Aruba Central On-Premises 2.5.6
User Guide

Copyright Information
© Copyright 2023 Hewlett Packard Enterprise Development LP.
This product includes code licensed under certain open source licenses which require source compliance. The corresponding source for these components is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, please check if the code is available in the HPE Software Center at https://myenterpriselicense.hpe.com/cwp-ui/software but, if not, send a written request for specific software version and product for which you want the open source code. Along with the request, please send a check or money order in the amount of US $10.00 to:
Hewlett Packard Enterprise Company Attn: General Counsel WW Corporate Headquarters 1701 E Mossy Oaks Rd Spring, TX 77389 United States of America.

Contents

About this Guide
  Intended Audience
  Related Documents
  Conventions
  Contacting Support
About Aruba Central On-Premises
  Key Features
  Supported Web Browsers
  Terminology Change
  Supported Devices
What's New
  Important Notes
  New Features
  Enhancements
Getting Started with Aruba Central On-Premises
  Provisioning Workflow
  Accessing Aruba Central On-Premises
  Features Requiring Internet Access
  Scaling Devices for Aruba Central On-Premises
  Dashboard Overview
  Quick Actions
  Resource Restriction Policies
  Managing Users and Roles
  Creating a Group
  Managing Devices and Device Subscriptions
  Assigning Labels
  Assigning Sites
  Connecting Aruba APs to Aruba Central On-Premises
  Connecting Aruba Switches to Aruba Central
  Configuring Communication Ports
  Verifying Device Configuration Status
  Local Overrides
  Device Replacement
  About the Aruba Central On-Premises App User Interface
  Using the Search Bar
  Command Line Interface
  IPv6 Support
Managing Licenses
  Changes to the Legacy Licensing Model
  Supported Devices
Managing Authentication Methods
  Configuring Local Authentication
  Single Sign-On Management
  Configuring SAML SSO for HPE GreenLake
  How SAML SSO Works
  Ways to Configure HPE GreenLake SAML SSO
  Understanding HPE GreenLake SAML Attributes
  Syntax requirements for HPE GreenLake SAML attributes
  Configuring a RADIUS Authentication and Authorization
  Configuring Radius Service in Aruba ClearPass Policy Manager
  Radius Server User Roles
Upgrading Device Firmware
  Viewing Firmware Details
  Firmware Maintenance Window
  Uploading a Software Image
  Upgrading a Single Device or Multiple Devices
  Upgrading Devices using Upgrade All Option
  Setting Firmware Compliance For Access Points
  Setting Firmware Compliance For Switches
  Setting Firmware Compliance For Controllers
Network Structure
  Viewing the Network Structure Page
  Managing Groups
  Managing Sites and Labels
  Device Preprovisioning
  Managing Certificates
System Management
  Viewing System Management
  Viewing System Performance
  Aruba Central On-Premises Upgrade
  Version
  Network
  External Services
  Backing up and Restoring Aruba Central System Data
  Migrating the AirWave Server
The AI Insights Dashboard
  Wi-Fi Connectivity
  Connectivity Alerts
  Insight Context Cards
  Clients with High Number of Wi-Fi Association Failures
  Clients with High Number of MAC Authentication Failures
  Clients with DHCP Server Connection Problems
  Clients with High Wi-Fi Security Key-Exchange Failures
  Clients with High 802.1X Authentication Failures
  Clients with Captive Portal Authentication Problems
  AOS-CX Switch Ports with High Power-over-Ethernet Problems
  AOS-S Switch Ports with High Power-over-Ethernet Problems
Managing APs
  Supported APs
  Supported IAP Events
  Configuring IAPs
  Monitoring APs
Managing AOS-CX Switches
  Getting Started with AOS-CX Deployments
  Configuring AOS-CX Switches using Templates
  Configuring AOS-CX Switches in UI Groups
  Managing an AOS-CX VSF Stack
  Aruba Central NetConductor Overview
Configuring AOS-S Switches
  Getting Started with AOS-S Deployments
  Configuring AOS-S Switches using Templates
  Configuring AOS-S Switches in UI Groups
  AOS-S Stack
  Replacing an AOS-S Switch
Managing Controllers
  Before You Begin
  Supported Aruba Mobility Controllers
  Adding Mobility Controllers
  Deleting a Controller
  Creating a WebSocket Connection
  The Controller Dashboard
Monitoring Your Network
  Network Overview
  Network Health
  About Floor Plan
  Alerts & Events
  Reports
  RAPIDS
  Viewing Audit Trail
  Accessing and Exporting Audit Logs
  Monitoring Sites in the Topology Tab
All Clients
  Client Overview
  Client Details
Application Visibility
  Viewing Visibility Dashboard
  Graph View in Visibility Dashboard
  Applications
  Websites
  Blocked Traffic
Using Troubleshooting Tools
  Troubleshooting Network Issues
  Troubleshooting Device Issues
  Advanced Device Troubleshooting
  Troubleshooting System Issues
Unified Communications
  Licensing
  Configuring UCC
  Monitoring UCC in List View
  Monitoring UCC in Summary View
Webhook
  Creating and Updating Webhooks Through the UI
  Viewing and Editing Webhooks
  Refreshing Webhooks Token Through the UI
  Creating and Updating Webhooks Through the API Gateway
  Integrating Aruba Central with ServiceNow
API Gateway
  Accessing API Gateway
  Viewing Swagger Interface
  List of Supported APIs
  Creating Application and Token
  Using OAuth 2.0 for Authentication
  Obtaining Token Using Offline Token Mechanism
  Obtaining Token Using OAuth Grant Mechanism
  Viewing Usage Statistics
  Changes to Aruba Central APIs
  Streaming APIs
Related Information
  Aruba Central On-Premises Release Notes
  Aruba Central On-Premises 2.5.6 PDF Documents
  Aruba Central APIs
  ArubaOS and Aruba Instant Documentation
  Aruba Switch Documentation
  Accessing Documentation on Support Sites

Chapter 1 About this Guide

This user guide describes the features supported by Aruba Central On-Premises and provides detailed instructions to set up and configure devices such as Campus APs, Remote APs, Instant APs, Switches, and Controllers. In Aruba Central On-Premises, the only access points that you can configure are Instant APs; Campus APs and Remote APs are supported for monitoring only, alongside Instant APs.

Intended Audience
This guide is intended for system administrators who configure and monitor their network using Aruba Central On-Premises.

Related Documents
In addition to this document, the Aruba Central On-Premises product documentation includes the following documents:
- Aruba Central On-Premises Installation and Setup Guide
- Aruba Central On-Premises Migration Guide
- Aruba Central On-Premises API Reference Guide
- Aruba Central On-Premises Release Notes

Conventions
The following conventions are used throughout this guide to emphasize important concepts:

Table 1: Typographical Conventions

Type Style     Description
Italics        This style is used to emphasize important terms and to mark the titles of books.
System items   This fixed-width font depicts sample screen output and system prompts.
Bold           Keys that are pressed, text typed into a GUI element, and GUI elements that are clicked or selected.

The following informational icons are used throughout this guide:
- Note: Indicates helpful suggestions, pertinent information, and important things to remember.
- Caution: Indicates a risk of damage to your hardware or loss of data.
- Warning: Indicates a risk of personal injury or death.

Contacting Support

Table 2: Contact Information

Main Site                                   arubanetworks.com
Support Site                                asp.arubanetworks.com
Airheads Social Forums and Knowledge Base   community.arubanetworks.com
North American Telephone                    1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephone                     arubanetworks.com/support-services/contact-support/
Software Licensing Site                     lms.arubanetworks.com
End-of-life Information                     arubanetworks.com/support-services/end-of-life/
Security Incident Response Team             Site: arubanetworks.com/support-services/security-bulletins/
                                            Email: [email protected]

Chapter 2 About Aruba Central On-Premises

Aruba Central On-Premises is a variant of Aruba Central, a SaaS platform that offers a single intelligent console to monitor, analyze, and configure WLAN and wired networks. Aruba Central On-Premises makes it easy and efficient to manage your networks by combining industry-leading functionality with an intuitive user interface, and enables network administrators and help desk staff to support and control the network on your premises. The features are designed to manage, maintain, and analyze your network.

Aruba Central On-Premises is for organizations that do not want their data in the cloud because of business operations and policies regarding confidentiality, security, downtime, loss of data, and so on. It provides the same agility and efficiency of cloud services as Aruba Central while adhering to stringent regulatory and compliance requirements.

Aruba Central On-Premises is now integrated as one of the apps within the on-premises version of HPE GreenLake, which resides on the user's premises. The on-premises version of the platform provides common services such as user management, device inventory, and subscription management. Customers fully own and control the appliance and access to the appliance. No data is sent off-premises, with one exception: for subscription management, Aruba Central On-Premises 2.5.5.0 continues to communicate with HPE's global licensing (GLIS) server.
Key Features
Aruba Central On-Premises offers the following key features and benefits:
- Zero Touch Provisioning--Automatic provisioning to simplify device onboarding and deployment.
- GreenLake Account Home--Provides services such as user management, device inventory, and subscription management.
- Network-wide health monitoring--Comprehensive view of the network, device status, health, and application usage at Global, Site, Label, and client levels.
- Application visibility--Detailed information about the data usage of the clients connected to devices in the network and analysis of the client traffic flow.
- Reporting wizard--Generate scheduled or on-demand reports for the Clients, Infrastructure, Security Compliance, and Applications categories. You can also download reports in PDF and CSV formats.
- Network security--Strict policy and compliance control for the overall security of the network.
- API integration--APIs and webhooks support for extensibility with third-party software.
- AI Insights--Identify and resolve Wi-Fi connectivity issues, along with logical and actionable insights about the root cause.
- Built-in alerts and troubleshooting tools--Live events and packet capture logs for troubleshooting or performing diagnostic tests on devices and networks.
- Threat detection and prevention--Block malicious links or payloads and quickly respond to rogue APs or suspicious traffic.
- Cluster configuration--Aruba Central On-Premises supports up to a 7-node cluster. A cluster is the recommended architecture for high performance, easy management, scalability, and flexibility. Aruba Central On-Premises can also be installed as a single node.

Adding devices, managing licenses, and assigning users and roles are now performed through HPE GreenLake account home.

Supported Web Browsers
To view the Aruba Central On-Premises UI, ensure that JavaScript is enabled on the web browser.

Table 3: Browser Compatibility Matrix

Browser Version                                                                 Operating System
Google Chrome 108.0.5359.71 or later                                            Windows 10 or later, and macOS
Mozilla Firefox 107.0.1 or later                                                Windows 10 or later, and macOS
Safari 15.4 (17613.1.17.1.13) or later                                          macOS
Microsoft Edge (Microsoft Edge 92.0.902.62 and Microsoft EdgeHTML 18.19041) or later   Windows 10 or later, and macOS

What you see depends on who you are and what you have
The content of any screen you access through HPE GreenLake account home depends on a combination of the following:
- Who you are--the effective permissions you have, which depend on the roles to which you are assigned.
- What you have--the services your organization has purchased or the services that you have been offered to use.


Terminology Change
As part of advancing HPE's commitment to racial justice, we are taking a much-needed step in overhauling HPE engineering terminology to reflect our belief system of diversity and inclusion. Some legacy products and publications may continue to include terminology that seemingly evokes bias against specific groups of people. Such content is not representative of our HPE culture and moving forward, Aruba will replace racially insensitive terms and instead use the following new language:

Usage                                Old Language           New Language
Campus Access Points + Controllers   Master-Slave           Conductor-Member
Instant Access Points                Master-Slave           Conductor-Member
Switch Stack                         Master-Slave           Conductor-Member
Wireless LAN Controller              Mobility Master        Mobility Conductor
Firewall Configuration               Blacklist, Whitelist   Denylist, Allowlist
Types of Hackers                     Black Hat, White Hat   Unethical, Ethical

Supported Devices
This section provides the following information:
- Supported APs
- Supported AOS-S Platforms
- Supported AOS-CX Platforms
- Supported Aruba Mobility Controllers

Supported APs
Aruba Central On-Premises supports the following types of Aruba access points (APs).
- Instant APs--The Instant Access Point (IAP) based WLAN solution consists of a cluster of access points in a Layer 2 subnet. The IAPs serve a dual role as both Virtual Controller (VC) and member APs. The IAP WLAN solution does not require dedicated controller hardware and can be deployed through a simplified setup process appropriate for smaller organizations, or for multiple geographically dispersed locations without an on-site administrator. IAPs run the Aruba Instant software. Aruba Central On-Premises supports both monitoring and management of IAPs: network administrators can configure, monitor, and troubleshoot IAP WLANs, upload new software images, generate reports, and perform other vital management tasks from remote locations.
- Campus APs--Campus Access Points (CAPs) are used in private networks where APs connect over private links (LAN, WLAN, WAN, or MPLS) and terminate directly on controllers. Campus APs are deployed as part of the indoor campus solution in enterprise office buildings, warehouses, hospitals, universities, and so on. Aruba Central On-Premises supports only onboarding and monitoring of Campus APs.
- Remote APs--Remote Access Points (RAPs) allow users at remote locations to connect to an Aruba controller over the Internet. Because the path crosses the Internet, data traffic between the controller and the remote AP is VPN encapsulated, that is, encrypted. Remote AP operation is supported on all Aruba APs.

Supported APs
Aruba Central On-Premises supports the following AP platforms and Aruba Instant software versions:

Table 4: Supported AP Platforms

AP Platform   Installation Mode   Minimum Supported Aruba Instant Version   Latest Validated Aruba Instant Version
AP-655        Indoor              8.10.0.1                                  8.11.1.0
AP-635        Indoor              8.9.0.0                                   8.11.0.0
AP-615        Indoor              8.11.0.0                                  8.11.0.0
AP-587EX      Outdoor             8.10.0.0                                  8.11.0.0
AP-587        Outdoor             8.10.0.0                                  8.11.0.0
AP-585EX      Outdoor             8.10.0.0                                  8.11.0.0
AP-585        Outdoor             8.10.0.0                                  8.11.0.0
AP-584        Outdoor             8.10.0.0                                  8.11.0.0
AP-577EX      Outdoor             8.7.0.0                                   8.11.0.0
AP-577        Outdoor             8.7.0.0                                   8.11.0.0
AP-575EX      Outdoor             8.7.0.0                                   8.11.0.0
AP-575        Outdoor             8.7.0.0                                   8.11.0.0
AP-574        Outdoor             8.7.0.0                                   8.11.0.0
AP-567EX      Outdoor             8.7.1.0                                   8.11.0.0
AP-567        Outdoor             8.7.1.0                                   8.11.0.0
AP-565EX      Outdoor             8.7.1.0                                   8.11.0.0
AP-565        Outdoor             8.7.1.0                                   8.11.0.0
AP-555        Indoor              8.6.0.0                                   8.11.0.0
AP-535        Indoor              8.6.0.0                                   8.11.0.0
AP-534        Indoor              8.6.0.0                                   8.11.0.0
AP-518        Indoor              8.7.0.0                                   8.11.0.0
AP-515        Indoor              8.6.0.0                                   8.11.0.0
AP-514        Indoor              8.6.0.0                                   8.11.0.0
AP-505H       Indoor              8.7.0.0                                   8.11.0.0
AP-505        Indoor              8.6.0.0                                   8.11.0.0
AP-504        Indoor              8.6.0.0                                   8.11.0.0
AP-503H       Indoor              8.7.1.0                                   8.11.0.0
AP-387        Outdoor             8.6.0.0                                   8.10.0.0
AP-377EX      Outdoor             8.6.0.0                                   8.11.0.0
AP-377        Outdoor             8.6.0.0                                   8.11.0.0
AP-375ATEX    Outdoor             8.10.0.0                                  8.11.0.0
AP-375EX      Outdoor             8.6.0.0                                   8.11.0.0
AP-375        Outdoor             8.6.0.0                                   8.11.0.0
AP-374        Outdoor             8.6.0.0                                   8.11.0.0
AP-367        Outdoor             6.5.4.8                                   8.11.0.0
AP-365        Outdoor             6.5.4.8                                   8.11.0.0
AP-345        Indoor              8.6.0.0                                   8.10.0.0
AP-344        Indoor              8.6.0.0                                   8.10.0.0
AP-318        Indoor              8.6.0.0                                   8.11.0.0
AP-303P       Indoor              8.6.0.0                                   8.11.0.0
AP-303H       Indoor              6.5.4.8                                   8.11.0.0
AP-303        Indoor              8.6.0.0                                   8.11.0.0
AP-203RP      Indoor              6.5.4.8                                   8.10.0.0
AP-203R       Indoor              6.5.4.8                                   8.10.0.0
AP-203H       Indoor              6.5.4.8                                   8.10.0.0
IAP-335       Indoor              6.5.4.8                                   8.10.0.0
IAP-334       Indoor              6.5.4.8                                   8.10.0.0
IAP-325       Indoor              6.5.4.8                                   8.10.0.0
IAP-324       Indoor              6.5.4.8                                   8.10.0.0
IAP-315       Indoor              6.5.4.8                                   8.11.0.0
IAP-314       Indoor              6.5.4.8                                   8.11.0.0
IAP-305       Indoor              6.5.4.8                                   8.11.0.0
IAP-304       Indoor              6.5.4.8                                   8.11.0.0
IAP-277       Outdoor             6.5.4.3                                   8.6.0.0
IAP-275       Outdoor             6.5.4.3                                   8.6.0.0
IAP-274       Outdoor             6.5.4.3                                   8.6.0.0
IAP-207       Indoor              6.5.4.8                                   8.10.0.0
IAP-205H      Indoor              6.5.4.8                                   6.5.4.8
IAP-205       Indoor              6.5.4.8                                   6.5.4.8
IAP-204       Indoor              6.5.4.8                                   6.5.4.8
RAP-109       Indoor              4.2.4.21                                  4.2.4.21
RAP-108       Indoor              4.2.4.21                                  4.2.4.21
RAP-3WN       Indoor              4.2.4.21                                  4.2.4.21
RAP-3WNP      Indoor              4.2.4.21                                  4.2.4.21

- IAP-203H, IAP-203R, IAP-203RP, IAP-207, IAP-324, IAP-325, IAP-334, IAP-335, IAP-344, IAP-345, and IAP-387 are no longer supported from Aruba Instant 8.11.0.0 onwards.
- IAP-214, IAP-215, IAP-224, IAP-225, IAP-228, IAP-274, IAP-275, and IAP-277 are no longer supported from Aruba Instant 8.7.0.0 onwards.
- IAP-103, IAP-204, IAP-205, and IAP-205H are no longer supported from Aruba Instant 8.3.0.0 onwards.
- By default, AP-318, AP-374, AP-375, and AP-377 IAPs have Eth1 as the uplink port and Eth0 as the downlink port. Aruba does not recommend upgrading these IAPs to Aruba Instant 8.5.0.0 or 8.5.0.1, as the upgrade process changes the uplink port from Eth1 to Eth0 and makes the devices unreachable.

Supported Campus APs and Remote APs
Aruba Central On-Premises supports the following Campus AP and Remote AP platforms and ArubaOS software versions:

AP Platform   Minimum Supported ArubaOS Version   Latest Validated ArubaOS Version
AP-655        8.10.0.0                            8.11.0.0
AP-635        8.9.0.0                             8.11.0.0
AP-615        8.11.0.0                            8.11.0.0
AP-587EX      8.10.0.0                            8.11.0.0
AP-587        8.10.0.0                            8.11.0.0
AP-585EX      8.10.0.0                            8.11.0.0
AP-585        8.10.0.0                            8.11.0.0
AP-584        8.10.0.0                            8.11.0.0
AP-577EX      8.7.0.0                             8.11.0.0
AP-577        8.7.0.0                             8.11.0.0
AP-575EX      8.7.0.0                             8.11.0.0
AP-575        8.7.0.0                             8.11.0.0
AP-574        8.7.0.0                             8.11.0.0
AP-567EX      8.8.0.0                             8.11.0.0
AP-567        8.8.0.0                             8.11.0.0
AP-565EX      8.8.0.0                             8.11.0.0
AP-565        8.8.0.0                             8.11.0.0
AP-555        8.6.0.0                             8.11.0.0
AP-535        8.6.0.0                             8.11.0.0
AP-534        8.6.0.0                             8.11.0.0
AP-518        8.7.0.0                             8.11.0.0
AP-515        8.6.0.0                             8.11.0.0
AP-514        8.6.0.0                             8.11.0.0
AP-505HR      8.6.0.0                             8.11.0.0
AP-505H       8.6.0.0                             8.11.0.0
AP-505        8.6.0.0                             8.11.0.0
AP-504        8.6.0.0                             8.11.0.0
AP-503HR      8.8.0.0                             8.11.0.0
AP-503H       8.8.0.0                             8.11.0.0
AP-387        8.6.0.0                             8.10.0.0
AP-377EX      8.6.0.0                             8.11.0.0
AP-377        8.6.0.0                             8.11.0.0
AP-375EX      8.6.0.0                             8.11.0.0
AP-375        8.6.0.0                             8.11.0.0
AP-374        8.6.0.0                             8.11.0.0
AP-367        8.6.0.0                             8.11.0.0
AP-365        8.6.0.0                             8.11.0.0
AP-345        8.6.0.0                             8.10.0.0
AP-344        8.6.0.0                             8.10.0.0
AP-335        8.6.0.0                             8.10.0.0
AP-334        8.6.0.0                             8.10.0.0
AP-325        8.6.0.0                             8.10.0.0
AP-324        8.6.0.0                             8.10.0.0
AP-318        8.6.0.0                             8.11.0.0
AP-315        8.6.0.0                             8.11.0.0
AP-314        8.6.0.0                             8.11.0.0
AP-305        8.6.0.0                             8.11.0.0
AP-304        8.6.0.0                             8.11.0.0
AP-303P       8.6.0.0                             8.11.0.0
AP-303H       8.6.0.0                             8.11.0.0
AP-303        8.6.0.0                             8.11.0.0
AP-277        8.6.0.0                             8.10.0.0
AP-275        8.6.0.0                             8.10.0.0
AP-274        8.6.0.0                             8.10.0.0
AP-207        8.6.0.0                             8.10.0.0
AP-205H       8.6.0.0                             8.10.0.0
AP-205        8.6.0.0                             8.10.0.0
AP-204        8.6.0.0                             8.10.0.0
AP-203RP      8.6.0.0                             8.10.0.0
AP-203R       8.6.0.0                             8.10.0.0
AP-203H       8.6.0.0                             8.10.0.0
RAP-109       8.6.0.0                             8.6.0.0
RAP-108       8.6.0.0                             8.6.0.0
AP-103H       8.3.0.0                             8.3.0.0
RAP-3WN       8.6.0.0                             8.6.0.0
RAP-3WNP      8.6.0.0                             8.6.0.0

- AP-615, AP-635, and AP-655 are Wi-Fi 6E capable APs that support the 6 GHz radio band in addition to the 2.4 GHz and 5 GHz radio bands.
- The tri-radio feature is available only for AP-555. In the 5 GHz tab, the Radio 5 GHz (Secondary) data is available only if tri-radio mode is enabled. For more information, see the About Tri-Radio Mode section in the latest Aruba Central On-Premises user guide.
- For more information about Aruba's End-of-life policy and the timelines for hardware and software products at the end of their lives, see: https://www.arubanetworks.com/support-services/end-of-life/
- Data sheets and technical specifications for the supported AP platforms are available at: https://www.arubanetworks.com/products/networking/access-points/

Supported AOS-S Platforms

- To manage your AOS-S switches using Aruba Central On-Premises, ensure that the switch software is upgraded to 16.09.0010 or a later version. If you already have switches running lower software versions in your account, you can continue to manage these devices from Aruba Central On-Premises.
- Downgrading AOS-S switches from the latest version to an earlier major version is not recommended if the switches are managed in UI groups. Features that are not supported or not managed by Aruba Central On-Premises on the earlier AOS-S version can be lost from the configuration when the firmware is changed to the earlier major version.

The following table lists the switch platforms, the corresponding software versions supported in Aruba Central On-Premises, and switch stacking details.

Table 5: Supported AOS-S Switch Series, Software Versions, and Switch Stacking

Aruba 2540 Switch Series
  Supported software versions:     YC.16.08.0019 and later; YC.16.09.0015 and later; YC.16.10.0012 and later; YC.16.11.0002
  Recommended software versions:   YC.16.08.0026; YC.16.09.0021; YC.16.10.0022; YC.16.11.0006
  Switch stacking support:         N/A
  Stack type (Frontplane (VSF) / Backplane (BPS)):   N/A
  Configuration group type for stacking (UI / Template):   N/A

Aruba 2920 Switch Series
  Supported software versions:     WB.16.08.0019 and later; WB.16.09.0015 and later; WB.16.10.0011 and later; WB.16.11.0002
  Recommended software versions:   WB.16.08.0026; WB.16.09.0021; WB.16.10.0022; WB.16.11.0006
  Switch stacking support:         Yes
  Stack type (Frontplane (VSF) / Backplane (BPS)):   BPS
  Switch software dependency for stacking:   WB.16.08.0019 and later; WB.16.09.0015 and later; WB.16.10.0011 and later; WB.16.11.0002
  Configuration group type for stacking (UI / Template):   UI and Template

Aruba 2930F Switch Series
  Supported software versions:     WC.16.08.0019 and later; WC.16.09.0015 and later; WC.16.10.0012 and later; WC.16.11.0002
  Recommended software versions:   WC.16.08.0026; WC.16.09.0021; WC.16.10.0022; WC.16.11.0006
  Switch stacking support:         Yes
  Stack type (Frontplane (VSF) / Backplane (BPS)):   VSF
  Switch software dependency for stacking:   WC.16.08.0019 and later; WC.16.09.0015 and later; WC.16.10.0012 and later; WC.16.11.0002
  Configuration group type for stacking (UI / Template):   UI and Template

Aruba 2930M Switch Series
  Supported software versions:     WC.16.08.0019 and later; WC.16.09.0015 and later; WC.16.10.0012 and later; WC.16.11.0002
  Recommended software versions:   WC.16.08.0026; WC.16.09.0021; WC.16.10.0022; WC.16.11.0006
  Switch stacking support:         Yes
  Stack type (Frontplane (VSF) / Backplane (BPS)):   BPS
  Switch software dependency for stacking:   WC.16.08.0019 and later; WC.16.09.0015 and later; WC.16.10.0012 and later; WC.16.11.0002
  Configuration group type for stacking (UI / Template):   UI and Template

Aruba 3810 Switch Series
  Supported software versions:     KB.16.08.0019 and later; KB.16.09.0015 and later; KB.16.10.0012 and later; KB.16.11.0002
  Recommended software versions:   KB.16.08.0026; KB.16.09.0021; KB.16.10.0022; KB.16.11.0006
  Switch stacking support:         Yes
  Stack type (Frontplane (VSF) / Backplane (BPS)):   BPS
  Switch software dependency for stacking:   KB.16.08.0019 and later; KB.16.09.0015 and later; KB.16.10.0012 and later; KB.16.11.0002
  Configuration group type for stacking (UI / Template):   UI and Template

Aruba 5400R Switch Series
  Supported software versions:     KB.16.08.0019 and later; KB.16.09.0015 and later; KB.16.10.0012 and later; KB.16.11.0002
  Recommended software versions:   KB.16.08.0026; KB.16.09.0021; KB.16.10.0022; KB.16.11.0006
  Switch stacking support:         Yes
  Stack type (Frontplane (VSF) / Backplane (BPS)):   VSF
  Switch software dependency for stacking:   KB.16.08.0019 and later; KB.16.09.0015 and later; KB.16.10.0012 and later; KB.16.11.0002
  Configuration group type for stacking (UI / Template):   Template only

Provisioning and configuring of Aruba 5400R switches and Aruba 5400R switch stacks is supported only using configuration templates. Aruba Central On-Premises does not support moving Aruba 5400R switches from a template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, the device is moved to an unprovisioned group after it joins.
Data sheets and technical specifications for the supported switch platforms are available at: https://www.arubanetworks.com/products/switches/.

Supported AOS-CX Platforms
The following table lists the AOS-CX platforms and corresponding software versions supported in Aruba Central On-Premises.
The version listed under the Recommended Version column on the Firmware page in the Aruba Central On-Premises web UI is the version that HPE Aruba Networking recommends to obtain the best experience from Aruba devices.

Table 6: Supported AOS-CX Switch Series and Software Versions

Switch Platform                  Supported Software Version           Latest Software Version   Supported Configuration Group Type (UI / Template)
AOS-CX 4100i Switch Series       10.10.1000 and later                 10.11.xxxx                UI and Template
AOS-CX 6000 Switch Series        10.10.1000 and later                 10.11.xxxx                UI and Template
AOS-CX 6100 Switch Series        10.06.0200, 10.10.1000 and later     10.11.xxxx                UI and Template
AOS-CX 6200 Switch Series        10.06.0200, 10.10.1000 and later     10.11.xxxx                UI and Template
AOS-CX 6300 Switch Series        10.06.0200, 10.10.1010 and later     10.11.xxxx                UI and Template
AOS-CX 6400 Switch Series        10.06.0200, 10.10.1000 and later     10.11.xxxx                UI and Template
AOS-CX 6400V2 Switch Series      10.10.1000 and later                 10.11.xxxx                UI and Template
AOS-CX 8320 Switch Series        10.06.0200, 10.10.1000 and later     10.11.xxxx                UI and Template
AOS-CX 8325 Switch Series        10.06.0200, 10.10.1000 and later     10.11.xxxx                UI and Template
AOS-CX 8360 Switch Series        10.06.0200, 10.10.1000 and later     10.11.xxxx                UI and Template
AOS-CX 8360V2 Switch Series      10.10.1000 and later                 10.11.xxxx                UI and Template
AOS-CX 8400 Switch Series        10.06.0200, 10.10.1000 and later     10.11.xxxx                UI and Template
AOS-CX 9300 Switch Series        10.10.1000 and later                 10.11.xxxx                UI and Template
AOS-CX 10000 Switch Series       10.10.1000 and later                 10.11.xxxx                UI and Template

Data sheets and technical specifications for the supported switch platforms are available at: https://www.arubanetworks.com/products/Switches/.

Supported Aruba Mobility Controllers
Aruba Central On-Premises supports provisioning, management, and monitoring of the following Aruba Mobility Controllers.
The following table lists the supported Mobility Controllers and the latest validated software versions.

Table 7: Supported Devices and Software Versions

Supported Device                                          Latest Validated Software Versions
Aruba 7000 Series Mobility Controllers                    8.7.1.9; 8.8.0.0; 8.9.0.0; 8.10.0.3
Aruba 7200 Series Mobility Controllers                    8.7.1.9; 8.8.0.0; 8.9.0.0; 8.10.0.3
Aruba 9004 non-LTE and Aruba 9240 Mobility Controllers    8.8.0.0; 8.9.0.0; 8.10.0.3

NOTE:
- The WebSocket connection from a controller to Aruba Central On-Premises must be set up manually.
- The minimum software version required for monitoring controller clusters and Mobility Conductor managed networks is ArubaOS 8.2.1.0.
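The support matrices in this section are the input to a routine pre-onboarding check: which devices in an inventory export are below the minimum version, run a firmware train that has dropped their model, report an image from the wrong platform family, or run a build newer than anything validated. The following Python script is an added example, not code from this guide or from HPE Aruba Networking. It copies a handful of rows from Tables 4 and 5, parses the two version-string shapes those tables use (dotted Aruba Instant versions such as 8.10.0.1, and AOS-S versions with a platform-code prefix such as WC.16.10.0012), and classifies each device. The inventory records, and the model name AP-999, are constructed for the example. It also flags a cross-train AOS-S downgrade, which the AOS-S section above advises against for switches managed in UI groups.

```python
"""Firmware compatibility check against the Aruba Central On-Premises support matrix.

Added example; not code from the guide or from HPE Aruba Networking. MATRIX rows
are copied from Tables 4 (Instant APs) and 5 (AOS-S) of the guide; INVENTORY is
constructed for the example.
"""
from dataclasses import dataclass
import re
from typing import Optional

AOSS_RE = re.compile(r"^([A-Z]{2})\.(\d+)\.(\d+)\.(\d+)$")   # e.g. WC.16.10.0012
DOTTED_RE = re.compile(r"^\d+(\.\d+)+$")                     # e.g. 8.10.0.1


def parse_version(v: str) -> tuple[Optional[str], tuple[int, ...]]:
    """Split a version string into (platform code or None, numeric fields)."""
    m = AOSS_RE.match(v)
    if m:
        return m.group(1), tuple(int(x) for x in m.groups()[1:])
    if DOTTED_RE.match(v):
        return None, tuple(int(x) for x in v.split("."))
    raise ValueError(f"unrecognised version string: {v!r}")


def version_ge(a: str, b: str) -> bool:
    """True if a >= b. Both must belong to the same version family."""
    ca, na = parse_version(a)
    cb, nb = parse_version(b)
    if ca != cb:
        raise ValueError(f"{a} and {b} are different version families")
    width = max(len(na), len(nb))        # zero-pad so 8.11 compares equal to 8.11.0.0
    return na + (0,) * (width - len(na)) >= nb + (0,) * (width - len(nb))


def train(v: str) -> tuple:
    """Release train: platform code plus major.minor, e.g. ('WC', 16, 10)."""
    code, nums = parse_version(v)
    return (code,) + nums[:2]


@dataclass(frozen=True)
class SupportRow:
    minimums: tuple[str, ...]                # one minimum per supported train
    latest_validated: str
    unsupported_from: Optional[str] = None   # first train that dropped the model


MATRIX = {
    "AP-655":      SupportRow(("8.10.0.1",), "8.11.1.0"),
    "AP-515":      SupportRow(("8.6.0.0",), "8.11.0.0"),
    "IAP-207":     SupportRow(("6.5.4.8",), "8.10.0.0", unsupported_from="8.11.0.0"),
    "IAP-205":     SupportRow(("6.5.4.8",), "6.5.4.8", unsupported_from="8.3.0.0"),
    "Aruba 2930F": SupportRow(("WC.16.08.0019", "WC.16.09.0015",
                               "WC.16.10.0012", "WC.16.11.0002"), "WC.16.11.0006"),
}


def compliance(model: str, running: str) -> str:
    """Classify a device's running firmware against the matrix."""
    row = MATRIX.get(model)
    if row is None:
        return "unknown-model"
    if parse_version(running)[0] != parse_version(row.minimums[0])[0]:
        return "wrong-image-family"        # e.g. a WB image reported by a WC platform
    if row.unsupported_from and version_ge(running, row.unsupported_from):
        return "model-dropped"             # train no longer ships this model
    if len(row.minimums) == 1:
        if not version_ge(running, row.minimums[0]):
            return "below-minimum"
    else:
        same_train = [m for m in row.minimums if train(m) == train(running)]
        if same_train:
            if not version_ge(running, same_train[0]):
                return "below-minimum"     # right train, patch level too low
        elif not version_ge(running, row.minimums[-1]):
            return "below-minimum"         # train older than anything listed
    if not version_ge(row.latest_validated, running):
        return "newer-than-validated"      # may run, but not a validated combination
    return "supported"


def is_cross_train_downgrade(current: str, target: str) -> bool:
    """True when target sits on an older release train than current."""
    return train(target) < train(current)


# Constructed inventory in the shape an API export or CSV would provide.
INVENTORY = [
    ("AP-655", "8.11.0.0"),
    ("AP-515", "8.5.0.0"),
    ("IAP-207", "8.11.0.0"),
    ("IAP-205", "6.5.4.8"),
    ("Aruba 2930F", "WC.16.09.0010"),
    ("Aruba 2930F", "WC.16.10.0022"),
    ("Aruba 2930F", "WB.16.10.0022"),
    ("AP-999", "8.11.0.0"),                # hypothetical model, not in the matrix
]


def audit(inventory=INVENTORY) -> dict[tuple[str, str], str]:
    """Map each (model, firmware) pair to its compliance status."""
    return {(model, fw): compliance(model, fw) for model, fw in inventory}


if __name__ == "__main__":
    for (model, fw), status in audit().items():
        print(f"{model:<12} {fw:<15} {status}")
```

Per-train minimums matter for AOS-S: WC.16.09.0010 is numerically above WC.16.08.0019 yet below the 16.09 minimum, which a single global minimum would wave through. The "wrong-image-family" status catches an inventory row whose platform code does not match the series, which usually means a mislabelled device rather than a firmware problem, and is worth resolving before any bulk upgrade.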

Chapter 3 What's New

Important Notes
- New Aruba Central On-Premises deployments must use a 10 Gigabit Ethernet (GbE) interface for optimum performance.
- The nodes of an Aruba Central On-Premises cluster must be deployed in the same data center and the same VLAN subnet. This is a prerequisite for 10 Gbps throughput for intra-cluster communication.
- It is recommended to upgrade all Aruba Central On-Premises nodes to 512 GB of RAM for optimum performance. Starting from this release, 256 GB RAM is not supported.
New Features
The following sections provide an overview of the new features that are added to Aruba Central OnPremises in this release.
Aruba Central NetConductor
Aruba Central On-Premises supports Aruba Central NetConductor from this release. Aruba Central NetConductor is a security framework designed to tackle problems for the modern enterprise network. The Aruba Central NetConductor framework aims to enhance the policy and orchestration components to deliver true intent-based network evolution and optimization. For more information, see Aruba Central NetConductor Overview.
Aruba Central On-Premises APIs
This release introduces the following changes to Aruba Central On-Premises APIs. In Aruba Central On-Premises, the API Gateway > Usage page provides more statistical data on API usage. The APIs introduced in this release are listed below under the pages where they appear:

- Client Match
  GET    /bandsteer-6ghz-enable/v1/{tenant_id}
  POST   /bandsteer-6ghz-enable/v1/{tenant_id}
- Configuration > AP Configuration
  GET    /configuration/v1/group/ssh_credential/{group_name}
  GET    /configuration/v1/device/ssh_credential/{serial_number_or_guid}
  POST   /configuration/v1/group/ssh_credential/{group_name}
  POST   /configuration/v1/device/ssh_credential/{serial_number_or_guid}
- Configuration > AOS-S
  GET    /configuration/v1/aos_switch/system/groups/{group_name}
  GET    /configuration/v1/aos_switch/system/devices/{device_serial}
  GET    /configuration/v1/aos_switch/system_time/groups/{group_name}
  GET    /configuration/v1/aos_switch/system_time/devices/{device_serial}
  PUT    /configuration/v1/aos_switch/system/groups/{group_name}
  PUT    /configuration/v1/aos_switch/system/devices/{device_serial}
  PUT    /configuration/v1/aos_switch/system_time/groups/{group_name}
  PUT    /configuration/v1/aos_switch/system_time/devices/{device_serial}
- Configuration > AOS-CX
  GET    /configuration/v1/switch/cx/portaccess-auth
  POST   /configuration/v1/switch/cx/portaccess-auth
- Service Airgroup
  GET    /airgroup-config/v2/custom_services/
  GET    /airgroup-config/v2/custom_services/{name}/
  GET    /airgroup-config/v2/custom_services/{name}/service_ids/
  GET    /airgroup-config/v2/custom_services/{name}/service_ids/{service_id}/
  POST   /airgroup-config/v2/custom_services/{name}/
  POST   /airgroup-config/v2/custom_services/{name}/service_ids/{service_id}/
  PUT    /airgroup-config/v2/custom_services/{name}/
  PUT    /airgroup-config/v2/custom_services/{name}/service_ids/{service_id}/
  DELETE /airgroup-config/v2/custom_services/{name}/
  DELETE /airgroup-config/v2/custom_services/{name}/service_ids/{service_id}/
- VisualRF > Import
  GET    /visualrf_api/v1/restore_sites/status
  POST   /visualrf_api/v1/restore_sites
- VisualRF > Anonymization
  GET    /visualrf_api/v1/anonymization
  POST   /visualrf_api/v1/anonymization
  DELETE /visualrf_api/v1/anonymization

For more information, see Changes to Aruba Central APIs.
Alerts and Events
The following alert and event enhancements are introduced in this release.
Controller Alerts
Controller Reboot--Generates an alert when a controller reboots. For more information, see Controller Alerts.
AP Alerts
AP Crash--Generates an alert when an AP crash is detected.
AP Reboot--Generates an alert when an AP reboot is detected.
For more information, see Access Point Alerts and Supported IAP Events.
Device Replacement
Device Replacement allows replacing a faulty device with a new device using the Device Replacement tile. The existing attributes and configurations of the faulty device are inherited by the new device. In the Global dashboard, navigate to Maintain > Organization > Network Structure to access the Device Replacement tile. For more information, see Device Replacement.
Guided Steps for Replacing a Controller
Aruba Central On-Premises allows replacement of managed devices and mobility conductors through guided steps. For more information, see Guided Steps for Replacing a Controller.
Monitoring-Only Mode
Aruba Central allows you to add AOS-CX switches to UI groups in the monitoring-only mode, for monitoring, reporting, and troubleshooting. For switches that are added in this mode, you cannot make configuration changes using the UI group in which they are added. For more information, see Monitoring-Only Mode for AOS-CX Switches.
Offline Upgrade - Airgap
Customers can now upgrade Aruba Central On-Premises offline through the Airgap feature. Airgap can be enabled through the CLI, option 4-7. An Airgap deployment allows customers to deny all internet access and continue to manage the Aruba Central On-Premises setup. For more information on offline upgrade and the Airgap CLI, see the following:
- Aruba Central On-Premises Upgrade
- Command Line Interface
Restricting Access to Group-Level Configuration
Using the HPE GreenLake portal, you can now restrict users to device-level configuration access by configuring the appropriate options on the Central Permissions page. Users with this restriction can only view the device configuration pages and the Configuration Audit page at the group level, but retain edit access at the device level. For more information, see Restricting Access to Group-Level Configuration.
Rogues
The Manage > Security > RAPIDS > Rogues tab provides a summary of the rogue APs, suspected rogue APs, interfering APs, and neighboring APs. A rogue can now be detected by multiple APs, which can belong to different groups at the same time. The rogue details section shows the set of APs, across groups, that detected a specific rogue. Even if one of the APs stops detecting a rogue, the other APs can still detect it in the network. For more information, see Rogues.
Support for AP-615 Access Points
Aruba Central On-Premises introduces configuring and monitoring support for AP-615 access points. For more information, see Supported APs.
Enhancements
The following sections provide an overview of the enhancements introduced in Aruba Central On-Premises in this release.
AOS-CX Switches
You can now deploy a maximum of 5000 AOS-CX switches on a 7-node cluster. For more information, see Scaling Devices for Aruba Central On-Premises.
Controller Details
The Last Contacted and Uptime parameters are added to the Controller Details section under the Overview > Summary page.
Reports
The following enhancements are provided to reports:
- Security Compliance Report--The Radio column is added to the Security Compliance report.
- Client Inventory Report--The SSID or Role filtering functionality is extended to Campus APs and Remote APs at the group context.
- Client Session Report--The SSID or Role filtering functionality is extended to Campus APs and Remote APs at the group context.
For more information, see Report Categories and Report Configuration Options.

Aruba Central On-Premises APIs
Listed below are the APIs enhanced in this release, under the following pages:

VisualRF > Client Location
  [GET]    /visualrf_api/v1/floor/{floor_id}/client_location

VisualRF > Rogue Location
  [GET]    /visualrf_api/v1/floor/{floor_id}/rogue_location

User Management > Roles
  [GET]    /platform/rbac/v1/roles
           /platform/rbac/v1/apps/{app_name}/roles/{rolename}
  [POST]   /platform/rbac/v1/apps/{app_name}/roles
  [PATCH]  /platform/rbac/v1/apps/{app_name}/roles/{rolename}
  [DELETE] /platform/rbac/v1/apps/{app_name}/roles/{rolename}

Service Airmatch
  [GET]    /airmatchconfig/v1/node_list/{node_type}/{node_id}/config/system/
           /airmatchconfig/v1/node_list/{node_type}/{node_id}/config/
           /airmatchconfig/v1/node_list/{node_type}/{node_id}/
  [POST]   /airmatchconfig/v1/node_list/{node_type}/{node_id}/config/system/
           /airmatchconfig/v1/node_list/{node_type}/{node_id}/config/
  [PUT]    /airmatchconfig/v1/node_list/{node_type}/{node_id}/config/system/
           /airmatchconfig/v1/node_list/{node_type}/{node_id}/config/

Monitoring > Site
  [POST]   /central/v2/sites
  [PATCH]  /central/v2/sites/{site_id}
  [DELETE] /central/v2/sites/{site_id}

Monitoring > Label
  [DELETE] /central/v1/labels/{label_id}

The following APIs were listed as deprecated in Aruba Central On-Premises 2.5.4 but are reintroduced in Aruba Central On-Premises 2.5.6:

VisualRF > Floorplan
  [GET]    /visualrf_api/v1/campus
           /visualrf_api/v1/campus/{campus_id}

The following APIs are removed:

Service Cloud Security
  [GET]    /cloud-securityconfig/v1/node_list/
           /cloud-securityconfig/v1/node_list/{node_type}/{node_id}/config/
           /cloud-securityconfig/v1/node_list/{node_type}/{node_id}/config/zscaler/

For more information, see Changes to Aruba Central APIs.
Sites and Labels
You can now create a site using latitude and longitude values. This helps to accurately place the building on the map, for example when several buildings share the same street address. Aruba Central On-Premises restricts the use of the words Default, Default Site, Default_Site, and Default-Site as a site name. The site deletion icon is available only when all devices are disassociated from the site. The label deletion icon is available only when the label is not assigned to any device. For more information, see Managing Sites and Labels.
Ekahau Floor Plan Import
Floor plans designed using the Ekahau software can be imported into Aruba Central On-Premises. For more information, see Importing a Floor Plan.
Encrypting credentials on AOS-S Switches using Templates
Aruba Central On-Premises now allows encrypting credentials on AOS-S switches using templates. The encrypt credentials support allows storing, displaying, and transferring of credentials in the encrypted form. For more information, see Encrypting Credentials on AOS-S Switches using Templates.
Campus APs and Remote APs Details Support
The Country Code, Last Reboot Reason, Power Draw, Power Negotiation, Public IP Address, DNS Name Servers, and Default Gateway details are supported for Campus APs and Remote APs on the Overview > Summary page. For more information, see Access Point > Overview > Summary.

160 MHz ARM Support
The 160 MHz Support toggle switch is added to the RF > Adaptive Radio Management (ARM) > Access Point Control page in Aruba Central On-Premises. For more information, see Configuring ARM Features.
UTB Filter Block
The UTB Filter Block on the System > General WebUI page allows you to control the band on which the Ultra Tri-Band (UTB) limitation is applied in the regulatory-domain-profile. For more information, see Configuring System Parameters for an IAP .
Flexible Dual Band
The Flexible Dual Band parameter in the Access Points > Radio tab in Aruba Central On-Premises supports configuring a flexible dual radio band mode on AP-615 access points. For more information, see Configuring Device Parameters .
RRM IE profiles
Aruba Central On-Premises supports the Radio Resource Management Information Element (RRM IE) profiles advertised by the AP. You can configure the RRM IE profiles on the Services > RRM IE Profile WebUI page. For more information, see Configuring RRM IE Profile. You can assign the RRM IE profiles to the radio profiles on the Radios > RF > Radio WebUI page. For more information, see Configuring Radio Parameters.
AOS-CX Troubleshooting
In this version of Aruba Central, new show commands have been introduced to troubleshoot AOS-CX switches.
External Services
Syslog Type is introduced, with Audit trail and System Log options, in the Add Syslog Server window under the System Management > External Services tab. This allows you to select the logging server type for sending the events or messages. The Syslog Type column is added to the Syslog table to indicate which logging type is selected. For more information, see External Services.
Alerts
The following alerts are added in this release:
Stack Link Status Change
A new AOS-CX switch alert is added to the alerts configuration page. This alert is generated when there is a change in the VSF link between AOS-CX switch stack members. For more information, see AOS-CX Switch Alerts.


Critical hardware fault, thermal failure
These AOS-CX alerts are part of the Switch Hardware Failure alert. These alerts are generated when there is a critical hardware fault or when the temperature of the switch crosses the lower or higher threshold. For more information, see AOS-CX Switch Alerts.
Switch Reboot (AOS-CX)
A new AOS-CX switch alert is added to the alerts configuration page. This alert is generated when the switch reboots, crashes, or when the Redundancy Switchover action is executed on the active module in the switch. For more information, see AOS-CX Switch Alerts.
Switch Uplink Port Status Change
A new AOS-S switch alert is added to the alerts configuration page. This alert is generated when there is a change in the status of the uplink port. For more information, see AOS-CX Switch Alerts.

Chapter 4
Getting Started with Aruba Central On-Premises

To install or reinstall the software, or to set up the Aruba Central server or cluster, refer to the Aruba Central On-Premises Installation Guide. To start managing your networks using Aruba Central, complete the steps in this section.
Provisioning Workflow
The provisioning workflow for Aruba Central On-Premises deployments includes the following steps:
Ensure that you have completed all the steps mentioned in the Installation and Setup Guide.
- Creating a Group
- Managing Devices and Device Subscriptions
- Assigning Devices to Groups
- Assigning Labels
- Assigning Sites
- Connecting Aruba APs to Aruba Central On-Premises
- Connecting Aruba Switches to Aruba Central
- Connecting Controllers to Aruba Central On-Premises
- Configuring Communication Ports
Accessing Aruba Central On-Premises
The HPE GreenLake Dashboard shows an application card for each application added to your account, including Aruba Central On-Premises. To launch the Aruba Central On-Premises app, perform the following steps:
1. From the HPE GreenLake home page, locate the Aruba Central On-Premises tile on the Dashboard.
2. Click Launch on the Aruba Central On-Premises tile to launch the application.
Features Requiring Internet Access
Following are the only features of Aruba Central On-Premises that require an internet connection:
- Upgrading the Software
  - Internet is required for upgrading the software. When upgrading from a minor to a major version, the internet connection is required until the process is completed.
  - Internet is required to check whether an upgrade is available (every 55 days).
- Adding a License
  - Internet is required for adding licenses (subscriptions).
- Accessing the Help Menu
  - All options under the Help menu on the top menu bar (Documentation Center, Airheads Community, View/Update Case, and Open New Case) require internet access from your browser.
- Providing Remote Access
  - Internet is required for the Support Connection that provides remote access to Aruba Support for troubleshooting purposes.

Offline map under Global > Overview > Network Health is not available.

Scaling Devices for Aruba Central On-Premises
Aruba Central supports switches, controllers, Instant APs, and Campus APs. Aruba Central can be deployed on multiple nodes; the number of supported devices increases with the number of nodes.

Supported Number of Devices - Summary Table
The following table summarizes the number of devices supported across multiple nodes.

Table 8: Maximum Number of Supported Devices based on the Deployment Types

Node Size   | Campus APs and Controllers only | Instant APs only | Switches only (AOS-S and AOS-CX) | Mixed-Mode
Single Node | 2000                            | 2000             | 1000                             | 1600 APs (Instant AP or Campus AP) and 400 switches (AOS-S or AOS-CX)
Three Node  | 8000                            | 8000             | 3000                             | 6000 APs (Instant AP or Campus AP) and 2000 switches (AOS-S or AOS-CX)
Five Node   | 16000                           | 12000            | 4000                             | 12000 APs (Instant AP or Campus AP) and 4000 switches (AOS-S or AOS-CX)
Seven Node  | 25000                           | 16000            | 10000 (AOS-S) / 5000 (AOS-CX)    | 16000 APs (Instant AP or Campus AP) and 7000 switches (AOS-S) [AOS-CX up to 5000 switches]

Supported Number of Devices - Detailed Table
The following table details the number of devices that Aruba Central supports across multiple nodes.

Table 9: Maximum Number of Supported Devices

Single Node (maximum 2000 devices)
- 2000 APs, where APs can be Instant APs, Campus APs, or controllers that manage APs, or a mixed deployment of any of these devices.
- 1000 switches, where switches can be AOS-S or AOS-CX switches or a mix of the two.
- In a mixed mode of switches and APs, up to 1600 APs and 400 switches are supported.

Three Node (maximum 8000 devices)
- 8000 APs, where APs can be Instant APs, Campus APs, or APs along with the controllers that manage them, or a mix of any of these devices.
- 3000 AOS-S or AOS-CX switches, or a mix of the two, can be deployed in a switch-only deployment.
- In a mixed mode of switches and APs, up to 6000 APs (Instant APs or Campus APs) and 2000 switches (AOS-S or AOS-CX) are supported.

Five Node (maximum 16000 devices)
- 16000 Campus APs along with the controllers that manage them can be deployed.
- 12000 Instant APs can be deployed.
- 4000 AOS-S or AOS-CX switches, or a mix of the two, can be deployed in a switch-only deployment.
- In a mixed mode of switches and APs, up to 12000 APs (Instant APs or Campus APs) and 4000 switches (AOS-S or AOS-CX) are supported.

Seven Node (maximum 25000 devices)
- 25000 Campus APs along with the controllers that manage them can be deployed.
- 10000 AOS-S switches can be deployed in an AOS-S switch-only deployment.
- 5000 AOS-CX switches can be deployed in an AOS-CX switch-only deployment.
- In a mixed mode of switches and APs, up to 16000 APs (Instant APs or Campus APs) and 7000 AOS-S switches are supported; where AOS-CX switches are included, up to 5000 switches (AOS-S or AOS-CX) are supported.

Limitations
The following features are not supported:
- Live Events on a single-node deployment
- API Streaming on a single-node deployment
- Live Packet Capture on a single-node deployment
- API Gateway on a single-node deployment
- RAPIDS on a single-node deployment
- UCC on a single-node deployment
- High Availability on a single-node deployment
- Adding and replacing a node on a single-node deployment
- AI Insights on single-node and 3-node clusters
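The two tables above are what a pre-deployment review checks an inventory against. The following script is an added example for this guide, not Aruba code: it encodes the limits from Tables 8 and 9 and reports which of them a planned inventory breaks. The numbers are the document's; how they combine is this example's reading of the tables, marked where it goes beyond the text (how Campus and Instant AP counts combine in an AP-only deployment, the seven-node switch-only and mixed-mode AOS-CX caps). The Deployment class and the check() function are this example's own.

```python
"""Capacity check against the Aruba Central On-Premises 2.5.6 scale limits
(Tables 8 and 9). Added example, not Aruba code. Limits are taken from the
tables; the rule shapes marked "assumption" are this example's reading:
  (1) AP-only: each AP type is held to its own column and the total to the
      larger column;
  (2) seven-node switch-only: total held to 10000 with at most 5000 AOS-CX;
  (3) seven-node mixed mode: the 7000-switch figure is read as a total with
      at most 5000 of them AOS-CX.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    nodes: int
    campus_aps: int = 0        # Campus APs plus the controllers that manage them
    instant_aps: int = 0
    aos_s_switches: int = 0
    aos_cx_switches: int = 0


# Per cluster size, from Tables 8 and 9:
#   campus / instant     : AP-only columns
#   sw_total / sw_cx     : switch-only total and AOS-CX cap (cap == total where
#                          the tables give no separate AOS-CX figure)
#   mix_ap/mix_sw/mix_cx : mixed-mode caps
LIMITS = {
    1: dict(campus=2000,  instant=2000,  sw_total=1000,  sw_cx=1000, mix_ap=1600,  mix_sw=400,  mix_cx=400),
    3: dict(campus=8000,  instant=8000,  sw_total=3000,  sw_cx=3000, mix_ap=6000,  mix_sw=2000, mix_cx=2000),
    5: dict(campus=16000, instant=12000, sw_total=4000,  sw_cx=4000, mix_ap=12000, mix_sw=4000, mix_cx=4000),
    7: dict(campus=25000, instant=16000, sw_total=10000, sw_cx=5000, mix_ap=16000, mix_sw=7000, mix_cx=5000),
}


def check(d: Deployment) -> list:
    """Return the list of limit violations for `d`; an empty list means the
    inventory fits the documented maximums for its cluster size."""
    if d.nodes not in LIMITS:
        return [f"{d.nodes}-node clusters are not a supported size (1, 3, 5 or 7)"]
    if min(d.campus_aps, d.instant_aps, d.aos_s_switches, d.aos_cx_switches) < 0:
        return ["device counts must not be negative"]
    lim = LIMITS[d.nodes]
    aps = d.campus_aps + d.instant_aps
    sws = d.aos_s_switches + d.aos_cx_switches
    errs = []

    def need(value, cap, what):
        if value > cap:
            errs.append(f"{what}: {value} exceeds the {d.nodes}-node maximum of {cap}")

    if aps and sws:                     # mixed mode: APs and switches together
        need(aps, lim["mix_ap"], "APs in mixed mode")
        need(sws, lim["mix_sw"], "switches in mixed mode")
        need(d.aos_cx_switches, lim["mix_cx"], "AOS-CX switches in mixed mode")   # assumption (3)
    elif aps:                           # AP-only deployment, assumption (1)
        need(d.campus_aps, lim["campus"], "Campus APs")
        need(d.instant_aps, lim["instant"], "Instant APs")
        need(aps, max(lim["campus"], lim["instant"]), "APs in total")
    elif sws:                           # switch-only deployment, assumption (2)
        need(sws, lim["sw_total"], "switches")
        need(d.aos_cx_switches, lim["sw_cx"], "AOS-CX switches")
    return errs


if __name__ == "__main__":
    # constructed inventory: a seven-node cluster with too many AOS-CX switches in the mix
    for problem in check(Deployment(7, instant_aps=16000, aos_s_switches=1000, aos_cx_switches=6000)):
        print(problem)
```

Run it against the planned inventory before ordering nodes; an empty result means every documented limit is met, and each reported line names the limit that would be exceeded.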


Dashboard Overview
After logging into HPE GreenLake account home, the dashboard is displayed. The dashboard is the central location where you manage, configure, and access all the HPE GreenLake account home features and functionality you have permissions to use. What you see on any screen in the HPE GreenLake account home, depends on the following:
n The services and tools available to your organization. n The permissions you have, based on your role.
HPE GreenLake Top Menu Bar
The following icons and tools are available on the HPE GreenLake top menu bar. This menu bar is displayed on all pages.
- The top bar displays the title: HPE GreenLake
- The following menu options are based on your role and privileges:

Menu Item | Description
Dashboard | The dashboard is the homepage. To return to the dashboard, click the Dashboard link from the top menu bar in any HPE GreenLake page.
Devices   | View and manage all devices in your inventory. Quick Action tasks include: Add devices, Assign Devices, Apply Subscriptions to devices, Add Device Subscription.
Manage    | Manage and edit your company account's general information.

Help Menu
Click the Help icon to display a resources page to obtain help and support, submit feedback, and access additional resources. The following tabs are available:
- Help--On the Help tab, the drop-down list options include HPE GreenLake and Aruba Central, with access to user documentation and support.
- Feedback--On the Feedback tab, you can select an option for providing feedback (HPE GreenLake or Aruba Central) and specify the type of feedback (General feedback or Feature Request).
- Legal--On the Legal tab you can view information about the Hewlett Packard Enterprise Privacy Policy and Terms of Use.
Services
Click the Services icon to access HPE GreenLake administration pages and general HPE resources. Use this menu to launch the following services:
HPE GreenLake Administration
- Manage Account--Links to the Manage Account page where you can manage your account users and their access to HPE GreenLake services and resources.
- Manage Devices--Links to the Devices page where you can view and manage all the devices in your inventory.
HPE Resources
Click any of the links in this section to view the related information:
- HPE Support Center
- HPE Developer Community
- HPE Communities
- HPE Financial Services
User Profile
Click the User Profile icon to access your HPE Account Details page. The HPE Account Details page allows you to edit your account data, including changing your password. You can adjust the Time, Language, and Session Timeout settings from the Preferences page.
Quick Actions
The Quick Action cards provide quick access to the HPE GreenLake tools and services for managing devices, applications, and users. The cards that display on your dashboard are based on your role and privileges to use them. Tasks include:
- Inviting Users
- Assigning User Access
- Onboarding devices
- Managing Subscriptions


Chapter 5
Resource Restriction Policies
In HPE GreenLake, each application defines its own scopes and uses the Authorization service to control access to the various scope resources. These scope resources must be linked to user role assignments for the permissions to be enforced on them. HPE GreenLake uses Resource Restriction Policies (RRPs) to group these scope resources and simplify the role assignment process. An RRP is a named list of scope resources. Instead of updating each assignment whenever a scope resource is created, an RRP provides a central place where an assignment, or a group of assignments, can be updated at once without modifying multiple users individually. The built-in AllScopes RRP covers all scopes, old and new, defined by the application.
Resource Restriction Policies Page
The Resource Restriction Policies page is where you manage RRPs, including creating, viewing, and deleting them.

You cannot delete an RRP if it has been used in a user role assignment.
Creating a Resource Restriction Policy
To create a resource restriction policy, perform the following steps:
1. On the HPE GreenLake dashboard top menu, click Manage. The Manage Account page appears.
2. On the Manage page, click the Identity & Access tile. The Identity & Access page appears.
3. Click the Resource Restriction Policy tile on the Identity & Access page. The Resource Restriction Policies page appears with a list of available RRPs.
4. Click Create Resource Restriction Policy.
5. Add a Name and Description for the RRP and click Next. The Choose an Application screen appears.
6. In the Choose an Application screen, select the Aruba Central (On-Premises) tile and click Next. The Add Resources screen displays.
7. In the Selected Resources section, click Add Resources.
8. In the Add Aruba Central (On-Premises) Resources screen, configure the resources for your application.
9. Click the region name, and then the Central On-Premises application instance name.
   Note: The displayed region name indicates the region in which the Aruba Central On-Premises application instance is pre-provisioned.
10. Click Group Scope. A list of group scopes and resources appears.
    Note: These scopes are defined in the Aruba Central On-Premises application.
11. Select the resources for the permissions you want to grant to the group. Click Add to continue. The Add Resources screen appears and now displays the newly created resources for this group.
12. Click Next. The Review & Create screen displays.
13. Verify the settings for your resource restriction policy. Use the Modify links if you decide to change the name, description, application, or resources for this Resource Restriction Policy.
14. Click Finish to create the Resource Restriction Policy. The Resource Restriction Policies page appears with the newly created RRP listed. You can now apply this RRP to any user or a group of users.
Editing Resource Restriction Policies
You can edit an existing RRP to change the permissions for all users assigned that RRP. To edit the scope of a Resource Restriction Policy, perform the following steps.
1. On the HPE GreenLake dashboard top menu, click Manage. The Manage Account page appears.
2. On the Manage page, click the Identity & Access tile. The Identity & Access page appears.
3. Click the Resource Restriction Policy tile. The Resource Restriction Policies page appears with a list of available RRPs.
4. Select the policy you need to change. You can click the policy name or the ellipsis at the end of the policy row to view the details. The Details page for the policy appears.
5. In the Resources section, click Edit, then click Add Resources.
6. In the Add Aruba Central (On-Premises) Resources screen, click the region name, and then the Central On-Premises application instance name.
7. Click Group Scope. A list of group scopes and resources appears with the previously added resources already checked.
8. Select the checkboxes to modify the resources for the policy. Click Add and then click Save Changes. The Details screen displays the modified resources allocated to this policy. These modified permissions now apply to all existing and new users assigned this RRP.
Editing Resource Restriction Policy Assignments
To edit the Resource Restriction Policy assigned to a user, perform the following steps.
1. On the HPE GreenLake dashboard top menu, click Manage. The Manage Account page appears.
2. On the Manage page, click the Identity & Access tile. The Identity & Access page appears.
3. Click the Users tile. The Users page displays a list of users in the account.
4. Select a user from the list. Click the users' row to display details, select the ellipsis, and click View Details. The Details page appears.
5. In the Roles section, click the ellipsis next to a user to display the available options. Options include: Edit Resource Access and Remove Role.
6. Select the Edit Resource Access link. The Edit Resource Access dialog appears.
7. Slide the Limit Resource Access toggle to the right to enable the RRP for this user.
8. Select the specific policy for the user from the Resource Restriction Policy drop-down.
9. Click Save Changes.
The Details page displays the newly applied permissions for the user.
Deleting Resource Restriction Policy Role
To remove a role assignment, and with it the resource restriction policy applied through that role, from a user, perform the following steps.
1. On the HPE GreenLake dashboard top menu, click Manage. The Manage Account page appears.
2. On the Manage page, click the Identity & Access tile. The Identity & Access page appears.
3. Click the Users tile. The Users page displays a list of users in the account.
4. Click a user name to view user details.
5. In the Roles section, click the ellipsis next to Aruba Central On-Premises. Options include: Edit Resource Access or Remove Role.
6. Select the Remove Role link. The remove confirmation dialog displays.
7. Verify that you want to remove the role assignment for this user, and click the Remove Role button to continue.

Managing Users and Roles
Users are assigned roles by administrators; the roles govern the level of user access to the HPE GreenLake account home and the Aruba Central On-Premises app. A role is a logical entity used to determine user access to the HPE GreenLake account home features. Add users to the HPE GreenLake account by inviting them. Inviting a user does not automatically give that user access to resources; access is granted by assigning one or more roles to a user or user group for a specific set of resources within a space. Managing users and user groups, and the assignment of roles to them, is part of Identity & Access. View information about users and perform other user-related tasks using the Users card or tile.
Aruba Central On-Premises User Roles in HPE GreenLake Account Home
A role refers to a logical entity used for determining user access to devices and application services in Aruba Central On-Premises. Users are always tagged to roles that govern the level of user access to the Aruba Central applications and services.
HPE GreenLake supports a set of built-in Aruba Central On-Premises roles with different privileges and access permissions. You can also configure custom roles.
Access control for federated users is determined by the attributes set in the IdP.

Predefined User Roles
HPE GreenLake account home allows you to assign the following built-in roles to Aruba Central OnPremises users.

Table 10: Predefined User Roles

Role                         | Privilege
Aruba Central Administrator  | Administrator for the Aruba Central On-Premises app. Has access to all menu options as well as the monitoring and configuration pages.
Aruba Central View Only      | Has view-only access to the Aruba Central On-Premises app.
Aruba Central view edit role | Has edit and view access to the Aruba Central On-Premises app: the user can view and edit data using the Aruba Central On-Premises UI or APIs, but cannot perform operations on the Aruba Central application > Organization > Labels and Sites pages.
Aruba Central Guest Operator | Has edit and view access to the guest module in the Aruba Central On-Premises app.

Custom Roles with Resource Permissions
HPE GreenLake allows you to create custom roles and assign edit or view permissions to resources in Aruba Central On-Premises. Some resources have sub-resources. You can also block user access to some resources or sub-resources in Aruba Central On-Premises. To block access to a specific resource, you must remove both the edit and view permissions for that resource. If a resource is blocked for a specific role, the corresponding pages are not displayed on the UI.
HPE GreenLake supports setting permissions for the following Aruba Central resources.

Table 11: Resource Permissions

Resource                 | Permission
AirGroup                 | Can view, edit, or block user access to the AirGroup pages.
Device Profiling         | Can view, edit, or block user access to the Device Profiling pages and the following sub-resources: Device Profiling Application Settings, Device Profiling Classified Devices, Device Profiling Discovery Settings, Device Profiling Generic Devices, Device Profiling Reports, Device Profiling User Classified Devices.
Group Management Service | Can view, edit, or block user access to the group management and group scope pages.
Install Manager          | Can view, edit, or block user access to the Install Manager pages.
Label Management Service | Can view, edit, or block user access to the label management pages.
Net Insight              | Can view, edit, or block user access to the AI Insights pages.
NMS Service              | Can view, edit, or block user access to the Network Management services, including: NMS Service Alerts and Events; NMS Service Apprf; NMS Service Configuration (with the sub-resources NMS Service Privileged Configuration, NMS Service Configuration Variables, and NMS Group Level Access); NMS Service Firmware; NMS Service Troubleshooting.
Other Applications       | Can view, edit, or block user access to other application modules such as notifications.
Reports                  | Can view, edit, or block user access to view and create reports.
Site Management Service  | Can view, edit, or block user access to the site management pages.
UC                       | Can view, edit, or block user access to the Unified Communications pages.
VisualRF                 | Can view, edit, or block user access to the floor plans and RF heatmaps.
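The Resource Restriction Policies chapter and the custom-role permissions above describe two layers that combine into one access decision: the role says which resources a user may view or edit (with a resource that has neither permission blocked and hidden), and the assignment's RRP says which group scopes that role applies to, with the built-in AllScopes covering every scope. The following model is an added example for this guide, not HPE GreenLake or Aruba Central code, and does not reproduce their Authorization service; it shows how those rules evaluate, why blocking requires removing both permissions, and why an RRP still referenced by an assignment cannot be deleted. The classes, the three functions, and the sample roles, RRPs and group names are all assumptions.

```python
"""Toy model of role assignments limited by Resource Restriction Policies (RRPs).

Added illustration for this guide; it is not HPE GreenLake or Aruba Central code
and does not reproduce their Authorization service. It follows the rules stated
in the guide: a role grants view and/or edit per resource; a resource with
neither permission is blocked and its pages are hidden; an assignment's RRP
limits the role to a set of group scopes, with the built-in AllScopes covering
every scope; an RRP in use by a role assignment cannot be deleted. The classes,
the three functions and all sample roles, RRPs and group names are assumptions.
"""
from dataclasses import dataclass

ALL_SCOPES = "AllScopes"  # built-in RRP: every group scope, old and new


@dataclass
class Role:
    name: str
    # resource name -> permissions granted ({"view"}, {"edit"} or both).
    # A resource absent here, or mapped to an empty set, is blocked.
    permissions: dict


@dataclass
class RRP:
    name: str
    scopes: frozenset = frozenset()  # group scopes covered; unused for AllScopes


@dataclass
class Assignment:
    """One role granted to a user. rrp is AllScopes when the user's
    'Limit Resource Access' toggle is left off."""
    role: Role
    rrp: RRP


def in_scope(rrp, group):
    return rrp.name == ALL_SCOPES or group in rrp.scopes


def authorize(assignments, resource, action, group):
    """Decide whether a user holding `assignments` may perform `action`
    ("view" or "edit") on `resource` in `group`. Returns (allowed, reason).
    One assignment that grants the action is enough; otherwise access is
    denied (deny by default) and the reason from every assignment is reported."""
    if action not in ("view", "edit"):
        raise ValueError(f"unknown action {action!r}")
    reasons = []
    for a in assignments:
        perms = a.role.permissions.get(resource, set())
        if not perms:
            reasons.append(f"{a.role.name}: {resource} is blocked")
        elif action not in perms:
            reasons.append(f"{a.role.name}: no {action} permission on {resource}")
        elif not in_scope(a.rrp, group):
            reasons.append(f"{a.role.name}: RRP {a.rrp.name} does not cover {group}")
        else:
            return True, f"{a.role.name} via RRP {a.rrp.name}"
    return False, "; ".join(reasons) or "no role assigned"


def visible_resources(assignments, group):
    """Resources whose pages the UI shows for `group`: the user holds view or
    edit on them through an assignment whose RRP covers that group."""
    return {
        res
        for a in assignments
        if in_scope(a.rrp, group)
        for res, perms in a.role.permissions.items()
        if perms
    }


def can_delete_rrp(rrp, all_assignments):
    """An RRP may be deleted only when no role assignment references it."""
    return all(a.rrp.name != rrp.name for a in all_assignments)


# --- constructed sample data, not taken from the guide ---
ADMIN = Role("Aruba Central Administrator",
             {r: {"view", "edit"} for r in ("NMS Service", "AirGroup", "Reports")})
CAMPUS_OPS = Role("campus-ops (custom role)", {
    "NMS Service": {"view", "edit"},
    "Reports": {"view"},
    "AirGroup": set(),          # blocked: both view and edit removed
})
ALL = RRP(ALL_SCOPES)
CAMPUS_A = RRP("Campus-A", frozenset({"grp-campus-a"}))
LAB = RRP("Lab", frozenset({"grp-lab"}))   # created but never assigned

admin_user = [Assignment(ADMIN, ALL)]
ops_user = [Assignment(CAMPUS_OPS, CAMPUS_A)]
ALL_ASSIGNMENTS = admin_user + ops_user

if __name__ == "__main__":
    print(authorize(ops_user, "NMS Service", "edit", "grp-campus-b"))
    print(sorted(visible_resources(ops_user, "grp-campus-a")))
    print(can_delete_rrp(CAMPUS_A, ALL_ASSIGNMENTS), can_delete_rrp(LAB, ALL_ASSIGNMENTS))
```

The order of the checks matters for least privilege: the role's resource permission is evaluated before the RRP scope, so a blocked resource stays hidden in every group, and an RRP can only narrow a role, never widen it. Evaluating several assignments with "any grant wins" is the usual semantics for additive role assignment; if a deployment needs a deny to override, that is a different policy model and should be stated explicitly.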

Managing User Identity and Access
You can invite users and assign access to resources. You can also define and manage user roles. These activities are managed from the Identity & Access page.
Adding a Role
To add a role, complete the following steps:
1. On the HPE GreenLake account home top menu bar, click Manage > Identity & Access > Roles & Permissions. The Roles & Permissions page displays.
2. Click Create Role. The Create Role dialog displays.
3. Select Create new role.
4. Select an Application.
5. Click Next. The Create Role Wizard displays.
Create Role Wizard
Follow the directions on the Create Role Wizard to complete the role setup.
1. Add Name and Description--Add a role name and description and click Next.
2. Add HPE GreenLake Permissions--The permissions you add determine which areas of the HPE GreenLake account home a user with this role can access. Follow the Permissions screens; on them you can select and change the actions the user with this role can perform. After specifying permissions, click Next to continue.
3. Review & Create--The Review & Create screen shows the role details, including the permissions granted. Use this screen to review your role configuration before creating it. You can change the role name and permissions using the Modify link.
4. Click Finish to create the role. The Roles & Permissions screen displays a notification stating that the role was created.
Viewing User Details
To view the details of a user, complete the following steps:
1. On the HPE GreenLake home page top menu bar, click Manage. The Manage Account page appears.
2. Click Identity & Access > Users. The Users page appears.
3. Select one of the users to display the details. The user's Details page shows the following information:
- Email--The user's email address.
- Joined Date--The date the user joined the account.
- Last Session--The date of the user's last session.
- Application--The application where the user has the assigned role.
- Role--The user role name.
- Resource Access--The list of assigned resources for this role.
Deleting a User
To delete a user account, perform the following steps.
1. On the HPE GreenLake home page top menu bar, click Manage.
2. Click Identity & Access > Users. The Users page displays a list of verified and unverified users.
3. Place a checkmark next to the user's name and click the Delete Users button.
4. Click the ellipsis (...) in the Roles section and select Remove Role to remove the user role.
5. Confirm user deletion in the Delete User action dialog.
Viewing Audit Logs for Users
Audit logs are generated when a new user is created and when an existing user is modified or deleted from the HPE GreenLake account. Audit logs also record the login and logout activities of users. To view audit logs for HPE GreenLake users, perform the following steps.
1. On the HPE GreenLake home page top menu bar, click Manage.
2. Click Audit Log. The Audit Log page displays.
3. To filter audit logs about user activity, click the Edit Columns link, and select up to six different columns.
Inviting Users
Use the Invite Users card to add team members as users by sending them a sign-up link. To invite users, complete the following steps:
1. On the HPE GreenLake dashboard Invite Users card, click Send an invite. The Invite User window opens.
2. Enter the user's email address in the Email Address field.
3. In the HPE GreenLake Role dropdown, select the role you wish to assign to the user. Options include:
- Account Administrator
- Observer
- Operator
4. Click Send Invite. An email notification is sent to the address specified above. The user can click the Accept Invite link in the notification email and start creating an account.


Assigning User Access (Assignments Page)
Use the Assign User Access card to assign roles to users in your team; these roles can be built-in roles or custom roles that you define. The Assignments page is where you give access to the HPE GreenLake applications.
Creating User Role Assignments
To assign roles to users, complete the following steps:
1. On the HPE GreenLake dashboard top menu, click Manage. The Manage Account page appears.
2. On the Manage page, click the Identity & Access tile. The Identity & Access page appears.
3. Click the Users tile. The Users page displays a list of users in the account.
4. Select a user from the list: click the user's row to display details, select the ellipsis, and click View Details. The Details page appears.
5. In the Roles section, click the ellipsis next to a user to display the available options. Options include Edit Resource Access and Remove Role.
6. Select the Edit Resource Access link. The Edit Resource Access dialog appears.
7. Slide the Limit Resource Access toggle to the right to enable the resource restriction policy (RRP) for this user.
8. Select the specific policy for the user from the Resource Restriction Policy drop-down.
9. Click Save Changes.
The Details page displays the newly applied permissions for the user.
Creating a Group
Aruba Central supports creating groups and assigning devices to groups for ease of configuration and maintenance. For example, you can create a common group for APs that have similar configuration requirements. To create a group, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click (+) New Group. The Create New Group pop-up window opens.
4. Click the Groups tile. The Groups page is displayed.
5. Expand a group from which you want to move devices to the selected group. For example, expand the Unprovisioned Devices group, select the devices, and then click the Move devices icon. The Move Devices page is displayed.
6. Click (+) Add Group on the Groups table. The Add Group page is displayed.
7. Enter a name for the group. The group name can be a maximum of 32 single-byte ASCII characters if you use the UI to create the name; if you use an NB API, the limit increases to 128 characters. A group name supports alphanumeric characters and only "-", "_", and space as special characters. System-defined group names such as "default", "unprovisioned", and "global" are not allowed as group names.
By default, Aruba Central On-Premises enables UI-based configuration. The template-based configuration option is displayed only when you select devices in the Add Group page. Use the toggle button to enable Configure using templates.
8. Select the device types that will be part of this group. A group can contain the following devices:
- Access points
- Controllers
- Switches
For detailed device combinations, refer to Device Combinations.
9. Click Next. By default, the ArubaOS 8 architecture is applied for access points and controllers.
10. Optionally, select the Make these the preferred group settings check box to save the architecture and persona settings of the current group for subsequent group creations.
11. Click Add Group.
You can also create a group that uses different provisioning methods for the switch, IAP, and controller device categories. For example, you can create a group with the template-based provisioning method for switches and the UI-based provisioning method for Instant APs and controllers.
For more information, see Groups.
Managing Devices and Device Subscriptions
The Devices Inventory page summarizes your device information and provides a set of actions to manage all your devices and their subscriptions.
Adding Devices
You can manually add a device to your HPE GreenLake account by selecting the device type and providing the device details, such as the Serial Number, MAC address, and Part Number.
Aruba Central On-Premises does not support onboarding of devices using Aruba Activate.
Using the Setup Wizard
Use the following steps to add devices to your account.


1. On the Dashboard Onboard Devices card, click Add Devices. The Devices Inventory displays.
2. Click Add Devices. The Add Devices window displays.
3. Select the Ownership Type for adding the device information. You can bulk upload devices using a .CSV file or upload individual devices. Options include:
- .CSV File--Click Browse files to upload the .CSV file with device details including: Serial Number, MAC Address, Part Number, and optionally, up to two tag name-value pairs. Click Finish. Note: Devices include Networking Devices. You can download a sample file to see the information that can be included for a bulk upload.
- Serial number, MAC, Part Number--Enter the serial number, MAC address, and part number of the device you are adding. Once the device information has been entered, click Next. Optionally enter tag details and click Next, then click Finish.
- Device Discovery--Enter a preferred name and the controller IP address (you can find the controller IP address by executing the command show controller-ip), then select the SNMP profile and HTTPS profile details of a compatible device to begin the device discovery process. Click Finish and click Close.
4. The newly added device is displayed in your inventory.
Applying Subscriptions to Devices
All devices must have a subscription assigned before you can activate and use them. Use the following steps to apply subscriptions to devices.
1. On the Dashboard Manage Subscriptions card, click Add Subscriptions. The Subscriptions page displays.
2. Select the device(s) to which you want to apply a license key. Note: You can select the Require Subscriptions filter tile at the top of the inventory list to narrow the display to only those devices requiring subscriptions.
3. From the Actions dropdown, select Apply Subscription. The Apply Subscriptions to Devices page displays.
4. Click the Apply Subscriptions link to apply subscription keys to the selected devices. The Apply Subscriptions to Devices pane displays.
5. Select a Subscription tier from the dropdown list.
6. Select the checkbox in the Subscription key section to assign the associated key to the listed devices.
7. Click Apply Subscriptions.
8. Click Finish and then click Close on the confirmation box. The Devices page opens and you can view the updated device details in the Inventory list. Note: You have the option to view the audit logs from this box.
Removing Subscriptions from Devices
You can remove subscriptions from devices from the Manage tab. Follow these steps:
1. From the Home page, navigate to Manage > Subscriptions. The Subscriptions page displays.
2. From the Dashboard, navigate to Devices and select the device or devices you wish to modify.
3. In the Actions dropdown, select Detach Subscription. The Detach Subscription confirmation box appears.
4. In the Detach Subscription confirmation box, click Detach Subscription and then click Close in the pop-up box.
5. Click the Require Subscriptions filter tile at the top of the inventory page. The inventory page now shows the detached devices in the list of devices requiring subscriptions.
You can also remove subscriptions from devices in the Subscriptions page. Follow these steps:
1. From the Home page, navigate to Manage > Subscriptions. The Subscriptions page displays.
2. At the end of the row for the subscription key whose subscriptions you wish to remove, select View Details from the ellipsis options. The Subscription Information page opens, displaying the list of subscribed devices for the selected subscription key and tier.
3. Click Detach Devices. The Detach Devices confirmation box opens.
4. Click Detach to confirm. The subscription is unassigned, and the inventory page now shows the detached devices in the list of devices requiring subscriptions.
Adding Device Subscription Keys to your Account
You need to add a device subscription key to your account independently of adding a specific device. Use the following steps to add subscription keys to your account.
1. On the Dashboard Manage Subscriptions card, click Add Subscriptions. The Subscriptions page displays.
2. Click Add Device Subscription. In the Add Subscription dialog, enter the subscription key.
3. Click Submit. Continue adding license keys.
4. Click Add Subscriptions when you are finished adding subscription keys.
5. The subscription(s) are now available to assign to devices in your account.
Viewing the Devices List
To view the devices provisioned in your account, follow these steps:
1. Navigate to HPE GreenLake > Devices. The Devices page displays the Inventory table.
2. The Inventory table lists the total number of devices, including access points, switches, and controllers, in the inventory.
3. The filter tiles at the top of the list display the total number of devices, assigned and subscribed devices, and devices requiring subscription in the inventory. To see a list of devices in each category, click the tile.
The following table describes the columns in the Device List table.


Field | Description
Serial Number | The device serial number.
Model | Hardware model of the device.
MAC Address | MAC address of the device.
Application | Application assigned to the device.
Subscription Tier | Subscription tier assigned to the device.
Tags | Tags assigned to the device.

Enabling Automatic Assignment of Subscriptions
To enable automatic assignment of subscriptions, complete the following steps:
1. From the Home page, navigate to Onboard Devices > Add Devices. The Devices page displays.
2. On the Devices page, click the Auto-Subscribe link. The Auto-Subscribe page displays, where you configure auto-subscribe options for devices. Supported device types include Access Points, Switches, and Controllers.
3. Click Add. The Set Up Auto-Subscribe dialog opens.
4. Select the Device Type. Options include foundation and advanced for each device type:
- Access Points
- Switches
- Controllers
5. Use the dropdown to determine the subscription seats available. Updating the subscription tier may affect your auto-subscribe configuration. Make sure you have enough subscription seats to cover your devices.
6. When you have finished selecting options, click Configure Device. A confirmation message appears and the newly added auto-subscribe option is listed on the Auto-Subscribe page.
When a subscription assigned to a device expires or is cancelled, HPE GreenLake checks for the available subscription tokens in your account and assigns the longest available subscription token to the device. If your account does not have an adequate number of subscriptions, you may have to manually assign subscriptions to as many devices as possible. To view the subscription utilization details and the number of subscriptions available in your account, go to Devices > Auto-Subscribe and select Edit to view the available seats for each device type.
Device Subscription Expiration Dates
The subscription assigned to each device expires individually. If you have multiple devices and their expiration dates vary, the devices are unsubscribed according to their individual expiration dates.


Acknowledging Subscription Expiry Notifications
As the subscription expiration date approaches, users receive expiry notifications. To view expiration dates, click Subscriptions > Device Subscriptions. The Device Subscription page displays the expiration date for each subscription.
Onboarding Devices
Aruba Central supports the following deployment methods:
- Online--In this mode, Aruba Central automatically discovers devices associated with your subscription key and adds these devices to the Aruba Central device inventory. For more information on deploying Aruba Central in the online mode, see the Aruba Central On-Premises Installation Guide.
- Offline--In this mode, Aruba Central may not be able to access the Activate server. However, Aruba Central allows you to manually add devices to the inventory by using one of the following options:
  - Adding Devices Using MAC Address and Serial Number
  - Adding Devices Using a CSV File
  - Adding Devices Using PSK
  - Adding Mobility Controllers
Adding Devices Using MAC Address and Serial Number
To add devices:
1. On the Global Settings > Device Inventory page, click Add Devices.
2. In the Add Devices pop-up window, enter the MAC address, Serial Number, and Part Number of the devices. You can add up to 32 devices.
Adding Devices Using a CSV File
To import devices from a CSV file:
1. Create a CSV file with the device list.
2. Ensure that the CSV file includes column headers for part number, MAC address, serial number, and other optional fields such as firmware version and IP address of the device.
3. On the Global Settings > Device Inventory page, click Import Devices Via CSV.
4. Browse to your local directory, select the CSV file, and then click Open.
5. Click Import.
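Added example (not the guide's or Aruba's own code): a Python pre-check for the device-list CSV before you import it, which verifies that the columns the guide names are present, normalizes MAC addresses, and rejects rows with duplicate serial numbers or a host name where an IP address is expected. The header spellings (serial_number, mac_address, part_number, firmware_version, ip_address) and the sample rows are assumptions constructed for this example.

```python
"""Pre-check a device-inventory CSV before importing it via Global Settings > Device Inventory."""
import csv
import io
import ipaddress
import re
from typing import Optional

# The guide names the fields but not the exact header spelling, so these header
# names are an assumption of this example; match them to your own template.
REQUIRED_COLUMNS = ("part_number", "mac_address", "serial_number")
OPTIONAL_COLUMNS = ("firmware_version", "ip_address")

# Constructed sample: two clean rows in different MAC notations, one bad MAC,
# and one row that repeats a serial number and gives a host name as its IP.
SAMPLE_CSV = """\
serial_number,mac_address,part_number,firmware_version,ip_address
SN-EXAMPLE-0001,00:0b:86:aa:bb:01,PN-EXAMPLE,16.10.0012,10.1.1.11
SN-EXAMPLE-0002,000b86aabb02,PN-EXAMPLE,,10.1.1.12
SN-EXAMPLE-0003,00:0b:86:aa:bb:ZZ,PN-EXAMPLE,,
SN-EXAMPLE-0002,00-0b-86-aa-bb-04,PN-EXAMPLE,,switch-4.example
"""


def normalize_mac(raw: str) -> Optional[str]:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex and
    return the colon-separated lower-case form, or None if it is not a MAC address."""
    digits = re.sub(r"[:\-.]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_inventory_csv(text: str) -> tuple[list[dict], list[str]]:
    """Parse the CSV and return (importable rows, problems). Rows with any
    problem are left out of the first list so only clean devices reach the import."""
    reader = csv.DictReader(io.StringIO(text))
    headers = [h.strip().lower() for h in (reader.fieldnames or [])]
    missing = [c for c in REQUIRED_COLUMNS if c not in headers]
    if missing:
        return [], ["missing required column(s): " + ", ".join(missing)]
    clean, problems = [], []
    seen_serials, seen_macs = set(), set()
    for line_no, raw_row in enumerate(reader, start=2):  # line 1 is the header
        row = {(k or "").strip().lower(): (str(v).strip() if v is not None else "")
               for k, v in raw_row.items()}
        errors = [f"{c} is empty" for c in REQUIRED_COLUMNS if not row.get(c)]
        mac = normalize_mac(row.get("mac_address", ""))
        if row.get("mac_address") and mac is None:
            errors.append(f"invalid MAC address {row['mac_address']!r}")
        elif mac in seen_macs:
            errors.append(f"duplicate MAC address {mac}")
        serial = row.get("serial_number")
        if serial and serial in seen_serials:
            errors.append(f"duplicate serial number {serial}")
        if row.get("ip_address"):
            try:
                ipaddress.ip_address(row["ip_address"])
            except ValueError:
                errors.append(f"ip_address {row['ip_address']!r} is not an IP address")
        if errors:
            problems.append(f"line {line_no}: " + "; ".join(errors))
            continue
        row["mac_address"] = mac  # store the canonical form
        seen_macs.add(mac)
        seen_serials.add(serial)
        clean.append(row)
    return clean, problems


if __name__ == "__main__":
    ok_rows, issues = validate_inventory_csv(SAMPLE_CSV)
    print(f"{len(ok_rows)} importable row(s)")
    for issue in issues:
        print("skipped:", issue)
```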


Adding Devices Using PSK
Aruba Central supports adding devices using a pre-shared key (PSK). If you want to add Instant APs and switches to Aruba Central, you can configure a shared secret key on the DHCP server. When you add the same shared secret key in Aruba Central, the devices with the known PSK string are added to the Aruba Central device inventory.
Adding Instant APs Using PSK with DHCP Server
To onboard Instant APs using PSK, complete the following steps:
1. Configure the following parameters on the DHCP server to which the Instant APs connect.
- Option 60 with ArubaInstantAP. For example:
  option 60 text "ArubaInstantAP"
- Option 43 in the format <Group>:<Topfolder>:<folder1>,<Aruba-Central IP>,<shared secret>. For example:
  option 43 text "3810_switch:top:default,100.100.100.10,secret_key"
Ensure that you provide only the IP address and not the host name.
2. On the HPE GreenLake portal, configure the PSK details. For more information, see the HPE GreenLake User Guide.
3. Reboot the Instant APs. Ensure that the Instant APs get the IP address from the DHCP server and connect to Aruba Central On-Premises.
Adding Switches Using PSK
To onboard switches using PSK:
1. Ensure that the switches are running the factory default configuration.
2. Configure the following parameter on the DHCP server: Option 43 in the format <Group>:<Topfolder>:<folder1>,<Aruba-Central IP>,<shared secret>.
3. In the Aruba Central UI, go to Global Settings > Device Inventory.
4. Click Add/Delete PSK. The Add/Delete PSK window opens.
5. Enter the PSK name and PSK details.
6. Click Add.
7. Reboot the switches.
8. Ensure that the switches get an IP address from the DHCP server and connect to Aruba Central.
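Added example (not the guide's or Aruba's own code): a Python helper that builds and checks the Option 43 string used for PSK onboarding of Instant APs and switches above, enforcing the IP-address-not-host-name rule and applying the group-name rules from the Creating a Group procedure to the <Group> field. It assumes that the Option 43 group follows the same naming rules as a group created in the UI, that the reserved names are compared case-insensitively, and it renders the values in the 'option NN text "..."' form the guide's example uses.

```python
"""Build and validate the DHCP Option 43 string for Aruba Central PSK onboarding."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Group-name rules from the "Creating a Group" procedure: alphanumerics plus
# "-", "_" and space, at most 32 characters via the UI (128 via the NB API),
# and the system-defined names are not allowed.
GROUP_NAME_RE = re.compile(r"[A-Za-z0-9 _-]+")
RESERVED_GROUP_NAMES = {"default", "unprovisioned", "global"}
GROUP_NAME_MAX_UI = 32
GROUP_NAME_MAX_API = 128

OPTION43_FORMAT = "<Group>:<Topfolder>:<folder1>,<Aruba-Central IP>,<shared secret>"


def validate_group_name(name: str, via_api: bool = False) -> list[str]:
    """Return the rule violations for a group name (an empty list means valid).
    Comparing the reserved names case-insensitively is an assumption of this example."""
    limit = GROUP_NAME_MAX_API if via_api else GROUP_NAME_MAX_UI
    if not name:
        return ["group name is empty"]
    problems = []
    if len(name) > limit:
        problems.append(f"group name exceeds {limit} characters")
    if not GROUP_NAME_RE.fullmatch(name):
        problems.append("group name may contain only alphanumerics, '-', '_' and space")
    if name.lower() in RESERVED_GROUP_NAMES:
        problems.append(f"{name!r} is a system-defined group name")
    return problems


@dataclass(frozen=True)
class Option43:
    """The fields of the Option 43 string, in the order the guide gives them."""
    group: str
    top_folder: str
    folder: str
    central_ip: str
    shared_secret: str

    def encode(self) -> str:
        return (f"{self.group}:{self.top_folder}:{self.folder},"
                f"{self.central_ip},{self.shared_secret}")


def validate_option43(text: str) -> list[str]:
    """Return every problem found in an Option 43 string (empty list = well-formed)."""
    parts = text.split(",", 2)  # the secret is last, so commas inside it are tolerated
    if len(parts) != 3:
        return [f"expected {OPTION43_FORMAT}"]
    path, central, secret = parts
    problems = []
    folders = path.split(":")
    if len(folders) != 3 or not all(folders):
        problems.append("first field must be <Group>:<Topfolder>:<folder1>")
    else:
        problems.extend(validate_group_name(folders[0]))
    # The guide requires the Aruba Central IP address, never a host name.
    try:
        ipaddress.ip_address(central)
    except ValueError:
        problems.append(f"Aruba Central must be an IP address, not a host name: {central!r}")
    if not secret:
        problems.append("shared secret is empty")
    return problems


def parse_option43(text: str) -> Option43:
    """Parse a well-formed Option 43 string; raise ValueError listing every defect otherwise."""
    problems = validate_option43(text)
    if problems:
        raise ValueError("; ".join(problems))
    path, central, secret = text.split(",", 2)
    group, top_folder, folder = path.split(":")
    return Option43(group, top_folder, folder, central, secret)


def render_dhcp_options(opt: Option43, vendor_class: Optional[str] = "ArubaInstantAP") -> str:
    """Render the values in the 'option NN text "..."' form the guide shows.
    Instant APs also need Option 60; pass vendor_class=None for switches."""
    lines = []
    if vendor_class:
        lines.append(f'option 60 text "{vendor_class}"')
    lines.append(f'option 43 text "{opt.encode()}"')
    return "\n".join(lines)


if __name__ == "__main__":
    # The value from the guide's own example.
    opt = parse_option43("3810_switch:top:default,100.100.100.10,secret_key")
    print(render_dhcp_options(opt))
    # A host name instead of an IP address is rejected, as the guide warns.
    print(validate_option43("3810_switch:top:default,central.example.com,secret_key"))
```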

Adding Mobility Controllers
Aruba Central offers a monitoring service for WLAN networks configured and managed using Aruba Mobility Controllers. Aruba Central allows you to onboard and monitor controller clusters, the Mobility Master setup, and the conductor and local controller setup. When you add a conductor controller or a Mobility Master, Aruba Central discovers all the associated controllers and campus APs, and adds them to the device inventory.
Note: Aruba Central does not support configuring controllers. To configure and deploy controllers, use the ArubaOS WebUI and CLI.
Before You Begin
Before adding controllers to Aruba Central, ensure that the controller has the following parameters configured:
- Management Server profile--The Aruba Central server must be configured as a management server on the controller.
- Advanced Monitoring Messages--Enable AMON for communication between the Aruba Central server and the controller. When AMON is enabled on the controller over UDP 8211, the controller periodically sends information about user sessions, AP and client associations, and other such information required for managing and monitoring controllers on Aruba Central.
- Syslog Messages and SNMP Traps--Although AMON is the preferred option for polling data from controllers, to obtain data pertaining to AP lists you may want to enable SNMP, and configure SNMP traps and a syslog server for logging system events.
- Websocket connection--To enable controller firmware upgrade and troubleshooting from Aruba Central, ensure that the Aruba Central server URL and IP address are configured on controllers running ArubaOS 6.5.3.6 or later. For more information on configuring controllers, see the ArubaOS User Guide.
Note: Controllers running the ArubaOS 6.5.4.8 software image do not support the Websocket connection, so Aruba Central cannot onboard these controllers.
Configuring SNMP and HTTPS Connection Profiles
This section describes the procedure for adding controllers using SNMP and HTTPS connection profiles. You can also onboard controllers using their MAC Address and Serial Number. For more information, see Adding Devices Using MAC Address and Serial Number.
To configure connection profiles for adding controllers:
1. Go to Global Settings > Device Inventory.
2. Click Controller Management. The Controller Management pop-up window opens.


3. Under Connection Profile, configure the SNMP and HTTPS connection profiles as per your requirement.
4. To add an SNMP connection profile:
   a. Click SNMP and add the following details:
      - Name--Name of the connection profile.
      - SNMP Version--SNMP version, for example V2 or V3.
      - Community String--Community string required for the management of the controller.
   b. Click Save.
5. To add an HTTPS connection profile:
   a. Click HTTPS and add the following details:
      - Name--Name of the connection profile.
      - HTTPS User--Username for HTTPS authentication.
      - HTTPS Password and Confirm HTTPS Password--Password for HTTPS authentication.
   b. Click Save.
Adding a Controller
To add controllers, click the Add MM/Controllers tab.
1. Click + to add a controller.
2. Enter a name for the controller.
3. Enter the IP address of the controller. You can find the controller IP address by executing the command show controller-ip.
4. Select an SNMP or HTTPS profile.
5. Click Save.
6. Return to the Device Inventory page and verify that your controller is added.

Viewing Devices
The devices provisioned in your account are listed on the Global Settings > Device Inventory page. Table 12 shows the contents of the Device Inventory page.

Table 12: Predefined Variables Example

Parameter | Description
MAC Address | MAC address of the device.
Type | Type of the device, for example Instant AP or Switch.
IP address | IP address of the device.
Device Name | Name of the device.
Labels | Name of the label to which the device is assigned.
Model | Hardware model of the device.
Group | Name of the group to which the device is assigned. This column is displayed only for Aruba Central Standard Enterprise mode users.
Customer | Name of the tenant account to which the devices are assigned. This column is displayed only for MSP mode users.
Status | Status of the subscription assignment.

Deleting a Device
To delete a device:
1. On the Global Settings > Device Inventory page, click Delete Devices. The Delete Devices window opens and displays the list of devices provisioned in your network.
2. Select the devices from the list.
3. Click Delete.
Managing Device Profiles
You can use auto-provisioning to add and manage various SNMP and HTTPS profiles for your devices. These pre-defined profiles and keys make it easier to manage device onboarding during the device discovery process.
Setting up a New Profile
To set up a new profile, you need to:
1. Add an SNMP Profile
2. Add an HTTPS Profile
3. Add Pre-Shared Keys
Adding an SNMP Profile
To add an SNMP profile, follow these steps:
1. From the home page, go to Devices > Auto-Provisioning.
2. Click Add SNMP Profile. The Create SNMP Profile dialog opens.
3. Enter a profile name and select an SNMP version from the dropdown. Options include V2 and V3.
4. If you select SNMPv2, enter a community string password and click Create. The new profile name is listed in the SNMP column.
5. If you select SNMPv3, additional information is required. You need to set up the following authorization credentials:
- SNMPv3 Username
- SNMPv3 Authentication Protocol: options include MD5 or SHA
- SNMPv3 Auth Password and confirmation
- SNMPv3 Privacy Protocol: options include AES or DES
- Privacy password and confirmation
6. After entering the SNMP profile authorization details, click Create. The new profile name is created and listed in the SNMP column.


Adding an HTTPS Profile
Next you have to create an HTTPS profile.
1. Click Add HTTPS Profile. The Create HTTPS Profile dialog opens.
2. In the HTTPS profile configuration fields, enter the following details:
- Profile name
- User
- Password and confirmation
3. Click Create. The new profile name is created and listed in the HTTPS column.
The minimum character length for an HTTPS profile is 8 characters.
Adding a Pre-Shared Key
Next you have to create a pre-shared key.
1. Click Add Key. The Create Pre-Shared Key dialog opens.
2. In the pre-shared key configuration fields, enter the following details:
- Name
- Pre-Shared Key and confirmation
3. Click Create. The new key name is listed in the Pre-Shared Keys column.
Adding a Device Using Device Discovery
Prerequisite: To add a new device using the Device Discovery method, you need to first define profiles using the steps in the Setting Up a New Profile section. To add a device using device discovery, follow these steps:
1. On the Dashboard Onboard Devices card, click Add Devices. The Devices Inventory displays.
2. In the Ownership Type box, select the Device Discovery option. The Device Discovery pane opens.
3. Enter a preferred name and IP Address, and select the SNMP profile and HTTPS profile details of a compatible device to begin the device discovery process.
4. Click Finish. In the Adding Devices to your Inventory dialog, you can view the Audit Logs for the recent action or click Close to complete the process.
5. The newly added device is displayed in your inventory.
Assigning Devices to Groups
To assign a device to a group from the Device Preprovisioning page, complete the following steps:
The following procedure is only for assigning groups to devices that are connecting for the first time. Group management actions, such as moving devices between groups or moving devices from the unprovisioned group to other groups, are done on the Groups page. For more information, see Managing Groups.

1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Device Preprovisioning tile. The Device List table is displayed. The Device List table lists the total number of devices in the inventory.
4. Select the device(s) that you want to move to a selected group. You can select and move up to 50 devices at a time.
If the selected device is already connected to Aruba Central On-Premises, the Move devices option is not available for that device.
5. Click the Move devices icon. The Assign Group page is displayed.
6. Select the Destination Group from the drop-down list.
You can assign only the device type for which the group was created. For example, if a group is created for Access Points only, then only Access Points can be assigned to that group. You cannot assign other device types to it.
7. Click Move. The selected device(s) are moved to the destination group. These devices adopt the destination group configuration.
For every device pre-provisioning operation, a warning pop-up is displayed asking you to check the audit trail log for the status. If you are assigning devices in bulk, check the audit trail to confirm that all devices were assigned successfully and to see the reason for any rejected devices.
To assign a device to a group from the Groups page, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand a group from which you want to move devices to the selected group. For example, expand the Unprovisioned Devices group, select the devices, and then click the Move devices icon. The Move Devices page is displayed.
You can assign only the device type for which the group was created. For example, if a group is created for Access Points only, then only Access Points can be assigned to that group. You cannot assign other device types to it.
5. Select the Destination Group from the drop-down list.


6. Click Move. The selected devices are moved to the destination group. These devices will adopt the destination group configuration.
Assigning Labels
In Aruba Central, assigning Sites and Labels is an optional step. Labels are tags attached to a device provisioned in the network. You can use labels to tag devices to a specific area in a physical location, to an owner, a specific branch, or a business unit. You can use these labels as filters for monitoring branch and device health and for generating reports. To assign a label to a device, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Labels tile. The Manage Labels page is displayed.
4. Locate the label to which you want to assign a device. You can also create a new label by clicking Add Label and providing a label name.
5. In the table that lists the labels, you can perform one of the following actions:
- Click All Devices to view all devices.
- Click Unassigned to view all the devices that are not assigned to any labels.
6. Select Unassigned. A list of devices that are not assigned to any label is displayed.
7. Select one or several devices from the list of devices.
8. Drag and drop the selected devices to a specific label. A pop-up window opens and prompts you to confirm the label assignment.
9. To confirm the assignment, click Yes.
For more information, see Managing Labels.
Assigning Sites
In Aruba Central, assigning Sites and Labels is an optional step. A site in Aruba Central refers to a physical location where a set of devices is installed; for example, a campus, branch, or venue. You can create a branch or campus site, for example Branch A or Campus A, for a specific geographical location and assign devices to it. You can use these sites as filters for viewing your deployment topology and monitoring network and device health. To assign devices to a site, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. Under Manage Sites, locate the site to which you want to assign a device. You can also add a new site by clicking (+) New Site and providing details such as the site name and address.
5. To view devices that are not assigned to any site, click Unassigned.
6. Select one or several devices from the list of devices.
7. Drag and drop the devices to the site on the left. A pop-up window opens and prompts you to confirm the site assignment.
8. To confirm the assignment, click Yes.
For more information, see Managing Sites.
Connecting Aruba APs to Aruba Central On-Premises
Aruba IAPs can automatically provision themselves and connect to Aruba Central On-Premises once they are powered on. To provision an IAP, complete the following steps:
1. Connect your IAP to the provisioning network through PSK onboarding.
2. Wait for the device to obtain an IP address through DHCP.
3. Observe the LED indicators. For more information, refer to the AP Installation Guide.
When an IAP identifies Aruba Central On-Premises as its management entity, it connects to Aruba Central On-Premises and shows up as a connected device in Aruba Central On-Premises.
Adding an Access Point
You can now assign the devices that you want to manage using Aruba Central On-Premises on the HPE GreenLake account home. To manage devices from Aruba Central On-Premises, trial users must manually add the devices to the device inventory in the HPE GreenLake account home. For more information about assigning devices, see Managing Devices and Device Subscriptions.
Connecting Aruba Switches to Aruba Central
Aruba switches can automatically provision themselves and connect to Aruba Central once they are powered on. The switches support zero-touch provisioning (ZTP), in which the devices obtain the IP address carried in option 43 from the DHCP server. To provision switches, complete the following steps:
1. Connect your switches to the provisioning network.
2. Wait for the device to obtain an IP address through DHCP.
3. Observe the LED indicators. For more information, refer to the Switch Installation Guide.
- If the device is in the factory default configuration, you must manually add either the serial number, MAC address, or part number of the switch in Aruba Central On-Premises for the switch to connect to Aruba Central On-Premises.
- If the device has a preconfigured configuration, you must first create a backup of the configuration, then reset the switch using the erase all zeroize command in the CLI. This initiates ZTP on the switch, enabling the switch to obtain the IP address from option 43 sent by the DHCP server and then connect to Aruba Central On-Premises.

Aruba Central On-Premises 2.5.6 | User Guide


- When a switch identifies Aruba Central as its management entity, it connects to Aruba Central and shows up as a connected device in Aruba Central.
- If the switch is running a software version that is not compatible with Aruba Central, upgrade the switch to a supported software version and wait for it to connect to Aruba Central.
Adding a Switch
You can now add the devices that you want to manage using Aruba Central On-Premises on the HPE GreenLake account home. To manage devices from Aruba Central On-Premises, trial users must manually add the devices to the HPE GreenLake account home. For more information about adding devices, see Managing Devices and Device Subscriptions.

Configuring Communication Ports
Most of the communication between devices on the remote site and the Aruba Central server is carried out through HTTPS (TCP 443). However, verify that the ports listed in the following table are open on any network firewall between the Aruba Central server and the managed devices, so that they can communicate.

The following table provides information on the various domain names and ports for Aruba Central On-Premises.

Table 13: Domain Names and Ports for Aruba Central On-Premises

Inbound Ports Traffic

| Source IP/Network | Destination IP/Network | Destination Port | Protocol | Purpose |
|---|---|---|---|---|
| Administrative workstation IP address | Aruba Central On-Premises cluster IP address | 443 | TCP, HTTPS | To access and manage the Aruba Central On-Premises WebUI. |
| Administrative workstation IP address | All Aruba Central On-Premises node IP addresses | 4343 | TCP, HTTPS | To access the Aruba Central On-Premises setup wizard for installation. |
| Device IP address | Aruba Central On-Premises cluster IP address | 443 | TCP, HTTPS | For HTTPS and WebSocket communication between Aruba Central On-Premises and managed devices. |
| Device IP address | Aruba Central On-Premises cluster IP address | 8211 | UDP, AMON | To receive AMON messages and view data for controllers in the Aruba Central On-Premises monitoring dashboard. |
| Switch IP address | Aruba Central On-Premises cluster IP address | 8888 | TCP, HTTP | For HTTP-based firmware image download for CX and PVOS switches. |

Outbound Ports Traffic

| Source IP/Network | Destination IP/Network | Destination Port | Protocol | Purpose |
|---|---|---|---|---|
| All Aruba Central On-Premises node IP addresses | SMTP server | 25, 456, or 587 | TCP, SMTP | Dependent on the SMTP configuration for alerts, reports, and Aruba Central On-Premises account registration. |
| All Aruba Central On-Premises node IP addresses | NTP server | 123 | UDP, NTP | To access the user-configurable NTP server for clock synchronization. Default is ntp.ubuntu.com. |
| All Aruba Central On-Premises node IP addresses | Device IP address | 161 | UDP, SNMP | For SNMP and traps. |
| All Aruba Central On-Premises node IP addresses | Device IP address | 162 | UDP, SNMP | For SNMP and traps. |
| All Aruba Central On-Premises node IP addresses | Aruba controller IP address | 4343 | TCP, HTTPS | For device bootstrap to controllers. |
| All Aruba Central On-Premises node IP addresses | nexus2.airwave.com | 22 | TCP, SSH | For the Aruba Central On-Premises support connection to TAC. |
| All Aruba Central On-Premises node IP addresses | coreupdate.central.arubanetworks.com | 443 | TCP, HTTPS | To check and download Aruba Central On-Premises software for automatic upgrades. |
| All Aruba Central On-Premises node IP addresses | quay.io | 443 | TCP, HTTPS | To check and download Aruba Central On-Premises software for automatic upgrades. |
| All Aruba Central On-Premises node IP addresses | docker.io | 443 | TCP, HTTPS | To check and download Aruba Central On-Premises software for automatic upgrades. |
| All Aruba Central On-Premises node IP addresses | docker.com | 443 | TCP, HTTPS | To check and download Aruba Central On-Premises software for automatic upgrades. |
| All Aruba Central On-Premises node IP addresses | docker.elastic.co | 443 | TCP, HTTPS | To check and download Aruba Central On-Premises software for automatic upgrades. |
| All Aruba Central On-Premises node IP addresses | maps.googleapis.com | 443 | TCP, HTTPS | To translate addresses and map latitude/longitude. |
| All Aruba Central On-Premises node IP addresses | https://enterpriselicense.hpe.com | 443 | TCP, HTTPS | For Aruba Central On-Premises license enforcement. |
| Administrative workstation IP address | api.mapbox.com | 443 | TCP, HTTPS | To view maps in the Aruba Central On-Premises WebUI. |
| Administrative workstation IP address | d1c50u1zbkqmph.cloudfront.net | 443 | TCP, HTTPS | For Aruba Central On-Premises WebUI static content access from the CDN. |
| Administrative workstation IP address | help.arubanetworks.com | 443 | TCP, HTTPS | To access the Aruba Central On-Premises User Guide from the Aruba Central On-Premises WebUI. |

The source port is always dynamic (random) for both inbound and outbound traffic.
The Aruba appliance opens multiple ports. Aruba recommends that you host the Aruba appliance behind a firewall.
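As an added example (not part of this guide or of the product), the rows of Table 13 encoded as data, rendered as nftables allow rules for the firewall the guide recommends placing in front of the appliance, and an audit of an existing allow-list against the table that reports both missing required flows and inbound flows the table does not call for. The address labels, the sample CIDRs and the nftables set names are constructed assumptions, not values from the guide.

```python
"""Added example, not from the Aruba guide: Table 13 of the Aruba Central
On-Premises guide as data, rendered as nftables allow rules for the firewall the
guide recommends in front of the appliance, plus an audit of an existing policy
against the table. Address labels (cluster_ip, node_ip, device, ...) stand in for
the table's address columns; the CIDRs in ADDRESSES are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Key = Tuple[str, str, str, str, int]  # (direction, src, dst, proto, port)


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" = towards the appliance, "out" = from it
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    port: int
    purpose: str

    def key(self) -> Key:
        return (self.direction, self.src, self.dst, self.proto, self.port)


# One Flow per destination port in Table 13 (SMTP shown with 25; the table also
# allows 456 or 587 depending on the SMTP configuration).
REQUIRED_FLOWS: List[Flow] = [
    Flow("in", "admin_workstation", "cluster_ip", "tcp", 443, "WebUI"),
    Flow("in", "admin_workstation", "node_ip", "tcp", 4343, "setup wizard"),
    Flow("in", "device", "cluster_ip", "tcp", 443, "HTTPS/WebSocket from managed devices"),
    Flow("in", "device", "cluster_ip", "udp", 8211, "AMON from controllers"),
    Flow("in", "switch", "cluster_ip", "tcp", 8888, "HTTP firmware image download"),
    Flow("out", "node_ip", "smtp_server", "tcp", 25, "SMTP for alerts and reports"),
    Flow("out", "node_ip", "ntp_server", "udp", 123, "NTP clock synchronization"),
    Flow("out", "node_ip", "device", "udp", 161, "SNMP"),
    Flow("out", "node_ip", "device", "udp", 162, "SNMP traps"),
    Flow("out", "node_ip", "controller", "tcp", 4343, "device bootstrap to controllers"),
    Flow("out", "node_ip", "nexus2.airwave.com", "tcp", 22, "support connection to TAC"),
    Flow("out", "node_ip", "coreupdate.central.arubanetworks.com", "tcp", 443, "software upgrades"),
    Flow("out", "node_ip", "quay.io", "tcp", 443, "software upgrades"),
    Flow("out", "node_ip", "docker.io", "tcp", 443, "software upgrades"),
    Flow("out", "node_ip", "docker.com", "tcp", 443, "software upgrades"),
    Flow("out", "node_ip", "docker.elastic.co", "tcp", 443, "software upgrades"),
    Flow("out", "node_ip", "maps.googleapis.com", "tcp", 443, "address geocoding"),
    Flow("out", "node_ip", "enterpriselicense.hpe.com", "tcp", 443, "license enforcement"),
    Flow("out", "admin_workstation", "api.mapbox.com", "tcp", 443, "maps in WebUI"),
    Flow("out", "admin_workstation", "d1c50u1zbkqmph.cloudfront.net", "tcp", 443, "WebUI static content"),
    Flow("out", "admin_workstation", "help.arubanetworks.com", "tcp", 443, "User Guide from WebUI"),
]

# Constructed sample prefixes for the address labels. A destination absent from
# this map is a DNS name: it is matched via a named nftables set (@name) that
# has to be populated out of band, since no prefix for it is known here.
ADDRESSES: Dict[str, str] = {
    "admin_workstation": "10.10.0.0/24",
    "cluster_ip": "10.20.0.10/32",
    "node_ip": "10.20.0.0/28",
    "device": "10.30.0.0/16",
    "switch": "10.30.0.0/16",
    "controller": "10.40.0.0/24",
    "smtp_server": "10.50.0.25/32",
    "ntp_server": "10.50.0.123/32",
}


def nft_rule(flow: Flow, addresses: Dict[str, str] = ADDRESSES) -> str:
    """Render one table row as an nftables rule (without the chain wrapper)."""
    src = addresses[flow.src]
    if flow.dst in addresses:
        dst = f"ip daddr {addresses[flow.dst]}"
    else:
        dst = f"ip daddr @{flow.dst.replace('.', '_')}"
    return f'ip saddr {src} {dst} {flow.proto} dport {flow.port} accept comment "{flow.purpose}"'


def render_ruleset(flows: Iterable[Flow] = REQUIRED_FLOWS) -> List[str]:
    """Inbound rules first (they bound the appliance's exposure), then outbound."""
    ordered = sorted(flows, key=lambda f: (f.direction != "in", f.port))
    return [nft_rule(f) for f in ordered]


def audit_policy(allowed: Set[Key], required: Iterable[Flow] = REQUIRED_FLOWS
                 ) -> Tuple[List[Key], List[Key]]:
    """Compare an existing allow-list with the table.

    Returns (missing, extra_inbound): required flows the policy does not permit
    (the appliance will not work) and inbound flows the policy permits that the
    table does not call for (exposure of the appliance beyond what it needs).
    """
    required_keys = {f.key() for f in required}
    missing = sorted(required_keys - allowed)
    extra_inbound = sorted(k for k in allowed - required_keys if k[0] == "in")
    return missing, extra_inbound
```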


Verifying Device Configuration Status
Aruba Central provides an audit dashboard for reviewing configuration changes for the devices provisioned in UI and template groups. The Configuration Audit menu option under Manage > Devices allows you to view the configuration template errors, configuration sync, and device-level configuration overrides.
Viewing Configuration Audit Page
- To access the Configuration Audit page for APs, complete the following steps:
  a. In the Aruba Central On-Premises app, use the filter bar to select a group or device.
  b. Under Manage > Devices, click Access Points.
  c. Click the configuration icon and click Show Advanced.
  d. Click Configuration Audit.
- To access the Configuration Audit page for switches, complete the following steps:
  a. In the Aruba Central On-Premises app, use the filter bar to select a group or device.
  b. Under Manage > Devices, click Switches.
  c. Click the configuration icon and click Show Advanced.
  d. Click Configuration Audit.
Configuration Synchronization Errors
The devices managed by Aruba Central On-Premises receive configuration changes from Aruba Central On-Premises. Occasionally, an Aruba Central On-Premises-managed device may fail to receive a configuration change from Aruba Central On-Premises. Such instances are marked as Failed changes in the Configuration Audit dashboard. If the condition persists, contact Aruba Technical Assistance.

Local Overrides
In Aruba Central On-Premises, devices are assigned to groups that serve as the primary configuration elements. Occasionally, based on the network provisioning requirements, the administrators may need to modify the configuration of a specific device in a group. As these modifications override the configuration settings that the device has inherited from the group, Aruba Central On-Premises marks these as local overrides.

Viewing Status for a Template Group
On selecting a template group, the Configuration Audit page displays the options listed in the following table:

Table 14: Configuration Audit Status for a Template Group

Template Errors
Provides details of the number of devices with template errors for the selected template group.
Devices deployed in the template group are provisioned using configuration templates. If there are errors in the templates or variable definitions, the configuration push to the devices fails. Aruba Central On-Premises records such failed instances as template errors and displays these errors on the Configuration Audit page.
To view a complete list of errors, click View Template Errors. The Template Errors window allows you to view and resolve the template errors (if any) for the devices in the group.

Configuration Status
Provides details of the number of devices with configuration sync errors for the selected template group.
To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
- Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
- Device Running Configuration--Displays the running configuration on the switch.
To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central On-Premises will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Group & Device Modes
Allows you to view and edit devices that are set to the managed or monitored operation mode.
- Managed Mode Devices--Click the View & Edit link. The Managed Mode Devices window is displayed with the list of devices operating in the managed mode. To change the device operation mode to monitored, click Change to Monitor Mode.
- Monitored Mode Devices--Click the View & Edit link. The Monitored Mode Devices window is displayed. To change the device operation mode to managed, click Change to Managed Mode.

Configuration Backup & Restore
Allows you to create a backup of templates and variables applied to the devices in the template group.
- New Configuration Backup--Allows you to create a new backup of templates and variables applied to the devices in the template group.

All Devices
The All Devices table provides the following device information for the selected group:
- Name--The name of the device.
- Type--The type of the device.
- Auto Commit--The status of the auto commit state for all the devices within the group.
- Config Sync--Indicator showing configuration sync errors.
- Template Error--Indicator showing configuration template errors for the devices deployed in template groups.


Viewing Status for Devices Assigned to a Template Group
On selecting a device that is provisioned in a template group, the Configuration Audit page displays the options listed in the following table:

Table 15: Configuration Audit Status for Devices in Template Groups

Template Applied
Displays the template that is currently applied to the selected device.

Template Errors
Displays the number of template errors for the selected device. To view a complete list of errors, click View Template Errors.

Configuration Status
Displays the configuration sync errors for the selected device.
To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
- Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
- Device Running Configuration--Displays the running configuration on the switch.
To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Config Comparison Tool
Allows you to view the difference between the current configuration (Device Running Configuration) and the configuration that is yet to be pushed to the device (Attempted Configuration). To view the running and attempted configuration changes side by side, click View.

Group & Device Modes
Allows you to view and edit devices that are operating in the managed or monitored mode.
- Managed Mode Devices--Click the View & Edit link. The Managed Mode Devices window is displayed with the list of devices operating in the managed mode. To change the device operation mode to monitored, click Change to Monitor Mode.
- Monitored Mode Devices--Click the View & Edit link. The Monitored Mode Devices window is displayed. To change the device operation mode to managed, click Change to Managed Mode.

Viewing Configuration Status for a UI Group
On selecting a UI group, the Configuration Audit page displays the options listed in the following table:

Table 16: Configuration Audit Status for a UI Group

Configuration Status
Displays the number of devices with configuration sync errors for the selected UI group.
To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
- Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
- Device Running Configuration--Displays the running configuration on the switch.
To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Local Overrides
Displays the number of devices with local overrides. To view a complete list of overrides, click the Manage Local Overrides link. The Local Overrides window is displayed.
- To preserve the overrides, click Close.
- To remove the overrides, select the group name with the local override, click Remove, and click OK.

All Devices
The All Devices List table provides the following device information for the selected group:
- Name--The name of the device.
- Type--The type of the device.
- Auto Commit--The status of the auto commit state for all the devices within the group.
- Config Sync--Indicator showing configuration sync errors.
- Local Override--Indicator showing configuration overrides for the devices deployed in UI groups.

Viewing Configuration Status for Devices Assigned to a UI Group
On selecting a device assigned to a UI group, the Configuration Audit page displays the options listed in the following table:

Table 17: Configuration Audit Status for a Device Assigned to a UI Group

Configuration Status
Displays the number of devices with configuration sync errors for the selected device.
To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
- Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
- Device Running Configuration--Displays the running configuration on the switch.
To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Local Overrides
Displays the number of local overrides. To view a complete list of overrides, click Manage Local Overrides. The Local Overrides window is displayed. The overrides are grouped based on the features that are configured in the UI and are displayed as drop-down sections. For example, all overrides for IGMP are listed under a separate drop-down with the heading IGMP.
- To preserve the overrides, click Close.
- To remove the overrides, click Remove, and click OK.


Device Replacement
Aruba Central supports device replacement workflows for the following types of Aruba devices:
n Access Points--For more information about Instant APs replacement workflows, see Replacing an Access Point and Bulk Replacement of Access Points.
n AOS-S Switches--For more information about AOS-S switches replacement workflows, see Replacing an AOS-S Switch.
The device replacement workflows carry the existing device attributes and configuration over from the faulty device to the new device.
The device replacement workflows for AOS-S switch and AOS-S stack are not supported.
About the Aruba Central On-Premises App User Interface
The Aruba Central On-Premises app helps to manage, monitor, and analyze your network. You can manage your respective accounts end-to-end. Here, the customers have complete access to their accounts. You can also provision and manage the accounts. The following image displays the navigational elements of the Aruba Central On-Premises app.

Figure 1 Navigation Elements of the Aruba Central On-Premises App

Callout numbers and their descriptions:
1. Filter to select an option under Group, Label, or Site. For all devices, select Global. A corresponding dashboard is displayed.
2. Item under the left navigation contextual menu. The menu is dependent on the filter selection.
3. First-level tab on the dashboard.
4. Second-level tab on the dashboard.
5. Dashboard content for the selected view and filter. For example, the current dashboard in the image displays the UCC tab under Manage > Applications in the List view for the Global filter.
6. Time range filter. This is displayed for selected dashboards only.
7. List view to display tabular data for the selected filter. This is displayed for selected dashboards only.
8. Summary view to display charts for the selected filter. This is displayed for selected dashboards only.
9. Config view to enable configuration options for the selected filter. This is displayed for selected dashboards only.

Types of Dashboards in the Aruba Central On-Premises App
The Aruba Central On-Premises app uses a filter to set the dashboard context for the app. The menu for the left navigation pane changes according to the selected filter value. Selecting any item on the left navigation pane displays a corresponding dashboard. Accordingly, for different values of the filter, the content displayed for the left navigation menu and the dashboard context differs. The following table lists all the available dashboards and the link to the detailed description of each type of dashboard.

Table 18: Types of Dashboards

Each entry gives the link to the dashboard, followed by the filter value and dashboard description.

The Global Dashboard
When the filter is set to Global (for standard enterprise modes) or All Groups (for managed service modes), the dashboard context displayed is for all available devices registered to the specific Aruba Central account. This is called the global dashboard.

The Group Dashboard
When the filter is set to a specific group, the dashboard context displayed is only for the devices that are configured as part of that group. This is called the group dashboard.

The Site Dashboard
When the filter is set to a specific site, the dashboard context displayed is only for the devices that are configured as part of that site. This is called the site dashboard.

The Label Dashboard
When the filter is set to a specific label, the dashboard context displayed is only for the devices that are configured as part of that label. This is called the label dashboard.

The Controller Dashboard
When the filter is set to a controller, the dashboard context displayed is only for that specific controller. This is called the controller dashboard. The controller dashboard enables you to manage and monitor a specific controller.

The Access Point Dashboard
When the filter is set to an access point, the dashboard context displayed is only for that specific access point. This is called the access point dashboard. The access point dashboard enables you to manage and monitor a specific access point.

The Switch Dashboard
When the filter is set to a switch, the dashboard context displayed is only for that specific switch. This is called the switch dashboard. The switch dashboard enables you to manage and monitor a specific switch.

The Client Dashboard
In the Aruba Central On-Premises app, the client dashboard is displayed under Manage > Clients for any filter value.


The dashboard for any item on the left navigation menu can have a combination of the following views:
- Summary view--Click the Summary icon to display the summary dashboard. The summary dashboard displays a number of charts. For example, in the global dashboard, under Manage, the Overview > Network Health tab in Summary view displays a map of the available sites and their corresponding health. If available, use the time range filter to change the time-lines for the charts.
- List view--Click the List icon to display tabular data for a selected dashboard. For example, in the global dashboard under Manage, the Overview > Network Health tab in List view displays a list of the available sites managed by Aruba Central. If available, use the time range filter to change the time-lines for the tabular data.
- Config view--Click the Config icon to enable the configuration options for a specific dashboard. For example, in the global dashboard under Manage, the Applications > UCC tab in Config view displays various configuration options for UCC.

Navigating to the Switch, Access Point, or Controller Dashboard
In the Aruba Central On-Premises app, you can navigate to a device dashboard for a switch, access point, or controller. The device dashboard enables you to monitor, troubleshoot, or configure a single device. In order to do this, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Group, Label, or Site. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage > Devices, select one of the following options:
   - To view an access point dashboard, click the Access Points tab.
   - To view a switch dashboard, click the Switches tab.
   - To view a controller dashboard, click the Controllers tab.
   The list of devices is displayed in List view.
3. Click a device listed under Device Name. The dashboard context for the specific device is displayed. To exit the device dashboard, click the back arrow on the filter.

Workflow to Configure, Monitor, or Troubleshoot in the Aruba Central On-Premises App
The following image displays a flowchart to help you navigate the Aruba Central On-Premises app to complete any task.

Figure 2 Navigation Workflow for Aruba Central On-Premises App

The Global Dashboard
In the Aruba Central On-Premises app, the global dashboard is displayed when the filter is set to Global. The global dashboard displays information related to all devices registered to that account in Aruba Central On-Premises.
Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central On-Premises account.

Table 19: Contents of the Global Dashboard

The table lists each left navigation menu item with its first-level tabs and their descriptions.

Manage > Overview
- Network Health: Displays information on the networks sorted by site, including information on network devices and WAN connectivity of individual sites. For more information, see Network Health.
- Summary: Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range Filter. For more information, see Global--Summary.
- Wi-Fi Connectivity: The Wi-Fi Connectivity page displays an overall view of the connection details for all clients that are connected to or tried to connect to each connection phase. The connection phases include Association, Authentication, DHCP, and DNS. For more information, see Wi-Fi Connectivity.
- AI Insights: The AI Insights dashboard displays a report of network events that could possibly affect the quality of the overall network performance. For more information, see The AI Insights Dashboard.

Manage > Devices
- Access Points: Displays the access points information in the following views: Summary view (see Monitoring APs in Summary View) and List view (see Monitoring APs in List View).
- Switches: Displays the switches information in the following views: Summary view (see Monitoring Switches in Summary View) and List view (see Monitoring Switches in List View).
- Controllers: Displays the controller information in the Summary view (see Controller > Overview > Summary).

Manage > Clients
- Clients: Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.

Manage > Applications
- Visibility: Provides a summary of client traffic and their data usage to and from applications and websites. Also analyzes the client traffic flow using the graphs displayed. For more information, see Application Visibility.
- UCC: Monitors voice, video, and application sharing sessions, provides traffic visibility, and allows you to prioritize the required sessions. The app also leverages the functions of the service engine on the cloud platform to provide visual metrics for analytical purposes. For more information, see Unified Communications.

Manage > Security
- RAPIDs: Helps to identify and act on interfering devices that can be later considered for investigation, restrictive action, or both. For more information, see RAPIDS.
- Firewall: Monitors traffic coming into and going out of the Aruba Central-managed network and acts as an investigative resource for users to track blocked sessions within the network. For more information, see Configuring Firewall Parameters for Wireless Network Protection.

Analyze > Alerts and Events
- Alerts & Events: Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Audit Trail
- Audit Trail: Shows the total number of logs generated for all device management, configuration, and user management events triggered in Aruba Central. For more information, see Viewing Audit Trail.

Analyze > Tools
- Network Check, Device Check, Commands: Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports
- Reports: Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.

Maintain > Firmware
- Access Points, Switches, Controller: Provides an overview of the latest supported version of firmware for the device, details of the device, and the option to upgrade the device. For more information, see Upgrading Device Firmware.

Maintain > Organization
- Network Structure:
  - Groups: A group in Aruba Central On-Premises is the primary configuration element that functions as a container for device management, monitoring, and maintenance. Groups enable administrators to manage devices efficiently by using either a UI-based configuration workflow or a CLI-based configuration template. For more information, see Managing Groups.
  - Sites and Labels: A site refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Labels are tags attached to a device provisioned in the network. Labels determine the ownership, departments, and functions of the devices. For more information, see Managing Sites and Managing Labels.
  - Certificates: Enables administrators to upload a valid certificate signed by a root CA so that devices are validated and authorized to use Aruba Central On-Premises. For more information, see Managing Certificates.
  - Device Preprovisioning: Displays the number of devices that are pre-provisioned to a group. It enables administrators to assign factory default devices to a group. For more information, see Device Preprovisioning.
  - Install Manager: Simplifies and automates site deployments, and helps IT administrators manage site installations with ease.
- Platform Integration: Shows a tiles view for API Gateway and Webhooks. You can click a tile to navigate to the respective page in Aruba Central On-Premises.
  - API Gateway: Supports the REST API for all Aruba Central On-Premises services. This feature allows Aruba Central On-Premises users to write custom applications, embed, or integrate the APIs with their own applications.
  - Webhooks: Webhooks allow you to implement event reactions by providing real-time information or notifications to other applications.

Maintain > System Management
- System Management: The System Management tab allows you to perform administrative tasks such as setting up the system, enabling SMTP settings, notifications, migration, and even backup and restore.

The Access Point Dashboard
In the Aruba Central On-Premises app, the access point dashboard is displayed when the filter is set to an access point. To navigate to an access point dashboard, see Navigating to the Switch, Access Point, or Controller Dashboard.
The following table lists all the available menu items in the Aruba Central On-Premises app for the access point dashboard.

| 70

Table 20: Contents of the Access Point Dashboard

Left Navigation Menu
Manage > Overview

First-Level Tabs Summary

AI Insights

Floor Plan

Performance

RF

Manage > Device

Access Point Configuration using UI groups

Description
The Summary tab displays the AP device details, network information, radio details including the topology of clients connected to each radio, and the health status of the AP in the network. For more information, see Access Point > Overview > Summary.
The AI Insights tab displays information on AP performance issues such as excessive channel changes, excessive reboots, airtime utilization, and memory utilization. For more information, see Access Point > Overview > AI Insights.
The Floor Plan tab provides information regarding the current location of the Instant AP. For more information, see Access Point > Overview > Floor Plan.
The Performance tab displays the size of data transmitted through the AP. For more information, see Access Point > Overview > Performance.
The RF tab provides details corresponding to 2.4 GHz, 5 GHz, and 5 GHz Secondary radios of the AP. See Access Point > Overview > RF.
Manage > Device | Access Point Configuration using UI groups
Enables AP configuration in the Config view. See Configuring IAPs. Configuration using UI groups contains the following second-level tabs:
- WLANs--Configure wireless network profiles on Instant APs. For more information, see Configuring Wireless Network Profiles on IAPs.
- Access Points--Configure device parameters on Instant APs. For more information, see Configuring Device Parameters.
- Radios--Configure ARM and RF parameters on Instant APs. For more information, see Configuring ARM and RF Parameters on IAPs.
- Interfaces--Configure interface parameters on Instant APs. For more information, see Configuring Uplink Interfaces on IAPs.
- Security--Configure authentication and security profiles on Instant APs. For more information, see Configuring Authentication and Security Profiles on IAPs.
- VPN--Configure VPN host settings on an Instant AP to enable communication with a controller in a remote location. For more information, see Configuring IAPs for VPN Tunnel Creation.
- Services--Configure AirGroup, location services, Lawful Intercept, OpenDNS, and Firewall services on Instant APs. For more information, see Configuring Services.
- System--Configure system parameters on Instant APs. For more information, see Configuring System Parameters for an IAP.
- Configuration Audit--View configuration sync errors and overrides. For more information, see Verifying Device Configuration Status.

Manage > Device | Access Point Configuration using template groups
Configuration using template groups contains the following second-level tabs:
- Templates--Configure Access Points using template groups. For more information, see Configuring IAPs Using Templates.
- Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. For more information, see Managing Variable Files.
- Configuration Audit--View configuration sync errors and overrides. For more information, see Verifying Device Configuration Status.

Manage > Clients | Clients
The Clients tab displays details of all the clients connected to a specific AP. For more information, see Access Point > Clients > Clients.

Manage > Security | VPN
The VPN tab provides information on the VPN connections associated with the Virtual Controller, along with the tunnels and the data usage through each tunnel. For more information, see Access Point > Security > VPN.

Analyze > Alerts and Events | Alerts & Events
The Alerts & Events tab displays details of the alerts and events generated for the AP. For more information, see Access Point > Alerts & Events > Alerts & Events.

Analyze > Audit Trail | Audit Trail
The Audit Trail tab displays the logs for all the device management, configuration, and user management events triggered in Aruba Central. For more information, see Viewing Audit Trail.

Analyze > Tools | Commands
The Commands tab allows network administrators and users with troubleshooting permission to perform troubleshooting or diagnostic tests on devices and networks managed by Aruba Central. For more information, see Advanced Device Troubleshooting.

Maintain > Firmware | Access Points
The Access Points tab allows the user to view the firmware details for devices provisioned in Aruba Central. For more information, see Upgrading Device Firmware.

The Switch Dashboard
In the Aruba Central On-Premises app, the switch dashboard is displayed when the filter is set to a switch. To navigate to a switch dashboard, see Navigating to the Switch, Access Point, or Controller Dashboard.

Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central On-Premises account. Also, some tabs, or some fields inside tabs, apply only to either the AOS-S or the AOS-CX switch series.

Table 21: Contents of the Switch Dashboard

Left Navigation Menu | First-Level Tabs
Description

Manage > Overview | Summary
Displays details about a specific switch, including device information, network summary, and port and hardware status. It also displays uplink and usage details. Use the time range filter to change the time period for the displayed information. For more information, see Switch > Overview > Summary.

Manage > Overview | Hardware
Displays switch hardware details, including the status of power supplies and fans, CPU and memory utilization, and device temperature. For more information, see Switch > Overview > Hardware.

Manage > Overview | Routing
Displays routing information for the switch, such as the type of route, the number of static and connected routes, and the distance of the route. For more information, see Switch > Overview > Routing. The Routing tab is displayed only for AOS-S switches.

Manage > Clients | Clients
Displays details about the wired clients that are connected to the switch. For more information, see Switch > Clients > Clients.

Manage > Clients | Neighbours
Displays details about the devices neighboring the switch. For more information, see Switch > Clients > Neighbours.

Manage > LAN | Ports
Displays details about the ports and the LAGs configured on the switch. Also displays information about AOS-CX switch stacks and stack-related errors. See Switch > LAN > Ports. For information about AOS-CX switch stack-related errors, see Monitoring AOS-CX Switch Stacks.

Manage > LAN | PoE
Displays details about PoE status, PoE ports, and the power consumption from these ports. For more information, see Switch > LAN > PoE.

Manage > LAN | VLAN
Displays the VLAN information configured on the switch and details about tagged and untagged ports. For more information, see Switch > LAN > VLAN.

Manage > VSX | VSX
Displays VSX configuration details between AOS-CX switches and the status of the inter-switch link (ISL). For more information, see Switch > VSX. The VSX tab is displayed only for the AOS-CX switch series.

Manage > Device (AOS-S) | AOS-S--Configuration using UI groups
Enables AOS-S configuration in the AOS-S Config view. For more information, see Configuring AOS-S Switches in UI Groups. Configuration using UI groups contains the following second-level tabs:
- Switches--Configure and view general switch properties, such as hostname, IP address, and netmask. For more information, see Configuring or Viewing Switch Properties.
- Stacks--Create stacks, add members, or view stacking details, such as stack type, stack ID, and topology. For more information, see Configuring AOS-S Stacks Using UI Groups.
- Interface:
  - Ports--Assign or view port properties, such as PoE, access policies, and trunk groups. For more information, see Configuring Switch Ports on AOS-S Switches.
  - PoE--Configure or view PoE settings for each port. For more information, see Configuring PoE Settings on AOS-S Ports.
  - Trunk Groups--Configure or view trunk groups and their associated properties, such as the members of the trunk group and the type of trunk group. For more information, see Configuring Trunk Groups on AOS-S Switches in UI Groups.
  - VLANs--Configure or view VLAN details and the associated ports and access policies. For more information, see Configuring VLANs on AOS-S Switches.
  - Spanning Tree--Configure or view the spanning tree protocol and its associated properties. For more information, see Enabling Spanning Tree Protocol on AOS-S Switches in UI Groups.
  - Loop Protection--Configure or view loop protection and its associated properties. For more information, see Configuring Loop Protection on AOS-S Switch Ports.
- Security:
  - Access Policies--Add or view access policies. For more information, see Configuring Access Policies on AOS-S Switches.
  - DHCP Snooping--Configure or view DHCP snooping, the IP addresses of authorized DHCP servers, and their associated properties. For more information, see Configuring DHCP Snooping on AOS-S Switches.
  - Port Rate Limit--View or specify the bandwidth to be used for inbound or outbound traffic on each port. For more information, see Configuring Port Rate Limit on AOS-S Switches in UI Groups.
  - RADIUS--Configure RADIUS (Remote Authentication Dial-In User Service) server settings on AOS-S switches. For more information, see Configuring RADIUS Server Settings on AOS-S Switches.
  - Downloadable User Role--Enable DUR and configure ClearPass settings to download user roles, policies, and classes from the ClearPass Policy Manager server. For more information, see Configuring Downloadable User Role on AOS-S Switches.
  - Tunneled Node Server--Configure user-based tunnel or port-based tunnel on switches. For more information, see Configuring Tunnel Node Server on AOS-S Switches.
  - Authentication--Configure and enable 802.1X and MAC authentication on switches. You can also configure the authentication order and priority for the authentication methods. For more information, see Configuring Authentication for AOS-S Switches.
- System:
  - Access/DNS--Configure or view the administrator and operator logins. For more information, see Configuring System Parameters for AOS-S Switches.
  - Time--Configure time synchronization on switches. For more information, see Configuring Time Synchronization on AOS-S Switches.
  - SNMP--Add or view SNMP v2c and v3 communities and their trap destinations. For more information, see Configuring SNMP on AOS-S Switches.
  - CDP--Configure CDP and its associated properties. For more information, see Configuring CDP on AOS-S Switches.
  - DHCP--Add or view a DHCP pool and its associated properties. For more information, see Configuring DHCP on AOS-S Switches.
  - IP Client Tracker--Enable AOS-S switches to learn the IP addresses of all, trusted, or only untrusted clients connected to the switch. For more information, see Configuring IP Client Tracker on AOS-S Switches.
- Routing--Configure or view a specific routing path to a controller. For more information, see Configuring Routing on AOS-S Switches.
- IGMP--Configure IGMP and its associated properties. For more information, see Configuring IGMP on AOS-S Switches.
- QoS--Configure QoS traffic policies on switches to classify and prioritize traffic throughout a network. For more information, see Configuring QoS Settings on AOS-S Switches.
- Device Profile--Configure device profiles on switches to dynamically detect devices based on certain parameters. For more information, see Configuring Device Profile and Device Identifier on AOS-S Switches.
- Configuration Audit--View configuration sync errors and overrides. For more information, see Verifying Device Configuration Status.

Manage > Device (AOS-S) | AOS-S--Configuration using templates
Configuration of AOS-S switches using template groups contains the following second-level tabs:
- Templates--Configure the switch using template groups. For more information, see Provisioning Devices Using Configuration Templates.
- Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. For more information, see Managing Variable Files.
- Configuration Audit--View configuration sync errors and overrides. For more information, see Verifying Device Configuration Status.
For more information, see Configuring AOS-S Switches using Templates.

Manage > Device (AOS-S) | AOS-S Stack--Configuration using templates
Configuration of AOS-S stacks using template groups contains the following second-level tabs:
- Templates--Configure the switch stack using template groups. For more information, see Configuring AOS-S Stacks Using Template Groups.
- Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. For more information, see Managing Variable Files.
- Configuration Audit--View configuration sync errors and overrides. For more information, see Verifying Device Configuration Status.

Manage > Device (AOS-CX) | AOS-CX--Configuration using UI groups
Enables AOS-CX configuration in the AOS-CX Config view. For more information, see Configuring AOS-CX Switches in UI Groups. Configuration using UI groups allows you to configure the following features:
- System:
  - Properties--Edit system property settings such as contact, location, time zone, and administrator password. You can also select the VRF to be used and add the DNS and NTP servers. For more information, see Configuring System Properties on AOS-CX.
  - HTTP Proxy--Edit the HTTP proxy configuration details for the switch. For more information, see Configuring HTTP Proxy on AOS-CX.
  - SNMP--Add, edit, or delete SNMP v2 communities, v3 users, and trap notifications. For more information, see Configuring SNMP on AOS-CX.
  - Logging--Add, edit, or delete logging servers to view event logs from the AOS-CX switches. Configure the FQDN or IP address, log severity level, and the VRF to be used for each logging server. Also configure the global debug log severity. For more information, see Configuring Logging Servers for AOS-CX.
  - Administrator--Add, edit, or delete server groups to be used for authentication, authorization, and accounting. You must also configure the protocol required to connect to these server groups. For more information, see Configuring AAA for AOS-CX.
  - Source Interface--Add, modify, or delete the source interface configuration for the Central and user-based tunneling interfaces of AOS-CX switches. For more information, see Configuring Source Interface for AOS-CX.
  - Stacking--Create a stack, add stack members, modify the VSF link, change the secondary conductor, delete the stack, and delete stack members. For more information, see Configuring AOS-CX VSF Stacks Using UI Groups.
- Routing:
  - Static Routing--Add, edit, or delete static routes manually and configure the destination IP addresses, next hop values, VRF, and administrative distance. You can add different static routes for different VRFs on the switch. For more information, see Configuring Static Routing on AOS-CX.
- Interfaces:
  - Ports & Link Aggregations--View and edit port settings such as description, VLAN mode, speed duplex, routing, and the operational status of the port. Add, edit, or delete LAGs by combining different ports and configuring the speed duplex, VLAN mode, aggregation mode, and the operational status of the LAG. For more information, see Configuring Ports and LAGs on AOS-CX.
- Security:
  - Authentication Servers--Add, edit, or view the RADIUS and TACACS servers used for authentication. Add settings such as the FQDN or IP address of the servers, authentication port number, response timeout, retry count, and the VRF to be used when communicating with the servers. For more information, see Configuring Authentication Servers on AOS-CX.
  - Authentication--View or edit details about the 802.1X and MAC authentication methods. Configure the precedence order and other parameters such as reauthentication timeout, cached reauthentication timeout, and quiet period. For more information, see Configuring Authentication on AOS-CX.
  - Access Control--View or add access policies and rules to permit or deny traffic. For more information, see Configuring Access Control on AOS-CX.
  - Dynamic Segmentation--Enable user-based tunneling on the switch to provide a centralized security policy based on user authentication. For more information, see Configuring User-Based Tunneling for AOS-CX.
  - Client Roles--Add or delete client roles and associate these roles with clients. For more information, see Configuring Client Roles for AOS-CX.
- Bridging:
  - VLANs--Add, edit, delete, or view VLANs and associated parameters such as the type of IP assignment, operational status, and IP address of the DHCP relay. For more information, see Configuring VLANs on AOS-CX.
  - Loop Prevention--Enable or disable loop protection and the spanning tree protocol, and associated parameters such as the mode and priority. Enable or disable various MSTP mode-related settings such as BPDU filter, BPDU protection, admin edge, and root guard. For more information, see Configuring Loop Prevention on AOS-CX.

Manage > Device (AOS-CX) | AOS-CX--Configuration using MultiEdit mode
Enables AOS-CX configuration using the MultiEdit mode in the AOS-CX Config view. View and edit the configuration of AOS-CX switches using the CLI syntax. You can also apply a predefined set of configuration settings, such as NAE, to the switches. For more information, see Using MultiEdit View for AOS-CX. Configuration using the MultiEdit mode contains the following options:
- View Config--View the configuration of AOS-CX switches and find differences in the configuration across switches. For more information, see Viewing Configuration Using MultiEdit on AOS-CX.
- Edit Config--Edit the configuration of one or more AOS-CX switches in the MultiEdit mode. Edit the entire configuration in a familiar-looking CLI with syntax checking, colorization, and command completion. For more information, see Editing Configuration Using MultiEdit on AOS-CX.
- Express Config--Apply a predefined set of configuration settings, such as NAE scripts and device profiles, to a single switch or multiple switches. For more information, see Express Configuration Using MultiEdit on AOS-CX.

Manage > Device (AOS-CX) | AOS-CX--Configuration using templates
Enables AOS-CX switch configuration in the AOS-CX view. For more information, see Configuring AOS-CX Switches using Templates. Configuration of AOS-CX switches using template groups contains the following second-level tabs:
- Templates--Configure the switch using template groups. For more information, see Creating a Configuration Template.
- Configuration Audit--View configuration sync errors and overrides. For more information, see Verifying Device Configuration Status.
- Configuration Status--View the configuration status of AOS-CX switches that are managed through UI groups in Aruba Central On-Premises. For more information, see Using Configuration Status on AOS-CX.

Manage > Device (AOS-CX) | AOS-CX VSF Stack--Configuration
Enables AOS-CX switch stack configuration in the AOS-CX view. For more information, see Managing an AOS-CX VSF Stack.

Analyze > Alerts & Events | Alerts & Events
The Alerts & Events tab displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.
You can also configure and enable certain categories of switch alerts. For more information, see AOS-S Switch Alerts.

Analyze > Audit Trail | Audit Trail
Displays the details of the logs generated for all device management, configuration, and user management events triggered in Aruba Central On-Premises. For more information, see Viewing Audit Trail.

Analyze > Tools | Network Check
The Network Check tab allows administrators and users with troubleshooting permission to diagnose issues related to wired network connections. For more information, see Troubleshooting Network Issues.

Analyze > Tools | Device Check
The Device Check tab allows network administrators and users with troubleshooting permission to identify, diagnose, and debug issues on AOS-S and AOS-CX switches using predefined tests. For more information, see Troubleshooting Device Issues.

Analyze > Tools | Commands
The Commands tab allows network administrators and users with troubleshooting permission to identify, diagnose, and debug issues on AOS-S and AOS-CX switches at an advanced level using commands. For more information, see Advanced Device Troubleshooting.

Analyze > Reports | Reports
The Reports tab allows you to create, manage, and view various reports. You can create recurring reports, generate reports on demand, or schedule reports to run at a later time. For more information, see Reports.

Maintain > Firmware | Switches
The Switches tab allows the user to view the firmware details of, and upgrade, the devices provisioned in Aruba Central On-Premises. For more information, see Upgrading Device Firmware.

The Controller Dashboard
In the Aruba Central On-Premises app, the controller dashboard is displayed when a controller is selected. To navigate to a controller dashboard, see Navigating to the Switch, Access Point, or Controller Dashboard.
The following table lists all the available menu items in the Aruba Central On-Premises app for the controller dashboard.
Table 22: Contents of the Controller Dashboard

Left Navigation Menu | First-Level Tabs
Description

Manage > Overview | Summary
The Summary tab displays the Controller Details and Health Status. For more information, see Controller > Overview > Summary.

Manage > Overview | Routing
Displays a summary of the IP routes configured on the controller. For more information, see Controller > Overview > Routing.

Manage > LAN | Summary
Displays information about Port Status, LAN Interfaces Summary, and VLAN Interfaces Summary. For more information, see Controller > LAN > Summary.

Manage > Clients | Clients
Displays a list of clients connected to the controller. For more information, see All Clients.

Analyze > Alerts and Events | Alerts & Events
The Alerts & Events tab displays details of the alerts and events generated for the controller. For more information, see Controller Alerts and Viewing Events List View.

Analyze > Audit Trail | Audit Trail
Displays the logs generated in Aruba Central On-Premises. For more information, see Viewing Audit Trail.

Analyze > Tools | Network Check
Enables network administrators and users to identify, diagnose, and debug issues by running diagnostic tests on devices and networks managed by Aruba Central On-Premises. For more information, see Troubleshooting Controller Connectivity Issues.

Analyze > Tools | Commands
The Commands tab allows network administrators and users with troubleshooting permission to execute CLI commands to validate the details of the device. For more information, see Troubleshooting Controllers and Command Line Interface.

Analyze > Reports | Reports
Enables network administrators to create various types of reports. You can create recurring reports or configure reports to run on demand. For more information, see Reports.

Maintain > Firmware | List
Provides an overview of the latest supported firmware version for the device, details of the device, and the option to upgrade. For more information, see Upgrading Device Firmware.

Maintain > Firmware | Config
Provides the upgrade status and compliance status for APs that are connected to the selected controller. For more information, see Upgrading Device Firmware.

The Group Dashboard
In the Aruba Central On-Premises app, the group dashboard is displayed when the filter is set to a UI or template group. A template group is marked by a superscript TG tag. The following table lists all the available menu items in the Aruba Central On-Premises app for the group dashboard.
Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central account.

Table 23: Contents of the Group Dashboard

Left Navigation Menu | First-Level Tabs
Description

Manage > Overview | Summary
Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range filter. For more information, see Global--Summary.

Manage > Devices | Access Points
Displays the access point information in the following views:
- Summary view: Monitoring APs in Summary View
- List view: Monitoring APs in List View
- Config view: Getting Started with AP Deployments

Manage > Devices | Switches
Displays the switch information in the following views:
- Summary view: Monitoring Switches in Summary View
- List view: Monitoring Switches in List View
- Config view: Getting Started with AOS-S Deployments

Manage > Devices | Controllers
Displays the controller information in the following view:
- Summary view: Controller > Overview > Summary

Manage > Clients | Clients
Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.

Manage > Applications | Visibility
Provides a summary of client traffic and its data usage to and from applications and websites. Also analyzes the client traffic flow using the graphs displayed. For more information, see Application Visibility.

Manage > Security | RAPIDS
Helps to identify and act on interfering devices that can later be considered for investigation, restrictive action, or both. For more information, see RAPIDS.

Analyze > Alerts and Events | Alerts & Events
Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Audit Trail | Audit Trail
Shows the logs generated for all device management, configuration, and user management events triggered in Aruba Central. For more information, see Viewing Audit Trail.

Analyze > Tools | Network Check, Commands
Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostic tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports | Reports
Enables you to create various types of reports. You can create recurring reports or configure reports to run on demand. For more information, see Reports.

Maintain > Firmware | Access Points, Switches, Controllers
Provides an overview of the latest supported firmware version for the device, details of the device, and the option to upgrade the device. For more information, see Upgrading Device Firmware.

The Client Dashboard
In the Aruba Central On-Premises app, the clients dashboard is displayed when the filter is set to one of the options under Groups, Labels, Sites, or Global.
The following table lists all the available menu items in the Aruba Central On-Premises app for the clients dashboard.


Table 24: Contents of the Clients Dashboard

Left Navigation Menu | First-Level Tabs
Description

Manage > Overview | Summary
Displays the client details about the type of data path that the client uses, the network and connectivity details, and basic client details such as the IP address of the client and the type of encryption. For more information, see Client Details.

Manage > Overview | Sessions
Displays the firewall session details for the client connected to an AP. The Sessions page displays information filtered by the IP address of the client. For more information, see Client Details.

Manage > Applications | Visibility
Displays the client details for passive monitoring of the client connected to a wireless network. The Visibility dashboard provides a summary of client traffic and its data usage to and from applications and websites. For more information, see Application Visibility.

Analyze > Events
Displays the details of events generated by the AP and client association. For more information, see Alerts & Events.

The Site Dashboard
In the Aruba Central On-Premises app, the site dashboard is displayed when the filter is set to any of the options under Sites. The site dashboard displays information related to all devices configured for that site in Aruba Central.

Table 25: Contents of the Site Dashboard

Left Navigation Menu | First-Level Tabs
Description

Manage > Overview | Site Health
Displays details of the wired and wireless devices deployed on the site. This page includes information on client connectivity statistics, change logs, health of devices, and RF health of the site. For more information, see Managing Sites.

Manage > Overview | Summary
Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range filter. For more information, see Global--Summary.

Manage > Overview | WAN Health
Displays details for the wired, wireless, and controller devices deployed on the site. For more information, see WAN Health--Site.

Manage > Overview | Topology
Provides a graphical representation of the site, including the network layout, details of the devices deployed, and the health of the WAN uplinks and tunnels. For more information, see Topology Tab.

Manage > Overview | Floor Plans
Provides information regarding the current location of the AP. For more information, see Access Point > Overview > Floor Plan.

Manage > Devices | Access Points
Displays the access point information in the following views:
- Summary view: Monitoring APs in Summary View
- List view: Monitoring APs in List View

Manage > Devices | Switches
Displays the switch information in the following views:
- Summary view: Monitoring Switches in Summary View
- List view: Monitoring Switches in List View

Manage > Devices | Controllers
Displays the controller information in the following view:
- Summary view: Controller > Overview > Summary

Manage > Clients | Clients
Displays information about all the clients connected to the devices configured for the site. For more information, see All Clients.

Manage > Applications | Visibility
Provides a summary of client traffic and its data usage to and from applications and websites. Also analyzes the client traffic flow using the graphs displayed. For more information, see Application Visibility.

Manage > Security | RAPIDS
Identify and act on interfering devices that can later be considered for investigation, restrictive action, or both. Once interfering devices are discovered, Aruba Central alerts the network administrators about the possible threat and provides the information needed to locate and manage it. For more information, see RAPIDS.

Analyze > Alerts and Events | Alerts & Events
Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Tools | Network Check, Commands
Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostic tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports | Reports
Enables you to create various types of reports. You can create recurring reports or configure reports to run on demand. For more information, see Reports.

The Label Dashboard
In the Aruba Central On-Premises app, the label dashboard is displayed when the filter is set to any of the options under Labels. The label dashboard displays information related to all devices configured for that label in Aruba Central.


Table 26: Contents of the Label Dashboard

Left Navigation Menu | First-Level Tabs
Description

Manage > Devices | All Devices
Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range filter. For more information, see Global--Summary.

Manage > Devices | Access Points
Displays the access point information in the following views:
- Summary view: Monitoring APs in Summary View
- List view: Monitoring APs in List View

Manage > Devices | Switches
Displays the switch information in the following views:
- Summary view: Monitoring Switches in Summary View
- List view: Monitoring Switches in List View

Manage > Devices | Controllers
Displays the controller information in the following view:
- Summary view: Controller > Overview > Summary

Manage > Clients | Clients
Displays information about all the clients connected to the devices configured for the label. For more information, see All Clients.

Manage > Applications | UCC
Displays a variety of charts and lists that allow you to assess the quality of calls in the network. For more information, see Unified Communications.

Manage > Security | RAPIDS
Identify and act on interfering devices that can later be considered for investigation, restrictive action, or both. Once interfering devices are discovered, Aruba Central alerts the network administrators about the possible threat and provides the information needed to locate and manage it. For more information, see RAPIDS.

Analyze > Alerts and Events | Alerts & Events
Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Tools | Network Check, Device Check, Commands
Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostic tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports | Reports
Enables you to create various types of reports. You can create recurring reports or configure reports to run on demand. For more information, see Reports.

The Health Bar
The Health Bar provides a snapshot of the overall health of the devices configured as part of the specific dashboard. The applicable dashboards include global, group, site, client, and device dashboards.
The topic discusses the following:


- Health Bar Dashboard for Global
- Health Bar Dashboard for Group
- Health Bar Dashboard for Site
- Health Bar Dashboard for Access Point
- Health Bar Dashboard for Switch
- Health Bar Dashboard for Controller
- Health Bar Dashboard for Wireless Client
- Health Bar Dashboard for Wired Client

Viewing the Health Bar Dashboard
To view the Health Bar, perform the following steps:
1. In the Aruba Central On-Premises app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Controllers. A list of devices is displayed in the List view.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.
   - To select a client:
     a. Set the filter to Global.
     b. Under Manage, click Clients. A list of clients is displayed in the List view.
     c. Click a client listed under Client Name. The dashboard context for the client is displayed.
The Health Bar icon displays the overall health of the network of the selected filter as either online or offline.
2. In the selected filter, click the Health Bar icon to expand the Health Bar dashboard.

3. Use the pin icon to pin the Health Bar dashboard to the Aruba Central On-Premises app display.

Health Bar Dashboard for Global
The following image shows the health bar for the global dashboard.


Figure 3 Expanded but Unpinned Health Bar in the Global Dashboard

Health Bar Icons
The icons themselves are images that are not reproduced here; their meanings are:
- Specific to the Site, Device, and Client dashboards. Indicates that there are no issues in the connection.
- Specific to the Site, Device, and Client dashboards. Indicates that there is an issue in the connection.
- Specific to the Global and Group dashboards. The health is not calculated at these levels.

Device and Clients Status Icons

The icons themselves are images that are not reproduced here; their meanings are:
- Green icon: for devices, indicates the number of devices that are online; for clients, indicates the number of clients that are connected.
- Red icon: for devices, indicates the number of devices that are offline; for clients, indicates the number of failed clients; for AI Insights, indicates the number of insights that are of high priority.
- Orange icon: for AI Insights, indicates the number of insights that are of medium priority.
- Yellow icon: for AI Insights, indicates the number of insights that are of low priority.


The following table includes information on the various parameters of the Health Bar displayed for a global dashboard. The health bar in a global dashboard is in the context of all devices.

Access Points
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Controllers
- Displays the number of controllers that are online and the number of controllers that are offline.
- The number in green indicates the number of controllers that are online.
- Clicking the number in green redirects you to Manage > Devices > Controllers > Online in List view.
- The number in red indicates the number of controllers that are offline.
- Clicking the number in red redirects you to Manage > Devices > Controllers > Offline in List view.

Clients
- Displays the number of clients that are connected and the number of clients that are failed.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that are failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

Health Bar Dashboard for Group
The following table includes information on the various parameters of the Health Bar displayed for a group dashboard. The health bar in a group dashboard is in the context of all devices configured as part of that group.

Access Points
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Controllers
- Displays the number of controllers that are online and the number of controllers that are offline.
- The number in green indicates the number of controllers that are online.
- Clicking the number in green redirects you to Manage > Devices > Controllers > Online in List view.
- The number in red indicates the number of controllers that are offline.
- Clicking the number in red redirects you to Manage > Devices > Controllers > Offline in List view.

Clients
- Displays the number of clients that are connected and the number of clients that are failed.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that are failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

Health Bar Dashboard for Site
The following table includes information on the various parameters of the Health Bar displayed for a site dashboard. The Health Bar in a site dashboard is in the context of all devices configured as part of that site. The values are refreshed every minute. When there is any issue in the connection, short descriptions are displayed for the Potential Issues label. If there are multiple criteria issues, only the issue criteria with the highest priority is displayed. The <+x> next to the description indicates that there are more issues. You can hover over the value to view the description of the issue. For more information, see Site Health Dashboard.

Access Points
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Controllers
- Displays the number of controllers that are online and the number of controllers that are offline.
- The number in green indicates the number of controllers that are online.
- Clicking the number in green redirects you to Manage > Devices > Controllers > Online in List view.
- The number in red indicates the number of controllers that are offline.
- Clicking the number in red redirects you to Manage > Devices > Controllers > Offline in List view.

Clients
- Displays the number of clients that are connected and the number of clients that are failed.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that are failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

AI Insights
- Displays the number of insights categorized by status.
- The number in red indicates the insights are of high priority.
- The number in orange indicates the insights are of medium priority.
- The number in yellow indicates the insights are of low priority.
- Clicking the numbers redirects you to Manage > Overview > AI Insights at the site context.

Health Bar Dashboard for Access Point
The following table includes information on the various parameters of the Health Bar displayed for an AP. If the AP is not online and running, not all of the following data is available.

AP Status
- Value can be Online Since, Offline, or Operating under Thermal Management.
- If the value is Online Since, it also displays the time period, in the format of days-hours-minutes, for which the AP has been online and running.
- When an AP operates under thermal management, the device health is displayed as Poor and the radios are in disabled mode. For more information, see Thermal Shutdown Support in IAP.

Device Health
- Displays the performance of the AP in terms of the CPU and memory usage.
- For example, the device health is Good when the CPU usage is less than or equal to 70% and the memory usage is less than or equal to 90%. If the value of the CPU and/or memory usage falls below the threshold, the device health is displayed as Poor. If the AP is down, the value is Offline. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Device Health status to get the exact percentage value of the memory and CPU usage.

Radio 2.4 GHz
- Displays the performance of the AP in terms of the channel utilization and noise floor in the 2.4 GHz channel.
- For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 2.4 GHz status to get the exact value of the channel utilization and noise floor.

Radio 5 GHz
- Displays the performance of the AP in terms of the channel utilization and noise floor in the 5 GHz channel.
- For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 5 GHz status to get the exact value of the channel utilization and noise floor.

Radio 5 GHz (Secondary)
- Displays the performance of the AP in terms of the channel utilization and noise floor in the 5 GHz (Secondary) channel.
- For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 5 GHz (Secondary) status to get the exact value of the channel utilization and noise floor.
NOTE: In the Health Bar dashboard, the Radio 5 GHz (Secondary) data is available only for AP-555 access points and only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.

Radio 6 GHz
- Displays the performance of the AP in terms of the channel utilization and noise floor in the 6 GHz channel.
- For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 6 GHz status to get the exact value of the channel utilization and noise floor.
NOTE: The Radio 6 GHz data is only available for devices with 6 GHz capability.

Virtual Controller
Indicates if the AP is connected to a virtual controller. If the AP is connected, clicking on the virtual controller name redirects you to the Manage > Overview > Summary page for the virtual controller.

Health Bar Dashboard for Switch
The following table includes information on the various parameters of the Health Bar displayed for a switch. If the switch is not online and running, not all of the following data is available.

Switch Status
Displays the time period for which the switch has been online and running or its offline status.

Device Health
- Displays the performance of the switch in terms of the CPU and memory usage.
- For example, the device health is Good when the CPU usage is less than or equal to 70% and the memory usage is less than or equal to 70%. If the value of the CPU and/or memory usage falls below the threshold, the device health is displayed as Poor.
- Hover over the Device Health status to get the exact percentage value of the memory and CPU usage.

Port - Status
- Displays the number of ports on the switch that are online and the number of ports that are offline.
- The number in green indicates the number of switch ports that are online.
- The number in red indicates the number of switch ports that are offline.

Port - Alerts
- Displays the total number of open alerts.
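The Device Health and radio thresholds described in the AP and switch tables above, carried through as an added Python example; this is not code from the guide or from Aruba's software, and the telemetry dictionary shape, the function names, and the choice to show "-" for the radios of an offline AP are assumptions.

```python
"""Evaluate Health Bar status values from the thresholds documented above."""
from typing import Optional

# Thresholds exactly as the guide states them: the value is Good when it is
# less than or equal to the limit.
CPU_LIMIT = 70          # percent, AP and switch
AP_MEM_LIMIT = 90       # percent, AP memory
SWITCH_MEM_LIMIT = 70   # percent, switch memory
UTIL_LIMIT = 70         # percent channel utilization
NOISE_LIMIT = -80       # dBm noise floor

NOT_APPLICABLE = "-"    # shown when the scenario does not apply


def device_health(online: bool, cpu: Optional[float], mem: Optional[float],
                  mem_limit: int) -> str:
    """Generic CPU/memory evaluation shared by APs and switches."""
    if not online:
        return "Offline"
    if cpu is None or mem is None:
        return NOT_APPLICABLE
    return "Good" if cpu <= CPU_LIMIT and mem <= mem_limit else "Poor"


def ap_device_health(online: bool, cpu: Optional[float], mem: Optional[float],
                     thermal: bool = False) -> str:
    """AP rule: Good at CPU <= 70% and memory <= 90%; thermal management forces Poor."""
    if online and thermal:
        return "Poor"
    return device_health(online, cpu, mem, AP_MEM_LIMIT)


def switch_device_health(online: bool, cpu: Optional[float],
                         mem: Optional[float]) -> str:
    """Switch rule: Good at CPU <= 70% and memory <= 70%."""
    return device_health(online, cpu, mem, SWITCH_MEM_LIMIT)


def radio_health(ap_online: bool, radio_up: bool, util: Optional[float],
                 noise: Optional[float]) -> str:
    """Radio rule: Good at utilization <= 70% and noise floor <= -80 dBm.

    The guide defines Disabled for an online AP whose radio is down; for an
    offline AP the radio data is unavailable, so "-" is returned (assumption).
    """
    if not ap_online:
        return NOT_APPLICABLE
    if not radio_up:
        return "Disabled"
    if util is None or noise is None:
        return NOT_APPLICABLE
    return "Good" if util <= UTIL_LIMIT and noise <= NOISE_LIMIT else "Poor"


def ap_health_bar(sample: dict) -> dict:
    """Build the Health Bar rows for one AP from a constructed telemetry dict."""
    online = sample["online"]
    thermal = sample.get("thermal", False)
    bar = {"Device Health": ap_device_health(online, sample.get("cpu"),
                                             sample.get("mem"), thermal)}
    for band, radio in sample.get("radios", {}).items():
        # Under thermal management the guide says the radios are disabled.
        radio_up = bool(radio.get("up")) and not thermal
        bar[f"Radio {band}"] = radio_health(online, radio_up,
                                            radio.get("util"), radio.get("noise"))
    return bar


# Constructed sample telemetry (not captured from a real device).
SAMPLE_AP = {
    "online": True,
    "cpu": 45, "mem": 88,
    "radios": {
        "2.4 GHz": {"up": True, "util": 35, "noise": -92},
        "5 GHz": {"up": True, "util": 80, "noise": -85},
        "6 GHz": {"up": False},
    },
}

if __name__ == "__main__":
    for row, value in ap_health_bar(SAMPLE_AP).items():
        print(f"{row}: {value}")
```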

Health Bar Dashboard for Controller
The following table includes information on the various parameters of the Health Bar displayed for a controller. If the controller is not online and running, not all of the following data is available.

Controller Status
Displays the time period, in the format of days-hours-minutes, for which the controller has been running or its offline status.

LAN
- Displays the number of LAN ports as online or offline.
- The number in green indicates the number of LAN ports that are online.
- The number in red indicates the number of LAN ports that are offline.
- Clicking the numbers redirects you to Manage > LAN > Summary.

Alerts
- Displays the total number of open alerts.
- Clicking the number redirects you to Analyze > Alerts & Events in List view.


Health Bar Dashboard for Wireless Client
The following table includes information on the various parameters of the Health Bar displayed for a wireless client.

Client Status
Displays the connection status of the client.

Device Health
Displays the device health of the client.

Signal Quality
Displays the signal quality in dB.

Tx | Rx Rate
Displays the transmit and receive rate in Mbps.

Connected To
- Displays the device to which the wired client is connected.
- Clicking on the device redirects you to the Manage > Overview > Summary page for that device.

Refresh icon
Refreshes the data on the Health Bar for the client.

Health Bar Dashboard for Wired Client
The following table includes information on the various parameters of the Health Bar displayed for a wired client.

Client Status
Displays the connection status of the client.

Connected Port
Displays the port to which the client is connected.

Connected To
- Displays the device to which the wired client is connected.
- Clicking on the device redirects you to the Manage > Overview > Summary page for that device.

Refresh icon
Refreshes the data on the Health Bar for the client.

Using the Search Bar
The search bar in the Aruba Central On-Premises app enables users to search for clients, devices, and infrastructure connected to the network. The search engine uses Natural Language Processing (NLP) to analyze queries and return relevant search results. The following figure illustrates the search bar option in Aruba Central.
Figure 4 Search Bar

To start a search in the Aruba Central UI, click the search bar or press / (forward slash) on your computer keyboard. The search results display cards relevant to the search terms. The Search Cards display a monitoring summary of the devices in the Aruba Central On-Premises app.

Client Search Terms
The search bar helps you to search a client's information in the Network Operation app. Using the search bar you can perform the following tasks:
- Hover over a client search card to view the monitoring summary for the client.
- Click the client name to open the Client Details page.
You can see the search cards when you search with the client name, IP address, or MAC address. You can see the following details on the search card:
- Client Name
- IP Address
- MAC Address
- Username
- Status
Following is an example for the client name search:
Figure 5 Search Card for Client Name

Following is an example for the client IP address search:
Figure 6 Search Card for Client IP Address

Following is an example for the client MAC address search:


Figure 7 Search Card for Client MAC Address
Device Search Terms
The search bar helps you to search all devices monitored by Aruba Central. The search enables you to navigate to the monitoring pages of the devices in the Network Operation app. Using the search bar you can perform the following tasks:
- Hover over a search card to view the monitoring summary for the device.
- Click the client name to open the Device Details page.
The cards might vary for each device based on the context. You can click on the search card to navigate to the details page of that device in the app. You can see the search cards when you search with the device name, IP address, MAC address, site, or label. Following are the examples for APs, switches, and controllers.
Figure 8 Search Card for a Device Name
Figure 9 Search Card for a Device Serial

Figure 10 Search Card for a Device MAC Address
Following is an example for the device serial search:
Figure 11 Search Card for a Device IP Address
Site Search Terms
The search bar helps you to search a site's information on the Network Operation app. Using the search bar, you can perform the following tasks:
- Hover over a client search card to view the monitoring summary for the site.
- Click the client name to open the Site Details page.
The following illustration is an example for the site search.
Figure 12 Search Card for a Site

Command Line Interface
The command-line interface (CLI) allows you to install, set up, manage, and troubleshoot Aruba Central On-Premises deployments. The CLI is accessed through a console or through a Secure Shell (SSH) session from a remote management console or workstation.


Accessing the Aruba Central On-Premises CLI
The following procedure describes how to access the SSH and start executing CLI commands:
1. From a secure shell (SSH) client, open an SSH connection.
2. Log in as copadmin.
3. When prompted, enter the copadmin password.
A list of commands is displayed.
For example:
login as: copadmin
[email protected] password:
Last login: Wed Aug 7 05:43:22 2019 from 10.20.15.180
Syntax
Enter option [0 - <option number> ] : <enter option>
For example:
1. System
2. File Operations
3. Show
...
0. exit
...
Enter option [ 0 - 9 ]:
Common Command Options
The following common command options are used to:
- 0 - Exit: Use this command option to exit the SSH connection.
- b - Back: Use this command option to go back to the previous menu.
- m - Main menu: Use this command option to go to the main menu.
Password Recovery
The password recovery system helps to create a new password for the copadmin user. If you forget the password, log in to the console as the coprecovery user; the following options are displayed to generate the recovery key.
- Generate Recovery Key: The recovery key is generated and stored in an encrypted .asc file. You can either copy it or use the SCP command to copy the file. Once the key is copied to the local server, contact customer support to decrypt the recovery key to get a new password.
- SCP Recovery Key: The recovery key is generated and an SCP command is used to copy the file to a local server. Once the key is copied to the local server, contact customer support to decrypt the recovery key to get a new password.
- Activate Recovery secret: The secret key is provided and verified by customer support. A reset option is used to reset the password in all nodes.

Main Menu Options
When you log in to the Aruba Central On-Premises SSH, the main set of commands is displayed. Using the main menu command options, you can perform various other actions as described in the table.
1. System
2. File Operations
3. Show
4. System Configuration
5. Advanced
6. Security
7. Support
8. Temporary Root Shell
9. Authentication
10. Certificate configuration
11. Search commands
====================================
0. exit
Enter option [ 0 - 11 ]:

List of CLI Commands
The following table lists all the commands supported in an Aruba Central On-Premises deployment:

Option Number | Command | Description
1 | System | Reboots or resets the system.
1-1 | Reboot | Reboots the system.
1-2 | Shutdown | Shuts down the system.
1-3 | Factory Reset | Resets the system to factory settings.
2 | File Operations | Uploads a file to the host.
2-1 | Upload via (SCP) | Uploads a file to the host over SCP.
2-2 | Upload via (SFTP) | Uploads a file to the host over SFTP.
2-3 | Upload via (HTTP/HTTPS) | Uploads a file to the host over HTTP or HTTPS.
2-4 | Download File from COP | Downloads a file that is saved on the host.
2-5 | Delete File | Deletes the files that were uploaded by the upload file command.
3 | Show | Show commands are used to view or display the settings or parameters configured.
3-1 | Version (Detail) | Displays the version details of the Aruba Central On-Premises deployment.
3-2 | List Files | Displays the total number of files in the pod.
3-3 | Backup - Restore Status | Displays the backup and restore status of the pod.
3-4 | Configuration | Displays the updated network settings, cluster details, and NTP/Timezone information.
3-5 | System | Displays system information like usage of memory, activate information, and uptime.
3-6 | User Sessions | Displays the list of user sessions.
3-7 | Show clock | Displays the date, week, month, and time details.
3-8 | App status | Pod status of any Aruba Central On-Premises application.
3-9 | Cluster Status | Displays the cluster details for Aruba Central On-Premises.
4 | System Configuration | System configuration commands are used to configure system parameters like network setup, cluster setup, and timezone setup, and also to upgrade the setup (online/offline) or perform a complete factory reset.
4-1 | Upgrade | Upgrades the setup for either an online user or an offline user.
4-2 | Network Setup | Sets up a network permanently or temporarily.
4-3 | Proxy Setup | Sets up proxy configuration for Aruba Central On-Premises.
4-4 | Setup Timezone | Sets up a timezone.
4-5 | Setup NTP | Sets up an NTP server.
4-6 | Node Setup | Sets up a node.
4-7 | Airgap | Enables and disables Airgap mode for upgrade.
5 | Advanced | Advanced commands are used to ping or check connectivity.
5-1 | Test Connectivity | Tests the connectivity to any URL.
5-2 | Nslookup | Performs a DNS lookup for any host name.
5-3 | Toggle CDN | Used to enable CDN, disable CDN, or show CDN status.
5-4 | Configure ILO IP | Configures the IP address of the ILO.
6 | Security | Security commands are used to reset or update the password.
6-1 | Reset Password GUI | Resets the GUI password.
6-2 | Reset Password CLI | Resets the CLI password.
6-3 | Reset debug apps password | Resets the debug applications password.

7 | Support | Support commands are used to collect information that is useful to TAC.
7-1 | Support Connection | Starts or stops support connection for remote TAC access.
7-2 | Collect All Logs | Collects Aruba Central On-Premises diagnostic tar for debugging.
7-3 | Log Snapshot Operations | Generates and downloads snapshots. It also deletes snapshots and downloads upgrade reports.
7-4 | Download COP Setup Logs | Downloads the Aruba Central On-Premises setup logs.
7-5 | Restart Application | Restarts the applications.
7-6 | System Operations Lock Management | Restarts a particular application.
8 | Temporary Root Shell | Creates a temporary user and allows access to SSH for 2 days at a time.
9 | Authentication | Authenticates the SSH public keys required to connect to the Aruba Central On-Premises server.
9-1 | Display public key | Displays the SSH public key of the administrator of the Aruba Central On-Premises server. This is used to establish a public key based SSH connection from the Aruba Central On-Premises server to an external SSH server.
9-2 | Add public key to COP | Adds the SSH public key to the Aruba Central On-Premises server.
9-3 | List all public key added COP | Lists all the SSH public keys added to the Aruba Central On-Premises server.
10 | Certificate configuration | Configures the certificates.
10-1 | Enable client cert strict check | Enables strict check for client certificate validation.
10-2 | Disable client cert strict check | Disables strict check for client certificate validation.
10-3 | Generate device cert | Generates the device certificates.
10-4 | Disable client cert strict check for devices | Disables strict check for device certificate validation.
10-5 | Apply default certificates to Web UI and API Gateway | Generates and applies default certificates to the web UI and API gateway.
11 | Search | Displays a list of available command options.


System Commands
Enter the command option 1 from the main menu to reboot, shutdown, or reset the system to factory settings.
Enter option [ 0 - 11 ]: 1
1. Reboot
2. Shutdown
3. Factory Reset
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 3 ]:
Reboot
Enter the command option 1 from the System menu to reboot the system.
Enter option [ 0 - 3 ]: 1
Are you sure you want to reboot the node (Y/N):
Shutdown
Enter the command option 2 from the System menu to shut down the system.
Enter option [ 0 - 3 ]: 2
Executing shutdown...
Shutdown scheduled. Node will shutdown after 1 minute.
Press [Enter] key to continue...
Factory Reset
Enter the command option 3 from the System menu to reset the system to its factory settings. Currently, it is a complete data reset.
Enter option [ 0 - 3 ]: 3
Error: Please run the reset command from physical or remote console (ILO)
Press [Enter] key to continue...
File Operations Commands
Enter the command option 2 from the main menu to upload a file to the host.
Enter option [ 0 - 11 ]: 2
1. Upload via (SCP)
2. Upload via (SFTP)
3. Upload via (HTTP/HTTPS)
4. Download File from COP
5. Delete file
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 5 ]:

Upload via (SCP)
Enter the command option 1 from the File Operations menu to upload a file to the host over SCP.

Enter option [ 0 - 4 ]: 1
This will scp a file from the remote server to COP server
Enter remote hostname and path (username@hostname:<filepath>): [email protected]:/home/auto/packages.txt
Copying [email protected]:/home/auto/packages.txt to COP server
[email protected]'s password:
packages.txt                                  100% 3555     4.4MB/s   00:00
Press [Enter] key to continue...

Upload via (SFTP)
Enter the command option 2 from the File Operations menu to upload a file to the host over SFTP.

Enter option [ 0 - 4 ]: 2
This will scp a file from the remote server to COP server
Enter remote hostname and path (username@hostname:<filepath>): [email protected]:/home/auto/inst_packages.txt
Copying [email protected]:/home/auto/inst_packages.txt to COP server
[email protected]'s password:
Connected to 10.22.158.92.
Fetching /home/auto/inst_packages.txt to /var/airwave/appliance/localdisk/inst_packages.txt
/home/auto/inst_packages.txt                  100% 1583   127.9KB/s   00:00
Press [Enter] key to continue...

Upload via (HTTP/HTTPS)
Enter the command option 3 from the File Operations menu to upload a file to the host over HTTP or HTTPS.

Enter option [ 0 - 5 ]: 3
This will copy a file from the url to COP server
Enter full url path for file : http://10.22.154.165/a.html
a.html    100% [=============================================================================>]  391.90M  106MB/s  in 3.7s
Upload file successful.
Press [Enter] key to continue...


Download File from COP
Enter the command option 3 from the File Operations menu to download a file that is saved on the host.
Enter option [ 0 - 4 ]: 3
! Files present under the directory !
cop_setup_logs
inst_packages.txt
packages.txt
sftp.txt
Enter the file name to copy from COP server to the remote server: packages.txt
This will scp packages.txt from localdisk to the remote server
Enter remote hostname and path (username@hostname:<filepath>): [email protected]:/home/auto
Copying localdisk files to [email protected]:/home/auto
The authenticity of host '10.22.158.92 (10.22.158.92)' can't be established.
RSA key fingerprint is SHA256:e9KqvWRV5YQhrPLoJQMiKFKKWVx7ZWz2T34oF31WvpU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.22.158.92' (RSA) to the list of known hosts.
[email protected]'s password:
packages.txt                                  100% 3555     2.9MB/s   00:00
Press [Enter] key to continue...

Delete File
Enter the command option 4 from the File Operations menu to delete the files that were uploaded by the upload file command.

Enter option [ 0 - 4 ]: 4
! Files present under the directory !
cop_setup_logs
inst_packages.txt
packages.txt
sftp.txt
Enter file/directory to delete: packages.txt
Deleting file /var/airwave/appliance/localdisk/packages.txt
Are you sure you want to delete this file(Y/N): Y
File /var/airwave/appliance/localdisk/packages.txt deleted
Press [Enter] key to continue...

Show Commands
Show commands are used to view or display various elements of the Aruba Central On-Premises deployment like configurations currently performed, user sessions, status, and so on.
Enter the command option 3 from the main menu to view all the show commands supported.
Enter option [ 0 - 11 ]: 3
1. Version (Detail)
2. List Files
3. Backup-Restore Status
4. Configuration
5. System
6. User Sessions
7. Clock
8. App Status
9. Cluster Status
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 9 ]:
The following section describes the set of commands that can be executed under the Show commands category.
Version (Detail)
Enter command option 1 from the Show commands menu to display the detailed version, including the ISO and COP software installation status, the cluster setup status, and the iLO and firmware details.
Enter option [ 0 - 9 ]: 1
COP Version: 2.5.5.0
Build: 10.0.0-GA01.139
ISO Installed: Ok
COP Software Installed: Ok
Setup Cluster: Ok
Pulling ILO details. Please wait.
HPE Smart Array P408i-a SR Gen10: "4.11"
iLO 5: "2.18 Jun 22 2020"
System ROM: "U32 v2.34 (04/08/2020)"
Press [Enter] key to continue...
List Files
Enter command option 2 from the Show commands menu to list the files present in the local directory.
Enter option [ 0 - 9 ]: 2
total 4
drwxr-xr-x 2 root root 4096 Jan 3 16:29 cop_setup_logs
Press [Enter] key to continue...
Backup­Restore Status
Enter command option 3 from the Show commands menu to display the backup and restore status.
Enter option [ 0 - 9 ]: 3
############################ backup/restore status ############################
{
  "details": [
    { "message": "Postgres backup success", "status": "success" },
    { "message": "Cassandra backup success", "status": "success" },
    { "message": "Elasticsearch backup success", "status": "success" },
    { "message": "Minio backup success", "status": "success" },
    { "message": "Tar creation success", "status": "success" },
    { "message": "Transferring the backup to repository success", "status": "success" }
  ],
  "endedOn": "Wed, 26 Jun 2019 12:52:29 GMT",
  "operation": "Backup",
  "startedOn": "Wed, 26 Jun 2019 11:59:43 GMT",
  "status": "Completed"
}
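A monitoring-side check of the status document above, as an added example that is not part of the Aruba guide or product: it parses the JSON the CLI prints, treats the backup as healthy only when the overall status is "Completed" and every step reports "success", computes how long the run took, and reports how old the last backup is. The healthy document is copied from the guide; the failed document is constructed to show the negative case.

```python
"""Evaluate the Backup-Restore Status JSON printed by the COP CLI.

Added example; not code from the Aruba guide. FAILED_STATUS is constructed.
"""
import json
from email.utils import parsedate_to_datetime

# Copy of the status document shown by the CLI in the guide.
HEALTHY_STATUS = """{"details": [
  {"message": "Postgres backup success", "status": "success"},
  {"message": "Cassandra backup success", "status": "success"},
  {"message": "Elasticsearch backup success", "status": "success"},
  {"message": "Minio backup success", "status": "success"},
  {"message": "Tar creation success", "status": "success"},
  {"message": "Transferring the backup to repository success", "status": "success"}
],
"endedOn": "Wed, 26 Jun 2019 12:52:29 GMT",
"operation": "Backup",
"startedOn": "Wed, 26 Jun 2019 11:59:43 GMT",
"status": "Completed"}"""

# Constructed negative case: the transfer to the repository failed.
FAILED_STATUS = """{"details": [
  {"message": "Postgres backup success", "status": "success"},
  {"message": "Transferring the backup to repository failed", "status": "failed"}
],
"endedOn": "Thu, 27 Jun 2019 01:10:00 GMT",
"operation": "Backup",
"startedOn": "Thu, 27 Jun 2019 01:00:00 GMT",
"status": "Failed"}"""


def evaluate_backup_status(raw):
    """Return operation, ok flag, failed step messages and run duration."""
    doc = json.loads(raw)
    failed = [d.get("message", "?") for d in doc.get("details", [])
              if d.get("status") != "success"]
    # The CLI prints RFC 2822 timestamps ("Wed, 26 Jun 2019 12:52:29 GMT").
    started = parsedate_to_datetime(doc["startedOn"])
    ended = parsedate_to_datetime(doc["endedOn"])
    duration = int((ended - started).total_seconds())
    ok = doc.get("status") == "Completed" and not failed and duration >= 0
    return {"operation": doc.get("operation"), "ok": ok,
            "failed_steps": failed, "duration_seconds": duration}


def backup_age_seconds(raw, now_rfc2822):
    """Seconds between the end of the run and `now` (an RFC 2822 timestamp)."""
    doc = json.loads(raw)
    ended = parsedate_to_datetime(doc["endedOn"])
    now = parsedate_to_datetime(now_rfc2822)
    return int((now - ended).total_seconds())


if __name__ == "__main__":
    for label, raw in (("healthy", HEALTHY_STATUS), ("failed", FAILED_STATUS)):
        print(label, evaluate_backup_status(raw))
    print("age:", backup_age_seconds(HEALTHY_STATUS, "Thu, 27 Jun 2019 00:00:00 GMT"))
```

Pair `backup_age_seconds` with the backup schedule: a "Completed" status that is older than one scheduling interval means the most recent run never happened, which the status document alone does not reveal.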

Configuration
Enter command option 4 from the Show commands menu to display the network settings, the cluster details, and the NTP and timezone information.
Enter option [ 0 - 9 ]: 4
1. Network-config/Cluster-info
2. NTP/Timezone Info
Enter option [ 0 - 2 ]:

• Network-config/Cluster-info--Enter command option 1 from the Configuration menu to view the network configuration and cluster information.
Enter option [ 0 - 2 ]: 1
Updated Network Settings
------------------------
Hostname           : node182-158.arubathena.com
IP Address         : 10.22.158.182
Subnet Mask        : 255.255.255.0
Gateway            : 10.22.158.2
DNS                : 10.20.50.10
Secondary DNS      : 10.20.50.25
Timezone           : UTC
COP Cluster Details
-----------------------
Cluster IP         : 10.22.158.27
Cluster FQDN       : node3vip.arubathena.com
Pod CIDR           : 172.16.0.0/16
Service CIDR       : 10.3.0.0/23
Router ID          : 27
Time Zone          : UTC
Cluster Node Count : 3
Cluster Node List  :
NAME            STATUS   ROLES    AGE   VERSION
10.22.158.181   Ready    master   8h    v1.14.5
10.22.158.182   Ready    master   8h    v1.14.5
10.22.158.77    Ready    master   8h    v1.14.5
• NTP/Timezone Info--Enter command option 2 from the Configuration menu to view the NTP server and timezone information.
Enter option [ 0 - 2 ]: 2
############################ NTP Info ############################
Default NTP server configured is - ntp.ubuntu.com
############################ TimeZone Info ############################
UTC

System
Enter command option 5 from the Show commands menu to display system information such as memory, disk and CPU usage, and uptime.
Enter option [ 0 - 9 ]: 5
1. Memory/Hard disk/CPU Usage
2. Uptime
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 2 ]:

• Memory/Hard disk/CPU Usage--Enter command option 1 from the System menu to view the memory, hard disk, and CPU usage.
Enter option [ 0 - 2 ]: 1
############################
Memory Usage
############################
              total        used        free      shared  buff/cache   available
Mem:           251G        113G        111G        990M         26G        137G
Swap:            0B          0B          0B
############################
Hardisk Usage
############################
Filesystem      Size  Used Avail Use% Mounted on
udev            126G     0  126G   0% /dev
tmpfs            26G   17M   26G   1% /run
/dev/sdb4        15G  6.0G  8.3G  42% /
tmpfs           126G     0  126G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           126G     0  126G   0% /sys/fs/cgroup
/dev/sdb3       465M  109M  328M  25% /boot
/dev/sdb2       241M   512  241M   1% /boot/efi
/dev/sdb5        15G   41M   15G   1% /secondary
/dev/sdb6       1.7T   82G  1.6T   5% /data
tmpfs            26G     0   26G   0% /run/user/1003
tmpfs            26G     0   26G   0% /run/user/1001
tmpfs            26G     0   26G   0% /run/user/1004
############################
CPU Usage
############################
%Cpu(s):  7.0 us,  2.2 sy,  0.0 ni, 90.1 id,  0.4 wa,  0.0 hi,  0.3 si,  0.0 st
Architecture:        x86_64
CPU op-mode(s):      32-bit, 64-bit
Byte Order:          Little Endian
CPU(s):              80
On-line CPU(s) list: 0-79
Thread(s) per core:  2
Core(s) per socket:  20
Socket(s):           2
NUMA node(s):        2
Vendor ID:           GenuineIntel
CPU family:          6
Model:               85
Model name:          Intel(R) Xeon(R) Gold 6138 CPU @ 2.00GHz
Stepping:            4
CPU MHz:             2866.513
CPU max MHz:         3700.0000
CPU min MHz:         1000.0000
BogoMIPS:            4000.00
Virtualization:      VT-x
L1d cache:           32K
L1i cache:           32K
L2 cache:            1024K
L3 cache:            28160K
NUMA node0 CPU(s):   0-19,40-59
NUMA node1 CPU(s):   20-39,60-79
Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr
• Uptime--Enter command option 2 from the System menu to view the uptime, logged-in user count, and load average of an Aruba Central On-Premises node.
Enter option [ 0 - 2 ]: 2
############################
uptime
############################
06:44:21 up 8:49, 7 users, load average: 17.89, 11.79, 10.51

User Sessions
Enter command option 6 from the Show commands menu to display the list of interactive user sessions on the node. Each row shows the user, terminal, login time, idle time, process ID, and originating host.
Enter option [ 0 - 9 ]: 6
############################
List of user sessions
############################
copadmin   pts/0  2020-07-27 05:26 01:17 51432 (10.240.125.20)
ineedshell pts/1  2020-07-27 05:02 01:42  3261 (10.20.13.62)
cop_shell  pts/2  2020-07-27 05:30 01:10 54299 (10.240.125.20)
copadmin   pts/3  2020-07-27 05:54   .   76741 (10.240.126.221)
ineedshell pts/4  2020-07-27 06:05 00:39 47373 (10.20.13.113)
ineedshell pts/5  2020-07-27 06:11 00:32 36861 (10.20.44.187)
ineedshell pts/6  2020-07-27 06:42 00:02 68881 (10.240.130.81)
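An audit of the session list above, as an added example that is not part of the Aruba guide or product: it parses the `who -u`-style rows the command prints and flags sessions that originate outside an allowed management network or belong to accounts other than the expected administrative user. The sample rows reproduce the guide's output; the allowed network (10.240.0.0/16) and the expected user set are assumptions for the example.

```python
"""Flag unexpected interactive sessions in the COP 'User Sessions' output.

Added example; not code from the Aruba guide. Allow-list values are assumed.
"""
import ipaddress
import re

# user, tty, login date and time, idle, pid, and the origin in parentheses.
ROW_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<login>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(?P<idle>\S+)\s+(?P<pid>\d+)\s+\((?P<origin>[^)]+)\)\s*$"
)

# Rows as printed by the CLI in the guide.
SAMPLE_SESSIONS = """\
copadmin   pts/0  2020-07-27 05:26 01:17 51432 (10.240.125.20)
ineedshell pts/1  2020-07-27 05:02 01:42  3261 (10.20.13.62)
cop_shell  pts/2  2020-07-27 05:30 01:10 54299 (10.240.125.20)
copadmin   pts/3  2020-07-27 05:54   .   76741 (10.240.126.221)
ineedshell pts/4  2020-07-27 06:05 00:39 47373 (10.20.13.113)
ineedshell pts/5  2020-07-27 06:11 00:32 36861 (10.20.44.187)
ineedshell pts/6  2020-07-27 06:42 00:02 68881 (10.240.130.81)
"""


def parse_sessions(text):
    """Turn who -u rows into dicts; banner and non-matching lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            sessions.append(row)
    return sessions


def audit_sessions(text, allowed_networks, expected_users):
    """Return (sessions from outside allowed_networks, sessions with unexpected users)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    foreign, unexpected = [], []
    for s in parse_sessions(text):
        try:
            origin = ipaddress.ip_address(s["origin"])
            inside = any(origin in n for n in nets)
        except ValueError:
            inside = False   # hostname or ':0'-style origin: not verifiable, flag it
        if not inside:
            foreign.append(s)
        if s["user"] not in expected_users:
            unexpected.append(s)
    return foreign, unexpected


if __name__ == "__main__":
    # Assumed policy: only copadmin, only from the 10.240.0.0/16 management network.
    foreign, unexpected = audit_sessions(SAMPLE_SESSIONS, ["10.240.0.0/16"], {"copadmin"})
    for s in foreign:
        print("outside management network:", s["user"], s["tty"], s["origin"])
    for s in unexpected:
        print("unexpected account:", s["user"], s["tty"], s["origin"])
```

Run against the guide's rows with that policy, three sessions (pts/1, pts/4, pts/5) come from outside 10.240.0.0/16 and five belong to accounts other than copadmin; whether the ineedshell and cop_shell accounts are legitimate on a given deployment is for the operator to decide, which is why they are listed rather than blocked.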

Clock
Enter command option 7 from the Show commands menu to display the current date and time on the node.
Enter option [ 0 - 9 ]: 7
Thu Aug 8 03:33:50 UTC 2019

App status
Enter command option 8 from the Show commands menu to display the pod status of an Aruba Central On-Premises application. Enter an application name to filter the list, or press Enter to list the pods of all applications. The following example shows the status of the central application.
Enter option [ 0 - 9 ]: 8
Enter the application name, to list all apps press Enter key:central
NAMESPACE    NAME                                                 READY   STATUS    RESTARTS   AGE     IP             NODE            NOMINATED NODE   READINESS GATES
acp-system   central-grafana-dashboard-7c845956dc-92xgj           1/1     Running   1          7h42m   172.16.2.94    10.22.158.181   <none>           <none>
central      acp-ae-rapids-api-deployment-b8d794d49-4sxck         1/1     Running   0          7h30m   172.16.0.172   10.22.158.182   <none>           <none>
central      acp-ae-rapids-bootstrap-deployment-789f85cbbd-dtjsb  1/1     Running   0          7h38m   172.16.4.131   10.22.158.77    <none>           <none>
central      acp-ae-rapids-deployment-588b4989b5-kc58v            1/1     Running   0          7h38m   172.16.0.134   10.22.158.182   <none>           <none>
central      acp-ae-rapids-deployment-588b4989b5-q7mw8            1/1     Running   0          7h38m   172.16.4.130   10.22.158.77    <none>           <none>
central      acp-ae-rapids-deployment-588b4989b5-xx5ks            1/1     Running   0          7h38m   172.16.2.121   10.22.158.181   <none>           <none>
central      acp-device-visibility-deployment-5f97648f6f-nxq28    1/1     Running   0          7h42m   172.16.4.102   10.22.158.77    <none>           <none>
central      admin-api-deployment-7d4f4984f7-9wq5h                1/1     Running   0          7h37m   172.16.2.150   10.22.158.181   <none>           <none>
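A health check over the pod table above, as an added example that is not part of the Aruba guide or product: it parses `kubectl get pods -o wide` rows as printed by the App Status command and reports every pod that is not Running, not fully Ready, or has restarted, plus a per-node pod count to spot a node that is carrying nothing. The first rows are copied from the guide; the CrashLoopBackOff row is constructed for the negative case.

```python
"""Find unhealthy pods in the 'App Status' (kubectl get pods -o wide) output.

Added example; not code from the Aruba guide. The last sample row is constructed.
"""

SAMPLE_PODS = """\
NAMESPACE    NAME                                                 READY   STATUS             RESTARTS   AGE     IP             NODE            NOMINATED NODE   READINESS GATES
acp-system   central-grafana-dashboard-7c845956dc-92xgj           1/1     Running            1          7h42m   172.16.2.94    10.22.158.181   <none>           <none>
central      acp-ae-rapids-api-deployment-b8d794d49-4sxck         1/1     Running            0          7h30m   172.16.0.172   10.22.158.182   <none>           <none>
central      acp-ae-rapids-bootstrap-deployment-789f85cbbd-dtjsb  1/1     Running            0          7h38m   172.16.4.131   10.22.158.77    <none>           <none>
central      acp-ae-rapids-deployment-588b4989b5-kc58v            1/1     Running            0          7h38m   172.16.0.134   10.22.158.182   <none>           <none>
central      admin-api-deployment-7d4f4984f7-9wq5h                1/1     Running            0          7h37m   172.16.2.150   10.22.158.181   <none>           <none>
central      example-broken-deployment-0000000000-abcde           0/1     CrashLoopBackOff   5          7h00m   172.16.2.200   10.22.158.181   <none>           <none>
"""


def parse_pods(text):
    """Parse wide-format rows; the header and short lines are skipped.

    The RESTARTS column is a plain integer in the kubectl version shown in the
    guide (v1.14); newer kubectl may print '3 (5m ago)', which would need a
    regex-based split instead of whitespace splitting.
    """
    pods = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] == "NAMESPACE":
            continue
        ready_ok, ready_total = (int(x) for x in cols[2].split("/"))
        pods.append({"namespace": cols[0], "name": cols[1],
                     "ready": (ready_ok, ready_total), "status": cols[3],
                     "restarts": int(cols[4]), "age": cols[5],
                     "ip": cols[6], "node": cols[7]})
    return pods


def pod_problems(text):
    """Return (name, node, [reasons]) for every pod that is not fully healthy."""
    problems = []
    for p in parse_pods(text):
        reasons = []
        if p["status"] != "Running":
            reasons.append("status " + p["status"])
        if p["ready"][0] < p["ready"][1]:
            reasons.append("ready %d/%d" % p["ready"])
        if p["restarts"] > 0:
            reasons.append("restarts %d" % p["restarts"])
        if reasons:
            problems.append((p["name"], p["node"], reasons))
    return problems


def pods_per_node(text):
    """Count pods per node; a node with far fewer pods than its peers stands out."""
    counts = {}
    for p in parse_pods(text):
        counts[p["node"]] = counts.get(p["node"], 0) + 1
    return counts


if __name__ == "__main__":
    for name, node, reasons in pod_problems(SAMPLE_PODS):
        print("%s on %s: %s" % (name, node, ", ".join(reasons)))
    print(pods_per_node(SAMPLE_PODS))
```

A restart count of 1 on an otherwise Running pod, as on the grafana dashboard pod in the guide's output, is worth a look at that pod's logs with the Generate Pod Logs command described under Log Snapshot Operations.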

Cluster Status
Enter command option 9 from the Show commands menu to display the cluster details for Aruba Central On-Premises.
Enter option [ 0 - 9 ]: 9
COP Cluster Details
-----------------------
Cluster IP         : 10.22.158.27
Cluster FQDN       : node3vip.arubathena.com
Pod CIDR           : 172.16.0.0/16
Service CIDR       : 10.3.0.0/23
Router ID          : 27
Time Zone          : UTC
Cluster Node Count : 3
Cluster Node List  :
NAME            STATUS   ROLES    AGE   VERSION
10.22.158.181   Ready    master   8h    v1.14.5
10.22.158.182   Ready    master   8h    v1.14.5
10.22.158.77    Ready    master   8h    v1.14.5

System Configuration Commands
The System Configuration commands configure system parameters such as the network, proxy, timezone, NTP, and cluster nodes, and also upgrade the setup or put it into Airgap mode. Enter command option 4 from the main menu to view all the system configuration commands supported.
Enter option [ 0 - 11 ]: 4
1. Upgrade
2. Network Setup
3. Proxy Setup
4. Setup Timezone
5. Setup NTP
6. Node Setup
7. Airgap
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 7 ]:

The following section describes the set of commands that can be executed under the system configuration category.
Upgrade
Enter command option 1 from the System Configuration commands menu to upgrade the system, for either an online customer or an offline (Airgap) customer. The command first reports the current upgrade status.
Enter option [ 0 - 6 ]: 1
COP Server Status
---------------------------------------------------------
Current Version                     : 2.5.2.0
Latest Version                      : 2.5.2.0
Online Customer                     : true
Upgrade Status                      : UP_TO_DATE
Upgrade Available                   : false
File Transfer Completion Percentage : 0
Upgrade Stage Completion Percentage : 0
---------------------------------------------------------
Last File Transfer Status           :
Last File Transfer Message          :
Last File Transfer Time             :
Last Upgrade Status                 :
Last Upgrade Message                :
Last Upgrade Time                   :
---------------------------------------------------------
===== COP is in latest version =====

Network Setup
Prerequisite: Ensure that both the primary and the secondary DNS server configured on Aruba Central On-Premises resolve the following FQDNs:
• central-<FQDN>
• sso-<FQDN>
• apigw-<FQDN>
• ccs-user-api-<FQDN>
Additionally, the DNS servers must resolve the public and private DNS namespaces required by the organization.
Enter command option 2 from the System Configuration commands menu to set up the network permanently or temporarily.
Enter option [ 0 - 6 ]: 2
1. Permanent (Network settings)
2. Temporary (Network settings)
3. Switch Network Interface
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 3 ]:

• Permanent (Network settings)--Enter command option 1 from the Network Setup commands menu to set up the permanent network settings.
Enter option [ 0 - 3 ]: 1
Network Settings
Hostname : ccs-1n-cophost.arubathena.com
IP Address : 10.22.154.57
Interface : eno1
Enter Subnet mask : 255.255.255.0
Enter Gateway : 10.22.154.2
Enter DNS : 10.20.50.10
Secondary DNS is optional. Press ENTER to proceed
Enter Secondary DNS : 10.20.50.25
Network settings exist; will be reset to new value
To list timezones, enter 'list'
Enter timezone : UTC
=========================== Updated Network Settings ===========================
Hostname      : ccs-1n-cophost.arubathena.com
IP Address    : 10.22.154.57
Subnet Mask   : 255.255.255.0
Gateway       : 10.22.154.2
DNS           : 10.20.50.10
Secondary DNS : 10.20.50.25
Timezone      : UTC
================================================================================
Press [Enter] key to continue...
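A pre-check for the DNS prerequisite stated at the start of Network Setup, as an added example that is not part of the Aruba guide or product. Resolving through the system resolver would only prove that one of the two servers works, so this builds a minimal DNS A query and sends it to each configured server directly over UDP, then lists every (server, name) pair that did not resolve. The query builder and answer parser are exercised offline with a constructed response; the cluster FQDN and server addresses below are hypothetical, and only `resolve_a` touches the network.

```python
"""Check that each configured DNS server resolves the COP service names.

Added example; not code from the Aruba guide. Names and servers are hypothetical.
"""
import random
import socket
import struct

REQUIRED_PREFIXES = ("central-", "sso-", "apigw-", "ccs-user-api-")


def required_names(cluster_fqdn):
    """The four names the guide requires both DNS servers to resolve."""
    return [p + cluster_fqdn for p in REQUIRED_PREFIXES]


def build_query(name, txid):
    """Recursive A/IN query: 12-byte header, QNAME labels, QTYPE=1, QCLASS=1."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg, txid):
    """Return the IPv4 strings in the answer section; raise on bad id or RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                      # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_a(name, server, timeout=2.0):
    """Ask one specific server over UDP (the only function that needs the network)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def check_dns_prerequisite(cluster_fqdn, servers, lookup=resolve_a):
    """Map (server, name) -> addresses; an empty list means it did not resolve."""
    results = {}
    for server in servers:
        for name in required_names(cluster_fqdn):
            try:
                results[(server, name)] = lookup(name, server)
            except (OSError, ValueError):
                results[(server, name)] = []
    return results


def unresolved(results):
    """Sorted list of (server, name) pairs that returned no address."""
    return sorted(k for k, v in results.items() if not v)


def constructed_response(query, addr):
    """Constructed test data: the reply a server would send for `query`."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + query[12:] + answer


if __name__ == "__main__":
    # Hypothetical cluster FQDN and the two DNS servers entered in Network Setup.
    results = check_dns_prerequisite("cop.example.com", ["10.20.50.10", "10.20.50.25"])
    for server, name in unresolved(results):
        print("NOT resolved by %s: %s" % (server, name))
```

Run it before committing Permanent network settings; any pair it prints means one of the two servers is missing a record, and a failover to that server would break the named service.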

• Temporary (Network settings)--Enter command option 2 from the Network Setup commands menu to set up the temporary network settings.
Enter option [ 0 - 3 ]: 2
Network Settings
Hostname : ccs-1n-cophost.arubathena.com
IP Address : 10.22.154.57
Interface : eno1
Enter Subnet mask : 255.255.255.0
Enter Gateway : 10.22.154.2
Enter DNS : 10.20.50.10
Secondary DNS is optional. Press ENTER to proceed
Enter Secondary DNS : 10.20.50.25
Network settings exist; will be reset to new value
To list timezones, enter 'list'
Enter timezone : UTC
=========================== Updated Network Settings ===========================
Hostname      : ccs-1n-cophost.arubathena.com
IP Address    : 10.22.154.57
Subnet Mask   : 255.255.255.0
Gateway       : 10.22.154.2
DNS           : 10.20.50.10
Secondary DNS : 10.20.50.25
Timezone      : UTC
================================================================================
Press [Enter] key to continue...

• Switch Network Interface--Enter command option 3 from the Network Setup commands menu to switch the network interface.
Enter option [ 0 - 3 ]: 3
The network interface currently configured is: eno1
Please capture and note down current network configurations for interface, IP Address, Subnet mask and Gateway before proceeding further.
Current Network Settings
--------------------------
Current Interface : eno1
IP Address        : 10.22.156.17
Subnet Mask       : 255.255.255.0
Gateway           : 10.22.156.2
DNS               : 10.20.50.10
Secondary DNS     :
FQDN              : cop-156-17.arubathena.com
Network interface change would need a restart of all nodes in the Central (on-premises) cluster, and cause brief disruption/downtime. Are you sure you want to proceed?(Y/N) : Y
Enter new interface name: eno2
Press [Enter] key to continue...
• You cannot switch from the Aruba Central On-Premises CLI to an interface slower than 10 Gbps.
• If all nodes are not connected to interfaces of the same speed, any addition or replacement of nodes might fail.
Proxy Setup
Enter command option 3 from the System Configuration menu to add, delete, or show the proxy URL.
Enter option [ 0 - 6 ]: 3
1. Add Proxy
2. Delete Proxy
3. Get Proxy
Enter option [ 0 - 3 ]:
• Add Proxy--Enter command option 1 from the Proxy Setup menu to add a proxy URL. The username and password are optional.
Enter option [ 0 - 3 ]: 1
Enter the proxy url: www.techpubs.com
Enter port: 98
Enter username(optional):
Enter password(optional):
• Delete Proxy--Enter command option 2 from the Proxy Setup menu to delete the proxy.
Enter option [ 0 - 3 ]: 2
Proxy deleted
Press [Enter] key to continue...
• Get Proxy--Enter command option 3 from the Proxy Setup menu to show the details of the configured proxy.
Enter option [ 0 - 3 ]: 3
"url": "10.22.154.228", "username": "admin", "password": "", "port": "3128"
Setup Timezone
Enter command option 4 from the System Configuration menu to set the timezone. The change is applied to all nodes in the cluster.
Enter option [ 0 - 7 ]: 4
To list timezones, enter 'list'
Enter timezone [UTC]: GMT
Setting TimeZone for other nodes in this cluster...
configmap/airwave-config patched (no change)
Press [Enter] key to continue...
Setup NTP
Enter command option 5 from the System Configuration menu to set up NTP.
Enter option [ 0 - 7 ]: 5
Enter primary NTP server : 10.22.158.230
Enter secondary NTP server (Optional) :10.22.154.165
Enter tertiary NTP server (Optional):
Is NTP Authentication required (y/n) : n
Configuring NTP for node : 10.22.154.57
10.22.158.230 NTP configured on node 10.22.154.57
10.22.154.165 NTP configured on node 10.22.154.57
NTP is configured node : 10.22.154.57
Press [Enter] key to continue...
All the nodes in a multi-node cluster must synchronize to the same NTP server. Run the NTP/Timezone Info command (command option 2 from the Show > Configuration menu) to verify that all nodes are synchronized with the same NTP server. You can also authenticate the NTP server with a secure key.
• If you are using iLO when configuring NTP servers and require the secure key to authenticate the NTP server, use the WebUI or the CLI to copy the NTP server key; the copy and paste operation is not supported on the iLO console. Log on to the CLI with the iLO credentials and use the VSP command to obtain the secure key.
• If the Setup NTP command is executed after the cluster is configured, the modified NTP server details are applied to the whole cluster. If the cluster is not yet configured, the modified NTP server details are applied only to the node.
Node Setup
Enter command option 6 from the System Configuration menu to add or replace a cluster node, or to view the status of the last node operation.
Enter option [ 0 - 7 ]: 6
1. Add node
2. Replace node
3. Status
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 3 ]:
• Add node--Enter command option 1 from the Node Setup menu to add one or more nodes, identified by IP address, to the cluster.
Enter option [ 0 - 3 ]: 1
Enter node ip(s) to be added to the cluster separated by space:10.22.154.237 10.22.154.238
10.22.154.237 10.22.154.238
Add job 'platform-config-node-mgmt-job-nwcbs' under progress...
• Replace node--Enter command option 2 from the Node Setup menu to replace an existing node in the cluster with a new node. The IP address of the new node must not be the same as that of the old node.
Enter option [ 0 - 3 ]: 2
Enter existing node ip to be replaced from the cluster:
Enter new node ip:
• Status--Enter command option 3 from the Node Setup menu to view the details of the active or most recent system operation.
Enter option [ 0 - 3 ]: 3
Active system operation details
-------------------------------------------
operation type: Replace node
operation state: SUCCESS
start time: Wed Nov 23 15:30:03 UTC 2022
end time: Wed Nov 23 15:45:04 UTC 2022
operation data: Old node - 10.22.154.142, New node - 10.22.154.226, Execute node - 10.22.154.137, Job name - platform-config-node-mgmt-job-gm6z9
--------------------------------------------
Airgap
Enter command option 7 from the System Configuration menu to enable or disable Airgap mode for upgrades. Enabling Airgap lets you upgrade the Aruba Central On-Premises setup offline, without internet access.
Enter option [ 0 - 7 ]: 7
1. Enable Airgap
2. Disable Airgap
3. Status
====================================
b. back
m. main menu
0. exit
Advanced Commands
Enter command option 5 from the main menu to test connectivity, perform DNS lookups, toggle CDN, and configure the iLO IP address.
Enter option [ 0 - 11 ]: 5
1. Test Connectivity
2. NsLookup
3. Toggle CDN
4. Configure ILO IP
====================================
b. back
m. main menu
0. exit
Test Connectivity
Enter command option 1 from the Advanced commands menu to test connectivity to a host or to the dependent servers.
Enter option [ 0 - 4 ]: 1
1. Ping
2. Dependent Servers Reachability
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 2 ]:
• Ping--Enter command option 1 from the Test Connectivity menu to ping an IP address or hostname.
Enter option [ 0 - 2 ]: 1
Enter the IP address or hostname to ping:10.22.154.56
PING 10.22.154.56 (10.22.154.56) 56(84) bytes of data.
64 bytes from 10.22.154.56: icmp_seq=1 ttl=63 time=0.473 ms
64 bytes from 10.22.154.56: icmp_seq=2 ttl=63 time=1.61 ms
64 bytes from 10.22.154.56: icmp_seq=3 ttl=63 time=2.63 ms
64 bytes from 10.22.154.56: icmp_seq=4 ttl=63 time=1.58 ms
64 bytes from 10.22.154.56: icmp_seq=5 ttl=63 time=2.99 ms
• Dependent Servers Reachability--Enter command option 2 from the Test Connectivity menu to check the reachability of the dependent HTTP(S) servers (the update, container registry, and package repository endpoints).
Enter option [ 0 - 2 ]: 2
Connection to coreupdate (coreupdate.central.arubanetworks.com) successful.
Connecting to coreupdate(coreupdate-prod.central.arubanetworks.com) ...
You are going to access FED system . Required policy 1 LINE 1 2 LINE 2 3 LINE 3 4 LINE 4 5 LINE 5
Connection to coreupdate (coreupdate-prod.central.arubanetworks.com) successful.
Connecting to quay(quay.io) ...
You are going to access FED system . Required policy 1 LINE 1 2 LINE 2 3 LINE 3 4 LINE 4 5 LINE 5
Connection to quay (quay.io) successful.
Connecting to nexus(nexus2.airwave.com) ...
Connection to nexus(nexus2.airwave.com) successful.
----- All dependent HTTP(S) servers are reachable -----
Press [Enter] key to continue...

NsLookup
Enter command option 2 from the Advanced commands menu to perform a DNS lookup for a hostname or IP address.
Enter option [ 0 - 4 ]: 2
Enter the hostname or IP Address for NS Lookup:google.com
../../../lib/dns/hmac_link.c:349:
Server:         10.20.50.10
Address:        10.20.50.10#53
Non-authoritative answer:
Name:   google.com
Address: 142.250.76.46
Name:   google.com
Address: 2404:6800:4007:814::200e
Press [Enter] key to continue...
Toggle CDN
Enter command option 3 from the Advanced commands menu to enable CDN, disable CDN, or show the CDN status.
Enter option [ 0 - 4 ]: 3
1. Enable CDN
2. Disable CDN
3. Show CDN status
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 3 ]:
• Enable CDN--Enter command option 1 from the Toggle CDN commands menu to enable CDN.
Enter option [ 0 - 3 ]: 1
CDN enabled
Press [Enter] key to continue...
• Disable CDN--Enter command option 2 from the Toggle CDN commands menu to disable CDN.
Enter option [ 0 - 3 ]: 2
CDN enabled
Press [Enter] key to continue...
• Show CDN Status--Enter command option 3 from the Toggle CDN commands menu to show the status of CDN. The "enabled" field reports whether CDN is in use.
Enter option [ 0 - 3 ]: 3
{
  "monitoring": "//d1c50u1zbkqmph.cloudfront.net",
  "configuration": "//d1c50u1zbkqmph.cloudfront.net",
  "base": "//d1c50u1zbkqmph.cloudfront.net",
  "enabled": false,
  "guest": "//d1c50u1zbkqmph.cloudfront.net",
  "msp": "//d1c50u1zbkqmph.cloudfront.net"
}
Configure ILO IP
Enter command option 4 from the Advanced commands menu to configure the IP address of the iLO.
Enter option [ 0 - 4 ]: 4
Enter IP Address: 10.22.155.100
Enter Subnet mask: 255.255.255.0
Enter Gateway: 10.22.155.2
Enter DNS: 10.20.50.10
Enter Secondary DNS: 10.20.50.25
10.22.155.100 ILO IP configuration successful
Security Commands
Enter command option 6 from the main menu to reset the GUI admin password, the CLI (copadmin) password, or the debug apps password.
Enter option [ 0 - 11 ]: 6
1. Reset Password GUI
2. Reset Password CLI
3. Reset debug apps password
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 3 ]:
Reset Password GUI
Enter command option 1 from the Security Commands menu to reset the GUI admin user password.
Enter option [ 0 - 3 ]: 1
Do you want to reset GUI admin user password(y/n) :
Reset Password CLI
Enter command option 2 from the Security commands menu to reset the CLI (copadmin) password.
Enter option [ 0 - 3 ]: 2
Do you want to reset copadmin password(y/n) :
Reset debug apps password
Enter command option 3 from the Security commands menu to reset the debug apps password.
Enter option [ 0 - 3 ]: 3
Do you want to reset debug apps password(y/n) :


Support Commands
Enter command option 7 from the main menu to start or stop the support connection, collect logs, restart an application, manage the system operations lock, and enable or disable the Grafana and Kibana services.
Enter option [ 0 - 11 ]: 7
1. Support Connection
2. Collect All Logs
3. Log Snapshot Operations
4. Download COP Setup Logs
5. Restart Application
6. System Operations Lock Management
7. Enable disable services (Grafana/Kibana)
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 7 ]:
Support Connection
Enter command option 1 from the Support commands menu to start, stop, or restart the support connection used for remote TAC access, check its status, upload the support connection file, or add and delete the support user copsupport.
Enter option [ 0 - 7 ]: 1
1. Start Support Connection
2. Stop Support Connection
3. Restart Support Connection
4. Support Connection Status
5. Upload Support Connection File
6. Add Support User 'copsupport'
7. Delete Support User 'copsupport'
8. Show contents of copsupport.gpg
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 8 ]:
• Start Support Connection--Enter command option 1 from the Support Connection commands menu to start a support connection.
Enter option [ 0 - 8 ]: 1
{
  "support_connection_status": "stopped",
  "active_from": "_",
  "connection": "inactive"
}
Press [Enter] key to continue...
• Stop Support Connection--Enter command option 2 from the Support Connection commands menu to stop a support connection.
Enter option [ 0 - 8 ]: 2
{
  "support_connection_status": "stopped"
}
Press [Enter] key to continue...
• Restart Support Connection--Enter command option 3 from the Support Connection commands menu to restart a support connection.
Enter option [ 0 - 8 ]: 3
{
  "support_connection_status": "stopped"
}
{
  "support_connection_status": "stopped",
  "active_from": "_",
  "connection": "inactive"
}
Press [Enter] key to continue...
• Support Connection Status--Enter command option 4 from the Support Connection commands menu to check the status of the support connection.
Enter option [ 0 - 8 ]: 4
{
  "support_connection_status": "stopped",
  "active_from": "_",
  "connection": "inactive",
  "node": "_"
}
Press [Enter] key to continue...
• Upload Support Connection File--Enter command option 5 from the Support Connection commands menu to copy the support connection file from a remote server to the COP server over SCP. As with Download File from COP, verify the remote host's key fingerprint on first contact before accepting it.
Enter option [ 0 - 8 ]: 5
This will scp a file from the remote server to cop server
Enter remote hostname and path (username@hostname:<filepath>): <username>@10.22.158.92:/home/auto/support_connection.tar
Copying <username>@10.22.158.92:/home/auto/support_connection.tar to COP server
<username>@10.22.158.92's password:
Connected to 10.22.158.92.
Fetching /home/auto/support_connection.tar to /var/airwave/appliance/localdisk/support_connection.tar
/home/auto/support_connection.tar                 100% 1988   127.9MB/s   00:00
Press [Enter] key to continue...

• Add Support User 'copsupport'--Enter command option 6 from the Support Connection commands menu to create the support user copsupport. The output shows the expiry date of the account followed by a PGP-encrypted message. The account is a second interactive login on the appliance: delete it with the Delete Support User command as soon as the support engagement ends rather than waiting for it to expire.
Enter option [ 0 - 8 ]: 6
copsupport user account expires on: Mar 10, 2022 8 10:48:17
-----BEGIN PGP MESSAGE-----
hQIMA0wNcZIn82zzAQ//bj0kS7h2s2wMJWX0JlYcfX053lFjWUa2XqHJ5xKk1OP7 jzvVRw+yFApKy5R0DP1RbXnifLHFGGxZx+x40H592agTehIqrI3L5put4Ewi/uK2 RZg9znigDmTe8jKTNWIbrN80VBpTz4QXaArD+4yhAJ80JFhFyFij9fWz1dSCwIUj oej3JpKtDzVNmRZqANje8HeF62Y6WYWXFFn8VrzBPaasIPk1KQU5MZEKXtZyB3zD nmi3IyM5rF/+uqFniR7vYlQfYXwySB17ToPKvjbO4tvEt5WWwfXeEg+DczdNkdIz EpxXwgoby958Le0xCgcV8efbRtGCkxrtks37pPMAGJlVc0qtSJ/74DZc/BHD0WrZ r4euZjWD/F1Eaxq56nMUHal0jzyLVj5w7DP5Rhj9mnCYl+jsy6ZTIbxpfDzembUF LwTbVdjrbq79Ib+RFSHMUwFCv9CPGMjMmCJokYpdL82wksdJyOaWwF4AclmA19sU IuyUtwiXb5bZqwCM0N3+mVQhaUqti0Xu4K5K5E8kSje3QOAyUz0ogS9axGkJQUWx FpthJUF8ZKwH/tHU07K/So5LhahMcIa+qnCxycUC1X9G5R9EhvpGzEEQrUwy59lp zCz9w4M0ON/QwNh4IVssnZMTW6WLUv0r9fHEjnJAj/toIsRAVbKSAMgzXKNiwc/S dQEKZuFfFlPufJW4BWIoAn5PeThJQOrNlKxocI+e3H7eUKMZVof38MACsl6DJdy+ RCVrl4Wie3Ek/i2jXawz9QhBQza5c6BhdnjWqhQ+U9swEB0REnUbTqlaVhTXNVnW qMGdxD77nPuKKJuTluTONXJLdsF0KA==
=gWUQ
-----END PGP MESSAGE-----
Press [Enter] key to continue...
• Delete Support User 'copsupport'--Enter command option 7 from the Support Connection commands menu to delete the support user copsupport.
Enter option [ 0 - 8 ]: 7
Are you sure you want to delete support user 'copsupport' (Y/N)y
Removing user `copsupport' ...
Done.
Support user 'copsupport' deleted successfully.
Press [Enter] key to continue...
• Show contents of copsupport.gpg--Enter command option 8 from the Support Connection commands menu to show the contents of the copsupport.gpg file.
Enter option [ 0 - 8 ]: 8
-----BEGIN PGP MESSAGE-----
hQIMA0wNcZIn82zzARAAmuLy9Jure2AHc9/oSKXc0OEZ9ZW35O6r+mvWFk98zrMz V1IW4wocFj1KhcpfMnMZ0O/nBY0oZIb1CK6CpLnaxFAM+T6NLv7Kroz6wqKfVSt8 pjsrmSh3eyfmMK9FlIkU3u2LglB9xUxMFGqjgvqTqcieqwzWFG5LmK1ALUWsUMoE 4PsWTTdVO+gRGkx17hsa7c9US0iVFaeOQJBdfCnOgP3rfqJzoVhbnL3JEnJSZrYs R/sBIB47LNyw+E0i5ei8mbZ6S3rlWOCexxqFIdmyw+S52xrDPcACW/oqcnW31ubh u6jD4JqSZqavaf+QZKM80/I0r9N0jAXMExCkOT0TQX3mmg5K5pFgo38j5hnifXTN O+3rAcjRAgWhu1Nq3+1qpdG0esBCYPGdVs5f2mOej+cNBIsfg+RTemejOa71IeVf R4/NWpMJa0STYk3/qSybEXjLiYxwwwsJILiqjfE5TVKOcAJhoUVyTH/8t9l4zn+/ qASXne52ocPaa4lxI3SxKGKz159cYcQxlXsJh+CS6RudZaAh8m/WKtWi2g2SqGhk UsnJXttG5ruFnbFQPk1DdUSPnSzy4SZaBnwC0fvwkbQNUhTuYJmgQEQe8M9on5su swhivSLvWYZTg6EYTlRveMRjh/iMbsDqp/ylsKH21jLQf9QA+tBM8yuPTmgAjPPS dQH6+RPsiSlhdjkWnH6ZItIwX1WB1DpZaBjjx/PTTG+7Wi5XerA+8v1liJJOo6X/ yIdMnqlrGrQALRO/xPAXJUc4pQxXIDgHpWTQd3VWlCX5oSl2tPIiUAeq5iDds3vS 5KgqEvskPIeY9BJyMWa+LX2sx175HQ==
=t1Xn
-----END PGP MESSAGE-----
Press [Enter] key to continue...

Collect All Logs
Enter command option 2 from the Support commands menu to collect the log files into a tar.gz archive. Collecting all logs from Elasticsearch can take one to three hours; the same logs can also be collected from Log Snapshot Operations by selecting the category all.
Enter option [ 0 - 7 ]: 2
cluster_log_collection...
Collect COP logs along with diagnostic information (Y/N):Y
Collecting all logs from Elasticsearch takes around 1-3 hours. It can be also collected from "Log Snapshot Operations" by selecting all as category.
Do you want to collect logs from Elasticsearch(Y/N):Y
Collecting COP diagnostic information may take 2-5 minutes
COP diagnostic information dumped and will be zipped to logs as well
Starting Elasticsearch snapshot for all logs...
Logs are being collected from 10.22.156.209 now @Tue Feb 8 11:15:25 UTC 2022
tar: /var/log/snmp: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
0
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
mv: cannot stat 'cop-156-209.arubathena.com_log_collection_2022-02-08_11-15-25_UTC.tar.gz': No such file or directory
log_compression...
The following archive(tar.gz) contains all the log information to help debugging the problem:
cop-156-209.arubathena.com_log_collection_2022-02-08_11-14-18_UTC.tar.gz
Please share it with COP customer support team.
cp: cannot stat '/home/copadmin/log_collection': No such file or directory
Press [Enter] key to continue...

Log Snapshot Operations
Enter command option 3 from the Support commands menu to generate and download snapshots for a category or node, generate system operation and pod logs, delete snapshots, and download upgrade reports.
Enter option [ 0 - 7 ]: 3
1. Generate Snapshots for a Category
2. Generate System Operation Logs
3. Generate Pod Logs
4. Generate Node Snapshot
5. Download Logs/Snapshots
6. Delete Logs/Snapshots
7. Download Upgrade Reports
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 7 ]:


• Generate Snapshots for a Category--Enter command option 1 from the Log Snapshot Operations commands menu to collect log snapshots of a specific category (kube, nginx, alert, infra, syslog, system, or all) over a chosen time range.
Enter option [ 0 - 7 ]: 1
Enter a category to create the snapshot [kube nginx alert infra syslog system all]... alert
Enter the time range for snapshot creation [3h, 1d, 1w, 1M, 3M]... 1w
{ "status": "Accepted", "snapshotId": "alert-snap-7d-1644406412" }
Press [Enter] key to continue...

• Generate System Operation Logs--Enter command option 2 from the Log Snapshot Operations commands menu to collect the logs of a system operation (upgrade, backup/restore, or migration).
Enter option [ 0 - 7 ]: 2
Enter a category to create the snapshot [upgrade backuprestore migration]... migration
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   105  100   105    0     0    652      0 --:--:-- --:--:-- --:--:--   660
{ "status": "Accepted", "snapshotId": "migration-plain-1m-1644910302", "category": "migration" }
Press [Enter] key to continue...

• Generate Pod Logs--Enter command option 3 from the Log Snapshot Operations commands menu to collect the logs of a specific pod.
Enter option [ 0 - 7 ]: 3
Enter a pod name to generate logs... postgres-cluster-0
{ "status": "Accepted", "snapshotId": "postgres-cluster-0-1m-1644410009", "category": "pod" }
Press [Enter] key to continue...
• Generate Node Snapshot--Enter command option 4 from the Log Snapshot Operations commands menu to collect a log snapshot for a specific node.
Enter option [ 0 - 7 ]: 4
Enter node to generate logs [10.22.154.57]... 10.22.154.57
{ "status": "Accepted", "snapshotId": "10.22.154.57-snap-1m-1644410130" }
Press [Enter] key to continue...

• Download Logs/Snapshots--Enter command option 5 from the Log Snapshot Operations commands menu to download a log snapshot file.
Enter option [ 0 - 7 ]: 5
List of available snapshots and their status
----------------------------------------------------------------
create time            snapshot name                  status
----------------------------------------------------------------
2022-02-08 11:12:35,   "all-snap-7d-1644318755":      "in_progress"
----------------------------------------------------------------
Select a name to be downloaded (without quotes)...

n Delete Logs/Snapshots--Enter command option 6 from the Log Snapshot Operations commands menu to delete log snapshots.
Enter option [ 0 - 7 ]: 6
List of available snapshots and their status
----------------------------------------------------------------
create time            snapshot name                 status
----------------------------------------------------------------
2022-02-08 11:12:35, "all-snap-7d-1644318755": "in_progress"
----------------------------------------------------------------
Select a name to be deleted (without quotes)...

n Download Upgrade Reports--Enter command option 7 from the Log Snapshot Operations commands menu to download upgrade reports.
Enter option [ 0 - 7 ]: 7
Added `minio` successfully.
mc: Configuration written to `/home/copadmin/.mc/config.json`. Please update your access credentials.
mc: Successfully created `/home/copadmin/.mc/share`.
mc: Initialized share uploads `/home/copadmin/.mc/share/uploads.json` file.
mc: Initialized share downloads `/home/copadmin/.mc/share/downloads.json` file.
mc: <ERROR> Unable to validate source minio/deployment/
Press [Enter] key to continue...

Download COP Setup Logs
Enter the command option 4 from the Support commands menu to download the Aruba Central On-Premises setup logs.
Enter option [ 0 - 7 ]: 4
################################################################################
SCP would be used to copy the logs to a remote host
################################################################################
Enter remote hostname and path (username@hostname:<filepath>):

Restart Application
Enter the command option 5 from the Support commands menu to restart applications.

Enter option [ 0 - 7 ]: 5
Enter an application name to restart:
System Operations Lock Management
Enter the command option 6 from the Support commands menu to manage the system operations lock.
Enter option [ 0 - 7 ]: 6
1. Lock status
2. Release Lock
3. Update Lock Setting
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 3 ]:
n Lock status--Enter command option 1 from the System Operations Lock Management commands menu to view the lock status of the system operation.
Enter option [ 0 - 3 ]: 1
No system operation is active currently
Press [Enter] key to continue...
n Release Lock--Enter command option 2 from the System Operations Lock Management commands menu to release the lock of the system operation.
Enter option [ 0 - 3 ]: 2
1. Upgrade
2. Backup
3. Restore
4. Migration
5. Add node
6. Replace node
7. Reboot node
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 7 ]:
n Update Lock Setting--Enter command option 3 from the System Operations Lock Management commands menu to update the lock settings of the system operation.
1. on
2. off
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 2 ]: 1
Do you really want to update system operation lock settings?(y/n):
Temporary Root Shell Commands
Enter command option 8 from the main menu to create a temporary user, cop_shell, with a random password; the system encrypts this password. Provide this key to customer support. Customer support can then access the Aruba Central On-Premises server over SSH using the username cop_shell for 2 days from the date of creation. Use this option to grant shell access for a limited period of time for checking pods, collecting logs, or executing other CLI commands. This is useful if you want to troubleshoot or debug an issue.
Enter option [ 0 - 11 ]: 8
This will reset the previous COP root shell's pwd. proceed? (y/n): Y
No changes made.
Press [Enter] key to continue...
After the expiry, you can repeat the same process to extend the temporary root access by another 2 days.
Authentication Commands
Enter the command option 9 from the main menu to manage the SSH public keys required to connect to the Aruba Central On-Premises server.
Enter option [ 0 - 11 ]: 9
1. Display public key
2. Add public key to COP
3. List all public key added COP
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 3 ]:
Display public key
Enter the command option 1 from the Authentication commands menu to display the SSH public key of the administrator of the Aruba Central On-Premises server. This key is used to establish a public key based SSH connection from the Aruba Central On-Premises server to an external SSH server.
Enter option [ 0 - 3 ]: 1
Public key for COP
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgvtkfzXgG4AbaLsoJrdqbtdegGQ/NojIYZUDNQuYdNDXZm/Ti885MLzwuqJbv8GOlOd8vEor+YcQtJcWCjaBz7gZ2ZKUfC8qHyoErA1TnY52b1a+djSLg05xnZSwMYmbsGW+146U2BgYsrcILltsWzoq8RZCNqZ2So6CiwjBLx6LGXQaszXePLm1VkpuVKE17SXmyGFEzYuq/p4VmE5u45s71PsqV/wIcuvHvMjdZg9YBP1MOHNDpFclvjujZ/6tG8X55DAhszcwW30xjIQTEHBN0wHdSkLIaW4S9xq6xuw47Ez3lLGSpgB+fAclc34jL00lPHINVdUX2SY6lo93r [email protected]
Press [Enter] key to continue...

Add public key to COP
Enter the command option 2 from the Authentication commands menu to add the SSH public key to the Aruba Central On-Premises server.

Enter option [ 0 - 3 ]: 2
Enter key in SSH format:


Adding keys to authorized user
Add keys to node : 10.22.154.57
authorized_keys                               100% 1234     2.7MB/s   00:00


Copying keys to user : copadmin
Copying keys to node : 10.22.154.57
Press [Enter] key to continue...

List all public key added COP
Enter the command option 3 from the Authentication commands menu to list all the SSH public keys added to the Aruba Central On-Premises server.
Enter option [ 0 - 3 ]: 3
Local IP is - 10.22.156.209
Generating device cert for - 10.22.156.209 --

Certificate Configuration Commands
Enter the command option 10 from the main menu to configure device certificates.
Enter option [ 0 - 11 ]: 10
1. Enable client cert strict check
2. Disable client cert strict check
3. Generate device cert
====================================
b. back
m. main menu
0. exit
Enter option [ 0 - 5 ]:
Enable client cert strict check
Enter the command option 1 from the Certificate configuration commands menu to enable strict check for client certificates.
Enter option [ 0 - 5 ]: 1
Current status is - true
configmap/nginx-app-configuration replaced
Successfully updated nginx-app-configuration for key strict-cert-check
Existing nginx-app-ingress-deployment replicas - 0
deployment.apps/nginx-app-ingress-deployment scaled
deployment.apps/nginx-app-ingress-deployment scaled
nginx-app-ingress-deployment is scaled down to zero and scaled back to 0 , Please wait till nginx-app pods are up and running.
Press [Enter] key to continue...
Disable client cert strict check
Enter the command option 2 from the Certificate configuration commands menu to disable strict check for client certificates.
Enter option [ 0 - 5 ]: 2
Current status is - true
configmap/nginx-app-configuration replaced
Successfully updated nginx-app-configuration for key strict-cert-check
Existing nginx-app-ingress-deployment replicas - 1
deployment.apps/nginx-app-ingress-deployment scaled
deployment.apps/nginx-app-ingress-deployment scaled
nginx-app-ingress-deployment is scaled down to zero and scaled back to 1 , Please wait till nginx-app pods are up and running.
Press [Enter] key to continue...
Generate device cert
Enter the command option 3 from the Certificate configuration commands menu to restore the default device certificate. If any custom device certificate is uploaded, this command restores the device certificate back to default device certificate.

Enter option [ 0 - 5 ]: 3
Local IP is - 10.22.156.209
Generating device cert for - 10.22.156.209 --

Disable client cert strict check for devices
Enter option 4 from the Certificate configuration commands menu to disable strict check for device certificates.
Enter option [ 0 - 5 ]: 4
Disabling client strict check for devices.

Apply default certificates to Web UI and API Gateway
Enter option 5 from the Certificate configuration commands menu to generate and apply the default certificates to the web user interface (UI) and API gateway.
Enter option [ 0 - 5 ]: 5
Generating and applying default UI and GW certificates...
Are you sure you want to generate and apply default certificates for UI and API Gateway? (Y/N):

Search Commands
Enter option 11 from the main menu to view a list of available command options.

Enter option [ 0 - 11 ]: 11
Enter the text to get the list of available command options (case insensitive) : cluster
1) Show -> Configuration -> Network-config/Cluster-info
2) Show -> Cluster Status
Use number to select a command and execute it, enter (stop) to quit: 1

Updated Network Settings
-----------------------
Hostname      : cop-156-209.arubathena.com
IP Address    : 10.22.156.209
Subnet Mask   : 255.255.255.0
Gateway       : 10.22.156.2
DNS           : 10.20.50.10
Secondary DNS : 10.20.50.25
Timezone      : UTC

COP Cluster Details
-----------------------
Cluster IP         : 10.22.156.192
Cluster FQDN       : copvip-156-192.arubathena.com
Pod CIDR           : 172.16.0.0/16
Service CIDR       : 10.3.0.0/23
Router ID          : 192
Time Zone          : UTC
Cluster Node Count : 1
Cluster Node List :
NAME            STATUS   ROLES       AGE   VERSION
10.22.156.209   Ready    conductor   35d   v1.18.6
Press [Enter] key to continue...

CLI Behavioral Changes
User/Session Management Changes
Overview
With the 2.5.5 release, administrators can manage password, session, and banner related parameters from the Local Authentication page. To do so, log in to HPE GreenLake with your credentials and navigate to Manage > Authentication > Local Authentication.
n There is no CLI mechanism for modifying these properties.
n On the Manage > Authentication > Local Authentication page, the Inactive Account Lockout and Password Expiration fields will be supported in the upcoming release.
n On the Manage > Authentication > Session page, the CLI Total Concurrent Sessions field will be supported in the upcoming release.

Banner--Once a banner is configured, it is displayed during a login attempt by the user or administrator on the CLI.
Password policy--If the password policy is changed or configured, subsequent password changes must meet the configured requirements.
User Forced Reset--The user is immediately logged out of the CLI when the Forced Reset option is selected.
Session Inactivity--Once configured, active CLI sessions are terminated if there is no activity by the user or administrator.
Lockout after failed attempts--After configuration, the user or administrator is locked out after the configured number of unsuccessful login attempts. The duration for which the user or administrator is locked out is also configurable.
IPv6 Support
IPv6 addresses are supported for Campus APs and client IP addresses in Aruba Central On-Premises.
IPv6 addresses are not supported for Instant Access Points and AOS-CX switches.
An IPv6-only network can be managed in the following network topology: Mobility conductor/Standby controller > Switches > Access points/Campus APs > Clients. The mobility conductor and standby controller must be in dual mode to support IPv6 addresses. Aruba Central On-Premises supports IPv6 addresses on the WebUI pages listed in the following table:


Table 27: IPv6 Support in Aruba Central On-Premises

WebUI                       Description
Cluster Details > Summary   IPv6 address is available for access points.
Access Points > List        IPv6 address is available for access points.
Access Points > Summary     IPv6 address is available for access points.
Clients > List              IPv6 address is available for all devices and clients.
Client Details > Summary    IPv6 address is available for all devices and clients.
Global Search               IPv6 address of an access point can be entered to search the device.
Reports > List              IPv6 address is available for access points in the network summary report.


Chapter 6 Managing Licenses

Managing Licenses
As part of the shift to an Edge-to-Cloud Platform-as-a-Service organization, Aruba has introduced the Aruba Central Foundation and Advanced Licenses (Aruba Central Licenses). This is a uniform software subscription licensing model that will be extended to all products under the Aruba Central-managed portfolio. The new 1, 3, 5, 7, and 10-year fixed-term licenses offer you the flexibility to choose services and device operations that are most meaningful to the type of business that you own.
Managing subscriptions is available on the HPE GreenLake account home. For more information, see Managing Subscriptions.
This licensing model provides different licenses for APs, switches, and controllers.
The licenses for APs, switches, and controllers are not interchangeable. For example, you cannot use an AP Foundation License on a controller. Similarly, if you have an Aruba 25xx Switch but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch.
Aruba Central On-Premises features are available for all users tied to Foundation Licenses, but all the features have different monitoring and configuration options depending on the licensing tier. This licensing model provides the following types of licenses depending on the devices:
n Switches:
o Foundation--This license provides all the features included in the legacy Device Management tokens.
n Access Points (APs):
o Foundation--This license provides all the features included in the legacy Device Management tokens and some additional features that were available as value-added services for APs and switches in the earlier licensing model.
n Controllers:
o Foundation WLAN Gateway--This license provides all features required for Controller functionality in all deployment types.
Changes to the Legacy Licensing Model
For existing Aruba Central On-Premises customers, the previous Device Management and Service Token model is changed to the new licensing model, which provides a uniform licensing structure for all types of devices such as APs, switches, and controllers. The following list provides information about important aspects of the legacy licensing model:
n Device Management Token--This is a mandatory token which allows you to manage and monitor your APs and switches from Aruba Central On-Premises.
n Service Token--This token allows you to enable value-added services for APs that are managed from Aruba Central On-Premises.


n Subscription Key--A valid subscription key allows you to manage, profile, and analyze your devices using Aruba Central On-Premises. A subscription key is a 14-character alphanumeric string provided for either a device management or service token.
The new licenses simplify the existing subscription-based licensing model. With the introduction of this licensing model, the existing Device Management tokens for APs and switches are no longer available. Similarly, the Service tokens for value-added services on the APs are unavailable. Instead, APs and switches have adopted the current Foundation License model.
Supported Devices
The Aruba Central On-Premises Licenses are supported for APs, switches, and controllers. The pricing structure for Foundation Licenses for the hardware devices may differ based on the types of models. For more information on the individual device models supported, refer to the following sections:
n Supported APs
n Supported AOS-S Platforms
n Supported AOS-CX Platforms
n Supported Aruba Mobility Controllers
WLAN Gateway Foundation License
The WLAN Gateway Foundation License can be assigned to the following controllers:
n Aruba 70xx Series
n Aruba 72xx Series
This license does not have a capacity limit for client devices. For an Aruba Central evaluation account, four licenses of each base SKU are assigned to the account. These evaluation licenses are valid for 90 days.

Chapter 7 Managing Authentication Methods

Managing Authentication Methods
The Authentication page allows the administrator to manage and configure external authentication for users to have access to Aruba Central On-Premises. Following are the supported authentication options and methods:
n Local User Database--With this type of authentication, all users are authenticated by their username and password against the local database.
n SAML--Enable user federation across all services and single sign-on for users with claimed-domain accounts. Users without a claimed-domain account can still sign in using their username and password against the local user database.
n RADIUS--Use this section to configure RADIUS servers to authenticate Aruba Central On-Premises users.
Configuring Local Authentication
To configure local authentication, follow these steps:
1. From the Home page, navigate to Manage > Authentication > Local Authentication. The Manage Account page displays the local authentication settings.
2. Account administrators can use this section to configure password complexity and lockout requirements. Enter the following details and click Save Changes when you are done:
n Password complexity--Define the minimum length and mandatory characters for the password. Account administrators can use @, $, #, !, %, ^, &, *, ~, {, }, (, ), \, ', ;, :, <, and > as special characters in the password.
n Lockout & Expiration--Define the following lockout requirements:
o Enable the Lockout after failed attempts option to set the number of failed attempts after which the account is locked out and specify the duration of the lockout in minutes.
o Define limits for inactive account lockouts and password expiration in days.
o Change password upon next login--Force users to reset their password when they next log in to the system. Connected users are immediately disconnected and required to reset their password with the new complexity.
Managing Sessions
Account administrators can use this section to configure session conditions for users who log in to the system. Configure the following details and click Save Changes when you are done.
n Web Inactivity Timeout--Specify the maximum time limit for Web inactivity. When set, users cannot configure their sessions to be greater than this limit.


n Web Total Concurrent Sessions--Specify the maximum number of concurrent sessions for all users in the account.
n Concurrent Sessions per User--Specify the maximum number of concurrent sessions a user can be logged into at the same time.
n Login Banner--Provide the text for any required notifications or alerts to users which they can view on the sign-on page when they log in to the account.
n CLI Inactivity Timeout--Specify the maximum time limit for CLI inactivity. When set, users cannot configure their sessions to be greater than this limit.
n CLI Total Concurrent Sessions--Specify the maximum number of concurrent CLI sessions for all users in the account.
Single Sign-On Management
The Single Sign-On (SSO) solution simplifies user management by allowing users to access multiple applications and services with a single set of login credentials. If different vendors offer application services, IT administrators can use the SAML authentication and authorization framework to provide a seamless login experience for their users.
To provide a seamless login experience for users whose identity is managed by an external authentication source, HPE GreenLake now offers a federated SSO solution based on the SAML 2.0 authentication and authorization framework. SAML is an XML-based open standard for exchanging authentication and authorization data between trusted partners, particularly between an application service provider and the identity management system used by an enterprise. With HPE GreenLake's SAML SSO solution, organizations can manage user access using a single authentication and authorization source.
Important Note
The NameID attribute specified on the IdP must include the email address of the user. The SP metadata NameID must be of the format <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat> for SSO authentication to work.
Configuring SAML SSO for HPE GreenLake
SAML SSO Overview
HPE GreenLake SAML SSO consists of the following key elements:
Service Provider (SP)--The provider of a business function or service; for example, HPE GreenLake. The service provider requests and obtains an identity assertion from the IdP. Based on this assertion, the service provider allows access to the service.
Identity Provider (IdP)--The identity management system that maintains the user's identity information and authenticates the user.
SAML Request--The authentication request generated when a user tries to access the on-premises HPE GreenLake login page.
SAML Assertion--The authentication and authorization information issued by the IdP to allow access to the service (the HPE GreenLake account home).
Relying Party--The business service that relies on the SAML assertion for authenticating a user; for example, HPE GreenLake.
Asserting Party--The identity management system or IdP that creates SAML assertions for a service provider.
Metadata--Data in XML format exchanged between the trusted partners (IdP and HPE GreenLake) to establish interoperability.
SAML Attributes--The attributes associated with the user; for example, username, customer ID, role, and the group in which the devices belonging to a user account are provisioned. The SAML attributes must be configured on the IdP according to the specifications associated with a user account in HPE GreenLake. These attributes are included in the SAML assertion when HPE GreenLake sends a SAML request to the IdP.
Entity ID--A unique string that identifies the service provider issuing a SAML SSO request. According to the SAML specification, the string should be a URL, although not all providers require a URL.
User--A user with SSO credentials.
How SAML SSO Works
HPE GreenLake supports the following type of SAML SSO workflow:
n SP-initiated SSO
n IdP-initiated SAML SLO
SP-Initiated SSO
In an SP Initiated SSO workflow, the SSO request originates from the service provider domain, that is, from HPE GreenLake. When a user tries to access HPE GreenLake, a federation authentication request is created and sent to the IdP server.
SAML SSO Single Logout
HPE GreenLake supports Single Logout (SLO) of SAML SSO users. SLO allows users to terminate server sessions established using SAML SSO by initiating the logout process once. SAML SLO can be initiated either from the Service Provider or the IdP. However, HPE GreenLake supports only the IdP-initiated SLO.
IdP-initiated SAML SLO
The IdP-initiated logout workflow includes the following steps:
1. The user logs out of the IdP.
2. The IdP sends a logout request to HPE GreenLake.
3. HPE GreenLake validates the logout request from the IdP, terminates the user session, and sends a logout response to the IdP.
4. The user is logged out of HPE GreenLake.
After the IdP receives a logout response from all service providers, the IdP logs out the user.
Configuring a SAML Authorization Profile
The SAML SSO configuration for HPE GreenLake includes the following steps:
1. Configuring user accounts and roles in HPE GreenLake. See the Managing User Identity and Access topic in HPE GreenLake Help Center for more information.
2. Configure SAML authorization profile in HPE GreenLake.


3. Configuring Service Provider metadata such as metadata URL, service consumer URL, Name, and other attributes on the IdP server.
Ways to Configure HPE GreenLake SAML SSO
HPE GreenLake supports the following methods for configuring SAML SSO. Select one method to configure SAML SSO.
Note: Make sure you have your service provider details available.
n Upload Metadata File
n Upload Metadata URL
n Manual (Upload X.509 Certificate Details)
Configuration Steps
Follow these steps to configure SAML SSO:
1. On the HPE GreenLake home page, click Manage. The Manage Account page displays.
2. On the Manage Account page, select the Authentication tile. The Authentication page displays.
3. On the Authentication tab, in the Authentication Method section, click Edit. The Authentication Method dropdown displays.
4. Select SAML from the dropdown and click Set Up SAML Connection at the bottom of the page. The Claim a Domain dialog is displayed. Here, you must enter a domain to create and manage an SSO connection.
5. Enter a domain to add an authorization profile and click Continue.
n Ensure that the domain has at least one verified user. The user claiming the domain must be the same user currently logged into HPE GreenLake. For example, to claim an att.com domain, the user should be logged in to HPE GreenLake with an @att.com email address.
n HPE GreenLake does not support adding hpe.com, arubanetworks.com, and other free public domain names such as Gmail.com, Yahoo.com, or Facebook.com, for SAML authorization profiles.
6. In the Select a Configuration Method box, you have three options: Metadata File, Metadata URL, and Manual.

Depending on the configuration method you wish to use, follow these steps:
Metadata File
1. Select Metadata File, browse for the metadata file, and upload the file to the SAML SSO application.
Note: Ensure that the metadata file is in the XML format and it includes valid certificate content and HTTPS URLs for the Entity ID, Login URL, and Logout URL fields.
2. Click Upload Metadata File and select the IdP metadata file. HPE GreenLake extracts the Entity ID, Domain Login URL, Domain Logout URL, and certificate content.
3. Verify the details, including the pre-populated information.
4. Click Save. The Configure Settings page displays. Next, configure the SAML attributes settings. Proceed to Step 8.
Metadata URL
1. Select Metadata URL and enter the metadata URL in the provided field.
2. Click Validate URL. If you are using a valid configuration, the details will populate in the fields on the screen.
Note: Ensure that the Entity ID, Login URL, and Logout URL fields have valid HTTPS URLs.
3. Click Save. The Configure Settings page displays. Next, configure the SAML attributes settings. Proceed to Step 8.


Manual (Enter X.509 Certificate Details)
1. Select Manual (Enter X.509 Certificate Details).
2. Enter the Entity ID in the provided field.
3. Enter the Domain Login URL in the provided field.
4. Enter the Domain Logout URL in the provided field.
5. Enter the X.509 certificate details.
6. Click Save. The Configure Settings page displays. Proceed to Step 8.
Configure SAML Attributes
8. Next, configure the SAML Attributes settings.
a. Obtain the required attributes from your service provider.
i. Email Address: Enter the attribute that contains the user's email address. If the email address is a part of the NameID attribute, select NameID from the dropdown list. If you want to enter a custom attribute containing the user's email address, select Custom from the dropdown list.
ii. HPE GreenLake Attribute: HPE GreenLake Attribute has a default value, and it should be set to hpe_ccs_attribute. You can also substitute your own custom value. See Understanding HPE GreenLake SAML Attributes for more information.
b. Enter Optional Attributes. If the optional First Name and Last Name fields are not entered for the IdP, a default value of "Undefined FN, Undefined LN" is displayed as the user profile in the system.
c. Specify Idle Session Timeout.
d. Click Next. The Review & Create page displays.
9. Check the details displayed on the Review & Create page, and verify that all your configuration details are correct. Click the Modify link to edit your configuration details.
10. Click Finish to continue. The SSO Setup Complete configuration page displays.

Your SSO domain is now set up. Click the Download Metadata File link to download the metadata.
11. Click Exit. You are taken back to the Authentication page. Notice that the Authentication method is still set to the previous option, Local User Database.
12. Next, you have to activate the SAML authentication method that you just configured. Click Edit and in the Authentication Method dropdown, select SAML. The Notify All Active Users page displays.
13. You have the option to click the Send Email link to send an email immediately, or you can select the Skip For Now link to send an email at a later date. Select Skip for Now. The Authentication page displays once again.
14. Click Save Changes. The Change Authentication Method? confirmation box displays.
15. Select Confirm Changes. The authentication method for SAML is set.
Configuration confirmation
After successfully configuring SAML for your accounts, you should see a page similar to the following:


Understanding HPE GreenLake SAML Attributes
The following format should be followed when configuring the "hpe_ccs_attribute" on IdP.
Format: {version}#{pcid}:{app cid}:{role_name}:{scope_group_names}:{ALL_SCOPES}

Syntax requirements for HPE GreenLake SAML attributes

Define attributes with a colon (:) delimiter.
Here is an example of the syntax for the SAML attribute:
version_1#pcid_123:Aruba_123:admin_role:ALL_SCOPES:pcid_123:custom_role1:seattle_group,Oregon_group_compute_434

SAML Syntax

Syntax--Descriptions
version--Defines the version of the assertion attribute; currently, only version_1 is supported.
pcid--Platform Customer ID.
app cid--Application Customer ID. If you have multiple applications, define attributes separately for each application ID with a colon (:) delimiter.
role_name--Defines the access level for a particular NameID returned in the response. NameID is a valid email address used as the username to log into HPE GreenLake.
scope_group_names--Group in HPE GreenLake. When a group is specified in the attribute, the user can only access the devices in that group. You can also configure custom attributes to add multiple groups if users require access to multiple groups. Note: If no Scope Group names are defined, then by default scope_group_names will be ALL_SCOPES.
ALL_SCOPES--ALL_SCOPES allows access to all scope groups without any restriction on scope groups.

Example
A user accesses the Aruba Central application using SSO with the following attributes:
- Access to a customer account with PCID 64342190c66011ec99ffa247bd22c633
- Access to the Aruba Central application as Aruba Central Guest Operator for all scope_group_names
- Access to GLCP as Account Administrator for all scope_group_names
In this case, the hpe_ccs_attribute on the IdP should be formatted as follows:
version_1#64342190c66011ec99ffa247bd22c633:683da368-66cb-4ee7-90a9-ec1964768092:Aruba Central Guest Operator:ALL_SCOPES:00000000-0000-0000-0000-000000000000:Account Administrator:ALL_SCOPES

SAML Attributes Values
After configuring SAML attributes, use the following information to view and construct the hpe_ccs_attribute with the Platform Customer ID and the Application ID. To view the SAML attributes, perform the following steps.
1. On the Manage Account page, select the Authentication tile. The Authentication page displays.
2. Select the account you wish to view and click the ellipsis to display the drop-down list.


3. Click the View SAML Attribute link to display the SAML attribute values.

Attributes            Description
Entity                The entity ID is the company or organization entity ID URL.
Sign-On URL           The sign-on URL is the URL where SAML SSO authentication is enabled.
Platform Customer ID  The Platform Customer ID is a unique identifier created during SAML configuration.


Attributes              Description
GreenLake Platform ID   The GreenLake Platform ID is a unique identifier created during SAML configuration.
Applications            The Applications section lists the additional application names and IDs to which the SAML values apply.
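The hpe_ccs_attribute is the entire authorization decision for an SSO user: whatever roles and scope groups the IdP puts in it are what the platform grants. The Python below, added here as a worked example (it is not code from this guide or from HPE GreenLake), parses the attribute into its pcid and app-cid/role/scope triples, rejects malformed values instead of guessing, rebuilds the string from structured data, and answers the question "what role does this assertion give for application X on group Y". The AppGrant class, the function names, and the treatment of an empty scope field as ALL_SCOPES are this example's own choices; the two attribute strings it is tested against are the ones shown above.

```python
"""Parse, validate and build the hpe_ccs_attribute SAML attribute value.

Layout (version_1, as documented above):
    {version}#{pcid}:{app cid}:{role_name}:{scope_group_names}[:{app cid}:{role_name}:{scope_group_names}]...
Fields are colon-delimited; scope_group_names is ALL_SCOPES or a comma-separated list of groups.
"""
from dataclasses import dataclass

SUPPORTED_VERSIONS = {"version_1"}
ALL_SCOPES = "ALL_SCOPES"


@dataclass(frozen=True)
class AppGrant:
    app_cid: str
    role_name: str
    scope_groups: frozenset  # empty set means ALL_SCOPES (no restriction on scope groups)

    @property
    def all_scopes(self) -> bool:
        return not self.scope_groups


def parse_hpe_ccs_attribute(value: str):
    """Return (pcid, [AppGrant, ...]); raise ValueError for anything malformed.

    Assumption (this example's interpretation of the guide's note): an empty
    scope_group_names field is treated the same as ALL_SCOPES.
    """
    value = value.strip()
    if value.count("#") != 1:
        raise ValueError("expected exactly one '#' separating version from pcid")
    version, body = value.split("#")
    if version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported attribute version {version!r}")
    fields = body.split(":")
    pcid, triples = fields[0], fields[1:]
    if not pcid:
        raise ValueError("pcid is empty")
    if not triples or len(triples) % 3:
        raise ValueError("expected one or more app_cid:role_name:scope_group_names triples")
    grants = []
    for i in range(0, len(triples), 3):
        app_cid, role_name, scopes = (f.strip() for f in triples[i:i + 3])
        if not app_cid or not role_name:
            raise ValueError(f"empty app cid or role name in triple {i // 3 + 1}")
        if scopes in ("", ALL_SCOPES):
            groups = frozenset()
        else:
            groups = frozenset(g.strip() for g in scopes.split(",") if g.strip())
            if not groups:
                raise ValueError("scope_group_names contains no group names")
        grants.append(AppGrant(app_cid, role_name, groups))
    return pcid, grants


def build_hpe_ccs_attribute(pcid: str, grants) -> str:
    """Inverse of parse_hpe_ccs_attribute; refuses fields that would collide with a delimiter."""
    parts = [pcid]
    for g in grants:
        scopes = ALL_SCOPES if g.all_scopes else ",".join(sorted(g.scope_groups))
        parts += [g.app_cid, g.role_name, scopes]
    for p in parts:
        if not p or ":" in p or "#" in p:
            raise ValueError(f"field {p!r} is empty or contains a delimiter")
    return "version_1#" + ":".join(parts)


def grant_for(grants, app_cid: str, group: str):
    """Authorization check: the role the assertion grants for app_cid on group, or None (no access)."""
    for g in grants:
        if g.app_cid == app_cid and (g.all_scopes or group in g.scope_groups):
            return g.role_name
    return None
```

Because the role text is compared verbatim downstream, the parser deliberately does not normalise case or whitespace inside role names beyond trimming the field; an IdP that emits "aruba central administrator" should be fixed at the IdP, not accommodated here.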

Configuring RADIUS Authentication and Authorization
For RADIUS authentication, you must configure the IP address or hostname of the RADIUS server, the shared secret, and the authentication protocol.
Configuration Steps
To configure RADIUS servers to authenticate users, complete the following steps:
1. On the HPE GreenLake home page, click Manage. The Manage Account page displays.
2. On the Manage Account page, click the Authentication tile. The Authentication page displays.
3. On the Authentication tab, in the Authentication Method section, click Edit. The Authentication Method drop-down is displayed.
4. Select RADIUS from the drop-down list. Immediately after you select RADIUS, there is no RADIUS server available to select.
5. Click the Set up Radius Server button at the bottom of the page.
At this point, you cannot save changes to the authentication method until you configure a RADIUS server.
6. Enter the server details:
- Server Hostname or IP Address: Hostname or IP address of the RADIUS server that validates the credentials.
- Port Number: UDP port on which the server accepts authentication requests.
- Server Secret: The shared secret configured for this client on the RADIUS server. It authenticates the request and response packets and, when PAP is used, is the only thing that obscures the user's password on the wire, so use a long random value and do not reuse it across clients.
- Authentication Protocol: Select one of the two supported methods, PAP or PEAP-MSCHAPV2. With PAP the password is sent in the Access-Request, hidden only by an MD5 stream derived from the shared secret; PEAP-MSCHAPv2 carries the credential exchange inside a TLS tunnel to the server.
7. Click Add. You are taken back to the Authentication page.
8. Optionally, set up a secondary server for validation. Click Set Up Radius Server again, enter the details for the secondary server, and click Add.


- The authentication protocol that you selected for the primary server is auto-populated as the default for the secondary server.
- If authentication fails with the primary server, the request is sent to the secondary server. If both fail, the request is authenticated against the default Local User Database. This fallback means that local accounts remain usable whenever RADIUS authentication fails, so keep them to the minimum needed for recovery.
- All node IP addresses must be configured as RADIUS clients on the RADIUS server; a RADIUS server silently discards requests from clients for which it has no shared secret.
9. Click Save Changes. The Change Authentication Method confirmation box appears.
10. Click Confirm Change to confirm the authentication method change from the Local User Database to RADIUS.
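To make the PAP choice concrete, the following Python, added here as an example and not code from this guide or from Aruba Central, builds the RADIUS Access-Request a client sends for PAP and implements the RFC 2865 section 5.2 User-Password hiding: the password is padded to 16-byte blocks and XORed with MD5(secret + previous block), seeded by the random Request Authenticator. The same routine run backwards with the shared secret recovers the password, which is exactly what the server does and what an eavesdropper who knows or brute-forces a weak secret can do. The function names, the sample username, password and secret are this example's own.

```python
"""RADIUS Access-Request with PAP User-Password hiding (RFC 2865 sections 3, 5.1, 5.2).

The password is not encrypted in any modern sense: it is XORed with an MD5 keystream
derived from the shared secret and the 16-byte Request Authenticator. Whoever has the
shared secret recovers it.
"""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a 16-byte multiple, then c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server (or anyone holding the secret) computes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: bytes = None):
    """Return (packet, authenticator). The authenticator is random unless supplied (for tests)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(packet: bytes):
    """Yield (type, value) pairs from a RADIUS packet, validating every Length field."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("packet Length field does not match the data")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 3 or pos + l > length:
            raise ValueError("malformed attribute")
        yield t, packet[pos + 2:pos + l]
        pos += l
```

Run reveal_password with a wrong secret and you get garbage, which is the whole protection PAP offers; it is why the secret must be long and random and why PEAP-MSCHAPv2 (a TLS tunnel to the server) is the better choice where the server supports it.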
Configuring a RADIUS Service in Aruba ClearPass Policy Manager
For RADIUS authentication, you must configure a RADIUS enforcement service in Aruba ClearPass Policy Manager. Note the following points while configuring the enforcement service:
- Ensure that you have access to the ClearPass Policy Manager instance.
- Only the admin user can configure the enforcement service.
- If no role is returned in the RADIUS response for the user, Central denies access to the user.
- If no group is returned in the RADIUS response for the user, Central denies access to the user.
To configure the RADIUS enforcement service in ClearPass Policy Manager, follow the steps in the ClearPass Policy Manager User Guide available on the Aruba Support portal. While configuring the enforcement service, make sure you choose the following options:
1. Under Configuration > Services, click Add at the top right corner of the page.
2. Select the Strip Username Rules check box to pre-process the username (remove the domain suffix) before authenticating and authorizing against the authentication source.

Figure 13 Sample Figure for Services

3. Under Configuration > Enforcement > Profiles, click Add at the top right corner of the page.
4. When adding the enforcement profile for the user, click Attributes and set the attributes as shown in the table below:

Table 28: Attributes table

Type          Name                      Value
Radius:Aruba  Aruba-Admin-Role          Select the role assigned to the user.
Radius:Aruba  Aruba-Admin-DeviceGroup   Select the group assigned to the user. Use a comma-separated list when multiple groups are assigned. If the user has access to all groups, provide the value allgroups.

Figure 14 Sample Figure for role and groups assignment


RADIUS Server User Roles
A role is a logical entity used to determine a user's access to devices and applications. Central roles for RADIUS server users must be updated to the new roles supported by HPE GreenLake. Custom role names cannot be assigned if they match one of the previous predefined role names. The following table describes the new RADIUS server roles:

Table 29: User Roles

Existing Central Role   New Role
admin                   Aruba Central Administrator
readonly                Aruba Central View Only
readwrite               Aruba Central view edit role
guestoperator           Aruba Central Guest Operator
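The enforcement profile above is delivered to Central as Aruba vendor-specific attributes (VSAs) inside the RADIUS Access-Accept, and the two rules from the ClearPass section (no role means no access, no group means no access) plus the role mapping in Table 29 are what a consumer has to apply to them. The Python below, added as a worked example rather than code from this guide or from Central, encodes and decodes the VSA framing of RFC 2865 section 5.26 and makes that access decision. It assumes Aruba's IANA enterprise number 14823 and vendor type 4 for Aruba-Admin-Role, as in the publicly distributed Aruba RADIUS dictionary; the vendor type used for Aruba-Admin-DeviceGroup is a placeholder and must be taken from the dictionary loaded in your ClearPass. Sample attribute values are constructed.

```python
"""Decode Aruba VSAs from a RADIUS Access-Accept and apply Central's role/group access rule."""
import struct

ATTR_VENDOR_SPECIFIC = 26
ARUBA_VENDOR_ID = 14823         # Aruba's IANA enterprise number (assumption, see lead-in)
ARUBA_ADMIN_ROLE = 4            # Aruba-Admin-Role vendor type in the public Aruba dictionary
ARUBA_ADMIN_DEVICEGROUP = 46    # PLACEHOLDER: look up Aruba-Admin-DeviceGroup in your dictionary
ALL_GROUPS = "allgroups"

# Table 29: legacy Central role names mapped to the HPE GreenLake role names.
LEGACY_ROLE_MAP = {
    "admin": "Aruba Central Administrator",
    "readonly": "Aruba Central View Only",
    "readwrite": "Aruba Central view edit role",
    "guestoperator": "Aruba Central Guest Operator",
}


def aruba_vsa(vendor_type: int, value: bytes) -> bytes:
    """One Aruba VSA: attr 26 | length | vendor-id(4) | vendor-type | vendor-length | value."""
    if not 1 <= len(value) <= 247:
        raise ValueError("VSA value must be 1..247 octets")
    inner = struct.pack("!IBB", ARUBA_VENDOR_ID, vendor_type, len(value) + 2) + value
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(inner) + 2) + inner


def decode_aruba_vsas(attrs: bytes):
    """Walk a RADIUS attribute blob; yield (vendor_type, value) for Aruba VSAs, skip everything else."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + length]
        pos += length
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id, = struct.unpack("!I", value[:4])
        if vendor_id != ARUBA_VENDOR_ID:
            continue
        sub = value[4:]
        while sub:
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            yield sub[0], sub[2:sub[1]]
            sub = sub[sub[1]:]


def authorize(attrs: bytes):
    """Return {'role': <GreenLake role>, 'groups': [names] or ALL_GROUPS}, or None to deny access."""
    role = groups = None
    for vendor_type, value in decode_aruba_vsas(attrs):
        if vendor_type == ARUBA_ADMIN_ROLE:
            role = value.decode("utf-8").strip()
        elif vendor_type == ARUBA_ADMIN_DEVICEGROUP:
            groups = value.decode("utf-8").strip()
    if not role or not groups:
        return None                              # guide: missing role or missing group -> no access
    role = LEGACY_ROLE_MAP.get(role, role)       # legacy name -> new name; custom names pass through
    if groups.lower() == ALL_GROUPS:
        return {"role": role, "groups": ALL_GROUPS}
    names = [g.strip() for g in groups.split(",") if g.strip()]
    return {"role": role, "groups": names} if names else None
```

Note that the last-seen value wins if ClearPass emits an attribute twice; if your policy can produce that, decide explicitly whether duplicates should be an error rather than relying on ordering.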


Chapter 8 Upgrading Device Firmware

Upgrading Device Firmware
The Firmware page provides an overview of the latest firmware version supported on the device, details of the device, and the option to upgrade the device.
Viewing Firmware Details
To view the firmware details for devices provisioned in Aruba Central On-Premises:
1. In the Aruba Central On-Premises app, select one of the following options:
- To select a group in the filter, set the filter to one of the options under Group. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
- To select a device in the filter:
  a. Set the filter to Global.
  b. Under Manage, click Devices, and then click Access Points, Switches, or Controllers. A list of devices is displayed.
  c. Click a device listed under Device Name. The dashboard context for the device is displayed.
2. Under Maintain, click Firmware.
Firmware Maintenance Window
The data pane items and their descriptions are as follows:
1. Access Points: Displays the following information:
- Name: Name of the AP. The sort arrows allow you to sort the names in ascending or descending order. Clicking the device name opens a window with connected APs and allows you to select and view the device Summary page. For more information, see Wireless Client Details.
- Group: Displays the group information only in the global context. The sort arrows allow you to sort the groups in ascending or descending order.
- Site: Displays the site information only in the global context. The sort arrows allow you to sort the sites in ascending or descending order.
- Firmware Version: The current firmware version running on the device. The sort arrows allow you to sort the firmware versions in ascending or descending order.
- Recommended Version: The version to which the device is recommended to upgrade.
- Upgrade Status: Filters the device list on any of the following firmware upgrade statuses:
  - New firmware available
  - Scheduled
  - In progress
  - Failed
  - Firmware up to date


- Compliance Status: Status of the firmware compliance setting. Based on the setting, the column displays one of the following values:
  - Set
  - Not Set
  - Compliance scheduled on
  Hover over any device to view the version number and compliance level configured for a set compliance; for a scheduled compliance, the hover shows the date, time (UTC), firmware version number, and configured compliance level.
Clicking the device name in the Name column opens a window with connected APs and allows you to select and view the device Summary page. For more information, see Wireless Client Details. Click any site name in the Site column to view the firmware details page for the APs associated with that site.
2. Switches: Displays the following details about the switches managed through Aruba Central On-Premises:
- Name: Host name of the switch. The sort arrows allow you to sort the names in ascending or descending order.
- Family: Displays the switch type, AOS-S or CX. This information is available only for AOS-S and AOS-CX switches managed by Aruba Central On-Premises.
- Site: Displays the site information only in the global context. The sort arrows allow you to sort the sites in ascending or descending order.
- Group: Displays the group information only in the global context. The sort arrows allow you to sort the groups in ascending or descending order.
- MAC Address: MAC address of the switch. The sort arrows allow you to sort the addresses in ascending or descending order.
- Model: Hardware model of the switch. The sort arrows allow you to sort the models in ascending or descending order.
- Firmware Version: The current firmware version running on the switch. The sort arrows allow you to sort the firmware versions in ascending or descending order.
- Recommended Version: The version to which the switch is recommended to upgrade.
- Upgrade Status: Filters the device list on any of the following firmware upgrade statuses:
  - New firmware available
  - Scheduled
  - In progress
  - Failed
  - Firmware up to date
- Compliance Status: Status of the firmware compliance setting. Based on the setting, the column displays one of the following values:
  - Set
  - Not Set
  - Compliance scheduled on
  Hover over any device to view the version number and compliance level configured for a set compliance; for a scheduled compliance, the hover shows the date, time (UTC), firmware version number, and configured compliance level.
- The Switches tab displays details of both AOS-S and AOS-CX switches.
3. Controllers: Displays the following details about the controllers managed through Aruba Central On-Premises in standalone mode and in cluster mode:
a. Standalone mode:
- Name: Host name of the controller. The sort arrows allow you to sort the names in ascending or descending order.
- Site: Displays the site information only in the global context. The sort arrows allow you to sort the sites in ascending or descending order.
- Group: Displays the group information only in the global context. The sort arrows allow you to sort the groups in ascending or descending order.
- MAC Address: MAC address of the controller. The sort arrows allow you to sort the addresses in ascending or descending order.
- Model: Hardware model of the controller. The sort arrows allow you to sort the models in ascending or descending order.
- Firmware Version: The current firmware version running on the controller. The sort arrows allow you to sort the firmware versions in ascending or descending order.
- Recommended Version: The version to which the controller is recommended to upgrade.
- Upgrade Status: Filters the device list on any of the following firmware upgrade statuses:
  - New firmware available
  - Scheduled
  - In progress
  - Failed
  - Firmware up to date
- Compliance Status: Status of the firmware compliance setting. Based on the setting, the column displays one of the following values:
  - Set
  - Not Set
  - Compliance scheduled on
  Hover over any device to view the version number and compliance level configured for a set compliance; for a scheduled compliance, the hover shows the date, time (UTC), firmware version number, and configured compliance level.
b. Cluster mode:
- Name: Host name of the controller. The sort arrows allow you to sort the names in ascending or descending order.
- Group: Displays the group information only in the global context. The sort arrows allow you to sort the groups in ascending or descending order.
- Firmware Version: The current firmware version running on the controller. The sort arrows allow you to sort the firmware versions in ascending or descending order.
- Upgrade Status: Filters the device list on any of the following firmware upgrade statuses:
  - New firmware available
  - Scheduled
  - In progress
  - Failed
  - Firmware up to date
- Compliance Status: Status of the firmware compliance setting. Based on the setting, the column displays one of the following values:
  - Set
  - Not Set
  - Compliance scheduled on
  Hover over any device to view the version number and compliance level configured for a set compliance; for a scheduled compliance, the hover shows the date, time (UTC), firmware version number, and configured compliance level.
4. Set Compliance: Allows you to set firmware compliance for the devices in a group. Click Set Compliance and turn on the toggle switch to enable compliance and view the list of supported firmware versions for each device in a group on the Manage Firmware Compliance page.
a. Set Compliance for Access Points: On the Manage Firmware Compliance page, complete the following parameters:
- Groups: Select one or more groups for which compliance must be set. Select All Groups to set compliance for all groups.
- Firmware Version: Select the firmware version to enforce from the drop-down list.
- When: Select one of the following radio buttons to specify whether compliance is enforced immediately or at a later date and time:
  - Now: Enforce compliance immediately.
  - Later Date: Enforce compliance at a later date and time in a specific time zone.
- Click Save to save the firmware compliance with the above settings. To clear the compliance, turn off the toggle switch.
b. Set Compliance for Switches: On the Manage Firmware Compliance page, complete the following parameters:
- Groups: Select the group for which compliance must be set. Select a specific group to set compliance at group level.
- AOS-S Firmware Version: Select the AOS-S firmware version to enforce from the drop-down list.
- CX Firmware Version: Select the Aruba CX switch firmware version to enforce from the drop-down list.
- When: Select one of the following radio buttons to specify whether compliance is enforced immediately or at a later date and time:
  - Now: Enforce compliance immediately.
  - Later Date: Enforce compliance at a later date and time in a specific time zone.
- Install on: Use the drop-down to select the primary or the secondary partition to install to.
- Automatically reboot to complete the upgrade: Select this check box to reboot the device automatically after the image has been downloaded to it. On reboot, the new image is installed on the device.
- Click Save to save the firmware compliance with the above settings. To clear the compliance, turn off the toggle switch.
Aruba Central On-Premises lists all available Aruba CX switch software versions. Select the software version that applies to the Aruba CX switch for which compliance is being set. For example, version 10.04.0020 is not applicable to the Aruba CX 6200 and 6400 switch series.
c. Set Compliance for Controllers in Standalone Mode: On the Manage Firmware Compliance page, complete the following parameters:
- Groups: Select one or more groups for which compliance must be set. Select All Groups to set compliance for all groups.
- Firmware Version: Select the firmware version to enforce from the drop-down list.
- When: Select one of the following radio buttons to specify whether compliance is enforced immediately or at a later date and time:
  - Now: Enforce compliance immediately.
  - Later Date: Enforce compliance at a later date and time in a specific time zone.
- Install on: Use the drop-down to select the primary or the secondary partition to install to.
- Automatically reboot to complete the upgrade: Select this check box to reboot the device automatically after the image has been downloaded to it. On reboot, the new image is installed on the device.
- Click Save to save the firmware compliance with the above settings. To clear the compliance, turn off the toggle switch.
d. Set Compliance for Controllers in Cluster Mode: On the Manage Firmware Compliance page, complete the following parameters:
- Groups: Select one or more groups for which compliance must be set. Select All Groups to set compliance for all groups.
- Firmware Version: Select the firmware version to enforce from the drop-down list.
- When: Select one of the following radio buttons to specify whether compliance is enforced immediately or at a later date and time:
  - Now: Enforce compliance immediately.
  - Later Date: Enforce compliance at a later date and time in a specific time zone.
- Install on: Use the drop-down to select the primary or the secondary partition to install to.
- Auto Reboot (Automatically reboot to complete the upgrade): Select this check box to reboot the device automatically after the image has been downloaded to it. On reboot, the new image is installed on the device.
- Click Save to save the firmware compliance with the above settings. To clear the compliance, turn off the toggle switch.
5. Upgrade All: Allows you to upgrade the firmware of all devices at once. Click Upgrade All to view the list of supported firmware versions for each device.
a. To upgrade all Access Points: Click Upgrade All and complete the following parameters on the Upgrade Access Points Firmware page:
- Sites: Select one or more sites whose devices are to be upgraded. You can also search for a site in the search filter.
- Firmware Version: Select the firmware version to upgrade to from the drop-down list. Select None to select no firmware version.
- When: Select one of the following radio buttons to specify whether the upgrade runs immediately or at a later date and time:
  - Now: Run the upgrade immediately.
  - Later Date: Run the upgrade at a later date and time in a specific time zone.
- Upgrade: Click this button to start the upgrade with the above settings.
- Schedule: Click this button to schedule the upgrade with the above settings.
- Cancel: Click this button to cancel the upgrade.
When upgrading a large number of APs, the cancel operation may not work as intended and the upgrade continues.
b. To upgrade all Switches: Click Upgrade All and complete the following parameters on the Upgrade Switch Firmware page:
- Sites: Select one or more sites whose devices are to be upgraded. You can also search for a site in the search filter.
- AOS-S Firmware Version: Select the AOS-S firmware version to upgrade to from the drop-down list.
- CX Firmware Version: Select the CX switch firmware version to upgrade to from the drop-down list.
- Auto Reboot: Select this check box to reboot the device automatically after the image has been downloaded to it. On reboot, the new image is installed on the device.
- When: Select one of the following radio buttons to specify whether the upgrade runs immediately or at a later date and time:
  - Now: Run the upgrade immediately.
  - Later Date: Run the upgrade at a later date and time in a specific time zone.
- Upgrade: Click this button to start the upgrade with the above settings.
- Schedule: Click this button to schedule the upgrade with the above settings.
- Cancel: Click this button to cancel the upgrade.
c. To upgrade all Controllers in Standalone Mode: Click Upgrade All and complete the following parameters on the Upgrade Controller Firmware page:
- Sites: Select one or more sites whose devices are to be upgraded. You can also search for a site in the search filter.
- Firmware Version: Select the firmware version to upgrade to from the drop-down list.
- Auto Reboot: Select this check box to reboot the device automatically after the image has been downloaded to it. On reboot, the new image is installed on the device.
- When: Select one of the following radio buttons to specify whether the upgrade runs immediately or at a later date and time:
  - Now: Run the upgrade immediately.
  - Later Date: Run the upgrade at a later date and time in a specific time zone.
- Upgrade: Click this button to start the upgrade with the above settings.
- Schedule: Click this button to schedule the upgrade with the above settings.
- Cancel: Click this button to cancel the upgrade.
d. To upgrade all Controllers in Cluster Mode: Click Upgrade All and complete the following parameters on the Upgrade Controller Firmware page:
- Firmware Version: Select the firmware version to upgrade to from the drop-down list.
- Auto Reboot: Select this check box to reboot the device automatically after the image has been downloaded to it. On reboot, the new image is installed on the device.
- When: Select one of the following radio buttons to specify whether the upgrade runs immediately or at a later date and time:
  - Now: Run the upgrade immediately.
  - Later Date: Run the upgrade at a later date and time in a specific time zone.
- Upgrade: Click this button to start the upgrade with the above settings.
- Schedule: Click this button to schedule the upgrade with the above settings.
- Cancel: Click this button to cancel the upgrade.
6. Upload: Allows you to upload a software image for multiple devices.
7. Search Filter: Allows you to define a filter criterion for searching devices based on the following properties:
- Common to all devices: Name, Firmware Version, Recommended Version, and Upgrade Status of the device.
- Specific to switches and controllers: MAC Address and Model.
8. Column Filter: Click the filter icon to customize the table columns or restore the default view.
9. Continue: Allows you to continue with the firmware upgrade.
10. Cancel Upgrade: Cancels a scheduled upgrade.
11. Cancel All: Cancels the scheduled upgrade for all devices.


Uploading a Software Image
To upload a software image for a device:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Firmware > Upload.
3. From the Device list drop-down, select the device type for which you want to upload the software image.
4. Click Choose File to browse your local directory and select the software image.
5. Click Upload. The details of the uploaded file are displayed in the Uploaded Files table.
This section also includes the following topics:
- Upgrading a Single Device or Multiple Devices
- Upgrading Devices using Upgrade All Option
- Setting Firmware Compliance For Access Points
- Setting Firmware Compliance For Switches
- Setting Firmware Compliance For Controllers
Upgrading a Single Device or Multiple Devices
Aruba Central On-Premises allows you to upgrade a single device or multiple devices as follows:
1. In the Aruba Central On-Premises app, select one of the following options:
a. To select a group, a site, or global in the filter:
- Set the filter to one of the options under Group or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
- Under Maintain, click Firmware.
- Select one or more devices from the device list and click the Upgrade icon at the bottom of the page, or hover over one of the selected devices and click the Upgrade icon. The Upgrade <Device> Firmware pop-up window opens.
b. To select a device in the filter:
- Set the filter to Global.
- Under Manage, click Devices, and then click Access Points, Switches, or Controllers. A list of devices is displayed.
- Click a device listed under Device Name. The dashboard context for the device is displayed.
- Under Maintain, click Firmware, and then click Upgrade in the Firmware Details window. The Upgrade <Device> Firmware pop-up window opens.
2. In the Upgrade <Device> Firmware pop-up window, select the appropriate firmware version. You can either select a recommended version or manually choose a specific firmware version.
- To obtain custom build details, contact Aruba Central On-Premises Technical Support.
- The recommended firmware version can differ between devices, depending on the device model and software architecture.

3. Select one of the following radio buttons to specify whether the upgrade runs immediately or at a later date and time:
- Now: Run the upgrade immediately.
- Later Date: Run the upgrade at a later date and time. Select a time zone from the Select Zone drop-down to schedule the upgrade in that zone's local time.
4. From the Install On drop-down, select one of the following partition options:
- Primary partition: Install the firmware version in the primary partition.
- Secondary partition: Install the firmware version in the secondary partition.
5. Select the check box if you want the device to reboot automatically after the upgrade.
The Auto Reboot option is available for AOS-S and AOS-CX switches, and for controllers.
6. Click Upgrade. The device downloads the image from the server, saves it to flash, and reboots. Depending on the progress and outcome of the upgrade, one of the following messages is displayed:
- Upgrading: The image upgrade is in progress.
- Upgrade failed: The upgrade has failed.
7. If the upgrade fails, retry upgrading the device.
After upgrading a switch, click Reboot.
Upgrading Devices using Upgrade All Option
To upgrade multiple devices using the Upgrade All option, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Group or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Firmware. The firmware dashboard for Access Points is displayed by default.
3. Click Upgrade All. The Upgrade <Device> Firmware pop-up window opens.
4. In the Upgrade <Device> Firmware pop-up window, select one or more sites from the Sites drop-down list. This option is available only in the global context.
5. Select the appropriate firmware version (for Access Points and Controllers), or the AOS-S firmware version and CX firmware version (for AOS-S and AOS-CX switches), from the respective drop-down lists. You can either select a recommended version or manually choose a specific firmware version.
- To obtain custom build details, contact Aruba Central Technical Support.
- The recommended firmware version can differ between devices, depending on the device model and software architecture.


6. Select one of the following radio buttons to specify whether the upgrade runs immediately or at a later date and time:
- Now: Run the upgrade immediately.
- Later Date: Run the upgrade at a later date and time. Select a time zone from the Select Zone drop-down to schedule the upgrade in that zone's local time.
7. From the Install On drop-down, select one of the following partition options:
- Primary partition: Install the firmware version in the primary partition.
- Secondary partition: Install the firmware version in the secondary partition.
8. Select the check box if you want the devices to reboot automatically after the upgrade.
The Auto Reboot option is available for AOS-S and AOS-CX switches, and for controllers.
9. Click Upgrade. Each device downloads the image from the server, saves it to flash, and reboots. Depending on the progress and outcome of the upgrade, one of the following messages is displayed:
- Upgrading: The image upgrade is in progress.
- Upgrade failed: The upgrade has failed.
10. If the upgrade fails, retry upgrading the device.
After upgrading a switch, click Reboot.
Setting Firmware Compliance For Access Points
Aruba Central On-Premises allows you to run a firmware compliance check and force a firmware upgrade for all APs in a group. To force a specific firmware version for all APs in a group, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware. The Access Points tab is selected by default.
2. Verify the firmware upgrade status for all APs.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple groups, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select one of the following radio buttons to specify whether compliance is enforced immediately or at a later date and time:
- Now: Enforce compliance immediately.
- Later Date: Enforce compliance at a later date and time. Select a time zone from the Select Zone drop-down to schedule the upgrade in that zone's local time.
Upgrading Device Firmware | 156

7. Click Save. Aruba Central On-Premises initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.
Setting Firmware Compliance For Switches
To force a specific firmware version for all Aruba switches in a group, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware > Switches tab.
2. Verify the firmware upgrade status for all switches.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple groups, or All Groups.
5. Select an AOS-S firmware version from the AOS-S Firmware Version drop-down list.
6. Select a CX firmware version from the CX Firmware Version drop-down list.
7. If you want to upgrade the firmware from a local server, turn on the toggle switch and provide the base URL and path of the selected CX firmware version.
8. Select one of the following radio buttons to specify whether the compliance must be carried out immediately or at a later date and time:
- Now--Carries out the compliance immediately.
- Later Date--Carries out the compliance at the specified later date and time. Select a time zone from the Select Zone drop-down list to schedule the upgrade in that zone's local time.
9. From the Install On drop-down list, select one of the following partition options:
- Primary partition--Installs the firmware version in the primary partition.
- Secondary partition--Installs the firmware version in the secondary partition.
10. Select the check box if you want Aruba Central On-Premises to automatically reboot the device after the upgrade.
11. Click Save. Aruba Central On-Premises initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.
Setting Firmware Compliance For Controllers
To force a specific firmware version for all controllers in standalone mode, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware > Controllers tab. All controllers in standalone mode are displayed.
2. Verify the firmware upgrade status for all controllers.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple groups, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select one of the following radio buttons to specify whether the compliance must be carried out immediately or at a later date and time:
- Now--Carries out the compliance immediately.
- Later Date--Carries out the compliance at the specified later date and time. Select a time zone from the Select Zone drop-down list to schedule the upgrade in that zone's local time.
7. From the Install On drop-down list, select one of the following partition options:
- Primary partition--Installs the firmware version in the primary partition.
- Secondary partition--Installs the firmware version in the secondary partition.
8. Select the check box if you want Aruba Central On-Premises to automatically reboot the device after the upgrade.
9. Click Save. Aruba Central On-Premises initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.
To force a specific firmware version for all controllers in cluster mode, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware > Controllers tab. All controllers in cluster mode are displayed.
2. Verify the firmware upgrade status for all controllers.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple groups, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select one of the following radio buttons to specify whether the compliance must be carried out immediately or at a later date and time:
- Now--Carries out the compliance immediately.
- Later Date--Carries out the compliance at the specified later date and time. Select a time zone from the Select Zone drop-down list to schedule the upgrade in that zone's local time.
7. From the Install On drop-down list, select one of the following partition options:
- Primary partition--Installs the firmware version in the primary partition.
- Secondary partition--Installs the firmware version in the secondary partition.
8. Select the check box if you want Aruba Central On-Premises to automatically reboot the device after the upgrade.
9. Click Save. Aruba Central On-Premises initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

Chapter 9 Network Structure
Network Structure
The Network Structure page shows a tile view of the groups, sites, labels, install manager, and certificates sections. Click a tile to navigate to the corresponding page in Aruba Central On-Premises.
Viewing the Network Structure Page
To view the Network Structure page, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization.
3. Select the Network Structure tab. The Network Structure page is displayed.
Figure 15 Network Structure Page

The Network Structure page displays a tile view of the following sections:
- Groups--Displays the number of groups and the number of unprovisioned devices. Click the tile to navigate to the Groups page.
- Sites--Displays the number of sites and the number of unassociated devices. Click the tile to navigate to the Managing Sites page.
- Labels--Displays the number of labels and the number of unassociated devices. Click the tile to navigate to the Managing Labels page.
- Device Preprovisioning--Displays the number of devices that are pre-provisioned to a group.
- Certificates--Displays the number of certificates available to upload. Click the tile to navigate to the Managing Certificates page.
Managing Groups
Aruba Central On-Premises simplifies the configuration workflow for managed devices by allowing administrators to combine a set of devices into groups. A group in Aruba Central is the primary configuration element that functions as a container for device management, monitoring, and maintenance. Groups enable administrators to manage devices efficiently by using either a UI-based configuration workflow or a CLI-based configuration template.
Groups provide the following functions and benefits:
- Ability to provision multiple devices in a single group. For example, a group can consist of multiple AP Virtual Controllers (VCs). These VCs can share common configuration settings and push the configuration updates to the member APs in their respective AP clusters. For example, you can apply a common security policy to the devices deployed in a specific geographical location.
- Ability to provision different types of devices in a group. For example, a group can consist of APs and Switches.
- Ability to create a configuration base and add devices as necessary. When you assign a new device to a group, it inherits the configuration that is currently applied to the group.
- Ability to create a clone of an existing group. If you want to build a new group based on an existing group, you can create a clone of the group and customize it as per your network requirements.
Note the following:
- A device can be part of only one group at any given time.
- Groups in Aruba Central are mutually exclusive (independent) and do not follow a hierarchical model.
The following figure illustrates a generic group deployment scenario in Aruba Central.
Figure 16 Group Deployment
Group Operations
The following list shows the most common tasks performed at a group level:
- Configuration--Add, modify, or delete configuration parameters for devices in a group.
- User Management--Control user access to device groups and group operations based on the type of user role.
- Device Status and Health Monitoring--View device health and performance for devices in a specific group.
- Report Generation--Run reports per group.
- Alerts and Notifications--View and configure notification settings per group.
- Firmware Upgrades--Enforce firmware compliance across all devices in a group.
Group Configuration Modes
Aruba Central allows network administrators to manage device configuration using either UI workflows or configuration templates:
- UI-based configuration method--For device groups that use UI-based workflows, Aruba Central provides a set of UI menu options. You can use these UI menu options to configure devices in a group. You can also secure the UI-based device groups with a password and thus restrict user access.
- Template-based configuration method--For device groups that use a template-based workflow, Aruba Central allows you to manage devices using configuration templates. A device configuration template includes a set of CLI commands and variable definitions that can be applied to all other devices deployed in a group.
- If your site or store has different types of devices, such as Instant APs, Switches, and Controllers, and you want to manage these devices using different configuration methods, that is, either the UI or template-based workflows, you can create a single group and define the configuration method to use for each type of device. This allows you to use a single group for both UI and template-based configuration and eliminates the need to create separate groups for each configuration method.
- For example, you can create a group with the name Group1 and, within this group, enable the template-based configuration method for switches and the UI-based configuration method for APs and Controllers. Aruba Central identifies both these groups under a single name (Group1). If a device type in the group is marked for the template-based configuration method, the group name is prefixed with TG (TG Group1). You can use Group1 as the group ID for workflows such as user management, monitoring, reports, and audit trail.
- When you add APs, Controllers, and switches to a group, Aruba Central groups these devices based on the configuration method you chose for the device type, and displays the relevant workflows when you access the respective configuration menu.
For information on how to create a group, see Groups.
Default Groups and Unprovisioned Devices
The default group is a system-defined group to which Aruba Central assigns all new devices with factory default configuration. When a new device with factory default configuration connects to Aruba Central, it is automatically added to the default group.
If a device has customized configuration and connects to Aruba Central, Aruba Central marks the device as Unprovisioned. If you want to preserve the device configuration, you can create a new group and assign this device to the newly created group. If you want to overwrite the configuration, you can move the unprovisioned device to an existing group.
The unprovisioned state does not apply to Aruba Switches as only the factory-default switches can join Aruba Central.


Best Practices and Recommendations
Use the following best practices and recommendations for deploying devices in groups:
- Determine the configuration method (UI or template-based) to use based on your deployment, configuration, and device management requirements.
- If there are multiple sites with similar characteristics, for example the same device management and configuration requirements, assign the devices deployed in those sites to a single group.
- Apply device-level or cluster-level configuration changes if necessary.
- Use the group cloning feature if you need to create a group with the configuration settings of an existing group.
- If user access to a particular site must be restricted, create separate groups for each site.
Groups
The Groups page allows you to create, edit, or delete a group, view the list of groups provisioned in Aruba Central, and assign devices to groups. This section describes the following topics:
- Creating a Group
- Group Persona
- Creating a Group Persona with ArubaOS 8.x Architecture
- Creating Groups for Switches
- Assigning Devices to Groups
- Viewing Groups and Associated Devices
- Creating a New Group by Importing Configuration from a Device
- Cloning a Group
- Moving Devices between Groups
- Deleting a Group
- Setting up Password for Devices in a Group
Creating a Group
Aruba Central On-Premises allows you to manage configuration for different types of devices, such as Aruba APs, controllers, and switches in your inventory. These devices can be configured using either UI workflows or configuration templates. You define your preferred configuration method when creating a group. After you assign devices to a group, when you access the configuration containers, Aruba Central On-Premises automatically displays the relevant configuration options based on the configuration method you defined for the device group. For more information, see Creating a Group Persona with ArubaOS 8.x Architecture.
Group Persona
A persona of a device represents the role that the device plays in a network deployment. Creating a persona for devices helps customize configuration workflows, automate parts of the configuration, show the default configuration, and show the settings relevant to the device. Persona configuration also helps customize the monitoring screens and troubleshooting workflows appropriate for the device.

Creating a Persona
Persona can be created when creating a group. Persona and architecture can be set at the group level. All devices within a group inherit the same persona from the group settings. While creating a group, the architecture and persona settings of the current group can be marked as preferred settings for adding subsequent groups. For subsequent groups, you can either automatically apply the preferred settings or manually select settings for the new group.
Persona for Access Points
Access Points can have the Campus/Branch persona, where the AP provides the WLAN functionality.
Persona for Controllers
Controllers can have the Branch persona, where the controllers provide Aruba Instant OS SD-Branch (LAN + WAN) functionality.
Architecture
The ArubaOS 8 architecture is supported for creating groups. It is an Instant AP-based deployment, including 6.x/8.x IAP, IAP-VPN, or 8.x SD-Branch deployments.
Creating a Group Persona with ArubaOS 8.x Architecture
To manage device configuration using configuration containers in Aruba Central, you can create a group and assign devices. During the group creation, you can assign a device persona and select an architecture for the group.
Adding a Group
To add a group and assign a persona and ArubaOS 8 architecture, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Click (+) Add Group on the Groups table. The Add Group page is displayed.
5. Enter a name for the group.
The group name can be a maximum of 32 single-byte ASCII characters if you use the UI to create the names. However, if you are using an NB API, the character limit increases to 128. A group name supports alphanumeric characters and only "-", "_", and space as special characters. System-defined group names such as "default", "unprovisioned", and "global" are not allowed in group names.
By default, Aruba Central enables the UI-based configuration. The template-based configuration is displayed only when you select devices in the Add group page. Use the toggle button to enable Configure using templates.


6. Select the device types that will be part of this group. A group can contain the following devices:
- Access points
- Controllers
- Switches
For detailed device combinations, refer to the Device Combinations for a Group Persona table.
7. Click Next. By default, the ArubaOS 8 architecture is applied for access points and controllers.
8. Optionally, select the Make these the preferred group settings check box to save the architecture and persona settings of the current group for subsequent group creations.
9. Click Add. A group with persona configuration is created.

Note the following:
- A group created by a user role that has read and write access is displayed in the Groups list only after that group is assigned to the user by the administrator on HPE GreenLake. For information about how to assign a group to the user, see Managing User Identity Access.
- You can also create a group that uses different provisioning methods for the switch and IAP device categories. For example, you can create a group with the template-based provisioning method for switches and the UI-based provisioning method for Instant APs.

Device Combinations
The following table lists the valid combinations for a group persona with ArubaOS 8 architecture.

Table 30: Device Combinations for a Group Persona

| Device Type | Architecture | AP Network Role | Controller Network Role | Switches | Monitoring Only |
|---|---|---|---|---|---|
| APs | ArubaOS 8 | Campus/Branch | N/A | N/A | N/A |
| Controllers | ArubaOS 8 | N/A | Branch | N/A | N/A |
| Switches | No architecture | N/A | N/A | AOS-CX only; AOS-S only; Both AOS-CX and AOS-S | Monitoring only for AOS-S (not applicable for AOS-CX only switch types) |
| APs and Controllers | ArubaOS 8 | Campus/Branch | Branch | N/A | N/A |
| APs and Switches | ArubaOS 8 | Campus/Branch | N/A | AOS-CX only; AOS-S only; Both AOS-CX and AOS-S | Monitoring only for AOS-S (not applicable for AOS-CX only switch types) |
| APs, Controllers, and Switches | ArubaOS 8 | Campus/Branch | Branch | AOS-CX only; AOS-S only; Both AOS-CX and AOS-S | Monitoring only for AOS-S (not applicable for AOS-CX only switch types) |


Editing a Group
You can edit a group to add a new device type to the group. The group architecture and persona cannot be changed through group edit. You can mark the settings of an edited group as preferred settings for subsequent group creations. To edit a group, complete the following steps:
1. From the Aruba Central On-Premises app, filter All Groups.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. To edit an existing group, hover over the group in the groups table and click the Edit Group icon. The Edit Group page is displayed.
5. Add a new device type and its persona.
6. For valid edit operations, refer to the Editing a Group table.
7. Optionally, select the Make these the preferred group settings check box to save the architecture and persona settings of the current group for subsequent group creations.
8. Click Save. The group edit changes are saved.
The following table lists the behavior for various edit operations.


Table 31: Editing a Group

| Original State: Architecture | Original State: Devices and Persona | Action | Edit Group Behaviour |
|---|---|---|---|
| ArubaOS 8 | AP - Campus/Branch; No Controllers | Add Controller; Add Switches | Allowed. Controller persona - Branch. Switch types: AOS-CX only, AOS-S only, or Both AOS-CX and AOS-S |
| ArubaOS 8 | No AP; Controllers - Branch | Add AP; Add Switches | Allowed. AP persona - Campus/Branch. Switch types: AOS-CX only, AOS-S only, or Both AOS-CX and AOS-S |
| No architecture | No Access Points; No Controllers; Switches - AOS-CX only, AOS-S only, or Both AOS-CX and AOS-S | Add AP; Add Controllers | Allowed. AP persona - Campus/Branch. Controllers persona - Branch |


Creating Groups for Switches
You can create a group with switches only in it or you can also add a switch to an existing group containing other devices such as APs and controllers. A switch group will not have any architecture.
Adding a Switch Group
To add a switch group, complete the following steps:
1. From the Aruba Central On-Premises app, filter Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Click (+) Add Group on the Groups table. The Add Group page is displayed.
5. Enter a name for the group.
The group name can be a maximum of 32 single-byte ASCII characters if you use the UI to create the names. However, if you are using an NB API, the character limit increases to 128. A group name supports alphanumeric characters and only "-", "_", and space as special characters. System-defined group names such as "default", "unprovisioned", and "global" are not allowed in group names.
By default, Aruba Central enables the UI-based configuration. The template-based configuration is displayed only when you select devices in the Add group page. Use the toggle button to enable Configure using templates.
6. From the Group will contain section, select the switch check box.
7. Click Next.


8. Select the type of switches used in this group:
- AOS-CX only
- AOS-S only
- Both AOS-CX and AOS-S
You can select the 'Monitoring only for AOS-S' option for the AOS-S switches.
9. Optionally, select the Make these the preferred group settings check box to save the architecture and persona settings of the current group for subsequent group creations.
10. Click Add. A group for the selected switch type is created.

A group created by a user role that has read and write access is displayed in the Groups list only after that group is assigned to the user by the administrator on HPE GreenLake. For information about how to assign a group to the user, see Managing User Identity Access.

To add a switch type to an existing group, see Creating a Group Persona with ArubaOS 8.x Architecture.

Assigning Devices to Groups
In Aruba Central On-Premises, devices are assigned to groups for configuration, monitoring, and management purposes. A group in Aruba Central On-Premises is a primary configuration element that acts like a container. In other words, groups are a subset of one or several devices that share common configuration settings. Aruba Central On-Premises supports assigning devices to groups for the ease of configuration and maintenance. For example, you can create a common group for controllers or Instant APs that have similar configuration requirements.

Assigning Instant APs to Groups
The Instant AP groups may consist of the following configuration elements:
- Instant AP Cluster--Consists of a master Instant AP and a set of slave Instant APs in the same VLAN.
- Virtual Controller--A virtual controller provides an interface for the entire cluster. The slave Instant APs and the master Instant AP function together to provide a virtual interface.
- Master Instant AP and Slave Instant AP--In a typical Instant AP deployment scenario, the first Instant AP that comes up is elected as the master Instant AP. All other Instant APs joining the cluster function as slave Instant APs. When a master Instant AP is elected, the slave Instant APs download the configuration changes.
The following table describes the group assignment criteria for Instant APs.

Table 32: Instant AP Group Assignment

APs with Default Configuration
If an Instant AP with factory default configuration joins Aruba Central On-Premises, it is automatically assigned to the default group or to an existing group with similar configuration settings. The administrators can perform any of the following actions:
- Manually assign them to a pre-provisioned group.
- Create a new group.

APs with Non-Default Configuration
If an Instant AP with non-default or custom configuration joins Aruba Central On-Premises, it is automatically assigned to an unprovisioned group. The administrators can perform any of the following actions:
- Create a new group for the device and preserve the device configuration.
- Move the device to an existing group and override the device configuration.

Assigning Switches to Groups
Aruba Central On-Premises allows switches to join groups only if the switches are running factory default configuration. Switches with factory default configuration are automatically assigned to the default group. Administrators can either move the switch to an existing group or create a new group.

- Aruba Central On-Premises does not support UI-based configuration workflows for Aruba 5400R Switch Series and switch stacks. Aruba recommends that you assign these devices to template groups and provision them using configuration templates.
- Aruba Central On-Premises does not support moving Aruba 5400R Switch Series from the template group to a UI group. If an Aruba 5400R Switch Series device is pre-assigned to a UI group, the device is moved to an unprovisioned group after it joins Aruba Central On-Premises.

Assigning Controllers to Groups
Aruba Central On-Premises allows controllers to join groups and the controllers with factory default configuration are automatically assigned to the default group. Administrators can either move the controller to an existing group or create a new group.
Assigning Devices to a Group
To assign a device to a group from the Device Preprovisioning page, complete the following steps:
The following procedure applies only to assigning groups to devices that are connecting for the first time. Group management actions such as moving devices between groups, or moving devices from the unprovisioned group to other groups, are done on the Groups page. For more information, see Managing Groups.
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Device Preprovisioning tile. The Device List table is displayed. The Device List table lists the total number of devices in the inventory.
4. Select the device(s) that you want to move to a selected group. You can select and move up to 50 devices at a time.
If a selected device is already connected to Aruba Central On-Premises, the Move devices option is not available for that device.
5. Click the Move devices icon. The Assign Group page is displayed.


6. Select the Destination Group from the drop-down list.
You can assign only the device type for which the group is created. For example, if a group is created for Access Points only, then only Access Points can be assigned to that group. You cannot assign other device types to it.
7. Click Move. The selected device(s) are moved to the destination group. These devices adopt the destination group configuration.
For every device pre-provisioning operation, a warning pop-up is displayed asking you to check the audit trail log for the status. If you are assigning devices in bulk, check the audit trail to confirm that all devices were successfully assigned and to see the reason for any rejected devices.
To assign a device to a group from the Groups page, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand the group from which you want to move devices to the selected group. For example, expand the Unprovisioned Devices group, select the devices, and then click the Move devices icon. The Move Devices page is displayed.
You can assign only the device type for which the group is created. For example, if a group is created for Access Points only, then only Access Points can be assigned to that group. You cannot assign other device types to it.
5. Select the Destination Group from the drop-down list.
6. Click Move. The selected devices are moved to the destination group. These devices adopt the destination group configuration.
Viewing Groups and Associated Devices
To view the groups dashboard, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed. The groups table lists all the groups and displays the following information:
- Group Name--Name of the group. You can filter the list by group name and sort the groups list in ascending or descending order. For each group, the next column displays icons for the device types that are part of the group. Hover over a group to Edit, Clone, Go to Config, or Delete the group.
- Search--You can use the search functionality to search for a device name, MAC address, or serial number.
- Devices--Number of devices assigned to a group.
- All Connected Devices--Total number of devices provisioned in Aruba Central On-Premises. The table lists all the devices provisioned in Aruba Central On-Premises.
- Unprovisioned devices--This group lists the licensed devices that are connected to Aruba Central On-Premises but not assigned to any group. This group cannot be edited or deleted.
4. To view the devices assigned to a group, select the group from the table on the left. The devices table displays the following information:
- Device Name--Name of the device.
- Type--Type of the device, such as AP, Switch, or Controller.
- Serial Number--Serial number of the device.
- MAC Address--MAC address of the device.
Creating a New Group by Importing Configuration from a Device
You can create a new group by importing configuration from a device. The import configuration is supported only for IAPs with ArubaOS 8 architecture. You can create a new group for IAPs with ArubaOS 8 architecture by importing configuration from an IAP. You can add more devices later by editing the group. To import configuration from an existing device to a new group, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand a group that has IAP devices.
5. Select the IAP with ArubaOS 8 architecture.
6. Click the Import Group icon. The Add Group pop-up window is displayed.
7. Enter a name for the group. The group name can be a maximum of 32 single-byte ASCII characters if you use the UI to create the names. However, if you are using an NB API, the character limit increases to 128. A group name supports alphanumeric characters and only "-", "_", and space as special characters. System-defined group names such as "default", "unprovisioned", and "global" are not allowed in group names.
8. Click Add. A group is created with the configuration imported from the device.
Network Structure | 170

The group created by a user role that has read and write access is displayed in the Groups list only after that group is assigned to the user by the administrator on HPE GreenLake. For information about how to assign a group to the user, see Managing User Identity Access.
Cloning a Group
Cloning a group will clone the same architecture and persona from the source group. To clone a group, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. To create a clone of an existing group, hover over the group on the Groups table and click the Clone Group icon. The Clone Group page is displayed.
5. Enter a name for the cloned group. The group name can be a maximum of 32 single byte ASCII characters if you use the UI to create the names. However, if you are using an NB API, the character limit increases to 128. A group name supports alphanumeric characters and only "-", "_", and space as special characters. System-defined group names such as "default", "unprovisioned", and "global" are not allowed in group names.
6. Click Clone. A new group is created from the source group settings.
When you clone a group, Aruba Central On-Premises also copies the configuration templates applied to the devices in the group.
Moving Devices between Groups
This feature allows the user to move the Mobility Conductor and all the associated devices, such as the standby Mobility Conductor, managed devices, and access points, to a different group. When you move the Mobility Conductor to a new group, the associated devices automatically move to the same group. Similarly, when you move a managed device, all the managed devices in that cluster and the corresponding APs automatically move to the destination group. To move a device to a different group, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand the group from which you want to move devices. For example, expand the Unprovisioned Devices group, select the devices, and then click the Move devices icon. The Move Devices page is displayed.
5. Select the Destination Group from the drop-down list. Based on the device, the following actions are performed automatically:
a. If you have selected a Mobility Conductor to move to a different group, all the associated devices, such as the standby Mobility Conductor, clusters, and access points, automatically move to the destination group.
b. If you have selected a managed device to move to a different group, all the managed devices in that cluster and the corresponding APs automatically move to the destination group.
6. Click Move. The selected devices are moved to the destination group. These devices adopt the destination group configuration.
7. You can verify the device or group move information by navigating to the Analyze > Audit Trail page. The Sites and Labels pages should also display the updated group information.

Deleting a Group
Aruba Central On-Premises allows you to delete a group if there are no devices attached to that group.

When you delete a group, Aruba Central On-Premises removes all configuration, templates, and variable definitions associated with the group. Before deleting a group, ensure that there are no devices attached to the group.

To delete a group, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. From the list of groups, hover over the group in the groups table and click the Delete Group icon. The Delete Group confirmation window is displayed.

The delete icon is available only when all the devices are disassociated from the group you want to delete.

5. Click Yes to confirm. The group is deleted.
Restricting Access to Group-Level Configuration
Using the HPE GreenLake portal, you can restrict users to group-level configuration by configuring appropriate options in the Central Permissions page. This feature allows users to edit configuration only at the device level. However, users are allowed to view the device configuration pages and the Configuration Audit page at the group level.


To restrict access to group-level configuration, you must configure the following resource permissions for a custom role in the HPE GreenLake portal:
1. Select the Edit option under NMS Service > NMS Service Configuration. This allows access to the configuration at both group and device levels. By default, the Edit option is cleared and the View option is selected.
2. Clear the Edit option in NMS Group Level Access under NMS Service > NMS Service Configuration. This allows access to configuration at the device level. At the group level, access is provided only to view the device configuration. By default, both Edit and View options are selected.
For more information about managing users and roles in the HPE GreenLake portal, see the Assignments section in the HPE GreenLake Edge to Cloud Platform User Guide, using the following link: https://www.arubanetworks.com/techdocs/central/latest/content/nms/intro-pages/related-info.htm
You can also gather additional details on managing users and roles in the HPE GreenLake portal from the Aruba Central On-Premises User Roles in HPE GreenLake Account Home section.
Setting up Password for Devices in a Group
To set the password for the devices in a group, see the following topics:
n Setting the Password for Access Points
n Setting the Password for AOS-S Switches
n Setting the Password for AOS-CX Switches
n Setting the Password for Controllers
When you create a new group and assign devices to the group, you must set the password for the devices before proceeding with any device configuration.
Setting the Password for Access Points
To set the password for access points in a group, complete the following steps:
1. Navigate to the access points configuration page using either of the following methods:
n Set the filter to a Group containing access points, navigate to Manage > Devices, select the Access Points tab, and click the Config icon.
n Set the filter to Global, navigate to Maintain > Organization > Network Structure > Groups, then select a group and click the Go to config icon.
The Set Device Password pop-up is displayed to set the password for the access points.
2. Enter the password, confirm it, and click Set Password. The password is set for the access points.
Setting the Password for AOS-S Switches
To set the password for AOS-S switches in a group, complete the following steps.

If the password is not set for the AOS-S switches, any user can access the switch using SSH or Telnet and perform the configuration. So, it is mandatory to set the password before proceeding with any configuration.

1. Navigate to the AOS-S switches configuration page using either of the following methods:
n Set the filter to a Group containing at least one AOS-S switch, navigate to Manage > Devices, and select the Switches tab.
n Set the filter to Global, navigate to Maintain > Organization > Network Structure > Groups, select a group containing at least one AOS-S switch, click the Go to config icon, and select the Switches tab.
2. Select the AOS-S Config icon.
3. Navigate to System > Access/DNS.
4. Enter the Admin Username and Admin Password, then Confirm Password.
5. Click Save Settings.
The password is set for the AOS-S switches.
Setting the Password for AOS-CX Switches
To set the password for AOS-CX switches in a group, complete the following steps:
1. Navigate to the AOS-CX switches configuration page using either of the following methods:
n Set the filter to a Group containing at least one AOS-CX switch, navigate to Manage > Devices, and select the Switches tab.
n Set the filter to Global, navigate to Maintain > Organization > Network Structure > Groups, select a group containing at least one AOS-CX switch, click the Go to config icon, and select the Switches tab.
2. Select the AOS-CX Config icon. The Set Device Password pop-up is displayed.
3. Enter the Administrator password and click Save. The password is set for the AOS-CX switches.
Setting the Password for Controllers
To set the password for controllers in a group, complete the following steps:
1. Navigate to the controllers configuration page using either of the following methods:
n Set the filter to a Group, navigate to Manage > Devices, select the Controllers tab, and click Config.
n Set the filter to Global, navigate to Maintain > Organization > Network Structure > Groups, select a group, click Go to config, and select the Controllers tab.
2. In the Advanced Mode, select System > General > Basic Info.
3. Enter the password in the Password for user admin field.
4. Retype the password and click Save Settings.
The password is set for the controllers.
Provisioning Devices
This section describes the following topics on provisioning devices in groups:
n Provisioning Devices Using UI-based Workflows
n Provisioning Devices Using Configuration Templates

Provisioning Devices Using UI-based Workflows
This section describes the important points to consider when assigning devices to UI groups:
n Provisioning APs using UI-based Configuration Method
n Provisioning Switches Using UI-based Configuration Method

Provisioning APs using UI-based Configuration Method
An AP device group may consist of any of the following:
n AP Cluster--Consists of a conductor AP and member APs in the same VLAN.
n VC--A virtual controller. The VC provides an interface for the entire cluster. The member APs and conductor AP function together to provide a virtual interface.
n Conductor AP and Member AP--In a typical AP deployment scenario, the first AP that comes up is elected as the conductor AP. All other APs joining the cluster function as the member APs. When a conductor AP is configured, the member APs download the configuration changes. The conductor AP may change as necessary from one device to another without impacting network performance.
Aruba Central On-Premises allows configuration operations at the following levels for a device group with APs:
n Per group configuration--Aruba Central On-Premises allows you to maintain unique configuration settings for each group. However, these settings are applied to all devices within that group. For example, all VCs within a group can have common SSID settings.
n Per VC Configuration--Any changes that need to be applied at the AP cluster level can be configured on a VC within a group. For example, VCs within a group can have different VLAN configuration for the SSIDs.
n Per Device Configuration--Although devices are assigned to a group, the users can maintain device-specific configuration such as radio, power, or uplink settings for an individual AP within a group.
When the APs that are not pre-provisioned to any group join Aruba Central On-Premises, they are assigned to groups based on their current configuration.
The following table lists the regular and default configurations for an Instant AP.

Table 33: Instant AP Provisioning

APs with Default Configuration
If an AP with factory default configuration joins Aruba Central On-Premises, it is automatically assigned to the default group or an existing group with similar configuration settings. The administrators can perform any of the following actions:
n Manually assign them to an existing group.
n Create a new group. See Creating a Group.

APs with Non-Default Configuration
If an AP with non-default or custom configuration joins Aruba Central On-Premises, it is automatically assigned to an unprovisioned group. The administrators can perform any of the following actions:
n Create a new group for the device and preserve the device configuration. See Creating a Group.
n Move the device to an existing group and override the device configuration.


Ensure that the conductor AP and member APs are assigned to the same group. You must convert the member AP to a standalone AP in order to move the member AP to another group independently.
In the following illustration, APs from three different geographical locations are grouped under the California, Texas, and New York states. Each state has unique SSIDs and can support devices from multiple locations in a state. As shown in Figure 17, the California group has devices from different locations and has the same SSID, while devices in the other states/groups have different SSIDs. When a device with the factory default configuration connects to Aruba Central On-Premises, it is automatically assigned to the default group. If the device has a custom configuration, it is marked as unprovisioned. If you want to preserve the custom configuration, create a new group for the device. If you want to overwrite the custom configuration, you can assign the device to an existing group.
Figure 17 AP provisioning
Provisioning Switches Using UI-based Configuration Method
Aruba Central On-Premises allows switches to join UI groups only if the switches are running factory default configuration. Aruba Central On-Premises assigns switches with a factory default configuration to the default group. The administrators can either move the switch to an existing group or create a new group.
n Aruba Central On-Premises does not support UI-based configuration workflows for Aruba 5400R Switch Series and switch stacks. Aruba recommends that you assign these devices to template groups and provision them using configuration templates.
n Aruba Central On-Premises does not support moving Aruba 5400R Switch Series from the template group to a UI group. If Aruba 5400R Switch Series is pre-assigned to a UI group, the device is moved to an unprovisioned group after it joins Aruba Central On-Premises.

Aruba Central On-Premises allows the following configuration operations at the following levels for switches in a UI group:
n Per group configuration--Aruba Central On-Premises allows you to maintain unique configuration settings for each group. However, these settings are applied to all devices within that group. For example, all switches within a group can have common VLAN settings.
n Per Device Configuration--Although the Switches inherit group configuration, the users can maintain device-specific configuration, for example, ports or DHCP pools.
Provisioning Devices Using Configuration Templates
Aruba Central On-Premises allows you to provision devices using UI-based or template-based configuration method. If you have groups with template-based configuration enabled, you can create a template with a common set of CLI scripts, configuration commands, and variables. Using templates, you can apply CLI-based configuration parameters to multiple devices in a group.
If the template-based configuration method is enabled for a group, the UI configuration wizards for the devices in that group are disabled.
Creating a Group with Template-Based Configuration Method
To create a template group, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Click (+) Add Group on the Groups table. The Add Group page is displayed.
5. Enter the name of the group. The group name can be a maximum of 32 single byte ASCII characters if you use the UI to create the names. However, if you are using an NB API, the character limit increases to 128. A group name supports alphanumeric characters and only "-", "_", and space as special characters. System-defined group names such as "default", "unprovisioned", and "global" are not allowed in group names.
By default, Aruba Central On-Premises enables the UI-based configuration. The template-based configuration option is displayed only after you select devices in the Add Group page. Use the toggle button to enable Configure using templates.
6. Select the device type for which you want to create a template group:
n Access points
n Controllers
n Switches
7. Click Next. By default, the ArubaOS 8 architecture is applied for access points and controllers.
8. Select the switch type for the group.


9. Optionally, select the Make these the preferred group settings check box to save the architecture and persona settings of the current group for subsequent group creations.
10. Click Add.
If the group is set as a template group, a configuration template is required for managing device configuration.
Provisioning Devices Using Configuration Templates and Variable Definitions
For information on configuration template, see the following topics:
n Configuring IAPs Using Templates
n Configuring AOS-S Switches using Templates
n Configuring AOS-CX Switches using Templates
n Managing Variable Files
Configuring IAPs Using Templates
Templates in Aruba Central On-Premises refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate access point (AP) deployments.
To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that the device administrators familiarize themselves with the CLI configuration commands available on Aruba IAPs.
For template-based provisioning, IAPs must be assigned to a group with template-based configuration method enabled. To create a template for the IAPs in a template group, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure APs in a template group are displayed.
4. In the Templates table, click + to add a new template. The Add Template pop-up window is displayed.
5. Under Basic Info, enter the following information:
n Template Name--Enter the template name.
n Model--Set the model parameter to ALL.
n Version--Set the version parameter to ALL.
6. Under Template, add the CLI script content.
7. Check the following guidelines before adding content to the template:
n Ensure that the command text indentation matches the indentation in the running configuration.

n The template allows multiple per-ap-settings blocks. The template must include the per-ap-settings %_sys_lan_mac% variable. The per-ap-settings block uses the variables for each AP. The general VC configuration uses the variables of the conductor AP to generate the final configuration from the provided template. Hence, Aruba recommends that you upload all variables for all devices in a cluster and change values as required for individual AP variables.
n You can obtain the list of variables for per-ap-settings by using the show amp-audit command. The following example shows the list of variables for per-ap-settings.
(Instant AP)# show amp-audit | begin per-ap
per-ap-settings 70:3a:0e:cc:ee:60
 hostname EE:60-335-24
 rf-zone bj-qa
 ip-address 10.65.127.24 255.255.255.0 10.65.127.1 10.65.6.15 ""
 swarm-mode standalone
 wifi0-mode access
 wifi1-mode access
 g-channel 6+ 21
 a-channel 140 26
 uplink-vlan 0
 g-external-antenna 0
 a-external-antenna 0
 ap1x-peap-user peap22 282eaf1077b8d898b91ec41b5da19895
The commands in the template are case-sensitive. IF ELSE ENDIF conditions are supported in the template. If the template text includes the if condition, % sign is required at the beginning and the end of the text. For example, %if guest%. The following example shows the template text with the IF ELSE ENDIF condition.
wlan ssid-profile %ssid_name%
 %if disable_ssid=true%
 disable-ssid
 %endif%
 %if ssid_security=wpa2%
 opmode wpa2-aes
 %else%
 opmode opensystem
 %endif%
Templates also support nesting of the IF ELSE END IF condition blocks. The following example shows how to nest such blocks:
%if condition1=true%
routing-profile
 route 10.10.0.0 255.255.255.0 10.10.0.255
 %if condition2=true%
routing-profile
 route 10.20.0.0 255.255.255.0 10.20.0.255
 %else%
routing-profile
 route 10.30.0.0 255.255.255.0 10.30.0.255
 %endif%
%else%
routing-profile
 route 10.40.0.0 255.255.255.0 10.40.0.255
 %if condition3=true%
routing-profile
 route 10.50.0.0 255.255.255.0 10.50.0.255
 %else%
routing-profile
 route 10.60.0.0 255.255.255.0 10.60.0.255
 %endif%
%endif%
For profile configuration CLI text, for example, vlan, interface, access-list, ssid, and so on, the first command must start with no white space. The subsequent local commands in a given profile must start with at least one initial space (' ') or be indented as shown in the following examples:
Example 1
wlan auth-server %auth_server_name%
 ip %auth_server_ip%
 port 1812
 acctport 1813
 %if auth_server_key%
 key %auth_server_key%
 %else%
 key 123456
 %endif%
Example 2
%if vlan_id1%
vlan %vlan_id1%
 %if vlan_id1=1%
 ip address dhcp-bootp
 %endif%
 no untagged %_sys_vlan_1_untag_command%
 exit
%endif%
To comment out a line in the template text, use the pound sign (#). Any template text preceded by # is ignored when processing the template.
To allow or restrict APs from joining the Instant Access Point (IAP) cluster, Aruba Central uses the _sys_allowed_ap system-defined variable. Use this variable only when the allowed APs configuration is enabled. For example, _sys_allowed_ap: "a_mac, b_mac, c_mac". Use this variable only once in the template.
8. Click OK.
Managing Variable Files
Aruba Central On-Premises allows you to configure multiple devices in bulk using templates. However, in some cases, the configuration parameters may vary per device. To address this, Aruba Central On-Premises identifies some customizable CLI parameters as variables and allows you to modify the definitions for these variables as per your requirements.

You can download a sample file with variables for a template group or for the devices deployed in a template group, update the variable definitions, upload the file with the customized definitions, and apply these configuration changes in bulk.
Downloading Sample Variables File
The sample variables file includes a set of sample variables that the users can customize. You can download the sample variables file in the JSON or CSV format. To download a sample variables file, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Click Variables.
5. Select one of the following formats to download the sample variables file:
n JSON--Shows the file in JSON format.
n CSV--Shows the variables in different columns.
6. Click Download Sample Variables File. The sample variables file is saved to your local directory.
Modifying a Variable File
The CSV file includes the following columns for which the variable definitions are mandatory:
n _sys_serial--For the serial number of the device.
n _sys_lan_mac--For the MAC address of the device.
n modified--To indicate the modification status of the device. The value for this column is set to N in the sample variables file. When you edit a variable definition, set the modified column to Y to allow Aruba Central On-Premises to parse the modified definition.
n The CSV file must contain only one modified column, with the value Y in each row where the variables are modified.
n The modified column is not required when using JSON files to upload the variables.
Following is an example format of the CSV file with the modified column.
Predefined Variables for Aruba Switches
The system defined variables in the sample variables files are indicated with _sys prefix.


The following table lists the predefined variables for switches.

Table 34: Predefined Variables Example

Variable Name | Description | Variable Value
_sys_gateway | Populates the gateway IP address. | 10.22.159.1
_sys_hostname | Maintains a unique host name. | HP-2920-48G-POEP
_sys_ip_address | Indicates the IP address of the device. | 10.22.159.201
_sys_module_command | Populates module lines. | module 1 type j9729a
_sys_netmask | Netmask of the device. | 255.255.255.0
_sys_oobm_command | Represents the Out of Band Management (OOBM) block. | oobm ip address dhcp-bootp exit
_sys_snmpv3_engineid | Populates the engine ID. | 00:00:00:0b:00:00:5c:b9:01:22:4c:00
_sys_stack_command | Represents the stack block. | stacking member 1 type "J9729A" mac-address 5cb901224c00 exit
_sys_template_header | Represents the first two lines of the configuration file. Ensure that this variable is the first line in the template. | ; J9729A Configuration Editor; Created on release #WB.16.03.0003+ ; Ver #0f:3f.f3.b8.ee.34.79.3c.29.eb.9f.fc.f3.ff.37.ef:91
_sys_use_dhcp | Indicates the DHCP status (true or false) of VLAN 1. | 0
_sys_vlan_1_untag_command | Indicates the untagged ports of VLAN 1. | 1-28,A1-A2
_sys_vlan_1_tag_command | Indicates the tagged ports of VLAN 1. | 28-48

The _sys_template_header and _sys_snmpv3_engineid variables are mandatory and must have values populated, irrespective of their use in the template. If there is no value set for these variables, Aruba Central On-Premises re-imports the values for these mandatory variables when it processes the running configuration of the device.
Predefined Variables for APs
For APs, the sample variables file includes the _sys_allowed_ap variable for which you can specify a value to allow new APs to join the AP cluster.


Important Points to Note
The following conditions apply to the variable files:
n The variable name must be on the left side of the condition and its value must be defined on the right side. For example, %if var=100% is supported and %if 100=var% is not supported.
n The <, <=, >, or >= operators should have only a numeric integer value on the right side. The variables used in these four operations are compared as integers after flooring. For example, if a float value is set as %if dpi_value > 2.8%, it is converted to %if dpi_value > 2% for comparison.
n The variable names should not include white space or the & and % special characters. The variable names must match the regular expression [a-zA-Z0-9_]. If variable values with % are defined, ensure that the variable is surrounded by space. For example, wlan ssid-profile %ssid_name%.
n The first character of the variable name must be an alphabet. Numeric values are not accepted.
n The values defined for the variable must not include spaces. If quotes are required, they must be included as part of the variable value. For example, if the intended variable name is wlan ssid-profile "emp ssid", then the recommended format for the syntax is "wlan ssid-profile %ssid_name%" and the variable is "ssid_name": "\"emp ssid\"".
n If the configuration text has the percentage sign % in it--for example, "url "/portal/scope.cust5001098/Splash%20Profile%201/capture"--Aruba Central On-Premises treats it as a variable when you save the template. To allow the use of the percentage sign % as an escape character, use \" in the variable definition as shown in the following example:
Template text
wlan external-captive-portal "Splash Profile 1_#guest#_"
 server naw1.cloudguest.central.arubanetworks.com
 port 443
 url %url%
Variable
"url": "\"/portal/scope.cust-5001098/Splash%20Profile%201/capture\""
n Aruba Central On-Premises supports adding multiple lines of variables in AP configuration templates. If you want to add multiple lines of variables, you must add the HAS_MULTILINE_VARIABLE directive at the beginning of the template.
Example
#define HAS_MULTILINE_VARIABLE 1
%if allowed_aps%
%allowed_aps%
%endif%
Variable
"allowed_aps": "allowed-ap 24:de:c6:cb:76:4e\n allowed-ap ac:a3:1e:c5:db:d8\n allowed-ap 84:d4:7e:c4:8f:2c"
n For APs, you can configure a variable file with a set of values defined for a conductor AP in the network. When the variable file is uploaded, the configuration changes are applied to all AP devices in the cluster.
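To work through the template rules above (the %if / %else / %endif% conditions and nesting from Configuring IAPs Using Templates, and the variable rules in this list), here is a small renderer written for this guide; it is an added example, not Aruba Central's own template engine. It assumes that an undefined variable expands to the empty string (and counts as 0 in a numeric comparison) and that a multi-line value without the HAS_MULTILINE_VARIABLE directive is rejected; the sample templates are constructed from the examples on this page.

```python
"""Renderer for the template syntax this page describes: %var% substitution,
%if var%, %if var=value%, %if var<number%, %else%, %endif%, nesting,
# comment lines and the HAS_MULTILINE_VARIABLE directive.

Added example, not Aruba Central's own template engine. Assumptions: an
undefined variable expands to "" (0 in a numeric compare) and a multi-line
value without the directive is an error.
"""
import math
import re

VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
# variable name on the left, optional operator, literal on the right
COND_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*(<=|>=|<|>|=)?\s*(.*)$")
NUMBER_RE = re.compile(r"^-?\d+(\.\d+)?$")
MULTILINE_DIRECTIVE = "#define HAS_MULTILINE_VARIABLE 1"


def evaluate(cond, variables):
    """Evaluate the text between '%if ' and '%' under the page's rules."""
    m = COND_RE.match(cond.strip())
    if not m:   # e.g. "100=var": the variable must be on the left side
        raise ValueError(f"unsupported condition {cond!r}")
    name, op, rhs = m.groups()
    value = variables.get(name, "")
    if op is None:                  # %if var%: true when defined and non-empty
        if rhs:
            raise ValueError(f"unsupported condition {cond!r}")
        return value != ""
    if op == "=":                   # plain, case-sensitive string comparison
        return value == rhs
    # <, <=, >, >=: both sides are floored to integers (%if x > 2.8% means > 2)
    if not NUMBER_RE.match(rhs) or not NUMBER_RE.match(value or "0"):
        raise ValueError(f"non-numeric operand in {cond!r}")
    left, right = math.floor(float(value or "0")), math.floor(float(rhs))
    return {"<": left < right, "<=": left <= right,
            ">": left > right, ">=": left >= right}[op]


def condition_is_supported(cond):
    """True when 'cond' parses under the page's rules (var=100, not 100=var)."""
    try:
        evaluate(cond, {})
        return True
    except ValueError:
        return False


def render(template, variables):
    """Render a template line by line; indentation is kept as written."""
    lines = template.splitlines()
    multiline_ok = bool(lines) and lines[0].strip() == MULTILINE_DIRECTIVE
    if multiline_ok:
        lines = lines[1:]
    stack = []          # one [branch_active, else_seen] entry per open %if
    out = []
    for raw in lines:
        text = raw.strip()
        if text.startswith("#"):                    # comment line, ignored
            continue
        if text.startswith("%if ") and text.endswith("%"):
            stack.append([evaluate(text[4:-1], variables), False])
        elif text == "%else%":
            if not stack or stack[-1][1]:
                raise ValueError("%else% without a matching %if%")
            stack[-1] = [not stack[-1][0], True]
        elif text == "%endif%":
            if not stack:
                raise ValueError("%endif% without a matching %if%")
            stack.pop()
        elif all(active for active, _ in stack):    # every enclosing branch is live
            line = VAR_RE.sub(lambda m: variables.get(m.group(1), ""), raw)
            if "\n" in line and not multiline_ok:
                raise ValueError("multi-line value needs " + MULTILINE_DIRECTIVE)
            out.append(line)
    if stack:
        raise ValueError("template ends inside an %if% block")
    return "\n".join(out)


# Constructed from the page's wlan ssid-profile example, plus a comment line.
SSID_TEMPLATE = """\
# comment lines are dropped when the template is processed
wlan ssid-profile %ssid_name%
 %if disable_ssid=true%
 disable-ssid
 %endif%
 %if ssid_security=wpa2%
 opmode wpa2-aes
 %else%
 opmode opensystem
 %endif%
"""

# Constructed from the page's multi-line allowed_aps example.
ALLOWED_AP_TEMPLATE = """\
#define HAS_MULTILINE_VARIABLE 1
%if allowed_aps%
%allowed_aps%
%endif%
"""
```

Note that %url% values such as the one in the list above are substituted in a single pass, so a %20 inside a value is never re-read as a variable.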
Examples
The following example shows the contents of a variable file in the JSON format for APs:
{
  "CK0036968": { "_sys_serial": "CK0036968", "ssid": "s1", "_sys_lan_mac": "ac:a3:1e:c5:db:7a", "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22", "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster", "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8", "hostname": "Uber_1" },
  "CJ0219729": { "_sys_serial": "CJ0219729", "ssid": "s1", "_sys_lan_mac": "ac:a3:1e:cb:04:92", "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22", "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster", "hostname": "Uber_2" },
  "CK0112486": { "_sys_serial": "CK0112486", "ssid": "s1", "_sys_lan_mac": "ac:a3:1e:c8:29:76", "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22", "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster", "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8", "hostname": "Uber_3" },
  "CT0779001": { "_sys_serial": "CT0779001", "ssid": "s1", "_sys_lan_mac": "84:d4:7e:c5:c6:b0", "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22", "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster", "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8", "hostname": "Uber_4" },
  "CM0640401": { "_sys_serial": "CM0640401", "ssid": "s1", "_sys_lan_mac": "84:d4:7e:c4:8f:2c", "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22", "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster", "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8", "hostname": "Uber_6" },
  "CK0037015": { "_sys_serial": "CK0037015", "ssid": "s1", "_sys_lan_mac": "ac:a3:1e:c5:db:d8", "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22", "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster", "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8", "hostname": "Uber_7" },
  "CK0324517": { "_sys_serial": "CK0324517", "ssid": "s1", "_sys_lan_mac": "f0:5c:19:c0:71:24", "vc_name": "test_config_CK0036968", "org": "Uber_org_test", "vc_dns_ip": "22.22.22.22", "zonename": "Uber_1", "uplinkvlan": "0", "swarmmode": "cluster", "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8", "hostname": "Uber_8" }
}
The following illustration shows a sample variables file in the CSV format.
Figure 18 Variables File in the CSV Format

Uploading Variable Files
To upload a variable file, complete the following steps:
While uploading the variables file to Aruba Central On-Premises in the CSV format, make sure to:
- Choose the default language in Microsoft Excel as English (United States).
- Add only one modified column in the CSV file, with the value Y in each row where the variables are modified.

Aruba Central On-Premises 2.5.6 | User Guide

185

1. Ensure that the _sys_serial and _sys_lan_mac variables are defined with the serial number and MAC address of the devices, respectively.
2. In the Aruba Central On-Premises app, set the filter to one of the template groups under Groups.
3. Under Manage, click Devices > Switches.
4. Click the Config icon.
5. Click Variables.
6. Click Upload Variables File and select the variable file to upload.
7. Click Open. The contents of the variable file are displayed in the Variables table.
8. To search for a variable, specify a search term and click the Search icon.
9. To download a variable file with device-specific definitions, click the download icon in the Variables table.
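As an added example, not from the user guide, the following Python script checks a variables file of the JSON shape shown above before upload (each object key matches its _sys_serial, every device carries a parseable _sys_lan_mac, no two devices share a MAC) and writes the CSV form with the single modified column the upload expects; the sample data is constructed and the CSV column order is an assumption.

```python
"""Pre-upload check and CSV export for a template variables file.

Added example, not part of the Aruba Central On-Premises user guide.
Assumes the JSON layout shown in the guide (one object per device, keyed by
serial number) and a CSV layout of _sys_serial, _sys_lan_mac, the remaining
variables, and one trailing 'modified' column (assumption).
"""
import csv
import io
import json
import re

# Constructed sample: two valid devices and one whose key and _sys_serial disagree.
SAMPLE_JSON = """{
 "CK0036968": {"_sys_serial": "CK0036968", "_sys_lan_mac": "ac:a3:1e:c5:db:7a",
               "hostname": "Uber_1", "vc_name": "test_config_CK0036968", "uplinkvlan": "0"},
 "CJ0219729": {"_sys_serial": "CJ0219729", "_sys_lan_mac": "AC-A3-1E-CB-04-92",
               "hostname": "Uber_2", "vc_name": "test_config_CK0036968", "uplinkvlan": "0"},
 "CK0112486": {"_sys_serial": "CK0112487", "_sys_lan_mac": "ac:a3:1e:c8:29:76",
               "hostname": "Uber_3"}
}"""


def load_sample():
    """Parse the constructed sample into the dict shape the other functions expect."""
    return json.loads(SAMPLE_JSON)


def normalize_mac(mac):
    """Return a lower-case, colon-separated MAC, or None if the value is not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def validate_variables(doc):
    """Return a list of problems; an empty list means the file is consistent for upload."""
    problems = []
    if not isinstance(doc, dict) or not doc:
        return ["top-level JSON must be a non-empty object keyed by serial number"]
    seen_macs = {}  # normalised MAC -> serial that first used it
    for key, variables in doc.items():
        if not isinstance(variables, dict):
            problems.append(f"{key}: variables must be an object")
            continue
        serial = variables.get("_sys_serial")
        mac = variables.get("_sys_lan_mac")
        if not serial:
            problems.append(f"{key}: _sys_serial is missing")
        elif serial != key:
            problems.append(f"{key}: _sys_serial {serial!r} does not match the object key")
        if not mac:
            problems.append(f"{key}: _sys_lan_mac is missing")
        else:
            norm = normalize_mac(mac)
            if norm is None:
                problems.append(f"{key}: _sys_lan_mac {mac!r} is not a valid MAC address")
            elif norm in seen_macs:
                problems.append(f"{key}: _sys_lan_mac {norm} duplicates {seen_macs[norm]}")
            else:
                seen_macs[norm] = key
        for name, value in variables.items():
            if not isinstance(value, str):
                problems.append(f"{key}: variable {name!r} must be a string")
    return problems


def to_csv(doc, modified_serials=()):
    """Flatten the JSON to CSV with exactly one 'modified' column (Y for the given serials)."""
    columns = ["_sys_serial", "_sys_lan_mac"]
    for variables in doc.values():
        for name in variables:
            if name not in columns:
                columns.append(name)
    columns.append("modified")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    for serial, variables in doc.items():
        row = {column: variables.get(column, "") for column in columns}
        raw_mac = variables.get("_sys_lan_mac", "")
        row["_sys_lan_mac"] = normalize_mac(raw_mac) or raw_mac  # keep bad values visible
        row["modified"] = "Y" if serial in modified_serials else ""
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    sample = load_sample()
    for problem in validate_variables(sample):
        print("problem:", problem)
    print(to_csv(sample, modified_serials={"CJ0219729"}))
```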
Modifying Variables
To modify variables without downloading a variable file, modifying it, and uploading the customized file, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Click Variables.
5. Select a device and variable.
6. Modify the value and click Add to Modifications.
7. Click Save.
Alternatively, to modify a single variable without downloading, modifying, and uploading a variable file, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Hover over the desired variable and click Edit.
5. Modify the value and click Save.
6. Click Save.
Managing Sites and Labels
This section describes the various options to configure and manage sites and labels in the Aruba Central On-Premises WebUI.
Managing Sites
In Aruba Central On-Premises, a site refers to a physical location where a set of devices are installed; for example, a campus, a branch, or a venue. You can create a branch or a campus site, for example Branch A or Campus A, for a specific geographical location and assign devices to it. You can use these sites as filters for viewing your deployment topology and for monitoring network and device health.
The Manage Sites page allows you to create, edit, and delete sites, view the list of sites configured in your setup, and assign devices to sites.
To access the Manage Sites page in the Aruba Central On-Premises app, navigate to Network Structure tab under Maintain > Organization. Click the Sites tile to view the Manage Sites page.
The following table describes the various functions on the Manage Sites page.

Table 35: Sites Page
Parameter -- Description
Convert Labels to Sites -- Allows you to convert existing labels to sites. To convert labels, download the CSV file with the list of labels configured in your setup, add the site information, and upload the CSV file. For more information, see Convert Existing Labels to Sites.
New Site -- Allows you to create a new site.
Bulk upload -- Allows you to add sites in bulk from a CSV file.

Sites Table
The sites table displays a list of sites configured. It provides the following information:

Table 36: Sites Table
Parameter -- Description
Site Name -- Name of the site.
Address -- Physical address of the site.
Device Count -- Number of devices assigned to a site.

The table also includes the following sorting options to reset the table view on the right:
- All Devices--Displays all the devices provisioned in Aruba Central On-Premises.
- Unassigned--Displays the list of devices that are not assigned to any site.
You can also use the filter and sort icons on the Sites and Address columns to filter and sort sites.

Devices Table
The devices table displays a list of devices provisioned. It provides the following information:

Table 37: Devices Table
Parameter -- Description
Name -- Name of the device.
Group -- Group to which the device is assigned.
Type -- Type of the device.

Creating a Site
A site refers to a physical location where a set of devices are installed; for example, campus or branch. If your devices are deployed in a campus, you could create a site with the campus name. On a campus with more than one building with the same address, site creation using the latitude and longitude values helps to display the buildings correctly on the map. You can use the sites to monitor devices installed on a physical location. To create a site, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. To add a new site, click (+) New Site. The Create New Site pop-up window is displayed.
5. In the Create New Site pop-up window, configure the following parameters:
   a. Site Name--Name of the site. Observe the following guidelines when naming a site:
      - The site name can be a maximum of 255 single-byte characters.
      - The site name supports alphanumeric characters and special characters. The special characters <, >, and & are not supported.
      - Default, Default Site, Default_Site, and Default-Site cannot be used as site names. These names are not case-sensitive, so a variant such as DeFauLT_sIte cannot be used as a site name either.
   b. Street Address--Address of the site.
   c. City--City in which the site is located.
   d. Country--Country in which the site is located.
   e. State/Province--State or province in which the site is located.
   f. ZIP/Postal Code--(Optional) ZIP or postal code of the site.
   g. Latitude--(Optional) The latitude of the site.
   h. Longitude--(Optional) The longitude of the site.
   The latitude and longitude values are auto-filled if not entered manually. If a caution icon appears next to a newly created site, click the edit icon next to the site name and manually enter the latitude and longitude values of the site.
6. Click Add. The new site is added to the Sites table.
Adding Multiple Sites in Bulk
You can add multiple sites by creating and importing a CSV file with mandatory information such as the site name, address, city, state, and country details.
To import site information from a CSV file in bulk, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. Click (+) Bulk upload. The Bulk Upload pop-up window is displayed.
5. Download a sample file.
6. Fill in the site information and save the CSV file in your local directory. The CSV file for bulk upload of sites must include the mandatory information: the name, address, city, state, and country details.
7. In the Bulk Upload window, click Next.
8. In the Aruba Central On-Premises UI, click Browse and add the file from your local directory.
9. Click Upload. The sites from the CSV file are added to the Sites table.
Assigning a Device to a site
Sites are used to group devices by physical location. You can assign devices to a site to group them and monitor them by site name. To assign a device to a site, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. Select Unassigned. The list of devices that are not assigned to any site is displayed.
5. Select device(s) from the list of devices.
6. Drag and drop the devices to the site on the left. A pop-up window is displayed that prompts you to confirm the site assignment.
7. Click Yes.
Convert Existing Labels to Sites
To convert existing labels to sites, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. Click Convert Labels to Sites. The Confirm Conversion pop-up window is displayed.
5. To download a CSV file with the list of labels configured in your setup, click Download file with existing labels. A CSV file with a list of all the labels in your setup is downloaded to your local directory.
6. Enter the address, city, state, country, and ZIP code details for the labels that you want to convert to sites. In the CSV file, you must enter the following details: address, city, state, and country.
7. Save the CSV file.
8. On the Confirm Conversion pop-up window, click Next.
9. Click Browse and select the CSV file with the list of labels to convert.
10. Click Upload.
11. Click Convert. The labels are converted to sites.
Points to Note
- If the conversion process fails for some labels, Aruba Central On-Premises generates and opens an Excel file showing a list of labels that could not be converted to sites. Verify the reason for the errors, update the CSV file, and re-upload the file.
- Aruba Central On-Premises does not allow conversion of sites to labels. Once existing labels are converted to sites, you cannot revert these sites to labels.
- When existing labels are converted to sites, Aruba Central On-Premises retains only the historical data for these labels. Aruba Central On-Premises displays the historical data for these labels only in reports and on the monitoring dashboard.
Editing a Site
You can edit a site to modify site details such as the site name, street address, city, country, state, or ZIP or postal code. To modify site details, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. Select the site to edit and click the edit icon.
5. Modify the site information and click Update.
Deleting a Site
If you no longer need a site, you can delete it.
To delete a site, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. Select the site to be deleted and click the delete icon. A confirmation window is displayed.
   The delete icon is available only when all the devices are disassociated from the site you want to delete.
5. Click Yes to confirm. The site is deleted and the devices associated with the site are moved to the unassigned devices list.
Site Search Terms
The search bar helps you to search for a site's information in the Network Operation app. Using the search bar, you can perform the following tasks:
- Hover over a site search card to view the monitoring summary for the site.
- Click the site name to open the Site Details page.
The following illustration is an example of the site search.
Figure 19 Search Card for a Site

Managing Labels
Labels are tags attached to a device provisioned in the network. Labels determine the ownership, departments, and functions of the devices. You can use labels for creating a logical set of devices and use these labels as filters when monitoring devices and generating reports.
The Manage Labels page allows you to create and modify labels, sites, and assign devices to labels.
To access the Manage Labels page in the Aruba Central On-Premises app, navigate to Network Structure tab under Maintain > Organization. Click the Labels tile to view the Manage Labels page.
The following table describes the various functions on the Manage Labels page.

Table 38: Labels
Name -- Contents of the Table
Labels -- Displays a list of labels configured. The table provides the following information:
   - Name of the label
   - Number of devices assigned to a label
   The table also includes the following sorting options to reset the table view on the right:
   - All Devices--Displays all the devices provisioned in Aruba Central.
   - Unassigned--Displays the list of devices that are not assigned to any label.
Devices -- Displays a list of devices provisioned. The table provides the following information about the devices:
   - Name--Name of the device
   - Group--Group to which the device is assigned
   - Type--Type of the device
   - Labels--Number of labels assigned to a device

Device Classification
The devices can also be classified using Groups and Sites, as described in the following points:
- The group classification can be used for role-based access to a device, while labels can be used for tagging a device to a location or a specific area at a physical site. However, if a device is already assigned to a group and has a label associated with it, it is classified based on both groups and labels.
- The site classification is used for logically grouping devices deployed at a given physical location. You can also convert labels to sites.
Creating a Label
To create a label, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Labels tile. The Manage Labels page is displayed.
4. To add a new label, click (+) Add Label. The Create New Label pop-up window is displayed.
5. Enter a name for the label. The label name can be a maximum of 255 single-byte characters. Special characters are allowed.
6. Click Add. The new label is created.
Assigning a Device to a Label
To assign a device to a label, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Labels tile. The Manage Labels page is displayed.
4. Locate the label to which you want to assign a device.
5. In the table that lists the labels, you can perform one of the following actions:
   - Click All Devices to view all devices.
   - Click Unassigned to view all the devices that are not assigned to any labels.
6. Select Unassigned. The list of devices that are not assigned to any label is displayed.
7. Select device(s) from the list of devices.
8. Drag and drop the selected device(s) to a specific label. A pop-up window asking you to confirm the label assignment is displayed.
9. Click Yes.

Aruba Central On-Premises allows you to assign up to five label tags per device.

Detaching a Device from a Label
To remove a label assigned to a device or devices, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Labels tile. The Manage Labels page is displayed.
4. Select the label from which you want to detach a device. The list of devices assigned to the label appears in the table on the right.
5. Select the device from the table.
6. Click the delete icon. To detach labels from multiple devices at once, select the devices and click Batch Remove Labels.
7. Confirm the deletion.

Editing a Label
To edit a label, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Labels tile. The Manage Labels page is displayed.
4. Select the label to edit.
5. Click the edit icon.
6. Edit the label and click Update.

Deleting a Label
To delete a label, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Labels tile. The Manage Labels page is displayed.
4. Select the label to delete.
5. Click the delete icon. The delete icon is available only when the label is not assigned to any device.
6. Confirm the deletion.

Device Preprovisioning
The device on-boarding procedures, such as adding devices and assigning licenses, which were earlier available on the Account Home page of Aruba Central, are now available on the HPE GreenLake account home. For more information, see Managing Devices and Device Subscriptions.
Viewing Devices List
The devices provisioned in your account are listed in the Organization > Network Structure > Device Preprovisioning pane. To view the Device Preprovisioning page, complete the following steps:
1. In the Aruba Central app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Device Preprovisioning tile. The Device List table is displayed. The Device List table lists the total number of devices and the number of access points, switches, and gateways in the inventory.
In the Serial Number column, you must enter the full device serial number to filter the data. Entering a partial serial number returns no results in the table.

The following table describes the columns in the Device List table.

Table 39: Device Details
Parameter -- Description
Serial Number -- Serial number of the device.
MAC Address -- MAC address of the device.
Device Type -- Type of device. For example, Instant AP, switch, or controller.
Model -- Hardware model of the device.
Part Number -- Part number of the device.
IP Address -- IP address of the device.
Name -- Name of the device.
Group -- Group assigned to the device.

Assigning Devices to Groups
To assign factory default devices to a group, complete the following steps in the Device Preprovisioning page:
The following procedure is only for assigning groups to devices that are not yet connected. Group management actions, such as moving devices between groups or moving devices from the unprovisioned group to other groups, are done on the Groups page. For more information, see Groups.

1. In the Aruba Central app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Device Preprovisioning tile. The Device List table is displayed.
4. Select the device(s) that you want to move to a selected group. You can select and move up to 50 devices at a time. If a selected device is already connected to Aruba Central, the Move devices option is not available for that device.
5. Click the Move devices icon. The Assign Group page is displayed.
6. Select the Destination Group from the drop-down list. You can assign only the device type for which the group was created. For example, if a group was created for Access Points only, then only Access Points can be assigned to that group; you cannot assign other device types to it.
7. Click Move. The selected device(s) are moved to the destination group and adopt the destination group configuration.

For every device preprovisioning operation, a warning pop-up is displayed asking you to check the audit trail log for the status. If you are assigning devices in bulk, check the audit trail to confirm that all devices were successfully assigned and to see the reason for any rejected devices.
Managing Certificates
Certificates provide a secure way of authenticating devices and eliminate the need for less secure password-based authentication. In certificate-based authentication, digital certificates are used to identify a user or device before granting access to a network or application. Server certificates and the digital certificates issued by a CA validate the identities of servers and clients. For example, when a client connects to a server for the first time, or the first time since its previous certificate has expired or been revoked, the server requests that the client transmit its authentication certificate and verifies it. Clients can also request and verify the authentication certificate of the server.
To avoid errors in server certificate validation, make sure the certificate includes the following Subject Alternative Name (SAN) entries:
- apigw-<FQDN>
- central-<FQDN>
- ccs-user-api-<FQDN>
- sso-<FQDN>
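As an added example, not from the user guide, the following Python script checks the DNS names in the subjectAltName text printed by `openssl x509 -noout -ext subjectAltName -in cert.pem` against the four entries listed above, so a certificate can be verified before it is uploaded; it assumes that <FQDN> is replaced by the appliance FQDN (so for aruba.example.com one required name is apigw-aruba.example.com), and the sample openssl output is constructed.

```python
"""Verify that a server certificate carries the SAN entries Aruba Central
On-Premises expects for its FQDN.

Added example, not part of the user guide. It parses the text that
'openssl x509 -noout -ext subjectAltName -in cert.pem' prints rather than
decoding the certificate itself, so only the standard library is needed.
Assumption: "<FQDN>" in the guide's list is replaced by the appliance FQDN.
"""
import re

# Host-name prefixes from the guide's SAN list.
REQUIRED_PREFIXES = ("apigw-", "central-", "ccs-user-api-", "sso-")

# Constructed sample of openssl output for a certificate with all four names
# (mixed case and a trailing dot are deliberately included to exercise normalisation).
SAN_TEXT_OK = """X509v3 Subject Alternative Name:
    DNS:aruba.example.com, DNS:apigw-aruba.example.com, DNS:central-aruba.example.com,
    DNS:ccs-user-api-aruba.example.com, DNS:SSO-Aruba.example.com.
"""
# Constructed sample for a certificate issued for the bare host name only.
SAN_TEXT_BARE = """X509v3 Subject Alternative Name:
    DNS:aruba.example.com, IP Address:192.0.2.10
"""


def required_sans(fqdn):
    """Required DNS SAN entries for one appliance FQDN, normalised to lower case."""
    fqdn = fqdn.strip().lower().rstrip(".")
    if not fqdn:
        raise ValueError("FQDN must not be empty")
    return [prefix + fqdn for prefix in REQUIRED_PREFIXES]


def dns_names_from_openssl(text):
    """Extract the DNS: entries from openssl's subjectAltName text.

    Names are lower-cased and a trailing dot is dropped so the comparison is
    case-insensitive, as DNS is; other SAN types (IP Address:, email:) are ignored.
    """
    return {m.group(1).lower().rstrip(".") for m in re.finditer(r"DNS:([^,\s]+)", text)}


def missing_sans(openssl_text, fqdn):
    """Return the required SAN entries the certificate lacks; an empty list means it is complete."""
    present = dns_names_from_openssl(openssl_text)
    return [name for name in required_sans(fqdn) if name not in present]


if __name__ == "__main__":
    for label, text in (("complete", SAN_TEXT_OK), ("bare", SAN_TEXT_BARE)):
        gaps = missing_sans(text, "aruba.example.com")
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```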
This topic includes the following sections:
- Certificate Revocation
- Captive Portal Certificates
- Managing Certificates
- Certificate Signing Request
- Supported Certificate Formats
- Wildcard Certificates
Certificate Revocation
Aruba Central On-Premises now validates the revocation status of client certificates. A certificate revocation check verifies that a TLS or SSL certificate is still valid before its scheduled expiration date. A certificate should be revoked immediately when its private key is compromised or when the domain for which it was issued is no longer operational. In an Online Certificate Status Protocol (OCSP) check, the client sends the certificate to the trusted CA for validation; the CA validates it and returns the status of the certificate as good, revoked, or unknown. In client certificate validation, Aruba Central On-Premises validates the client certificate, and if the validation fails, the communication between the client and Aruba Central On-Premises is terminated. The OCSP check and client certificate validation have the following two modes:
- In non-strict mode, when a call from the Aruba Central On-Premises server to the OCSP server fails because the OCSP server is unreachable or has not processed the request, the communication to the external server is not terminated. Also, client certificate validation is not performed in non-strict mode for a client connecting to the Aruba Central On-Premises server from the UI browser.
- In strict mode, when a call from the Aruba Central On-Premises server to the OCSP server fails because the OCSP server is unreachable or has not processed the request, the communication to the external server is terminated. Also, client certificate validation is performed in strict mode for a client connecting to the Aruba Central On-Premises server from the UI browser.
When you enable the certificate revocation check in an Aruba Central On-Premises setup, the revocation settings are applied only to the Syslog and UI Client Cert Mutual Auth services.
Enabling Certificate Revocation Check
To enable the revocation check, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. The Network Structure tab is displayed.
3. Click the Certificates tile. The Certificates page is displayed.
4. Enable the Enable revocation check toggle button.
5. Click Yes in the Confirm Action pop-up window. The OCSP service is enabled to check the revocation status of the certificate.
6. Select the Enable Strict Checking checkbox to enable the certificate revocation check in strict mode.
7. Click Submit.
8. Click Yes in the Confirm Action pop-up window to submit the revocation settings.
To enable the revocation check from the CLI, use the following Certificate Configuration Commands:
- Enable client cert strict check--Enter option 10-1
- Disable client cert strict check--Enter option 10-2
- Generate device cert--Enter option 10-3
Captive Portal Certificates
Aruba devices use digital certificates for authenticating a client's access to user-centric network services. Most devices, such as controllers and Instant APs, include the certificate of the CA that issued the server certificate for captive portal server authentication. However, Aruba recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted CA. Certificates can be stored locally on the devices and used for validating device or user identity during authentication.

Viewing the Certificate Store Parameters
To view the certificate store parameters, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. The Network Structure tab is displayed.
3. Click the Certificates tile. The Certificates page is displayed.
4. If required, expand the Captive Portal Certificates accordion to view the Certificate Store table.
The Certificate Store table displays the following information.

Table 40: Certificate Store Parameters
Parameter -- Description
Certificate Name -- Name of the certificate.
Status -- Status of the certificate.
Expiry Date -- Expiry date of the certificate.
Services -- Type of services supported by the certificate.
Type -- Type of certificate.
SHA-1 Checksum -- The Secure Hash Algorithm 1 is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value.
MD5 Checksum -- The Message-Digest Algorithm 5 is a cryptographic hash function which takes an input and produces a 128-bit (16-byte) hash value.

NOTE: In the Certificate Store table, click the icon to display the required columns.

Uploading Captive Portal Certificates
To upload certificates, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. The Network Structure tab is displayed.
3. Click the Certificates tile. The Certificates page is displayed.
4. If required, expand the Captive Portal Certificates accordion to view the Certificate Store table.
5. Click the + icon to add the certificate to the Certificate Store.
6. In the Add Certificate dialog box, specify the following information:
   - Name--Name of the certificate.
   - Type--Select the certificate type. You can select any one of the following certificates:
      - Server Certificate--Server certificates required for communication between devices and authentication servers. The Format, Passphrase, and Retype Passphrase options are applicable only when you select Server Certificate from the Type drop-down list.
      - CA Certificate--Digital certificates issued by the CA.
      - CRL--Certificate Revocation List that contains the serial numbers of certificates that have been revoked. This certificate is required for performing a certificate revocation check.
      - OCSP Responder Cert--OCSP responder certificates.
      - OCSP Signer Cert--OCSP Response Signing Certificate.
      The OCSP certificates are required for OCSP server authentication.
   - Format--Select a certificate format. You can select any one of the following formats:
      - PEM--Privacy Enhanced Mail is a Base64-encoded DER certificate.
      - DER--Distinguished Encoding Rules files are digital certificates in binary format. Both digital certificates and private keys can be encoded in DER format.
      - PKCS12--Public-Key Cryptography Standards 12 is an archive file format for storing many cryptography objects as a single file.
      The PKCS12 certificate format option is not applicable when you select CA Certificate from the Type drop-down list.
   - Passphrase--Enter a passphrase.
   - Retype Passphrase--Retype the passphrase for confirmation.
      The Passphrase and Retype Passphrase options are displayed only when you select Server Certificate from the Type drop-down list.
   - Certificate File--Click Choose File, browse to the location where the certificates are stored, and select the certificate files.
7. Click Add. The certificate is added to the Certificate Store table.
Deleting Captive Portal Certificates
To delete certificates, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. The Network Structure tab is displayed.
3. Click the Certificates tile. The Certificates page is displayed.
4. If required, expand the Captive Portal Certificates accordion to view the Certificate Store table.
5. In the Certificate Store table, select the certificate that you want to delete and then click the delete icon. The Confirm Action pop-up window is displayed.
6. Click Yes in the Confirm Action pop-up window to delete the certificate.
Editing Captive Portal Certificates
To edit certificates, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. The Network Structure tab is displayed.
3. Click the Certificates tile. The Certificates page is displayed.
4. If required, expand the Captive Portal Certificates accordion to view the Certificate Store table.
5. In the Certificate Store table, select the certificate that you want to edit and then click the edit icon. The Edit Certificate pop-up window is displayed.
6. Click Add to edit the certificate.
Appliance Certificates
To connect securely from a browser to the Aruba Central On-Premises UI, a server certificate must be uploaded to Aruba Central On-Premises. By default, Aruba Central On-Premises includes a self-signed certificate. The default certificate is not signed by a root certificate authority (CA). For devices to validate and authorize Aruba Central On-Premises, administrators must upload a valid certificate signed by a root CA.
Viewing the Certificate Store Parameters
To view the certificate store parameters, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. The Network Structure tab is displayed.
3. Click the Certificates tile. The Certificates page is displayed.
4. Expand the Appliance Certificates accordion to view the Certificate Store table.
The Certificate Store table displays the following information.

Table 41: Certificate Store Parameters
Parameter -- Description
Certificate Name -- Name of the certificate.
Status -- Status of the certificate.
Expiry Date -- Expiry date of the certificate.
Services -- Type of services supported by the certificate.
Type -- Type of certificate.
SHA-1 Checksum -- The Secure Hash Algorithm 1 is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value.

NOTE: In the Certificate Store table, click the icon to display the required columns.

Uploading Appliance Certificates
To upload certificates, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. The Network Structure tab is displayed.
3. Click the Certificates tile. The Certificates page is displayed.
4. Expand the Appliance Certificates accordion to view the Certificate Store table.
5. Click the + icon to add the certificate to the Certificate Store.
6. In the Add Certificate dialog box, specify the following information:
   - Name--Name of the certificate.
   - Type--Select the certificate type. You can select one of the following:
     - Server Certificate--Server certificates are used between browsers and Aruba Central On-Premises to access the Aruba Central On-Premises UI. A server certificate is also required for communication between a device and Aruba Central On-Premises when Device is selected in the supported services.
       The Format, Services Supported, Passphrase, and Retype Passphrase options are applicable only when you select Server Certificate from the Type drop-down list.
     - CA Certificate--Digital certificates issued by the CA. If you intend to upload multiple CA certificates, Aruba Central On-Premises allows you to combine them and upload them as a single CA certificate.
       The Operation Type option is applicable only when you select CA Certificate from the Type drop-down list.
   - Services Supported--Select the services to be supported by the server certificate. A single server certificate can be used for one or both of the following services:
     - Web UI And API Gateway--The server certificate is applied to the WebUI and API Gateway service.
     - Device--The server certificate is applied to the device service.
   - Format--Select a certificate format. You can select one of the following:
     - PEM--Privacy Enhanced Mail is a Base64 encoded DER certificate.
     - DER--Distinguished Encoding Rules files are digital certificates in binary format. Both digital certificates and private keys can be encoded in DER format.
     - PKCS12--Public-Key Cryptography Standards 12 is an archive file format for storing many cryptography objects as a single file.
     The DER certificate format is not applicable when you select Server Certificate from the Type drop-down list. The PKCS12 certificate format is not applicable when you select CA Certificate from the Type drop-down list.
   - Operation Type--Select the action required while adding CA certificates. This option is applicable only when you select CA Certificate from the Type drop-down list. You can select one of the following options:
     - Append--Adds the new CA certificates to the uploaded CA certificates along with the default list of certificates. You can add a maximum of 10 CA certificates to the default list.
     - Replace--Retains the default list and replaces the user-uploaded certificates only.
   - Passphrase--Enter the passphrase that was used while generating the private key.
   - Retype Passphrase--Retype the passphrase for confirmation.
   - Certificate File--Click Choose File, browse to the location where the certificates are stored, and select the certificate files.
7. Click Add. The certificate is added to the Certificate Store table.
Aruba Central On-Premises does not allow you to edit or delete the appliance certificates.
Certificate Signing Request
Aruba Central On-Premises also supports Certificate Signing Request (CSR) generation, which is used when generating server certificates for use with Aruba Central On-Premises. To generate a CSR, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. The Network Structure tab is displayed.
3. Click the Certificates tile. The Certificates page is displayed.
4. Expand the Appliance Certificates accordion to view the Certificate Store table.
5. Under Appliance Certificate, click Generate and Download Certificate Signing Request (CSR).
6. The Add Certificate Signing Request dialog is displayed.
7. Enter the following details:
   - Distinguished Name--Unique name.
   - Organization--Name of your organization.
   - Department Name--Department name of your organization.
   - City--Name of the city of your organization.
   - State--Name of the state of your organization.
   - Country--Country code of your organization. See List of accepted country codes.
   - Email Address--Contact email address.
8. Click Add. A PEM file with both the public and private key is generated and downloaded automatically.
9. Remove the private key before sending the file to the root CA for signing. After the root CA signs the certificate, add the private key back and upload the PEM file again.
Supported Certificate Formats
The following section describes the different certificate formats supported in Aruba Central On-Premises.
PEM Format
The PEM format is the most common format used by Certificate Authorities to issue certificates. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.
Apache and other similar servers use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files. For more information, see Sample PEM file.
DER Format
The DER format is a binary form of a certificate, as opposed to the ASCII PEM format. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java platforms. If you need to convert a private key to DER, use the OpenSSL commands on this page.
PKCS#12 or PFX Format
The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.


Wildcard Certificates
A wildcard certificate is a digital certificate that is applied to a domain and all its subdomains. SSL certificates use wildcards to extend SSL encryption to subdomains. All wildcard certificates have a * in their common name. For example, a certificate that has *.arubathena.com in its common name is a wildcard certificate.
Requesting a Wildcard Certificate
If the certificate is reported as not secure or invalid, request a wildcard certificate or a certificate for the FQDN of the Aruba Central On-Premises server from an authorized certificate provider to resolve the certificate error.
Uploading the Wildcard Certificate
Once you have the required certificates, upload the certificate to the Aruba Central On-Premises system. To add the wildcard certificate, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. The Network Structure tab is displayed.
3. Click the Certificates tile. The Certificates page is displayed.
4. Expand the Appliance Certificates accordion to view the Certificate Store table.
5. Click the + icon to add the certificate to the Certificate Store.
6. In the Add Certificate dialog box, enter the name.
7. Select Server Certificate from the Type drop-down list.
8. Select PEM from the Format drop-down list.
9. Select the Services supported for the Server Certificate.
10. Enter the Passphrase and Retype Passphrase.
11. In the Certificate File field, click Choose File, browse to the location where the certificates are stored, and select the wildcard certificate.
    The PEM file contains the certificates and the private key. The private key must be in the PEM format and appended after all the certificates. For more information, see Sample PEM format.
12. Click Add. The new valid certificate is successfully added.
13. Once the valid certificate is uploaded, check the status of the certificate. For the steps, see Checking the Status of the Certificate. The wildcard certificate information is displayed.
This wildcard certificate can be applied to any server whose FQDN has one hostname followed by .domainname.com. The same wildcard certificate cannot be used for servers whose FQDNs have other formats, for example, a hostname under .aw.domainname.com.
The following shows the structure of a sample certificate file in PEM format. The Base64 contents of each block are omitted here; the certificates come first and the private key is the last block:
-----BEGIN CERTIFICATE-----
(certificate, Base64 encoded)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(certificate, Base64 encoded)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(certificate, Base64 encoded)
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
(private key, Base64 encoded)
-----END PRIVATE KEY-----
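As an added example (not the guide's or the product's own code), the following Python script checks a PEM bundle for the layout this section requires before upload (certificates first, exactly one private key appended last, every block complete and valid Base64) and separates and re-joins the private key as the CSR workflow above requires. The sample blocks are constructed placeholders, not real certificates or keys.

```python
"""Check a PEM bundle for the layout required when uploading a server
certificate: all certificates first, exactly one private key appended last.
Added example; not code from the guide or from Aruba Central On-Premises."""
import base64
import re

# One PEM block: the END label must repeat the BEGIN label; the body is Base64.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)
# PEM labels that carry a private key (PKCS#8, PKCS#1 and SEC1 forms).
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem(text):
    """Return [(label, der_bytes), ...] for every complete PEM block in text.

    Raises ValueError when a BEGIN line has no matching END line (a truncated
    or mis-pasted file) or when a body is not valid Base64 (a corrupted file).
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group("body").split())  # drop line breaks
        try:
            # binascii.Error (raised for bad Base64) is a ValueError subclass.
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"block {match.group('label')!r} is not valid Base64") from exc
        blocks.append((match.group("label"), der))
    begins = len(re.findall(r"-----BEGIN ", text))
    if begins != len(blocks):
        raise ValueError(f"{begins} BEGIN markers but only {len(blocks)} complete blocks")
    return blocks


def check_upload_bundle(text):
    """Return a list of problems; an empty list means the bundle has the layout
    the upload step requires: one or more certificates, then one private key."""
    try:
        labels = [label for label, _ in parse_pem(text)]
    except ValueError as exc:
        return [str(exc)]
    problems = []
    cert_positions = [i for i, label in enumerate(labels) if label == "CERTIFICATE"]
    key_positions = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    if not cert_positions:
        problems.append("no CERTIFICATE block found")
    if len(key_positions) != 1:
        problems.append(f"expected exactly one private key block, found {len(key_positions)}")
    if key_positions and cert_positions and key_positions[0] < max(cert_positions):
        problems.append("private key must be appended after all certificates")
    for label in labels:
        if label != "CERTIFICATE" and label not in KEY_LABELS:
            problems.append(f"unexpected block type {label!r}")
    return problems


def split_for_signing(text):
    """Separate the blocks to send to the CA from the private key blocks that
    stay local (the 'remove the private key' step of the CSR workflow)."""
    public, private = [], []
    for match in PEM_BLOCK.finditer(text):
        target = private if match.group("label") in KEY_LABELS else public
        target.append(match.group(0))
    return "\n".join(public) + "\n", "\n".join(private) + "\n"


def assemble_bundle(chain_text, key_text):
    """Join the signed chain and the private key in the order the upload expects."""
    return chain_text.strip() + "\n" + key_text.strip() + "\n"


def _constructed_block(label, payload):
    """Build a PEM block from arbitrary bytes. Constructed demo data, not real DER."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample files (placeholders, not real certificates or keys).
SAMPLE_CHAIN = (_constructed_block("CERTIFICATE", b"constructed server certificate")
                + _constructed_block("CERTIFICATE", b"constructed intermediate certificate"))
SAMPLE_KEY = _constructed_block("PRIVATE KEY", b"constructed private key")
GOOD_BUNDLE = SAMPLE_CHAIN + SAMPLE_KEY   # certificates first, key last: accepted
BAD_ORDER = SAMPLE_KEY + SAMPLE_CHAIN     # key before the certificates: rejected

if __name__ == "__main__":
    print("good bundle:", check_upload_bundle(GOOD_BUNDLE) or "OK")
    print("key first:", check_upload_bundle(BAD_ORDER))
    chain, key = split_for_signing(GOOD_BUNDLE)
    print("re-assembled:", check_upload_bundle(assemble_bundle(chain, key)) or "OK")
```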
Checking the Status of the Certificate
Once Aruba Central On-Premises is installed, a self-signed certificate is generated automatically; this certificate is not issued by any authorized CA. So, when you access the Aruba Central On-Premises server using an FQDN, the browser displays the warning "Your Connection is not private", because this certificate is not trusted by the browser.
The following illustration displays the warning message.
Figure 20 Connection Status
To check the status or validity of a certificate, complete the following steps:
1. Log in to the Aruba Central On-Premises server.
2. Click the view site information icon next to the URL in the browser.
3. Click Certificates. The certificate information is displayed. Here, you can check whether the certificate is self-signed and view details such as Country, Issuer Name, and so on.
Figure 21 Certificate Details

Chapter 10 System Management
System Management
The System Management tab allows you to perform administrative tasks such as setting up the system, enabling SMTP settings, notifications, migration, and backup and restore.
All other system operations are disabled until the ongoing system operation is complete.
Viewing System Management
To view the System Management tab, which was earlier located under the Account Home page, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management. The System Management page is displayed.
3. On the System Management page, the following tabs are displayed:
   - Performance
   - Version
   - Network
   - External Services
   - Backup and Restore
   - Migration
Viewing System Performance
To view the Aruba Central On-Premises system performance, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Global Settings, click System Management > Performance.
The Performance tab displays the following components:
- Central System--The Central System section displays the overall status of all the appliances, Central Processing Units, memory units, and data storage units as Good or Poor. For more information, see Viewing Central System Status.
- Appliance Resources--The Appliance Resources table displays details such as the percentage of CPU and memory utilization, the status of the appliances in the cluster, the percentage of disk space usage, and so on. For more information, see Viewing Appliance Resources.
- Service Monitoring--The Service Monitoring table displays details such as the status of various deployments, the number of restarts undergone by the services, the age of the services, and so on. For more information, see Service Monitoring.
- Logs--The Logs table displays the various log files that are related to the appliances and services. The table also displays the time and date at which the log files were created. For more information, see Viewing Log Files.
- System Operations--The System Operations table displays details of the various system operations running across the cluster. For more information, see Viewing System Operations.
Viewing Central System Status
The Central System section displays the following details:
- Appliance Status--Indicates whether the overall status of the appliances in the cluster is Good or Poor.
- CPU Status--Indicates whether the overall status of the processing unit usage is Good, Fair, or Poor.
- Memory Status--Indicates whether the overall status of the memory usage is Good, Fair, or Poor.
- Disk Status--Indicates whether the overall status of the disk usage is Good, Fair, or Poor.
The Central System section displays Poor for Appliance Status if even one of the appliances is Down, and Poor for CPU Status, Memory Status, or Disk Status if even one appliance's corresponding status is Poor.
Viewing Appliance Resources
The Appliance Resources section displays a table with the following columns:
- Appliance--The FQDN of the appliance in the cluster.
- Status--The status of the appliance as Up or Down.
- CPU--The percentage of CPU utilization of the appliance in the cluster.
- Memory--The percentage of memory usage of the appliance in the cluster.
- Storage--The percentage of storage utilization of the appliance in the cluster.
- Disk(Read)--The percentage of disk utilization for read operations.
- Disk(Write)--The percentage of disk utilization for write operations.
- Network Usage Up--The data transmitted from the appliance, measured in bytes.
- Network Usage Down--The data received by the appliance, measured in bytes.
- Uptime--The total duration for which the appliance has been operational.
Clicking the add icon at the top right corner of the table opens the Add Appliance Resource page. Enter the number of appliances to be added to the cluster along with the corresponding FQDNs of the appliances, and click Add.
The add option is available only for clusters that contain 3 or 5 appliances. It is unavailable in a setup that contains a single appliance or seven appliances.
You can click the column selection icon and select or de-select the columns to be displayed in the table.
You can restart the appliance and generate logs by clicking the restart and generate logs icons, respectively. To replace a device, click the replace icon corresponding to the device. The Replace Appliance Resource page opens. Enter the FQDN of the new appliance and click Replace.
Service Monitoring
The Service Monitoring section displays a table with the following columns:
- Deployment--The various deployment services running in the cluster.
- Appliance--The FQDN of the appliance on which the service is running.
- Namespace--The namespace of the service.
- Status--The status of the service as Up, Down, or Partially Up.
- Restarts--The number of restarts that the service has undergone.
- Age--The time duration for which the service has been operational.
Click the generate logs icon at the top right corner of the Service Monitoring table to generate log files related to all the listed services.
You can restart a service, or generate logs related to a specific service, in the Service Monitoring table by clicking the restart and generate logs icons, respectively.

Viewing Log Files
The Logs section displays a table with the following columns:
- File--The name of the generated log file.
- Type--Whether the file is in readable format (a single pod log) or in non-readable snapshot format (global level logs).
- Created--The time and date at which the log file was created.
You can click the column selection icon and select or clear the columns to be displayed in the table. To download a specific log file, hover the mouse over the row in the Logs table and click the download icon.
To delete a specific log file, hover the mouse over the row in the Logs table and click the delete icon.

Viewing System Operations
The System Operations section displays a table with the following columns:
- Operation Type--The type of system operation running in the cluster.
- Status--The current status of the system operation as Success, Failed, In Progress, or Timeout.
- More Details--Additional details about the system operation status.
- Start Time--The time at which the system operation began.
- End Time--The time at which the system operation ended.
Aruba Central On-Premises Upgrade
It is strongly recommended that you upgrade your Aruba Central On-Premises installation to the next available major version for smooth and hassle-free operation of your account. The upgrade watcher checks for any major version release and notifies you of its availability on your next Aruba Central On-Premises account login. The upgrade workflow differs for regular-online user accounts, occasional-online user accounts, and offline users.
The upgrade operation can only be done by a user with admin rights.
Online Upgrade through the Versions Page
Upgrade Watcher Workflow for Regular-Online User
This section describes the upgrade workflow and the requirements for regular-online Aruba Central On-Premises user accounts. Based on the version availability, upon logging in to your Aruba Central On-Premises account, one of the following pages is displayed:
1. Upgrade Available--This window is displayed when you log in to your Aruba Central On-Premises account within the deadline for the version upgrade (60 days from the date of version release). The Upgrade Available window provides the following information:
   - Internet Connection is needed--Informs you of the connectivity requirement for the process.
   - Current version--Current running version.
   - New versions--Next major available version.
   - Status--Provides the status and progress bar for file transfer, extract, and upgrade.
   - Deadline--Displays the number of days remaining for the upgrade. The number of days varies depending on the date the version became available and the day of login. For example, if the version was available on 10th of December and the user logs in on 12th of December, the remaining days changes to 57 days within which the account needs to be upgraded.
   - Upgrade Now--Allows you to initiate the upgrade process.
   - Go to Versions--This tab is displayed if any one of the extraction stages is interrupted, in progress, or failed. Clicking Go to Versions navigates to the System Management > Version tab with the version upgrade in process.
   - Remind in x days--Allows you to snooze the notification for some days. The notification can be snoozed for 7 days (60-20 remaining days), 5 days (20-10 remaining days), 3 days (10-5 remaining days), 2 days (5-3 remaining days), and 1 day (for the rest of the remaining days). On snoozing the notification, you can use the account normally and the next notification comes after the set number of days.
   To upgrade the version once notified, click Upgrade Now to initiate the upgrade process. You can also navigate to the System Management > Version tab to initiate the upgrade. For more information on how to navigate to the Version tab, see Version. The following example image displays the Upgrade Available window.

Figure 22 Upgrade Available

2. Upgrade Required--This window is displayed when you log in to your Aruba Central On-Premises account after the deadline has been missed. This window indicates that you have missed the upgrade deadline and an immediate upgrade is required. All account GUI functionality is blocked until Aruba Central On-Premises is upgraded to the latest version. To upgrade, click Upgrade Now to initiate the upgrade. The Upgrade Required window provides the following information:
   - Internet Connection is needed--Informs you of the connectivity requirement for the process.
   - Current version--Current running version.
   - New versions--Next major available version.
   - Status--Provides the status and progress bar for file transfer, extract, and upgrade.
   - Deadline--Displays the number of overdue days past the deadline.
   - Upgrade Now--Allows you to initiate the upgrade process.
   - Retry--This tab is displayed only when any one of the upgrade stages fails. Click Retry to retry the upgrade process. If the upgrade fails after multiple retries, contact an Aruba Central support representative.
Once the upgrade is successful, the account returns to its normal functionality.
The following example image displays the Upgrade Required window with the Retry option.


Figure 23 Upgrade Required
Upgrade Watcher Workflow for Occasional-Online User
This section describes the upgrade workflow and the requirements for occasional-online Aruba Central On-Premises user accounts. This scenario applies to users who log in to Aruba Central On-Premises after 39 days and up to a maximum of 45 days from the date of connectivity loss. All account GUI functionality is allowed, and the user has to upgrade to the major available version within the prescribed period. Based on the account login period, one of the following pages is displayed:
1. Upgrade Check Failed--This window is displayed when the user logs in to Aruba Central On-Premises within the above-mentioned period. The Upgrade Check Failed window provides the following information:
   - Internet Connection is needed--Informs you of the connectivity requirement for the process.
   - Last Upgrade Check--Displays the date of the last upgrade check.
   - Deadline--Displays the remaining days for the mandatory upgrade check.
   - Check for Upgrade--Once connected, checks for the status and redirects you to the Upgrade Available or Upgrade Required page.
   - Remind in x days--Allows you to snooze the notification. Snoozing can be done for 5 days (on the 39th day) and 1 day for the remaining days.
   The following example image displays the Upgrade Check Failed window.

Figure 24 Upgrade Check Failed
2. Upgrade Check Required--This window is displayed when the user logs in to the Aruba Central On-Premises account after 45 days from the day of connectivity loss. In this scenario, the user account is blocked and an immediate upgrade check is required. The Upgrade Check Required window displays the following information:
   - Internet Connection is needed--Informs you of the connectivity requirement for the process.
   - Last Upgrade Check--Displays the date of the last upgrade check.
   - Deadline--Displays the remaining days for the mandatory upgrade check.
   - Check for Upgrade--Once connected, checks for the status and redirects you to the Upgrade Available or Upgrade Required page.
   The following example image displays the Upgrade Check Required window.


Figure 25 Upgrade Check Required
Offline Upgrade through Command Line Interface (CLI)
Upgrade Watcher Workflow for Offline User
This section describes the upgrade workflow and the requirements for offline Aruba Central On-Premises user accounts. This scenario applies to users who have enabled Airgap mode through the CLI to enable offline upgrade. For more information on enabling Airgap, see Command Line Interface. All account GUI functionality is allowed, and the user has to upgrade to the major available version within the prescribed period and time range (49 days - 55 days). Based on the account login period, one of the following pages is displayed:
1. Upgrade Available--This window is displayed when you log in to your Aruba Central On-Premises account within the deadline for the version upgrade (55 days from the date of version release). The Upgrade Available window provides the following information:
   - Current version--Current running version.
   - New versions--Next major available version.
   - Status--Provides the status and progress bar for the file transfer, verification, extract, and upgrade.
   - Deadline--Displays the number of days remaining for the upgrade. The number of days varies depending on the date the version became available and the day of login. For example, if the version was available on 8th of December and the user logs in on 10th of December, the remaining days changes to 53 days within which the account needs to be upgraded.
   - Remind in x days--Allows you to snooze the notification for some days. The notification can be snoozed for 7 days (55-20 remaining days), 5 days (20-10 remaining days), 3 days (10-5 remaining days), 2 days (5-3 remaining days), and 1 day (for the rest of the remaining days). On snoozing the notification, you can use the account normally and the next notification comes after the set number of days.
   The following example image displays the Upgrade Available window.

2. Upgrade Check Required--This window is displayed when you log in to your Aruba Central On-Premises account after the deadline has been missed. This window indicates that you have missed the upgrade deadline and an immediate upgrade is required. All account GUI functionality is blocked until Aruba Central On-Premises is upgraded to the latest version. To upgrade, follow the steps shown on the screen and upload the update checker file. The Upgrade Required window provides the following information:
   - Current Version--Current running version.
   - New Version--Next major available version.
   - Last Upgrade Check--Displays the date of the last upgrade check.
   - Deadline--Displays the remaining days for the mandatory upgrade check.
   - Upgrade Steps--Displays the steps to upload the update checker file.
   To upgrade the version once notified, you can either drag and drop the update checker file from your local browser, or click Upload update checker file. Once the upgrade is successful, the account returns to its normal functionality and the next notification comes after the set number of days.
   The following example image displays the Upgrade Check Required window.


3. Upgrade Check Failed--This window is displayed when the user logs in to Aruba Central On-Premises within the above-mentioned period. The upgrade check can fail for the following reasons:
   - The customer uploaded an older version of the upgrade file than the latest available file.
   - The customer uploaded a lower version of the upgrade check file than the running version.

Version
The Version tab displays the installed version, the version available for upgrade, and the upgrade status, and also allows you to generate logs related to events that occurred during an upgrade.
Viewing Installed and Available Version Information
To view the Aruba Central On-Premises versions, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management.
3. Click the Version tab.
The Version pane displays the following information:
- Installed Version--The version currently installed on the Aruba Central On-Premises server.
- Available Version--The version that is currently available and to which the user can upgrade.
Upgrading Aruba Central On-Premises
To upgrade Aruba Central On-Premises to the latest version, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management.
3. Click the Version tab.
4. In the Upgrade pane, click Upgrade Now to upgrade to the latest version of Aruba Central On-Premises.
The Upgrade pane also displays the following information:
- Status--Displays the overall status of the upgrade.
- File Transfer--Displays the status of the file transfer.
- Extract--Displays the status of the file extraction.
- Upgrade--Displays the status of the upgrade.
Generating Logs
Aruba Central On-Premises allows you to view and download logs related to the events that occurred during the upgrade process. To generate the logs for these events, click Generate Logs in the Logs pane. Once generated, the logs can be viewed in the Logs table. The Logs table displays the following information and also allows you to download or delete logs:
- File--Displays the generated file name.
- Created--Displays the date and time of the log creation.
- Status--Displays the status of the generated logs.
- Action--Allows you to do the following:
  - Download--Select the file and click the download icon to download the generated file.
  - Delete--Select the file that you want to delete and click the delete icon. In the Confirm Action pop-up window, click Yes.
Network
The Network tab displays the summary of the network settings configured for a cluster and allows you to test the proxy server and configure the support connection.
Viewing Network Settings Information
To view the Aruba Central On-Premises network settings, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management > Network tab.
The Network pane displays the following information:
- FQDN
- VIP
- Subnet Mask
- Gateway
- Primary DNS
- Secondary DNS
- NTP IP or FQDN
- NTP Time Zone
The information displayed in the Network pane is read-only and is based on the data that you configured while setting up the network. For more information, see Aruba Central On-Premises Installation and Setup Guide.
Viewing Proxy settings
To view and configure the Aruba Central On-Premises proxy settings, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management > Network tab.
3. Click the Network tab. In the Proxy pane, enter the following information:
   - Port--Enter the proxy server port.
   - Proxy Server--Enter the proxy server host name or IP address.
   - Username--Enter the username.
   - Password--Enter the password.
   - Confirm Password--Re-enter the password to confirm.
4. Click Save, or click Test Proxy to validate the proxy settings.
- To validate the proxy server, ensure that you provide valid server details. You can also set up the proxy server using the Proxy Server Setup option while configuring the cluster. For more information, see Aruba Central On-Premises Installation and Setup Guide.
- You can configure secondary and tertiary NTP servers in the Aruba Central On-Premises CLI.
Viewing Support Connection
To view the Aruba Central On-Premises support connection, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management > Network tab.
3. The Support Connection pane with its Status is displayed.
You can start the connection from the UI by clicking the Start button in the Support Connection pane. After the tunnel connection is established, you can stop it by clicking the Stop button in the same pane. On successful operation, the status is shown as Active. You can also start, stop, restart, upload the support connection file, or check the status of the Support Connection using the CLI commands. For more information, see the Support Command section in the Aruba Central On-Premises User Guide.
External Services
This tab helps you configure the SMTP server settings, syslog servers, and SNMP trap destinations. To view the External Services tab, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management.
3. Click the External Services tab.
The tab displays the following components:

- SMTP--The SMTP section displays a table of SMTP servers, the ports used by the servers, and the server status. You can configure only one SMTP server in COP. For more information, see SMTP.
- SNMP Traps Destination--The SNMP Traps Destination table displays details such as the trap destination IP addresses of the SNMP servers to which traps are sent, and the SNMP versions. For more information, see SNMP Traps Destination.
- SysLog--The SysLog table displays a list of syslog servers with the corresponding IP addresses and the associated ports. For more information, see SysLog Server Details.
SMTP
To ensure correct delivery of emails to the user accounts configured in your setup, you must configure the SMTP server settings in Aruba Central On-Premises. Starting from Aruba Central On-Premises 2.5.3.0, unencrypted email server communication is supported through a new SMTP option, No encryption. When you configure SMTP, you can choose TLS, SSL, or No encryption. The SMTP table displays the following details:
- Server--The Server column displays the SMTP server names.
- Port--The Port column displays the configured SMTP port for the server. The default Aruba SMTP port is 587.
- Status--The Status column indicates the status of the SMTP server. The status is indicated as Failure or Success.
To edit the SMTP server, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management. The System Management page is displayed.
3. Click the External Services tab.
4. In the SMTP pane, hover over the SMTP server name and click the edit icon. The Edit SMTP Server section is displayed.
5. Configure the following parameters:
   - Host name or IP address--Host name or IP address of the SMTP server.
   - Port--Port number of the SMTP server.
   - From address--From address for the email.
   - User Name--Email address of the user.
   - Password--Password.
   - Confirm Password--Retype the password to confirm.
   - Encryption--Enable TLS for secure communication.
   - Test email--Add recipient email addresses and click Test.
6. Click Save.
SNMP Traps Destination
An SNMP trap is a notification that is sent to an SNMP server when certain events occur, such as faults or security events. The trap destination IP address is the IP address of the SNMP server where the trap will be sent. The SNMP Traps Destination section displays a table with the following columns:
- Server--The Server column displays the SNMP trap server name or IP address of the trap server.
- Version--The Version column displays the SNMP version. The supported versions are v2 and v3.
Click the + icon to display the Add SNMP Trap page:
- To add a new SNMPv2 trap destination, enter the SNMP server name, hostname, port details, and community string, and then click Save.
- To add a new SNMPv3 trap destination, enter the SNMP server name, hostname, port details, SNMP username, authentication protocol (SHA/MD5), authentication password, privacy protocol (AES/DES), and privacy password, and then click Save.
Click the icon to download MIB files. You can download and use the MIB files in your SNMP manager to monitor memory status, hardware status, and other device attributes.
SysLog Server Details
To enable Aruba Central On-Premises to send system events to a logging server, ensure that you configure the syslog server details on Aruba Central On-Premises.
In addition to UDP, Aruba Central On-Premises also supports TCP and Secure TCP connection types to the syslog server.
When you select Secure TCP as the type of connection to the syslog server, ensure that you upload a CA certificate for the syslog server on the Organization > Network Structure > Certificates page. For more information, see Managing Certificates.
To configure the syslog server, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management. The System Management page is displayed.
3. Click the External Services tab.
4. In the Syslog table, click +. The Add Syslog Server window is displayed.
5. In the Add Syslog Server window, configure the following parameters:
   - Syslog server--Name of the syslog server.
   - Hostname or IP Address--Hostname or IP address of the syslog server.
   - Port--Port of the syslog server.
   - Connection Type--Select one of the following connection types to the syslog server:
     - Secure TCP
     - TCP
     - UDP
   - Syslog Type--Select the message types to be sent to the syslog server. You can select one or both of the following options:
     - Audit Trail
     - System Log
   By default, alerts are always sent as syslog messages to the syslog server, regardless of which Syslog Type options are selected.
6. Click Save to submit the details of the syslog server.
The Syslog table displays the following details:
- Server--Name of the syslog server.
- Hostname or IP Address--Hostname or IP address of the syslog server.
- Port--Port of the syslog server.
- Connection Type--Connection type to the syslog server.
- Syslog Type--Syslog message types to be received on the syslog server.
In addition to alerts and audit trail messages, Aruba Central On-Premises also sends system logs as syslog messages to the syslog server. Aruba Central On-Premises sends the syslog messages in the Common Event Format (CEF). CEF is a log management standard that uses a standardized logging format so that data can easily be collected and aggregated for analysis by an enterprise management system.
You can configure a maximum of seven syslog servers in Aruba Central On-Premises.
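Because alerts, audit trail and system log messages all arrive at the syslog server in CEF, the receiving collector has to split the pipe-delimited header and the key=value extension correctly, including the escapes CEF permits. The following parser is an added example and not product code; its two sample lines are constructed for illustration and do not reproduce actual Aruba Central On-Premises output.

```python
"""Parse Common Event Format (CEF) records received over syslog.

Added example; SAMPLE_LINES below are constructed, not real product output.
"""
import re
from typing import Dict, List

# CEF header: seven '|'-separated fields, then the extension:
#   CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Anything before "CEF:<n>|" is syslog transport prefix (PRI, timestamp, host).
_SYSLOG_PREFIX = re.compile(r"^.*?(?=CEF:\d+\|)")

# An extension key is [A-Za-z0-9_.-]+ at the start or after whitespace, directly
# followed by '='. An escaped '\=' inside a value can never match this.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def _split_header(text: str) -> List[str]:
    """Split on unescaped '|' ('\\|' and '\\\\' are literals).

    Returns the seven header fields followed by the raw extension string."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])      # keep the escaped character itself
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields + [text[i:]]           # remainder is the extension


def _unescape_value(raw: str) -> str:
    """Undo extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n'/'\\r' -> newline."""
    out: List[str] = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append({"n": "\n", "r": "\r"}.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'k1=v1 k2=value with spaces' into a dict; values may hold spaces."""
    result: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape_value(ext[m.end():end].strip())
    return result


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog line carrying a CEF record into a dict.

    Raises ValueError for non-CEF lines so a collector can count and
    quarantine them instead of silently dropping them."""
    body = _SYSLOG_PREFIX.sub("", line, count=1)
    if not body.startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:60])
    parts = _split_header(body[len("CEF:"):])
    record: Dict[str, object] = dict(zip(HEADER_FIELDS, parts[:7]))
    record["extension"] = _parse_extension(parts[7])
    return record


def high_severity(record: Dict[str, object]) -> bool:
    """CEF severity is 0-10 or Low/Medium/High/Very-High; treat >= 7 as high."""
    sev = str(record["severity"]).strip()
    if sev.isdigit():
        return int(sev) >= 7
    return sev.lower() in ("high", "very-high")


# Constructed sample input (not real product output): an audit-trail event with
# an escaped '=' in a value, and an alert whose name holds an escaped '|'.
SAMPLE_LINES = [
    "<134>Jan  5 10:00:00 cop-host CEF:0|Aruba|Central On-Premises|2.5.6|"
    "AUDIT_LOGIN|User login|3|suser=admin src=192.0.2.10 "
    "msg=login via UI cs1=filter\\=Global cs1Label=Scope",
    "CEF:0|Aruba|Central On-Premises|2.5.6|AP_DOWN|AP offline \\| site A|8|"
    "dvc=192.0.2.20 dvchost=ap-lobby-01 msg=AP did not respond\\nfor 5 min",
]

if __name__ == "__main__":
    for rec in (parse_cef(line) for line in SAMPLE_LINES):
        flag = "HIGH" if high_severity(rec) else "info"
        print(flag, rec["signature_id"], rec["name"], rec["extension"])
```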
Backing up and Restoring Aruba Central System Data
Aruba Central On-Premises supports backing up system information, group configuration data, alerts, events, audit trail, sites, labels, and historical reports. You can back up Aruba Central On-Premises data manually or set a schedule for automatic backups.
Important Points to Note
- Use a Linux-based external backup server such as Ubuntu, CentOS, or RHL.
- Use the SCP protocol because it is faster than SFTP at transferring files, especially on high-latency networks.
- Before taking a data backup, you must have a file server configured and ready to save the files. Aruba Central On-Premises supports the following ciphers, MACs, and key exchange algorithms for SCP or SFTP transfers:
  - Ciphers--aes128-cbc, aes256-cbc, aes128-ctr, aes256-ctr
  - MAC--hmac-sha2-256, hmac-sha2-512
  - KexAlgorithm--ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
- Backup consumes large amounts of space (up to 5 terabytes). Ensure that you have sufficient space for a successful backup operation.
- The restore operation deletes any configuration applied before the restore. It also deletes and replaces device variables with those in the backup that is being restored.
- For a restore operation, make sure that you provide the file path that you used for the backup and select the appropriate backup file version.
- During a backup or restore operation, consider the IO system alert as normal because of the intense read and write operations carried out on the file system.
Manually Backing Up Data
To manually back up data, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, select System Management > Backup and Restore.
3. In the Backup pane, click the Backup Now menu option. The Immediate Backup window opens.
4. In the Immediate Backup window, configure the following parameters:
   a. Host name or IP address--Specify the host name or IP address of the server.
   b. Protocol Type--Specify SFTP or SCP. By default, SFTP is selected.
   c. File Path--Specify the file path or folder name on the server to which you want to save the data.
   d. From the Select Authentication Method drop-down, select one of the following authentication methods:
      - Username and Password--If you select this option, specify the SFTP or SCP username and password for the server.
      - SSH--If you select this option, enter the username of the backup server. When you select SSH, use the Copy SSH public key to the clipboard option to copy the authorized key. Next, add this key on the backup server where you want to back up the data; otherwise the backup operation fails.
5. Use the Copy host key to the clipboard option to copy the host key.
6. Click Backup Now to start backing up the data to the server.
   In case of a successful backup, the Status in the Backup pane shows Completed. You can also view the status of the supported data types by clicking the Backed up Systems arrow. The status sign against each data type turns green for a successful backup and red for a failed backup.
   If the backup fails due to a host key mismatch, a pop-up message appears stating that the backup operation has failed. The Status in the Backup pane is displayed as Failed, and the Reset host key for <ip address> option appears in the Backup pane.
7. The following are the supported data types:
   a. PostgreSQL
   b. Cassandra
   c. Elasticsearch
   d. Elasticsearch Aggregation
   e. Minio

Figure 26 Backup Now
Creating a Backup Schedule
To set a schedule for regular backups of Aruba Central data, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management.
3. Click the Backup and Restore tab. The Backup and Restore page is displayed.
4. In the Backup pane, click the Backup Later menu option. The Scheduled Backup window opens.
5. In the Scheduled Backup window, configure the following parameters:
   a. Specify a backup Frequency from the following options:
      - Back up daily--Select this option to back up daily. Specify the starting time at which the backup must run.
      - Back up weekly--Select this option to back up weekly. Specify the backup day and the starting time at which the backup must run.
      - Disable backup schedule--Select this option to disable the backup schedule.
   b. Host name or IP address--Specify the host name or IP address of the server.
   c. Protocol Type--Specify SFTP or SCP. By default, SFTP is selected.
   d. File Path--Specify the file path or folder name on the server to which you want to save the data.
   e. From the Select Authentication Method drop-down, select one of the following authentication methods:
      - Username and Password--If you select this option, specify the SFTP or SCP username and password for the server.
      - SSH--If you select this option, enter the username of the backup server. When you select SSH, use the Copy SSH public key to the clipboard option to copy the authorized key. This key must be added on the backup server where you want to back up the data; otherwise the backup operation fails.
6. Click Save.
If the backup fails due to a host key mismatch, a pop-up message appears stating that the backup operation has failed. The Status in the Backup pane is displayed as Failed, and the Reset host key for <ip address> option appears in the Backup pane.
Figure 27 Backup Later

Restoring Data
To restore the backed up data, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management.
3. Click the Backup and Restore tab. The Backup and Restore page is displayed.
4. In the Restore pane, click the Restore Now menu option. The Restore window opens.
5. In the Restore window, configure the following parameters:
   a. Host name or IP address--Specify the host name or IP address of the server used to save the backup data.
   b. Protocol Type--Specify SFTP or SCP. By default, SFTP is selected.
   c. File Path--Specify the file path or folder name on the server from which you want to restore the saved data.
   d. Select Authentication Method--Specify one of the following authentication methods:
      - Username and Password--If you select this option, specify the SFTP or SCP username and password for the server.
      - SSH--If you select this option, enter the username of the backup server.
6. Use the Copy host key to the clipboard option to copy the host key.
7. Click Restore System.
Figure 28 Restore
Resetting the Host Key for Backup or Restore Operation
When Aruba Central On-Premises connects to an external server, such as an SCP or SFTP server, it imports the server's host key automatically. If the host key changes for any reason, Aruba Central On-Premises can no longer connect to the backup or restore server, and the backup or restore operation fails. To reset the host key, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management.
3. Select the Backup and Restore sub tab.
4. If the host key has changed, the Reset host key for <ip address> option is shown in the Backup or Restore panes.
5. Select the Reset host key for <ip address> option.
6. The Reset host key for <ip address> pop-up opens.
7. Click Reset.
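Reset host key accepts whatever key the server presents now, so the check worth doing first is to confirm that the new key is the one the backup server's administrator expects. The following is an added example, not part of Aruba Central On-Premises: it derives the OpenSSH SHA256 fingerprint of a host key from a line of ssh-keyscan output and compares it with a fingerprint obtained out of band; the key bytes and the host name backup.example.net are constructed.

```python
"""Check a backup/restore server's SSH host key against an expected fingerprint.

Added example, not part of Aruba Central On-Premises. Standard library only;
the 32-byte key and the host name below are constructed for illustration.
"""
import base64
import hashlib
import struct
from typing import Optional, Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_key: bytes) -> bytes:
    """Build the public key blob for an ssh-ed25519 key (type string + 32 bytes)."""
    if len(raw_key) != 32:
        raise ValueError("ssh-ed25519 public keys are exactly 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64 digest without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan_line(line: str) -> Tuple[str, str, bytes]:
    """Parse one ssh-keyscan / known_hosts line: '<host> <type> <base64>'.

    Returns (host, key_type, blob) and rejects blobs whose embedded type
    string does not match the declared key type."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <key-type> <base64 blob>'")
    host, key_type, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + type_len].decode("ascii")
    if embedded != key_type:
        raise ValueError("declared type %r but blob says %r" % (key_type, embedded))
    return host, key_type, blob


def host_key_matches(keyscan_line: str, expected_fp: str,
                     expected_host: Optional[str] = None) -> bool:
    """True only when the scanned key's fingerprint (and, if given, the host)
    equals the value the backup server's administrator supplied out of band."""
    host, _, blob = parse_keyscan_line(keyscan_line)
    if expected_host is not None and host != expected_host:
        return False
    return fingerprint_sha256(blob) == expected_fp.strip()


# Constructed sample (not a real key); in practice the line comes from
#   ssh-keyscan -t ed25519 <backup-server>
SAMPLE_BLOB = build_ed25519_blob(bytes(range(32)))
SAMPLE_LINE = "backup.example.net ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")
# A different key presented under the same host name, as after a host key change.
CHANGED_LINE = "backup.example.net ssh-ed25519 " + base64.b64encode(
    build_ed25519_blob(bytes(range(1, 33)))).decode("ascii")

if __name__ == "__main__":
    expected = fingerprint_sha256(SAMPLE_BLOB)   # value obtained out of band
    print("expected  ", expected)
    print("unchanged ", host_key_matches(SAMPLE_LINE, expected, "backup.example.net"))
    print("changed   ", host_key_matches(CHANGED_LINE, expected, "backup.example.net"))
```

Only when the scanned fingerprint matches the one the server administrator reports should the Reset host key option be used; a mismatch you cannot explain is the signal to stop and investigate the server rather than reset.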
Generating Logs
During the restore process, most services are offline and come back online when the restore is complete. You can view the progress of the restore operation by logging in to the Aruba Central On-Premises CLI through a serial console and using the show command to navigate to the Backup-Restore status. For more information, see Accessing the Aruba Central On-Premises CLI and Show Commands in the Aruba Central On-Premises User Guide.
The Logs table displays the following information and also allows you to download or delete logs:
- File--Displays the generated file name. Use the filter option to filter the file names. You can also use the icon to sort the files in ascending or descending order.
- Created--Displays the date and time of the log creation. Use the icon to sort the list in ascending or descending order.
- Status--Displays the status of the generated logs. Use the icon to sort the list in ascending or descending order.
- Action--Allows you to do the following actions:
  - Download--Select the file and click the icon to download the generated file.
  - Delete--Select the file that you want to delete and click the delete icon. In the Confirm Action pop-up window, click Yes.
Migrating the AirWave Server
Important Information for Migration
The following are the requirements and guidelines for the migration process:
- The AirWave system must be running AirWave version 8.2.8.2 or later for the migration to proceed. If the AirWave system is running an earlier version, refer to the AirWave documentation to upgrade to 8.2.8.2 or a later version.
- Only those APs, controllers, and switches that are supported in Aruba Central On-Premises are migrated. For information on supported hardware, see the Supported Devices section.
- As part of the migration, VisualRF and the device inventory for CAPs, IAPs, controllers, and Aruba/HPE switches are migrated.
- For controllers, the device credentials for SNMP and HTTPS profiles are mapped.
- Migration of multiple AirWave systems to a single Aruba Central On-Premises server is supported. That is, you can migrate multiple AirWave systems to Aruba Central On-Premises by adding the IP addresses or AMP hostnames of each AirWave system individually.
- Historical data, including data related to reports, monitoring, and stats, is not migrated from AirWave to Aruba Central On-Premises during the migration process.
- Templates are not migrated from AirWave to Aruba Central On-Premises during the migration process. You must manually create new templates in Aruba Central On-Premises based on your requirements.
- All data related to VisualRF is migrated from AirWave to Aruba Central On-Premises during the migration process.
Accessing Aruba Central On-Premises
The Dashboard gives you access to the Aruba Central On-Premises application card that is added to your account. After launching the application, you can interact with it through HPE GreenLake. To launch the Aruba Central On-Premises app, perform the following steps:
1. From the HPE GreenLake home page, locate Aruba Central On-Premises on the Dashboard.
2. Click Launch on the Aruba Central On-Premises tile to launch the application.


Logging Out of Aruba Central On-Premises
To log out of Aruba Central On-Premises, complete the following steps:
1. On the Aruba Central On-Premises WebUI, click the user icon in the header pane.
2. Click Logout.
Accessing the Migration Page
To access the Migration page, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management.
3. Click the Migration tab. The Migration page is displayed.
4. Click the Migration tab at the top right corner of the table to add a new migration task. For more information, see Performing the Migration.
The following image displays the Migration page.
Figure 29 Viewing the Migration Page

The following table provides the AirWave Migration parameter details.

Table 42: Migration Parameters

- Migration--FQDN or IP address of the AMP server.
- Migration Status--Indicates the current status of the migration. For example, Migration Success, Waiting to start migration, or Migration Failed.
- Description--Provides a description of the current status of the migration.
- Summary--Provides a summary of the migration. The following are some of the messages displayed:
  - Number of devices existing on Aruba Central On-Premises
  - Number of devices on AirWave 8.x
  - Number of devices to migrate
  - Number of devices successfully migrated
  - Number of devices failed to migrate
- Start Time--Displays the start time of the migration.
- End Time--Displays the end time of the migration.
Migration Status
In the AirWave Migration table, the Status column displays one of the following migration statuses:
- Waiting to start migration
- Migration Stopped
- Migration Started
- AW8.X generating migration dump
- AW8.X migration dump is ready
- COP migration is in progress
- Migration Success
- Migration Failed
Migration Descriptions
In the AirWave Migration table, the Description column displays one of the following migration descriptions:
- Migration of AMP not started
- Starting migration of AMP to COP
- Connecting to AMP
- Could not establish connection to AMP
- Could not prepare backup on AMP
- Waiting for AMP backup to be prepared
- AMP backup not prepared after 2 hours, please check AMP logs
- AMP backup is ready for download from AMP
- AMP backup is being downloaded to COP
- AMP backup download failed
- AMP backup downloaded successfully
- Restoring AMP backup in COP
- AMP version not supported for migration
- Migrating devices to COP
- Migrating profiles to COP
- Checking for VRF data to migrate
- VRF migration in progress
- Migration of VRF data failed
- VRF Migration did not complete after 4 hours, please check the VRF logs
- Migration of AMP completed successfully, VRF data not found
- Migration was terminated abruptly, please retry migration
- Migration of AMP completed successfully
- Exception occurred during migration, please check the logs
- Another system operation is active, retry after sometime
During the migration process, a new AMP back up is created in AirWave and transferred to the Aruba Central On-Premises. The scheduled nightly backup is independent of the backup operation performed as a part of the migration process.
Performing the Migration
To perform the migration, add the AirWave server that is running the older software version to Aruba Central On-Premises. Aruba Central On-Premises supports both offline and online migration.
Online Migration
Aruba Central On-Premises establishes a connection with AirWave to perform an online migration of the onboarded devices and VisualRF data from AirWave to Aruba Central On-Premises. To perform an online migration, complete the following steps with an active internet connection:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management.
3. Click the Migration tab. The Migration page is displayed.
4. Click the icon in the AirWave Migration table. The Add Migration window is displayed.
5. In the Add Migration window, select the Online Migration option.
6. Enter the following details:
   - Hostname or IP Address--Enter the hostname or IP address of the AirWave Management Platform (AMP).
   - AMP User name--Enter the user name of the AMP administrative account.
   - Password--Enter the password associated with the administrative account.
   - Confirm password--Re-enter the password.
   During the migration process, a new AMP backup is created in AirWave and transferred to Aruba Central On-Premises. The scheduled nightly backup is independent of the backup operation performed as a part of the migration process.
7. Click Save to start the migration process.
The following image displays the online migration of the AirWave server using the hostname of the AMP server.

Figure 30 Online Migration using Hostname
The following image displays the online migration of the AirWave server using the IP address of the AMP server.

Figure 31 Online Migration using IP Address

- You can add multiple IP addresses to migrate from multiple AirWave servers to one Aruba Central On-Premises server. In this case, each AMP is migrated sequentially.
- You cannot delete an AMP when the migration is in progress.
- In the AirWave Migration table, the icons allow you to edit, restart, and delete the migration.
- All system operations are disabled until the active system operation is complete. The migration, backup and restore, high availability processes, and upgrade operations are the system operations in Aruba Central On-Premises.

Offline Migration
Aruba Central On-Premises performs an offline migration of the onboarded devices and VisualRF data from AirWave to Aruba Central On-Premises by uploading the backup file that was earlier downloaded from AirWave.
Offline migration is also called in-place migration. The AirWave server does not need to be up and running for an offline migration. Offline migration is required when you want to deploy Aruba Central On-Premises on the same server as AirWave. The advantage of an offline migration is that you can onboard all the devices from AirWave to Aruba Central On-Premises in a single operation.

In an offline migration, Aruba Central On-Premises is installed on the server where the AMP is operational. The minimum supported version for the migration is AirWave 8.2.8.2. To perform an offline migration, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click System Management.
3. Click the Migration tab. The Migration page is displayed.
4. Click the icon in the AirWave Migration table. The Add Migration window is displayed.
5. In the Add Migration window, select the Offline Migration option.
6. Browse to the location and choose the migration file that was downloaded from AirWave.
7. Click Save to start the migration process.
The following image displays the offline migration of the AirWave server.
Figure 32 Offline Migration
- In the AirWave Migration table, the icon allows you to delete the migration.
- You must not refresh the page when the upload is in progress.
Validating the Migration Process
After you click Save in the migration window, the migration process starts. If multiple AMPs are added, each AMP is migrated sequentially. The following images display the main components of the Migration page for an offline migration.

Figure 33 Screen Capture of Offline Migration

Figure 34 Screen Capture of a successful Migration

- During the migration process, a fresh AMP backup is created in AirWave 8.x and transferred to Aruba Central On-Premises. The scheduled nightly backup is not performed as a part of the migration process.
- The default timeout period for the backup process during the migration is 120 minutes.


Logs
The Logs table displays all the logs related to migrations that have either completed or failed. You can generate the log files in one of the following ways:
- In the System Management > Migration > Logs table, click Generate Logs to create the log files.
- In the System Management > Performance > Service Monitoring table, select the deployment service and click the icon.
The generated log files contain the cumulative data of all the AMP migrations.
- You can view the device migration POD logs from the Aruba Central On-Premises backend or from the Aruba Central On-Premises UI.
- The VisualRF migration POD logs are available on one of the Aruba Central On-Premises cluster nodes and can be viewed in the /var/log/visualrf path.
The following image displays the Logs table.
Figure 35 Log Files

The following table provides the Logs information.

Table 43: Logs Table

- File--Name of the log file.
- Created--The date and time when the log file was created.
- Status--Indicates the status of the generated logs. The status indicated is Download Ready, In Progress, Successful, or Failed.
- Action--Enables you to perform the following actions:
  - Click the icon to download the log files. The files are saved to the local drive as a TAR file.
  - Click the icon to delete the log files.

Chapter 11
The AI Insights Dashboard
In an environment of rapidly changing business and user expectations, driven by an explosion of connectivity requirements from the edge to the cloud, a new approach to network management is required. Aruba AIOps (Artificial Intelligence for IT operations) is the next generation of AI-powered solutions; it integrates proven Artificial Intelligence solutions with recommended and automated actions to provide both fast response to identified problems and proactive prediction and prevention. With data leveraged from huge network management systems, Aruba Central On-Premises and its built-in AI Insights proactively identify and solve issues, and provide pinpoint configuration recommendations. This AI-based mechanism enables a consistent, reliable, and timely flow of information about network performance, which helps IT work faster despite the increasing demand and complexity that a network often brings. All of this comes from Aruba's advantage in accessing an enormous volume and variety of data that is factored into insights. Aruba does not collect or process personal data.
The AI Insights dashboard displays a report of network events that could possibly affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level in the network for the selected time range. Each insight report provides specific details on the occurrences of these events for ease of debugging. To launch the AI Insights dashboard, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Manage, click Overview > AI Insights. The Insights table is displayed. AI Insights listed in the dashboard are sorted from high priority to low priority.
3. Click the arrow against each insight to view the details.
Figure 36 Insight Anomaly

The callouts in the figure are described below:
1. Click this arrow to expand any specific insight to view further details.
2. Displays the insight severity, using the following colors:
   - Red--High priority
   - Orange--Medium priority
   - Yellow--Low priority
3. Short description of the insight.
4. Insight Summary displays the reason why the insight was generated, along with a recommendation. It also shows the number and percentage of failures that occurred against each failure reason.
   - Static--These reasons rely on Aruba's domain expertise.
   - Dynamic--These reasons are generated based on error codes that are received from infrastructure devices.
5. Time Series graph is a graphical representation of the events that occurred for the selected time range.
6. Category of the insight. Insight category can be filtered by clicking the filter icon.
7. Short description of the impact.
8. Cards display additional information specific to each insight. Cards might vary for each insight based on the context from which the insight is accessed. For more information, see Cards.

All AI Insights observed for the network are listed in the AI Insights dashboard in the Global context. Alternatively, AI Insights reports for a specific site, device, or a client can be viewed by selecting the appropriate context. For more information on available insights and the context, see Insight Context.

AI Insights are displayed for the time period selected in the Time Range Filter. You can select one of the following: 3 Hours, 1 Week, 1 Day, or 1 Month.

Wi-Fi Connectivity
The Wi-Fi Connectivity page displays an overall view of the connection details for all clients that connected, or tried to connect, at each connection phase. The connection phases are Association, Authentication, DHCP, and DNS.
To view the connectivity details page complete the following procedure:
1. In the Aruba Central On-Premises app, select one of the following options:
   - To select a group or site, set the filter to one of the options under Group or Site.
   - For all devices, set the filter to Global.
2. Under Manage > Overview, click Wi-Fi Connectivity. The dashboard context for the selected filter is displayed.
By default, the graphs on the Wi-Fi Connectivity page are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range Filter icon. You can choose to view graphs for a time period of 3 hours, 1 day, 1 week, 1 month, or 3 months. This section includes the following topics:
- Connectivity Summary Bar
- Connection Experience
- AI Insights
- Connection Problems
- Connection Events
Connectivity Summary Bar
The Connectivity Summary bar displays the success rate of each connection stage as a percentage of all clients, so that users can gauge network performance.
Figure 37 Connectivity Summary Bar

The following table describes the information displayed in each section:

Table 44: Connectivity Summary Bar

- All--Displays the aggregated success percentage of Association, Authentication, and DHCP for all clients connected to the network.
- Association--Displays the percentage of successful attempts made by clients to connect to the network.
- Authentication--Displays the percentage of successful client authentication attempts.
- DHCP--Displays the percentage of successful DHCP request and response attempts when onboarding a client.
- DNS--Displays the percentage of successful attempts among the detected DNS resolutions when a client is connected to the network.

Connection Experience
The Connection Experience tile displays the overall success percentage, total number of attempts, number of successful attempts, total delays, and the total failures for each stage based on the selected time range filter. To view the connection experience for individual stage, select the stage type from the Connectivity Summary bar, the Connection Experience displays the chart for the selected stage. Select All to view the success percentage for all the stages. You can hover over the time series graph to view the success percentage for a specific time. The individual stage displays the Attempts, Failures, Success, and Delays on the time series graph.

Aruba Central On-Premises 2.5.6 | User Guide


Figure 38 Connection Experience tile
AI Insights
The AI Insights tile lists the AI Insights generated for the selected time range. To view the details of an insight, click it; you are redirected to that insight on the AI Insights page. Click each listed AI Insight for a detailed analysis of its impact on the network. For more information on AI Insights, see The AI Insights Dashboard. AI Insights are not generated for the Association and DNS stages, and are not generated at the Group level; in these cases the tile displays "No AI Insights observed".
Connection Problems
The Connection Problems tile charts the Failures and Delays for each category in its drop-down list. Each graph displays the top five MAC addresses or SSIDs for the selected category. The categories offered in the Connection Problems drop-down list change according to the stage selected in the Connectivity Summary bar. Selecting a category from the drop-down list displays the failures and delays as a pie chart with percentages and as a bar graph with the number of failures and delays. Hover the cursor over each graph to view the number of failures or delays for each stage.
The AI Insights Dashboard | 240

Figure 39 Connection Problems Tile

The following table describes the information displayed in each connection category based on the selected stage:

Table 45: Connection Problems Roll-ups

| Data Pane Content | Description |
|---|---|
| All | Displays the details of the failures and delays that occurred during a client connection. The chart displays the failure details of Association, Authentication, and DHCP for each client. The Connection Problems drop-down list includes the following categories: By Stage, By Clients, By Access Points, By Band, By SSID. |
| Association | Charts the details of the failures and delays that occurred during client association. The Connection Problems drop-down list includes the following categories: By Clients, By Access Points, By Band, By SSID, By Reason. |
| Authentication | Charts the details of the failures and delays that occurred during client authentication. The Connection Problems drop-down list includes the following categories: By Type, By Clients, By Access Points, By Band, By SSID, By Server. |
| DHCP | Charts the details of the failures and delays that occurred during a client's DHCP requests and responses. The Connection Problems drop-down list includes the following categories: By Clients, By Access Points, By Reason. |
| DNS | Charts the details of the failures and delays that occurred in the detected DNS resolutions while a client was connected to the network. The Connection Problems drop-down list includes the following categories: By Access Points, By Reason, By Server. |

Connection Events
The Connection Events table lists the delays and failures for each client, keyed by client MAC address. Click the icon to view the Connection Events table. Click the Connection Events drop-down to filter the events By Clients or By Access Points. The Connection Events table displays the following information:

Table 46: Connection Events

| Data Pane Content | Description |
|---|---|
| MAC Address | Displays the MAC address of the client. |
| Name | Displays the name of the access point. |
| Delays | Displays the delays that occurred during the event. |
| Failures | Displays the failure details that occurred during the event. |

Connectivity Alerts
Aruba Central allows network administrators and users with admin permissions to configure alerts. For more information, see Configuring Alerts.
Following are the connectivity alerts that you can configure. For each alert, set the severity values to generate an alert when the measured percentage exceeds the threshold value; the Duration field displays the period over which the condition must hold before the alert is generated (the default is 30 minutes); and you can add additional rules for the alert.

- DNS Delay Detected--Generates an alert when clients experience significant delays in responses from the DNS server. Set the severity values to generate an alert if the percentage of delayed DNS responses exceeds the threshold value. The Duration field displays the duration after which the alert is generated. The default value is 30 minutes. You can add additional rule(s) for this alert.
- DNS Failure Detected--Generates an alert when wireless APs experience a high number of connection failures with the DNS server. Set the severity values to generate an alert if the DNS failure percentage exceeds the threshold value. The Duration field displays the duration after which the alert is generated. The default value is 30 minutes. You can add additional rule(s) for this alert.
- DHCP Delay Detected--Generates an alert when there is excessive DHCP delay from client to AP in the network. Set the severity values to generate an alert if the percentage of DHCP delays exceeds the threshold value. The Duration field displays the duration after which the alert is generated. The default value is 30 minutes. You can add additional rule(s) for this alert.
- DHCP Failure Detected--Generates an alert when a high number of DHCP failures is observed from client to AP in the network. Set the severity values to generate an alert if the DHCP failure percentage exceeds the threshold value. The Duration field displays the duration after which the alert is generated. The default value is 30 minutes. You can add additional rule(s) for this alert.
- Authentication Delay Detected--Generates an alert when there is excessive delay in the client authentication process with the AP in the network. Authentication failures include the following:
  - Wi-Fi security key-exchange failures
  - 802.1X authentication failures
  - MAC authentication failures
  - Captive portal failures
  Set the severity values to generate an alert if the percentage of authentication delays exceeds the threshold value. The Duration field displays the duration after which the alert is generated. The default value is 30 minutes. You can add additional rule(s) for this alert.
- Authentication Failure Detected--Generates an alert when there is a high number of client authentication failures in the network. Authentication failures include the following:
  - Wi-Fi security key-exchange failures
  - 802.1X authentication failures
  - MAC authentication failures
  - Captive portal failures
  Set the severity values to generate an alert if the authentication failure percentage exceeds the threshold value. The Duration field displays the duration after which the alert is generated. The default value is 30 minutes. You can add additional rule(s) for this alert.
- Association Delay Detected--Generates an alert when client association delay is detected in the network. Set the severity values to generate an alert if the percentage of association delays exceeds the threshold value. The Duration field displays the duration after which the alert is generated. The default value is 30 minutes. You can add additional rule(s) for this alert.
- Association Failure Detected--Generates an alert when client association failure is detected in the network. Set the severity values to generate an alert if the association failure percentage exceeds the threshold value. The Duration field displays the duration after which the alert is generated. The default value is 30 minutes. You can add additional rule(s) for this alert.
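The per-stage success percentages on the Connectivity Summary bar, the "top five" roll-ups of the Connection Problems tile, and the threshold-over-duration rule behind the connectivity alerts described above can all be reproduced offline from a stream of per-stage connection events. The following Python is an added example written for this guide; it is not Aruba Central code and does not use the Aruba Central API. It operates on a constructed list of events (sample data, not Aruba output), and the record layout it assumes (timestamp, stage, client MAC, AP name, SSID, result, delayed flag) and the severity names are assumptions of the example, not a product format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Stages the Connectivity Summary bar folds into "All". DNS is reported
# on its own and is not part of the aggregate (Table 44).
ALL_STAGES = ("association", "authentication", "dhcp")

# Constructed sample events (not Aruba data). One record per stage attempt:
# (timestamp, stage, client MAC, AP name, SSID, result, delayed). The record
# layout is an assumption of this example, not an Aruba Central format.
SAMPLE_EVENTS = [
    ("2023-07-26T10:00:00", "association",    "aa:bb:cc:00:00:01", "ap-lobby",  "corp",  "success", False),
    ("2023-07-26T10:01:00", "authentication", "aa:bb:cc:00:00:01", "ap-lobby",  "corp",  "success", False),
    ("2023-07-26T10:02:00", "dhcp",           "aa:bb:cc:00:00:01", "ap-lobby",  "corp",  "success", False),
    ("2023-07-26T10:03:00", "dns",            "aa:bb:cc:00:00:01", "ap-lobby",  "corp",  "success", False),
    ("2023-07-26T10:05:00", "association",    "aa:bb:cc:00:00:02", "ap-lobby",  "corp",  "success", False),
    ("2023-07-26T10:06:00", "authentication", "aa:bb:cc:00:00:02", "ap-lobby",  "corp",  "failure", False),
    ("2023-07-26T10:07:00", "authentication", "aa:bb:cc:00:00:02", "ap-lobby",  "corp",  "failure", False),
    ("2023-07-26T10:10:00", "association",    "aa:bb:cc:00:00:03", "ap-floor2", "guest", "success", False),
    ("2023-07-26T10:11:00", "authentication", "aa:bb:cc:00:00:03", "ap-floor2", "guest", "success", False),
    ("2023-07-26T10:12:00", "dhcp",           "aa:bb:cc:00:00:03", "ap-floor2", "guest", "failure", False),
    ("2023-07-26T10:13:00", "dhcp",           "aa:bb:cc:00:00:03", "ap-floor2", "guest", "success", True),
    ("2023-07-26T10:14:00", "dns",            "aa:bb:cc:00:00:03", "ap-floor2", "guest", "failure", False),
    # Older records that fall outside a 30-minute alert window ending at 10:20.
    ("2023-07-26T09:20:00", "dhcp",           "aa:bb:cc:00:00:04", "ap-floor2", "guest", "failure", False),
    ("2023-07-26T09:21:00", "dhcp",           "aa:bb:cc:00:00:04", "ap-floor2", "guest", "success", True),
]


def _parse(ev):
    """Turn one sample tuple into a dict with a parsed timestamp."""
    ts, stage, mac, ap, ssid, result, delayed = ev
    return {"ts": datetime.fromisoformat(ts), "stage": stage, "client": mac,
            "ap": ap, "ssid": ssid, "result": result, "delayed": delayed}


def _select(events, stage, start=None, end=None):
    """Events for one stage (or the 'all' aggregate) inside [start, end]."""
    stages = ALL_STAGES if stage == "all" else (stage,)
    rows = []
    for e in map(_parse, events):
        if e["stage"] not in stages:
            continue
        if start is not None and e["ts"] < start:
            continue
        if end is not None and e["ts"] > end:
            continue
        rows.append(e)
    return rows


def stage_success_rate(events, stage):
    """Summary-bar percentage for a stage, or 'all' for the aggregate."""
    rows = _select(events, stage)
    if not rows:
        return 0.0
    ok = sum(1 for e in rows if e["result"] == "success")
    return round(100.0 * ok / len(rows), 1)


def top_failures(events, stage, key, n=5):
    """Connection Problems roll-up: the top-n failure counts grouped by
    'client', 'ap', 'ssid' or 'stage' (the By Clients / By Access Points /
    By SSID / By Stage categories)."""
    counts = Counter(e[key] for e in _select(events, stage) if e["result"] == "failure")
    return counts.most_common(n)


def evaluate_alert(events, stage, kind, severities, duration_min, now_iso):
    """Connectivity alert rule: measure the failure (or delay) percentage for
    `stage` over the last `duration_min` minutes ending at `now_iso`, and
    return (severity, pct) where severity is the highest severity name whose
    threshold the percentage exceeds, or None. `severities` maps a severity
    name to its threshold percentage (names are this example's assumption)."""
    now = datetime.fromisoformat(now_iso)
    rows = _select(events, stage, start=now - timedelta(minutes=duration_min), end=now)
    if not rows:
        return None, 0.0
    if kind == "failure":
        hits = sum(1 for e in rows if e["result"] == "failure")
    elif kind == "delay":
        hits = sum(1 for e in rows if e["delayed"])
    else:
        raise ValueError("kind must be 'failure' or 'delay'")
    pct = round(100.0 * hits / len(rows), 1)
    fired = [(thr, name) for name, thr in severities.items() if pct > thr]
    return (max(fired)[1] if fired else None), pct


if __name__ == "__main__":
    for s in ("all",) + ALL_STAGES + ("dns",):
        print(f"{s:15s} success {stage_success_rate(SAMPLE_EVENTS, s):5.1f}%")
    print("top DHCP failures by AP:", top_failures(SAMPLE_EVENTS, "dhcp", "ap"))
    sev = {"minor": 10, "major": 25, "critical": 50}
    print("DHCP Failure Detected:", evaluate_alert(SAMPLE_EVENTS, "dhcp", "failure", sev, 30, "2023-07-26T10:20:00"))
```

Two design points carry over to a real deployment: the alert is evaluated only on attempts inside the Duration window, so a burst of old failures does not keep an alert firing, and a single failure among very few attempts yields a high percentage, which is why the guide lets you tune thresholds per severity rather than alerting on any failure.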


Insight Context
Insights can be accessed from different contexts such as Global, Site, Clients, and Device. The following table lists the different types of insights generated by Aruba Central and the contexts from which each can be accessed; the navigation path for each context is listed after the table.

Table 47: Insight Context

| Insights | Category | Context |
|---|---|---|
| Clients with High Wi-Fi Security Key-Exchange Failures | Connectivity -- Wi-Fi | Global, Site, Access Points, Clients |
| Clients with High 802.1X Authentication Failures | Connectivity -- Wi-Fi | Global, Site, Access Points, Clients |
| Clients with DHCP Server Connection Problems | Connectivity -- Wi-Fi | Global, Site, Access Points, Clients |
| Clients with High Number of MAC Authentication Failures | Connectivity -- Wi-Fi | Global, Site, Access Points, Clients |
| Clients with Captive Portal Authentication Problems | Connectivity -- Wi-Fi | Global, Site, Access Points, Clients |
| Clients with High Number of Wi-Fi Association Failures | Connectivity -- Wi-Fi | Global, Site, Access Points, Clients |

Navigation by context:

- Global: Aruba Central On-Premises app > Global > Overview > AI Insights
- Site: Aruba Central On-Premises app > Sites > Overview > AI Insights
- Access Points: Aruba Central On-Premises app > Global > Devices > Access Points > Device Name > AI Insights
- Clients: Aruba Central On-Premises app > Global > Clients > Client Name > AI Insights, or Aruba Central On-Premises app > Site > Clients > Client Name > AI Insights

Cards
Every insight in Aruba Central On-Premises displays cards with additional information specific to that insight. The top view of each card usually shows the most impacted data as a pie chart or a bar graph. You can adjust what the pie chart shows: to highlight specific entries in a card, click the checkbox next to each label. Some cards offer a further drill-down through a drop-down list. The cards shown for an insight vary with the context the insight is accessed from.


The following table describes the cards available in the different insights:

Table 48: Cards

| Cards | Description |
|---|---|
| Access Points | The Access Point card displays the number of APs impacted by an insight. Click the arrow to expand the card and view the top 5 APs where the issue occurred. You can also click the drop-down list to view further details about the impacted access points. |
| Site | The Site card displays the number of sites impacted by an insight. Click the arrow to expand the card and view the top 5 sites where the issue occurred. |
| Client | The Client card displays the number of clients impacted by an insight. Click the arrow to expand the card and view the top 5 clients where the issue occurred. |
| Server | The Server card displays the number of servers impacted by an insight. Click the arrow to expand the card and view the top 5 servers where the issue occurred. |

If you click the number displayed on a card, further details specific to that card are displayed in a tabular format. The filter icon allows you to filter the data in each column. The sort icons allow you to sort a column in ascending or descending order. Some columns are displayed by default, while others do not appear in the table until you add them.
To customize a table, click the ellipsis icon to select the required columns, or click Reset to default to restore the default columns. Click the download icon to download the card details in CSV format.

Clients with High Number of Wi-Fi Association Failures
The Clients had a high number of Wi-Fi Association failures insight can be accessed from the Global, Site, Access Points, and Clients contexts. This insight provides information on Wi-Fi association failures observed in the network. It is categorized under connectivity because the affected users are unable to connect to the Wi-Fi network. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.
Time Series Graph
The time series graph displays the number of association failures observed in the network during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 49: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Access Point | Global, Site, Client |
| Client | Global, Site, Device |

Site
Lists the number of sites that experienced association failures in the network. Click the arrow to view a pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Failures--Number and percentage of failures that occurred in each site.
- Total--Total number of association failures in each site.
Access Point
Lists the number and the details of APs that experienced association failures in the network. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- SSID--Pictorial graph of the percentage of association failures sorted by SSID.
- Model--Pictorial graph of the percentage of association failures sorted by AP model.
- FW Version--Pictorial graph of the percentage of association failures sorted by AP firmware version.
Click the number displayed on the Access Point card to view the detailed description of the impacted access points:
- AP Name--Name of the access point and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Failures--Number and percentage of failures that occurred in each AP.
- Total--Total number of failures in each AP.
- Serial--Serial number of the AP.
- IP--IP address of the AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Client
Lists the MAC address, name, host name, and auth ID of clients that experienced association failures in the network. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
- Client Name--Name of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Failures--Number and percentage of failures that occurred in each client.
- Total--Total number of failures in each client.
- Client OS--OS type of the device.

Clients with High Number of MAC Authentication Failures
The Clients had an unusual number of MAC authentication failures insight can be accessed from the Global, Site, Access Points, and Clients contexts. This insight provides information on excessive MAC authentication failures observed in the network and is categorized under connectivity because the affected users are unable to connect to the Wi-Fi network. It also helps identify rogue users in the network. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph
The time series graph displays the number of MAC authentication failures that occurred during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Access Point | Global, Site, Client |
| Client | Global, Site, Device |

Site
Lists the number of sites that experienced MAC authentication failures in the network. Click the arrow to view a pictorial graph with the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Failures--Number of failures that occurred in each site.
- Total--Total number of MAC authentication attempts in each site.
Access Point
Lists the number and the details of APs that faced MAC authentication failures in the network. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- SSID--Pictorial graph of the percentage of MAC authentication failures sorted by SSID.
- Model--Pictorial graph of the percentage of MAC authentication failures sorted by AP model.
- FW Version--Pictorial graph of the percentage of MAC authentication failures sorted by AP firmware version.
Click the number displayed on the Access Point card to view the detailed description of the impacted access points:
- Name--Name of the access point and link to the specific insight at the AP context.
- MAC--MAC address of the AP and link to the specific insight at the AP context.
- Failures--Number of failures that occurred in each AP.
- Total--Total number of MAC authentication attempts in each AP.
- Serial--Serial number of the AP.
- IP--IP address of each AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Client
Lists the MAC address, name, host name, and auth ID of clients that failed MAC authentication. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
- Name--Name of the impacted client and link to the specific insight at the client context.
- MAC--MAC address of the client and link to the specific insight at the client context.
- Failures--Number of failures that occurred in each client.
- Client OS--OS type of the device.


Clients with DHCP Server Connection Problems
The Clients had DHCP server connection problems insight can be accessed from the Global, Site, Access Points, and Clients contexts. This insight provides information on excessive client-to-AP DHCP failures observed in the network. It is generated when Wi-Fi clients attempt to acquire a DHCP IP address multiple times but fail to do so. The Clients had DHCP server connection problems insight is categorized under connectivity because the affected users fail to get an IP address and are unable to connect to the Wi-Fi network. It displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph
The time series graph displays the number of DHCP failures that occurred during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 50: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Server | Global, Site, Device, Client |
| Access Point | Global, Site, Client |
| Client | Global, Site, Device |

Site
Lists the number of sites that experienced DHCP server connection problems in the network. Click the arrow to view a pictorial graph with the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Failures--Number and percentage of failures that occurred in each site.
- Total--Total number of DHCP requests.
Server
Lists the number of DHCP servers involved in this insight. Click the arrow to view the pictorial graph of the Most Impacted servers. Click the number displayed on the Server card to view a detailed description of the impacted servers:
- Server IP--IP address of the server impacted by this insight.
- Failures--Number of failures that occurred on each server.
- Total--Total number of DHCP requests.
Access Point
Lists the number and the details of the DHCP server connection problems observed on each AP. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- SSID--Pictorial graph of the percentage of DHCP failures sorted by SSID.
- Model--Pictorial graph of the percentage of DHCP failures sorted by AP model.
- FW Version--Pictorial graph of the percentage of DHCP failures sorted by AP firmware version.
Click the number displayed on the Access Point card to view the detailed description of the impacted access points:
- AP Name--Name of the access point and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Failures--Number of failures that occurred in each AP.
- Total--Total number of DHCP requests.
- Serial--Serial number of the AP.
- IP--IP address of each AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site of the AP where the failure occurred.
Client
Lists the MAC address, host name, and auth ID of clients whose DHCP handshake failed. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
- Client Name--Name of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Failures--Number of failures that occurred in each client.
- Total--Total number of DHCP requests.
- Client OS--OS type of the device.
Clients with High Wi-Fi Security Key-Exchange Failures
The Clients had excessive Wi-Fi security key-exchange failures insight can be accessed from the Global, Site, Access Points, and Clients contexts. This insight provides information on excessive Wi-Fi security key-exchange failures observed in the network. When this failure occurs, users connecting to Wi-Fi using PSK or 802.1X authentication experience a higher rate of EAPOL key-exchange failures. This insight is categorized under connectivity because the affected users are unable to connect to the Wi-Fi network. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes of Wi-Fi security key-exchange failure in the network.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph
This time series bar graph displays the number of Wi-Fi security key-exchange failures that occurred in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number of failures.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 51: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Access Point | Global, Site, Client |
| Client | Global, Site, Device |

Site
Lists the number of sites that experienced excessive Wi-Fi security key-exchange failures in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Failures--Number and percentage of failures that occurred in each site.
- Total--Total number of failures in each site.
Access Point
Lists the number of APs that experienced Wi-Fi security key-exchange failures in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- SSID--Pictorial graph of 4-way handshake failures sorted by SSID.
- Model--Pictorial graph of 4-way handshake failures classified by AP model.
- FW Version--Pictorial graph of 4-way handshake failures classified by AP firmware version.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access point and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Failures--Number and percentage of failures that occurred in each AP.
- Total--Total number of failures in each AP.
- Serial--Serial number of the AP.
- IP--IP address of the AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Client
Lists the MAC address, name, host name, and auth ID of clients that failed Wi-Fi security key-exchange authentication. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
- Client Name--Name of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Failures--Number and percentage of failures that occurred in each client.
- Total--Total number of failures in each client.
- Client OS--OS type of the device.
Clients with High 802.1X Authentication Failures
The Clients had excessive 802.1X authentication failures insight can be accessed from the Global, Site, Access Points, and Clients contexts. This insight provides information on excessive 802.1X authentication failures observed in the network. It is categorized under connectivity because the affected users are unable to connect to the Wi-Fi network. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards


Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph
The time series graph displays the number of 802.1X authentication failures observed in the network during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 52: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Server | Global, Site, Device, Client |
| Access Point | Global, Site, Client |
| Client | Global, Site, Device |

Site
Lists the number of sites that experienced 802.1X authentication failures in the network. Click the arrow to view a pictorial graph with the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Failures--Number and percentage of failures that occurred in each site.
- Total--Total number of 802.1X authentication attempts in each site.
Server
Lists the number of servers on which 802.1X authentication failed in the network. Click the arrow to view the pictorial graph of the Most Impacted servers. Click the number displayed on the Server card to view a detailed description of the impacted servers:
- Server IP--IP address of each server.
- Failures--Number of 802.1X authentication failures on each server.
- Total--Total number of 802.1X authentication attempts.
Access Point
Lists the number and the details of APs on which 802.1X authentication failed in the network. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- SSID--Pictorial graph of the percentage of 802.1X authentication failures sorted by SSID.
- Model--Pictorial graph of the percentage of 802.1X authentication failures sorted by AP model.
- FW Version--Pictorial graph of the percentage of 802.1X authentication failures sorted by AP firmware version.
Click the number displayed on the Access Point card to view the detailed description of the impacted access points:
- AP Name--Name of the access point and link to the specific insight at the AP context.
- MAC--MAC address of the AP and link to the specific insight at the AP context.
- Failures--Number and percentage of failures that occurred in each AP.
- Total--Total number of failures in each AP.
- Serial--Serial number of the AP.
- IP--IP address of the AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Client
Lists the MAC address, name, host name, and auth ID of clients that failed 802.1X authentication. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
- Client Name--Name of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Failures--Number and percentage of failures that occurred in each client.
- Total--Total number of failures in each client.
- Client OS--OS type of the device.
Clients with Captive Portal Authentication Problems
The Clients had problems authenticating with the Captive Portal insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on captive portal failures observed in the network. It is categorized under connectivity since the users are unable to connect to the WiFi network. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:

Aruba Central On-Premises 2.5.6 | User Guide

255

- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation against each failure to resolve it.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph
The time series graph displays the number of client captive portal failures observed in the network during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 53: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device

Site
Lists the number of sites that experienced captive portal failures in the network. Click the arrow to view a pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Failures--Number and percentage of failures that occurred at each site.
- Total--Total number of captive portal authentications at each site.
Access Point
Lists the number and the details of APs that failed captive portal authentication in the network. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- SSID--Pictorial graph of the percentage of captive portal authentication failures sorted by SSID.
- Model--Pictorial graph of the percentage of captive portal authentication failures sorted by AP model.
- FW Version--Pictorial graph of the percentage of captive portal authentication failures sorted by AP firmware version.
Click the number displayed on the Access Point card to view the detailed description of the impacted access points:
- AP Name--Name of the access point and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Failures--Number and percentage of failures that occurred on each AP.
- Total--Total number of failures on each AP.
- Serial--Serial number of the AP.
- IP--IP address of the AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Client
Lists the MAC address, name, host name, and auth ID of clients that failed captive portal authentication. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
- Client Name--Name of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Failures--Number and percentage of failures that occurred on each client.
- Total--Total number of failures on each client.
- Client OS--OS type of the device.
AOS-CX Switch Ports with High Power-over-Ethernet Problems
The CX Switch ports had a high number with Power-over-Ethernet problems insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that have not received required power from PoE devices connected to them. PoE issues occur in switches when power is denied, or power is demoted from the device connected to them. It is categorized under availability since the impacted switches are unable to receive sufficient power. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
In the Global and Site contexts, the time series graph displays the count of switches experiencing power issues in the network during the selected time period. You can hover your mouse over each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context, this graph displays the severity level of the selected switch experiencing power issues during the selected time period.
Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 54: Cards Context

Cards | Context
Site | Global
Switch | Global, Site
Wired Clients | Global, Site

Site
Lists the number of sites where switches have PoE issues. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Events--Number of events generated pertaining to PoE failures at each site.
- Ports--Number of ports for which power is denied.
- Switches--Number of switches for which power is denied.
- Impact (Minutes)--Amount of time (minutes) for which power is denied at each site.
Switch
Lists the number of switches that experience PoE issues in the network. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of PoE issues classified by switch model.
- FW Version--Pictorial graph of PoE issues classified by switch firmware version.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Events--Number of events generated pertaining to PoE failures on each switch.
- Wired Clients--Number of clients impacted by the PoE failures.
- Impact (Minutes)--Amount of time (minutes) for which power is denied on each switch.
- Stack ID--Stack ID of the impacted switch.
- Number of Events--Number of events generated pertaining to PoE failures on each switch.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Wired Clients
Lists the MAC address, name, host name, and auth ID of the clients connected to a switch that experiences PoE issues. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the Wired Clients drop-down list to view the following:
- Model--Pictorial graph of the device models connected to the impacted switch.
- Vendor--Pictorial graph of the device vendors connected to the impacted switch.
Click the number displayed on the Wired Clients card to view a detailed description of the impacted switches:
- Wired Client--Name of the client.
- Client MAC--MAC address of the client.
- Description--An overview of the connected device, including the OS type, model, and version.
- Switch Name--Name of the impacted switch where the client resides and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch where the client resides.
- Port Number--Port number of the switch the client device is connected to.
- Power Requested/Offered--PoE consumption for each client.
- Reason--Cause of the denied PoE power for each client.
- Status--Status of the client.
- Model--Hardware model of the impacted switch where the client resides.
- Vendor--Vendor of the wired client.
- Site--Name of the site where the client resides.
AOS-S Switch Ports with High Power-over-Ethernet Problems
The PVOS Switch ports had a high number with Power-over-Ethernet problems insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that have not received required power from PoE devices connected to them. PoE issues occur in switches when power is denied, or power is demoted from the device connected to them. It is categorized under availability since the impacted switches are unable to receive sufficient power. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
In the Global and Site contexts, the time series graph displays the count of switches experiencing power issues in the network during the selected time period. You can hover your mouse over each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context, this graph displays the severity level of the selected switch experiencing power issues during the selected time period.
Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 55: Cards Context

Cards | Context
Site | Global
Switch | Global, Site
Wired Clients | Global, Site

Site
Lists the number of sites where switches have PoE issues. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Events--Number of events generated pertaining to PoE failures at each site.
- Ports--Number of ports for which power is denied.
- Switches--Number of switches for which power is denied.
- Impact (Minutes)--Amount of time (minutes) for which power is denied at each site.
Switch
Lists the number of switches that experience PoE issues in the network. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of PoE issues classified by switch model.
- FW Version--Pictorial graph of PoE issues classified by switch firmware version.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Events--Number of events generated pertaining to PoE failures on each switch.
- Wired Clients--Number of clients impacted by the PoE failures.
- Impact (Minutes)--Amount of time (minutes) for which power is denied on each switch.
- Stack ID--Stack ID of the impacted switch.
- Number of Events--Number of events generated pertaining to PoE failures on each switch.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Wired Clients
Lists the MAC address, name, host name, and auth ID of the clients connected to a switch that experiences PoE issues. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the Wired Clients drop-down list to view the following:
- Model--Pictorial graph of the device models connected to the impacted switch.
- Vendor--Pictorial graph of the device vendors connected to the impacted switch.
Click the number displayed on the Wired Clients card to view a detailed description of the impacted switches:
- Wired Client--Name of the client.
- Client MAC--MAC address of the client.
- Description--An overview of the connected device, including the OS type, model, and version.
- Switch Name--Name of the impacted switch where the client resides and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch where the client resides.
- Port Number--Port number of the switch the client device is connected to.
- Power Requested/Offered--PoE consumption for each client.
- Reason--Cause of the denied PoE power for each client.
- Status--Status of the client.
- Model--Hardware model of the impacted switch where the client resides.
- Vendor--Vendor of the wired client.
- Site--Name of the site where the client resides.


Chapter 12
Managing APs
This section describes how to configure WLAN SSIDs, radio profiles, DHCP profiles, VPN routes, security and firewall settings, uplink interfaces, and logging servers on access points (APs). APs offer an enterprise-grade networking solution with a simple setup. The WLAN solution with APs supports simplified deployment, configuration, and management of Wi-Fi networks. APs run the ArubaOS and Aruba Instant software, which virtualizes Aruba Mobility Controller capabilities on 802.11 APs and offers a feature-rich enterprise-grade Wi-Fi solution. In an Instant deployment scenario, only the first AP, the conductor AP connected to a provisioning network, is configured. All other Instant APs in the same VLAN that join the conductor AP inherit the configuration changes. IAP clusters are configured through a common interface called the Virtual Controller. A Virtual Controller represents the combined intelligence of the IAPs in a cluster. For more information on APs, see the following topics:
- Configuring IAPs
- Monitoring APs
Supported APs
Aruba Central On-Premises supports the following types of Aruba access points (APs).
- Instant APs--The Instant Access Point (IAP) based WLAN solution consists of a cluster of access points in a Layer 2 subnet. The IAPs serve a dual role as both Virtual Controller (VC) and member APs. The IAP WLAN solution does not require dedicated controller hardware and can be deployed through a simplified setup process appropriate for smaller organizations, or for multiple geographically dispersed locations without an on-site administrator. IAPs run Aruba Instant. Aruba Central On-Premises supports both monitoring and management of IAPs. With Aruba Central On-Premises, network administrators can configure, monitor, and troubleshoot IAP WLANs, upload new software images, monitor devices, generate reports, and perform other vital management tasks from remote locations.
- Campus APs--Campus Access Points (CAPs) are used in private networks where APs connect over private links (LAN, WLAN, WAN, or MPLS) and terminate directly on controllers. Campus APs are deployed as part of the indoor campus solution in enterprise office buildings, warehouses, hospitals, universities, and so on. Aruba Central On-Premises supports only onboarding and monitoring of Campus APs.
- Remote APs--Remote Access Points (RAPs) allow AP users at remote locations to connect to an Aruba controller over the Internet. Since the Internet is involved, data traffic between the controller and the remote AP is VPN encapsulated; that is, the traffic between the controller and the AP is encrypted. Remote AP operation is supported on all Aruba APs.


Supported APs
Aruba Central On-Premises supports the following AP platforms and Aruba Instant software versions:

Table 56: Supported AP Platforms

AP Platform | Installation Mode | Minimum Supported Aruba Instant Software Version | Latest Validated Aruba Instant Software Version
AP-655 | Indoor | 8.10.0.1 | 8.11.1.0
AP-635 | Indoor | 8.9.0.0 | 8.11.0.0
AP-615 | Indoor | 8.11.0.0 | 8.11.0.0
AP-587EX | Outdoor | 8.10.0.0 | 8.11.0.0
AP-587 | Outdoor | 8.10.0.0 | 8.11.0.0
AP-585EX | Outdoor | 8.10.0.0 | 8.11.0.0
AP-585 | Outdoor | 8.10.0.0 | 8.11.0.0
AP-584 | Outdoor | 8.10.0.0 | 8.11.0.0
AP-577EX | Outdoor | 8.7.0.0 | 8.11.0.0
AP-577 | Outdoor | 8.7.0.0 | 8.11.0.0
AP-575EX | Outdoor | 8.7.0.0 | 8.11.0.0
AP-575 | Outdoor | 8.7.0.0 | 8.11.0.0
AP-574 | Outdoor | 8.7.0.0 | 8.11.0.0
AP-567EX | Outdoor | 8.7.1.0 | 8.11.0.0
AP-567 | Outdoor | 8.7.1.0 | 8.11.0.0
AP-565EX | Outdoor | 8.7.1.0 | 8.11.0.0
AP-565 | Outdoor | 8.7.1.0 | 8.11.0.0
AP-555 | Indoor | 8.6.0.0 | 8.11.0.0
AP-535 | Indoor | 8.6.0.0 | 8.11.0.0
AP-534 | Indoor | 8.6.0.0 | 8.11.0.0
AP-518 | Indoor | 8.7.0.0 | 8.11.0.0
AP-515 | Indoor | 8.6.0.0 | 8.11.0.0
AP-514 | Indoor | 8.6.0.0 | 8.11.0.0
AP-505H | Indoor | 8.7.0.0 | 8.11.0.0
AP-505 | Indoor | 8.6.0.0 | 8.11.0.0
AP-504 | Indoor | 8.6.0.0 | 8.11.0.0
AP-503H | Indoor | 8.7.1.0 | 8.11.0.0
AP-387 | Outdoor | 8.6.0.0 | 8.10.0.0
AP-377EX | Outdoor | 8.6.0.0 | 8.11.0.0
AP-377 | Outdoor | 8.6.0.0 | 8.11.0.0
AP-375ATEX | Outdoor | 8.10.0.0 | 8.11.0.0
AP-375EX | Outdoor | 8.6.0.0 | 8.11.0.0
AP-375 | Outdoor | 8.6.0.0 | 8.11.0.0
AP-374 | Outdoor | 8.6.0.0 | 8.11.0.0
AP-367 | Outdoor | 6.5.4.8 | 8.11.0.0
AP-365 | Outdoor | 6.5.4.8 | 8.11.0.0
AP-345 | Indoor | 8.6.0.0 | 8.10.0.0
AP-344 | Indoor | 8.6.0.0 | 8.10.0.0
AP-318 | Indoor | 8.6.0.0 | 8.11.0.0
AP-303P | Indoor | 8.6.0.0 | 8.11.0.0
AP-303H | Indoor | 6.5.4.8 | 8.11.0.0
AP-303 | Indoor | 8.6.0.0 | 8.11.0.0
AP-203RP | Indoor | 6.5.4.8 | 8.10.0.0
AP-203R | Indoor | 6.5.4.8 | 8.10.0.0
AP-203H | Indoor | 6.5.4.8 | 8.10.0.0
IAP-335 | Indoor | 6.5.4.8 | 8.10.0.0
IAP-334 | Indoor | 6.5.4.8 | 8.10.0.0
IAP-325 | Indoor | 6.5.4.8 | 8.10.0.0
IAP-324 | Indoor | 6.5.4.8 | 8.10.0.0
IAP-315 | Indoor | 6.5.4.8 | 8.11.0.0
IAP-314 | Indoor | 6.5.4.8 | 8.11.0.0
IAP-305 | Indoor | 6.5.4.8 | 8.11.0.0
IAP-304 | Indoor | 6.5.4.8 | 8.11.0.0
IAP-277 | Outdoor | 6.5.4.3 | 8.6.0.0
IAP-275 | Outdoor | 6.5.4.3 | 8.6.0.0
IAP-274 | Outdoor | 6.5.4.3 | 8.6.0.0
IAP-207 | Indoor | 6.5.4.8 | 8.10.0.0
IAP-205H | Indoor | 6.5.4.8 | 6.5.4.8
IAP-205 | Indoor | 6.5.4.8 | 6.5.4.8
IAP-204 | Indoor | 6.5.4.8 | 6.5.4.8
RAP-109 | Indoor | 4.2.4.21 | 4.2.4.21
RAP-108 | Indoor | 4.2.4.21 | 4.2.4.21
RAP-3WN | Indoor | 4.2.4.21 | 4.2.4.21
RAP-3WNP | Indoor | 4.2.4.21 | 4.2.4.21

- IAP-203H, IAP-203R, IAP-203RP, IAP-207, IAP-324, IAP-325, IAP-334, IAP-335, IAP-344, IAP-345, and IAP-387 IAPs are no longer supported from Aruba Instant 8.11.0.0 onwards.
- IAP-214, IAP-215, IAP-224, IAP-225, IAP-228, IAP-274, IAP-275, and IAP-277 IAPs are no longer supported from Aruba Instant 8.7.0.0 onwards.
- IAP-103, IAP-204, IAP-205, and IAP-205H IAPs are no longer supported from Aruba Instant 8.3.0.0 onwards.
- By default, AP-318, AP-374, AP-375, and AP-377 IAPs have Eth1 as the uplink port and Eth0 as the downlink port. Aruba does not recommend upgrading these IAPs to Aruba Instant 8.5.0.0 or 8.5.0.1 firmware versions, as the upgrade process changes the uplink port from Eth1 to Eth0, thereby making the devices unreachable.

Supported Campus APs and Remote APs
Aruba Central On-Premises supports the following Campus AP and Remote AP platforms and ArubaOS software versions:

AP Platform | Minimum Supported ArubaOS Software Versions | Latest Validated ArubaOS Software Versions
AP-655 | 8.10.0.0 | 8.11.0.0
AP-635 | 8.9.0.0 | 8.11.0.0
AP-615 | 8.11.0.0 | 8.11.0.0
AP-587EX | 8.10.0.0 | 8.11.0.0
AP-587 | 8.10.0.0 | 8.11.0.0
AP-585EX | 8.10.0.0 | 8.11.0.0
AP-585 | 8.10.0.0 | 8.11.0.0
AP-584 | 8.10.0.0 | 8.11.0.0
AP-577EX | 8.7.0.0 | 8.11.0.0
AP-577 | 8.7.0.0 | 8.11.0.0
AP-575EX | 8.7.0.0 | 8.11.0.0
AP-575 | 8.7.0.0 | 8.11.0.0
AP-574 | 8.7.0.0 | 8.11.0.0
AP-567EX | 8.8.0.0 | 8.11.0.0
AP-567 | 8.8.0.0 | 8.11.0.0
AP-565EX | 8.8.0.0 | 8.11.0.0
AP-565 | 8.8.0.0 | 8.11.0.0
AP-555 | 8.6.0.0 | 8.11.0.0
AP-535 | 8.6.0.0 | 8.11.0.0
AP-534 | 8.6.0.0 | 8.11.0.0
AP-518 | 8.7.0.0 | 8.11.0.0
AP-515 | 8.6.0.0 | 8.11.0.0
AP-514 | 8.6.0.0 | 8.11.0.0
AP-505HR | 8.6.0.0 | 8.11.0.0
AP-505H | 8.6.0.0 | 8.11.0.0
AP-505 | 8.6.0.0 | 8.11.0.0
AP-504 | 8.6.0.0 | 8.11.0.0
AP-503HR | 8.8.0.0 | 8.11.0.0
AP-503H | 8.8.0.0 | 8.11.0.0
AP-387 | 8.6.0.0 | 8.10.0.0
AP-377EX | 8.6.0.0 | 8.11.0.0
AP-377 | 8.6.0.0 | 8.11.0.0
AP-375EX | 8.6.0.0 | 8.11.0.0
AP-375 | 8.6.0.0 | 8.11.0.0
AP-374 | 8.6.0.0 | 8.11.0.0
AP-367 | 8.6.0.0 | 8.11.0.0
AP-365 | 8.6.0.0 | 8.11.0.0
AP-345 | 8.6.0.0 | 8.10.0.0
AP-344 | 8.6.0.0 | 8.10.0.0
AP-335 | 8.6.0.0 | 8.10.0.0
AP-334 | 8.6.0.0 | 8.10.0.0
AP-325 | 8.6.0.0 | 8.10.0.0
AP-324 | 8.6.0.0 | 8.10.0.0
AP-318 | 8.6.0.0 | 8.11.0.0
AP-315 | 8.6.0.0 | 8.11.0.0
AP-314 | 8.6.0.0 | 8.11.0.0
AP-305 | 8.6.0.0 | 8.11.0.0
AP-304 | 8.6.0.0 | 8.11.0.0
AP-303P | 8.6.0.0 | 8.11.0.0
AP-303H | 8.6.0.0 | 8.11.0.0
AP-303 | 8.6.0.0 | 8.11.0.0
AP-277 | 8.6.0.0 | 8.10.0.0
AP-275 | 8.6.0.0 | 8.10.0.0
AP-274 | 8.6.0.0 | 8.10.0.0
AP-207 | 8.6.0.0 | 8.10.0.0
AP-205H | 8.6.0.0 | 8.10.0.0
AP-205 | 8.6.0.0 | 8.10.0.0
AP-204 | 8.6.0.0 | 8.10.0.0
AP-203RP | 8.6.0.0 | 8.10.0.0
AP-203R | 8.6.0.0 | 8.10.0.0
AP-203H | 8.6.0.0 | 8.10.0.0
RAP-109 | 8.6.0.0 | 8.6.0.0
RAP-108 | 8.6.0.0 | 8.6.0.0
AP-103H | 8.3.0.0 | 8.3.0.0
RAP-3WN | 8.6.0.0 | 8.6.0.0
RAP-3WNP | 8.6.0.0 | 8.6.0.0

- AP-615, AP-635, and AP-655 IAPs are Wi-Fi 6E capable APs that support the 6 GHz radio band, in addition to the 2.4 GHz and 5 GHz radio bands.
- The tri-radio feature is available only for AP-555. In the 5 GHz tab, the Radio 5 GHz (Secondary) data is available only if the tri-radio mode is enabled. For more information, see the About Tri-Radio Mode section in the latest Aruba Central On-Premises user guide.
- For more information about Aruba's End-of-life policy and the timelines for hardware and software products at the end of their lives, see: https://www.arubanetworks.com/support-services/end-of-life/
- Data sheets and technical specifications for the supported AP platforms are available at: https://www.arubanetworks.com/products/networking/access-points/

Supported IAP Events
Aruba Central On-Premises provides an Events dashboard for viewing the events triggered from Instant Access Point (IAP) devices. The following table lists the IAP events that are supported in Aruba Central:

Table 57: IAP Events

Event | Description
AP IP Conflict | IP Conflict detected for IP [Device IP] to MAC [Device MAC].
AP Crash | AP crash detected on [AP Name].
AP Reboot | [AP Name] has rebooted: Change in number of reboots detected (Detected: xxx, Expected: xxx).
AP Upgrade Failure | Upgrade failure.
AP Insufficient Power Supply | AP [AP Name] at Site XX has received low POE power.
AP Modem Plugged | Modem plugged.
AP Modem Unplugged | Modem unplugged.
AP User Reboot | User reboot triggered.
AP Tri-Radio Enabled | Access point is online with tri-radio mode enabled.
AP Tri-Radio Disabled | Access point is online with tri-radio mode disabled.
AP Thermal Shutdown Event | Thermal management enabled.
AP Thermal Shutdown Recovery Event | Thermal management disabled.
Radio Radar Detected | 802.11 Radar detected on channel [Channel].
Radio Radar Cleared | 802.11 Radar cleared on channel [Channel].
Radio Tx Hang | 802.11 Radio Tx hanged on channel [Channel].
Radio Tx Clear | 802.11 Radio Tx cleared on channel [Channel].
Radio 40MHz Intolerance | 40MHz Intolerance observed on channel [Channel].
Radio Cancel 40MHz Intolerance | 40MHz Intolerance cleared on channel [Channel].
Radio 40MHz Align | 40MHz aligned on channel [Channel].
Radio ARM Interference | ARM Interference detected on channel [Channel].
Radio ARM Invalid Channel | ARM invalid channel [Channel].
Radio ARM Error Threshold Exceeded | Radio errors threshold exceeded on channel [Channel].
Radio ARM Noise Threshold Exceeded | Radio noise threshold exceeded.
Radio ARM Empty Channel | ARM empty channel.
Radio ARM Rogue Containment Triggered | Rogue containment triggered.
Radio ARM Decreased Power | Radio output power decreased to [EIRP] dBm.
Radio ARM Increased Power | Radio output power increased to [EIRP] dBm.
Radio RADAR Turn Off Radio | Radar detected radio up.
Radio ARM Turn On Radio | Radar detected radio down.
Radio ARM Channel Quality Threshold Exceeded | Radio channel quality threshold exceeded.
Radio ARM Dynamic BW | Channel width set to channel [Channel].
Radio ARM Interference CCA | Channel width set to channel [Channel].
Radio Freeze | Radio stopped service.
Radio UnFreeze | Radio resumed service.
Mesh Link Up | Mesh link established to Portal [Portal Device MAC].
Mesh Link Down | Mesh link to Portal [Portal Device MAC] is down.
VPN IPSec Tunnel Up | VPN IPSec Tunnel to Gateway peer [Peer Device Hostname] ([Peer Device IP]) is up.
VPN IPSec Tunnel Down | VPN IPSec Tunnel to Gateway peer [Peer Device Hostname] ([Peer Device IP]) is down.
VPN GRE Tunnel Up | VPN L3 GRE Tunnel to Gateway peer [Peer Device Hostname] ([Peer Device IP]) is up.
VPN GRE Tunnel Down | VPN L3 GRE Tunnel to Gateway peer [Peer Device Hostname] ([Peer Device IP]) is down.
WLAN SSID Scheduled Active | SSID [SSID] scheduled activation.
WLAN SSID Scheduled Deactive | SSID [SSID] scheduled deactivation.

Configuring IAPs
This section describes how to configure WLAN SSIDs, radio profiles, DHCP profiles, VPN routes, security and firewall settings, uplink interfaces, and logging servers on Instant APs (IAPs). For more information on IAP configuration, see the following topics:
- Configuring Device Parameters
- Configuring Network Profiles on IAPs
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring ARM and RF Parameters on IAPs
- Configuring IDS Parameters on IAPs
- Configuring Authentication and Security Profiles on IAPs
- Configuring IAPs for VPN Services
- Configuring DHCP Pools and Client IP Assignment Modes on IAPs
- Configuring Services
- Configuring Uplink Interfaces on IAPs
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Mapping IAP Certificates
Getting Started with AP Deployments
Before you get started with the deployment operations, browse through the list of Supported APs in Aruba Central On-Premises. The UI-based provisioning of APs is available for AP Foundation licenses.
In Aruba Central On-Premises, you can only configure Instant APs. However, monitoring is supported for Campus APs, Remote APs, and Instant APs.


Deploying APs in Aruba Central
The following figure illustrates a basic AP deployment and WLAN setup workflow in Aruba Central.

Figure 40 Getting Started--APs

To deploy the AP and to configure a basic WLAN setup, complete the following steps:
1. On-board
To manage APs from Aruba Central On-Premises, you must on-board the APs to the device inventory and assign a valid license. For more information about on-boarding devices and assigning licenses to devices, see Managing Devices and Device Subscriptions. You can access Aruba Central On-Premises from the HPE GreenLake account home. For more information, see Getting Started with Aruba Central On-Premises.
2. Provision
The devices provisioned in your Aruba Central On-Premises account are listed on the Organization > Network Structure > Device Preprovisioning page. For more information about pre-provisioning the devices, see Getting Started with Aruba Central On-Premises. Using Aruba Central On-Premises, you can manage the devices as follows:
- Create groups and assign devices to groups. For more information about assigning devices to groups, see Assigning Devices to Groups.
- Create sites and assign devices to sites. For more information about assigning devices to sites, see Assigning Sites.
- Create labels and assign labels to devices. For more information about assigning labels to devices, see Assigning Labels.
3. Configure
The following are the basic WLAN configuration steps to deploy an IAP. For more information about advanced IAP configuration and deployment steps, see Configuring IAPs.
- The initial setup requires you to specify the country code for the country in which the AP operates. For more information about setting a country code for the AP, see Setting Country Code.
- On the Access Points > Config > Show Advanced > System tab, you can configure the system parameters for an IAP. For more information about configuring general system parameters for an IAP in Aruba Central On-Premises, see Configuring Device Parameters.
- A wireless network profile allows you to establish a secure network connection between the IAP and the client. You can create a wireless SSID network profile on the Access Points > Config > Show Advanced > WLANs tab. For more information about creating a wireless network profile in Aruba Central On-Premises, see Configuring Device Parameters.
- On the Access Points > Config > Show Advanced > WLANs tab, you can create a secure wireless network profile and access rules for guest users of the enterprise Wi-Fi network. For more information about configuring a guest network profile, see Configuring Wireless Networks for Guest Users on IAPs.
- After configuring the network profile in the WLANs tab, you can review the configuration changes for the provisioned devices. For more information about auditing the configuration changes, see Verifying Device Configuration Status.
4. Monitor
Following are the steps to monitor the APs in Aruba Central On-Premises:
- The AP dashboard and the health bar provide the overall health of the devices configured in Aruba Central On-Premises. For more information about monitoring the APs in Aruba Central On-Premises, see Monitoring APs.
- The Summary tab in the AP dashboard provides the device details, network information, radio details including the topology of clients connected to each radio, and the health status of the AP in the network. For more information about the AP summary page, see Access Point > Overview > Summary.
- The Clients page displays the client summary details, AI Insights, and client session details for the client. For more information about client summary details, see Client Details.
- On the Analyze > Alerts & Events page, you can configure various types of alerts in Aruba Central On-Premises. For more information about configuring alerts and events, see Alerts & Events.
- On the Analyze > Reports page, you can configure and view various types of reports in Aruba Central On-Premises. For more information about creating and viewing reports, see Reports.
5. Maintain
Following are the steps to maintain the APs in Aruba Central On-Premises:
- On the Maintain > Firmware dashboard page, you can view the AP firmware details, upgrade the device firmware to the latest supported version, and set firmware compliance. For more information about the steps to upgrade the device to the latest firmware, see Upgrading Device Firmware.
- On the Analyze > Audit Trail page, you can view the logs generated for device management, configuration, and user management events triggered in Aruba Central On-Premises. For more information about audit logs, see Viewing Audit Trail.
- On the Analyze > Tools menu, you can troubleshoot and diagnose device and network issues in Aruba Central On-Premises. For more information about troubleshooting, see Using Troubleshooting Tools.
Configuring IAPs Using Templates
Templates in Aruba Central On-Premises refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate access point (AP) deployments.
To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that the device administrators familiarize themselves with the CLI configuration commands available on Aruba IAPs.
For template-based provisioning, IAPs must be assigned to a group with template-based configuration method enabled.
To create a template for the IAPs in a template group, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure APs in a template group are displayed.
4. In the Templates table, click + to add a new template. The Add Template pop-up window is displayed.
5. Under Basic Info, enter the following information:
- Template Name--Enter the template name.
- Model--Set the model parameter to ALL.
- Version--Set the version parameter to ALL.
6. Under Template, add the CLI script content.
7. Check the following guidelines before adding content to the template:
- Ensure that the command text indentation matches the indentation in the running configuration.
- The template can contain multiple per-ap-settings blocks, and it must include the per-ap-settings %_sys_lan_mac% variable. Each per-ap-settings block is rendered from the variables of the AP it applies to, whereas the general virtual controller (VC) configuration is rendered from the variables of the conductor AP. Aruba therefore recommends that you upload all variables for all devices in a cluster and then change the values for individual APs as required.
- You can obtain the list of variables for per-ap-settings by using the show amp-audit command.

Aruba Central On-Premises 2.5.6 | User Guide

274

The following example shows the list of variables for per-ap-settings:
(Instant AP)# show amp-audit | begin per-ap
per-ap-settings 70:3a:0e:cc:ee:60
 hostname EE:60-335-24
 rf-zone bj-qa
 ip-address 10.65.127.24 255.255.255.0 10.65.127.1 10.65.6.15 ""
 swarm-mode standalone
 wifi0-mode access
 wifi1-mode access
 g-channel 6+ 21
 a-channel 140 26
 uplink-vlan 0
 g-external-antenna 0
 a-external-antenna 0
 ap1x-peap-user peap22 282eaf1077b8d898b91ec41b5da19895
The commands in the template are case-sensitive. IF ELSE ENDIF conditions are supported in the template. When the template text includes an if condition, the % sign is required at the beginning and the end of the directive, for example %if guest%. The following example shows template text with an IF ELSE ENDIF condition:
wlan ssid-profile %ssid_name%
 %if disable_ssid=true%
 disable-ssid
 %endif%
 %if ssid_security=wpa2%
 opmode wpa2-aes
 %else%
 opmode opensystem
 %endif%
Templates also support nesting of IF ELSE ENDIF condition blocks. The following example shows how to nest such blocks:
%if condition1=true%
routing-profile
 route 10.10.0.0 255.255.255.0 10.10.0.255
%if condition2=true%
routing-profile
 route 10.20.0.0 255.255.255.0 10.20.0.255
%else%
routing-profile
 route 10.30.0.0 255.255.255.0 10.30.0.255
%endif%
%else%
routing-profile
 route 10.40.0.0 255.255.255.0 10.40.0.255
%if condition3=true%
routing-profile
 route 10.50.0.0 255.255.255.0 10.50.0.255
%else%
routing-profile
 route 10.60.0.0 255.255.255.0 10.60.0.255
%endif%
%endif%
For profile configuration CLI text (for example vlan, interface, access-list, and ssid profiles), the first command must start without any white space. The subsequent commands in the profile must start with at least one initial space (' '), that is, they must be indented as shown in the following examples:
Example 1
wlan auth-server %auth_server_name%
 ip %auth_server_ip%
 port 1812
 acctport 1813
 %if auth_server_key%
 key %auth_server_key%
 %else%
 key 123456
 %endif%
The %else% branch in Example 1 is only a placeholder: a fixed fallback such as key 123456 means that any AP whose auth_server_key variable is not set falls back to the same weak, well-known RADIUS shared secret. In a production template, define the variable for every device instead of relying on a default.
Example 2
%if vlan_id1%
vlan %vlan_id1%
 %if vlan_id1=1%
 ip address dhcp-bootp
 %endif%
 no untagged %_sys_vlan_1_untag_command%
 exit
%endif%
To comment out a line in the template text, use the pound sign (#). Any template text preceded by # is ignored when the template is processed.
To allow or restrict APs from joining the Instant Access Point (IAP) cluster, Aruba Central uses the _sys_allowed_ap system-defined variable. Use this variable only when the allowed APs configuration is enabled, and use it only once in the template. For example: _sys_allowed_ap: "a_mac, b_mac, c_mac".
8. Click OK.
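The template rules above (case-sensitive commands, nested %if ... %else% ... %endif% blocks, # comment lines, indented profile sub-commands, and per-ap-settings blocks rendered from each AP's own variables while the rest is rendered from the conductor's variables) are easy to get wrong before a push. The following Python script is an added example, not Aruba Central's own rendering engine or any Aruba code: it previews what a template expands to for a constructed cluster of two APs so that you can diff the result against the running configuration before assigning the template. The sample template and variable values are constructed, and three details are assumptions that this page does not state: a bare %if var% is treated as "the variable is set and non-empty", comparisons are exact string matches, and a per-ap-settings block ends at the next non-indented line.

```python
"""Preview renderer for the IAP template syntax described on this page.
Added example, not Aruba code. See the lead-in for the assumptions."""
import re
from typing import Dict, List, Tuple

_IF_RE = re.compile(r"^%if\s+([A-Za-z0-9_]+)(?:=([^%]*))?%$")
_VAR_RE = re.compile(r"%([A-Za-z0-9_]+)%")


class TemplateError(ValueError):
    """Unbalanced %if%/%else%/%endif%, undefined variable, or missing per-AP block."""


def _condition(name: str, value, variables: Dict[str, str]) -> bool:
    actual = variables.get(name, "")       # undefined behaves like empty (assumption)
    return actual != "" if value is None else actual == value


def render(template: str, variables: Dict[str, str]) -> str:
    """Render one template text with one set of variables, keeping indentation."""
    out: List[str] = []
    stack: List[List[bool]] = []           # per open %if%: [branch active, any branch taken]
    for lineno, raw in enumerate(template.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                       # blank line or '#' comment is ignored
        m = _IF_RE.match(stripped)
        if m:
            taken = _condition(m.group(1), m.group(2), variables)
            stack.append([taken, taken])
            continue
        if stripped == "%else%":
            if not stack:
                raise TemplateError(f"line {lineno}: %else% without %if%")
            frame = stack[-1]
            frame[0], frame[1] = not frame[1], True
            continue
        if stripped == "%endif%":
            if not stack:
                raise TemplateError(f"line {lineno}: %endif% without %if%")
            stack.pop()
            continue
        if not all(frame[0] for frame in stack):
            continue                       # inside a branch that was not taken

        def substitute(match) -> str:      # fail closed on a variable nobody defined
            name = match.group(1)
            if name not in variables:
                raise TemplateError(f"line {lineno}: undefined variable %{name}%")
            return variables[name]

        out.append(_VAR_RE.sub(substitute, raw.rstrip()))
    if stack:
        raise TemplateError("template ends inside an open %if% block")
    return "".join(line + "\n" for line in out)


def split_per_ap(template: str) -> Tuple[str, str]:
    """Separate the per-ap-settings block(s) from the general VC configuration."""
    general: List[str] = []
    per_ap: List[str] = []
    in_block = False
    for raw in template.splitlines():
        if raw.startswith("per-ap-settings"):
            in_block = True
        elif in_block and raw and not raw[0].isspace():
            in_block = False               # next top-level command ends the block
        (per_ap if in_block else general).append(raw)
    if "%_sys_lan_mac%" not in "\n".join(per_ap):
        raise TemplateError("template must contain a per-ap-settings %_sys_lan_mac% block")
    return "\n".join(general) + "\n", "\n".join(per_ap) + "\n"


def render_cluster(template: str, conductor_mac: str,
                   ap_vars: Dict[str, Dict[str, str]]) -> str:
    """General config from the conductor's variables, then one per-AP block per AP."""
    general, per_ap = split_per_ap(template)
    parts = [render(general, ap_vars[conductor_mac])]
    for mac, variables in ap_vars.items():
        parts.append(render(per_ap, dict(variables, _sys_lan_mac=mac)))
    return "".join(parts)


# Constructed sample template and variable sets (not taken from the page).
SAMPLE_TEMPLATE = """\
# constructed sample template
wlan ssid-profile %ssid_name%
 %if disable_ssid=true%
 disable-ssid
 %endif%
 %if ssid_security=wpa2%
 opmode wpa2-aes
 %else%
 opmode opensystem
 %endif%
per-ap-settings %_sys_lan_mac%
 hostname %hostname%
 rf-zone %rf_zone%
 %if ip_address%
 ip-address %ip_address% %netmask% %gateway% %dns% ""
 %endif%
"""
SAMPLE_AP_VARS = {
    "70:3a:0e:cc:ee:60": {"ssid_name": "corp", "ssid_security": "wpa2", "disable_ssid": "false",
                          "hostname": "ap-lobby", "rf_zone": "lobby", "ip_address": "10.65.127.24",
                          "netmask": "255.255.255.0", "gateway": "10.65.127.1", "dns": "10.65.6.15"},
    "70:3a:0e:cc:ee:61": {"ssid_name": "corp", "ssid_security": "wpa2", "disable_ssid": "false",
                          "hostname": "ap-hall", "rf_zone": "hall", "ip_address": ""},  # DHCP
}

if __name__ == "__main__":
    print(render_cluster(SAMPLE_TEMPLATE, "70:3a:0e:cc:ee:60", SAMPLE_AP_VARS), end="")
```

Run it as a script to print the rendered configuration for both APs. An undefined variable or an unbalanced %if% raises TemplateError instead of producing a partial configuration, which is the failure mode you want to catch before the template reaches devices; the second AP has an empty ip_address, so its static ip-address line is dropped and it keeps DHCP.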
Viewing APs Configuration Tabs
Aruba Central On-Premises remembers whether you last chose Show Advanced or Hide Advanced on the Devices > Access Points page: the corresponding set of configuration tabs is displayed again when you navigate away from the page and return to it later.
Following are the default tabs displayed when you navigate to the Devices > Access Points page and click the Config icon:
- WLANs
- Access Points
- Radios
When you click the Show Advanced option, the following tabs are displayed:
- WLANs
- Access Points
- Radios
- Interfaces
- Security
- VPN
- Services
- System
- IoT
- Configuration Audit
To return to the default tabs, click Hide Advanced.
Configuring Device Parameters
To configure device parameters on an Instant AP (IAP), complete the following steps:
1. In the Aruba Central On-Premises app, select one of the following options:
- To select an IAP group in the filter:
 a. Set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
 b. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
- To select an IAP in the filter:
 a. Set the filter to Global or a group containing at least one IAP.
 b. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
 c. Click an IAP listed under Device Name. The dashboard context for the IAP is displayed.
 d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the IAPs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an IAP, select an IAP in the Access Points table, and then click the edit icon.
5. Configure the parameters described in Table 58.
6. Click Save Settings and then reboot the IAP.
The following table lists the access point configuration parameters.

Table 58: Access Points Configuration Parameters

Basic Info

Name: Configures a name for the IAP. For IAPs running 8.7.0.0 or later, you can enter up to 128 ASCII or non-ASCII characters. For IAPs running 8.6.0.0 or earlier, you can enter up to 32 ASCII or non-ASCII characters.

AP Zone: Configures the IAP zone. For IAPs running firmware 6.5.4.7 or later, or 8.3.0.0 or later, you can configure multiple AP zones by entering the zone names as comma-separated values. Aruba recommends that you do not configure zones both in an SSID and in the per-AP settings of an IAP. If the same zones are configured in the SSID and in the per-AP settings, the APs may still broadcast the SSIDs, but if the SSID and the per-AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see the Aruba Instant User Guide.

RF Zone: Allows you to create an RF zone for the AP. With RF zones, you can configure different transmit power settings for APs in different zones or sections of a deployment site; for example, you can make Wi-Fi available only to devices in specific areas of a store. You can also configure separate RF zones for the 2.4 GHz and 5 GHz radio bands of the IAPs in a cluster. For more information, see Configuring Radio Parameters on page 346. Aruba recommends that you configure the RF zone either for the individual AP or for the cluster. Any discrepancy in the RF zone names may lead to configuration errors.

Swarm Mode: Allows you to set one of the following operation modes:
- Cluster--Allows an IAP to operate in cluster mode. When an Instant AP operates in cluster mode, it can form a cluster with other virtual controller Instant APs in the same VLAN.
- Standalone--Allows an IAP to operate in standalone mode. When an Instant AP operates in standalone mode, it cannot join a cluster of Instant APs even if it is in the same VLAN.
- Single-AP--Allows an Instant AP to operate in single-AP mode. This is a type of standalone deployment with additional security rules that prevent local access to AP management. In single-AP mode, management access to the AP is reserved exclusively for the remote management platform and is carried over a secure tunnel between the AP and the management platform. Local WebUI and SSH access to the AP through the uplink port are disabled. Additionally, the AP does not send or receive management frames such as mobility packets, roaming packets, and hierarchy beacons through the uplink port. Choose this mode where local management access to the AP is not wanted.
NOTE: After changing the AP operation mode, ensure that you reboot the IAP.

LACP Mode: Allows you to set one of the following LACP modes:
- Active--Enables LACP on the IAP. In this mode, both Ethernet ports on the Instant AP form a LAG.
- Passive--Sets LACP on the IAP to passive mode.
- Disabled--Disables LACP on the IAP.

Preferred Conductor: Turn on the toggle switch to provision the IAP as the conductor IAP. After provisioning the IAP as the conductor IAP, ensure that you reboot the IAP.

IP Address for Access Point: Select one of the following options:
- Get IP Address from DHCP server--Allows the IAP to obtain an IP address from the DHCP server. By default, IAPs obtain their IP address from a DHCP server.
- Static--Assigns a static IP address to the IAP. To specify a static IP address for the IAP, complete the following steps:
 o Enter the new IP address for the IAP in the IP Address text box.
 o Enter the subnet mask of the network in the Netmask text box.
 o Enter the IP address of the DNS server in the DNS Server text box.
 o Enter the domain name in the Domain Name text box.
NOTE: You can configure up to two DNS servers separated by a comma. If the first DNS server goes down, the second DNS server takes over resolving the domain name.

Radio

Flexible Dual Band: Configures the flexible dual radio band mode on AP-615 access points. Select one of the following:
- 5 GHz and 2.4 GHz--Acts as two radios (interfaces), one operating on the 5 GHz band and the other on the 2.4 GHz band. By default, the flexible radio is set to this mode.
- 5 GHz and 6 GHz--Acts as two radios (interfaces), one operating on the 5 GHz band and the other on the 6 GHz band.
- 2.4 GHz and 6 GHz--Acts as two radios (interfaces), one operating on the 2.4 GHz band and the other on the 6 GHz band.

Dual 5G Mode: Select the Dual 5G Mode check box to enable dual 5G mode. In Dual 5G Mode, the Mode remains Access and is not editable. Dual 5G Mode is only supported on AP-344 and AP-345 running Aruba InstantOS 8.3.0.0. For more information, see Configuring Dual 5 GHz Radio Bands on an IAP.

Split Radio: Select the Split Radio check box to allow the radios of the IAP to operate in tri-radio mode. Split Radio is only supported on AP-555 access points running Aruba InstantOS 8.5.0.0. For more information, see About Tri-Radio Mode.

Enable Radio: Select or clear the Enable Radio check box under 2.4GHz Band and 5GHz Band to enable or disable the respective radio.

Mode: From the Mode drop-down list, select one of the following options:
- Access--In this mode, the IAP serves clients while also monitoring for rogue IAPs in the background.
- Monitor--In this mode, the IAP acts as a dedicated monitor, scanning all channels for rogue IAPs and clients.
- Spectrum--In this mode, the IAP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from neighboring IAPs or from non-Wi-Fi devices such as microwaves and cordless phones.
To get accurate monitoring details and statistics, it is highly recommended that you reboot the IAPs after toggling them from 2.4 or 5 GHz mode to dual 5 GHz radio mode or vice versa. The access, spectrum, and monitor modes of the radios of an access point are available with the Foundation and Advanced licenses for APs.

Adaptive radio management assigned: You can configure a radio profile on an Instant AP either manually or by selecting the Adaptive radio management assigned option. The Adaptive Radio Management (ARM) feature is enabled on Aruba Central by default. It automatically assigns appropriate channel and power settings to the IAPs.

Administrator assigned: Select the Administrator assigned option to set the channel and power manually: choose the channel from the Channel drop-down list, and enter the transmit power in dBm in the Transmit Power field.

Installation Type

Installation Type: Configures the installation type of the Instant AP. The Installation Type drop-down list consists of the following options:
- Default--Select this option to change the installation type to the default mode.
- Indoor--Select this option to change the installation type to the indoor mode.
- Outdoor--Select this option to change the installation type to the outdoor mode.
The options in the Installation Type drop-down list depend on the Instant AP model.

Uplink

Uplink Management VLAN: The uplink traffic of an Instant AP is carried over a management VLAN. You can configure a non-native VLAN as the uplink management VLAN. After an Instant AP is provisioned with the uplink management VLAN, all management traffic sent from the Instant AP is tagged with the management VLAN. To configure a non-native uplink VLAN, click Uplink and specify the VLAN in Uplink Management VLAN.

Eth0 Mode: Allows you to change the Eth0 bridging mode in your wired network. The Eth0 Mode drop-down list consists of the following options:
- Uplink--Select this option to make Eth0 an uplink port.
- Downlink--Select this option to make Eth0 a downlink port.

Eth1 Mode: Allows you to change the Eth1 bridging mode in your wired network. The Eth1 Mode drop-down list consists of the following options:
- Default--Select this option to set Eth1 to the default port mode.
- Uplink--Select this option to make Eth1 an uplink port.
- Downlink--Select this option to make Eth1 a downlink port.

USB Port: Select the check box to enable the USB port; clear it if you do not use a cellular uplink or 3G/4G modem in your current network setup.

USB Power Override: Select the check box to enable the USB power override. This parameter is disabled by default.

PEAP User: Create the PEAP user credentials that the AP uses to authenticate itself over 802.1X on its uplink (shown as ap1x-peap-user in the show amp-audit output above). Enter the user name, password, and retyped password in the Username, Password, and Retype Password fields to create the PEAP user.

Mesh

Mesh enable: Select the Mesh enable check box to allow mesh access points to form a mesh network. The mesh feature provides reliability and redundancy by allowing the network to continue operating even when an Instant AP is non-functional or fails to connect to the network. For more information, see Aruba Mesh Network and Mesh IAP.

Clusterless mesh name: Enter the mesh name for mesh access points that do not belong to any cluster. The Clusterless mesh name field is disabled when the Mesh enable option is enabled.

Clusterless mesh key: Enter the mesh key for mesh access points that do not belong to any cluster. The Clusterless mesh key field is disabled when the Mesh enable option is enabled.

Retype: Re-enter the clusterless mesh key. The Retype field is disabled when the Mesh enable option is enabled.

Mesh mobility RSSI threshold: Fast roaming is triggered on a mobility mesh point when the RSSI of the parent is lower than the threshold value. Enter the threshold either as a number between 10 and 50, or as high or low.

External Antenna

Antenna Gain: Enter the antenna gain values in dBi in the 2.4 GHz Antenna Gain and 5 GHz Antenna Gain sections. For more information, see Configuring External Antenna on page 286.

Antenna Polarization Type: From the Antenna Polarization Type drop-down list, select one of the following:
- co-polarization--Select this option when the polarization of the transmitting and receiving antennas is the same.
- cross-polarization--Select this option when the polarization of the transmitting and receiving antennas is different.
The integrated antenna of the wireless bridge sends a radio signal that is polarized in a particular direction, and the receive sensitivity of the antenna is also higher for radio signals with the same polarization. To maximize the performance of the wireless link, both antennas must be set to the same polarization direction.

Setting Country Code
The initial Wi-Fi setup of an Instant Access Point (IAP) requires you to specify the country code for the country in which the IAP operates. This configuration sets the regulatory domain for the radio frequencies that the IAP uses. The available 20 MHz, 40 MHz, or 80 MHz channels are dependent on the specified country code.


Country Code Configuration in Aruba Central On-Premises from UI
If you provision a new IAP without a country code, Aruba Central On-Premises behaves as described in the following table.

Table 59: IAP Provisioned To Aruba Central

Country Code Configured at IAP: No
Country Code Configured in Group: Yes
Behavior: The country code of the group is pushed to the newly added IAP.

Country Code Configured at IAP: No
Country Code Configured in Group: No
Behavior: Aruba Central On-Premises displays the message "Country Code not set. Config not updated" in the Audit Trail. A notification is also displayed at the bottom of the main window asking you to set the country code of the new IAP. To set the country code, perform the following actions:
1. Click the Set Country Code now link on the notifications pane. The Set Country Code pop-up is displayed.
2. In the Device(s) without country code table, click the edit icon.
3. Specify a country code from the Country Code drop-down list.
4. Click Save.

If an IAP already has a country code and joins Aruba Central On-Premises using ZTP configuration, the country code of the IAP is retained. In this case, Aruba Central On-Premises does not push the group country code.
Setting Country Code at a Group Level
To set the country code of the IAP at the group level, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The default tabs to configure the virtual controller are displayed.
4. Click Show Advanced to view the advanced configuration options.
5. Click the System tab. The System details page is displayed.
6. Expand the General accordion.
7. In the Set Country code for group drop-down list, select the country code for the IAP.
8. Click Save Settings and then reboot the IAP.
- By default, the Set Country code for group field is empty. This indicates that IAPs with different country codes can be part of the group.
- Once the Set Country code for group field is set, it cannot be reverted to the default (empty) value. When the country code of the group is changed, the country code of the already connected IAPs is also updated.
Setting Country Code at a Device Level
To set the country code of the IAP at the device level, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. In the Controller column, click the virtual controller link to navigate to the Access Points > List view of the virtual controller. The dashboard context for the virtual controller is displayed.
4. Click the Config icon. The default tabs to configure the virtual controller are displayed.
5. Click Show Advanced to view the advanced configuration options.
6. Click the System tab. The System details page is displayed.
7. Expand the General accordion.
8. In the Virtual Controller table, select a virtual controller and then click the edit icon.
9. In the Edit IP Address window, select the country code from the Country Code drop-down list.
10. Click OK.
11. Click Save Settings and then reboot the IAP.
- By default, the Country Code value is the country code set at the group level; you can then modify it at the device level from the drop-down list. The effective country code of the IAP is always the most recently set value, whether it was set at the group level or at the device level.
- If there is a discrepancy between the group-level and device-level country code configuration, Aruba Central On-Premises displays it as an override on the Configuration Audit page.
Country Code Configuration at Group Level from API
Aruba Central On-Premises provides an option to set and get the country code at the group level through the APIs in the API Gateway. To set or get the country code at the group level through the API, complete the following steps:
1. In the Aruba Central On-Premises app, under Maintain, click Organization > Platform Integration. Click API Gateway. The API Gateway page is displayed.
2. Click the Authorized Apps & Tokens tab and generate a token key. The token key is valid only for 2 hours from the time it was generated. Treat the token as a credential: anyone holding it can call the APIs on your behalf until it expires, so do not paste it into shared scripts or commit it to a repository.
3. Download and copy the generated token.
4. In the All Published APIs window, click the URL link listed under the Documentation column. The Central Network Management APIs page is displayed.
5. On the left navigation pane, select Configuration from the URL drop-down list.
6. Paste the token key in the Token field and press Enter.
7. Click NB UI Group Configuration. The following options are displayed:
- Set country code at group level ([PUT]/configuration/v1/country)--This API sets the country code for multiple groups at once. Aruba Central On-Premises currently allows the country codes of up to 50 IAP device groups to be configured in a single call. To set the country codes of multiple groups, enter the group names and the country code as the values of the groups and country labels in the request body { "groups": [ "string" ], "country": "string" } in the set_group_config_country_code text box.
- Get country code set for group ([GET]/configuration/v1/{group}/country)--This API retrieves the country code set for a specific IAP group. Enter the name of the group whose country code you are querying in the group text box; the response has the form { "country": "string" }.

The APIs for setting and retrieving country code information are not available for the IAP devices deployed in template groups.

The following are the response messages displayed in the Set country code at group level and Get country code set for group sections.

Table 60: Response Messages

Set country code at group level:
- 201 - Successful operation
- 400 - Bad Request
- 401 - Unauthorized access, authentication required
- 403 - Forbidden, do not have write access for group
- 413 - Request-size limit exceeded
- 417 - Request-size limit exceeded
- 429 - API Rate limit exceeded
- 500 - Internal Server Error
- 503 - Service unavailable, configuration update in progress

Get country code set for group:
- 400 - Bad Request
- 401 - Unauthorized access, authentication required
- 403 - Forbidden, do not have read access for group
- 413 - Request-size limit exceeded
- 417 - Request-size limit exceeded
- 429 - API Rate limit exceeded
- 500 - Internal Server Error
- 503 - Service unavailable, configuration update in progress
For more information about APIs, see https://app1-apigw.central.arubanetworks.com/swagger/central.
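As an added example (not part of this guide and not Aruba's SDK), the following Python client scripts the two country-code endpoints above the way a practitioner would: it sends the API Gateway token with every call, never places more than the 50 groups the page allows in one PUT, retries only the 429 and 503 responses from Table 60 with back-off, and fails closed on every other documented status. The bearer Authorization header format, the on-premises base URL, and the { "country": "..." } reply shape of the GET are assumptions, and the StubGateway class is a constructed stand-in for the API Gateway so that the example runs offline.

```python
"""Client for the group country-code APIs listed on this page.
Added example, not Aruba code; see the lead-in for the assumptions."""
import json
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import quote, unquote

MAX_GROUPS_PER_PUT = 50          # limit stated on the page
RETRY_STATUSES = {429, 503}      # rate limited / configuration update in progress
REASONS = {400: "Bad Request", 401: "Unauthorized access, authentication required",
           403: "Forbidden, no read or write access for group",
           413: "Request-size limit exceeded", 417: "Request-size limit exceeded",
           429: "API Rate limit exceeded", 500: "Internal Server Error",
           503: "Service unavailable, configuration update in progress"}
# transport(method, url, headers, body) -> (status, response body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


class CentralApiError(RuntimeError):
    def __init__(self, status: int) -> None:
        super().__init__(f"HTTP {status}: {REASONS.get(status, 'unexpected status')}")
        self.status = status


class CountryCodeClient:
    def __init__(self, base_url: str, token: str, transport: Transport,
                 max_retries: int = 3, sleep: Callable[[float], None] = time.sleep) -> None:
        self.base_url, self.token, self.transport = base_url.rstrip("/"), token, transport
        self.max_retries, self.sleep = max_retries, sleep

    def _call(self, method: str, path: str, payload=None) -> bytes:
        headers = {"Accept": "application/json",
                   "Authorization": f"Bearer {self.token}"}      # assumed header format
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        for attempt in range(self.max_retries + 1):
            status, data = self.transport(method, self.base_url + path, headers, body)
            if status < 400:
                return data
            if status not in RETRY_STATUSES or attempt == self.max_retries:
                raise CentralApiError(status)                   # 401/403/413/... fail closed
            self.sleep(2.0 ** attempt)                          # back off before retrying 429/503
        raise ValueError("max_retries must not be negative")

    def set_country(self, groups: Iterable[str], country: str) -> int:
        """PUT the code for all groups, 50 per call; returns the number of calls made."""
        names = list(groups)
        chunks = [names[i:i + MAX_GROUPS_PER_PUT]
                  for i in range(0, len(names), MAX_GROUPS_PER_PUT)]
        for chunk in chunks:
            self._call("PUT", "/configuration/v1/country",
                       {"groups": chunk, "country": country})
        return len(chunks)

    def get_country(self, group: str) -> str:
        data = self._call("GET", f"/configuration/v1/{quote(group, safe='')}/country")
        return json.loads(data)["country"]                      # assumed reply shape


class StubGateway:
    """Constructed in-memory stand-in for the API Gateway so the example runs offline."""

    def __init__(self, valid_token: str) -> None:
        self.valid_token, self.codes = valid_token, {}
        self.calls: List[Tuple[str, str]] = []
        self.fail_next_with: Optional[int] = None               # inject one transient error

    def __call__(self, method, url, headers, body) -> Tuple[int, bytes]:
        self.calls.append((method, url))
        if headers.get("Authorization") != f"Bearer {self.valid_token}":
            return 401, b""
        if self.fail_next_with is not None:
            status, self.fail_next_with = self.fail_next_with, None
            return status, b""
        path = url.split("/configuration/v1", 1)[1]
        if method == "PUT" and path == "/country":
            payload = json.loads(body)
            if len(payload["groups"]) > MAX_GROUPS_PER_PUT:
                return 413, b""
            self.codes.update({g: payload["country"] for g in payload["groups"]})
            return 201, b""
        if method == "GET" and path.endswith("/country"):
            group = unquote(path[1:-len("/country")])
            if group not in self.codes:
                return 400, b""
            return 200, json.dumps({"country": self.codes[group]}).encode()
        return 500, b""


def demo() -> Dict[str, object]:
    """Push one code to 120 groups, survive a 503 on read-back, and reject a bad token."""
    gateway = StubGateway("example-token")
    client = CountryCodeClient("https://central-onprem.example.internal",   # assumed URL
                               "example-token", gateway, sleep=lambda _s: None)
    groups = [f"iap-group-{n:03d}" for n in range(120)]         # constructed group names
    puts = client.set_country(groups, "US")                     # 120 groups -> 3 PUT calls
    before = len(gateway.calls)
    gateway.fail_next_with = 503                                # config update in progress
    country = client.get_country(groups[-1])
    get_calls = len(gateway.calls) - before                     # 1 failed + 1 retried = 2
    try:
        CountryCodeClient(client.base_url, "wrong-token", gateway,
                          sleep=lambda _s: None).get_country(groups[0])
        auth_status = None
    except CentralApiError as exc:
        auth_status = exc.status                                # 401 is not retried
    return {"puts": puts, "country": country, "get_calls": get_calls,
            "auth_status": auth_status}
```

To run it against a real deployment, replace StubGateway with a small function that performs the request with urllib or requests and returns the status code and body; the client logic does not change. Chunking at 50 groups avoids the 413 response the page lists, and retrying only 429 and 503 keeps an authentication or authorization failure (401, 403) from being masked by a retry loop.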
Configuring Systems
This section describes how to configure the General, Administrator, Time-Based Services, DHCP, Layer-3 Mobility, Enterprise Domains, Logging, SNMP, WISPr, Proxy, and Named VLAN Mapping parameters on an Instant Access Point (IAP).
- Configuring System Parameters for an IAP
- Configuring User Accounts for the IAP Management Interface
- Configuring Mesh for Multiple Radios
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring DHCP Pools and Client IP Assignment Modes on IAPs
- Mobility and Client Management
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Configuring SNMP Parameters
- Supported Authentication Methods
- Configuring HTTP Proxy on an IAP
- Configuring VLAN Name and VLAN ID
Configuring VLAN Name and VLAN ID
Aruba Central On-Premises allows you to map VLAN name to a VLAN ID for the ease of identifying the existing VLANs.
To map a VLAN name to a VLAN ID, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Expand the Named VLAN Mapping accordion.
7. Click the + icon in the VLAN Name to VLAN ID Mapping pane. The VLAN Name to VLAN ID Mapping window is displayed.
8. In the VLAN Name to VLAN ID Mapping window, enter the VLAN Name and VLAN ID.
9. Click OK.
The VLAN Name to VLAN ID Mapping table in the Named VLAN Mapping section lists all the mapped VLANs.
You can find the Named VLAN Mapping feature applied in the following fields of the corresponding UI pages of Aruba Central On-Premises:
- The VLAN ID field in the VLANs tab, when Custom (for Instant AP Assigned) or Static (for External DHCP server assigned) is selected during WLAN SSID creation. For more information, see Creating a Wireless Network Profile.
- The VLAN ID field in the VLANs tab, when Custom (for Instant AP Assigned) or Static (for External DHCP server assigned) is selected during wired port profile creation. For more information, see Configuring Wired Port Profiles on IAPs.
- The Access rules page in the Interfaces > Access tab and the WLANs > Access tab, when you add rules for selected roles. Select VLAN Assignment as the rule type on the Access rules page to find the mapped VLAN name in the VLAN ID field.
You can also map a VLAN ID to a VLAN name when you customize the Client VLAN Assignment configuration in the VLANs tab during network profile creation. For more information, see VLANs Parameters.
Points to Remember
- The maximum number of Named VLAN ID mappings allowed in Aruba Central On-Premises is 32.
- VLAN mapping cannot be performed if the VLAN name does not exist.
- The VLAN mapping record is deleted from the VLAN Name to VLAN ID Mapping table when the VLAN name is deleted.
- You can map only a single VLAN ID to a VLAN name.
- The VLAN name field is not case-sensitive.
Configuring External Antenna
If the Instant Access Point (IAP) has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system's EIRP complies with the limit specified by the regulatory authority of the country in which the IAP is deployed. You can also measure or calculate the additional attenuation between the device and the antenna before configuring the antenna gain. To find out whether the IAP model supports external antenna connectors, see the Installation Guide shipped with the IAP.

EIRP and Antenna Gain
The following formula can be used to calculate the RF power that stays within the EIRP limit for the selected antennas (antenna gain) and feeder (coaxial cable loss):
EIRP = Tx RF Power (dBm) + GA (dB) - FL (dB)
Rearranged, the maximum transmit power you can configure is Tx RF Power = EIRP limit - GA + FL; for example, a 36 dBm EIRP limit with a 10 dBi antenna and 2 dB of feeder loss allows at most 28 dBm at the RF connector. The following table describes the variables in the formula.

Table 61: Formula Variable Definitions
- EIRP: Limit specific to each country of deployment.
- Tx RF Power: RF power measured at the RF connector of the unit.
- GA: Antenna gain.
- FL: Feeder loss.

Configuring Antenna Gain
To configure antenna gain for IAPs with external connectors, complete the following steps:
1. In the Aruba Central On-Premises app, select one of the following options:
- To select an IAP group in the filter:
 a. Set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
 b. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
- To select an IAP in the filter:
 a. Set the filter to Global or a group containing at least one IAP.
 b. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
 c. Click an IAP listed under Device Name. The dashboard context for the IAP is displayed.
 d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the IAPs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an IAP, select an IAP in the Access Points table, and then click the edit icon.
5. Click the External Antenna tab.
6. Enter the antenna gain values in dBi for the 2.4 GHz Antenna Gain and the 5 GHz Antenna Gain.
7. From the Antenna Polarization Type drop-down list, select one of the following options:
- co-polarization--Select this option when the polarization of the transmitting and receiving antennas is the same.
- cross-polarization--Select this option when the polarization of the transmitting and receiving antennas is different.
8. Click Save Settings.

After configuring the external antenna parameters, ensure that you reboot the IAP.

Configuring Dual 5 GHz Radio Bands on an IAP
Aruba Central On-Premises provides an option to retrieve the radio numbers of Instant Access Points (IAPs) through the APIs. It also provides an option to filter IAP details by radio number in the IAP monitoring dashboard.

For regular IAPs with non-dual band, Aruba Central On-Premises automatically assigns Radio 1 to 2.4 GHz band and Radio 0 to 5 GHz band respectively.

To retrieve the radio numbers through the API, complete the following steps:
1. In the Aruba Central On-Premises app, under Maintain, click Organization > Platform Integration. Click API Gateway. The API Gateway page is displayed.
2. Click the APIs tab. If you need a token, generate one on the Authorized Apps & Tokens tab; the token key is valid only for 2 hours from the time it was generated.
3. In the All Published APIs window, click the URL link listed under the Documentation column. The Central Network Management APIs page is displayed.
4. On the left navigation pane, select Monitoring from the URL drop-down list.
5. Click API Reference > AP. The APIs listed in Table 62 allow you to retrieve per-radio data for the IAPs.
6. On the left navigation pane, click API Reference > Client. The APIs listed in Table 63 allow you to retrieve per-radio data for the connected clients.
The following APIs accept a radio number to filter the data returned for an IAP.

Table 62: APIs to Get Radio Number in IAPs

[GET]/monitoring/v1/aps/{serial}/neighbouring_clients: Allows you to filter the data of neighbouring clients for a specific radio number in a given time period. When no radio number is entered in the radio_number field, the API returns the data of neighbouring clients for both radio 0 and radio 1. The serial number of the IAP is mandatory to get the data of neighbouring clients for a specific radio number.

[GET]/monitoring/v1/aps/rf_summary: Retrieves RF summary information such as channel utilization, noise floor (reported as a positive value), errors, and drops for a given time period. This API can also be used to filter RF health statistics for a specific radio number in a given time period. When no radio number is entered in the radio_number field, the API returns the RF health statistics for both radio 0 and radio 1. The serial number of the IAP is mandatory to get the RF health statistics for a specific radio number.

[GET]/monitoring/v1/aps/bandwidth_usage: This API can also be used to filter bandwidth usage data for a specific radio number in a given time period. When no radio number is entered in the radio_number field, the API returns the bandwidth usage for both radio 0 and radio 1. The serial number of the IAP is mandatory to get the bandwidth usage for a specific radio number.

The following APIs allow you to retrieve the radio number for the total number of clients connected.

Table 63: APIs to Get Radio Number in Connected Clients

API: [GET]/monitoring/v1/clients/count
Description: This API is used to filter out the data for connected clients for a specific radio number of an IAP in a given time period. When there is no radio number entered in the radio_number field, the API filters the clients count for both radio 0 and radio 1. It is mandatory to provide the serial number of the IAP to get the total count of clients for a specific radio number.

For more details about APIs, see https://app1-apigw.central.arubanetworks.com/swagger/central.
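The following Python snippet is an added example, not code from the guide or from HPE Aruba. It builds requests for the endpoints listed in Tables 62 and 63 and enforces locally the two rules the tables state: the IAP serial is mandatory whenever a radio number is given, and an omitted radio_number means data for both radio 0 and radio 1. It also refuses to reuse a token older than the 2-hour validity window mentioned above. The gateway host name, the Bearer header format, and the query-parameter names for the serial and the time window are assumptions; only the paths and the radio_number field come from the guide.

```python
import time
from typing import Optional
from urllib.parse import urlencode, urljoin

# Placeholder host for the Aruba Central On-Premises API gateway (assumption).
BASE_URL = "https://central-onprem.example.local/"

# Endpoint paths as listed in Tables 62 and 63.
NEIGHBOURING_CLIENTS = "/monitoring/v1/aps/{serial}/neighbouring_clients"
RF_SUMMARY = "/monitoring/v1/aps/rf_summary"
BANDWIDTH_USAGE = "/monitoring/v1/aps/bandwidth_usage"
CLIENTS_COUNT = "/monitoring/v1/clients/count"

TOKEN_LIFETIME_S = 2 * 60 * 60  # the guide states a token key is valid for 2 hours


class TokenExpired(Exception):
    """Raised when a cached token is older than the 2-hour validity window."""


def auth_header(token: str, issued_at: float, now: Optional[float] = None) -> dict:
    """Build the Authorization header (Bearer format is an assumption) and refuse
    to reuse a token past its lifetime instead of letting the gateway reject it."""
    now = time.time() if now is None else now
    if now - issued_at >= TOKEN_LIFETIME_S:
        raise TokenExpired("token is older than 2 hours; generate a new one")
    return {"Authorization": f"Bearer {token}"}


def build_radio_query(endpoint: str, serial: Optional[str], radio_number: Optional[int],
                      from_ts: int, to_ts: int) -> str:
    """Return the request URL for one of the radio-number-aware monitoring APIs.

    radio_number=None asks for both radio 0 and radio 1, the API's documented
    default. A radio-specific query without the IAP serial is rejected locally,
    because the tables state the serial is mandatory in that case.
    """
    if radio_number is not None:
        if radio_number not in (0, 1):
            raise ValueError("radio_number must be 0 or 1")
        if not serial:
            raise ValueError("serial is mandatory when filtering by radio_number")
    if "{serial}" in endpoint:
        if not serial:
            raise ValueError("this endpoint carries the serial in its path")
        path = endpoint.format(serial=serial)
    else:
        path = endpoint
    # Query-parameter names for the time window and the serial are assumptions;
    # 'radio_number' is the field name the guide uses.
    params = {"from_timestamp": from_ts, "to_timestamp": to_ts}
    if serial and "{serial}" not in endpoint:
        params["serial"] = serial
    if radio_number is not None:
        params["radio_number"] = radio_number
    return urljoin(BASE_URL, path) + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed sample: the serial and token are placeholders.
    headers = auth_header("PLACEHOLDER_TOKEN", time.time())
    print(headers)
    print(build_radio_query(RF_SUMMARY, "SERIAL000001", 0, 1690000000, 1690003600))
    print(build_radio_query(NEIGHBOURING_CLIENTS, "SERIAL000001", None, 1690000000, 1690003600))
```

Keeping the serial and radio checks on the client side gives a clear error before the call is made and avoids a round trip that the gateway would reject anyway.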
Support for Dual 5 GHz IAP
Aruba Central On-Premises supports automatic opmode selection for dual 5 GHz IAPs. When the opmode is set to automatic, AirMatch determines whether to convert a radio in an IAP to 5 GHz operation instead of the 2.4 GHz and 5 GHz dual band operation. Automatic is the default dual 5G mode, in which AirMatch detects the optimal mode for the radios (dual band or dual 5G) and updates the running opmode without requiring an IAP reboot between mode changes. Manual setting of dual band or dual 5G is also possible; the manual setting overrides the automatic mode and explicitly enables or disables the dual 5G mode. In this scenario, the IAP immediately switches to the specified mode without a reboot, and AirMatch maintains the specified channel and power assignments in that mode.
Automatic mode is not supported on AP-344. By default, AP-344 assumes the automatic mode to be the same as dual 5G disabled and operates in the dual band mode. To switch AP-344 to dual 5G mode, explicitly enable the dual 5G mode.
The following procedure describes how to configure automatic opmode selection for dual 5 GHz IAP:

Managing APs | 289

1. In the Aruba Central On-Premises app, select one of the following options:
n To select an IAP group in the filter:
a. Set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
b. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
n To select an IAP in the filter:
a. Set the filter to Global or a group containing at least one IAP.
b. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
c. Click an IAP listed under Device Name. The dashboard context for the IAP is displayed.
d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the IAPs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an IAP, select an IAP in the Access Points table, and then click the edit icon.
5. Click the Radio tab.
6. Set Dual 5G Mode to Automatic.
7. (Optional) Specify the manual channel by setting Channel Assignment to Manual.
8. (Optional) Specify the transmit power by setting Transmit Power Assignment to Manual.
9. Click Save Settings.
Configuring Intelligent Power Monitoring
The Intelligent Power Monitoring (IPM) feature actively measures the power utilization of an IAP and dynamically adapts to the available power resources. IPM allows you to define the features that must be disabled to save power, so that the IAP can operate at a lower power consumption without hampering the performance of the remaining features. IPM constantly monitors the IAP power consumption and, whenever the IAP exceeds the power threshold, applies the next power reduction step in the priority list, until the IAP functions within the power budget. To manage this prioritization, you create IPM policies that define a set of power reduction steps and associate each step with a priority. When applied to the IAP, an IPM policy disables or reduces certain features in that sequence to bring the IAP power consumption below the power budget. IPM priorities are integer values, where lower values have the higher priority and are implemented first.
The Intelligent Power Monitoring feature is available only on APs running Aruba Instant OS 8.6.0.3.
To configure Intelligent Power Monitoring, complete the following steps:


1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Expand the IPM accordion.
7. Select the IPM Activation check box to enable IPM.
8. Click the + icon in the IPM Power Reduction Steps With Priorities pane. The IPM Power Reduction Steps With Priorities window is displayed.
9. In the IPM Step Priority field, enter a value from 1 to 16 to define the IPM priority. A lower value implies a higher priority and is implemented before a step with a higher value.
10. From the IPM Step drop-down list, select a setting as described in Table 64.
11. Click OK. The IPM Power Reduction Steps With Priorities table in the IPM section lists all the IPM settings.
12. Click Save Settings.
13. Reboot the IAP for changes to take effect.
The following figure shows the IPM steps and priorities listed in the IPM Power Reduction Steps With Priorities table.
Figure 41: IPM Steps and Priorities
The following table lists the intelligent power monitoring parameters.

Table 64: Intelligent Power Monitoring Parameters

Parameter  Description
cpu_throttle_25  Reduces CPU frequency to 25% of normal.
cpu_throttle_50  Reduces CPU frequency to 50% of normal.
cpu_throttle_75  Reduces CPU frequency to 75% of normal.
disable_alt_eth  Disables the second Ethernet port.
disable_pse  Disables Power Sourcing Equipment (PSE).
disable_usb  Disables USB.
radio_2ghz_chain_1  Reduces 2 GHz chains to 1x1.
radio_2ghz_chain_2  Reduces 2 GHz chains to 2x2.
radio_2ghz_chain_3  Reduces 2 GHz chains to 3x3.
radio_2ghz_power_3dB  Reduces 2 GHz radio power by 3 dB from the maximum value.
radio_2ghz_power_6dB  Reduces 2 GHz radio power by 6 dB from the maximum value.
radio_5ghz_chain_1  Reduces 5 GHz chains to 1x1.
radio_5ghz_chain_2  Reduces 5 GHz chains to 2x2.
radio_5ghz_chain_3  Reduces 5 GHz chains to 3x3.
radio_5ghz_power_3dB  Reduces 5 GHz radio power by 3 dB from the maximum value.
radio_5ghz_power_6dB  Reduces 5 GHz radio power by 6 dB from the maximum value.

To reduce the CPU power gradually, give the smallest reduction the higher priority (the lower IPM Step Priority value) so that the minimum reduction step is implemented first. For example, the cpu_throttle_50 parameter should have a higher priority (a lower priority value) than the cpu_throttle_25 parameter, so that IPM reduces the CPU frequency, and with it the power usage, gradually according to the priority list.
Points to Remember
n By default, Intelligent Power Monitoring is disabled.
n When enabled, IPM enables all IAP functionality initially. IPM then proceeds to shut down or restrict functionality if the power usage of the IAP goes beyond the power budget of the IAP.
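The following Python snippet is an added example, not code from the guide or from HPE Aruba. It validates an IPM policy assembled from the Table 64 step names against the rules stated above (priority range 1 to 16, known step names, and the smaller reduction getting the lower priority value so that it runs first) and then walks the steps in priority order until a constructed power draw fits a budget. The per-step savings and the budget figures are constructed for illustration; the guide does not give real wattages.

```python
from typing import Dict, List, Tuple

# IPM step names exactly as listed in Table 64.
IPM_STEPS = {
    "cpu_throttle_25", "cpu_throttle_50", "cpu_throttle_75",
    "disable_alt_eth", "disable_pse", "disable_usb",
    "radio_2ghz_chain_1", "radio_2ghz_chain_2", "radio_2ghz_chain_3",
    "radio_2ghz_power_3dB", "radio_2ghz_power_6dB",
    "radio_5ghz_chain_1", "radio_5ghz_chain_2", "radio_5ghz_chain_3",
    "radio_5ghz_power_3dB", "radio_5ghz_power_6dB",
}
PRIORITY_MIN, PRIORITY_MAX = 1, 16  # allowed range of the IPM Step Priority field

# Steps that are graded versions of the same reduction, from mildest to harshest.
# The guide wants the mildest applied first, i.e. given the lower priority value.
GRADUAL_FAMILIES = [
    ["cpu_throttle_75", "cpu_throttle_50", "cpu_throttle_25"],
    ["radio_2ghz_power_3dB", "radio_2ghz_power_6dB"],
    ["radio_5ghz_power_3dB", "radio_5ghz_power_6dB"],
    ["radio_2ghz_chain_3", "radio_2ghz_chain_2", "radio_2ghz_chain_1"],
    ["radio_5ghz_chain_3", "radio_5ghz_chain_2", "radio_5ghz_chain_1"],
]


def validate_policy(policy: Dict[int, str]) -> List[str]:
    """Check a {priority: step} mapping; returns the problems found (empty list = OK)."""
    problems: List[str] = []
    seen = set()
    for prio, step in policy.items():
        if not PRIORITY_MIN <= prio <= PRIORITY_MAX:
            problems.append(f"priority {prio} is outside {PRIORITY_MIN}-{PRIORITY_MAX}")
        if step not in IPM_STEPS:
            problems.append(f"unknown IPM step {step!r}")
        if step in seen:
            problems.append(f"step {step!r} is listed more than once")
        seen.add(step)
    by_step = {step: prio for prio, step in policy.items()}
    for family in GRADUAL_FAMILIES:
        present = [s for s in family if s in by_step]
        for milder, harsher in zip(present, present[1:]):
            if by_step[milder] > by_step[harsher]:
                problems.append(
                    f"{harsher} (priority {by_step[harsher]}) would run before "
                    f"{milder} (priority {by_step[milder]}); give the smaller reduction the lower value")
    return problems


def simulate_ipm(policy: Dict[int, str], budget_w: float, draw_w: float,
                 savings_w: Dict[str, float]) -> Tuple[List[str], float]:
    """Apply steps in ascending priority order until the draw is within budget.
    savings_w gives the watts each step saves (constructed figures, not from the guide)."""
    applied: List[str] = []
    for prio in sorted(policy):
        if draw_w <= budget_w:
            break  # within budget: IPM does not apply further steps
        step = policy[prio]
        draw_w -= savings_w.get(step, 0.0)
        applied.append(step)
    return applied, draw_w


# Constructed sample policy: mild steps first, harsher ones later.
EXAMPLE_POLICY = {1: "disable_usb", 2: "cpu_throttle_75", 3: "cpu_throttle_50",
                  4: "radio_2ghz_chain_2", 5: "cpu_throttle_25"}
# Constructed per-step savings in watts (illustrative only).
EXAMPLE_SAVINGS_W = {"disable_usb": 1.5, "cpu_throttle_75": 1.0, "cpu_throttle_50": 1.5,
                     "radio_2ghz_chain_2": 2.0, "cpu_throttle_25": 2.0}

if __name__ == "__main__":
    print("problems:", validate_policy(EXAMPLE_POLICY))
    print(simulate_ipm(EXAMPLE_POLICY, budget_w=13.0, draw_w=16.0, savings_w=EXAMPLE_SAVINGS_W))
```

Running the sample applies disable_usb, cpu_throttle_75 and cpu_throttle_50 and then stops, because the draw is already within budget before the harsher steps are reached; swapping the priorities of cpu_throttle_25 and cpu_throttle_75 makes validate_policy flag the ordering.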
Configuring System Parameters for an IAP
To configure system parameters for an Instant Access Point (IAP), complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.


2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the General accordion and configure the parameters in Table 65.
7. Click Save Settings.
The following table lists the system parameters.

Table 65: System Parameters

Virtual Controller

This parameter configuration is only applicable for IAPs that operate in a cluster deployment environment. To configure the virtual controller name and IP address, click the edit icon and update the name and IP address. The IP address serves as a static IP address for the multi-AP network. When configured, this IP address is automatically provisioned on a shadow interface on the IAP that takes the role of a virtual controller. The IAP sends three ARP messages with the static IP address and its MAC address to update the network ARP cache.
n Name--Name of the virtual controller.
n IP address--IPv4 address configured for the virtual controller. The IPv4 address uses the dotted-decimal (0.0.0.0) notation.
n IPv6 address--IPv6 address configured for the virtual controller. You can configure an IPv6 address for the virtual controller only if the Allow IPv6 Management feature is enabled. IPv6 is the latest version of IP and is suitable for large-scale IP networks. IPv6 uses 128-bit addresses, allowing 2^128 (approximately 3.4×10^38) addresses, while IPv4 supports only 2^32 addresses. An IPv6 host address is always represented as eight groups of four hexadecimal digits separated by colons, for example 2001:0db8:0a0b:12f0:0000:0000:0000:0001. However, the IPv6 notation can be abbreviated to compress one or more groups of zeroes or to compress leading or trailing zeroes; for example 2001:db8:a0b:12f0::0:0:1.

Set Country code for group

To configure a country code for the IAP at the group level, select the country code from the Set Country code for group drop-down list. By default, no country code is configured for the IAP device groups.
When a country code is configured for the group, it takes precedence over the country code setting configured at the device level.

Timezone

To configure a time zone, select a time zone from the Timezone drop-down list. If the selected timezone supports DST, the UI displays the "The selected country observes Daylight Savings Time" message.

Preferred Band

Assign a preferred band by selecting an appropriate option from the Preferred Band drop-down list. Reboot the IAP after modifying the radio profile for changes to take effect.


NTP Server

To facilitate communication between various elements in a network, time synchronization between the elements and across the network is critical. Time synchronization allows you to:
n Trace and track security gaps, network usage, and troubleshoot network issues.
n Validate certificates.
n Map an event on one network element to a corresponding event on another.
n Maintain accurate time for billing services and similar.
NTP helps obtain the precise time from a server and regulate the local time in each network element. Connectivity to a valid NTP server is required to synchronize the IAP clock to set the correct time. If an NTP server is not configured in the IAP network, an IAP reboot may lead to variation in time data. By default, the IAP tries to connect to pool.ntp.org to synchronize time. The NTP server can also be provisioned through DHCP option 42. A configured NTP server takes precedence over the value provisioned through DHCP option 42; the server provisioned through DHCP option 42 is used if no server is configured; and the default server pool.ntp.org is used if no NTP server is configured or provisioned through DHCP option 42. To configure an NTP server, enter the IP address or the URL of the NTP server and reboot the IAP to apply the configuration changes.

Virtual Controller Netmask, Virtual Controller Gateway, Virtual Controller DNS, Virtual Controller VLAN

This parameter configuration is only applicable for IAPs that operate in a cluster deployment environment. The IP configured for the virtual controller can be in the same subnet as the IAP or in a different subnet. Configure the virtual controller VLAN, gateway, and subnet mask details only if the virtual controller IP is in a different subnet. Ensure that the virtual controller VLAN is not the same as the native VLAN of the IAP.

DHCP Option 82 XML

The DHCP Option 82 XML is not applicable for cloud IAPs.
DHCP Option 82 XML can be customized to cater to the requirements of any ISP using the conductor IAP. To facilitate customization using an XML definition, multiple parameters for the Circuit ID and Remote ID options of DHCP Option 82 XML are introduced. The XML file is used as the input and is validated against an XSD file in the conductor IAP. The format in the XML file is parsed and stored in the DHCP relay, which is used to insert Option 82 related values in the DHCP request packets sent from the client to the server. From the drop-down list, select one of the following XML files:
n default_dhcpopt82_1.xml
n default_dhcpopt82_2.xml
For more information, see Configuring DHCP Scopes on IAPs.

Dynamic CPU Utilization

IAPs perform various functions such as wired and wireless client connectivity and traffic flows, wireless security, network management, and location tracking. If an IAP is overloaded, prioritize the platform resources across different functions. Typically, the IAPs manage resources automatically in real time. However, under special circumstances, if dynamic resource management needs to be enforced or disabled altogether, the dynamic CPU management feature settings can be modified. To configure dynamic CPU management, select any of the following options from Dynamic CPU Utilization.
n Automatic--When selected, the CPU management is enabled or disabled automatically during run-time. This decision is based on real time load calculations taking into account all different functions that the CPU needs to perform. This is the default and recommended option.
n Always Disabled in all APs--When selected, this setting disables CPU management on all IAPs, typically for small networks. This setting protects user experience.
n Always Enabled in all APs--When selected, the client and network management functions are protected. This setting helps in large networks with high client density.

Auto-Join Mode

When enabled, IAPs can automatically discover the virtual controller and join the network. The Auto-Join Mode feature is enabled by default.

APs allowed for Auto-Join Mode

Displays the number of IAPs allowed for Auto-Join Mode.
n Click View Allowed APs to view the details of the IAPs allowed for Auto-Join mode.
n Click Hide Allowed APs to hide the details of the IAPs allowed for Auto-Join mode.
When Auto-Join Mode is enabled, the IAPs are automatically discovered and are allowed to join the cluster. When Auto-Join Mode is disabled on the IAP, the list of allowed IAPs on Aruba Central may not be synchronized or up-to-date. In such cases, you can manually add a list of IAPs that can join the IAP cluster in the Aruba Central UI. To manually add the list of allowed IAP devices, complete the following steps:
1. Under View Allowed APs, click + in the Allowed APs pane.
2. In the Add Allowed AP window, enter the MAC address of the IAP in the MAC Address field.
3. Click Save.

Allow IPv6 Management

Enables IPv6 address configuration for the virtual controller. You can configure an IPv6 address for a virtual controller IP only when the Allow IPv6 Management feature is enabled.

Uplink switch native VLAN

Allows you to specify a VLAN ID, to prevent the IAP from sending tagged frames for clients connected on the SSID that uses the same VLAN as the native VLAN of the switch. By default, the IAP considers the native VLAN of the upstream switch, to which it is connected, as VLAN ID 1.

Terminal Access

When enabled, the users can access the IAP CLI through SSH.

Login Session Timeout

Allows you to set a timeout for the login session.

Console Access

When enabled, the users can access the IAP through the console port.

WebUI Access

If an IAP is connected to Aruba Central, you can use this option to disable IAP Web UI access and any communication via HTTPS or SSH. If you enable this feature, you can manage the IAP only from Aruba Central.

Telnet Server

When enabled, the users can start a Telnet session with the IAP CLI.

LED Display

Enables or disables the LED display for all IAPs in a cluster. The LED display is always enabled during the IAP reboot.


Extended SSID

Extended SSID is enabled by default in the factory default settings of IAPs. This disables mesh in the factory default settings.

NOTE: For AP devices that support Aruba InstantOS 8.4.0.0 firmware versions and above, you can configure up to 14 SSIDs. By enabling Extended SSID, you can create up to 16 networks.

Advanced Zone

Turn on the Advanced Zone toggle switch to enable the advanced zone. When the advanced-zone feature is enabled and a zone is already configured with 16 SSIDs, make sure to remove the zone from two WLAN SSID profiles if you want to disable extended SSID.

Deny Inter User Bridging

If you have security and traffic management policies defined in upstream devices, you can disable bridging traffic between two clients connected to the same IAP on the same VLAN. When inter-user bridging is denied, the clients can connect to the Internet but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.
To disable inter-user bridging, turn off the Deny Inter User Bridging toggle switch.

Deny Local Routing

If you have security and traffic management policies defined in upstream devices, you can disable routing traffic between two clients connected to the same IAP on different VLANs. When local routing is disabled, the clients can connect to the Internet but cannot communicate with each other, and the routing traffic between the clients is sent to the upstream device to make the forwarding decision.
To disable local routing, move the slider to the right.

Dynamic RADIUS Proxy

If your network has separate RADIUS authentication servers (local and centralized servers) for user authentication, you may want to enable Dynamic RADIUS proxy to route traffic to a specific RADIUS server. When Dynamic RADIUS proxy is enabled, the IP address of the virtual controller is used for communication with external RADIUS servers.
To enable Dynamic RADIUS Proxy, you must configure an IP address for the Virtual Controller and set it as a NAS client in the RADIUS server profile.

Dynamic TACACS Proxy

If you want to route traffic to different TACACS servers, enable Dynamic TACACS Proxy. When enabled, the IAP cluster uses the IP address of the Virtual Controller for communication with external TACACS servers.
If an IP address is not configured for the Virtual Controller, the IP address of the bridge interface is used for communication between the IAP and TACACS servers. However, if a VPN tunnel exists between the Instant AP and TACACS server, the IP address of the tunnel interface is used.

Cluster Security

This parameter is required to be set only for IAPs that operate in a cluster deployment environment. Enables or disables the cluster security feature. When enabled, the control plane communication between the IAP cluster nodes is secured. The Disallow Non-DTLS Members toggle switch appears. Turn on the toggle switch to allow member IAPs to join a DTLS enabled cluster. For secure communication between the cluster nodes, the Internet connection must be available, or at least a local NTP server must be configured. After enabling or disabling cluster security, ensure that the configuration is synchronized across all devices in the cluster, and then reboot the cluster. The Disallow Non-DTLS Members feature is only supported in IAP devices supporting Aruba InstantOS 8.4.0.0 firmware versions and above.


Low Assurance PKI

Turn on the toggle switch to allow low assurance devices that use non-TPM chip, in the network. To enable the cluster security feature, turn on the Low Assurance PKI toggle switch. For more information on Low Assurance PKI, refer to Cluster Security section in Aruba Instant User Guide. The Low Assurance PKI toggle switch is supported in IAP devices running Aruba InstantOS 6.5.3.0 firmware versions and later.

Mobility Access Switch Integration

Turn on the toggle switch to enable LLDP protocol for Mobility Access Switch integration. With this protocol, IAPs can instruct the switch to turn off ports where rogue access points are connected, as well as take actions such as increasing PoE priority and automatically configuring VLANs on ports where IAPs are connected.

URL Visibility

Turn on the toggle switch to enable URL data logging for client HTTP and HTTPS sessions and to allow IAPs to extract URL information and periodically log it on ALE for DPI and application analytics.

Restrict uplink port to specified VLANs

Turn on the toggle switch to restrict the uplink port to the specified VLANs.

VOIP QOS Trust

Turn on the toggle switch to enable the RTP traffic based on the DSCP value set by the end user device.

Swarm Mode

Allows you to set one of the following operation modes:
n Cluster--Allows an IAP to operate in the cluster mode. When an IAP operates in the cluster mode, it can form a cluster with other virtual controller IAPs in the same VLAN.
n Standalone--Allows an IAP to operate in the standalone mode. When an IAP operates in the standalone mode, it cannot join a cluster of IAPs even if the IAP is in the same VLAN.
n Single-AP--Allows an IAP to operate in the single AP mode that is specifically designed for IAP deployments with only one IAP in the site. This mode is a type of standalone IAP deployment with additional security when the IAP is directly facing a WAN connection. When configured as a single IAP, the IAP does not send or receive management frames such as mobility packets, roaming packets, and hierarchy beacons through the uplink port.

NOTE: After changing the AP operation mode, ensure that you reboot the IAP.

UTB Filter Block

This parameter is used to control the band on which the Ultra Tri-Band (UTB) limitation is applied in the regulatory-domain-profile. The UTB filter supports channel band on both 5 GHz and 6 GHz. The two options available are:
n 5 GHz - Select 5 GHz for upper band blocking.
n 6 GHz - Select 6 GHz for lower band blocking.
Default value: 6 GHz
NOTE: The UTB Filter Block is supported only for AP-635 access points.
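The following Python snippet is an added example, not code from the guide or from HPE Aruba. It checks a virtual controller address configuration against the rules Table 65 states for the Virtual Controller, Virtual Controller Netmask/Gateway/VLAN, Allow IPv6 Management, Uplink switch native VLAN and Dynamic RADIUS Proxy rows, and shows the IPv6 abbreviation the Virtual Controller row describes using the standard ipaddress module. The VCConfig field names are this example's own, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VCConfig:
    """Subset of the System > General fields from Table 65 (field names are this example's own)."""
    iap_ip: str                        # the IAP's own address with prefix length, e.g. "192.0.2.10/24"
    vc_ipv4: Optional[str] = None      # Virtual Controller IP address (dotted decimal)
    vc_ipv6: Optional[str] = None      # Virtual Controller IPv6 address
    allow_ipv6_management: bool = False
    vc_netmask: Optional[str] = None   # Virtual Controller Netmask
    vc_gateway: Optional[str] = None   # Virtual Controller Gateway
    vc_vlan: Optional[int] = None      # Virtual Controller VLAN
    uplink_native_vlan: int = 1        # Uplink switch native VLAN; the guide says VLAN 1 is assumed
    dynamic_radius_proxy: bool = False


def canonical_ipv6(addr: str) -> str:
    """Compressed form of an IPv6 address: leading zeroes and the longest zero run removed."""
    return ipaddress.IPv6Address(addr).compressed


def same_ipv6(a: str, b: str) -> bool:
    """True when two textual IPv6 forms (full or abbreviated) denote the same address."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


def check_vc_config(cfg: VCConfig) -> List[str]:
    """Return the rule violations found; an empty list means the configuration is consistent."""
    problems: List[str] = []
    iap_net = ipaddress.ip_interface(cfg.iap_ip).network
    extras = {
        "Virtual Controller Netmask": cfg.vc_netmask,
        "Virtual Controller Gateway": cfg.vc_gateway,
        "Virtual Controller VLAN": cfg.vc_vlan,
    }
    if cfg.vc_ipv4 is not None:
        try:
            vc4 = ipaddress.IPv4Address(cfg.vc_ipv4)
        except ValueError:
            problems.append(f"VC IPv4 address {cfg.vc_ipv4!r} is not valid dotted-decimal")
        else:
            if vc4 in iap_net:
                # Same subnet: the guide says netmask/gateway/VLAN are only for a different subnet.
                problems += [f"{n} should not be set when the VC IP is in the IAP subnet"
                             for n, v in extras.items() if v is not None]
            else:
                problems += [f"{n} is required because the VC IP is outside the IAP subnet"
                             for n, v in extras.items() if v is None]
                if cfg.vc_vlan is not None and cfg.vc_vlan == cfg.uplink_native_vlan:
                    problems.append("Virtual Controller VLAN must differ from the IAP native VLAN")
                if cfg.vc_netmask is not None:
                    try:
                        ipaddress.IPv4Network(f"0.0.0.0/{cfg.vc_netmask}")
                    except ValueError:
                        problems.append(f"Virtual Controller Netmask {cfg.vc_netmask!r} is not valid")
    if cfg.vc_ipv6 is not None:
        if not cfg.allow_ipv6_management:
            problems.append("a VC IPv6 address requires Allow IPv6 Management to be enabled")
        try:
            ipaddress.IPv6Address(cfg.vc_ipv6)
        except ValueError:
            problems.append(f"VC IPv6 address {cfg.vc_ipv6!r} is not valid")
    if cfg.dynamic_radius_proxy and cfg.vc_ipv4 is None:
        problems.append("Dynamic RADIUS Proxy requires a Virtual Controller IP address")
    return problems


if __name__ == "__main__":
    # Constructed sample: VC in a different subnet from the IAP, on the native VLAN.
    sample = VCConfig(iap_ip="192.0.2.10/24", vc_ipv4="198.51.100.5",
                      vc_netmask="255.255.255.0", vc_gateway="198.51.100.1", vc_vlan=1)
    for p in check_vc_config(sample):
        print("problem:", p)
    print(canonical_ipv6("2001:0db8:0a0b:12f0:0000:0000:0000:0001"))
```

The check mirrors the table rather than the IAP's own validation: it is a pre-flight for a configuration you are about to push, so that a VC VLAN colliding with the native VLAN or an IPv6 VC address without Allow IPv6 Management is caught before the cluster has to be rebooted to correct it.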

Enabling 802.1X Authentication on Uplink Ports of an IAP
If your network requires all wired devices to authenticate using PEAP or TLS protocol, you must enable 802.1X authentication type on uplink ports of an IAP, so that the IAPs are granted access only after completing the authentication as a valid client.


To enable 802.1X authentication on uplink ports using PEAP or TLS protocol, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Expand the AP1X section.
n To set PEAP based authentication, select PEAP in the AP1X Type drop-down list. If you select the PEAP protocol, ensure that the PEAP User is configured on the uplink port by selecting an IAP group and navigating to the Uplink section in the Access Points tab.
n To set TLS based authentication:
a. Select TLS in the AP1X Type drop-down list.
b. Select User in the Certificate Type drop-down list.
8. Select the Validate Server check-box to validate the server credentials using server certificate. Ensure that the server certificates for validating server credentials are available in the IAP database.
9. Click Save Settings.
Configuring HTTP Proxy on an IAP
If your network requires a proxy server for Internet access, configure the HTTP proxy on the Instant Access Point (IAP) so that it can download the image from the cloud server. After the HTTP proxy settings are applied, the IAP connects to the Aruba Central On-Premises or OpenDNS server through a secure HTTP connection. You can also exempt certain applications from using the HTTP proxy configured on an IAP by providing their host name or IP address under Exception. To configure the HTTP proxy on an IAP through Aruba Central On-Premises, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.


5. Click the System tab. The System page is displayed.
6. Click the Proxy accordion and specify the following:
n Enter the HTTP proxy server IP address in the Server text box.
n Enter the port number in the Port text box.
n Enter the Username and Password.
7. Click Save Settings.
Aruba Central On-Premises displays the Username, Password, and Retype Password fields under System > Proxy for APs running ArubaInstantOS 8.3.0.0. The APs running ArubaInstantOS 8.3.0.0 firmware require user credentials for proxy server authentication.
Configuring Network Profiles on IAPs
This section describes the following procedures:
n Configuring Wireless Network Profiles on IAPs on page 299
n Configuring Wireless Networks for Guest Users on IAPs on page 311
n Configuring Wired Port Profiles on IAPs on page 329
n Editing a Wireless Network Profile
n Deleting a Network Profile
Configuring Wireless Network Profiles on IAPs
You can configure up to 14 SSIDs. By enabling Extended SSID in the System > General accordion, you can create up to 16 networks.
If more than 16 SSIDs are assigned to a zone and the extended zone option is disabled, an error message is displayed.
This section describes the following topics:
n Creating a Wireless Network Profile
n Configuring VLAN Settings for Wireless Network
n Configuring Security Settings for Wireless Network
n Configuring ACLs for User Access to a Wireless Network
n Viewing Wireless SSID Summary
Creating a Wireless Network Profile
To configure WLAN settings, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.

3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, click +Add SSID. The Create a New Network pane is displayed.
6. In the General tab, enter a name that is used to identify the network in the Name (SSID) text-box.
7. Under Advanced Settings, configure the parameters in Table 66.
The following table lists the advanced settings parameters.

Table 66: Advanced Settings Parameters

Parameter

Description

Broadcast/Multicast

Broadcast filtering

Select any of the following values:
n All--The IAP drops all broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols.
n ARP--The IAP drops broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols. Additionally, it converts ARP requests to unicast and sends frames directly to the associated clients. By default, the IAP is configured to ARP mode.
n Unicast ARP Only--This option enables the Instant AP to convert ARP requests to unicast frames, thereby sending them to the associated clients.
n Disabled--The IAP forwards all broadcast and multicast traffic to the wireless interfaces.

DTIM Interval

The DTIM Interval indicates the DTIM period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the IAP delivers the buffered broadcast and multicast frames to the associated clients in the power save mode. Range is 1 to 10 beacons.
The default value is 1, which means the client checks for buffered data on the IAP at every beacon. You can also configure a higher DTIM value for power saving.

Multicast Transmission Optimization

Select the check-box if you want the IAP to select the optimal rate for sending broadcast and multicast frames based on the lowest of unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent up to a rate of 24 Mbps.
The default rate for sending frames for 2.4 GHz is 1 Mbps and that for 5 GHz is 6 Mbps. This option is disabled by default.

Dynamic Multicast Optimization (DMO)

Select the check-box to allow IAP to convert multicast streams into unicast streams over the wireless link. Enabling DMO enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients.
When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.

DMO channel utilization threshold

Specify a value to set a threshold for DMO channel utilization. With DMO, the IAP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeds the maximum value, the IAP sends multicast traffic over the wireless link.
This option will be enabled only when Dynamic Multicast Optimization is enabled.


Transmit Rates (Legacy Only)

2.4 GHz

If the 2.4 GHz band is configured on an IAP, specify the minimum and maximum transmission rates. Default value: The default value for minimum transmission rate is 1 Mbps and maximum transmission rate is 54 Mbps.

5 GHz

If the 5 GHz band is configured on an IAP, specify the minimum and maximum transmission rates. Default value: The default value for minimum transmission rate is 6 Mbps and maximum transmission rate is 54 Mbps.

Beacon Rate

2.4 GHz

If the 2.4 GHz band is configured on an IAP, specify the transmission rates from the 2.4 GHz drop-down list. By default, the transmission rate is set as 1 Mbps. The minimum transmission rate supported is 1 Mbps and the maximum transmission rate supported is 54 Mbps.

5 GHz

If the 5 GHz band is configured on an IAP, specify the transmission rates from the 5 GHz drop-down list. By default, the transmission rate is set to 6 Mbps. The minimum transmission rate supported is 6 Mbps and the maximum transmission rate supported is 54 Mbps.

Zone

Zone

Specify the zone for the SSID. If a zone is configured in the SSID, only the IAP in that zone broadcasts this SSID. If there are no IAPs in the zone, SSID is broadcast.
If the IAP cluster has devices running IAP firmware versions 6.5.4.7 or later, and 8.3.0.0 or later, you can configure multiple IAP zones by adding zone names as comma separated values.
Aruba recommends that you do not configure zones in both SSID and in the device specific settings of an IAP. If the same zones are configured in SSID and Per AP settings, IAPs may broadcast the SSIDs, but if the SSIDs and Per AP settings have different zones configured, it may lead to a configuration error. For more information on IAP zones, see Aruba Instant User Guide.

Bandwidth Control

Airtime

Select this to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.

Downstream

Enter the downstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per User check-box. The bandwidth limit set in this method is implemented at the device level and not cluster level.

Upstream

Enter the upstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per user check-box. The bandwidth limit set in this method is implemented at the device level and not cluster level.

Each Radio

Select this to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients. The value ranges from 1 through 65535.

Managing APs | 301

Enable 11n

When this option is selected, High-Throughput (HT) is not disabled on 802.11n devices for the 5 GHz radio band. If HT is enabled for the 5 GHz radio profile on an IAP, it is automatically enabled for all SSIDs configured on that IAP. By default, HT is enabled on all SSIDs. Clear this check-box to disable HT on these devices.

Enable 11ac

When this option is selected, Very High Throughput (VHT) is enabled on 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an IAP, it is automatically enabled for all SSIDs configured on that IAP. By default, VHT is enabled on all SSIDs. If you want the 802.11ac IAPs to function as 802.11n IAPs, clear this check-box to disable VHT on these devices.

Enable 11ax

When this option is selected, High Efficiency (HE) is enabled on 802.11ax devices. If HE is enabled for a radio profile on an IAP, it is automatically enabled for all SSIDs configured on that IAP. By default, HE is enabled on all SSIDs.

WiFi Multimedia

Background Wifi Multimedia Share

Allocates bandwidth for background traffic such as file downloads or print jobs. Specify the appropriate DSCP mapping values within a range of 0-63 for the background traffic in the corresponding DSCP mapping text-box. Enter up to 8 values with no white space and no duplicate DSCP mapping value.

Best Effort Wifi Multimedia Share

Allocates bandwidth for best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS. Specify the appropriate DSCP mapping values within a range of 0-63 for the best effort traffic in the corresponding DSCP mapping text-box.

Video Wifi Multimedia Share

Allocates bandwidth for video traffic generated from video streaming. Specify the appropriate DSCP mapping values within a range of 0-63 for the video traffic in the corresponding DSCP mapping text-box.

Voice Wifi Multimedia Share

Allocates bandwidth for voice traffic generated from incoming and outgoing voice communication. Specify the appropriate DSCP mapping values within a range of 0-63 for the voice traffic in the corresponding DSCP mapping text-box. In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best Effort Wifi Multimedia Share and Voice Wifi Multimedia Share to give more bandwidth to clients transmitting best effort and voice traffic.

Traffic Specification (TSPEC)

Select this check-box if you want to use TSPEC for the wireless network. The term TSPEC is used in wireless networks supporting the IEEE 802.11e Quality of Service standard. It defines a series of parameters, characteristics, and Quality of Service expectations of a traffic flow.

TSPEC Bandwidth

Enter the bandwidth for the TSPEC.

Spectralink Voice Protocol (SVP)

Select this check-box to enable the SVP protocol.

WiFi Multimedia Power Save (UAPSD)

Select this check-box to enable WiFi Multimedia Power Save (U-APSD). U-APSD is a power saving mechanism that is an optional part of the IEEE 802.11e QoS amendment.

Miscellaneous


Band

Select the check boxes for the bands on which the network transmits: 2.4 GHz, 5 GHz, or 6 GHz. The 2.4 GHz and 5 GHz options are selected by default.
NOTE: The 6 GHz band is only supported on devices with 6 GHz capability.

Content Filtering

Select this check-box to route all DNS requests for the non-corporate domains to OpenDNS on this network.

Primary Usage

Based on the type of network profile, select one of the following options:
Mixed Traffic--Select this option to create an employee or guest network profile. The employee network is used by the employees in an organization and it supports passphrase-based or 802.1X-based authentication methods. Employees can access the protected data of an enterprise through the employee network after successful authentication. The guest network is created for guests, visitors, contractors, and any non-employee users who use the enterprise Wi-Fi network. The VC assigns the IP address for the guest clients. Captive portal or passphrase-based authentication methods can be set for this wireless network. Typically, a guest network is an unencrypted network. However, you can specify the encryption settings when configuring a guest network.
Voice Only--Select this option to configure a network profile for devices that provide only voice services such as handsets or applications that require voice traffic prioritization.
When a client is associated with the voice network, all data traffic is marked and placed into the high priority queue in QoS.

Inactivity timeout

Specify the session inactivity timeout. If a client session is inactive for the specified duration, the session expires and the user must log in again. You can specify a value within the range of 60-3600 seconds. The default value is 1000 seconds.

Hide SSID

Select this check-box if you do not want the SSID name to be included in beacons. Hiding the SSID is not a security control: clients that know the network probe for it by name, and the name is visible in those probe requests and in association frames.

Disable Network

Select this check-box if you want to disable the SSID. When selected, the SSID is disabled, but is not removed from the network. By default, all SSIDs are enabled.

Max clients threshold

Specify the maximum number of clients that can associate with each BSSID on a WLAN. You can specify a value within the range of 0-255. The default value is 64.

ESSID

Specify the ESSID, the network name that clients use to identify and join this wireless network. If the ESSID differs from the profile name, the SSID can be searched for by its ESSID value but not by its profile name.

Local Probe Request Threshold

Select either automatic or manual to set the Local Probe Request Threshold.
automatic: The local probe request threshold is set to the value recommended by AI Insights to improve performance for indoor Wi-Fi clients. Threshold values are evaluated weekly, and new recommendations are applied automatically. To revert the applied recommendation, select manual and specify the threshold value.
manual: Specify a threshold value to limit the number of incoming probe requests the IAP answers. When a client sends a broadcast probe request frame to search for all available SSIDs, the IAP ignores probe requests for this network profile from clients whose signal strength is below the threshold, so weak or distant clients are not encouraged to associate.

Min RSSI for auth request

Select either automatic or manual to set the minimum RSSI for authentication request.
automatic: The minimum RSSI for authentication request is set to the value recommended by AI Insights to improve performance for indoor Wi-Fi clients. Threshold values are evaluated weekly, and new recommendations are applied automatically. To revert the applied recommendation, select manual and specify the threshold value.
manual: Enter the minimum RSSI threshold for authentication requests. You can specify an RSSI value within the range of 0-100 dB. Authentication requests from clients below this threshold are ignored.

Deauth inactive clients

Select this option to allow the IAP to send a de-authentication frame to an inactive client and clear its client entry.

Can be used without uplink

Select this check-box if the SSID should remain available to clients when the IAP has no uplink.

Deny inter user bridging

Disables bridging traffic between two clients connected to the same SSID on the same VLAN. When this option is enabled, the clients can connect to the Internet, but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.

Enable SSID when

Select an option from the drop-down list and specify the time period.

Disable SSID when

Select an option from the drop-down list and specify the time period.

Deny Intra VLAN Traffic

Disables intra-VLAN traffic to enable client isolation and block all peer-to-peer communication. With client isolation, only traffic between clients and the controller (or the configured servers) flows in the network; any other client traffic that is not destined to the controller or configured servers is not forwarded by the Instant AP. This limits lateral movement between clients on the same SSID and VLAN, for example a compromised device scanning or attacking its neighbours. For more information, see Configuring Client Isolation.

Management Frame Protection

Turn on the Management Frames Protection toggle switch to enable 802.11w Management Frame Protection (MFP). MFP protects robust management frames (deauthentication, disassociation, and action frames) against forgery and replay, and encrypts unicast management frames, using keys established between the client and the Instant AP through the 802.11i framework. Without MFP, an attacker can spoof deauthentication frames to disconnect clients; enabling it requires clients that support 802.11w. For more information, see Management Frames Protection.

Fine Timing Measurement (802.11mc) Responder Mode

Turn on the toggle switch to enable the fine timing measurement (802.11mc) responder mode.

Advertise AP Name

Turn on the toggle switch to enable the advertising of the IAP name.

Time Range Profiles

Time Range Profiles

Ensure that the NTP server connection is active. Select a time range profile from the Time Range Profiles list and apply a status from the drop-down list. Click +New Time Range Profile to create a new time range profile. For more information, see Configuring Time-Based Services for Wireless Network Profiles.

Configuring VLAN Settings for Wireless Network
To configure VLAN settings for an SSID, complete the following steps:
1. In the VLANs tab, select one of the following options for Client IP Assignment:
- Instant AP assigned--When selected, the client obtains the IP address from the VC.
- External DHCP server assigned--When selected, the client obtains the IP address from the network.


2. Based on the type of client IP assignment mode selected, configure the parameters in the Table 67.
3. Click Next.
The following table lists the VLAN parameters.

Table 67: VLANs Parameters

Parameter Description

Instant AP assigned

When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnet and VLAN on the IAP for the wireless clients. Network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on IAPs. If this option is selected, specify one of the following options in Client VLAN Assignment:
- Internal VLAN--Assigns the client an IP address in the same subnet as the IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
- Custom--Allows you to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. When this option is selected, select the scope from the VLAN ID drop-down list.

External DHCP server assigned

When this option is selected, specify one of the following options in Client VLAN Assignment:
- Static--In VLAN ID, specify a single VLAN ID, or a list or range of VLAN IDs. If a large number of clients need to be spread across several subnets, you can select this option to configure VLAN pooling. VLAN pooling assigns each client connecting to the SSID a VLAN chosen at random from the pool.
- Dynamic--Assigns VLANs dynamically, using the VLAN assignment rules below, which match attributes returned by the authentication server.
- Native VLAN--Assigns the client VLAN to the native VLAN.
To add a new VLAN assignment rule, complete the following steps:

1. Click +Add Rule in the VLAN Assignment Rules window. The New VLAN Assignment Rule page is displayed.
2. Enter the Attribute, Operator, String, and VLAN details, and then click OK.

To add a new Named VLAN, complete the following steps:

1. Click +Add Named VLAN. The Add Named VLAN window is displayed.
2. Enter the VLAN Name and VLAN details, and then click OK.

NOTE: To show or hide the Named VLAN table, click Show Named VLANs. To delete a VLAN assignment rule, select a rule in the VLAN Assignment Rules window, and then click the delete icon. To delete a Named VLAN, select it in the Named VLAN table, and then click the delete icon.

NOTE: From Aruba Central On-Premises 2.5.4, the Add Named VLAN window supports adding multiple VLAN IDs and VLAN range.


Configuring Security Settings for Wireless Network
To configure security settings for mixed traffic or voice network, complete the following steps:
1. In the Security tab, specify one of the following options in the Security Level:
- Enterprise--On selecting Enterprise security level, the authentication options applicable to the network are displayed.
- Personal--On selecting Personal security level, the authentication options applicable to the personalized network are displayed.
- Visitors--On selecting Visitors security level, the authentication options applicable to the captive portal are displayed. For more information on captive portal, see Configuring Wireless Networks for Guest Users on IAPs.
- Open--On selecting Open security level, the authentication options applicable to an open network are displayed.

The default security setting for a network profile is Personal.

2. Based on the security level specified, configure the basic WLAN security parameters in the Table 68.
3. Based on the security level specified, in the Advanced Settings section specify the parameters described in the Table 69.
4. Click Next.
The following table lists the basic WLAN security parameters.

Table 68: Basic WLAN Security Parameters

Data Pane Item Description

Key Management

For Enterprise security level, select an encryption key from the Key Management drop-down list:
- WPA-2 Enterprise--Select this option to use WPA-2 security. WPA-2 Enterprise requires user authentication and requires the use of a RADIUS server for authentication.
- WPA Enterprise--Select this option to use WPA Enterprise.
- Both (WPA-2 & WPA)--Select this option to use both WPA-2 and WPA security.
- Dynamic-WEP with 802.1X--If you do not want to use a session key from the RADIUS Server to derive pairwise unicast keys, turn on the Use Session Key for LEAP toggle switch. This is required for old printers that use dynamic WEP through LEAP authentication. The Use Session Key for LEAP feature is Disabled by default. WEP and LEAP are both cryptographically broken; use this option only for isolated legacy devices that cannot be upgraded.
- WPA-3 Enterprise (CNSA)--Select this option to use WPA-3 Enterprise 192-bit mode, which follows the CNSA suite: AES-GCMP-256 for data frames and EAP-TLS restricted to CNSA-compliant cipher suites. Both the RADIUS server and the client supplicants must support this mode.
- WPA-3 Enterprise (CCM 128)--Select this option to use WPA-3 security with AES-CCMP and 128-bit keys.
- WPA-3 Enterprise (GCM 256)--Select this option to use WPA-3 security with AES-GCMP and 256-bit keys.
When WPA-2 Enterprise or Both (WPA-2 & WPA) is selected and the 802.1X authentication method is configured, OKC is enabled by default. If OKC is enabled, a cached PMK is used when the client roams to a new IAP. This allows faster roaming of clients without the need for a complete 802.1X authentication. OKC roaming can be configured only for the Enterprise security level.


For Personal security level, select an encryption key from the Key Management drop-down list. For WPA-2 Personal, WPA Personal, Both (WPA-2 & WPA), and WPA-3 Personal keys, specify the following parameters:
- Passphrase Format--Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
- Passphrase--Enter a passphrase.
- Retype--Retype the passphrase to confirm.
For Static WEP, specify the following parameters:
- WEP Key Size--Select an appropriate value for WEP key size from the drop-down list. Select an appropriate value from the Tx Key drop-down list.
- WEP Key--Enter an appropriate WEP key.
- Retype WEP Key--Retype the WEP key to confirm.
Static WEP keys can be recovered from captured traffic in minutes; use Static WEP only for isolated legacy devices that support nothing stronger, and prefer WPA-3 Personal (SAE) wherever the clients allow it.
For MPSK-AES, select a primary server from the drop-down list. For MPSK-LOCAL, select an MPSK Local server from the drop-down list.

For Visitors security level, select Open or Enhanced Open encryption key from Key Management drop-down list. For information on configuring captive portal, see Configuring Wireless Networks for Guest Users on IAPs on page 311.

For Open security level, the Key Management includes Open and Enhanced Open options.

EAP offload

This option is applicable to the Enterprise security level only. To terminate the EAP portion of 802.1X authentication on the Instant AP instead of on the RADIUS server, turn on the EAP offload toggle switch. By default, for 802.1X authentication, the client conducts an EAP exchange with the RADIUS server and the Instant AP acts as a relay for this exchange. When EAP offload is enabled, the Instant AP itself acts as the EAP authentication server: it terminates the outer EAP method (the TLS tunnel) and relays only the inner credential to the external RADIUS server, which can reduce the traffic and the number of packets exchanged between the Instant AP and the authentication server. Two consequences to plan for: the Instant AP presents its own server certificate to supplicants, so install a certificate the clients trust rather than relying on the factory default certificate, and the inner credential reaches the external server as an ordinary RADIUS or LDAP request instead of inside the client's EAP tunnel, so the path between the IAP and that server must itself be trusted.
Instant supports the configuration of primary and backup authentication servers on an EAP termination-enabled SSID.
If you are using LDAP for authentication, ensure that EAP termination is configured on the Instant AP, because an LDAP server cannot process EAP itself.

Authentication Server

Configure the following parameters:
- MAC Authentication--Turn on the MAC Authentication toggle switch to allow MAC address based authentication for Personal, Visitors, and Open security levels.
- Primary Server--Set a primary authentication server. The Primary Server option appears only for the Enterprise security level and the internal and external captive portal types. Select one of the following options from the drop-down list:
  Internal Server--To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.
  To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for IAPs.
Aruba Central On-Premises allows you to configure an external RADIUS server, TACACS or LDAP server, and External Captive Portal for user authentication.


- Secondary Server--To add another server for authentication, configure another authentication server.
- Authentication Survivability--If an external server is configured for authentication, you can enable authentication survivability. Specify a value in hours for Cache Timeout to set the duration after which the authenticated credentials in the cache expire. When the cache expires, the clients are required to authenticate again. You can specify a value within the range of 1 to 99 hours. By default, authentication survivability is disabled.
- Load Balancing--Turn on the toggle switch to balance the load across two RADIUS authentication servers. For more information on the dynamic load balancing mechanism, see Configuring External Authentication Servers for IAPs.

Users

Click Users to add the users. Users registered with the Employee type can access the Enterprise network. To add a new user, click +Add User and enter the new user in the Add User pane. The Primary Server option appears only for Enterprise security level, Internal Captive Portal, and External Captive Portal.

The following table lists the advanced WLAN security parameters.

Table 69: Advanced WLAN Security Parameters

Data pane item Description

Use Session Key for LEAP

Turn on the toggle switch to use the session key for Lightweight Extensible Authentication Protocol. This option is available only for Enterprise level.

Opportunistic Key Caching (OKC)

Turn on the Opportunistic key caching (OKC) toggle switch to reduce the time needed for authentication. When OKC is used, multiple IAPs share Pairwise Master Keys (PMKs) among themselves, so a station can roam to a new access point that it has not visited before and reuse the PMK that was established with the current IAP. OKC allows the station to roam quickly to an access point it has never authenticated to, without having to perform pre-authentication. OKC is available on WPA2 SSIDs only.

MAC Authentication for Enterprise Networks

To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch. For Enterprise security level, the following options are available:
- Perform MAC authentication before 802.1X--Select this to attempt 802.1X authentication only when the MAC authentication is successful.
- MAC Authentication Fail-Through--On selecting this, 802.1X authentication is attempted when the MAC authentication fails.
If MAC Authentication is enabled, configure the following parameters:
- Delimiter Character--Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
- Uppercase Support--Turn on the toggle switch to allow the IAP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
Because MAC addresses are trivially spoofed, MAC authentication on its own identifies a device only weakly; treat it as a convenience for devices that cannot do 802.1X and keep such devices in a restricted role.


Reauth Interval

Specify a value for Reauth Interval. When set to a value greater than zero, IAPs periodically re-authenticate all associated and authenticated clients.
If the re-authentication interval is configured:
On an SSID performing L2 authentication (MAC or 802.1X authentication): When reauthentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role.
On an SSID performing both L2 and L3 authentication (MAC with captive portal authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.
On an SSID performing only L3 authentication (captive portal authentication): When reauthentication succeeds, a pre-authentication role is assigned to the client that is in a post-authentication role. Due to this, the clients are required to go through captive portal to regain access.

Denylisting

By default, this option is disabled. To denylist clients after a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. Clients that fail to authenticate the number of times specified in the Max Authentication Failures field are dynamically denylisted.

Enforce DHCP

Requires clients on this WLAN SSID to obtain their IP address through DHCP. When DHCP is enforced, a layer-2 user entry is created when a client associates with an IAP, and the client's DHCP state and IP address are tracked. When the client obtains an IP address from DHCP, the DHCP state changes to complete and a layer-3 user entry is created; traffic from a client that has not completed DHCP, for example one with a statically configured address, is not forwarded. When a client roams between IAPs, the DHCP state and the client IP address are synchronized with the new IAP.
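The following Python model is an added example, not Aruba code; it implements the user-table behaviour described in the Enforce DHCP row so the effect of enforcement on a client with a static or spoofed address can be seen. Dropping frames whose source address differs from the DHCP-assigned one is this model's reading of "enforce"; the MAC and IP addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class UserEntry:
    """One client's entry in the IAP user table (a model, not Aruba's structure)."""
    mac: str
    ap: str
    dhcp_state: str = "pending"     # "pending" until a DHCP ACK is observed
    ip: Optional[str] = None        # address learned from DHCP
    layer3: bool = False            # layer-3 entry exists once DHCP completes


class UserTable:
    def __init__(self, enforce_dhcp: bool):
        self.enforce_dhcp = enforce_dhcp
        self.entries: Dict[str, UserEntry] = {}

    def associate(self, mac: str, ap: str) -> UserEntry:
        """Association creates the layer-2 entry and starts DHCP tracking."""
        entry = UserEntry(mac=mac, ap=ap)
        self.entries[mac] = entry
        return entry

    def dhcp_ack(self, mac: str, ip: str) -> None:
        """A DHCP ACK for the client completes its state and creates the layer-3 entry."""
        entry = self.entries[mac]
        entry.ip = ip
        entry.dhcp_state = "complete"
        entry.layer3 = True

    def roam(self, mac: str, new_ap: str) -> None:
        """On roaming the new IAP inherits the DHCP state and IP; no new DHCP exchange."""
        self.entries[mac].ap = new_ap

    def forward(self, mac: str, src_ip: str) -> bool:
        """Decide whether an IP frame from this client is forwarded upstream."""
        entry = self.entries.get(mac)
        if entry is None:
            return False                  # never associated
        if not self.enforce_dhcp:
            return True                   # no address tracking: anything passes
        if entry.dhcp_state != "complete":
            return False                  # static address, no layer-3 entry
        return src_ip == entry.ip         # only the DHCP-assigned address passes


def demo() -> Dict[str, bool]:
    """Walk one client through association, DHCP and a roam under enforcement."""
    mac = "00:11:22:33:44:55"
    t = UserTable(enforce_dhcp=True)
    t.associate(mac, "ap-1")
    results = {"static_before_dhcp": t.forward(mac, "10.0.0.99")}
    t.dhcp_ack(mac, "10.0.0.42")
    results["assigned_address"] = t.forward(mac, "10.0.0.42")
    results["spoofed_gateway"] = t.forward(mac, "10.0.0.1")
    t.roam(mac, "ap-2")
    results["after_roam"] = t.forward(mac, "10.0.0.42")
    return results


if __name__ == "__main__":
    for name, forwarded in demo().items():
        print(f"{name}: {'forwarded' if forwarded else 'dropped'}")
```

With enforcement on, the client's frames are dropped until DHCP completes and again when it sends from an address other than the one it was leased, which is what stops a client from claiming a neighbour's or the gateway's address; without enforcement every frame from an associated client is forwarded.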

WPA3 Transition

Enable this option to allow WPA3 and WPA2 clients to join the same SSID (WPA3 transition mode). The WPA3 Transition option appears only when WPA3 is selected in Key Management for the Personal, Captive Portal, and Open levels. In transition mode the WPA2 clients still use the passphrase-derived PSK, so an attacker can capture one of their four-way handshakes and attack the passphrase offline; keep the passphrase strong and turn transition mode off once all clients support WPA3.

Legacy Support

Enable this option to allow backward compatibility of encryption modes in networks. The Legacy Support appears only when WPA3 is selected in the Key Management for Personal, Captive Portal, and Open level.

Use IP for Calling Station ID

Enable this option to use the client IP address as the calling station ID. When this option is enabled, the following options are displayed:
- Called Station ID Type--Select one of the following options for configuring the called station ID:
  o Access Point Group--Uses the VC ID as the called station ID.
  o Access Point Name--Uses the host name of the IAP as the called station ID.
  o VLAN ID--Uses the VLAN ID as the called station ID.
  o IP Address--Uses the IP address of the IAP as the called station ID.
  o MAC address--Uses the MAC address of the IAP as the called station ID.
- Called Station ID Include SSID--Appends the SSID name to the called station ID.
- Called Station ID Delimiter--Sets the delimiter at the end of the called station ID.
- Max Authentication Failures--Sets a value for the maximum allowed authentication failures.

NOTE: The Called Station ID Type can be configured even if Use IP for Calling Station ID is disabled.


Delimiter Character

Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

Uppercase Support

Select this option to allow the IAP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
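The Delimiter Character, Uppercase Support, and Called Station ID options above all change the literal strings the IAP puts into RADIUS attributes, and a RADIUS server or ClearPass endpoint database matches those strings exactly. The following Python is an added example, not Aruba code; it builds the User-Name for a MAC authentication request and the Called-Station-Id for each Called Station ID Type, so the effect of each setting can be checked before the server policy is written. Two details are this example's assumptions rather than statements from the guide: the MAC form of the Called-Station-Id follows the common RFC 3580 layout of uppercase octets separated by hyphens, and the Called Station ID Delimiter is the character placed between the identifier and the appended SSID. The AP values and MAC addresses are constructed samples.

```python
import re
from dataclasses import dataclass

MAC_DIGITS = re.compile(r"^[0-9a-fA-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Strip any existing separators and validate; returns 12 lowercase hex digits."""
    digits = re.sub(r"[:\-\.]", "", mac)
    if not MAC_DIGITS.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def mac_auth_username(mac: str, delimiter: str = "", uppercase: bool = False) -> str:
    """Format the client MAC as the User-Name of a MAC authentication request,
    following the Delimiter Character and Uppercase Support options:
    no delimiter -> xxxxxxxxxxxx, ':' -> xx:xx:xx:xx:xx:xx, and so on."""
    if len(delimiter) > 1:
        raise ValueError("delimiter is a single character")
    digits = normalize_mac(mac)
    if uppercase:
        digits = digits.upper()
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    return delimiter.join(octets)


@dataclass
class ApIdentity:
    """The IAP facts the Called Station ID Type options choose between (sample values)."""
    vc_id: str
    name: str
    vlan: int
    ip: str
    mac: str


def called_station_id(ap: ApIdentity, id_type: str, ssid: str = "",
                      include_ssid: bool = False, delimiter: str = ":") -> str:
    """Build the Called-Station-Id value for one Called Station ID Type.

    Assumed by this example: the MAC form uses uppercase hyphen-separated
    octets (RFC 3580 style) and the delimiter separates the identifier from
    the appended SSID when Called Station ID Include SSID is on.
    """
    sources = {
        "Access Point Group": ap.vc_id,
        "Access Point Name": ap.name,
        "VLAN ID": str(ap.vlan),
        "IP Address": ap.ip,
        "MAC address": mac_auth_username(ap.mac, "-", uppercase=True),
    }
    if id_type not in sources:
        raise ValueError(f"unknown Called Station ID Type: {id_type!r}")
    value = sources[id_type]
    if include_ssid:
        value = f"{value}{delimiter}{ssid}"
    return value


def endpoint_matches(username: str, known_endpoints: set) -> bool:
    """A server compares User-Name against stored endpoint MACs as plain
    strings: the stored format must match the IAP's delimiter and case
    settings exactly, or every MAC authentication fails."""
    return username in known_endpoints


if __name__ == "__main__":
    ap = ApIdentity(vc_id="vc-hq", name="ap-lobby-1", vlan=120,
                    ip="10.10.1.5", mac="00:1a:1e:aa:bb:cc")
    print(mac_auth_username("00:1A:2B:3C:4D:5E", "-", uppercase=True))
    print(called_station_id(ap, "MAC address", "corp-wifi", include_ssid=True))
    store = {"00:1a:2b:3c:4d:5e"}          # constructed endpoint database
    print(endpoint_matches(mac_auth_username("00:1A:2B:3C:4D:5E", ":"), store))
    print(endpoint_matches(mac_auth_username("00:1A:2B:3C:4D:5E", ":", True), store))
```

The last two lines show the usual failure mode: the same device matches the stored entry when the IAP sends lowercase colon-separated octets and silently fails when Uppercase Support is turned on, unless the server-side entries are updated to the same format.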

Fast Roaming

Enable the following fast roaming features as per your requirement:
- 802.11k--Turn on the 802.11k toggle switch to enable 802.11k roaming. The 802.11k protocol enables IAPs and clients to dynamically measure the available radio resources. When 802.11k is enabled, IAPs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
- 802.11v--Turn on the 802.11v toggle switch to enable 802.11v based BSS transition. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows the client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an IAP to request a voice client to transition to a specific IAP, or suggest a set of preferred IAPs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best IAP to transition to as it roams.
- RRM Quiet IE--Configures the radio resource management IE profile elements advertised by an IAP.

Configuring ACLs for User Access to a Wireless Network
You can configure up to 64 access rules for a wireless network profile. To configure access rules for a network, complete the following steps:
1. In the Access tab, turn on the Downloadable Role toggle switch to allow downloading of pre-existing user roles. For more information, see Configuring Downloadable Roles.

- The Downloadable Role feature is optional.
- The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8.
- At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.

2. Click the action corresponding to the server. The Edit Server page is displayed.


Viewing Wireless SSID Summary
In the Summary tab, the Network Summary page displays all the settings configured in the General, VLANs, Security, and Access tabs. Click Save Settings to complete the network profile creation and save the settings.
Configuring Wireless Networks for Guest Users on IAPs
Instant Access Points (IAPs) support the captive portal authentication method in which a webpage is presented to the guest users, when they try to access the Internet in hotels, conference centers, or Wi-Fi hotspots. The webpage also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at Wi-Fi hotspots and can be used to control wired access as well. The captive portal solution for an IAP cluster consists of the following:
- The captive portal web login page hosted by an internal or external server.
- The RADIUS authentication or user authentication against the internal database of the IAP.
- The SSID broadcast by the IAP.
The IAP administrators can create a wired or WLAN guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network. Administrators can also create guest accounts and customize the captive portal page with organization-specific logo, terms, and usage policy. With captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URL through HTTP or HTTPS, the captive portal webpage prompts the user to authenticate with a user name and password.
Splash Page Profiles
Instant APs support the following types of splash page profiles:
- Internal Captive portal--Select this splash page to use an internal server for hosting the captive portal service. Internal captive portal supports the following types of authentication:
  - Internal Authenticated--When Internal Authenticated is enabled, a guest user who is preprovisioned in the user database has to provide the authentication details.
  - Internal Acknowledged--When Internal Acknowledged is enabled, a guest user has to accept the terms and conditions to access the Internet.
- External Captive portal--Select this splash page to use an external portal on the cloud or on a server outside the enterprise network for authentication.
- None--Select to disable the captive portal authentication.
To create splash page profiles, see the following sections:
- Creating a Wireless Network Profile for Guest Users
- Configuring an Internal Captive Portal Splash Page Profile
- Configuring an External Captive Portal Splash Page Profile
- Configuring Wireless Networks for Guest Users on IAPs
- Configuring ACLs for Guest User Access
- Configuring Captive Portal Roles for an SSID
- Disabling Captive Portal Authentication

Creating a Wireless Network Profile for Guest Users
To create an SSID for guest users, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs page, click + Add SSID. The Create a New Network pane is displayed.
6. Under General, enter a network name in the Name (SSID) text-box.
7. If configuring a wireless guest profile, set the required WLAN configuration parameters described in Table 68.
8. Click Next. The VLANs details are displayed.
9. Under VLANs, select the options for Client IP Assignment as described in Table 70.
The following table lists the VLAN assignment options.

Table 70: VLANs Assignment

Instant AP assigned: When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnet and VLAN on the IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on IAPs. If this option is selected, specify any of the following options in Client VLAN Assignment:
- Internal VLAN--Assigns an IP address to the client in the same subnet as the IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
- Custom--Allows you to customize the client VLAN assignment to a specific VLAN or a range of VLANs. When this option is selected, select the scope from the VLAN ID drop-down list.

External DHCP server assigned: When this option is selected, specify any of the following options in Client VLAN Assignment:
- Static--In VLAN ID, specify a VLAN ID for a single VLAN. If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID.
- Dynamic--Assigns the VLANs dynamically from a DHCP server.
- Native VLAN--Assigns the client VLAN to the native VLAN.
To add a new VLAN assignment rule, complete the following steps:
1. Click +Add Rule in the VLAN Assignment Rules window. The New VLAN Assignment Rule page is displayed.
2. Enter the Attribute, Operator, String, and VLAN details, and then click OK.
To add a new Named VLAN, complete the following steps:
1. Click +Add Named VLAN. The Add Named VLAN window is displayed.
2. Enter the VLAN Name and VLAN details, and then click OK.
NOTE: To show or hide the Named VLANs, click Show Named VLANs; the Named VLAN table is then displayed. To delete a VLAN assignment rule, select a rule in the VLAN Assignment Rules window, and then click the delete icon. To delete a Named VLAN, select it in the Named VLAN table, and then click the delete icon.

NOTE: From Aruba Central On-Premises 2.5.4, the Add Named VLAN window supports adding multiple VLAN IDs and VLAN ranges.
For more information, see Configuring VLAN Assignment Rule.

Configuring an Internal Captive Portal Splash Page Profile
To configure an internal captive portal profile, complete the following steps:

1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
6. Under the Security tab, in the Security Level, select Visitors and configure the parameters described in Table 71.
7. Click Save Settings.
The following table lists the Internal captive portal configuration parameters.

Table 71: Internal Captive Portal Configuration Parameters

Type: Select Internal Captive Portal from the drop-down list.

Captive Portal Location: Select Acknowledged or Authenticated from the drop-down list.

Customize Captive Portal: Under Splash Page, when Customize Captive Portal is clicked, use the editor to specify text and colors for the initial page that is displayed to the users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type (Authenticated or Acknowledged) for which you are customizing the splash page design. Complete the following steps to customize the splash page design:
- Top banner title--Enter a title for the banner.
- Header fill color--Specify a background color for the header.
- Welcome text--To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
- Policy text--To change the policy text, click the second square in the splash page, enter the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
- Page fill color--To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
- Redirect URL--To redirect users to another URL, specify a URL in Redirect URL.
- Logo image--To upload a custom logo, click Choose File to upload. Ensure that the image file size does not exceed 16 KB. To delete an image, click Delete Logo.
To preview the captive portal page, click Preview splash page. To configure a captive portal proxy server or global proxy server to match your browser configuration, enter the IP address and port number in the Captive Portal Proxy Server IP and Captive Portal Proxy Server Port fields.

Encryption: By default, this field is disabled. Turn on the toggle switch to enable and configure the following encryption parameters:
- Key Management--Specify an encryption and authentication key.
- Passphrase format--Specify a passphrase format.
- Passphrase--Enter a passphrase.
- Retype--Retype the passphrase to confirm.

Key Management: Select Open or Enhanced Open from the drop-down list.

Advanced Settings

Captive Portal Proxy Server IP: Specify the IP address of the Captive Portal proxy server.

Captive Portal Proxy Server Port: Specify the port number of the Captive Portal proxy server.

MAC Authentication: Configure the following parameters:
- MAC Authentication--To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.
- Secondary Server--To add another server for authentication, configure another authentication server.
- Load Balancing--Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring DHCP Server for Assigning IP Addresses to IAP Clients.
To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for IAPs.

Use IP for Calling Station ID: Enable this option to configure the client IP address as the calling station ID.

Delimiter Character: Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

Called Station ID Type: Select any of the following options for configuring the called station ID:
- Access Point Group--Uses the VC ID as the called station ID.
- Access Point Name--Uses the host name of the IAP as the called station ID.
- VLAN ID--Uses the VLAN ID as the called station ID.
- IP Address--Uses the IP address of the IAP as the called station ID.
- MAC address--Uses the MAC address of the IAP as the called station ID.

Reauth Interval: Specify a value for Reauth Interval. When set to a value greater than zero, IAPs periodically re-authenticate all associated and authenticated clients.

Accounting: Select an accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client disconnects. This is applicable for WLAN SSIDs only.

Denylisting: If you are configuring a wireless network profile, turn on the Denylisting toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.

Max Authentication Failures: Set a threshold for denylisting clients based on the number of failed authentication attempts.

Enforce DHCP, WPA3 Transition, Called Station ID Include SSID: [descriptions missing in the source table]

Uppercase Support: Turn on the toggle switch to allow the IAP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

Disable if uplink type is: To exclude uplink(s), expand Disable if uplink type is, and turn on the toggle switch for the uplink type(s), for example, Ethernet, Wi-Fi, and 3G/4G.

Configuring an External Captive Portal Splash Page Profile
You can configure external captive portal profiles and associate these profiles to a user role or SSID. You can create a set of captive portal profiles and associate these profiles with an SSID or a wired profile. You can configure up to eight external captive portal profiles.
When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS and DHCP traffic between the client and network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted.
To configure an external captive portal profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
6. Under the Security tab, in the Security Level, select Visitors.
7. Select the Splash Page type as External.
8. If required, configure a captive portal proxy server or a global proxy server to match your browser configuration by specifying the IP address and port number in the Captive Portal Proxy Server IP and Captive Portal Proxy Server Port fields.
9. Select a captive portal profile. To add a new profile, click + and configure the parameters described in Table 72.
10. Click Save.
11. On the external captive portal splash page configuration page, specify encryption settings if required.
12. Specify the following authentication parameters under Advanced Settings:
- MAC Authentication--To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.
- Primary Server--Sets a primary authentication server.
  - To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.
  - To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for IAPs.
- Secondary Server--To add another server for authentication, configure another authentication server.
- Load Balancing--Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers.
13. If required, under Walled Garden, create a list of domains that are denylisted and an allowlist of websites that the users connected to this splash page profile can access.
14. To exclude an uplink, select an uplink type.
15. If MAC authentication is enabled, you can configure the following parameters:
- Delimiter Character--Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
- Uppercase Support--Turn on the toggle switch to allow the IAP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
16. Configure the Reauth Interval. When set to a value greater than zero, IAPs periodically re-authenticate all associated and authenticated clients.
17. If required, enable denylisting. Set a threshold for denylisting clients based on the number of failed authentication attempts.
18. Click Save Settings.
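As an added illustration (not code from the Aruba guide), the Python below models how the MAC Authentication options described in Table 71 and in step 15 above (Delimiter Character, Uppercase Support, Use IP for Calling Station ID, Called Station ID Type) shape the identity strings in a RADIUS MAC-authentication request, and why the RADIUS server's stored MAC format must agree with the IAP settings. The mapping of these values onto specific RADIUS attributes, the two server-side lookup styles, and all names and sample values are assumptions.

```python
"""Added example, not code from the Aruba guide: models how the MAC
Authentication options (Delimiter Character, Uppercase Support, Use IP for
Calling Station ID, Called Station ID Type) shape the identity strings an IAP
places in a RADIUS MAC-authentication request, and why the RADIUS server's
stored MAC format must agree with them. The attribute mapping below is an
assumption for illustration, not the IAP's actual implementation."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MacAuthSettings:
    delimiter: Optional[str] = None        # None -> xxxxxxxxxxxx, ":" -> xx:xx:xx:xx:xx:xx
    uppercase: bool = False                # Uppercase Support toggle
    use_ip_for_calling_station: bool = False
    called_station_id_type: str = "MAC address"   # one of the Table 71 options


@dataclass(frozen=True)
class ApContext:
    """Constructed view of the IAP; all values are sample data."""
    vc_id: str
    ap_name: str
    vlan_id: int
    ap_ip: str
    ap_mac: str


_HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Strip separators and validate; returns 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits.lower()


def format_mac(raw: str, settings: MacAuthSettings) -> str:
    """Render a MAC the way the IAP's delimiter and uppercase options describe."""
    digits = normalize_mac(raw)
    if settings.delimiter:
        if len(settings.delimiter) != 1:
            raise ValueError("Delimiter Character must be a single character")
        digits = settings.delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits.upper() if settings.uppercase else digits


def called_station_id(ctx: ApContext, settings: MacAuthSettings) -> str:
    """Pick the Called-Station-Id value according to Called Station ID Type."""
    choices = {
        "Access Point Group": ctx.vc_id,          # VC ID
        "Access Point Name": ctx.ap_name,         # IAP host name
        "VLAN ID": str(ctx.vlan_id),
        "IP Address": ctx.ap_ip,
        "MAC address": format_mac(ctx.ap_mac, settings),
    }
    if settings.called_station_id_type not in choices:
        raise ValueError(f"unknown Called Station ID Type: {settings.called_station_id_type}")
    return choices[settings.called_station_id_type]


def build_mac_auth_request(client_mac: str, client_ip: str, ctx: ApContext,
                           settings: MacAuthSettings) -> dict:
    """Assumed mapping: User-Name carries the formatted client MAC and
    Calling-Station-Id carries the client MAC, or the client IP when
    Use IP for Calling Station ID is enabled."""
    mac = format_mac(client_mac, settings)
    return {
        "User-Name": mac,
        "Calling-Station-Id": client_ip if settings.use_ip_for_calling_station else mac,
        "Called-Station-Id": called_station_id(ctx, settings),
    }


def strict_lookup(request: dict, user_store: set) -> bool:
    """Exact string compare, as a server with a plain MAC user store does:
    a delimiter or case mismatch between IAP and server is an auth failure."""
    return request["User-Name"] in user_store


def normalized_lookup(request: dict, user_store: set) -> bool:
    """Defensive server-side alternative: compare canonical forms so the IAP's
    delimiter and case settings cannot silently break MAC authentication."""
    canonical = {normalize_mac(m) for m in user_store}
    return normalize_mac(request["User-Name"]) in canonical


if __name__ == "__main__":
    ap = ApContext(vc_id="vc-guest-01", ap_name="lobby-ap-3", vlan_id=120,
                   ap_ip="192.0.2.10", ap_mac="00:1a:1e:aa:bb:cc")    # constructed
    store = {"00:1A:1E:11:22:33"}  # constructed: server stores colon-delimited uppercase
    for s in (MacAuthSettings(delimiter=":", uppercase=True,
                              called_station_id_type="Access Point Name"),
              MacAuthSettings()):
        req = build_mac_auth_request("00-1a-1e-11-22-33", "192.0.2.57", ap, s)
        print(req, "strict:", strict_lookup(req, store),
              "normalized:", normalized_lookup(req, store))
```

The second settings object (no delimiter, lowercase) fails the strict lookup against a colon-delimited uppercase store, which is the practical symptom of mismatched IAP and RADIUS MAC formats.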
The following table lists the external captive portal profile configuration parameters.

Table 72: External Captive Portal Profile Configuration Parameters

Name: Enter a name for the profile.

Type: Select any one of the following types of authentication:
- Radius Authentication--Select this option to enable user authentication against a RADIUS server.
- Authentication Text--Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.

IP or Hostname: Enter the IP address or the host name of the external splash page server.

URL: Enter the URL of the external captive portal server.

Port: Enter the port number that is used for communicating with the external captive portal server.

Use HTTPS: Select this to enforce clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.

Captive Portal Failure: This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to let them access the network.

Server Offload: Select the check box to enable the server offload feature. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.

Prevent Frame Overlay: Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.

Automatic URL Allowlisting: When this is enabled for the external captive portal authentication, the URLs that unauthenticated users are allowed to access are automatically allowlisted.

Auth Text: If the External Authentication splash page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected.

Redirect URL: Specify a redirect URL if you want to redirect the users to another URL.

Configuring ACLs for Guest User Access
To configure access rules for a guest network, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. Under the WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
6. Click the Access tab.
7. Under Access rules, select any of the following types of access control:
- Unrestricted--Select this to set unrestricted access to the network.
- Network Based--Select Network Based to set common rules for all users in a network. By default, the Allow any to all destinations access rule is enabled. This rule allows traffic to all destinations. To define an access rule, complete the following steps:
  - Click + and select appropriate options for the Rule Type, Service, Action, Destination, and Options fields.
  - Click Save.
- Role Based--Select Role Based to enable access based on user roles. For role-based access control, complete the following steps:
  1. To create a user role:
     a. Click +Add Role in the Role pane.
     b. Enter a name for the new role and click OK.
  2. To create access rules for a specific user role:
     a. Click +Add Rule in Access Rules for Selected Roles, and select appropriate options for the Rule Type, Service, Action, Destination, and Options fields.
     b. Click Save.
  3. To create a role assignment rule:
     a. Under Role Assignment Rules, click +Add Role Assignment. The New Role Assignment Rule pane is displayed.
     b. Select appropriate options in the Attribute, Operator, String, and Role fields.
     c. Click Save.
  4. To assign a pre-authentication role, select the Assign Pre-Authentication Role check-box and select a pre-authentication role from the drop-down list.
  5. Click Save Settings.
Configuring Captive Portal Roles for an SSID
You can configure an access rule to enforce captive portal authentication for SSIDs with 802.1X authentication enabled. You can configure rules that provide access to an external or internal captive portal, so that some of the clients using this SSID can derive the captive portal role. The following conditions apply to the 802.1X and captive portal authentication configuration:
- If captive portal settings are not configured for a user role, the captive portal settings configured for the SSID are applied to the client's profile.
- If captive portal settings are not configured for an SSID, the captive portal settings configured for the user role are applied to the client's profile.
- If captive portal settings are configured for both the SSID and the user role, the captive portal settings configured for the user role are applied to the client's profile.
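As an added example that is not part of the guide, the following Python models the precedence rule just stated (user-role settings win over SSID settings) together with the pre-authentication guest role described for captive portal SSIDs: only DNS and DHCP pass, the walled garden allowlist and denylist are honoured, HTTP and HTTPS are redirected to the portal, and the Captive Portal Failure and Server Offload options from Table 72 decide the remaining cases. The decision order, the treatment of non-browser clients under Server Offload, the port numbers and all names and sample values are assumptions.

```python
"""Added example, not code from the Aruba guide: models (1) the precedence
rule for captive portal settings configured on a user role versus an SSID,
and (2) how the pre-authentication guest role handles a client's traffic
(DNS and DHCP allowed, walled garden allowlist and denylist, HTTP/HTTPS
redirected to the portal, Captive Portal Failure and Server Offload options).
Decision order, ports and sample values are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CaptivePortalProfile:
    name: str
    server: str                              # IP or Hostname of the portal
    url: str
    port: int = 443
    use_https: bool = True
    failure_policy: str = "Deny Internet"    # or "Allow Internet"
    server_offload: bool = False
    allowlist: frozenset = frozenset()       # walled garden: reachable pre-auth
    denylist: frozenset = frozenset()        # walled garden: blocked pre-auth


@dataclass(frozen=True)
class Flow:
    proto: str                        # "udp" or "tcp"
    dst_port: int
    dst_host: str
    user_agent: Optional[str] = None  # None models a non-browser client


@dataclass
class GuestClient:
    mac: str
    authenticated: bool = False


def effective_profile(ssid_profile: Optional[CaptivePortalProfile],
                      role_profile: Optional[CaptivePortalProfile]) -> Optional[CaptivePortalProfile]:
    """Guide's precedence: role settings apply when present, else the SSID's;
    None means no captive portal applies to the client."""
    return role_profile if role_profile is not None else ssid_profile


def redirect_target(profile: CaptivePortalProfile) -> str:
    """Portal URL built from the profile's IP/hostname, port, URL and Use HTTPS."""
    scheme = "https" if profile.use_https else "http"
    return f"{scheme}://{profile.server}:{profile.port}{profile.url}"


def decide(flow: Flow, client: GuestClient, profile: Optional[CaptivePortalProfile],
           portal_reachable: bool = True) -> str:
    """Return FORWARD, REDIRECT or DROP for one flow of a guest client."""
    if client.authenticated or profile is None:
        return "FORWARD"                     # post-auth role, or no portal configured
    if flow.proto == "udp" and flow.dst_port in (53, 67, 68):
        return "FORWARD"                     # only DNS and DHCP pass pre-auth
    if flow.dst_host in profile.denylist:
        return "DROP"
    if flow.dst_host == profile.server or flow.dst_host in profile.allowlist:
        return "FORWARD"                     # the portal itself and the walled garden
    if flow.proto == "tcp" and flow.dst_port in (80, 443):
        if not portal_reachable:             # Captive Portal Failure option
            return "FORWARD" if profile.failure_policy == "Allow Internet" else "DROP"
        if profile.server_offload and flow.user_agent is None:
            return "DROP"                    # assumed: non-browser apps are not redirected
        return "REDIRECT"
    return "DROP"                            # everything else is not permitted pre-auth


if __name__ == "__main__":
    ssid_portal = CaptivePortalProfile(              # constructed sample profile
        name="guest-portal", server="portal.example.net", url="/guest/login",
        allowlist=frozenset({"cdn.example.net"}),
        denylist=frozenset({"blocked.example.org"}))
    profile = effective_profile(ssid_portal, None)   # no role-level override
    client = GuestClient(mac="00:1a:1e:11:22:33")    # constructed
    for flow in (Flow("udp", 53, "198.51.100.53"),
                 Flow("tcp", 443, "www.example.com", "Mozilla/5.0"),
                 Flow("tcp", 443, "cdn.example.net", "Mozilla/5.0"),
                 Flow("tcp", 22, "host.example.com")):
        verdict = decide(flow, client, profile)
        target = redirect_target(profile) if verdict == "REDIRECT" else ""
        print(flow.proto, flow.dst_port, flow.dst_host, "->", verdict, target)
```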
To create a captive portal role for the Internal and External splash page types:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. Under the WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
6. Click the Access tab.
7. Under Access rules, select Role Based.
8. Click +Add Rule in Access Rules for Selected Roles.
9. In the Add Rules window, specify the parameters described in Table 73.
10. Click Save. The enforce captive portal rule is created and listed as an access rule.
11. Click Save Settings.
The following table lists the access rule configuration parameters.

Table 73: Access Rule Configuration Parameters

Rule Type: Select Captive Portal from the drop-down list.

Splash Page Type: Select a splash page type from the drop-down list.

Internal: If Internal is selected in the Splash Page Type drop-down list, complete the following steps:
- Top banner title--Enter a title for the banner. To preview the page with the new banner title, click Preview splash page.
- Header fill color--Specify a background color for the header.
- Welcome text--To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
- Policy text--To change the policy text, click the second square in the splash page, enter the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
- Page fill color--To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
- Redirect URL--To redirect users to another URL, specify a URL in Redirect URL.
- Logo image--To upload a custom logo, click Choose File to upload. Ensure that the image file size does not exceed 16 KB. To delete an image, click Delete Logo. To preview the captive portal page, click Preview splash page.

External: If External is selected in the Splash Page Type drop-down list, complete the following steps:
- Captive Portal Profile--Select a profile from the drop-down list. To create a profile, click the + icon and enter the following information in the External Captive Portal window.
- Name
- Authentication Type--From the drop-down list, select either RADIUS Authentication (to enable user authentication against a RADIUS server) or Authentication Text (to specify the authentication text to be returned by the external server after a successful user authentication).
- IP OR Hostname--Enter the IP address or the hostname of the external splash page server.
- URL--Enter the URL for the external splash page server.
- Port--Enter the port number for communicating with the external splash page server.
- Captive Portal Failure--This field allows you to configure Internet access for the guest clients when the external captive portal server is not available. From the drop-down list, select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access the Internet when the external captive portal server is not available.
- Automatic URL Allowlisting--Turn on the toggle switch to enable or disable automatic allowlisting of URLs. On selecting this for the external captive portal authentication, the URLs allowed for the unauthenticated users to access are automatically allowlisted. The automatic URL allowlisting is disabled by default.
- Server offload--Turn on the toggle switch to offload the server.
- Prevent Frame Overlay--Turn on the toggle switch to prevent frame overlay.
- Use VC IP in Redirect URL--Turn on the toggle switch to use the virtual controller IP address as a redirect URL.
- Auth TEXT--Indicates the authentication text returned by the external server after a successful user authentication.
- Redirect URL--Specify a redirect URL to redirect the users to another URL.
To edit a profile, click the edit icon and modify the parameters in the External Captive Portal window.

The client can connect to this SSID after authenticating with user name and password. After the user logs in successfully, the captive portal role is assigned to the client.
Disabling Captive Portal Authentication
To disable captive portal authentication, perform the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
6. Under the Security tab, in the Security Level, select Visitors.
7. Under Splash Page, select None from the Captive Portal Type drop-down list.
8. Click Save Settings.
Configuring Client Isolation
Aruba Central On-Premises supports the Client Isolation feature, which isolates clients from one another and disables all peer-to-peer communication within the network. Client isolation disables inter-client communication by allowing only client-to-gateway traffic from clients to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant Access Point (IAP).
This feature enhances the security of the network and protects it from vulnerabilities. Client Isolation can only be configured through the CLI. When Client Isolation is configured, the IAP learns the IP, subnet mask, MAC, and other essential information of the gateway and the DNS server. A subnet table of trusted destinations is then populated with this information. Wired servers used in the network should be manually configured into this subnet table to serve clients. The destination MAC of data packets sent by the client is validated against this subnet table, and only the data packets destined to the trusted addresses in the subnet table are forwarded by the IAP. All other data packets are dropped.
The Client Isolation feature is supported only in IPv4 networks. This feature does not support AirGroup and affects Chromecast and AirPlay services.
Enabling Client Isolation Feature for Wireless Networks in Aruba Central On-Premises
To enable the Client Isolation feature, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs page, click +Add SSID. The Create a New Network page is displayed.
6. Click Advanced Settings and expand Miscellaneous.
7. Turn on the Deny Intra VLAN Traffic toggle switch.
8. Click Next.
Management Frames Protection
Aruba Central On-Premises supports the Management Frame Protection (MFP) feature in networks that include Aruba Instant 8.5.0.0 firmware version and later. This feature protects networks against forged management frames spoofed from other devices that might otherwise disrupt a valid user session. MFP increases security by providing data confidentiality of management frames. MFP uses the 802.11i framework, which establishes encryption keys between the client and the Instant AP.
Enabling Management Frames Protection Feature for Wireless Networks in Aruba Central On-Premises
To enable the MFP feature, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.


5. In the WLANs page, click +Add SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. In the General tab, click Advanced Settings.
7. Expand Miscellaneous.
8. Turn on the Management Frames Protection toggle switch to enable the MFP feature.
9. Click Next.
10. Click Save Settings.
The MFP configuration is a per-SSID configuration. The MFP feature can be enabled only on WPA2-PSK and WPA2-Enterprise SSIDs. The 802.11r fast roaming option will not take effect when the MFP is enabled.
Configuring Wired Networks for Guest Users on IAPs
Instant Access Points (IAPs) support the captive portal authentication method, in which a webpage is presented to guest users when they try to access the Internet in hotels, conference centers, or Wi-Fi hotspots. The webpage also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at Wi-Fi hotspots and can be used to control wired access as well. The captive portal solution for an IAP cluster consists of the following:
- The captive portal web login page hosted by an internal or external server.
- The RADIUS authentication or user authentication against the internal database of the IAP.
- The SSID broadcast by the IAP.
The IAP administrators can create a wired or WLAN guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network. Administrators can also create guest accounts and customize the captive portal page with organization-specific logo, terms, and usage policy. With captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URL through HTTP or HTTPS, the captive portal webpage prompts the user to authenticate with a user name and password.
Splash Page Profiles
IAPs support the following types of splash page profiles:
• Internal Captive portal--Select this splash page to use an internal server for hosting the captive portal service. Internal captive portal supports the following types of authentication:
  o Internal Authenticated--When Internal Authenticated is enabled, a guest user who is preprovisioned in the user database has to provide the authentication details.
  o Internal Acknowledged--When Internal Acknowledged is enabled, a guest user has to accept the terms and conditions to access the Internet.
• External Captive portal--Select this splash page to use an external portal on the cloud or on a server outside the enterprise network for authentication.
• None--Select to disable the captive portal authentication.
For information on how to create splash page profiles, see the following sections:
• Creating a Wired Network Profile for Guest Users
• Configuring an Internal Captive Portal Splash Page Profile
• Configuring an External Captive Portal Splash Page Profile
• Configuring Wired Networks for Guest Users on IAPs

Managing APs | 323

Creating a Wired Network Profile for Guest Users
To create a wired SSID for guest access, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Wired accordion.
7. To create a new wired SSID profile, click + Add Port Profile. The Create a New Network pane is displayed.
8. Under General, enter the following information:
   • Name--Enter a name.
   • ports--Select port(s) from the drop-down list.
9. Click Next to configure the VLANs settings. The VLANs details are displayed.
10. In the VLANs tab, select a type of mode from the Mode drop-down list.
11. Select the options for Client IP Assignment as described in Table 74.
The following table lists the VLAN assignment options.

Table 74: VLANs Parameters

Instant AP assigned
Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When the Virtual Controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The Virtual Controller can also assign a guest VLAN to a wired client. If this option is selected, specify any of the following options in Client VLAN Assignment:
• Default--When the client VLAN must be assigned to the native VLAN on the network.
• Custom--To customize the client VLAN assignment to a specific VLAN, or a range of VLANs.

External DHCP server assigned
Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.


Configuring an Internal Captive Portal Splash Page Profile
To configure an internal captive portal profile, complete the following steps:
1. Open the guest SSID to edit and configure the parameters in the Ports > Security page described in Table 75.
2. Click Save Settings.
The following table lists the Internal captive portal configuration parameters.

Table 75: Internal Captive Portal Configuration Parameters

Captive Portal Type
Select any of the following from the drop-down list:
• Internal - Authenticated--When Internal Authenticated is selected, the guest users are required to authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database.
• Internal - Acknowledged--When Internal Acknowledged is selected, the guest users are required to accept the terms and conditions to access the Internet.
• External--When External is selected, the guest users are required to enter the proxy server details such as IP address and captive portal proxy server port details. Also enter the details in the Walled Garden and Advanced sections.
• None--Select this option if you do not want to set any splash page.

Captive Portal Location
Select Acknowledged or Authenticated from the drop-down list.

Splash Page Properties
Policy text for which you are customizing the splash page design. Perform the following steps to customize the splash page design:
• Top Banner Title--Enter a title for the banner. To preview the page with the new banner title, click Preview Splash Page.
• Header fill color--Specify a background color for the header.
• Welcome Text--To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome Text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
• Policy Text--To change the policy text, click the second square in the splash page, enter the required text in the Policy Text box, and click OK. Ensure that the policy text does not exceed 255 characters.
• Page Fill Color--To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
• Redirect URL--To redirect users to another URL, specify a URL in Redirect URL.
• Logo Image--To upload a custom logo, click Upload, browse the image file, and click upload image. Ensure that the image file size does not exceed 16 KB. To delete an image, click Delete.
To preview the captive portal page, click Preview splash page. To configure a captive portal proxy server or global proxy server to match your browser configuration, enter the IP address and port number in the Captive-portal proxy server IP and Captive Portal Proxy Server Port fields.

Encryption
By default, this field is disabled. Turn on the toggle switch to enable and configure the following encryption parameters:
• Key Management--Specify an encryption and authentication key.
• Passphrase format--Specify a passphrase format.
• Passphrase--Enter a passphrase and retype to confirm.

Authentication
Configure the following parameters:
• MAC Authentication--To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.
• Secondary Server--To add another server for authentication, configure another authentication server.
• Load Balancing--Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring DHCP Server for Assigning IP Addresses to IAP Clients.
To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for IAPs.

Users
Create and manage users in the captive portal network. Only registered users of type Guest Employee will be able to access this network.

Advanced Settings > MAC Authentication
To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.

Advanced Settings > Reauth Interval
Specify a value for Reauth Interval. When set to a value greater than zero, IAPs periodically re-authenticate all associated and authenticated clients.

Advanced Settings > Denylisting
If you are configuring a wireless network profile, turn on the Denylisting toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.

Advanced Settings > Disable If Uplink Type Is
To exclude uplink, select an uplink type.
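The Denylisting threshold in this table (and step 17 of the external captive portal procedure later in this section) counts authentication failures per client. The following added Python example, which is not Aruba code, applies the same rule to a constructed log in a made-up format: a client is denylisted once its failure count reaches the threshold. That a successful authentication clears the count, and that the denylist has no expiry, are this example's assumptions, not statements from the guide.

```python
"""Denylist clients that reach a threshold of failed authentications (added example,
not Aruba code; the log lines and their format are constructed)."""
import re
from collections import defaultdict

# Constructed sample log in a made-up format (not IAP syslog syntax).
SAMPLE_AUTH_LOG = """\
2023-07-26T10:00:01 auth-fail client=aa:bb:cc:dd:ee:01 ssid=Guest reason=bad-password
2023-07-26T10:00:05 auth-fail client=aa:bb:cc:dd:ee:01 ssid=Guest reason=bad-password
2023-07-26T10:00:09 auth-ok   client=aa:bb:cc:dd:ee:02 ssid=Guest
2023-07-26T10:00:12 auth-fail client=aa:bb:cc:dd:ee:01 ssid=Guest reason=bad-password
2023-07-26T10:00:20 auth-fail client=aa:bb:cc:dd:ee:03 ssid=Guest reason=bad-password
2023-07-26T10:00:25 auth-ok   client=aa:bb:cc:dd:ee:01 ssid=Guest
this line is noise and is ignored by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>auth-fail|auth-ok)\s+"
    r"client=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)


class DenylistTracker:
    """Per-client failure counter with a denylist, as the Denylisting setting describes."""

    def __init__(self, threshold):
        if threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.threshold = threshold
        self.failures = defaultdict(int)   # mac -> current failure count
        self.denylisted = {}               # mac -> timestamp at which the threshold was reached

    def observe(self, ts, event, mac):
        if mac in self.denylisted:
            return                         # already denylisted; later events do not change that
        if event == "auth-ok":
            self.failures[mac] = 0         # assumption: a success clears the failure count
            return
        self.failures[mac] += 1
        if self.failures[mac] >= self.threshold:
            self.denylisted[mac] = ts


def parse_line(line):
    """Return (timestamp, event, mac) for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("event"), m.group("mac")


def denylist_from_log(log_text, threshold=3):
    """Run the tracker over every line of the log and return its final state."""
    tracker = DenylistTracker(threshold)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            tracker.observe(*parsed)
    return tracker


if __name__ == "__main__":
    state = denylist_from_log(SAMPLE_AUTH_LOG, threshold=3)
    for mac, ts in state.denylisted.items():
        print(f"{mac} denylisted at {ts}")
```

With the constructed log and a threshold of 3, only aa:bb:cc:dd:ee:01 is denylisted, at its third failure; lowering the threshold to 2 moves that to the second failure, and a threshold above the number of failures denylists nobody.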

Configuring an External Captive Portal Splash Page Profile
You can configure external captive portal profiles and associate these profiles to a user role or SSID. You can create a set of captive portal profiles in the Security > External Captive Portal data pane and associate these profiles with an SSID or a wired profile. You can also create a new captive portal profile under the Security tab of the WLAN wizard or a Wired Network pane. You can configure up to eight external captive portal profiles.
When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS and DHCP traffic between the client and network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted.


To configure an external captive portal profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
6. Under the Security tab, in the Security Level, select Visitors.
7. Select External Captive Portal from the Type drop-down list.
8. If required, configure a captive portal proxy server or a global proxy server to match your browser configuration by specifying the IP address and port number in the Captive Portal Proxy Server IP and Captive Portal Proxy Server Port fields.
9. Select a captive portal profile from the Captive Portal Profile drop-down list. To add a new profile, click + and configure the parameters described in Table 76.
10. Click Save.
11. On the external captive portal splash page configuration page, specify encryption settings if required.
12. Specify the following authentication parameters in Advanced Settings:
   • MAC Authentication--To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.
   • Primary Server--Sets a primary authentication server.
     o To use an internal server, select Internal server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.
     o To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for IAPs.
   • Secondary Server--To add another server for authentication, configure another authentication server.
   • Load Balancing--Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers.
13. If required, under Walled Garden, create a list of domains that are denylisted and also an allowlist of websites that the users connected to this splash page profile can access.
14. To exclude uplink, select an uplink type.
15. If MAC authentication is enabled, you can configure the following parameters:
   • Delimiter Character--Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
   • Uppercase Support--Turn on the toggle switch to allow the IAP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
16. Configure the Reauth Interval. When set to a value greater than zero, IAPs periodically re-authenticate all associated and authenticated clients.
17. If required, enable denylisting. Set a threshold for denylisting clients based on the number of failed authentication attempts.
18. Click Save Settings.
The following table lists the external captive portal profile configuration parameters.

Table 76: External Captive Portal Profile Configuration Parameters

Name
Enter a name for the profile.

Authentication Type
Select any one of the following types of authentication from the drop-down list:
• RADIUS Authentication--Select this option to enable user authentication against a RADIUS server.
• Authentication Text--Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.

IP or Hostname
Enter the IP address or the host name of the external splash page server.

URL
Enter the URL of the external captive portal server.

Port
Enter the port number that is used for communicating with the external captive portal server.

Use HTTPS
Select this to enforce clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.

Captive Portal Failure
This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to access the network.

Automatic URL Allowlisting
On enabling this for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically allowlisted.

Server Offload
Select the check box to enable the server offload feature. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.

Prevent Frame Overlay
Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.

Auth Text
If the External Authentication Splash page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected from the Authentication Type drop-down list.

Redirect URL
Specify a redirect URL if you want to redirect the users to another URL.
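The following added Python example, which is not Aruba code, models the pre-authentication guest role described earlier in this section (DNS and DHCP allowed, HTTP and HTTPS redirected to the captive portal unless explicitly permitted) together with the Walled Garden allowlist and denylist from step 13. The domain names, the subdomain matching rule and the handling of the denylist after authentication are this example's assumptions; wildcard entries and the Server Offload and Automatic URL Allowlisting behaviours are not modelled.

```python
"""Traffic decisions for a client in the captive portal guest role, with a walled
garden allowlist and denylist (added example, not Aruba code; values constructed)."""
from dataclasses import dataclass

# Constructed walled garden entries (assumed, not from the guide).
WALLED_GARDEN_ALLOW = ("portal.example.net", "cdn.example.net")
WALLED_GARDEN_DENY = ("blocked.example.org",)

DNS_DHCP_PORTS = {53, 67, 68}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    proto: str      # "udp" or "tcp"
    dport: int      # destination port
    host: str = ""  # HTTP Host header or TLS SNI, when the flow carries one


def domain_matches(host, domains):
    """Exact or subdomain match against a list of domains (wildcards not modelled)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def guest_role_decision(flow, authenticated,
                        allow=WALLED_GARDEN_ALLOW, deny=WALLED_GARDEN_DENY):
    """Return 'allow', 'drop' or 'redirect' (to the captive portal) for one flow.
    Applying the denylist after authentication as well is this example's assumption."""
    if flow.proto == "udp" and flow.dport in DNS_DHCP_PORTS:
        return "allow"          # DNS and DHCP are always permitted in the guest role
    if flow.host and domain_matches(flow.host, deny):
        return "drop"           # denylisted sites are never reachable
    if authenticated:
        return "allow"          # post-authentication role: no further restriction modelled
    if flow.proto == "tcp" and flow.dport in WEB_PORTS:
        if flow.host and domain_matches(flow.host, allow):
            return "allow"      # explicitly permitted by the walled garden allowlist
        return "redirect"       # all other HTTP/HTTPS goes to the captive portal
    return "drop"               # nothing else is forwarded before authentication


# Constructed sample flows from one unauthenticated guest client.
SAMPLE_FLOWS = [
    Flow("udp", 53),                            # DNS lookup
    Flow("udp", 67),                            # DHCP request
    Flow("tcp", 443, "portal.example.net"),     # the portal itself
    Flow("tcp", 443, "static.cdn.example.net"), # subdomain of an allowlisted entry
    Flow("tcp", 80, "news.example.com"),        # ordinary browsing
    Flow("tcp", 443, "blocked.example.org"),    # denylisted site
    Flow("tcp", 22),                            # SSH, no host name
]


def evaluate(flows, authenticated):
    """Decision for each flow, in input order."""
    return [guest_role_decision(f, authenticated) for f in flows]


if __name__ == "__main__":
    for flow, decision in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS, authenticated=False)):
        print(f"{flow.proto}/{flow.dport} {flow.host or '-':28} -> {decision}")
```

Before authentication the constructed flows yield allow, allow, allow, allow, redirect, drop, drop; after authentication only the denylisted site is still dropped.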


Configuring ACLs for Guest User Access
To configure access rules for a guest network, complete the following steps:
1. Under the WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon. The Create a New Network pane is displayed.
2. Click the Access tab.
3. Under Access, select any of the following types of access control:
   • Unrestricted--Select this to set unrestricted access to the network.
   • Network Based--Select Network Based to set common rules for all users in a network. By default, the Allow any to all destinations access rule is enabled. This rule allows traffic to all destinations. To define an access rule, complete the following steps:
     a. Click + and select appropriate options for the Rule Type, Service, Action, Destination, and Options fields.
     b. Click Save.
   • Role Based--Select Role Based to enable access based on user roles.
     i. Create a user role:
        a. Click New in the Role pane.
        b. Enter a name for the new role and click OK.
     ii. Create access rules for a specific user role:
        a. Click + and select appropriate options for the Rule Type, Service, Action, Destination, and Options fields.
        b. Click Save.
     iii. Create a role assignment rule:
        a. Under Role Assignment Rule, click New. The New Role Assignment Rule pane is displayed.
        b. Select appropriate options in the Attribute, Operator, String, and Role fields.
        c. Click Save.
4. Click Save Settings.
Configuring Wired Port Profiles on IAPs
If wired clients must be supported on Instant Access Points (IAPs), configure wired port profiles and assign these profiles to the ports of an IAP. The wired ports of an IAP allow third-party devices such as VoIP phones or printers (which support only wired port connections) to connect to the wireless network. You can also configure an ACL for additional security on the Ethernet downlink. To configure wired port profiles on an IAP, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Wired accordion.
7. To create a new wired port profile, click +Add Port Profile. The Create a New Network pane is displayed.
Complete the configuration for each of the tabs in the Create a New Network page as described in the following sections:
• Configuring General Network Profile Settings on page 330
• Configuring VLAN Network Profile Settings on page 331
• Configuring Security Settings on page 331
• Configuring Access Settings on page 333
• Configuring Network Port Profile Assignment on page 334
Configuring General Network Profile Settings
To configure general network profile settings, complete the following steps in the General tab:
1. Under General, enter the following information:
   • Name--Enter a name.
   • ports--Select port(s) from the drop-down list.
2. Under the Advanced Settings section, configure the following parameters:
   • Speed/Duplex--Select the appropriate value from the Speed and Duplex drop-down lists. Contact your network administrator if you need to assign speed and duplex parameters.
   • Power over Ethernet--Turn on the Power over Ethernet toggle switch to enable PoE.
   • Admin Status--The Admin Status indicates if the port is up or down.
   • Content Filtering--Turn on the Content Filtering toggle switch to ensure that all DNS requests to non-corporate domains on this wired port network are sent to OpenDNS.
   • Uplink--Turn on the toggle switch to configure uplink on this wired port profile. If the Uplink toggle switch is turned on and this network profile is assigned to a specific port, the port is enabled as an uplink port.
   • Spanning Tree--Turn on the toggle switch to enable STP on the wired port profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports, regardless of forwarding mode. STP does not operate on uplink ports and is supported only on IAPs with three or more ports. By default, STP is disabled on wired port profiles.
   • Inactivity Timeout--Enter the time duration after which an inactive user is disabled from the network. The user must undergo the authentication process to re-join the network.
   • 802.3az--Turn on the toggle switch to support the 802.3az Energy Efficient Ethernet (EEE) standard on the device. This option allows the device to consume less power during periods of low data activity. This setting can be enabled for provisioned IAPs or IAP groups through the wired port network. If this feature is enabled for an IAP group, IAPs in the group that do not support 802.3az ignore this setting. This option is available for IAPs that support a minimum of Aruba Instant 8.4.0.0 firmware version.
   • Deny Intra VLAN Traffic--Turn on the toggle switch to disable intra VLAN traffic. This enables client isolation and disables all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client-to-gateway traffic from clients to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities.
3. Click Next. The VLANs details page is displayed.
Configuring VLAN Network Profile Settings
To configure VLAN settings, complete the following steps in the VLANs tab:
1. Mode--Specify any of the following modes:
   • Access--Select this mode to allow the port to carry a single VLAN specified as the native VLAN. If the Access mode is selected, perform one of the following options:
     o If the Client IP Assignment is set to Virtual Controller Assigned, proceed to step 6.
     o If the Client IP Assignment is set to Network Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
   • Trunk--Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs. If the Trunk mode is selected:
     o Specify the Allowed VLAN: enter a list of comma separated digits or ranges, for example 1, 2, 5, or 1-4, or all. The Allowed VLAN refers to the VLANs carried by the port in Access mode.
     o If the Client IP Assignment is set to Network Assigned, specify a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as the Native VLAN. You can specify a value within the range of 1-4093.
2. Client IP Assignment--Specify any of the following values:
   • Instant AP Assigned--Select this option to allow the virtual controller to assign IP addresses to the wired clients. When the virtual controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The virtual controller can also assign a guest VLAN to a wired client. In the Client VLAN Assignment section, select Default when the client VLAN must be assigned to the native VLAN on the network. Select Custom to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. Click the Show Named VLANs section to view all the named VLANs mapped to VLAN IDs. Click +Add Named VLAN and enter the VLAN Name and VLAN ID that are required to be mapped. Clicking OK populates the named VLAN in the VLAN Name to VLAN ID Mapping table.
   • External DHCP server Assigned--Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.
3. Click Next. The Security details page is displayed.
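The Allowed VLAN field accepts single IDs, ranges, a comma separated mix of both, or all, and the Native VLAN must lie in 1-4093. The following added Python example, not Aruba code, parses that syntax and validates a Trunk-mode profile before it is pushed. The same 1-4093 range is assumed for Allowed VLAN entries, and the rule that the native VLAN must be one of the allowed VLANs is this example's own consistency check, not a statement from the guide.

```python
"""Parse and validate the Allowed VLAN and Native VLAN values of a wired port profile
(added example, not Aruba code)."""

VLAN_MIN, VLAN_MAX = 1, 4093   # range the guide states for Native VLAN; assumed for Allowed VLAN too


def parse_allowed_vlans(text):
    """Turn '1, 2, 5', '1-4', a comma separated mix of both, or 'all' into a sorted
    list of VLAN IDs. Raises ValueError on malformed or out-of-range input."""
    text = text.strip().lower()
    if text == "all":
        return list(range(VLAN_MIN, VLAN_MAX + 1))
    ids = set()
    for token in (t.strip() for t in text.split(",")):
        if not token:
            raise ValueError("empty entry in Allowed VLAN list")
        lo_s, _, hi_s = token.partition("-")
        if not lo_s.isdigit() or (hi_s and not hi_s.isdigit()):
            raise ValueError(f"not a VLAN ID or range: {token!r}")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if lo > hi:
            raise ValueError(f"reversed range: {token!r}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN outside {VLAN_MIN}-{VLAN_MAX}: {token!r}")
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def check_trunk_settings(allowed_text, native_vlan, client_ip_assignment):
    """Return a list of problems for a Trunk-mode profile; an empty list means OK.
    Native VLAN is only required when Client IP Assignment is Network Assigned,
    as the guide states; requiring it to be among the allowed VLANs is an assumption."""
    problems = []
    try:
        allowed = parse_allowed_vlans(allowed_text)
    except ValueError as exc:
        return [str(exc)]
    if client_ip_assignment == "Network Assigned":
        if native_vlan is None:
            problems.append("Native VLAN is required when Client IP Assignment is Network Assigned")
        elif not VLAN_MIN <= native_vlan <= VLAN_MAX:
            problems.append(f"Native VLAN {native_vlan} outside {VLAN_MIN}-{VLAN_MAX}")
        elif native_vlan not in allowed:
            problems.append(f"Native VLAN {native_vlan} is not in the Allowed VLAN list")
    return problems


if __name__ == "__main__":
    print(parse_allowed_vlans("1, 2, 5"))
    print(parse_allowed_vlans("1-4, 10"))
    print(check_trunk_settings("10-20", 30, "Network Assigned"))
```

Run against "10-20" with native VLAN 30 the check reports that the native VLAN is not carried by the port, which is the kind of mismatch that otherwise only shows up as untagged client traffic going nowhere.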
Configuring Security Settings
To configure security-specific settings, complete the following steps in the Security tab:
1. On the Security pane, select the following security options as per your requirement:
   • 802.1X Authentication--Set the toggle button to enable 802.1X Authentication. Configure the basic parameters such as the authentication server and MAC Authentication Fail-Through. Select any of the following options for the authentication server:
     o New--On selecting this option, an external RADIUS server must be configured to authenticate the users. For information on configuring an external server, see Configuring External Authentication Servers for IAPs.
     o Internal Server--If an internal server is selected, add the clients that are required to authenticate with the internal RADIUS server. Click the Manage Users link to add the users.
     o Load Balancing--Set the toggle button to enable, if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Authentication Servers.
     o MAC Authentication--To enable MAC authentication, enable the toggle button. MAC authentication is disabled by default.
     o Captive Portal--Set the toggle button to enable captive portal authentication. For more information on configuring security on captive portal, see Configuring Wired Networks for Guest Users on IAPs.
     o Open--Set the toggle button to enable, to set security for an open network.
2. Enable the Port Type Trusted option to connect uplink and downlink to a trusted port only.
3. In the Primary Server field, perform one of the following steps:
   • Internal Server--To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for IAPs.
   • Secondary Server--To add another server for authentication, configure another authentication server.
   • Authentication Survivability--If an external server is configured for authentication, you can enable authentication survivability. Specify a value in hours for Cache Timeout to set the duration after which the authenticated credentials in the cache expire. When the cache expires, the clients are required to authenticate again. You can specify a value within the range of 1 to 99 hours; the default value is 24 hours. By default, authentication survivability is disabled.
   • Load Balancing--Set the toggle button to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Authentication Servers.
4. MAC Authentication Fail-Thru--Set the toggle button to enable, so that 802.1X authentication is attempted when MAC authentication fails.
5. Under the Advanced Settings section, configure the following options:
   • Use IP for Calling Station ID--Set the toggle button to enable, to configure the client IP address as the calling station ID.
   • Called Station ID Type--Select one of the following options:
     o Access Point Group--Uses the VC ID as the called station ID.
     o Access Point Name--Uses the host name of the IAP as the called station ID.
     o IP Address--Uses the IP address of the IAP as the called station ID.
     o MAC address--Uses the MAC address of the IAP as the called station ID.
     o VLAN ID--Uses the VLAN ID as the called station ID.


The Called Station ID Type parameter can be configured even if the Use IP for Calling Station ID is set to disabled.
   • Reauth Interval--Specify the interval at which all associated and authenticated clients must be re-authenticated.
6. Click Next. The Access pane is displayed.
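The Called Station ID Type and Use IP for Calling Station ID settings above, together with the Delimiter Character and Uppercase Support options of MAC authentication (step 15 of the external captive portal procedure earlier in this section), decide what identity strings the RADIUS server sees and can write policy against. The following added Python example, which is not Aruba code, shows those mappings on constructed AP and client values. The RADIUS attribute names follow the usual RADIUS convention; the exact string the IAP sends (for example whether anything is appended to the called station ID) is not stated in the guide and is not modelled, and using the same MAC formatting for the calling station ID is an assumption.

```python
"""Identity attributes of a RADIUS request as shaped by the MAC authentication and
Called/Calling Station ID settings (added example, not Aruba code; values constructed)."""
import ipaddress
import re

# Constructed access point and client facts (assumed, not from the guide).
AP = {"name": "ap-lobby-01", "ip": "10.1.20.7", "mac": "00:11:22:33:44:55",
      "vc_id": "vc-campus-a", "vlan_id": 120}
CLIENT = {"mac": "AA-BB-CC-DD-EE-01", "ip": "10.1.120.34"}

CALLED_STATION_ID_TYPES = ("Access Point Group", "Access Point Name",
                           "IP Address", "MAC address", "VLAN ID")


def format_mac_for_auth(mac, delimiter="", uppercase=False):
    """Render a MAC address as the MAC authentication request carries it: twelve hex
    digits, separated by the configured delimiter (none when not configured),
    uppercase only when Uppercase Support is on."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if uppercase else digits.lower()
    if not delimiter:
        return digits
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


def called_station_id(id_type, ap):
    """Map the Called Station ID Type setting to the value the guide says it uses."""
    if id_type == "Access Point Group":
        return ap["vc_id"]                              # the VC ID
    if id_type == "Access Point Name":
        return ap["name"]                               # host name of the IAP
    if id_type == "IP Address":
        return str(ipaddress.ip_address(ap["ip"]))      # IP address of the IAP, normalised
    if id_type == "MAC address":
        return ap["mac"]                                # MAC address of the IAP
    if id_type == "VLAN ID":
        return str(ap["vlan_id"])                       # VLAN ID
    raise ValueError(f"unknown Called Station ID Type: {id_type!r}")


def calling_station_id(client, use_ip, delimiter="", uppercase=False):
    """Use IP for Calling Station ID on: the client IP; off: the client MAC
    (formatted like the MAC authentication identity, an assumption here)."""
    if use_ip:
        return str(ipaddress.ip_address(client["ip"]))
    return format_mac_for_auth(client["mac"], delimiter, uppercase)


def build_identity_attributes(client, ap, delimiter="", uppercase=False,
                              use_ip_for_calling=False,
                              called_type="Access Point Name"):
    """The three identity attributes a policy on the RADIUS side typically matches."""
    return {
        "User-Name": format_mac_for_auth(client["mac"], delimiter, uppercase),
        "Calling-Station-Id": calling_station_id(client, use_ip_for_calling,
                                                 delimiter, uppercase),
        "Called-Station-Id": called_station_id(called_type, ap),
    }


if __name__ == "__main__":
    for t in CALLED_STATION_ID_TYPES:
        print(f"{t:18} -> {called_station_id(t, AP)}")
    print(build_identity_attributes(CLIENT, AP, delimiter=":", use_ip_for_calling=True,
                                    called_type="VLAN ID"))
```

A practical consequence worth checking on the server side: the same client appears as aabbccddee01, aa:bb:cc:dd:ee:01 or AA-BB-CC-DD-EE-01 depending on the delimiter and case settings, so a RADIUS policy or a MAC account list must be written for the format the profile actually sends.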
Configuring Access Settings
To configure access-specific settings, complete the following steps:
1. In the Access tab, turn on the Downloadable Role toggle switch to allow downloading of pre-existing user roles. For more information, see Configuring Downloadable Roles.
   • The Downloadable Role feature is optional. It is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8.
   • At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.
2. Click the action corresponding to the server. The Edit Server page is displayed. The Edit Server page displays the RADIUS server name. The Name field is non-editable.
3. Enter the CPPM username along with the CPPM authentication credentials for the RADIUS server.
4. Click OK.
5. Under Access Rules, configure the following access rule parameters:
   a. Select any of the following types of access control:
      • Role-based--Allows the users to obtain access based on the roles assigned to them.
      • Unrestricted--Allows the users to obtain unrestricted access on the port.
      • Network-based--Allows the users to be authenticated based on access rules specified for a network.
   b. If Role-based access control is selected, under Role, select an existing role for which you want to apply the access rules, or click New and add the required role. To add a new access rule, click Add Rule under Access Rules For Selected Roles. The default role with the same name as the network is automatically defined for each network. The default roles cannot be modified or deleted.
   c. Configure role assignment rules. To add a new role assignment rule, click New under Role Assignment Rules. Under New Role Assignment Rule:
      • Select an attribute.
      • Specify an operator condition.
      • Select a role.
      • Click Save.
6. Click Finish to create the wired port profile.
Configuring Network Port Profile Assignment
To map the wired port profile to ethernet ports, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Wired accordion. The Wired Port Profiles table is displayed.
7. Select a wired port profile under Name and click the edit icon. The Networks > Configuration - <wired_port_profile> page is displayed.
8. Under the General tab, select Ethernet 0/0 and Ethernet 0/1 from the ports drop-down list.
9. If the IAP supports Ethernet 2, Ethernet 3, and Ethernet 4 ports, assign profiles to these ports by selecting Ethernet 0/2, Ethernet 0/3, and Ethernet 0/4 from the ports drop-down list respectively.
10. Click Save Settings.
Viewing Wired Port Profile Summary
In the Summary tab under the Networks > Configuration - <wired_port_profile> page, the Network Summary page displays all the settings configured in the General, VLANs, Security, and Access tabs. Click Save Settings to complete the network profile creation and save the settings.
Configuring Downloadable Roles
Aruba Central On-Premises allows you to download pre-existing user roles when you create network profiles.
The Downloadable Role feature is available only for networks that include access points (APs) that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8.
Aruba Instant and ClearPass Policy Manager include support for centralized policy definition and distribution. In order to provide highly granular per-user level access, user roles can be created when a user has been successfully authenticated. During the configuration of a policy enforcement profile in ClearPass Policy Manager, the administrator can define a role that should be assigned to the user after successful authentication. In RADIUS authentication, when ClearPass Policy Manager successfully authenticates a user, the user is assigned a role by ClearPass Policy Manager. If the role is not defined on the IAP, the role attributes can also be downloaded automatically. This feature supports roles obtained by the following authentication methods:
• 802.1X (WLAN and wired users)
• MAC authentication
• Captive Portal
This section describes the following topics:
• ClearPass Policy Manager Certificate Validation for Downloadable Role
• Enabling Downloadable Role Feature for Wireless Networks in Aruba Central On-Premises
• Enabling Downloadable Role Feature for Wired Networks in Aruba Central
ClearPass Policy Manager Certificate Validation for Downloadable Role
When a ClearPass Policy Manager server is configured as the domain for RADIUS authentication for downloading user roles, in order to validate the ClearPass Policy Manager customized CA, the root CA for the HTTPS server must be published at the well-known URL (http://<clearpassfqdn>/.well-known/aruba/clearpass/https-root.pem), from which IAPs retrieve it. The IAP must ensure that an FQDN is defined in the above URL for the RADIUS server and then attempt to fetch the trust anchor by using the RADIUS FQDN. Upon configuring the domain of the ClearPass Policy Manager server for RADIUS authentication along with a username and password, the IAP tries to retrieve the CA from the above well-known URL and store it in flash memory. However, if there is more than one ClearPass Policy Manager server configured for authentication, the CA must be uploaded manually.
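An added Python example, not Aruba or ClearPass code, of the checks implied by the paragraph above: the trust anchor URL can only be derived when the RADIUS server is configured by FQDN rather than IP address, automatic retrieval applies only when exactly one ClearPass Policy Manager server is configured, and the fetched file should be a well-formed PEM certificate before it is kept. The SHA-256 fingerprint over the DER bytes is what you compare with the value the ClearPass administrator reports for the root CA. The server names and the PEM body are constructed; the PEM body is placeholder bytes, not a real certificate.

```python
"""Checks around ClearPass trust anchor retrieval for downloadable roles
(added example, not Aruba or ClearPass code; names and PEM body constructed)."""
import base64
import hashlib
import ipaddress
import re

WELL_KNOWN_PATH = "/.well-known/aruba/clearpass/https-root.pem"   # path from the guide
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def trust_anchor_url(radius_server):
    """Return (url, None) when the server is an FQDN, else (None, reason)."""
    host = radius_server.strip().lower()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                       # not an IP literal; check it as a host name below
    else:
        return None, f"{host} is an IP address; configure the RADIUS server by FQDN"
    if not FQDN_RE.match(host):
        return None, f"{host!r} is not a valid FQDN"
    return f"http://{host}{WELL_KNOWN_PATH}", None


def plan_trust_anchor_retrieval(cppm_servers):
    """Automatic retrieval needs exactly one ClearPass server configured by FQDN;
    anything else means the CA has to be uploaded manually."""
    if len(cppm_servers) != 1:
        return {"mode": "manual",
                "reason": "automatic retrieval needs exactly one ClearPass Policy Manager server"}
    url, reason = trust_anchor_url(cppm_servers[0])
    if reason:
        return {"mode": "manual", "reason": reason}
    return {"mode": "automatic", "url": url}


def pem_fingerprint_sha256(pem_text):
    """SHA-256 hex digest over the DER bytes of the first PEM CERTIFICATE block, or None
    when the text is not a well-formed PEM block. Compare the digest out of band."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        return None
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:             # binascii.Error is a ValueError subclass
        return None
    return hashlib.sha256(der).hexdigest() if der else None


# Constructed placeholder: valid PEM framing around bytes that are NOT a certificate.
CONSTRUCTED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
                   + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    for servers in (["cppm.example.net"], ["10.0.0.5"], ["cppm1.example.net", "cppm2.example.net"]):
        print(servers, "->", plan_trust_anchor_retrieval(servers))
    print("fingerprint:", pem_fingerprint_sha256(CONSTRUCTED_PEM))
```

Because the retrieved file is stored in flash and then trusted for the HTTPS connection to ClearPass, comparing its fingerprint against the value known on the ClearPass side is the step that turns an automatic download into a verified trust anchor.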
Enabling Downloadable Role Feature for Wireless Networks in Aruba Central On-Premises
To enable the Downloadable Role feature, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, click + Add SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. In the Security tab, select the RADIUS server in Primary Server field.
At least one RADIUS server must be configured to apply the Downloadable User Roles feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.
7. Click Next. The Access tab is displayed.
8. Turn on the Downloadable Role toggle switch to allow downloading of pre-existing user roles. The CPPM Settings table, with Name, CPPM Username, and Actions columns for the RADIUS servers, is displayed.
- The Downloadable Role feature is available only for networks that include APs running a minimum firmware version of Aruba InstantOS 8.4.0.0 with a minimum ClearPass server version of 6.7.8.
- At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.
9. Click the action corresponding to the RADIUS server listed in the CPPM Settings table. The Edit Server page is displayed.
The Edit Server page displays the name of the RADIUS server. The Name field is non-editable.
10. Enter the following details:
- CPPM Username--Enter the ClearPass Policy Manager admin username.
- Password--Enter the password.
- Retype--Retype the password.
11. Click OK.
Enabling Downloadable Role Feature for Wired Networks in Aruba Central
To enable the Downloadable Role feature, perform the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Wired accordion.
6. Under Wired, click + Add Port Profile. To modify an existing profile, select the network that you want to edit in the Wired Port Profiles pane, and then click the edit icon.
7. In the Security tab, select the RADIUS server in the Primary Server field.
At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.
8. Click Next. The Access tab is displayed.
9. Enable the Downloadable Role option to allow downloading of pre-existing user roles. The CPPM Settings table, with Name, CPPM Username, and Actions columns for the RADIUS servers, is displayed.
- The Downloadable Role feature is available only for networks that include APs running a minimum firmware version of Aruba InstantOS 8.4.0.0 with a minimum ClearPass server version of 6.7.8.
- At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.
10. Click the action corresponding to the RADIUS server listed in the CPPM Settings table. The Edit Server page with the RADIUS server name is displayed.
The Edit Server page displays the RADIUS server name. The Name field is non-editable.
11. Enter the following details:
- CPPM Username--Enter the ClearPass Policy Manager admin username.
- Password--Enter the password.
- Retype--Retype the password.
12. Click OK.
Editing a Wireless Network Profile
To edit a network profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select the network that you want to edit, and then click the edit icon under the Actions column.
6. Modify the profile and click Save Settings.
You can directly edit the SSID name under the Display Name column of the Wireless SSIDs table. Double-click the relevant SSID that you want to rename, and type the new name. Press Enter to complete the process.
Editing a Wired Port Profile
To edit a network profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one IAP.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure IAPs are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Wired accordion.
6. In the Wired Port Profiles pane, select the network that you want to edit, and then click the edit icon.
7. Modify the profile and click Save Settings.
Deleting a Network Profile
To delete a network profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select the network that you want to delete, and then click the delete icon.
6. Click Yes in the confirmation dialog box.
Aruba Mesh Network and Mesh IAP
Mesh Network Overview
The mesh solution effectively expands and configures network coverage for outdoor and indoor enterprises in a wireless environment. The mesh network automatically reconfigures broken or blocked paths when traffic traverses mesh Instant Access Points (IAPs). This feature provides increased reliability by allowing the network to continue operating even when an IAP is non-functional or if the device fails to connect to the network.
A mesh network requires at least one valid wired or 3G uplink connection. The mesh network must be provisioned by plugging into the wired network for the first time.
Mesh IAPs
The IAPs that are configured for mesh can either operate as mesh portals or as mesh points based on the uplink type.

IAP as Mesh Portal
Any provisioned IAP that has a valid wired or 3G uplink connection functions as a mesh portal. A mesh portal acts as a gateway between the wireless mesh network and the enterprise wired LAN. The mesh roles are automatically assigned based on the IAP configuration. The mesh portal can also act as a virtual controller.
The mesh portal reboots after 5 minutes, when it loses its uplink connectivity to a wired network.
IAP as Mesh Point
The IAP without an Ethernet link functions as a mesh point. The mesh point establishes an all-wireless path to the mesh portal and provides traditional WLAN services such as client connectivity, IDS capabilities, user role association, and QoS for LAN-to-mesh communication to the clients, and performs mesh backhaul or network connectivity. The mesh points authenticate to the mesh portal and establish a secured link using AES encryption.
- A mesh point also supports LAN bridging by connecting any wired device to the downlink port of the mesh point. In the case of single Ethernet port platforms such as Instant AP-105, you can convert the Eth0 uplink port to a downlink port by enabling Eth0 Bridging.
- Redundancy is observed in a mesh network when two Instant APs have valid uplink connections, and most mesh points try to mesh directly with one of the two portals.
There can be a maximum of eight mesh points per mesh portal in a mesh network. When mesh IAPs boot up, they detect the environment to locate and associate with their nearest neighbor. The mesh IAPs determine the best path to the mesh portal ensuring a reliable network connectivity.
In a dual-radio IAP, the 2.4 GHz radio is always used for client traffic, and the 5 GHz radio is always used for both mesh backhaul and client traffic.
Automatic Mesh Role Assignment
Aruba Central On-Premises supports enhanced role detection during IAP boot-up and IAP running time. When a mesh point discovers that the Ethernet 0 port link is up, it sends loop detection packets to check the availability of Ethernet 0 link. If the Ethernet 0 link is available, the mesh point reboots as a mesh portal. Else, the mesh point does not reboot.
Mesh Role Detection during System Boot-Up
If the Ethernet link is down during Instant AP boot-up, the IAP acts as a mesh point. If the Ethernet link is up, the IAP continues to detect whether the network is reachable in the following scenarios:
- In a static IP address scenario, the IAP acts as a mesh portal if it successfully pings the controller. Otherwise, it acts as a mesh point.
- In case of DHCP, the IAP acts as a mesh portal when it obtains the IP address successfully. Otherwise, it acts as a mesh point.
- In case of IPv6, IAPs do not support a static IP address; they support only DHCP for detection of network reachability.
If the IAP has a 3G or 4G USB modem plugged, it always acts as a mesh portal. If the IAP is set to Ethernet 0 bridging, it always acts as a mesh point.
Mesh Role Detection during System Running Time
The mesh point uses the Loop Protection for Secure Jack Port feature to detect a loop when the Ethernet link is up. If a loop is detected, the Instant AP reboots. Otherwise, the Instant AP does not reboot and continues to act as a mesh point.
Setting up Instant Mesh Network
To provision Instant APs as mesh Instant APs, complete the following steps:
1. Connect the Instant APs to a wired switch.
2. Ensure that the virtual controller key is synchronized and the country code is configured.
3. Ensure that a valid SSID is configured on the Instant AP.
4. If the Instant AP has a factory default SSID (SetMeUp or Instant SSID), delete the SSID.
5. If an Extended SSID is enabled on the virtual controller, disable Extended SSID in the System > General accordion and reboot the Instant AP cluster.
6. Disconnect the Instant APs that you want to deploy as mesh points from the switch, and place the Instant APs at a remote location. The Instant APs come up without any wired uplink connection and function as mesh points. The Instant APs with valid uplink connections function as mesh portals.
Configuring Wired Bridging on Eth0 for Mesh Point
Aruba Central On-Premises supports wired bridging on the Eth0 port of an Instant AP. You can configure wired bridging if the Instant AP is configured to function as a mesh point. To configure support for wired bridging on the Eth0 port of an Instant AP from the Aruba Central On-Premises UI, complete the following steps:
1. In the Aruba Central On-Premises app, select one of the following options:
- To select an IAP group in the filter:
  a. Set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
  b. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
- To select an IAP in the filter:
  a. Set the filter to Global or a group containing at least one IAP.
  b. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
  c. Click an IAP listed under Device Name. The dashboard context for the IAP is displayed.
  d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the IAPs are displayed.

3. Click the Access Points tab. The Access Points table is displayed.
4. To edit an IAP, select an IAP in the Access Points table, and then click the edit icon.
5. Click the Uplink tab.
6. To configure a non-native uplink VLAN, specify the management VLAN number in the Uplink Management VLAN text box.
7. From the Eth0 Mode drop-down list, select one of the following:
- Uplink--Select this option to change the Eth0 bridging mode to the uplink port.
- Downlink--Select this option to change the Eth0 bridging mode to the downlink port.
8. Click Save Settings.
After configuring the support for wired bridging on the Eth0 port of an Instant AP, ensure that you reboot the Instant AP.
Mesh Cluster Function
Aruba Central On-Premises introduces the mesh cluster function for easy deployments of Instant APs. You can configure the ID, password, and also provision Instant APs to a specific mesh cluster. In a cluster-based scenario, you can configure unlimited mesh profiles in a network. When an Instant AP boots up, it attempts to find a mesh cluster configuration. The Instant AP fetches a pre-existing mesh cluster configuration, if any. Otherwise, it uses the default mesh configuration in which the SSID, password, and cluster name are generated by the virtual controller key.
Instant APs that belong to the same mesh network can establish mesh links with each other. The Instant APs can establish a mesh link in a standalone scenario also. However, the network role election does not take place in a standalone environment. Users can set the same mesh cluster configuration to establish mesh links with other networks. For more information on mesh cluster configuration, refer to the Mesh Instant AP Configuration chapter of Aruba Instant User Guide.
Configuring Mesh for Multiple Radios
Mesh clusters are grouped and defined by a mesh cluster profile, which provides the framework of the mesh network. The mesh cluster profile contains the MSSID, authentication methods, security credentials, and cluster priority required for mesh points to associate with their neighbors and join the cluster. Associated mesh points store this information in flash memory. Although most mesh deployments require only a single mesh cluster profile, you can configure and apply multiple mesh cluster profiles to an individual IAP. To configure a mesh for multiple radios, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Mesh accordion.
7. Select the radio band on which to deploy the mesh network from the Mesh Band drop-down list.
8. Click + in the Mesh table. The Mesh pane is displayed.
9. Configure the parameters described in Table 77.
10. Click OK.
11. Click Save Settings.
The following table describes the mesh configuration parameters.

Table 77: Mesh Configuration Parameters

Data pane item -- Description
Name -- Name for the mesh cluster profile. Range: 8-32 characters.
Key -- Configures a WPA2 PSK or passphrase as the cluster key. Range: 8-64 characters.
Priority -- Configures the priority of the mesh cluster profile. If more than two mesh cluster profiles are configured, mesh points use this number to identify primary and backup profiles. The lower the number, the higher the priority. Range: 1-15.
Opmode -- Configures the operation mode. Select WPA2 PSK or WPA3 SAE from the drop-down list.

Configuring ARM and RF Parameters on IAPs
This section provides the following information:
- ARM Overview
- Configuring ARM Features
- Configuring Radio Parameters
ARM Overview
ARM is a radio frequency management technology that optimizes WLAN performance, even in networks with the highest traffic, by dynamically and intelligently choosing the best 802.11 channel and transmit power for each Instant Access Point (IAP) in its current RF environment. ARM works with all standard clients, across all operating systems, while remaining in compliance with the IEEE 802.11 standards. It does not require any proprietary client software to achieve its performance goals. ARM ensures low-latency roaming, consistently high performance, and maximum client compatibility in a multi-channel environment. By ensuring the fair distribution of available Wi-Fi bandwidth to mobile devices, ARM ensures that data, voice, and video applications have sufficient network resources at all times. ARM allows mixed 802.11a, b, g, n, and ac client types to interoperate at the highest performance levels.

When ARM is enabled, an IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and sends reports on WLAN coverage, interference, and intrusion detection to the virtual controller. ARM computes coverage and interference metrics for each valid channel, chooses the best performing channel, and transmit power settings for each IAP RF environment. Each IAP gathers other metrics on its ARM-assigned channel to provide a snapshot of the current RF health state. IAPs support the following ARM features:
- Channel or Power Assignment--Assigns channel and power settings for all the IAPs in the network according to changes in the RF environment.
- Voice Aware Scanning--Improves voice quality by preventing an IAP from scanning for other channels in the RF spectrum during a voice call and by allowing an IAP to resume scanning when there are no active voice calls.
- Load Aware Scanning--Dynamically adjusts the scanning behavior to maintain uninterrupted data transfer on resource-intensive systems when the network traffic exceeds a predefined threshold.
- Band Steering--Assigns the dual-band capable clients to the 5 GHz band on dual-band IAPs, thereby reducing co-channel interference and increasing the available bandwidth for dual-band clients.
- Client Match--Continually monitors the RF neighborhood of the client to support the ongoing band steering and load balancing of channels, and enhanced IAP reassignment for roaming mobile clients.
When Client Match is enabled on 802.11n capable IAPs, the Client Match feature overrides any settings configured for the legacy band steering, station hand-off assist or load balancing features. The 802.11ac capable IAPs do not support the legacy band steering, station hand-off or load balancing settings, so these IAPs must be managed using Client Match.
- Airtime Fairness--Provides equal access to all clients on the wireless medium, regardless of client type, capability, or operating system, to deliver uniform performance to all clients.
For more information on ARM features supported by the IAPs, see the Aruba Instant User Guide.
Configuring ARM Features
To configure the ARM features, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the Radios tab. The Radios details page is displayed.
5. Under RF > Adaptive Radio Management (ARM), the Client Control section displays the following components:
- Band Steering Mode
- Airtime Fairness Mode
- ClientMatch
- ClientMatch Calculating Interval
- ClientMatch Neighbor Matching
- ClientMatch Threshold
- ClientMatch Key
- Spectrum Load Balancing Mode
6. For Band Steering Mode, configure the following parameters:
- Prefer 5 GHz--Enables band steering in the 5 GHz mode. On selecting this, the IAP steers the client to the 5 GHz band (if the client is 5 GHz capable), but allows the client connection on the 2.4 GHz band if the client persistently attempts a 2.4 GHz association.
- Force 5 GHz--Enforces 5 GHz band steering mode on the IAPs.
- Force 6 GHz--Enforces 6 GHz band steering mode on the IAPs.
The 6 GHz band is supported by Wi-Fi 6E APs (AP-635 and AP-655 access points) only.
- Balance Bands--Allows the IAP to balance the clients across the two radios to best utilize the available 2.4 GHz bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz, while the 2.4 GHz band operates in 20 MHz.
- Disable--Allows the clients to select the band to use.
7. For Airtime Fairness Mode, specify any of the following values:
- Default Access--Allows access based on client requests. When Airtime Fairness Mode is set to the Default Access option, per-user and per-SSID bandwidth limits are not enforced.
- Fair Access--Allocates air time evenly across all the clients.
- Preferred Access--Sets a preference where 802.11n clients are assigned more air time than 802.11a/11g. The 802.11a/11g clients get more airtime than 802.11b. The ratio is 16:4:1.
8. For ClientMatch, configure the following parameters:
- Client Match--Turn on the toggle switch to enable the Client Match feature on IAPs. When enabled, client count is balanced among all the channels in the same band. When Client Match is enabled, ensure that the Scanning option is enabled. For more information, see the Scanning parameter under Access Point Control in step 9.
When Client Match is disabled, channels can be changed even when the clients are active on a BSSID. The Client Match option is disabled by default.
- ClientMatch Calculating Interval--Configures a value for the calculating interval of Client Match. The interval is specified in seconds and the default value is 3 seconds. You can specify a value within the range of 1-600.
- ClientMatch Neighbor Matching--Configures the neighbor matching value for Client Match: the minimum similarity percentage for an IAP to be considered in the same virtual RF neighborhood by Client Match. You can specify a percentage value within the range of 20-100. The default value is 60%.
- ClientMatch Threshold--Configures a Client Match threshold value. This threshold is the maximum difference allowed in the number of associated clients between channels, radios, or channel + radios. When the client load on an IAP reaches or exceeds the threshold in comparison, Client Match is enabled on that IAP. You can specify a value within the range of 1-20. The default value is 5.

- ClientMatch Key--Enables the Client Match feature to work across different standalone IAPs in the same management VLAN. All such standalone IAPs must be set with the same Client Match key. Client Match uses the wired layer 2 protocol to synchronize information exchanged between IAPs. Users have an option to configure the Client Match keys. IAPs verify if the frames that they broadcast contain a common Client Match key. IAPs that receive these frames verify if the sender belongs to the same network or if the sender and receiver both have the same Client Match key. You can specify a value within the range of 1-2147483646.
- Spectrum Load Balancing Mode--Enables the Spectrum Load Balancing mode to determine the balancing strategy for Client Match. The following options are available:
  - Channel--Balances client count based on each channel.
  - Radio--Balances client count based on each radio.
  - Channel + Radio--Balances client count based on each channel and each radio.
9. Click Access Point Control, and configure the following parameters:
- Customize Valid Channels--Allows you to select a custom list of valid 20 MHz and 40 MHz channels for the 2.4 GHz and 5 GHz bands, and up to 160 MHz channels for the 6 GHz band. By default, the IAP uses valid channels as defined by the Country Code (regulatory domain). On selecting Customize Valid Channels, a list of valid channels for both 2.4 GHz and 5 GHz is displayed. The valid channel customization feature is disabled by default. The valid channels automatically show in the Static Channel Assignment pane.
- Min Transmit Power--Allows you to configure a minimum transmission power within a range of 3 to 33 dBm in 3 dBm increments. If the minimum transmission EIRP setting configured on an IAP is not supported by the IAP model, this value is reduced to the highest supported power setting. The default value for minimum transmit power is 18 dBm.
- Max Transmit Power--Allows you to configure the maximum transmission power within a range of 3 to 33 dBm in 3 dBm increments. If the maximum transmission EIRP configured on an IAP is not supported by the local regulatory requirements or IAP model, the value is reduced to the highest supported power setting.
- Client Aware--Allows ARM to control channel assignments for the IAPs with active clients. When the Client Match mode is disabled, an IAP may change to a more optimal channel, which disrupts current client traffic. The Client Aware option is enabled by default.
- Scanning--Allows the IAP to dynamically scan all 802.11 channels within its 802.11 regulatory domain at regular intervals. This scanning report includes WLAN coverage, interference, and intrusion detection data. For Client Match configuration, ensure that Scanning is enabled.
- Wide Channel Bands--Allows administrators to configure 40 MHz channels in the 2.4 GHz, 5 GHz, and 6 GHz bands. 40 MHz channels are two adjacent 20 MHz channels that are bonded together. The 40 MHz channel effectively doubles the frequency bandwidth available for data transmission. For high performance, you can select 5 GHz or 6 GHz. If the IAP density is low, enable it in the 2.4 GHz band.
- 80 MHz Support--Enables or disables the use of 80 MHz channels on IAPs. This feature allows ARM to assign 80 MHz channels on IAPs with 5 GHz radios, which support very high throughput. This setting is enabled by default. Only the IAPs that support 802.11ac can be configured with 80 MHz channels.
- 160 MHz Support--Enables or disables the use of 160 MHz channels on APs. This feature allows ARM to assign 160 MHz channels on APs with 5 GHz and 6 GHz radios, which support very high throughput. By default, it is set to None. Select one of the following options in the drop-down list:
  - Auto--Allows automatic selection of contiguous frequency.
  - Contiguous-only--Assigns only contiguous 160 MHz channel bandwidth.
  - Non-contiguous-only--Assigns non-contiguous 160 MHz channel bandwidth.
  - None--Disallows assigning 160 MHz channel bandwidth.
You can enable 160 MHz support only if 80 MHz Support is enabled. The 160 MHz Support option does not apply to the 2.4 GHz frequency band.
10. Click Channel Control, and configure the following parameters:
- Backoff Time--Allows you to configure the time, within a range of 10 to 3600 seconds, for which an IAP backs off after requesting a new channel or power. It can increase the time window of the channel interference check and the time window of the power check. The default value for the minimum backoff time is 240 seconds.
- Free Channel Index--Allows you to check the difference in threshold in the channel interference index between the new channel and the existing channel. An IAP only moves to a new channel if the new channel has a lower interference index value than the current channel. This parameter specifies the required difference between the two interference index values before the IAP moves to the new channel. The lower this value, the more likely the IAP moves to the new channel. It has a default value of 25.
- Ideal Coverage Index--Allows you to specify the ideal coverage index in the range of 2 to 20, which an IAP tries to achieve on its channel. The denser the IAP deployment, the lower this value should be. It has a default value of 10.
- Channel Quality Aware Arm Disable--Allows ARM to ignore the internally calculated channel quality metric and initiate channel changes based on the thresholds defined in the profile. ARM chooses the channel based on the calculated interference index value. The Channel Quality Aware Arm Disable option is disabled by default.
- Channel Quality Threshold--Allows you to specify the channel quality percentage, within a range of 0 to 100, below which ARM initiates a channel change. It has a default value of 70%.
- Channel Quality Wait Time--Specifies the time for which the channel quality must be below the channel quality threshold value to initiate a channel change. It has a range of 1 to 3600 seconds, with a default value of 120 seconds. If the current channel quality is below the specified channel quality threshold for this wait time period, ARM initiates a channel change.
11. Click Error Rate, and configure the following parameters:
- Error Rate Threshold--Configures the minimum percentage of errors in the channel that triggers a channel change. It has a range of 0 to 100% with a default value of 70%.
- Error Rate Wait Time--Configures the time for which the error rate has to be at least equal to the error rate threshold to trigger a channel change. The error rate must be equal to or more than the error rate threshold to trigger a channel change. It has a range of 1 to 3600 seconds, with a default value of 90 seconds.
12. Click Save Settings.
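The following Python simulation is an added example, not part of this guide and not Aruba's ARM implementation: it models the Channel Control and Error Rate rules above (Free Channel Index, Channel Quality Threshold and Wait Time, Error Rate Threshold and Wait Time, Backoff Time) over constructed per-second RF samples, so that the effect of a threshold or wait-time change can be reasoned about before it is pushed to production IAPs. The one-second sampling, the reading of a wait time as "condition holds continuously", the rule that no further change happens until Backoff Time has elapsed, and the treatment of Channel Quality Aware Arm Disable as skipping the quality rule are all assumptions.

```python
# Added example, not from the Aruba guide: a simulation of the Channel Control
# and Error Rate rules above; the exact ARM logic is Aruba's and is not
# published here, so the semantics below are assumptions. Data is constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ArmChannelControl:
    # Channel Control and Error Rate knobs with the guide's default values
    backoff_time: int = 240               # seconds, range 10-3600
    free_channel_index: int = 25          # required interference-index gap
    channel_quality_threshold: int = 70   # percent, range 0-100
    channel_quality_wait_time: int = 120  # seconds, range 1-3600
    error_rate_threshold: int = 70        # percent, range 0-100
    error_rate_wait_time: int = 90        # seconds, range 1-3600
    channel_quality_aware_disable: bool = False

@dataclass
class Sample:
    t: int                        # seconds since the simulation started
    current_interference: int     # interference index of the serving channel
    best_other_interference: int  # lowest interference index among candidates
    channel_quality: int          # percent
    error_rate: int               # percent

class ArmChannelDecision:
    def __init__(self, cfg: ArmChannelControl) -> None:
        self.cfg = cfg
        self.last_change_t: Optional[int] = None
        self.quality_bad_since: Optional[int] = None
        self.error_bad_since: Optional[int] = None

    @staticmethod
    def _clock(active: bool, since: Optional[int], t: int) -> Optional[int]:
        # start, keep or reset the wait-time clock; a wait time is assumed to
        # count only while its condition holds continuously (assumption)
        if not active:
            return None
        return t if since is None else since

    def evaluate(self, s: Sample) -> Optional[str]:
        """Return the reason for a channel change at this sample, or None."""
        cfg = self.cfg
        # Channel Quality Threshold: quality strictly below the threshold
        # (Channel Quality Aware Arm Disable is assumed to skip this rule)
        self.quality_bad_since = self._clock(
            not cfg.channel_quality_aware_disable
            and s.channel_quality < cfg.channel_quality_threshold,
            self.quality_bad_since, s.t)
        # Error Rate Threshold: rate at or above the threshold
        self.error_bad_since = self._clock(
            s.error_rate >= cfg.error_rate_threshold, self.error_bad_since, s.t)

        def waited(since: Optional[int], wait: int) -> bool:
            return since is not None and s.t - since >= wait

        reason = None
        # Free Channel Index: candidate must beat the current channel by the gap
        if s.current_interference - s.best_other_interference >= cfg.free_channel_index:
            reason = "interference"
        elif waited(self.quality_bad_since, cfg.channel_quality_wait_time):
            reason = "channel_quality"
        elif waited(self.error_bad_since, cfg.error_rate_wait_time):
            reason = "error_rate"
        # Backoff Time: assumed to suppress any further change after one fires
        in_backoff = (self.last_change_t is not None
                      and s.t - self.last_change_t < cfg.backoff_time)
        if reason is None or in_backoff:
            return None
        self.last_change_t = s.t
        self.quality_bad_since = self.error_bad_since = None
        return reason

def run(cfg: ArmChannelControl, samples: List[Sample]) -> List[Tuple[int, str]]:
    # feed samples through the decision logic; return (time, reason) changes
    decision = ArmChannelDecision(cfg)
    changes = []
    for s in samples:
        reason = decision.evaluate(s)
        if reason is not None:
            changes.append((s.t, reason))
    return changes

def scenario(seconds, quality=lambda t: 90, error=lambda t: 5,
             current=lambda t: 40, other=lambda t: 30):
    # constructed per-second series built from simple functions of time
    return [Sample(t, current(t), other(t), quality(t), error(t))
            for t in range(seconds)]

def demo():
    """Run constructed scenarios under the guide's default settings."""
    default = ArmChannelControl()
    low = lambda t: 50 if t >= 10 else 90       # quality drops at t=10, stays
    dip = lambda t: 50 if 10 <= t < 70 else 90  # 60 s dip, then recovers
    return {
        # fires once the 120 s wait time has elapsed, at t=130
        "sustained_low_quality": run(default, scenario(300, quality=low)),
        # a 60 s dip never satisfies the 120 s wait time
        "transient_low_quality": run(default, scenario(200, quality=dip)),
        # at t=20 a candidate channel beats the current one by 30 >= 25
        "better_free_channel": run(default, scenario(
            50, current=lambda t: 60, other=lambda t: 30 if t >= 20 else 50)),
        # 75% error rate from t=0 fires after the 90 s wait time
        "high_error_rate": run(default, scenario(200, error=lambda t: 75)),
    }
```

Lowering channel_quality_wait_time in ArmChannelControl makes the sustained case fire earlier, and with enough samples a second change appears exactly when the 240 s backoff window expires.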
Configuring Radio Parameters
To configure RF parameters for the 2.4 GHz, 5 GHz, and 6 GHz radio bands on an Instant Access Point (IAP), complete the following steps:

1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the Radios tab. The Radios details page is displayed.
5. Expand the Radio accordion in the RF dashboard.
6. Under the 2.4 GHz band, 5 GHz band, and 6 GHz band, click the + sign and configure the parameters described in Table 78.
7. Click Save Settings.
The following table lists the radio configuration parameters.

Table 78: Radio Configuration Parameters

Zone
Allows you to configure a zone per radio band for IAPs in a cluster. You can also configure an RF zone per IAP.
NOTE: Aruba recommends that you configure the RF zone either for individual IAPs or for the cluster. Any discrepancy in the RF zone names may lead to configuration errors.

Legacy Only
Turn on the Legacy Only toggle switch. When enabled, the IAP runs the radio in non-802.11n mode. This option is disabled by default.
NOTE: This parameter is not visible for the 6 GHz band option.

802.11d / 802.11h
Turn on the 802.11d / 802.11h toggle switch. When enabled, the radios advertise their 802.11d (Country Information) and 802.11h (Transmit Power Control) capabilities. This option is disabled by default.

Beacon Interval
Configures the beacon period for the IAP in milliseconds. This indicates how often the 802.11 beacon management frames are transmitted by the IAP. You can specify a value within the range of 60-500. The default value is 100 milliseconds.

Interference Immunity Level
Configures the immunity level to improve performance in high-interference environments. The default immunity level is 2. Increasing the immunity level makes the IAP lose a small amount of range.
- Level 0--No ANI adaptation.
- Level 1--Noise immunity only. This level enables power-based packet detection by controlling the amount of power increase that makes a radio aware that it has received a packet.
- Level 2--Noise and spur immunity. This level also controls the detection of OFDM packets, and is the default setting for the Noise Immunity feature.
- Level 3--Level 2 settings and weak OFDM immunity. This level minimizes false detects on the radio due to interference, but may also reduce radio sensitivity. This level is recommended for environments with a high level of interference related to 2.4 GHz appliances such as cordless phones.
- Level 4--Level 3 settings, and FIR immunity. At this level, the IAP adjusts its sensitivity to in-band power, which can improve performance in environments with high and constant levels of noise interference.
- Level 5--The IAP completely disables PHY error reporting, improving performance by eliminating the time the IAP spends on PHY processing.
NOTE: This parameter is not visible for the 6 GHz band option.

Channel Switch Announcement Count
Configures the number of channel switching announcements to be sent before switching to a new channel. This allows the associated clients to recover gracefully from a channel change.

Background Spectrum Monitoring
Turn on the Background Spectrum Monitoring toggle switch. When enabled, IAPs in access mode continue their normal access service to clients while also monitoring RF interference (from both neighboring IAPs and non-Wi-Fi sources such as microwaves and cordless phones) on the channel on which they are currently serving clients.

Customize ARM Power Range
Configures a minimum (Min Power) and maximum (Max Power) transmit power range for the 2.4 GHz, 5 GHz, and 6 GHz bands. The default value is 3 dBm. Unlike the configuration in the ARM profile, the transmit power of the radios in the Radio profile does not share the same configuration.

Enable 11ac
Turn on the Enable 11ac toggle switch. When enabled, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an IAP, it is automatically enabled for all SSIDs configured on that IAP. By default, VHT is enabled on all SSIDs.
NOTE: If you want the 802.11ac IAPs to function as 802.11n IAPs, turn off this toggle switch to disable VHT on these devices.
NOTE: This parameter is not visible for the 2.4 GHz band and 6 GHz band options.

Smart antenna
Turn on the Smart antenna toggle switch to combine an antenna array with a digital signal-processing capability to transmit and receive in an adaptive, spatially sensitive manner.
NOTE: This parameter is not visible for the 6 GHz band option.

ARM/WIDS Override
When ARM/WIDS Override is disabled, the IAP always processes frames for WIDS, the application that detects attacks on a wireless network or wireless system, even when the IAP is heavily loaded with client traffic. When ARM/WIDS Override is enabled, the IAP stops processing frames for WIDS.

RRM IE
Select the Radio Resource Management Information Element (RRM IE) profiles advertised by an AP from the drop-down list for the 6 GHz band.
NOTE: This option is only available for the 6 GHz band.


Configuring IDS Parameters on IAPs
Aruba Central On-Premises supports the IDS feature that monitors the network for the presence of unauthorized access points (APs). It also logs information about the unauthorized IAPs and clients, and generates reports based on the logged information.
Rogue IAPs
The IDS feature in the Aruba Central On-Premises network enables you to detect rogue IAPs, interfering IAPs, and other devices that can potentially disrupt the network managed by Aruba Central On-Premises. A rogue IAP is an unauthorized IAP plugged into the wired side of the network. An interfering IAP is an IAP seen in the RF environment that is not connected to the wired network. While an interfering IAP can potentially cause RF interference, it is not considered a direct security threat, because it is not connected to the wired network. However, an interfering IAP may be reclassified as a rogue IAP. The built-in IDS scans for IAPs that are not controlled by the VC. These are listed and classified as either Interfering or Rogue, depending on whether they are on a foreign network or on your network.
Configuring Wireless Intrusion Detection and Protection Policies
To configure a Wireless Intrusion Detection and Protection policy:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure IAPs are displayed.
4. Click Show Advanced.
5. Click Security. The Security details page is displayed.
6. Click the Wireless IDS/IPS accordion. The following three sections are displayed:
- Detection
- Protection
- Firewall Settings
You can configure the following options in these sections:
- Infrastructure Detection Policies--Specifies the policy for detecting wireless attacks on APs.
- Client Detection Policies--Specifies the policy for detecting wireless attacks on clients.
- Infrastructure Protection Policies--Specifies the policy for protecting APs from wireless attacks.
- Client Protection Policies--Specifies the policy for protecting clients from wireless attacks.
- Firewall Policies--Specifies the policies that set up a firewall for secured network access.
- Containment Methods--Prevents unauthorized stations from connecting to your Aruba Central network.
Each of these options contains several default levels that enable different sets of policies. An administrator can customize these options by enabling or disabling them as required.
Detection
The detection levels can be configured using the Detection section. The following levels of detection can be configured in the WIP Detection page:
- High
- Medium
- Low
- Off
- Custom
The following table describes the detection policies enabled in the Infrastructure Detection field.

Table 79: Infrastructure Detection Policies

Detection level: High
Detection policy:
- Detect Windows Bridge--Enables detection of Windows station bridging.
- Signature Deassociation Broadcast--Configures signature matching for the deassociation broadcast frame type.
- Signature Deauthentication Broadcast--Configures signature matching for the deauthentication broadcast frame type.
- Detect AP Spoofing--Enables IAP spoofing detection.
- Detect adhoc using VALID SSID--Enables detection of adhoc networks.
- Detect malformed large duration--Enables detection of unusually large durations in frames.
- Detect Overflow EAPOL key--Enables detection of overflow EAPOL key requests.
- Detect Invalid Address Combination--Enables detection of invalid address combinations.
- Detect AP Impersonation--Enables detection of IAP impersonation. In IAP impersonation attacks, the attacker sets up an IAP that assumes the BSSID and ESSID of a valid IAP. IAP impersonation attacks can be done for man-in-the-middle attacks, a rogue IAP attempting to bypass detection, or a honeypot attack.
- Detect AP Flood--Enables detection of flooding with fake IAP beacons to confuse legitimate users and to increase the amount of processing needed on client operating systems.
- Detect Beacon Wrong Channel--Enables detection of beacons advertising the incorrect channel.
- Detect ht Greenfield--Enables detection of high throughput devices advertising greenfield preamble capability.
- Detect Overflow IE--Enables detection of overflow Information Elements (IE).
- Detect RTS Rate Anomaly--Enables detection of rate anomalies.
- Detect Malformed HT IE--Enables detection of malformed HT Information Elements (IE).
- Detect CTS Rate Anomaly--Enables detection of CTS rate anomalies.
- Detect Malformed Frame Auth--Enables detection of malformed authentication frames.
- Detect invalid MAC OUI--Enables checking of the first three bytes of a MAC address, known as the organizationally unique identifier (OUI), assigned by the IEEE to known manufacturers. Often clients using a spoofed MAC address do not use a valid OUI and instead use a randomly generated MAC address. Enabling the MAC OUI check triggers an alarm if an unrecognized MAC address is in use.
- Detect Malformed Association Request--Enables detection of malformed association requests.
- Detect Bad WEP--Enables detection of WEP initialization vectors that are known to be weak and/or repeating. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for such weak implementations, which are still used by many legacy devices.
- Detect Wireless Bridge--Enables detection of wireless bridging.
- Detect HT 40 MHz intolerance--Enables detection of the 802.11n 40 MHz intolerance setting when stations and APs advertise 40 MHz intolerance.
- Detect Valid SSID Misuse--Enables detection of interfering or neighbor APs using valid or protected SSIDs.
- Detect Adhoc Network--Enables detection of adhoc networks.
- Detect Client Flood--Enables detection of client flood attacks.

Detection level: Medium
Detection policy:
- Detect Windows Bridge--Enables detection of Windows station bridging.
- Signature Deassociation Broadcast--Configures signature matching for the deassociation broadcast frame type.
- Signature Deauthentication Broadcast--Configures signature matching for the deauthentication broadcast frame type.
- Detect AP Spoofing--Enables AP spoofing detection.
- Detect adhoc using VALID SSID--Enables detection of adhoc networks.
- Detect malformed large duration--Enables detection of unusually large durations in frames.

Detection level: Low
Detection policy:
- Detect Windows Bridge--Enables detection of Windows station bridging.
- Signature Deassociation Broadcast--Configures signature matching for the deassociation broadcast frame type.
- Signature Deauthentication Broadcast--Configures signature matching for the deauthentication broadcast frame type.
- Detect AP Spoofing--Enables AP spoofing detection.

Detection level: Off
Detection policy: All detection policies are disabled.

Detection level: Custom
Detection policy: Allows you to select custom detection policies. To select, click the check box of the respective detection policy.

The following table describes the detection policies enabled in the Client Detection field.

Table 80: Client Detection Policies

Detection level: High
Detection policy:
- Detect Valid Client Misassociation--Enables detection of misassociation between a valid client and an unsafe IAP. This setting can detect the following misassociation types:
  - Misassociation to rogue IAP
  - Misassociation to external IAP
  - Misassociation to honeypot IAP
  - Misassociation to adhoc IAP
  - Misassociation to Hosted IAP
- Detect Hotspotter Attack--Enables detection of hotspot attacks.
- Detect Power Save DOS Attack--Enables detection of Power Save DoS attacks.
- Detect Omerta Attack--Enables detection of Omerta attacks.
- Detect Disconnect Station--Enables detection of a station disconnection attack. In a station disconnection attack, the attacker spoofs the MAC address of either an active client or an active IAP, then sends deauthenticate frames to the target device, causing it to lose its active association.
- Detect unencrypted Valid--Enables detection of unencrypted valid clients.
- Detect Block ACK Attack--Enables detection of attempts to reset traffic receive windows using forged Block ACK Add messages.
- Detect FATA-Jack--Enables detection of FATA-Jack attacks.
- Detect Rate Anomalies--Enables detection of rate anomalies.
- Detect ChopChop Attack--Enables detection of ChopChop attacks.
- Detect EAP Rate Anomaly--Enables Extensible Authentication Protocol (EAP) handshake analysis to detect an abnormal number of authentication procedures on a channel and generate an alarm when this condition is detected.
- Detect TKIP Replay Attack--Enables detection of TKIP replay attacks.
- Signature-Air Jack--Enables signature matching for the Air Jack frame type.
- Signature-ASLEAP--Enables signature matching for the ASLEAP frame type.

Detection level: Medium
Detection policy:
- Detect Valid Client Misassociation--Enables detection of misassociation between a valid client and an unsafe IAP. This setting can detect the following misassociation types:
  - Misassociation to rogue IAP
  - Misassociation to external IAP
  - Misassociation to honeypot IAP
  - Misassociation to adhoc IAP
  - Misassociation to Hosted IAP
- Detect Hotspotter Attack--Enables detection of hotspot attacks.
- Detect Power Save DOS Attack--Enables detection of Power Save DoS attacks.
- Detect Omerta Attack--Enables detection of Omerta attacks.
- Detect Disconnect Station--Enables detection of a station disconnection attack. In a station disconnection attack, the attacker spoofs the MAC address of either an active client or an active IAP, then sends deauthenticate frames to the target device, causing it to lose its active association.
- Detect unencrypted Valid--Enables detection of unencrypted valid clients.
- Detect Block ACK Attack--Enables detection of attempts to reset traffic receive windows using forged Block ACK Add messages.
- Detect FATA-Jack--Enables detection of FATA-Jack attacks.

Detection level: Low
Detection policy:
- Detect Valid Client Misassociation--Enables detection of misassociation between a valid client and an unsafe IAP. This setting can detect the following misassociation types:
  - Misassociation to rogue IAP
  - Misassociation to external IAP
  - Misassociation to honeypot IAP
  - Misassociation to adhoc IAP
  - Misassociation to Hosted IAP

Detection level: Off
Detection policy: All detection policies are disabled.

Detection level: Custom
Detection policy: Allows you to select custom detection policies. To select, click the check box of the respective detection policy.

Protection
The following levels of protection can be configured in the WIP Protection page:
n Off n Low n High n Custom
The following table describes the protection policies that are enabled in the Infrastructure Protection field.

Table 81: Infrastructure Protection Policies

Protection level: Off
Protection policy: All protection policies are disabled.

Protection level: Low
Protection policy:
- Protect SSID--Enforces the policy that the valid/protected SSIDs are used only by valid IAPs. An offending IAP is contained by preventing clients from associating to it.
- Rogue Containment--Controls rogue APs. By default, detected rogue APs are not automatically disabled; this option automatically disables a rogue IAP by preventing clients from associating to it.

Protection level: High
Protection policy:
- Protect SSID--Enforces the policy that the valid/protected SSIDs are used only by valid APs. An offending IAP is contained by preventing clients from associating to it.
- Rogue Containment--Controls rogue APs. By default, detected rogue IAPs are not automatically disabled; this option automatically disables a rogue IAP by preventing clients from associating to it.
- Protect AP Impersonation--Enables protection from IAP impersonation attacks. When IAP impersonation is detected, both the legitimate and the impersonating IAP are disabled using a Denial of Service (DoS).
- Protect from Adhoc Networks--Enables protection from adhoc networks. When adhoc networks are detected, they are disabled using a denial of service attack.

Protection level: Custom
Protection policy: Allows you to select custom protection policies. To select, click the check box of the respective protection policy.


The following table describes the protection policies that are enabled in the Client Protection field.

Table 82: Client Protection Policies

Protection level: Off
Protection policy: All protection policies are disabled.

Protection level: Low
Protection policy:
- Protect Valid Station--Enables protection of valid stations. When enabled, valid stations are not allowed to connect to an invalid IAP.

Protection level: High
Protection policy:
- Protect Valid Station--Enables protection of valid stations. When enabled, valid stations are not allowed to connect to an invalid IAP.
- Protect Windows Bridge--Enables protection against Windows station bridging.

Protection level: Custom
Protection policy: Allows you to select custom protection policies. To select, click the check box of the respective protection policy.

Containment Methods
You can enable wired and wireless containment measures to prevent unauthorized stations from connecting to your Aruba Central network.
Aruba Central supports the following types of containment mechanisms:
- Wired containment--When enabled, APs generate ARP packets on the wired network to contain wireless attacks.
- Wireless containment--When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified IAP.
  - None--Disables all the containment mechanisms.
  - Deauthenticate only--With deauthentication containment, the IAP or client is contained by disrupting the client association on the wireless interface.
  - Tarpit containment--With tarpit containment, the IAP is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel as, or a different channel from, the IAP being contained.
  - Tarpit all stations--Enables wireless containment by tarpit for all stations.

The FCC and some third parties have alleged that under certain circumstances, the use of containment functionality violates 47 U.S.C. §333. Before using any containment functionality, ensure that your intended use is allowed under the applicable rules, regulations, and policies. Aruba is not liable for any claims, sanctions, or other direct, indirect, special, consequential or incidental damages related to your use of containment functionality.

Protection Against Wired Attacks
In the Protection Against Wired Attacks section, enable the following options:
- Drop Bad ARP--Drops fake ARP packets.
- Fix Malformed DHCP--Fixes malformed DHCP packets.
- ARP Poison Check--Triggers an alert on ARP poisoning caused by rogue APs.


Firewall Settings
To configure firewall settings by specifying the policies for secured network access, see Enabling ALG Protocols on IAPs on page 398 and Configuring Firewall Parameters for Wireless Network Protection.
- For all subnets, a deny rule is created by default as the last rule. If at least one rule is configured, the deny all rule is applied to the upstream traffic by default.
- Management access to the Instant AP is allowed irrespective of the inbound firewall rule.
- The inbound firewall is not applied to traffic coming through the GRE tunnel.
Configuring Time-Based Services for Wireless Network Profiles
Aruba Central On-Premises allows you to configure the availability of a WLAN SSID at a particular time of the day. You can now create a time range profile and assign it to a WLAN SSID, so that you can enable or disable access to the SSID and thus control user access to the network during a specific time period. Instant Access Points (IAPs) support the configuration of both absolute and periodic time range profiles. You can configure an absolute time range profile to execute during a specific time frame, or create a periodic profile to execute at regular intervals based on the periodicity specified in the configuration. This section describes the following topics:
- Creating a Time Range Profile
- Associating a Time Range Profile to an SSID
- Associating a Time Range Profile to ACL
Before You Begin
Before you configure time-based services, ensure that the NTP server connection is active.
Creating a Time Range Profile
To create a time range profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Time-Based Services accordion.
7. Click + in the Time Based Profiles table. The New Profile window for creating a time range profile is displayed.
8. Configure the parameters listed in Table 83.
The following table lists the time range profile configuration parameters.

Table 83: Time Range Profile Configuration Parameters

Name
Specify a name for the time range profile.

Type
Select the type of time range profile:
- Periodic--Allows you to configure a specific periodicity and recurrence pattern for a time range profile.
- Absolute--Allows you to configure an absolute day and time range.

Repeat
Specify the frequency for the periodic time range profile:
- Daily--Enables daily recurrence.
- Weekly--Allows you to define a specific time range with specific start and end days in a week.

Day Range
Absolute: For an absolute time range profile, this field allows you to specify the start day and end day, both in mm/dd/yyyy format. You can also use the calendar to specify the start and end days.
Periodic: For a periodic time range profile, the following Day Range options are available:
- For daily recurrence--If the Repeat option is set to Daily, this field allows you to select one of the following time ranges:
  - Monday--Sunday (All Days)
  - Monday--Friday (Weekdays)
  - Saturday--Sunday (Weekend)
  For example, if you set the Repeat option to Daily, select Monday--Friday (Weekdays) for Day Range, and set Start Time to 1 and End Time to 2, the applied time range is Monday to Friday from 1 am to 2 am; that is, on Monday at 3 am the profile is not applied.
- For weekly recurrence--If the Repeat option is set to Weekly, this field allows you to select the start and end days of the week and the time range. For example, if you set Start Day to Monday and End Day to Friday, and Start Time to 1 and End Time to 2, the applied time range is Monday 1 am to Friday 2 am every week; that is, on Monday at 3 am the profile is applied.

Start Time
Select the start time for the time range profile from the Hours and Minutes drop-down lists.

End Time
Select the end time for the time range profile from the Hours and Minutes drop-down lists.

Visualization Graph for Time
The Visualization graph (approximated to the hour) provides a visual display of the selected time range (Day Range, Start Time, and End Time) for periodic profiles.

Associating a Time Range Profile to an SSID
To apply a time range profile to an SSID, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.


4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile for which you want to apply the time range profile, and then click the edit icon. You can also add a time range profile when configuring an SSID.
6. In General, click Time Range Profiles under Advanced Settings.
7. Expand the Time Range Profiles accordion, and enter the following information:
- Select a time range profile from the Time Range Profile list.
- Select a value from the Status drop-down list.
- When a time range profile is enabled on an SSID, the SSID is made available to users for the configured time range. For example, if the specified time range is 12:00 to 13:00, the SSID becomes available only between 12 PM and 1 PM on a given day.
- If a time range is disabled, the SSID becomes unavailable for the configured time range. For example, if the configured time range is 14:00 to 17:00, the SSID is made unavailable from 2 PM to 5 PM on a given day.
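The Day Range semantics of Table 83 (Daily applies the Start/End times on each selected day; Weekly is one span from Start Day/Time to End Day/Time) and the Status setting used when the profile is attached to an SSID, as an added Python illustration that is not Aruba code. The class, field names, helper functions and sample profiles are constructed for this example; the Weekly evaluator also handles a span that wraps past Sunday midnight, which the guide's own examples do not cover.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional

# Added illustration of how a Time Range Profile (Table 83) decides whether
# it is in effect, and how the SSID Status setting applies it. Not Aruba
# code; the class and field names are hypothetical.

DAY_INDEX = {"Monday": 0, "Tuesday": 1, "Wednesday": 2, "Thursday": 3,
             "Friday": 4, "Saturday": 5, "Sunday": 6}

# Day Range choices offered when Repeat is Daily (weekday(): Monday == 0).
DAY_RANGES = {
    "All Days": set(range(7)),   # Monday--Sunday
    "Weekdays": set(range(5)),   # Monday--Friday
    "Weekend": {5, 6},           # Saturday--Sunday
}


@dataclass
class TimeRangeProfile:
    name: str
    type: str                        # "Periodic" or "Absolute"
    start_time: time                 # Hours/Minutes drop-downs
    end_time: time
    repeat: str = "Daily"            # "Daily" or "Weekly" (Periodic only)
    day_range: str = "All Days"      # Daily: a key of DAY_RANGES
    start_day: str = "Monday"        # Weekly: start and end day of the week
    end_day: str = "Friday"
    start_date: Optional[date] = None  # Absolute: mm/dd/yyyy in the UI
    end_date: Optional[date] = None


def parse_ui_date(text: str) -> date:
    """Parse the mm/dd/yyyy format used by the Absolute day fields."""
    return datetime.strptime(text, "%m/%d/%Y").date()


def moment(text: str) -> datetime:
    """Helper for readable instants: 'YYYY-MM-DD HH:MM'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def _week_minutes(day: int, t: time) -> int:
    """Minutes elapsed since Monday 00:00 for a weekday index and a time."""
    return day * 24 * 60 + t.hour * 60 + t.minute


def is_active(p: TimeRangeProfile, now: datetime) -> bool:
    """True when `now` lies inside the profile's configured range."""
    if p.type == "Absolute":
        start = datetime.combine(p.start_date, p.start_time)
        end = datetime.combine(p.end_date, p.end_time)
        return start <= now < end
    if p.repeat == "Daily":
        # Daily: Start/End Time apply on each selected day separately, so
        # Weekdays 1-2 covers Monday 1:30 am but not Monday 3 am.
        if now.weekday() not in DAY_RANGES[p.day_range]:
            return False
        return p.start_time <= now.time() < p.end_time
    # Weekly: a single span from Start Day/Start Time to End Day/End Time,
    # so Monday 1 am to Friday 2 am does include Monday 3 am.
    start = _week_minutes(DAY_INDEX[p.start_day], p.start_time)
    end = _week_minutes(DAY_INDEX[p.end_day], p.end_time)
    cur = _week_minutes(now.weekday(), now.time())
    if start <= end:
        return start <= cur < end
    return cur >= start or cur < end      # span wraps past Sunday midnight


def ssid_available(p: TimeRangeProfile, status: str, now: datetime) -> bool:
    """Status chosen when the profile is attached to an SSID: Enabled makes
    the SSID available only inside the range, Disabled hides it inside."""
    inside = is_active(p, now)
    return inside if status == "Enabled" else not inside


# Constructed profiles mirroring the worked examples in Table 83 and the
# SSID association steps (dates are arbitrary; 2024-03-04 is a Monday).
WEEKDAY_EARLY = TimeRangeProfile("weekday-early", "Periodic", time(1), time(2),
                                 repeat="Daily", day_range="Weekdays")
WEEKLY_MON_FRI = TimeRangeProfile("mon-fri-span", "Periodic", time(1), time(2),
                                  repeat="Weekly", start_day="Monday", end_day="Friday")
WEEKEND_WRAP = TimeRangeProfile("fri-night-to-mon", "Periodic", time(22), time(6),
                                repeat="Weekly", start_day="Friday", end_day="Monday")
AFTERNOON_BLOCK = TimeRangeProfile("afternoon", "Periodic", time(14), time(17),
                                   repeat="Daily", day_range="All Days")
MARCH_WINDOW = TimeRangeProfile("march-window", "Absolute", time(9), time(18),
                                start_date=parse_ui_date("03/01/2024"),
                                end_date=parse_ui_date("03/05/2024"))

if __name__ == "__main__":
    for label, prof, when in [("daily", WEEKDAY_EARLY, "2024-03-04 03:00"),
                              ("weekly", WEEKLY_MON_FRI, "2024-03-04 03:00")]:
        print(label, when, "active" if is_active(prof, moment(when)) else "inactive")
```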
Associating a Time Range Profile to ACL
Aruba Central allows you to configure time-based services for a specific ACL. To apply a time range profile to an access rule, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. In the Roles accordion, click the edit icon listed for access rules under Access Rules For Selected Roles to which you want to apply the time range profile. The Access Rules page is displayed.
7. In the Options section, select the Time Range check box and select the time range profile from the drop-down list.
- When a time range profile is associated with an ACL, the configured time range is applied to all WLAN SSIDs with that ACL.
- If a time range is disabled or if the time range profile is deleted for an ACL, all WLAN SSIDs with that ACL can access the network without any time constraint.
8. Click Save.
For more information on time range configuration, see the Aruba Instant User Guide.
Configuring Authentication and Security Profiles on IAPs
This section describes the authentication and security parameters to configure on an Instant Access Point (IAP):

- Supported Authentication Methods
- Authentication Servers for IAPs
- Configuring External Authentication Servers for IAPs
- Configuring Role Derivation Rules for AP Clients
- Configuring Users Accounts for the IAP Management Interface
- Configuring Guest and Employee User Profiles on IAPs
- Firewall and ACL Rules
- Configuring Firewall Parameters for Wireless Network Protection
- Support for Multiple PSK in WLAN SSID
- Configuring an MPSK Local Profile
- Configuring WPA3 Encryption
- Intra VLAN Traffic Allowlist
- Creating Role Derivation Rules for IAP Clients
- Configuring User Roles for AP Clients
- Configuring Firewall Parameters for Inbound Traffic
- Configuring Roles and Policies on IAPs for User Access Control
- Configuring Network Service ACLs
- Enabling ALG Protocols on IAPs
- Denylisting IAP Clients
Supported Authentication Methods
Authentication is a process of identifying a user through a valid username and password. Clients can also be authenticated based on their MAC addresses. The authentication methods supported by the Instant Access Points (IAPs) managed through Aruba Central On-Premises are described in the following sections.
802.1X Authentication
802.1X is a method for authenticating the identity of a user before providing network access to the user. The Aruba Central On-Premises network supports an internal RADIUS server and external RADIUS servers for 802.1X authentication. For authentication purposes, the wireless client associates to a NAS or RADIUS client, such as a wireless IAP. The wireless client can pass data traffic only after successful 802.1X authentication.
The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network first connects to the NAS.
Configuring 802.1X Authentication for a Network Profile
To configure 802.1X authentication for a wireless network profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.


3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile for which you want to enable 802.1X authentication, and then click the edit icon.
You can directly edit the SSID name under the Display Name column in the Wireless SSIDs table. Double-click the relevant SSID that you want to rename, and type the new name. Press Enter to complete the process.
6. Under Security, for the Enterprise security level, select the preferred option from the Key Management drop-down list.
7. Specify the type of authentication server to use.
8. Click Save Settings.
MAC Authentication
MAC authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication requires that the MAC address of a machine matches a manually defined list of addresses. This authentication method is not recommended for scalable networks or for networks that require stringent security settings. MAC authentication can be used alone or combined with other forms of authentication such as WEP authentication.
Configuring MAC Authentication for a Network Profile
To configure MAC authentication for a wireless profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, select a network profile for which you want to enable MAC authentication and click the edit icon.
6. Under Security, for the Personal or Open security level, turn on the MAC Authentication toggle switch under Advanced Settings.
7. Specify the type of authentication server to use.
8. Click Save Settings.
MAC Authentication with 802.1X Authentication
Administrators can enable MAC authentication together with 802.1X authentication. MAC authentication shares all the authentication server configurations with 802.1X authentication. If a wireless or wired client connects to the network, MAC authentication is performed first. If MAC authentication fails, 802.1X authentication is not triggered. If MAC authentication is successful, 802.1X authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or the mac-auth-only role.
You can also configure the following authentication parameters for MAC and 802.1X authentication:
- MAC authentication only--Allows you to create a mac-auth-only role to allow role-based access rules when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.
- L2 authentication fall-through--Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, 802.1X authentication is allowed even if MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed after a MAC authentication failure. The l2-authentication-fallthrough mode is disabled by default.
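The MAC-then-802.1X role flow described above (MAC authentication first, 802.1X only on success unless fall-through is on, and the mac-auth-only versus deny-all outcome when 802.1X fails), as an added Python illustration that is not Aruba code. A constructed MAC allowlist stands in for the manually defined address list, the 802.1X result is passed in as a constructed RADIUS outcome, and the configuration field names and the `employee` role are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Added illustration of the MAC authentication with 802.1X role flow; not
# Aruba code. Everything except the deny-all and mac-auth-only role names
# is hypothetical.

DENY_ALL = "deny-all"
MAC_AUTH_ONLY = "mac-auth-only"


@dataclass
class L2AuthConfig:
    mac_auth_before_dot1x: bool = True    # Perform MAC Authentication Before 802.1X
    mac_auth_fail_through: bool = False   # MAC Authentication Fail Through
    mac_auth_only_role: Optional[str] = None  # MAC_AUTH_ONLY when that role is configured


@dataclass
class AuthResult:
    mac_auth_ok: Optional[bool]   # None when MAC authentication was not run
    dot1x_attempted: bool
    dot1x_ok: Optional[bool]      # None when 802.1X was not attempted
    role: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so list entries compare reliably."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_authenticate(mac: str, allowlist: Set[str]) -> bool:
    """MAC authentication: the address must match the manually defined list."""
    return normalize_mac(mac) in {normalize_mac(m) for m in allowlist}


def derive_role(cfg: L2AuthConfig, mac: str, allowlist: Set[str],
                dot1x_ok: bool, dot1x_role: str = "employee") -> AuthResult:
    """Walk MAC auth -> 802.1X -> role, honouring the two toggles.
    `dot1x_ok` is the constructed outcome the RADIUS server would return
    if 802.1X actually runs."""
    if not cfg.mac_auth_before_dot1x:
        # Plain 802.1X SSID: no MAC check, the 802.1X result decides the role.
        return AuthResult(None, True, dot1x_ok, dot1x_role if dot1x_ok else DENY_ALL)

    mac_ok = mac_authenticate(mac, allowlist)
    if not mac_ok and not cfg.mac_auth_fail_through:
        # MAC auth failed and fall-through is off: 802.1X never triggers.
        return AuthResult(False, False, None, DENY_ALL)

    # Either MAC auth passed, or fall-through allows 802.1X despite a failure.
    if dot1x_ok:
        # A successful 802.1X result always overrides mac-auth-only.
        return AuthResult(mac_ok, True, True, dot1x_role)
    if mac_ok and cfg.mac_auth_only_role:
        # MAC auth passed but 802.1X failed: land in the mac-auth-only role.
        return AuthResult(True, True, False, cfg.mac_auth_only_role)
    return AuthResult(mac_ok, True, False, DENY_ALL)


# Constructed allowlist; the address is a placeholder, not a real device.
SAMPLE_ALLOWLIST = {"00-11-22-AA-BB-CC"}

if __name__ == "__main__":
    for cfg in (L2AuthConfig(), L2AuthConfig(mac_auth_fail_through=True)):
        r = derive_role(cfg, "00:11:22:aa:bb:cd", SAMPLE_ALLOWLIST, dot1x_ok=True)
        print(cfg, "->", r.role, "802.1X attempted:", r.dot1x_attempted)
```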
Configuring MAC Authentication with 802.1X Authentication
To configure MAC authentication with 802.1X authentication for a wireless network profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, select a network profile for which you want to enable MAC and 802.1X authentication, and then click the edit icon.
6. Under Security, for the Enterprise security level, turn on the Perform MAC Authentication Before 802.1X toggle switch to use 802.1X authentication only when the MAC authentication is successful.
7. Turn on the MAC Authentication Fail Through toggle switch to use 802.1X authentication even when the MAC authentication fails.
8. Click Save Settings.
Captive Portal Authentication
Captive portal authentication is used for authenticating guest users. For more information, see Configuring Wireless Networks for Guest Users on IAPs.
MAC Authentication with Captive Portal Authentication
The following conditions apply to a network profile with MAC authentication and Captive Portal authentication enabled:
- If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations.
- If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.
- If the captive portal splash page type is None, MAC authentication is disabled.
- MAC authentication with captive portal authentication supports the mac-auth-only role.
Configuring MAC Authentication with Captive Portal Authentication
To configure the MAC authentication with captive portal authentication for a network profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, select an existing wireless profile for which you want to enable MAC authentication with captive portal authentication, and then click the edit icon.
6. Under Access, specify the following parameters for a network with Role Based rules:
   a. Select the Enforce Machine Authentication check box when MAC authentication is enabled for captive portal. If MAC authentication fails, the captive portal authentication role is assigned to the client.
   b. For a wireless network profile, turn on the Enforce MAC Auth Only Role toggle switch when MAC authentication is enabled for captive portal. After successful MAC authentication, the MAC Auth Only role is assigned to the client.
7. Click Next.
802.1X Authentication with Captive Portal Authentication
This authentication method allows you to configure different captive portal settings for clients on the same SSID. For example, you can configure an 802.1X SSID and create a role for captive portal access, so that some of the clients using the SSID derive the captive portal role. You can configure rules to indicate access to an external or internal captive portal, or none. For more information on configuring captive portal roles for an SSID with 802.1X authentication, see Configuring Wireless Networks for Guest Users on IAPs.
WISPr Authentication
WISPr authentication allows a smart client to authenticate on the network when it roams between wireless Internet service providers, even if the wireless hotspot uses an ISP with whom the client may not have an account. If a hotspot is configured to use WISPr authentication in a specific ISP and a client attempts to access the Internet at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and allows the client to access the network. If the client only has an account with a partner ISP, the WISPr AAA server forwards the client's credentials to the partner ISP's WISPr AAA server for authentication. When the client is authenticated on the partner ISP, it is also authenticated on your hotspot's own ISP as per their service agreements. The IAP assigns the default WISPr user role to the client when your ISP sends an authentication message to the IAP. IAPs support the following smart clients:
- iPass
- Boingo
These smart clients enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, authentication, and logoff messages within HTML messages that are sent to the IAP.
Configuring WISPr Authentication
To configure WISPr authentication, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the WISPr accordion.
7. Under WISPr, configure the following parameters:
   - ISO Country Code--The ISO Country Code for the WISPr Location ID.
   - E.164 Area Code--The E.164 Area Code for the WISPr Location ID.
   - Operator Name--The operator name of the hotspot.
   - E.164 Country Code--The E.164 Country Code for the WISPr Location ID.
   - SSID/Zone--The SSID/Zone for the WISPr Location ID.
   - Location Name--Name of the hotspot location. If no name is defined, the name of the IAP to which the user is associated is used.
8. Click Save Settings.
The WISPr RADIUS attributes and configuration parameters are specific to the RADIUS server used by your ISP for the WISPr authentication. Contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites (www.iso.org and http://www.itu.int).
A Boingo smart client uses a NAS identifier in the format <CarrierID>_<VenueID> for location identification. To support Boingo clients, ensure that you configure the NAS identifier parameter in the RADIUS server profile for the WISPr server.
Walled Garden
On the Internet, a walled garden typically controls access to web content and services. Walled garden access is required when an external captive portal is used. For example, in a hotel environment, unauthenticated users are allowed to navigate to a designated login page (for example, a hotel website) and all its contents. Users who do not sign up for the Internet service can view the allowed websites (typically hotel property websites). The website names must be DNS-based and support the option to define wildcards. When a user attempts to navigate to other websites that are not in the allowlist of the walled garden profile, the user is redirected to the login page. The IAP supports Walled Garden only for HTTP requests. For example, if you add yahoo.com to the Walled Garden allowlist and the client sends an HTTPS request (https://yahoo.com), the requested page is not displayed and the user is redirected to the captive portal login page. In addition, a denylisted walled garden profile can also be configured to explicitly block unauthenticated users from accessing some websites.
Configuring Walled Garden Access
To configure walled garden access, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Walled Garden accordion.
7. To allow access to a specific set of websites, click + under Allowlist, and enter the domain name in the New Allowlist window. This allows access to a domain while the user remains unauthenticated. Specify a POSIX regular expression (regex(7)). For example:
   - yahoo.com matches various domains such as news.yahoo.com, travel.yahoo.com, and finance.yahoo.com.
   - www.apple.com/library/test is a subset of the www.apple.com site corresponding to the path /library/test/*.
   - favicon.ico allows access to /favicon.ico from all domains.
8. To deny users access to a domain, click + under Denylist, and enter the domain name in the New Denylist window. This prevents unauthenticated users from viewing specific websites. When a URL specified in the denylist is accessed by an unauthenticated user, the IAP sends an HTTP 403 response to the client with an error message.
9. Click Save Settings.
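The walled garden behaviour described above, as an added example that is not code from this guide or from Aruba: a Python model of how one unauthenticated client request is treated under an allowlist and a denylist. Python's re module stands in for the POSIX regex the guide calls for; the denylist-before-allowlist ordering and the blocked.example domain are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed allowlist, using the three patterns from the guide's examples.
# They are matched as unanchored regular expressions against "host/path", so
# note that "yahoo\.com" also matches e.g. notyahoo.com; anchor with ^ and $
# where a profile must be strict.
ALLOWLIST = [
    r"yahoo\.com",                    # news.yahoo.com, travel.yahoo.com, ...
    r"www\.apple\.com/library/test",  # only the /library/test/* part of the site
    r"favicon\.ico",                  # /favicon.ico from any domain
]

# Constructed denylist (placeholder domain, not from the guide).
DENYLIST = [
    r"blocked\.example",
]


@dataclass
class Decision:
    action: str                 # "allow", "deny" (HTTP 403) or "redirect" (to captive portal)
    status: Optional[int] = None
    reason: str = ""


def _host_and_path(url: str) -> str:
    """Normalise a URL to the "host/path" string the patterns are matched against."""
    parts = urlsplit(url)
    return f"{parts.hostname or ''}{parts.path or '/'}"


def walled_garden_decision(url: str, authenticated: bool,
                           allowlist: List[str] = ALLOWLIST,
                           denylist: List[str] = DENYLIST) -> Decision:
    """Decide what the IAP does with one client request under a walled garden profile."""
    if authenticated:
        return Decision("allow", reason="client already passed the captive portal")

    if urlsplit(url).scheme != "http":
        # Walled Garden is evaluated for HTTP only: an HTTPS request is redirected
        # to the captive portal even when the host is on the allowlist.
        return Decision("redirect", reason="non-HTTP request")

    target = _host_and_path(url)

    # Assumption: an explicit denylist entry wins over the allowlist.
    for pattern in denylist:
        if re.search(pattern, target):
            return Decision("deny", status=403, reason=f"denylist match: {pattern}")

    for pattern in allowlist:
        if re.search(pattern, target):
            return Decision("allow", reason=f"allowlist match: {pattern}")

    return Decision("redirect", reason="not on the allowlist")
```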
Authentication Servers for IAPs
Based on the security requirements, you can configure internal or external RADIUS servers. This section describes the types of authentication servers and authentication termination, that can be configured for a network profile.
External RADIUS Server
In the external RADIUS server, the IP address of the Virtual Controller (VC) is configured as the NAS IP address. Aruba Central RADIUS is implemented on the VC, and this eliminates the need to configure multiple NAS clients for every Instant Access Point (IAP) on the RADIUS server for client authentication. Aruba Central RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the authentication request with an Access-Accept or Access-Reject message, and users are allowed or denied access to the network depending on the response from the RADIUS server.
When you enable an external RADIUS server for the network, the client on the IAP sends a RADIUS packet to the local IP address. The external RADIUS server then responds to the RADIUS packet.
Aruba Central On-Premises supports the following external authentication servers:
- RADIUS
- LDAP
To use an LDAP server for user authentication, configure the LDAP server on the VC, and configure user IDs and passwords.
To use a RADIUS server for user authentication, configure the RADIUS server on the VC.
RADIUS Server Authentication with VSA
An external RADIUS server authenticates network users and returns to the IAP the VSA that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.
Internal RADIUS Server
Each IAP has an instance of free RADIUS server operating locally. When you enable the internal RADIUS server option for the network, the client on the IAP sends a RADIUS packet to the local IP address. The internal RADIUS server listens and replies to the RADIUS packet.
The following authentication methods are supported in the Aruba Central network:
- EAP-TLS--The EAP-TLS method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and CA certificates installed on the IAP. The client certificate is verified on the virtual controller (the client certificate must be signed by a known CA) before the username is verified on the authentication server.
- EAP-TTLS (MSCHAPv2)--The EAP-TTLS method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords.
- EAP-PEAP (MSCHAPv2)--EAP-PEAP is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. PEAP authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. The exchange of information is encrypted inside the tunnel, ensuring that the user credentials are kept secure.
- LEAP--LEAP uses dynamic WEP keys for authentication between the client and authentication server.
To use the internal database of an IAP for user authentication, add the names and passwords of the users to be authenticated.
Aruba does not recommend the use of LEAP authentication because it does not provide any resistance to network attacks.

RADIUS Communication over TLS (RadSec)
RADIUS over TLS, also known as RadSec, is a RADIUS protocol that uses the TLS protocol for end-to-end secure communication between the RADIUS server and the IAP. RadSec wraps the entire RADIUS packet payload into a TLS stream. Enabling RadSec increases the level of security for authentication that is carried out across the cloud network. When configured, this feature ensures that the RadSec protocol is used for safely transmitting the authentication and accounting data between the IAP and the RadSec server. The following conditions apply to the RadSec configuration:
- The RADIUS packets go through the tunnel once the TLS tunnel is established.
- By default, TCP port 2083 is assigned for RadSec. Separate ports are not used for authentication, accounting, and dynamic authorization changes.
- Aruba Central supports dynamic CoA (RFC 3576) over RadSec, and the RADIUS server uses the existing TLS connection opened by the IAP to send the request.
- By default, the IAP uses its device certificate to establish a TLS connection with the RadSec server. You can also upload your custom certificates to the IAP. For more information on uploading certificates, see Mapping IAP Certificates.
Authentication Termination on IAP
Aruba Central allows EAP termination for PEAP-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Authentication Protocol version 2 (PEAP-MSCHAPv2). PEAP-GTC termination allows authorization against an LDAP server and an external RADIUS server, while PEAP-MSCHAPv2 allows authorization against an external RADIUS server. This allows users to run PEAP-GTC termination with their username and password to a local Microsoft Active Directory server with LDAP authentication.
- EAP-GTC--This EAP method permits the transfer of unencrypted usernames and passwords from client to server. EAP-GTC is mainly used for one-time token cards such as SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the IAP to an external authentication server for user data backup.
- EAP-MSCHAPv2--This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.
Dynamic Load Balancing between Authentication Servers
You can configure two authentication servers to serve as a primary and backup RADIUS server and enable load balancing between these servers. Load balancing of authentication servers ensures that the authentication load is split across multiple authentication servers and enables the IAPs to balance authentication requests destined to authentication servers such as RADIUS or LDAP. Load balancing in the IAP is performed based on the outstanding authentication sessions. If there are no outstanding sessions and the rate of authentication is low, only the primary server is used. The secondary server is used only if there are outstanding authentication sessions on the primary server. With this, load balancing can be performed across RADIUS servers of asymmetric capacity without the administrators having to supply information about the server capabilities.
Configuring External Authentication Servers for IAPs
You can configure an external RADIUS server, TACACS, and LDAP server for user authentication. You can configure guest network using External Captive Portal profile for external authentication.
To configure a server, complete the following procedure:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. In the Authentication Server panel, click + to create a new server.
7. Select any of the server types and configure the parameters for your deployment scenario described in Table 84.
8. Click Save.
To assign the authentication server to a network profile, select the newly added server when configuring security settings for a wireless or wired network profile.

You can also add an external RADIUS server when configuring a WLAN SSID profile.

The following table lists the authentication server configuration parameters.

Table 84: Authentication Server Configuration

RADIUS
- Name--Name of the external RADIUS server.
- Radsec--Set Radsec to Enabled to enable secure communication between the RADIUS server and the IAP by creating a TLS tunnel between the IAP and the server. If Radsec is enabled, the following configuration options are displayed:
  - Radsec Port--Communication port number for the RadSec TLS connection. By default, the port number is set to 2083.
  - NAS Identifier
  - NAS IP Address
  - Service Type Framed User
  - Query Status of RADIUS Servers (RFC 5997)
  - Dynamic Authorization
- IP Address/FQDN--IP address or the FQDN of the external RADIUS server.
- Auth Port--Authorization port number of the external RADIUS server. The default port number is 1812.
- Accounting Port--The accounting port number used for sending accounting records to the RADIUS server. The default port number is 1813.
- Shared Key and Retype Shared Key--Shared key for communicating with the external RADIUS server.
- NAS IP Address--Enter the IP address. For IAP-based cluster deployments, ensure that you enter the VC IP address as the NAS IP address.
- NAS Identifier--Use this to configure strings for RADIUS attribute 32, NAS Identifier, to be sent with RADIUS requests to the RADIUS server.
- Timeout--The timeout duration for one RADIUS request. The IAP retries sending the request several times (as configured in the Retry count) before the user is disconnected. For example, if the Timeout is 5 seconds and the Retry count is 3, the user is disconnected after 20 seconds. The default value is 5 seconds.
- Retry Count--The maximum number of authentication requests that can be sent to the server group by the IAP. You can specify a value within the range of 1-5. The default value is 3 requests.
- Dead Time--Specify a dead time for the authentication server in minutes. When two or more authentication servers are configured on the IAP and a server is unavailable, the dead time configuration determines the duration for which that authentication server remains marked as unavailable. If Dynamic RADIUS Proxy (DRP) is enabled on the IAPs, configure the following parameters:
  - DRP IP--IP address to be used as the source IP for RADIUS packets.
  - DRP MASK--Subnet mask of the DRP IP address.
  - DRP VLAN--VLAN in which the RADIUS packets are sent.
- Service Type Framed User--Select any of the following check boxes to send the service type as Framed User in the access requests to the RADIUS server:
  - 802.1X--Changes the service type to Framed User for 802.1X authentication.
  - MAC--Changes the service type to Framed User for MAC authentication.
  - Captive Portal--Changes the service type to Framed User for Captive Portal authentication.
- Query Status of RADIUS Servers (RFC 5997)--Select any of the following check boxes to detect the status of the RADIUS server:
  - Authentication--Select this check box so that the IAP sends a Status-Server request to determine the actual state of the authentication server before marking the server as unavailable.
  - Accounting--Select this check box so that the IAP sends a Status-Server request to determine the actual state of the accounting server before marking the server as unavailable.
- Dynamic Authorization--To allow the IAPs to process RFC 3576-compliant CoA and disconnect messages from the RADIUS server, select this check box. Disconnect messages terminate the user session immediately, whereas CoA messages modify session authorization attributes such as data filters. When you enable the Dynamic Authorization option, the AirGroup CoA Port field is displayed with the port number for sending Bonjour support CoA on a different port than the standard CoA port. The default value is 5999.

LDAP
- Name--Name of the LDAP server.
- IP Address--IP address of the LDAP server.
- Timeout--Timeout interval within a range of 1-30 seconds for one RADIUS request. The default value is 5.

LDAP (continued)
- Retry Count--The maximum number of authentication requests that can be sent to the server group. You can specify a value within the range of 1-5. The default value is 3.
- Auth Port--Authorization port number of the LDAP server. The default port number is 389.
- AdminDistinguishedName--A distinguished name for the admin user with read and search privileges across all the entries in the LDAP database (the admin user need not have write privileges, but must be able to search the database and read attributes of other users in the database).
- Admin Password and Retype Admin Password--Password for the admin user.
- BaseDistinguishedName--Distinguished name for the node that contains the entire user database.
- Filter--The filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*).
- Key Attribute--The attribute to use as a key while searching the LDAP server. For Active Directory, the value is sAMAccountName.

TACACS
- Name--Name of the server.
- IP Address--IP address of the server.
- Shared Key and Retype Key--The secret key to authenticate communication between the TACACS client and server.
- Timeout--A number between 1 and 30 seconds to indicate the timeout period for TACACS+ requests. The default value is 20 seconds.
- Retry Count--The maximum number of authentication attempts to be allowed. The default value is 3.
- Auth Port--The TCP port used by the server. The default port number is 49.
- Dead Time (in mins)--Specify a dead time for the authentication server in minutes. When two or more authentication servers are configured on the IAP and a server is unavailable, the dead time configuration determines the duration for which that authentication server remains marked as unavailable.
- Session Authorization--Enable this option to allow the authorization of sessions.

External Captive Portal
The external captive portal servers are used for authenticating guest users in a WLAN.
- Name--Enter a name for the profile.
- IP or Hostname--Enter the IP address or the host name of the external splash page server.
External Captive Portal (continued)
- URL--Enter the URL of the external captive portal server.
- Port--Enter the port number that is used for communicating with the external captive portal server.
- Authentication Type--Select any one of the following types of authentication:
  - Radius Authentication--Select this option to enable user authentication against a RADIUS server.
  - Authentication Text--Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.
- Use HTTPS--Select this to enforce clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected from the Authentication Type drop-down list.
- Captive Portal Failure--This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to let them access the network.
- Automatic URL Allowlisting--On enabling this for the external captive portal authentication, the URLs that unauthenticated users are allowed to access are automatically allowlisted.
- Server Offload--Select the check box to enable the server offload feature. The server offload feature ensures that non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.
- Prevent Frame Overlay--Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.
- Use VC IP in Redirect URL--Select this check box to use the virtual controller IP address as the redirect URL.
- Auth Text--If the External Authentication splash page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected from the Authentication Type drop-down list.
- Redirect URL--Specify a redirect URL if you want to redirect the users to another URL.

Dynamic Authorization Only
- Name--Name of the server.
- IP Address/FQDN--IP address or FQDN of the server.
- Shared Key and Retype Key--A shared key for communicating with the external RADIUS server. Change of Authorization (CoA) is a subset of Dynamic Authorization, which also includes disconnect messages.
- AirGroup CoA Port--A port number for sending Bonjour support CoA on a different port than the standard CoA port. The default value is 5999.

Creating Role Derivation Rules for IAP Clients
Aruba Central On-Premises allows you to configure role and VLAN derivation-rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID or a wired profile.
Creating a Role Derivation Rule
You can configure rules for determining the role that is assigned for each authenticated client.
When creating more than one role assignment rule, the first matching rule in the rule list is applied.
To create a role assignment rule, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
6. Click the Access tab.
7. Under Access rules, select Role Based to enable access based on user roles.
8. Under Role Assignment Rules, click +Add Role Assignment.
9. The New Role Assignment Rule pop-up window is displayed.
10. In New Role Assignment Rule, define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.
11. From the Attribute drop-down list, select the attribute that the rule matches against. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For a list of RADIUS attributes, see RADIUS Server Authentication with VSA.
12. Select the operator from the Operator drop-down list. The following types of operators are supported:
    - contains--The rule is applied only if the attribute value contains the string specified in Operand.
    - Is the role--The rule is applied if the attribute value is the role.
    - equals--The rule is applied only if the attribute value is equal to the string specified in Operand.
    - not-equals--The rule is applied only if the attribute value is not equal to the string specified in Operand.
    - starts-with--The rule is applied only if the attribute value starts with the string specified in Operand.
    - ends-with--The rule is applied only if the attribute value ends with the string specified in Operand.
    - matches-regular-expression--The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for WLAN clients.
13. Enter the string to match in the String box.
14. Select the appropriate role from the Role drop-down list.
15. Click Save.
Configuring VLAN Derivation Rules
Users are assigned to a VLAN based on the attributes returned by the RADIUS server after they authenticate. To configure VLAN derivation rules for an SSID profile:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
6. Under VLANs, select Dynamic under Client VLAN Assignment.
7. Click +Add Rule to create a VLAN assignment rule. The New VLAN Assignment Rule pop-up window is displayed. In the New VLAN Assignment Rule window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.
8. Select an attribute from the Attribute drop-down list.
9. Select an operator from the Operator drop-down list. The following types of operators are supported:
   - contains--The rule is applied only if the attribute value contains the string specified in Operand.
   - equals--The rule is applied only if the attribute value is equal to the string specified in Operand.
   - not-equals--The rule is applied only if the attribute value is not equal to the string specified in Operand.
   - starts-with--The rule is applied only if the attribute value starts with the string specified in Operand.
   - ends-with--The rule is applied only if the attribute value ends with the string specified in Operand.
   - matches-regular-expression--The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for WLAN clients.
10. Enter the string to match in the String field.
11. Select the appropriate VLAN ID from the VLAN drop-down list. Ensure that all other required parameters are configured.
12. Click OK.
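A rule evaluator for the role derivation and VLAN derivation procedures above, as an added example that is not code from this guide or from Aruba: it applies the first matching rule over the attributes returned by the authentication server, implements the operators the guide lists, and rejects matches-regular-expression on any attribute other than mac-address-and-dhcp-options. The reply attributes and rule lists are constructed for the example, and reading "Is the role" as "use the attribute value itself as the role" is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed RADIUS reply attributes for one authenticated client
# (illustrative names and values, not from a real server).
SAMPLE_REPLY = {
    "Aruba-User-Role": "employee",
    "Class": "OU=Finance,O=Example",
    "Filter-Id": "staff-finance",
}


@dataclass(frozen=True)
class Rule:
    attribute: str   # attribute name looked up in the server reply
    operator: str    # operator as listed in the guide
    operand: str     # string (or regex pattern) compared against the value
    result: str      # role name or VLAN ID assigned when the rule matches


OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda value, operand: operand in value,
    "equals": lambda value, operand: value == operand,
    "not-equals": lambda value, operand: value != operand,
    "starts-with": lambda value, operand: value.startswith(operand),
    "ends-with": lambda value, operand: value.endswith(operand),
    "matches-regular-expression": lambda value, operand: re.search(operand, value) is not None,
}
IS_THE_ROLE = "is-the-role"             # "Is the role": the attribute value names the role
REGEX_ONLY_ATTRIBUTE = "mac-address-and-dhcp-options"


def validate_rules(rules: List[Rule]) -> None:
    """Reject rule lists the UI would not accept: unknown operators, or a regex
    operator used with an attribute other than mac-address-and-dhcp-options."""
    for rule in rules:
        if rule.operator != IS_THE_ROLE and rule.operator not in OPERATORS:
            raise ValueError(f"unsupported operator: {rule.operator}")
        if rule.operator == "matches-regular-expression" and rule.attribute != REGEX_ONLY_ATTRIBUTE:
            raise ValueError(
                f"matches-regular-expression is only valid with the {REGEX_ONLY_ATTRIBUTE} attribute")


def derive(rules: List[Rule], attributes: Dict[str, str], default: str) -> str:
    """Return the role or VLAN from the first matching rule, else the default."""
    validate_rules(rules)
    for rule in rules:
        value = attributes.get(rule.attribute)
        if value is None:
            # An attribute the server did not return cannot match, even for
            # not-equals (assumption; the guide does not state this case).
            continue
        if rule.operator == IS_THE_ROLE:
            return value
        if OPERATORS[rule.operator](value, rule.operand):
            return rule.result
    return default


# Constructed rule lists. Order matters: the first matching rule wins, so the
# Filter-Id rule below never fires for SAMPLE_REPLY even though it would match.
ROLE_RULES = [
    Rule("Aruba-User-Role", "equals", "contractor", "contractor-restricted"),
    Rule("Class", "contains", "OU=Finance", "finance"),
    Rule("Filter-Id", "starts-with", "staff-", "employee"),
]
VLAN_RULES = [
    Rule("Class", "ends-with", "O=Example", "20"),
    Rule("Filter-Id", "not-equals", "staff-finance", "10"),
]
IOT_RULES = [
    Rule(REGEX_ONLY_ATTRIBUTE, "matches-regular-expression", r"^00:11:22", "iot"),
]

if __name__ == "__main__":
    print("role:", derive(ROLE_RULES, SAMPLE_REPLY, "default-role"))  # finance
    print("vlan:", derive(VLAN_RULES, SAMPLE_REPLY, "1"))             # 20
```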
Configuring User Accounts for the IAP Management Interface
You can configure RADIUS or TACACS authentication servers to authenticate and authorize the management users of an Instant Access Point (IAP). The authentication servers determine whether the user has access to the administrative interface. The privilege level for different types of management users is defined on the RADIUS or TACACS server. The IAPs map the management users to the corresponding privilege level and provide access to the users based on the attributes returned by the RADIUS or TACACS server.

In Aruba Central On-Premises, the IAP management user passwords are stored and displayed as a hash instead of plain text. The hash-mgmt-user command is enabled by default on the IAPs provisioned in the template and UI groups. If a pre-configured IAP joins Aruba Central and is moved to a new group, Aruba Central uses the hash-mgmt-user configuration settings and discards the mgmt-user configuration settings, if any, on the IAP. In other words, Aruba Central hashes management user passwords irrespective of the management user configuration settings running on an IAP.

To configure authentication parameters for local admin, read-only, and guest management administrator account settings, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Administrator accordion and configure the parameters described in Table 85.
7. Click Save Settings.
The following table lists the parameters to configure the IAP users.

Table 85: Configuration Parameters for the IAP Users

Type of the User: Client Control

Authentication Options and Steps to Follow:
- Internal--In the Authentication drop-down list, select Internal if you want to specify a single set of user credentials. If using an internal authentication server:
  1. In Username and Password, enter a username and password.
  2. In Retype Password, retype the password to confirm.
- Authentication Server--In the Authentication drop-down list, select the RADIUS or TACACS authentication servers. You can also create a new server by selecting New from the Authentication server drop-down list.
- Authentication Server with fallback to Internal--In the Authentication drop-down list, select the Authentication server with fallback to internal option if you want to use both internal and external servers. When enabled, the authentication switches to Internal if there is no response from the RADIUS server (RADIUS server timeout). To use this option, select the authentication servers from the Auth Server 1 and Auth Server 2 drop-down lists, and configure the user credentials for internal server based authentication:
  1. In Username and Password, enter a username and password.
  2. In Retype Password, retype the password to confirm.
- Authentication Server with fallback to Internal when timeout--In the Authentication drop-down list, select the Authentication server with fallback to internal when timeout option if you want to use both internal and external servers after a RADIUS server timeout. To use this option, select the authentication servers from the Auth Server 1 and Auth Server 2 drop-down lists, and configure the user credentials for internal server based authentication:
  1. In Username and Password, enter a username and password.
  2. In Retype Password, retype the password to confirm.
- Load Balancing--If two servers are configured, the users can use them in the primary or backup mode, or in load balancing mode. To enable load balancing, select Enabled from the Load balancing drop-down list. For more information on load balancing, see Authentication Servers for IAPs.
- TACACS Accounting--If a TACACS server is selected, enable TACACS accounting to report management commands, if required.

Type of the User: View Only

To configure a user account with the read-only privileges:
1. In Username and Password, enter a username and password.
2. In Retype Password, retype the password to confirm.

Guest Registration Only

To configure a guest user account with the read-only privileges:
1. In Username and Password, enter a username and password.
2. In Retype Password, retype the password to confirm.


Configuring Guest and Employee User Profiles on IAPs
The local database of an Instant Access Point (IAP) consists of a list of guest and employee users. Adding a user involves specifying login credentials for that user. The login credentials for these users are provided outside the Aruba Central system. A guest user can be a visitor who is temporarily using the enterprise network to access the Internet. If you do not want to allow access to the internal network and the Intranet, you can segregate the guest traffic from the enterprise traffic by creating a guest WLAN and specifying the required authentication, encryption, and access rules. An employee user is an employee who is using the enterprise network for official tasks. You can create employee WLANs, specify the required authentication, encryption, and access rules, and allow the employees to use the enterprise network.
The user database is also used when an IAP is configured as an internal RADIUS server. The local user database of APs can support up to 512 user entries, except on IAP-92 and IAP-93, which support only 256 user entries. If there are already 512 users, IAP-92 and IAP-93 will not be able to join the cluster.
To configure users, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click User For Internal Server.
7. In the Users pane, click the + icon.
8. In the Add User window, enter the following information, and then click OK.
- In the Username text-box, enter a username.
- In the Password text-box, enter the password.
- In the Retype text-box, retype the password to confirm.
- In the Type drop-down list, select a type of user.
9. To edit a user's settings:
a. In the Users pane, select the username to edit.
b. Click the edit icon to modify the user settings.
c. Click OK.
10. To delete a user:
a. In the Users pane, select the username to delete.
b. Click the delete icon.
c. Click OK.
11. To delete all users, select Delete All in the Users pane, and then click Yes.


Deleting a user only removes the user record from the user database, and will not disconnect the online user associated with the username.
Firewall and ACL Rules
The Aruba Central On-Premises firewall provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using the Aruba Central On-Premises firewall, you can enforce network access policies that define access to the network, the areas of the network that users may access, and the performance thresholds of various applications. Aruba Central On-Premises supports a role-based stateful firewall: it recognizes flows in a network and keeps track of the state of sessions. The firewall handles each packet according to the first rule that matches the packet. The firewall logs on the Instant Access Points (IAPs) are generated as syslog messages. The Aruba Central On-Premises firewall also supports Application Layer Gateway (ALG) functions such as the SIP, Vocera, Alcatel NOE, and Cisco Skinny protocols.
ACL Rules
You can use Access Control List (ACL) rules to either permit or deny data packets passing through the IAP. You can also limit packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses. You can create access rules to allow or block data packets that match the criteria defined in an access rule. You can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or block the network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to an IP address through the firewall. The IAP clients are associated with user roles, which determine the client's network privileges and the frequency at which clients re-authenticate. Aruba Central On-Premises supports the following types of ACLs:
- ACLs that permit or deny traffic based on the source IP address of the packet.
- ACLs that permit or deny traffic based on source or destination IP address, or source or destination port number.
You can configure up to 64 access control rules for a firewall policy.
Configuring Network Address Translation Rules
Network Address Translation (NAT) is the process of modifying network address information when packets pass through a routing device. The routing device acts as an agent between the public (the Internet) and private (local network), which allows translation of private network IP addresses to a public address space. Aruba Central On-Premises supports the NAT mechanism to allow a routing device to use the translation tables to map the private addresses into a single IP address and packets are sent from this address, so that they appear to originate from the routing device. Similarly, if the packets are sent to the private IP address, the destination address is translated as per the information stored in the translation tables of the routing device.

Support for Multiple PSK in WLAN SSID
Aruba Central On-Premises allows you to configure multiple PSK (MPSK) in WLAN network profiles that include APs running a minimum of Aruba InstantOS 8.4.0.0 firmware version and later. MPSK enhances the WPA2 PSK mode by allowing device-specific or group-specific passphrases, which are generated by ClearPass Policy Manager and sent to the Instant Access Point (IAP).
WPA2 PSK-based deployments generally consist of a single passphrase configured as part of the WLAN SSID profile. This single passphrase applies to all clients that associate with the SSID. Starting from Aruba InstantOS 8.4.0.0, multiple PSKs in conjunction with ClearPass Policy Manager are supported for WPA and WPA2 PSK-based deployments. Every client connected to the WLAN SSID can have its own unique PSK. An MPSK passphrase requires MAC authentication against a ClearPass Policy Manager server. The MPSK passphrase works only with wpa2-psk-aes encryption and not with any other PSK-based encryption. The Aruba-MPSK-Passphrase RADIUS VSA is added, and the ClearPass Policy Manager server populates this VSA with the encrypted passphrase for the device.
The workflow is as follows:
1. A user registers the device on a ClearPass Policy Manager guest-registration or device-registration webpage and receives a device-specific or group-specific passphrase.
2. The device associates with the SSID using wpa2-psk-aes encryption and uses the MPSK passphrase.
3. The IAP performs MAC authentication of the client against the ClearPass Policy Manager server. On successful MAC authentication, the ClearPass Policy Manager returns Access-Accept with the VSA containing the encrypted passphrase.
4. The IAP generates a PSK from the passphrase and performs the 4-way key exchange.
5. If the device uses the correct per-device or per-group passphrase, authentication succeeds. If the ClearPass Policy Manager server returns Access-Reject or the client uses an incorrect passphrase, authentication fails.
6. The IAP stores the MPSK passphrase in its local cache for client roaming. The cache is shared between all the IAPs within a single cluster. The cache can also be shared with standalone IAPs in a different cluster provided the IAPs belong to the same multicast VLAN. Each IAP first searches the local cache for the MPSK information. If the local cache has the corresponding MPSK passphrase, the IAP skips the MAC authentication procedure and provides access to the client.
When multiple PSK is enabled on the wireless SSID profile, make sure that MAC authentication is not configured for RADIUS authentication. Multiple PSK and MAC authentication are mutually exclusive; MPSK follows a special procedure that does not require enabling MAC authentication in the WLAN SSID manually. Also, ensure that the RADIUS server configured for the wireless SSID profile is not an internal server.
Points to Remember
The following configurations are mutually exclusive with MPSK for the WLAN SSID profile and do not need to be configured manually:
- MPSK and MAC authentication
- MPSK and Denylisting
- MPSK and internal RADIUS server
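The workflow above, reduced to code as an added example (this is not Aruba or HPE code and not how InstantOS is implemented): a dictionary stands in for the ClearPass Policy Manager registration database that returns the Aruba-MPSK-Passphrase VSA on MAC authentication, a second dictionary plays the cluster passphrase cache, and the PSK is derived from the passphrase the way WPA2-Personal defines it (IEEE 802.11 Annex J: PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 256-bit output). The 4-way handshake is reduced to a PMK comparison. MAC addresses, passphrases and the SSID are constructed sample values.

```python
"""Simulated MPSK association flow (added example, not Aruba/HPE code)."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed stand-in for the ClearPass registration database (MAC -> passphrase).
REGISTERED_DEVICES: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "warehouse-scanner-passphrase",
    "aa:bb:cc:00:00:02": "lobby-display-passphrase",
}


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Step 4 of the workflow: passphrase -> 256-bit PSK (the PMK), 802.11 Annex J.4.1."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def mac_auth_lookup(mac: str) -> Optional[str]:
    """Step 3: the MAC-authentication round trip. Returns the passphrase carried in
    the Access-Accept VSA, or None to model Access-Reject for an unregistered device."""
    return REGISTERED_DEVICES.get(mac.lower())


class MpskCluster:
    """One IAP cluster sharing a single MPSK passphrase cache (step 6)."""

    def __init__(self, ssid: str) -> None:
        self.ssid = ssid
        self.cache: Dict[str, str] = {}  # MAC -> passphrase learned from ClearPass

    def associate(self, mac: str, client_pmk: bytes) -> Tuple[bool, str]:
        """Return (success, reason). client_pmk is the PMK the station derived from
        the passphrase it holds; a wrong passphrase shows up as a PMK mismatch, which
        is what a failed 4-way handshake amounts to (step 5)."""
        mac = mac.lower()
        passphrase = self.cache.get(mac)
        source = "cache"
        if passphrase is None:
            # Cache miss: ask the RADIUS server (ClearPass) via MAC authentication.
            passphrase = mac_auth_lookup(mac)
            source = "mac-auth"
            if passphrase is None:
                return False, "Access-Reject: device not registered"
        expected_pmk = derive_psk(passphrase, self.ssid)
        if hmac.compare_digest(expected_pmk, client_pmk):
            self.cache[mac] = passphrase  # retained for roaming within the cluster
            return True, "associated via " + source
        return False, "4-way handshake failed: wrong passphrase"
```

The first association of a registered device goes through MAC authentication; the second one for the same MAC is served from the cache, which is the roaming shortcut described in step 6. A device whose MAC is unknown to the server is rejected before any key exchange, and a registered device presenting another device's passphrase fails the handshake.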
Configuring Multiple PSK for Wireless Networks
To configure multiple PSK for wireless networks, complete the following steps:


1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click WLANs tab. The WLANs detail page is displayed.
5. Click +Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. Click the Security tab.
7. Select Personal from the Security Level. The authentication options applicable to the Enterprise network are displayed.
8. From the Key Management drop-down list, select the MPSK-AES option.
9. From the Primary Server drop-down list, select a server. The RADIUS server selected from the list is the CPPM server.
10. Click Save Settings.
Enabling MPSK Local for Wireless Networks
To configure MPSK Local for wireless networks, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click WLANs tab. The WLANs detail page is displayed.
5. Click +Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. Click the Security tab.
7. Select Personal from the Security Level. The authentication options applicable to the personal network are displayed.
8. From the Key Management drop-down list, select the MPSK Local option.
9. From the MPSK Local drop-down list, select an MPSK Local profile.
MPSK Local feature is supported for Aruba InstantOS 8.7.0.0 or later versions. You cannot select an MPSK Local profile from the Mpsk Local drop-down list if the AP version is less than 8.7.0.0.
10. Click Save Settings.

Configuring an MPSK Local Profile
MPSK Local allows the user to configure 24 PSKs per SSID locally on the device. These local PSKs serve as an extension of the base MPSK functionality.
Configuring an MPSK Local Profile
To configure an MPSK Local profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the MPSK Local accordion.
7. In the MPSK Local window, click + and enter a name for the MPSK Local profile.
8. To create an MPSK Local passphrase, click + in the MPSK Local Passphrase table. The MPSK Local Passphrase pop-up window is displayed.
9. Enter the following information in the Mpsk Local Passphrase window:
- Name--Enter a name.
- Passphrase--Enter a passphrase.
- Retype Passphrase--Retype the passphrase to confirm.
- Role--Select a role from the drop-down list.
10. Click OK.
11. In the MPSK Local Passphrase window, select the MPSK Local passphrase name created in the previous step, and then click OK.
12. Click Save Settings.
Configuring WPA3 Encryption
Aruba Central On-Premises supports WPA3 encryption for security profiles in SSID creation for networks that include access points (APs) running Aruba InstantOS 8.4.0.0 firmware version and above. The WPA3 security provides robust protection with unique encryption per user session thereby ensuring a highly secured connection even on a public Wi-Fi hotspot. The following are the WPA3 encryptions based on the Enterprise, Personal, or Open network types:
- WPA-3 Enterprise when the security level is Enterprise.
- WPA-3 Personal when the security level is Personal.
- Enhanced Open when the security level is Open.
WPA3 Enterprise
WPA3-Enterprise enforces top secret security standards for an enterprise Wi-Fi, in comparison to secret security standards. Top secret security standards include:


- Deriving at least a 384-bit PMK/MSK using Suite B compatible EAP-TLS.
- Securing pairwise data between STA and authenticator using AES-GCM-256.
- Securing group addressed data between STA and authenticator using AES-GCM-256.
- Securing group addressed management frames using BIP-GMAC-256.
Aruba Instant supports WPA3-Enterprise only in non-termination 802.1X and tunnel-forward modes. WPA3-Enterprise compatible 802.1X authentication occurs between the STA and CPPM.
WPA3-Enterprise advertises or negotiates the following capabilities in beacons, probes response, or 802.11 association:
- AKM Suite Selector as 00-0F-AC:12
- Pairwise Cipher Suite Selector as 00-0F-AC:9
- Group data cipher suite selector as 00-0F-AC:9
- Group management cipher suite (MFP) selector as 00-0F-AC:12
If WPA3-Enterprise is enabled, STA is successfully associated only if it uses one of the four suite selectors for AKM selection, pairwise data protection, group data protection, and group management protection. If a STA mismatches any one of the four suite selectors, the STA association fails. To configure WPA3 for enterprise security, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click WLANs tab. The WLANs detail page is displayed.
5. Click +Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table, and then click the edit icon.
6. Click the Security tab.
7. Select Enterprise from the Security Level. The authentication options applicable to the Enterprise network are displayed.
8. Select one of the following from the Key Management drop-down list:
- WPA3-Enterprise(GCM 256)--Select this option to use WPA-3 security employing GCM encryption operation mode limited to encrypting 256 bits of plain text.
- WPA3-Enterprise(CCM 128)--Select this option to use WPA-3 security employing CCM encryption operation mode limited to encrypting 128 bits of plain text.
9. Click Save Settings.
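The suite-selector check described above (the STA must match all four selectors or the association fails), written out as an added example that is not Aruba or HPE code. It encodes the four WPA3-Enterprise selectors into the RSN element format of IEEE 802.11 (element ID 48: version, group data cipher, pairwise list, AKM list, RSN capabilities, PMKID list, group management cipher) and validates a station's RSN element against them. The station elements in the test are constructed samples; a real AP takes them from the (Re)Association Request.

```python
"""RSN element encoder/decoder and WPA3-Enterprise suite check (added example)."""
import struct
from typing import Dict, List, Optional

RSNE_ID = 48                         # Element ID of the RSN element
OUI_IEEE = bytes.fromhex("000fac")   # 00-0F-AC
MFPR, MFPC = 1 << 6, 1 << 7          # RSN Capabilities: MFP required / MFP capable


def selector(suite_type: int) -> bytes:
    """4-byte suite selector: OUI 00-0F-AC followed by the suite type."""
    return OUI_IEEE + bytes([suite_type])


# The four selectors listed in the text for WPA3-Enterprise (192-bit mode).
WPA3_ENTERPRISE_192: Dict[str, bytes] = {
    "akm": selector(12),         # 00-0F-AC:12  Suite B 802.1X, SHA-384
    "pairwise": selector(9),     # 00-0F-AC:9   GCMP-256
    "group_data": selector(9),   # 00-0F-AC:9   GCMP-256
    "group_mgmt": selector(12),  # 00-0F-AC:12  BIP-GMAC-256
}


def build_rsne(pairwise: List[bytes], akms: List[bytes],
               group_data: bytes, group_mgmt: bytes) -> bytes:
    """Encode an RSN element with MFP required and no PMKIDs."""
    body = struct.pack("<H", 1) + group_data                      # version 1, group data cipher
    body += struct.pack("<H", len(pairwise)) + b"".join(pairwise)  # pairwise cipher list
    body += struct.pack("<H", len(akms)) + b"".join(akms)          # AKM list
    body += struct.pack("<H", MFPC | MFPR)                         # RSN Capabilities
    body += struct.pack("<H", 0)                                   # PMKID count
    body += group_mgmt                                             # group management cipher
    return bytes([RSNE_ID, len(body)]) + body


def parse_rsne(elem: bytes) -> Dict[str, object]:
    """Decode an RSN element; raises ValueError on malformed or truncated input."""
    if len(elem) < 2 or elem[0] != RSNE_ID or elem[1] != len(elem) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = elem[2:], 0

    def u16() -> int:
        nonlocal pos
        if pos + 2 > len(body):
            raise ValueError("truncated RSN element")
        value, = struct.unpack_from("<H", body, pos)
        pos += 2
        return value

    def suites(count: int) -> List[bytes]:
        nonlocal pos
        if pos + 4 * count > len(body):
            raise ValueError("truncated suite list")
        out = [body[pos + 4 * i: pos + 4 * i + 4] for i in range(count)]
        pos += 4 * count
        return out

    version = u16()
    group_data = suites(1)[0]
    pairwise = suites(u16())
    akms = suites(u16())
    caps = u16()
    pmkid_count = u16()
    pos += 16 * pmkid_count                  # skip PMKIDs
    group_mgmt: Optional[bytes] = None
    if caps & MFPC and pos + 4 <= len(body):
        group_mgmt = body[pos:pos + 4]
    return {"version": version, "group_data": group_data, "pairwise": pairwise,
            "akms": akms, "caps": caps, "group_mgmt": group_mgmt}


def association_allowed(sta_rsne: bytes,
                        profile: Dict[str, bytes] = WPA3_ENTERPRISE_192) -> bool:
    """AP-side rule from the text: the station must select exactly the profile's AKM,
    pairwise, group data and group management suites; any one mismatch rejects it."""
    sta = parse_rsne(sta_rsne)
    return (sta["akms"] == [profile["akm"]]
            and sta["pairwise"] == [profile["pairwise"]]
            and sta["group_data"] == profile["group_data"]
            and sta["group_mgmt"] == profile["group_mgmt"])
```

A station that downgrades any single field, for example offering CCMP-128 (00-0F-AC:4) as the pairwise cipher or the SHA-1 802.1X AKM (00-0F-AC:1), is refused even though the other three selectors match, which is the behaviour the text describes.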
Configuring WPA3 for Personal Security
To configure WPA3 for personal security, complete the following steps:

1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click WLANs tab. The WLANs detail page is displayed.
5. Click +Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. Click the Security tab.
7. Select Personal from the Security Level. The authentication options applicable to the Personal network are displayed.
8. Select WPA3-Personal from the Key Management drop-down list.
9. Click Save Settings.
Intra VLAN Traffic Allowlist
The Intra VLAN Traffic Allowlist is a global allowlist for all WLAN SSIDs and wired networks configured with the feature. For servers to serve the network, you must add them to the Intra VLAN Traffic Allowlist using their IP or MAC address. When you configure wired servers with their IP address or MAC address, the Instant Access Point (IAP) allows client traffic to the destination MAC addresses.
Configuring a Wired Server with the IP Address
To configure a wired server with the IP address, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Intra VLAN Traffic Allowlist accordion.
7. In the Wired Server IP window, click + and enter the IP address of the server.
8. Click OK.
9. Click Save Settings.
To edit a wired server, select the IP address of the wired server in the Wired Server IP window, and then click the edit icon. To delete a wired server, select the IP address of the wired server in the Wired Server IP window, and then click the delete icon.


Configuring a Wired Server with the MAC Address
To configure a wired server with the MAC address, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Intra VLAN Traffic Allowlist accordion.
7. In the Wired Server MAC window, click + and enter the MAC address of the server.
8. Click OK.
9. Click Save Settings.
To edit a wired server, select the IP address of the wired server in the Wired Server MAC window, and then click the edit icon. To delete a wired server, select the IP address of the wired server in the Wired Server MAC window, and then click the delete icon.
Mapping IAP Certificates
When an Instant Access Point (IAP) joins a group that does not have a certificate, the IAP's existing certificate is retained. When an IAP joins a group that already has a certificate, the certificate of the IAP is overwritten by the group certificate. To map an IAP certificate name to a specific certificate type or category, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Expand the Certificate Usage accordion.
7. To map a certificate, for each usage type under Usage Type, select the suitable certificate from the Certificate drop-down list:
- Certificate Authority--To verify the identity of a client.
- Authentication Server--To verify the identity of the server to a client.
- Captive Portal--To verify the identity of the internal captive portal server.
- Radsec use EST Server--Turn on the Radsec use EST Server toggle switch to allow EST certificates to be used in RADSEC applications.
  - To enable Radsec use EST Server, you must enable EST Activate in EST Profile.
  - If Radsec use EST Server is enabled, RadSec and RadSec Certificate Authority will not be available in Certificate Usage.
- RadSec--To verify the identity of the TLS server.
- RadSec Certificate Authority--To verify the authentication between the IAP and the TLS server.
- Clearpass--To verify the identity of the ClearPass server.
- AP1X CA--Sets the CA certificate used for 802.1X authentication.
- AP1X Client Cert--Sets the certificate used for 802.1X authentication.
- WebCC CA Cert--Selects a CA certificate for WebCC.
- IOT CA Cert--Selects a CA certificate for IoT.
8. Click Save Settings.
Configuring an EST Profile
EST supports automatic enrollment of certificates with the EST Server. The certificates can now be enrolled or re-enrolled automatically by configuring an EST profile on the IAP. Certificate enrollment with EST allows you to use your own PKI instead of the factory or self-signed certificates available on the AP. This enables you to have maximum visibility and control over the management of the PKI used and can address any issues related to security in a scaled environment. To configure an EST profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one IAP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of IAPs is displayed in the List view.
3. Click the Config icon. The tabs to configure the IAPs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Expand the Certificate Usage > EST Profile accordion.
7. Configure the following parameters:
- EST Activate--Activates the EST profile.
- EST CA Certificate--Sets the EST CA Certificate from the drop-down list.
- Server Name/IP Address--Hostname of the EST server.
- Server Port--Indicates the port value of the EST server. The default value is 443.
- Arbitrary Label--Sets an arbitrary label for the EST URI to distinguish it from the other EST profiles running on the EST server.
- Arbitrary Label Enrollment--Sets an arbitrary enrollment label for the EST URL.
- Arbitrary Label Reenrollment--Sets an arbitrary re-enrollment label for the EST URL.
- Challenge Password--Sets a challenge password used in the CSR.
- Retype Challenge Password--Retype the challenge password used in the CSR.
- Trust Anchor--Denotes the server's trust anchor.
- Organizational Unit Name--Sets the organizational unit name.
- Username--Sets a username for the EST Client.
- Password--Sets a password for the EST Client.
- Retype Password--Retype the password for the EST Client.
8. Click Save Settings.
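To see what the label, port and credential fields of the profile above turn into on the wire, here is an added example (not Aruba or HPE code, and not the AP's implementation) that maps them onto the RFC 7030 URI layout an EST client requests: /.well-known/est/[label/]cacerts, simpleenroll and simplereenroll over HTTPS, with HTTP Basic credentials for the enrollment operations. Which of the three label fields applies to which URI, and the Basic-auth choice, are this example's assumptions; the host name and credentials are constructed.

```python
"""EST request addressing from profile fields (added example, not Aruba/HPE code)."""
import base64
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import quote

EST_OPERATIONS = ("cacerts", "simpleenroll", "simplereenroll")  # RFC 7030 section 3.2.2


@dataclass
class EstProfile:
    server: str                               # Server Name/IP Address
    port: int = 443                           # Server Port (default 443 per the profile)
    arbitrary_label: Optional[str] = None     # Arbitrary Label
    enrollment_label: Optional[str] = None    # Arbitrary Label Enrollment (assumed to apply to simpleenroll)
    reenrollment_label: Optional[str] = None  # Arbitrary Label Reenrollment (assumed to apply to simplereenroll)
    username: Optional[str] = None            # EST Client username
    password: Optional[str] = None            # EST Client password

    def _base(self, label: Optional[str]) -> str:
        path = "/.well-known/est/"
        if label:
            path += quote(label, safe="") + "/"   # label segment sits between est/ and the operation
        return "https://%s:%d%s" % (self.server, self.port, path)

    def url(self, operation: str) -> str:
        """URI for one EST operation, using the most specific label configured for it."""
        if operation not in EST_OPERATIONS:
            raise ValueError("unknown EST operation: " + operation)
        label = {
            "cacerts": self.arbitrary_label,
            "simpleenroll": self.enrollment_label or self.arbitrary_label,
            "simplereenroll": self.reenrollment_label or self.arbitrary_label,
        }[operation]
        return self._base(label) + operation

    def headers(self, operation: str) -> Dict[str, str]:
        """HTTP headers for the operation: PKCS#10 body and Basic auth for enrollment,
        nothing but the Accept header for the unauthenticated cacerts fetch."""
        headers = {"Accept": "application/pkcs7-mime"}
        if operation != "cacerts":
            headers["Content-Type"] = "application/pkcs10"
            headers["Content-Transfer-Encoding"] = "base64"
            if self.username and self.password:
                token = base64.b64encode(("%s:%s" % (self.username, self.password)).encode()).decode()
                headers["Authorization"] = "Basic " + token
        return headers
```

The cacerts URI is what the AP uses to bootstrap the CA chain, and the Trust Anchor from the profile is what it must validate the server's TLS certificate against before sending credentials to it; the challenge password from the profile travels inside the CSR body, not in a header.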
Configuring Roles and Policies on IAPs for User Access Control
Instant Access Points (IAPs) support identity-based access control to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using the IAP firewall policies, you can enforce network access policies to define access to the network, the areas of the network that the user may access, and the performance thresholds of various applications. IAPs support a role-based stateful firewall. In other words, the Instant firewall can recognize flows in a network and keep track of the state of sessions. The firewall logs on the IAPs are generated as syslog messages. The firewall feature also supports ALG functions such as SIP, Auto Topology Rules, Restrict Corporate Access, and Tunnel Trusted.
ACL Rules
You can use ACL rules to either permit or deny data packets passing through the IAP. You can also limit packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses. You can create access rules to allow or block data packets that match the criteria defined in an access rule. You can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or block the network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to an IP address through the firewall. The IAP clients are associated with user roles, which determine the client's network privileges and the frequency at which clients re-authenticate. IAP supports the following types of ACLs:
- ACLs that permit or deny traffic based on the source IP address of the packet.
- ACLs that permit or deny traffic based on source or destination IP address, or source or destination port number.
You can configure up to 64 access control rules for a firewall policy.
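The rule semantics described in the ACL Rules passage above (and in the identical passage under Firewall and ACL Rules earlier on the page) as an added example that is not Aruba or HPE code: rules are tried in order, the first rule whose service and destination match decides the action, and a policy holds at most 64 rules. The destination kinds follow the choices the access-rule dialog offers (all destinations, a particular server, except a server, a network, except a network); the "deny when nothing matches" default, the field names and the sample packets are this example's own constructions.

```python
"""First-match ACL evaluation with the 64-rule limit (added example, not Aruba/HPE code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

MAX_RULES = 64  # limit stated in the text


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", or an IP protocol number as text, e.g. "47"
    dst_ip: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    service: str = "any"             # "any", "tcp", "udp", or a protocol number as text
    port: Optional[int] = None       # destination port for tcp/udp; None means any port
    dst_kind: str = "all"            # "all", "server", "except-server", "network", "except-network"
    dst_value: Optional[str] = None  # IP address (server kinds) or CIDR (network kinds)

    def matches(self, pkt: Packet) -> bool:
        if self.service != "any":
            if self.service != pkt.proto:
                return False
            if self.service in ("tcp", "udp") and self.port is not None and self.port != pkt.dst_port:
                return False
        return self._destination_matches(pkt.dst_ip)

    def _destination_matches(self, dst_ip: str) -> bool:
        if self.dst_kind == "all":
            return True
        ip = ip_address(dst_ip)
        if self.dst_kind in ("server", "except-server"):
            hit = ip == ip_address(self.dst_value)
        elif self.dst_kind in ("network", "except-network"):
            hit = ip in ip_network(self.dst_value, strict=False)
        else:
            raise ValueError("unknown destination kind: " + self.dst_kind)
        # "except" kinds match everything other than the named server/network
        return (not hit) if self.dst_kind.startswith("except-") else hit


class Policy:
    """An ordered access-rule list for one role."""

    def __init__(self, rules: Iterable[Rule], default: str = "deny") -> None:
        self.rules: List[Rule] = list(rules)
        if len(self.rules) > MAX_RULES:
            raise ValueError("at most %d access rules per policy" % MAX_RULES)
        self.default = default  # assumption: traffic no rule matches is dropped

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, index of the first matching rule) or (default, None)."""
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, index
        return self.default, None


# Constructed sample policy: DNS anywhere, no TCP into the private range, everything else allowed.
SAMPLE_POLICY = Policy([
    Rule("allow", service="udp", port=53),
    Rule("deny", service="tcp", dst_kind="network", dst_value="10.0.0.0/8"),
    Rule("allow"),
])
```

Because evaluation stops at the first match, rule order is part of the policy: moving the final allow-all rule above the deny makes the deny unreachable, which is worth checking whenever a rule list is edited.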
Configuring Network Address Translation Rules
NAT is the process of modifying network address information when packets pass through a routing device. The routing device acts as an agent between the public (the Internet) and private (local network), which allows translation of private network IP addresses to a public address space. IAP supports the NAT mechanism to allow a routing device to use the translation tables to map the private addresses into a single IP address and packets are sent from this address, so that they appear to originate from the routing device. Similarly, if the packets are sent to the private IP address, the destination address is translated as per the information stored in the translation tables of the routing device. For more information, see:
- Configuring Network Service ACLs on page 384
- Configuring ACLs for Deep Packet Inspection on page 386
- Configuring User Roles for AP Clients on page 389
- Configuring Role Derivation Rules for AP Clients on page 391
- Configuring Firewall Parameters for Inbound Traffic on page 395
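The translation-table mechanism described above, as an added example that is not Aruba or HPE code: several private addresses are mapped onto one public address, outbound packets are rewritten so they appear to originate from the routing device, and replies are mapped back from the stored entry. Allocating a distinct public port per flow (port address translation) is this example's assumption about how the single public address is shared; the addresses are constructed from private and documentation ranges.

```python
"""Source NAT with a translation table (added example, not Aruba/HPE code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Maps many private (ip, port) pairs onto one public IP with per-flow public ports."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # outbound: (private ip, private port, dst ip, dst port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # inbound: (public port, remote ip, remote port) -> (private ip, private port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, flow: Flow) -> Flow:
        """Rewrite a private-side packet so it appears to come from the router."""
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        public_port = self.outbound.get(key)
        if public_port is None:
            public_port = self._next_port          # new flow: allocate a table entry
            self._next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return Flow(self.public_ip, public_port, flow.dst_ip, flow.dst_port)

    def translate_inbound(self, flow: Flow) -> Optional[Flow]:
        """Rewrite a reply addressed to the public IP back to the private host.
        Returns None when no table entry exists, i.e. unsolicited inbound traffic
        has nowhere to go and is dropped."""
        if flow.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((flow.dst_port, flow.src_ip, flow.src_port))
        if entry is None:
            return None
        private_ip, private_port = entry
        return Flow(flow.src_ip, flow.src_port, private_ip, private_port)
```

The inbound lookup keys on the remote endpoint as well as the public port, so a reply from a different host to an allocated port does not reach the private client; that is the same stateful property the page attributes to the firewall.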
Configuring Network Service ACLs
To configure access rules for network services, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Roles accordion.
7. Under Access Rules For Selected Roles, click + to add a new rule. The Access Rule window is displayed.
8. Under Rule Type, select Access Control.
9. To configure access to applications or application categories, select a service category from the following list:
- Network
- App Category
- Application
- Web Category
- Web Reputation
10. Based on the selected service category, configure the parameters described in Table 86.
11. Click Save to save the rules.
12. Click Save Settings.
The following table lists the access rule configuration parameters.


Table 86: Access Rule Configuration Parameters

Data Pane Item

Description

Rule Type

Select a rule type from the list, for example Access Control.

Service

Select a service from the list of available services. You can allow or deny access to any or all of the following services based on your requirement:
n Any--Access is allowed or denied to all services. n CUSTOM--Available options are TCP, UDP, and Other. If you select the TCP or UDP
options, enter appropriate port numbers. If you select the Other option, enter the
appropriate ID. If TCP and UDP uses the same port, ensure that you configure separate access rules to permit or deny access.

Action

Select any of following attributes: n Select Allow to allow access users based on the access rule. n Select Deny to deny access to users based on the access rule. n Select Destination-NAT to allow the changes to destination IP address. n Select Source-NAT to allow changes to the source IP address.

Destination

Select a destination option. You can allow or deny access to any the following destinations based on your requirements. n To all destinations--Access is allowed or denied to all destinations. n To a particular server--Access is allowed or denied to a particular server. After selecting
this option, specify the IP address of the destination server. n Except to a particular server--Access is allowed or denied to servers other than the
specified server. After selecting this option, specify the IP address of the destination server. n To a network--Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network. n Except to a network--Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network. n To a Domain Name--Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box. n To AP IP--Traffic to the specified IAP is allowed. After selecting this option, specify the domain name in the IP text box. n To AP IP all--Traffic to all IAP is allowed. After selecting this option, specify the domain name in the IP text box. n To AP Network--Traffic to the specified IAP network is allowed. After selecting this option, specify the domain name in the IP text box. n To conductor IP--Traffic to the specified conductor IAP or virtual controller is allowed. After selecting this option, specify the domain name in the IP text box.

Log

Select Log to create a log entry when this rule is triggered. The Aruba Central firewall supports firewall based logging. Firewall logs on the IAPs are generated as security logs.

Denylist

Select Denylist to denylist the client when this rule is triggered. The denylisting lasts for the duration specified as Auth failure denylist time on the Denylisting tab of the Security window.

Managing APs | 385


Disable Scanning

Select Disable Scanning to disable ARM scanning when this rule is triggered. The selection of the Disable Scanning applies only if ARM scanning is enabled.

DSCP TAG

Select DSCP TAG to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63.

802.1p priority

Select 802.1p priority to specify an 802.1p priority. Specify a value between 0 and 7.

Time Range

Select this check-box to allow a specific user to access the network for a specific time range. You can select the time range profile from the drop-down list that appears when the Time Range check box is selected.

Configuring ACLs for Deep Packet Inspection
To configure ACL rules for a user role for Deep Packet Inspection (DPI), complete the following procedure:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Under Roles, select the role for which you want to configure access rules.
7. Under Access Rules For Selected Roles, click + to add a new rule. The Access Rule window is displayed.
8. Under Rule Type, select Access Control.
9. To configure access to applications or application categories, select a service category from the following list:
   - Network
   - App Category
   - Application
   - Web Category
   - Web Reputation
10. Based on the selected service category, configure the parameters in Table 87.
11. Click Save to save the access rules.
12. Click Save Settings.
The following table lists the access rule configuration parameters.

Aruba Central On-Premises 2.5.6 | User Guide

386

Table 87: Access Rule Configuration Parameters

Service category

Description

App Category

Select the application categories to which you want to allow or deny access.

Application

Select the applications to which you want to allow or deny access.

Application Throttling

Application throttling allows you to set a bandwidth limit for an application and application categories. For example, you can limit the bandwidth rate for video streaming applications such as YouTube or Netflix, or assign a low bandwidth to high risk sites. To specify a bandwidth limit:
- Select the Application Throttling check box.
- Specify the Downstream and Upstream rates in Kbps per user.

Action

Select one of the following actions:
- Destination-NAT--Translation of the destination IP address of a packet entering the network.
- Source-NAT--Used by internal users to access the internet.
- Allow--Select Allow to allow access to users based on the access rule.
- Deny--Select Deny to deny access to users based on the access rule.

Destination

Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.
- To all destinations--Access is allowed or denied to all destinations.
- To a particular server--Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
- Except to a particular server--Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
- To a network--Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
- Except to a network--Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
- To a Domain Name--Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.
- To AP IP--Traffic to the specified IAP is allowed. After selecting this option, specify the domain name in the IP text box.
- To AP IP all--Traffic to all IAPs is allowed. After selecting this option, specify the domain name in the IP text box.
- To AP Network--Traffic to the specified IAP network is allowed. After selecting this option, specify the domain name in the IP text box.
- To conductor IP--Traffic to the specified conductor IAP or virtual controller is allowed. After selecting this option, specify the domain name in the IP text box.

Log

Select this check box if you want a log entry to be created when this rule is triggered. Aruba Central supports firewall based logging. Firewall logs on the IAPs are generated as security logs.


Denylist

Select the Denylist check box to denylist the client when this rule is triggered. The denylisting lasts for the duration specified as Auth failure denylist time on the Denylisting tab of the Security window.

Disable Scanning

Select the Disable Scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable Scanning applies only if ARM scanning is enabled.

DSCP Tag

Select this check box to add a DSCP tag to the rule. DSCP is an L3 mechanism for classifying and managing network traffic and providing QoS on the network. To assign a higher priority, specify a higher value.

802.1p priority

Select this check box to enable 802.1p priority. 802.1p priority is an L2 protocol for traffic prioritization to manage QoS on the network. There are eight levels of priority, 0-7. To assign a higher priority, specify a higher value.

Time Range

Select this check box to allow a user to access the network for a specific time period. You can select the time range profile from the drop-down list that appears when the Time Range check box is selected.

Configuring ACLs on APs for Website Content Classification
You can configure web policy enforcement on an access point (AP) to block certain categories of websites based on your organization's specifications by defining ACL rules. To configure ACLs for website content classification, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab.
6. Under Roles, select the role to modify.
7. Under Access Rules For Selected Roles, click + to add a new rule. The Access Rule window is displayed.
8. Under Rule Type, select Access Control.
9. Configure the following on the Access Rule window.
   a. To set an access policy based on web categories:
      i. Under Service, select Web Category.
      ii. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.
      iii. Under Action, select Allow or Deny.
      iv. Click Save to save the rules.
   b. To filter access based on the security ratings of the website:
      i. Select Web Reputation under Service.
      ii. Move the slider to select a specific web reputation value to deny access to websites with a reputation value lower than or equal to the configured value, or to permit access to websites with a reputation value higher than or equal to the configured value. The following options are available:
         - Trustworthy Web Reputation Index--These are well known sites with strong security practices and may not expose the user to security risks. There is a very low probability that the user will be exposed to malicious links or payloads.
         - Low Risk Web Reputation Index--These are benign sites and may not expose the user to security risks. There is a low probability that the user will be exposed to malicious links or payloads.
         - Moderate Web Reputation Index--These are generally benign sites, but may pose a security risk. There is some probability that the user will be exposed to malicious links or payloads.
         - Suspicious Web Reputation Index--These are suspicious sites. There is a higher than average probability that the user will be exposed to malicious links or payloads.
         - High Risk Web Reputation Index--These are high risk sites. There is a high probability that the user will be exposed to malicious links or payloads.
      iii. Under Action, select Allow or Deny as required.
10. To set a bandwidth limit based on web category or web reputation score, select the Application Throttling check box and specify the downstream and upstream rates in Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high risk sites.
11. If required, select the following check boxes:
   - Denylist--Select this check box to denylist the client when this rule is triggered. The denylisting lasts for the duration specified as Auth Failure Denylist Time on the Denylisting pane of the Security window. For more information, see Denylisting IAP Clients.
   - Disable Scanning--Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Parameters.
   - DSCP Tag--Select this check box to add a DSCP tag to the rule. DSCP is an L3 mechanism for classifying and managing network traffic and providing QoS on the network. To assign a higher priority, specify a higher value.
   - 802.1p priority--Select this check box to enable 802.1p priority. 802.1p priority is an L2 protocol for traffic prioritization to manage QoS on the network. There are eight levels of priority, 0-7. To assign a higher priority, specify a higher value.
12. Click Save to save the rules.
13. Click Save Settings in the Roles pane to save the changes to the role for which you defined ACL rules.
Configuring User Roles for AP Clients
Every client in the Aruba Central On-Premises network is associated with a user role, which determines the client's network privileges, the frequency of re-authentication, and the applicable bandwidth contracts. The user role configuration on an Instant Access Point (IAP) involves the following procedures:

- Creating a User Role
- Configuring User Roles for AP Clients
Creating a User Role
To create a user role, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Roles accordion.
7. In the Roles pane, click +.
8. In the Add Role window, enter a name for the new role in Roles, and then click OK to save the role.
9. Click Save Settings.
You can also create a user role when configuring a wireless profile. For more information, see Configuring Wireless Network Profiles on IAPs.
Assigning Bandwidth Contracts to User Roles
The administrators can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts to user roles. The administrator can assign a bandwidth contract configured in Kbps to upstream (client to the IAP) or downstream (IAP to clients) traffic for a user role. The bandwidth contract will not be applicable to the user traffic on the bridged out (same subnet) destinations. For example, if clients are connected to an SSID, you can restrict the upstream bandwidth rate allowed for each user to 512 Kbps. By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic. The assigned bandwidth will be served and shared among all the users. You can also assign bandwidth per user to provide every user a specific bandwidth within a range of 1 to 65535 Kbps. If there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed. To assign bandwidth contracts to a user role, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.


4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Roles accordion.
7. Create a user role or select an existing role.
8. In the Access Rules For Selected Roles pane, click +.
9. In the Access Rule window, select Bandwidth Contract under Rule Type.
10. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select Per User.
11. Click Save to save the access rules and associate the user role to a WLAN SSID or wired profile.
12. Click Save Settings.
You can also create a user role and assign bandwidth contracts while configuring an SSID.
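The following Python model is added here to illustrate the difference between a shared and a per-user bandwidth contract; it is not code from the Aruba Central On-Premises guide or product. It assumes a token-bucket enforcement model, that 1 Kbps is 1000 bit/s, and a one-second burst allowance, none of which the guide specifies; the 1 to 65535 Kbps range and the shared-versus-per-user semantics are taken from the text above.

```python
"""Added example (not Aruba code): a token-bucket model of the bandwidth
contracts described above, shared per role or applied per user.

Assumptions (not stated in the guide): enforcement is a token bucket,
1 Kbps = 1000 bit/s, and the burst allowance is one second of the rate.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

MIN_KBPS, MAX_KBPS = 1, 65535   # per-user contract range given in the guide


@dataclass(frozen=True)
class BandwidthContract:
    kbps: int        # contracted rate for one traffic direction (upstream or downstream)
    per_user: bool   # True: every user gets kbps; False: all users of the role share kbps

    def __post_init__(self) -> None:
        if not MIN_KBPS <= self.kbps <= MAX_KBPS:
            raise ValueError(f"rate must be {MIN_KBPS}-{MAX_KBPS} Kbps, got {self.kbps}")

    @property
    def bytes_per_second(self) -> float:
        return self.kbps * 1000 / 8


class ContractEnforcer:
    """Admits or drops a frame for one traffic direction under one contract."""

    def __init__(self, contract: BandwidthContract, burst_seconds: float = 1.0):
        self.contract = contract
        self.capacity = contract.bytes_per_second * burst_seconds
        # bucket key -> (available bytes, time of last refill)
        self._buckets: Dict[str, Tuple[float, float]] = {}

    def _key(self, user: str) -> str:
        # A per-user contract keeps one bucket per client; a shared contract
        # uses a single bucket for the whole role.
        return user if self.contract.per_user else "<role>"

    def admit(self, user: str, nbytes: int, now: float) -> bool:
        key = self._key(user)
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.contract.bytes_per_second)
        if nbytes <= tokens:
            self._buckets[key] = (tokens - nbytes, now)
            return True
        self._buckets[key] = (tokens, now)   # over contract: drop, keep the refill time
        return False


def demo() -> Dict[str, bool]:
    """Constructed scenario: two clients each send 40 000 bytes at t=0 under a
    512 Kbps contract (64 000 bytes/s), first shared, then per user."""
    shared = ContractEnforcer(BandwidthContract(512, per_user=False))
    per_user = ContractEnforcer(BandwidthContract(512, per_user=True))
    return {
        "shared_a": shared.admit("client-a", 40_000, 0.0),        # fits the role bucket
        "shared_b": shared.admit("client-b", 40_000, 0.0),        # only 24 000 bytes left: dropped
        "shared_b_later": shared.admit("client-b", 40_000, 1.0),  # refilled after one second
        "per_user_a": per_user.admit("client-a", 40_000, 0.0),    # own bucket
        "per_user_b": per_user.admit("client-b", 40_000, 0.0),    # own bucket, independent of a
    }
```

The scenario shows why the Per User option matters: under a shared contract the second client is throttled as soon as the first has used the role's allowance, while per-user contracts give each client the full rate.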
Configuring Role Derivation Rules for AP Clients
Aruba Central On-Premises allows you to configure role and VLAN derivation-rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID or a wired profile.
Creating a Role Derivation Rule
You can configure rules for determining the role that is assigned for each authenticated client.
When creating more than one role assignment rule, the first matching rule in the rule list is applied.
To create a role assignment rule, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
6. Click the Access tab.
7. Under Access rules, select Role Based to enable access based on user roles.
8. Under Role Assignment Rules, click +Add Role Assignment. In New Role Assignment Rule, define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.
9. From the Attribute list, select the attribute that the rule matches against. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options.

10. Select the operator from the Operator list. The following types of operators are supported:
   - contains--The rule is applied only if the attribute value contains the string specified in Operand.
   - Is the role--The rule is applied if the attribute value is the role.
   - equals--The rule is applied only if the attribute value is equal to the string specified in Operand.
   - not-equals--The rule is applied only if the attribute value is not equal to the string specified in Operand.
   - starts-with--The rule is applied only if the attribute value starts with the string specified in Operand.
   - ends-with--The rule is applied only if the attribute value ends with the string specified in Operand.
   - matches-regular-expression--The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for WLAN clients.
11. Enter the string to match in the String box.
12. Select the appropriate role from the Role list.
13. Click Save.
Configuring VLAN Assignment Rule
To configure VLAN assignment rules for an SSID profile:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
6. Click the Access tab.
7. Select the access rule from Access rules.
8. In the Access Rules For Selected Roles, click + Add Rule to add a new rule. The Access Rule page is displayed.
The VLAN Assignment option is also listed in the Access Rule page when you create or edit a rule for wired port profiles in the Ports > Create a New Network > Access tab.
9. From the Rule Type drop-down list, select the VLAN Assignment option.
10. Enter the VLAN ID in the VLAN ID field under the Service section. Alternatively, you can select the VLAN ID or the VLAN name from the drop-down list provided next to the VLAN ID field.
11. Click Save.


Configuring VLAN Derivation Rules
The users are assigned to a VLAN based on the attributes returned by the RADIUS server after users authenticate. To configure VLAN derivation rules for an SSID profile:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
6. Under VLANs, select Dynamic under Client VLAN Assignment.
7. Click + Add Rule to create a VLAN assignment rule. The New VLAN Assignment Rule window is displayed. In this window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.
8. Select an attribute from the Attribute list.
9. Select an operator from the Operator list. The following types of operators are supported:
   - contains--The rule is applied only if the attribute value contains the string specified in Operand.
   - equals--The rule is applied only if the attribute value is equal to the string specified in Operand.
   - not-equals--The rule is applied only if the attribute value is not equal to the string specified in Operand.
   - starts-with--The rule is applied only if the attribute value starts with the string specified in Operand.
   - ends-with--The rule is applied only if the attribute value ends with the string specified in Operand.
   - matches-regular-expression--The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for the WLAN clients.
10. Enter the string to match in the String field.
11. Select the appropriate VLAN ID from VLAN. Ensure that all other required parameters are configured.
12. Click OK.
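The following Python example is added here to show how the role derivation rules and VLAN derivation rules above are evaluated: the same operator set applies to both, and the first matching rule in list order wins. It is not code from the Aruba Central On-Premises guide or product. The attribute dictionary stands in for the values the authentication server returns, the combined mac-address-and-dhcp-options value is a constructed string (the guide does not give its exact format), the rule and attribute names are constructed, and the "Is the role" operator is left out because the guide does not describe its operand.

```python
"""Added example (not Aruba code): first-match evaluation of role and VLAN
derivation rules with the operators listed in the guide."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "contains":    lambda value, operand: operand in value,
    "equals":      lambda value, operand: value == operand,
    "not-equals":  lambda value, operand: value != operand,
    "starts-with": lambda value, operand: value.startswith(operand),
    "ends-with":   lambda value, operand: value.endswith(operand),
    "matches-regular-expression":
                   lambda value, operand: re.search(operand, value) is not None,
}
# The guide restricts the regex operator to this one attribute.
REGEX_ONLY_ATTRIBUTE = "mac-address-and-dhcp-options"


@dataclass(frozen=True)
class DerivationRule:
    attribute: str   # a RADIUS attribute name, "mac-address", "dhcp-option", ...
    operator: str    # one of OPERATORS
    operand: str     # the String / Operand field
    result: str      # role name (role rules) or VLAN ID (VLAN rules)


def validate(rules: List[DerivationRule]) -> None:
    """Reject rules the UI would not accept: unknown operators, the regex
    operator on any other attribute, and patterns that do not compile."""
    for i, rule in enumerate(rules):
        if rule.operator not in OPERATORS:
            raise ValueError(f"rule {i}: unknown operator {rule.operator!r}")
        if rule.operator == "matches-regular-expression":
            if rule.attribute != REGEX_ONLY_ATTRIBUTE:
                raise ValueError(f"rule {i}: regex matching is only available for {REGEX_ONLY_ATTRIBUTE}")
            re.compile(rule.operand)   # fail at configuration time, not at client login


def derive(rules: List[DerivationRule], attrs: Dict[str, str], default: str) -> str:
    """Return the result of the first matching rule, or default when none match.
    A rule whose attribute the server did not return cannot match."""
    validate(rules)
    for rule in rules:
        value = attrs.get(rule.attribute)
        if value is None:
            continue
        if OPERATORS[rule.operator](value, rule.operand):
            return rule.result
    return default


# Constructed rule lists; order matters because the first match wins.
ROLE_RULES = [
    DerivationRule("Filter-Id", "equals", "staff", "employee"),
    DerivationRule("Filter-Id", "starts-with", "guest", "guest"),
    DerivationRule(REGEX_ONLY_ATTRIBUTE, "matches-regular-expression", r"^00:11:22", "iot-camera"),
]
VLAN_RULES = [
    DerivationRule("Tunnel-Private-Group-Id", "equals", "20", "20"),
    DerivationRule("dhcp-option", "contains", "printer", "30"),
]
```

Ordering is the point to check when more than one rule can match the same client: with the constructed lists, a client whose Filter-Id is "staff" gets the employee role even when its MAC also matches the camera rule, because the equals rule is listed first.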
Configuring Firewall Parameters for Wireless Network Protection
To configure firewall settings, complete the following steps:

1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Firewall Settings accordion.
7. Turn on the toggle switch to enable SIP, Auto Topology Rules, Restrict Corporate Access, and Tunnel Trusted protocols.
8. Under Protection, in the Protection Against Wired Attacks section, enable the following options:
   - Drop Bad ARP--Drops the fake ARP packets.
   - Fix Malformed DHCP--Fixes the malformed DHCP packets.
   - ARP Poison Check--Triggers an alert on ARP poisoning caused by the rogue APs.
Configuring Management Subnets
You can configure subnets to ensure that the IAP management is carried out only from these subnets. When the management subnets are configured, Telnet, SSH, and UI access is restricted to these subnets only. To configure management subnets, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Firewall Settings accordion.
7. In the Management Subnets pane, to add a new management subnet, complete the following steps:
   a. Enter the subnet address in the Subnet field.
   b. Enter the subnet mask in the Mask field.
   c. Click Add.
8. Click Save Settings.
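The following Python example is added to show the effect of the management subnet list above as a check on the source address of a Telnet, SSH or UI session; it is not code from the Aruba Central On-Premises guide or product. Entries are (Subnet, Mask) pairs as typed into the two fields; the subnet values, the audit helper and the constructed session list are assumptions for this example. It also rejects a subnet entry whose host bits are set, a check the guide does not mention.

```python
"""Added example (not Aruba code): management-subnet restriction modelled as a
source-address check, with validation of the Subnet / Mask entries."""
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def build_management_subnets(entries: Iterable[Tuple[str, str]]) -> List[Network]:
    """Turn (Subnet, Mask) field values into network objects.
    strict=True rejects entries such as 10.10.0.5/255.255.255.0 whose host
    bits are set, which usually means a host address was typed by mistake."""
    nets: List[Network] = []
    for subnet, mask in entries:
        try:
            nets.append(ipaddress.ip_network(f"{subnet}/{mask}", strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid management subnet {subnet}/{mask}: {exc}") from exc
    return nets


def management_access_allowed(src_ip: str, subnets: List[Network]) -> bool:
    """True when a session from src_ip may reach Telnet, SSH or the UI.
    With no subnets configured the guide describes no restriction, so every
    source is allowed; once at least one subnet exists, only members of a
    configured subnet are allowed."""
    if not subnets:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in subnets)


def refused_sessions(attempts: Iterable[Tuple[str, str]], subnets: List[Network]) -> List[Tuple[str, str]]:
    """Constructed helper: the (source, service) pairs the restriction would refuse."""
    return [(src, svc) for src, svc in attempts if not management_access_allowed(src, subnets)]


# Constructed configuration and session list.
MGMT_SUBNETS = build_management_subnets([
    ("10.10.0.0", "255.255.255.0"),
    ("192.168.100.0", "255.255.255.0"),
])
SESSIONS = [
    ("10.10.0.42", "ssh"),
    ("192.168.100.7", "https"),
    ("203.0.113.9", "ssh"),
    ("203.0.113.9", "telnet"),
]
```

Running refused_sessions(SESSIONS, MGMT_SUBNETS) lists the two sessions from 203.0.113.9, which is outside both configured subnets.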


Configuring Custom Redirection URLs for IAP Clients
You can create a list of URLs to redirect users to when they access the blocked websites. You can define an access rule to use these redirect URLs and assign the rule to a user role in the WLAN network.
Creating a List of Error Page URLs
To create a list of error page URLs, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Under Custom Blocked Page URL, click + and enter the URL to block.
7. Repeat the procedure to add more URLs. You can add up to 8 URLs to the list of blocked web pages.
8. Click OK to save the URL.
9. Click Save Settings.
Configuring ACL Rules to Redirect Users to a Specific URL
To configure ACL rules to redirect users to a specific URL, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Under Roles, select the role for which you want to configure access rules.
7. Click + in the Access Rules section.
8. In the New Rule window, select the rule type as Blocked Page URL.
9. Select the URLs from the existing list of custom redirect URLs. To add a new URL, click +.
10. Click Save to save the rules.
11. Click Save Settings.
Configuring Firewall Parameters for Inbound Traffic
Instant Access Points (IAPs) support an enhanced inbound firewall for the traffic that flows into the network through the uplink ports of an IAP.

To configure the firewall rules, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Firewall Settings accordion.
7. In the Access Rule section, click the + icon. The Inbound Firewall page is displayed.
8. In the Inbound Firewall page, configure the parameters described in Table 88.
9. Click Ok.
10. Click Save Settings.

For all subnets, a deny rule is created by default as the last rule. If at least one rule is configured, the deny all rule is applied to the upstream traffic by default. The inbound firewall is not applied to traffic coming through the GRE tunnel.

The following table lists inbound firewall rule configuration parameters.

Table 88: Inbound Firewall Rule Configuration Parameters

Parameter

Description

Service

Select a service from the list of available services. You can allow or deny access to any or all of the services based on your requirement:
- Any--Access is allowed or denied to all services.
- Custom--Customize the access based on available options such as TCP, UDP, and other options. If you select the TCP or UDP options, enter appropriate port numbers. If the Other option is selected, ensure that an appropriate ID is entered.

Action

Select any of the following actions:
- Select Allow to allow user access based on the access rule.
- Select Deny to deny user access based on the access rule.
- Select Destination-NAT to allow making changes to the destination IP address and the port.
- Select Source-NAT to allow making changes to the source IP address.
The destination NAT and source NAT actions apply only to the network services rules.

Source

Select any of the following options:
- From all sources--Traffic from all sources is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
- From a particular host--Traffic from a particular host is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the host.
- From a network--Traffic from a particular network is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask of the source network.

Destination

Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.
- To all destinations--Traffic for all destinations is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
- To a particular server--Traffic to a specific server is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the destination server.
- Except to a particular server--Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
- To a network--Traffic to the specified network is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask for the destination network.
- Except to a network--Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
- To a Domain name--Traffic to the specified domain is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the domain name in the Domain Name text box.
- To AP IP--Traffic to the specified IAP is allowed. After selecting this option, specify the domain name in the IP text box.
- To AP Network--Traffic to the specified IAP network is allowed. After selecting this option, specify the domain name in the IP text box.
- To conductor IP--Traffic to the specified conductor IAP or virtual controller is allowed. After selecting this option, specify the domain name in the IP text box.

Log

Select the Log check box if you want a log entry to be created when this rule is triggered. Instant supports a firewall-based logging function. Firewall logs on the Instant APs are generated as security logs.

Denylist

Select the Denylist check box to denylist the client when this rule is triggered. The denylisting lasts for the duration specified in the Auth failure denylist time on the Denylisting tab of the Security window.

Classify Media

Select the Classify Media check box to classify and tag media on HTTPS traffic as voice and video packets.

Disable scanning

Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled.

DSCP TAG

Select the DSCP TAG check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63. To assign a higher priority, specify a higher value.

802.1p priority

Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
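The following Python example is added to show how the rule parameters in Table 86 and Table 88 combine at evaluation time: service, source and destination selectors are matched in rule order, the first match decides the action, a Log rule produces a security-log line, and, for inbound rules, the deny-all rule described above applies last once at least one rule exists. It is not code from the Aruba Central On-Premises guide or product. The rule and packet formats, the selector spellings such as "net:" and "except-net:", the log line format and the sample addresses are assumptions for this example; service is modelled as Any/TCP/UDP with a port, and the domain-name, AP IP and application destinations are not modelled.

```python
"""Added example (not Aruba code): first-match evaluation of access rules
with Service, Action, Source, Destination and Log, plus the implicit final
deny for inbound traffic."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" | "deny" | "dst-nat" | "src-nat"
    service: str = "any"         # "any" | "tcp" | "udp"
    port: Optional[int] = None   # required for tcp/udp; TCP and UDP need separate rules
    src: str = "any"             # "any" | "host:<ip>" | "net:<cidr>"
    dst: str = "any"             # "any" | "host:<ip>" | "except-host:<ip>" | "net:<cidr>" | "except-net:<cidr>"
    log: bool = False            # the Log check box


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                   # "tcp", "udp", or another protocol name
    dst_port: int = 0


def _match_addr(spec: str, ip: str) -> bool:
    """Evaluate a source/destination selector against one address."""
    if spec == "any":
        return True
    kind, _, value = spec.partition(":")   # first colon only, so IPv6 values survive
    addr = ipaddress.ip_address(ip)
    if kind in ("host", "except-host"):
        hit = addr == ipaddress.ip_address(value)
    elif kind in ("net", "except-net"):
        hit = addr in ipaddress.ip_network(value, strict=False)
    else:
        raise ValueError(f"unknown address selector {spec!r}")
    return (not hit) if kind.startswith("except-") else hit


def _match_service(rule: Rule, pkt: Packet) -> bool:
    if rule.service == "any":
        return True
    if rule.port is None:
        raise ValueError("tcp/udp rules need a port")
    return pkt.proto == rule.service and pkt.dst_port == rule.port


def evaluate(rules: List[Rule], pkt: Packet, log: Optional[list] = None) -> Tuple[str, int]:
    """Return (action, index of the matching rule).
    Index -1 with "allow" means no rule is configured; index -1 with "deny"
    is the implicit deny-all rule that applies once at least one rule exists."""
    if not rules:
        return "allow", -1
    for i, rule in enumerate(rules):
        if (_match_service(rule, pkt)
                and _match_addr(rule.src, pkt.src_ip)
                and _match_addr(rule.dst, pkt.dst_ip)):
            if rule.log and log is not None:
                log.append(f"rule={i} action={rule.action} {pkt.proto} "
                           f"{pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port}")
            return rule.action, i
    return "deny", -1


# Constructed rule set: separate TCP and UDP rules for the same port (as the
# guide requires), then a logged deny for the rest of the internal range.
SAMPLE_RULES = [
    Rule("allow", "tcp", 443, src="net:203.0.113.0/24", dst="host:10.0.0.10", log=True),
    Rule("allow", "udp", 443, src="net:203.0.113.0/24", dst="host:10.0.0.10"),
    Rule("deny", "any", src="any", dst="net:10.0.0.0/8", log=True),
]
```

Two behaviours are worth checking against a rule set before saving it: a packet that matches no explicit rule is dropped by the implicit deny with no log entry unless a logged catch-all rule precedes it, and an "except" destination selector matches everything outside the named network, so it should normally be placed after the more specific rules.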


Configuring Restricted Access to Corporate Network
You can configure restricted corporate access to block unauthorized users from accessing the corporate network. When restricted corporate access is enabled, corporate access is blocked from the uplink port of the conductor IAP, including clients connected to a member IAP. To configure restricted corporate access, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Firewall Settings accordion.
7. To restrict corporate access, turn on the Restrict Corporate Access toggle switch.
8. Click Save Settings.
Enabling ALG Protocols on IAPs
To configure ALG protocols on Instant Access Points (IAPs), complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Firewall Settings accordion.
7. Turn on the toggle switch to enable SIP, Auto Topology Rules, Restrict Corporate Access, and Tunnel Trusted protocols.
8. Click Save Settings.
When the protocols for the ALG are disabled, the changes do not take effect until the existing user sessions have expired. Reboot the IAP and the client, or wait a few minutes for changes to take effect.
Denylisting IAP Clients
The client denylisting denies connection to the denylisted clients. When a client is denylisted, it is not allowed to associate with an Instant Access Point (IAP) in the network. If a client is connected to the network when it is denylisted, a deauthentication message is sent to force client disconnection.

Aruba Central On-Premises 2.5.6 | User Guide

398

Denylisting Clients Manually
Manual denylisting adds the MAC address of a client to the denylist. These clients are added into a permanent denylist. These clients are not allowed to connect to the network unless they are removed from the denylist. To add a client to the denylist manually, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Denylisting accordion.
7. Under Manual Denylisting, click + and enter the MAC address of the client to be denylisted.
8. Click OK.
9. Click Save Settings.
To delete a client from the manual denylist, select the MAC Address of the client under the Manual Denylisting, and then click the delete icon.
For the denylisting to take effect, you must enable the denylisting option when you create or edit the WLAN SSID profile. Go to WLANs > Security > Advanced Settings and enable the Denylisting option. For more information, see Configuring Wireless Network Profiles on IAPs.
Denylisting Clients Dynamically
Clients can be denylisted dynamically when they exceed the authentication failure threshold or when a denylisting rule is triggered as part of the authentication process. When a client fails to authenticate and exceeds the configured failure threshold, it is automatically denylisted by an IAP. In session-firewall-based denylisting, an ACL rule automates denylisting. When the ACL rule is triggered, it sends out denylist information and the client is denylisted. To configure the denylisting duration, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Denylisting accordion.
7. Under Dynamic Denylisting, enter the following information:
• For Auth Failure Denylist Time, enter the duration after which the clients that exceed the authentication failure threshold must be denylisted.
• For Policy Enforcement Failure Rule Denylisted Time, enter the duration after which the clients can be denylisted due to an ACL rule trigger.
8. Click Save Settings.
• You can configure the maximum number of authentication failures by a client, after which the client must be denylisted. For more information on configuring maximum authentication failure attempts, see Configuring Wireless Network Profiles on IAPs.
• To enable session-firewall-based denylisting, select the Denylist check box in the Access Rule page during the WLAN SSID profile creation. For more information, see Access Rule Configuration Parameters.
Configuring IAPs for VPN Services
This section describes the following VPN configuration procedures:
• IAP VPN Overview
• Configuring IAPs for VPN Tunnel Creation
• Configuring Routing Profiles for IAP VPN
Configuring IAPs for VPN Tunnel Creation
Instant Access Point (IAP) supports the configuration of tunneling protocols such as GRE, IPsec, and L2TPv3. This section describes the procedure for configuring VPN host settings on an IAP to enable communication with a controller in a remote location:
• Configuring IPsec VPN Tunnel on page 401
• Configuring Automatic GRE VPN Tunnel on page 403
• Configuring a GRE VPN Tunnel on page 404
• Configuring an L2TPv3 VPN Tunnel on page 406
IAP VPN Overview
As Instant Access Points (IAPs) use a virtual controller architecture, the IAP network does not require a physical controller to provide the configured WLAN services. However, a physical controller is required for terminating VPN tunnels from the IAP networks at branch locations or data centers, where the Aruba controller acts as a VPN concentrator. When the VPN is configured, the IAP acting as the virtual controller creates a VPN tunnel to an Aruba Mobility Controller in your corporate office. The controller acts as a VPN endpoint and does not supply the IAP with any configuration. The VPN features are recommended for:
• Enterprises with many branches that do not have a dedicated VPN connection to the corporate office.

• Branch offices that require multiple APs.
• Individuals working from home, connecting to the VPN.

Supported VPN Protocols
IAPs support the following VPN protocols for remote access.

Table 89: VPN Protocols

Aruba IPsec--IPsec is a protocol suite that secures IP communications by authenticating and encrypting each IP packet of a communication session.
You can configure an IPsec tunnel to ensure that the data flow between the networks is encrypted. However, you can configure a split tunnel to encrypt only the corporate traffic.
When IPsec is configured, ensure that you add the IAP MAC addresses to the allowlist database stored on the controller or an external server. IPsec supports Local, L2, and L3 modes of IAP-VPN operations.
NOTE: The IAPs support IPsec only with Aruba Controllers.

Layer-2 (L2) GRE--GRE is a tunnel protocol for encapsulating multicast, broadcast, and L2 packets between a GRE-capable device and an endpoint. IAPs support the configuration of an L2 GRE (Ethernet over GRE) tunnel with an Aruba Controller to encapsulate the packets sent and received by the IAP. You can use the GRE configuration for L2 deployments when there is no encryption requirement between the Instant AP and the controller for client traffic. IAPs support two types of GRE configuration:
• Manual GRE--The manual GRE configuration sends unencrypted client traffic with an additional GRE header and does not support failover. When manual GRE is configured on the IAP, ensure that the GRE tunnel settings are enabled on the controller.
• Aruba GRE--With Aruba GRE, no configuration on the controller is required except for adding the IAP MAC addresses to the allowlist database stored on the controller or an external server. Aruba GRE reduces manual configuration when Per-AP Tunnel configuration is required and supports failover between two GRE endpoints.
IAPs support manual and Aruba GRE configuration only for the L2 mode of operation. Aruba GRE configuration is supported only with Aruba Controllers.

L2TP--The L2TP version 3 feature allows the IAP to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the AP to the LNS. In a centralized L2 model, the VLANs on the corporate side are extended to remote branch sites. Wireless clients associated with the IAP get their IP address from the DHCP server running on the LNS. For this, the AP has to transparently allow DHCP transactions through the L2TPv3 tunnel.

Configuring IPsec VPN Tunnel
An IPsec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPsec tunnel to the controller secures corporate data. You can configure an IPsec tunnel from the virtual controller using Aruba Central On-Premises. To configure an IPsec tunnel from the virtual controller, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.
A list of APs is displayed in the List view.
3. Click the Config icon.
The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the VPN tab. The VPN page is displayed.
6. Click the Controller accordion.
7. In the Protocol drop-down list, select Aruba IPsec.
8. In the Primary host field, enter the IP address or FQDN for the main VPN/IPsec endpoint.
9. In the Backup host field, enter the IP address or FQDN for the backup VPN/IPsec endpoint. This entry is optional. When you enter the primary host IP address and backup host IP address, other fields are displayed.
10. Specify the following parameters:
• Select the Preemption check-box to allow the VPN tunnel to switch back to the primary host when it becomes available again. This step is optional. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
• Select the Fast Failover check-box to allow the IAP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately. When fast failover is enabled and the primary tunnel fails, the IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
• Specify a value in seconds for Seconds Between Test Packets. Based on the configured frequency, the IAP can verify if an active VPN connection is available. The default value is 5 seconds, which means that the IAP sends one packet to the controller every 5 seconds.
• Enter a value for Max Allowed Test Packet Loss to define the number of lost packets after which the IAP determines that the VPN connection is unavailable. The default value is 2.
• Select the Reconnect User On Failover check-box to disconnect all wired and wireless users when the system switches during VPN tunnel transition from primary to backup and backup to primary.
• Specify a value in seconds for Reconnect Time On Failover to configure an interval for which wired and wireless users are disconnected during a VPN tunnel switch. By default, the reconnection duration is set to 60 seconds. The Reconnect Time On Failover field is displayed only when Reconnect User On Failover is enabled.
• From the Branch Name drop-down list, select any one of the following options:
◦ Master-MAC--Configures the MAC address of the conductor Instant AP as the branch key name.
◦ VC-Name--Configures the name of the virtual controller in the branch as the branch key name.
◦ String--Configures a custom name for the VPN branch key. The custom string should be a maximum of 64 ASCII printable characters using UTF-8 encoding.
◦ None--The virtual-controller key parameter will be used as the default branch name.

Ensure that the string is unique to each IAP branch. IAPs may lose connectivity with the controller if multiple IAP branches have the same string as branch name. The branch name configured at the device level takes higher precedence than a branch name configured at the group level.
11. Click Save Settings. When the IPsec tunnel configuration is completed, the packets that are sent from and received by an IAP are encrypted.
Configuring Automatic GRE VPN Tunnel
In Aruba Central On-Premises, you can configure an Instant Access Point (IAP) to automatically set up a GRE tunnel from the IAP to the controller. To configure an IAP to automatically set up a GRE tunnel, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the VPN tab. The VPN page is displayed.
6. Click the Controller accordion.
7. In the Protocol drop-down list, select Aruba GRE.
8. In the Primary host field, enter the IP address or FQDN for the main VPN/IPsec endpoint.
9. In the Backup host field, enter the IP address or FQDN for the backup VPN/IPsec endpoint. This entry is optional. When you enter the primary host IP address and backup host IP address, other fields are displayed.
10. Specify the following parameters:
a. Select the Preemption check-box to allow the VPN tunnel to switch back to the primary host when it becomes available again. This step is optional. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
b. Select the Fast Failover check-box to allow the IAP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately. If the primary tunnel fails, the IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
c. Select the Reconnect User On Failover check-box to disconnect all wired and wireless users when the system switches during VPN tunnel transition from primary to backup and backup to primary.
d. Specify a value in seconds for Reconnect Time On Failover to configure an interval for which wired and wireless users are disconnected during a VPN tunnel switch. By default, the reconnection duration is set to 60 seconds.
e. Specify a value in seconds for Seconds Between Test Packets. Based on the configured frequency, the IAP can verify if an active VPN connection is available. The default value is 5 seconds, which means that the IAP sends one packet to the controller every 5 seconds.
f. Enter a value for Max Allowed Test Packet Loss to define a number for lost packets, after which the IAP can determine that the VPN connection is unavailable. The default value is 2.
g. Select the Per-AP-Tunnel check-box to create a GRE tunnel from each IAP to the VPN/GRE Endpoint rather than the tunnels created just from the conductor IAP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the IAP itself and need not be forwarded through the conductor IAP.
h. From the Branch Name drop-down list, select any one of the following options:
• Master-MAC--Configures the MAC address of the conductor Instant AP as the branch key name.
• VC-Name--Configures the name of the virtual controller in the branch as the branch key name.
• String--Configures a custom name for the VPN branch key. The custom string should be a maximum of 64 ASCII printable characters using UTF-8 encoding.
• None--The virtual-controller key parameter will be used as the default branch name.
Ensure that the string is unique to each IAP branch. IAPs may lose connectivity with the controller if multiple IAP branches have the same string as branch name. The branch name configured at the device level takes higher precedence than a branch name configured at the group level.
11. Click Save Settings.
Configuring a GRE VPN Tunnel
You can also manually configure a GRE tunnel by configuring the GRE tunnel parameters on the Instant Access Point (IAP) and the controller. This procedure describes the steps involved in the manual configuration of a GRE tunnel from the virtual controller by using Aruba Central On-Premises.
During the manual GRE setup, you can either use the virtual controller IP or the IAP IP to create the GRE tunnel at the controller side depending upon the following IAP settings:
• If a virtual controller IP is configured and Per-AP tunnel is disabled, the virtual controller IP is used to create the GRE tunnel.
• If a virtual controller IP is not configured or Per-AP tunnel is enabled, the IAP IP is used to create the GRE tunnel.
To configure the GRE tunnel manually, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the VPN tab. The VPN page is displayed.

6. Click the Controller accordion.
7. In the Protocol drop-down list, select Manual GRE.
8. Specify the following parameters:
• Host--Enter the IPv4 or IPv6 address or FQDN for the main VPN/GRE tunnel.
• Backup Host--(Optional) Enter the IPv4 or IPv6 address or FQDN for the backup VPN/GRE tunnel. You can edit this field only after you enter the IP address or FQDN in the Host field.
• Reconnect User On Failover--This field appears when you enter the host IP address and backup host IP address. Select this check-box to disconnect all wired and wireless users when the system switches during VPN tunnel transition from primary to backup and backup to primary.
• Reconnect Time On Failover--This field appears if you select the Reconnect User On Failover check-box. To configure an interval for which wired and wireless users must be disconnected during a VPN tunnel switch, specify a value within the range of 30-90 seconds. By default, the reconnection duration is set to 60 seconds.
• GRE Type--Enter a value for the parameter.
• GRE Mtu--Specify a size for the GRE MTU within the range of 1024-1500. After GRE encapsulation, if the packet length exceeds the configured MTU, IP fragmentation occurs. The default MTU size is 1300.
• Per-AP-Tunnel--The administrator can enable this option to create a GRE tunnel from each IAP to the VPN/GRE endpoint rather than the tunnels created just from the conductor IAP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the IAP itself and need not be forwarded through the conductor IAP.
By default, the Per-AP tunnel option is disabled.
• Branch Name--From the Branch Name drop-down list, select any one of the following options:
◦ Master-MAC--Configures the MAC address of the conductor Instant AP as the branch key name.
◦ VC-Name--Configures the name of the virtual controller in the branch as the branch key name.
◦ String--Configures a custom name for the VPN branch key. The custom string should be a maximum of 64 ASCII printable characters using UTF-8 encoding.
◦ None--The virtual-controller key parameter will be used as the default branch name.
Ensure that the string is unique to each IAP branch. IAPs may lose connectivity with the controller if multiple IAP branches have the same string as branch name. The branch name configured at the device level takes higher precedence than a branch name configured at the group level.
9. Click Save Settings. When the GRE tunnel configuration is completed on both the IAP and Controller, the packets sent from and received by an IAP are encapsulated, but not encrypted.
Configuring an L2TPv3 VPN Tunnel
The Layer 2 Tunneling Protocol version 3 (L2TPv3) feature allows the Instant Access Point (IAP) to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the AP to the LNS. In a centralized L2 model, the VLANs on the corporate side are extended to remote branch sites. Wireless clients associated with the IAP get their IP address from the DHCP server running on the LNS. For this, the AP has to transparently allow DHCP transactions through the L2TPv3 tunnel.
To configure an L2TPv3 tunnel by using Aruba Central On-Premises, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP.
The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
A list of APs is displayed in the List view.
3. Click the Config icon.
The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the VPN tab. The VPN page is displayed.
6. Click the Controller accordion.
7. In the Protocol drop-down list, select L2TPv3.
8. To configure a tunnel profile, complete the following steps:
a. Turn on the Enable Tunnel Profile toggle switch.
b. Enter the profile name in the Profile Name text-box.
c. Enter the primary server IP address in the Primary Peer Address text-box.
d. Enter the remote end backup tunnel IP address in the Backup Peer Address text-box. This is an optional field and is required only when a backup server is configured.
e. Enter the peer UDP port number in the Peer UDP Port text-box. The default value is 1701.
f. Enter the local UDP port number in the Local UDP Port text-box. The default value is 1701.
g. Enter the interval in the Hello Interval text-box at which the hello packets are sent through the tunnel. The default value is 60 seconds.
h. Select the message digest as MD5 or SHA from the Message Digest Type drop-down list for message authentication.
i. Enter a shared key in the Shared Key text-box for the message digest. This key must match the shared key at the tunnel endpoint.
j. Set the Failover Mode. The following two failover modes are supported:
• Preemptive--In this mode, if the primary comes up when the backup is active, the backup tunnel is deleted and the primary tunnel resumes as the active tunnel. If you configure the tunnel to be preemptive, when the primary tunnel goes down it starts the persistence timer, which tries to bring up the primary tunnel.
• Non-Preemptive--In this mode, when the backup tunnel is established after the primary tunnel goes down, the primary tunnel is not made active again.
• Set an interval between every failover retry in Failover Retry Interval. The default value is 60 seconds.
• Configure the number of retries in Failover Retry Count before the tunnel fails over.
k. Ensure that the Checksum check-box is enabled.
l. Specify a tunnel MTU value in the MTU field. The default value is 1460.

9. To configure a session profile, complete the following steps:
a. Turn on the Enable Session Profile toggle switch.
b. Enter the session profile name.
c. Enter the tunnel profile name with which the session will be associated.
d. Configure the tunnel IP address with the corresponding network mask and VLAN ID. This is required to reach an AP from a corporate network, for example, for SNMP polling.
e. Select the cookie length and enter a cookie value corresponding to the length. By default, the cookie length is not set.
f. From the Branch Name drop-down list, select any one of the following options:
• Master-MAC--Configures the MAC address of the conductor Instant AP as the branch key name.
• VC-Name--Configures the name of the virtual controller in the branch as the branch key name.
• String--Configures a custom name for the VPN branch key. The custom string should be a maximum of 64 ASCII printable characters using UTF-8 encoding.
• None--The virtual-controller key parameter will be used as the default branch name.
Ensure that the string is unique to each IAP branch. IAPs may lose connectivity with the controller if multiple IAP branches have the same string as branch name. The branch name configured at the device level takes higher precedence than a branch name configured at the group level.
10. Click Save Settings.
Configuring Routing Profiles for IAP VPN
Aruba Central On-Premises can terminate a single VPN connection on an Aruba Mobility Controller. The routing profile defines the corporate subnets that need to be tunneled through IPsec. You can configure routing profiles to specify policy-based routing into the VPN tunnel. To configure a routing profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the VPN tab. The VPN details page is displayed.
5. Click the Routing accordion.
6. Click + in the Routing pane. The New Route page with the route parameters is displayed.
7. Update the following parameters:
• Destination--Specify the destination network that is reachable through the VPN tunnel. This defines the IP or subnet that must be reached through the IPsec tunnel. Traffic to the IP or subnet defined here will be forwarded through the IPsec tunnel.
• Netmask--Specify the subnet mask for the destination defined for Destination.
• Gateway--Specify the gateway to which traffic must be routed. In this field, enter one of the following based on the requirement:
◦ The controller IP address on which the VPN connection will be terminated. If you have a primary and backup host, configure two routes with the same destination and netmask, but ensure that the gateway is the primary controller IP for one route and the backup controller IP for the second route.
◦ The "tunnel" string if you are using the IAP in Local mode during local DHCP configuration.
• Metric--Specify the route metric, which selects the best path for routing traffic. A value of 1 indicates the best path, 15 indicates the worst path, and 16 indicates that the destination is unreachable on the route.
8. Click OK.
9. Click Save Settings.
Configuring DHCP Pools and Client IP Assignment Modes on IAPs
This section provides the following information:
• Configuring DHCP Scopes on IAPs
• Configuring DHCP Server for Assigning IP Addresses to IAP Clients
Configuring DHCP Scopes on IAPs
The Virtual Controller (VC) supports the following types of DHCP address assignments:
• Configuring Distributed DHCP Scopes on page 408
• Configuring a Centralized DHCP Scope on page 411
• Configuring Local DHCP Scopes on page 413
Configuring Distributed DHCP Scopes
Aruba Central On-Premises allows you to configure the DHCP address assignment for the branches connected to the corporate network through VPN. You can configure the range of DHCP IP addresses used in the branches and the number of client addresses allowed per branch. You can also specify the IP addresses that must be excluded from those assigned to clients, so that they are assigned statically.
Aruba Central On-Premises supports the following distributed DHCP scopes:
• Distributed, L2--In this mode, the VC acts as the DHCP server, but the default gateway is in the data center. Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the VC controls a scope that is a subset of the complete IP address range for the subnet distributed across all the branches. This DHCP assignment mode is used with the L2 forwarding mode.
• Distributed, L3--In this mode, the VC acts as the DHCP server and the default gateway. Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the VC is configured with a unique subnet and a corresponding scope.
To configure distributed DHCP scopes such as Distributed, L2 or Distributed, L3, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the DHCP accordion. The DHCP configuration options are displayed.
7. Click + on Distributed DHCP Scopes. The Distributed DHCP Scopes table is displayed.
8. To configure a distributed DHCP scope, click + under the Distributed DHCP Scopes table. The New Distributed DHCP Scopes page is displayed.
9. Based on the type of distributed DHCP scope, configure the parameters described in Table 90.
10. Click Next. The Branch Size tab is displayed.
11. Specify the number of clients to use per branch in Clients Per Branch.

The client count configured for a branch determines the use of IP addresses from the IP address range defined for a DHCP scope. For example, if 20 IP addresses are available in an IP address range configured for a DHCP scope and a client count of 9 is configured, only a few IP addresses (in this example, 9) from this range are used and allocated to a branch. The IAP does not allow administrators to assign the remaining IP addresses to another branch, even if a lower client count is configured for it.

12. Click Next. The Static IP tab is displayed.
13. Specify the number of first and last IP addresses to reserve in the subnet in Reserve First and Reserve Last.
14. Click Finish.
The following table lists the distributed DHCP scope configuration parameters.

Table 90: Distributed DHCP Scope Configuration Parameters

Name--Enter a name for the DHCP scope.
Type--Select any of the following options:
• Distributed, L2--On selecting Distributed, L2, the VC acts as the DHCP server but the default gateway is in the data center. Traffic is bridged into the VPN tunnel.
• Distributed, L3--On selecting Distributed, L3, the VC acts as both the DHCP server and the default gateway. Traffic is routed into the VPN tunnel.

VLAN--Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile.
Netmask--If Distributed, L2 is selected for the type of DHCP scope, specify the subnet mask. The subnet mask and the network determine the size of the subnet.
Default Router--If Distributed, L2 is selected for the type of DHCP scope, specify the IP address of the default router.
DNS Server--If required, specify the IP address of a DNS server.
Domain Name--If required, specify the domain name.
Lease Time--Specify a lease time for the client in minutes.
DHCP Relay--Select the DHCP Relay toggle switch to allow the IAPs to intercept the broadcast packets and relay DHCP requests.
Helper Address--Enter the IP address of the DHCP server.
Dynamic DNS--Turn on the toggle switch to send the client updates periodically, during the specified time, to the DNS server that is configured in the DHCP profile.
Key--Enter the TSIG shared secret key.
DDNS Pointer Record (PTR)--The Dynamic DNS updates of the clients are periodically sent during the specified time to the DNS server that is configured in the DHCP profile. Turn on the toggle switch to enable the Distributed, L3 DHCP clients to send PTR updates to the DDNS server.
IP Address Range--Specify a range of IP addresses to use. To add another range, click the + icon. You can specify up to four different ranges of IP addresses.
• For Distributed, L2 mode, ensure that all IP ranges are in the same subnet as the default router. On specifying the IP address ranges, a subnet validation is performed to ensure that the specified ranges of IP addresses are in the same subnet as the default router and subnet mask. The configured IP range is divided into blocks based on the configured client count.
• For Distributed, L3 mode, you can configure any discontiguous IP ranges. The configured IP range is divided into multiple IP subnets that are sufficient to accommodate the configured client count. You can allocate multiple branch IDs (BID) per subnet. The Instant Access Point (IAP) generates a subnet name from the DHCP IP configuration, which the controller can use as a subnet identifier. If static subnets are configured in each branch, all of them are assigned BID 0, which is mapped directly to the configured static subnet.
DHCP Reservation--Displays the total number of DHCP reservations. Click the number to view the list of DHCP reservations. You can configure DHCP reservation only on virtual controllers. From the filter bar, select a virtual controller and click the + icon to configure a DHCP reservation. Specify the following details:
• MAC--Specify the MAC address of the device for which the IP address has to be reserved.
• IP--Specify the IP address that has to be reserved for the MAC address. The IP address should be in the IP address range.

Aruba Central On-Premises 2.5.6 | User Guide

410

Table 90: Distributed DHCP Scope Configuration Parameters Data pane item Description

Option

NOTE: Aruba Central allows you to configure a maximum of 32 DHCP reservations.
To delete a DHCP reservation, click the delete icon.
Specify the type and a value for the DHCP option. You can configure the organizationspecific DHCP options supported by the DHCP server. For example, 176, 242, 161, and so on. To add multiple DHCP options, click the + icon. You can add up to eight DHCP options.
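As an added illustration of the IP Address Range rules for distributed scopes (this is example code written for this page, not code from the guide or from Aruba), the following Python reproduces the Distributed, L2 subnet validation and shows how a range breaks into blocks or subnets for a given client count. The guide states only that the range is "divided into blocks" (L2) or "divided into multiple IP subnets" (L3) according to the client count; equal consecutive blocks and aligned prefixes sized for the client count are assumed readings, and the function names and sample addresses are invented for the example.

```python
import ipaddress

MAX_RANGES = 4  # the scope accepts up to four IP address ranges


def validate_l2_ranges(default_router, netmask, ranges):
    """Distributed, L2: every range must lie in the default router's subnet.

    ranges is a list of (start, end) address strings. Returns a list of
    problem descriptions; an empty list means the scope passes validation.
    """
    subnet = ipaddress.ip_network(f"{default_router}/{netmask}", strict=False)
    problems = []
    if len(ranges) > MAX_RANGES:
        problems.append(f"{len(ranges)} ranges configured, maximum is {MAX_RANGES}")
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            problems.append(f"range {start}-{end} is reversed")
        for addr in (lo, hi):
            if addr not in subnet:
                problems.append(f"{addr} is outside {subnet}")
    return problems


def split_l2_blocks(start, end, client_count):
    """Divide one L2 range into consecutive blocks of client_count addresses.

    Assumed reading of "divided into blocks based on the configured client
    count": equal consecutive blocks, the last one possibly shorter.
    """
    if client_count < 1:
        raise ValueError("client_count must be at least 1")
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    blocks = []
    cur = lo
    while True:
        last = min(cur + (client_count - 1), hi)
        blocks.append((str(cur), str(last)))
        if last == hi:
            break
        cur = last + 1
    return blocks


def carve_l3_subnets(ranges, client_count):
    """Distributed, L3: split discontiguous ranges into aligned subnets that
    each hold client_count clients (assumed reading of "divided into multiple
    IP subnets that are sufficient to accommodate the configured client count").

    Returns (subnets, too_small): the prefixes carved out, and the prefixes
    from the ranges that cannot hold client_count hosts at all.
    """
    need = client_count + 2  # network and broadcast addresses are not assignable
    prefixlen = 32
    while (1 << (32 - prefixlen)) < need:
        prefixlen -= 1
    subnets, too_small = [], []
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        for net in ipaddress.summarize_address_range(lo, hi):
            if net.prefixlen > prefixlen:
                too_small.append(net)
            else:
                subnets.extend(net.subnets(new_prefix=prefixlen))
    return subnets, too_small


if __name__ == "__main__":
    # Constructed sample: default router 10.10.0.1/24, one good range and
    # one range in a neighbouring subnet that the L2 validation must reject.
    print(validate_l2_ranges("10.10.0.1", "255.255.255.0",
                             [("10.10.0.100", "10.10.0.199"), ("10.10.1.10", "10.10.1.20")]))
    print(split_l2_blocks("10.10.0.100", "10.10.0.199", 40))
    print(carve_l3_subnets([("10.20.0.0", "10.20.0.255"), ("10.30.8.0", "10.30.8.63")], 60))
```

Running the validator before pushing a scope catches the out-of-subnet ranges that the UI validation would reject, and the L3 carving shows how many branch subnets a range can actually yield for the chosen client count, which is the number to compare against the number of branches you intend to serve.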

Configuring a Centralized DHCP Scope
The centralized DHCP scope supports L2 and L3 clients.
When a centralized DHCP scope is configured:
- The virtual controller does not assign an IP address to the client; the DHCP traffic is forwarded directly to the DHCP server.
- For L2 clients, the virtual controller bridges the DHCP traffic to the controller over the VPN/GRE tunnel. The IP address is obtained from the DHCP server behind the controller serving the VLAN/GRE of the client. This DHCP assignment mode also allows you to add DHCP option 82 to the DHCP traffic forwarded to the controller.
- For L3 clients, the virtual controller acts as a DHCP relay agent that forwards the DHCP traffic to the DHCP server located behind the controller in the corporate network and reachable through the IPsec tunnel. The centralized L3 VLAN IP is used as the source IP. The IP address is obtained from the DHCP server.
To configure a centralized DHCP scope, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the DHCP accordion. The DHCP configuration options are displayed.
7. Click + on Centralized DHCP Scopes. The Centralized DHCP Scopes table is displayed.
8. To configure centralized DHCP scopes, click + under the Centralized DHCP Scopes table. The New Centralized DHCP Scopes pane is displayed.
9. Based on the type of centralized DHCP scope, configure the parameters described in Table 91.
10. Click OK.


The following table lists the centralized DHCP scope configuration parameters.

Table 91: DHCP mode configuration parameters

Data pane item / Description

Name

Enter a name for the DHCP scope.

Type

Select one of the following options:
- Centralized, Layer-2
- Centralized, Layer-3

VLAN

Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile.

Split Tunnel

Enable the split tunnel function if you want to allow a VPN user to access a public network and a local LAN or WAN network at the same time through the same physical network connection. For example, a user can use a remote access VPN software client to connect to a corporate network over a home wireless network. When the split tunnel function is enabled, the user can connect to file servers, database servers, mail servers, and other servers on the corporate network through the VPN connection.
When the user connects to resources on the Internet (websites, FTP sites, and so on), the connection request goes directly to the gateway provided by the home network. The split DNS functionality intercepts DNS requests from clients for non-corporate domains (domains not in the Enterprise Domains list) and forwards them to the IAP's own DNS server.
When split tunnel is disabled, all traffic, corporate and Internet alike, is tunneled irrespective of the routing profile specifications. If the GRE tunnel is down and the corporate network is not reachable, the client traffic is dropped.

DHCP Relay

Select the DHCP Relay check box to allow the IAPs to intercept the broadcast packets and relay DHCP requests.

Helper Address

Enter the IP address of the DHCP server.

VLAN IP

Field is applicable only if you select Centralized, Layer-3. Specify the VLAN IP address of the DHCP relay server.

VLAN Mask

Field is applicable only if you select Centralized, Layer-3. Specify the VLAN subnet mask of the DHCP relay server.

Option 82

Select one of the following options:
- None--If you have configured the DHCP Option 82 XML file, the ALU option is disabled in the drop-down list. To enable ALU, set the drop-down list to None and delete the DHCP Option 82 XML file. To enable the XML option, select None from the drop-down list and select the XML file from the DHCP Option 82 XML drop-down list.
- ALU--The ALU option is disabled if an XML file is selected from the DHCP Option 82 XML drop-down list in the System > General pane. Select ALU to enable DHCP Option 82, so that the clients' DHCP packets are forwarded with the Option 82 string. The Option 82 string is available only in the Alcatel (ALU) format, which consists of the following:
  - Remote Circuit ID; X AP-MAC; SSID; SSID-Type
  - Remote Agent; X IDUE-MAC
- XML--The XML option is enabled only if an XML file is selected from the DHCP Option 82 XML drop-down list in the System > General pane. Alternatively, to enable the XML option, select None from the drop-down list and select the XML file from the DHCP Option 82 XML drop-down list. For information related to XML files, see Configuring System Parameters for an IAP.


The following table describes the behavior of the DHCP Relay Agent and Option 82 in the IAP.

Table 92: DHCP Relay and Option 82

DHCP Relay   Option 82   Behavior
Enabled      Enabled     DHCP packet relayed with the ALU-specific Option 82 string.
Enabled      Disabled    DHCP packet relayed without the ALU-specific Option 82 string.
Disabled     Enabled     DHCP packet not relayed, but broadcast with the ALU-specific Option 82 string.
Disabled     Disabled    DHCP packet not relayed, but broadcast without the ALU-specific Option 82 string.
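An added example, not code from the guide or from Aruba, of what the Option 82 string discussed above looks like on the wire: an encoder and a bounds-checking decoder for DHCP Option 82 using the RFC 3046 sub-option framing (sub-option 1 is the Agent Circuit ID, sub-option 2 the Agent Remote ID). The guide lists the ALU fields but not their byte layout, so placing AP-MAC;SSID;SSID-Type in the Circuit ID and the client (UE) MAC in the Remote ID, joined with ';', is an assumption of this example, as are the function names and the sample MAC addresses. The decoder refuses length fields that disagree with the bytes present, which is the check any DHCP server or sensor that parses relayed packets needs before trusting the option contents.

```python
OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1  # RFC 3046 Agent Circuit ID
SUBOPT_REMOTE_ID = 2   # RFC 3046 Agent Remote ID


def alu_suboptions(ap_mac, ssid, ssid_type, client_mac):
    """Map the guide's ALU field list onto the two RFC 3046 sub-options.

    Assumption of this example: Circuit ID carries AP-MAC;SSID;SSID-Type and
    Remote ID carries the client (UE) MAC, as ';'-separated text.
    """
    circuit_id = f"{ap_mac};{ssid};{ssid_type}".encode()
    remote_id = client_mac.encode()
    return circuit_id, remote_id


def encode_option82(circuit_id, remote_id):
    """Build the raw option: code byte, length byte, then TLV sub-options."""
    body = b""
    for code, value in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        if len(value) > 255:
            raise ValueError(f"sub-option {code} exceeds 255 bytes")
        body += bytes([code, len(value)]) + value
    if len(body) > 255:
        raise ValueError("option 82 body exceeds 255 bytes")
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def decode_option82(raw):
    """Parse a raw option 82 into {sub-option code: value bytes}.

    Every length is checked against the bytes actually present, so a
    truncated or overrunning option raises instead of being read past its end.
    """
    if len(raw) < 2 or raw[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not a DHCP option 82")
    end = 2 + raw[1]
    if len(raw) != end:
        raise ValueError("option length does not match data length")
    subs = {}
    pos = 2
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated sub-option header")
        code, length = raw[pos], raw[pos + 1]
        if pos + 2 + length > end:
            raise ValueError(f"sub-option {code} overruns the option")
        subs[code] = raw[pos + 2:pos + 2 + length]
        pos += 2 + length
    return subs


def parse_alu(subs):
    """Split decoded sub-options back into (ap_mac, ssid, ssid_type, client_mac).

    Same layout assumption as alu_suboptions; an SSID containing ';' would
    not round-trip, so the field count is checked rather than guessed.
    """
    parts = subs[SUBOPT_CIRCUIT_ID].decode(errors="replace").split(";")
    if len(parts) != 3:
        raise ValueError("circuit ID is not AP-MAC;SSID;SSID-Type")
    ap_mac, ssid, ssid_type = parts
    return ap_mac, ssid, ssid_type, subs[SUBOPT_REMOTE_ID].decode(errors="replace")


if __name__ == "__main__":
    # Constructed sample values; the MAC addresses are not real devices.
    raw = encode_option82(*alu_suboptions("00:1a:1e:11:22:33", "corp", "employee",
                                          "aa:bb:cc:dd:ee:ff"))
    print(raw.hex())
    print(parse_alu(decode_option82(raw)))
```

When Table 92 says the packet is "broadcast with the ALU-specific Option 82 string" without relay, the option still arrives at the server formatted like this; a server or IDS that keys policy on the SSID or AP MAC should apply the same length checks, since the option is a small TLV that a crafted packet can truncate.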

Configuring Local DHCP Scopes
You can configure the following types of local DHCP scopes on an IAP:
- Local--In this mode, the VC acts as both the DHCP server and default gateway. The configured subnet and the corresponding DHCP scope are independent of subnets configured in other IAP clusters. The VC assigns an IP address from a local subnet and forwards traffic to both corporate and non-corporate destinations. The network address is translated appropriately and the packet is forwarded through the IPsec tunnel or through the uplink. This DHCP assignment mode is used for the NAT forwarding mode.
- Local, L2--In this mode, the VC acts as a DHCP server and the gateway is located outside the IAP.
- Local, L3--In this mode, the VC acts as a DHCP server and default gateway, and assigns an IP address from the local subnet. The IAP routes the packets sent by clients on its uplink. This DHCP assignment mode is used with the L3 forwarding mode.
To configure a new local DHCP scope, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the DHCP accordion. The DHCP configuration options are displayed.
7. Click + on Local DHCP Scopes. The Local DHCP Scopes table is displayed.
8. To configure local DHCP scopes, click + under the Local DHCP Scopes table. The New DHCP Scopes pane is displayed.
9. Based on the type of local DHCP scope, configure the parameters described in Table 93.
10. Click OK.
The following table lists the local DHCP scope configuration parameters.

Table 93: Local DHCP Configuration Parameters

Data pane item / Description

Name

Enter a name for the DHCP scope.

Type

Select any of the following options:
- Local--On selecting Local, the DHCP server for the local branch network is used, keeping the scope of the subnet local to the IAP. In the NAT mode, the traffic is forwarded through the uplink.
- Local, L2--On selecting Local, L2, the VC acts as a DHCP server and a default gateway in the local network is used.
- Local, L3--On selecting Local, L3, the VC acts as a DHCP server and gateway.

VLAN

Enter the VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile.

Network

Specify the network to use.

Netmask

Specify the subnet mask. The subnet mask and the network determine the size of the subnet.

Excluded Address

Specify a range of IP addresses to exclude. You can add up to two exclusion ranges. Based on the size of the subnet and the value configured for Excluded Address, the IP addresses either before or after the defined range are excluded.

DHCP Reservation

Displays the total number of DHCP reservations. Click the number to view the list of DHCP reservations. You can configure DHCP reservation only on virtual controllers. From the filter bar, select a virtual controller and click the + icon to configure DHCP reservation. Specify the following details:
- MAC--Specify the MAC address of the device for which the IP address has to be reserved.
- IP--Specify the IP address that has to be reserved for the MAC address. The IP address should be in the IP address range.
NOTE: Aruba Central allows you to configure a maximum of 32 DHCP reservations. To delete a DHCP reservation, click the delete icon.

Default Router

Enter the IP address of the default router.

DNS Server

Enter the IP address of a DNS server.

Domain Name

Enter the domain name.

Lease Time

Enter a lease time for the client in minutes.

DHCP Relay

Select the DHCP Relay check box to allow the IAPs to intercept the broadcast packets and relay DHCP requests.

Helper Address

Enter the IP address of the DHCP server.

VLAN IP

Field is applicable only if you select Local, L2. Specify the VLAN IP address of the DHCP relay server.

VLAN Mask

Field is applicable only if you select Local, L2. Specify the VLAN subnet mask of the DHCP relay server.

Option

Specify the type and a value for the DHCP option. You can configure the organization-specific DHCP options supported by the DHCP server. To add multiple DHCP options, click the + icon.

Configuring DHCP Server for Assigning IP Addresses to IAP Clients
The DHCP server is a built-in server, used for networks in which clients are assigned IP addresses by the Virtual Controller (VC). You can customize the DHCP pool subnet and address range to provide simultaneous access to more clients. The largest address pool supported is 2048. The default size of the IP address pool is 512.

- When the DHCP server is configured and the Client IP assignment parameter for an SSID profile is set to Virtual Controller Assigned, the virtual controller assigns the IP addresses to the WLAN or wired clients. By default, the Instant Access Point (IAP) automatically determines a suitable DHCP pool for Virtual Controller Assigned networks.
- The IAP typically selects the 172.31.98.0/23 subnet. If the IP address of the IAP is within the 172.31.98.0/23 subnet, the IAP selects the 10.254.98.0/23 subnet. However, this mechanism does not avoid all possible conflicts with the wired network. If your wired network uses either 172.31.98.0/23 or 10.254.98.0/23, and you experience problems with the Virtual Controller Assigned networks after upgrading to Aruba Central, manually configure the DHCP pool by following the steps described in this section.

To configure a domain name, DNS server, and DHCP server for client IP assignment, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the DHCP accordion. The DHCP configuration options are displayed.
7. Click + on DHCP For WLANs and enter the following information:
   - Domain Name--Enter the domain name of the client.
   - DNS Server--Enter the IP addresses of the DNS servers. To add another DNS server, click the + icon.
   - Lease Time--Enter the duration of the DHCP lease. Select Minutes, Hours, or Days for the lease time from the list next to Lease Time. The default lease time is 0.
   - Network--Enter the network address of the pool.
   - Mask--Enter the subnet mask of the pool.
   - DHCP Relay--Select the check box to allow the IAPs to intercept the broadcast packets and relay DHCP requests.
   - Helper Address--Enter the IP address of the DHCP server.
8. Click Save Settings.
To provide simultaneous access to more than 512 clients, use the Network and Mask fields to specify a larger range. While the network (prefix) is the common part of the address range, the mask (suffix) specifies how long the variable part of the address range is.
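To make the automatic pool selection and its caveat concrete, here is an added Python example (written for this page, not code from the guide or from Aruba). It applies the documented choice of 172.31.98.0/23 with fallback to 10.254.98.0/23, then performs the check the automatic selection does not: it compares the chosen pool against a list of wired subnets, and it validates a manually entered Network/Mask pair against the 2048-address maximum. The function names and the sample subnets are invented for the example.

```python
import ipaddress

# Subnets the IAP picks automatically for Virtual Controller Assigned networks
DEFAULT_POOL = ipaddress.ip_network("172.31.98.0/23")
FALLBACK_POOL = ipaddress.ip_network("10.254.98.0/23")
MAX_POOL_SIZE = 2048  # largest address pool the guide says is supported


def auto_pool(iap_ip):
    """The documented automatic choice: 172.31.98.0/23, or 10.254.98.0/23 when
    the IAP's own address already lies inside 172.31.98.0/23."""
    if ipaddress.ip_address(iap_ip) in DEFAULT_POOL:
        return FALLBACK_POOL
    return DEFAULT_POOL


def overlapping_wired_subnets(pool, wired_subnets):
    """The check the automatic choice does not make: which wired subnets
    (strings such as '172.31.98.0/24') overlap the candidate pool."""
    nets = (ipaddress.ip_network(s, strict=False) for s in wired_subnets)
    return [str(n) for n in nets if n.overlaps(pool)]


def manual_pool(network, mask):
    """Validate a Network/Mask pair typed into DHCP For WLANs: the network
    address must be aligned to the mask and the pool may not exceed 2048."""
    pool = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    if pool.num_addresses > MAX_POOL_SIZE:
        raise ValueError(
            f"{pool} holds {pool.num_addresses} addresses, maximum is {MAX_POOL_SIZE}")
    return pool


def plan_pool(iap_ip, wired_subnets, manual=None):
    """Choose the pool (manual (network, mask) if given, else the automatic
    one) and return it together with the wired subnets it collides with."""
    pool = manual_pool(*manual) if manual else auto_pool(iap_ip)
    return pool, overlapping_wired_subnets(pool, wired_subnets)


if __name__ == "__main__":
    # Constructed sample: an IAP addressed inside 172.31.98.0/23 and a wired
    # network that also uses part of the fallback range, so the automatic
    # pool collides and a manual /21 pool is chosen instead.
    print(plan_pool("172.31.99.7", ["10.254.98.0/24", "192.168.10.0/24"]))
    print(plan_pool("172.31.99.7", ["10.254.98.0/24"],
                    manual=("10.50.0.0", "255.255.248.0")))
```

A non-empty conflict list is the condition under which the guide tells you to configure the pool manually; feeding the site's wired prefixes into this check before enabling Virtual Controller Assigned networks avoids discovering the overlap from client complaints.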
Configuring Services
This section describes how to configure AirGroup, location services, Lawful Intercept, OpenDNS, and Firewall services.
- Configuring AirGroup Services
- Configuring an IAP for RTLS Support
- Configuring an IAP for ALE Support
- Managing BLE Beacons
- Configuring OpenDNS Credentials on IAPs
- Configuring CALEA Server Support on IAPs
- Configuring IAPs for Palo Alto Networks Firewall Integration
- Configuring XML API Interface
- Enabling Application Visibility on Instant APs
- Enabling Application Visibility on Campus APs
- Configuring RRM IE Profile
Configuring AirGroup Services
AirGroup is a zero configuration networking protocol that enables service discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services. It is designed for flat, single-subnet IP networks such as wireless networking at home.
Bonjour can be installed on computers running Microsoft Windows and is supported by newer network-capable printers. Bonjour uses multicast DNS (mDNS) to locate devices and the services offered by these devices. The AirGroup solution supports both wired and wireless devices. Wired devices that support Bonjour services are part of AirGroup when connected to a VLAN that is terminated on the Virtual Controller.
In addition to the mDNS protocol, Instant Access Points (IAPs) also support UPnP and DLNA-enabled devices. DLNA is a network standard derived from UPnP, which enables devices to discover the services available in a network.


DLNA also provides the ability to share data between the Windows or Android-based multimedia devices. All the features and policies applicable to mDNS are extended to DLNA to ensure full interoperability between compliant devices.
AirGroup Features
AirGroup provides the following features:
- Sends unicast responses to mDNS queries and reduces the mDNS traffic footprint.
- Ensures cross-VLAN visibility and availability of AirGroup devices and services.
- Allows or blocks AirGroup services for all users.
- Allows or blocks AirGroup services based on user roles.
- Allows or blocks AirGroup services based on VLANs.
For more information on AirGroup solution, see Aruba Instant User Guide.
AirGroup Services
Bonjour supports zero-configuration services. The services are pre-configured and are available as part of the factory default configuration. The administrator can also enable or disable any or all services. The following services are available for IAP clients:
- AirPlay--Apple AirPlay allows wireless streaming of music, video, and slide shows from your iOS device to Apple TV and other devices that support the AirPlay feature.
- AirPrint--Apple AirPrint allows you to print from an iPad, iPhone, or iPod Touch directly to any AirPrint compatible printer.
- iTunes--The iTunes service is used by iTunes Wi-Fi sync and iTunes home-sharing applications across all Apple devices.
- RemoteMgmt--Use this service for remote login, remote management, and FTP utilities on Apple devices.
- Sharing--Applications such as disk sharing and file sharing use the service IDs that are part of this service on one or more Apple devices.
- Chat--The iChat® (Instant Messenger) application on Apple devices uses this service.
- ChromeCast--The ChromeCast service allows you to use a ChromeCast device to play audio or video content on a high-definition television by streaming content through Wi-Fi from the Internet or local network.
- DLNA Media--Applications such as Windows Media Player use this service to browse and play content on a remote device.
- DLNA Print--This service is used by printers that support DLNA.
To enable AirGroup services:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Services tab. The Services page is displayed.
5. Click the AirGroup accordion.
6. Select the AirGroup check-box. The mDNS (Bonjour) and SSDP (DLNA/UPNP) check-boxes are selected by default. Select at least mDNS (Bonjour) or SSDP (DLNA/UPNP) to proceed further.
   Optionally, select the Guest Bonjour Multicast check-box to allow guest users to use the Bonjour services that are enabled in a guest VLAN. When Guest Bonjour Multicast is enabled, the Bonjour devices are visible only in the guest VLAN and AirGroup does not discover or enforce policies in the guest VLAN.
7. Under the AirGroup Settings sub-accordion, select the check-box against one or more AirGroup services listed in AirGroup Services.
   - Optionally, when enabling an AirGroup service, define disallowed roles. The disallowed roles are not allowed to use the specific AirGroup service. To disallow roles:
     a. Click Edit against Disallowed Roles.
     b. Move the roles from the Available pool to the Selected pool.
     c. Click Ok.
   - Optionally, when enabling an AirGroup service, define disallowed VLANs. The disallowed VLANs are not allowed to use the specific AirGroup service. To disallow VLANs:
     a. Click Edit against Disallowed VLANs.
     b. Type the VLANs in Enter comma-separated list of VLAN IDs. Separate multiple VLANs with a comma.
     c. Click Ok.
   - Optionally, configure and enable a new AirGroup service. If defined, disallowed roles or VLANs are not allowed to use the new AirGroup service. To configure and enable a new AirGroup service:
     a. Click Add New Service.
     b. Type the service name in Service Name. Use alphanumeric characters.
     c. Type a service ID in Service ID. Use + to add additional service IDs. Sample service IDs: urn:schemas-upnp-org:service:RenderingControl:1 or _sleep-proxy._udp.
     d. Click Ok.
     e. Select the check-box against the new AirGroup service.
   - Optionally, under the ClearPass Settings sub-accordion, configure the parameters listed in Table 95.
8. Click Save Settings.
The following table lists the AirGroup services.

Table 94: AirGroup Services

Mode / Description (each service also has an Enable check-box)

AirGroup Across Mobility Domains

AirGroup service availability in inter-cluster domains.

AirPrint

Wireless printing between AirPrint capable devices and AirPrint compatible printers.

AirPlay

Wireless streaming of music, video, or slide shows from AirPlay capable devices to AirPlay compatible devices.

iTunes

iTunes service for home-sharing applications.

Remote Management

Remote login, remote management, or FTP utilities on compatible devices.

Sharing

Applications like disk sharing or file sharing on compatible devices.

Chat

Instant messenger application between compatible devices.

Googlecast

Wireless streaming of audio or video content from the Internet or local network on an HDTV through a Chromecast device.

DIAL

Wireless streaming between DIAL compatible devices, such as Roku, Chromecast, or FireTV.

AmazonTV

Wireless playing of content from the Internet or local network on an HDTV through a FireTV device.

DLNA Print

Wireless printing between DLNA capable devices and DLNA compatible printers.

DLNA Media

Wireless browsing or playing of audio or video content by applications like Windows Media Player on remote devices.

Allow All

All AirGroup services.

The following table lists the ClearPass settings.

Table 95: ClearPass Settings

Mode / Description

ClearPass Policy Manager Server 1

Specify the ClearPass Policy Manager server to use. Select one from the drop-down or define a new ClearPass Policy Manager server.

Enforce ClearPass Registration

Specify whether ClearPass registration should be enforced.

Configuring an IAP for RTLS Support
Aruba Central supports the real time tracking of devices. With the help of the RTLS, the devices can be monitored in real time or through history.
To configure RTLS, complete the following steps:
1. In the Aruba Central On-Premises app, use the filter to select a group or a device.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click Services. The Services page is displayed.
5. Click Real Time Locating System > Aruba.
6. Select Aruba RTLS to send the RFID tag information to the Aruba RTLS server.
7. Click 3rd Party and select Aeroscout to send reports on the stations to a third-party server.
8. In the IP/FQDN and Port fields, specify the IP address and port number of the RTLS server to which location reports must be sent.
9. In the Passphrase field, enter the passphrase required for connecting to the RTLS server.
10. Retype the passphrase in the Retype Passphrase field.
11. Specify the update interval within the range of 6-60 seconds in the Update every field. The default interval is 30 seconds.
12. If 3rd Party is selected, specify the IP address and port number of the 3rd party server.
13. Select Include Unassociated Stations to send reports on the stations that are not associated to any Instant AP.
14. Click Save Settings.
Configuring an IAP for ALE Support
ALE is designed to gather client information from the network, process it and share it through a standard API. The client information gathered by ALE can be used for analyzing a client's Internet behavior for business such as shopping preferences.
ALE includes a location engine that calculates the associated and unassociated device location every 30 seconds by default. For every device on the network, ALE provides the following information through the Northbound API:
- Client user name
- IP address
- MAC address
- Device type
- Application firewall data, showing the destinations and applications used by associated devices.
- Current location
- Historical location
ALE requires the access point (AP) placement data to be able to calculate location for the devices in a network.
ALE with Aruba Central
Aruba Central supports Analytics and Location Engine (ALE). The ALE server acts as a primary interface to all third-party applications and the IAP sends client information and all status information to the ALE server.
To integrate an IAP with ALE, the ALE server address must be configured on the IAP. If the ALE server is configured with a host name, the Virtual Controller performs mutual certificate-based authentication with the ALE server before sending any information.


Enabling ALE support on an IAP
To configure an IAP for ALE support:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Services tab. The Services page is displayed.
5. Click the Real Time Locating System accordion.
6. Click Aruba, and then select Analytics & Location.
7. Specify the ALE server name or IP address in the Server field.
8. Specify the reporting interval within the range of 6-60 seconds in the Report Interval field. The IAP sends messages to the ALE server at the specified interval. The default interval is 30 seconds.
9. Click Save Settings.
Managing BLE Beacons
Instant Access Points (IAPs) support Aruba BLE devices, such as BT-100 and BT-105, which are used for location tracking and proximity detection. The BLE devices can be connected to an IAP and are managed by a cloud-based Beacon Management Console. The BLE Beacon Management feature allows you to configure parameters for managing the BLE beacons and establishing secure communication with the Beacon Management Console.
Support for BLE Asset Tracking
Assets can be tracked using BLE tags; the BLE radio in the IAP scans for them. When a tag is detected, the IAP sends information about the tag, including its MAC address and RSSI, to the Virtual Controller. To manage beacons and configure the BLE operation mode, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Services tab. The Services page is displayed.
5. Click the Real Time Locating System accordion.
6. Click Aruba.
7. Select Manage BLE Beacons to manage the BLE devices using BMC.
   - Enter the authorization token in Authorization token. The authorization token is a text string of 1-255 characters used by the BLE devices in the HTTPS header when communicating with the BMC. This token is unique for each deployment.
   - Enter the server URL in Endpoint URL. The BLE data is sent to the server URL for monitoring.
8. Select the option from the BLE Operation Mode drop-down list described in Table 96.
9. To configure the BLE web socket management server, enter its URL in BLE Asset Tag Mgmt Server(wss).
10. Select BLE Asset Tag Mgmt Server(https) to configure the BLE HTTPS management server.
   - Enter the URL of the BLE HTTPS management server in Server URL.
   - Enter the authorization token in Authorization token.
   - Enter the location ID in Location ID.
11. Click Save Settings.
The following table lists the BLE Operation Mode options.

Table 96: BLE Operation Modes

Mode

Description

beaconing

The built-in BLE chip in the IAP functions as an iBeacon combined with the beacon management functionality.

disabled

The built-in BLE chip of the IAP is turned off. The BLE operation mode is set to Disabled by default.

dynamicconsole

The built-in BLE chip of the IAP functions in the beaconing mode and dynamically enables access to IAP console over BLE when the link to LMS is lost.

persistentconsole

The built-in BLE chip of the IAP provides access to the IAP console over BLE and also operates in the Beaconing mode.

Configuring OpenDNS Credentials on IAPs
Instant Access Points (IAPs) use the OpenDNS credentials to provide enterprise-level content filtering. To configure OpenDNS credentials:
1. In the Aruba Central On-Premises app, use the filter to select a group or a device.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click Services. The Services page is displayed.
5. Click the OpenDNS accordion.
6. Enter the Username and Password.
7. Click Save Settings.
Configuring CALEA Server Support on IAPs
LI allows Law Enforcement Agencies to perform authorized electronic surveillance. Depending on the country of operation, ISPs are required to support LI in their respective networks. In the United States, service providers are required to ensure LI compliance based on CALEA specifications. Aruba Central supports CALEA integration with an Instant Access Point (IAP) in hierarchical and flat topologies, in mesh IAP networks, and on wired and wireless networks.

Enable this feature only if lawful interception is authorized by a law enforcement agency.

For more information on the communication and traffic flow from an IAP to CALEA server, see Aruba Instant User Guide.


To enable an IAP to communicate with the CALEA server, complete the following steps:
- Creating a CALEA Profile
- Creating ACLs for CALEA Server Support
Creating a CALEA Profile
To create a CALEA profile, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Services tab. The Services page is displayed.
5. Click the CALEA accordion.
6. Specify the following parameters:
   - IP address--Specify the IP address of the CALEA server.
   - Encapsulation type--Specify the encapsulation type. The current release of Aruba Central supports GRE only.
   - GRE type--Specify the GRE type.
   - MTU--Specify a size for the MTU within the range of 68-1500. After GRE encapsulation, if the packet length exceeds the configured MTU, IP fragmentation occurs. The default MTU size is 1500.
7. Click Save Settings.
Creating ACLs for CALEA Server Support
To create an access rule for CALEA, complete the following steps:
1. In the Aruba Central On-Premises app, use the filter to select a group or a device.
2. If you select a group, perform the following steps:
   a. Under Manage, click Devices > Access Points.
   b. Click the Config icon. The tabs to configure the group are displayed.
3. If you select a device, under Manage, click Devices.
4. Click Show Advanced, and click the Security tab. The Security page is displayed.
5. Click the Roles accordion.
6. Under Access Rules for Selected Roles, click the + icon. The New Rule window is displayed.
7. Set the Rule Type to CALEA.
8. Click Save.
9. Create a role assignment rule if required.
10. Click Save Settings.
Configuring IAPs for Palo Alto Networks Firewall Integration
Instant Access Points (IAPs) maintain network information (such as IP address mappings) and user information for the clients in the network. To integrate the IAP network with a third-party network, you can enable an IAP to provide this information to the third-party servers.

To integrate an IAP with a third-party network, you must add a global profile. This profile can be configured on an IAP with information such as IP address, port, user name, password, firewall enabled or disabled status.
Configuring an IAP for Network Integration
To configure an IAP for network integration:
1. In the Aruba Central On-Premises app, use the filter to select a group or a device.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click Services. The Services page is displayed.
5. Click the Network Integration accordion.
6. Select Enable to enable the PAN firewall integration.
7. Specify the Username and Password. Ensure that you provide the user credentials of the PAN firewall administrator.
8. Re-enter the password in Retype.
9. Enter the PAN firewall IP Address.
10. Enter the port number within the range of 1-65535. The default port is 443.
11. Enter the client domain in Client Domain.
12. Click Save Settings.
Enabling Application Visibility on Instant APs
To view application usage metrics for WLAN clients, enable the Application Visibility feature on Instant APs. To enable the Application Visibility feature, complete the following steps:
1. In the Aruba Central On-Premises app, select one of the following options:
   - To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click Show Advanced.
4. Click the Services tab. The Services page is displayed.


5. Expand the AppRF accordion.
6. Select any of the following options for Deep Packet Inspection:
   - All--Performs deep packet inspection on client traffic to applications, application categories, website categories, and websites with a specific reputation score.
   - App--Performs deep packet inspection on client traffic to applications and application categories.
   - WebCC--Performs deep packet inspection on client traffic to specific website categories and websites with specific reputation ratings.
   - None--Disables deep packet inspection.
7. Click Save Settings.
Enabling Application Visibility on Campus APs
To enable Application Visibility feature on Campus APs, you must configure DPI classification and firewall visibility feature on the managed device. The managed devices running ArubaOS 8.x.x.x send sessions telemetry periodically to the Aruba Central On-Premises management server by using the AMON protocol. The following command enables DPI classification on the managed device.
(host) [mynode](config) #firewall dpi
The following command enables policy enforcement firewall visibility feature on the managed device.
(host) [mynode] (config) #firewall-visibility
The following command configures management server profile on the managed device and sends firewall session messages to the Aruba Central On-Premises management server.
(host) [mynode](config) #mgmt-server profile <name>
(host) [mynode](Mgmt Config profile "<name>") #sessions-enable
The following command displays whether sessions are enabled in the default-amp management server configuration profile.
Ensure that the profile name is the same as the profile used for connecting to the Aruba Central On-Premises management server.

(host) [mynode] (config) #show mgmt-server profile default-amp
Mgmt Config profile "default-amp" (Predefined (changed))
--------------------------------------------------------
Parameter                    Value
---------                    -----
Stats                        Enabled
Stats_Ext                    Disabled
Generic_amon                 Enabled
Tag                          Enabled
Sessions                     Enabled
Monitored Info - Add/Update  Disabled

You cannot enable the Application Visibility feature on Campus APs using Aruba Central On-Premises WebUI. You must configure Application Visibility feature using ArubaOS WebUI.
For more information on the WebUI steps and the output displayed for the CLI commands, see the following documents at the Aruba Support site:
- ArubaOS CLI Reference Guide
- ArubaOS User Guide
Enabling Application Visibility at Client and Site Level
To enable Application Visibility feature at client or site level for Campus APs, the firewall visibility sessions telemetry must be grouped based on the same BSSID, and sent to Aruba Central On-Premises server. The following command enables grouping of firewall visibility sessions telemetry based on the same BSSID on managed devices.
(host) [mynode] (config) #firewall-visibility feed sort-by-bssid
(host) [mynode] (config) #write memory
The following command displays whether BSSID-based grouping of firewall visibility sessions telemetry is enabled on the managed devices.
(host) [mynode] #show firewall-visibility status
Firewall Visiblity Status: enabled
Sort by Bssid Status:
sorting enabled: Enabled
sort by bssid needed: Enabled


This feature is supported in the following ArubaOS release versions:
- ArubaOS 8.6.0.17
- ArubaOS 8.7.1.9
- ArubaOS 8.10.0.0 and later versions
Enabling AirSlice on APs
Aruba AirSlice, based on IEEE 802.11ax standard, is similar to 5G network slicing architecture which allows network operators to build virtual networks tailored for specific application requirements. AirSlice allows network operators to monitor applications used by clients. AirSlice supports multiple services such as gaming, IoT, voice, video, and so on. AirSlice is available for all clients; however, 802.11ax clients have enhanced benefits due to efficient uplink and downlink traffic scheduling mechanism. The AirSlice feature is available for only Advanced access points (APs) licenses. For devices that have Advanced licenses, the AirSlice feature provides custom-applications prioritization with visibility, configuration, and supports unlimited applications. For customers with legacy licenses, the Aruba AirSlice feature is allow listed till the expiry of the legacy licenses.
AirSlice is supported only on 550 Series and 530 Series APs running Aruba InstantOS 8.7.0.0 and later version. You must enable Deep Packet Inspection before configuring AirSlice.
AirSlice support is available only for the following applications:
- Zoom
- Slack
- Skype
- WebEx
- GoToMeeting Online Meeting
- Microsoft Office 365
- Dropbox
- Amazon Web Services/Cloudfront CDN
- GitHub
- Microsoft Teams
- ALG Wi-fi Calling
To enable AirSlice, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Services tab. The Services page is displayed.
6. Expand the AppRF accordion.
7. Select App from the Deep Packet Inspection drop-down list.
8. Enable the Application Monitoring toggle switch.
9. Enable the AirSlice Policy toggle switch.
10. Click Save Settings.
Configuring XML API Interface
The XML API interface allows Instant Access Points (IAPs) to communicate with an external server. The communication between an IAP and an external server through the XML API interface includes the following steps:
- An API command is issued in the XML format from the server to the virtual controller.
- The virtual controller processes the XML request, identifies where the client is, and sends the command to the correct member IAP.
- Once the operation is completed, the virtual controller sends the XML response to the XML server.
- The administrators can use the response and take appropriate action to suit their requirements. The response from the virtual controller is returned using the predefined formats.
To configure XML API for servers, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to select a group or a device.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click Services. The Services page is displayed.
5. Go to Network Integration > XML API Server Configuration.
6. Click + to add a new XML API server.
7. Enter a name for the XML API server in the Name text box.
8. Enter the IP address of the XML API server in the IP Address text box.
9. Enter the subnet mask of the XML API server in the Mask text box.
10. Enter a passcode in the Passphrase text box, to enable authorized access to the XML API server.
11. Re-enter the passcode in the Retype Passphrase box.
12. To add multiple entries, repeat the procedure.
13. Click Add.
14. Click Save Settings.
15. To edit or delete the server entries, use the Edit and Delete buttons, respectively.
For information on adding an XML API request, see Aruba Instant User Guide.
Client Match
Client Match is an Aruba Central service which helps to improve the experience of wireless clients. Client match identifies wireless clients that are not getting the required level of service at the AP to which they are currently associated and intelligently steers them to an access point (AP) radio that can provide better service and thereby improves user experience.
Steer Types
Client match periodically checks the health of current association of the clients and determines if a sticky steer or band steer should be considered.


Sticky Steer
Sticky clients tend to stay associated to an AP despite deteriorating signal levels. Client match continuously monitors the RSSI of sticky clients while they are associated to an AP and, if needed, moves them to a radio that offers a better experience. This prevents clients from remaining associated to an AP with less than ideal RSSI, which can cause poor connectivity and reduce performance for other clients associated with that AP.
Band Steer
Dual-band clients can associate with a 2.4 GHz radio or 5 GHz radio. In band steer, client match moves dual-band clients from the 2.4 GHz radio to the 5 GHz radio of the same AP.
Steering Methods
After determining the steer type, client match determines the best neighbor radio to steer the client to and orchestrates the client steer by sending action messages to the APs to carry out the steer. The way client match steers the clients depends on whether the clients are 802.11v-capable.
Steering for 802.11v-capable Client
To steer 802.11v-capable clients, client match triggers the AP to send out an 802.11v BSS transition management request to the client and waits for a response.
Steering for Non-802.11v-capable Client
To steer non-802.11v-capable clients, client match triggers all neighboring AP radios (except the intended destination) to block the client from associating for 5 seconds. 2 seconds after that, the AP to which the client is currently associated sends an 802.11 deauthentication management frame to the client. When the client tries to re-associate, only the intended AP radio allows the client to associate with it.
Monitoring Client Match in Aruba Central
To view client match events in Aruba Central:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Analyze, click Alerts & Events > Events.
3. Click Click here for advanced filtering.
4. Select Client Match Steer.
5. Click Filter.
6. Hover over the required event.
Configuring RRM IE Profile
Aruba Central On-Premises supports the Radio Resource Management Information Element (RRM IE) profiles advertised by the AP. The RRM IE signal support is for the radio measurements in a device. The clients use this IE to specify their radio measurement capabilities. The RRM IE profiles are available only for 6 GHz radio profiles. You can assign the RRM IE profiles to the radio profiles on the Radios > RF > Radio WebUI page. For more information, see Configuring Radio Parameters.
To configure RRM IE profiles, complete the following steps:

1. In the Aruba Central On-Premises app, use the filter to select a group or a device.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click Services. The Services page is displayed.
5. Click the RRM IE Profile accordion. The RRM IE profile table is displayed.
6. Click + on the RRM IE profile table. The RRM IE profile configuration window is displayed.
7. Configure the following parameters:
   a. Name--Enter the name for the RRM IE profile.
   b. Country--When enabled, the AP advertises the device's regulatory domain in beacon and probe responses.
   c. Enabled Capabilities--When enabled, the AP advertises support for radio measurements in a device in beacon and probe responses.
8. Click OK.
9. Click Save Settings.
- To edit the RRM IE profile, select a profile from the RRM IE Profile table and click the edit icon.
- To delete the RRM IE profile, select a profile from the RRM IE Profile table and click the delete icon.
Configuring Uplink Interfaces on IAPs
This section provides the following information:
- Uplink Interfaces
- Uplink Preferences and Switching
Uplink Interfaces
Aruba Central On-Premises supports 3G/4G USB modems, ethernet, and the Wi-Fi uplink to provide access to the corporate network.
By default, the AP-318, AP-374, AP-375, and AP-377 access points (APs) have Eth1 as the uplink port and Eth0 as the downlink port. Aruba recommends that you do not upgrade the mentioned access points to the 8.5.0.0 and 8.5.0.1 firmware versions, as the upgrade process changes the uplink from the Eth1 to the Eth0 port, thereby making the devices unreachable.
The following types of uplinks are supported on Aruba Central:
- LTE (4G) Uplink
- Ethernet Uplink
- Wi-Fi Uplink


LTE (4G) Uplink
Aruba Central On-Premises supports the use of LTE (4G) USB modems to provide the Internet back haul to Aruba Central On-Premises. The LTE (4G) USB modems can be used to extend client connectivity to places where an Ethernet uplink cannot be configured. This enables the IAPs to automatically choose the available network in a specific region.
For more information about the supported interoperability devices, select 4G Modem from the Product Category drop-down to see the list of supported 4G modems on https://www.arubanetworks.com/support-services/interoperability/.
Configuring Cellular Uplink Profiles
To configure 3G or 4G uplinks using Aruba Central, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Under 3G/4G, perform any of the following steps:
   - To configure a 3G or 4G uplink automatically, select the Country and ISP. The parameters are automatically populated.
   - To configure a 3G or 4G uplink manually, perform the following steps:
     - Select the country from the Country drop-down list.
     - Select the service protocol from the ISP drop-down list.
     - Enter the 3G/4G modem driver type:
       - For 3G--Enter the type of 3G modem in the USB Type text box.
       - For 4G--Enter the type of 4G modem in the 4G USB Type text box.
     - Enter the following details:
       - USB DEV--Enter the device ID of the modem.
       - USB TTY--Enter the TTY port of the modem.
       - USB INIT--Enter the parameter to initialize the modem.
       - USB Dial--Enter the parameter to dial the cell tower.
       - USB Mode Switch--Enter the parameter used to switch a modem from the storage mode to modem mode.
       - USB Auth Type--Select the USB authentication type from the drop-down list.
       - USB User--Enter the username used to dial the ISP.
       - USB Password--Enter the password used to dial the ISP.
8. Click Save Settings.
9. Reboot the IAP for the changes to take effect.

Ethernet Uplink
The Ethernet 0 port on an IAP is enabled as an uplink port by default. The Ethernet uplink supports the following:
- PPPoE
- DHCP
- Static IP
You can use PPPoE for your uplink connectivity in a single AP deployment.
Uplink redundancy with the PPPoE link is not supported.
When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured, PPPoE has the highest priority for the uplink connections. The IAP can establish a PPPoE session with a PPPoE server at the ISP and get authenticated using PAP or CHAP. Depending upon the request from the PPPoE server, either the PAP or the CHAP credentials are used for authentication. After configuring PPPoE, reboot the IAP for the configuration to take effect. The PPPoE connection is dialed after the AP comes up. The PPPoE configuration is checked during IAP boot and, if the configuration is correct, Ethernet is used for the uplink connection.
When PPPoE is used, do not configure Dynamic RADIUS Proxy and the IP address of the VC. An SSID created with the default VLAN is not supported with a PPPoE uplink.
You can also configure an alternate Ethernet uplink to enable uplink failover when an Ethernet port fails.
Configuring PPPoE Uplink Profile
To configure PPPoE settings, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Under PPPoE, configure the following parameters:
   - Enter the PPPoE service name provided by your service provider in the Service Name field.
   - In the CHAP Secret and Retype CHAP Secret fields, enter the secret key used for CHAP authentication. You can use a maximum of 34 characters for the CHAP secret key.
   - To set a local interface for the PPPoE uplink connections, select a value from Local Interface. The selected DHCP scope is used as a local interface on the PPPoE interface and the Local, L3 DHCP gateway IP address as its local IP address. When configured, the local interface acts as an unnumbered PPPoE interface and allocates the entire Local, L3 DHCP subnet to the clients.
   - Enter the user name for the PPPoE connection in the User field.
   - In the Password and Retype Password fields, enter a password for the PPPoE connection and confirm it.
   The options in Local Interface are displayed only if a Local, L3 DHCP scope is configured on the IAP.
8. Click Save Settings.
9. Reboot the IAP.
Wi-Fi Uplink
The Wi-Fi uplink is supported for all IAP models, except 802.11ac APs. Only the conductor IAP uses the Wi-Fi uplink. The Wi-Fi uplink can connect to open, PSK-CCMP, and PSK-TKIP SSIDs.
Important Points
- For single radio IAPs, the radio serves wireless clients and Wi-Fi uplink.
- For dual radio IAPs, both radios can be used to serve clients but only one of them can be used for Wi-Fi uplink.
When Wi-Fi uplink is in use, the client IP is assigned by the internal DHCP server.
Configuring a Wi-Fi Uplink Profile
The following configuration conditions apply to the Wi-Fi uplink:
- To bind or unbind the Wi-Fi uplink on the 5 GHz band, reboot the IAP.
- If Wi-Fi uplink is used on the 5 GHz band, mesh is disabled. The two links are mutually exclusive.
To provision an IAP with Wi-Fi Uplink, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Under Wi-Fi, enter the name of the wireless network that is used for Wi-Fi uplink in the Name (SSID) box.
8. From Band, select the band in which the VC currently operates. The following options are available:
   - 2.4 GHz (default)
   - 5 GHz
   - 6 GHz
9. From the Key Management drop-down list, select the type of key for uplink encryption and authentication.
   - When WPA Personal, WPA-2 Personal, or WPA3 Personal key management type is selected, the passphrase options are available for configuration.
   - Select a passphrase format from the Passphrase Format drop-down list. The following passphrase options are available:
     - 8 - 63 alphanumeric characters
     - 64 hexadecimal characters
     Ensure that the hexadecimal password string is exactly 64 digits in length.
   - Enter a PSK passphrase in the Passphrase text box.
   - When WPA Enterprise or WPA-2 Enterprise key management type is selected, the 802.1x authentication options are available for configuration.
   - From the WiFi1X drop-down list, select the 802.1x authentication protocol to be used:
     - Specify the certificate type to be used by selecting Cert TPM or Cert User.
     - If the PEAP authentication type is selected, enter the user credentials in the Username and Password text boxes.
   - Toggle the Validate Server button to enable or disable server certificate verification by the AP.
10. Click Save Settings and reboot the IAP.
If the uplink wireless router uses mixed encryption, WPA-2 Personal or WPA-2 Enterprise is recommended for Wi-Fi uplink.
Uplink Preferences and Switching
This section describes the following topics:
- Enforcing Uplinks
- Setting an Uplink Priority
- Enabling Uplink Pre-emption
Enforcing Uplinks
The following conditions apply to the uplink enforcement:
- When an uplink is enforced, the Instant Access Point (IAP) uses the specified uplink regardless of the uplink pre-emption configuration and the current uplink status.
- When an uplink is enforced and multiple Ethernet ports are configured and uplink is enabled on the wired profiles, the IAP tries to find an alternate Ethernet link based on the priority configured.
- When no uplink is enforced and pre-emption is not enabled, and if the current uplink fails, the IAP tries to find an available uplink based on the priority configured.
- When no uplink is enforced and pre-emption is enabled, and if the current uplink fails, the IAP tries to find an available uplink based on the priority configured. If the current uplink is active, the IAP periodically tries to use a higher priority uplink and switches to the higher priority uplink even if the current uplink is active.
To enforce a specific uplink on an IAP, complete the following steps:


1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Expand the Uplink accordion.
7. Under Management > Enforce Uplink, select the type of uplink from the drop-down list. If Ethernet uplink is selected, the Port field is displayed.
8. Specify the Ethernet interface port number.
9. Click Save Settings.
The selected uplink is enforced on the IAP.
Setting an Uplink Priority
To set an uplink priority, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Under Management > Uplink Priority List, move the uplink up or down to increase or decrease the priority. By default, the Eth0 uplink is set as a high priority uplink.
8. Click Save Settings.
The selected uplink is prioritized over other uplinks.
Enabling Uplink Pre-emption
The following configuration conditions apply to uplink pre-emption:
- Pre-emption can be enabled only when no uplink is enforced.
- When pre-emption is disabled and the current uplink fails, the IAP tries to find an available uplink based on the uplink priority configuration.
- When pre-emption is enabled and the current uplink is active, the IAP periodically tries to use a higher priority uplink, and switches to a higher priority uplink even if the current uplink is active.
To enable uplink pre-emption, complete the following steps:

1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Under Management, ensure that Enforce Uplink is set to None.
8. Select the Pre-emption check-box.
9. Specify a value for Pre-emption Interval.
10. Click Save Settings.
Switching Uplinks based on the Internet Availability
You can configure Aruba Central to switch uplinks based on the Internet availability.
When the uplink switchover based on Internet availability is enabled, the IAP continuously sends ICMP packets to some well-known Internet servers. If the request is timed out due to a bad uplink connection or uplink interface failure, and the Internet is not reachable from the current uplink, the IAP switches to a different connection.
To configure uplink switching, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Under Management, specify a value for Failover Internet IP.
8. Select the Internet Failover check-box.
9. Specify values for Failover Internet Packet Send Frequency, Failover Internet Packet Lost Count, and Internet Check Timeout.
10. Click Save Settings.


- By default, the conductor AP sends the ICMP packets to the 8.8.8.8 IP address only if the out-of-service operation based on Internet availability (internet-down state) is configured on the SSID. You can use Failover Internet IP as an alternative to the default option to configure an IP address to which the AP must send the ICMP packets, and verify whether the Internet is reachable when the uplink is down.
- When Internet Failover is enabled, the IAP ignores the VPN status, even if uplink switching based on VPN status is enabled.
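The uplink rules from Enforcing Uplinks, Enabling Uplink Pre-emption and the Internet-availability switchover above, modelled as a small decision procedure. This is an added example written from the guide's description, not Aruba code; the uplink names, the link-status input and the per-probe lost counter are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added model of the IAP uplink rules described in this guide; not Aruba
# code. Uplink names and the probe bookkeeping are assumptions.


@dataclass
class UplinkState:
    priority: List[str]             # Uplink Priority List, highest first
    link_up: Dict[str, bool]        # link status per uplink (assumed input)
    enforced: Optional[str] = None  # Enforce Uplink: None or an uplink name
    preemption: bool = False        # Pre-emption check-box
    current: Optional[str] = None   # uplink currently in use


def select_uplink(st: UplinkState) -> Optional[str]:
    """Return the uplink the IAP should use, updating st.current."""
    # An enforced uplink is used regardless of pre-emption or link status.
    if st.enforced is not None:
        st.current = st.enforced
        return st.current
    current_ok = st.current is not None and st.link_up.get(st.current, False)
    if not current_ok:
        # Current uplink failed (or none chosen yet): walk the priority list
        # and take the first available uplink.
        st.current = next((u for u in st.priority if st.link_up.get(u)), None)
        return st.current
    if st.preemption:
        # Pre-emption: move to a higher-priority uplink that has become
        # available, even though the current uplink is still active.
        for u in st.priority:
            if u == st.current:
                break
            if st.link_up.get(u):
                st.current = u
                break
    return st.current


@dataclass
class InternetCheck:
    """Counts lost ICMP probes to the Failover Internet IP against the
    Failover Internet Packet Lost Count; send frequency and timeout only
    pace the probes and are not modelled here."""
    lost_count_limit: int
    lost: int = 0

    def observe(self, reply_received: bool) -> bool:
        """Feed one probe result; True when the lost-count threshold is hit."""
        if reply_received:
            self.lost = 0
            return False
        self.lost += 1
        return self.lost >= self.lost_count_limit


def on_probe(st: UplinkState, chk: InternetCheck,
             reply_received: bool) -> Optional[str]:
    """Internet Failover: when probes keep failing, treat the current uplink
    as unusable and re-run the selection so the IAP moves to another one."""
    if chk.observe(reply_received) and st.current is not None:
        st.link_up[st.current] = False
        chk.lost = 0
    return select_uplink(st)


if __name__ == "__main__":
    state = UplinkState(priority=["eth0", "wifi", "lte"],
                        link_up={"eth0": True, "wifi": True, "lte": True})
    probe = InternetCheck(lost_count_limit=3)
    print(select_uplink(state))            # eth0: highest priority, link up
    chosen = None
    for reply in (False, False, False):    # three lost probes in a row
        chosen = on_probe(state, probe, reply)
    print(chosen)                          # wifi: eth0 marked down, next by priority
```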
Configuring Preferred Uplink on AP-318 and 370 Series APs
The AP-318 and 370 Series APs have an ethernet port for Eth0 and a fibreport for Eth1. Either of these ports can be configured as the uplink port as required. By default, Eth1 port is configured as the uplink for these AP platforms. All functionality of the Eth0 port is supported by Eth1 port with exception to the following:
- The Eth0 bridging feature is not supported when the Eth1 port is configured as the preferred uplink.
- If LACP is enabled, the Eth1 port cannot be configured as the preferred uplink.
By default, the AP-318, AP-374, AP-375, and AP-377 IAPs have Eth1 as the uplink port and Eth0 as the downlink port. Aruba recommends that you do not upgrade the mentioned access points to the 8.5.0.0 and 8.5.0.1 firmware versions, as the upgrade process changes the uplink from the Eth1 to the Eth0 port, thereby making the devices unreachable.
Configuring Enterprise Domains
In a typical Instant Access Point (IAP) deployment without tunneling, all DNS requests from a client are forwarded to the client's DNS server by default. However, if an IAP is configured for tunneling, the IAP-VPN enables split DNS by default, and the DNS behavior for the clients on the IAP network is determined by the enterprise domain settings. The enterprise domain setting on the IAP specifies the domains for which DNS resolution must be forwarded to the default DNS server of the client. For example, if the enterprise domain is configured for arubanetworks.com, the DNS resolution for host names in the arubanetworks.com domain is forwarded to the default DNS server of the client. The DNS resolution for host names in all other domains is forwarded to the local DNS server of the IAP.
In a full-tunnel mode, all DNS traffic is forwarded over IPSec tunnel to DNS server of the client regardless of the enterprise domain configuration. If an asterisk is configured in the enterprise domain list instead of a domain name, then all DNS requests are forwarded to the default DNS server of the client. Split DNS functionality is supported for IAP-VPN scenarios only.
To configure an enterprise domain, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Enterprise Domains accordion.
7. Click + in the Enterprise Domains pane, and enter a name in the New Domain Name window.
8. Click OK.
9. Click Save Settings.
To delete an enterprise domain, select the domain in the Enterprise Domains pane, and then click the delete icon.

Configuring SNMP Parameters
This section describes the following topics:
- SNMP Configuration Parameters on page 438
- Configuring Community String for SNMP on page 439
- Configuring SNMP Trap Receivers on page 440

SNMP Configuration Parameters
Aruba Central On-Premises supports SNMPv1, SNMPv2c, and SNMPv3 for reporting purposes only. An Instant Access Point (IAP) cannot use SNMP to set values in an Aruba system.
The following table lists the SNMP configuration parameters for an IAP.

Table 97: SNMP Parameters

Data Pane Item: Description

Community Strings for SNMPV1 and SNMPV2
    An SNMP Community string is a text string that acts as a password, and is used to authenticate messages sent between the virtual controller and the SNMP agent.

If you are using SNMPv3 to obtain values from the IAP, you can configure the following parameters.

Name
    A string representing the name of the user.

Authentication Protocol
    An indication of whether messages sent on behalf of this user can be authenticated, and if so, the type of authentication protocol used. This can take one of the two values:
    - MD5--HMAC-MD5-96 Digest Authentication Protocol
    - SHA--HMAC-SHA-96 Digest Authentication Protocol

Authentication protocol password
    If messages sent on behalf of this user can be authenticated, the (private) authentication key for use with the authentication protocol. This is a string password for MD5 or SHA depending on the choice above.

Privacy protocol
    An indication of whether messages sent on behalf of this user can be protected from disclosure, and if so, the type of privacy protocol which is used. This takes the value DES (CBC-DES Symmetric Encryption).

Privacy protocol password
    If messages sent on behalf of this user can be encrypted/decrypted with DES, the (private) privacy key for use with the privacy protocol.
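How the SNMPv3 authentication and privacy passwords in Table 97 become the keys the agent actually uses: the USM password-to-key and key-localization steps from RFC 3414 Appendix A, followed by the HMAC-MD5-96 / HMAC-SHA-96 truncation and the DES key/pre-IV split. This is an added example, not Aruba code; the sample password and engine ID are the RFC 3414 test-vector values, and a real IAP's engine ID is obtained from the device itself.

```python
import hashlib
import hmac
from typing import Tuple

# Added example of RFC 3414 USM key handling; not Aruba code. Algorithm names
# are hashlib names: "md5" for the MD5 choice, "sha1" for the SHA choice.

ONE_MEGABYTE = 1048576


def password_to_key(password: str, algo: str) -> bytes:
    """Ku (RFC 3414 A.2.1/A.2.2): hash exactly 1 MB of the password repeated.
    The 1 MB expansion makes brute-forcing a captured message more costly."""
    pw = password.encode()
    reps, rem = divmod(ONE_MEGABYTE, len(pw))
    h = hashlib.new(algo)
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): binds the key to one agent, so the same
    password yields a different key on every IAP (virtual controller)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_localized_key(password: str, engine_id: bytes, algo: str) -> bytes:
    """Localized key for a user password against a given agent engine ID."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


def auth_parameter(kul: bytes, message: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters for HMAC-MD5-96 / HMAC-SHA-96: the HMAC
    over the whole message, truncated to its first 12 bytes (96 bits)."""
    return hmac.new(kul, message, algo).digest()[:12]


def des_privacy_material(kul: bytes) -> Tuple[bytes, bytes]:
    """CBC-DES (RFC 3414 8.1.1.1): first 8 bytes of the localized privacy key
    are the DES key, the next 8 bytes are the pre-IV."""
    return kul[:8], kul[8:16]


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", 12-byte engine ID.
    engine_id = bytes.fromhex("000000000000000000000002")
    for algo in ("md5", "sha1"):
        kul = usm_localized_key("maplesyrup", engine_id, algo)
        print(algo, kul.hex())
    # A different engine ID gives a different localized key for the same password.
    other = usm_localized_key("maplesyrup", bytes.fromhex("800007e5010a000001"), "sha1")
    print("other engine:", other.hex())
```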


Configuring Community String for SNMP
This section describes the procedure for configuring SNMPv1, SNMPv2, and SNMPv3 community strings in Aruba Central.
Creating Community strings for SNMPv1 and SNMPv2 using Aruba Central
To create community strings for SNMPv1 and SNMPv2, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the SNMP accordion.
7. Under SNMP, click + to add a new community string.
8. In the New SNMP window, enter a name for the community string.
9. Click OK.
10. Click Save Settings.
To delete a community string, select the string in the SNMP pane, and then click the delete icon.
Creating community strings for SNMPv3 using Aruba Central
To create community strings for SNMPv3, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the SNMP accordion.
7. Under User for SNMPV3, click + to add a new community string for SNMPv3.
8. In the New SNMPv3 User window, enter the following information:
   - In the Name field, enter the name for the SNMPv3 user.
   - In the Auth protocol drop-down list, select the type of authentication protocol.
   - In the Password text-box, enter the authentication password and retype the password in the Retype Password text-box.
   - In the Privacy protocol drop-down list, select the type of privacy protocol.
   - In the Password text-box, enter the privacy protocol password and retype the password in the Retype Password text-box.
   - Click OK.
9. Click Save Settings.
To edit the details for a particular user, select the user, and then click the edit icon. To delete a particular user, select the user, and then click the delete icon.
Configuring SNMP Trap Receivers
Aruba Central On-Premises supports the configuration of external trap receivers. Only the Instant AP acting as the VC generates traps. The OID of the traps is 1.3.6.1.4.1.14823.2.3.3.1.200.2.X. To configure SNMP traps, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the SNMP accordion.
7. Under SNMP Traps Receivers, click + to add a new community string for SNMP Traps Receivers.
8. In the New SNMP Trap Receiver window, enter the following information:
   - In the IP Address text-box, enter the IP address of the new SNMP Trap Receiver.
   - In the Version drop-down list, select the SNMP version, such as v1, v2c, v3. The version specifies the format of traps generated by the access point.
   - In the Community/Username text-box, specify the community string for SNMPv1 and SNMPv2c traps and a username for SNMPv3 traps.
   - In the Port text-box, enter the port to which the traps are sent. The default value is 162.
   - In the Inform drop-down list, select Yes or No. When enabled, traps are sent as SNMP INFORM messages. It is applicable to SNMPv3 only. The default value is Yes.
   - Click OK.
9. Click Save Settings.
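The following Python is an added example, not Aruba's code: it models the SNMPv3 user fields from Table 97 and the New SNMP Trap Receiver fields from the steps above, and runs the consistency checks a reviewer would apply before clicking Save Settings (community strings judged as the passwords the guide says they are, SNMPv3 users without authentication or privacy, v3 trap receivers whose username matches no configured user, and Inform left on for a v1/v2c receiver where the guide says it applies to SNMPv3 only). It also matches received trap OIDs against the VC trap prefix quoted above. The class names, thresholds and sample values are assumptions constructed for the example; Aruba Central exposes no such API.

```python
"""Offline consistency check for the SNMP settings described in this section."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional

# VC trap OID prefix quoted in the guide; the trailing .X is the trap-specific suffix.
VC_TRAP_OID_PREFIX = "1.3.6.1.4.1.14823.2.3.3.1.200.2."
DEFAULT_TRAP_PORT = 162   # default shown in the New SNMP Trap Receiver window
WELL_KNOWN_COMMUNITIES = {"public", "private"}   # vendor defaults, widely known


@dataclass
class SnmpV3User:
    """Fields of the New SNMPv3 User window (Table 97). Constructed model, not an Aruba API."""
    name: str
    auth_protocol: Optional[str]             # "MD5", "SHA" or None (no authentication)
    auth_password: str = ""
    privacy_protocol: Optional[str] = None   # only "DES" is offered in this release
    privacy_password: str = ""


@dataclass
class TrapReceiver:
    """Fields of the New SNMP Trap Receiver window."""
    ip_address: str
    version: str                     # "v1", "v2c" or "v3"
    community_or_username: str       # community string (v1/v2c) or SNMPv3 user name (v3)
    port: int = DEFAULT_TRAP_PORT
    inform: bool = True              # Inform drop-down; the guide says it applies to SNMPv3 only


@dataclass
class SnmpConfig:
    communities: List[str] = field(default_factory=list)   # SNMPv1/v2c community strings
    v3_users: List[SnmpV3User] = field(default_factory=list)
    trap_receivers: List[TrapReceiver] = field(default_factory=list)


def audit(cfg: SnmpConfig) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    for c in cfg.communities:
        # Table 97 says a community string acts as a password, so judge it as one.
        if c.lower() in WELL_KNOWN_COMMUNITIES or len(c) < 8:
            findings.append(f"community '{c}': well-known or shorter than 8 characters")
    user_names = set()
    for u in cfg.v3_users:
        user_names.add(u.name)
        if u.auth_protocol is None:
            findings.append(f"v3 user '{u.name}': no authentication protocol (noAuthNoPriv)")
        elif u.auth_protocol == "MD5":
            findings.append(f"v3 user '{u.name}': HMAC-MD5-96 selected; SHA is the stronger option offered")
        if u.auth_protocol and not u.auth_password:
            findings.append(f"v3 user '{u.name}': authentication protocol set but password empty")
        if u.privacy_protocol is None:
            findings.append(f"v3 user '{u.name}': no privacy protocol, traffic is not encrypted")
        elif not u.privacy_password:
            findings.append(f"v3 user '{u.name}': privacy protocol set but password empty")
    for r in cfg.trap_receivers:
        try:
            ip_address(r.ip_address)
        except ValueError:
            findings.append(f"trap receiver '{r.ip_address}': not a valid IP address")
        if r.version not in ("v1", "v2c", "v3"):
            findings.append(f"trap receiver {r.ip_address}: unknown version '{r.version}'")
        if r.version == "v3" and r.community_or_username not in user_names:
            findings.append(f"trap receiver {r.ip_address}: v3 username "
                            f"'{r.community_or_username}' has no matching SNMPv3 user")
        if r.version != "v3" and r.inform:
            findings.append(f"trap receiver {r.ip_address}: Inform=Yes has no effect for "
                            f"{r.version} (SNMPv3 only)")
        if not 1 <= r.port <= 65535:
            findings.append(f"trap receiver {r.ip_address}: port {r.port} out of range")
    return findings


def is_vc_trap(oid: str) -> bool:
    """True when a received trap OID matches the VC trap prefix quoted in the guide."""
    if not oid.startswith(VC_TRAP_OID_PREFIX):
        return False
    return oid[len(VC_TRAP_OID_PREFIX):].isdigit()


# Constructed sample: a well-known community, an MD5 user without privacy,
# and a v2c receiver with Inform left at its default of Yes.
SAMPLE = SnmpConfig(
    communities=["public", "n0c-r3ad-only-2023"],
    v3_users=[SnmpV3User("nms-ro", "MD5", "auth-pass-12345678"),
              SnmpV3User("nms-rw", "SHA", "auth-pass-12345678", "DES", "priv-pass-12345678")],
    trap_receivers=[TrapReceiver("192.0.2.10", "v3", "nms-rw"),
                    TrapReceiver("192.0.2.11", "v2c", "n0c-r3ad-only-2023")],
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```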
Configuring Syslog and TFTP Servers for Logging Events
This section describes the following topics:
- Configuring Syslog Server on IAPs
- Configuring TFTP Dump Server on IAPs
Configuring Syslog Server on IAPs
To specify a syslog server for sending syslog messages to the external servers, complete the following steps:

1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Logging accordion.
7. In the Servers section, enter the IP address of the syslog server in the Syslog Server text-box.
8. Click Syslog Facility Levels, and select the required logging level from the drop-down in each of the fields. Syslog facility is an information field associated with a syslog message. It identifies the application or operating system component that generates a log message. The IAP supports the following syslog facilities:
   - Syslog Level--Detailed log about syslog levels.
   - AP-Debug--Detailed log about the AP device.
   - Network--Log about change of network, for example, when a new IAP is added to a network.
   - Security--Log about network security, for example, when a client connects using a wrong password.
   - System--Log about configuration and system status.
   - User--Important logs about clients.
   - User-Debug--Detailed log about clients.
   - Wireless--Log about radio.
9. Click Save Settings.
The following table describes the logging levels in order of severity, from the most severe to the least.

Table 98: Logging Levels

Logging level | Description
Emergency | Panic conditions that occur when the system becomes unusable.
Alert | Any condition requiring immediate attention and correction.
Critical | Any critical condition such as a hard drive error.
Error | Error conditions.
Warning | Warning messages.
Notice | Significant events of a non-critical nature. The default value for all syslog facilities.
Information | Messages of general interest to system users.
Debug | Messages containing information useful for debugging.

Configuring TFTP Dump Server on IAPs
To configure a TFTP server for storing core dump files, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Logging accordion.
7. In the Servers section, enter the IP address of the TFTP server in the TFTP Dump Server text-box.
8. Click Save Settings.
Mobility and Client Management
This section provides the following information on Layer-3 Mobility for Instant Access Points (IAPs) clients:
- Layer-3 Mobility on page 442
- Configuring L3 Mobility Domain on page 442
Layer-3 Mobility
IAPs form a single Aruba Central On-Premises network when they are in the same Layer-2 (L2) domain. As the number of clients increases, multiple subnets are required to avoid broadcast overhead. In such a scenario, a client must be allowed to roam away from the Aruba Central On-Premises network to which it first connected (home network) to another network supporting the same WLAN access parameters (foreign network) and continue its existing sessions.
Layer-3 (L3) mobility allows a client to roam without losing its IP address and sessions. If WLAN access parameters are the same across these networks, clients connected to IAPs in a given Aruba Central On-Premises network can roam to IAPs in a foreign Aruba Central On-Premises network and continue their existing sessions using their IP addresses. You can configure a list of Virtual Controller IP addresses across which L3 mobility is supported.
Home Agent Load Balancing
Home Agent Load Balancing is required in large networks where multiple tunnels might terminate on a single border or lobby AP and overload it. When load balancing is enabled, the VC assigns the home AP for roamed clients by using a round robin policy. With this policy, the load for the APs acting as Home Agents for roamed clients is uniformly distributed across the IAP cluster.
Configuring L3 Mobility Domain
To configure a mobility domain, you have to specify the list of all Aruba Central On-Premises networks that form the mobility domain. To allow clients to roam seamlessly among all the APs, specify the VC IP for each foreign subnet. You may include the local Aruba Central On-Premises or VC IP address, so that the same configuration can be used across all Aruba Central On-Premises networks in the mobility domain. Aruba recommends that you configure all client subnets in the mobility domain. When client subnets are configured:
- If a client is from a local subnet, it is identified as a local client. When a local client starts using the IP address, the L3 roaming is terminated.
- If the client is from a foreign subnet, it is identified as a foreign client. When a foreign client starts using the IP address, the L3 roaming is set up.
To configure a Layer-3 Mobility domain, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Layer-3 Mobility accordion.
7. Turn on the Home Agent Load Balancing toggle switch. By default, home agent load balancing is disabled.
8. Under IP Address, click +, and enter an IP address name in the New IP Address window, and then click OK. Repeat Step 8 to add the IP addresses of all VCs that form the L3 mobility domain.
9. Under Subnets, click +, and specify the following:
   - Enter the client subnet in the IP Address box.
   - Enter the mask in the Subnet Mask box.
   - Enter the VLAN ID in the home network in the VLAN ID box.
   - Enter the home VC IP address for this subnet in the Virtual Controller IP box.
10. Click OK.
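The following Python is an added example, not Aruba's code. It models the two lists configured in the steps above (the VC IP addresses that form the domain, and the client Subnets with mask, VLAN ID and home VC IP), checks them for the mistakes the guide's recommendation to configure all client subnets is meant to avoid, and applies the local/foreign rule stated above to a client that starts using an IP address, returning the home VC towards which L3 roaming would be set up. The class names, the validation checks and all addresses are assumptions constructed for the example.

```python
"""Worked model of the Layer-3 mobility domain described in this section."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class ClientSubnet:
    """One row of the Subnets list. Constructed model, not an Aruba data structure."""
    ip_address: str        # "IP Address" box
    subnet_mask: str       # "Subnet Mask" box
    vlan_id: int           # "VLAN ID" box (VLAN in the home network)
    vc_ip: str             # "Virtual Controller IP" box (home VC for this subnet)

    def network(self) -> IPv4Network:
        return IPv4Network(f"{self.ip_address}/{self.subnet_mask}", strict=False)


@dataclass
class MobilityDomain:
    vc_ips: List[str]            # "IP Address" list: every VC in the mobility domain
    subnets: List[ClientSubnet]  # "Subnets" list


def validate(domain: MobilityDomain) -> List[str]:
    """Checks a practitioner would run before saving: every home VC is in the
    domain list, VLAN IDs are sane, and no two client subnets overlap."""
    problems = []
    for s in domain.subnets:
        if s.vc_ip not in domain.vc_ips:
            problems.append(f"subnet {s.network()}: home VC {s.vc_ip} is not in the VC IP list")
        if not 1 <= s.vlan_id <= 4094:
            problems.append(f"subnet {s.network()}: VLAN ID {s.vlan_id} out of range")
    nets = [s.network() for s in domain.subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap; home VC lookup is ambiguous")
    return problems


def classify_client(domain: MobilityDomain, local_vc_ip: str, client_ip: str) -> dict:
    """Decide how the VC at local_vc_ip treats a client that starts using client_ip."""
    addr = IPv4Address(client_ip)
    match: Optional[ClientSubnet] = None
    for s in domain.subnets:
        if addr in s.network():
            match = s
            break
    if match is None:
        # Not in any configured subnet: the guide recommends configuring all
        # client subnets, so report this rather than guessing a home network.
        return {"client": client_ip, "role": "unknown", "home_vc": None,
                "vlan_id": None, "l3_roaming": False}
    if match.vc_ip == local_vc_ip:
        # Local client: any L3 roaming state is terminated.
        return {"client": client_ip, "role": "local", "home_vc": match.vc_ip,
                "vlan_id": match.vlan_id, "l3_roaming": False}
    # Foreign client: L3 roaming is set up towards the home VC of its subnet.
    return {"client": client_ip, "role": "foreign", "home_vc": match.vc_ip,
            "vlan_id": match.vlan_id, "l3_roaming": True}


# Constructed domain: two Instant networks, each with its own client subnet.
DOMAIN = MobilityDomain(
    vc_ips=["10.10.0.5", "10.20.0.5"],
    subnets=[
        ClientSubnet("10.10.100.0", "255.255.255.0", 100, "10.10.0.5"),
        ClientSubnet("10.20.100.0", "255.255.255.0", 200, "10.20.0.5"),
    ],
)

if __name__ == "__main__":
    print(validate(DOMAIN))
    # A client with a 10.10.100.x address seen by the 10.20.0.5 VC is foreign.
    print(classify_client(DOMAIN, "10.20.0.5", "10.10.100.42"))
    # The same client seen by its home VC is local.
    print(classify_client(DOMAIN, "10.10.0.5", "10.10.100.42"))
```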
Renaming an AP
You can change the name of an access point (AP) provisioned in Aruba Central. The AP can be online or offline. When you rename an AP or a VC, the AP or VC does not reboot, and the client traffic is not affected. The new name must be a character string of up to 32 ASCII or non-ASCII characters, including spaces. To rename an AP, complete the following steps:
1. In the Aruba Central On-Premises app, select one of the following options:
   To select a group in the filter:
   a. Set the filter to one of the options under Groups. Ensure that the filter selected contains at least one active access point. The dashboard context for the group is displayed.
   b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
   To select an access point in the filter:
   a. Set the filter to Global.
   b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
   c. Click an access point listed under Device Name. The dashboard context for the access point is displayed.
   d. Under Manage, click Device > Access Point.
2. Click the Config icon. The tabs to configure access points are displayed.
3. Click the Access Points tab. The Access Points table is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Under Basic Info, modify the AP or VC name in the Name field.
6. Click Save Settings.
The AP name is updated on the AP immediately. It may take up to 1 minute for the new AP name to get reflected in Aruba Central On-Premises. Renaming an AP depends on various privileges and access permissions that are assigned to each user to make configuration changes.
Monitoring APs
The access point (AP) dashboard enables you to manage, configure, monitor and troubleshoot APs provisioned and managed through Aruba Central On-Premises. For a list of all the available menu items in the AP dashboard, see The Access Point Dashboard. The AP Health Bar provides a snapshot of the overall health of the APs configured in Aruba Central On-Premises. For more information, see Health Bar Dashboard for Access Point. The AP Foundation license is applicable for Access Point Monitoring.
Monitoring APs in Summary View
The access point (AP) Summary page provides all the metrics about the health, status, and clients information associated with the AP provisioned and managed in Aruba Central On-Premises.
Viewing the AP Summary Page
To navigate to the AP Summary page, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Summary icon. The AP Summary page is displayed.
The AP Summary page displays the following information:
- Access Points--Displays the overall usage metrics for the APs provisioned in your Aruba Central On-Premises account. Consists of the following tabs:
  - Usage--Displays the incoming and outgoing data traffic detected on the APs.
  - Total Clients--Displays the number of clients connected to an AP over a specific time period.
  - Bandwidth Usage Per Network--Displays the incoming and outgoing traffic for all APs per SSID over a specific duration.
  - Client Count Per Network--Displays the number of clients connected to an AP per SSID over a specific time period.
You can change the time range for the AP Summary page by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months.
Monitoring APs in List View
The access point (AP) List page provides information associated with the online and offline APs, radios provisioned, and managed in Aruba Central On-Premises. The AP List page displays the following sections:
- Access Points Table on page 446
- Deleting an Offline AP on page 448
- Rebooting an AP on page 448
- Radios Table on page 448
Viewing the AP List Page
To navigate to the AP List page, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
The AP List page displays the following information:
n Access Points--Displays the total number of APs. When you click the Access Points tab, it provides information about all APs in the Access Points table.
n Online--Displays the total number of online APs. When you click the Online tab, it provides information about the online APs in the Access Points table.
n Offline--Displays the total number of offline APs. When you click the Offline tab, it provides information about the offline APs in the Access Points table.
- Radios--Displays the total number of radios. When you click the Radios tab, it provides information about all radios in the Radios table.
  - 2.4 GHz--Displays the total number of 2.4 GHz radios. When you click the 2.4 GHz tab, it provides information about 2.4 GHz radios in the Radios table.
  - 5 GHz--Displays the total number of active 5 GHz and 5 GHz (Secondary) radios. When you click the 5 GHz tab, it provides information about 5 GHz and 5 GHz (Secondary) radios in the Radios table.
  - 6 GHz--Displays the total number of 6 GHz radios. When you click the 6 GHz tab, it provides information about 6 GHz radios in the Radios table.
- The tri-radio feature is available only for AP-555. In the 5 GHz tab, the Radio 5 GHz (Secondary) data is available only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
- 6 GHz radios are supported only on devices with 6 GHz capability. For more information about the APs that support 6 GHz, see Supported APs.
Access Points Table
The Access Points table displays the following information:
- Device Name--Name of the AP.
- Status--Displays the operational status of the AP. The status is as follows:
  - Online--Indicates that the AP is online.
  - Offline--Indicates that the AP is offline.
  - Online--Indicates that the AP is operating under thermal management. For more information, see Thermal Shutdown Support in IAP.
- IP Address--IP address of the AP.
- Model--The model number of the AP.
- Serial--The serial number of the device.
- Firmware Version--The firmware version running on the AP.
- Clients--Clients connected to the AP.
- Alerts--Opens alerts related to APs.
- MAC Address--MAC address of the AP.
- Controller--The name of the controller.
- Secondary Controller--The name of the secondary controller.
- Config Status--The configuration changes associated with the AP. The Config Status column is not supported in the exported CSV file.
- Group--Group to which the AP belongs.
- Labels--Labels associated with the AP. If multiple labels are associated with the AP, hover over the label link to view all the labels.
- Site--The site to which the device belongs.
- Uptime--Time since when the device is operational. The Uptime column is not applicable for offline devices and remains blank for all the devices in the Offline page.
- Last Seen--The last active time and date of the device. The Last Seen column is not applicable for online devices and remains blank for all the devices in the Online page.
- Public IP--IP address logged by servers when the device is connected through an internet connection.
- Persona--Displays the type of role of the AP. For example, Campus AP and IAP.
- LLDP Neighbor--Displays the name of the LLDP neighbor. Click the LLDP Neighbor name to view the switch details page, if the switch is managed by Aruba Central On-Premises.
- LLDP Port--Displays the port number of the LLDP neighbor.
- AI Insights--The number of insights generated for the AP in the last three hours. The AI Insights column is not supported in the exported CSV file.
- Note--Displays the information captured in the Note parameter, in the AP Details section. The search filter allows you to search for exact and partial text with a prefix. Text search with a suffix is not supported.
- Zone--Zone to which the AP belongs. Zone details are displayed in the column only for APs with firmware version ArubaOS 8.7.0.0 or later.
- From the Aruba Central On-Premises 2.5.4 release, LLDP Neighbor and LLDP Port details are available for Campus APs and Remote APs as well as Instant APs.
- A search filter is provided only for the Device Name, IP Address, Model, Serial, MAC Address, Controller, Secondary Controller, Group, Labels, Site, LLDP Neighbor, Note, and Zone columns. The sort icons allow you to sort the Device Name, IP Address, Serial, MAC Address, Controller, Secondary Controller, and Zone columns in ascending and descending order.
- By default, the AP List table displays the Device Name, Status, IP Address, Model, Serial, and Firmware Version. You can customize the view of the AP List table with additional columns such as Clients, Alerts, MAC Address, Controller, Secondary Controller, Config Status, Group, Labels, Site, Uptime, Last Seen, Public IP, Persona, LLDP Neighbor, LLDP Port, AI Insights, Note, and Zone. These additional columns can be selected by clicking the icon provided at the right corner of the table that displays the AP list. Click the Reset to default button provided in the drop-down list to reset the AP List with default columns only. To autofit the columns, click the icon and select Autofit columns.
To download the .csv file of the AP list table, click the icon. If the table contains Unicode values, you must use UTF-8 enabled software to view the contents. To view the file in Microsoft Excel spreadsheet software with Unicode values intact, perform the following steps:
1. Open the Microsoft Excel software.
2. Click on the Data menu bar option.
3. Click on the From Text icon.
4. Browse to the location of the file that you want to import.
5. Select the file name and click Import.
6. The Text Import wizard is displayed.
7. Select the file type. For .csv format, select the Delimited option.
8. Select the 65001: Unicode (UTF-8) option from the drop-down list that is displayed next to the File origin.
9. Click Next. The Text Import Wizard - Step 1 of 3 page is displayed.
10. Place a check mark next to the delimiter such as the comma or full stop that was used in the file you wish to import into Microsoft Excel.
11. The Data Preview window displays the data based on the selected delimiter.
12. Click Next. The Text Import Wizard - Step 3 of 3 page is displayed. Select the appropriate data format for each column that you want to import. Importing one or more columns is optional.
13. Click Finish to import the data into Microsoft Excel.
Deleting an Offline AP
To delete an offline AP, see Deleting an Offline AP.
Rebooting an AP
To reboot an AP, see Rebooting an AP in the List View.
Radios Table
When you click the Radios, 2.4 GHz, 5 GHz, or 6 GHz tab on the Radios list page, the respective table with the following columns is displayed:
- Access Point--Name of the AP. Online radios are displayed with a green dot and offline radios are displayed with a red dot.
- Radio MAC Address--The MAC address of the radios connected to the AP.
- Band--The type of radio band. For example, 2.4 GHz, 5 GHz, 5 GHz (Secondary), and 6 GHz.
  - The tri-radio feature is available only for AP-555. In the Band column, the Radio 5 GHz (Secondary) data is available only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
  - 6 GHz radios are supported only on devices with 6 GHz capability. For more information about the APs that support 6 GHz, see Supported APs.
- Bandwidth--The bandwidth of data transferred through the radios.
- Channel--Channels assigned for the radios.
- Utilization (%)--The percentage of time (normalized to 255) that the channels of the radios are sensed to be busy. The AP uses either the physical or the virtual carrier sense mechanism to sense a busy channel. This percentage depends not only on the data bits transferred but also on the transmission overhead that makes use of the channel.
- Power (dBm)--The transmit power of the radios measured in decibels.
- Noise Floor (dBm)--The noise at the radio receivers of the radios. Along with the thermal noise, Noise Floor may be affected by certain types of interference sources, though not all interference types result in an increased noise floor. The Noise Floor value may vary depending on the noise introduced by components used in the computer or client device.
- A search filter is provided only for the Access Point column.
- If the Radios list has at least one IAP, Campus AP, or Remote AP that supports the 6 GHz radio band, then the 6 GHz tab will be available on the Radios list page.

Deleting an Offline AP
To delete an offline access point (AP), complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. In the Access Points table, hover over the offline AP that you want to delete.
4. Click the delete icon. To delete multiple offline APs, select the offline APs that you want to delete and click the delete icon.
5. Click Delete in the confirmation dialog box.
Rebooting an AP in the List View
You can reboot an Instant Access Point, Campus Access Point, or Remote Access Point using the Aruba Central On-Premises UI. For information about how to reboot an AP in the Details page, see Rebooting an AP in the List View and Rebooting an AP in the Details Page. To reboot an access point (AP), complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under groups, labels, or sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - You can reboot only the APs that are in the online status (active).
   - A WebSocket connection is required to reboot IAPs, Campus APs, and Remote APs.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. In the Access Points table, hover over the AP that you want to reboot.
4. Click the reboot icon. To reboot multiple online APs, select the APs that are in online status and click the reboot icon.
5. Click Reboot in the confirmation dialog box.
Thermal Shutdown Support in IAP
Aruba AP-555 and AP-535 Instant Access Point (IAP) devices are equipped with an internal thermal sensor. The sensor initiates a shutdown when the operating temperature crosses the temperature threshold recommended for an Instant AP. When an IAP operates under thermal management, all the radios are in Disabled mode in the AP Health Bar.

In Aruba Central On-Premises, the thermal shutdown feature is supported on IAPs running Aruba Instant 8.6.0.0 or later versions.
The thermal shutdown behaviour in swarm and standalone mode is as follows:
- In swarm mode, when the member IAP operates beyond the recommended temperature threshold, the Virtual AP profile is disabled. Once the member IAP attains the optimum temperature again, it reboots with the Recovery from Thermal Management Mode message, and then reconnects with the virtual controller. This process of reboot and reconnection is executed five times. If the connection between the member IAP and the virtual controller is not restored after five attempts, the member IAP remains in the shutdown state until it is manually turned on.
- In swarm mode, when the conductor IAP operates beyond the recommended temperature threshold, it reboots with the Reboot due to Thermal Management message. Once the conductor IAP attains the optimum temperature again, it turns into a member IAP, reboots with the Recovery from Thermal Management Mode message, and then reconnects with the virtual controller. This process of reboot and reconnection is executed five times. If the connection between the member IAP and the virtual controller is not restored after five attempts, the member IAP remains in the shutdown state until it is manually turned on.
- In swarm mode, when the conductor IAP operates beyond the recommended temperature threshold and the swarm consists of a single IAP, the Virtual AP profile is disabled. Once the conductor IAP attains the optimum temperature again, it reboots with the Recovery from Thermal Management Mode message. This process of reboot is executed five times. If the conductor IAP does not recover after five reboots, it remains in the shutdown state until it is manually turned on.
- In standalone mode, when the IAP operates beyond the recommended temperature threshold, the Virtual AP profile is disabled. Once the IAP attains the optimum temperature again, it reboots with the Recovery from Thermal Management Mode message. This process of reboot is executed five times. If the IAP does not recover after five reboots, it remains in the shutdown state until it is manually turned on.

Thermal Shutdown Events
To view the thermal shutdown events, complete the following steps:
1. In the Aruba Central On-Premises app, select one of the following options:
   - To select a group, label, site, or all devices in the filter:
     a. Set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
2. Under Analyze, click Alerts & Events. The Alerts & Events page is displayed in the List view.
3. Click the Events tab. A list of events is displayed in the Events table.
When the thermal shutdown feature is either enabled or disabled in an IAP, the Events table displays the following details:
n The Event Type column includes the AP Thermal Shutdown type which can be used to filter thermal shutdown events.
n The Description column includes the status of the thermal shutdown feature in the IAP. For example, Thermal management enabled or Thermal management disabled.
About Tri-Radio Mode
Aruba Central On-Premises offers tri-radio mode support in the Aruba AP-555, a flagship 802.11ax access point (AP). In tri-radio mode or split 5 GHz mode, the 8x8 5 GHz radio is split into two independent 4x4 5 GHz radios. In the split 5 GHz mode, Radio 5 GHz Secondary operates on channels from 36 to 64 and Radio 5 GHz operates on channels from 100 to 165. To enable tri-radio, go to Access Points > Radio in the IAP configuration dashboard, and select the Split Radio check-box.
Tri-radio mode is only available for IAPs and not for Campus APs and Remote APs.
The split 5 GHz radio can operate in the following modes:
- Access
- Monitor
- Spectrum
Enabling Tri-Radio Mode
To enable the tri-radio mode, complete the following steps:
1. In the Aruba Central On-Premises app, select one of the following options:
   - To select a group in the filter:
     a. Set the filter to one of the options under Groups. Ensure that the filter selected contains at least one active access point. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
   - To select an access point in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
     c. Click an access point listed under Device Name. The dashboard context for the access point is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure access points are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Click Radio.
6. Select the Split Radio check-box.
7. Click Save Settings.
Tri-Radio Events
To view the tri-radio events, complete the following steps:
1. In the Aruba Central On-Premises app, select one of the following options:
   - To select a group, label, site, or all devices in the filter:
     a. Set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
2. Under Analyze, click Alerts & Events. The Alerts & Events page is displayed in the List view.
3. Click the Events tab. A list of events is displayed in the Events table.

When the tri-radio mode is either enabled or disabled in an AP, the Events table displays the following details:
- The Event Type column includes the AP Tri-Radio type which can be used to filter tri-radio events.
- The Description column includes the status of the tri-radio mode in the AP.
In Aruba Central On-Premises, the tri-radio feature is available only on AP-555 running Aruba Instant 8.6.0.0 or later versions. By default, the AP-555 operates in dual radio mode.
Access Point > Overview > Summary
In the access point (AP) dashboard, the Summary tab displays the device details, network information, radio details including the topology of clients connected to each radio, and the health status of the AP in the network. The Summary tab displays the following sections:
- Device
- Network
- Radios
- Data Path
- Health Status
- WLANS
- Actions
- Go Live
Viewing the Overview > Summary Tab
To navigate to the Summary tab in the AP dashboard, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the selected filter contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The Summary tab is displayed.
To exit the AP dashboard, click the back arrow on the filter. You can change the time range for the Summary tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months.
Device
The Device section displays all or some of the following details:
- AP Model--The AP hardware model.
- Country Code--The country code in which the AP operates.
Managing APs | 453

- MAC--MAC address of the AP.
- Serial Number--Serial number of the AP.
- Uptime--Time for which the AP has been operational since its last boot.
- Last Reboot Reason--The reason for the most recent reboot of the AP.
- Firmware Version--The firmware version running on the AP. If the device is running an older firmware version, this field prompts you to upgrade to the latest firmware version and provides a link to the Maintenance > Firmware page.
- Configuration Status--Displays the configuration status and the timestamp of the last device configuration change.
- Band Selection--Displays the operating band of the AP. The supported bands are Dual Band, Dual 5 GHz, Tri-Radio, or Tri Band.
- Power Draw--The power consumed by the device in watts (W) or kilowatts (kW).
- Power Negotiation--The power in watts (W) negotiated on the Ethernet port of the device in a wired network.
- Recommended Power--The recommended power in watts (W) to be negotiated on the Ethernet port of the device in a wired network.
- Controller--The name of the controller.
- Secondary Controller--The name of the secondary controller.
- Group--The group to which the AP belongs. Click the group name to go to the Overview > Summary page for that group. When an AP belongs to an unprovisioned group, the hyperlink to the unprovisioned group is disabled.
- Labels--The labels associated with the AP. You can also add a new label to the AP by clicking the edit icon. To view all the labels associated with a device, hover your mouse over the Labels column.
- LEDs on Access Point--Blinks the LEDs on the AP so that it can be located physically. Click Blink LED to start blinking. The default blinking time is 5 minutes, after which blinking stops automatically. To stop the blinking earlier, click Stop Blinking. A WebSocket connection is required to enable Blink LED.
- Site--The site to which the AP belongs. Click the site name to go to the Overview > Site Health page for that site.
- Location--The currently configured physical location of the AP. The Location detail is displayed only for APs running ArubaOS 8.9.0.0 or later.
- Contact--The currently configured contact for the AP, for example, an e-mail ID or a contact number. The Contact detail is displayed only for APs running ArubaOS 8.9.0.0 or later.
- Note--When you click the edit icon, a text box is displayed in which you can add information for reference, for example, the AP location or upgrade information.


- From the Aruba Central On-Premises 2.5.6 release, the Country Code, Last Reboot Reason, Power Draw, and Power Negotiation details are supported for Campus APs and Remote APs as well.
- Recommended Power is available only for IAPs and not for Campus APs and Remote APs.
- Recommended Power is supported on IAPs from ArubaOS 8.4.0.0 onwards. Recommended Power is not shown on the Device page if the IAP is already running at the recommended power.
Network
The Network section displays information on the network and interfaces to which the AP is connected. Along with the network profile name, the following fields are displayed in the Network section:
- ETH0--Displays the status of the ETH0 interface.
  - Speed (Mbps)/Duplex--The speed of the link in Mbps. This field also indicates whether the link is full-duplex or half-duplex.
  - VLAN--The number of VLAN connections associated with the interface.
  - LLDP Details--Click the LLDP Details link to view the ETH0 LLDP details. The pop-up window displays the Neighbor Name, Neighbor MAC, Neighbor Port, and Neighbor VLAN details.
- ETH1--Displays the status of the ETH1 interface.
  - Speed (Mbps)/Duplex--The speed of the link in Mbps. This field also indicates whether the link is full-duplex or half-duplex.
  - VLAN--The number of VLAN connections associated with the interface.
  - LLDP Details--Click the LLDP Details link to view the ETH1 LLDP details. The pop-up window displays the Neighbor Name, Neighbor MAC, Neighbor Port, and Neighbor VLAN details.
- Current Uplink--The current uplink connection on the AP.
- Uplink connected to--The name of the switch to which the AP is connected. Click this link to view the switch details page, if the switch is managed by Aruba Central On-Premises.
  - Port--The port number of the switch to which the AP is connected.
- IP Address--IP address of the AP.
- Public IP Address--The public IP address seen by external servers when the AP connects through the internet, for example, the address of the NAT gateway in front of the AP.
- DNS Name Servers--The DNS servers the AP uses to resolve domain names to IP addresses.
- Default Gateway--The IP address of the router to which the AP forwards traffic destined for hosts outside its local subnet.
- NTP Server--Displays information about the NTP Server.

- From the Aruba Central On-Premises 2.5.6 release, the Public IP Address, DNS Name Servers, and Default Gateway details are supported for Campus APs and Remote APs as well.
- From the Aruba Central On-Premises 2.5.4 release, the LLDP Details feature is supported for Campus APs as well.
Radios
The Radios section displays the following information for Radio 2.4 GHz, Radio 5 GHz, Radio 5 GHz (Secondary), and Radio 6 GHz:

- Mode--The mode of the radio, for example, Client Access, Monitor, or Spectrum.
- Status--The operational status of the radio:
  - Up--The radio is online.
  - Down--The radio is offline.
  - Down - Thermal shutdown--The radio is offline because the AP is operating under thermal management. For more information, see Thermal Shutdown Support in IAP.
- Radio MAC Address--The MAC address of the radio.
- Channel--The channel assigned to the radio.
- Power--The transmit power of the radio.
- Type--The type of wireless LAN used by the radio.
- Clients--The number of clients connected through the radio.
- Wireless Networks--The number of SSIDs configured on the radio.
- Antenna--The type of antenna, for example, internal or external.
- Spatial Stream--The number of spatial streams. On the AP-555, the Radio 5 GHz spatial stream value is 8x8 by default; when tri-radio mode is enabled, Radio 5 GHz and Radio 5 GHz (Secondary) are 4x4 each.

- When the AP radios are set to spectrum scan mode, the Channel and Power values are empty.
- The tri-radio feature is available only for the AP-555. In the Radios section, the Radio 5 GHz (Secondary) data is available only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
- The 6 GHz radio band is only supported for devices with 6 GHz capability.
Data Path
The Data Path section displays the topology of the clients connected to each radio of the AP, which in turn is connected to switches or controllers through a VLAN. When you hover over the upstream device in the data path topology, a pop-up displays the Name, Serial Number, and Port details of the upstream device. PORT shows the number of ports available on the AP, including USB ports. CLIENTS connected to the PORT in the data path shows the number of wired clients connected to the port.


Figure 42 Data Path
- The tri-radio feature is available only for the AP-555. In the Data Path section, the 5 GHz (Secondary) data is available only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
- In the Data Path section, the 6 GHz radio band is only supported for devices with 6 GHz capability.
Health Status
The Health Status trend graph indicates the health status of the device in the network for the time selected in the time range filter. When you hover over the graph, you can view information such as the date and time, Health Status, Noise Floor, CPU, Memory, Channel Utilization (Radio 1), Channel Utilization (Radio 2), and Channel Utilization (Radio 3). In the Health Status graph, the Poor Health Limit text indicates the threshold below which the device is considered to be in poor health.
Figure 43 Health Status

- In the Health Status graph, the Channel Utilization (Radio 3) data is available if the tri-radio mode is enabled or if a 6 GHz radio is available. For more information, see About Tri-Radio Mode.
- The tri-radio feature is available only for the AP-555.
- The 6 GHz radio band is only supported for devices with 6 GHz capability.
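The Poor Health Limit on this graph is a threshold, and the question an operator usually wants answered is when, and for how long, the AP sat below it. The following Python is an added example, not code from this guide or from Aruba: it takes a constructed series of (timestamp, health percentage) samples, such as values read off the graph or from an exported report, and reports each contiguous interval below an assumed limit of 50, including a dip that is still in progress at the end of the range. The sample format, the limit value, and the 5-minute sample period are assumptions; the page does not publish an export format or a default limit.

```python
"""Added example (not Aruba code): find the intervals in which an AP's health
stayed below the Poor Health Limit, from a constructed time series."""

POOR_HEALTH_LIMIT = 50  # assumed value; the guide does not state the default


def poor_health_intervals(samples, limit=POOR_HEALTH_LIMIT):
    """Return [(start_ts, end_ts, min_health)] for each run of samples below
    `limit`. A run still open at the last sample is closed at that sample's
    timestamp, so an AP that is unhealthy right now is still reported."""
    intervals = []
    start = None     # timestamp at which the current poor-health run began
    worst = None     # lowest health value seen in the current run
    last_ts = None   # timestamp of the previous sample
    for ts, health in sorted(samples):
        if health < limit:
            if start is None:
                start, worst = ts, health
            else:
                worst = min(worst, health)
        elif start is not None:
            intervals.append((start, last_ts, worst))
            start = None
        last_ts = ts
    if start is not None:
        intervals.append((start, last_ts, worst))
    return intervals


def total_poor_seconds(intervals, sample_period):
    """Seconds spent below the limit, counting each sample as one period."""
    return sum(end - begin + sample_period for begin, end, _ in intervals)


# Constructed series (assumed format): 5-minute samples with two dips below
# the limit, the second still in progress at the end of the range.
SAMPLE_PERIOD = 300
SAMPLE_HEALTH = [
    (1_700_000_000 + i * SAMPLE_PERIOD, h)
    for i, h in enumerate([90, 85, 40, 35, 60, 95, 92, 30, 20])
]

if __name__ == "__main__":
    ivs = poor_health_intervals(SAMPLE_HEALTH)
    for begin, end, worst in ivs:
        print(f"poor health from {begin} to {end} (min {worst}%)")
    print("seconds below limit:", total_poor_seconds(ivs, SAMPLE_PERIOD))
```

The run is closed at the timestamp of the last sample that was below the limit, not at the first healthy sample, so the reported interval matches what the graph shows shaded; the trailing open run is the case a naive loop forgets and is exactly the one that matters for an AP that is unhealthy now.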
WLANS
The WLANS table provides a list of all the SSIDs configured for the AP.
Figure 44 WLANS

The WLANS table provides the following information:
- Name--Displays the name of the SSID.
In the WLANS table, the Type, VLANs, and Security values are empty.
Click the expand icon next to an SSID in the WLANS table to view the following information for the 2.4 GHz, 5 GHz, 5 GHz (Secondary), and 6 GHz radios:
- BSSID--Displays the BSSID (MAC address) with which the SSID is broadcast on the radio.
- Radio Type--Displays the type of radio.
- Clients--Displays the number of connected clients.
Click the download icon to download the WLANS table as a .csv file.

- In the .csv file of the WLANS table, the 5 GHz (Secondary) columns are available only if the tri-radio mode is enabled.
- The tri-radio feature is available only for the AP-555. In the WLANS table, the 5 GHz (Secondary) data is available only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
- The 6 GHz radio band is only supported for devices with 6 GHz capability.
Actions
The Actions drop-down list contains the following options:


- Reboot AP--Reboots the AP. For more information, see Rebooting an AP in the List View and Rebooting an AP in the Details Page. A WebSocket connection is required to reboot IAPs, Campus APs, and Remote APs.
- Reboot Swarm--Reboots the IAP cluster. For more information, see Rebooting an IAP Cluster.
- Tech Support--Enables the administrator to generate a tech support dump required for troubleshooting the AP. For more information, see Tech Support for an AP.
Go Live
Aruba Central On-Premises supports live monitoring of IAPs running Aruba Instant 8.4.0.0 or later. Live data for an AP is refreshed every 5 seconds. For more information, see Enabling Live IAP Monitoring.
Access Point > Overview > AI Insights
In the access point (AP) dashboard, the AI Insights tab displays information on AP performance issues such as excessive channel changes, excessive reboots, airtime utilization, and memory utilization.
- AI Insights is supported in Aruba Central On-Premises on five-node instances and above.
- AI Insights is supported for IAPs, Campus APs, and Remote APs.
Viewing Access Points > AI Insights
To navigate to the AI Insights tab in the AP dashboard, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the selected filter contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the AP dashboard context, click the AI Insights tab. The Insights page is displayed.
5. To exit the AP dashboard, click the back arrow on the filter.
You can change the time range for the AI Insights tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months. AI Insights are displayed for the selected time range.
AI Insights Categories
AI Insights are categorized into high, medium, and low priority depending on the number of occurrences:

- Red--High priority
- Orange--Medium priority
- Yellow--Low priority
AI Insights listed in the dashboard are sorted from high priority to low priority. The AI Insights dashboard displays a report of network events that could affect the quality of the overall network performance. Each insight report provides specific details on the occurrences of these events to ease debugging. For more information, see The AI Insights Dashboard.
The AP Insights page displays the following insights:
- Clients with High Wi-Fi Security Key-Exchange Failures
- Clients with High 802.1X Authentication Failures
- Clients with DHCP Server Connection Problems
- Clients with High Number of MAC Authentication Failures
- Clients with High Number of Wi-Fi Association Failures
- Clients with Captive Portal Authentication Problems
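The guide says priority depends on the number of occurrences but does not publish the thresholds or the event format behind these insights. The following Python is an added example, not code from this guide or from Aruba's AI Insights engine: it groups constructed per-client failure events into the six insight categories listed above, assigns a priority from assumed per-client thresholds, and sorts the rows high to low as the dashboard does. The event field names, the short category keys, and the thresholds are all assumptions.

```python
"""Added example (not Aruba code): group per-client authentication failures
into the AI Insights categories and rank them by assumed priority thresholds."""
from collections import Counter, defaultdict

# The six insight titles listed on the AP Insights page, keyed by an
# assumed short category name carried on each event record.
CATEGORIES = {
    "key_exchange": "Clients with High Wi-Fi Security Key-Exchange Failures",
    "dot1x": "Clients with High 802.1X Authentication Failures",
    "dhcp": "Clients with DHCP Server Connection Problems",
    "mac_auth": "Clients with High Number of MAC Authentication Failures",
    "assoc": "Clients with High Number of Wi-Fi Association Failures",
    "captive_portal": "Clients with Captive Portal Authentication Problems",
}

# Assumed thresholds: minimum occurrences per client in the selected time
# range for each priority. The guide states only that priority depends on
# the number of occurrences.
PRIORITY_THRESHOLDS = (("high", 10), ("medium", 5), ("low", 1))
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


def priority_for(count):
    """Map an occurrence count to high/medium/low, or None below the low bar."""
    for name, minimum in PRIORITY_THRESHOLDS:
        if count >= minimum:
            return name
    return None


def build_insights(events):
    """Return rows (priority, insight title, client, count), high first.

    Events whose category is not one of the six insights are ignored.
    Ties within a priority are broken by count (descending), then client."""
    counts = defaultdict(Counter)
    for ev in events:
        if ev["category"] in CATEGORIES:
            counts[ev["category"]][ev["client"]] += 1
    rows = []
    for category, per_client in counts.items():
        for client, n in per_client.items():
            pri = priority_for(n)
            if pri is not None:
                rows.append((pri, CATEGORIES[category], client, n))
    rows.sort(key=lambda r: (PRIORITY_RANK[r[0]], -r[3], r[2]))
    return rows


# Constructed sample (assumed field names): one client failing the 4-way
# handshake repeatedly (what a wrong PSK or a WPA2/WPA3 mismatch looks like),
# one with 802.1X failures, one with a single DHCP timeout, and one roaming
# event that is not an insight category at all.
SAMPLE_EVENTS = (
    [{"client": "aa:bb:cc:00:00:01", "category": "key_exchange", "ts": t} for t in range(12)]
    + [{"client": "aa:bb:cc:00:00:02", "category": "dot1x", "ts": t} for t in range(6)]
    + [{"client": "aa:bb:cc:00:00:03", "category": "dhcp", "ts": 0}]
    + [{"client": "aa:bb:cc:00:00:04", "category": "roam", "ts": 0}]
)

if __name__ == "__main__":
    for pri, title, client, n in build_insights(SAMPLE_EVENTS):
        print(f"{pri:<6} {n:>3}  {client}  {title}")
```

Counting per client rather than per AP is what makes the key-exchange row useful for triage: a single client failing the handshake many times points at that client's credentials or supplicant, whereas many clients failing once each would point at the SSID or the AP.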
Access Point > Overview > Floor Plan
In the access point (AP) dashboard, the Floor Plan tab provides information regarding the current location and the floor plan of the instant access points, campus access points, and remote access points.
Viewing the Overview > Floor Plan Tab
To navigate to the Floor Plan tab in the AP dashboard, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the AP dashboard context, click the Floor Plan tab. The Floor Plan tab is displayed.
To exit the AP dashboard, click the back arrow on the filter. You can change the time range for the Floor Plan tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months. The Floor Plan tab displays a sitemap and the floor plan showing the current location of the IAP. The sitemap is derived from the Visual RF application, if the Visual RF service is enabled for the Aruba Central On-Premises account. You can also edit the location of the IAP by clicking the edit icon next to the address in the Floor Plan tab.
Actions
The Actions drop-down list contains the following options:


- Reboot AP--Reboots the AP. For more information, see Rebooting an AP in the Details Page and Rebooting an AP in the List View. A WebSocket connection is required to reboot IAPs, Campus APs, and Remote APs.
- Reboot Swarm--Reboots the IAP cluster. For more information, see Rebooting an IAP Cluster.
- Tech Support--Enables the administrator to generate a tech support dump required for troubleshooting the AP. For more information, see Tech Support for an AP.
Go Live
Aruba Central On-Premises supports live monitoring of IAPs running Aruba Instant 8.4.0.0 or later. Live data for an AP is refreshed every 5 seconds. For more information, see Enabling Live IAP Monitoring.
Access Point > Overview > Performance
In the access point (AP) dashboard, the Performance tab displays the size of data transmitted through the AP.
Viewing the Overview > Performance Tab
To navigate to the Performance tab in the AP dashboard, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the selected filter contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the AP dashboard context, click the Performance tab. The Performance tab is displayed.
To exit the AP dashboard, click the back arrow on the filter. You can change the time range for the Performance tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months. The Performance tab provides the following details:
- Throughput--The Throughput graph indicates the volume of data sent to and received by the device, in bits per second, for the wired or wireless networks, for example, the Eth 0 or Eth 1 wired network profiles and specific SSIDs of wireless networks. You can also view data for all the wireless SSIDs by selecting All SSIDs from the drop-down list. The overall data usage, measured in bytes, is shown in the Overall Usage field.
- Clients--The Clients graph indicates the number of clients connected to the device for the wired, wireless, or radio network profiles for the time range selected in the time range filter, for example, Wired for the wired network profile, a specific SSID or All SSIDs for the wireless network profile, and 2.4 GHz, 5 GHz, 6 GHz, or 2.4 GHz & 5 GHz for the radio network profile. You can select a specific network profile from the drop-down list in the Clients section to view the date, time, and number of clients connected.

- When you hover over the Throughput and Clients graphs, specific data for the selected timestamp is displayed.
- The 6 GHz radio option is available in the Clients drop-down only if the AP supports 6 GHz. For more information about the APs that support 6 GHz, see Supported APs.
Actions
The Actions drop-down list contains the following options:
- Reboot AP--Reboots the AP. For more information, see Rebooting an AP in the Details Page on page 730 and Rebooting an AP in the List View on page 730. A WebSocket connection is required to reboot IAPs, Campus APs, and Remote APs.
- Reboot Swarm--Reboots the IAP cluster. For more information, see Rebooting an IAP Cluster.
- Tech Support--Enables the administrator to generate a tech support dump required for troubleshooting the AP. For more information, see Tech Support for an AP.
Go Live
Aruba Central On-Premises supports live monitoring of IAPs running Aruba Instant 8.4.0.0 or later. Live data for an AP is refreshed every 5 seconds. For more information, see Enabling Live IAP Monitoring.
Access Point > Overview > RF
In the access point (AP) dashboard, the RF tab provides details for the 2.4 GHz, 5 GHz, 5 GHz (Secondary), and 6 GHz radios of IAPs, Campus APs, and Remote APs. Starting from Aruba Instant 8.9.0.0, the Wi-Fi 6E standard is supported, which introduces the 6 GHz radio band on selected IAPs, Campus APs, and Remote APs. The 6 GHz band provides greater efficiency, higher throughput, and a stronger security baseline to address bandwidth challenges, and offers wider channels of up to 160 MHz for dense environments and large numbers of IoT devices. Wi-Fi 6E IAPs support the 2.4 GHz, 5 GHz, and 6 GHz bands simultaneously, allowing client devices to move between the three bands. On the 6 GHz band, Wi-Fi 6E IAPs support only the Enhanced Open (OWE) and WPA3 security methods; WPA2 and open SSIDs are not broadcast on 6 GHz.
The AP-635 and AP-655 are Wi-Fi 6E IAPs that support the 6 GHz radio band in addition to the 2.4 GHz and 5 GHz bands.
Viewing the Overview > RF Tab
To navigate to the RF tab in the AP dashboard, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the selected filter contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the AP dashboard context, click the RF tab. The RF tab is displayed.
To exit the AP dashboard, click the back arrow on the filter. You can change the time range for the RF tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months. You can hover over a graph to view more information. You can select or clear an option in each graph to filter the data displayed. For example, if you clear the check boxes for Receiving and Non-Wifi Interference in the Channel Utilization graph, only Transmitting data is displayed. The RF tab provides the following details for the 2.4 GHz, 5 GHz, and 6 GHz radio channels of IAPs, Campus APs, and Remote APs:
Channel Utilization
The Channel Utilization graph indicates the percentage of channel utilization for the time range selected in the time range filter. The channel utilization information is categorized as follows:
- Transmitting: The percentage of channel time spent transmitting.
- Receiving: The percentage of channel time spent receiving.
- Non-Wifi Interference: The percentage of channel time occupied by non-Wi-Fi interferers.
Total Utilization is the sum of Transmitting, Receiving, and Non-Wifi Interference, and indicates the total percentage of channel utilization for the selected time range.
The following figure displays the channel utilization graph for the 2.4 GHz radio channel.
Figure 45 Channel Utilization Graph
Noise Floor
The Noise Floor graph indicates the noise floor detected in the network to which the device belongs.

Frames - 802.11
The Frames - 802.11 line graph indicates the trend of frames transmitted through the network. The graph shows the data frames that were dropped, encountered errors, or were retried in the wireless network, as a percentage or in frames per second. Only Campus APs and Remote APs support the Issues & Transmitted Frames and Issue % filter options. Select one of the following options from the drop-down list:
- Issues & Transmitted Frames--Select to view the trend for transmitted frames along with retries, errors, and drops, in frames per second.
- Issue %--Select to view the trend for retries, errors, and drops as a percentage.
Figure 46 Frames - 802.11 Graph
Radio Errors
The Radio Errors graph indicates the Total Packets, Physical Errors, and MAC Errors in packets per second. Only Campus APs and Remote APs support the Physical Errors and MAC Errors options.
Figure 47 Radio Errors Graph
Channel Quality
The Channel Quality graph indicates the quality of channel in percentage.


- When you hover over the Channel Utilization, Noise Floor, Frames - 802.11, and Channel Quality graphs, specific data for the selected timestamp is displayed.
- The tri-radio feature is available only for the AP-555. In the RF tab, the Radio 5 GHz (Secondary) tab is available only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
- The 6 GHz radio band is only supported for devices with 6 GHz capability.
Actions
The Actions drop-down list contains the following options:
- Reboot AP--Reboots the AP. For more information, see Rebooting an AP in the Details Page. A WebSocket connection is required to reboot IAPs, Campus APs, and Remote APs.
- Reboot Swarm--Reboots the IAP cluster. For more information, see Rebooting an IAP Cluster.
- Tech Support--Enables the administrator to generate a tech support dump required for troubleshooting the AP. For more information, see Tech Support for an AP.
Go Live
Aruba Central On-Premises supports live monitoring of IAPs running Aruba Instant 8.4.0.0 or later. Live data for an AP is refreshed every 5 seconds. For more information, see Enabling Live IAP Monitoring.
Access Point > Overview > Spectrum
In the access point (AP) dashboard, the Spectrum tab provides details for all Wi-Fi and non-Wi-Fi devices detected on each radio. When the radios of an Instant Access Point (IAP) are set to spectrum scan mode, the IAP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference from neighboring IAPs or from interfering devices such as microwave ovens and cordless phones. To enable the spectrum scan feature on a specific radio of an AP, see Access Points Configuration Parameters.
The spectrum scan feature is available only on IAP devices running Aruba Instant 8.5.0.1 or later.
When the spectrum scan feature is enabled, the IAP does not provide services to clients. The Spectrum tab displays the following sections:
- Channel Utilization and Quality
- Interfering Devices
- Actions
- Go Live

Viewing the Overview > Spectrum Tab
To navigate to the Spectrum tab in the AP dashboard, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the AP dashboard context, click the Spectrum tab. The Spectrum tab is displayed.
To exit the AP dashboard, click the back arrow on the filter. You can change the time range for the Spectrum tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months.
Channel Utilization and Quality
Click the Chart icon to view the Channel Utilization and Quality details for the 2.4 GHz and 5 GHz radios of the AP. Click the 2.4 GHz and 5 GHz tabs on the Channel Utilization and Quality label to view the graphs for each radio.
- Channel Utilization--The Channel Utilization graph indicates the percentage of channel utilization in the Available, Interference, and Wi-Fi Utilization categories for the 2.4 GHz and 5 GHz radios. When you hover over the Channel Utilization bar graph, the following channel metrics are displayed:
  - Channel--The channel number of the radio.
  - Available--The percentage of the channel currently available for use.
  - Interference--The percentage of the channel currently being used by interfering devices.
  - Microwave--The percentage of the channel currently being used by microwave ovens. Common residential microwave ovens with a single magnetron are classified as a Microwave. These ovens may be found in cafeterias, break rooms, dormitories, and similar environments. Some industrial, healthcare, or manufacturing environments may also have other equipment that behaves like a microwave oven and is likewise classified as a Microwave device.
  - Bluetooth--The percentage of the channel currently being used by Bluetooth devices. Any device that uses the Bluetooth protocol to communicate in the 2.4 GHz band is classified as a Bluetooth device. Bluetooth uses a frequency-hopping protocol.
  - Cordless Phone--The percentage of the channel currently being used by cordless phones.
  - Wi-Fi Utilization--The percentage of the channel currently being used by Wi-Fi devices.
- Quality--The Quality graph displays the channel quality for each of the Wi-Fi and non-Wi-Fi devices detected on the radios. When you hover over the Quality bar graph, the following channel metrics are displayed:
  - Channel--The channel number of the radio.
  - Quality--Current relative quality of the channel.
  - Known APs--Number of valid Instant APs identified on the radio channel.
  - Unknown APs--Number of invalid or rogue APs identified on the radio channel.
  - Max AP Signal--Signal strength, in dBm, of the AP with the strongest signal on the channel.
  - Max Interference--Signal strength, in dBm, of the non-Wi-Fi device with the strongest signal on the channel.
  - Max AP SSID--The SSID of the AP with the strongest signal on the channel.
  - Max AP BSSID--The BSSID of the AP with the strongest signal on the channel.
  - SNIR--The signal-to-noise-plus-interference ratio measured on the channel, in dB.
  - Noise Floor--The noise measured at the radio receiver, in dBm.
Interfering Devices
Click the List icon to view details of the interfering devices detected by the spectrum scanner. The page displays a table with the following details for each interfering device:
- Type--Device type, one of the following:
  - Audio FF (fixed frequency)
  - Bluetooth
  - Cordless base FH (frequency hopper)
  - Cordless phone FF (fixed frequency)
  - Cordless network FH (frequency hopper)
  - Generic FF (fixed frequency)
  - Generic FH (frequency hopper)
  - Generic interferer
  - Microwave
  - Microwave inverter
  - Video
  - Xbox
- ID--ID number assigned to the device by the spectrum monitor. Spectrum monitors assign a unique spectrum ID per device type.
- Central Frequency--Center frequency of the signal sent from the device.
- Bandwidth--Channel bandwidth used by the device, in kHz.
- Affected Channels--Radio channels affected by the wireless device.
- Signal Strength--Strength of the signal sent from the device, in dBm.
- Duty Cycle--The device duty cycle, that is, the percentage of time for which the device transmits.
- First Seen--Time at which the device was first detected.
- Last Seen--Time at which the device status was last updated.
The data displayed in the Spectrum tab is refreshed every 15 seconds. If the device goes offline, Aruba Central On-Premises displays the last recorded data for 30 minutes.
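The Affected Channels column follows from where an interferer sits in the band, and the Signal Strength and Duty Cycle columns together say how much airtime it actually costs. The following Python is an added example, not code from this guide or from Aruba's spectrum monitor: from constructed rows shaped like the Interfering Devices table, it computes which 2.4 GHz channels a fixed-frequency or frequency-hopping interferer overlaps, using the standard 2.4 GHz channel centres and a 20 MHz channel width, and ranks the devices by an assumed impact score. The record field names, the overlap rule, and the score formula are assumptions.

```python
"""Added example (not Aruba code): compute the 2.4 GHz channels an interferer
overlaps and rank interferers by an assumed airtime-impact score."""

# 2.4 GHz channel centre frequencies in MHz: channels 1-13 are 5 MHz apart
# starting at 2412 MHz; channel 14 sits at 2484 MHz (Japan, 802.11b only).
CHANNEL_CENTERS_MHZ = {ch: 2412 + 5 * (ch - 1) for ch in range(1, 14)}
CHANNEL_CENTERS_MHZ[14] = 2484


def affected_channels(center_khz, bandwidth_khz, channel_width_mhz=20):
    """Channels whose occupied band overlaps the interferer's band.

    center_khz and bandwidth_khz mirror the Central Frequency and Bandwidth
    columns; a frequency hopper is treated as occupying its whole hop range."""
    lo = (center_khz - bandwidth_khz / 2) / 1000.0  # MHz
    hi = (center_khz + bandwidth_khz / 2) / 1000.0
    half = channel_width_mhz / 2.0
    return [ch for ch, c in sorted(CHANNEL_CENTERS_MHZ.items())
            if lo < c + half and c - half < hi]


def impact_score(signal_dbm, duty_cycle_pct):
    """Assumed ranking metric: signal strength scaled to 0..1 over the usual
    -100..-20 dBm range, weighted by the fraction of time the device is on."""
    strength = max(0.0, min(1.0, (signal_dbm + 100) / 80.0))
    return strength * duty_cycle_pct / 100.0


def rank_interferers(devices):
    """Return (type, id, affected channels, score) rows, worst first."""
    rows = []
    for d in devices:
        channels = affected_channels(d["center_khz"], d["bandwidth_khz"])
        rows.append((d["type"], d["id"], channels,
                     impact_score(d["signal_dbm"], d["duty_cycle_pct"])))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# Constructed rows shaped like the Interfering Devices table (field names are
# assumed). Bandwidth is in kHz, as on the page.
SAMPLE_DEVICES = [
    {"type": "Microwave", "id": 1, "center_khz": 2450000, "bandwidth_khz": 20000,
     "signal_dbm": -40, "duty_cycle_pct": 50},
    {"type": "Bluetooth", "id": 2, "center_khz": 2441000, "bandwidth_khz": 79000,
     "signal_dbm": -70, "duty_cycle_pct": 10},
    {"type": "Cordless phone FF", "id": 3, "center_khz": 2412000, "bandwidth_khz": 1000,
     "signal_dbm": -55, "duty_cycle_pct": 90},
]

if __name__ == "__main__":
    for typ, dev_id, channels, score in rank_interferers(SAMPLE_DEVICES):
        print(f"{score:5.3f}  {typ:<18} id={dev_id}  channels={channels}")
```

The ranking is the practical point: the Bluetooth hopper touches every channel but at 10% duty cycle and -70 dBm it costs little, whereas a narrow cordless phone that is loud and on 90% of the time is the device worth chasing first, even though it affects only three channels.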
Actions
The Actions drop-down list contains the following options:

- Reboot AP--Reboots the AP. For more information, see Rebooting an AP in the Details Page on page 730 and Rebooting an AP in the List View on page 730. A WebSocket connection is required to reboot IAPs, Campus APs, and Remote APs.
- Reboot Swarm--Reboots the IAP cluster. For more information, see Rebooting an IAP Cluster.
- Tech Support--Enables the administrator to generate a tech support dump required for troubleshooting the AP. For more information, see Tech Support for an AP.
Go Live
Aruba Central On-Premises supports live monitoring of IAPs running Aruba Instant 8.4.0.0 or later. Live data for an AP is refreshed every 5 seconds. For more information, see Enabling Live IAP Monitoring.
Access Point > Security > VPN
The VPN tab provides information on VPN connections associated with the virtual controller along with information on the tunnels and the data usage through each of the tunnels.
The VPN tab is only available for IAPs and not for Campus APs and Remote APs.
Viewing the Security > VPN Tab
To navigate to the VPN tab, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. Under Manage, click Security > VPN. The VPN tab is displayed.
You can change the time range for the VPN tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months. The VPN tab provides the following information:
- VPNC Tunnels Summary--The section displays information on tunnels with the following details:
  - Total--Total tunnels established.
  - Up--Number of tunnels currently active.
  - Down--Number of tunnels currently inactive.
  - Peers--Number of peer tunnels currently active.
- Tunnel table--The Tunnel table displays information on tunnels with the following columns:

Aruba Central On-Premises 2.5.6 | User Guide

468

  - Tunnel--The type of the tunnel used in the VPN. For example, primary, secondary, or backup.
  - Status--The status of the tunnel.
  - Source--The source address of the tunnel.
  - Destination--The destination address of the tunnel.
- Throughput Usage Per VPN--The Throughput Usage Per VPN graph indicates the successful data usage per VPN in Mbps for the primary or backup tunnel selected from the drop-down list. The Throughput Usage Per VPN graph is a line graph of sent and received data in the virtual private network.
Rebooting an AP in the Details Page
You can reboot an Instant Access Point, Campus Access Point, or Remote Access Point using the Aruba Central On-Premises UI.
A WebSocket connection is required to reboot IAPs, Campus APs, and Remote APs.
For information about how to reboot an AP in the List view, see Rebooting an AP in the List View. To reboot, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the Actions drop-down list, click Reboot AP. A Reboot dialog box is displayed.
5. Click Reboot to reboot the AP.
The AP dashboard takes approximately a minute to update the interface status after the AP is rebooted and reconnected to Aruba Central On-Premises.
Rebooting an IAP Cluster
You can reboot an Instant Access Point (IAP) cluster using the Aruba Central On-Premises UI. To reboot an IAP cluster, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.

3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the Actions drop-down list, click Reboot Swarm. A Reboot dialog box is displayed.
5. Click Yes to reboot the AP cluster.
The AP dashboard takes less than a minute to update the interface status after the VC is rebooted and reconnected to Aruba Central On-Premises.
Tech Support for an AP
In the Aruba Central On-Premises UI, administrators can generate a tech support dump required for troubleshooting an Instant Access Point (IAP). To generate a tech support dump for an IAP, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the Actions drop-down list, click Tech Support. The Commands page is displayed. In the Commands page, the Device Type and Available Devices fields are automatically selected. The AP Tech Support Dump command is automatically selected in the Selected Commands pane.
5. Click Run. The output is displayed in the Device Output section.
For more information, see Advanced Device Troubleshooting.
Enabling Live IAP Monitoring
Aruba Central On-Premises supports live monitoring of Instant APs running Aruba Instant 8.4.0.0 or a later firmware version. Aruba Central On-Premises allows you to monitor live data of an AP, updated every 5 seconds.
Enabling and Disabling Go Live
To enable and disable the live monitoring of an AP, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active access point. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.


3. Click an access point listed under Device Name. The dashboard context for the access point is displayed.
4. Click the Go Live button to start live monitoring of the AP.
5. To exit, click the Stop Live button to end the live monitoring of the AP.
- The Go Live feature is not applicable for offline Instant APs. The Go Live button remains grayed-out for all the APs that are not associated with Instant AP devices running Aruba Instant 8.4.0.0 firmware version and above.
- Aruba Central On-Premises allows you to monitor live data for 15 minutes. After this time period, Aruba Central On-Premises redirects to the AP dashboard in a non-live mode to display the monitoring details for the time selected in the Time Range Filter. For more information on the AP dashboard in a non-live mode, see Access Point > Overview > Summary.
AP Details in Go Live Mode
When you click the Go Live button, the page displays live graphs based on noise floor, frames, and channel quality of the neighboring RF devices for 15 minutes, or until you click the Stop Live button. The page displays Noise Floor, Frames, and Channel Quality live graphs for Radio 2.4 GHz, Radio 5 GHz, Radio 5 GHz Secondary, and Radio 6 GHz.
Important Information
Consider the following important points while enabling live IAP monitoring:
- The Go Live feature is not applicable for offline APs.
- Aruba Central allows you to monitor live data for 15 minutes. After this time period, Aruba Central redirects to the AP dashboard in a non-live mode to display the monitoring details for the time selected in the Time Range Filter. For more information on the AP dashboard in a non-live mode, see Access Point > Overview > Summary.
- In Go Live mode, the AP dashboard updates and displays data every 5 seconds.
- The tri-radio feature is available only for AP-555. In the Go Live page, the Radio 5 GHz (Secondary) tab is available only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
- The Radio 6 GHz band is only supported for devices with 6 GHz capability.
- The time range selected in the Time Range Filter is not applicable when the Go Live button is enabled.
- You can monitor live data for multiple APs simultaneously on different tabs.
Replacing an Access Point
Aruba Central On-Premises supports the Campus AP, Remote AP, and Instant Access Point replacement workflow. You can replace APs from the AP dashboard in the Aruba Central On-Premises WebUI. Navigate to the Manage > Overview > Summary page to replace an AP.
Before you Replace a Campus AP or Remote AP
The following are the important points to consider before you replace a Campus AP or Remote AP:

- The device that has to be replaced can be either offline or online.
- The model number of the old AP and the new AP can be different. The AP that replaces another AP need not be of the same model.
- The old AP must be a licensed device, and ensure that an additional license is available, because the new AP procures a license during replacement.
- The new AP must be part of the device inventory.
- After the AP is replaced, the new AP gets licensed and inherits the Group, Label, and Site parameters along with the floor plan from the old device.
- The new AP does not inherit any configuration from the old AP.
- After the AP is replaced, the old AP is removed from:
  - Device inventory
  - Monitoring view
  - Visual RF, if the AP is associated with the Visual RF floor plan
  - Site, Label, and Group, if associated
- The new AP replaces the old AP in the VisualRF floor plan if the old AP was associated with the VisualRF floor plan.
- The old AP is deleted from the monitoring view only after the validation process is complete. This validation process takes about 15 minutes.
Before you Replace an Instant AP
The following are the important points to consider before you replace an Instant Access Point:
- The device that has to be replaced can be either offline or online.
- The model number of the old AP and the new AP must be the same. For example, an AP-505 must be replaced with an AP-505 only.
- The new AP must be part of the device inventory.
- A subscription must be assigned to the new AP.
- If the AP that is going to be replaced is a member, the new AP automatically inherits the configuration from the leader of the group.
- If the AP that is going to be replaced is a leader, the new AP does not automatically become the leader. Although the replacement procedure ensures that the new AP inherits the configuration settings, a new leader is elected after the new AP joins the cluster.
- After the AP is replaced, the new AP inherits the Group, Label, and Site parameters, firmware version, and device name from the old device.
- The old AP is deleted from the monitoring view only after the validation process is complete. This validation process takes 15 minutes.
- After the device is replaced, the old AP is not removed from the device inventory. The AP can be reused in the future.
Replacing an AP from the Summary Page
To replace an AP from the summary page, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.


3. Click Offline to view a list of offline APs in the Access Points table.
4. In the Device Name column, click the AP that you want to replace. The Overview > Summary page is displayed in the AP dashboard.
5. In the Actions drop-down list, click Replace Device.
6. In the Replace Device pop-up window, click Replace.
7. In the Replace Access Point page, perform the following steps:
   a. Select a replacement AP and click Next.
   b. Verify the attributes as described in Table 99 and Table 100.
   c. Click Next. In the Confirmation page, the following warning is displayed: This is an irreversible operation. Do you want to proceed with the device replacement?
   d. In the Confirmation page, review the old and new device details and click Replace.
   e. In the Request Accepted pop-up window, click Done to continue the workflow.
8. In the Access Point Details page, a progress bar displays the device replacement status. Hover over the progress bar to view more details.
9. Optionally, hover over the progress bar and click Terminate if you wish to discontinue replacing the device.
If the device replacement process fails, click Terminate to end the procedure and retry.
10. Connect the new AP. The status in the progress bar changes to Device replacement in progress. Hover over the progress bar to view more details.
If the firmware upgrade fails for an Instant Access Point, Aruba Central automatically retries one more time. If the firmware upgrade fails for the second time, the Firmware Updated status changes to Failed. You can manually upgrade the firmware. For more information, see Upgrading Device Firmware.
11. Navigate to the AP Summary page of the new device.
   a. In the Aruba Central On-Premises app, set the filter to Global. The dashboard context for the selected filter is displayed.
   b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   c. Click Online to view a list of online APs in the Access Points table.
   d. In the Device Name column, click the new AP. The Overview > Summary page is displayed in the AP dashboard.
   e. In the Device section, you can view the following details:
      - AP Model
      - Country Code
      - MAC Address
      - Serial Number
      - Last Seen
      - Last Reboot Reason
      - Firmware version
      - Configuration Status
      - Band Selection
      - Power Negotiation
      - Group
      - Labels
      - Site
12. The Audit Trail page displays all the logs generated during the device replacement process. To view the logs, set the filter to Global. Under Analyze, click Audit Trail.
The Audit Trail table is displayed.
The following table lists the attributes on the Replace Access Point page for Campus AP and Remote AP.

Table 99: Parameters for Campus AP and Remote AP

Parameter              Description
Device name            The device name of the new AP.
Serial number          The serial number for each AP is a unique value. The serial number reflects the value of the new AP.
Subscription assigned  The new AP is assigned the same subscription as the old one. For example, if the old AP had a Foundation license, the new AP is assigned the same Foundation license.
Model number           The model number of the new AP.
Group name             The group name that is inherited from the old AP.
Site assigned          The site that is inherited from the old AP.
Label(s) assigned      The label(s) that are inherited from the old AP.

The following table lists the attributes on the Replace Access Point page for an Instant Access Point.

Table 100: Parameters for an Instant Access Point

Parameter              Description
Device name            The name that is inherited from the old AP.
Serial number          The serial number for each AP is a unique value. The serial number reflects the value of the new AP.
Subscription assigned  The same subscription is assigned to the new AP. For example, if the old AP had a Foundation license, the new AP is assigned the same Foundation license.
Model number           The model number is inherited from the old AP.
Group name             The group name that is inherited from the old AP.
Site assigned          The site that is inherited from the old AP.
Firmware version       The firmware version is displayed as Unknown for the new AP. However, after the new AP is connected and the configuration is synchronized, the firmware is upgraded to the same version as the old device.

Bulk Replacement of Access Points
Aruba Central On-Premises allows you to perform bulk replacement of Campus APs and Remote APs in the WebUI. You can replace APs in bulk by using one of the following pages:
- Device Replacement--In the global dashboard, navigate to Maintain > Organization > Device Replacement.
- Manage Sites--Under Maintain > Organization > Network Structure.
Important Points
The following are the important points to consider for replacing Campus APs or Remote APs in bulk:
- The APs to be replaced can be either offline or online.
- The model number of the old APs and the new APs can be different.
- You cannot rename APs by using the Device Replacement or Manage Sites page. To rename APs, see Renaming an AP.
- The old APs must be licensed devices. Also, ensure that additional licenses are available, because the new APs procure licenses during replacement.
- The new APs must be part of the device inventory.
- After the APs are replaced, the new APs inherit the Group, Label, Site, and Visual RF parameters along with licenses from the old APs.
- After the APs are replaced, the old APs are removed from:
  - Device inventory
  - Monitoring view
  - Visual RF, if the APs are associated with the Visual RF floor plan
  - Site, Label, and Group, if associated
- The new APs replace the old or faulty APs that were associated with the VisualRF floor plan.
Replacing an AP from the Device Replacement Tile
To replace one or more APs from the device replacement tile, complete the following steps:
1. In the Aruba Central app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. In the Device Replacement tile, click Devices. The Replace Devices page is displayed.
4. In the Select a device type drop-down, select Access Point.


5. In the Select a site drop-down, select a site in which the APs need to be replaced. The Devices table lists the offline APs available for replacement from the selected site.
6. In the Devices table, select one or more APs that you want to replace and click the Replace Offline Devices icon. You can select up to a maximum of 30 APs at a time for replacement. The New Device and Compliance Status columns are displayed.
7. In the New Device column, select a new AP from the drop-down for each selected faulty AP. The new AP can be filtered using the serial number or MAC address. Once the new AP is selected, Aruba Central On-Premises checks whether the faulty device can be replaced with the new AP.
   - If the selected AP is a good match for the faulty AP, the Compliance Status column for the selected AP displays Good Match.
   You can replace the faulty AP only when the Compliance Status is displayed as Good Match.
   - If the selected AP is not a good match for the faulty AP, the Compliance Status column for the selected AP displays one or more of the following reasons:
     - The model number of the faulty AP does not match the new AP.
     - A valid license is not assigned to the faulty device.
     - The new device is blocked by another replacement process.
     - Not able to fetch faulty device details from the device inventory, if the device is not available in the device inventory.
     - Not able to fetch details about the faulty device group.
8. Click Replace to initiate the device replacement. In the Compliance Status column, the status changes to: Your replacement request has been accepted. You cannot terminate the device replacement process once the status has changed to Your replacement request has been accepted.
9. Plug in the new AP once the status changes to: Your replacement request has been accepted.
10. Click Status to check the progress of the device replacement process. The Devices Under Replacement page displays the following details:
   - Old Device Name
   - New Device Name
   - Requested On
   - Updated On
   - Device Type
   - Device Connection Status
   - Site Name
   - Group Name
   - Old Device Serial
   - New Device Serial
   - Old Device MAC
   - New Device MAC
   - Model
   - Group assignment
   - Site assignment
   - Labels assignment
   - License assignment
   - VRF assignment
   - Configuration assignment
   - Firmware assignment
   - Uplink assignment (This column is not applicable for APs)
   - Status
Once all the assignments are Updated for an AP, it will take up to five minutes for the Status column to change to Success. If any of the assignments failed, the Status column changes to Failed.

- You can also navigate to the Devices Under Replacement page from the Device Replacement tile and the AP summary page to view the status of the device replacement.
- Optionally, you can terminate the replacement process when the Status is displayed as Requested by hovering over the row in the Devices Under Replacement page.
- The old device is not removed from the monitoring view if the device replacement fails.

11. To view the device replacement history, navigate to the Device Replacement tile and click Replacement History. The Replacement History page lists the details of all device replacements carried out in Aruba Central On-Premises.
12. To view the audit logs, in the global dashboard context, navigate to Analyze > Audit Trail and filter the Category column to Device Replacement. The Audit Trail page displays all the logs generated during the device replacement process.

Using Device Search
In the Devices Under Replacement and Replacement History pages, the search icon allows you to filter devices using search queries. For example, the search query "Site name is Santa Clara AND device type is Access Point" returns all APs in the Santa Clara site. The search query can contain the following information:
- Device Attributes--Device serial, MAC address, device name, site name, and group name are allowed.
- Operators--is, as, and the equal sign (=) are allowed.
- Separators--AND, comma (,), semicolon (;), and ampersand (&) are allowed.

Sample Queries
The following table lists some sample queries that can be used as search queries:

Table 101: List of Sample Queries

Query                                              Result
new_AP1                                            Returns the device with the name new_AP1.
Serial is H9XHL                                    Returns the device with the serial number H9XHL.
Site name is Bangalore AND device type = switch    Returns all the switches in the Bangalore site.
Group name as Outdoor & device type is Gateway     Returns all the gateways in the Outdoor group.
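The search syntax described above, as an added example that is not part of this guide or the product: a small Python parser for queries built from the listed attributes, operators (is, as, =) and separators (AND, comma, semicolon, ampersand), run against a constructed inventory. The record field names, the constructed inventory and the case-insensitive handling of AND are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Attribute phrases the search syntax accepts (device serial, MAC address, device
# name, site name, group name; "device type" appears in the sample queries), mapped
# to the field names this example assumes for inventory records.
ATTRIBUTE_FIELDS = {
    "device serial": "serial", "serial": "serial",
    "mac address": "mac", "mac": "mac",
    "device name": "name", "name": "name",
    "site name": "site", "site": "site",
    "group name": "group", "group": "group",
    "device type": "device_type",
}

# Clause separators: AND, comma, semicolon, ampersand. Matching AND without regard
# to case is an assumption of this example; the guide shows it in upper case.
_SEPARATOR = re.compile(r"\s*(?:\bAND\b|,|;|&)\s*", re.IGNORECASE)

# One clause: an attribute phrase, one of the operators is / as / =, then a value.
_CLAUSE = re.compile(
    r"^(?P<attr>[A-Za-z][A-Za-z ]*?)\s*(?:\bis\b|\bas\b|=)\s*(?P<value>\S.*)$",
    re.IGNORECASE,
)


def _normalize(field: str, value: str) -> str:
    """Canonical comparison form: MAC addresses drop their separators, all values
    are whitespace-collapsed and case-folded."""
    if field == "mac":
        value = re.sub(r"[^0-9A-Fa-f]", "", value)
    return " ".join(value.split()).casefold()


def parse_query(query: str) -> List[Tuple[str, str]]:
    """Split a query into (field, normalized value) clauses. A clause without an
    operator is treated as a device name, as in the "new_AP1" sample query."""
    clauses: List[Tuple[str, str]] = []
    for raw in _SEPARATOR.split(query.strip()):
        if not raw:
            continue
        match = _CLAUSE.match(raw)
        if match is None:
            clauses.append(("name", _normalize("name", raw)))
            continue
        attr = " ".join(match.group("attr").split()).casefold()
        if attr not in ATTRIBUTE_FIELDS:
            raise ValueError(f"unsupported attribute in clause: {raw!r}")
        field = ATTRIBUTE_FIELDS[attr]
        clauses.append((field, _normalize(field, match.group("value"))))
    if not clauses:
        raise ValueError("empty query")
    return clauses


def matches(record: Dict[str, str], clauses: List[Tuple[str, str]]) -> bool:
    """Every clause must hold for a record: all four separators mean AND."""
    return all(_normalize(field, record.get(field, "")) == value
               for field, value in clauses)


def search(records: List[Dict[str, str]], query: str) -> List[Dict[str, str]]:
    clauses = parse_query(query)
    return [record for record in records if matches(record, clauses)]


def device_names(records: List[Dict[str, str]], query: str) -> List[str]:
    return [record["name"] for record in search(records, query)]


# Constructed inventory (not real devices); the serial H9XHL is the value used in
# the guide's sample query, the other serials and MACs are placeholders.
SAMPLE_INVENTORY = [
    {"name": "new_AP1", "serial": "SERIAL-AP-0001", "mac": "00:11:22:33:44:01",
     "site": "Santa Clara", "group": "Campus", "device_type": "Access Point"},
    {"name": "AP-Lobby", "serial": "H9XHL", "mac": "00:11:22:33:44:02",
     "site": "Bangalore", "group": "Indoor", "device_type": "Access Point"},
    {"name": "AP-Yard", "serial": "SERIAL-AP-0003", "mac": "00:11:22:33:44:03",
     "site": "Bangalore", "group": "Outdoor", "device_type": "Access Point"},
    {"name": "SW-Core-1", "serial": "SERIAL-SW-0001", "mac": "00:11:22:33:55:01",
     "site": "Bangalore", "group": "Core", "device_type": "Switch"},
    {"name": "GW-Edge-1", "serial": "SERIAL-GW-0001", "mac": "00:11:22:33:66:01",
     "site": "Bangalore", "group": "Outdoor", "device_type": "Gateway"},
]

if __name__ == "__main__":
    # Run the four queries from Table 101 against the constructed inventory.
    for q in ("new_AP1", "Serial is H9XHL",
              "Site name is Bangalore AND device type = switch",
              "Group name as Outdoor & device type is Gateway"):
        print(f"{q!r} -> {device_names(SAMPLE_INVENTORY, q)}")
```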

Bulk Replacement of APs from the Manage Sites Page
To replace APs in bulk by using the Manage Sites page, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. From the list of sites, select the site whose APs you want to replace.
5. Click the icon. The Replace Offline Devices pop-up window is displayed.
6. Click Replace. The Bulk Device Replacement page under Manage > Overview > Device Replacement is displayed.
7. In the Devices table, select the offline APs that you want to replace, and click the icon. The Replace Devices page is displayed.
You can select a maximum of 30 devices from the Devices table for bulk replacement.
8. In the Devices table, select the serial number of the new AP from the New Device drop-down list.
In the Confirmation page, the following warning is displayed: This is an irreversible operation. Do you want to proceed with the device replacement?
9. Click Replace. The Replacement Status pop-up window is displayed.
The Replacement Status pop-up window displays the New device blocked for replacement message for each of the newly replaced APs.
10. Click Done.
Access Point > Clients > Clients
In the access point (AP) dashboard, the Clients tab displays details of all the clients connected to a specific AP.


Viewing the Access Point > Clients > Clients Tab
To navigate to the Clients tab in the AP dashboard, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. Under Manage, click Clients. The Clients page is displayed in the List view.
To exit the Clients dashboard, click the back arrow on the filter. You can change the time range for the Clients tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months.
For more information, see All Clients.
Access Point > Alerts & Events > Alerts & Events
In the access point (AP) dashboard, the Alerts & Events tab displays details of the alerts and events generated for the AP.
Viewing the Access Point > Alerts & Events > Alerts & Events Tab
To navigate to the Alerts & Events tab in the AP dashboard, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. Under Analyze, click Alerts & Events. The Alerts & Events page is displayed in the List view.
To exit the Alerts & Events dashboard, click the back arrow on the filter.
For more information, see Alerts & Events. You can also configure and enable certain categories of AP alerts. For more information, see Access Point Alerts.

Live Events
Aruba Central On-Premises allows you to troubleshoot issues related to Instant APs (IAPs) and IAP wireless clients. The Live Events feature is similar to client live troubleshooting, but live events are enabled at the Instant Access Point level. Currently, users can subscribe to Radio, VPN, and Spectrum events.
- The IAP must be running ArubaInstantOS 8.5.0.0 or a later version to support this feature. Live Events is not supported on single-node deployments.
- Live Events is only available for IAPs and not for Campus APs and Remote APs.
Troubleshooting an IAP
Aruba Central allows you to troubleshoot issues related to an IAP in real-time for detailed analysis. To troubleshoot an IAP at the device level, perform the following steps:
1. In the Aruba Central On-Premises app, select an IAP from the Device list. The dashboard context for the selected IAP is displayed.
2. Under Analyze, click Live Events. The Live Events page is displayed.
The live monitoring session starts automatically. The status of the troubleshooting is displayed every minute. The troubleshooting session runs for a duration of 15 minutes. You can stop live troubleshooting at any point by clicking Stop Troubleshooting to go back to the historical view. After the live troubleshooting session ends, the details of the events are displayed in the Live Events table.
Live Events Details
The following details are captured and displayed in the Live Events table:
- Occurred On--Displays the timestamp of the event. Use the filter option to filter the events by date or time.
- Category--Displays the category of the event. Use the filter option to filter the events by category.
- Description--Displays a description of the event. Use the filter option to filter the events based on description.
You can download the list of live events to a CSV file for offline analysis. To download live events, click the Download CSV icon on the Live Events table.


Chapter 13
Managing AOS-CX Switches
AOS-CX is a modern and fully programmable operating system built using a database-centric design, which ensures higher availability and dynamic software process changes for reduced downtime. In addition to robust hardware reliability, the AOS-CX operating system includes additional software elements not available with traditional systems, including:
- Automated visibility to help IT organizations scale
- Simplified programmability
- Faster resolution with network insights
- High availability
- Ease of roll-back to previous configurations
The AOS-CX operating system is a modular, database-centric operating system. Every aspect of the switch configuration and state information is modeled in the AOS-CX switch configuration and state database, including configuration information, status of all features, and network analytics. The AOS-CX operating system also includes a time series database, which acts as a built-in network record. The time series database makes the data seamlessly available to Aruba Network Analytics Engine agents that use rules that evaluate network conditions over time.
Aruba Central On-Premises offers an on-premises management platform for managing AOS-CX infrastructure. It simplifies switch management with flexible configuration options, monitoring dashboards, and troubleshooting tools. This section includes the following topics:
- Getting Started with AOS-CX Deployments
- Provisioning Factory Default AOS-CX Switches
- Provisioning Pre-Configured AOS-CX Switches
- Configuring AOS-CX Switches using Templates
- Configuring AOS-CX Switches in UI Groups
- Configuration Workflow for AOS-CX Switches in UI Groups
- Caveats for Using AOS-CX Switches in Aruba Central On-Premises
- Managing an AOS-CX VSF Stack
- Aruba Central NetConductor Overview


Getting Started with AOS-CX Deployments
Before you get started with your onboarding and provisioning operations, browse through the list of Supported AOS-CX Platforms in Aruba Central On-Premises.
Provisioning Workflow
The following sections list the steps required for provisioning AOS-CX switches in Aruba Central On-Premises.
Provisioning a Factory Default AOS-CX Switch
Like most Aruba devices, AOS-CX switches support ZTP. Switches with the factory default configuration have a very basic configuration, with all ports in VLAN-1. You must manually add either the serial number, MAC address, or part number of the new factory default switch in Aruba Central On-Premises. When the switch identifies Aruba Central On-Premises as its management entity, it connects to Aruba Central On-Premises. To manage AOS-CX switches from Aruba Central On-Premises, you must onboard the switches to the device inventory and assign a valid subscription. For step-by-step instructions, see Provisioning Factory Default AOS-CX Switches.
Provisioning a Pre-configured or Locally-Managed AOS-CX Switch
Pre-configured switches have a customized configuration; for example, an additional VLAN or a static IP address configured on top of the default configuration. The Aruba Central On-Premises management service is enabled by default on AOS-CX switches. When the switch is powered on, it identifies Aruba Central On-Premises as its management entity and connects to Aruba Central On-Premises. To manage AOS-CX switches from Aruba Central On-Premises, you must onboard the switches to the device inventory and assign a valid subscription. For step-by-step instructions, see Provisioning Pre-Configured AOS-CX Switches.

Group Assignment
Aruba Central On-Premises supports provisioning AOS-CX switches in UI and template groups. Template groups allow you to configure devices using CLI-based configuration templates. UI groups allow you to configure devices using UI-based configuration options.
The following figure illustrates the group assignment workflow in Aruba Central On-Premises.
Figure 48 Group Assignment-AOS-CX Switches

Moving AOS-CX Switches Between Groups
AOS-CX switches can also be moved between groups in Aruba Central On-Premises. When moving switches from an unprovisioned, template, or UI group to another UI group, the existing switch configuration can be retained by selecting the Retain CX-Switch Configuration check box on the Move Devices page. If the configuration on the device and the group are different, Aruba Central On-Premises retains the device configuration as device overrides. Consider the following points when selecting this check box:
- When moving the switches to the UI group, all supported UI group configurations, if present at the group level for the destination group, are applied to the switches, except the following:
  - System Properties: only the device administrator password, if configured in the group, is updated on the switch.
  - Authentication (MAC and 802.1X)
  - Spanning Tree (Loop Prevention)
  - HTTP Proxy
  - User-based tunneling
  - Logging servers
  - SNMP
  - Port interfaces
- If any group configuration has dependent configuration, the dependent configuration is not applied to the device. For example, any LAG configuration that is present at the group level (not at the device level) is applied. However, the port configuration in a LAG is not applied, because port configuration is a dependent configuration of LAGs.
- Device-level RADIUS and TACACS server configuration is retained, if present, and any new group-level configuration is also applied. However, if any retained device configuration conflicts with group-level configuration, the group-level configuration takes precedence and the conflicting configuration is replaced.
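The precedence rules above decide which settings a retained switch actually ends up with, and in particular which group-level hardening (802.1X, logging servers, SNMP) does not land on the switch during the move. The following model, added here as an example and not Aruba Central On-Premises code, encodes those rules over configuration represented as `{section: {key: value}}` dictionaries. The section names and the sample configuration are this example's own constructed labels and values; the "group wins on conflict" rule is stated in the guide for RADIUS and TACACS servers and is generalized to other applied sections here as an assumption.

```python
"""Model of what a 'Retain CX-Switch Configuration' move produces.

Added example; not Aruba Central On-Premises code.  It only encodes the
precedence rules listed in the guide.  Section names are this example's
own labels (assumptions), not product identifiers.
"""

# Group sections that are NOT pushed to a retained switch on a move.
SKIPPED_SECTIONS = {
    "authentication",        # MAC and 802.1X
    "spanning_tree",         # loop prevention
    "http_proxy",
    "user_based_tunneling",
    "logging_servers",
    "snmp",
    "port_interfaces",       # also the dependent configuration of LAGs
}


def effective_config_after_move(device_cfg, group_cfg):
    """Return (effective, skipped, overridden).

    effective  : configuration the switch ends up with after the move
    skipped    : group settings that were NOT applied, so an admin can
                 review which hardening still has to be pushed separately
    overridden : (section, key, old_device_value) for device settings that
                 a conflicting group setting replaced (group wins; stated
                 by the guide for RADIUS/TACACS, assumed for other sections)
    """
    effective = {section: dict(settings) for section, settings in device_cfg.items()}
    skipped = {}
    overridden = []
    for section, settings in group_cfg.items():
        if section in SKIPPED_SECTIONS:
            skipped[section] = dict(settings)
            continue
        if section == "system_properties":
            # Only the device administrator password is updated from the group.
            if "admin_password" in settings:
                effective.setdefault(section, {})["admin_password"] = settings["admin_password"]
            rest = {k: v for k, v in settings.items() if k != "admin_password"}
            if rest:
                skipped[section] = rest
            continue
        target = effective.setdefault(section, {})
        for key, value in settings.items():
            if key in target and target[key] != value:
                overridden.append((section, key, target[key]))
            target[key] = value  # device-only keys stay as device overrides
    return effective, skipped, overridden


# Constructed sample: a switch with local settings moved into a hardened UI group.
DEVICE_CFG = {
    "system_properties": {"hostname": "edge-sw-01", "admin_password": "old-secret"},
    "radius_servers": {"10.0.0.5": {"key": "site-key"}},
    "vlans": {"10": {"name": "users"}},
}
GROUP_CFG = {
    "system_properties": {"admin_password": "group-secret", "timezone": "UTC"},
    "authentication": {"dot1x": "enabled"},
    "logging_servers": {"10.0.0.20": {"severity": "info"}},
    "radius_servers": {"10.0.0.5": {"key": "group-key"}, "10.0.0.6": {"key": "group-key"}},
    "lag": {"lag1": {"members": ["1/1/1", "1/1/2"]}},
    "port_interfaces": {"1/1/1": {"lag": "lag1"}},
}

if __name__ == "__main__":
    effective, skipped, overridden = effective_config_after_move(DEVICE_CFG, GROUP_CFG)
    print("not applied by the move, push separately:", sorted(skipped))
    print("device settings replaced by group:", overridden)
```

Running it on the sample shows that the group's 802.1X and syslog settings are reported under `skipped`, the LAG is applied while its member-port configuration is not, and the RADIUS key for the server present on both sides takes the group value.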
AOS-CX Switch Configuration
Aruba Central On-Premises supports managing AOS-CX switch configuration using configuration templates and UI group configuration. When an AOS-CX switch is connected to Aruba Central On-Premises and managed using the Aruba Central On-Premises app, Aruba Central On-Premises becomes the single source of configuration for the switch. In the Aruba Central On-Premises Managed mode, the switch cannot be configured using any of the other switch configuration interfaces, such as the switch CLI, REST APIs, NBAPIs, and SNMP. You can use any configuration option available in Aruba Central On-Premises to configure AOS-CX switches in the Managed mode. You can use the MultiEdit mode on the UI to run commands on the switch through Aruba Central On-Premises. For information, see Using MultiEdit View for AOS-CX. The Aruba Central On-Premises Managed mode applies to AOS-CX switches running firmware version 10.07 or later that have been added to an Aruba Central On-Premises group. This mode does not apply to switches in the unprovisioned state.
Configuration Using Templates
Aruba Central On-Premises supports managing AOS-CX switch configuration using configuration templates. Ensure that you assign the AOS-CX switches to a template group.
- When initially onboarding an AOS-CX switch to Aruba Central On-Premises, you must manually create the template for the switch in a group, along with the password in plaintext format. You can use the output of the show running-config command to create the template. You can also add variables so that the same template can be used to onboard multiple AOS-CX switches.
- In the AOS-CX template configuration, the pound sign (#) is used for adding comments. When using the banner motd command in the template configuration, use a delimiter such as the at (@) symbol or any other special character rather than the pound sign (#). Using the pound sign (#) with the banner motd command causes the command to be dropped when the template is processed.
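Because the comment pass silently removes a `banner motd` block delimited with `#`, it is worth linting a template before it is uploaded to a template group. The script below is an added example, not code from the guide or from Aruba Central: it models the comment pass as "drop `#` and everything after it on a line" (the guide states only that `#` introduces comments and that a `#` banner delimiter is dropped, not the exact algorithm), flags banner commands that use `#`, and fills `%name%` placeholders (the placeholder form is an assumption of this example). The sample templates and their hostnames and VLAN numbers are constructed.

```python
"""Lint and render an AOS-CX CLI template before uploading it to a template group.

Added example, not Aruba Central On-Premises code.  Assumptions:
  * comment handling is modelled as "drop '#' and everything after it";
  * variables use the %name% placeholder form.
"""
import re

COMMENT_RE = re.compile(r"#.*$")
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
BANNER_RE = re.compile(r"^\s*banner\s+(motd|exec)\s+(\S)")


def strip_comments(template: str) -> list[str]:
    """Model of the template comment pass: drop '#' comments and blank lines."""
    out = []
    for line in template.splitlines():
        cleaned = COMMENT_RE.sub("", line).rstrip()
        if cleaned.strip():
            out.append(cleaned)
    return out


def find_hash_banners(template: str) -> list[int]:
    """Return 1-based line numbers of banner commands that use '#' as the delimiter."""
    bad = []
    for number, line in enumerate(template.splitlines(), start=1):
        match = BANNER_RE.match(line)
        if match and match.group(2) == "#":
            bad.append(number)
    return bad


def render(template: str, variables: dict[str, str]) -> str:
    """Substitute %name% placeholders; an unresolved name raises so that a
    half-filled configuration is never pushed to a switch."""
    missing = sorted(set(VAR_RE.findall(template)) - set(variables))
    if missing:
        raise KeyError(f"unresolved template variables: {missing}")
    return VAR_RE.sub(lambda m: variables[m.group(1)], template)


# Constructed sample templates (hypothetical hostname and VLAN values).
BAD_TEMPLATE = """\
# constructed template: uses the pound sign as the banner delimiter
hostname %sw_hostname%
banner motd #
Authorized use only.
#
vlan %mgmt_vlan%
    name management
"""

GOOD_TEMPLATE = """\
# constructed template: uses '@' as the banner delimiter
hostname %sw_hostname%
banner motd @
Authorized use only.
@
vlan %mgmt_vlan%
    name management
"""

if __name__ == "__main__":
    print("banner lines using '#':", find_hash_banners(BAD_TEMPLATE))
    print("what the comment pass leaves of the bad template:")
    print("\n".join(strip_comments(BAD_TEMPLATE)))
    print(render(GOOD_TEMPLATE, {"sw_hostname": "edge-sw-01", "mgmt_vlan": "10"}))
```

On the bad template the comment pass leaves `banner motd` with no delimiter and the banner text as stray lines, which is the dropped-command failure the note describes; on the `@` version the whole block survives intact.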
For more information on managing AOS-CX switches in Aruba Central On-Premises using templates, see Configuring AOS-CX Switches using Templates.
Configuration Using UI Groups
Aruba Central On-Premises supports managing AOS-CX switch configuration using UI groups. You can configure AOS-CX switches that are added to a UI group using the UI options and the MultiEdit mode. You can pre-configure groups in the absence of switches.

For more information on managing AOS-CX switches in Aruba Central On-Premises using UI group configuration, see Configuring AOS-CX Switches in UI Groups.
Replacing a VSX member
When replacing a VSX switch member that is configured and managed through Aruba Central On-Premises, ensure that the new replacement switch is assigned to the same group as the old switch. If the assigned group is a template group, ensure that the variables for the new replacement switch are the same as those of the old switch. In the case of a UI group, if the VSX switch is configured using MultiEdit, you need to copy the original configuration from the MultiEdit configuration editor and paste it into the new replacement switch after moving it into the group.
AOS-CX Stack Configuration
Aruba Central On-Premises supports managing AOS-CX switch stack configuration using UI group configuration and templates. For more information on managing AOS-CX switch stacks in Aruba Central On-Premises using UI group configuration, see Configuring AOS-CX VSF Stacks Using UI Groups. For more information on managing AOS-CX switch stacks in Aruba Central On-Premises using templates, see Configuring AOS-CX Switches using Templates.
AOS-CX Switch Monitoring
To view the operation status of switches and health of wired access network, complete the following steps:
1. In the Aruba Central On-Premises app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active switch. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
3. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
For more information, see Monitoring Switches and Switch Stacks.
Viewing VSX Details
Aruba Central On-Premises displays information about VSX configuration of AOS-CX switches. For more information, see Switch > VSX.
Last synced data is displayed in the Switch > VSX page only when VSX synchronization is enabled for the AOS-CX switch. However, enabling VSX synchronization using template configuration in Aruba Central On-Premises is not recommended. By enabling VSX synchronization, the peer switch may get into an unknown configuration state.
Viewing Topology Map
In Aruba Central On-Premises, the Topology tab in the site dashboard provides a graphical representation of the site including the network layout, details of the devices deployed and health of the WAN uplinks and tunnels. Aruba Central On-Premises supports AOS-CX switches to be displayed in the Topology tab. For more information, see Monitoring Sites in the Topology Tab.
Troubleshooting and Diagnostics
If you are unable to view all details of the AOS-CX switch, the template configuration might not have been applied correctly, the password might be missing from the template configuration, or the password might not be in plaintext. Check the audit trail for the status of the switch. The audit trail should show the device onboarded message for the switch serial number, followed by the configuration push and login successful messages. For more information on troubleshooting AOS-CX switch onboarding issues, see Troubleshooting AOS-CX Switch Onboarding Issues.
Configuration Status
The Configuration Audit page under Aruba Central On-Premises app > Device(s) > Switches in the Aruba Central On-Premises UI displays e