modules such as notifications and Virtual Gateway deployment service.

Adding a Custom Role in MSP Account Home

The following are the permissions that you can associate with a custom role:
- Roles with Modify permission can perform add, edit, or delete actions within the specific module.
- Roles with View Only permission can only view the specific module.
- Roles with Block permission cannot view that particular module or can view the corresponding pages but no data is displayed and all actions are disabled.

To add a custom role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. Click Add Role. The New Role window is displayed.
4. Specify a name for the role.
5. From the drop-down list, select one of the following:
   - Account Home--To manage access to devices and subscriptions in Aruba Central.
   - Network Operations--To set permissions at the module level in the Network Operations application.
6. For Network Management and MSP modules, you can set access rights at the module level. To set view or edit permissions or block the users from accessing a specific module, complete the following steps:
   a. Click Customize.
   b. Select one of the following options for each module as required:
      - View Only
      - Modify
      - Block
7. Click Save.
8. Assign the role to a user account as required.

Viewing Role Details

To view the details of a role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab. The Roles tab displays the following information:
   - Role Name--Name of the role.
   - Allowed Applications--The application(s) to which the user account is subscribed.
   - Assigned Users--Number of users assigned to a role.

Editing a Role

To edit a role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the edit icon.
4. In the Edit Role <"Rolename"> window, modify the permissions set for module(s).
5. Click Save.

Deleting a Role

To delete a role, ensure that the role is not associated to any user and complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the delete icon.
4. Confirm role deletion in the Confirm Action dialog box.

About Users in MSP Account Home

In the Account Home page, under Global Settings, click Users and Roles. The Users tab is displayed. The List of Users table displays the following information:
- Email ID of the user.
- Type of user. The user can be system user or external user.
- Description of the user.
- MSP role
- Tenant role
- Account Home role
- Allowed groups for the user.
- Last active time of the user. If the last active time cell is blank, the user has not logged in after the product upgrade.
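An access review built on the predefined roles in Table 99 and the List of Users columns described above, as an added example that is not part of the Aruba guide and is not Aruba code. The CSV column names, the sample users and the review policy are constructed for illustration; the guide does not define an export format.

```python
import csv
import io

# Predefined role names from Table 99. Any other name is a custom role whose
# module permissions (View Only / Modify / Block) cannot be read from its name.
ACCOUNT_HOME_ROLES = {"admin", "readwrite", "readonly"}
NETWORK_OPS_ROLES = {"admin", "readwrite", "readonly", "guestoperator", "deny-access"}

# Constructed sample data. Column names are hypothetical and mirror the fields
# shown in the List of Users table; this is not real product output.
SAMPLE_USERS_CSV = """\
email,type,msp_role,tenant_role,account_home_role,last_active
alice@msp.example,system,admin,admin,admin,2022-03-20 09:14
bob@msp.example,system,admin,readonly,readwrite,2022-03-22 17:40
carol@msp.example,external,readwrite,readonly,,
dave@msp.example,system,noc-tier1,readonly,readonly,2022-03-01 08:02
erin@msp.example,system,admin,readonly,,2022-03-18 11:30
"""


def may_modify_users_and_roles(account_home_role, msp_role):
    """Return True/False for predefined roles, None when a custom role decides."""
    if account_home_role:
        # An Account Home role has precedence for Account Home pages.
        if account_home_role not in ACCOUNT_HOME_ROLES:
            return None
        # readwrite has no modify permission on Users and Roles; readonly only views.
        return account_home_role == "admin"
    if msp_role not in NETWORK_OPS_ROLES:
        return None
    # Assumption (conservative, for review purposes): with no Account Home role
    # set, the Network Operations admin role is treated as able to modify
    # Global Settings pages. The guide only states that it "has access".
    return msp_role == "admin"


def review_user(row):
    """Return a list of findings for one user row."""
    findings = []
    account_home = row["account_home_role"].strip()
    msp = row["msp_role"].strip()
    tenant = row["tenant_role"].strip()

    for label, role, predefined in (
        ("Account Home", account_home, ACCOUNT_HOME_ROLES),
        ("MSP", msp, NETWORK_OPS_ROLES),
        ("tenant", tenant, NETWORK_OPS_ROLES),
    ):
        if role and role not in predefined:
            findings.append(f"custom {label} role '{role}': check its module permissions")

    if may_modify_users_and_roles(account_home, msp):
        findings.append("can modify Users and Roles")
    if msp == "admin" and tenant == "admin":
        findings.append("administrator on MSP applications and on all tenant accounts")
    if not row["last_active"].strip():
        # A blank cell means the user has not logged in since the product upgrade.
        findings.append("blank last active time: confirm the account is still needed")
    return findings


def review(csv_text):
    """Map each user email to its findings, omitting users with none."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = review_user(row)
        if findings:
            report[row["email"]] = findings
    return report


if __name__ == "__main__":
    for email, findings in review(SAMPLE_USERS_CSV).items():
        for finding in findings:
            print(f"{email}: {finding}")
```

Changes to the flagged accounts can then be cross-checked against the Audit Trail page using the User Management classification.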
The Actions link offers the following options:
- Resend invitation to users--If any user has not received the email invite, you can use this link to resend invitations.
- Two-Factor Authentication (2FA)--Enables Two-factor authentication.
- Support Access--Enables you to generate a new password of a specified validity to give access to a support person from Aruba.

Adding a User in MSP Account Home

To add a user, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users and Roles page is displayed.
2. Click Add User. The New User window is displayed.
3. Configure the following parameters:
   - Username--Email ID of the user. Enter a valid email address.
   - Description--Description of the user role. You can enter up to a maximum of 32 characters including alphabets, numbers, and special characters in the text field.
   - Language--Select a language. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese languages.
   - Account Home--Select a user role for the Account Home page.
   - Network Operations--Select an MSP role and Tenant role for the Network Operations application.
4. Click Save. An email invite is sent to the user with a registration link. Users can use this link to access Aruba Central.

The registration link in the email invite is valid for 15 days.

Track Progress

Click the Track Progress link to open the Operations Status page that provides the user account creation or modification status. The status can be in progress or failed. No status is displayed if the user account is successfully created.

Editing a User in MSP Account Home

To edit a user account, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users tab opens.
2. In the List of Users table, select the user and click the edit icon.
3. In the Edit User <"Username"> window, modify description, role, or allowed groups.
4. Click Save.

Deleting a User in MSP Account Home

To delete a user account:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users tab opens.
2. In the List of Users table, select the user and click the delete icon.
3. Confirm user deletion in the Confirm Action dialog box.

Viewing Audit Trail Logs for Users

Audit logs are generated when a new user is created and an existing user is modified or deleted from the Aruba Central account. It also records the login and logout activities of users.

To view audit logs for Aruba Central users:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page is displayed.
2. To view audit logs for user addition, modification, or deletion, click the filter in the Classification column, and select User Management.
3. To filter audit logs about user activity, click the filter in the Classification column, and select User Activity.

Groups in the MSP Mode

MSP groups are UI groups mapped to the default UI groups in the tenant account. If a tenant account is associated to a specific group in the MSP mode, the configuration changes to the devices associated with this tenant account are pushed only to the default group in the tenant account view. However, MSP administrators can create more groups for a specific tenant by drilling down to a tenant account.

Template, Microbranch, WLAN gateways, VPNC, AOS-CX, Monitoring only, and gateways with ArubaOS 10 architecture groups are not supported in the MSP mode. Creating, editing, and cloning of these groups is not allowed at MSP. However, these groups can be created and managed at each tenant account individually.
This section describes the following topics:
- MSP Group Illustration
- Tenant Default Group Overrides
- MSP Group Persona
- Creating an MSP Group Persona with ArubaOS 8 Architecture
- Cloning an MSP UI Group
- Deleting an MSP UI Group

MSP Group Illustration

As shown in the following figure, tenant A and tenant B are mapped to MSP group 1. The default group configuration for these tenants is inherited from MSP group 1 configuration. Tenant A has two additional user-defined groups that are independent of MSP group 1 configuration. Tenant B has one additional user-defined group that is independent of MSP group 1 configuration.

Tenant C is mapped to MSP group 2 configuration. Its default group configuration is inherited from MSP group 2. It also has one additional user-defined group that is independent of MSP group 2 configuration.

Tenant D has only one default group and its configuration is inherited from MSP group 3.

Tenant E is not mapped to any MSP group. Its default group configuration is independent of any MSP group configuration. It can have additional user-defined groups as well, if required.

Figure 115 MSP Groups

Tenant Default Group Overrides

If a tenant is mapped to an MSP group, the configuration of its default group is inherited from the MSP group it is mapped to. Once mapped, except for any newly created WLAN SSID and WLAN PSK, other configurations are overridden.

As shown in the following figure, the mentioned configuration options are allowed on a tenant default group that is mapped to an MSP group:
- Creating a new WLAN SSID.
- Overriding the WLAN PSK for a WLAN inherited from an MSP group.

Figure 116 Default Group Overrides

Considerations for Editing a Tenant Default Group

- If a tenant default group does not have any devices assigned to it, then any MSP group can be mapped to that tenant default group.
- If a tenant default group has any devices assigned to it, mapping to a new MSP group is allowed only if the MSP group architecture and persona match with that of the tenant default group. If the MSP group and tenant default group persona do not match then the percolation is not allowed. As a workaround, you can move all the devices from the tenant default group to a non-default group and then try mapping the MSP group.
- If a tenant default group has only access points assigned to it and is not shown in monitoring, mapping to a new MSP group is still allowed even if the MSP group and tenant default group persona and architecture do not match.
- If a tenant default group does not support a device type, adding such a type of factory default devices to the tenant default group is not supported. These devices will be moved to the unprovisioned group when they come up in Aruba Central.
- During the migration of tenant default groups, the tenant default group contains AOS-S and AOS-CX Switch personas. As the AOS-CX Switch type is not supported in the MSP groups, assigning a different MSP group to this tenant default group is not supported, when the tenant default group has devices assigned to it.
- When a standard enterprise account is converted to an MSP account in Aruba Central 2.5.4 release, the MSP default group contains the gateway properties even if the MSP account is not an allowlisted account for gateways.
- When a standard enterprise account is converted to an MSP account in Aruba Central 2.5.4 release, such MSP default group will have an AOS-CX Switch persona along with AOS-S Switch. The AOS-CX persona is not supported in the MSP mode. Hence, mapping of this MSP default group to a tenant is not allowed.

MSP Group Persona

A persona of a device represents the role that the device plays in a network deployment.
Creating persona for devices helps in customizing configuration workflows, automating parts of configurations, showing the default configuration, and showing relevant settings for the device. Persona configuration also helps in customizing the monitoring screens and troubleshooting workflows appropriate for the device.

Aruba Central does not support managing gateways at the MSP level. However, gateways can be configured and managed at the tenant account level.

Creating a Persona

Persona can be created when creating a group. Persona and architecture can be set at the group level. All devices within a group inherit the same persona from the group settings. While creating a group, the architecture and persona settings of the current group can be marked as preferred settings for adding subsequent groups. For subsequent groups, you can either automatically apply the preferred settings or manually select settings for the new group.

Persona for Access Points

Access Points can have the following persona:
- Campus/Branch--In this persona, AP provides WLAN functionality. This persona applies to ArubaOS 8 (including IAP-VPN) architecture.

Persona for Gateways

Gateways can have the following persona:
- Branch--In this persona, gateways provide ArubaOS 8 SD-Branch (LAN + WAN) functionality. This persona applies to ArubaOS 8 architecture.

Architecture

The following architecture is supported for creating groups:
- ArubaOS 8--Instant AP-based deployment, including Aruba InstantOS 6.x or Aruba InstantOS 8.x (IAP, IAPVPN), or Aruba InstantOS 8.x SD-Branch deployments.

For information on creating groups with a persona and architecture, see the following topic:
- Creating an MSP Group Persona with ArubaOS 8 Architecture

Creating an MSP Group Persona with ArubaOS 8 Architecture

To manage device configuration using UI configuration containers in Aruba Central, you can create a UI group and assign devices.
During the group creation, you can assign a persona and select an architecture for the group.

The gateway configuration is supported in this release as selectively available features. Contact your Aruba Account Manager to enable it in your Aruba Central account.

Aruba Central does not support managing gateways at the MSP level. However, gateways can be configured and managed at the tenant account level.

Adding an MSP UI Group

To create an MSP UI group and assign a persona and ArubaOS 8 architecture, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Click (+) Add Group. The Add Group page is displayed.
5. Enter a name for the group.
6. Select device types that will be part of this group. A group can contain the following devices:
   - Access points
   - Gateways
   - Switches (Only AOS-S switch type is supported at MSP UI groups)
   For detailed device combinations, refer to the Device Combinations table.
7. Optionally, select the Make these the preferred group settings check box to save the architecture and persona settings of the current group for subsequent group creations.
8. Click Add Group. A group with persona configuration is created.

Device Combinations for MSP Group Persona

The following are the valid combinations for a group persona with Aruba Instant OS architecture.
Table 101: Device Combinations

| Device Type | Architecture | AP Network Role | GW Network Role | Switches | Monitoring Only |
|---|---|---|---|---|---|
| AP | ArubaOS 8 | Campus/Branch | N/A | N/A | N/A |
| Gateway | ArubaOS 8 | N/A | Branch | N/A | N/A |
| Switch | No architecture | N/A | N/A | AOS-S only | N/A |
| AP, Gateway | ArubaOS 8 | Campus/Branch | Branch | N/A | N/A |
| AP, Switch | ArubaOS 8 | Campus/Branch | N/A | AOS-S only | N/A |
| AP, Gateway, Switch | ArubaOS 8 | Campus/Branch | Branch | AOS-S only | N/A |

Editing an MSP UI Group
You can edit an MSP UI group to add a new device type to the group. The group architecture and persona cannot be changed through group edit. You can mark the settings of an edited group as preferred settings for subsequent group creations.
To edit an MSP UI group, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. To edit an existing group, hover over the group in the groups table and click the Edit Group icon. The Edit Group page is displayed.
5. Add a new device type.
6. Optionally, select the Make these the preferred group settings check box to save the architecture and persona settings of the current group for subsequent group creations.
7. Click Save. The group edit changes are saved.

The group edit is not allowed in the following scenarios:
- If an MSP group is mapped to any tenant, the MSP group edit is not allowed.
- If the tenant default group is mapped to any MSP group, the tenant default group edit is not allowed.

Cloning an MSP UI Group
Cloning a group copies the architecture and persona as is from the source group.
To clone an MSP UI group, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. To create a clone of an existing group, hover over the group in the groups table and click the Clone Group icon. The Clone Group page is displayed.
5. Enter a name for the group.
6. Click Clone. The group is cloned.

Deleting an MSP UI Group
If you no longer require a group, you can delete it. The delete option is available only if the group is not mapped to a tenant account.
When you delete a group, Aruba Central removes all configuration, templates, and variable definitions associated with the group. Before deleting a group, ensure that there are no devices attached to the group.
To delete a group, complete the following steps:
1. In the Network Operations app, filter All Groups.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. From the list of groups, hover over the group in the groups table and click the Delete Group icon. The Delete Group confirmation window is displayed.
5. Click Yes to confirm. The group is deleted.

About Provisioning Tenant or Customer Accounts
After adding a device in the MSP mode, the device must be mapped to a tenant account for device management and monitoring operations.
With MSP mode enabled, the MSP administrator manages the creation and deletion of tenant accounts. After a tenant account is created, the MSP administrator can add tenant users to the account. To create a tenant user, the MSP administrator must provide a valid email address for the user. A verification email is sent to this email address. Tenant users have access to their individual tenant account only. Tenant users do not have access to other tenant accounts managed by the MSP.
The group associated to the tenant account in the MSP mode shows up as the default group for tenant account users.
In the MSP mode, all configuration changes made to the group associated to the tenant account are applied to the default group on the tenant account.

Flowchart for Tenant Account Mapping in MSP
The following flowchart displays a visual representation of how you can create a tenant account and map it to an MSP group.
Figure 117 Tenant Account Mapping to an MSP Group

Creating a Tenant Account and Mapping to an MSP Group
The following are the usage guidelines for creating a tenant account:
- If the tenant account provisioning fails, the task is marked as Provision Failed in the UI and PROVISION_FAILED in the [GET] /msp/v1/customers API response. To view the task status in the UI, under Manage, click Overview to display the Dashboard page. Click the Customers tab. If the provisioning fails, you can delete the tenant account and try again.
- Tenant account users can only view reports generated for the default group. The administrators of a specific tenant account can drill down to the tenant account and generate reports for the default group.
- If cloud guest provisioning fails, cloud guest features for the tenant may get impacted. In such instances, contact Aruba Central Technical Support.

To add a tenant account, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Manage, click Overview. The Dashboard is displayed.
3. Click Add New Customer. The Add Customer page is displayed.
4. Enter the name of the tenant in the Customer Name text box.
   The MSP customer name can be a maximum of 70 single byte characters. All special characters, ASCII, and Unicode are allowed.
5. Enter the description of the tenant in the Description text box.
   The MSP customer description field can be a maximum of 32 single byte characters. All special characters, ASCII, and Unicode are allowed.
6. If you want to associate the tenant to a group, click the Add to group toggle switch.
7. From the Group drop-down list, select a group to which you want to assign the tenant.
   The group associated to the tenant account in the MSP mode shows up as the default group for tenant account users. In the MSP mode, all configuration changes made to the group associated to the tenant account are applied to the default group on the tenant account.
8. If you want to prevent the users of the tenant account from modifying SSID settings of the device group, select the Lock SSID check box.
9. Click Save.

Viewing Tenant Account Details
To view the tenant account details, perform the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Manage, click Overview to display the Dashboard page.
3. Click the Customers tab.
4. Hover over the tenant account and click expand.
   The customer details window displays the following sections. Click the X mark on the top-right corner of the screen to exit the window and return to the dashboard.

Summary
- Customer ID--Displays the subscription renewal schedule for the next 12 months. The graph plots the total count of subscriptions that are due for renewal for each month.
- Customer Created--Displays the count of devices that are managed in the network over a period of time.
- MSP Group--Displays the total number of tenants added to Aruba Central over a period of time.
- Description--Description of the tenant account.
- Customer Name--Name of the tenant account.

Devices
This section is a graphical representation of the devices assigned to the selected tenant account, as well as the licensed and unlicensed count for each device type.
- The section consists of three doughnut charts, each chart representing one of the following types of devices: APs, switches, and gateways.
- The number in the center of the chart indicates the total number of devices, both licensed and unlicensed, of a specific type allocated to the tenant account.
- The two colors on the ring of the doughnut indicate the number of licensed and unlicensed devices of a specific type allocated to the tenant account. You can hover over one segment of the doughnut to see the numbers corresponding to the selected segment.
- You can also deselect and reselect the Licensed and Unlicensed options for each chart.
For example, in the following image, the tenant account has three APs, one switch, and one gateway. Out of this, only one AP is unlicensed.
Figure 118 Devices Section of the Expand Tenant Account Page

Licenses
This section is a graphical representation of the device subscriptions assigned to the devices for the selected tenant account. The section also shows the number of Foundation and Advanced licenses for each type of device.
- The section consists of three doughnut charts, each chart representing one of the following types of devices: APs, switches, and gateways.
- The number in the center of the chart indicates the total number of licensed devices of a specific type allocated to the tenant account.
- The two colors on the ring of the doughnut indicate the number of Advanced and Foundation licenses assigned to a device of a specific type allocated to the tenant account. You can hover over one segment of the doughnut to see the numbers corresponding to the selected segment.
- You can also deselect and reselect the Advanced and Foundation options for each chart.
For example, in the following image, the tenant account has two APs, one switch, and one gateway, each assigned with a Foundation license.
Figure 119 Licenses Section of the Expand Tenant Account Page

Editing a Tenant Account
When editing the group associated with the MSP customer or tenant, the default group configuration of the tenant account is also impacted.
To edit a tenant account, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Manage, click Overview. The Dashboard is displayed.
3. Hover over the tenant account that you want to edit and click edit.
4. Modify the account details. If you want to associate the tenant account to a different group, turn on the Add to group toggle switch and select a group.
5. Click Save.

Deleting a Tenant Account
To delete a tenant account, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Manage, click Overview. The Dashboard is displayed.
3. Hover over the tenant account that you want to delete and click delete.
4. Click Yes to confirm the action.

If the tenant account deletion fails, the provisioning status is marked as Delete Failed in the UI and DELETE_FAILED in the [GET] /msp/v1/customers/{customer_id} API response. To view the task status in the UI, under Manage, click Overview to display the Dashboard page. Click the Customers tab.

Assigning Devices to Tenant Accounts
Before assigning devices to tenant accounts, ensure that you have completed the following: onboarded devices, assigned subscriptions, and provisioned tenant accounts.
To assign devices to tenant accounts, complete the following steps:
1. In the Account Home page, under Global Settings, click Device Inventory. A list of devices provisioned in the MSP mode is displayed.
2. Select one or several devices from the table. To select multiple devices, press and hold the Ctrl key and select the devices. The Assign Customer button is displayed under the table.
3. Click Assign Customer. A window showing a list of tenant accounts provisioned in the MSP mode is displayed.
4. Select the tenant account to which you want to assign the device. The groups associated with the tenant accounts are displayed.
5. Click Assign Device(s).
6. Click Yes when prompted for confirmation.

MSP Dashboard
The MSP dashboard provides a summary of hardware and subscriptions owned by the MSP and details about the tenant accounts managed by the MSP. The hardware includes APs, switches, and gateways.
Viewing the MSP Dashboard
To view the MSP dashboard, perform the following steps:
1. In the Network Operations app, set the filter to All Groups. The filter context changes to Global.
2. Under Manage, click Overview to display the Dashboard.
The number in parentheses () for Customers indicates the total number of customers for that MSP account. In the following image, the total number of customers is 54.
The Dashboard page includes the following sections:
- A summary section for the dashboard--Displays the assigned and unassigned devices and the assigned and unassigned licenses for APs, switches, and gateways.
- Overview--Displays the list of customers, the types of devices assigned to each customer, as well as critical alerts, if any.
- Trends--Displays charts for license renewal, the number of devices under MSP management, and the number of customers added over the last year.
- Add New Customer--Enables you to add a new tenant to the MSP account. Perform the steps detailed in About Provisioning Tenant or Customer Accounts.
Figure 120 Viewing the MSP Dashboard

Dashboard Summary
The summary section for Dashboard displays the total number of assigned and unassigned devices, and the total number of assigned and unassigned licenses for three categories of hardware devices that include APs, switches, and gateways.
In MSP mode, you must first assign a device to a tenant account before assigning a license to the device.
The summary section includes the following details:
- Access Points
  - Devices--Number of available APs. Click the number to navigate to Account Home > Device Inventory to see the details of the APs in the MSP inventory.
    - Unassigned--Number of APs that are not assigned to any tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the unassigned APs in the MSP inventory.
    - Assigned--Number of APs that are already assigned to a tenant account.
      Click the number to navigate to Account Home > Device Inventory to see the details of only the assigned APs in the MSP inventory.
  - Licenses--Number of available licenses for APs. Click the number to navigate to Account Home > License Assignment > Access Points to see the details of all the licenses for APs in the MSP inventory.
    - Unassigned--Number of AP licenses that are not assigned to any AP. Click the number to navigate to Account Home > License Assignment > Access Points > Unlicensed to see the details of all the unassigned licenses for APs in the MSP inventory.
    - Assigned--Number of AP licenses that are already assigned to APs. Click the number to navigate to Account Home > License Assignment > Access Points > Licensed to see the details of all the assigned licenses for APs in the MSP inventory.
- Switches
  - Devices--Number of available switches. Click the number to navigate to Account Home > Device Inventory to see the details of the switches in the MSP inventory.
    - Unassigned--Number of switches that are not assigned to any tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of the switches in the MSP inventory.
    - Assigned--Number of switches that are already assigned to a tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the assigned switches in the MSP inventory.
  - Licenses--Number of available licenses for switches. Click the number to navigate to Account Home > License Assignment > Switches to see the details of all the licenses for switches in the MSP inventory.
    - Unassigned--Number of switch licenses that are not assigned to any switches. Click the number to navigate to Account Home > License Assignment > Switches > Unlicensed to see the details of all the unassigned licenses for switches in the MSP inventory.
    - Assigned--Number of switch licenses that are already assigned to switches.
      Click the number to navigate to Account Home > License Assignment > Switches > Licensed to see the details of all the assigned licenses for switches in the MSP inventory.
- Gateways
  - Devices--Number of available gateways. Click the number to navigate to Account Home > Device Inventory to see the details of the gateways in the MSP inventory.
    - Unassigned--Number of gateways that are not assigned to any tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the unassigned gateways in the MSP inventory.
    - Assigned--Number of gateways that are already assigned to a tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the assigned gateways in the MSP inventory.
  - Licenses--Number of available licenses for gateways. Click the number to navigate to Account Home > License Assignment > Gateways to see the details of all the licenses for gateways in the MSP inventory.
    - Unassigned--Number of gateway licenses that are not assigned to any gateways. Click the number to navigate to Account Home > License Assignment > Gateways > Unlicensed to see the details of all the unassigned licenses for gateways in the MSP inventory.
    - Assigned--Number of gateway licenses that are already assigned to gateways. Click the number to navigate to Account Home > License Assignment > Gateways > Licensed to see the details of all the assigned licenses for gateways in the MSP inventory.

Customers | Overview
By default, the Customers | Overview table is displayed. The table provides an overview of tenant accounts. MSP administrators can perform tasks such as drilling down to a tenant account, editing an existing tenant account, and deleting a tenant account.
- Customer Name
  Name of the tenant account. Click the customer name to go to the tenant account view for the customer.
  Hover over the tenant account name to view the following options:
  - expand--Opens a new pop-up window showing the tenant account details. For more information, see Viewing Tenant Account Details.
  - edit--Opens the Edit Customer pop-up window. For more information, see Editing a Tenant Account.
  - delete--Opens the confirmation dialog box. For more information, see Deleting a Tenant Account.
  Hover over the icon next to the tenant account name to view the provisioning status. The status can be one of the following:
  - In Progress
  - Provision Failed
  Use the filter icon on the column header to filter by tenant account name.
- Customer ID
  Unique ID of the tenant account. The ID can be in one of the following formats:
  - Numerical format
  - UUID format
  Use the column filter to search for a particular customer ID. Note that you must enter the full customer ID.
  The Customer ID column is not displayed in the default view. Use the column selector and select the Customer ID check box to add the column to the table.
  Figure 121 Selecting the Customer ID for Display
- Access Points
  - Up--Total number of online APs. Click the number to view the list of online APs.
  - Down--Total number of offline APs. Click the number to view the list of offline APs.
  Click the sort icon to sort the column in ascending or descending order.
  Sometimes, the total number of APs that are displayed as Down for a tenant account in MSP view may not equal the total number of corresponding APs displayed as Offline under Manage > Access Points in the tenant account view. This discrepancy is corrected by an automatic and periodic sync between the MSP database and tenant view database. The periodic sync happens every 12 hours.
  The number in parentheses () indicates the number of devices that are not onboarded.
- Switches
  - Up--Total number of online switches. Click the number to view the list of online switches.
  - Down--Total number of offline switches.
    Click the number to view the list of offline switches.
  Click the sort icon to sort the column in ascending or descending order.
  Sometimes, the total number of switches that are displayed as Down for a tenant account in MSP view may not equal the total number of corresponding switches displayed as Offline under Manage > Switches in the tenant account view. This discrepancy is corrected by an automatic and periodic sync between the MSP database and tenant view database. The periodic sync happens every 12 hours.
  The number in parentheses () indicates the number of devices that are not onboarded.
  The number of switches displayed in the MSP dashboard corresponds to the total number of switches available for the tenant. However, in the tenant view, a switch stack is considered as a single entity. For example, if there are two switch stacks for a tenant account, and each stack has two members, the MSP dashboard displays the count as four whereas the tenant account displays the count as two.
- Gateways
  - Up--Total number of online gateways. Click the number to view the list of online gateways.
  - Down--Total number of offline gateways. Click the number to view the list of offline gateways.
  Click the sort icon to sort the column in ascending or descending order.
  Sometimes, the total number of gateways that are displayed as Down for a tenant account in MSP view may not equal the total number of corresponding gateways displayed as Offline under Manage > Gateways in the tenant account view. This discrepancy is corrected by an automatic and periodic sync between the MSP database and tenant view database. The periodic sync happens every 12 hours.
  The number in parentheses () indicates the number of devices that are not onboarded.
- Critical Alerts
  Total number of critical alerts for the tenant account. Click the number to navigate to the Alerts page of the tenant account. For more information, see MSP Alerts.
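The provisioning states and customer ID formats described for tenant accounts can also be checked against the body returned by [GET] /msp/v1/customers. The following Python code is an added example, not part of this guide or of Aruba's software: the field names customers, customer_id, customer_name and provision_status, the PROVISIONED value, the accepted UUID spellings and the sample data are assumptions, while the two endpoints and the PROVISION_FAILED and DELETE_FAILED values come from this guide. It validates each customer ID before building the per-customer path, so an unexpected value never reaches the URL.

```python
import re

# Failure states this guide names for the API response, with their UI labels.
FAILED_STATES = {
    "PROVISION_FAILED": "Provision Failed",
    "DELETE_FAILED": "Delete Failed",
}

# The guide says a customer ID is either numerical or a UUID.
# Assumptions: numerical IDs have at most 32 digits, and "UUID format" means
# 8-4-4-4-12 hex digits or the same 32 hex digits without hyphens.
_NUMERIC_ID = re.compile(r"[0-9]{1,32}")
_UUID_ID = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{32}",
    re.IGNORECASE,
)


def classify_customer_id(customer_id):
    """Return 'numeric' or 'uuid'; raise ValueError for any other value."""
    if not isinstance(customer_id, str):
        raise ValueError("customer ID must be a string")
    # fullmatch rejects trailing newlines, slashes and any other extra characters.
    if _NUMERIC_ID.fullmatch(customer_id):
        return "numeric"
    if _UUID_ID.fullmatch(customer_id):
        return "uuid"
    raise ValueError(f"unexpected customer ID format: {customer_id!r}")


def customer_detail_path(customer_id):
    """Build the /msp/v1/customers/{customer_id} path for a validated ID only."""
    classify_customer_id(customer_id)
    return f"/msp/v1/customers/{customer_id}"


def triage_customers(response_body):
    """List tenants whose provisioning or deletion failed.

    response_body is the parsed JSON of [GET] /msp/v1/customers
    (field names are assumptions, see the lead-in).
    """
    findings = []
    for entry in response_body.get("customers", []):
        status = entry.get("provision_status")
        if status not in FAILED_STATES:
            continue
        customer_id = entry.get("customer_id")
        try:
            id_format = classify_customer_id(customer_id)
            path = customer_detail_path(customer_id)
        except ValueError:
            # Do not build a request path from an ID that fails validation.
            id_format, path = "invalid", None
        findings.append({
            "customer_name": entry.get("customer_name"),
            "customer_id": customer_id,
            "status": status,
            "ui_label": FAILED_STATES[status],
            "id_format": id_format,
            "detail_path": path,
        })
    return findings


# Constructed sample response (not real data).
SAMPLE_RESPONSE = {
    "customers": [
        {"customer_id": "1000000001", "customer_name": "Tenant A",
         "provision_status": "PROVISIONED"},
        {"customer_id": "0f8fad5b-d9cb-469f-a165-70867728950e",
         "customer_name": "Tenant B", "provision_status": "PROVISION_FAILED"},
        {"customer_id": "1000000003", "customer_name": "Tenant C",
         "provision_status": "DELETE_FAILED"},
        {"customer_id": "../../groups", "customer_name": "Tenant D",
         "provision_status": "PROVISION_FAILED"},
    ]
}

if __name__ == "__main__":
    for finding in triage_customers(SAMPLE_RESPONSE):
        print(finding["customer_name"], finding["ui_label"], finding["detail_path"])
```
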
Customers | Trends
Go to Customers | Trends to view the following sections:
- License Renewal Schedule (1 Year)--Displays the subscription renewal schedule for the next 12 months. The entries include the license renewal date and the total count of subscriptions of each type that are due for renewal on that date.
- Device Under Management graph--Displays the count of devices that are managed in the network over the last 12 months. The dates are plotted on the x-axis and the number of devices on the y-axis. Hover over any part of the chart to see the number of devices the MSP is managing on that specific date.
- Customers graph--Displays the total number of tenants added to Aruba Central over the last 12 months. The dates are plotted on the x-axis and the number of tenants on the y-axis. Hover over any part of the chart to see the number of tenants the MSP added on that specific date. Click Total to view the total number of tenant accounts.

Using the Switch Customer Option
If you are an MSP administrator and if your user ID has been added to multiple tenant accounts, after you log in to Aruba Central, you must select the tenant account that you want to access.
Figure 122 Select Account
To select a different tenant account, click the User icon, select Switch Customer, and then select the tenant account that you want to access.
Figure 123 Switch Customer

MSP Certificates
You can view and add certificates in MSP.

Viewing Certificates in MSP Mode
To view certificates in MSP mode, complete the following steps:
1. In the Network Operations app, use the filter to select All Groups. The global dashboard is displayed for the MSP mode.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Certificates tile. The Certificates page is displayed.
The Certificate Store displays the following information:

Table 102: Certificate Store Parameters

| Data Pane Item | Description |
|---|---|
| Certificate Name | Name of the certificate. |
| Status | Status of the certificate as either Active or Expired. |
| Expiry Date | Date of expiry for the certificate. |
| Type | Type of certificate. For example, a server certificate. |
| MD5 Checksum | The Message Digest 5 (MD5) algorithm is a widely used hash function producing a 128-bit hash value from the data input. Checksum value of the certificate. |
| SHA-1 Checksum | The Secure Hash Algorithm 1 (SHA-1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value. Checksum value of the certificate. |

Uploading Certificates in the MSP Mode
MSP administrators can upload certificates to the Aruba Central certificate store. They can also map the certificate usage for server and user authentication for the groups associated to a tenant account.
To upload certificates to the certificate store, complete the following steps:
1. In the Network Operations app, use the filter to select All Groups. The global dashboard is displayed for the MSP mode.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Certificates tile. The Certificates page is displayed.
4. To add a new certificate to the Certificate Store, click the + sign. The Add Certificate dialog box is displayed.
5. Enter the certificate name in the Name text box.
6. Select the certificate type from the Type list.
7. Select the certificate format from the Format drop-down. The supported certificate formats are PEM, DER, and PKCS12.
8. For server certificates, enter and then retype the passphrase.
9. Click Choose File to browse to your local directory and select the certificate to upload.
10. Click Add.

Aruba Central allows percolation of certificates that are mapped to the MSP group, to the tenant account.
When a certificate is removed from the Device > Access Points > WLANs > Show Advanced > Security > Certificate Usage section in the group dashboard in MSP, the respective certificate is also removed from the tenant's Certificates Store, if the certificate is mapped to the tenant's default group and is no longer used by the tenant. If the certificate is used by any of the tenant's non-default groups, the certificate is retained in the tenant's certificate store, even if the certificate is removed from the MSP.
The Device > Access Points > WLANs > Show Advanced > Security > Certificate Usage menu is displayed only when you select a group from the filter.

Navigating to the Tenant Account
MSP users with administrative privileges to tenant accounts can drill down to tenant accounts. To drill down to a specific tenant account:
1. In the Network Operations app, set the filter to All Groups.
2. Under Manage, click Overview to display the Dashboard. The Dashboard page includes the following sections:
   - Dashboard summary bar
   - Overview and trends for customers
3. In the Customers | Overview table, click the tenant account name and click Expand. The tenant account details window is displayed. Close the window.
4. To go to the tenant account, click on the tenant account name. The tenant account is displayed in Standard Enterprise Mode. To return to the MSP view, click Return to MSP View.

Aruba recommends that you not use the Back button of the web browser to go back to the MSP view.

Points to Note:
- The group attached to tenant account in the MSP mode shows up as a default group for the users of the tenant account.
- Configuration changes to the group attached to a tenant account in the MSP mode are applied to the default group in the interface displayed for the tenant accounts.
- The administrators can add users to a tenant account using the Users & Roles menu in the Global Settings app.
- Tenant account administrators can allow or prevent user access to specific groups by configuring custom roles.

MSP Alerts
Aruba Central MSP mode enables administrators to trigger alerts when tenant provisioning, network, device, or user management events occur.
An MSP administrator can configure alerts at the MSP level which percolate down to all tenant accounts managed by the MSP. For example, if the MSP administrator has configured an alert to be triggered when an AP is disconnected, the MSP is notified when an AP is disconnected in any of the tenant networks managed by the MSP. This allows for faster reactive support and makes monitoring and troubleshooting easy across multiple tenant accounts.
The MSP administrator can configure additional alerts at the tenant account level. At the tenant account level, alerts can be configured based on groups, labels, sites, or devices.
Tenant account administrators can also configure additional alerts for their account. In this case, the alert is triggered only for the corresponding tenant account. The MSP administrator can edit an alert configured by the tenant account administrator. However, the tenant account administrator cannot edit an alert created by the MSP administrator.
MSP level and tenant level alert configurations are managed separately. For example, if an alert is configured and enabled at both the MSP level and tenant level, two separate notifications are triggered for the event.
Figure 124 MSP Alerts

This section includes the following topics:
- Viewing MSP Alerts Dashboard
- MSP Alerts in List View
- MSP Alerts in Summary View
- MSP Alerts in Config View

Viewing MSP Alerts Dashboard
1. In the Network Operations app, filter All Groups.
2. Under Analyze, click Alerts to display the Alerts dashboard. The Alerts dashboard enables you to configure, view, and acknowledge alerts.
   The dashboard has three views:
   - Alerts in List View
   - Alerts in Summary View
   - Alerts in Config View
3. The Search bar allows you to search for alerts by tenant account. Enter the name of the tenant account and select the tenant account from the list.
4. To view the list of alerts, click the List icon.
   a. The list view displays the number of alerts in the following categories:
      - Critical
      - Major
      - Minor
      - Warning
   b. Click Acknowledge All to acknowledge all the alerts at once.
   c. Enable the Show Acknowledged Alerts button to display the list of acknowledged alerts.
   d. Clicking the icon enables you to customize the Alerts table columns or set it to the default view.
5. To view detailed graphs about the alerts, click the Summary icon. Select each tab, All, Access Points, Switches, or Gateways, to view the graphs pertaining to each device type.
6. To configure alerts, click the Config icon. For more information, see xxx.

MSP Alerts in List View
The MSP Alerts page in list view displays a list of alerts for all customers associated with the MSP account. Use the Search Customer Name field to filter alerts by customer name.
The Alerts summary bar displays a list of all the alerts categorized by severity level. You can click on any of the categories to display the list of alerts for that category.
Figure 125 MSP Alerts in List View
All the alerts are displayed in a tabular format with the following information:

Table 103: Viewing the MSP Alerts in List View

| Data Pane Content | Description |
|---|---|
| Occurred On | Timestamp of the alert. Use the sort option to sort the alerts by date and time. |
| Category | Displays the category of the alert. Use the filter option to filter the alert by category. |
| Label | Displays the label name of the alert. |
| Site | Displays the site name of the alert. |
| Customer | Displays the customer name of the alert. |
| Group | Displays the group name of the alert. |
| Severity | Displays the severity level of the alert. The severity can be Critical, Major, Minor, or Warning. |
| Description | Displays a description of the alert. Use the search option in filter bar to filter the alert based on description. |

MSP Alerts in Summary View
The Summary view lists all the alerts in charts. The available charts are:
- Alerts by Type--This horizontal bar chart plots the number of alerts versus the category of alerts. You can hover over a bar to get the exact data for the number of alerts for that category. Clicking on a bar redirects you to the list view for that category of alerts. An example is displayed in the next image.
- Alerts by Severity--This vertical bar chart plots the number of alerts versus the severity of alerts. You can hover over a bar to get the exact data for the number of alerts for that severity. Clicking on a bar redirects you to the list view for that severity of alerts.
Figure 126 Alerts by Type Chart in MSP Alerts Summary View
Select each tab, All, Access Points, Switches, or Gateways, to view the graphs pertaining to each device type.

MSP Alerts in Config View
The Alerts page in Config view enables you to configure alerts. You can configure alerts at the MSP level and the tenant account level.

Configuring Alerts at the MSP Level
To configure alerts at the MSP level, complete the following steps:
1. In the Network Operations app, filter All Groups.
2. Under Analyze, click Alerts to display the Alerts dashboard.
3. Click the Config icon.
   At the MSP level, you cannot configure alerts based on groups, labels, sites, or devices.
4. Use the tabs to navigate between the alert categories. Select an alert and click + to enable the alert with default settings. To configure alert parameters, click on the alert tile (anywhere within the rectangular box) and do the following:
   a. Severity--Set the severity. The available options are Critical, Major, Minor, and Warning.
By default, the following alerts are enabled and the severity is Major: n Virtual Controller Disconnected n Rogue AP Detected n New User Account Added n Switch Detected n Switch Disconnected b. Notification Options--See Alert Notification Delivery Options. n Click Save. n Add Rule--(Optional) For a few alerts, the Add Rule option appears. For such alerts, you can add additional rule(s). Configuring Alerts at the Tenant Account Level To configure alerts at the tenant account level, complete the following steps: 1. Navigate to the tenant account. See Navigating to the Tenant Account. 2. In the Network Operations app, set the filter to a group or a device. 3. To configure alerts, click the settings icon under Analyze > Alerts & Events. By default, the Alerts & Events > User category is displayed. 4. Use the tabs to navigate between the alert categories. Select an alert and click + to enable the alert with default settings. To configure alert parameters, click on the alert tile (anywhere within the rectangular box) and do the following: a. Severity--Set the severity. The available options are Critical, Major, Minor, and Warning. By default, the following alerts are enabled and the severity is Major: n Virtual Controller Disconnected n Rogue AP Detected n New User Account Added n Switch Detected n Switch Disconnected Aruba Central | User Guide 481 For a few alerts, you can configure threshold value for one or more alert severities. To set the threshold value, select the alert and in the exceeds text box, enter the value. The alert is triggered when one of the threshold values exceed the duration. b. Duration--Enter the duration in minutes. c. Device Filter Options--(Optional) You can restrict the scope of an alert by setting one or more of the following parameters: n Group--Select a group to limit the alert to a specific group. n Label--Select a label to limit the alert to a specific label. n Device--Select a device to limit the alert to a specific device. 
n Sites--Select a site to limit the alert to a specific site. d. Notification Options n Email--Select the Email check box and enter an email address to receive notifications when an alert is generated. You can enter multiple email addresses, separate each value with a comma. n Webhook--Select the Webhook check box and select the Webhook from the drop-down list. e. Click Save. f. Add Rule--(Optional) For a few alerts, the Add Rule option appears. For such alerts, you can add additional rule(s). The rule summaries appear at the top of the page. Viewing Enabled Alerts To view alerts enabled at the MSP level or tenant account level, do the following: 1. In the Network Operations app, filter All Groups. 2. Under Analyze, click Alerts to display the Alerts dashboard. 3. On the Alerts page, click Enabled. The Enabled tab lists the alerts that you have enabled. Click the tabs to see enabled alerts for each category. Alert Notification Delivery Options When you configure an alert, you can select how you want to be notified when an alert is generated. Aruba Central supports the following notification types: n Email--Select the Email check box and enter an email address to receive notifications when an alert is generated. You can enter multiple email addresses; separate each value with a comma. n Webhook--Select the Webhook check box and select the desired Webhooks from the drop-down list. Before you select this option, you must create Webhooks. For more information about creating and modifying Webhooks, see the Aruba Central Online documentation. MSP Audit Trails The Audit Trail page shows the logs for all the device management, configuration, and user management events triggered in Aruba Central. 
You can search or filter the audit trail records based on any of the following columns: n Occurred on (Custom Range) n Username n IP Address Managed Service Provider | 482 n Category n Description n Target n Source Viewing the Audit Trail Page To view the audit trail log details in Aruba Central MSP mode: 1. From the Network Operations app, set the filter to All Groups. 2. Under Analyze, click Audit Trail. 3. Adjust the time filter to get the display for the required time range. The Audit Trail logs are displayed for the following types of operations in the MSP: n Addition, modification, and deletion of tenant accounts n Addition, modification and deletion of users associated with a tenant account n Subscription assignment to devices n Modification of groups associated with a tenant account n Configuration push, override , and updates for the devices associated with a tenant account n Addition, modification, and deletion of MSP admin users n License reconciliation The Audit Trail page in the MSP mode displays the following information: Table 104: Audit Trail Pane in the MSP Mode Parameter Occurred On Username IP Address Category Target Source Description Description Time stamp of the events for which the audit trails are shown. Use the filter option to select a specific time range to display the events. The username of the admin user who applied the changes. IP address of the client device. Type of modification and the affected device management category. See Classification of Audit Trails. The group, device, or tenant account to which the changes were applied. The tenant account in which the changes occurred. A short description of the changes such as subscription assignment, firmware upgrade, and configuration updates. Click to view the complete details of the event. For example, if an event was not successful, clicking the ellipsis displays the reason for the failure. 
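The following Python code is an added example, not part of the Aruba guide: it reviews audit trail records for changes in access-related categories and marks those made from an IP address not previously seen for the same username. The record layout (dictionary keys mirroring the Table 104 columns), the sample rows, and the set of categories treated as sensitive are assumptions; the category names themselves come from this guide's Classification of Audit Trails list.

```python
from datetime import datetime

# Assumption: categories a reviewer treats as access-sensitive. The names are
# taken from the guide's classification list; the selection is a local choice.
SENSITIVE_CATEGORIES = {"User Management", "RBAC", "SAML Profile", "API Gateway", "MSP"}

# Constructed sample records; keys mirror the Audit Trail columns in Table 104.
RECORDS = [
    {"occurred_on": "2022-03-01T09:00:00", "username": "admin1@msp.example",
     "ip_address": "192.0.2.10", "category": "Configuration",
     "target": "group-a", "source": "tenant-1", "description": "Configuration push"},
    {"occurred_on": "2022-03-01T09:30:00", "username": "admin1@msp.example",
     "ip_address": "192.0.2.10", "category": "User Management",
     "target": "tenant-1", "source": "tenant-1", "description": "User added"},
    {"occurred_on": "2022-03-02T02:15:00", "username": "admin1@msp.example",
     "ip_address": "203.0.113.77", "category": "User Management",
     "target": "MSP", "source": "MSP", "description": "MSP admin user added"},
    {"occurred_on": "2022-03-02T10:00:00", "username": "admin2@msp.example",
     "ip_address": "198.51.100.5", "category": "Firmware Management",
     "target": "tenant-2", "source": "tenant-2", "description": "Firmware upgrade"},
    {"occurred_on": "2022-03-02T11:00:00", "username": "admin2@msp.example",
     "ip_address": "198.51.100.5", "category": "API Gateway",
     "target": "MSP", "source": "MSP", "description": "Token created"},
]


def review(records, sensitive=SENSITIVE_CATEGORIES):
    """Return sensitive-category events, those from a new source IP first."""
    seen = {}       # username -> set of IP addresses seen so far
    findings = []
    ordered = sorted(records, key=lambda r: datetime.fromisoformat(r["occurred_on"]))
    for rec in ordered:
        known = seen.setdefault(rec["username"], set())
        # "New" means the user already has history and this IP is not in it.
        new_ip = bool(known) and rec["ip_address"] not in known
        known.add(rec["ip_address"])
        if rec["category"] in sensitive:
            findings.append({**rec, "new_ip": new_ip})
    # Stable sort keeps time order within each group.
    findings.sort(key=lambda f: not f["new_ip"])
    return findings


if __name__ == "__main__":
    for f in review(RECORDS):
        flag = "NEW-IP" if f["new_ip"] else "      "
        print(flag, f["occurred_on"], f["username"], f["ip_address"],
              f["category"], "-", f["description"])
```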
Classification of Audit Trails

The audit trail is classified according to the type of modification and the affected device management category. The category can be one of the following:

- Configuration
- Firmware Management
- Reboot
- Device Management
- Templates
- User Management
- Variables
- Label Management
- MSP
- Guest
- Groups
- Subscription Management
- API Gateway
- RBAC
- Sites Management
- SAML Profile
- User Activity
- Federated User Activity
- Alert Configuration
- Install Manager
- Tools

MSP Reports

The MSP Reports page enables you to create reports. You can configure these reports to run on demand or periodically. You must have read and write privileges or you must be an Admin user to create reports.

The Reports page is only applicable to the global MSP dashboard.

MSP reports are generated at the end of day, so the current day data is not available in the report.

MSP reporting data is supported from version 2.5.0 onwards; the data is available only after an upgrade to version 2.5.0 or later. Data prior to the 2.5.0 upgrade is not available in the report.

Viewing the MSP Reports Page

To navigate to the Reports page, complete the following procedure:

1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports dashboard is displayed.

The Reports dashboard has the following sections:

- Browse--Explore, email, download, or delete generated reports. Displays the number of generated reports. Click Browse to display the Reports page in List view.
- Manage--Edit or delete scheduled reports. Displays the number of scheduled reports. Click Manage to display the Reports page in Config view. In the Config view, click + to generate a new report.
- Create--Creates a report that can be run instantly or periodically. Displays the number of report categories and the number of report types. Click Create to generate a new report.

Currently, only Device and Subscription Inventory reports are supported in MSP.

Types of Reports

To access the Reports dashboard, set the filter to All Groups in the Network Operations app. Under Analyze, click Reports. Reports that are already run are listed under Browse > Generated Reports. If any report is yet to run, that report is available under Browse > Scheduled Reports.

The following table explains the parameters available in the Device and Subscription Inventory report.

Table 105: Device and Subscription Inventory Report Description

Parameter--Description

Access Points Inventory--The Access Points Inventory page lists the following options both in table and graph form:
- Opening Stock--Total number of unassigned APs in the beginning of the time period.
- Purchased--Number of APs purchased during the time period.
- Returned--Number of APs returned by the tenants to the customer during the time period.
- Assigned--Number of APs assigned to the tenants during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned)

Switch Inventory--The Switch Inventory page lists the following options both in table and graph form:
- Opening Stock--Total number of unassigned switches in the beginning of the time period.
- Purchased--Number of switches purchased during the time period.
- Returned--Number of switches returned by the tenants to the customer during the time period.
- Assigned--Number of switches assigned to the tenants during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned)

Gateway Inventory--The Gateway Inventory page lists the following options both in table and graph form:
- Opening Stock--Total number of unassigned gateways in the beginning of the time period.
- Purchased--Number of gateways purchased during the time period.
- Returned--Number of gateways returned by the tenants to the customer during the time period.
- Assigned--Number of gateways assigned to the tenants during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned)

Device Management License--The Device Management License page lists the following options both in table and graph form:
- Opening Stock--Total number of all licenses available in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Gateway Foundation License--The Gateway Foundation License page lists the following options both in table and graph form:
- Opening Stock--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Gateway Advanced License--The Gateway Advanced License page lists the following options both in table and graph form:
- Opening Stock--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Gateway Base License--The Gateway Base License page lists the following options both in table and graph form:
- Opening--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Access Points Foundation License--The Access Points Foundation License page lists the following options both in table and graph form:
- Opening Stock--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Access Points Advanced License--The Access Points Advanced License page lists the following options both in table and graph form:
- Opening Stock--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Switch Foundation License--The Switch Foundation License page lists the following options both in table and graph form:
- Opening Stock--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Switch Advanced License--The Switch Advanced License page lists the following options both in table and graph form:
- Opening Stock--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

The following table explains the parameters available in Generated Reports.

Table 106: Generated Reports Description

Parameter--Description
- Title--Name of the report.
- Date Run--Time when the report was last run. For Scheduled Reports, this is replaced by Next Run, which indicates the time when the report will run in the future.
- Scope--List of devices or subscription for which the report was run.
- Report Type--Type of report. Currently, the only supported value is MSP Inventory.
- Created by--Email address of the user who created the report.

The following table explains the parameters available in Scheduled Reports.

Table 107: Scheduled Reports Description

Parameter--Description
- Title--Name of the report.
- Next Run--Time when the report will run in the future.
- Status--Status of the report, whether scheduled, failed, running, rerun, or waiting.
- Scope--List of devices or subscription for which the report was run.
- Report Type--Type of report. Currently, the only supported value is MSP Inventory.
- Recurrence--Time period of the scheduled report.
- Created by--Email address of the user who created the report.

Creating a Report

The MSP Reports page in Summary view enables you to browse, manage, and create reports. To create a report, perform the following steps:

1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports page is displayed.
3. In the Reports page, click the Summary icon. Click the Create tile. Alternatively, click the Config view and then click the + sign in the Scheduled Reports page. The Infrastructure page is displayed.
4. Under Infrastructure, click Device and Subscription Inventory and then click Next.
5. Under Scope, select All or a combination of the other choices and then click Next:
   - All--Generates a report for all access points, gateways, switches, and subscriptions.
   - Access Points--Generates a report only for access points.
   - Gateways--Generates a report only for gateways.
   - Switches--Generates a report only for switches.
   - Subscriptions--Generates a report only for subscriptions.
6. Under Report period, select one of the following options and then click Next:
   - Last Month
   - Last 3 Months
   - Last 6 Months
   - Custom Range
7. Select one of the recurrent options:
   - One Time (now)
   - One Time (later)
   - Every day
   - Every week
   - Every month
8. For Report Information, enter the title of the report and an email address where the report will be delivered.
9. Select the format as either PDF or CSV.
10. Click Generate.
11. If you select One Time as an option in step 6, the report is available in the Generated view as Generated Reports. If the report is yet to run, the report is available under Scheduled Reports.

Editing a Report

To edit a report, complete the following procedure:

1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports page is displayed.
3. In the Reports page, click the Scheduled view icon. The Scheduled Reports dashboard is displayed.
4. Under Scheduled Reports, select the report you want to edit and then click the edit icon. The Infrastructure page is displayed.
5. Under Scope, select one or a combination of the following choices and then click Next:
   - All--Generates a report for all access points, gateways, switches, and subscriptions.
   - Access Points--Generates a report only for access points.
   - Gateways--Generates a report only for gateways.
   - Switches--Generates a report only for switches.
   - Subscriptions--Generates a report only for subscriptions.
6. Under Report period, select one of the following options and then click Next:
   - Last Month
   - Last 3 Months
   - Last 6 Months
   - Custom Range
7. Select one of the recurrent options:
   - One Time (now)
   - One Time (later)
   - Every day
   - Every week
   - Every month
8. For Report Information, enter the title of the report and an email address where the report will be delivered.
9. Select the format as either PDF or CSV.
10. Click Generate.
11. If you select One Time as an option, the report is available under Generated Reports. If the report is yet to run, the report is available under Scheduled Reports.

Viewing or Downloading a Report

To view or download a report, complete the following procedure:

1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports page is displayed.
3. In the Reports page, click the Generated view icon. The Generated Reports dashboard is displayed.
4. Under Generated Reports, select the report you want to view or download.
   - To view the report online, click the report name.
   - To download the report, click the report and then click the download icon for either the CSV or PDF file.
   - To email the report, click the email to icon.
   - To delete the report, click the delete icon.

Deleting a Report or Multiple Reports

To delete a report or multiple reports, complete the following procedure:

1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports page is displayed.
3. In the Reports page, click the Generated view icon. Reports that are already run are listed under Generated Reports. If any report is yet to run, that report is available under Scheduled Reports.
4. Select the report you want to delete and then click the delete icon. You can select multiple reports to delete.

Firmware Upgrades for MSP Mode

The Firmware menu under Maintenance displays a list of tenant accounts and the status of the devices assigned to the tenant accounts.

Viewing the Firmware Dashboard

1. In the Network Operations app, use the filter to select All Groups.
2. Under Maintain, click Firmware.
3. Select one of the following tabs: Access Points, Switch-MAS, Switch-Aruba, or Gateways.

The Firmware menu displays the Access Points, Switch-MAS, Switch-Aruba, and Gateways tabs that list all the tenants with firmware and compliance status for each of the device types. The following table describes the Firmware dashboard for Access Points; the tables for the other tabs are similar:

Table 108: Firmware Dashboard Parameters for APs Tab

Data Pane Item--Description
- Customer Name--Name of the customer.
- Upgrade Status--Status of the devices associated with the tenant account. This column displays one of the following:
   - Upgrading
   - Scheduling in progress
   - Downloading firmware
   - Upgrade successful, ready for reboot
   - Upgrade successful and rebooting AP
   - Upgrade in process
   - Firmware upgrade failed. Please try again.
   - Rebooting
   - Live upgrade initiating
   - Live upgrade initiated
- Compliance Status--Status of compliance for the tenant. This column indicates the compliance status such as Set, Not Set, or Compliance scheduled on <date and time> for a specific tenant.
- Manage Firmware Compliance--Enables you to plan upgrades. See Managing Firmware Compliance Based on Tenant Account.

Managing Firmware Compliance Based on Device Tabs

1. In the Network Operations app, use the filter to select All Groups.
2. Under Maintain, click Firmware.
3. Select one of the following tabs: Access Points, Switch-MAS, Switch-Aruba, or Gateways.
4. Click Manage Firmware Compliance at the top right. The Manage Firmware Compliance window opens.
5. Select the firmware version and the time for upgrade.
6. Select Auto Reboot if you want Aruba Central to automatically reboot the device after a successful device upgrade. The Auto Reboot option is not available for Access Points.
7. Select one of the following options as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at a later date and time.
8. Click Save and Upgrade.
9. MSP initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

Managing Firmware Compliance Based on Tenant Account

1. In the Network Operations app, use the filter to select All Groups.
2. Under Maintain, click Firmware.
3. Select one of the following tabs: Access Points, Switch-MAS, Switch-Aruba, or Gateways.
4. From the dashboard, select one or more customer names and click Continue.
5. The Upgrade <Device Type> Firmware page is displayed. You can click the check box on the table heading of the tenant details table to include all the tenants listed in the current page for the firmware upgrade. To manually upgrade firmware for specific tenants, select the check box corresponding to the tenant that requires a manual firmware upgrade in the tenant details table. Clicking the Continue button displays the Upgrade <Device Type> Firmware page. The Filter by upgrade status drop-down list disappears when the Update All button is clicked.
6. Perform the following actions:

Table 109: Upgrade <Device Type> Firmware

Component--Description
- Firmware Version--The firmware version to which the tenant is required to be upgraded. Aruba Central considers the recommended firmware version as the default if no version is specified in the field.
- Auto Reboot--Select this check box to reboot the device automatically after the download of the new version. NOTE: The Auto Reboot option is not applicable for Instant APs.
- Schedule--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time.
   - Now--To set the firmware upgrade to be carried out immediately.
   - Later Date--To set the firmware upgrade to take place at a later date and time.
   Click the Upgrade button to upgrade the firmware.
- Cancel--Click this button to cancel the settings and go back to the Maintenance > Firmware page.

7. The Firmware page also displays the Cancel All button. Click the Cancel All button to cancel the manual firmware upgrade for all the tenants in the MSP mode.

The compliance upgrade settings for the tenants and the tenant devices take precedence over the manual firmware upgrade. The scheduled manual firmware upgrade becomes invalid when you set or schedule the compliance upgrade.
Firmware Upgrade in MSP Through NB API Aruba Central provides an option to upgrade firmware for all the tenants mapped to the MSP through APIs in Maintenance > API Gateway. To set or get the country code at group level through API: 1. In the Account Home page, click API Gateway. 2. Click System Apps & Tokens tab and generate a token key. 3. Download and copy the generated token. 4. Click the link displayed in the APIs tab of the API Gateway. The Central Network Management APIs page opens. 5. On the left navigation pane, select Firmware from the URL drop-down list. 6. Paste the token key in the Token field and press enter. 7. In Firmware Management, the following options are displayed: n [POST] /firmware/v1/msp/upgrade--Upgrades firmware at the MSP level. To configure the firmware upgrade for all the tenants of a specific device type, enter the following inputs in the corresponding labels of the script { "firmware_scheduled_at": 0, "device_type": "string", "firmware_version": "string", "reboot": true, "exclude_groups": "string", "exclude_customers": "string" }: Aruba Central | User Guide 493 Table 110: Firmware Upgrade at MSP level Label Description Firmware_ The time at which the firmware upgrade must be initiated. The value entered in this field is scheduled_at the count in seconds from the current time. Device_type The type of device for which the firmware upgrade must be initiated. Firmware_ version The firmware version to which the device is required to be upgraded. Aruba Central takes the recommended firmware version as the default version if no version is specified in the field. Reboot True or false value to enable or disable the reboot of device once the firmware upgrade build is downloaded. NOTE: The Reboot option is not applicable for Instant APs. Excludegroups Exclude_ customers The list of groups to be excluded from firmware upgrade. The list of tenants to be excluded from firmware upgrade. 
n [POST] /firmware/v1/msp/upgrade/customers/{customer_id}--Upgrades firmware at the tenant level. To configure the firmware upgrade for a specific tenant of a specific device type, enter the following inputs in the corresponding labels of the script { "firmware_scheduled_at": 0, "device_type": "string", "firmware_version": "string", "reboot": true, "exclude_groups": "string" }. Table 111: Firmware Upgrade at the Tenant level Label Description Firmware_ The time at which the firmware upgrade must be initiated. The value entered in this field is scheduled_at the count in seconds from the current time. Device_type The type of device for which the firmware upgrade must be initiated. Firmware_ version The firmware version to which the device is required to be upgraded. Aruba Central takes the recommended firmware version as the default version if no version is specified in the field. Reboot True or false value to enable or disable the reboot of device once the firmware upgrade build is downloaded. NOTE: The Reboot option is not applicable for Instant APs. Excludegroups List of groups to be excluded from firmware upgrade. Managed Service Provider | 494 n [POST] /firmware/v2/msp/upgrade/cancel--Cancels a scheduled upgrade firmware of devices specified by device_type. Enter the following inputs in the corresponding labels of the script { "device_type": "string", "exclude_groups": "string", "exclude_customers": "string" }. Table 112: Cancel Scheduled Upgrade at MSP Level Label Description Device_type The type of device for which the firmware upgrade schedule must be canceled. Exclude-groups List of groups to be excluded while canceling scheduled upgrade. Exclude_customers List of customer IDs to be excluded while canceling scheduled upgrade. n [POST] /firmware/v2/msp/upgrade/customers/{customer_id}/cancel--Cancels a scheduled upgrade firmware of devices specified by device_type for a tenant. 
Enter the following inputs in the corresponding labels of the script { "device_type": "string", "exclude_groups": "string" }. Table 113: Cancel Scheduled Upgrade at the Tenant Level Label Description Device_type The type of device for which the firmware schedule must be canceled. Exclude-groups List of groups to be excluded while canceling scheduled upgrade. The following APIs that include v1 version will be deprecated from API Gateway and is replaced with v2 version: n [POST] /firmware/v1/msp/upgrade/cancel n [POST] /firmware/v1/msp/upgrade/customers/{customer_id}/cancel Order of Precedence For Compliance The devices in the MSP mode inherits the compliance set in the following order of precedence from highest to lowest: n Group level n Tenant level n MSP level The devices in MSP mode exhibits the following behavior related to compliance settings: Aruba Central | User Guide 495 n The compliance set at the group level overrides the compliance set at the tenant level or MSP level. If there is no compliance at the group level, the devices in the group inherits the compliance configured at the tenant level. n The compliance set at the tenant level overrides the compliance set at the MSP level. If there is no compliance at the tenant level and group level, the tenant devices inherit the compliance configured at the MSP level. Customizing the Portal in MSP Mode The Portal Customization page enables you to customize the look and feel of the user interface and the email notifications sent to the customers and users. For example, you can use your company logo in the user interface and company address in the email notifications sent to the customers or users. Figure 127 Customizing the Portal in the Network Operations App To customize the look and feel of the portal, complete the following steps: 1. In the Network Operations app, set the filter to Global. 2. Under Maintain, click Portal Customization. 3. The Portal Customization page is displayed. 4. 
Under Customization, configure the following information: n Product Name--Name of the product. n Provider Name--Name of the company. n Contact Link--The URL to the company website that shows the contact address of the company. n Sender Email Address--The email address from which the notifications are sent. n Mailing Address--The postal address of the company. n Service Link--The URL to the company website showing the service related information. n Terms and Conditions Link--The URL to the company website listing the terms and conditions. 5. If you want customize the logo of your portal, click Skinning. Managed Service Provider | 496 6. Browse to your local directory and upload the logo image. 7. Click Save Settings. The customized logo is displayed in the following pages: n Tenant account--All the apps and pages applicable to the tenant. For more information about tenant accounts, see Provisioning Tenant Accounts. Figure 128 Sample Logo for a Customer Account n Email invite--Email invite sent while adding a new user. The email contains the registration link. For more information about adding a new user, see Adding a Custom Role in MSP Account Home. MSP Deployment Models The MSP mode supports multiple configuration constructs such as UI groups, template groups, local overrides, and so on. This section describes various MSP deployment models using examples. MSP supports the following deployment models: n MSP Owns Devices and Subscriptions (Deployment Model 1) n End-Customer Owns Both Devices and Subscriptions But MSP Manages (Deployment Model 2) n Hybrid MSP Deployment Model (Deployment Model 3) MSP Owns Devices and Subscriptions (Deployment Model 1) In this model, the MSP offers Network as a Service (NaaS). The MSP owns both the devices and subscriptions. The MSP acquires end-customers and manages the end-customer's network. The MSP temporarily assigns devices and subscriptions to end-customers for the duration of the managed service contract. 
Once the contract ends, the devices and the subscriptions are returned back to the MSP's common pool of resources and can be reassigned to another end-customer.

Setup and Provisioning

After the MSP purchases the devices and subscriptions, the MSP administrator has to do the following:
- Set up the Aruba Central account.
- Onboard devices.
- Assign device subscriptions and network services subscriptions.

MSPs can provide Network as a Service to end-customers using Aruba Central MSP mode capabilities. Aruba Central provides simplified provisioning. The Overview > Dashboard page under Manage in the MSP view allows you to add, view, edit, and delete tenant accounts. After adding a device, the MSP administrator must map the device to the tenant account for device management and monitoring operations. After you create a tenant account, you can map the tenant to a group. The group associated to the tenant account in the MSP mode shows up as the default group for tenant account users. In the MSP mode, all configuration changes made to the group associated to the tenant account are applied to the default group on the tenant account.

Customizing the Portal

MSPs can customize their Aruba Central MSP portal and guest splash pages by uploading their own logo. The Portal Customization pane allows you to customize the look and feel of the user interface and the email notifications sent to customers and users. Aruba Central also allows MSPs to localize various pages to support a diverse customer market.

Monitoring and Reporting

Using the MSP Dashboard, MSPs can monitor and observe trends on end-customer networks. MSPs can do the following from the MSP Dashboard:
- View total number of tenant accounts and consolidated device inventory and subscription status.
- View graphs representing the devices under management, tenant accounts added, and subscription renewal schedule.
- Navigate to each tenant account.

Managing Firmware and Maintenance

MSPs can streamline and automate end-customer's network management while maintaining complete control. MSPs can perform one-click firmware updates or schedule specific updates, manage user accounts across end-customers with different levels of access and tag devices with labels to simplify firmware management and configuration.

Example Deployment Scenario

In this scenario, an MSP is offering the following wireless management services:
- WiFiConnectGo--In this program, for a monthly fee per Instant AP, customers part of this program agree to broadcast MSP's free public WiFi SSID WiFiConnectGo. Customers can add up to 15 additional custom SSIDs, including guest, of their own. Tenant account administrators are responsible for configuring any additional SSIDs and ongoing monitoring and maintenance. MSP is responsible for installing and bringing up the Instant AP only.
- WiFiConnectGo-Plus--In this program, for an additional monthly fee per Instant AP, customers part of this program need not broadcast the free public WiFi SSID WiFiConnectGo. Customers can add up to 15 custom SSIDs, including guest, of their own. MSP is responsible for installing Instant APs, configuring custom SSIDs, and ongoing monitoring and maintenance.

Configuring WiFiConnectGo Using Default UI Groups

Use this deployment model if your customer deployments are identical. UI groups support an inheritance model from MSP to tenant. As shown in the following figure, MSP uses MSP UI groups to push SSID configuration to the default group in each tenant account. Tenants can choose to add additional custom SSIDs to the default group. All sites are mapped to the same default group.

Figure 129 MSP Deployment Using Default UI Groups

Configuring WiFiConnectGo-Plus Using User-Defined UI Groups

Use this deployment model if your customer deployments are unique and if you wish to use the Aruba Central user interface for configuring.
UI groups support an inheritance model from MSP to tenant. As shown in the following figure, each tenant has their own custom SSID configuration. In this scenario, the MSP administrator can create separate user-defined UI groups for each tenant. Sites with a common SSID are mapped to the same UI group. MSP administrators can use the available UI group APIs to add, modify, or remove allowed wireless configuration options.

Figure 130 MSP Deployment Using User-Defined UI Groups

Configuring WiFiConnectGo-Plus Using Template Groups

As shown in the following figure, one template group is defined for each tenant and all devices are associated to the same group. Using the if/else conditional statements, you can push SSIDs to Instant APs selectively. MSP administrators can use the template and variable APIs to add, modify, or remove any wireless configuration. You can use this deployment model if you wish to automate your customer deployments using Aruba CLIs and Aruba Central APIs.

Figure 131 MSP Deployment Using Template Groups

End-Customer Owns Both Devices and Subscriptions But MSP Manages (Deployment Model 2)

In this deployment model, the account type must be Standard Enterprise Mode. Aruba recommends that you contact your Aruba Central sales representative or the Aruba Central Support team if you are an MSP proposing this model to your end-customer.

In this model, the end-customer owns both the devices and subscriptions, but the MSP manages the end-customer's network. The end-customer can be one of the following:
- An existing Aruba customer who owns Aruba devices, but does not have an Aruba Central account.
- An existing Aruba customer who owns Aruba devices and is managing the network using Aruba Central.

In this model, to manage end-customer-owned devices and subscriptions, the MSP can use the Aruba Central Standard Enterprise mode.
The MSP need not create an Aruba Central account of their own, but can instead add their (MSP) administrator to the end-customer's Aruba Central account. The MSP administrator will only have access to each end-customer account.

Setup and Provisioning

The end-customer purchases the devices and subscriptions. The end-customer contacts the MSP to manage the network. As the devices and subscriptions are owned by the end-customer, the MSP uses the Aruba Central Standard Enterprise mode to set up and provision the tenant account. The MSP has to request the end-customer to add the MSP administrator to their Aruba Central account. The MSP administrator can use the Switch Customer option to switch between end-customer accounts.

Monitoring and Reporting

As the MSP is not using the MSP mode, there is no single pane view of end-customer accounts managed by the MSP. The MSP has to monitor each end-customer individually. The MSP administrator has to use the Aruba Central Standard Enterprise mode to monitor the end-customer network.

Managing Firmware and Maintenance

The MSP has to use the Firmware menu under Maintain to view the latest supported firmware version of the device, details of the device, and the option to upgrade the device. The MSP administrator has to manage software upgrades for each end-customer individually.

Example Deployment Scenario

In this scenario, an MSP has to configure Instant APs and manage end-customer networks at two different sites. The following are the site details:

Site 1
- Location: University Ave, Berkeley, CA
- SSID Name: "WiFi_CE"
- Security: WPA2-PSK
- SSID Password: "password@123"
- VLAN: 20

Site 2
- Location: University Ave, Berkeley, CA
- SSID Name: "WiFi_CE"
- Security: WPA2-PSK
- SSID Password: "password@123"
- VLAN: 40

Considering the requirements, each site needs two Instant APs. The only difference between the sites is the VLAN ID.

Deployment Using User-Defined UI Groups

The MSP can configure Instant APs at both sites using user-defined UI groups. As the Wi-Fi configuration per site is different, one UI group must be created for each site. For each site, the tenant account administrator has to do the following:
1. Create a new UI group for each site.
2. Configure the UI group with Wi-Fi settings specific to each site.
3. Map the Instant APs in each site to the respective UI group.

Points to Note:
- One user-defined UI group is created for each site.
- For any new site with a different VLAN ID, the tenant account administrator must create a new UI group.
- If a configuration change is required at all sites, the tenant account administrator must manually edit each UI group as each group is independent of the other. For example, to change the Wi-Fi SSID name from WiFi_CE to WiFi_Secure_CE, the tenant account administrator must edit each UI group.

Deployment Using Template Groups

The MSP can configure Instant APs at both sites using template groups. The tenant account administrator can create a single template group for both sites with a variable file that differentiates the VLAN setting per device. Template groups are not supported at the MSP level. However, template groups can be defined and managed at each tenant account individually. For both sites, the tenant account administrator has to do the following:
1. Create one tenant template group.
2. Configure the newly created template group by uploading a base configuration with the WiFi_CE setting and a variable for the SSID VLAN.
3. Upload a variable file with unique entries for each Instant AP. For the Instant APs part of Site 1, the VLAN variable value is 20. For the Instant APs part of Site 2, the VLAN variable value is 40.
4. Map Site 1 and Site 2 Instant APs to the common template group.

Points to Note:
- One tenant template group is created for both sites.
- For every additional site with a different VLAN ID, the same template group can be used with a modified variable file.
- If a configuration change is required at all sites, the common template group can be updated and pushed to all sites. For example, to change the Wi-Fi SSID name from WiFi_CE to WiFi_Secure_CE, the tenant account administrator can edit the common template group and push the configuration changes to all sites.

Hybrid MSP Deployment Model (Deployment Model 3)

In this model, Aruba Central supports a hybrid deployment model for the MSP. The MSP can use the following deployment models in conjunction to manage the end-customers' network:
- MSP Owns Devices and Subscriptions (Deployment Model 1)--The MSP owns both the devices and subscriptions. The MSP acquires the tenants and uses the Aruba Central MSP mode to manage the tenant's network and monitors multiple tenant accounts using the MSP Dashboard.
- End-Customer Owns Both Devices and Subscriptions But MSP Manages (Deployment Model 2)--The MSP manages end-customer's network in which the end-customer owns both the devices and subscriptions. The MSP uses the Aruba Central Standard Enterprise mode to manage the network and the MSP administrator uses the Switch Customer option to navigate between different end-customer accounts.

In this deployment model if the end customer owns both devices and subscriptions, the account type must be Standard Enterprise Mode. Aruba recommends that you contact your Aruba Central sales representative or the Aruba Central Support team if you are an MSP proposing this model to your end-customer.

Frequently Asked Questions

How do I create an Aruba Central MSP account?

As MSP mode is an operational mode of the Network Operations app which is one of the apps in Aruba Central, the first step to create an MSP account is to create an Aruba Central account, subscribe only to the Network Operations app, and then enable Managed Service Mode.
- Sign up for Aruba Central evaluation here.
- Enable MSP mode.

Should tenants sign up for an Aruba Central account as well?

No. With MSP mode enabled, the MSP administrator manages the creation and deletion of tenant accounts. After a tenant account is created, the MSP administrator can add tenant users to the account. To create a tenant user, the MSP administrator must provide a valid email address for the user. A verification email is sent to this email address. Tenant users have access to their individual tenant account only. Tenant users do not have access to other tenant accounts managed by the MSP.

Who owns the hardware and subscriptions?

In the MSP mode, all the hardware and subscriptions are owned by the MSP. The MSP temporarily assigns devices and their corresponding subscriptions to tenants for the duration of the managed service contract. When the contract ends, the devices and the subscriptions are returned back to the common pool of resources of the MSP and can be reassigned to another tenant.

Can existing Aruba Central customers migrate to an MSP account?

End customers who own their own devices and subscriptions cannot transfer ownership of the devices to an MSP. However, the MSP administrator can manage the end customer network.

What are the supported devices and architectures?

MSP supports all devices and architectures supported by Aruba Central. See Supported APs and Supported Switches. Aruba Central supports wireless, wired, and SD-WAN deployments, either independently or in combination. For example, as an MSP, you can manage the following combinations:
- Customer environments having a wireless deployment.
- Customer environments having both wired and wireless deployments.
- Customer environments having an SD-WAN deployment.

Aruba Central does not support managing gateways at the MSP level. However, gateways can be configured and managed at the tenant account level.

Which group is the default group for the tenant account?

The MSP group associated to the Tenant account shows up as the default group for Tenant account users. All configuration changes made to the "MSP group" associated to the "Tenant account" are applied to the default group on the Tenant account.

What are predefined user roles?

The Users & Roles tile under Global Settings in the Account Home page allows you to configure the following types of users with system-defined roles:

| User Role | Standard Enterprise Mode | MSP Mode |
|---|---|---|
| admin | Has full access to all devices. Can provision devices and enable access to application services. Can create or update users, groups, and labels. | Has full access to tenant accounts. Can create, modify, provision, and manage tenant accounts. |
| readwrite | Has access to the groups and devices assigned in the account. Can add, modify, configure, and delete a device in the account. | Can access and modify tenant accounts. |
| readonly | Can view the groups and devices. Can view generated reports. | Can view tenant accounts. |
| guestoperator | Can access and modify cloud guest splash page profiles. Can configure visitor accounts for the cloud guest splash page profiles. | Can access and modify cloud guest splash page profiles. Can configure visitor accounts for the cloud guest splash page profiles. |

What are custom user roles?

Along with the predefined user roles, Aruba Central allows you to create custom roles with specific security requirements and access control. However, only the users with the administrator role and privileges can create, modify, clone, or delete a custom role in Aruba Central. With custom roles, you can configure access control at the application level and specify access rights to view or modify specific application services or modules. For example, you can create a custom role that allows access to specific applications like Guest Access or network management and assign it to a user.
You can create a custom role with specific access to MSP modules. The MSP application allows users with administrator role and privileges to define user access to MSP modules such as Customer Management and Portal Customization.

The MSP tenant account user does not have access to the MSP application. Even if a tenant account user is assigned a custom role having MSP application privileges, the tenant account user will not have access to the MSP application and MSP will not appear in the Global Settings > Users & Roles > Roles > Allowed Applications list.

What tasks can be performed by an MSP user and tenant user?

In the MSP mode, MSP users have a superset of administration options compared to tenant users. An MSP administrator can perform the following administrative tasks:
- Tenant account management.
- Device and subscription management across all tenants.
- Monitoring and event management across all tenants.
- Configuration management across all tenants.
- User management across all tenants.
- API management for the MSP and across all tenants.

A tenant account administrator can perform the following administrative tasks for their respective tenant account only:
- Monitoring and event management.
- Configuration management.
- User management.
- API management.

Chapter 8 IAPs

Instant Access Points (IAPs) offer an enterprise-grade networking solution with a simple setup. The WLAN solution with IAPs supports simplified deployment, configuration, and management of Wi-Fi networks. APs run the Aruba Instant software that virtualizes Aruba Mobility Controller capabilities on 802.11 APs and offers a feature-rich enterprise-grade Wi-Fi solution.

IAPs are often deployed as a cluster. An IAP cluster includes a conductor AP and a set of other APs that act as member APs. In an IAP deployment scenario, only the first AP or the conductor AP that is connected to a provisioning network is configured.
All other IAPs in the same VLAN join the conductor AP and inherit the configuration changes. The IAP clusters are configured through a common interface called Virtual Controller. A Virtual Controller represents the combined intelligence of the IAPs in a cluster.

Supported Deployment Modes

Aruba IAPs can be deployed in the following modes in Aruba Central:
- Cluster mode--In this mode, several IAPs form a cluster when connected to a provisioning network and a conductor Instant AP is elected. In the cluster mode, a new IAP onboarded to Aruba Central can join an existing Instant AP cluster.
- Standalone mode--In this mode, individual IAPs are provisioned in groups and managed from Aruba Central.

Configuration and Management

Network administrators can manage IAPs through the Aruba Instant UI, Aruba Central, or AirWave management system. For information on how to configure IAPs using the Aruba Instant UI, see the Aruba Instant User Guide. For more information on how to deploy, provision, manage, and monitor IAPs from Aruba Central, see the following topics:
- Supported Instant APs
- Provisioning Instant APs
- Configuring Device Parameters
- Configuring Network Profiles on IAPs
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring ARM and RF Parameters on IAPs
- Configuring IDS Parameters on APs
- Configuring Authentication and Security Profiles on IAPs
- Configuring IAPs for VPN Services
- Configuring DHCP Pools and Client IP Assignment Modes on IAPs
- Configuring Services
- Configuring Uplink Interfaces on IAPs
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Opening a Remote Console
- Mapping IAP Certificates
- Configuring APs Using Templates
- Managing Variable Files
- Viewing APs Configuration Tabs

Supported Instant APs

The following table lists the Instant AP platforms, the installation mode, the minimum supported Aruba Instant software versions, and the Instant APs supporting power draw:

Table 114: Supported Instant AP Platforms

| Instant AP Platform | Installation Mode | Minimum Supported Aruba Instant Software Version | Power Draw Support |
|---|---|---|---|
| AP-655 | Indoor | Aruba Instant 8.10.0.0 | Yes |
| AP-635 | Indoor | Aruba Instant 8.9.0.0 | Yes |
| AP-567EX | Outdoor | Aruba Instant 8.7.1.0 | No |
| AP-567 | Outdoor | Aruba Instant 8.7.1.0 | Yes |
| AP-565EX | Outdoor | Aruba Instant 8.7.1.0 | No |
| AP-565 | Outdoor | Aruba Instant 8.7.1.0 | Yes |
| AP-503H | Indoor | Aruba Instant 8.7.1.0 | Yes |
| AP-577EX | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-577 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-575EX | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-575 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-574 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-518 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-505H | Indoor | Aruba Instant 8.7.0.0 | Yes |
| AP-505 | Indoor | Aruba Instant 8.6.0.0 | Yes |
| AP-504 | Indoor | Aruba Instant 8.6.0.0 | Yes |
| AP-555 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP-535 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP-534 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP-515 | Indoor | Aruba Instant 8.4.0.0 | Yes |
| AP-514 | Indoor | Aruba Instant 8.4.0.0 | Yes |
| AP-387 | Outdoor | Aruba Instant 8.4.0.0 | Yes |
| AP-303P | Indoor | Aruba Instant 8.4.0.0 | No |
| AP-377EX | Outdoor | Aruba Instant 8.3.0.0 | No |
| AP-377 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-375EX | Outdoor | Aruba Instant 8.3.0.0 | No |
| AP-375 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-374 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-345 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-344 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-318 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-303 | Indoor | Aruba Instant 8.3.0.0 | No |
| AP-203H | Indoor | Aruba Instant 6.5.3.0 | No |
| AP-367 | Outdoor | Aruba Instant 6.5.2.0 | No |
| AP-365 | Outdoor | Aruba Instant 6.5.2.0 | No |
| AP-303HR | Indoor | Aruba Instant 6.5.2.0 | No |
| AP-303H | Indoor | Aruba Instant 6.5.2.0 | Yes |
| AP-203RP | Indoor | Aruba Instant 6.5.2.0 | No |
| AP-203R | Indoor | Aruba Instant 6.5.2.0 | No |
| IAP-305 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | Yes |
| IAP-304 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | Yes |
| IAP-207 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | No |
| IAP-335 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-334 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-315 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | No |
| IAP-314 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-325 | Indoor | Aruba Instant 6.4.4.3-4.2.2.0 | No |
| IAP-324 | Indoor | Aruba Instant 6.4.4.3-4.2.2.0 | No |
| IAP-277 | Outdoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-228 | Indoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-205H | Indoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-215 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-214 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-205 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-204 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-275 | Outdoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-274 | Outdoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-103 | Indoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-225 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-224 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-115 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-114 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| RAP-155P | Indoor | Aruba Instant 6.2.1.0-3.3.0.0 | No |
| RAP-155 | Indoor | Aruba Instant 6.2.1.0-3.3.0.0 | No |
| RAP-109 | Indoor | Aruba Instant 6.2.0.0-3.2.0.0 | No |
| RAP-108 | Indoor | Aruba Instant 6.2.0.0-3.2.0.0 | No |
| RAP-3WN | Indoor | Aruba Instant 6.1.3.1-3.0.0.0 | No |
| RAP-3WNP | Indoor | Aruba Instant 6.1.3.1-3.0.0.0 | No |

- AP-635 and AP-655 IAPs are Wi-Fi 6E capable APs that support the 6 GHz radio band, in addition to the 2.4 GHz and 5 GHz radio bands.
- RAP-155, RAP-155P, IAP-214, IAP-215, IAP-224, IAP-225, IAP-228, IAP-274, IAP-275, and IAP-277 IAPs are no longer supported from Aruba Instant 8.7.0.0 onwards.
- IAP-103, RAP-108, RAP-109, IAP-114, IAP-115, IAP-204, IAP-205, and IAP-205H IAPs are no longer supported from Aruba Instant 8.3.0.0 onwards.
- By default, AP-318, AP-374, AP-375, and AP-377 IAPs have Eth1 as the uplink port and Eth0 as the downlink port.
  Aruba does not recommend upgrading these IAPs to Aruba Instant 8.5.0.0 or 8.5.0.1 firmware versions, as the upgrade process changes the uplink port from Eth1 to Eth0, thereby making the devices unreachable.
- For more information about Aruba's End-of-life policy and the timelines for hardware and software products at the end of their lives, see: https://www.arubanetworks.com/support-services/end-of-life/
- Data sheets and technical specifications for the supported AP platforms are available at: https://www.arubanetworks.com/products/networking/access-points/

Provisioning Instant APs

The following figure illustrates the procedure for bringing up Instant Access Points (IAPs) and configuring a basic WLAN setup. To view a detailed description of the tasks, click the task link in the flowchart.

The UI-based provisioning of APs is available for Foundation and Advanced licenses for APs.

Figure 132 Getting Started--IAPs

Configuring APs Using Templates

Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate access point (AP) deployments.

The template-provisioning of APs is available for Foundation and Advanced licenses for APs.

To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that the device administrators familiarize themselves with the CLI configuration commands available on Aruba APs.

For template-based provisioning, APs must be assigned to a group with template-based configuration method enabled.

Prerequisites

Before provisioning APs in a template group, ensure that the following prerequisites are completed:
1. Managing Groups
2. Assigning Devices to Groups

Creating a Configuration Template for APs

To create a template for the APs in a template group, complete the following steps:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure APs in a template group are displayed.
4. In the Templates table, click + to add a new template. The Add Template window is displayed.
5. Under Basic Info, enter the following information:
   a. Template Name--Enter the template name.
   b. Model--Set the model parameter to ALL.
   c. Version--Set the model parameter to ALL or an 8.x.x.x version.
6. Under Template, add the CLI script content.
7. Click Save.

Verifying Configuration Status

- To verify that Gateways are assigned to the template group and the configuration is pushed from Aruba Central, go to Analyze > Audit Trail.
- To view the configuration sync errors, use the Configuration Audit for APs.

For more information, see Viewing Audit Trails in the Account Home Page.

Best Practices to Configure APs Using Templates

The following are the best practices while adding the content to the template:
- Ensure that the command text indentation matches the indentation in the running configuration.
- Aruba recommends including utf8 in the WLAN access rules and in the WLAN SSID profile when template groups are used to configure APs.
- The template allows multiple per-ap-settings blocks. The template must include the per-ap-settings %_sys_lan_mac% variable. The per-ap-settings block uses the variables for each AP. The general VC configuration uses variables for the conductor AP to generate the final configuration from the provided template. Hence, Aruba recommends that you upload all variables for all devices in a cluster and change values as required for individual AP variables.
- You can obtain the list of variables for per-ap-settings by using the show amp-audit command. The following example shows the list of variables for per-ap-settings.

    (Instant AP)# show amp-audit | begin per-ap
    per-ap-settings 70:3a:0e:cc:ee:60
     hostname EE:60-335-24
     rf-zone bj-qa
     ip-address 10.65.127.24 255.255.255.0 10.65.127.1 10.65.6.15 ""
     swarm-mode standalone
     wifi0-mode access
     wifi1-mode access
     g-channel 6+ 21
     a-channel 140 26
     uplink-vlan 0
     g-external-antenna 0
     a-external-antenna 0
     ap1x-peap-user peap22 282eaf1077b8d898b91ec41b5da19895

- The commands in the template are case-sensitive.
- IF ELSE ENDIF conditions are supported in the template. If the template text includes the if condition, the % sign is required at the beginning and the end of the text. For example, %if guest%. The following example shows the template text with the IF ELSE ENDIF condition.

    wlan ssid-profile %ssid_name%
     %if disable_ssid=true%
     disable-ssid
     %endif%
     %if ssid_security=wpa2%
     opmode wpa2-aes
     %else%
     opmode opensystem
     %endif%

  Templates also support nesting of the IF ELSE ENDIF condition blocks. The following example shows how to nest such blocks:

    %if condition1=true%
    routing-profile
     route 10.10.0.0 255.255.255.0 10.10.0.255
    %if condition2=true%
    routing-profile
     route 10.20.0.0 255.255.255.0 10.20.0.255
    %else%
    routing-profile
     route 10.30.0.0 255.255.255.0 10.30.0.255
    %endif%
    %else%
    routing-profile
     route 10.40.0.0 255.255.255.0 10.40.0.255
    %if condition3=true%
    routing-profile
     route 10.50.0.0 255.255.255.0 10.50.0.255
    %else%
    routing-profile
     route 10.60.0.0 255.255.255.0 10.60.0.255
    %endif%
    %endif%

- For profile configuration CLI text, for example, vlan, interface, access-list, ssid and so on, the first command must start with no white space.
  The subsequent local commands in a given profile must start with at least one initial space (' ') or be indented as shown in the following examples:

  Example 1

    wlan auth-server Test_Radius_Server
     ip 192.168.4.4
     port 1812
     acctport 1813
     key 123456

  Example 2

    wlan auth-server %auth_server_name%
     ip %auth_server_ip%
     port 1812
     acctport 1813
     %if auth_server_key%
     key %auth_server_key%
     %else%
     key 123456
     %endif%

- To comment out a line in the template text, use the pound sign (#). Any template text preceded by # is ignored when processing the template.
- To allow or restrict APs from joining the Instant AP cluster, Aruba Central uses the _sys_allowed_ap_ system-defined variable. Use this variable only when allowed APs configuration is enabled. For example, _sys_allowed_ap: "a_mac, b_mac, c_mac". Use this variable only once in the template.
- The variables configured for the Instant AP devices functioning as the VCs are replaced with the values configured at the template level.
- If any device in the cluster has any missing variables, the configuration push to those AP devices in the cluster fails. The audit trail for such instances shows the missing variables.
- You can configure the RF zone for an AP by adding the rf-zone %rfzone% variable in the template. Similarly, you can add the wifi0-mode %wifi0-mode% variable to configure a Wi-Fi0 interface of an AP to function in the access, monitor, or spectrum monitor mode.

Sample Template

The following example shows the typical contents allowed in a template file for APs:

    virtual-controller-country %countrycode%
    virtual-controller-key d2d8c79e010af35667dae85f950cf144b476ab4beba9ce5696
    organization %org%
    name %VCname%
    virtual-controller-ip %vcip%
    terminal-access
    clock time zone none 00 00
    rf-band all
    allow-new-aps
    allowed-ap 38:17:c3:cd:34:ca
    hash-mgmt-password
    hash-mgmt-user admin password cleartext public
    syslog-level debug
    syslog-level warn ap-debug
    arm
     wide-bands none
     a-channels 44,44+,40,36
     g-channels 13,1+
     min-tx-power 15
     max-tx-power 127
     band-steering-mode prefer-5ghz
     air-time-fairness-mode fair-access
     channel-quality-aware-arm-disable
     client-match
     client-match nb-matching 55
     client-match calc-interval 5
     client-match slb-mode 2
    wlan access-rule default_wired_port_profile
     index 0
     rule any any match any any any permit
    wlan access-rule wired-SetMeUp
     index 1
     rule masterip 0.0.0.0 match tcp 80 80 permit
     rule masterip 0.0.0.0 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
    wlan access-rule %ssid_name%
     index 2
     rule any any match any any any permit
    wlan ssid-profile %ssid_name%
     %if disable_ssid=true%
     disable-ssid
     %endif%
     %if ssid_security=wpa2%
     opmode wpa2-aes
     %else%
     opmode opensystem
     %endif%
     type employee
     essid %ssid_name%
     wpa-passphrase %pw%
     max-authentication-failures 0
     auth-server InternalServer
     rf-band all
     captive-portal disable
     dtim-period 1
     broadcast-filter arp
     denylist
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
     okc
    %if condition1=true%
    routing-profile
     route 10.10.0.0 255.255.255.0 10.10.0.255
    %if condition2=true%
    routing-profile
     route 10.20.0.0 255.255.255.0 10.20.0.255
    %else%
    routing-profile
     route 10.30.0.0 255.255.255.0 10.30.0.255
    %endif%
    %else%
    routing-profile
     route 10.40.0.0 255.255.255.0 10.40.0.255
    %if condition3=true%
    routing-profile
     route 10.50.0.0 255.255.255.0 10.50.0.255
    %else%
    routing-profile
     route 10.60.0.0 255.255.255.0 10.60.0.255
    %endif%
    %endif%
    wired-port-profile wired-SetMeUp
     switchport-mode access
     allowed-vlan all
     native-vlan guest
     no shutdown
     access-rule-name wired-SetMeUp
     speed auto
     duplex auto
     no poe
     type guest
     captive-portal disable
     no dot1x
    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan all
     native-vlan 1
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     captive-portal disable
     no dot1x
    enet0-port-profile default_wired_port_profile
    enet1-port-profile wired-SetMeUp
    uplink
     preemption
     enforce none
     failover-internet-pkt-lost-cnt 10
     failover-internet-pkt-send-freq 30
     failover-vpn-timeout 180
    cluster-security
     allow-low-assurance-devices
    per-ap-settings %_sys_lan_mac%
     hostname %hostname%
     rf-zone %rfname%
     swarm-mode %mode%
     wifi0-mode %wifi0mode%
     wifi1-mode %wifi1mode%
     g-channel %gch% %gtx%
     a-channel %ach% %gtx%

Password Management in Configuration Templates for AP

In Aruba Central, the AP management user passwords are stored and displayed as hash instead of plain text. Password for an AP can be set using the following commands:

    mgmt-user <user-name> <password>
    mgmt-user <user-name> <password> guest-mgmt
    mgmt-user <user-name> <password> read-only

The mgmt-user commands are used for APs running below Aruba InstantOS 4.3 firmware version.

The hash-mgmt-user command is enabled by default on the APs provisioned in the template and UI groups. If a pre-configured AP joins Aruba Central and is moved to a new group, Aruba Central uses the hash-mgmt-user configuration settings and discards mgmt-user configuration settings, if any, on the AP. In other words, Aruba Central hashes management user passwords irrespective of the management user configuration settings running on an AP.

The mgmt-user commands can only be used for APs running firmware versions equal to or above Aruba InstantOS 4.3.
The password for an AP can be set using the following hash-mgmt-user commands:

    hash-mgmt-user <user-name> password hash <hash-password>
    hash-mgmt-user <user-name> password cleartext <cleartext-password>
    hash-mgmt-user <user-name> password hash <hash-password> usertype read-only
    hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype read-only
    hash-mgmt-user <user-name> password hash <hash-password> usertype guest-mgmt
    hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype guest-mgmt
    hash-mgmt-user <user-name> password hash <hash-password> usertype local
    hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype local

- Aruba Central supports the use of hash commands with clear text. However, Aruba recommends that you use hash passwords instead of clear text passwords to avoid password disclosures.
- Aruba Central allows you to re-use the hash from one AP on another AP.
- All AP templates must include a password command to set a password for the device. The template cannot be saved without adding a password command. If the configuration that is pushed from Aruba Central to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed will not contain the password command. For more information, see Managing Password in Configuration Templates.

Customizing a Template Using Variable Definitions

Variables in Aruba Central refer to the data set in the configuration template that can vary per device. Aruba Central supports composing the variables in JSON and CSV formats. To add variable definitions, you can download a sample variable file from Aruba Central, add the definitions, and then upload it to Aruba Central.
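The rules above (every variable defined for each device, a password command that survives conditional blocks, hashed rather than cleartext passwords) can be checked before a template and variables file are uploaded. The following Python sketch is an added example, not Aruba code; the template, serials and values are constructed, and the %if% comparison rules and the decision to require only variables on rendered lines are assumptions.

```python
import re

IF_RE = re.compile(r"^%if\s+(.+?)%$", re.IGNORECASE)
VAR_RE = re.compile(r"%([A-Za-z_][\w-]*)%")
PASSWORD_RE = re.compile(r"^(?:hash-)?mgmt-user\s+(\S+)\s+(.*)$")


def _condition_true(expr, variables):
    # Assumed semantics: "%if name%" is true when the variable is defined and
    # non-empty; "%if name=value%" compares case-insensitively.
    name, has_value, expected = expr.partition("=")
    actual = variables.get(name.strip())
    if actual is None:
        return False
    if not has_value:
        return actual != ""
    return actual.strip().lower() == expected.strip().lower()


def render(template, variables):
    """Expand one device's variables; return (config_lines, missing_names)."""
    lines, missing = [], set()
    stack = []  # one (parent_active, branch_active) pair per open %if%

    def substitute(match):
        name = match.group(1)
        if name not in variables:
            missing.add(name)
            return match.group(0)
        return variables[name]

    for raw in template.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):  # '#' lines are ignored
            continue
        is_if = IF_RE.match(text)
        if is_if:
            parent = not stack or all(stack[-1])
            stack.append((parent, _condition_true(is_if.group(1), variables)))
        elif text.lower() in ("%else%", "%endif%"):
            if not stack:
                raise ValueError("unbalanced directive: " + text)
            parent, branch = stack.pop()
            if text.lower() == "%else%":
                stack.append((parent, not branch))
        elif not stack or all(stack[-1]):
            lines.append(VAR_RE.sub(substitute, raw.rstrip()))
    if stack:
        raise ValueError("%if% without matching %endif%")
    return lines, missing


def lint_device(template, variables):
    """Return findings for one device; an empty list means nothing was found."""
    config, missing = render(template, variables)
    findings = []
    if missing:
        findings.append("missing variables: " + ", ".join(sorted(missing)))
    users = [m for m in (PASSWORD_RE.match(l.strip()) for l in config) if m]
    if not users:
        findings.append("no password command in rendered config")
    for m in users:
        if not m.group(2).startswith("password hash "):
            # Report the user name only, never the secret itself.
            findings.append("cleartext password for user " + m.group(1))
    return findings


def lint_all(template, devices):
    return {serial: lint_device(template, v) for serial, v in devices.items()}


# Constructed template using commands shown on this page.
TEMPLATE = """\
# per-device values come from the variables file
virtual-controller-country %countrycode%
name %VCname%
%if secure_admin=true%
hash-mgmt-user admin password hash %admin_hash%
%endif%
%if legacy_ro=true%
hash-mgmt-user monitor password cleartext %ro_pw% usertype read-only
%endif%
per-ap-settings %_sys_lan_mac%
 hostname %hostname%
 rf-zone %rfname%
"""

# Constructed variables, keyed by placeholder serial numbers.
_BASE = {"countrycode": "US", "VCname": "Test_VC", "hostname": "ap1",
         "_sys_lan_mac": "00:00:5e:00:53:01"}
DEVICES = {
    "SERIAL-A": dict(_BASE, secure_admin="TRUE", legacy_ro="FALSE",
                     admin_hash="<hash-placeholder>", rfname="zone1"),
    "SERIAL-B": dict(_BASE, secure_admin="FALSE", legacy_ro="TRUE",
                     ro_pw="<constructed-password>", rfname="zone1"),
    "SERIAL-C": dict(_BASE, secure_admin="FALSE", legacy_ro="FALSE"),
}

if __name__ == "__main__":
    for serial, findings in lint_all(TEMPLATE, DEVICES).items():
        print(serial, findings or "ok")
```

SERIAL-C shows the case the documentation warns about: every password command sits inside a condition that evaluates to false, so the rendered configuration has none and the push would be aborted.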
To view a list of variables in a template, select the template row and click the edit or delete icon, respectively.

Downloading a Sample Variables File

To download a sample variables file:

1. In the Network Operations app, set the filter to one of the template groups under Groups. The dashboard context for the selected group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure APs are displayed.
4. Click Variables.
5. Select one of the following formats to download the sample variables file:
   - JSON--Shows the file in JSON format.
   - CSV--Shows the variables in different columns.
6. Click Download Sample Variables File. The sample variables file is saved to your local directory.

Uploading a Variables File

To upload a variables file, complete the following steps:

1. Ensure that the _sys_serial and _sys_lan_mac variables are defined with the serial number and MAC address of the devices, respectively.
2. In the Network Operations app, set the filter to one of the template groups under Groups.
3. Under Manage, click Devices > Access Points.
4. Click the Config icon. The tabs to configure APs are displayed.
5. Click the Variables tab, click Upload Variables File, and select the variables file to upload.
6. To verify that the variables are added in the template, go to Devices > Access Points > Templates.
7. Click the edit icon in the template, and verify the list of variables displayed in the Edit Template screen.
Sample Variables File

The following example shows the contents of a sample variables file in the JSON format:

    {
      "CNBQJ0Y095": {
        "_sys_lan_mac": "70:3a:0e:cc:ed",
        "_sys_serial": "CNBQJ0Y095",
        "hostname": "ap_name_test",
        "rfname": "test_zone1",
        "mode": "standalone",
        "wifi0mode": "access",
        "wifi1mode": "access",
        "gch": "6",
        "gtx": "26",
        "ach": "140",
        "atx": "36",
        "condition1": "TRUE",
        "condition2": "FALSE",
        "condition3": "FALSE",
        "ssid_name": "test_office",
        "disable_ssid": "FALSE",
        "ssid_security": "wpa2",
        "pw": "sit.down-12",
        "countrycode": "US",
        "org": "8x.group",
        "VCname": "Test_VC_1"
      },
      "CNBHHN50G9": {
        "_sys_lan_mac": "f0:5c:19:cb:3f:64",
        "_sys_serial": "CNBQJ0Y095",
        "hostname": "ap_name_test2",
        "rfname": "test_zone2",
        "mode": "standalone",
        "wifi0mode": "access",
        "wifi1mode": "monitor",
        "gch": "8",
        "gtx": "26",
        "ach": "140",
        "atx": "36",
        "condition1": "FALSE",
        "condition2": "TRUE",
        "condition3": "FALSE",
        "ssid_name": "test_home",
        "disable_ssid": "TRUE",
        "ssid_security": "wpa2",
        "pw": "sit.down-13",
        "countrycode": "CA",
        "org": "8x.group",
        "VCname": "Test_VC_2"
      }
    }

Clean AirWave Configuration Using Template

In Aruba Central, you can clean the AirWave configuration in an AP using the following command in the template:

    clean-airwave-configuration

The command in the template removes ams-ip/ams-key/org from the AP's running configuration if the device has AirWave configurations.

Viewing APs Configuration Tabs

Aruba Central now constantly displays the default tabs under the Show Advanced and Hide Advanced options in the Devices > Access Points page. When you click the Show Advanced or Hide Advanced option, a set of default configuration tabs is displayed. The respective default tabs under these two options are still displayed when you navigate out of the page and visit the same page next time.
- Following are the default tabs displayed when you navigate to the Devices > Access Points page and click the Config icon:
  - WLANs
  - Access Points
  - Radios
- When you click the Show Advanced option, the following tabs are displayed:
  - WLANs
  - Access Points
  - Radios
  - Interfaces
  - Security
  - VPN
  - Services
  - System
  - Configuration Audit
- To view the default tabs, click Hide Advanced.

Navigating to Virtual Controller Configuration Dashboard

To navigate to the virtual controller configuration dashboard, complete the following steps:

1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. In the Virtual Controller column, click on the virtual controller to navigate to the Access Points > List view of the virtual controller.
4. Click the Config icon. The default tabs to configure the virtual controller are displayed.
5. Click Show Advanced to view advanced configuration options.

For more information about the various configuration options, see Deploying a Wireless Network Using IAPs.

Deploying a Wireless Network Using IAPs

This section describes how to configure WLAN SSIDs, radio profiles, DHCP profiles, VPN routes, security and firewall settings, uplink interfaces, and logging servers on Instant Access Points (IAPs).
For more information on IAP configuration, see the following topics:

- Configuring Device Parameters
- Configuring Network Profiles on IAPs
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring ARM and RF Parameters on IAPs
- Configuring IDS Parameters on APs
- Configuring Authentication and Security Profiles on IAPs
- Configuring IAPs for VPN Services
- Configuring DHCP Pools and Client IP Assignment Modes on IAPs
- Configuring Services
- Configuring Systems
- Configuring Uplink Interfaces on IAPs
- Configuring Mobility for Clients
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Viewing APs Configuration Tabs
- Opening a Remote Console
- Mapping IAP Certificates

Setting Country Code

The initial Wi-Fi setup of an Instant Access Point (IAP) requires you to specify the country code for the country in which the IAP operates. This configuration sets the regulatory domain for the radio frequencies that the IAP uses. The available 20 MHz, 40 MHz, or 80 MHz channels are dependent on the specified country code.

Country Code Configuration in Aruba Central from UI

If you provision a new IAP without the country code, Aruba Central exhibits the following behavior:

Table 115: IAP Provisioned to Aruba Central

| Country Code Configured at IAP | Country Code Configured in Group | Behavior |
|---|---|---|
| No | Yes | The country code of the group is pushed to the newly added IAP. |
| No | No | Aruba Central displays the "Country Code not set. Config not updated" message in Audit Trail. A notification is also displayed at the bottom of the main window to set the country code of the new IAP. |

To set the country code, perform the following actions:

1. Click the Set Country Code now link on the notifications pane. The Set Country Code pop-up is displayed.
2. In the Device(s) without country code table, click the edit icon.
3. Specify a country code from the Country Code drop-down list.
4. Click Save.
If an IAP has a country code and joins Aruba Central using ZTP configuration, then the country code of the IAP is retained. In this case, Aruba Central will not push the group country code.

Setting Country Code at a Group Level

To set the country code of the IAP at the group level, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The default tabs to configure the virtual controller are displayed.
4. Click Show Advanced to view advanced configuration options.
5. Click the System tab. The System details page is displayed.
6. Expand the General accordion.
7. In the Set Country code for group drop-down list, select the country code for the IAP.
8. Click Save Settings and then reboot the IAP.

- By default, the value corresponding to the Set Country code for group field is empty. This indicates that any IAP with different country codes can be a part of the group.
- When the Set Country code for group field is set, the field cannot revert to the default value. When the country code of the group is changed, the country code of the already connected IAP is also updated.

Setting Country Code at a Device Level

To set the country code of the IAP at the device level, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. In the Virtual Controller column, click the virtual controller link to navigate to the Access Points > List view of the virtual controller.
When you click the virtual controller link in the Virtual Controller column, the dashboard context for the virtual controller is displayed.
4. Click the Config icon. The default tabs to configure the virtual controller are displayed.
5. Click Show Advanced to view advanced configuration options.
6. Click the System tab. The System details page is displayed.
7. Expand the General accordion.
8. In the Virtual Controller table, select a virtual controller and then click the edit icon.
9. In the Edit IP Address window, select the country code from the Country Code drop-down list.
10. Click Ok.
11. Click Save Settings and then reboot the IAP.

- By default, the value corresponding to the Country code is the country code set at the group level, which can then be modified at the device level from the drop-down list. The country code of the IAP will always be the most recently set country code at the group level or device level.
- If there is a discrepancy in the country code configuration, Aruba Central displays it as an override in the Configuration Audit page.

Country Code Configuration at Group Level from API

Aruba Central provides an option to set and get the country code at group level through the APIs in API Gateway. To set or get the country code at group level through API, complete the following steps:

1. In the Account Home page, click API Gateway. The API Gateway page is displayed.
2. Click the Authorized Apps & Tokens tab and generate a token key. The token key is valid only for 2 hours from the time it was generated.
3. Download and copy the generated token.
4. In the All Published APIs window, click the URL link listed under the Documentation column. The Central Network Management APIs page is displayed.
5. On the left navigation pane, select Configuration from the URL drop-down list.
6. Paste the token key in the Token field and press Enter.
7. Click NB UI Group Configuration.
The following options are displayed:

- Set country code at group level ([PUT]/configuration/v1/country)--This API allows you to set the country code for multiple groups at once. Aruba Central currently allows country codes of up to 50 IAP device groups to be configured simultaneously. To set the country codes of multiple groups, enter the group names and country code as inputs corresponding to the groups and country labels respectively in the script { "groups": [ "string" ], "country": "string" } within the set_group_config_country_code text box.
- Get country code set for group ([GET]/configuration/v1/{group}/country)--This API allows you to retrieve the country code set for a specific IAP group. To get the country code information of the IAP group, enter the name of the group for which the country code is being queried corresponding to the country label in the script { "country": "string"} within the group text box.

The APIs for setting and retrieving country code information are not available for the IAP devices deployed in template groups.
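For callers that script the set operation instead of using the Swagger page, the following added Python example (not Aruba code) splits a group list into requests of at most 50 groups, checks the 2-hour token window, and maps the response codes from Table 116 to a next step. The API host is assumed from the documentation URL on this page, the Bearer authorization header is an assumption, and the action names are hypothetical; the requests are built but not sent.

```python
import json
import time
import urllib.request

# Assumption: the API is served from the host of the documentation URL on this page.
BASE_URL = "https://app1-apigw.central.arubanetworks.com"
MAX_GROUPS_PER_CALL = 50          # limit stated on this page
TOKEN_LIFETIME_S = 2 * 60 * 60    # token validity stated on this page

# Hypothetical action names keyed by the response codes in Table 116.
ACTIONS = {
    201: "done",
    400: "fix-request", 413: "fix-request", 417: "fix-request",
    401: "renew-token",
    403: "check-group-write-access",
    429: "retry-later", 503: "retry-later",
    500: "report",
}


def token_usable(issued_at, now=None, margin_s=60):
    """True while the token is inside its 2-hour window, minus a safety margin."""
    now = time.time() if now is None else now
    return now < issued_at + TOKEN_LIFETIME_S - margin_s


def build_set_country_requests(groups, country, token):
    """Return unsent PUT requests, one per batch of at most 50 unique groups."""
    unique = list(dict.fromkeys(g.strip() for g in groups if g.strip()))
    if not unique or not country.strip():
        raise ValueError("at least one group and a country code are required")
    requests = []
    for start in range(0, len(unique), MAX_GROUPS_PER_CALL):
        batch = unique[start:start + MAX_GROUPS_PER_CALL]
        body = json.dumps({"groups": batch, "country": country.strip()})
        requests.append(urllib.request.Request(
            BASE_URL + "/configuration/v1/country",
            data=body.encode("utf-8"),
            method="PUT",
            headers={
                "Content-Type": "application/json",
                # Assumption: the token is presented as a Bearer token.
                "Authorization": "Bearer " + token,
            },
        ))
    return requests


def next_action(status):
    """Map a response code to what the caller should do next."""
    return ACTIONS.get(status, "unexpected")


if __name__ == "__main__":
    # Constructed group names and a placeholder token.
    names = ["branch-%03d" % i for i in range(120)]
    for req in build_set_country_requests(names, "US", "<access-token>"):
        print(req.get_method(), req.full_url, len(json.loads(req.data)["groups"]))
```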
The following are the response messages displayed in the Set country code at group level and Get country code set for group sections:

Table 116: Response Messages

Set country code at group level:
- 201 - Successful operation
- 400 - Bad Request
- 401 - Unauthorized access, authentication required
- 403 - Forbidden, do not have write access for group
- 413 - Request-size limit exceeded
- 417 - Request-size limit exceeded
- 429 - API Rate limit exceeded
- 500 - Internal Server Error
- 503 - Service unavailable, configuration update in progress

Get country code set for group:
- 400 - Bad Request
- 401 - Unauthorized access authentication required
- 403 - Forbidden, do not have read access for group
- 413 - Request-size limit exceeded
- 417 - Request-size limit exceeded
- 429 - API Rate limit exceeded
- 500 - Internal Server Error
- 503 - Service unavailable, configuration update in progress

For further details on APIs, see https://app1-apigw.central.arubanetworks.com/swagger/central.

Configuring Device Parameters

To configure device parameters on an access point (AP), complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4.
To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Configure the parameters described below:

Table 117: Access Points Configuration Parameters

Basic Info

Name: Configure a name for the IAP. For IAPs running Aruba InstantOS 8.7.0.0 or later versions, you can enter up to 128 ASCII or non-ASCII characters. For IAPs running Aruba InstantOS 8.6.0.0 or earlier versions, you can enter up to 32 ASCII or non-ASCII characters.

AP Zone: Configure the IAP zone. For IAPs running Aruba InstantOS 6.5.4.7 or later versions, and 8.3.0.0 or later versions, you can configure multiple AP zones by adding zone names as comma separated values. Aruba recommends that you do not configure zones in both SSID and in the Per AP settings of an IAP. If the same zones are configured in SSID and Per AP settings, APs may broadcast the SSIDs, but if the SSIDs and Per AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see Aruba Instant User Guide.

RF Zone: Allows you to create an RF zone for the IAP. With RF zone, you can configure different power transmission settings for APs in different zones or sections of a deployment site. For example, you can configure power transmission settings to make Wi-Fi available only for the devices in specific areas of a store. You can also configure separate RF zones for the 2.4 GHz, 5 GHz, and 6 GHz radio bands for the IAPs in a cluster. For more information, see Configuring Radio Parameters. Aruba recommends that you configure RF zone for either individual AP or for the cluster. Any discrepancy in the RF zone names may lead to configuration errors.

Swarm Mode: Allows you to set one of the following operation modes:
- Cluster--Allows an IAP to operate in the cluster mode. When an IAP operates in the cluster mode, it can form a cluster with other virtual controller IAPs in the same VLAN.
- Standalone--Allows an IAP to operate in the standalone mode. When an IAP operates in the standalone mode, it cannot join a cluster of IAPs even if the IAP is in the same VLAN.
- Single-AP--Allows an IAP to operate in the single AP mode that is specifically designed for IAP deployments with only one AP in the site. This mode is a type of standalone AP deployment with additional security when the AP is directly facing a WAN connection. When configured as a single AP, the AP will not send or receive management frames such as mobility packets, roaming packets, and hierarchy beacons through the uplink port.
NOTE: After changing the AP operation mode, ensure that you reboot the IAP.

LACP Mode: Allows you to set one of the following LACP modes:
- Active--Allows you to enable the LACP on an IAP. In this mode, both Ethernet ports on the IAP form a static LAG.
- Passive--Allows you to set the LACP on an IAP in a passive mode.
- Disabled--Allows you to disable the LACP on an IAP.

Preferred Conductor: Select the Preferred Conductor check-box to provision the IAP as a conductor IAP. After provisioning the IAP as a conductor IAP, ensure that you reboot the AP.

IP Address For Access Point: Select one of the following options:
- Get IP Address from DHCP server--Allows the IAP to get an IP address from the DHCP server. By default, the IAPs obtain an IP address from a DHCP server.
- Static--You can also assign a static IP address to the IAP. To specify a static IP address for the IAP, complete the following steps:
  - Enter the new IP address for the IAP in the IP Address text-box.
  - Enter the subnet mask of the network in the Netmask text-box.
  - Enter the IP address of the default gateway in the Default Gateway text-box.
  - Enter the IP address of the DNS server in the DNS Server text-box.
  - Enter the domain name in the Domain Name text-box.
You can configure up to two DNS servers separated by a comma.
If the first DNS server goes down, the second DNS server takes control of resolving the domain name.

Radio

Dual 5G Mode: Select the Dual 5G Mode check-box to enable the dual 5G mode. In the Dual 5G Mode, the Mode remains as Access and is non-editable. The Dual 5G Mode is only supported on AP-344 and AP-345 running on Aruba InstantOS 8.3.0.0. For more information, see Aruba Instant User Guide.

Split Radio: Select the Split Radio check-box to allow the radios of the IAP to operate in the tri-radio mode. The Split Radio is only supported on AP-555 running on Aruba InstantOS 8.5.0.0. For more information, see About Tri-Radio Mode.

Enable Radio: Select the Enable Radio check-box under 2.4GHz Band, 5 GHz Band and 6 GHz Band to enable the radio.
NOTE: 6 GHz Band is only supported for devices with 6 GHz capability.

Mode: From the Mode drop-down list, select any of the following options:
- Access--In this mode, the IAP serves clients, while also monitoring for rogue IAPs in the background.
- Monitor--In this mode, the IAP acts as a dedicated monitor, scanning all channels for rogue IAPs and clients.
- Spectrum--In this mode, the IAP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring IAPs or from non-Wi-Fi devices such as microwaves and cordless phones. For more information, see Spectrum Scan Overview.
To get accurate monitoring details and statistics, it is highly recommended to reboot the IAPs once the IAPs are toggled from the 2.4 or 5 GHz mode to dual 5 GHz radio mode or vice-versa. The access, spectrum, and monitor mode of the radios of an access point is available for Foundation and Advanced licenses for APs.

Adaptive radio management assigned: You can configure a radio profile on an IAP either manually or by configuring the Adaptive radio management assigned option. The Adaptive Radio Management (ARM) feature is enabled on Aruba Central by default. It automatically assigns appropriate channel and power settings for the IAPs.

Administrator assigned: You can also assign an administrator by using the Administrator assigned option and selecting the number of channels in the Channel drop-down list. In the Transmit Power field, enter the signal strength measured in dBm.

Installation Type

Installation Type: Configure the Installation Type of the IAP. The Installation Type drop-down consists of the following options:
- Default--Select this option to change the installation type to the default mode.
- Indoor--Select this option to change the installation type to the indoor mode.
- Outdoor--Select this option to change the installation type to the outdoor mode.
The options in the Installation Type drop-down are listed based on the IAP model.

Uplink

Uplink Management VLAN: The uplink traffic on IAP is carried out through a management VLAN. However, you can configure a non-native VLAN as an uplink management VLAN. After an IAP is provisioned with the uplink management VLAN, all management traffic sent from the IAP is tagged to the management VLAN. To configure a non-native uplink VLAN, click Uplink and specify the VLAN in Uplink Management VLAN.

Eth0 Mode: Allows you to change the Eth0 bridging mode in your wired network. The Eth0 Mode drop-down consists of the following options:
- Uplink--Select this option to change the Eth0 bridging mode to the uplink port.
- Downlink--Select this option to change the Eth0 bridging mode to the downlink port.

Eth1 Mode: Allows you to change the Eth1 bridging mode in your wired network. The Eth1 Mode drop-down consists of the following options:
- Default--Select this option to change the Eth1 bridging mode to the default port.
- Uplink--Select this option to change the Eth1 bridging mode to the uplink port.
- Downlink--Select this option to change the Eth1 bridging mode to the downlink port.

USB Port: Select the USB Port check-box if you do not want to use the cellular uplink or 3G/4G modem in your current network setup.

PEAP User: Create the PEAP user credentials for certificate based authentication. Enter the username, password, and retype password in the Username, Password, and Retype Password field for creating the PEAP user.

Mesh

Mesh enable: Select the Mesh enable check-box to allow mesh access points to form a mesh network. The mesh feature ensures reliability and redundancy by allowing the network to continue operating even when an IAP is non-functional or if the device fails to connect to the network. For more information, see Configuring Mesh IAP.

Clusterless mesh name: Enter the name of mesh access points that do not belong to any cluster. The Clusterless mesh name field is disabled when the Mesh enable option is enabled.

Clusterless mesh key: Enter the key of the mesh access points that do not belong to any cluster. The Clusterless mesh key field is disabled when the Mesh enable option is enabled.

Retype: Re-enter the clusterless mesh key. The Retype field is disabled when the Mesh enable option is enabled.

Mesh mobility RSSI threshold: Fast roaming is triggered on a mobility mesh point when the RSSI of the parent is lower than the threshold value. Enter the threshold value as a number from 10 to 50, high, or low.

External Antenna

Antenna Gain: Enter the Antenna Gain values in dBi for the 2.4 GHz Antenna Gain and the 5 GHz Antenna Gain. For more information, see Configuring External Antenna.

Antenna Polarization Type: From the Antenna Polarization Type drop-down list, select any of the following:
- co-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be same.
- cross-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be different.
The integrated antenna of the wireless bridge sends a radio signal that is polarized in a particular direction. The receive sensitivity of the antenna is also higher for radio signals that have the same polarization. To maximize the performance of the wireless link, both antennas must be set to the same polarization direction.

6. Click Save Settings and then reboot the IAP.

Configuring Systems

This section describes how to configure the General, Administrator, Time-Based Services, DHCP, Layer-3 Mobility, Enterprise Domains, Logging, SNMP, WISPr, Proxy, Named VLAN Mapping, and IPM parameters on an Instant Access Point (IAP).

- Configuring System Parameters for an AP
- Configuring Users Accounts for the AP Management Interface
- Configuring Mesh for Multiple Radios
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring DHCP Pools and Client IP Assignment Modes on IAPs
- Configuring Mobility for Clients
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Configuring SNMP Parameters
- Supported Authentication Methods
- Configuring HTTP Proxy on an IAP
- Configuring VLAN Name and VLAN ID
- Configuring Intelligent Power Monitoring

Configuring VLAN Name and VLAN ID

Aruba Central allows you to map a VLAN name to a VLAN ID for ease of identifying the existing VLANs. To map a VLAN name to a VLAN ID, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Named VLAN Mapping accordion.
7. Click the + icon in the VLAN Name to VLAN ID Mapping pane. The VLAN Name to VLAN ID Mapping window is displayed.
8.
In the VLAN Name to VLAN ID Mapping window, enter the VLAN Name and VLAN ID.
9. Click OK. The VLAN Name to VLAN ID Mapping table in the Named VLAN Mapping section lists all the mapped VLANs.

You can find the Named VLAN Mapping feature applied in the following fields of corresponding UI pages of Aruba Central:

- The VLAN ID field in the VLANs tab, when Custom for Instant AP Assigned and Static for External DHCP server assigned is selected during WLAN SSID creation. For more information, see Configuring Wireless Network Profiles on IAPs.
- The VLAN ID field in the VLANs tab, when Custom for Instant AP Assigned and Static for External DHCP server assigned is selected during wired port profile creation. For more information, see Configuring Wired Port Profiles on IAPs.
- The Access rules page in the Interfaces > Access tab and the WLANs > Access tab, when you add rules for selected roles. Select VLAN Assignment as the rule type in the Access rules page to find the mapped VLAN name in the VLAN ID field.

You can also map a VLAN ID to a VLAN name when you customize the Client VLAN Assignment configuration in the VLANs tab during network profile creation. For more information, see VLAN Assignment.

Points to Remember

- The maximum number of Named VLAN ID Mapping allowed in Aruba Central is 32.
- VLAN mapping cannot be performed if the VLAN name does not exist.
- The VLAN mapping record is deleted from the VLAN Name to VLAN ID Mapping table when the VLAN name is deleted.
- You can only map a single VLAN ID to a VLAN name.
- The VLAN name field is not case-sensitive.

Configuring External Antenna

If the Instant Access Point (IAP) has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system's EIRP is in compliance with the limit specified by the regulatory authority of the country in which the IAP is deployed.
You can also measure or calculate additional attenuation between the device and antenna before configuring the antenna gain. To know whether the IAP device supports external antenna connectors, see the Installation Guide that is shipped along with the IAP device.

EIRP and Antenna Gain

The following formula can be used to calculate the EIRP limit related RF power based on selected antennas (Antenna Gain) and feeder (Coaxial Cable Loss):

    EIRP = Tx RF Power (dBm) + GA (dB) - FL (dB)

The following table describes this formula:

Table 118: Formula Variable Definitions

| Formula Element | Description |
|---|---|
| EIRP | Limit specific for each country of deployment. |
| Tx RF Power | RF power measured at RF connector of the unit. |
| GA | Antenna gain |
| FL | Feeder loss |

Configuring Antenna Gain

To configure antenna gain for IAPs with external connectors, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Click the External Antenna tab.
6. Enter the Antenna Gain values in dBi for the 2.4 GHz Antenna Gain and the 5 GHz Antenna Gain.
7.
From the Antenna Polarization Type drop-down list, select any of the following:
   - co-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be same.
   - cross-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be different.
8. Click Save Settings.

After configuring the external antenna parameters, ensure that you reboot the IAP.

Adding an IAP
To add an Instant Access Point (IAP) to Aruba Central, assign an IP address and a subscription. After an IAP is connected to the network and if the Auto Join Mode feature is enabled, the IAP inherits the configuration from the virtual controller and is listed in the Access Points tab.

Deleting an IAP
To delete an Instant Access Point (IAP), complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. In the Access Points table, hover over the offline AP that you want to delete.
4. Click the delete icon.

Configuring Intelligent Power Monitoring
The Intelligent Power Monitoring (IPM) feature actively measures the power utilization of an access point (AP) and dynamically adapts to the power resources. IPM allows you to define the features that must be disabled to save power, allowing the APs to operate at a lower power consumption without hampering the performance of the related features. This feature constantly monitors the AP power consumption and adjusts the power saving IPM features within the power budget. IPM dynamically limits the power requirement of an AP as per the available power resources. IPM applies a sequence of power reduction steps as defined by the priority definition until the AP functions within the power budget.
This happens dynamically as IPM constantly monitors the AP power consumption and applies the next power reduction step in the priority list if the AP exceeds the power threshold. To manage this prioritization, you can create IPM policies to define a set of power reduction steps and associate them with a priority. The IPM policies, when applied to the AP, are based on IPM priorities, where the IPM policy can be configured to disable or reduce certain features in a specific sequence to reduce the AP power consumption below the power budget. IPM priority settings are defined by integer values, where the lower values have the highest priority and are implemented first.

The Intelligent Power Monitoring feature is available only on APs running Aruba InstantOS 8.6.0.3.

To configure Intelligent Power Monitoring, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the IPM accordion.
7. Select the IPM Activation check box to enable IPM.
8. Click the + icon in the IPM Power Reduction Steps With Priorities pane. The IPM Power Reduction Steps With Priorities window is displayed.
9. In the IPM Step Priority field, enter a value from 1 to 16 to define IPM priority.
10. From the IPM Step drop-down list, select a setting as described in the following table:

Table 119: Intelligent Power Monitoring Step Parameters
Parameters: Description
cpu_throttle_25: Reduces CPU frequency to 25% of normal.
cpu_throttle_50: Reduces CPU frequency to 50% of normal.
cpu_throttle_75: Reduces CPU frequency to 75% of normal.
disable_alt_eth: Disables the second Ethernet port.
disable_pse: Disables Power Sourcing Equipment (PSE).
disable_usb: Disables USB.
radio_2ghz_chain_1: Reduces 2 GHz chains to 1x1.
radio_2ghz_chain_2: Reduces 2 GHz chains to 2x2.
radio_2ghz_chain_3: Reduces 2 GHz chains to 3x3.
radio_2ghz_power_3dB: Reduces 2 GHz radio power by 3 dB from the maximum value.
radio_2ghz_power_6dB: Reduces 2 GHz radio power by 6 dB from the maximum value.
radio_5ghz_chain_1: Reduces 5 GHz chains to 1x1.
radio_5ghz_chain_2: Reduces 5 GHz chains to 2x2.
radio_5ghz_chain_3: Reduces 5 GHz chains to 3x3.
radio_5ghz_power_3dB: Reduces 5 GHz radio power by 3 dB from the maximum value.
radio_5ghz_power_6dB: Reduces 5 GHz radio power by 6 dB from the maximum value.

11. Click OK. The IPM Power Reduction Steps With Priorities table in the IPM section lists all the IPM settings.
12. Click Save Settings and reboot the IAP for changes to take effect.

The following figure shows the IPM steps and priorities listed in the IPM Power Reduction Steps With Priorities table:

Figure 133 IPM Steps and Priorities

Setting a low-priority value for a power reduction step reduces the power level sooner than setting a high-priority value for a power reduction step. However, if the power reduction step is of the same type but different level, the smallest reduction should be allocated the lowest priority value so that the power reduction step takes place earlier. For example, the cpu_throttle_25 or radio_2ghz_power_3dB parameter should have a lower priority level than the cpu_throttle_50 or radio_2ghz_power_6dB, respectively, so that Intelligent Power Monitoring reduces the CPU throttle or power usage based on the priority list.

Points to Remember
- By default, Intelligent Power Monitoring is disabled.
- When enabled, IPM enables all IAP functionality initially.
IPM then proceeds to shut down or restrict functionality if the power usage of the AP goes beyond the power budget of the IAP.

Configuring System Parameters for an AP
To configure system parameters for an access point (AP), complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the General accordion and configure the following parameters:

Table 120: System Parameters
Data Pane Item: Description

Virtual Controller: This parameter configuration is only applicable for APs that operate in a cluster deployment environment. To configure the virtual controller name and IP address, click edit icon and update the name and IP address. The IP address serves as a static IP address for the multi-AP network. When configured, this IP address is automatically provisioned on a shadow interface on the AP that takes the role of a virtual controller. The AP sends three ARP messages with the static IP address and its MAC address to update the network ARP cache.
- Name--Name of the virtual controller.
- IP address--IPv4 address configured for the virtual controller. The IPv4 address uses the 0.0.0.0 notation.
- IPv6 address--IPv6 address configured for the virtual controller. You can configure IPv6 address for the virtual controller only if the Allow IPv6 Management feature is enabled.
IPv6 is the latest version of IP that is suitable for large-scale IP networks. IPv6 supports a 128-bit address to allow 2^128, or approximately 3.4×10^38 addresses while IPv4 supports only 2^32 addresses. The IP address of the IPv6 host is always represented as eight groups of four hexadecimal digits separated by colons.
For example 2001:0db8:0a0b:12f0:0000:0000:0000:0001. However, the IPv6 notation can be abbreviated to compress one or more groups of zeroes or to compress leading or trailing zeroes; for example 2001:db8:a0b:12f0::0:0:1.

Set Country code for group: To configure a country code for the AP at the group level, select the country code from the Set Country code for group drop-down list. By default, no country code is configured for the AP device groups. When a country code is configured for the group, it takes precedence over the country code setting configured at the device level.

Timezone: To configure a time zone, select a time zone from the Timezone drop-down list. If the selected time zone supports DST, the UI displays the "The selected country observes Daylight Savings Time" message.

Preferred Band: Assign a preferred band by selecting an appropriate option from the Preferred Band drop-down list. Reboot the AP after modifying the radio profile for changes to take effect.

NTP Server: This parameter allows you to configure NTP servers for the IAP. Up to four NTP servers can be configured for the AP, each one separated by a comma. To facilitate communication between various elements in a network, time synchronization between the elements and across the network is critical. Time synchronization allows you to:
- Trace and track security gaps, network usage, and troubleshoot network issues.
- Validate certificates.
- Map an event on one network element to a corresponding event on another.
- Maintain accurate time for billing services and similar.
NTP helps obtain the precise time from a server and regulate the local time in each network element. Connectivity to a valid NTP server is required to synchronize the AP clock to set the correct time. If NTP server is not configured in the AP network, an AP reboot may lead to variation in time data.
By default, the AP tries to connect to pool.ntp.org to synchronize time. The NTP server can also be provisioned through the DHCP option 42. If the NTP server is configured, it takes precedence over the DHCP option 42 provisioned value. The NTP server provisioned through the DHCP option 42 is used if no server is configured. The default server pool.ntp.org is used if no NTP server is configured or provisioned through DHCP option 42. To configure an NTP server, enter the IP address or the URL of the NTP server and reboot the AP to apply the configuration changes.

Virtual Controller Netmask, Virtual Controller Gateway, Virtual Controller DNS, Virtual Controller VLAN: This parameter configuration is only applicable for APs that operate in a cluster deployment environment. The IP configured for the virtual controller can be in the same subnet as AP or can be in a different subnet. Ensure that you configure the virtual controller VLAN, gateway, and subnet mask details only if the virtual controller IP is in a different subnet. Ensure that virtual controller VLAN is not the same as native VLAN of the AP.

DHCP Option 82 XML: The DHCP Option 82 XML is not applicable for cloud APs. DHCP Option 82 XML can be customized to cater to the requirements of any ISP using the conductor AP. To facilitate customization using a XML definition, multiple parameters for Circuit ID and Remote ID options of DHCP Option 82 XML are introduced. The XML file is used as the input and is validated against an XSD file in the conductor AP. The format in the XML file is parsed and stored in the DHCP relay which is used to insert Option 82 related values in the DHCP request packets sent from the client to the server. From the drop-down list, select one of the following XML files:
- default_dhcpopt82_1.xml
- default_dhcpopt82_2.xml
For more information, see Configuring DHCP Scopes on IAPs.
Dynamic CPU Utilization: APs perform various functions such as wired and wireless client connectivity and traffic flows, wireless security, network management, and location tracking. If an AP is overloaded, prioritize the platform resources across different functions. Typically, the APs manage resources automatically in real time. However, under special circumstances, if dynamic resource management needs to be enforced or disabled altogether, the dynamic CPU management feature settings can be modified. To configure dynamic CPU management, select any of the following options from Dynamic CPU Utilization.
- Automatic--When selected, the CPU management is enabled or disabled automatically during run-time. This decision is based on real time load calculations taking into account all different functions that the CPU needs to perform. This is the default and recommended option.
- Always Disabled in all APs--When selected, this setting disables CPU management on all APs, typically for small networks. This setting protects user experience.
- Always Enabled in all APs--When selected, the client and network management functions are protected. This setting helps in large networks with high client density.

Auto-Join Mode: When enabled, APs can automatically discover the virtual controller and join the network. The Auto-Join Mode feature is enabled by default.

APs allowed for Auto-Join Mode: Displays the number of APs allowed for Auto-Join Mode.
- Click View Allowed APs to view the details of AP allowed for Auto-Join mode.
- Click Hide Allowed APs to hide the details of AP allowed for Auto-Join mode.
When Auto-Join Mode is enabled, the APs are automatically discovered and are allowed to join the cluster. When the Auto-Join Mode is disabled on the AP, the list of allowed APs on Aruba Central may not be synchronized or up-to-date.
In such cases, you can manually add a list of APs that can join the AP cluster in the Aruba Central UI. To manually add the list of allowed AP devices, complete the following steps:
1. Under View Allowed APs, click + in the Allowed APs pane.
2. In the Add Allowed AP window, enter the MAC address of the AP in the MAC Address field.
3. Click Save.

Allow IPv6 Management: Enables IPv6 address configuration for the virtual controller. You can configure an IPv6 address for a virtual controller IP only when Allow IPv6 Management feature is enabled.

Uplink switch native VLAN: Allows you to specify a VLAN ID, to prevent the AP from sending tagged frames for clients connected on the SSID that uses the same VLAN as the native VLAN of the switch. By default, the AP considers the native VLAN of the upstream switch, to which it is connected, as the VLAN ID 1.

Terminal Access: When enabled, the users can access the AP CLI through SSH.

Login Session Timeout: Allows you to set a timeout for login session.

Console Access: When enabled, the users can access AP through the console port.

WebUI Access: If an AP is connected to Aruba Central, you can use this option to disable AP Web UI access and any communication via HTTPS or SSH. If you enable this feature, you can manage the AP only from Aruba Central.

Telnet Server: When enabled, the users can start a Telnet session with the AP CLI.

LED Display: Enables or disables the LED display for all APs in a cluster. The LED display is always enabled during the AP reboot.

Extended SSID: Extended SSID is enabled by default in the factory default settings of APs. This disables mesh in the factory default settings. For AP devices that support Aruba InstantOS 8.4.0.0 firmware versions and above, you can configure up to 14 SSIDs. By enabling Extended SSID, you can create up to 16 networks.

Advanced Zone: Turn on the Advanced Zone toggle switch to broadcast the same ESSIDs on APs that are part of the same AP zone in a cluster.
NOTE: When the advanced-zone feature is enabled and a zone is already configured with 16 SSIDs, ensure to remove the zone from two WLAN SSID profiles if you want to disable extended SSID.

Deny Inter User Bridging: If you have security and traffic management policies defined in upstream devices, you can disable bridging traffic between two clients connected to the same AP on the same VLAN. When inter-user bridging is denied, the clients can connect to the Internet but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision. To disable inter-user bridging, turn off the Deny Inter User Bridging toggle switch.

Deny Local Routing: If you have security and traffic management policies defined in upstream devices, you can disable routing traffic between two clients connected to the same AP on different VLANs. When local routing is disabled, the clients can connect to the Internet but cannot communicate with each other, and the routing traffic between the clients is sent to the upstream device to make the forwarding decision. To disable local routing, move the slider to the right.

Dynamic RADIUS Proxy: If your network has separate RADIUS authentication servers (local and centralized servers) for user authentication, you may want to enable Dynamic RADIUS proxy to route traffic to a specific RADIUS server. When Dynamic RADIUS proxy is enabled, the IP address of the virtual controller is used for communication with external RADIUS servers. To enable Dynamic RADIUS Proxy, you must configure an IP address for the Virtual Controller and set it as a NAS client in the RADIUS server profile.

Dynamic TACACS Proxy: If you want to route traffic to different TACACS servers, enable Dynamic TACACS Proxy. When enabled, the AP cluster uses the IP address of the Virtual Controller for communication with external TACACS servers.
If an IP address is not configured for the Virtual Controller, the IP address of the bridge interface is used for communication between the AP and TACACS servers. However, if a VPN tunnel exists between the Instant AP and TACACS server, the IP address of the tunnel interface is used.

Cluster Security: This parameter is required to be set only for APs that operate in a cluster deployment environment. Enables or disables the cluster security feature. When enabled, the control plane communication between the AP cluster nodes is secured. The Disallow Non-DTLS Members toggle switch appears. Turn on the toggle switch to allow member APs to join a DTLS enabled cluster. For secure communication between the cluster nodes, the Internet connection must be available, or at least a local NTP server must be configured. After enabling or disabling cluster security, ensure that the configuration is synchronized across all devices in the cluster, and then reboot the cluster. The Disallow Non-DTLS Members feature is only supported in AP devices supporting Aruba InstantOS 8.4.0.0 firmware versions and above.

Low Assurance PKI: Turn on the toggle switch to allow low assurance devices that use non-TPM chip, in the network. To enable the cluster security feature, turn on the Low Assurance PKI toggle switch. For more information on Low Assurance PKI, refer to Cluster Security section in Aruba Instant User Guide. The Low Assurance PKI toggle switch is supported in AP devices running Aruba InstantOS 6.5.3.0 firmware versions and later.

Mobility Access Switch Integration: Turn on the toggle switch to enable LLDP protocol for Mobility Access Switch integration. With this protocol, APs can instruct the switch to turn off ports where rogue access points are connected, as well as take actions such as increasing PoE priority and automatically configuring VLANs on ports where APs are connected.
URL Visibility: Turn on the toggle switch to enable URL data logging for client HTTP and HTTPS sessions and allow APs to extract URL information and periodically log them on ALE for DPI and application analytics.

Restrict uplink port to specified VLANs: Turn on the toggle switch to restrict the uplink port to the specified VLANs.

VOIP QOS Trust: Turn on the toggle switch to enable the RTP traffic based on the DSCP value set by the end user device.

7. Click Save Settings.

Enabling 802.1X Authentication on Uplink Ports of an AP
If your network requires all wired devices to authenticate using PEAP or TLS protocol, you must enable 802.1X authentication type on uplink ports of an access point (AP), so that the APs are granted access only after completing the authentication as a valid client.

To enable 802.1X authentication on uplink ports using PEAP or TLS protocol, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Expand the AP1X section.
   - To set PEAP based authentication, select PEAP in the AP1X Type drop-down list. If you select PEAP protocol, ensure that the PEAP User is configured on the uplink port by selecting an AP group and navigating to Uplink section in the Access Points tab.
   - To set TLS based authentication:
     a. Select TLS in the AP1X Type drop-down list.
     b. Select User in the Certificate Type drop-down list.
8. Select the Validate Server check-box to validate the server credentials using server certificate.
Ensure that the server certificates for validating server credentials are available in the IAP database.
9. Click Save Settings.

Configuring HTTP Proxy on an IAP
If your network requires a proxy server for Internet access, ensure that you configure the HTTP proxy on the Instant Access Point (IAP) to download the image from the cloud server. After setting up the HTTP proxy settings, the IAP connects to the Activate server, Aruba Central, or OpenDNS server through a secure HTTP connection. You can also exempt certain applications from using the HTTP proxy (configured on an IAP) by providing their host name or IP address under Exception.

Aruba Central allows the user to configure HTTP proxy on an IAP. To configure HTTP proxy on IAP through Aruba Central, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Proxy accordion and specify the following:
   a. Enter the HTTP proxy server IP address in the Server text-box.
   b. Enter the port number in the Port text-box.
7. Click Save Settings.

Aruba Central displays the Username, Password, and Retype Password fields under System > Proxy for IAP running Aruba InstantOS 8.3.0.0. The IAPs with the Aruba InstantOS 8.3.0.0 firmware require user credentials for proxy server authentication.
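The security-relevant options described above (Telnet Server, Cluster Security, Low Assurance PKI, Auto-Join Mode, the NTP server precedence, and the AP1X uplink settings) can be checked together before a group configuration is saved. The following Python audit is an added example, not part of the Aruba guide or product; its dictionary keys are hypothetical names derived from the UI labels, not Aruba Central API fields, and the sample snapshots are constructed.

```python
# Added example: audit a settings snapshot against the security-relevant
# options in this section. Key names are hypothetical (derived from the UI
# labels), not Aruba Central API fields; the snapshots below are constructed.

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
DEFAULT_NTP = "pool.ntp.org"  # default server named in the guide
MAX_NTP_SERVERS = 4           # "Up to four NTP servers can be configured"


def effective_ntp(settings):
    """Documented precedence: configured server > DHCP option 42 > default."""
    raw = settings.get("ntp_servers", "")
    configured = [s.strip() for s in raw.split(",") if s.strip()]
    if configured:
        return "configured", configured
    if settings.get("dhcp_option_42"):
        return "dhcp-option-42", [settings["dhcp_option_42"]]
    return "default", [DEFAULT_NTP]


def audit(settings):
    """Return (severity, finding_id, message) tuples, most severe first."""
    findings = []
    ntp_source, ntp_servers = effective_ntp(settings)

    if settings.get("telnet_server", False):
        findings.append(("high", "TELNET_ENABLED",
                         "Telnet Server is on; Telnet sessions with the AP CLI are unencrypted."))
    if len(ntp_servers) > MAX_NTP_SERVERS:
        findings.append(("low", "NTP_TOO_MANY",
                         "More than four NTP servers are listed."))

    if settings.get("cluster_deployment", False):
        if not settings.get("cluster_security", False):
            findings.append(("high", "CLUSTER_SECURITY_OFF",
                             "Control plane traffic between cluster nodes is not secured."))
        elif ntp_source == "default" and not settings.get("internet_reachable", True):
            # Cluster security needs Internet access or at least a local NTP server.
            findings.append(("medium", "CLUSTER_NO_TIME_SOURCE",
                             "Cluster Security is on but no reachable NTP server is set."))
        if settings.get("low_assurance_pki", False):
            findings.append(("medium", "LOW_ASSURANCE_PKI",
                             "Low assurance (non-TPM) devices are allowed in the network."))
        if settings.get("auto_join_mode", True):  # enabled by default per the guide
            findings.append(("medium", "AUTO_JOIN_ON",
                             "APs that discover the virtual controller join automatically."))

    ap1x = settings.get("ap1x_type", "none").lower()
    if ap1x == "none":
        if settings.get("wired_8021x_required", False):
            findings.append(("high", "UPLINK_NO_8021X",
                             "Wired 802.1X is required but AP1X is not set on the uplink."))
    else:
        if not settings.get("validate_server", False):
            findings.append(("high", "AP1X_NO_SERVER_VALIDATION",
                             "Validate Server is off; the server certificate is not checked."))
        if ap1x == "peap" and not settings.get("peap_user"):
            findings.append(("medium", "AP1X_PEAP_NO_USER",
                             "PEAP is selected but no PEAP User is configured."))
        if ap1x == "tls" and settings.get("certificate_type", "").lower() != "user":
            findings.append(("medium", "AP1X_TLS_CERT_TYPE",
                             "TLS is selected but Certificate Type is not User."))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


def finding_ids(settings):
    return [fid for _, fid, _ in audit(settings)]


# Constructed sample snapshots.
WEAK = {"cluster_deployment": True, "cluster_security": False,
        "low_assurance_pki": True, "auto_join_mode": True,
        "telnet_server": True, "wired_8021x_required": True, "ap1x_type": "none"}
PARTIAL = {"cluster_deployment": True, "cluster_security": True,
           "internet_reachable": False, "auto_join_mode": False,
           "ap1x_type": "PEAP", "peap_user": "", "validate_server": False}
HARDENED = {"cluster_deployment": True, "cluster_security": True,
            "low_assurance_pki": False, "auto_join_mode": False,
            "telnet_server": False, "ntp_servers": "192.0.2.10, 192.0.2.11",
            "wired_8021x_required": True, "ap1x_type": "tls",
            "certificate_type": "User", "validate_server": True}

if __name__ == "__main__":
    for name, snap in (("WEAK", WEAK), ("PARTIAL", PARTIAL), ("HARDENED", HARDENED)):
        print(name, "NTP source:", effective_ntp(snap)[0])
        for sev, fid, msg in audit(snap):
            print(f"  [{sev}] {fid}: {msg}")
```
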
Configuring Network Profiles on IAPs
This section describes the following procedures:
- Configuring Wireless Network Profiles on IAPs
- Configuring Wireless Networks for Guest Users on IAPs
- Configuring Wired Port Profiles on IAPs
- Configuring Wired Networks for Guest Users on IAPs
- Editing a Wireless Network Profile
- Deleting a Network Profile

Configuring Wireless Network Profiles on IAPs
You can configure up to 14 SSIDs. By enabling Extended SSID in the System > General accordion, you can create up to 16 networks. If more than 16 SSIDs are assigned to a zone and the extended zone option is disabled, an error message is displayed.

This section describes the following topics:
- Creating a Wireless Network Profile
- Configuring VLAN Settings for Wireless Network
- Configuring Security Settings for Wireless Network
- Configuring ACLs for User Access to a Wireless Network
- Viewing Wireless SSID Summary

Creating a Wireless Network Profile
To configure WLAN settings, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, click + Add SSID. The Create a New Network pane is displayed.
6. In General tab, enter a name that is used to identify the network in the Name (SSID) text-box.
7. Under Advanced Settings, configure the following parameters:

Table 121: Advanced Settings Parameters
Parameter: Description

Broadcast/Multicast

Broadcast filtering: Select any of the following values:
- All--The IAP drops all broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols.
- ARP--The IAP drops broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols. Additionally, it converts ARP requests to unicast and sends frames directly to the associated clients. By default, the IAP is configured to ARP mode.
- Unicast ARP Only--This option enables Instant AP to convert ARP requests to unicast frames thereby sending them to the associated clients.
- Disabled--The IAP forwards all the broadcast and multicast traffic to the wireless interfaces.

DTIM Interval: The DTIM Interval indicates the DTIM period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the IAP delivers the buffered broadcast and multicast frames to the associated clients in the power save mode. Range is 1 to 10 beacons. The default value is 1, which means the client checks for buffered data on the IAP at every beacon. You can also configure a higher DTIM value for power saving.

Multicast Transmission Optimization: Select the check-box if you want the IAP to select the optimal rate for sending broadcast and multicast frames based on the lowest of unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent up to a rate of 24 Mbps. The default rate for sending frames for 2.4 GHz is 1 Mbps and that for 5 GHz is 6 Mbps. This option is disabled by default.

Dynamic Multicast Optimization (DMO): Select the check-box to allow IAP to convert multicast streams into unicast streams over the wireless link. Enabling DMO enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients.
NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.

DMO channel utilization threshold: Specify a value to set a threshold for DMO channel utilization.
With DMO, the IAP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeds the maximum value, the IAP sends multicast traffic over the wireless link.
NOTE: This option will be enabled only when Dynamic Multicast Optimization is enabled.

Beacon Rate

2.4 GHz: If the 2.4 GHz band is configured on an AP, specify the transmission rates from the 2.4 GHz drop-down list. By default, the transmission rate is set as 1 Mbps. The minimum transmission rate supported is 1 Mbps and the maximum transmission rate supported is 54 Mbps.

5 GHz: If the 5 GHz band is configured on an AP, specify the transmission rates from the 5 GHz drop-down list. By default, the transmission rate is set to 6 Mbps. The minimum transmission rate supported is 6 Mbps and the maximum transmission rate supported is 54 Mbps.

Zone

Zone: Specify the zone for the SSID. If a zone is configured in the SSID, only the IAP in that zone broadcasts this SSID. If there are no IAPs in the zone, SSID is broadcast. If the IAP cluster has devices running Aruba Instant firmware versions 6.5.4.7 or later, and 8.3.0.0 or later, you can configure multiple AP zones by adding zone names as comma separated values.
NOTE: Aruba recommends that you do not configure zones in both SSID and in the device specific settings of an IAP. If the same zones are configured in SSID and Per AP settings, APs may broadcast the SSIDs, but if the SSIDs and Per AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see Aruba Instant User Guide.

Bandwidth Control

Airtime: Select this to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.

Downstream: Enter the downstream rates within a range of 1 to 65,535 Kbps for the SSID users.
If the assignment is specific for each user, select the Per User check-box.
NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.

Upstream: Enter the upstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per user check-box.
NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.

Each Radio: Select this to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients. The value ranges from 1 through 65535.

Enable 11n: When this option is selected, there is no disabling of High-Throughput (HT) on 802.11n devices for the 5 GHz radio band. If HT is enabled for the 5 GHz radio profile on an IAP, it is automatically enabled for all SSIDs configured on an IAP. By default, HT is enabled on all SSIDs.
NOTE: If you want the 802.11ac IAPs to function as 802.11n IAPs, clear this check-box to disable VHT on these devices.

Enable 11ac: When this option is selected, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an IAP, it is automatically enabled for all SSIDs configured on an IAP. By default, VHT is enabled on all SSIDs.
NOTE: If you want the 802.11ac IAPs to function as 802.11n IAPs, clear this check-box to disable VHT on these devices.

Enable 11ax: When this option is selected, VHT is enabled on the 802.11ax devices. If VHT is enabled for a radio profile on an IAP, it is automatically enabled for all SSIDs configured on an IAP. By default, VHT is enabled on all SSIDs.

WiFi Multimedia

Background Wifi Multimedia Share: Allocates bandwidth for background traffic such as file downloads or print jobs. Specify the appropriate DSCP mapping values within a range of 0–63 for the background traffic in the corresponding DSCP mapping text-box. Enter up to 8 values with no white space and no duplicate single DSCP mapping value.

Best Effort Wifi Multimedia Share: Allocates bandwidth for best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS. Specify the appropriate DSCP mapping values within a range of 0–63 for the best effort traffic in the corresponding DSCP mapping text-box.

Video Wifi Multimedia Share: Allocates bandwidth for video traffic generated from video streaming. Specify the appropriate DSCP mapping values within a range of 0–63 for the video traffic in the corresponding DSCP mapping text-box.

Voice Wifi Multimedia Share: Allocates bandwidth for voice traffic generated from the incoming and outgoing voice communication. Specify the appropriate DSCP mapping values within a range of 0–63 for the voice traffic in the corresponding DSCP mapping text-box.
NOTE: In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best Effort Wifi Multimedia share and Voice Wifi Multimedia Share to allocate a higher bandwidth to clients transmitting best effort and voice traffic.

Traffic Specification (TSPEC): Select this check-box if you want to set the TSPEC for the wireless network. The term TSPEC is used in wireless networks supporting the IEEE 802.11e Quality of Service standard. It defines a series of parameters, characteristics and Quality of Service expectations of a traffic flow.

TSPEC Bandwidth: Enter the bandwidth for the TSPEC.

Spectralink Voice Protocol (SVP): Select this check-box to opt for SVP protocol.

WiFi Multimedia Power Save (UAPSD): Select this check-box to enable WiFi Multimedia Power Save (U-APSD). The U-APSD is a power saving mechanism that is an optional part of the IEEE amendment 802.11e, QoS.

Miscellaneous

Band: Select a check-box to specify the band at which the network transmits radio signals in the Band. You can set the band to 2.4 GHz, 5 GHz, or 6 GHz. 6 GHz Band is only supported for devices with 6 GHz capability.

6GHz Mesh: Turn on the toggle switch to enable 6 GHz mesh, to allow mesh access points to form mesh network. 6 GHz Mesh is only supported for devices with 6 GHz capability.

Content Filtering: Select this option to route all DNS requests for the non-corporate domains to OpenDNS on this network.

Primary Usage: Based on the type of network profile, select one of the following options:
- Mixed Traffic--Select this option to create an employee or guest network profile. The employee network is used by the employees in an organization and it supports passphrase-based or 802.1X-based authentication methods. Employees can access the protected data of an enterprise through the employee network after successful authentication. The guest network is created for guests, visitors, contractors, and any non-employee users who use the enterprise Wi-Fi network. The VC assigns the IP address for the guest clients. Captive portal or passphrase-based authentication methods can be set for this wireless network. Typically, a guest network is an unencrypted network. However, you can specify the encryption settings when configuring a guest network.
- Voice Only--Select this option to configure a network profile for devices that provide only voice services such as handsets or applications that require voice traffic prioritization.
NOTE: When a client is associated with the voice network, all data traffic is marked and placed into the high priority queue in QoS.

Inactivity timeout: Specify an interval for session timeout in seconds, minutes, or hours. If a client session is inactive for the specified duration, the session expires and the user is required to log in again. You can specify a value within the range of 60–86,400 seconds (24 hours) for a client session. The default value is 1000 seconds.
Hide SSID: Select this option if you do not want the SSID to be visible to users.

Disable Network: Select this option if you want to disable the SSID. When selected, the SSID is disabled, but is not removed from the network. By default, all SSIDs are enabled.

Max clients threshold: Specify the maximum number of clients that can be configured for each BSSID on a WLAN. You can specify a value within the range of 0 to 255. The default value is 64.

Local Probe Request Threshold: Select either automatic or manual to set the Local Probe Request Threshold.
  - automatic: The local probe request threshold value changes to the recommended value provided by the AI insights to improve the performance for the indoor Wi-Fi clients. Threshold values are evaluated weekly, and new recommendations will be updated automatically. To revert the applied AI insight recommended values, select manual and specify the threshold value.
  - manual: Specify a threshold value to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls system response for this network profile and ignores probe requests, if required.

Min RSSI for auth request: Select either automatic or manual to set the minimum RSSI for authentication request.
  - automatic: The minimum RSSI for authentication request value changes to the recommended value provided by the AI insights to improve the performance for the indoor Wi-Fi clients. Threshold values are evaluated weekly, and new recommendations will be updated automatically. To revert the applied AI insight recommended values, select manual and specify the threshold value.
  - manual: Enter the minimum RSSI threshold for authentication requests. You can specify an RSSI value within the range of 0 to 100 dB.

Deauth inactive clients: Select this option to allow the IAP to send a de-authentication frame to the inactive client and clear the client entry.
Can be used without uplink: Select this option if you do not want the SSID profile to use the uplink.

Deny inter user bridging: Disables bridging traffic between two clients connected to the same SSID on the same VLAN. When this option is enabled, the clients can connect to the Internet, but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.

Enable SSID when: Select an option from the drop-down list and specify the time period.

Disable SSID when: Select an option from the drop-down list and specify the time period.

Deny Intra VLAN Traffic: Disables intra VLAN traffic to enable client isolation and disable all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client-to-gateway traffic to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities. For more information, see Configuring Client Isolation.

Management Frame Protection: Turn on the Management Frames Protection toggle switch to provide high network security by maintaining data confidentiality of management frames. Management Frame Protection (MFP) establishes encryption keys between the client and Instant AP using the 802.11i framework. For more information, see Configuring Management Frames Protection.

Fine Timing Measurement (802.11mc) Responder Mode: Turn on the toggle switch to enable the fine timing measurement (802.11mc) responder mode.

Time Range Profiles

Time Range Profiles: Ensure that the NTP server connection is active. Select a time range profile from the Time Range Profiles list and apply a status from the drop-down list. Click + New Time Range Profile to create a new time range profile.
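The value ranges and isolation options in the table above can be checked mechanically before a profile is pushed. The following is an added example, not code from Aruba or from this guide: the dictionary keys are hypothetical names that mirror the UI labels (they are not Aruba Central API fields), the DSCP text-box is assumed to take comma-separated values, and the sample profile is constructed.

```python
# Added example. Keys are hypothetical names mirroring the UI labels,
# not Aruba Central API fields; comma-separated DSCP input is assumed.
RANGES = {
    "inactivity_timeout_s": (60, 86400),   # seconds, per the table
    "max_clients_threshold": (0, 255),
    "min_rssi_auth": (0, 100),
}
WMM_CLASSES = ("background", "best_effort", "video", "voice")
ISOLATION_FLAGS = ("deny_inter_user_bridging", "deny_intra_vlan_traffic")

def check_dscp(name, raw):
    """One DSCP text-box: at most 8 values, each 0-63, no spaces, no duplicates."""
    findings = []
    if any(ch.isspace() for ch in raw):
        findings.append(f"{name}: DSCP mapping contains white space")
    values = [v.strip() for v in raw.split(",") if v.strip()]
    if len(values) > 8:
        findings.append(f"{name}: {len(values)} DSCP values, maximum is 8")
    seen = set()
    for v in values:
        if not (v.isascii() and v.isdigit()) or not 0 <= int(v) <= 63:
            findings.append(f"{name}: DSCP value {v!r} outside 0-63")
        elif int(v) in seen:
            findings.append(f"{name}: duplicate DSCP value {v}")
        else:
            seen.add(int(v))
    return findings

def lint_ssid(profile):
    """Return a list of findings for one SSID profile dictionary."""
    findings = []
    for cls in WMM_CLASSES:
        raw = profile.get("dscp", {}).get(cls)
        if raw is not None:
            findings += check_dscp(cls, raw)
    for key, (lo, hi) in RANGES.items():
        val = profile.get(key)
        if val is not None and not lo <= val <= hi:
            findings.append(f"{key}: {val} outside {lo}-{hi}")
    # Guest clients share the SSID with strangers; flag missing isolation.
    if profile.get("guest") and not any(profile.get(f) for f in ISOLATION_FLAGS):
        findings.append("guest SSID without client isolation")
    if not profile.get("management_frame_protection"):
        findings.append("Management Frame Protection is off")
    return findings

SAMPLE = {  # constructed profile, not taken from a real deployment
    "guest": True, "inactivity_timeout_s": 30, "max_clients_threshold": 64,
    "dscp": {"voice": "46,48,46", "video": "34, 36", "background": "8,64"},
    "management_frame_protection": False,
}

if __name__ == "__main__":
    print("\n".join(lint_ssid(SAMPLE)))
```
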
For more information on time range profiles, see Configuring Time-Based Services for Wireless Network Profiles.

Configuring VLAN Settings for Wireless Network

To configure VLAN settings for an SSID, complete the following steps:

1. In the VLANs tab, select any of the following options for Client IP Assignment:
  - Instant AP assigned: When selected, the client obtains the IP address from the VC.
  - External DHCP server assigned: When selected, the client obtains the IP address from the network.
2. Based on the type of client IP assignment mode selected, configure the following parameters:

Table 122: VLANs Parameters

Instant AP assigned: When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnet and VLAN on the IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on IAPs. If this option is selected, specify any of the following options in Client VLAN Assignment:
  - Internal VLAN: Assigns IP address to the client in the same subnet as the IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
  - Custom: Allows you to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. When this option is selected, select the scope from the VLAN ID drop-down list.

External DHCP server assigned: When this option is selected, specify any of the following options in Client VLAN Assignment:
  - Static: In VLAN ID, specify a VLAN ID for a single VLAN(s). If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID.
    - To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, comp