Aruba Central User Guide


Copyright Information
© Copyright 2021 Hewlett Packard Enterprise Development LP.
Open Source Code
This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:
Hewlett Packard Enterprise Company 6280 America Center Drive San Jose, CA 95002 USA

Contents
About this Guide
Intended Audience Related Documents Conventions Terminology Change Contacting Support
What is Aruba Central?
Key Features Supported Web Browsers Operational Modes and Interfaces Supported Devices
Getting Started with Aruba Central
Key Terms and Concepts Workflow Summary Creating an Aruba Central Account Accessing Aruba Central Portal Accessing Aruba Central Mobile Application About the Network Operations App User Interface Overview of Aruba Central Foundation and Advanced Licenses Aruba Central Licenses Feature Details Starting Your Free Trial Setting up Your Aruba Central Instance Configuring Email Notifications for Software Upgrades Configuring Idle Timeout Opening Firewall Ports for Device Communication Connecting Devices to Aruba Central Device Configuration and Network Management Using the Search Bar
Administering Aruba Central
Apps Global Settings Users and Roles Managing License Keys Managing License Assignments Managing Your Device Inventory Data Collectors Webhooks Streaming API Viewing Audit Trails in the Account Home Page
Maintaining Aruba Central
Groups for Device Configuration and Management Sites and Labels Certificates Installation Management Viewing Configuration Status Viewing the Configuration Audit Page Applying Configuration Changes Viewing Configuration Overrides and Errors Backing up and Restoring Configuration Templates Managing Software Upgrades
Viewing Audit Trail in the Standard Enterprise Mode and MSP Mode Removing Devices
The AI Insights Dashboard
Insights Context Cards Baselines Access Points with High Number of Reboots Access Points with Excessive Number of Channel Changes Access Points with High CPU Utilization Access Points Impacted by High 2.4 GHz Usage Access Points Radios with Frequent Transmit Power Changes Access Point Transmit Power can be Optimized Access Points Impacted by High 5 GHz Usage Access Points with High Memory Usage Clients with High Roaming Latency Clients with Low SNR Minutes Clients with High MAC Authentication Failures Clients with DHCP Server Connection Problems Clients with High 802.1X Authentication Failures Clients with High Wi-Fi Security Key-Exchange Failures Clients with Captive Portal Authentication Problems Clients with High Number of Wi-Fi Association Failures Clients who Roamed Excessively Coverage Holes Identified Dual-band (2.4/5 GHz) Clients Primarily using 2.4 GHz Delayed DNS Request or Response DNS Servers Rejected High Number of Queries Gateways with High Memory Usage Gateways with High CPU Utilization Failure to Establish Gateway Tunnels DNS Queries Failed to Reach or Return from the Server Telemetry Information not Received from APs or Radios Outdoor Clients Impacting Wi-Fi Performance AOS-CX Switches with High CPU Utilization AOS-CX Switches with High Memory Usage AOS-CX Switch Ports with High Power-over-Ethernet Problems AOS-CX Switches with High Port Errors AOS-CX Switches with High Port Flaps AOS-Switches with High Port Errors AOS-Switches with High Port Flaps AOS-Switches with High CPU Utilization AOS-Switches with High Memory Usage AOS-Switch Ports with High Power-over-Ethernet Problems
Managed Service Provider
Terminology Getting Started with MSP Solution Enabling Managed Service Mode Managing MSP Licenses System Users and User Roles in MSP Mode Groups in the MSP Mode About Provisioning Tenant or Customer Accounts Assigning Devices to Tenant Accounts MSP Dashboard MSP Certificates Navigating to the Tenant Account MSP Alerts MSP Audit Trails MSP Reports Firmware Upgrades for MSP Mode Customizing the Portal in MSP Mode MSP Deployment Models Frequently Asked Questions

Instant APs
Supported Deployment Modes Configuration and Management Supported Instant APs Provisioning Instant APs Configuring APs Using Templates Viewing APs Configuration Tabs Navigating to Virtual Controller Configuration Dashboard Deploying a Wireless Network Using Instant APs Monitoring APs
AOS-CX Overview
Supported AOS-CX Platforms Getting Started with AOS-CX Deployments Using Configuration Templates for AOS-CX Switch Management Configuring AOS-CX Switches in UI Groups AOS-CX VSF Stack
AOS-Switches Overview
Supported AOS-Switch Platforms Getting Started with AOS-Switch Deployments Provisioning Workflow Group Assignment Configuration and Management Switch Monitoring Troubleshooting and Diagnostics Configuring AOS-Switches
Monitoring Switches and Switch Stacks
Monitoring Switches in List View Monitoring Switches in Summary View Switch > Overview > Summary Switch > Overview > Hardware Switch > Overview > Routing Switch > Overview > AI Insights Switch > Clients > Clients Switch > Clients > Neighbours Switch > LAN > Ports Switch > LAN > PoE Switch > LAN > VLAN Switch > VSX Switch > Alerts & Events > Events Rebooting Switches Opening Remote Console for Switch Troubleshooting Aruba Switches Enabling Unsupported Transceivers on AOS-Switches Troubleshooting AOS-CX Switch Onboarding Issues
Aruba SD-Branch Solution
Why SD-WAN? Key Features and Benefits Understanding SD-WAN What are the Solution Requirements? Supported SD-Branch Components Supported 4G Modems for Aruba SD-Branch SD-Branch Enhancements
Getting Started
Creating an Aruba Central Account Accessing Aruba Central Portal Managing License Keys Managing License Assignments Onboarding Devices to Aruba Central Assigning Subscriptions to Aruba Gateways Assigning Gateways to a Group
Assigning Gateways to Sites Assigning Labels to Gateways Recovering an Aruba Gateway Assigning a Group Role to an Aruba Gateway Group Connecting Aruba Gateways to Aruba Central Configuring Communication Ports Certificates
Provisioning Aruba Gateways in Aruba Central
Different Modes of Configuring Gateways and Gateway Groups Configuring Branch Gateway Groups Using the Guided Setup Configuring Branch Gateways Using the Guided Setup Configuring VPNC Group Using the Guided Setup Configuring VPNCs Using the Guided Setup
Configuring an SD-Branch Network Using the Advanced Setup
Configuring Address Pools for Aruba Gateways Uploading Bulk Configuration Template Configuring System Information on Aruba Gateways Configuring VLANs on Aruba Gateways Configuring SLB using NAT Configuring Ports Configuring Uplinks Managing 9004-LTE Branch Gateway Configuring WAN Health Check Configuring WAN Interface Bandwidth Priorities SD-WAN Overlay Tunnel and Route Orchestration Configuring the SD-Branch Overlay Network Configuring the SD-WAN Hub Mesh Topology Branch Mesh Topology in SD-Branch Configuring Site-to-Site VPN Configuring Site-to-Site VPN with GRE Tunnel Configuring IKE Policies Routing Configuring Policies for PBR Configuring Policies for Dynamic Path Steering SaaS Application Traffic Management with SaaS Express Configuring Aruba Gateways for Application Visibility and Control Enforcing a Common Security Policy for Wired and Wireless Users Configuring Firewall Policies and ACLs Configuring User Roles for Clients Configuring Authentication Profiles Applying Policies to Gateway Interfaces SD-Branch Redundancy Configuring Aruba Gateways for Certificate-Based Authentication Configuring Aruba Gateways for SNMP-Based Reporting Configuring Captive Portal IP Redirect Address Viewing Gateway Configuration Status Managing Configuration Overrides Configuring Aruba Gateways for Syslog Message Collection
Configuring an SD-Branch Network Using the Basic Setup
Configuration Checklist Configuring System Information on Aruba Gateways Configuring a LAN Interface Configuring Routing Profiles Configuring LAN Redundancy for High Availability Configuring VPN Pools Configuring Policies for a Branch Gateway Group
Overview of Aruba IDPS
Why Aruba IDPS? Key Features and Benefits How does Aruba IDPS Work? Preparing to add the Aruba IDPS Supported Gateways

Configuring Aruba IDPS Monitoring Aruba IDPS Data Filters Threat Categories
Integration with AWS Public Cloud through Cloud Connect Service
Additional References Generating API Token in AWS Console Configuring Aruba Branch Gateway in Aruba Central Onboarding AWS Account in Aruba Central Orchestrating Tunnel to the AWS VPC through Cloud Connect Service Verifying the Instantiation Status
Integration with Microsoft Azure Public Cloud through Cloud Connect Service
Additional References Configuring Azure Application in Azure Admin Portal Configuring Azure Application for API Access in Azure Admin Portal Configuring Aruba Branch Gateway in Aruba Central Onboarding Azure Account in Aruba Central Orchestrating Tunnels to Azure Virtual WAN and Vhub through Cloud Connect Service Verifying the Instantiation Status
Integration with Zscaler through Cloud Connect Service
Additional References Configuring ZIA for API Access in Zscaler Admin Portal Onboarding a Cloud Provider Account in Aruba Central Orchestrating Tunnels to the Nearest ZIA Public Service Edge Configuring Zscaler Nexthop List Adding Nexthop List to PBR Policy Verifying Tunnel Status
Integration with Zscaler Cloud Security Service
Integrating SD-Branch with ZIA Setting up Tunnels to ZIA Additional References
Integration with Prisma Access
Deployment Scenarios Configuring Prisma Access
Integration with Check Point
Supported IKE and IPsec Cryptographic Profiles Configuration Steps Configuring Aruba Gateways for Integration with Check Point
Integration with Symantec WSS
Integration Overview Role-Based and Application-Based Routing Supported IKE and IPSec Cryptographic Profiles Configuring Symantec WSS
Micro Branch Redundancy Architectures
Configuring a Micro Branch with Instant APs
Configuring Support for Aruba VIA Service
Configuring VIA Configuring VPN IP Pool Defining IKEv1 Shared Secret Configuring VIA User Role Creating VIA Server Group for Authenticating VIA Users Configuring VIA Authentication Parameters Loading and Applying VIA Certificates Configuring and Attaching VIA Connection Profile Uploading VIA Installer to VPNC

Provisioning Gateways Using Configuration Templates
Important Points to Note Configuring Gateways Using a Template Creating a Template Group Assigning a Gateway to a Template Group Creating a Configuration Template for Gateways Customizing a Template Using Variable Definitions Downloading a Sample Variables File Modifying a Variables File Uploading a Variables File Sample Template and Variables Files Sample Variables File Verifying Configuration Status Backing up and Restoring Templates
Monitoring SD-Branch
Monitoring Gateway WAN Health--Global WAN Health--Transport WAN Health--Site Monitoring Sites in the Topology Tab Monitoring SaaS Express Gateway Alerts Reports
Maintenance
Troubleshooting Devices Gateway Diagnostic Tests Updating Software Images on Aruba Gateways
APIs
Updating Software Images on Aruba Gateways
Feature Availability Across Multiple Software Versions Upgrading Software
Deploying Aruba Virtual Gateways
Features Supported by Virtual Gateway Virtual Gateway Redundancy Software Image for Virtual Gateways Deploying Aruba Virtual Gateways in AWS Deploying Aruba Virtual Gateways in Microsoft Azure Deploying Aruba Virtual Gateways in VMware ESXi (Unmanaged Mode) Deploying Aruba Virtual Gateways in Google Cloud Platform (Unmanaged Mode) Deploying Aruba Virtual Gateways in MSP (Unmanaged Mode) Provisioning Virtual Gateways to Groups Troubleshooting Deployment Issues High Availability Support for Aruba Virtual Gateways Monitoring Virtual Gateways
Monitoring Gateway
Monitoring Gateways in List View Monitoring Gateways in Summary View Gateway > Overview > Summary Gateways > Overview > IDPS Gateway > Overview > Routing Gateway > Overview > Sessions Viewing the Overview > Sessions Tab Session Summary Sessions Gateway > Overview > AI Insights Gateway > WAN > Summary Viewing the WAN > Summary Tab Port Status WAN Interfaces

Actions Go Live Gateway > WAN > Tunnels Gateway > WAN > Path Steering Gateway > LAN > Summary Gateway > LAN > DHCP Gateway > Applications > Visibility Downloading Gateway Details Deleting a Gateway Rebooting a Gateway Opening a Remote Console Clearing IPSec SA Clearing ISAKMP SA
Monitoring Your Network
Network Overview Network Health Dashboard Global--Summary Wi-Fi Connectivity Monitoring SaaS Express Monitoring Sites in the Topology Tab Gateway Firewall Logging About RAPIDS About Floorplans Alerts & Events Reports Viewing Audit Trail
All Clients
Clients Client Overview Client Status Changes Clients > Wireless Client > Overview Clients > Wired Client > Overview Clients > Remote Client > Overview Classifying Clients
Application Visibility
Viewing Visibility Dashboard Applications Websites Blocked Traffic
Using Troubleshooting Tools
Troubleshooting Network Issues Enabling Gateway Logs Troubleshooting Device Issues Advanced Device Troubleshooting Proximity Tracing
Service Apps
Guest Access Presence Analytics
API Gateway
API Gateway and NB APIs Accessing API Gateway Viewing Swagger Interface List of Supported APIs Creating Application and Token Using OAuth 2.0 for Authentication Obtaining Token Using Offline Token Mechanism Obtaining Token Using OAuth Grant Mechanism Viewing Usage Statistics Changes to Aruba Central APIs
Troubleshooting Workflows
Client Connectivity Device Issues AI Insights Network Check


Chapter 1 About this Guide

About this Guide
This user guide describes the features supported by Aruba Central and provides detailed instructions to set up and configure devices such as Instant APs, Aruba Switches, and Aruba SD-WAN Gateways.

Intended Audience
This guide is intended for system administrators who configure and monitor their networks using Aruba Central.

Related Documents
In addition to this document, the Aruba Central product documentation includes the following documents:
- Aruba Central Help Center
- Aruba Central Getting Started Guide
- Aruba Central Managed Service Provider User Guide
- Aruba Central SD Branch Solution Guide

Conventions
The following conventions are used throughout this guide to emphasize important concepts:

Table 1: Typographical Conventions

| Type Style | Description |
|---|---|
| Italics | This style is used to emphasize important terms and to mark the titles of books. |
| System items | This fixed-width font depicts the following: sample screen output; system prompts |

The following informational icons are used throughout this guide:
- Indicates a risk of damage to your hardware or loss of data.
- Indicates helpful suggestions, pertinent information, and important things to remember.
- Indicates a risk of personal injury or death.


Terminology Change
As part of advancing HPE's commitment to racial justice, we are taking a much-needed step in overhauling HPE engineering terminology to reflect our belief system of diversity and inclusion. Some legacy products and publications may continue to include terminology that seemingly evokes bias against specific groups of people. Such content is not representative of our HPE culture and moving forward, Aruba will replace racially insensitive terms and instead use the following new language:

| Usage | Old Language | New Language |
|---|---|---|
| Campus Access Points + Controllers | Master-Slave | Conductor-Member |
| Instant Access Points | Master-Slave | Conductor-Member |
| Switch Stack | Master-Slave | Conductor-Member |
| Wireless LAN Controller | Mobility Master | Mobility Conductor |
| Firewall Configuration | Blacklist, Whitelist | Denylist, Allowlist |
| Types of Hackers | Black Hat, White Hat | Unethical, Ethical |

Contacting Support

Table 2: Contact Information

| Contact | Details |
|---|---|
| Main Site | arubanetworks.com |
| Support Site | asp.arubanetworks.com |
| Airheads Social Forums and Knowledge Base | community.arubanetworks.com |
| North American Telephone | 1-800-943-4526 (Toll Free), 1-408-754-1200 |
| International Telephone | arubanetworks.com/support-services/contact-support/ |
| Software Licensing Site | lms.arubanetworks.com |
| End-of-life Information | arubanetworks.com/support-services/end-of-life/ |
| Security Incident Response Team | Site: arubanetworks.com/support-services/security-bulletins/ Email: [email protected] |


Chapter 2 What is Aruba Central?

What is Aruba Central?
Aruba Central offers unified network management, AI-based analytics, and IoT device security for wired, wireless, and SD-WAN networks. All of these capabilities are combined into one easy-to-use platform, which includes the following apps:
- Network Operations--Provides unified network management by consolidating wired, wireless, and SD-WAN deployment and management tasks, real-time diagnostics, and live monitoring, for simple and fast problem resolution.
- ClearPass Device Insight--Provides a single pane of glass for device visibility employing automated device discovery, machine learning (ML) based fingerprinting and identification. For more information, see Aruba ClearPass Device Insight Information Center.

This section includes the following topics:
- Key Features
- What is Aruba Central?
- Supported Web Browsers
- Operational Modes and Interfaces

Key Features
Aruba Central offers the following key features and benefits:
- Streamlined configuration and deployment of devices--Leverages the ZTP capability of Aruba devices to bring up your network in no time. Aruba Central supports group configuration of devices, which allows you to provision and manage multiple devices with similar configuration requirements with less administrative overhead.
- Integrated wired, WAN, and wireless infrastructure management--Offers a centralized management interface for managing wireless, WAN, and wired networks in distributed environments, and thus helps organizations save time and improve efficiency.
- Advanced analytics and assurance--With continuous monitoring, AI-based analytics provide real-time visibility and insight into what's happening in the Wi-Fi network. The insights utilize machine learning that leverages a growing pool of network data and deep domain experience.
- Secure cloud-based platform--Offers a secure cloud platform with HTTPS connection and certificate-based authentication.
- Interface for Managed Service Providers--Offers an additional interface for MSPs to provision and manage their respective tenant accounts. Using the MSP mode, service provider organizations can administer network infrastructure for multiple organizations in a single interface.
- SD-Branch Management--Offers a simplified solution for managing and monitoring SD Branch devices such as Branch Gateways, VPN Concentrators, Instant APs, and Aruba Switches. It also provides detailed dashboards showing WAN health and pictorial depictions of the branch setup. The Aruba SD-Branch solution extends the SD-WAN concepts to all elements in a branch setup to deliver a full-stack solution for managing WLAN, LAN and WAN connections. The SD-Branch solution provides a common cloud-management model that simplifies deployment, configuration, and management of all components of a branch setup. The solution leverages the ZTP and cloud management capabilities of Aruba devices to integrate management and infrastructure for WAN, WLAN, and LAN and provide a holistic solution from access network to edge with end-to-end security. It also addresses all communications in distributed deployments, from micro branches to medium or large branches. For more information, see the Aruba SD-Branch Solution.
- Health and usage monitoring--Provides a comprehensive view of your network, device status and health, and application usage. You can monitor, identify, and address issues by using data-driven dashboards, alerts, reports, and troubleshooting workflows. Aruba Central also utilizes the DPI feature of the devices to monitor, analyze and block traffic based on application categories, application type, web categories and website reputation. Using this data, you can prioritize business critical applications, limit the use of inappropriate content, and enforce access policies on a per user, device or location basis.
- Guest Access--Allows you to manage access for your visitors with a secure guest Wi-Fi experience. You can create guest sponsor roles and social logins for your guest networks. You can also design your guest landing page with custom logos, color, and banner text.
- Presence Analytics--Offers a value-added service for Instant AP based networks to get an insight into user presence and loyalty. The Presence Analytics dashboard allows you to view the presence of users at a specific site and the frequency of user visits at a given location or site. Using this data, you can make business decisions to improve customer engagement.

Supported Web Browsers
To view the Aruba Central UI, ensure that JavaScript is enabled on the web browser.

Table 3: Browser Compatibility Matrix

| Browser Versions | Operating System |
|---|---|
| Google Chrome 39.0.2171.65 or later | Windows and Mac OS |
| Mozilla Firefox 34.0.5 or later | Windows and Mac OS |
| Safari 7 or later | Mac OS |
| Microsoft Edge version 79 or later | Windows |

Operational Modes and Interfaces
Aruba offers the following variants of the Aruba Central web interface:
- Standard Enterprise Mode
- Managed Service Provider Mode

Standard Enterprise Mode
The Standard Enterprise interface is intended for users who manage their respective accounts end-to-end. In the Standard Enterprise mode, the customers have complete access to their accounts. They can also provision devices and subscriptions to manage their respective accounts. The following figure illustrates a typical Standard Enterprise mode deployment.

Figure 1 Standard Enterprise Mode

Managed Service Provider Mode
Aruba Central offers the MSP mode for managed service providers who need to manage multiple customer networks. The MSP administrators can provision tenant accounts, allocate devices, assign licenses, and monitor tenant accounts and their networks. The administrators can also drill down to a specific tenant account and perform administration and configuration tasks. Tenants can access only their respective accounts, and only those features and application services to which they have subscribed.
The following figure illustrates a typical MSP mode deployment.

Figure 2 Managed Service Provider Mode

Supported Devices
This section provides the following information:
- Supported Instant APs
- Supported AOS-Switch Platforms
- Supported AOS-CX Platforms
- Supported SD-Branch Components
- Supported 4G Modems for Aruba SD-Branch

Supported Instant APs
The following table lists the Instant AP platforms, the installation mode, the minimum supported Aruba Instant software versions, and the Instant APs supporting power draw:

Table 4: Supported Instant AP Platforms

| Instant AP Platform | Installation Mode | Minimum Supported Aruba Instant Software Version | Power Draw Support |
|---|---|---|---|
| AP-567EX | Outdoor | Aruba Instant 8.7.1.0 | No |
| AP-567 | Outdoor | Aruba Instant 8.7.1.0 | Yes |
| AP-565EX | Outdoor | Aruba Instant 8.7.1.0 | No |
| AP-565 | Outdoor | Aruba Instant 8.7.1.0 | Yes |
| AP-503H | Indoor | Aruba Instant 8.7.1.0 | Yes |
| AP 577EX | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-577 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-575EX | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-575 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-574 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP 518 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-505H | Indoor | Aruba Instant 8.7.0.0 | Yes |
| AP-505 | Indoor | Aruba Instant 8.6.0.0 | Yes |
| AP-504 | Indoor | Aruba Instant 8.6.0.0 | Yes |
| AP-555 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP-535 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP 534 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP 515 | Indoor | Aruba Instant 8.4.0.0 | Yes |
| AP-514 | Indoor | Aruba Instant 8.4.0.0 | Yes |
| AP-387 | Outdoor | Aruba Instant 8.4.0.0 | Yes |
| AP-303P | Indoor | Aruba Instant 8.4.0.0 | No |
| AP-377EX | Outdoor | Aruba Instant 8.3.0.0 | No |
| AP-377 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-375EX | Outdoor | Aruba Instant 8.3.0.0 | No |
| AP-375 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-374 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-345 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-344 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-318 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-303 | Indoor | Aruba Instant 8.3.0.0 | No |
| AP-203H | Indoor | Aruba Instant 6.5.3.0 | No |
| AP-367 | Outdoor | Aruba Instant 6.5.2.0 | No |
| AP-365 | Outdoor | Aruba Instant 6.5.2.0 | No |
| AP-303HR | Indoor | Aruba Instant 6.5.2.0 | No |
| AP-303H | Indoor | Aruba Instant 6.5.2.0 | Yes |
| AP-203RP | Indoor | Aruba Instant 6.5.2.0 | No |
| AP-203R | Indoor | Aruba Instant 6.5.2.0 | No |
| IAP-305 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | Yes |
| IAP-304 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | Yes |
| IAP-207 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | No |
| IAP-335 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-334 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-315 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | No |
| IAP-314 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-325 | Indoor | Aruba Instant 6.4.4.3-4.2.2.0 | No |
| IAP-324 | Indoor | Aruba Instant 6.4.4.3-4.2.2.0 | No |
| IAP-277 | Outdoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-228 | Indoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-205H | Indoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-215 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-214 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-205 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-204 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-275 | Outdoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-274 | Outdoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-103 | Indoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-225 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-224 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-115 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-114 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| RAP-155P | Indoor | Aruba Instant 6.2.1.0-3.3.0.0 | No |
| RAP-155 | Indoor | Aruba Instant 6.2.1.0-3.3.0.0 | No |
| RAP-109 | Indoor | Aruba Instant 6.2.0.0-3.2.0.0 | No |
| RAP-108 | Indoor | Aruba Instant 6.2.0.0-3.2.0.0 | No |
| RAP-3WN | Indoor | Aruba Instant 6.1.3.1-3.0.0.0 | No |
| RAP-3WNP | Indoor | Aruba Instant 6.1.3.1-3.0.0.0 | No |

- RAP-155, RAP-155P, IAP-214, IAP-215, IAP-224, IAP-225, IAP-228, IAP-274, IAP-275, and IAP-277 IAPs are no longer supported from Aruba Instant 8.7.0.0 onwards.
- IAP-103, RAP-108, RAP-109, IAP-114, IAP-115, IAP-204, IAP-205, and IAP-205H IAPs are no longer supported from Aruba Instant 8.3.0.0 onwards.
- By default, AP-318, AP-374, AP-375, and AP-377 IAPs have Eth1 as the uplink port and Eth0 as the downlink port. Aruba does not recommend upgrading these IAPs to Aruba Instant 8.5.0.0 or 8.5.0.1 firmware versions, as the upgrade process changes the uplink port from Eth1 to Eth0, thereby making the devices unreachable.
- For more information about Aruba's End-of-life policy and the timelines for hardware and software products at the end of their lives, see: https://www.arubanetworks.com/support-services/end-of-life/.
- Data sheets and technical specifications for the supported AP platforms are available at: https://www.arubanetworks.com/products/networking/access-points/.


Supported AOS-Switch Platforms

- Aruba Central uses the SSL certificate by GeoTrust Certificate Authority for device termination and web services. As the SSL certificate is about to expire, Aruba is replacing it with a new certificate from another trusted Certificate Authority. During the certificate upgrade window, all devices managed by Aruba Central will be disconnected. After the upgrade, the devices reconnect to Aruba Central and resume their services with Aruba Central. However, for AOS-Switches to reconnect to Aruba Central after the certificate upgrade, you must ensure that the switches are upgraded to the recommended software version listed in Table 5.
- Aruba Central does not support switch software versions below 16.08 release for firmware upgrade. In addition, only the latest three switch software versions of all major release versions will be available for firmware upgrade from Aruba Central. For example, if the latest switch software version released is 16.10.0011, the following versions will be available for firmware upgrade: 16.10.0009, 16.10.0010 and 16.10.0011.
- Changing AOS-Switches firmware from latest version to earlier major versions is not recommended if the switches are managed in UI groups. For features that are not supported or not managed in Aruba Central on earlier AOS-Switch versions, changing firmware to earlier major versions might result in loss of configuration.

The following tables list the switch platforms, corresponding software versions supported in Aruba Central, and switch stacking details.

Table 5: Supported AOS-Switch Series, Software Versions, and Switch Stacking

| Switch Platform | Supported Software Versions | Recommended Software Versions | Switch Stacking Support | Supported Stack Type (Frontplane (VSF) / Backplane (BPS)) | Supported Configuration Group Type for Stacking (UI / Template) |
|---|---|---|---|---|---|
| Aruba 2530 Switch Series | YA/YB.16.05.0008 or later | YA/YB.16.10.0013 | N/A | N/A | N/A |
| Aruba 2540 Switch Series | YC.16.03.0004 or later | YC.16.10.0013 | N/A | N/A | N/A |
| Aruba 2920 Switch Series | WB.16.03.0004 or later | WB.16.10.0013 | Yes. Switch Software Dependency: WB.16.04.0008 or later | BPS | UI and Template |
| Aruba 2930F Switch Series | WC.16.03.0004 or later | WC.16.10.0014 | Yes. Switch Software Dependency: WC.16.07.0002 or later | VSF | UI and Template |
| Aruba 2930M Switch Series | WC.16.04.0008 or later | WC.16.10.0014 | Yes. Switch Software Dependency: WC.16.06.0006 or later | BPS | UI and Template |
| Aruba 3810 Switch Series | KB.16.03.0004 or later | KB.16.10.0014 | Yes. Switch Software Dependency: KB.16.07.0002 or later | BPS | UI and Template |
| Aruba 5400R Switch Series | KB.16.04.0008 or later | KB.16.10.0014 | Yes. Switch Software Dependency: KB.16.06.0008 or later | VSF | Template only |

Provisioning and configuring of Aruba 5400R switch series and switch stacks is supported only through configuration templates. Aruba Central does not support moving Aruba 5400R switches from the template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, then the device is moved to an unprovisioned group after it joins Aruba Central.
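The following added example is not part of the Aruba guide. It is a Python check an operator could run over a switch inventory before the certificate change, flagging AOS-Switches that run below the Table 5 recommended version or below the 16.08 firmware-upgrade floor stated above. The version values are copied from Table 5; the inventory rows, serial numbers, and status names are constructed assumptions.

```python
import re

# Image prefixes and recommended versions copied from Table 5 of this guide.
# Key: switch series; value: (allowed image prefixes, recommended version).
TABLE_5_RECOMMENDED = {
    "2530": ({"YA", "YB"}, "16.10.0013"),
    "2540": ({"YC"}, "16.10.0013"),
    "2920": ({"WB"}, "16.10.0013"),
    "2930F": ({"WC"}, "16.10.0014"),
    "2930M": ({"WC"}, "16.10.0014"),
    "3810": ({"KB"}, "16.10.0014"),
    "5400R": ({"KB"}, "16.10.0014"),
}

# The guide states that Central does not support versions below the 16.08
# release for firmware upgrade.
UPGRADE_FLOOR = (16, 8, 0)

VERSION_RE = re.compile(r"^([A-Z]{2})\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Split 'WC.16.10.0014' into ('WC', (16, 10, 14)); raise ValueError otherwise."""
    match = VERSION_RE.match(text.strip().upper())
    if match is None:
        raise ValueError(f"not an AOS-Switch version string: {text!r}")
    prefix = match.group(1)
    return prefix, tuple(int(part) for part in match.groups()[1:])


def numeric(version):
    """Turn '16.10.0013' into (16, 10, 13) so fields compare as integers."""
    return tuple(int(part) for part in version.split("."))


def assess(platform, running):
    """Classify one switch. Status names are hypothetical, chosen for this example."""
    entry = TABLE_5_RECOMMENDED.get(platform)
    if entry is None:
        return "unknown_platform"
    prefixes, recommended = entry
    try:
        prefix, number = parse_version(running)
    except ValueError:
        return "unparseable_version"
    if prefix not in prefixes:
        return "wrong_image_prefix"
    if number < UPGRADE_FLOOR:
        return "below_16_08"
    if number < numeric(recommended):
        return "upgrade_required"
    return "ok"


def audit(inventory):
    """Return {serial: status} for every switch whose status is not 'ok'."""
    findings = {}
    for row in inventory:
        status = assess(row["platform"], row["version"])
        if status != "ok":
            findings[row["serial"]] = status
    return findings


# Constructed sample inventory; serial numbers are placeholders.
SAMPLE_INVENTORY = [
    {"serial": "SN-EXAMPLE-01", "platform": "2930F", "version": "WC.16.10.0014"},
    {"serial": "SN-EXAMPLE-02", "platform": "2930M", "version": "WC.16.10.0009"},
    {"serial": "SN-EXAMPLE-03", "platform": "2530", "version": "YB.16.05.0008"},
    {"serial": "SN-EXAMPLE-04", "platform": "3810", "version": "WC.16.10.0014"},
    {"serial": "SN-EXAMPLE-05", "platform": "5400R", "version": "KB.16.11.0001"},
]

if __name__ == "__main__":
    for serial, status in audit(SAMPLE_INVENTORY).items():
        print(f"{serial}: {status}")
```

Comparing the fields as integers matters here: a plain string comparison would mis-order versions whose fields differ in digit count.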

Table 6: Supported Aruba Mobility Access Switch Series and Software Versions

| Mobility Access Switch Series | Supported Software Versions |
|---|---|
| S1500-12P, S1500-24P, S2500-24P, S3500-24T | ArubaOS 7.3.2.6, ArubaOS 7.4.0.3, ArubaOS 7.4.0.4, ArubaOS 7.4.0.5, ArubaOS 7.4.0.6 |

Data sheets and technical specifications for the supported switch platforms are available at: https://www.arubanetworks.com/products/networking/switches/


Supported AOS-CX Platforms

To manage your AOS-CX switches using Aruba Central, ensure that the switch software is upgraded to 10.05.0021 or a later version. AOS-CX switches with version 10.05.0021 or earlier might not connect to Aruba Central after ten days of operation. You must upgrade the AOS-CX switch to a recommended software version to connect to Aruba Central.

The following table lists the AOS-CX platforms, corresponding software versions supported in Aruba Central, and switch stacking details.

Table 7: Supported AOS-CX Switch Series, Software Versions, and Switch Stacking

| Switch Platform | Supported Software Versions | Recommended Software Versions | Switch Stacking Support | Supported Stack Type | Maximum Number of Stack Members | Supported Configuration Group Type (UI / Template) |
|---|---|---|---|---|---|---|
| AOS-CX 6100 Switch Series | 10.06.0110 | 10.06.0110 or later | N/A | N/A | N/A | Template only |
| AOS-CX 6200 Switch Series | 10.05.0021 | 10.06.0101 | Yes | VSF. Switch Software Dependency: 10.05.0021 | 8 | UI and Template |
| AOS-CX 6300 Switch Series | 10.05.0021 | 10.06.0101 | Yes | VSF. Switch Software Dependency: 10.05.0021 | 10 | UI and Template |
| AOS-CX 6300 Switch Series [JL762A] Back 2 Front Power Supply SKU only | 10.06.0001 | 10.06.0101 or later | Yes | VSF. Switch Software Dependency: 10.05.0021 | 10 | UI and Template |
| AOS-CX 6405 Switch Series | 10.05.0021 | 10.06.0101 | N/A | N/A | N/A | Template only |
| AOS-CX 6410 Switch Series | 10.05.0021 | 10.06.0101 | N/A | N/A | N/A | Template only |
| AOS-CX 8320 Switch Series | 10.05.0021 | 10.06.0101 | N/A | N/A | N/A | UI and Template |
| AOS-CX 8325 Switch Series | 10.05.0021 | 10.06.0101 | N/A | N/A | N/A | UI and Template |
| AOS-CX 8360 Switch Series | 10.06.0001 | 10.06.0101 or later | N/A | N/A | N/A | UI and Template |
| AOS-CX 8400 Switch Series | 10.06.0001 | 10.06.0101 or later | N/A | N/A | N/A | Template only |

Provisioning and configuring of AOS-CX 6405, 6410, and 8400 switch series and switch stacks is supported only through configuration templates.

Data sheets and technical specifications for the supported switch platforms are available at: https://www.arubanetworks.com/products/networking/switches/.

Supported SD-Branch Components
The Aruba SD-WAN Gateway portfolio includes Aruba Gateways that function as Branch Gateways and VPNCs. The following table lists the Aruba Gateway platforms and ArubaOS software versions that function as Branch Gateways:

Table 8: Supported Aruba Gateways

| Platform | Minimum Supported Software Version | Latest Software Version | Recommended Software Version |
|---|---|---|---|
| Aruba 9004-LTE | ArubaOS 8.5.0.0-2.1.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.5.0.0-2.1.0.0 |
| Aruba 9012 | ArubaOS 8.5.0.0-2.0.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.5.0.0-2.0.0.4 |
| Aruba 9004 | ArubaOS 8.5.0.0-1.0.7.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.5.0.0-2.0.0.4 |
| Aruba 7210, 7220, and 7240XM | ArubaOS 8.5.0.0-2.0.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.5.0.0-2.0.0.4 |
| Aruba 7030 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7024 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7010 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7008 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7005 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |

The following table lists the Aruba Gateway platforms and ArubaOS software versions that function as VPNCs:

Table 9: Supported Aruba VPNCs

| Platform | Minimum Supported Software Version | Latest Software Version | Recommended Software Version |
|---|---|---|---|
| Aruba 9004 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.7.0.0-2.3.0.0 |
| Aruba 9012 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.7.0.0-2.3.0.0 |
| Aruba 7280 | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7240XM | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7220 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7210 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| vGW-4G | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| vGW-2G | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| vGW-500M | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7030 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7024 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7010 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |

Aruba Virtual Gateways also function as VPNCs. The minimum supported software version for Virtual Gateways is ArubaOS 8.1.0.0-1.0.4.1.
Aruba 9012 Gateway supports traffic inspection while deployed as a VPNC.

Data sheets and technical specifications for the supported Gateways are available at: https://www.arubanetworks.com/products/networking/gateways-and-controllers/

Supported 4G Modems for Aruba SD-Branch
The following table lists the 4G modems that are supported on the Aruba Branch Gateways:

Table 10: Supported 4G Modems for Aruba SD-Branch

| USB 4G Modem Model | Carrier Support |
|---|---|
| Inseego Skyus SC4V | Verizon |
| Inseego Skyus SC4A | AT&T |
| Digisol DG-BA4305 | ROW |
| ZTE MF861 | AT&T |
| Franklin Wireless U772 | Sprint |
| Huawei E3372h-320 | ROW |
| Huawei E3372s-153/ E3372h-153 | ROW |
| Huawei E3372h-607 | ROW |
| Huawei E8372h-153 | ROW |
| Huawei E8372h-608 | ROW |
| Huawei E8372h-511 | T-Mobile |
| Huawei E8372h-517 | T-Mobile |
| Huawei E3276-500 | ROW |
| Huawei K5160 | ROW |
| ZTE MF79S | ROW |
| ZTE MF825C | ROW |
| ZTE MF831 | ROW |
| ZTE MF832S | ROW |
| ZTE MF832U | ROW |
| ZTE MF823 | ROW |
| Huawei E3276-150 | ROW |
| Novatel (Inseego) U620L | Verizon |

ROW (Rest of the World) indicates that the modem can be used outside of the United States region. However, the list of supported carriers and supported countries for the modem may vary. To select a modem for a specific country and carrier, refer to the modem documentation.

Chapter 3 Getting Started with Aruba Central
Thank you for choosing Aruba Central as your network management solution! Before you get started with Aruba Central, we recommend that you review the key capabilities of Aruba Central and the list of Aruba devices supported in Aruba Central.

Key Terms and Concepts
Take a few minutes to familiarize yourself with the key terms and concepts used in the help topics.

Cluster Zone
Refers to an Aruba Central deployment area within a specific region. In other words, cluster zones are regional groupings of one or more container instances on which Aruba Central is deployed. Cluster zones allow your deployments to restrict customer data to a specific region and plan time zone specific maintenance windows.
Each cluster zone has separate URLs for signing up for Aruba Central, accessing Aruba Central portal, and for allowing devices to communicate with Aruba Central.
To view the zone in Aruba Central UI, click the User Settings menu at the bottom of the left navigation pane.

Enterprise Mode
Refers to the Aruba Central solution deployment mode in which the customers provision, manage, and maintain their networks end-to-end for their respective organizations or businesses.

Managed Services Mode
Refers to the Aruba Central deployment mode in which service providers, resellers, administrators, and retailers centrally manage and monitor multiple tenant or end-customer accounts from a single management interface.

Subscription
Refers to the license granted to a customer for using a product or service.

Evaluation Account
Refers to the Aruba Central account created for evaluating Aruba Central solution and its services.

Paid Subscriber
Refers to the customers who have purchased a subscription to obtain access to Aruba Central and its services.

Subscription Key
Refers to the license key. A subscription key is a 14-character alphanumeric string; for example, PQREWD6ADWERAS.

Customer ID / Subscriber ID
Refers to the identity number of your Aruba Central account. To view your subscriber ID, click the User Settings menu at the bottom of the left navigation pane in the Aruba Central UI.

Zero Touch Provisioning
Refers to one of the following:
- Zero Touch Provisioning of Aruba Central accounts: When you purchase a subscription key and add this subscription key in Aruba Central, Aruba Central queries the Aruba Activate database to retrieve the devices mapped to your purchase order and adds these devices to the inventory. This process is referred to as zero touch provisioning in Aruba Central.
- Zero Touch Provisioning of Devices: Most Aruba devices support self-provisioning; that is, when you connect a device to a provisioning network, it can automatically download provisioning parameters from the Activate server and connect to its management entity.

Onboarding
Refers to the process of importing devices to Aruba Central's device inventory, activating subscriptions, and making devices available for management from Aruba Central.

Device Sync
Refers to the process of synchronizing devices from the Activate database. The device sync operation allows Aruba Central to retrieve devices from Activate and automatically add these devices to the device inventory in Aruba Central.

Provisioning
Refers to the process of setting up a device for deploying networks as per the configuration requirements of your organization.

Group
Refers to the device configuration container in Aruba Central. You can combine devices with common configuration requirements into a single group and apply the same configuration to all the devices in that group.

Site
Refers to the physical locations where devices are installed. Organizing devices per sites allows you to filter your dashboard view per site.

Label
Refers to the tags used for logically grouping devices based on various parameters such as ownership, specific areas within a site, departments, and so on.

Workflow Summary
The following illustration summarizes the steps required for getting started with Aruba Central:

Navigate through the following topics to know more about the onboarding and provisioning procedures:
- Creating an Aruba Central Account
- Accessing Aruba Central Portal
- Starting Your Free Trial
- Setting up Your Aruba Central Instance

Creating an Aruba Central Account
To start using Aruba Central, you need to register and create an Aruba Central account. Both evaluating and paid subscribers require an account to start using Aruba Central.

Zones and Sign-Up URLs
Aruba Central instances are available on multiple regional clusters. These regional clusters are referred to as zones. When you register for an Aruba Central account, Aruba creates an account for you in the zone that is mapped to the country you selected during registration.
To create an Aruba Central account in the zone that is mapped to your country, use the following zone-specific sign-up URLs.

Table 11: Sign-Up URLs & Apps

| Regional Cluster | Sign-Up URL | Available Apps |
|---|---|---|
| US-1 | https://portal.central.arubanetworks.com/signup | Network Operations |
| US-2 | https://portal-prod2.central.arubanetworks.com/signup OR https://signup.central.arubanetworks.com/ | Network Operations, ClearPass Device Insight |
| Canada-1 | https://portal-ca.central.arubanetworks.com/signup | Network Operations |
| China-1 | https://portal.central.arubanetworks.com.cn/signup | Network Operations |
| EU-1 | https://portal-eu.central.arubanetworks.com/signup | Network Operations, ClearPass Device Insight |
| APAC-1 | https://portal-apac.central.arubanetworks.com/signup | Network Operations |
| APAC-EAST1 | https://portal-apaceast.central.arubanetworks.com/signup | Network Operations |
| APAC-SOUTH1 | https://portal-apacsouth.central.arubanetworks.com/signup | Network Operations |

Signing up for an Aruba Central Account
You can choose one of the following ways to start your Aruba Central account trial:
1. Open the following page in a supported browser window: http://www.arubanetworks.com/products/sme/eval/.
   a. Click Start the Central Demo. The Aruba Central Demo page is displayed.
   b. Fill the form to start a product demo, and click Start Demo.
   c. The Aruba Central Account Home page is displayed.
2. Use the sign-up URL for your region from Sign-Up URLs & Apps and complete the following steps:
   a. Enter your email address. Based on the email address you entered, the Registration page guides you to the subsequent steps:

Table 12: Registration Workflow

If you are a new user:
Then the Registration page prompts you to create a password. To continue with the registration, enter a password in the Password and Confirm Password fields.

If you are an existing Aruba customer, but you do not have an Aruba Central account, or if your email account is already registered with Aruba, but you do not have an Aruba Central account:
Then the Registration page displays the following message: Email already exists. Please enter the password below. To continue with registration, validate your account:
1. Enter the password.
2. Click Validate Account.
NOTE: If you do not remember the password, click Forgot Password to reset the password.

If you are invited to join as a user in an existing Aruba Central customer account:
Then the Registration page displays the following message: An invitation email has already been sent to your email ID. Resend. To continue with the registration:
1. Go to your email box and check if you have received the email invitation.
2. If you have not received the email invitation, go to the Registration page and click Resend. A registration invitation will be sent to your account.
3. Click the registration link. The user account is validated.
4. Complete the registration on the Sign Up page to sign in to Aruba Central.

If you are a registered user of Aruba Central and have not verified your email yet:
Then the Registration page displays the following message: You are an existing Aruba Central user. Please verify your account. Resend Verification email. To continue:
1. Go to your email box and check if you have received the email invitation.
2. If you have not received the email invitation, go to the Registration page and click Resend Verification email. A registration invitation will be sent to your account.
3. Click the account activation link.
4. After the email verification is completed successfully, click Log in to access Aruba Central.

If you are already a registered user of Aruba Central and have verified your email:
Then the Registration page displays the following message: User has been registered and verified. Sign in to Central. Click Sign in to Central to skip the registration process and access the Aruba Central portal.

If your email address is in the arubanetworks.com or hpe.com domain:
Then the Single Sign-On option is enabled. You can use your respective Aruba or HP Enterprise credentials to log in to your Aruba Central account after the registration.

   b. To continue with registration, enter your first name, last name, company name, address, country, state, ZIP code, and phone details.
   c. Specify if you are an Aruba partner.
   d. Ensure that you select an appropriate zone. The Registration page displays a list of zones in which the Aruba Central servers are available for account creation. Based on the country you select, the Aruba Central server is automatically selected. If you want your account and Aruba Central data to reside on a server from another zone, you can select an Aruba Central server from the list of available servers.
   e. From the Interested Apps section, select the app(s) that you want to pre-provision. You must select at least one app to continue:
      - Network Operations
      - ClearPass Device Insight
      See Table 11 for the app(s) available in the zone in which you are signing up.
      If you are interested in evaluating the Aruba Central MSP solution, select only the Network Operations app.
   f. Select the I agree to the Terms and Conditions check box.
   g. Set a preferred mode of communication for receiving notifications about Aruba products and services.
   h. Optionally, to read about the privacy statement, click the HPE Privacy Statement link. To opt out of marketing communication, you can either click the unsubscribe link available at the bottom of the email or click the link as shown in the following figure:
   i. Click Sign Up. Your new account is created in the zone you selected and an email invitation is sent to your email address for account activation.
   j. Access your email account and click the Activate Your Account link. After you verify your email, you can log in to Aruba Central.

Accessing Aruba Central Portal
After you create an Aruba Central account, the link to Aruba Central portal will be sent to your registered email address. You can use this link to log in to Aruba Central. If you are accessing the login URL from the www.arubanetworks.com website, ensure that you select the zone in which your account was created.

Login URLs
When you try to access Aruba Central portal, you are redirected to the Aruba Central URL that is mapped to your cluster zone.

Table 13: Cluster Zone - Portal URLs

| Regional Cluster | Login URL |
|---|---|
| US-1 | https://portal.central.arubanetworks.com/platform/login/user |
| US-2 | https://portal-prod2.central.arubanetworks.com/platform/login/user |
| Canada-1 | https://portal-ca.central.arubanetworks.com/platform/login/user |
| China-1 | https://portal.central.arubanetworks.com.cnath/platform/login/user |
| EU-1 | https://portal-eu.central.arubanetworks.com/platform/login/user |
| APAC-1 | https://portal-apac.central.arubanetworks.com/platform/login/user |
| APAC-EAST1 | https://portal-apaceast.central.arubanetworks.com/platform/login/user |
| APAC-SOUTH1 | https://portal-apacsouth.central.arubanetworks.com/platform/login/user |

Logging in to Aruba Central
To log in to Aruba Central:
1. Access the Aruba Central login URL for your zone.
2. Notice that the zone is automatically selected based on your geographical location.
3. Enter the email address and click Continue.
4. Log in using your credentials.
   If your user credentials are stored in your organization's Identity Management server and SAML SSO authentication is enabled for your IdP on Aruba Central, complete the SSO authentication workflow.
5. Enter the password.
   If you have forgotten your password, click Forgot Password to reset it. The Forgot Password link resets only your Aruba Central account; hence, it is not available to SSO users.
6. Click Continue. The Initial Setup wizard opens.
   - If you have a paid subscription, click Get Started and set up your account.
   - If you are a trial user, click Evaluate Now and start your trial.
Changing Your Password
To change your Aruba Central account password:
1. In the Aruba Central UI, click the user icon in the header pane.
2. Click Change Password.
3. Enter a new password.
4. Log in to Aruba Central using the new password.

The Change Password menu option is not available for federated users who sign in to Aruba Central using their SSO credentials.


Logging Out of Aruba Central
To log out of Aruba Central:
1. In the Aruba Central UI, click the user icon in the header pane.
2. Click Logout.
Accessing Aruba Central Mobile Application
The Aruba Central mobile application lets you manage, monitor, and optimize your Central account. You can log in to your Aruba Central account using your credentials from the mobile application. To download the Aruba Central application, visit the App Store on iOS devices running iOS 9.0 or later and Google Play Store on Android devices running Android 5.0 Lollipop or later.
About the Network Operations App User Interface
The Network Operations app is one of the apps in Aruba Central that helps to manage, monitor, and analyze your network. Aruba offers the following variants of the Network Operations app user interface:
- Standard Enterprise mode: This mode is intended for customers who manage their respective accounts end-to-end. In the Standard Enterprise mode, the customers have complete access to their accounts. They can also provision and manage their respective accounts.
- Managed Service Provider (MSP) mode: This mode is for managed service providers who need to manage multiple customer networks. With MSP mode enabled, the MSP administrators can provision customer accounts, allocate devices, assign licenses, and monitor customer accounts and their networks. The administrators can also drill down to a specific tenant account and perform administration and configuration tasks. The tenants can access only their respective accounts, and only those features and application services to which they have subscribed.

The following image displays the navigational elements of the Network Operations app in the Standard Enterprise mode. However, the navigational elements also apply to the MSP mode.

Figure 3 Navigation Elements of the Network Operations App

| Callout Number | Description |
|---|---|
| 1 | Filter to select an option under Groups, Labels, Sites. For all devices, select Global. A corresponding dashboard is displayed. |
| 2 | Item under the left navigation contextual menu. The menu is dependent on the filter selection. |
| 3 | First-level tab on the dashboard. |
| 4 | Second-level tab on the dashboard. |
| 5 | Dashboard content for the selected view and filter. For example, the current dashboard in the image displays the UCC tab under Manage > Applications in the List view for the Global filter. |
| 6 | Time range filter. This is displayed for selected dashboards only. |
| 7 | List view to display tabular data for the selected filter. This is displayed for selected dashboards only. |
| 8 | Summary view to display charts for the selected filter. This is displayed for selected dashboards only. |
| 9 | Config view to enable configuration options for the selected filter. This is displayed for selected dashboards only. |

Types of Dashboards in the Network Operations App
The Network Operations app uses a filter to set the dashboard context for the app. The menu for the left navigation pane changes according to the selected filter value. Selecting any item on the left navigation pane displays a corresponding dashboard. Accordingly, for different values of the filter, the content displayed for the left navigation menu and the dashboard context differs.
The dashboard for any item on the left navigation menu can have a combination of the following views:

- Summary view: Click the Summary icon to display the summary dashboard. The summary dashboard displays a number of charts. For example, for the global dashboard, under Manage, the Overview > Network Health tab in Summary view displays a map of the available sites and their corresponding health. If available, use the time range filter to change the timelines for the charts.
- List view: Click the List icon to display tabular data for a selected dashboard. For example, for the global dashboard under Manage, the Overview > Network Health tab in List view displays a list of the available sites managed by Aruba Central. If available, use the time range filter to change the timelines for the tabular data.
- Config view: Click the Config icon to enable the configuration options for a specific dashboard. For example, for the global dashboard under Manage, the Applications > UCC tab in Config view displays various configuration options for UCC.

Navigating to the Switch, Access Point, or Gateway Dashboard
In the Network Operations app, you can navigate to a device dashboard for a switch, access point, or gateway. The device dashboard enables you to monitor, troubleshoot, or configure a single device. In order to do this, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage > Devices, select one of the following options:
   - To view an access point dashboard, click the Access Points tab.
   - To view a switch dashboard, click the Switches tab.
   - To view a gateway dashboard, click the Gateways tab.
   The list of devices is displayed in List view.
3. Click a device listed under Device Name. The dashboard context for the specific device is displayed. To exit the device dashboard, click the back arrow on the filter.
Workflow to Configure, Monitor, or Troubleshoot in the Network Operations App
The following image displays a flowchart to help you navigate the Network Operations app to complete any task.

Figure 4 Navigation Workflow for Network Operations App

The Standard Enterprise Mode
This section discusses the user interface for the Standard Enterprise mode for the Network Operations app. This mode is intended for customers who manage their respective accounts end-to-end. In the Standard Enterprise mode, the customers have complete access to their accounts. They can also provision and manage their respective accounts. The following topics are discussed in this section:
- Launching the Network Operations App
- Parts of the Network Operations App User Interface
- Search Bar
- Help Icon
- Account Home Icon
- User Icon
- Filter
- Time Range Filter
- Left Navigation Pane
Launching the Network Operations App
If the Network Operations app is the only app provisioned, the Network Operations app is displayed at each user login. If there are a number of apps provisioned such as Network Operations, ClearPass Device Insight and so on, the Account Home page is displayed at each user login. From the Account Home page, you can manage network inventory, subscriptions, and user access. In the event of multiple apps provisioned, perform the following steps to launch the Network Operations app:
1. Log in to the Account Home page. The Account Home page displays the apps and Global Settings. For more information, see Accessing Aruba Central Portal.
2. Click Launch on the Network Operations tile. The Network Operations app is launched.
Figure 5 Launching the Network Operations App

Parts of the Network Operations App User Interface
After you launch the Network Operations app, the Standard Enterprise view is displayed.

Figure 6 Parts of the Network Operations App

| Callout Number | Description |
|---|---|
| 1 | Filter to select an option under Groups, Labels, or Sites. For all devices, select Global. To select a specific device, see Navigating to the Switch, Access Point, or Gateway Dashboard. The example in the image shows the filter set to a group called "IAP_setup_GW". For more information, see Filter. |
| 2 | Health Bar for the selected filter. For more information, see The Health Bar. |
| 3 | First-level tab for the selected dashboard, corresponding to the selected item in the left navigation pane. The example in the image shows the first-level tab selection as Gateways under Manage > Devices for the group dashboard. |
| 4 | Search bar. For more information, see Search Bar. |
| 5 | Help icon. For more information, see Help Icon. |
| 6 | Account Home icon. For more information, see Account Home Icon. |
| 7 | User settings icon. For more information, see User Icon. |
| 8 | Menu item under left navigation contextual menu. Menu is dependent on the filter selection. For more information, see Types of Dashboards in the Network Operations App. |
| 9 | Second-level tab for the dashboard, corresponding to the selected first-level tab. The example in the image shows the second-level tab selection as Gateways under Manage > Devices > Gateways for the group dashboard. |
| 10 | Icon is for filtering the data of the selected column. |
| 11 | List icon. Click the List icon to view a tabular representation of the data. This icon is not available for all pages. |
| 12 | Summary icon. Click the Summary icon to view a graphical representation of the data. This icon is not available for all pages. |
| 13 | Config icon. Click the Config icon to enable configuration mode. This icon is not available for all pages. |
| 14 | Icon is for downloading the data of the selected page in CSV format. |
| 15 | Icon is for selecting or resetting the column headers for the selected page. |

Search Bar

The search bar enables users to look for help information.

Help Icon

The help icon contains the following options:
- Tutorials: Displays the Aruba Central product learning center.
- Feedback: Allows you to provide feedback on Aruba Central. Choose a rating from the range of 1 to 10, where 1 is extremely unlikely and 10 is extremely likely, type your comment into the box, and click Submit to submit the feedback.
- Documentation Center: Directs you to the online help documentation.
- Get help on this page: Selecting this option changes the appearance of some of the text on the UI to green italics. On the UI, when you point to the text in green italics, a dialog box displays the help information for that text. To disable this option, click Done.
- Airheads Community: Directs you to the Aruba support forum at https://community.arubanetworks.com/t5/Cloud-Managed-Networks/bd-p/CloudManagedNetworks.
- View / Update Case: Enables you to view or edit an existing support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.
- Open New Case: Enables you to create a new support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.
Account Home Icon

The Account Home icon enables you to go to the Account Home page and switch to another app if you have one subscribed. Most of the apps require service subscriptions to be enabled on the devices. Contact your administrator or the Aruba Central Support team to obtain access to an application service.

User Icon
The user icon enables you to view user account details such as account name, domain, customer ID, and zone details. It also includes the following options for managing your accounts:
- Switch Customer--Enables you to switch to another account. This is especially required during troubleshooting scenarios.
- Change Password--Enables you to change the password of the account.
- User Settings
  - Time Zone--Displays the zone, date, time, and time zone of the region.
  - Language--Administrators can set a language preference. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese languages.
  - Idle Timeout--Administrators can set a timeout value for inactive user sessions in the Idle Timeout field. The value is in minutes.
  - Get system maintenance notifications--Administrators can select the check box to receive system maintenance notifications on their registered email ID. Email notifications are sent before any scheduled maintenance activity or unplanned outage.
  - Get software update notifications--Administrators can select the check box to receive software update notifications on their registered email ID.
- Enable MSP--Enables MSP mode and switches the user interface to the MSP mode. This option changes to Disable MSP when the MSP mode is enabled. You can select Disable MSP to switch to the Standard Enterprise interface. The MSP mode can be disabled only if there is no tenant data. The option is grayed out if there are any active tenant accounts.
- Terms of Service--Displays the terms and conditions for using Aruba Central services.
- Logout--Enables you to log out of your account.
Filter
The filter enables you to set the dashboard context to a value under one of the following options:
- Groups--Sets the dashboard context to a group of devices.
- Sites--Sets the dashboard context to a site.
- Labels--Sets the dashboard context to a label.
If no filter is applied, by default the filter is set to Global for all devices. Use the search box in the filter to enter an available group, site, or label name and then select the option to set the filter. Hovering over Groups, Labels, or Sites displays the associated config icon. Clicking on the config icon redirects you to Maintain > Organization in the global dashboard.
Time Range Filter
The time range filter enables you to set a time duration for showing monitoring and reports data. The option is displayed for selected dashboards only. You can set the filter to any of the following time ranges:
- 3 hours
- 1 day
- 1 week
- 1 month
- 3 months
Left Navigation Pane
The left navigation pane is a contextual menu that displays a number of configuration, monitoring, and troubleshooting options depending on the filter value.
This topic discusses the Network Operations app in MSP mode. To know more about the Account Home page, see the online Aruba Central documentation. The MSP mode is intended for the managed service providers who manage multiple distinct tenant accounts. The MSP mode allows service providers to provision and manage tenant accounts, assign devices to tenant accounts, manage subscription keys and other functions such as configuring network profiles and viewing alerts.
Launching the Network Operations App for MSP
Aruba Central in MSP mode consists of the Network Operations app and the Account Home page. After you create an Aruba Central account, the link to Aruba Central portal will be sent to your registered email address. You can use this link to log in to Aruba Central. If you are accessing the login URL from the www.arubanetworks.com website, ensure that you select the zone in which your account was created. The Network Operations app is displayed at each user login to Aruba Central. From the Network Operations app, you can navigate to the Account Home page by clicking the Account Home icon. From the Account Home page, you can navigate to the Network Operations app by clicking the Launch button for the Network Operations tile.
Figure 7 Launching the Network Operations App for MSP from Account Home
Parts of the Network Operations App for MSP
After you launch the Network Operations app, the MSP view opens.
Figure 8 Parts of the Aruba Central User Interface for MSP

Callout Number: Description
1: Filter to select a group or all groups. For more information, see Filter. Here, the global dashboard is displayed as the filter is set to All Groups.
2: First-level tab on dashboard. The dashboard may also have second and third-level tabs dependent on the filter selection.
3: Menu item under left navigation contextual menu. Menu is dependent on the filter selection.
4: Help icon. For more information, see Help Icon.
5: Account Home icon.
6: User Settings icon. For more information, see User Icon.
7: List view. Click the List icon to view a tabular representation of the data. Only applicable for the global dashboard.
8: Summary view. Click the Summary icon to view a graphical representation of the data. Only applicable for the global dashboard.
9: Config view. Click the Config icon to enable configuration mode.

Help Icon
The help icon contains the following options:

- Get help on this page--Selecting this option changes the appearance of some of the text on the UI to green italics. On the UI, when you point to the text in green italics, a dialog box displays the help information for that text. To disable this option, click Done.
- Tutorials--Displays the Aruba Central product learning center.
- Feedback--Allows you to provide feedback on Aruba Central. You can choose a rating from 1 to 10, where 1 is extremely unlikely and 10 is extremely likely, type your comment into the box, and click Submit to submit the feedback.
- Documentation Center--Directs you to the online help documentation.
- Airheads Community--Directs you to the Aruba support forum.
- View / Update Case--Enables you to view or edit an existing support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.
- Open New Case--Enables you to create a new support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.

Account Home Icon
The Account Home icon enables you to go to the Account Home page.

User Icon

The user icon enables you to view user account details such as account name, domain, customer ID, and zone details. It also includes the following options for managing your accounts:
- Switch Customer--Enables you to switch to another account. This is especially required during troubleshooting scenarios.
- Change Password--Enables you to change the password of the account.
- User Settings
  - Time Zone--Displays the zone, date, time, and time zone of the region.
  - Language--Administrators can set a language preference. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese languages.
  - Idle Timeout--Administrators can set a timeout value for inactive user sessions in the Idle Timeout field. The value is in minutes.
  - Get system maintenance notification--Administrators can select the check box to get system maintenance notifications.
  - Get software update notifications--Administrators can select the check box to get software update notifications.
- Disable MSP--Disables MSP mode and switches the user interface to the standard enterprise mode. This option changes to Enable MSP when the MSP mode is disabled. You can select Enable MSP to switch to the MSP mode. The MSP mode can be disabled only if there is no tenant data. The option is grayed out if there are any active tenant accounts.
- Terms of Service--Displays the terms and conditions for using Aruba Central services.
- Logout--Enables you to log out of your account.

Filter
The filter enables you to select a group or All Groups for performing specific configuration and monitoring tasks. If no filter is applied, by default the filter is set to All Groups. When you set the filter to All Groups, the global dashboard is displayed and when you set the filter to a group, the group dashboard is displayed. You can type a group name to start your search for a filter value.
Figure 9 MSP Filter set to Global on Selecting All Groups
Time Range Filter
The time range filter enables you to set a time duration for showing monitoring and reports data. This time filter is not displayed when you view the configuration or device details. It is displayed only when you view monitoring data. You can set the filter to any of the following time ranges:
- 3 hours
- 1 day
- 1 week
- 1 month
- 3 months
The Global Dashboard in MSP Mode
In the Network Operations app in MSP mode, use the filter to select All Groups. The global dashboard is displayed. In the global dashboard under the left navigation pane, you can see a number of menu items divided under the following categories: Manage, Analyze, and Maintain.

Figure 10 Launching the Global Dashboard for MSP

Selecting each menu item in the left navigation pane displays a corresponding dashboard with tabs. Each tab may support all or some of the following functions:

- Summary--Click the icon to view a graphical representation of the data. Only applicable for the global dashboard.
- List--Click the icon to view a tabular representation of the data. Only applicable for the global dashboard.
- Config--Click the icon to enable configuration mode.

The Group Dashboard in MSP Mode
In the Network Operations app in MSP mode, use the filter to select a group. The group dashboard is displayed.

Figure 11 Launching the Group Dashboard for MSP

Some tabs or options may not be seen in your dashboard view if you are not an administrator for the Aruba Central account.
In the group dashboard under the left navigation pane, you can see the Device and Guest options under Manage. Selecting an option in the left navigation pane displays a corresponding dashboard with tabs. Each tab supports the Config view that enables the configuration mode. The next sections discuss the left navigation menu items in the group dashboard.
The Health Bar
The Health Bar provides a snapshot of the overall health of the devices configured as part of the specific dashboard. The applicable dashboards include global, group, site, client, and device dashboards. The topic discusses the following:
- Health Bar for the Global Dashboard
- Health Bar for the Group Dashboard
- Health Bar for the Site Dashboard
- Health Bar for the AP Dashboard
- Health Bar for the Switch Dashboard
- Health Bar Dashboard for the Gateway Dashboard
- Health Bar for the Wireless Client Dashboard
- Health Bar for the Wired Client Dashboard
- Health Bar for the Remote Client Dashboard
Viewing the Health Bar Dashboard
To view the Health Bar, perform the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed in the List view.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.
   - To select a client:
     a. Set the filter to Global.
     b. Under Manage, click Clients. A list of clients is displayed in the List view.
     c. Click a client listed under Client Name. The dashboard context for the client is displayed.
   The Health Bar icon displays the overall health of the network of the selected filter as either online or offline.
2. In the selected filter, click the Health Bar icon to expand the Health Bar dashboard.
3. Use the pin icon to pin the Health Bar dashboard to the Network Operations app display.
Health Bar for the Global Dashboard
The following image shows the Health Bar for the global dashboard.
Figure 12 Expanded but Unpinned Health Bar in the Global Dashboard

Health Bar Icons

Icon Type

Description

This icon is specific to Site, Device, and Client dashboard. It indicates that there are no issues in the connection.

This icon is specific to Site, Device, and Client dashboard. It indicates that there is an issue in the connection.

This icon is specific to the Global and Group dashboards, and the health is not calculated at these levels.

Device and Clients Status Icons

Icon Type

Description

- For devices, indicates the number of devices that are online.
- For clients, indicates the number of clients that are connected.

- For devices, indicates the number of devices that are offline.
- For clients, indicates the number of failed clients.
- For AI Insights, indicates the number of insights that are of high priority.

For AI Insights, indicates the number of insights that are of medium priority.

For AI Insights, indicates the number of insights that are of low priority.

The following table includes information on the various parameters of the Health Bar displayed for a global dashboard. The Health Bar in a global dashboard is in the context of all devices.

Parameter Description

Access Points
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Gateways
- Displays the number of gateways that are online and the number of gateways that are offline.
- The number in green indicates the number of gateways that are online.
- Clicking the number in green redirects you to Manage > Devices > Gateways > Online in List view.
- The number in red indicates the number of gateways that are offline.
- Clicking the number in red redirects you to Manage > Devices > Gateways > Offline in List view.

Clients
- Displays the number of clients that are connected and the number of clients that have failed.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that have failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

Health Bar for the Group Dashboard
The following table includes information on the various parameters of the Health Bar displayed for a group dashboard. The Health Bar in a group dashboard is in the context of all devices configured as part of that group.

Parameter Description

Access Points
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Gateways
- Displays the number of gateways that are online and the number of gateways that are offline.
- The number in green indicates the number of gateways that are online.
- Clicking the number in green redirects you to Manage > Devices > Gateways > Online in List view.
- The number in red indicates the number of gateways that are offline.
- Clicking the number in red redirects you to Manage > Devices > Gateways > Offline in List view.

Clients
- Displays the number of clients that are connected and the number of clients that have failed.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that have failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

Health Bar for the Site Dashboard
The following table includes information on the various parameters of the Health Bar displayed for a site dashboard. The Health Bar in a site dashboard is in the context of all devices configured as part of that site. The values are refreshed every minute.

The Health Bar icon indicating the site status changes to red when the value for one of the following parameters in the List view is greater than zero for the Down status:
- Number of devices
  - Status
  - High Mem Usage
  - High CPU Usage
  - High CH Utilization
  - High Noise
- Uplink Status
- Tunnels Status

Parameter Description

Access Points
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Gateways
- Displays the number of gateways that are online and the number of gateways that are offline.
- The number in green indicates the number of gateways that are online.
- Clicking the number in green redirects you to Manage > Devices > Gateways > Online in List view.
- The number in red indicates the number of gateways that are offline.
- Clicking the number in red redirects you to Manage > Devices > Gateways > Offline in List view.

Clients
- Displays the number of clients that are connected and the number of clients that have failed for the last three hours.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that have failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

AI Insights
- Displays the number of insights categorized by status.
- The number in red indicates the insights are of high priority.
- The number in orange indicates the insights are of medium priority.
- The number in yellow indicates the insights are of low priority.
- Clicking the numbers redirects you to Manage > Overview > AI Insights at the site context.

Health Bar for the AP Dashboard
The following table includes information on the various parameters of the Health Bar displayed for an AP. If the AP is not online and running, not all of the following data is available.

Parameter Description

AP Status
- Value can be Online Since, Offline, or Operating under Thermal Management.
- If the value is Online Since, it also displays the time period, in the format of days-hours-minutes, for which the AP has been online and running.
- When an AP operates under thermal management, the device health is displayed as Poor and the radios are in disabled mode. For more information, see Thermal Shutdown Support in IAP.

Device Health
- Displays the performance of the AP in terms of the CPU and memory usage.
- For example, the device health is Good when the CPU usage is less than or equal to 70% and the memory usage is less than or equal to 90%. If the value of the CPU and/or memory usage falls below the threshold, the device health is displayed as Poor. If the AP is down, the value is Offline. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Device Health status to get the exact percentage value of the memory and CPU usage.

Radio 2.4 GHz
- Displays the performance of the AP in terms of the channel utilization and noise floor in the 2.4 GHz channel.
- For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 2.4 GHz status to get the exact value of the channel utilization and noise floor.

Radio 5 GHz
- Displays the performance of the AP in terms of the channel utilization and noise floor in the 5 GHz channel.
- For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 5 GHz status to get the exact value of the channel utilization and noise floor.

Radio 5 GHz (Secondary)
- Displays the performance of the AP in terms of the channel utilization and noise floor in the 5 GHz (Secondary) channel.
- For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 5 GHz (Secondary) status to get the exact value of the channel utilization and noise floor.

NOTE: In the Health Bar dashboard, the Radio 5 GHz (Secondary) data is available only for AP555 and only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.

Virtual Controller
Indicates if the AP is connected to a virtual controller. If the AP is connected, clicking on the virtual controller name redirects you to the Manage > Overview > Summary page for the virtual controller.

Health Bar for the Switch Dashboard
The following table includes information on the various parameters of the Health Bar displayed for a switch. If the switch is not online and running, not all of the following data is available.

Parameter Description

Switch Status
Displays the time period for which the switch has been online and running or its offline status.

Device Health
- Displays the performance of the switch in terms of the CPU and memory usage.
- For example, the device health is Good when the CPU usage is less than or equal to 70% and the memory usage is less than or equal to 70%. If the value of the CPU and/or memory usage falls below the threshold, the device health is displayed as Poor.
- Hover over the Device Health status to get the exact percentage value of the memory and CPU usage.

Port Status
- Displays the number of ports on the switch that are online and the number of ports that are offline.
- The number in green indicates the number of switch ports that are online.
- The number in red indicates the number of switch ports that are offline.

Port Alerts
- Displays the total number of open alerts.

Health Bar Dashboard for the Gateway Dashboard
The following table includes information on the various parameters of the Health Bar displayed for a gateway. If the gateway is not online and running, not all of the following data is available.

Parameter Description

Gateway Status

Displays the time period, in the format of days-hours-minutes, for which the gateway has been running or its offline status.

WAN
- Displays the number of WAN ports as online or offline.
- The number in green indicates the number of WAN ports that are online.
- The number in red indicates the number of WAN ports that are offline.
- Clicking the numbers redirects you to Manage > WAN > Summary.

LAN
- Displays the number of LAN ports as online or offline.
- The number in green indicates the number of LAN ports that are online.
- The number in red indicates the number of LAN ports that are offline.
- Clicking the numbers redirects you to Manage > LAN > Summary.

Tunnels
- Displays the number of VPN tunnels as online or offline.
- The number in green indicates the number of VPN tunnels that are online.
- The number in red indicates the number of VPN tunnels that are offline.
- Clicking the numbers redirects you to Manage > WAN > Tunnels.

Path Steering
- Displays the number of path steering policies that are compliant of the total number of policies.
- Clicking the numbers redirects you to Manage > WAN > Path Steering.

Alerts
- Displays the total number of open alerts.
- Clicking the number redirects you to Analyze > Alerts & Events in List view.

Health Bar for the Wireless Client Dashboard
The following table includes information on the various parameters of the Health Bar displayed for a wireless client.

Parameter Description

Client Status

Displays the connection status of the client.

Device Health

Displays the device health of the client.

Signal Quality

Displays the signal quality in dB.

Tx | Rx Rate

Displays the transmit and receive rate in Mbps.

Connected To

- Displays the device to which the wired client is connected.
- Clicking on the device redirects you to the Manage > Overview > Summary page for that device.

Refresh icon

Refreshes the data on the Health Bar for the client.

Health Bar for the Wired Client Dashboard
The following table includes information on the various parameters of the Health Bar displayed for a wired client.

Parameter Description

Client Status

Displays the connection status of the client.

Connected Port

Displays the port to which the client is connected.

Connected To

- Displays the device to which the wired client is connected.
- Clicking on the device redirects you to the Manage > Overview > Summary page for that device.

Refresh icon

Refreshes the data on the Health Bar for the client.

Health Bar for the Remote Client Dashboard
The following table includes information on the various parameters of the Health Bar displayed for a remote client.

Parameter Description

Client Status

Displays the connection status of the client.

Connected To

- Displays the name of the gateway to which the remote client is connected.
- Clicking on the device redirects you to the Manage > Overview > Summary page for that device.

Refresh icon

Refreshes the data on the Health Bar for the client.


The Global Dashboard
In the Network Operations app, the global dashboard is displayed when the filter is set to Global. The global dashboard displays information related to all devices registered to that account in Aruba Central.
Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central account.
Table 14: Contents of the Global Dashboard

Each left navigation menu is listed below, followed by its first-level tabs and their descriptions.

Manage > Overview
- Network Health--Displays information of the networks sorted by site, including information on network devices and WAN connectivity of individual sites. For more information, see Network Health Dashboard.
- WAN Health--Displays detailed information of the network health status and usage for the sites in which Branch Gateways and VPN Concentrators are configured in your setup. For more information, see WAN Health--Global.
- Summary--Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range Filter. For more information, see Global--Summary.
- Wi-Fi Connectivity--Displays an overall view of the connection details for all clients that are connected to or tried to connect to each connection phase. The connection phases include Association, Authentication, DHCP, and DNS. For more information, see Wi-Fi Connectivity.
- AI Insights--Displays a report of network events that may affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level observed in the network for the selected time range. Each insight report provides specific details on the occurrences of these events for ease in debugging. For more information, see The AI Insights Dashboard.

Manage > Devices
- Access Points--Displays the access points information in the following views:
  - Summary view: Monitoring APs in Summary View
  - List view: Monitoring APs in List View
- Switches--Displays the switches information in the following views:
  - Summary view: Monitoring Switches in Summary View
  - List view: Monitoring Switches in List View
- Gateways--Displays the gateways information in the following views:
  - Summary view: Monitoring Gateways in Summary View
  - List view: Monitoring Gateways in List View

Manage > Clients
- Clients--Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.

Getting Started with Aruba Central | 56

Left Navigation Menu

First-Level Tabs

Description

Manage > Guests

Guest Access

Enables guest users to connect to the network and at the same time, allows the administrator to control guest user access to the network. For more information, see Guest Access.

Presence Analytics

Enables businesses to collect real-time data on user footprints within the wireless network range of Aruba Instant APs that are managed using Aruba Central. For more information, see Presence Analytics.

Manage > Applications

Visibility

Provides a summary of client traffic and their data usage to and from applications and websites. Also, analyzes the client traffic flow using the graphs displayed. For more information, see Application Visibility.

SAAS Express

Enables the following to provide an improved user experience: discovering SaaS application servers, monitoring application performance, and steering traffic to the best available servers.
For more information, see SaaS Application Traffic Management with SaaS Express.

Manage > Security

RAPIDs

Helps to identify and act on interfering devices that can be later considered for investigation, restrictive action, or both. For more information, see Rapids.

Gateway IDS/IDPS

Enables traffic inspection, threat detection, and threat prevention on the Aruba Branch Gateways. For more information, see Overview of Aruba IDPS.

Firewall

Monitors traffic coming into and going out of the Aruba Central-managed network and acts as an investigative resource for users to track blocked sessions within the network. For more information, see Firewall.

Manage > Network Services

SD-WAN Overlay

Configured IPsec tunnels between the Branch Gateways and VPN Concentrators provisioned in an Aruba Central account. For more information, see SD-WAN Overlay Tunnel and Route Orchestration.

Virtual Gateways

Helps deploy a virtualized instance of a headend gateway in the customer's public cloud infrastructure. The virtualized instance of Aruba Gateway is referred to as Virtual Gateway. For more information, see Deploying Aruba Virtual Gateways.

Cloud Connect

Helps integrate SD-Branch with Zscaler and allows you to set up and maintain secure tunnels between Aruba Branch Gateways and Zscaler Public Service Edges. For more information, see Aruba SD-Branch Integration with Zscaler through Cloud Connect Service.

Cloud Security (Legacy)

Helps integrate SD-Branch with Zscaler and allows you to set up tunnels automatically or manually between Aruba Branch Gateways and Zscaler Public Service Edges. For more information, see Aruba SD-Branch Integration with Zscaler Cloud Security Service.


Analyze > Alerts and Events

Alerts & Events

Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Audit Trail

Audit Trail

Shows the total number of logs generated for all device management, configuration, and user management events triggered in Aruba Central. For more information, see Viewing Audit Trail.

Analyze > Tools

- Network Check
- Device Check
- Commands
- Health Checks

Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports

Reports

Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.

Maintain > Firmware

- Access Points
- SwitchMAS
- Switches
- Gateways

Provides an overview of the latest supported version of firmware for the device, details of the device, and the option to upgrade the device. For more information, see Managing Software Upgrades.

Maintain > Organization

Groups

A group in Aruba Central is the primary configuration element that functions as a container for device management, monitoring, and maintenance. Groups enable administrators to manage devices efficiently by using either a UI-based configuration workflow or CLI-based configuration template.
For more information, see Groups for Device Configuration and Management.

Sites and Labels

A site refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Labels are tags attached to a device provisioned in the network. Labels determine the ownership, departments, and functions of the devices.
For more information, see Sites and Labels.

Certificates

Enables administrators to upload a valid certificate signed by a root CA so that devices are validated and authorized to use Aruba Central. For more information, see Groups for Device Configuration and Management.

Install Manager

Simplifies and automates site deployments, and helps IT administrators manage site installations with ease. For more information, see Installation Management.


The Label Dashboard
In the Network Operations app, the label dashboard is displayed when the filter is set to any of the options under Labels. The site dashboard displays information related to all devices configured for that site in Aruba Central.
Table 15: Contents of the Label Dashboard

Left Navigation Menu

First-Level Tabs

Description

Manage > Devices

All Devices

Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range filter.
For more information, see Global--Summary

Access Points

Displays the access points information in the following views:
- Summary view: Monitoring APs in Summary View
- List view: Monitoring APs in List View

Switches

Displays the switches information in the following views:
- Summary view: Monitoring Switches in Summary View
- List view: Monitoring Switches in List View

Gateways

Displays the gateways information in the following views:
- Summary view: Monitoring Gateways in Summary View
- List view: Monitoring Gateways in List View

Manage > Clients

Clients

Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.

Manage > Security

RAPIDs

Identify and act on interfering devices that can be later considered for investigation, restrictive action, or both. Once the interfering devices are discovered, Aruba Central sends alerts to the network administrators about the possible threat and provides essential information needed to locate and manage the threat.
For more information, see Rapids.

Analyze > Alerts and Events

Alerts & Events

Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Tools

- Network Check
- Device Check
- Commands

Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports

Reports

Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.


The Site Dashboard
In the Network Operations app, the site dashboard is displayed when the filter is set to any of the options under Sites. The site dashboard displays information related to all devices configured for that site in Aruba Central.
Table 16: Contents of the Site Dashboard

Left Navigation Menu

First-Level Tabs

Description

Manage > Overview

Site Health

Displays details of wired and wireless devices deployed on the site. This page includes information on client connectivity statistics, change logs, health of devices, and RF health of the site. For more information, see Site Health Dashboard.

Summary

Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range filter. For more information, see Global--Summary

Wi-Fi Connectivity

Displays an overall view of the connection details for all clients that are connected to or tried to connect to each connection phase. The connection phases include Association, Authentication, DHCP, and DNS. For more information, see Wi-Fi Connectivity.

WAN Health

Displays details for the wired, wireless, and gateway devices deployed on the site. For more information, see WAN Health--Site.

AI Insights

Displays a report of network events that may affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level in the network for the selected time range. Each insight report provides specific details on the occurrences of these events for ease in debugging. For more information, see The AI Insights Dashboard.

Topology

Provides a graphical representation of the site including the network layout, details of the devices deployed, and the health of the WAN uplinks and tunnels. For more information, see Monitoring Sites in the Topology Tab.

Floor Plans

Provides information regarding the current location of the Instant AP. For more information, see Access Point > Overview > Floor Plan.

Manage > Devices

Access Points

Displays the access points information in the following views:
- Summary view: Monitoring APs in Summary View
- List view: Monitoring APs in List View

Switches

Displays the switches information in the following views:
- Summary view: Monitoring Switches in Summary View
- List view: Monitoring Switches in List View

Gateways

Displays the gateways information in the following views:
- Summary view: Monitoring Gateways in Summary View
- List view: Monitoring Gateways in List View

Manage > Clients

Clients

Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.

Manage > Applications

Visibility

Provides a summary of client traffic and their data usage to and from applications and websites. Also, analyzes the client traffic flow using the graphs displayed. For more information, see Application Visibility.

Manage > Security

RAPIDS

Identify and act on interfering devices that can be later considered for investigation, restrictive action, or both. Once the interfering devices are discovered, Aruba Central sends alerts to the network administrators about the possible threat and provides essential information needed to locate and manage the threat.
For more information, see Rapids.

Manage > Guests

Presence Analytics

Enables businesses to collect real-time data on user footprints within the wireless network range of Aruba Instant APs that are managed using Aruba Central. For more information, see Presence Analytics.

Analyze > Alerts and Events

Alerts & Events

Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Live Events

Live Events

Enables you to troubleshoot issues related to a wireless client connected to an access point or a wired client connected to a switch. For more information, see Client Live Troubleshooting.

Analyze > Tools

- Network Check
- Commands

Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports

Reports

Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.

The Access Point Dashboard
In the Network Operations app, the access point dashboard is displayed when the filter is set to an access point. To navigate to an access point dashboard, see Navigating to the Switch, Access Point, or Gateway Dashboard.
The following table lists all the available menu items in the Network Operations app for the access point dashboard.


Table 17: Contents of the Access Point Dashboard

Left Navigation Menu

First-Level Tabs

Description

Manage > Overview

Summary

Displays the AP device details, network information, radio details including the topology of clients connected to each radio, and the health status of the AP in the network. See Access Point > Overview > Summary.

AI Insights

Displays information on AP performance issues such as excessive channel changes, excessive reboots, airtime utilization, and memory utilization. See Access Point > Overview > AI Insights.

Floor Plan

Displays information regarding the current location of the Instant AP. See Access Point > Overview > Floor Plan.

Performance

Displays the size of data transmitted through the AP. See Access Point > Overview > Performance.

RF

Displays details corresponding to 2.4 GHz, 5 GHz, and 5 GHz Secondary radios of the AP. See Access Point > Overview > RF.

Spectrum

Displays details for all Wi-Fi and non-Wi-Fi devices associated to each radio. See Access Point > Overview > Spectrum.

Manage > Device

Access Point Configuration using UI groups

Enables AP configuration in the Config view. See Deploying a Wireless Network Using Instant APs. Configuration using UI groups contains the following second-level tabs:
- WLANs--Configure wireless network profiles on Instant APs. See Configuring Wireless Network Profiles on Instant APs.
- Access Points--Configure device parameters on Instant APs. See Configuring Device Parameters.
- Radios--Configure ARM and RF parameters on Instant APs. See Configuring ARM and RF Parameters on Instant APs.
- Interfaces--Configure interface parameters on Instant APs. See Configuring Uplink Interfaces on Instant APs.
- Security--Configure authentication and security profiles on Instant APs. See Configuring Authentication and Security Profiles on Instant APs.
- VPN--Configure VPN host settings on an Instant AP to enable communication with a controller in a remote location. See Configuring Instant APs for VPN Tunnel Creation.
- Services--Configure AirGroup, location services, Lawful Intercept, OpenDNS, and Firewall services on Instant APs. See Configuring Services.
- System--Configure system parameters on Instant APs. See Configuring Systems.
- Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.

Access Point Configuration using template groups

Configuration using template groups contains the following second-level tabs:
- Templates--Configure Access Points using template groups. See Configuring APs Using Templates.
- Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. See Managing Variable Files.
- Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.

Manage > Clients

Clients

Displays details of all the clients connected to a specific AP. See Access Point > Clients > Clients.

Manage > Security

VPN

Displays information on VPN connections associated with the virtual controller along with information on the tunnels and the data usage through each of the tunnels. See Access Point > Security > VPN.

Analyze > Alerts & Events

Alerts & Events

The Alerts & Events tab displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. See Access Point > Alerts & Events > Alerts & Events.

Analyze > Audit Trail

Audit Trail

The Audit Trail tab displays the logs for all the device management, configuration, and user management events triggered in Aruba Central.
See Viewing Audit Trail in the Standard Enterprise Mode and MSP Mode.

Analyze > Tools

Commands

The Commands tab allows network administrators and users with troubleshooting permission to identify, diagnose, and debug issues on Aruba Instant APs at an advanced level using commands. See Using Troubleshooting Tools.

Maintain > Firmware

Access Points

The Access Points tab allows the user to view the firmware details and upgrade the devices provisioned in Aruba Central. See Viewing Firmware Details.

The Switch Dashboard
In the Network Operations app, the switch dashboard is displayed when the filter is set to a switch. To navigate to a switch dashboard, see Navigating to the Switch, Access Point, or Gateway Dashboard. The following table lists all the available menu items in the Network Operations app for the switch dashboard.

- Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central account. Also, some tabs or some fields inside tabs are only applicable either for AOS-Switch or AOS-CX switches.
- AOS-CX switches can be configured using templates only.


Table 18: Contents of the Switch Dashboard

Left Navigation Menu

First-Level Tabs

Description

Manage > Overview

Summary

Displays details about a specific switch, including device information, network summary, and port and hardware status. It also displays uplink and usage details. Use the time range filter to change the time period for the displayed information.
See Switch > Overview > Summary.

Hardware

Displays switch hardware details, including status of power supplies and fans, CPU and memory utilization, and device temperature. See Switch > Overview > Hardware.

Routing

Displays routing information for the switch, such as, type of route, number of static and connected routes, and distance of the route. See Switch > Overview > Routing.

NOTE: The Routing tab is displayed only for AOS-Switches.

AI Insights

Displays information on switch performance issues, such as, PoE issues, port errors, port flaps, airtime utilization, and memory utilization. See Switch > Overview > AI Insights.

Manage > Clients

Clients

Displays details about the wired clients that are connected to the switch. See Switch > Clients > Clients.

Neighbours

Displays details about the devices neighboring the switch. See Switch > Clients > Neighbours.

Manage > LAN

Ports

Displays details about ports and the LAGs configured in the switch. See Switch > LAN > Ports.

PoE

Displays details about PoE status, PoE ports, and the power consumption from these ports. See Switch > LAN > PoE.

VLAN

Displays VLAN information configured on the switch and details about tagged and untagged ports. See Switch > LAN > VLAN.

Manage > VSX

VSX

Displays VSX configuration details between AOS-CX switches and the status of the inter-switch link (ISL). See Switch > VSX.

NOTE: The VSX tab is displayed only for AOS-CX switch series.

Manage > Device

AOS-Switch--Configuration using UI groups

Enables AOS-Switch configuration in the AOS-S Config view. See Configuring or Viewing AOS-Switch Properties in UI Groups. Configuration using UI groups contains the following second-level tabs:
- Switches--Configure and view general switch properties, such as, hostname, IP address, and netmask. See Configuring or Viewing Switch Properties.
- Stacks--Create stacks, add members, or view stacking details, such as, stack type, stack id, and topology. See Configuring AOS-Switch Stacks Using UI Groups.
- Interface:
  o Ports--Assign or view port properties, such as, PoE, access policies, and trunk groups. See Configuring Switch Ports on AOS-Switches.
  o PoE--Configure or view PoE settings for each port. See Configuring PoE Settings on AOS-Switch Ports.
  o Trunk Groups--Configure or view trunk groups and their associated properties, such as, members of the trunk group, and type of trunk group. See Configuring Trunk Groups on AOS-Switches in UI Groups.
  o VLANs--Configure or view VLAN details and the associated ports and access policies. See Configuring VLANs on AOS-Switches.
  o Spanning Tree--Configure or view spanning tree protocol and its associated properties. See Enabling Spanning Tree Protocol on AOS-Switches.
  o Loop Protection--Configure or view loop protection and its associated properties. See Configuring Loop Protection on AOS-Switch Ports.
- Security:
  o Access Policies--Add or view access policies. See Configuring Access Policies on AOS-Switches.
  o DHCP Snooping--Configure or view DHCP snooping, authorized DHCP servers IP addresses, and their associated properties. See Configuring DHCP Snooping on AOS-Switches.
  o Port Rate Limit--View or specify bandwidth to be used for inbound or outbound traffic for each port. See Configuring Port Rate Limit on AOS-Switches.
  o RADIUS--Configure RADIUS (Remote Authentication Dial-In User Service) server settings on AOS-Switches. See Configuring RADIUS Server Settings on AOS-Switches.
  o Downloadable User Role--Enable DUR and configure ClearPass settings to download user roles, policy, and class from the ClearPass Policy Manager server. See Configuring Downloadable User Role on AOS-Switches.
  o Tunneled Node Server--Configure user-based tunnel or port-based tunnel on switches. See Configuring Tunnel Node Server on AOS-Switches.
  o Authentication--Configure and enable 802.1X and MAC authentication on switches. You can also configure authentication order and priority for authentication methods. See Configuring Authentication for AOS-Switches.
- System:
  o Access/DNS--Configure or view the administrator and operator logins. See Configuring System Parameters for AOS-Switches.
  o Time--Configure time synchronization in switches. See Configuring Time Synchronization on AOS-Switches.
  o SNMP--Add or view SNMP v2c and v3 community and its trap destination. See Configuring SNMP on AOS-Switches.
  o CDP--Configure CDP and its associated properties. See Configuring CDP on AOS-Switches.
  o DHCP--Add or view a DHCP pool and its associated properties. See Configuring DHCP on AOS-Switches.
- Routing--Configure or view a specific routing path to a gateway. See Configuring Routing on AOS-Switches.
- IGMP--Configure IGMP and its associated properties. See Configuring IGMP on AOS-Switches.
- QoS--Configure QoS traffic policies on switches to classify and prioritize traffic throughout a network. See Configuring QoS Settings on AOS-Switches.
- Device Profile--Configure device profile on switches to dynamically detect devices based on certain parameters. See Configuring Device Profile.
- Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.

AOS-Switch--Configuration using templates

See Using Configuration Templates for AOS-Switch Management. Configuration of AOS-Switches using template groups contains the following second-level tabs:
- Templates--Configure switch using template groups. See Creating a Configuration Template.
- Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. See Managing Variable Files.
- Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.

AOS-Switch Stack--Configuration using templates

Configuration of AOS-Switch stacks using template groups contains the following second-level tabs:
- Templates--Configure switch stack using template groups. See Configuring AOS-Switch Stacks using Template Groups.
- Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. See Managing Variable Files.
- Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.

AOS-CX--Configuration using UI groups

Enables AOS-CX configuration in the AOS-CX Config view. See Configuring AOS-CX Switches in UI Groups. Configuration using UI groups allows you to configure the following features:
- System:
  o Properties--Edit system property settings such as contact, location, time zone, and administrator password. You can also select the VRF to be used and add the DNS and NTP servers. See Configuring System Properties on AOS-CX.
  o SNMP--Add, edit, or delete SNMP v2 communities, v3 users, and trap notifications. See Configuring SNMP on AOS-CX.
  o Logging--Add, edit, or delete logging servers to view event logs from the AOS-CX switches. Configure FQDN or IP address, log severity level, and the VRF to be used for each of the logging servers. Also configure the global level debug log severity. See Configuring Logging Servers for AOS-CX.
  o Administrator--Add, edit, or delete server groups to be used for authentication, authorization, and accounting. You must also configure the protocol required to enable connection to these server groups. See Configuring AAA for AOS-CX.
- Routing:
  o Static Routing--Add, edit, or delete static routes manually and configure destination IP addresses and next hop values, VRF, and the administrative distance. You can add different static routes for different VRFs on the switch. See Configuring Static Routing on AOS-CX.
- Interfaces:
  o Ports & Link Aggregations--View and edit port settings such as description, VLAN mode, speed duplex, routing, and the operational status of the port. Add, edit, or delete LAGs by combining different ports and configuring the speed duplex, VLAN mode, aggregation mode, and the operational status of the LAG. See Configuring Ports and LAGs on AOS-CX.
- Security:
  o Authentication Servers--Add, edit, or view the RADIUS and TACACS servers for authentication. Add settings such as FQDN or IP address of the servers, authentication port number, response timeout, retry count, and the VRF to be used when communicating with the servers. See Configuring Authentication Servers on AOS-CX.
  o Authentication--View or edit details about 802.1X and MAC authentication methods. Configure the precedence order and other parameters such as reauthentication timeout, cached reauthentication timeout, and quiet period. See Configuring Authentication on AOS-CX.
  o Access Control--View or add access policies and rules to permit or deny passage of traffic. See Configuring Access Control on AOS-CX.
- Bridging:
  o VLANs--Add, edit, delete, or view VLANs, and associated parameters such as type of IP assignment, operational status, IP address of the DHCP relay. See Configuring VLANs on AOS-CX.
  o Loop Prevention--Enable or disable loop protection and spanning tree protocol, and associated parameters such as the mode and priority. Enable or disable various MSTP mode-related settings such as BPDU filter, BPDU protection, admin edge, and root guard. See Configuring Loop Prevention on AOS-CX.

AOS-CX--Configuration using MultiEdit mode

Enables AOS-CX configuration using the MultiEdit mode in the AOS-CX Config view. View and edit configuration on the AOS-CX switches using the CLI syntax. You can also apply a predefined set of configuration settings such as NAE to the switches. See Using MultiEdit View for AOS-CX. Configuration using the MultiEdit mode contains the following options:
- View Config--View configuration of AOS-CX switches and find differences in the configuration across switches. See Viewing Configuration on AOS-CX.
- Edit Config--Edit configuration for one or more AOS-CX switches in the MultiEdit mode. Edit the entire configuration in a familiar looking CLI with syntax checking, colorization, and command completion. See Editing Configuration on AOS-CX.
- Express Config--Apply a predefined set of configuration settings such as NAE scripts and device profile to a single or multiple switches. See Express Configuration on AOS-CX.

AOS-CX--Configuration using templates

Enables AOS-CX switch configuration in the AOS-CX view. See Using Configuration Templates for AOS-CX Switch Management. Configuration of AOS-Switches using template groups contains the following second-level tabs:
- Templates--Configure switch using template groups. See Creating a Configuration Template.
- Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.
- Configuration Status--View configuration status of AOS-CX switches that are managed through UI groups in Aruba Central. See Using Configuration Status on AOS-CX.

AOS-CX VSF Stack--Configuration

Enables AOS-CX switch stack configuration in the AOS-CX view. See AOS-CX VSF Stack.

Analyze > Alerts & Events

Alerts & Events

The Alerts & Events tab displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. See Alerts & Events.

You can also configure and enable certain categories of switch alerts. See Switch Alerts.

Analyze > Audit Trail

Audit Trail

Displays the details of logs generated for all device management, configuration, and user management events triggered in Aruba Central. See Viewing Audit Trail.

Analyze > Tools

Network Check

The Network Check tab allows administrators and users with troubleshooting permission to diagnose issues related to wired network connections. See Troubleshooting Switch Connectivity Issues.

Device Check

The Device Check tab allows network administrators and users with troubleshooting permission to identify, diagnose, and debug issues on AOS-Switch and AOS-CX switches using predefined tests. See Troubleshooting Device Issues.

Commands

The Commands tab allows network administrators and users with troubleshooting permission to identify, diagnose, and debug issues on AOS-Switch and AOS-CX switches at an advanced level using commands. See Troubleshooting Switches.


Analyze > Reports

Reports

The Reports tab allows you to create, manage, and view various reports. You can create recurrent reports, generate reports on demand, or schedule reports to run at a later time. See Reports.

Maintain > Firmware

Switches

The Switches tab allows the user to view the firmware details and upgrade the devices provisioned in Aruba Central. See Managing Software Upgrades.

The Gateway Dashboard
In the Network Operations app, the gateway dashboard is displayed when the filter is set to a gateway. To navigate to a gateway dashboard, see Navigating to the Switch, Access Point, or Gateway Dashboard. The following table lists all the available menu items in the Network Operations app for the gateway dashboard.

Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central account.
Table 19: Contents of the Gateway Dashboard

Left Navigation Menu

First-Level Tabs

Description

Manage > Overview

Summary

Displays details about a specific gateway, including device information, WAN summary, and health status. Use the time range filter to change the time period for the displayed information. See Gateway > Overview > Summary.

IDPS

Displays the graphs related to IDPS. This feature is only applicable to IDPS gateways. Use the time range filter to change the time period for the displayed information. See Gateways > Overview > IDPS.

Routing

Displays routing information for the following second-level tabs in List view.
- BGP--See Gateway > Overview > Routing > BGP.
- OSPF--See Gateway > Overview > Routing > OSPF.
- Overlay--See Gateway > Overview > Routing > Overlay
- RIP--See Gateway > Overview > Routing > RIP
- Route Table--See Gateway > Overview > Routing > Route Table
Use the time range filter to change the time period for the displayed information.

Sessions

Displays information for the running sessions. See Gateway > Overview > Sessions.

AI Insights

Displays information on gateway performance issues such as tunnel up, tunnel down, airtime utilization, and memory utilization. See Gateway > Overview > AI Insights.

Manage > WAN

Summary

Displays status information about WAN ports and WAN interfaces. See Gateway > WAN > Summary.

Tunnels

Displays status information for VPN tunnels. See Gateway > WAN > Tunnels.

Path Steering

Displays information about dynamic path steering policies configured on a Branch Gateway. See Gateway > WAN > Path Steering.

Manage > LAN

Summary

Displays information about LAN port and LAN status. See Gateway > LAN > Summary.

Manage > Device

Gateway

Enables gateway configuration in Config view for the basic mode, advanced mode, and guided setup. See Provisioning Aruba Gateways in Aruba Central.

Manage > Clients

Clients

Displays a list of clients connected to a gateway. See All Clients.

Manage > Applications

Visibility

Displays charts showing client traffic trends to application, application categories, website categories, and websites of a specific security reputation score.
- Applications--See Applications
- Websites--See Websites

SAAS Express

Displays charts with QoE scores for all of the SaaS applications that you have configured. See Monitoring SaaS Express.

Manage > Security

Firewall

Displays graphical and tabular representations of all the session activities belonging to gateways managed by Aruba Central. See Firewall.

Analyze > Alerts and Events

Alerts & Events

Displays alerts for SD-WAN and gateway-related events. See Gateway Alerts.
NOTE: You can configure alerts in the global dashboard only.

Analyze > Audit Trail
Analyze > Tools
Analyze > Reports
Maintain > Firmware

Audit Trail

Displays the total number logs generated for all device management, configuration, and user management events triggered in Aruba Central. See Viewing Audit Trail.

Network Check

Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. See Troubleshooting Gateway Connectivity Issues.

Logs

Enables network administrators and users with permission to download and upload TAR logs and crash logs related to gateways. See Enabling Gateway Logs.

Commands See Troubleshooting Gateways.

Reports

Enables network administrators to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.

Firmware

Provides an overview of the latest supported version of firmware for the device, details of the device, and the option to upgrade the device. For more information, see Managing Software Upgrades.

Getting Started with Aruba Central | 70

The Client Dashboard
In the Network Operations app, the clients dashboard is displayed when the filter is set to one of the options under Groups, Labels, Sites, or Global.
The following table lists all the available menu items in the Network Operations app for the clients dashboard.
Table 20: Contents of the Clients Dashboard

| Left Navigation Menu | First-Level Tabs | Description |
|---|---|---|
| Wireless Clients | | |
| Manage > Overview | Summary | Displays the client details about the type of data path that the client uses, the network and connectivity details, and basic client details such as IP address of the client, type of encryption, etc. See Summary. |
| | AI Insights | Displays the information about client performance and connectivity issues such as excessive 2.4 GHz dwell and low SNR links. See The AI Insights Dashboard. |
| | Location | Displays the current physical location of the client device on the floor map. See Location. |
| | Sessions | Displays the firewall session details for the client connected to an AP or a Branch Gateway. The Sessions page displays information filtered by the IP address of the client. See Sessions. |
| Manage > Applications | | Displays the client details for passive monitoring of the client connected to a wireless network. The Visibility dashboard provides a summary of client traffic and their data usage to and from applications, and websites. See Application Visibility. |
| Analyze > Live Events | | Allows troubleshooting issues related to a client or a site in real time for detailed analysis. See Live Events. |
| Analyze > Events | | Displays the details of events generated by the AP and client association. See Alerts & Events. |
| Analyze > Tools | | Enables network administrators to perform checks on the client and debug client connectivity issues. See Using Troubleshooting Tools. |
| Wired Clients | | |
| Manage > Overview | Summary | Displays the information about the type of data path that the client uses, the network details, and basic client details such as IP address of the client, type of encryption, etc. See Summary. |
| | AI Insights | Displays information about client performance and connectivity issues such as excessive 2.4 GHz dwell and low SNR links. See The AI Insights Dashboard. |
| | Sessions | Displays the firewall session details for the client connected to a Branch Gateway. The Sessions page displays information filtered by the IP address of the client. See Sessions. |
| Manage > Applications | | Displays the client details for passive monitoring of the client connected to a wired network. The Visibility dashboard provides a summary of client traffic and their data usage to and from applications, and websites. See Application Visibility. |
| Analyze > Live Events | | Allows troubleshooting issues related to a wired client connected to a switch in real time for detailed analysis. See Live Events. |
| Analyze > Events | | Displays the details of events generated by the AP and client association. See Alerts & Events. |
| Analyze > Tools | | Enables network administrators to perform checks on the client and debug client connectivity issues. See Using Troubleshooting Tools. |
| Remote Clients | | |
| Manage > Overview | Summary | Displays the information about the type of data path that the client uses, the network details, and basic client details such as IP address of the client, type of encryption, and so on. See Summary. |
| | AI Insights | Displays information about client performance and connectivity issues such as excessive 2.4 GHz dwell and low SNR links. See The AI Insights Dashboard. |
| | Location | Displays the current physical location of the client device on the floor map. See Location. |
| | Sessions | Displays the firewall session details for the client connected to a Branch Gateway. The Sessions page displays information filtered by the IP address of the client. See Sessions. |
| Manage > Applications | | Displays the client details for passive monitoring of the client connected to a wired network. The Visibility dashboard provides a summary of client traffic and their data usage to and from applications, and websites. See Applications. |
| Analyze > Security | | Displays the authentication and accounting details of the remote client. See Security. |
| Analyze > Tools | | Enables network administrators to perform checks on the client and debug client connectivity issues. See Tools. |

Overview of Aruba Central Foundation and Advanced Licenses
As part of the shift to an Edge-to-Cloud Platform-as-a-Service organization, Aruba has introduced the Aruba Central Foundation and Advanced Licenses (Aruba Central Licenses). This is a uniform software subscription licensing model that will be extended to all products under the Aruba Central-managed portfolio. The new 1, 3, 5, 7, and 10-year fixed-term licenses offer you the flexibility to choose services and device operations that are most meaningful to the type of business that you own. This licensing model provides different licenses for APs, switches, and gateways.
The licenses for APs, switches, and gateways cannot be used interchangeably. For example, you cannot use an AP Foundation License on a gateway. Similarly, if you have an Aruba 25xx Switch but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch.
The features that are available in both the Foundation and Advanced Licenses have different monitoring and configuration options depending on the licensing tier. For more information, see Supported Features. This licensing model provides the following types of licenses depending on the devices:
- Switches:
  - Foundation--This license provides all the features included in the legacy Device Management tokens.
  - Aruba Central does not provide Switch Advanced Licenses.
  - Mobility Access Switch (MAS) license will get converted to Switch Foundation 61xx/25xx license and continue to work.
- Access Points (APs):
  - Foundation--This license provides all the features included in the legacy Device Management tokens and some additional features that were available as value-added services for APs and switches in the earlier licensing model.
  - Advanced--This license provides all the features included in the Foundation License, with additional features related to AI Insights and WLAN services.
- SD-Branch Gateways:
  - Foundation--This license provides all features required for SD-Branch functionality in branch or headend deployments.
  - Foundation Base--This license provides all the features included in a Foundation License, but can support only up to 75 client devices per branch site.
  - Foundation with Security--This license provides all features required for SD-WAN functionality in branch or headend deployments and some additional security features.
  - Foundation Base with Security--This license provides all the features included in a Foundation with Security License, but can support only up to 75 client devices per branch.
  - Advanced--This license provides all the features included in a Foundation License, with additional features related to SaaS Express and AI Insights.
  - Advanced with Security--This license provides all the features of an Advanced License, with additional security features related to IPS and IDS, security dashboard, and anti-malware.
  - Virtual Gateway (VGW) License--This license is available for AWS, Azure, and ESXi platforms and is licensed based on the bandwidth required. The license types available for VGW are VGW-500M, VGW-2G, and VGW-4G.
For more information, see SD-WAN Ordering Guide.
The Foundation and Advanced Licenses for APs, switches, and SD-Branch gateways are different and cannot be used interchangeably.
For a detailed list of the features supported in each type of license, see Supported Features. For more information about evaluation licenses, see Starting Your Free Trial.
Changes to the Legacy Licensing Model
For existing Aruba Central customers, please note that the previous Device Management and Service Token model is changed to the new licensing model, which provides a uniform licensing structure for all types of devices such as APs, switches, and gateways. The following list provides information about important aspects of the legacy licensing model:
- Device Management Token--This is a mandatory token which allows you to manage and monitor your APs and switches from Aruba Central.
- Service Token--This token allows you to enable value-added services for APs managed from Aruba Central. These services include UCC, AirGroup, Wi-Fi Connectivity Dashboard (formerly, Clarity), Cloud Guest, WebCC, and Presence Analytics.
- Subscription Key--A valid subscription key allows you to manage, profile, and analyze your devices using Aruba Central. A subscription key is a 14-character alphanumeric string provided for either a device management or service token.
The new Aruba Central Licenses simplify the existing subscription-based licensing model. With the introduction of this licensing model, the existing Device Management tokens for APs and switches are no longer available. Similarly, the Service tokens for value-added services on the APs are unavailable. Instead, APs and switches have adopted the current Gateway Foundation and Advanced licensing model.
Supported Devices
The Aruba Central Licenses are supported for APs, switches, and gateways. For more information on the individual device models supported, refer to the next sections. The pricing structure for Foundation and Advanced Licenses for the hardware devices may differ based on the types of models.
APs and IAPs
All AP and IAP models that are currently being shipped are supported. See Supported Instant APs.
Switches
Aruba Central supports AOS-Switch and AOS-CX switches.
AOS-Switches
The following AOS-Switches are supported:
- Aruba 2530 Switch Series
- Aruba 2540 Switch Series
- Aruba 2920 Switch Series
- Aruba 2930F Switch Series
- Aruba 2930M Switch Series
- Aruba 3810 Switch Series
- Aruba 5400R Switch Series
For more information, see Supported AOS-Switch Platforms.
AOS-CX Switches
The following AOS-CX switches are supported:
- AOS-CX 6200 Switch Series
- AOS-CX 6300 Switch Series
- AOS-CX 6400 Switch Series
- AOS-CX 8320 Switch Series
- AOS-CX 8325 Switch Series
- AOS-CX 8360 Switch Series
- AOS-CX 8400 Switch Series
For more information, see Supported AOS-CX Platforms.
Gateways
Aruba Central supports SD-Branch Gateways based on the license type. For more information, see Supported SD-Branch Components.
Gateway Foundation and Advanced License
The Gateway Foundation and Advanced License can be assigned to the following gateways:
- Aruba 70xx Series
- Aruba 72xx Series
- Aruba 90xx Series
This license does not have a capacity limit for client devices.
Gateway Foundation Base License
The Gateway Foundation Base License can be assigned to the following gateways:
- Aruba 7005, 7008, 9004, 9004-LTE, 9012
This license includes all the features available in the Gateway Foundation License. However, this license can support only up to 75 client devices per branch. When the client capacity reaches the threshold, Aruba Central triggers an alert to indicate that the Gateway Base License capacity limit has been exceeded. If the notification option for the license capacity limit exceeded alert is configured, Aruba Central sends an email notification with a list of Aruba gateways that exceed the client-capacity threshold. You can also configure alerts to trigger an incident using Webhook. For more information, see Gateway Alerts.
Gateway Foundation, Foundation Base, and Advanced with Security License
The Gateway Foundation with Security License can be assigned to the following gateways:

- Aruba 9004 Gateway
- Aruba 9004-LTE Gateway
- Aruba 9012 Gateway
Virtual Gateway (VGW) License (VPNC only)
The Virtual Gateway License is available on AWS, Azure, and ESXi platforms and is licensed based on the bandwidth required: 500 Mbps, 2 Gbps, or 4 Gbps. Aruba Virtual Gateway is a virtual instance of the headend gateway for Aruba SD-Branch. Aruba Central supports licenses based on the bandwidth capacity for virtual gateways. All license assignments are undertaken by the virtual gateway orchestration app. The following are the options available for Virtual Gateway Licenses:
- License duration--1 year, 3 years, and 5 years
- Available bandwidths--500 Mbps, 2 Gbps, and 4 Gbps
- Available Aruba Virtual Gateways based on the bandwidth--VGW-500M for 500 Mbps, VGW-2G for 2 Gbps, and VGW-4G for 4 Gbps
Aruba Central maintains a pool of Virtual Gateway Licenses. When a Virtual Gateway License expires and there are no available Virtual Gateway Licenses, the expired license is unassigned from the Aruba Central account. The availability of SKUs is dependent on the installation consuming the license. If a Virtual Gateway License expires and there is a similar new license available, the new license is assigned to the Virtual Gateway, provided that the Auto-Assign Licenses option is enabled. For more information about the Auto-Assign Licenses option, see Enabling the Auto-Assign Licenses Option.
For an Aruba Central evaluation account, four licenses of each base SKU are assigned to the account. These evaluation licenses are valid for 90 days. You can track licenses on the Key Management page or the License Assignment page available from the Account Home page. The list of licenses available against consumed licenses is also displayed during the deployment of a Virtual Gateway.
When the client capacity reaches the threshold, Aruba Central triggers an alert to indicate that the Gateway Base License capacity limit has been exceeded. If the notification option for the license capacity limit exceeded alert is configured, Aruba Central sends an email notification with a list of Aruba gateways that exceed the client-capacity threshold. You can also configure alerts to trigger an incident using Webhook. For more information, see Gateway Alerts. For more information, see SD-WAN Ordering Guide.
Supported Features
This section includes detailed information about the different configuration and monitoring options available for Aruba Central features tied to Foundation and Advanced Licenses.
AP Foundation and Advanced License
The AP Foundation and Advanced License for Aruba Central includes the following features:

Feature Category: Configuration
Foundation License Features:
- UI- and template-based group configuration
  - SSID (Bridge Mode)
  - IAP VPN
- Auto-commit
- Configuration audit
Advanced License Features:
- All the features in Foundation

Feature Category: Monitoring and Reporting
Foundation License Features:
- Network Health, Summary, Wi-Fi Connectivity Dashboards
- Network Topology View
- Visual RF Floorplans
- Client List and Details
- AP List and Details
- Go Live mode for Client, AP
- Application Visibility
- WebCC Firewall rules, visualization by reputation and category
- Access to all monitoring data for up to 30 days
- Access to reporting data for up to 90 days
- Access to historical Client Summary Report data for up to one year
- Audit Trail
- Alerts and Events
- Access, Spectrum, Monitor mode of radio operations
- UXI Sensor Integration
Advanced License Features:
- All the features in Foundation
- AirSlice
  - Visibility and Prioritization of applications
NOTE: AirSlice is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Feature Category: AI Operations
Foundation License Features:
- AI Search
- AI Insights
  - Connectivity--Wi-Fi
  - Wireless Quality
  - Availability--Access Points
  - Class and Company Baselines
- AI Assist
  - Dynamic logs
NOTE: Dynamic Logs is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
Advanced License Features:
- All the features in Foundation
- AI Insights--Wireless Quality
  - Outdoor clients impacting Wi-Fi performance
  - Coverage Hole Detection
  - Transmit power optimization
- AI Assist
  - Aruba support notification
NOTE: Aruba support notification is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Feature Category: Troubleshooting
Foundation License Features:
- Network Check, CLI commands
- Live Events for Client and AP, Packet Capture
Advanced License Features:
- All the features in Foundation

Feature Category: Services
Foundation License Features:
- AirGroup (In InstantOS-based APs, the service is hosted on the IAP Virtual controller and all services are supported.)
NOTE: AirGroup is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
- RF Management Services
  - Adaptive Radio Management (ARM)
  - ClientMatch
- Presence Analytics
Advanced License Features:
- All the features in Foundation
- UCC
NOTE: UCC is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Feature Category: Security
Foundation License Features:
- Guest Access
- Clients Profile
- Rogues
- WIPS/WIDS
Advanced License Features:
- All the features in Foundation
NOTE: CPDI-based Client Profile and Rogues are supported in this release as Early-Access features. Contact your Aruba SE or Account Manager to enable these in your Aruba Central account.

Feature Category: API
Foundation License Features:
- Northbound (NB) API: 1000 API calls/day per customer
Advanced License Features:
- All the features in Foundation
- Streaming API

Switch Foundation License
The Switch Foundation License for Aruba Central includes the following features:
Aruba Central does not support Switch Advanced License.

Feature Category: Configuration
AOS-Switch Features:
- UI- and template-based group configuration
- Auto-commit
- Configuration audit
AOS-CX Features:
- UI-, Template-, and MultiEdit-based group configuration
- Configuration audit

Feature Category: Monitoring and Reporting
AOS-Switch Features:
- Network Health, Summary Dashboards
- Network Topology View
- Client List and Details
- Switch List and Details
- Access to all monitoring data for up to 30 days
- Access to reporting data for up to 90 days
- Access to historical Client Summary Report data for up to one year
- Audit Trail
- Alerts and Events
AOS-CX Features:
- Network Health, Summary Dashboards
- Network Topology View
- Client List and Details
- Switch List and Details
- Access to all monitoring data for up to 30 days
- Access to reporting data for up to 90 days
- Access to historical Client Summary Report data for up to one year
- Audit Trail
- Alerts and Events

Feature Category: AI Operations
AOS-Switch Features:
- AI Search
- AI Insights
  - Availability - Switch
  - Class and Company Baselines
AOS-CX Features:
- AI Search
- AI Insights
  - Availability - Switch
  - Class and Company Baselines

Feature Category: Troubleshooting
AOS-Switch Features:
- Network Check, Device Check, CLI commands
- Live Events and Packet Capture for wired client
AOS-CX Features:
- Network Check, Device Check, CLI commands

Feature Category: API
AOS-Switch Features:
- Northbound (NB) API: 1000 API calls/day per customer
AOS-CX Features:
- Northbound (NB) API: 1000 API calls/day per customer

Gateway Foundation, Foundation Base, and Advanced License
The Gateway Foundation, Foundation Base, and Advanced License for Aruba Central includes the following features:
The Foundation Base License provides all the features included in the Foundation License, but this license can support only up to 75 client devices per branch.

Feature Category: SD-Branch
Foundation and Foundation Base License Features:
- Branch Gateway and VPNC Management
- Stateful Firewall
- IPsec VPN
- Client VPN
- Static and Dynamic Routing (BGP, OSPF, RIPv2)
- SD-WAN Route and Tunnel orchestration
- Orchestrated Cloud IaaS connectivity (AWS, Azure)
- Orchestrated SASE Integration
- Dynamic Path Steering
- Link Redundancy
- 4 WAN links plus 1 LTE link
- Application-based policies
- High Availability (Active-Standby or Active-Active)
- Web content filtering
- Role-based Access Policy
- Full SD-LAN Control
Advanced License Features:
- All the features in Foundation

Feature Category: Configuration
Foundation and Foundation Base License Features:
- CPDI-based Client Profile
- UI- and template-based group configuration
- Configuration audit
Advanced License Features:
- All the features in Foundation

Feature Category: Monitoring and Reporting
Foundation and Foundation Base License Features:
- Network, WAN Health, Summary Dashboards
- Network Topology View
- Client List and Details
- Gateway List and Details
- Go Live mode for Client
- Application Visibility
- WebCC Firewall rules, visualization by reputation and category
- Access to all monitoring data for up to 30 days
- Access to reporting data for up to 90 days
- Access to historical Client Summary Report data for up to one year
- Audit Trail
- Alerts and Events
Advanced License Features:
- All the features in Foundation

Feature Category: AI Operations
Foundation and Foundation Base License Features:
- AI Search
- AI Insights
  - Availability - Gateways
  - Class and Company Baselines
- AI Assist
  - Dynamic logs
NOTE: Dynamic Logs is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
Advanced License Features:
- All the features in Foundation

Feature Category: Troubleshooting
Foundation and Foundation Base License Features:
- Network Check, CLI commands
Advanced License Features:
- All the features in Foundation

Feature Category: API
Foundation and Foundation Base License Features:
- Northbound (NB) API: 1000 API calls/day per customer
Advanced License Features:
- Streaming API

Feature Category: Services
Foundation and Foundation Base License Features:
- Not Applicable
Advanced License Features:
- SaaS Express

Gateway Foundation, Foundation Base, and Advanced License with Security
The Gateway Foundation, Foundation Base, and Advanced License with Security for Aruba Central includes the following features:

Foundation and Foundation Base with Security:
- All the features in Foundation
- Intrusion Detection and Prevention (IDS/IPS)
- Anti-malware
- Security Dashboard

Advanced with Security:
- All the features in Advanced
- Intrusion Detection and Prevention (IDS/IPS)
- Anti-malware
- Security Dashboard

Virtual Gateway (VGW) License
The Virtual Gateway (VGW) License for Aruba Central includes the following features:

Feature Category: SD-Branch
VGW License Features:
- VPNC Management
- Stateful Firewall
- IPsec VPN
- Client VPN
- GRE Tunnel
- Static and Dynamic Routing (BGP, OSPF, RIPv2)
- VGW orchestration in public cloud
- SD-WAN Route and Tunnel orchestration
- Orchestrated Cloud IaaS connectivity (AWS, Azure)
- Orchestrated SASE integration
- Link Redundancy
- High Availability (Active-Standby or Active-Active)

Feature Category: Configuration
VGW License Features:
- UI- and template-based group configuration
- Configuration audit

Feature Category: Monitoring and Reporting
VGW License Features:
- Network, WAN Health, Summary Dashboards
- Network Topology View
- Access to all monitoring data for up to 30 days
- Access to reporting data for up to 90 days
- Access to historical Client Summary Report data for up to one year
- Audit Trail
- Alerts and Events

Feature Category: AI Operations
VGW License Features:
- AI Search
- AI Insights
  - Availability - Gateways
  - Class and Company Baselines
- AI Assist
  - Dynamic logs
NOTE: Dynamic Logs is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Feature Category: Troubleshooting
VGW License Features:
- Network Check, CLI commands

Feature Category: API
VGW License Features:
- Northbound (NB) API: 1000 API calls/day per customer

For more information about the features supported, see Aruba Central Licenses Feature Details.


Aruba Central Licenses Feature Details
This section describes the different configuration and monitoring options available for Aruba Central features tied to Foundation and Advanced Licenses.
Configuration
AP Configuration
License Applicability: AP configuration is available for AP Foundation License.
Network administrators can manage APs through the Aruba Instant UI, Aruba Central, or AirWave management system. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AP deployments. For template-based provisioning, APs must be assigned to a group with template-based configuration method enabled.
AOS-Switch Configuration
License Applicability: AOS-Switch configuration is available for Switch Foundation License.
Network administrators can manage AOS-Switches through the Aruba Central UI menu options. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AOS-Switch deployments.
AOS-CX Configuration
License Applicability: AOS-CX configuration is available for Switch Foundation License.
Network administrators can manage AOS-CX switches through the Aruba Central UI menu options and the MultiEdit mode. The MultiEdit mode in Aruba Central provides a single window for viewing and editing the configuration for one or more AOS-CX switches. In this mode, viewing and editing the configuration is performed using the CLI syntax. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AOS-CX deployments.
Auto-Commit
License Applicability: Auto-Commit is available for Foundation and Advanced Licenses for APs, switches, and gateways.
Aruba Central supports a two-staged configuration commit workflow for Instant APs. When the auto-commit state is enabled for a group, the configuration changes are instantly applied to all devices where the auto-commit state is enabled.
Configuration Audit
License Applicability: Configuration Audit is available for Foundation and Advanced Licenses for APs, switches, and gateways.
In Aruba Central, the Configuration Audit page provides an audit dashboard for reviewing configuration changes of the devices provisioned in the UI and template groups. The Configuration Audit page allows you to view configuration push errors, template synchronization errors, configuration sync, and device-level configuration overrides.
Gateway Configuration
License Applicability: Gateway configuration is available for Gateway Foundation and Foundation Base Licenses.
Aruba Central supports the following methods to configure Gateway groups and Gateways in SD-Branch deployments:
- Guided Setup--You can use the Guided Setup to quickly configure basic and essential parameters on Aruba Gateways for deploying the SD-WAN solution. The Guided Setup provides a wizard-based workflow for provisioning Gateways.
- Basic Mode--Allows you to configure your Gateways in a non-linear fashion. This mode allows you to make configuration changes after you provision your gateways for the first time using a Guided setup.
- Advanced Mode--Allows you to configure advanced features for SD-WAN deployments.
Template groups in Aruba Central allow network administrators to create a common configuration output by using a combination of CLI commands and variables, and apply this configuration to the other Gateway devices provisioned in that group.
Monitoring and Reporting
Access, Spectrum, Monitor Mode of Radio Operations
License Applicability: The Access, Spectrum, and Monitor modes of the radios of an access point are available for AP Foundation and Advanced Licenses. In the Access mode, the Instant AP serves clients, while also monitoring for rogue Instant APs in the background. In the Monitor mode, the Instant AP acts as a dedicated monitor, scanning all channels for rogue Instant APs and clients. In the Spectrum mode, the Instant AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring Instant APs or from non Wi-Fi devices such as microwaves and cordless phones.
Alerts and Events
License Applicability: Alerts and events for APs, Gateways, and switches is part of Foundation License and does not require any extra configuration. This tab shows data for all devices irrespective of device license type. The Alerts and Events dashboard displays a list of alerts and events generated for events pertaining to device provisioning, configuration, and user management. You can view the alerts and events in the List view and Summary view. Configuration view is used to configure alerts and is available only at the Global context.
Application Visibility
License Applicability: The Application Visibility feature is a part of a Foundation License. However, as API streaming is available for Advanced Licenses only, the Application Visibility streaming service is supported only for APs with an Advanced License. Application Visibility is a custom-built Layer-7 firewall capability in Aruba Central that allows you to create firewall policies based on the types of applications in IAPs. Application Visibility provides features like deep packet inspection, application monitoring, and AirSlice Policy.

Aruba Central | User Guide

83

Audit Trail
License Applicability: Audit Trail logs for APs, gateways, and switches, is part of Foundation License and does not require any extra configuration. This tab shows data for all devices irrespective of device license type. The Audit Trail page in Aruba Central shows the total number of logs generated for all device management, configuration, and user management events triggered in the network.
Client List and Details
License Applicability: Clients monitoring is available for the Foundation License of AP, switch, and gateway. The Clients page is also called the unified clients list and it provides a list of all clients that are connected to access points, switches, or gateways in the network. The List and Summary views under the Clients tab serve as dashboards. They display details about the network performance, client connection status, instantaneous client refresh, Go Live (only AP), and other information required for monitoring the clients.
Floorplans
License Applicability: Floorplans is available for AP and gateway Foundation Licenses. Floorplans allow you to plan sites, create and manage floorplans, and provision access points. Floorplans provide a real-time picture of the radio environment of your wireless network and the ability to plan the wireless coverage of new sites.
Reports
License Applicability: Reports is available for the Foundation License. The Reports feature enables you to generate reports for the Clients, Infrastructure, Security Compliance, and Applications categories. The Reports feature is present under the Analyze section of the Network Operations app. The functionalities present are creating a report, generating a report, scheduling the report generation, previewing a report, and downloading a report in PDF and CSV formats. The Custom range for the Summary report is available for the last one year, except the current date (today). All other reports are available for 90 days in Aruba Central 2.5.3.
Topology
License Applicability: Topology is available for Foundation and Advanced Licenses for APs, switches, and gateways. In Aruba Central, the Topology tab in the site dashboard provides a graphical representation of the site, including the network layout, details of the devices deployed, and the health of the WAN uplinks and tunnels. The topology map provides information about third-party devices and devices that are not managed by Aruba. It also provides information about orphan and offline third-party devices, and the VLANs configured on switches running AOS-Switch and AOS-CX software.
Web Content Classification (WebCC)
License Applicability: The WebCC feature is available for Foundation Licenses for APs and gateways. The WebCC allows you to classify website content based on reputation and take measures to block malicious sites. It fetches information about website content classification and geolocation of IPs. The IP reputation database contains known IP addresses associated with various malicious activities or threats such as botnet, DOS, and spam sources. The geolocation IP database contains the geographical location of the IP address from where the traffic is received or to which the traffic is sent. This provides geolocation and reputation filtering as part of the security suite. The table below lists the features supported for AP and gateway licenses:

AP Foundation:
- WebCC Firewall rules, visualization by reputation and category

Gateway Foundation and Foundation Base:
- WebCC Firewall rules, visualization by reputation and category

Wi-Fi Connectivity
License Applicability: The Wi-Fi Connectivity dashboard for APs is part of Foundation License and does not require any extra configuration. The Wi-Fi Connectivity page displays an overall view of the connection details for all clients that are connected to or tried to connect to each connection phase. The connection phases include the following:
- All: Displays the aggregated success percentage of Association, Authentication, and DHCP for all clients connected to the network.
- Association: Displays the percentage of successful attempts made by a client to connect to the network.
- Authentication: Displays the percentage of successful attempts of client authentication.
- DHCP: Displays the percentage of successful attempts of DHCP requests and responses when onboarding a client.
- DNS: Displays the percentage of successful attempts in the detected DNS resolutions, when a client is connected to the network.
AI Operations
AI Insights
License Applicability: AI Insights is available for Foundation and Advanced Licenses for APs, switches, and gateways. The Insights that require an Advanced License are marked as Advanced in the UI. The AI Insights dashboard displays a report of network events that could possibly affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level for the selected time range. Each insight provides specific details on the occurrences of these events for easy debugging. Different types of insights are generated by Aruba Central and they can be accessed from different contexts such as Global, Site, Clients, and Device. Some of the insights are part of an Advanced License only and they are marked as Advanced in the user interface. The following figure displays various AI Insights available and some are marked as Advanced.


Figure 13 AI Insights List

The table below lists the features supported for AP, switch, and gateway licenses:

AP Foundation License:
- Connectivity - Wi-Fi
- Wireless Quality
- Availability - Access Points
- Class and Company Baselines

AP Advanced License:
- Wireless Quality
  - Outdoor clients impacting Wi-Fi performance
  - Coverage Hole Detection
  - Transmit power optimization

Switch Foundation:
- Availability - Switch
- Class and Company Baselines

Gateway Foundation, Foundation Base, and VGW:
- Availability - Gateways
- Class and Company Baselines

In this release, all AI Insights are available irrespective of the user role or Aruba Central subscription. In the upcoming Aruba Central release, AI Insights marked as Advanced in the user interface would require an advanced subscription.
AI Search
License Applicability: AI Search feature is available for Foundation License for AP, switch, and gateway. The AI search feature in Aruba Central enables you to search for clients, devices, and infrastructure connected to the network. Using the search results, you can navigate to the configuration and troubleshooting pages. The search also retrieves relevant documentation to help you efficiently operate your networks. The search engine uses Natural Language Processing (NLP) to analyze queries and return relevant search results.


Dynamic Logs
License Applicability: Dynamic Logs is available for both Foundation and Advanced Licenses for APs and gateways. The Dynamic Logs feature enables Aruba Central to dynamically run CLI show commands on APs and gateways, and collect the output as logs. You can also enable the Aruba support notification option to notify TAC support regarding the logs generated. These logs can be used to troubleshoot the APs and gateways.
Dynamic Logs is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
The following figure displays the available options for Dynamic Logs.
Figure 14 Dynamic Logs Option

For devices assigned with the Foundation License, the Dynamic Logs feature only supports the log collection activity. Even if you enable the Notify Aruba Support option, the option is not activated for devices licensed with Foundation License. For devices assigned with Advanced Licenses, Dynamic Logs support both log collection and the Aruba support notification option. For example, assume an Aruba Central account with Dynamic Logs enabled, where you configure a group of three Access Points (APs), AP1, AP2, and AP3. AP1 has a Foundation License while AP2 and AP3 have Advanced Licenses. For this group, both Dynamic logs collection and Notify Aruba Support options are enabled. However, the Aruba support notification option is only applicable for AP2 and AP3, which have Advanced Licenses.
Troubleshooting
Live Events
License Applicability: Live Events for clients, APs, and switches is part of the Foundation License and does not require any extra configuration. The clients Live Events page shows information required to troubleshoot issues related to a client or a site in real time for detailed analysis. Aruba Central also allows you to troubleshoot issues related to access points. The AP Live Events feature is similar to client live troubleshooting, but in this case you can enable Live Events at the AP level. Currently, users can subscribe to Radio, VPN, and Spectrum events.


Live Packet Capture (PCAP)
License Applicability: Live PCAP for APs and switches is part of the Foundation License and does not require any extra configuration. Aruba Central allows users to interact and launch a targeted packet capture on a client connected to a specific AP or a switch. When the user starts packet capture from the UI, Aruba Central notifies the AP and the switch. The default packet capture duration is 15 minutes.
Troubleshooting Tools
License Applicability: Troubleshooting for APs, gateways, and switches is part of Foundation License and does not require any extra configuration. The Tools menu option allows network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. The Tools page is divided into the following tabs:
- Network Check: Allows you to run diagnostic checks on networks and troubleshoot client connectivity issues.
- Device Check: Allows you to run diagnostic checks and troubleshoot switches.
- Commands: Allows you to perform network health check on devices at an advanced level using command categories.
Services
AirGroup
License Applicability: AirGroup is available for both AP Foundation and Advanced Licenses. AirGroup is a zero-configuration networking protocol that enables service discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services. It is designed for flat, single-subnet IP networks such as wireless networking at home. AirGroup supports both wired and wireless devices.
AirGroup is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
In InstantOS-based APs, the service is hosted on the IAP Virtual controller and all services are supported.
AirMatch
License Applicability: AirMatch is available for AP Foundation License. AirMatch channel planning evens out channel distributions in any size of network and in any subset of the contiguous network. AirMatch also minimizes channel coupling where adjacent radios are assigned to the same channel.
AirSlice
License Applicability: The AirSlice feature is available for only AP Advanced Licenses. The AirSlice feature allows network operators to build virtual networks suitable for specific application requirements. It allows network operators to monitor applications used by clients and supports multiple services such as gaming, IoT, voice, video, and so on.

AirSlice is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
For devices that have Advanced Licenses, the AirSlice feature supports unlimited applications and provides prioritization of custom-applications with visibility and configuration. The table below lists the features supported for AP licenses:
Advanced:
- Visibility and prioritization of applications
- Maximum number of applications as supported by the Aruba Central platform
ClientMatch
License Applicability: ClientMatch is available for AP Foundation License. ClientMatch continually monitors the RF neighborhood for each client to provide ongoing client band steering, load balancing, and enhanced AP reassignment for roaming mobile clients.
Presence Analytics
License Applicability: Presence Analytics is available for Foundation AP License. Presence Analytics enables businesses to collect and analyze user presence data in public venues, enterprise environments, and retail hubs. Presence Analytics also enables businesses to collect real-time data on user footprints within the wireless network range.
SaaS Express
License Applicability: SaaS Express is available for Advanced Gateway License and Advanced with Security Gateway License only. The SaaS Express feature, on SD-WAN Gateways, enables discovery of the SaaS application servers, monitors application performance, and steers traffic to the best-available servers, and thus provides an improved user experience.
Unified Communications
License Applicability: Unified Communications is available for AP Advanced Licenses. The Unified Communications feature enables a seamless user experience for voice calls, video calls, and application-sharing when using communication and collaboration tools. It allows you to actively monitor voice, video, and application-sharing sessions, provide traffic visibility, prioritize the required sessions, and provide rich visual metrics for analytical purposes.
Unified Communications is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
Security
Cloud Guest
License Applicability: Cloud Guest is available for the AP Foundation License. The Cloud Guest access enables the guest users to connect to the network. This is provided through the splash page profile that is created by the administrators for the guest users in the Guests tab under Manage. The Summary page in the Manage > Guest Access application is the monitoring dashboard that displays the number of guests, guest SSID, client count, type of clients, and guest connection. Cloud Guest deals with the AP, so the license that is assigned to the AP is also applicable to Cloud Guest. By default, the Foundation License is applicable. The Advanced License features will also be available if the Cloud Guest is assigned to it.
ClearPass Device Insight-Based Clients Profile
License Applicability: ClearPass Device Insight (CPDI) based Clients Profile is available for Foundation License for APs and gateways. The CPDI-based Clients Profile enables network and security administrators to discover, monitor, and automatically classify new and existing devices that connect to a network. You can identify devices that include IoT devices, medical devices, printers, smart devices, laptops, VoIP phones, computers, gaming consoles, routers, servers, switches, and so on.
CPDI-based Clients Profile is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
The table below lists the features supported for AP and gateway licenses:

Foundation:
- Basic client MAC Classification based on telemetry data
- Client Family, Client Category, Client OS
- Cloud Auth Integration

Advanced:
- Access to Collector support in Central (not including physical collector costs)
- ML-based client classification
- Advanced Security Features (Risk / Posture / Vulnerability)
- Security baseline of device behavior with Firewall recommendation

Intrusion Detection and Prevention (IDS or IPS)
License Applicability: IDS and IPS are available for Foundation with Security Gateway License, Foundation Base with Security Gateway License, and Advanced with Security Gateway License. IDS and IPS monitor, detect, and prevent threats in the inbound and outbound traffic. Aruba IDS or IPS adds an extra layer of security that focuses on users, applications, and network connections, and can be integrated with the Aruba SD-Branch solution.
RAPIDS
License Applicability: RAPIDS is available for Foundation and Advanced Licenses for APs. The RAPIDS feature enables Aruba Central to quickly identify and act on interfering APs in the network that can be later considered for investigation, restrictive action, or both. Once the interfering APs are discovered, Aruba Central sends alerts for security events to the network administrators about the possible threat and provides essential information needed to locate and manage the threat.
RAPIDS is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
This feature is part of the AP Foundation License. However, as API streaming is available for Advanced License only, Aruba Central would not stream any security events for APs with Foundation License. For APs with Advanced License, API streaming of security events is available for further diagnosis and threat management.
API
Streaming APIs
License Applicability: The Streaming API service requires that devices such as IAPs and gateways are assigned with Advanced License. The Streaming API feature enables you to subscribe to a select set of services, instead of polling the NB API to get an aggregated state, or statistics of the events, pertinent to the monitoring activities of Aruba Central. With Streaming API, you can write value-added applications based on the aggregated context. For example, with Streaming API, you are notified about the following types of events:
- The UP and DOWN status of the devices
- Change in location of stations
The Streaming API feature in Aruba Central is enabled only when any one of the devices in the account has an Advanced License. If the account has devices with only Foundation License, the Streaming API tab is not displayed in Aruba Central. If the Streaming API feature is enabled, and the account has a mix of Foundation License and Advanced License for devices, the devices that are assigned with Foundation License do not stream any data for any topics.
SD-Branch
Application-based Policy
License Applicability: The application-based policy configuration is available for Foundation License for Branch Gateways. The Application-based policy configuration helps in deep packet inspection of application usage by clients. Using this configuration, you can define applications, security, and service aliases. You can configure Access Control Lists (ACLs) to restrict user access to an application or application category.
Dynamic Path Steering
License Applicability: Dynamic Path Steering is available for Gateway Foundation and Foundation Base License. In the Path Steering tab, you can view traffic path steering details for the Dynamic Path Steering policies configured on the Branch Gateway. This tab also displays the number of policies that are compliant along with the total number of policies configured on the Branch Gateway.
Full SD-LAN Control
License Applicability: SD-LAN monitoring is available for Foundation License for Branch Gateways. The LAN Summary page displays a graphical representation of the LAN link availability of a Branch Gateway. It also provides a summary of all the LAN interfaces and port details.
IPsec VPN
License Applicability: IPsec VPN is available for Gateway Foundation and Foundation Base License. An IPsec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPsec tunnel to the controller secures corporate data. You can configure an IPsec tunnel from virtual controller using Aruba Central.


Role-based Access Policy
License Applicability: Role-based Access Policy configuration is available for Foundation License for Branch Gateways. The Role-based Access Policy determines client access based on the user roles assigned to a client. Each user or device connected to the branch network is associated with a user role. Once the role is assigned, traffic and security policies are applied to devices based on the role.
SD-WAN Overlay
License Applicability: SD-WAN Overlay monitoring is available for Gateway Foundation License. The SD-WAN Overlay is an orchestrator service for branch deployments, which is done by setting up IPsec tunnels between the Branch Gateways and VPN Concentrators. This is achieved through Tunnel and Route orchestration. The tunnel configuration between the branch and hub sites is automatic and the route configuration is done by redistributing the routing information learnt from the branch in a dynamic way. The Map and Grid views of the Tunnel and Route tabs under SD-WAN Overlay serve as dashboards for monitoring purpose, providing information about the tunnels and routes configured for an individual Branch Gateway.
Stateful Firewalls
License Applicability: Stateful Firewalls is available for Gateway Foundation and Foundation Base License. Aruba Gateways support stateful firewall for stateful inspection of packets. Stateful firewalls provide an additional layer of security by tracking the state of network connections and using the state information from previous communications to monitor and control new communication attempts. To protect your network from external attacks and unauthorized communication attempts, you can configure match conditions and packet filtering criteria for the Aruba Gateways.
Web Content Filtering
License Applicability: Website content filtering is available for Foundation License for Branch Gateways. Aruba Gateways enhance branch security by providing real-time web content and reputation filtering. The Website Content Classification feature on Branch Gateways allows you to classify website content based on reputation and take measures to block malicious sites.

Starting Your Free Trial
Aruba Central offers a 90-day evaluation license for customers who want to try the solution for managing their networks. The evaluation license allows you to use the functions described in the following table:

Table 21: Evaluation features

Application: Network Operations
Function:
- 10 Advanced AP Licenses
- 5 Foundation Switches 6100 / 25xx / low density (16 ports or less) Licenses
- 5 Foundation Switches 6200 / 29xx Licenses
- 5 Foundation Switches 6300 / 3810 Licenses
- 5 Foundation Switches 8xxx / 6400 / 5400 Licenses
- 5 Advanced 90xx Gateways with security feature Licenses
- 10 Advanced 70xx Gateways Licenses
- 2 Advanced 72xx Gateways Licenses

Application: ClearPass Device Insight
Function: Discover, monitor, and automatically classify new and existing devices that connect to a network.

Complete the following steps to evaluate Aruba Central:
- Step 1: Getting Started with the Initial Setup
- Step 2: Viewing Subscription Details (Optional)
- Step 3: Adding Devices
- Step 4: Assigning Subscriptions
- Step 5: Organizing Your Devices into Groups
- Step 6: Assigning Sites and Labels (Optional)
- Step 7: Configuring Your Network
- Step 8: Monitoring Your Network and Devices
- Step 9: Canceling or Upgrading Your Subscription (Optional)
Step 1: Getting Started with the Initial Setup
To get started with the trial:
1. Register for evaluating Aruba Central. For more information, see Creating an Aruba Central Account.
2. Log in to Aruba Central. For more information, see Accessing Aruba Central Portal.
   - If you signed up to evaluate only the Network Operations app, the Welcome to Aruba Central page is displayed.
     - Click Evaluate Now. The Get Started With Aruba Central page guides you through the onboarding steps.
     - Click through the steps to set up your account and start using Aruba Central. If you want to exit the wizard and complete the onboarding steps on your own, click Exit Workflow.
     The Initial Setup wizard is displayed only when you log in to Aruba Central for the first time. The wizard is not available for Aruba Central users in the MSP mode.
   - If you signed up to evaluate both Network Operations and ClearPass Device Insight, the Network Operations page is displayed. For more information, see ClearPass Device Insight Information Center.
Step 2: Viewing Subscription Details (Optional)
At your first login, the Initial Setup wizard displays the evaluation license details. After you exit the wizard, you can view the license details on the Account Home > Global Settings > Key Management page.
Viewing Subscription Key Details
The following table shows the typical contents of a license key:


Table 22: License Key Details

Keys: Subscription key number.

Type: Type of the license. Aruba Central supports the following types of licenses:
- Foundation: This license provides all the features included in the Device Management subscription and some additional features that were available as value-added services for APs in the earlier licensing model.
- Advanced: This license provides all the features of a Foundation license, with additional features related to AI insights.

Expiration Date: Expiration date for the license key.

Quantity: Number of licenses available.

Status: Status of the license key. For example, if you are a trial user, Aruba Central displays the status of subscription key as Eval.

Step 3: Adding Devices
To manage devices from Aruba Central, trial users must manually add the devices to Aruba Central's device inventory. You can add up to 60 devices. The devices can be APs, switches, or gateways. For details about how many device licenses of each type are available, see Table 21. Use one of the following methods to add devices to Aruba Central:
- Using the Initial Setup Wizard
- Using the Device Inventory Page
Using the Initial Setup Wizard
1. In the Add Devices tab of the Initial Setup wizard, click Add Device.
2. Enter the serial number and MAC address of your devices. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
3. Click Done.
4. Review the devices in your inventory.
Using the Device Inventory Page
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Add Devices. The Add Devices pop-up window is displayed.
3. Enter the serial number and the MAC address of each device. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
4. Click Done.
5. Review the devices in your inventory.
Step 4: Assigning Subscriptions
By default, an evaluation license key is assigned for users who sign up for a free trial of Aruba Central. The evaluation license key allows you to manage up to 60 devices from Aruba Central. You can either enable automatic assignment of license or manually assign Foundation and Advanced licenses to your devices. By default, the automatic license assignment is disabled.
Enabling Automatic Assignment of Subscriptions
Use one of the following options to enable automatic assignment of licenses:
In the Initial Setup Wizard
1. Verify that you have a valid license key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the Assign License tab, slide the Auto License toggle switch to the On position.
From the License Assignment Page
1. In the Account Home page, under Global Settings, click License Assignment.
2. Under Device Licenses, slide the Auto License toggle switch to the On position. All the devices in your inventory are selected for automatic assignment of a license. You can edit the list by clearing the existing selection and re-selecting devices.
Manually Assigning Subscriptions
Use one of the following options to manually assign subscriptions:
In the Initial Setup Wizard
1. In the Assign License tab, ensure that the Auto License toggle switch is turned off.
2. Select the devices in the list for which you want to manually assign licenses.
3. Click Update Licenses.
From the Subscription Assignment Page
1. In the Account Home page, under Global Settings, click License Assignment.
2. On the License Assignment page, ensure that the Auto License toggle is turned off.
3. Select the devices to which you want to assign licenses.
4. Click Update Licenses.
For more information on subscriptions, see Managing Licenses.
Step 5: Organizing Your Devices into Groups
A group in Aruba Central functions as a configuration container for devices added in Aruba Central.
Why Should You Use Groups?
Groups allow you to create a logical subset of devices and simplify the configuration and device management tasks. Groups offer the following functions and benefits:
- Combining different types of devices under a group. For example, a group can have APs and switches. Aruba Central allows you to manage configuration of these devices in separate containers (wireless and wired management) within the same group. Any new device that is added to a group inherits the current configuration of the group.
- Assigning multiple devices to a single group. For example, a group can consist of multiple Instant AP Virtual Controllers (VCs). These VCs can share common configuration settings and push the configuration updates to member Instant APs in their respective clusters. For example, you can apply a common security policy for the devices deployed in a specific geographical location.
- Cloning an existing group allows you to create a base configuration for the devices and customize it as per your network requirements.
You can also use groups for filtering your monitoring dashboard content, generating reports, and managing software upgrades.
A device can be part of only one group at any given time. Groups in Aruba Central are independent and do not follow a hierarchical model.
For more information on groups and group configuration workflows, see Groups for Device Configuration and Management.
Assigning Devices to Groups
After you successfully complete the onboarding workflow, the Initial Setup wizard prompts you to assign your devices to a group. You can click Assign Group and assign your devices to a group. You can also use one of the following methods to assign your devices to groups:
To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory.
1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign.
4. Click Assign Device(s).
To assign a device to a group from the Groups page:
1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the devices table on the right, select the device that you want to assign to a new group.
4. Drag and drop the device to the group to which you want to assign the device.
Step 6: Assigning Sites and Labels (Optional)
A site in Aruba Central refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Aruba Central allows you to use sites as a primary navigation element. For example, if your devices are deployed in a campus, you can create a site called CampusA. You can also tag the devices within CampusA using labels. If your campus consists of multiple buildings, the devices deployed in the campus can be labeled as Building1 or Lobby. For more information on sites and labels and how to assign devices to sites and labels, see Managing Sites and Managing Labels.

Step 7: Configuring Your Network
If you have added Instant APs as part of your evaluation, you can configure an employee and guest wireless network. If you have Switches or SD-Branch or SD-WAN Gateways, configure a wired access network or SD-WAN, respectively. For more information, see Device Configuration and Network Management.
Step 8: Monitoring Your Network and Devices
Use monitoring dashboards to view the health of the device and network. You can also run reports, configure alerts, and view client details.
Step 9: Canceling or Upgrading Your Subscription (Optional)
During the trial period or after you complete your trial, if you want to continue using Aruba Central for managing your devices, contact Aruba Customer Support to upgrade your license. If you do not want to continue, contact Aruba support team to cancel your license or wait until the trial expires. When the trial period expires, your devices can no longer be managed from Aruba Central.
Upgrading to a Paid Account
If you have purchased a license for an AP, a switch, or a gateway, then upgrade your account by completing the following steps:
1. On the Account Home page, in the Network Operations app, click the link that shows the number of days left for the evaluation to expire.
Figure 15 Network Operations Evaluation Account
The Add a New License window is displayed.
2. Enter the new license key that you purchased from Aruba.
3. Click Add License.
After you upgrade your account, you can add more devices, enable services, and continue using Aruba Central.

Setting up Your Aruba Central Instance
If you have purchased a license key to manage your devices and networks from Aruba Central, get started with the steps described in this topic. Figure 16 illustrates the steps required for setting up your Aruba Central instance:
Figure 16 Getting Started Workflow
Complete the following steps to start using Aruba Central for managing your devices and setting up your networks.
- Step 1: Getting Started
- Step 2: Adding a Subscription Key
- Step 3: Adding Devices
- Step 4: Assigning Subscriptions
- Step 5: Organizing Your Devices into Groups
- Step 6: Assigning Sites and Labels (Optional)
- Step 7: Configuring Users
- Step 8: Configuring and Managing Networks
- Step 9: Monitoring Your Network and Devices
- Step 10: Upgrading Software Images on Devices
- Step 11: Running Diagnostic Checks and Troubleshooting Issues
Step 1: Getting Started
To get started:
1. Sign up to create your Aruba Central account. For more information, see Creating an Aruba Central Account.
2. If you already have an Aruba Central account, log in to Aruba Central with your credentials. When you log in for the first time, the Initial Setup wizard opens and guides you through the onboarding workflow.
3. Click Get Started.
4. Click through the wizard to complete the onboarding workflow. If you want to exit the wizard and complete the onboarding steps on your own, click Exit and go to Aruba Central.
The Initial Setup wizard is displayed only when you log in to Aruba Central for the first time. The wizard is not available for Aruba Central users in the MSP mode.
Step 2: Adding a Subscription Key
At your first login, the Initial Setup wizard prompts you to add your license key.
If you are not using the wizard, complete the following steps to add your license key.
1. On the Account Home page, under Global Settings, click Key Management. The Key Management page is displayed.
2. Enter your license key.
3. Click Add Key.
The license key is added to Aruba Central and the contents of the license key are displayed in the Manage Keys table. Review the license details. If you add a Device Management token, the key is listed in the Convert Deprecated Licenses page. For more information, see Converting Legacy Tokens to New Licenses.
Step 3: Adding Devices
If you have a paid license, you can automatically import devices from the Activate database to the Aruba Central device inventory.
Figure 17 Typical Workflow for Device Sync Setup

Setting up Device Sync for Automatic Device Addition
To set up device sync, use one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page
In the Initial Setup Wizard

1. Ensure that you have added a license key and click Next.
2. In the Add Devices tab, enter the serial number and MAC address of any one device from your purchase order. Most Aruba devices have the serial number and MAC address on the front or back of the hardware.
3. Click Add Device. Aruba Central imports all other devices mapped to your purchase order.
4. Review the devices in your inventory.
5. Perform the following options:
   - Add Devices Manually--Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App--Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support--Contact Aruba Technical Support.
From the Device Inventory Page
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
Aruba Central imports only devices associated with your account from Activate.
2. Do any one of the following:
   - Click Sync Devices. Enter the serial number and MAC address and click Add Device.
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.
Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Review the devices in your inventory.
4. Perform the following options:
   - Add Devices Manually--Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App--Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support--Contact Aruba Technical Support.
Manually Adding Devices
To add devices using MAC address and serial number, use any one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page
In the Initial Setup Wizard
If you are using the Initial Setup wizard:
1. In the Add Devices tab of the Initial Setup wizard, click Add Device.
2. Enter the serial number or the MAC address of your device.
3. Click Done.
4. Review the list of devices.
From the Device Inventory Page
To add devices from the Device Inventory page:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Perform one of the following:
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.
Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Click Done.
4. Review the devices added to the inventory.
When you add the serial number and MAC address of one AP from a cluster or a switch stack member, Aruba Central imports all devices associated in the AP cluster and switch stack respectively.
For more information on adding devices, see Onboarding Devices.
Step 4: Assigning Subscriptions
Aruba Central supports the following types of licenses:
- Foundation--This license provides all the features included in the Device Management subscription and some additional features that were available as value-added services for APs in the earlier licensing model.
- Advanced--This license provides all the features of a Foundation License, with additional features related to AI insights.
You can either enable automatic assignment of licenses or manually assign licenses to your devices. By default, automatic license assignment is disabled.
Enabling Automatic Assignment of Licenses
Use any one of the following options to enable automatic assignment of licenses:
- In the Initial Setup Wizard
- From the License Assignment Page
In the Initial Setup Wizard

1. Verify that you have a valid license key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the License Assignment tab, slide the Auto Assign Licenses toggle switch to the On position.
From the License Assignment Page
1. In the Account Home page, under Global Settings, click License Assignment.
2. Under Device Subscriptions, toggle the Auto Assign Licenses slider to ON. All the devices in your inventory are selected for automatic assignment of licenses. You can edit the list by clearing the existing selection and re-selecting devices. For more information on how auto licensing works, see Automatic License Assignment Workflow.
Manually Assigning Licenses
Use any one of the following methods to manually assign the licenses:
- In the Initial Setup Wizard
- From the License Assignment Page
In the Initial Setup Wizard
1. In the Assign License tab, ensure that the Auto License toggle switch is turned off.
2. Select the devices in the list for which you want to manually assign subscriptions.
3. Click Update License.
From the License Assignment Page
1. In the Account Home page, under Global Settings, click License Assignment.
2. On the License Assignment page, ensure that the Auto License toggle is turned off.
3. Select the devices to which you want to assign licenses.
4. Click Update License.
For more information on subscriptions and how to assign network service and SD-WAN Gateway subscriptions, see Managing License Assignments.
Step 5: Organizing Your Devices into Groups
A group in Aruba Central functions as a configuration container for devices added in Aruba Central.
Why Should You Use Groups?
Groups allow you to create a logical subset of devices and simplify the configuration and device management tasks. Groups offer the following functions and benefits:
- Combining different types of devices under a group. For example, a group can have Instant APs and Switches. Aruba Central allows you to manage the configuration of these devices in separate containers (wireless and wired management) within the same group. Any new device that is added to a group inherits the current configuration of the group.
- Assigning multiple devices to a single group. For example, a group can consist of multiple Instant AP Virtual Controllers (VCs). These VCs can share common configuration settings and push the configuration updates to member Instant APs in their respective clusters. For example, you can apply a common security policy for the devices deployed in a specific geographical location.
- Cloning an existing group allows you to create a base configuration for the devices and customize it according to your network requirements.
You can also use groups for filtering your monitoring dashboard content, generating reports, and managing software upgrades.
A device can be part of only one group at any given time. Groups in Aruba Central are independent and do not follow a hierarchical model.
For more information on groups and group configuration workflows, see Groups for Device Configuration and Management.
Assigning Devices to Groups
After you successfully complete the onboarding workflow, the Initial Setup wizard prompts you to assign your devices to a group. You can click Assign Group and assign your devices to a group. You can also use any one of the following methods to assign your devices to groups.
To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory.
1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign.
4. Click Assign Device(s).
To assign a device to a group from the Groups page:
1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the devices table on the right, select the device that you want to assign to a new group.
4. Drag and drop the device to the group to which you want to assign the device.
Step 6: Assigning Sites and Labels (Optional)
A site in Aruba Central refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Aruba Central allows you to use sites as a primary navigation element. For example, if your devices are deployed in a campus, you could create a site called CampusA. You can also tag the devices within CampusA using labels. If your campus consists of multiple buildings, the devices deployed in the campus can be labeled as Building1 or Lobby. For more information on sites and labels and how to assign devices to sites and labels, see Managing Sites and Managing Labels.
Step 7: Configuring Users
Add system users, assign user roles, and configure role-based access control. For more information, see Configuring System Users.
Step 8: Configuring and Managing Networks
To start configuring your network setup:

1. Connect your devices to Aruba Central. For more information, see Connecting Devices to Aruba Central.
2. Provision Instant APs, switches, or gateways to set up your WLAN, wired access, and SD-WAN network.
Step 9: Monitoring Your Network and Devices
Use monitoring dashboards to view the health of the device and network. You can also run reports, configure alerts, and view client details.
Step 10: Upgrading Software Images on Devices
View software images available for the devices provisioned in your account, run a compliance check for the recommended software version, and upgrade devices. For more information and step-by-step instructions, see Managing Software Upgrades.
Step 11: Running Diagnostic Checks and Troubleshooting Issues
Run diagnostic checks and troubleshooting commands to analyze network connectivity, latency issues, and debug device issues, if any. For more information and step-by-step instructions, see Using Troubleshooting Tools.
Configuring Email Notifications for Software Upgrades
Aruba Central administrators receive email notifications before software upgrades, scheduled maintenance activity, or any unplanned outage. By default, email notifications are enabled. The banner is updated in the Aruba Central UI seven days before the upgrade and an email notification is sent seven days before the upgrade. In case of an unplanned outage, an email notification is sent immediately and the banner is also updated immediately in the Aruba Central UI. The email notification contains the following details:
- Start date and time.
- Estimated end date and time.
- Link to the What's New page where users can view the list of new features and enhancements included in the release.
- Impact of the outage.
Users can no longer check the status of Aruba Central using the following URLs:
- US--http://status.central.arubanetworks.com
- Canada--http://ca-status.central.arubanetworks.com
- APAC--http://apac-status.central.arubanetworks.com
- APAC East--http://apaceast-status.central.arubanetworks.com
- Europe--http://eu-status.central.arubanetworks.com
Enabling Email Notifications
By default, email notifications are enabled. However, if email notifications are disabled and you wish to enable system maintenance or software update email notifications, complete the following steps:
1. In the Aruba Central UI, click the user icon in the header pane.
2. Click User Settings.
3. In the User Settings pop-up window, do the following:
   a. Select the Get system maintenance notifications check box to receive system maintenance notification on the registered email ID. Email notifications are sent before any scheduled maintenance activity or unplanned outage.
   b. Select the Get software update notifications check box to receive software update notification on the registered email ID.
4. Click Save.
Figure 18 Email Notifications

Configuring Idle Timeout
Aruba Central allows you to set a timeout value for inactive user sessions. The value is in minutes and is the amount of time a user can be inactive before the user's session times out and closes. To configure idle timeout, complete the following steps:
1. In the Aruba Central UI, click the user icon in the header pane.
2. Click User Settings.
3. In the User Settings pop-up window, enter the timeout value in the Idle Timeout field. The value must be within the range of 5 to 10080 minutes.
4. Click Save.
Opening Firewall Ports for Device Communication
Most of the communication between devices on the remote site and Aruba Central server in the cloud is carried out through HTTPS (TCP 443). To allow devices to communicate over a network firewall, ensure that the following domain names and ports are open. This section includes the following topics:

- Domain names for Aruba Central Portal Access
- Domain Names for Device Communication with Aruba Central
- Domain Names for Device Communication with Aruba Activate
- Cloud Guest Server Domains for Guest Access Service
- Domain Names for OpenFlow
- Other Domain Names

Domain names for Aruba Central Portal Access

Table 23: Domain Names and URLs for Aruba Central Portal Access

| Region | Domain Name | Protocol |
|---|---|---|
| US-1 | portal.central.arubanetworks.com | HTTPS TCP port 443 |
| US-2 | portal-prod2.central.arubanetworks.com | HTTPS TCP port 443 |
| US-WEST-4 | portal-uswest4.central.arubanetworks.com | HTTPS TCP port 443 |
| EU-1 | portal-eu.central.arubanetworks.com | HTTPS TCP port 443 |
| EU-2 | portal-eucentral2.central.arubanetworks.com | HTTPS TCP port 443 |
| EU-3 | portal-eucentral3.central.arubanetworks.com | HTTPS TCP port 443 |
| Canada-1 | portal-ca.central.arubanetworks.com | HTTPS TCP port 443 |
| China-1 | portal.central.arubanetworks.com.cn | HTTPS TCP port 443 |
| APAC-1 | portal-apac.central.arubanetworks.com | HTTPS TCP port 443 |
| APAC-EAST1 | portal-apaceast.central.arubanetworks.com | HTTPS TCP port 443 |
| APAC-SOUTH1 | portal-apacsouth.central.arubanetworks.com | HTTPS TCP port 443 |

Domain Names for Device Communication with Aruba Central

Table 24: Domain Names for Device Communication with Aruba Central

| Region | Aruba Central URL | URL for Device Connectivity | Protocol | FQDNs for SD-WAN Orchestrator Service |
|---|---|---|---|---|
| US-1 | app.central.arubanetworks.com | app1.central.arubanetworks.com | HTTPS TCP port 443 | app1h2.central.arubanetworks.com |
| US-2 | app-prod2.central.arubanetworks.com | deviceprod2.central.arubanetworks.com | HTTPS TCP port 443 | device-prod2h2.central.arubanetworks.com |
| US-WEST-4 | app-uswest4.central.arubanetworks.com | deviceuswest4.central.arubanetworks.com | HTTPS TCP port 443 | device-uswest4h2.central.arubanetworks.com |
| EU-1 | app2-eu.central.arubanetworks.com | deviceeu.central.arubanetworks.com | HTTPS TCP port 443 | device-euh2.central.arubanetworks.com |
| EU-2 | app-eucentral2.central.arubanetworks.com | deviceeucentral2.central.arubanetworks.com | HTTPS TCP port 443 | device-eucentral2h2.central.arubanetworks.com |
| EU-3 | app-eucentral3.central.arubanetworks.com | deviceeucentral3.central.arubanetworks.com | HTTPS TCP port 443 | device-eucentral3h2.central.arubanetworks.com |
| Canada-1 | app-ca.central.arubanetworks.com | deviceca.central.arubanetworks.com | HTTPS TCP port 443 | device-cah2.central.arubanetworks.com |
| China-1 | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS TCP port 443 | deviceh2.central.arubanetworks.com.cn |
| APAC-1 | app2-ap.central.arubanetworks.com | app1ap.central.arubanetworks.com | HTTPS TCP port 443 | app1-aph2.central.arubanetworks.com |
| APAC-EAST1 | appapaceast.central.arubanetworks.com | deviceapaceast.central.arubanetworks.com | HTTPS TCP port 443 | device-apaceasth2.central.arubanetworks.com |
| APAC-SOUTH1 | appapacsouth.central.arubanetworks.com | deviceapacsouth.central.arubanetworks.com | HTTPS TCP port 443 | device-apacsouthh2.central.arubanetworks.com |

Domain Names for AOS-CX Device Communication with Aruba Central

Table 25: Domain Names for AOS-CX Device Communication with Aruba Central

| Region | Aruba Central URL | URL for Device Connectivity | Protocol |
|---|---|---|---|
| US-1 | app.central.arubanetworks.com | device-prodd2.central.arubanetworks.com | HTTPS TCP port 443 |
| US-2 | app-prod2.central.arubanetworks.com | deviceprod2.central.arubanetworks.com | HTTPS TCP port 443 |
| US-WEST-4 | app-uswest4.central.arubanetworks.com | device-uswest4d2.central.arubanetworks.com | HTTPS TCP port 443 |
| EU-1 | app2-eu.central.arubanetworks.com | device-eu.central.arubanetworks.com | HTTPS TCP port 443 |
| EU-2 | app-eucentral2.central.arubanetworks.com | device-eucentral2-d2.central.arubanetworks.com | HTTPS TCP port 443 |
| EU-3 | app-eucentral3.central.arubanetworks.com | device-eucentral3-d2.central.arubanetworks.com | HTTPS TCP port 443 |
| Canada-1 | app-ca.central.arubanetworks.com | device-ca.central.arubanetworks.com | HTTPS TCP port 443 |
| China-1 | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS TCP port 443 |
| APAC-1 | app2-ap.central.arubanetworks.com | app1-ap.central.arubanetworks.com | HTTPS TCP port 443 |
| APAC-EAST1 | appapaceast.central.arubanetworks.com | deviceapaceast.central.arubanetworks.com | HTTPS TCP port 443 |
| APAC-SOUTH1 | appapacsouth.central.arubanetworks.com | deviceapacsouth.central.arubanetworks.com | HTTPS TCP port 443 |

Domain Names for Device Communication with Aruba Activate

Table 26: Domain Names for Device Communication with Aruba Activate

| Domain Name | Protocol |
|---|---|
| device.arubanetworks.com, devices-v2.arubanetworks.com | HTTPS TCP port 443 |
| est.arubanetworks.com * | |

* Required for Aruba 2530 switches to provision certificate using the EST server in activate.

Cloud Guest Server Domains for Guest Access Service

Table 27: Domain Names for Cloud Guest Server Access

| Region | Domain Name | Protocol |
|---|---|---|
| US-1 | nae1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| | nae1-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| US-2 | naw2.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| | naw2-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| US-WEST-4 | uswest4.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| | uswest4-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| EU-1 | euw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| | euw1-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| EU-2 | naw2.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| | naw2-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| EU-3 | euw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| | euw1-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| Canada-1 | ca.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| | ca-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| APAC-1 | ap1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| | ap1-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| APAC-EAST1 | apaceast.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| | apaceast-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| APAC-SOUTH1 | apacsouth.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| | apacsouth-elb.cloudguest.central.arubanetworks.com | TCP port 443 |

Domain Names for OpenFlow

Table 28: Domain Names for OpenFlow

| Region | Domain Name |
|---|---|
| US-1 | https://app2-ofc.central.arubanetworks.com |
| US-2 | https://ofc-prod2.central.arubanetworks.com |
| US-WEST-4 | https://ofc-uswest4.central.arubanetworks.com |
| EU-1 | https://app2-eu-ofc.central.arubanetworks.com |
| EU-2 | https://ofc-eucentral2.central.arubanetworks.com |
| EU-3 | https://ofc-eucentral3.central.arubanetworks.com |
| Canada-1 | https://ofc-ca.central.arubanetworks.com |
| China-1 | https://ofc.central.arubanetworks.com.cn |
| APAC-1 | https://app2-ap-ofc.central.arubanetworks.com |
| APAC-EAST1 | https://ofc-apaceast.central.arubanetworks.com |
| APAC-SOUTH1 | https://ofc-apacsouth.central.arubanetworks.com |

Other Domain Names

Table 29: Other Domain Names

| Domain Name | Protocol | Description |
|---|---|---|
| sso.arubanetworks.com | TCP port 443 | Allows users to access their accounts on the internal server. |
| internal.central.arubanetworks.com, internal2.central.arubanetworks.com | TCP port 443 | Allows users to access the Aruba Central Internal portal. |
| pool.ntp.org | UDP port 123 | Allows users to update the internal clock and configure time zone when a factory default device comes up. By default, the Aruba devices contact pool.ntp.org and use NTP to synchronize their system clocks. |
| activate.arubanetworks.com | TCP port 443 | Allows users to configure provisioning rules in Activate. |
| stun.pqm.arubanetworks.com | UDP or TCP port 3478 and 3479 | Allows users to discover public IP over the WAN uplinks configured on devices. |
| pqm.arubanetworks.com | ICMP or UDP port 4500 | Allows users to check the health of WAN uplinks configured on Branch Gateways. |
| images.arubanetworks.com | TCP port 80 | Allows users to access the server that hosts software images available for upgrading devices. |
| http://h30326.www3.hpe.com | TCP port 80 | Allows users to access the Aruba switch software images. To view the URL for software updates, use the show activate software-update command. |
| d2vxf1j0rhr3p0.cloudfront.net | TCP port 443 | Allows users to access the CloudFront server for locating Instant AP software images. |
| rcs-m.central.arubanetworks.com (For all other regions), central-eurcs.central.arubanetworks.com (For Europe region) | TCP port 443 | Allows users to access a device console through SSH. |
| cloud.arubanetworks.com | TCP port 80 | Allows users to open the Aruba Central evaluation sign-up page. |
| aruba.brightcloud.com | TCP port 443 | Enables devices to access the Webroot Brightcloud server for application, application categories, and website content classification. |
| bcap15-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to look up the Webroot Brightcloud server for Website categories. |
| api-dualstack.bcti.brightcloud.com | TCP port 443 | Allows Aruba devices to access the IP Reputation and IP Geolocation service on the Webroot Brightcloud server. |
| database-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to download the website classification database from the Webroot Brightcloud server. |

When configuring ACLs to allow traffic over a network firewall, use the domain names instead of the IP addresses. For Branch Gateways to set up IPsec tunnel with the VPN concentrators, the UDP 4500 port must be open.
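One way to audit a site's egress allow-list against the endpoints tabulated above, as an added example that is not part of the guide or of any Aruba tooling. The policy-file format, the function names, and the choice of an EU-1 subset are assumptions made for illustration; the hostnames and ports come from the tables in this section.

```python
"""Audit an egress allow-list against endpoints listed in the guide (added example)."""
import ipaddress

# Subset of the guide's tables for a site in the EU-1 region: (fqdn, protocol, port).
REQUIRED_EU1 = [
    ("portal-eu.central.arubanetworks.com", "tcp", 443),
    ("device.arubanetworks.com", "tcp", 443),
    ("devices-v2.arubanetworks.com", "tcp", 443),
    ("euw1.cloudguest.central.arubanetworks.com", "tcp", 2083),
    ("euw1.cloudguest.central.arubanetworks.com", "tcp", 443),
    ("euw1-elb.cloudguest.central.arubanetworks.com", "tcp", 443),
    ("activate.arubanetworks.com", "tcp", 443),
    ("images.arubanetworks.com", "tcp", 80),
    ("pool.ntp.org", "udp", 123),
    ("pqm.arubanetworks.com", "udp", 4500),  # Branch Gateway IPsec needs UDP 4500
]

# Constructed sample policy in a hypothetical "<fqdn-or-pattern> <proto> <ports>" format.
SAMPLE_POLICY = """
# site egress policy (constructed sample)
*.central.arubanetworks.com   tcp  443
*.arubanetworks.com           tcp  443
pool.ntp.org                  udp  123
images.arubanetworks.com      tcp  80-81
203.0.113.10                  tcp  443   # IP literal: the guide says to use domain names
"""


def parse_ports(spec):
    """Turn '443', '80-81' or '2083,443' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_policy(text):
    """Parse the allow-list into (pattern, protocol, ports) rules; '#' starts a comment."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[1].lower() not in ("tcp", "udp"):
            raise ValueError(f"line {lineno}: expected '<fqdn> <tcp|udp> <ports>'")
        rules.append((fields[0], fields[1].lower(), parse_ports(fields[2])))
    return rules


def host_matches(pattern, host):
    """Exact match, or '*.example.com' covering any subdomain but not the apex."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def missing_endpoints(required, rules):
    """Return required (fqdn, proto, port) tuples that no rule allows."""
    return [
        (host, proto, port)
        for host, proto, port in required
        if not any(host_matches(pat, host) and proto == r_proto and port in ports
                   for pat, r_proto, ports in rules)
    ]


def ip_literal_rules(rules):
    """Return rule targets written as IP addresses instead of domain names."""
    found = []
    for pattern, _, _ in rules:
        try:
            ipaddress.ip_address(pattern)
        except ValueError:
            continue
        found.append(pattern)
    return found


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for host, proto, port in missing_endpoints(REQUIRED_EU1, rules):
        print(f"NOT ALLOWED: {host} {proto}/{port}")
    for target in ip_literal_rules(rules):
        print(f"IP LITERAL:  {target} (replace with the domain name)")
```

Broad wildcard rules on TCP 443 hide the two gaps this sample policy has: guest access on TCP 2083 and the UDP 4500 flow, both of which need their own entries.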

Connecting Devices to Aruba Central
Aruba devices support automatic provisioning, also known as ZTP. In other words, Aruba devices can download provisioning parameters from Aruba Activate and connect to their management entity once they are powered on and connected to the network.
Although most of the communication between devices on the remote site and Aruba Central server in the cloud is carried out through HTTPS (TCP 443), you may want to open the following ports for devices to communicate over network firewall.
This section includes the following topics:

- Domain names for Aruba Central Portal Access
- Domain Names for Device Communication with Aruba Central
- Domain Names for Device Communication with Aruba Activate
- Cloud Guest Server Domains for Guest Access Service
- Domain Names for OpenFlow
- Other Domain Names

Domain names for Aruba Central Portal Access

Table 30: Domain Names and URLs for Aruba Central Portal Access

| Region | Domain Name | Protocol |
|---|---|---|
| US-1 | portal.central.arubanetworks.com | HTTPS TCP port 443 |
| US-2 | portal-prod2.central.arubanetworks.com | HTTPS TCP port 443 |
| US-WEST-4 | portal-uswest4.central.arubanetworks.com | HTTPS TCP port 443 |
| EU-1 | portal-eu.central.arubanetworks.com | HTTPS TCP port 443 |
| EU-2 | portal-eucentral2.central.arubanetworks.com | HTTPS TCP port 443 |
| EU-3 | portal-eucentral3.central.arubanetworks.com | HTTPS TCP port 443 |
| Canada-1 | portal-ca.central.arubanetworks.com | HTTPS TCP port 443 |
| China-1 | portal.central.arubanetworks.com.cn | HTTPS TCP port 443 |
| APAC-1 | portal-apac.central.arubanetworks.com | HTTPS TCP port 443 |
| APAC-EAST1 | portal-apaceast.central.arubanetworks.com | HTTPS TCP port 443 |
| APAC-SOUTH1 | portal-apacsouth.central.arubanetworks.com | HTTPS TCP port 443 |

Domain Names for Device Communication with Aruba Central

Table 31: Domain Names for Device Communication with Aruba Central

| Region | Aruba Central URL | URL for Device Connectivity | Protocol | FQDNs for SD-WAN Orchestrator Service |
|---|---|---|---|---|
| US-1 | app.central.arubanetworks.com | app1.central.arubanetworks.com | HTTPS TCP port 443 | app1h2.central.arubanetworks.com |
| US-2 | app-prod2.central.arubanetworks.com | deviceprod2.central.arubanetworks.com | HTTPS TCP port 443 | device-prod2h2.central.arubanetworks.com |
| US-WEST-4 | app-uswest4.central.arubanetworks.com | deviceuswest4.central.arubanetworks.com | HTTPS TCP port 443 | device-uswest4h2.central.arubanetworks.com |
| EU-1 | app2-eu.central.arubanetworks.com | deviceeu.central.arubanetworks.com | HTTPS TCP port 443 | device-euh2.central.arubanetworks.com |
| EU-2 | app-eucentral2.central.arubanetworks.com | deviceeucentral2.central.arubanetworks.com | HTTPS TCP port 443 | device-eucentral2h2.central.arubanetworks.com |
| EU-3 | app-eucentral3.central.arubanetworks.com | deviceeucentral3.central.arubanetworks.com | HTTPS TCP port 443 | device-eucentral3h2.central.arubanetworks.com |
| Canada-1 | app-ca.central.arubanetworks.com | deviceca.central.arubanetworks.com | HTTPS TCP port 443 | device-cah2.central.arubanetworks.com |
| China-1 | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS TCP port 443 | deviceh2.central.arubanetworks.com.cn |
| APAC-1 | app2-ap.central.arubanetworks.com | app1ap.central.arubanetworks.com | HTTPS TCP port 443 | app1-aph2.central.arubanetworks.com |
| APAC-EAST1 | appapaceast.central.arubanetworks.com | deviceapaceast.central.arubanetworks.com | HTTPS TCP port 443 | device-apaceasth2.central.arubanetworks.com |
| APAC-SOUTH1 | appapacsouth.central.arubanetworks.com | deviceapacsouth.central.arubanetworks.com | HTTPS TCP port 443 | device-apacsouthh2.central.arubanetworks.com |

Domain Names for AOS-CX Device Communication with Aruba Central

Table 32: Domain Names for AOS-CX Device Communication with Aruba Central

| Region | Aruba Central URL | URL for Device Connectivity | Protocol |
|---|---|---|---|
| US-1 | app.central.arubanetworks.com | device-prodd2.central.arubanetworks.com | HTTPS TCP port 443 |
| US-2 | app-prod2.central.arubanetworks.com | deviceprod2.central.arubanetworks.com | HTTPS TCP port 443 |
| US-WEST-4 | app-uswest4.central.arubanetworks.com | device-uswest4d2.central.arubanetworks.com | HTTPS TCP port 443 |
| EU-1 | app2-eu.central.arubanetworks.com | device-eu.central.arubanetworks.com | HTTPS TCP port 443 |
| EU-2 | app-eucentral2.central.arubanetworks.com | device-eucentral2-d2.central.arubanetworks.com | HTTPS TCP port 443 |
| EU-3 | app-eucentral3.central.arubanetworks.com | device-eucentral3-d2.central.arubanetworks.com | HTTPS TCP port 443 |
| Canada-1 | app-ca.central.arubanetworks.com | device-ca.central.arubanetworks.com | HTTPS TCP port 443 |
| China-1 | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS TCP port 443 |
| APAC-1 | app2-ap.central.arubanetworks.com | app1-ap.central.arubanetworks.com | HTTPS TCP port 443 |
| APAC-EAST1 | appapaceast.central.arubanetworks.com | deviceapaceast.central.arubanetworks.com | HTTPS TCP port 443 |
| APAC-SOUTH1 | appapacsouth.central.arubanetworks.com | deviceapacsouth.central.arubanetworks.com | HTTPS TCP port 443 |

Domain Names for Device Communication with Aruba Activate

Table 33: Domain Names for Device Communication with Aruba Activate

| Domain Name | Protocol |
|---|---|
| device.arubanetworks.com, devices-v2.arubanetworks.com | HTTPS TCP port 443 |
| est.arubanetworks.com * | |

* Required for Aruba 2530 switches to provision certificate using the EST server in activate.

Cloud Guest Server Domains for Guest Access Service

Table 34: Domain Names for Cloud Guest Server Access

Region | Domain Name | Protocol
US-1 | nae1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-1 | nae1-elb.cloudguest.central.arubanetworks.com | TCP port 443
US-2 | naw2.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-2 | naw2-elb.cloudguest.central.arubanetworks.com | TCP port 443
US-WEST-4 | uswest4.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-WEST-4 | uswest4-elb.cloudguest.central.arubanetworks.com | TCP port 443
EU-1 | euw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
EU-1 | euw1-elb.cloudguest.central.arubanetworks.com | TCP port 443
EU-2 | naw2.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
EU-2 | naw2-elb.cloudguest.central.arubanetworks.com | TCP port 443
EU-3 | euw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
EU-3 | euw1-elb.cloudguest.central.arubanetworks.com | TCP port 443
Canada-1 | ca.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
Canada-1 | ca-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-1 | ap1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-1 | ap1-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-EAST1 | apaceast.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-EAST1 | apaceast-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-SOUTH1 | apacsouth.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-SOUTH1 | apacsouth-elb.cloudguest.central.arubanetworks.com | TCP port 443

Domain Names for OpenFlow

Table 35: Domain Names for OpenFlow

Region | Domain Name
US-1 | https://app2-ofc.central.arubanetworks.com
US-2 | https://ofc-prod2.central.arubanetworks.com
US-WEST-4 | https://ofc-uswest4.central.arubanetworks.com
EU-1 | https://app2-eu-ofc.central.arubanetworks.com
EU-2 | https://ofc-eucentral2.central.arubanetworks.com
EU-3 | https://ofc-eucentral3.central.arubanetworks.com
Canada-1 | https://ofc-ca.central.arubanetworks.com
China-1 | https://ofc.central.arubanetworks.com.cn
APAC-1 | https://app2-ap-ofc.central.arubanetworks.com
APAC-EAST1 | https://ofc-apaceast.central.arubanetworks.com
APAC-SOUTH1 | https://ofc-apacsouth.central.arubanetworks.com

Other Domain Names

Table 36: Other Domain Names

Domain Name | Protocol | Description
sso.arubanetworks.com | TCP port 443 | Allows users to access their accounts on the internal server.
internal.central.arubanetworks.com, internal2.central.arubanetworks.com | TCP port 443 | Allows users to access the Aruba Central Internal portal.
pool.ntp.org | UDP port 123 | Allows users to update the internal clock and configure time zone when a factory default device comes up. By default, the Aruba devices contact pool.ntp.org and use NTP to synchronize their system clocks.
activate.arubanetworks.com | TCP port 443 | Allows users to configure provisioning rules in Activate.
stun.pqm.arubanetworks.com | UDP or TCP port 3478 and 3479 | Allows users to discover public IP over the WAN uplinks configured on devices.
pqm.arubanetworks.com | ICMP or UDP port 4500 | Allows users to check the health of WAN uplinks configured on Branch Gateways.
images.arubanetworks.com | TCP port 80 | Allows users to access the server that hosts software images available for upgrading devices.
http://h30326.www3.hpe.com | TCP port 80 | Allows users to access the Aruba switch software images. To view the URL for software updates, use the show activate software-update command.
d2vxf1j0rhr3p0.cloudfront.net | TCP port 443 | Allows users to access the CloudFront server for locating Instant AP software images.
rcs-m.central.arubanetworks.com (For all other regions), central-eurcs.central.arubanetworks.com (For Europe region) | TCP port 443 | Allows users to access a device console through SSH.
cloud.arubanetworks.com | TCP port 80 | Allows users to open the Aruba Central evaluation sign-up page.
aruba.brightcloud.com | TCP port 443 | Enables devices to access the Webroot Brightcloud server for application, application categories, and website content classification.
bcap15-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to look up the Webroot Brightcloud server for Website categories.
api-dualstack.bcti.brightcloud.com | TCP port 443 | Allows Aruba devices to access the IP Reputation and IP Geolocation service on the Webroot Brightcloud server.
database-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to download the website classification database from the Webroot Brightcloud server.

When configuring ACLs to allow traffic over a network firewall, use the domain names instead of the IP addresses. For Branch Gateways to set up IPsec tunnel with the VPN concentrators, the UDP 4500 port must be open.
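One way to verify, from the provisioning network, that firewall rules built from the tables above actually pass traffic; this is an added example, not part of the Aruba Central guide or any HPE tooling. The endpoint list is a constructed US-1 subset of the tables, and the names `REQUIRED`, `Result`, `check`, and `needs_attention` are assumptions of this example.

```python
"""Reachability check for the endpoints a firewall must allow for Aruba Central.
Added example: resolves each name the way a device would, then tries every
address returned, because a rule pinned to one IP passes some and drops others."""
import socket
from dataclasses import dataclass

# Constructed subset of the tables above (US-1 region plus shared services):
# (host, transport, port, purpose)
REQUIRED = [
    ("app.central.arubanetworks.com", "tcp", 443, "Aruba Central portal"),
    ("device.arubanetworks.com", "tcp", 443, "Aruba Activate"),
    ("nae1.cloudguest.central.arubanetworks.com", "tcp", 2083, "Cloud Guest"),
    ("nae1.cloudguest.central.arubanetworks.com", "tcp", 443, "Cloud Guest"),
    ("sso.arubanetworks.com", "tcp", 443, "SSO"),
    ("images.arubanetworks.com", "tcp", 80, "software images"),
    ("pool.ntp.org", "udp", 123, "NTP"),
    ("stun.pqm.arubanetworks.com", "udp", 3478, "STUN"),
]


@dataclass
class Result:
    host: str
    transport: str
    port: int
    status: str  # ok | partial | blocked | dns-fail | unverified
    detail: str


def default_resolve(host):
    """Return the IPv4 addresses the local resolver gives for host."""
    infos = socket.getaddrinfo(host, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def default_connect(addr, port, timeout=3.0):
    """Complete a TCP handshake to addr:port or raise OSError."""
    with socket.create_connection((addr, port), timeout=timeout):
        pass


def check(endpoints, resolve=default_resolve, connect=default_connect):
    """Classify every endpoint; resolve/connect are injectable for testing."""
    results = []
    for host, transport, port, _purpose in endpoints:
        try:
            addrs = resolve(host)
        except OSError as exc:  # socket.gaierror is an OSError
            results.append(Result(host, transport, port, "dns-fail", str(exc)))
            continue
        if not addrs:
            results.append(Result(host, transport, port, "dns-fail", "no A records"))
            continue
        if transport != "tcp":
            # UDP has no handshake, so silence proves nothing either way.
            results.append(Result(host, transport, port, "unverified",
                                  f"resolves to {len(addrs)} address(es); "
                                  "confirm the UDP rule on the firewall"))
            continue
        reached, failed = [], []
        for addr in addrs:
            try:
                connect(addr, port)
                reached.append(addr)
            except OSError as exc:  # timeouts and refusals are OSError too
                failed.append(f"{addr} ({exc})")
        if not failed:
            status, detail = "ok", ", ".join(reached)
        elif reached:
            # Some addresses pass, some do not: typical of an IP-pinned ACL.
            status, detail = "partial", "unreachable: " + ", ".join(failed)
        else:
            status, detail = "blocked", "unreachable: " + ", ".join(failed)
        results.append(Result(host, transport, port, status, detail))
    return results


def needs_attention(results):
    """Results an operator must act on before onboarding devices."""
    return [r for r in results if r.status in ("partial", "blocked", "dns-fail")]


if __name__ == "__main__":
    for r in check(REQUIRED):
        print(f"{r.status:<10} {r.transport}/{r.port:<5} {r.host}  {r.detail}")
```

A `partial` result is the one to watch for: it means the name resolves to several addresses and the firewall passes only some of them, which is what an ACL written against IP addresses instead of domain names produces.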
Connecting Instant APs to Aruba Central
To bring up Instant APs in Aruba Central, perform the following steps:

1. Connect the Instant AP to a provisioning network.
2. Ensure that Instant AP is operational and is connected to the Internet.
3. Ensure that the Instant AP has a valid DNS server address either through DHCP or static IP configuration.
4. Ensure that NTP server is running and Instant AP system clock is configured.
Connecting Aruba Switches to Aruba Central
Note the following points about automatic provisioning of switches:
- Pre-configured switches can now join Aruba Central. You can also import configuration from these switches to generate a template. For more information, see Creating a Configuration Template.
- If the switches ship with a version lower than the minimum supported firmware version, a factory reset may be required, so that the switch can initiate a connection to Aruba Central. For information on the minimum firmware versions supported on the switches, see Supported AOS-Switch Platforms.
- During Zero Touch Provisioning, the Aruba switches can join Aruba Central only if they are running the factory default configuration, and have a valid IP address and DNS settings from a DHCP server.
- The provisioning of the Aruba Mobility Access Switch fails when the provisioning process is interrupted during the initial booting and if the switch has a static IP address with no DNS server configured.

Connecting SD-WAN Gateways to Aruba Central
The Aruba gateways have the ability to automatically provision themselves and connect to Aruba Central once they are powered on. The gateways also support multiple active uplinks for ZTP (also referred to as automatic provisioning). The supported ZTP ports for different hardware platforms are listed in the following table. All these ZTP ports are assigned to VLAN 4094.

Table 37: ArubaOS Hardware Platforms and Supported ZTP Ports
ArubaOS Hardware Platform | Supported ZTP Ports
Aruba 7005 Gateway | ALL ports except 0/0/1
Aruba 7008 Gateway | ALL ports except 0/0/1
Aruba 7010 Gateway | ALL ports except 0/0/1
Aruba 7030 Gateway | ALL ports except 0/0/1
Aruba 7024 Gateway | ALL ports except 0/0/1
Aruba 7210 Gateway | ALL ports except 0/0/1
Aruba 7220 Gateway | ALL ports except 0/0/1
Aruba 7240 Gateway | ALL ports except 0/0/1
Aruba 7280 Gateway | ALL ports except 0/0/1
Aruba 9004 Gateway | ALL ports except 0/0/1
Aruba 9004-LTE Gateway | ALL ports except 0/0/1
Aruba 9012 Gateway | ALL ports except 0/0/1

To know the minimum software version required for the gateways, see Supported SD-Branch Components.
To automatically provision the gateways:
1. Connect your gateway to the provisioning network.
2. Wait for the device to obtain an IP address through DHCP. Gateways support multiple uplink ports. The first port to receive the DHCP IP connects to the Activate server and completes the provisioning procedure:
   - If the device has factory default configuration, it receives an IP address through DHCP, connects to Aruba Activate, and downloads the provisioning parameters. When a device identifies Aruba Central as its management entity, it automatically connects to Aruba Central.
   - If the device is running a software version that does not have the SD-WAN image, the devices are automatically upgraded to a supported SD-WAN software version.

Aruba 72xx gateways with the ArubaOS 8.3.0.9 factory default image use only port 0/0/1 (the last copper port) for ZTP. When the factory default gateways connect to Activate through ZTP for the first time, Activate recommends a base SD-WAN image, which the gateways will download. In the SD-WAN image, port 0/0/1 is used as a debug port, and DHCP requests will not be sent out of port 0/0/1 for subsequent ZTP requests. Hence, the ZTP workflow for Aruba 72xx gateways with the ArubaOS 8.3.0.9 factory default image will not work. You must manually upgrade the Aruba 72xx gateways to the SD-WAN image or use other methods like full-setup and static-activate to provision the gateways.

3. Observe the LED indicators. Table 2 describes the LED behavior.

Table 38: LED Indicators

LED Indicator | LCD Text | Description
Solid Amber | Getting DHCP IP | Indicates that the uplink connection is UP, but DHCP IP is yet to be retrieved.
Blinking Amber | Activate Wait | Indicates that the device was able to reach the DHCP server and the connection to the Activate server is yet to be established.
Solid Green | Activate OK | Indicates that the device was able to retrieve provisioning parameters from the Activate server.
Alternating Solid Green and Amber | Activate Error | Indicates that the device was not able to retrieve provisioning parameters.

After successfully connecting to Aruba Central, the gateways download the configuration from Aruba Central.

- From ArubaOS 8.7.0.0-2.3.0.0 release version onwards, Aruba SD-Branch Gateways no longer require additional reboot when they receive the controller IP from Aruba Central after the ZTP process. Some services are restarted, resulting in an expected network impact, but the gateways do not reload for the second time. However, the gateways will reboot if there are any subsequent controller IP changes.
- The gateways also include service ports that the technicians can use for manually provisioning devices in the event of ZTP failure. For more information on ports available for Aruba 7000 Series Mobility Controllers and Aruba 7200 Series Mobility Controllers, see ArubaOS User Guide.
Device Configuration and Network Management
Aruba Central supports provisioning, managing, monitoring, and troubleshooting workflows for the following types of Aruba devices:
- Instant APs--Know more about Instant AP, supported hardware platforms and software versions and learn how to manage your WLAN deployments with Instant APs. For more information, see Instant APs.
- Switches--Know more about Aruba switches, supported hardware platforms and software versions, and learn how to manage wired access using switches. For more information, see AOS-Switches Overview.
- Gateways--Know more about SD-WAN Gateways, supported hardware platforms and software versions, and learn how to build and manage SD-WAN deployments. For more information, see Aruba SD-Branch Solution.
- Virtual Gateways--Deploy, connect, and manage Virtual Gateways hosted on customer VPC from Aruba Central. For more information, see Deploying Aruba Virtual Gateways.
Using the Search Bar
The search bar in the Network Operations app enables users to search for clients, devices, and infrastructure connected to the network. The search also retrieves relevant documentation to help users efficiently operate their networks. The search engine uses Natural Language Processing (NLP) to analyze queries and return relevant search results. The following figure illustrates the search bar option in Aruba Central.
Figure 19 Search Bar
To start a search in the Aruba Central UI, click the search bar or press / (forward slash) on your computer keyboard. When you click the search bar, you can see the search suggestions in the Recent and Suggested Search list.
- Recent--Shows the searches performed recently in the search bar. These suggestions help you quickly look at the previous searches.
- Suggested Search--Shows search suggestions corresponding to the workflow that you follow in the Network Operations app. The suggested searches help you perform onboarding, monitoring, configuring, and troubleshooting tasks. For more information, see the Suggested Search page.
The following figure illustrates the sample search result in Aruba Central.
Figure 20 Sample Search Result

From the search results, you can navigate to:
1. Search Cards--displays monitoring summary and links to configuration, monitoring, and troubleshooting pages in the Network Operations app.
2. View--relevant links to the corresponding pages in the Network Operations app.
3. Read--relevant links to the help pages in the Aruba Central Help Center.
Suggested Search
The search bar displays search suggestions corresponding to the workflow that you follow as a user of the platform. The suggestions help you perform on-boarding tasks and bring up the devices in the network, configure and troubleshoot the network issues. The following are some of the sample queries to get you started on the on-boarding journey. These sample queries in the Network Operations app search bar can guide you into getting started with Central, adding devices, assigning licenses to devices, creating groups and sites, and so on:
- Getting started with Central
- How to add devices
- How do I add licenses
- How to create groups
- How to create sites
- How to add device to a site
- How to add a new user
- Where to find install manager
- Install manager issues
The following figure illustrates search suggestions to get started with Aruba Central.
Figure 21 Suggestions to Get Started with Aruba Central
The following sample queries in the Network Operations app search bar can guide you to create SSIDs, configure a switch group, configure a gateway and so on:
- How to configure an SSID
- Configure SSID for group <Group Name> (Detect an AP group without SSID configuration)
- How to configure a switch group
- Configure switch group <Group Name>
- How to configure a switch port
- How to configure a Micro branch AP
- Configure Micro branch group <Name>
- How to configure a gateway.
- Configure gateway group <Group Name>
The following figure illustrates search suggestions for the next actions to perform in Aruba Central based on the workflow that you follow in the Network Operations app.
Figure 22 Suggestions to Get Started with Aruba Central
Client Search Terms
The search bar helps you to search a client's information and navigate to the configuration and troubleshooting pages of the client in the Network Operations app. The sample search terms in this page help you with the list of terms for troubleshooting the client issues in the Network Operations app. Using the search bar you can perform the following tasks:
- Hover over a client search card to view more details and links to the monitoring, configuration, and troubleshooting pages.
- Click the client name to open the Client Details page.
- Click View to open the corresponding page in Aruba Central. For example, clicking the View button corresponding to High DHCP Failures opens the AI Insights dashboard.
- Click Read to navigate to the documentation page in the Aruba Central Help Center relevant to the search terms.
Search Cards for Clients
The search results in Aruba Central display certain cards with monitoring information and links to the configuration and troubleshooting pages for the client. You can click the links to navigate to that particular page of the client in the Network Operations app. You can see the search cards when you search with the client name, IP address, or MAC address.
Following is an example of the search card that appears when you search with a client name:
Figure 23 Search Card for Client Name Search
Options available on the client's search card:
- Network Check--Opens the Network Check page for the client.
- Live Events--Opens the Live Troubleshooting page for the client.
- Events--Opens the Alerts & Events page for the client.
- Disconnect--Opens the Client Details page to disconnect the client.
- Insights--Opens the AI Insights page for the client.
Following is an example of the search card that appears when you search with a client IP address:
Figure 24 Search Card for Client IP Address Search
Following is an example of the search card that appears when you search with a client MAC address:
Figure 25 Search Card_Client MAC Address

Sample Search Terms for a Client
The following table lists the sample search terms for a client.

Table 39: Client Search Terms

Typical Queries | Search Terms | Result
View client(s) facing issues in the network | client issues; client anomalies; problem clients | Returns client(s) that failed to connect and client(s) experiencing issues such as high DHCP failures, authentication failures, high roaming latency, and so on.
View failed client(s) | client failures; failed clients | Returns client(s) that failed to connect to the network.
View client(s) running Windows operating system | list windows clients | Returns a list of the client(s) running Windows operating system.
View client(s) running Android operating system | list android clients | Returns a list of the client(s) running Android operating system.
View client(s) in a site | Enter list clients in site followed by the site name. Example--list clients in site California | Returns a list of all client(s) in the site.
View offline client(s) in a site | Enter show offline clients in site followed by the site name. Example--show offline clients in site California | Returns a list of offline client(s) in the site.
View connected client(s) in a particular site | Enter show connected clients in site followed by the site name. Example--show connected clients in site California | Returns a list of the connected client(s) in the site.
Search by client name | Enter the name of the client. Example--myipad | Returns the client whose name matches the search term.
Search by client MAC address | Enter client followed by the MAC address. Example--client 00:01:00:10:9f:20 | Returns the client whose MAC address matches the search term.

User Experience Search Terms
The following table provides a list of recommended search terms with the corresponding search results. These sample search terms can help you in gauging the network performance and identifying anomalies affecting user experience in the Network Operations app.

Table 40: User Experience Search Terms

Search Terms | Result
user experience issues | Returns the following links: Client-related insights generated for the last three hours; Network Health dashboard. Click View to open the corresponding page.
user experience issues last month | Returns client-related insights generated for the last one month.
client issues last week | Returns the following: Client(s) that failed to connect to the network in the last one week; Client-related insights generated for the last one week.
how is my network today | Returns the following links: Wi-Fi Connectivity dashboard; Network Health > List page. Click View to open the corresponding page.
is everything ok | Returns a link to the AI Insights dashboard. Click View to open the AI Insights dashboard and review the insights triggered.
roaming issues | Returns links to the following insights: Clients who Roamed Excessively; Clients with High Roaming Latency. Click View to open the corresponding insight and identify roaming anomalies.
authentication issues | Returns links to the following insights: Clients with High 802.1X Authentication Failures; Clients with High MAC Authentication Failures. Click View to open the corresponding insight and identify authentication anomalies.
problem clients | Returns client(s) that failed to connect and client(s) experiencing issues such as high DHCP failures, authentication failures, high roaming latency, and so on.
coverage issues | Returns links to the following insights: Clients with Low SNR Minutes; Coverage Holes Identified. Click View to open the corresponding insight and identify coverage anomalies.

Device Search Terms
The search bar helps you to search all devices monitored by Aruba Central. The search enables you to navigate to the monitoring, configuration, and troubleshooting pages of the devices in the Network Operations app. The sample search terms in this page help you with the list of terms for troubleshooting the device issues in the Network Operations app. Using the search bar you can perform the following tasks:
- Hover over a device search card to view more details and links to the monitoring, configuration, and troubleshooting pages.
- Click the device name to open the corresponding Device Details page.
- Click View to open the corresponding page in Aruba Central. For example, clicking the View button corresponding to Alerts & Events Overview opens the Alerts & Events page.
- Click Read to navigate to the documentation page in the Aruba Central Help Center relevant to the search terms.

Search Cards for Devices
The search results in Aruba Central display certain cards with monitoring information and links to the configuration and troubleshooting pages for the device. You can click the links to navigate to that particular page of the device in the Network Operations app. You can see the search cards when you search with the device name, IP address, MAC address, group, site, or label name. Following are the examples for APs, switches, and gateways.
Following is an example of the search card that appears when you search with an Access Point name:
Figure 26 Search Card for the Access Point Name Search
Options available on the AP name search card:
- Configure--Opens the AP Configuration page.
- Network Check--Opens the Network Check page.
- Locate--Locates the AP in the network.
- Events--Opens the Alerts & Events page for the AP.
- Clients--Opens the Clients page for the AP.
- Configure Group--Opens the Access Points page to configure a group for the AP.
- Insights--Opens the AI Insights page for the AP.
Following is an example of the search card that appears when you search with a Switch name:
Figure 27 Search Card for the Switch Name Search
Options available on the switch name search card:
- Configure--Opens the Switch Configuration page.
- Network Check--Opens the Network Check page for the switch.
- Console--Opens the Switch Details page.
- Events--Opens the Alerts & Events page for the switch.
- Clients--Opens the Clients page for the AP.
- Configure Group--Opens the Switches page to configure a group for the switch.
- Insights--Opens the AI Insights page for the switch.
The following is an example of the search card that appears when you search with a gateway name:
Figure 28 Search Card for the Gateway Name Search
Options available on the gateway name search card:
- Configure Group--Opens the Gateways page to configure a group for the gateway.
- Network Check--Opens the Network Check page for the gateway.
- Console--Opens the Gateway Summary page for the gateway.
- Events--Opens the Alerts & Events page for the gateway.
- Clients--Opens the Clients page for the gateway.
- Session--Opens the Sessions page for the gateway.
The following is an example of the search card that appears when you search with a device serial:
Figure 29 Search Card for the Device Serial Search
The following is an example of the search card that appears when you search with a device IP address:
Figure 30 Search Card for the Device IP Address Search
The following is an example of the search card that appears when you search with a device MAC address:
Figure 31 Search Card for the Device MAC Address Search
The following is an example of the search card that appears when you search with a device group name:
Figure 32 Search Card for the Device Group Name Search
The following is an example of the search card that appears when you search with a device label:
Figure 33 Search Card for the Label Search

Sample Device Search Terms
The following table lists the search terms for AP, switch, and gateway.

Table 41: Device Search Terms

Typical Queries | Search Terms | Result

Access Point
View AP(s) facing issues in the network | AP issues; AP anomalies; problem APs | Returns a list of the AP(s) that are offline, AP radios changing channels more frequently, AP(s) experiencing higher than normal channel utilization, AP(s) experiencing frequent transmit power changes, and AP(s) that missed sending telemetry data, and so on.
View AP(s) in a site | Enter list aps in site or show aps in site followed by the site name. Example--list aps in site California | Returns a list of the AP(s) in the site.
View a list of online AP(s) | online aps | Returns a list of the AP(s) that are online.
View AP(s) belonging to a group | Enter list aps in group followed by group name. Example--list aps in group default | Returns a list of the AP(s) that are belonging to the group.
View AP(s) tagged with a particular label | Enter list aps in label followed by the label name. Example--list aps in label lobby | Returns a list of the AP(s) that are tagged with the label.
View AP(s) by model number | Enter show ap model followed by the model number. Example--show ap model ap-105 | Returns a list of the AP(s) whose model number matches the search term.
Search by AP name | Enter the name of the AP. Example--printer-room | Returns the AP whose name matches the search term.
Search by AP MAC address | Enter ap followed by the MAC address. Example--ap 94:b4:0f:d9:ba:cc | Returns the AP whose MAC address matches the search term.
Search by AP serial number | Enter ap serial followed by the serial number. Example--ap serial CNJJKPN1G5 | Returns the AP whose serial number matches the search term.

Switch
View switch(es) facing issues in the network | switch issues; switch anomalies; problem switches | Returns a list of switch(es) that are offline, switch(es) experiencing high CPU and memory utilization, switch(es) facing PoE issues, and so on.
View switch(es) in a site | Enter list switches in site or show switches in site followed by the site name. Example--list switches in site California | Returns a list of switch(es) in the site.
View a list of online switch(es) | online switches | Returns a list of switch(es) that are online.
View switch(es) belonging to a group | Enter list switches in group followed by group name. Example--list switches in group default | Returns a list of switch(es) belonging to the group.
View switch(es) tagged with a label | Enter list switches in label followed by the label name. Example--list switches in label store | Returns a list of switch(es) that are tagged with the label.
Search by switch name | Enter the name of the switch. Example--store-switch | Returns the switch whose name matches the search term.
Search by switch MAC address | Enter switches followed by the MAC address. Example--switch f8:60:f0:b6:22:00 | Returns the switch whose MAC address matches the search term.
Search by switch serial number | Enter switch serial followed by the serial number. Example--switch serial CN90HKX045 | Returns the switch whose serial number matches the search term.

Gateway
View gateway(s) facing issues in the network | gateway issues; gateway anomalies; problem gateways | Returns a list of gateway(s) that are down, gateway(s) experiencing high CPU and memory utilization, gateway tunnel(s) that are down, and so on.
View gateway(s) in a site | Enter list gateways in site or show gateways in site followed by the site name. Example--list gateways in site California | Returns a list of gateway(s) in the site.
Configure gateway(s) in a particular group | Enter configure gateways in group followed by the site name. Example--configure gateways in group default | Returns a link to the gateway configuration page.
View a list of online gateway(s) | online gateways | Returns a list of gateway(s) that are online.
View gateway(s) belonging to a group | Enter list gateways in group followed by group name. Example--list gateways in group default | Returns a list of gateway(s) belonging to the group.
View gateway(s) tagged with a label | Enter list gateways in label followed by the label name. Example--list gateways in label lobby | Returns a list of gateway(s) that are tagged with the label.
Search by gateway name | Enter the name of the gateway. Example--branch | Returns the gateway whose name matches the search term.
Search by gateway MAC address | Enter gateway followed by the MAC address. Example--gateway 00:0b:86:f9:0d:d2 | Returns the gateway whose MAC address matches the search term.
Search by gateway serial number | Enter gateway serial followed by the serial number. Example--gateway serial CZ0003248 | Returns the gateway whose serial number matches the search term.

Network & Services Search Terms
The following table provides a list of recommended search terms with the corresponding search results for network and services.

Table 42: Network & Services Search Terms

Search Terms | Result
service issues | Returns the following links: Wi-Fi Connectivity dashboard; AI Insights dashboard. Click View to open the corresponding page.
dhcp issues | Returns a link to the Clients with DHCP Server Connection Problems insight. Click View to open the insight and identify the DHCP failures impacting the network.
dns issues | Returns links to the following insights: DNS Queries Failed to Reach or Return from the Server; Delayed DNS Request or Response; DNS Servers Rejected High Number of Queries. Click View to open the corresponding insight and identify DNS anomalies.
authentication issues | Returns links to the following insights: Clients with High 802.1X Authentication Failures; Clients with High MAC Authentication Failures. Click View to open the corresponding insight and identify authentication anomalies.

Site Search Terms
The search bar helps you to search all sites monitored by Aruba Central.

Aruba Central | User Guide

133

The sample search terms in this page help you with the list of terms for troubleshooting the site issues in the Network Operations app. Using the search bar you can perform the following tasks for a site:
n Hover over a site search card to view more details and links to the monitoring and troubleshooting pages.
n Click the site name to open the Site Health page. n Click View to open the corresponding page in Aruba Central. For example, clicking the View button
corresponding to Site Issues opens the AI Insights dashboard.
Search Cards for Sites
The search results in Aruba Central displays certain cards with monitoring information and links to the troubleshooting pages for the site. You can click the links to navigate to that particular page of the site in the Network Operations app. You can see the search cards when you search with the site name. Following is an example of the search card that appears when you search with a site name:
Figure 34 Search Card for a Site Name Search

Options available on the site search card:
- Site Health--Opens the Site Health page.
- Summary--Opens the Summary page for the site.
- Topology--Opens the Topology page for the site.
- Events--Opens the Alerts & Events page for the site.
- Reports--Opens the Reports page for the site.
The following table lists the search terms for a site.

Table 43: Site Search Terms

| Typical Queries | Search Terms | Result |
|---|---|---|
| View problems in a site | Enter any problems in site followed by the site name. Example--any problems in site California | Returns the link to navigate to the AI Insights dashboard for the site. |
| View client(s) in a site | Enter list clients in site followed by the site name. Example--list clients in site California | Returns a list of all client(s) in the site. |
| View offline client(s) in a site | Enter show offline clients in site followed by the site name. Example--show offline clients in site California | Returns a list of offline client(s) in the site. |
| View connected client(s) in a site | Enter show connected clients in site followed by the site name. Example--show connected clients in site California | Returns a list of connected client(s) in the site. |
| View AP(s) in a site | Enter list aps in site or show aps in site followed by the site name. Example--list aps in site California | Returns a list of AP(s) in the site. |
| View switch(es) in a site | Enter list switches in site or show switches in site followed by the site name. Example--list switches in site California | Returns a list of switch(es) in the site. |
| View gateway(s) in a site | Enter list gateways in site or show gateways in site followed by the site name. Example--list gateways in site California | Returns a list of gateway(s) in the site. |
| View alerts at a specific site | Enter list gateways in site or show gateways in site followed by the site name. Example--list gateways in site California | Returns a list of gateway(s) in the site. |

Navigation Search Terms
The following table provides a list of recommended search terms with the corresponding search results. These sample search terms can help you navigate through Aruba Central. Based on the displayed results, click View to open the corresponding page in Aruba Central.

Table 44: Navigation Search Terms

| Search Terms | UI Page |
|---|---|
| network health | Network Health > List |
| access points usage statistics ap device summary | Devices > Access Points > Summary |
| list alerts | Global > Alerts & Events > Summary |
| client overview | Clients > Summary |
| bandwidth usage | Global > Overview > Summary |

Table 44: Navigation Search Terms (continued)

Search Terms (in table order):
configure ssid configure vpn assign virtual controller config ap ports radios profile manage firmware for virtual controller where can I configure switch configure switch stacks enable cdp for switches configuration conflicts for switches switch dhcp pools switch security dhcp how to configure switch igmp switch port priority manage switch ports configure VLANs configure gateways config audit gateway wan transport health wan performance show branch uplinks utilization virtual gateway settings how to upgrade gateway overlay route orchestrator topology topology list all saas apps saas express summary

UI Page (in table order):
- Group > Devices > Access Points > Config > WLANs > Wireless SSIDs
- Group > Devices > Access Points > Config > VPN
- Group > Devices > Access Points > Interfaces > Wired
- Group > Devices > Access Points > Config > Radios
- Global > Firmware > Access Points
- Devices > Switches > Config
- Devices > Switches > Stacks > Config
- Devices > Switches > System > CDP
- Devices > Switches > Configuration Audit
- Devices > Switches > IP Settings > DHCP Pools
- Devices > Switches > Security > DHCP Snooping
- Devices > Switches > IGMP
- Devices > Switches > Interface > PoE
- Devices > Switches > Interface > Ports
- Devices > Switches > Interface > VLANs
- Devices > Gateways > Config
- Devices > Gateways > Config > Advanced Mode > Config Audit
- Devices > Gateways > Summary
- Global > Overview > WAN Health > List
- Global > Overview > WAN Health > Summary
- Global > Network Services > Virtual Gateways
- Global > Firmware > Gateways
- Global > Network Services > SD-WAN Overlay > Route
- Site > Overview > Topology
- Global > Applications > SaaS Express > Map

Search Terms (in table order):
ssh threats current threat map configure presence analytics view wifi connected devices setup guest access setup guest network ucc settings enable call prioritization for ucc list ucc call tutorials

UI Page (in table order):
- Global > Security > Gateway IDS/IPS > Threats List
- Global > Security > Gateway IDS/IPS > Summary
- Global > Guests > Presence Analytics > Config
- Global > Guests > Presence Analytics > Summary
- Global > Guests > Guest Access
- Group > Guests > Config > Guest Networks
- Global > Applications > UCC > Config > Settings
- Global > Applications > UCC > List
- WalkMe Menu for launching guided tutorials

Chapter 4 Administering Aruba Central
Administering Aruba Central
Aruba Central is a cloud-native network operations and assurance solution for wired, wireless, and SD-WAN networks. Aruba Central unifies traditional management with AI-based network and user insights, and IoT device profiling in a single interface for simplified and secure management and control.
Apps
From the Account Home page, you can manage network inventory, subscriptions, and user access. You can provision or launch the following apps:
- Network Operations
- ClearPass Device Insight
The application(s) displayed in the Apps section of the page are dependent on the app(s) that you selected while signing up for Aruba Central. For more information, see Creating an Aruba Central Account.
To provision an app, click Get Started. After the app is provisioned, click Launch to navigate to the corresponding application UI. If the app provisioning fails, you can retry or contact Aruba Technical Support.
Figure 35 All Apps

Network Operations
Network Operations is a unified network operations, assurance and security platform that simplifies the deployment, management, and service assurance of wireless, wired and SD-WAN environments. Network Operations provides a cloud-based network management platform for managing your wireless, WAN, and wired networks with Aruba APs, Gateways, and Switches. Along with device and network management functions, the app also offers value-added services such as customized guest access, client presence, and service assurance analytics. For more information, see Aruba Central Help Center.
ClearPass Device Insight
ClearPass Device Insight enables network and security administrators to discover, monitor, and automatically classify new and existing devices that connect to a network. You can identify devices that include IoT devices, medical devices, printers, smart devices, laptops, VoIP phones, computers, gaming consoles, routers, servers, and switches. For more information, see Aruba ClearPass Device Insight Information Center.

Global Settings
In Aruba Central, most of the general administration tasks are grouped under Global Settings. The following table lists all the options and relevant app(s) to which the option is applicable:

Table 45: Options & Apps

| Option | App(s) |
|---|---|
| User and Roles | Network Operations; ClearPass Device Insight |
| Key Management | Network Operations; ClearPass Device Insight |
| Device Inventory | Network Operations |
| License Assignment | Network Operations |
| Data Collectors | Data Collectors option appears only if the ClearPass Device Insight app is provisioned. |
| Audit Trail | Network Operations |
| Single Sign On | Network Operations |
| API Gateway | API Gateway option appears only if the Network Operations app is provisioned and if the API Gateway license is enabled. |
| Webhooks | Network Operations |

Users and Roles
Aruba Central users are broadly categorized as follows:
- Network Administrators--Network administrators manage, configure, and monitor devices in their respective network or organization using the Aruba Central Standard Enterprise interface.
- Service Provider Administrators--Service Provider administrators are referred to as the MSP administrators who create, manage, and monitor accounts for multiple organizations (tenants). For MSP accounts, the Network Operations app provides a separate interface called the MSP View, using which MSP administrators can provision and manage their respective tenant accounts. Tenant account users' access is limited to their respective account or network setup. For more information on creating tenant accounts, see the Aruba Central MSP User Guide.
Within each Aruba Central account, the admin users of the respective accounts can configure and manage the following types of users:
- System users--Users who authenticate to the Aruba SSO server (public cloud deployments) or LocalDB servers (private cloud deployments). System users can access both the UI and API interface with their Aruba Central login credentials. Access for the system users is determined by the role to which they are mapped. For more information on configuring system users, see Configuring System Users.
- External users--Users who log in to Aruba Central using an external authentication source. External user accounts are maintained by IT administrators of the respective organizations. External users are also referred to as federated users. To provide a secure and seamless sign-on experience for external users, Aruba Central supports a federation configuration module based on the SAML SSO framework. For more information on configuring the SAML SSO framework for federated users, see the Aruba Central SAML SSO Solution Guide.
The following table lists the tasks that you can perform from the Users and Roles page:

Table 46: Users and Roles--Tasks

| Task | For more information... |
|---|---|
| Create, modify, or delete users | Configuring System Users |
| Create, modify, or delete user roles | Configuring User Roles |
| Resend email invitation to users | Resend Email Invite |
| Enable Two-Factor Authentication (2FA) | Two-Factor Authentication |
| Enable support access to debug issues | Support Access |

Configuring System Users
In the Account Home page, the Users and Roles option under Global Settings allows you to create, modify, and delete users.
This section describes the procedure for configuring users in an enterprise account. For information on how to configure system users in the MSP mode, see the Aruba Central Managed Service Provider User Guide.

Adding a System User
To add a user, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users and Roles page is displayed.
2. Click Add User. The New User window is displayed.

3. Configure the following parameters:
   - Username--Email ID of the user. Enter a valid email address.
   - Description--Description of the user role. You can enter up to a maximum of 32 characters including alphabets, numbers, and special characters in the text field.
   - Language--Select a language. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese languages.
   - Account Home--Select a user role for the Account Home page. If there are common modules between Account Home and other app(s), the Account Home user role has higher precedence. For example, the Devices and Subscription module in the Network Operations app. If an application is not provisioned, that application is not listed in the New User pop-up window.
   - Network Operations--Select a user role for the Network Operations application. If you assign the user role guestoperator, readonly, or readwrite, from the Select Groups drop-down list, select group(s). By default, the admin user role has access to all groups.
   - ClearPass Device Insight--Select a user role for the ClearPass Device Insight application. For more information on user roles, see Configuring User Roles.
4. Click Save. An email invite is sent to the user with a registration link. Users can use this link to access Aruba Central.
Figure 36 New User Window
The registration link in the email invite is valid for 15 days. The link expiry date is also mentioned in the registration email notification:
Figure 37 Aruba Central Registration Email

Resend Email Invite
If any user has not received the email invite, complete the following steps to resend the invite:
1. Click Actions and slide the Resend Invitation To Users toggle button to the right.
2. Enter the email ID and click Resend Invite.
Viewing User Details
In the Account Home page, under Global Settings, click Users and Roles. The Users tab is displayed. The List of Users table displays the following information:
- Email ID of the user.
- Type of user. The user can be system user or external user.
- Description of the user.
- Role assigned for the Network Operations app.
- Role assigned for the ClearPass Device Insight app. This option is displayed only if the ClearPass Device Insight app is provisioned and if you have subscribed to the app.
- Role assigned for the Account Home page.
- Allowed groups for the user.
- Last active time of the user. If the last active time cell is blank, the user has not logged in after the product upgrade.
Editing a User
To edit a user account, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users tab opens.
2. In the List of Users table, select the user and click the edit icon.
3. In the Edit User <"Username"> window, modify description, role, or allowed groups.
4. Click Save.
Deleting a User
To delete a user account:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users tab opens.
2. In the List of Users table, select the user and click the delete icon.
3. Confirm user deletion in the Confirm Action dialog box.
Viewing Audit Trail Logs for Users
Audit logs are generated when a new user is created or an existing user is modified or deleted from the Aruba Central account. The audit logs also record the login and logout activities of users. To view audit logs for Aruba Central users:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page is displayed.
2. To view audit logs for user addition, modification, or deletion, click the filter in the Classification column, and select User Management.
3. To filter audit logs about user activity, click the filter in the Classification column, and select User Activity.
Configuring User Roles
A role refers to a logical entity used for determining user access to devices and application services in Aruba Central. Users are always tagged to roles that govern the level of user access to the Aruba Central applications and services.
Access control for federated users is determined by the attributes set in the IDP.
Aruba Central supports a set of predefined roles with different privileges and access permissions. You can also configure custom roles. The following sections are covered in this page:
- Predefined Roles
- Module Permissions
- Custom Roles
- Viewing Role Details
- Editing a Role
- Deleting a Role

Predefined Roles
The Users and Roles page allows you to configure the following types of users with system-defined roles:

Table 47: Predefined Roles

| Application | Role | Privilege |
|---|---|---|
| Account Home | admin | Administrator for the Account Home page. If there are common modules between Account Home and other app(s), the Account Home role has higher precedence and the user is granted permission if the operation is initiated from the Account Home page. |
| Account Home | guestoperator | Has guest operator access to the Network Operations application. User does not have access to Account Home > Global Settings. |
| Account Home | readwrite | Can view and modify settings in the Account Home page and all Global Settings pages. NOTE: The readwrite role does not have modify permission for the following pages: Users and Roles; Single-Sign-On. |
| Account Home | readonly | Can view the Account Home page and all Global Settings pages. |
| Network Operations | admin | Administrator for the Network Operations application. Has access to Account Home > Global Settings. This is applicable only if the Account Home role is not set or is not conflicting. |
| Network Operations | deny-access | Cannot view the Network Operations application. |
| Network Operations | guestoperator | Has guest operator access to the Network Operations application. User does not have access to Account Home > Global Settings. |
| Network Operations | readonly | Has read-only access to Account Home > Global Settings and the Network Operations application. |
| Network Operations | readwrite | Has read-write access to Account Home > Global Settings and the Network Operations application. Has access to view and modify data using the Aruba Central UI or APIs. However, the user cannot execute APIs to: enable or disable MSP mode; perform operations in the following pages: Account Home > Users and Roles, and Network Operations application > Organization > Labels and Sites. |
| ClearPass Device Insight | admin | Administrator for the ClearPass Device Insight application. |
| ClearPass Device Insight | deny-access | Cannot view the ClearPass Device Insight application. |
| ClearPass Device Insight | readonly | Can launch and view all the pages in the ClearPass Device Insight application. |

Module Permissions
Aruba Central enables you to define roles with view or modify permissions. You can also block user access to some modules. If a module is blocked for a specific role, either the corresponding pages are not displayed in the UI, or the user can access the pages but no data is displayed and all actions are disabled for the role. Aruba Central supports setting permissions for the following modules:

Table 48: Permissions

| Application | Module | Description |
|---|---|---|
| Account Home | Devices and Subscription | Enables users to add devices and assign keys and subscriptions to devices in the Account Home page. |
| Account Home | Users | Enables users to define a role with access (View, Modify, or Block) to the user details in the Users tab in the Users and Roles page. To define the role, navigate to Account Home > Global Settings > Users and Roles. |
| Account Home | Roles | Enables users to define a role with access (View, Modify, or Block) to the role details in the Roles tab in the Users and Roles page. To define the role, navigate to Account Home > Global Settings > Users and Roles. |
| Account Home | SSO | Enables users to define a role with access (View, Modify, and Block) to the Single Sign On profiles details in the Users tab in the Single-Sign-On page (Account Home > Single-Sign-On). Enables users to define a role with access (View, Modify, or Block) to the Single Sign On profiles details in the Single Sign On page. To navigate to the Single Sign On page, go to Account Home > Single Sign On. |
| Network Operations | MSP | Enables users with administrator role and privileges to define user access to MSP modules such as Customer Management and Portal Customization. The MSP tenant account user does not have access to the MSP application. Even if a tenant account user is assigned a custom role having MSP application privileges: Tenant account user does have access to the MSP application; MSP does not appear in the Account Home > Global Settings > Users and Roles > Roles > Allowed Applications list. |
| Network Operations | Group Management | Enables users to create, view, modify, and delete groups and assign devices to groups. |
| Network Operations | Devices and Subscription | Users cannot edit or set permissions for this module. Modify and Block options are disabled. By default, the View Only permission is set. |
| Network Operations | Network Management | Enables users to configure, troubleshoot, and monitor Aruba Central-managed networks. You can customize the permissions (View or Modify or Block) for the following sub-modules: Configuration; Configuration Variables; Privileged Configuration; Firmware; Troubleshooting; Other Modules. NOTE: For the Privileged Configuration, the Block option disables the Admin tab (Gateway > System > Admin) for the user. The user management privileges are disabled for this user for gateways at the device and group level. |
| Network Operations | Guest Management | Enables users to configure cloud guest splash page profiles. |
| Network Operations | AirGroup | Enables users to define or block user access to the AirGroup pages. |
| Network Operations | Presence Analytics | Enables users to access the Presence Analytics app and analyze user presence data. |
| Network Operations | Floorplans | Enables users to access Floorplans and RF heatmaps. |
| Network Operations | Unified Communications | Enables users to access the Unified Communications pages. |
| Network Operations | Install Manager | Enables users to manage installer profiles and site installations. |
| Network Operations | Reports | Enables users to view and create reports. |
| Network Operations | Other Applications | Enables users to access other applications modules such as notifications and Virtual Gateway deployment service. |
| ClearPass Device Insight (NOTE: This option is displayed only if the ClearPass Device Insight app is provisioned and if you have subscribed to the app.) | Classified devices | Enables users to view or modify system and user-classified devices. |
| ClearPass Device Insight | Generic devices | Enables users to view or modify devices which are not classified by system or user. |
| ClearPass Device Insight | User classified devices | Enables users to view or modify user-classified devices. |
| ClearPass Device Insight | Discovery settings | Enables users to view, create, modify, or delete discovery settings. |
| ClearPass Device Insight | Application settings | Enables users to view or modify application level user settings. |
| ClearPass Device Insight | Reports | Enables users to create and view reports. |
| ClearPass Device Insight | Other Applications | Enables users to define or block access to other applications. |

Custom Roles
Along with the predefined roles, Aruba Central also enables you to create custom roles with specific security requirements and access control. However, only users with the administrator role and privileges can create, modify, clone, or delete a custom role in Aruba Central.

With custom roles, you can configure access control at the application level and specify access rights to view or modify specific application services or modules. For example, you can create a custom role that enables access to a specific application such as Guest Management or Network Management and assign it to a user.
MSP tenant account users cannot add, edit, or delete roles.
Adding a Custom Role
The following are the permissions that you can associate with a custom role:
- Roles with Modify permission can perform add, edit, or delete actions within the specific module.
- Roles with View Only permission can only view the specific module.
- Roles with Block permission cannot view that particular module or can view the corresponding pages but no data is displayed and all actions are disabled.
To add a custom role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. Click Add Role. The New Role window is displayed.
4. Specify a name for the role.
5. From the drop-down list, select one of the following:
   - Account Home--To manage access to devices and subscriptions in Aruba Central.
   - Network Operations--To set permissions at the module level in the Network Operations application.
   - ClearPass Device Insight--To set permissions at the module level in the ClearPass Device Insight application. This option is displayed only if the ClearPass Device Insight app is provisioned and if you have subscribed to the app.
6. For Network Management and MSP modules, you can set access rights at the module level. To set view or edit permissions or block the users from accessing a specific module, complete the following steps:
   a. Click Customize.
   b. Select one of the following options for each module as required:
      - View Only
      - Modify
      - Block
7. Click Save.
8. Assign the role to a user account as required.
Viewing Role Details
To view the details of a role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab. The Roles tab displays the following information:
   - Role Name--Name of the role.
   - Allowed Applications--The application(s) to which the user account is subscribed to.
   - Assigned Users--Number of users assigned to a role.

Editing a Role
To edit a role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the edit icon.
4. In the Edit Role <"Rolename"> window, modify the permissions set for module(s).
5. Click Save.
Deleting a Role
To delete a role, ensure that the role is not associated to any user and complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the delete icon.
4. Confirm role deletion in the Confirm Action dialog box.
Configuring SAML SSO for Aruba Central
The SSO solution simplifies user management by allowing users to access multiple applications and services with a single set of login credentials. If the application services are offered by different vendors, IT administrators can use the SAML authentication and authorization framework to provide a seamless login experience for their users.
To provide a seamless login experience for users whose identity is managed by an external authentication source, Aruba Central now offers a federated SSO solution based on the SAML 2.0 authentication and authorization framework. SAML is an XML-based open standard for exchanging authentication and authorization data between trusted partners; in particular, between an application service provider and the identity management system used by an enterprise. With Aruba Central's SAML SSO solution, organizations can manage user access using a single authentication and authorization source.
SAML SSO Solution Overview
The SAML SSO solution consists of the following key elements:
- Service Provider (SP)--The provider of a business function or service; for example, Aruba Central. The service provider requests and obtains an identity assertion from the IdP. Based on this assertion, the service provider allows a user to access the service.
- Identity Provider (IdP)--The Identity Management system that maintains identity information of the user and authenticates the user.
- SAML Request--The authentication request that is generated when a user tries to access the Aruba Central portal.
- SAML Assertion--The authentication and authorization information issued by the IdP to allow access to the service offered by the service provider (Aruba Central portal).
- Relying Party--The business service that relies on SAML assertion for authenticating a user; for example, Aruba Central.
- Asserting Party--The Identity management system or the IdP that creates SAML assertions for a service provider.
- Metadata--Data in the XML format that is exchanged between the trusted partners (IdP and Aruba Central) for establishing interoperability.
- SAML Attributes--The attributes associated with the user; for example, username, customer ID, role, and group in which the devices belonging to a user account are provisioned. The SAML attributes must be configured on the IdP according to specifications associated with a user account in Aruba Central. These attributes are included in the SAML assertion when Aruba Central sends a SAML request to the IdP.
- Entity ID--A unique string to identify the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not required as a URL by all providers.
- Assertion Services Consumer URL--The URL that sends the SAML request and receives the SAML response from the IdP.
- User--User with SSO credentials.
- Aruba Central SAML SSO solution supports only the HTTP Redirect POST method for sending and receiving SAML requests and responses.
- The SAML SSO integration allows federated users to access only the Central UI. The API Gateway access is restricted to system users that are configured and managed from Aruba Central.
How SAML SSO Works
Aruba Central supports the following types of SAML SSO workflows:
- SP-initiated SSO
- IdP-initiated SSO
SP-initiated SSO
In an SP Initiated SSO workflow, the SSO request originates from the service provider domain, that is, from Aruba Central. When a user tries to access Aruba Central, a federation authentication request is created and sent to the IdP server. The following figure illustrates the standard SP-Initiated SAML SSO workflow:
Figure 38 SP-Initiated SSO

The SP-initiated SSO workflow with Aruba Central is supported only through the HTTP Redirect POST method. In other words, Aruba Central sends an HTTP redirect message with an authentication request to the IdP through the user's browser. The IdP sends a SAML response with an assertion to Aruba Central through HTTP POST. The SP-initiated SSO workflow with HTTP Redirect POST includes the following steps:
1. The user tries to access Aruba Central and the request is redirected to the IdP.
2. Aruba Central sends an HTTP redirect message with the SAML request to the IdP for authentication through the user's browser.
3. The user logs in with the SSO credentials.
4. On successful authentication, the IdP sends a digitally signed HTML form with SAML assertion and attributes to Aruba Central through the web browser.
5. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access to the user.
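The following Python example is added here for troubleshooting and is not part of the Aruba guide or Aruba Central's own code. It decodes the SAMLRequest carried by the HTTP redirect and the SAMLResponse form value posted back by the IdP, so an administrator can compare the Entity ID, consumer URL, and attributes with the configured SAML profile. All URLs, IDs, and the attribute name are constructed placeholders, and the script reports only whether a signature element is present, not whether it is valid.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder values (assumptions); use the ones from your own SAML profile.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_LOGIN_URL = "https://idp.example.com/sso/login"
IDP_ENTITY_ID = "https://idp.example.com/metadata"

# Constructed sample messages; "example_role" is a hypothetical attribute name.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2021-01-01T00:00:00Z" '
    f'Destination="{IDP_LOGIN_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
    f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
)
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed2" '
    f'Version="2.0" IssueInstant="2021-01-01T00:00:05Z" Destination="{SP_ACS_URL}">'
    '<saml:Assertion ID="_constructed3" Version="2.0" '
    'IssueInstant="2021-01-01T00:00:05Z">'
    f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
    '<saml:AttributeStatement><saml:Attribute Name="example_role">'
    '<saml:AttributeValue>readonly</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)


def encode_redirect_request(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: no zlib header
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote_plus(base64.b64encode(raw).decode("ascii"))


def decode_redirect_request(redirect_url):
    """Recover the AuthnRequest XML from the SAMLRequest query parameter."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in URL")
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def parse_saml(xml_text):
    """Parse a SAML message, refusing DTDs so entity tricks never reach the parser."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in SAML messages")
    return ET.fromstring(xml_text)


def check_authn_request(xml_text):
    """Return the mismatches between the request and the expected settings."""
    root = parse_saml(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != SP_ENTITY_ID:
        problems.append(f"Issuer {issuer!r} is not the configured Entity ID")
    if root.get("AssertionConsumerServiceURL") != SP_ACS_URL:
        problems.append("AssertionConsumerServiceURL does not match the SP URL")
    if root.get("Destination") != IDP_LOGIN_URL:
        problems.append("Destination does not match the IdP login URL")
    return problems


def inspect_response(b64_form_value):
    """Decode a POSTed SAMLResponse (base64 only, no DEFLATE) and summarise it."""
    root = parse_saml(base64.b64decode(b64_form_value).decode("utf-8"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = attr.iterfind("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    signed = (root.find("ds:Signature", NS) is not None
              or assertion.find("ds:Signature", NS) is not None)
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "destination": root.get("Destination"),
        "signed": signed,  # presence only; the signature is NOT verified here
        "attributes": attrs,
    }


if __name__ == "__main__":
    url = f"{IDP_LOGIN_URL}?SAMLRequest={encode_redirect_request(SAMPLE_REQUEST)}"
    print(check_authn_request(decode_redirect_request(url)))
    print(inspect_response(base64.b64encode(SAMPLE_RESPONSE.encode()).decode()))
```

An unsigned response such as the constructed sample shows `signed` as false, which is the case the service provider rejects in step 5.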
IdP-initiated SSO
In the IdP-Initiated workflow, the SSO request originates from the IdP domain. The IdP server creates a SAML response and redirects the users to Aruba Central. The Aruba Central SAML SSO deployments support the IdP-initiated SSO workflow through the HTTP POST method. The IdP-initiated SSO workflow consists of the following steps:
1. The user is logged in to the IdP and tries to access Aruba Central.
2. The IdP sends a digitally signed HTML form with SAML assertion and attributes to Aruba Central through the web browser.
3. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access to the user.
The following figure illustrates the standard IdP-Initiated SAML SSO workflow:

Figure 39 IdP-Initiated SSO
SAML SSO Single Logout
Aruba Central supports Single Logout (SLO) of SAML SSO users. SLO allows users to terminate server sessions established using SAML SSO by initiating the logout process once. SAML SLO can be initiated either from the Service Provider or the IdP. However, Aruba Central supports only the IdP-initiated SLO.
IdP-initiated SAML SLO
The IdP-initiated logout workflow includes the following steps:
1. User logs out of the IdP.
2. The IdP sends a logout request to Aruba Central.
3. Aruba Central validates the logout request from the IdP, terminates the user session, and sends a logout response to the IdP.
4. User is logged out of Aruba Central.
5. After the IdP receives logout response from all service providers, the IdP logs out the user.
Configuring SAML SSO
The SAML SSO configuration for Aruba Central includes the following steps:
1. Configuring user accounts and roles in Aruba Central. For more information, see the Managing User Access topic in Aruba Central Help Center.
2. Configuring a SAML authorization profile in Aruba Central.
3. Configuring Service Provider metadata such as metadata URL, service consumer URL, Name and other attributes on the IdP server.
Configuring SAML Authorization Profiles in Aruba Central
For SAML SSO solution with Aruba Central, you must configure a valid SAML authorization profile in the Aruba Central portal.

Important Points to Note
The following are the important points to note about SAML authorization in Aruba Central:
- The SAML authorization profile configuration feature is available only for the admin users of an Aruba Central account. Aruba Central allows only MSP admin users to configure SAML authorization profiles for their respective tenant accounts.
- Each domain can have only one federation. There must be at least one verified user belonging to the domain in the system users' list.
- Aruba Central allows only one authorization profile per domain.
- SAML user access is determined by the role attribute included in the SAML token provided by the IdP.
- SAML users with admin privileges can configure system users in Aruba Central.
- SAML users can initiate a Single Sign On request by trying to log in to Aruba Central (SP-initiated login). However, SAML users cannot initiate a single logout request from Aruba Central.
- The following menu options in Aruba Central UI are not available for a SAML user:
  - Enable MSP and Disable MSP--SAML users cannot enable or disable MSP deployment mode in Aruba Central.
  - Change Password--Aruba Central does not support changing the password of a SAML user account.
Before You Begin
Before you begin, ensure that you have the following information:
- Entity ID--A unique string that identifies the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not required as URL by all providers.
- Login URL--Login URL configured on the IdP server.
- Logout URL--Logout URL configured on the IdP server.
- Certificate Details--SAML signing certificate in the Base64 encoded format. The SAML signing certificates are required for verifying the identity of IdP server and relying applications such as Aruba Central.
- Metadata URL--Service provider metadata URL configured on the IdP server.
SAML profiles can also be configured using NB APIs. If you want to use NB APIs for configuring SAML profiles, use the APIs available under the SSO Configuration category in Aruba Central API Gateway.
Configuring a SAML Authorization Profile
To configure the SAML authorization profiles in Aruba Central, complete the following steps:
1. In the Account Home page, under Global Settings, click Single Sign On. The Single Sign On page is displayed.
2. To add an authorization profile, enter the domain name.
   - Ensure that the domain has at least one verified user.
   - For public cloud deployments, Aruba Central does not support adding hpe.com, arubanetworks.com and other free public domain names, such as Gmail.com, Yahoo.com, or Facebook.com, for SAML authorization profiles.


3. Click Add SAML Profile.
4. To manually enter the metadata:
   a. Select Manual Setting and enter the following information:
      - Entity ID--Entity ID configured on the IdP server.
      - Login URL--Login URL configured on the IdP server.
      - Logout URL--Logout URL configured on the IdP server.
      - Certificate--Certificate details. Ensure that the certificate content is in the Base64 encoded format. You can either upload a certificate or paste the contents of the certificate in the text box.
      Ensure that the Entity ID, Login URL, and Logout URL fields have valid HTTPS URLs.
   b. Click Save.
The following figure shows an example for the manual entry of metadata:

Figure 40 Manual Addition of Metadata

5. If you have already configured the IdP server and downloaded the metadata file, you can upload the metadata file. To upload a metadata file:
   a. Select Metadata File. Ensure that the metadata file is in the XML format and it includes valid certificate content and HTTPS URLs for the Entity ID, Login URL, and Logout URL fields.
   b. Click Browse and select the IdP metadata file. Aruba Central extracts the Entity ID, Login URL, Logout URL, and certificate content.
   c. Verify the details.
   d. Click Save.
The following figure shows an example for the content imported from a metadata file:


Figure 41 Importing Information from a Metadata File
Configuring Service Provider Metadata in IdP
Aruba Central supports SAML SSO authentication framework with various Identity Management vendors such as ADFS, PingFederate, Aruba ClearPass Policy Manager, and so on. Aruba recommends that you look up the instructions provided by your organization for adding service provider metadata to the IdP server in your setup. Some of the generic and necessary attributes required to be configured on the IdP server for SAML integration with Aruba Central are described in the following list:

- Metadata URL--URL that provides service provider metadata.
- Entity ID--A unique string that identifies the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not required as URL by all providers.
- Assertion Services Consumer URL--The URL that sends SAML SSO login requests and receives authentication response from the IdP.
- NameID--The NameID attribute must include the email address of the user.
    <NameID>[email protected]</NameID>
  If the NameID attribute does not return the email address of the user, you can use the aruba_user_email attribute. Ensure that you configure the NameID or the aruba_user_email attribute for each user.
- SAML Attributes--The following example shows the syntax structure for SAML attributes:
    #customer 1
    aruba_1_cid = <customer-id>
    # app1, scope1
    aruba_1_app_1 = central
    aruba_1_app_1_role_1 = <readonly>
    aruba_1_app_1_role_1_tenant = <admin>
    aruba_1_app_1_group_1 = groupx, groupy
    aruba_1_app_2 = device_profiling
    aruba_1_app_2_role_1 = <readonly>
    aruba_1_app_3 = account_setting
    aruba_1_app_3_role_1 = <readonly>
    #customer 2
    aruba_2_cid = <customer-id>
    # app1, scope1
    aruba_2_app_1 = central
    aruba_2_app_1_role_1 = <readonly>
    aruba_2_app_1_role_1_tenant = <admin>
    aruba_2_app_1_group_1 = groupx, groupy
    aruba_2_app_2 = device_profiling
    aruba_2_app_2_role_1 = <readonly>
    aruba_2_app_3 = account_setting
    aruba_2_app_3_role_1 = <readonly>
Note the following points when defining SAML attributes in the IdP server:
- cid--Customer ID. If you have multiple customers, define attributes separately for each customer ID.
- app--Application. Set the value as per the following:
  - Network Operations--central
  - ClearPass Device Insight--device_profiling
  - Account Home--account_setting
- role--User role. Specify the user role. If no role is defined, Aruba Central assigns read-only role to the user.
- tenant role--Tenant user role. If the tenant role is not defined in the IdP, the MSP role is assigned to the SAML user.
- group--Group in Aruba Central. When a group is specified in the attribute, the user is allowed to access only the devices in that group. If the attribute does not include any group, Aruba Central allows SAML SSO users to access all groups. You can also configure custom attributes to add multiple groups if the user requires access to multiple groups.
Aruba Central recommends that you configure the Account Home application. However, if you do not return the Account Home application from the IdP, the Network Operations role is applied by default.
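The defaults above decide what access a user gets when an attribute is missing or misspelled on the IdP. The following added example (not Aruba's code) models those documented defaults for one user's attribute set and lists every place a default would apply, so the claim rules can be reviewed before they are released. The attribute values and the misspelled name are constructed, and limiting the tenant-role and group checks to the central application follows the page's sample and is an assumption.

```python
import re

# Application identifiers listed on this page, mapped to their display names.
KNOWN_APPS = {
    "central": "Network Operations",
    "device_profiling": "ClearPass Device Insight",
    "account_setting": "Account Home",
}
DEFAULT_ROLE = "readonly"  # label used here for the documented read-only default

# aruba_<n>_cid | aruba_<n>_app_<m>[_role_<k>[_tenant] | _group_<g>]
KEY = re.compile(
    r"^aruba_(?P<cust>\d+)_(?:cid|app_(?P<app>\d+)"
    r"(?:_role_(?P<role>\d+)(?P<tenant>_tenant)?|_group_(?P<group>\d+))?)$"
)


def resolve(attrs):
    """Model the documented defaults for a flat {attribute name: value} dict.

    Returns (customers, findings). This sketch tracks one role per
    application, as in the page's sample (role_1).
    """
    customers, findings = {}, []
    for name, value in attrs.items():
        m = KEY.match(name)
        if m is None:
            if name.startswith("aruba_") and name != "aruba_user_email":
                findings.append(f"{name}: not in the documented attribute syntax")
            continue
        cust = customers.setdefault(int(m["cust"]), {"cid": None, "apps": {}})
        if m["app"] is None:
            cust["cid"] = value.strip()
            continue
        app = cust["apps"].setdefault(
            int(m["app"]),
            {"name": None, "role": None, "tenant_role": None, "groups": []},
        )
        if m["tenant"]:
            app["tenant_role"] = value.strip()
        elif m["role"]:
            app["role"] = value.strip()
        elif m["group"]:
            app["groups"] += [g.strip() for g in value.split(",") if g.strip()]
        else:
            app["name"] = value.strip()

    for n, cust in sorted(customers.items()):
        if not cust["cid"]:
            findings.append(f"customer {n}: aruba_{n}_cid is missing")
        returned = set()
        for i, app in sorted(cust["apps"].items()):
            label = f"aruba_{n}_app_{i}"
            if app["name"] is None:
                findings.append(f"{label}: role or group set without an application")
                continue
            if app["name"] not in KNOWN_APPS:
                findings.append(f"{label}: unknown application {app['name']!r}")
            returned.add(app["name"])
            if app["role"] is None:
                app["role"] = DEFAULT_ROLE
                findings.append(f"{label}: no role, read-only is assigned")
            if app["tenant_role"] is None:
                app["tenant_role"] = app["role"]  # MSP role carries to tenants
                if app["name"] == "central":
                    findings.append(f"{label}: no tenant role, the MSP role "
                                    f"({app['role']}) is assigned for tenants")
            if app["name"] == "central" and not app["groups"]:
                findings.append(f"{label}: no group, user can access all groups")
        if "account_setting" not in returned:
            findings.append(f"customer {n}: account_setting not returned, the "
                            "Network Operations role is applied by default")
    return customers, findings


# Constructed attribute set; "grp" is a deliberate misspelling of "group".
SAMPLE = {
    "aruba_1_cid": "CID-PLACEHOLDER-1",
    "aruba_1_app_1": "central",
    "aruba_1_app_1_role_1": "admin",
    "aruba_1_app_1_group_1": "groupx, groupy",
    "aruba_1_app_2": "device_profiling",
    "aruba_2_cid": "CID-PLACEHOLDER-2",
    "aruba_2_app_1": "central",
    "aruba_2_app_1_role_1": "readonly",
    "aruba_2_app_1_role_1_tenant": "readonly",
    "aruba_2_app_1_grp_1": "lab",
    "aruba_2_app_3": "account_setting",
    "aruba_2_app_3_role_1": "readonly",
}

if __name__ == "__main__":
    for finding in resolve(SAMPLE)[1]:
        print(finding)
```

In the sample, the misspelled group attribute is reported twice: once as an unparseable name and once as the resulting access to all groups for customer 2.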
See Also:
- Configuring Service Provider Metadata in Microsoft ADFS
- Configuring Service Provider Metadata in PingFederate IdP
- Configuring Service Provider Metadata in Aruba ClearPass Policy Manager
Configuring Service Provider Metadata in Microsoft ADFS
This procedure describes the steps required for configuring service provider metadata in Microsoft Active Directory Federation Services (ADFS) for SAML integration with Aruba Central. ADFS runs on Windows Servers and provides users with SSO access to application services hosted by the trusted service providers.
This topic provides a basic set of guidelines required for setting up the ADFS instance on a Windows Server 2016 as an IdP. The images used in this procedure may change with Windows Server updates.
Before you Begin
- Go through the SAML SSO feature description to understand how SAML framework works in the context of Aruba Central.
- Ensure that the ADFS is installed and available for configuration on a Windows server. For more information, see the ADFS Deployment Guide.
- Ensure that an Active Directory security group is configured and the users are added as group members. For more information, see the ADFS Deployment Guide.
Steps to Configure Service Provider Metadata in ADFS
To enable SAML integration with ADFS, complete the following steps:
- Step 1: Adding a Relying Party Trust
- Step 2: Configure the Name ID Attribute
- Step 3: Configure the Customer ID Attribute
- Step 4: Configure the Application Attribute
- Step 5: Configure the Role Attribute
- Step 6: Configure the Group Attribute
- Step 7: Configure the Logout URL
- Step 8: Exporting Token-signing Certificate
- Step 9: SAML Authorization Profile in Aruba Central
Step 1: Adding a Relying Party Trust
To configure Aruba Central and ADFS as trusted partners, complete the following steps:

1. On Windows Server, click Start > Administrative Tools > AD FS Management. The ADFS administrative console opens.
2. Click AD FS folder and select Add Relying Party Trust from the Actions menu.
Figure 42 AD FS Management
3. Select Enter data about the relying party manually.
4. Click Next.
5. Enter a Display Name. The name entered here will be displayed in the management console and to the users logging in to Aruba Central.
6. Click Next.
7. Select AD FS Profile and then click Next.
8. Select Enable support for the SAML 2.0 WebSSO protocol check box and enter the consumer URL that you want to use for sending SAML SSO login requests and receiving SAML response from the IdP.
Figure 43 Enabling Support for SAML 2.0 WebSSO Protocol
9. Click Next.
10. Add Aruba Central URL as the relying party trust identifier.
Figure 44 Adding Relying Party Trust Identifier
11. Click Next.
12. Select the preferred security setting. You can select Permit all users to access this relying party option to permit access to all users.
13. Click Close.
14. Verify if Aruba Central is added to the list of relying party trust.


Step 2: Configure the Name ID Attribute
The Name ID attribute is used for user identification. For SAML integration with Aruba Central, the Name ID attribute must include the email address of the user. If the Name ID attribute does not return the email address of the user, use the aruba_user_email attribute.
To configure the Name-ID attribute:
1. Select the display name you just added for Aruba Central and click Edit Claim Issuance Policy.
2. In the Edit Claim Issuance Policy window, click Add Rule.
3. Set the Claim Rule template to Send LDAP Attributes as Claims rule.
4. Click Next.
5. In the Claim rule name text box, enter Name-ID.
Figure 45 Adding Claim Rule Name
6. Select the LDAP as the Attribute store.
7. Select the User-Principal-Name as LDAP attribute and Name ID for the Outgoing Claim Type.
8. Click Finish.
Step 3: Configure the Customer ID Attribute
To create a rule with the customer ID attribute:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the customer ID attribute. For example, aruba-cid.

5. Select a user group.
Figure 46 Selecting a User Group
6. Click OK.
7. Select a customer ID attribute for the Outgoing claim rule and enter a value for the Outgoing claim value.


Figure 47 Configuring Claim Rule Details
8. Click Finish.
9. If you have multiple customers, define the customer ID attribute separately for each customer ID.
Step 4: Configure the Application Attribute
To add a rule for the application attribute, complete the following steps:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App Name.
5. Select a user group.
6. Select the application attribute for Outgoing claim type and enter a value for the Outgoing claim value.

Figure 48 Configuring the Application Attribute
7. Click Finish.
Step 5: Configure the Role Attribute
To add a rule for a role attribute, complete the following steps:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App Role.
5. Select a user group.
6. Select the role attribute for Outgoing claim type and enter a value for the Outgoing claim value.
Figure 49 Configuring the Role Attribute


7. Click Finish.
If the role attribute is not configured, Aruba Central assigns a read-only role to the user.
Step 6: Configure the Group Attribute
If you want to restrict user access to a group in Aruba Central, you can configure the group attribute. If the group attribute is not configured, Aruba Central allows SAML SSO users to access all groups.
To add a rule for a group attribute, complete the following steps:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App Group.
5. Select a user group.
6. Select a group attribute for Outgoing claim type and enter a value for the Outgoing claim value.
7. Click Finish.
Step 7: Configure the Logout URL
To enable IdP-initiated logout, complete the following steps:
1. Select the relying party trust entry created for Aruba Central and click Properties.
2. Click Endpoints.
3. To add a logout URL, click Add SAML.
4. Select the endpoint type as SAML Logout.
5. Select Redirect for Binding.
6. Enter the Aruba Central logout URL for Trusted URL.
   Sample Trusted URL: https://portal-yoda.arubathena.com/global_login/aaa_saml/adfsaruba.com?sls

7. Enter the IdP logout URL for Response URL.
Figure 50 Configuring the Logout URL

8. Click OK.
Step 8: Exporting Token-signing Certificate
The token-signing certificate is required for SAML authentication. To export the token-signing certificate:
1. In the ADFS management console, go to AD FS > Service > Certificates.
2. Click the certificate under Token-signing and select View Certificate from the contextual menu.


3. Click Details > Copy to File.
Figure 51 Exporting Token-Signing Certificate
4. Click Next and select Base-64 encoded X.509 (.CER) as the certificate format.
5. Click Next.
6. Save the certificate file on your local directory.
Step 9: SAML Authorization Profile in Aruba Central
For information on how to configure a SAML authorization profile, see Configuring SAML Authorization Profiles in Aruba Central.
Configuring Service Provider Metadata in PingFederate IdP
This procedure describes the steps required for configuring service provider metadata in PingFederate.

This topic provides a basic set of guidelines required for service provider metadata on the PingFederate server. The images and attributes may change with PingFederate software updates.
Before you Begin
Go through the SAML SSO feature description to understand how SAML framework works in the context of Aruba Central.
Steps to Configure Service Provider Metadata in PingFederate
To configure service provider metadata in PingFederate, complete the following steps:
- Step 1: Create an SP Connection Profile
- Step 2: Configure Browser SSO Settings
- Step 3: Configure Credentials
- Step 4: Review Configuration
- Step 5: SAML Authorization Profile in Aruba Central
Step 1: Create an SP Connection Profile
1. Log in to the PingFederate administration console.
2. Click IdP Configuration > SP Connections > Create New. The SP Connections page opens.
Figure 52 SP Connections Window
3. In the Connection Type tab, select Browser SSO Profiles.
Figure 53 Connection Options

4. Click the General Info tab.


5. Verify the Entity ID and select the logging mode.
Figure 54 General Info

Figure 55 Logging Mode
6. Click Next to configure the Browser SSO Settings.
Step 2: Configure Browser SSO Settings
1. On the SP Connections page in PingFederate administrative console, click Browser SSO.
Figure 56 Browser SSO
2. Click Configure Browser SSO.
3. Select the following SAML profiles:
   - Select IDP-INITIATED SSO
   - Select SP-INITIATED SSO


Figure 57 SAML Profiles
4. Click Next. The Assertion Lifetime tab opens.
5. Click Next. The Assertion Creation page opens.
   a. Click Configure Assertion Creation. The Assertion Creation wizard opens.
   Figure 58 Assertion Creation Window
   b. Click Next. The Attribute Contract page opens.
   c. Add the SAML attributes in the SAML assertion. The IdP sends these attributes in the SAML Assertion.


Figure 59 Attribute Contract
   d. Click Next. The Authentication Source Mapping tab opens.
   Figure 60 Authentication Source Mapping
   e. Click Map New Adapter Instance. The adapter configuration screen opens.
   Figure 61 Adapter Instance

   f. Complete the following configuration steps:
      i. Click Mapping Method and select a mapping option.
      Figure 62 Mapping Method Selection
      ii. Click Attribute Sources and User Lookup.
      iii. To add a data source, click Add Attribute Store and add the data store ID as shown in the following figure:
      Figure 63 Add Data Store ID
      iv. Click Save.
6. On the SP Connections > Browser SSO Settings page, click Protocol Settings to configure the Browser SSO Protocol Settings, SSO service URLs, and SAML bindings.
Figure 64 Protocol Settings

7. Click Configure Protocol Settings and complete the following steps:
   a. Verify the Assertion Consumer Service URL. The endpoint URLs for Redirect and Post bindings are both automatically populated from the metadata. If not, enter the URL manually. The URL will be the same for both bindings.


Figure 65 Assertion Consumer Service URL Verification
   b. Click Next. The Allowable SAML Bindings tab opens.
   c. Select Post and Redirect.
   Figure 66 SAML Bindings Selection
   d. Click Next. The Encryption Policy Settings tab opens.
   e. Select None.
   Figure 67 Encryption Policy Settings
   f. Click Next. Review the protocol setting.
   g. Click Done.
Step 3: Configure Credentials
1. On the SP Connections page in the PingFederate administrative console, click Credentials.
2. Click Configure Credentials.
3. Click Digital Signature Settings.

4. Select the certificate to use for digital signature in SAML messages.
Figure 68 Digital Signature Settings

Step 4: Review Configuration
To review the configuration, click the Activation & Summary tab.
Step 5: SAML Authorization Profile in Aruba Central
For information on how to configure a SAML authorization profile, see Configuring SAML Authorization Profiles in Aruba Central.
Configuring Service Provider Metadata in Aruba ClearPass Policy Manager
This procedure describes the configuration steps required for setting up Aruba ClearPass Policy Manager as an IdP.
ClearPass must be synced to NTP along with any other SAML SPs and IdPs. If clocks are out of sync, SAML will not function.
Before you Begin
- Go through the SAML SSO feature description to understand how SAML framework works in the context of Aruba Central.
- Ensure that you have access to the ClearPass Policy Manager instance.
- Ensure that you have downloaded the SAML metadata from Aruba Central.
Steps to Configure ClearPass Policy Manager as an IdP
To configure ClearPass as an IdP for providing SAML authentication and authorization services to Aruba Central, complete the following steps:
- Step 1: Configuring Enforcement Profile and Policies
- Step 2: Adding Roles
- Step 3: Mapping Roles to Enforcement Policies
- Step 4: Configuring an IdP Service
- Step 5: Uploading SP Metadata
- Step 6: Adding Local Users
- Step 7: Configuring SAML Authorization Profile in Aruba Central
Step 1: Configuring Enforcement Profile and Policies
To configure an enforcement profile:


1. Go to Configuration > Enforcement > Profiles.
2. Click Add to add a new enforcement profile. The Enforcement Profiles page is displayed.
3. In the Profile tab, select the template as Generic Application Enforcement from the Template drop-down list.
4. Enter a name and description for the profile in the Name and Description fields.
5. In the Action field, click and select Accept from the given options.
6. Click Next. The Attributes tab is displayed.
7. Click to add the attributes name and attributes value in the Attributes Name and Attributes Value fields. Ensure that you add Aruba-defined attributes and values. To know more about Aruba defined attributes, see Configuring Service Provider Metadata in IdP.
8. Click Next. The Summary tab is displayed.
9. In the Summary tab, check the information entered in the Profile and Attributes field and click Save to save the enforcement profile.
To configure an enforcement policy, complete the following steps:
1. Go to Configuration > Enforcement > Policies.
2. Click Add to add a new enforcement policy. The Enforcement Policies page is displayed.
3. Enter a name and description for the policies in the Name and Description fields.
4. In the Enforcement Type field, click and select Application.
5. From the Default Profile drop-down list, select the profile which you created.
6. Click Next. The Rules tab is displayed.
7. For configuring the rules, follow the steps mentioned in Step 3 below.
8. Click Next. The Summary tab is displayed.
9. In the Summary tab, check and validate the information and click Save to save the enforcement policy.
Step 2: Adding Roles
To add a user role:
1. Go to Configuration > Identity > Roles. The Roles page is displayed.
2. To add a new role, click Add in the Roles page.
Figure 69 Configuring Roles
3. Enter the role name and description in the Name and Description fields and click Save to save the role.

Figure 70 Adding Role Information

Step 3: Mapping Roles to Enforcement Policies
To map roles to enforcement policies:
1. Go to Configuration > Enforcement > Policies. The Enforcement Policies page is displayed.
2. Click and select the policy that you created.
3. Click the Rules tab and select Add rule to map a rule to the policy.
4. In the Rules Editor page, fill in the Type, Name, Operator, and Values as shown in the below example figure.
Figure 71 Rules Editor Page

5. In the Profile Names under Enforcement Profiles, select the profile that you created and click Save.
6. Click Save.
Step 4: Configuring an IdP Service
To configure an IdP service, complete the following steps:
1. Go to Configuration > Services. The Services Page is displayed.
2. From the Services page, click Add to add a new service.


3. In the Service tab, select Aruba Application Authentication as a type of authentication from the Type drop-down list.
4. Enter a name Prefix and description for the services in the Name and Description fields respectively. This prefix is used to name all of the services and enforcement policies/profiles created by the wizard.
5. Optionally, you can enable the monitor mode and more options by clicking the Monitor Mode and More Options check boxes. By default, both the check boxes are not selected.
6. From the Service Rule option, select ANY or All of the following conditions to match the conditions.
7. You can define Type, Name, Operator, and Values for the condition by clicking and selecting from the respective drop-down lists.
8. Click Next. The Authentication tab is displayed.
9. Select [Local User Repository] [Local SQL DB] as an authentication source from Authentication Sources drop-down list.
10. Click Next. The Roles tab is displayed.
11. Keep the Roles tab to default values.
12. Click Next. The Enforcement tab is displayed.
13. Add an enforcement policy from the Enforcement Policy drop-down list.
14. Click Next. The Summary tab is displayed.
15. In the Summary tab, check if all the information in Service, Authentication, Roles, and Enforcement fields are correct and click Save to save the service.
Step 5: Uploading SP Metadata
To upload SP metadata, complete the following steps:
1. In the Account Home page, under Global Settings, click Single Sign On. The Single Sign On page is displayed.
2. Select the SAML authorization profile configured for the ClearPass IdP service, click Show Metadata, and download the metadata.
3. To upload SP metadata, go to Configuration > Identity > Single Sign-On (SSO).
4. Click SAML IdP Configuration tab, and click Add SP metadata.
5. Set the SP name as Aruba Central and select the metadata file and click Upload.
Figure 72 SAML IdP Configuration

Step 6: Adding Local Users
To add local users, complete the following steps:
1. Go to Configuration > Identity > Local Users. The Local Users page is displayed.
2. In the Local Users page, click Add. The Add Local User page is displayed.
3. Enter the user id, name, and password in their respective fields.
4. Enter the password again to verify password in the Verify Password field.
5. By default, the Enable User check box is selected.
6. Select the Change Password check box if you want to force change the password on next user login. By default, the check box is not selected.
7. Select the role from the Role drop-down list and click Add to add the user. Below is an example figure for adding user:
Figure 73 Adding a Local User

Step 7: Configuring SAML Authorization Profile in Aruba Central
For information on how to configure a SAML authorization profile, see Configuring SAML Authorization Profiles in Aruba Central.
Configuring Service Provider Metadata in G Suite
This procedure describes the configuration steps required for setting up service provider metadata in G Suite.
Before you Begin
- Go through the SAML SSO feature description to understand how SAML framework works in the context of Aruba Central.
- Ensure that you have a domain and administrator privileges access to the G Suite. For more information, see G Suite Admin Help.
- Ensure that you have a verified user in Aruba Central.
- Ensure that you have downloaded the SAML metadata from Aruba Central.
Steps to Configure Service Provider Metadata in Google Admin Console
To configure Google Admin Console for providing SAML authentication and authorization services to Aruba Central, complete the following steps:


- Step 1: Add Custom Attributes
- Step 2: Add new user
- Step 3: Add values to custom attributes
- Step 4: Set up Custom SAML app
- Step 5: Turn on SSO to your new SAML app
Step 1: Add Custom Attributes
To add custom attributes in Google Admin:
1. In the Google Admin console, go to Users > More > Manage custom attributes. The Manage user attributes page is displayed.
2. At the top right corner, click Add Custom Attribute.
Figure 74 Manage User Attributes

3. In the Add custom fields pop-up window, configure the parameters as per the following table:

Parameter       Description
Category        Enter a name for the category you want to add.
Description     Optionally, enter a description for the category.
Custom fields   Configure the custom fields as per the following:
                - Name--Enter the label you want to display on the user's account page.
                - Info type--Select one of the following from the drop-down list:
                  - Text
                  - Whole Number
                  - Yes or No
                  - Decimal number
                  - Phone
                  - Email
                  - Date
                - Visibility--Select one of the following from the drop-down list:
                  - Visible to user and admin
                  - Visible to organization
                - No. of values--Select one of the following from the drop-down list:
                  - Multi-Value
                  - Single-value

NOTE:
- You cannot edit the info type and No. of values once you have created the custom attribute.
- You can add multiple numbers of custom attributes in the Custom fields. Make sure that you add the Aruba supported attributes in the Name field. For more information on Aruba supported attributes, see Configuring Service Provider Metadata in IdP.

4. Click Add to finish adding the custom attributes.
Step 2: Add new user
To add a new user in the Google Admin console, complete the following steps:
1. In the Google Admin console, go to Users > Add new user. The Add new user page is displayed.
2. To add an image for the user, click Add photo and select the image file from the storage. You can also add the image later if you do not have it ready.
3. Fill the account information as per the following table:

Parameter           Description
First name          Enter the first name of the user.
Last name           Enter the last name of the user.
Primary email       Enter the primary email of the user.
Organization unit   The field gets auto populated.
Secondary email     Optionally, enter the secondary email of the user.
Phone number        Optionally, enter the phone number of the user.

4. You can either generate the password automatically by turning on the toggle button or enter the password manually. By default, you have to enter the password manually. While creating the password, make sure that the password is of at least 8 characters.
5. Optionally, turn on the toggle to ask the user to change the password at the next sign-in.
6. Click Add New User.
Step 3: Add values to custom attributes
You can add or update values for custom attributes on the User information page for a user. To add values to custom attributes:
1. In the Google Admin console, click Users. The user page is displayed.
Figure 75 Users Page

2. From the users list, find the user by using a filter or Search bar. For more information on how to find the user, see Find a user account.
3. Click User information.
Figure 76 User Information

4. Click the Aruba-Attributes section to edit.


5. Add or change values to custom attributes as shown in the following example figure:
Figure 77 Editing Aruba-Attributes

6. Click Save.
You can only assign roles to the user which are already existing and valid in Aruba Central.
Step 4: Set up Custom SAML app
To set up your own custom SAML app:
1. Log in to G Suite. The Admin console is displayed.
Figure 78 Google Admin Console

2. From the Admin Console main screen, click Apps. The Apps page is displayed.
3. From the Apps screen, click SAML apps. The SAML apps page is displayed.
Figure 79 SAML Applications

4. Click the + sign at the bottom of the screen to add a new SAML app (or, you can edit an existing one). The Enable SSO for SAML Application window page is displayed.


Figure 80 Enable SSO for SAML Application
5. Click Setup My Own Custom App. The Google IdP Information window opens and the SSO URL and Entity ID fields automatically populate.
Figure 81 Setup Custom Application
6. Get the setup information needed using one of these methods:
   a. Copy the SSO URL and Entity ID and download the Certificate.
   b. Download the IdP metadata.
Figure 82 Google IdP Information

7. In a separate browser tab or window, sign in to Aruba Central and enter the information you copied in step 6 above into the appropriate SSO configuration page, then return to the Admin console. For information on how to configure a SAML authorization profile, see Configuring SAML Authorization Profiles in Aruba Central.
8. Click Next.
9. In the Basic Information for Your Custom App window, add an application name and description.
10. Optionally, upload a PNG or GIF file to serve as an icon for your custom app. The icon image should be of size 256 x 256 pixels.
Figure 83 Configuring Basic Information

11. Click Next.
12. In Aruba Central, select the SAML authorization profile configured for the domain, click show meta data, download the metadata, and return to the G Suite Admin console.
13. In the Service Provider Details window, enter an ACS URL, Entity ID, and Start URL (if needed) for your custom app. These values are all provided from the downloaded metadata.
14. By default, the Signed Response check box is not selected.
15. The Name ID and Name ID Format fields are automatically populated.
Figure 84 Service Provider Details

16. Click Next.

17. Optionally, click Add New Mapping and enter a new name for the attribute you want to map.
18. In the drop-down list, select the category and user attributes to map the attribute from the Google profile.
Figure 85 Attribute Mapping
19. Click Finish.
Step 5: Turn on SSO to your new SAML app
To turn on SSO in your SAML app:
1. In the Google Admin console, go to Apps > SAML apps and select the SAML app that you created.
2. At the top right corner of the gray box, click Edit Service.
Figure 86 Editing a Service
3. To turn on or off a service for everyone in your organization, click On for everyone or Off for everyone from the Service status option, and click Save.
Figure 87 Configuring All Organizational Units

Viewing Federated Users in Aruba Central
If your Aruba Central account has SAML SSO users, Aruba Central displays these users as federated users. To view a list of federated users in your account:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users & Roles page opens.
2. In the Users table, use the filter in the User Type column to sort the table by federated users.
Viewing Audit Logs for Federated Users in Aruba Central
Activity by federated (SAML SSO) users is logged in Aruba Central as audit trails. To view the audit logs for federated users, complete the following steps:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page is displayed.
2. To filter audit logs by federated user activity, click the filter in the Category column and select User Activity.
To view audit logs for the SAML authorization profiles, in the Audit Trail page, select SAML Profile from the Classification filter.
Converting System Users to Federated Users
The system users in Aruba Central use the standard authentication method, whereas the federated users sign in to Aruba Central using the SAML-based SSO authentication method. If your business requires you to move system users from the standard authentication method to SAML-based authentication, follow the steps described in this page.
Before you Begin
Check if the user is accessing Aruba Central application using the web application, API Gateway, or the mobile app.
Aruba does not support SAML-based SSO logins for Aruba Central API Gateway, Aruba Installer, and Aruba Central mobile apps. Hence, it is recommended that you do not convert the API Gateway and mobile app user profiles to federated users.
Migrating Aruba Central Web Application Users to Federated User Profiles
To move system users of the Aruba Central web application to the SAML-based authentication method:

1. Back up the user profiles in the domain that is being migrated to the SAML-based authentication framework. To view and create a backup of the list of existing user profiles, access the [GET] /platform/rbac/v1/users NB API.
2. Restore the current users in the system along with role and scope information defined for each user. To restore user profiles in bulk, use the [POST] /platform/rbac/v1/bulk_users API in the same domain.
3. Validate the configuration for one user.
4. If the migration is successful, remove the remaining system users in the domain by using one of the following methods:
- In the Account Home page, under Global Settings, click Users & Roles. On the Users & Roles page, select the user profile that you want to delete and click the delete icon.
- Access the [DELETE] /platform/rbac/v1/bulk_users API and add the user account names in the Parameters section. Example:
Param - [ "[email protected]","[email protected]","[email protected]" ]
5. Ensure that there is at least one system admin user in the domain that you are migrating to the SAML-based SSO authentication framework.
6. Validate the SSO workflow for the users that you just migrated to the SAML-based SSO authentication method.
Enabling NB API Access for Federated Users
To enable NB API access for federated users:
1. Log in to Aruba Central web application using the SAML-based SSO authentication method.
2. In the Account Home page, under Global Settings, click API Gateway.
3. Click My Apps & Tokens.
4. Click + Add Apps & Tokens and generate an OAuth token.
For more information on generating tokens and API Gateway bootstrapping, see Aruba Central API Gateway Documentation.
Troubleshooting SAML SSO Authentication Issues
This section provides troubleshooting guidelines and tips to help Aruba Central administrators to diagnose and fix issues related to SAML SSO authentication.
Installing SAML Tracer on Web Browsers
To view SAML trace logs, you can install SAML Tracer on your web browsers. To install SAML Tracer:
- Mozilla Firefox--Go to https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/.
- Google Chrome--Go to https://chrome.google.com/webstore/category/extensions.

Viewing SAML Trace Logs
To view the SAML trace logs, open the SAML Tracer add-on in the web browser. SAML Tracer records all HTTP requests sent or received by your browser. If the HTTP request contains SAML, the SAML tab in the SAML Trace window records the trace logs. For example, when the SAML user logs in, you can verify the SAML attributes that are recorded. Note the key elements in the SAML attributes output when diagnosing a SAML authentication error.
<Subject>
  <NameID>[email protected]</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="ONELOGIN_f937f6f66c3d29c4713eee99e09fd31e23ae6fec"
        NotOnOrAfter="2019-06-14T11:57:47.883Z"
        Recipient="https://portal-yodaacdc.arubathena.com/global_login/aaa_saml/adfsaruba.com?acs" />
  </SubjectConfirmation>
</Subject>
<Conditions NotBefore="2019-06-14T11:52:47.881Z" NotOnOrAfter="2019-06-14T12:52:47.881Z">
  <AudienceRestriction>
    <Audience>https://portal-yodaacdc.arubathena.com/global_login/aaa_saml/adfsaruba.com/metadata</Audience>
  </AudienceRestriction>
</Conditions>
<AttributeStatement>
  <Attribute Name="aruba_1_cid">
    <AttributeValue>ab8eeb91a8434025a3ecbdad9b8af705</AttributeValue>
  </Attribute>
  <Attribute Name="aruba_1_app_1">
    <AttributeValue>central</AttributeValue>
  </Attribute>
  <Attribute Name="aruba_1_app_1_role_1">
    <AttributeValue>admin</AttributeValue>
  </Attribute>
  <Attribute Name="aruba_1_app_1_role_1_tenant">
    <AttributeValue>readonly</AttributeValue>
  </Attribute>
Troubleshooting Tips for Most Common Errors
Error 1--A blank page is displayed when the SAML user is redirected to the IdP server
- Description: When a SAML user is redirected to the IdP server for authentication, the IdP server does not return the SAML response and displays a blank page.
- Cause: This issue may occur when the Service Provider metadata for Aruba Central is not configured on the IdP server.
- Resolution: Configure Service Provider metadata for your Aruba Central account in the IdP server.
Error 2--The SAML user is logged out of Aruba Central after logging in to IdP
- Description: The SAML user gets logged out of Aruba Central after logging in to the IdP server and the following error code is displayed in the browser:
error_code=INVALID+EXTERNAL+AUTH+REQUEST
- Reason: This issue may occur when the customer ID for the SAML user is not successfully retrieved from the IdP server.
- Solution: Verify the trace logs, check the IdP configuration for customer ID details, and ensure that the IdP sends the correct customer ID.
<NameID>[email protected]</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <SubjectConfirmationData InResponseTo="ONELOGIN_c000669424a538ea0f4793ec38dab3b57a635efb"
      NotOnOrAfter="2019-06-14T10:06:20.153Z"
      Recipient="https://compass.arubathena.com/global_login/aaa_saml/adfsaruba.com?acs"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2019-06-14T10:01:20.151Z" NotOnOrAfter="2019-06-14T11:01:20.151Z">
  <AudienceRestriction>
    <Audience>https://compass.arubathena.com/global_login/aaa_saml/adfsaruba.com/metadata</Audience>
  </AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2019-06-14T10:01:19.749Z" SessionIndex="_400366f7-75dc-4423-909c-2b3dc4e9fd9c">
  <AuthnContext>
Error 3--The web browser displays an error message when a SAML user is redirected to Aruba Central after logging in to IdP
- Description: The web browser displays the following error message when the SAML user logs into IdP and is redirected to Aruba Central:
error_code "FAILED EXTERNAL AUTH - SAML ACS PROCESSING" message "NameID not found in the assertion of the Response"
- Cause: This issue may occur when the name-id attribute is not configured in the IdP server.
- Solution: Verify the trace logs, check the IdP configuration, and ensure that the name-id attribute maps to the user's email address.
Error 4--The web browser displays a 404 error message when a SAML user is redirected to Aruba Central after logging into IdP
- Description: The web browser displays the following error message when a SAML user is redirected to Aruba Central after logging into IdP:
The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again. status_code 404
- Cause: This issue may occur due to one of the following reasons:
  - The name-id attribute does not contain user's email address.
  - The app-id attribute is not configured as Central in IdP.
  - The role attribute returned by the IdP is not configured in Aruba Central.
  - The group attribute in the IdP server is mapped to a group that is not available in your Aruba Central account.
  - IdP returns a tenant role for the SAML user of a standalone enterprise account.
- Solution: Verify the trace logs, check your Aruba Central deployment setup and the IdP configuration, and ensure that the correct values are configured for these attributes in the IdP server.
Error 5--Although the role attribute is not configured in IdP, the SAML user is assigned a readonly role
- Description: Although the role attribute is not configured in the IdP server, the SAML user is assigned a readonly role after logging in to Aruba Central.
- Cause: By default, Aruba Central assigns the readonly role to SAML users if the role attribute is not configured in the IdP.
- Solution: If you want the SAML user to have a specific role assigned, configure the role attribute for the user in the IdP server.
Error 6--A SAML user was able to log in to Aruba Central earlier, but cannot access Aruba Central now
- Description: The SAML user who was able to log in to Aruba Central earlier gets the following message during login:
The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again. status_code 404
This issue is observed when the customer ID of a SAML user is changed from an MSP to its tenant or from a tenant to its MSP in the IdP server.
- Cause: This issue occurs when the Aruba Central user database already has a user entry for the SAML user who tries to log in to Aruba Central after the customer ID modification in the IdP server.
- Solution: In the Account Home page, under Global Settings, click Users & Roles and delete the SAML user in Aruba Central. Verify that the user entry is removed from the user database.
Error 7--The web browser displays SAML authentication error message when a SAML user tries to log in to Aruba Central
- Description: When a SAML user tries to log in to Aruba Central, the following error message is displayed:
FAILED EXTERNAL AUTH - SAML ACS PROCESSING message 0 "invalid_response"
- Cause: This issue may occur due to certificate mismatch.
- Solution: Verify the SAML authorization profile configured in Aruba Central and ensure that the correct certificate is uploaded.
Error 8--The Aruba Central login page is displayed for the SAML user instead of the IdP login page
- Description: When a SAML user tries to access Aruba Central, the user is redirected to the Aruba Central login page instead of the IdP login page.
- Cause: This issue may occur when the SAML user is configured as a system user in Aruba Central.
- Solution: If a SAML user is added as a system user in Aruba Central, delete the system user entry for the user in Aruba Central.
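The attribute checks that Errors 2 through 5 ask you to make by eye in the trace can be scripted. The following Python is an added example, not Aruba code: it parses an assertion copied from SAML Tracer and reports which of the attributes named on this page (NameID, aruba_1_cid, aruba_1_app_1, aruba_1_app_1_role_1) are missing or malformed. The function names, the constructed sample assertions and the validity-window check are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# ElementTree is adequate for a trace you captured yourself; for XML from an
# untrusted source use a hardened parser such as defusedxml.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _local(tag):
    """Drop the XML namespace so 'saml:NameID' and bare 'NameID' both match."""
    return tag.rsplit("}", 1)[-1]


def _ts(value):
    """Parse the UTC timestamps seen in the trace, with or without milliseconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def diagnose(assertion_xml, now):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    name_id, attrs, window = None, {}, {}
    for el in ET.fromstring(assertion_xml).iter():
        tag = _local(el.tag)
        if tag == "NameID":
            name_id = (el.text or "").strip()
        elif tag == "Attribute":
            attrs[el.get("Name")] = [(v.text or "").strip() for v in el
                                     if _local(v.tag) == "AttributeValue"]
        elif tag == "Conditions":
            window = el.attrib

    def first(name):
        return (attrs.get(name) or [""])[0]

    findings = []
    if not name_id:
        findings.append(("error3", "NameID not found in the assertion"))
    elif not EMAIL_RE.match(name_id):
        findings.append(("error4", "NameID is not the user's email address"))
    if not first("aruba_1_cid"):
        findings.append(("error2", "customer ID (aruba_1_cid) missing"))
    # The trace shows the value 'central'; ignoring case is an assumption.
    if first("aruba_1_app_1").lower() != "central":
        findings.append(("error4", "aruba_1_app_1 is not 'central'"))
    if not first("aruba_1_app_1_role_1"):
        findings.append(("error5", "no role sent; user falls back to readonly"))
    # Generic SAML validity-window check, not one of the page's numbered errors.
    if "NotBefore" in window and now < _ts(window["NotBefore"]):
        findings.append(("window", "assertion is not yet valid"))
    if "NotOnOrAfter" in window and now >= _ts(window["NotOnOrAfter"]):
        findings.append(("window", "assertion has expired"))
    return findings


def build_sample(name_id, attributes):
    """Constructed test input shaped like the trace above; all values are placeholders."""
    ns = 'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    subject = f"<saml:NameID>{name_id}</saml:NameID>" if name_id else ""
    attr_xml = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        "</saml:Attribute>" for k, v in attributes.items())
    return (f"<saml:Assertion {ns}><saml:Subject>{subject}</saml:Subject>"
            '<saml:Conditions NotBefore="2019-06-14T11:52:47.881Z" '
            'NotOnOrAfter="2019-06-14T12:52:47.881Z"/>'
            f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
            "</saml:Assertion>")


GOOD = build_sample("admin@example.com", {
    "aruba_1_cid": "0123456789abcdef0123456789abcdef",
    "aruba_1_app_1": "central",
    "aruba_1_app_1_role_1": "admin",
})
BAD = build_sample("", {"aruba_1_app_1": "other-app"})
NOW = datetime(2019, 6, 14, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, diagnose(doc, NOW))
```

A clean result only means the IdP sent the expected attributes; whether the role and group values exist in your Aruba Central account still has to be checked in Users & Roles.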
Two-Factor Authentication
Aruba Central now supports two-factor authentication for both computers and mobile phones to offer a second layer of security to your login, in addition to the password. When two-factor authentication is enabled on a user account, the users can sign in to their Aruba Central account either through the mobile app or the web application, only after providing their password and the six-digit verification code displayed on their trusted devices.
When two-factor authentication is enabled at the customer account level, all the users belonging to the customer account are required to complete the authentication procedure when logging in to Aruba Central. If a user account is associated with multiple customer accounts and if two-factor authentication is enabled on one of these accounts, the user must complete the two-factor authentication during the login procedure.
If two-factor authentication is enabled on your accounts, you must install the Google Authenticator app on your devices such as mobile phones to access the Aruba Central application. When the users attempt to log in to Aruba Central with their credentials, the Google Authenticator app provides a six-digit verification code to complete the login procedure.
Installing the Google Authenticator App
For two-factor authentication, ensure that the Google Authenticator app is installed on your mobile device. During the registration process, the Aruba Central application shares a secret key with the mobile device of the user over a secure channel when the user logs in to Aruba Central. The key is stored in the Google Authenticator app and used for future logins to the application. This prevents unauthorized access to a user account because the authentication procedure involves two levels. When you register your mobile device successfully, the Google Authenticator app generates a six-digit token for the second-level authentication. A new token is generated every thirty seconds.
Enabling Two-factor Authentication for User Accounts
To enable two-factor authentication, complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users and Roles page is displayed.
2. From the Actions menu, slide the Two-Factor Authentication (2FA) toggle button to the right. The two-factor authentication is enabled for all the users associated with the account.
Two-factor Authentication for Aruba Central Web Application
When two-factor authentication is enabled for a customer account, the users associated with that customer account are prompted for two-factor authentication when they log in to Aruba Central. To complete two-factor authentication, perform the following actions:
1. Access the Aruba Central website.
2. Log in with your credentials. If two-factor authentication is enforced on your account, the two-factor authentication page opens.
3. Install the Google Authenticator app on your mobile device if not already installed.
4. Click Next.
5. If this is your first login since two-factor authentication is enforced on your account, open Google Authenticator on your mobile device.
6. Scan the QR Code. If you are unable to scan the QR code, perform the following actions:
a. Click the Problem in Reading QR Code link. The secret key is displayed.
b. Enter the secret key in the Google Authenticator app.
c. Ensure that the Time-Based parameter is set. Aruba Central is added to the list of supported clients and a six-digit token is generated.
7. Click Next.
8. Enter the six-digit token.
9. Select the Remember 2FA for 30 Days check box if you want the authentication to expire only after 30 days.
10. Click Finish.
Two-factor Authentication for the Aruba Central Mobile App
Two-factor authentication must first be enabled for your account. If two-factor authentication is not enabled, you log in to the application directly after a successful SSO authentication. To log in to Aruba Central app on your mobile device, perform the following actions:
1. Open the Aruba Central app on your mobile device.
2. Enter your username and password and click Log in. If the registration process is pending, an error message is displayed:
Please register for two-factor authentication in our web app to ensure secured authentication.
3. Enter the token. On successful authentication, the Aruba Central app opens.
Registering a New Mobile Device
If you have changed your mobile device, you need to install the Google Authenticator app on your new device and register again for two-factor authentication using a web browser on your desktop. To register your new mobile device, complete the following steps:
1. Log in to Aruba Central web application. The two-factor authentication page is displayed.
2. Click the Changed Your Mobile Device? link.
3. To register your new device and receive a reset email with instructions, click Send 2FA Reset Email. A reset email with instructions will be sent to your registered email address:
Figure 88 Reset Two-Factor Authentication Email
4. Follow the instructions in the email and complete the registration.
Support Access
Aruba technical support may ask you to enable Support Access to debug issues. After you enable Support Access, the Aruba support team can access your Aruba Central account remotely. Only users with administrator role can enable Support Access.
Enabling Support Access
To enable Support Access, complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users and Roles page is displayed.
2. From the Actions menu, slide the Support Access toggle button to the right.
3. Set password expiry by selecting the number of days and click Get Password. A new password is generated.
4. Copy the password and share it with the Aruba technical support representative.
Disabling Support Access
After the remote support session is complete, do the following to disable Support Access:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users and Roles page is displayed.
2. From the Actions menu, slide the Support Access toggle button to the left.
Managing License Keys
A license key is an alphanumeric string with 9 to 14 characters; for example, PQREWD6ADWERAS. Aruba Central can manage a device only if the corresponding license key of the device is added to Aruba Central. License keys can either be evaluation license keys that map to evaluation licenses or paid license keys that map to paid licenses. The evaluation license key is valid for 90 days. To use Aruba Central for managing, profiling, analyzing, and monitoring your devices, you must ensure that you have a valid license key and that the license key is listed in the Account Home > Global Settings > Key Management page.
Evaluation License Key
The evaluation license key is enabled for trial users by default. It allows you to add up to a total of 60 devices. For an evaluation user, a set of evaluation keys is generated. The Account Home > Global Settings > Key Management page displays the license expiration date in the Key Management table. You will receive license expiry notifications through email 30, 15, and 1 day before the license expiry and on day 1 after the license actually expires. The number of days left for license expiry is also displayed in the respective app under the Apps section of the Account Home page.
Upgrading to a Paid Account
If you have purchased a license for an AP, a switch, or a gateway, then upgrade your account by completing the following steps:
1. On the Account Home page, in the Network Operation app, click the link that shows the number of days left for the evaluation to expire.
Figure 89 Network Operations Evaluation Account

The Add a New License window is displayed.
2. Enter the new license key that you purchased from Aruba.
3. Click Add License.
After you upgrade your account, you can add more devices, enable services, and continue using Aruba Central.
Paid License Key
If you have purchased a license key, you must ensure that your license key is added to Aruba Central. If you are logging in for the first time, Aruba Central prompts you to add your license key to activate your account. Ensure that you add the license key before on-boarding devices to Aruba Central. The Account Home > Global Settings > Key Management page displays the license expiration date. You receive the license expiry notifications through email 90, 60, 30, 15, and 1 day before expiry and two notifications each day on day 1 and day 2 after the license expires. When you upgrade or renew your license, or purchase another license key, you must add the key details in the Account Home > Global Settings > Key Management page to avail the benefits of the new license.
Adding a License Key
1. On the Account Home page, under Global Settings, click Key Management. The Key Management page is displayed.
2. Enter your license key.
3. Click Add Key.
The license key is added to Aruba Central and the contents of the license key are displayed in the Manage Keys table. Review the license details. If you add a Device Management token, the key is listed in the Convert Deprecated Licenses page. For more information, see Converting Legacy Tokens to New Licenses.
Viewing License Key Details
To view the license key details, navigate to Account Home > Global Settings > Key Management. The Key Management page provides information about license keys available for the devices and their details such as license tier, expiration date, and quantity of licenses. The Key Management sections are described in the next topics.
License Summary
For the selected device type or app, or for all devices, the License Summary section lists all the available licenses, the total number of licenses, the number of assigned licenses, and the number of unassigned licenses. The available devices are APs, switches, and gateways. The Applications tab currently lists the license keys for the Network Operations app and the ClearPass Device Insight app (where applicable). Click a single or multiple licenses in the License Summary section to display the details of the license type in the Key Management table. To unselect the license, click the selected license type again.
Figure 90 License Summary Details for APs

The preceding screenshot shows the following details:
- Total number of AP Foundation Licenses = 101
- Assigned AP Foundation Licenses = 2
- Unassigned AP Foundation Licenses = 99
- Total number of AP Advanced Licenses = 0

Key Management Table Details
The following table describes the contents of the Key Management table:

Table 49: License Key Details

Data Pane Item | Description
Key | License key number.
License Tier Type | Type of the license. Aruba Central supports the following types of licenses: Foundation and Advanced. The Foundation and Advanced licenses for APs, switches, and SD-WAN gateways are different from each other and cannot be used interchangeably.
Expiration | Expiration date for the license key.
License Quantity | Number of licenses available.

To arrange the rows in ascending or descending order, use the sorting icon in the table header rows.
You can also use the row header indicated by the filter icon to type in search queries to refine the search.
License Expiry Date
The Key Management table displays the expiration date for each license. As a license's expiration date approaches, users receive expiry notifications. The users with an evaluation license receive license expiry notifications through email 30, 15, and 1 day before the license expiry and on day 1 after the license actually expires. The users with paid licenses receive license expiry notifications through email 90, 60, 30, 15, and 1 day before expiry and two notifications per day on day 1 and day 2 after the license expires. If a license for the particular device expires, Aruba Central no longer manages that device. Currently, Aruba Central does not give an option to remove the expired licenses from the UI. The expired licenses are displayed in the Key Management table with the expired date.
Converting Legacy Tokens to New Licenses
The conversion of unassigned Device Management tokens to Foundation Licenses for APs, switches, and gateways is a one-time operation for the selected Device Management tokens. The Device Management token can either be an evaluation token or a purchased token.

The Service Management tokens are not converted into the Aruba Central Licenses.
If you do not convert the unassigned Device Management tokens by 31 December 2021, all the tokens are automatically converted to AP Foundation Licenses. If you wish to revert a conversion, you must contact Aruba Technical Support.

To complete the license conversion:
1. On the Account Home page, go to Global Settings > Key Management. The Key Management page is displayed.
2. Click Click here to complete license conversion. The Convert Deprecated Licenses page is displayed.
3. Select the key that you want to convert and click Convert on the row. The Convert Deprecated Licenses window is displayed.
4. Select the option to which you want to convert the unassigned device license for the key.
5. Click Convert.
The Convert button is available only when all the licenses are assigned for the selected key.
6. View the Global Settings > License Assignment page.
A list of new licenses assigned for the deprecated keys is displayed.

Download Conversion Logs
This option provides information about how legacy Device Management and Services subscription keys are converted to Aruba Central Licenses either using automatic or manual license assignment. The information can be downloaded as a PDF document. The document contains a table which provides following information:
- Conversion Time--Date and time when the legacy keys are converted to Aruba Central Licenses.
- SKU Type--Legacy key type as Device Management or Service subscription.
- Subscription Key--Legacy subscription key details.
- Start Date--Start date of the legacy subscription.
- End Date--End date of the legacy subscription.
- Remaining Unassigned Quantity--Number of Aruba Central Licenses that are not yet assigned (after the legacy subscription keys are converted).
- Converted Subscriptions--Information about the Aruba Central Licenses to which the legacy keys are converted.
Managing License Assignments
Aruba offers two tiers of device licenses as part of the Aruba Central Licenses. The two tiers are Foundation and Advanced Licenses. The devices in Aruba Central that offer Foundation and Advanced Licenses include the following:
- APs
- Switches
- SD-Branch Gateways
The value-added services that previously required service subscriptions are now packaged as part of either a Foundation or an Advanced License. To know more about the different types of licenses available for the devices, and the services packaged with each license, see Overview of Aruba Central Foundation and Advanced Licenses. Before proceeding with the license assignment, ensure that all the license keys are available in Aruba Central. For more information on how to add license keys to Aruba Central, see Managing License Keys.
For more information about MSP Licenses, see Managing MSP Licenses.
Licensing Workflow in the Initial Setup Wizard
To enable automatic assignment of licenses from the Initial Setup Wizard:
1. Verify that you have a valid license key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the Assign License tab, turn on the Auto Assign License toggle switch.
Licensing Workflow for a New User
If you are a new user in Aruba Central, you can avail of either the evaluation license or a paid license. For an evaluation user, see the workflow at Starting Your Free Trial. For a paid user, see the workflow at Setting up Your Aruba Central Instance.

If you are a new user in Aruba Central and have purchased one or several licenses, ensure that all of your license keys are added to Aruba Central. For license assignment to devices, you can avail of one of the following options:
- Use the Auto-Assign Licenses option
- Manually assign, update, or unassign licenses
Enabling the Auto-Assign Licenses Option
The Auto-Assign Licenses option in Aruba Central enables automatic assignment of available licenses to all of the devices available in the inventory. When you enable this option, you must specify the preferred license type as either Foundation or Advanced. You cannot manually assign licenses to devices if the Auto-Assign Licenses option is enabled.
The licenses for APs, switches, and gateways cannot be used interchangeably. For example, you cannot use an AP Foundation License on a gateway. Similarly, if an Aruba 25xx Switch is in the inventory but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch. Before enabling the Auto-Assign License option for a specific device type, ensure that there are sufficient available licenses for the specific device type.
To enable automatic assignment of licenses from the License Assignment page:
1. On the Account Home page, under Global Settings, click License Assignment. The License Assignment page is displayed.
2. Select the device type to assign the license. The available tabs are Access Points, Switches, and Gateways. The total number of devices for each device type is displayed for each of the tabs.
3. On the device tab, slide the Auto-Assign Licenses toggle switch to the On position. The Manage License Assignment (Auto) window is displayed.
4. Select the appropriate license type, Foundation or Advanced, from the drop-down menu, and then click Update. All the unassigned devices of the selected type in the inventory are enabled for automatic assignment of license.
Manually Assigning, Updating, or Unassigning Licenses
The License Assignment page enables you to assign, update, or even unassign a license from a device. Aruba Central monitors devices with a valid license only.
The licenses for APs, switches, and gateways cannot be used interchangeably. For example, you cannot use an AP Foundation License on a gateway. Similarly, if an Aruba 25xx Switch is in the inventory but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch.
To manually assign licenses to devices or to change the existing license assignment: 1. On the Account Home page, under Global Settings, click License Assignment. The License Assignment page is displayed.
2. Select a device type tab. The available tabs are Access Points, Switches, and Gateways. The total number of devices for each device type is displayed for each of the tabs.
3. Under License Summary, ensure that the Auto-Assign Licenses option is disabled. You cannot manually assign licenses if the Auto-Assign Licenses option is enabled.
4. Select the device for which you want to assign or update the license. Clicking on a device type displays two additional sub-tabs: Licensed and Unlicensed.
To manually assign or update licenses for all devices of a type, click Select All. You can also select devices at random.
5. Click Manage. The Manage License Assignment (Manual) window is displayed.
6. Do one of the following:
a. To update or assign a license: Select the appropriate license from the drop-down menu and click Update.
b. To unassign a license: Select Unassign to remove the existing license from that device.
Migration Workflow for an Existing User
Whether you are an evaluation user or a user with purchased licenses, the following is the migration workflow to the new Aruba Central Licenses:
Any existing rules set about Service Management tokens through APIs are discarded during the migration.
1. For all existing APs and switches that are already assigned licenses in the legacy system, the licenses are automatically converted to device-specific Foundation Licenses in the new model. The gateway licenses remain unchanged.
2. To check how the migration was done, and to learn more about the new license keys and corresponding licenses, in the Account Home page, go to Global Settings > Key Management. For more information about the Key Management page, see Managing License Keys.
3. To check how the legacy licenses were converted, navigate to Account Home > Global Settings > Key Management page, and click the Download Conversion Logs link.
4. If there are unassigned evaluation or purchased Device Management tokens, you can convert the legacy tokens to license keys for the new Aruba Central Licenses.
Service Management tokens are not converted. Instead, the AP licenses are pre-packaged with additional services.
To know more about converting unassigned Device Management tokens, see Converting Legacy Tokens to New Licenses.
5. If you had the auto-licensing option enabled before migration, in the new licensing model the Auto-Assign Licenses option is automatically enabled for APs, switches, and gateways. The Auto-Assign Licenses option for APs and switches is set with the corresponding device-specific Foundation Licenses.


The Auto-Assign Licenses option for gateways is not enabled during the migration.
For more information about the Auto-Assign Licenses option, see Enabling the Auto-Assign Licenses Option.
6. If you had the auto-licensing option disabled before migration, this option is also disabled in the new licensing system.
Viewing the License Assignment Details
The License Assignment page consists of three sections for the type of device selected from the tabs. The device can be Access Points, Switches, or Gateways.
License Summary
A summary of the types of licenses available for the selected device type, the number of licenses available, and the number of licenses assigned. The available devices for Aruba Central include APs, switches, and gateways. Clicking on a device type displays two additional sub-tabs: Licensed and Unlicensed. Clicking on one or more license types in the License Summary section displays the details of the license type in the License Management section. To deselect the license, click the selected license type again.
License Assignment
The License Assignment section provides detailed information about all the devices in the inventory and the license status of each device. This table provides the following information about each device in the inventory:
- Type
- Serial Number
- MAC address
- Model
- Customer
- Assigned License
Use the sorting icon in the table header row to arrange the rows in ascending or descending order. You can also use the row header indicated by the filter icon to type in search queries to refine the search.
Renewing License Assignments
To renew your license, contact your Aruba Sales team.
Automatic License Assignment Workflow
The Auto-Assign Licenses option can be set to either Foundation or Advanced. This option enables Aruba Central to automatically assign licenses to all the available APs, switches, and gateways. This section explains how the Auto-Assign Licenses option works with the help of a sample Aruba Central account.
Sample Aruba Central Account Details
Assume an Aruba Central account with the following devices:
- APs - 10
- Gateways - 1 Aruba 90xx Series Gateway and 1 Aruba 70xx Series Gateway
- Aruba 29xx Series Switches - 2
Now assume that you have the following licenses:
- AP Foundation Licenses - 5
- AP Advanced Licenses - 10
- Gateway Foundation Base Licenses - 5
- Gateway Advanced with Security Licenses - 5
- Switch Foundation Licenses for 6200/29xx - 5
Here are the available scenarios for the Auto-Assign Licenses option. Note that only one can be chosen during actual installation.
- Auto-Assign Licenses Option Set to Foundation
- Auto-Assign Licenses Option Set to Advanced
If you have an Aruba Central account with legacy Device Management tokens, the tokens are utilized during the automatic license assignment workflow if and when there is no availability of licenses. The legacy tokens are converted to Foundation Licenses of the required type and assigned to the devices that did not have any licenses mapped. For more information, see Using Legacy Device Management Tokens.
Auto-Assign Licenses Option Set to Foundation
If you enable the Auto-Assign Licenses option and set the preference to Foundation, this is how the device-to-license mappings are done:
- For APs--First, the Foundation Licenses for APs are used. Since there are five AP Foundation Licenses, five APs are assigned the Foundation Licenses. For the remaining five APs, the Advanced License pool for APs is used and the five remaining APs are assigned Advanced Licenses.
- For Gateways--First, the Foundation Base Licenses for gateways are used. Since there are only two gateways and the Foundation Base Gateway Licenses are applicable to both the Aruba 70xx Series and 90xx Series Gateways, two Foundation Base Licenses for gateways are assigned.
- For Switches--First, the Foundation Licenses for switches are used. Since there are only two 29xx Series Switches and two Foundation Licenses for 29xx Series Switches are available, these are assigned.
The following is the final device-to-license mapping:
- APs (10) - Five AP Foundation Licenses and five AP Advanced Licenses
- Gateways (2) - Two Gateway Foundation Base Licenses
- Switches (2) - Two Switch Foundation Licenses for 6200/29xx
Auto-Assign Licenses Option Set to Advanced
If you enable the Auto-Assign Licenses option and set the preference to Advanced, this is how the device-to-license mappings are done:
- For APs--First, the Advanced Licenses for APs are used. Since there are five AP Advanced Licenses, five APs are assigned with the Advanced License. For the remaining five APs, the Foundation License pool for APs is used and the five remaining APs are assigned Foundation Licenses.


- For Gateways--First, the Advanced with Security Licenses for gateways are used. Since there are only two gateways and the Advanced with Security Licenses are applicable to both the Aruba 70xx Series and 90xx Series Gateways, two Advanced with Security Licenses for gateways are assigned.
- For Switches--There are no Advanced Licenses for switches available. Hence, the Foundation Switch Licenses for 6200/29xx are used. Since there are only two switches, two Foundation Licenses for switches are assigned.
The following is the final device-to-license mapping:
- APs (10) - Five AP Advanced Licenses and five AP Foundation Licenses
- Gateways (2) - Two Gateway Advanced with Security Licenses
- Switches (2) - Two Switch Foundation Licenses
Using Legacy Device Management Tokens
When you enable the Auto-Assign Licenses option, and there are no available Foundation or Advanced Licenses left to assign, Aruba Central has the option of checking whether legacy Device Management tokens are available and using those tokens instead. The legacy tokens are converted to Foundation Licenses of the required type and assigned to the devices that did not have any licenses mapped. Assume that you have the following devices:
- APs - 20
- Gateways - 2
- Switches - 2
For the sake of simplicity, the gateway and switch model types are omitted from this example.
Now assume that you have the following licenses:
- AP Foundation Licenses - 5
- AP Advanced Licenses - 10
- Legacy Device Management Tokens - 20
If you enable the Auto-Assign Licenses option and set the preference to Foundation Licenses, this is how the device to license mappings are done:
- For APs--First, the Foundation Licenses for APs are used. Since there are five AP Foundation Licenses, five APs are assigned the Foundation Licenses. Next, the 10 AP Advanced Licenses are assigned. For the remaining five APs, there are no licenses available. Aruba Central then converts five legacy Device Management tokens to five AP Foundation Licenses and assigns them to the remaining five APs. There are now 15 legacy Device Management tokens available.
- For Gateways--There are no available gateway licenses. Aruba Central converts two legacy Device Management tokens to two Gateway Foundation Licenses and assigns them to the two gateways. There are now 13 legacy Device Management tokens available.
- For Switches--There are no available switch licenses. Aruba Central converts two legacy Device Management tokens to two Switch Foundation Licenses and assigns them to the two switches. There are now 11 legacy Device Management tokens available.
The following is the final device to license mapping:
- APs (20) - 10 AP Foundation Licenses, five AP Advanced Licenses
- Gateways (2) - Two Gateway Foundation Licenses
- Switches (2) - Two Switch Foundation Licenses
- Legacy Device Management Tokens left - 11
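The fallback order walked through in this section (preferred tier first, then the other tier, then legacy Device Management tokens converted to Foundation Licenses) can be replayed with the added Python example below; it is not Aruba Central code. The function names, the dictionary layout, and the reduction of license variants to two tiers per device class are assumptions, and the sample numbers are taken from the legacy-token steps above. Because Aruba Central monitors only devices with a valid license, the example also reports devices that would be left unlicensed.

```python
TIERS = ("Foundation", "Advanced")


def auto_assign(devices, pools, preference, legacy_tokens=0):
    """Replay one auto-assignment pass (hypothetical model, not a Central API).

    devices:       {device_class: number of unlicensed devices}, in processing order
    pools:         {device_class: {"Foundation": n, "Advanced": n}} available licenses
    preference:    tier that is tried first, "Foundation" or "Advanced"
    legacy_tokens: unassigned legacy Device Management tokens

    Returns (mapping, tokens_left). mapping[device_class] holds the number of
    devices licensed per tier, how many of the Foundation Licenses came from
    converted tokens, and how many devices remain unlicensed.
    """
    if preference not in TIERS:
        raise ValueError(f"preference must be one of {TIERS}")
    if legacy_tokens < 0:
        raise ValueError("legacy_tokens cannot be negative")

    # Preferred tier first, then the remaining tier.
    order = (preference,) + tuple(t for t in TIERS if t != preference)
    tokens = legacy_tokens
    mapping = {}

    for dev_class, count in devices.items():
        # Licenses are not interchangeable between device classes, so only
        # this class's own pool is consulted.
        pool = pools.get(dev_class, {})
        row = {"Foundation": 0, "Advanced": 0, "from_tokens": 0, "unlicensed": 0}
        remaining = count

        for tier in order:
            take = min(remaining, pool.get(tier, 0))
            row[tier] = take
            remaining -= take

        # Last resort: convert legacy tokens to Foundation Licenses of this class.
        converted = min(remaining, tokens)
        row["from_tokens"] = converted
        row["Foundation"] += converted
        tokens -= converted

        row["unlicensed"] = remaining - converted
        mapping[dev_class] = row

    return mapping, tokens


def unmonitored(mapping):
    """Device classes that still have unlicensed (and so unmonitored) devices."""
    return {c: r["unlicensed"] for c, r in mapping.items() if r["unlicensed"]}


# Sample data constructed from the legacy-token steps on this page.
DEVICES = {"AP": 20, "Gateway": 2, "Switch": 2}
POOLS = {"AP": {"Foundation": 5, "Advanced": 10}}

if __name__ == "__main__":
    result, left = auto_assign(DEVICES, POOLS, "Foundation", legacy_tokens=20)
    for dev_class, row in result.items():
        print(dev_class, row)
    print("legacy tokens left:", left)

    # Same inventory with only 3 tokens: some devices end up unlicensed.
    short, _ = auto_assign(DEVICES, POOLS, "Foundation", legacy_tokens=3)
    print("unlicensed devices by class:", unmonitored(short))
```

Running the same function against a planned inventory before enabling the toggle shows whether any device class would run out of licenses and tokens.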
Aruba Central Licenses Feature Details
This section provides a description about the different configuration and monitoring options available for Aruba Central features tied to Foundation and Advanced Licenses.
Configuration
AP Configuration
License Applicability: AP configuration is available for AP Foundation License. Network administrators can manage APs through the Aruba Instant UI, Aruba Central, or AirWave management system. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AP deployments. For template-based provisioning, APs must be assigned to a group with template-based configuration method enabled.
AOS-Switch Configuration
License Applicability: AOS-Switch configuration is available for Switch Foundation License. Network administrators can manage AOS-Switches through the Aruba Central UI menu options. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AOS-Switch deployments.
AOS-CX Configuration
License Applicability: AOS-CX configuration is available for Switch Foundation License. Network administrators can manage AOS-CX switches through the Aruba Central UI menu options and the MultiEdit mode. The MultiEdit mode in Aruba Central provides a single window for viewing and editing the configuration for one or more AOS-CX switches. In this mode, viewing and editing the configuration is performed using the CLI syntax. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AOS-CX deployments.
Auto-Commit
License Applicability: Auto-Commit is available for Foundation and Advanced Licenses for APs, switches, and gateways. Aruba Central supports a two-staged configuration commit workflow for Instant APs. When the auto-commit state is enabled for a group, the configuration changes are instantly applied to all devices where the auto-commit state is enabled.


Configuration Audit
License Applicability: Configuration Audit is available for Foundation and Advanced Licenses for APs, switches, and gateways. In Aruba Central, the Configuration Audit page provides an audit dashboard for reviewing configuration changes of the devices provisioned in the UI and template groups. The Configuration Audit page allows you to view configuration push errors, template synchronization errors, configuration sync, and device-level configuration overrides.
Gateway Configuration
License Applicability: Gateway configuration is available for Gateway Foundation and Foundation Base Licenses. Aruba Central supports the following methods to configure Gateway groups and Gateways in SD-Branch deployments:
- Guided Setup--You can use the Guided Setup to quickly configure basic and essential parameters on Aruba Gateways for deploying the SD-WAN solution. The Guided Setup provides a wizard-based workflow for provisioning Gateways.
- Basic Mode--Allows you to configure your Gateways in a non-linear fashion. This mode allows you to make configuration changes after you provision your gateways for the first time using a Guided setup.
- Advanced Mode--Allows you to configure advanced features for SD-WAN deployments.
Template groups in Aruba Central allow network administrators to create a common configuration output by using a combination of CLI commands and variables, and apply this configuration to the other Gateway devices provisioned in that group.
Monitoring and Reporting
Access, Spectrum, Monitor Mode of Radio Operations
License Applicability: The Access, Spectrum, and Monitor modes of the radios of an access point are available for AP Foundation and Advanced Licenses. In the Access mode, the Instant AP serves clients, while also monitoring for rogue Instant APs in the background. In the Monitor mode, the Instant AP acts as a dedicated monitor, scanning all channels for rogue Instant APs and clients. In the Spectrum mode, the Instant AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring Instant APs or from non Wi-Fi devices such as microwaves and cordless phones.
Alerts and Events
License Applicability: Alerts and events for APs, Gateways, and switches are part of the Foundation License and do not require any extra configuration. This tab shows data for all devices irrespective of device license type. The Alerts and Events dashboard displays a list of alerts and events generated for events pertaining to device provisioning, configuration, and user management. You can view the alerts and events in the List view and Summary view. Configuration view is used to configure alerts and is available only at the Global context.
Application Visibility
License Applicability: The Application Visibility feature is a part of a Foundation License. However, as API streaming is available for Advanced Licenses only, the Application Visibility streaming service is supported only for APs with an Advanced License.
Application Visibility is a custom-built Layer-7 firewall capability in Aruba Central that allows you to create firewall policies based on the types of applications in IAPs. Application Visibility provides features like deep packet inspection, application monitoring, and AirSlice Policy.
Audit Trail
License Applicability: Audit Trail logs for APs, gateways, and switches are part of the Foundation License and do not require any extra configuration. This tab shows data for all devices irrespective of device license type. The Audit Trail page in Aruba Central shows the total number of logs generated for all device management, configuration, and user management events triggered in the network.
Client List and Details
License Applicability: Clients monitoring is available for the Foundation License of AP, switch, and gateway. The Clients page is also called the unified clients list and it provides a list of all clients that are connected to access points, switches, or gateways in the network. The List and Summary views under the Clients tab serve as dashboards. It displays details about the network performance, client connection status, instantaneous client refresh, Go Live (only AP), and other information required for monitoring the clients.
Floorplans
License Applicability: Floorplans is available for AP and gateway Foundation Licenses. Floorplans allow you to plan sites, create and manage floorplans, and provision access points. Floorplans provide a real-time picture of the radio environment of your wireless network and the ability to plan the wireless coverage of new sites.
Reports
License Applicability: Reports is available for the Foundation License. The Reports feature enables you to generate reports for the Clients, Infrastructure, Security Compliance, and Applications categories. The Reports feature is present under the Analyze section of the Network Operations app. The functionalities present are creating a report, generating a report, scheduling the report generation, previewing a report, and downloading a report in PDF and CSV formats. The Custom range for the Summary report is available for the last one year, except the current date (today). All other reports are available for 90 days in Aruba Central 2.5.3.
Topology
License Applicability: Topology is available for Foundation and Advanced Licenses for APs, switches, and gateways. In Aruba Central, the Topology tab in the site dashboard provides a graphical representation of the site, including the network layout, details of the devices deployed, and the health of the WAN uplinks and tunnels. The topology map provides information about third-party devices and devices that are not managed by Aruba. It also provides information about orphan and offline third-party devices, and the VLANs configured on switches running AOS-Switch and AOS-CX software.
Web Content Classification (WebCC)
License Applicability: The WebCC feature is available for Foundation Licenses for APs and gateways. The WebCC allows you to classify website content based on reputation and take measures to block malicious sites. It fetches information about website content classification and geolocation of IPs. The IP reputation database contains known IP addresses associated with various malicious activities or threats such as botnet, DOS, and spam sources. The geolocation IP database contains the geographical location of the IP address from where the traffic is received or to which the traffic is sent. This provides geolocation and reputation filtering as part of the security suite.
The table below lists the features supported for AP and gateway licenses:

AP Foundation
WebCC Firewall rules, visualization by reputation and category

Gateway Foundation and Foundation Base
WebCC Firewall rules, visualization by reputation and category

Wi-Fi Connectivity
License Applicability: The Wi-Fi Connectivity dashboard for APs is part of Foundation License and does not require any extra configuration. The Wi-Fi Connectivity page displays an overall view of the connection details for all clients that are connected to or tried to connect to each connection phase. The connection phases include the following:
- All--Displays the aggregated success percentage of Association, Authentication, and DHCP for all clients connected to the network.
- Association--Displays the percentage of successful attempts made by a client to connect to the network.
- Authentication--Displays the percentage of successful attempts of client authentication.
- DHCP--Displays the percentage of successful attempts of DHCP requests and responses when onboarding a client.
- DNS--Displays the percentage of successful attempts in the detected DNS resolutions, when a client is connected to the network.
AI Operations
AI Insights
License Applicability: AI Insights is available for Foundation and Advanced Licenses for APs, switches, and gateways. The Insights that require an Advanced License are marked as Advanced in the UI. The AI Insights dashboard displays a report of network events that could possibly affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level for the selected time range. Each insight provides specific details on the occurrences of these events for easy debugging. Different types of insights are generated by Aruba Central and they can be accessed from different contexts such as Global, Site, Clients, and Device. Some of the insights are part of an Advanced License only and they are marked as Advanced in the user interface. The following figure displays various AI Insights available and some are marked as Advanced.


Figure 91 AI Insights List

The table below lists the features supported for AP, switch, and gateway licenses:

AP Foundation License
- Connectivity--Wi-Fi
- Wireless Quality
- Availability--Access Points
- Class and Company Baselines

AP Advanced License
- Wireless Quality
  - Outdoor clients impacting Wi-Fi performance
  - Coverage Hole Detection
  - Transmit power optimization

Switch Foundation
- Availability--Switch
- Class and Company Baselines

Gateway Foundation, Foundation Base, and VGW
- Availability--Gateways
- Class and Company Baselines

In this release, all AI Insights are available irrespective of the user role or Aruba Central subscription. In the upcoming Aruba Central release, AI Insights marked as Advanced in the user interface would require an advanced subscription.
AI Search
License Applicability: AI Search feature is available for Foundation License for AP, switch, and gateway. The AI search feature in Aruba Central enables you to search for clients, devices, and infrastructure connected to the network. Using the search results, you can navigate to the configuration and troubleshooting pages. The search also retrieves relevant documentation to help you efficiently operate your networks. The search engine uses Natural Language Processing (NLP) to analyze queries and return relevant search results.


Dynamic Logs
License Applicability: Dynamic Logs is available for both Foundation and Advanced Licenses for APs and gateways. The Dynamic Logs feature enables Aruba Central to dynamically run CLI show commands on APs and gateways, and collect the output as logs. You can also enable the Aruba support notification option to notify TAC support regarding the logs generated. These logs can be used to troubleshoot the APs and gateways.
Dynamic Logs is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account. The following figure displays the available options for Dynamic Logs.
Figure 92 Dynamic Logs Option
For devices assigned with the Foundation License, the Dynamic Logs feature only supports the log collection activity. Even if you enable the Notify Aruba Support option, the option is not activated for devices licensed with Foundation License. For devices assigned with Advanced Licenses, Dynamic Logs support both log collection and the Aruba support notification option. For example, assume an Aruba Central account with Dynamic Logs enabled, where you configure a group of three Access Points (APs), AP1, AP2, and AP3. AP1 has a Foundation License while AP2 and AP3 have Advanced Licenses. For this group, both Dynamic logs collection and Notify Aruba Support options are enabled. However, the Aruba support notification option is only applicable for AP2 and AP3, which have Advanced Licenses.
Troubleshooting Live Events
Licensing Applicability: Live Events for clients, APs, and switches is part of the Foundation License and does not require any extra configuration. The clients Live Events page shows information required to troubleshoot issues related to a client or a site in real time for detailed analysis. Aruba Central also allows you to troubleshoot issues related to access points. The AP Live Events feature is similar to client live troubleshooting, but in this case Live Events can be enabled at the AP level. Currently, users can subscribe to Radio, VPN, and Spectrum events.
Live Packet Capture (PCAP)
Licensing Applicability: Live PCAP for APs and switches is part of Foundation License and does not require any extra configuration. Aruba Central allows users to interact and launch a targeted packet capture on a client connected to a specific AP or a switch. When the user starts packet capture from the UI, Aruba Central notifies the AP and the switch. The default packet capture duration is 15 minutes.
Troubleshooting Tools
License Applicability: Troubleshooting for APs, gateways, and switches is part of Foundation License and does not require any extra configuration. The Tools menu option allows network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. The Tools page is divided into the following tabs:
- Network Check--Allows you to run diagnostic checks on networks and troubleshoot client connectivity issues.
- Device Check--Allows you to run diagnostic checks and troubleshoot switches.
- Commands--Allows you to perform network health check on devices at an advanced level using command categories.
Services
AirGroup
License Applicability: AirGroup is available for both AP Foundation and Advanced Licenses. AirGroup is a zero-configuration networking protocol that enables service discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services. It is designed for flat, single-subnet IP networks such as wireless networking at home. AirGroup supports both wired and wireless devices.
AirGroup is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
In InstantOS-based APs, the service is hosted on the IAP Virtual controller and all services are supported.
AirMatch
License Applicability: AirMatch is available for AP Foundation License. AirMatch channel planning evens out channel distributions in any size of network and in any subset of the contiguous network. AirMatch also minimizes channel coupling where adjacent radios are assigned to the same channel.
AirSlice
License Applicability: The AirSlice feature is available for only AP Advanced Licenses. The AirSlice feature allows network operators to build virtual networks suitable for specific application requirements. It allows network operators to monitor applications used by clients and supports multiple services such as gaming, IoT, voice, video, and so on.


AirSlice is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
For devices that have Advanced Licenses, the AirSlice feature supports unlimited applications and provides prioritization of custom-applications with visibility and configuration. The table below lists the features supported for AP licenses:
Advanced
- Visibility and prioritization of applications
- Maximum number of applications as supported by the Aruba Central platform
ClientMatch
License Applicability: ClientMatch is available for AP Foundation License. ClientMatch continually monitors the RF neighborhood for each client to provide ongoing client band steering, load balancing, and enhanced AP reassignment for roaming mobile clients.
Presence Analytics
License Applicability: Presence Analytics is available for Foundation AP License. Presence Analytics enables businesses to collect and analyze user presence data in public venues, enterprise environments, and retail hubs. Presence Analytics also enables businesses to collect real-time data on user footprints within the wireless network range.
SaaS Express
License Applicability: SaaS Express is available for Advanced Gateway License and Advanced with Security Gateway License only. The SaaS Express feature, on SD-WAN Gateways, enables discovery of the SaaS application servers, monitors application performance, and steers traffic to the best-available servers, and thus provides an improved user experience.
Unified Communications
License Applicability: Unified Communications is available for AP Advanced Licenses. The Unified Communications feature enables a seamless user experience for voice calls, video calls, and application-sharing when using communication and collaboration tools. It allows you to actively monitor voice, video, and application-sharing sessions, provide traffic visibility, prioritize the required sessions, and provide rich visual metrics for analytical purposes.
Unified Communications is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
Security
Cloud Guest
License Applicability: Cloud Guest is available for the AP Foundation License. The Cloud Guest access enables the guest users to connect to the network. This is provided through the splash page profile that is created by the administrators for the guest users in the Guests tab under Manage. The Summary page in the Manage > Guest Access application is the monitoring dashboard that displays the number of guests, guest SSID, client count, type of clients, and guest connection. Cloud Guest deals with the AP, so the license that is assigned to the AP is also applicable to Cloud Guest. By default, the Foundation License is applicable. The Advanced License features will also be available if the Cloud Guest is assigned to it.
ClearPass Device Insight-Based Clients Profile
License Applicability: ClearPass Device Insight (CPDI) based Clients Profile is available for Foundation License for APs and gateways. The CPDI-based Clients Profile enables network and security administrators to discover, monitor, and automatically classify new and existing devices that connect to a network. You can identify devices that include IoT devices, medical devices, printers, smart devices, laptops, VoIP phones, computers, gaming consoles, routers, servers, switches, and so on.

CPDI-based Clients Profile is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
The table below lists the features supported for AP and gateway licenses:

Foundation
- Basic client MAC Classification based on telemetry data
- Client Family, Client Category, Client OS
- Cloud Auth Integration

Advanced
- Access to Collector support in Central (not including physical collector costs)
- ML-based client classification
- Advanced Security Features (Risk / Posture / Vulnerability)
- Security baseline of device behavior with Firewall recommendation

Intrusion Detection and Prevention (IDS or IPS)
License Applicability: IDS and IPS is available for Foundation with Security Gateway License, Foundation Base with Security Gateway License, and Advanced with Security Gateway License. The IDS and IPS monitors, detects, and prevents threats in the inbound and outbound traffic. Aruba IDS or IPS adds an extra layer of security that focuses on users, applications, network connections, and can be integrated with the Aruba SD-Branch solution.
RAPIDS
License Applicability: RAPIDS is available for Foundation and Advanced Licenses for APs. The RAPIDS feature enables Aruba Central to quickly identify and act on interfering APs in the network that can be later considered for investigation, restrictive action, or both. Once the interfering APs are discovered, Aruba Central sends alerts for security events to the network administrators about the possible threat and provides essential information needed to locate and manage the threat.
RAPIDS is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
This feature is part of the AP Foundation License. However, as API streaming is available for Advanced License only, Aruba Central would not stream any security events for APs with Foundation License. For APs with Advanced License, API streaming of security events is available for further diagnosis and threat management.
API
Streaming APIs
License Applicability: The Streaming API service requires that devices such as IAPs and gateways are assigned with Advanced License. The Streaming API feature enables you to subscribe to a select set of services, instead of polling the NB API to get an aggregated state, or statistics of the events, pertinent to the monitoring activities of Aruba Central. With Streaming API, you can write value-added applications based on the aggregated context. For example, with Streaming API, you are notified about the following types of events:
- The UP and DOWN status of the devices
- Change in location of stations
The Streaming API feature in Aruba Central is enabled only when any one of the devices in the account has an Advanced License. If the account has devices with only Foundation License, the Streaming API tab is not displayed in Aruba Central. If the Streaming API feature is enabled, and the account has a mix of Foundation License and Advanced License for devices, the devices that are assigned with Foundation License do not stream any data for any topics.
SD-Branch
Application-based Policy
License Applicability: The application-based policy configuration is available for Foundation License for Branch Gateways. The Application-based policy configuration helps in deep packet inspection of application usage by clients. Using this configuration, you can define applications, security, and service aliases. You can configure Access Control Lists (ACLs) to restrict user access to an application or application category.
Dynamic Path Steering
License Applicability: Dynamic Path Steering is available for Gateway Foundation and Foundation Base License. In the Path Steering tab, you can view traffic path steering details for the Dynamic Path Steering policies configured on the Branch Gateway. This tab also displays the number of policies that are compliant along with the total number of policies configured on the Branch Gateway.
Full SD-LAN Control
License Applicability: SD-LAN monitoring is available for Foundation License for Branch Gateways. The LAN Summary page displays a graphical representation of the LAN link availability of a Branch Gateway. It also provides a summary of all the LAN interfaces and port details.
IPsec VPN
License Applicability: IPsec VPN is available for Gateway Foundation and Foundation Base License. An IPsec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPsec tunnel to the controller secures corporate data. You can configure an IPsec tunnel from a virtual controller using Aruba Central.
Role-based Access Policy
License Applicability: Role-based Access Policy configuration is available for Foundation License for Branch Gateways. The Role-based Access Policy determines client access based on the user roles assigned to a client. Each user or device connected to the branch network is associated with a user role. Once the role is assigned, traffic and security policies are applied to devices based on the role.
SD-WAN Overlay
License Applicability: SD-WAN Overlay monitoring is available for Gateway Foundation License. The SD-WAN Overlay is an orchestrator service for branch deployments, which is done by setting up IPsec tunnels between the Branch Gateways and VPN Concentrators. This is achieved through Tunnel and Route orchestration. The tunnel configuration between the branch and hub sites is automatic, and the route configuration is done by dynamically redistributing the routing information learnt from the branch. The Map and Grid views of the Tunnel and Route tabs under SD-WAN Overlay serve as dashboards for monitoring purposes, providing information about the tunnels and routes configured for an individual Branch Gateway.
Stateful Firewalls
License Applicability: Stateful Firewalls is available for Gateway Foundation and Foundation Base License. Aruba Gateways support stateful firewall for stateful inspection of packets. Stateful firewalls provide an additional layer of security by tracking the state of network connections and using the state information from previous communications to monitor and control new communication attempts. To protect your network from external attacks and unauthorized communication attempts, you can configure match conditions and packet filtering criteria for the Aruba Gateways.
Web Content Filtering
License Applicability: Website content filtering is available for Foundation License for Branch Gateways. Aruba Gateways enhance branch security by providing real-time web content and reputation filtering. The Website Content Classification feature on Branch Gateways allows you to classify website content based on reputation and take measures to block malicious sites.
Managing Your Device Inventory
After you add the paid subscription key(s) to your Aruba Central account, device(s) purchased by you are automatically added to the device inventory in the respective Aruba Central account. For more information about subscription keys, see Managing License Keys. If the device you purchased does not show up in the inventory, you can manually add it. Aruba Central allows you to add up to 32 devices manually by entering the valid MAC and serial number combination for each device.
Users having roles with Modify permission can add devices. Users having roles with View Only permission can only view the Device Inventory module.
Viewing Devices
The devices provisioned in your account are listed in the Account Home > Global Settings > Device Inventory page. A dashboard lists the total number of devices and the number of access points, switches, and gateways in the inventory.

The following table describes the columns in the Devices table.

Table 50: Device Details

Parameter         Description
Serial Number     Serial number of the device.
MAC Address       MAC address of the device.
Type              Type of the device, for example Instant AP, switch, or gateway.
Model             Hardware model of the device.
Part Number       Part number of the device.
IMEI              The International Mobile Equipment Identity (IMEI) number of the gateway device. This field is applicable only for 9004-LTE gateways. Click the ellipsis icon in the table to select this column. It is not displayed by default.
IP Address        IP address of the device.
Name              Name of the device.
Group             Group assigned to the device.
Assigned License  License assigned to the device.

Adding Devices to Inventory
For information on adding devices, see Onboarding Devices.
Onboarding Devices
Aruba Central supports the following options for adding devices:
- If you are an evaluating user, you must manually add the serial number and MAC address of the devices that you want to manage from Aruba Central.
This section includes the following topics:
- Adding Devices (Evaluation Account)
- Adding Devices (Paid Subscription)
- Manually Adding Devices
Adding Devices (Evaluation Account)
Use one of the following methods to add devices to Aruba Central:
- Using the Initial Setup Wizard
- Using the Device Inventory Page

Using the Initial Setup Wizard
1. In the Add Devices tab of the Initial Setup wizard, click Add Device.
2. Enter the serial number and MAC address of your devices.
You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
3. Click Done.
4. Review the devices in your inventory.
Using the Device Inventory Page
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Add Devices. The Add Devices pop-up window is displayed.
3. Enter the serial number and the MAC address of each device. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
4. Click Done.
5. Review the devices in your inventory.
Adding Devices (Paid Subscription)
If your devices are not added to your inventory, set up a device sync by adding one device from your purchase order. To set up device sync, use one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page
In the Initial Setup Wizard
1. Ensure that you have added a license key and click Next.
2. In the Add Devices tab, enter the serial number and MAC address of any one device from your purchase order. Most Aruba devices have the serial number and MAC address on the front or back of the hardware.
3. Click Add Device. Aruba Central imports all other devices mapped to your purchase order.
4. Review the devices in your inventory.
5. Perform the following options:
   - Add Devices Manually: Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App: Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support: Contact Aruba Technical Support.
From the Device Inventory Page

1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
Aruba Central imports only devices associated with your account from Activate.
2. Do any one of the following:
   - Click Sync Devices. Enter the serial number and MAC address and click Add Device.
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.
Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Review the devices in your inventory.
4. Perform the following options:
   - Add Devices Manually: Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App: Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support: Contact Aruba Technical Support.
Manually Adding Devices
Aruba Central allows you to set up only a manual sync of devices from the Activate database, using one of the following methods:
- Adding Devices Using MAC address and Serial Number
- Adding Devices Using Activate Account
- Adding Devices Using Cloud Activation Key
You can set up only a manual sync for Aruba Central-managed folders such as the default, licensed, and non-licensed folders.
Adding Devices Using MAC address and Serial Number
You can find the serial number and MAC address of Aruba devices on the front or back of the hardware. To add devices using MAC address and serial number, use any one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page
In the Initial Setup Wizard
If you are using the Initial Setup wizard:
1. In the Add Devices tab of the Initial Setup wizard, click Add Device.
2. Enter the serial number or the MAC address of your device.
3. Click Done.
4. Review the list of devices.
From the Device Inventory Page
To add devices from the Device Inventory page:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Perform one of the following:
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.
Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Click Done.
4. Review the devices added to the inventory.
When you add the serial number and MAC address of one AP from a cluster or a switch stack member, Aruba Central imports all devices associated in the AP cluster and switch stack respectively.
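A pre-upload check for the CSV import described above, so that a bad row or an oversized file is caught before the import is attempted. This is an added example, not Aruba code: the `serial` and `mac` column names and the alphanumeric serial rule are assumptions (the page does not show the sample CSV layout), and the "100 devices or available tokens" limit is read as whichever is lower.

```python
import csv
import io
import re

MAX_CSV_DEVICES = 100  # CSV import cap stated in the guide

# Constructed sample input; column names are hypothetical.
SAMPLE = """serial,mac
CN00000001,aa:bb:cc:00:00:01
CN00000002,AA-BB-CC-00-00-02
CN00000001,aabb.cc00.0003
CN00000004,aa:bb:cc:00:00:zz
,aa:bb:cc:00:00:05
"""


def normalize_mac(value):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or None if it is not 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", value.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_import(csv_text, available_tokens=MAX_CSV_DEVICES):
    """Check a device CSV before upload. Returns (devices, errors)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {"serial", "mac"} - set(reader.fieldnames or [])
    if missing:
        return [], [f"header: missing column(s) {sorted(missing)}"]

    devices, errors = [], []
    seen_serial, seen_mac = {}, {}  # value -> line where it first appeared
    rows = 0
    for row in reader:
        line = reader.line_num
        rows += 1
        serial = (row.get("serial") or "").strip().upper()
        mac = normalize_mac(row.get("mac") or "")
        problems = []
        # Assumption: a serial number is a non-empty alphanumeric string.
        if not re.fullmatch(r"[A-Z0-9]+", serial):
            problems.append("serial missing or not alphanumeric")
        elif serial in seen_serial:
            problems.append(f"serial duplicates line {seen_serial[serial]}")
        if mac is None:
            problems.append("MAC is not 12 hex digits")
        elif mac in seen_mac:
            problems.append(f"MAC duplicates line {seen_mac[mac]}")
        if problems:
            errors.extend(f"line {line}: {p}" for p in problems)
            continue
        seen_serial[serial] = seen_mac[mac] = line
        devices.append((serial, mac))

    # Assumption: the effective cap is the lower of 100 and the available tokens.
    limit = min(MAX_CSV_DEVICES, available_tokens)
    if rows > limit:
        errors.append(f"file: {rows} rows exceeds import limit of {limit}")
    return devices, errors


if __name__ == "__main__":
    ok, problems = validate_import(SAMPLE)
    print(f"{len(ok)} device(s) ready for import")
    for problem in problems:
        print("REJECT", problem)
```

Because adding one AP from a cluster or one switch stack member imports the associated devices as well, the row count checked here is a lower bound on what ends up in the inventory.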
Adding Devices Using Activate Account
- Use this device addition method only when you want to migrate your inventory from Aruba AirWave or a standalone AP deployment to the Aruba Central management framework.
- Use this option with caution as it imports all devices from your Activate account to the Aruba Central device inventory.
- You can use this option only once. After the devices are added, Aruba Central does not allow you to modify or re-import the devices using your Aruba Activate credentials.
To add devices from your Activate account:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Advanced and select Using Activate.
3. Enter the username and password of your Activate account.
4. Click Add.
5. Review the devices added to the inventory.

Adding Devices Using Cloud Activation Key
When you import devices using the Cloud Activation Key, all your devices from the same purchase order are added to your Aruba Central inventory.
Before adding devices using cloud activation key, ensure that you have noted the cloud activation key and MAC address of the devices to add.
Locating Cloud Activation Key and MAC Address
To know the cloud activation key:
- For APs:
  1. Log in to the WebUI or CLI.
     - If using the WebUI, go to the Maintenance > About.
     - If using the CLI, execute the show about command.
  2. Note the cloud activation key and MAC address.
- For Aruba Switches:
  1. Log in to the switch CLI.
  2. Execute the show system | in Base and show system | in Serial commands.
  3. Note the cloud activation key and MAC address in the command output.
- For Mobility Access Switches:
  1. Log in to the Mobility Access Switch UI or CLI.
     - If using the UI, go to the Maintenance > About.
     - If using the CLI, execute the show inventory | include HW and show version commands.
  2. Note the cloud activation key and MAC address.
  The activation key is enabled only if the switch has access to the Internet.
Adding Devices Using Cloud Activation Key
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Advanced and select With Cloud Activation Key. The Cloud Activation Key pop-up window opens.
3. Enter the cloud activation key and MAC address of the device.
4. Click Add.
If a device belongs to another customer account or is used by another service, Aruba Central displays it as a blocked device. As Aruba Central does not support managing and monitoring blocked devices, you may have to release the blocked devices before proceeding with the next steps.
Archiving Devices in Aruba Central
Aruba Central supports archiving devices that are not in use or devices that are yet to be installed. The archiving feature helps network administrators hide devices in the Device Inventory page, to keep the device inventory organized. The archived devices are moved to the Archived tab on the Device Inventory page, and these can be unarchived and used whenever required.
Network administrators and users with a custom role and the Modify permission for the Device Inventory page can archive and unarchive devices in Aruba Central.
The virtual gateway devices cannot be archived.
Archiving Devices
Complete the following steps to archive devices in Aruba Central:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click the All tab.
3. Select the devices to be archived.
4. Click the Archive button.
The Confirm Action window is displayed. If you click Yes and the selected devices are licensed, then the licenses applied to the devices are removed automatically, and the devices are disconnected from Aruba Central. The disconnected devices are moved to the Archived tab.
For an MSP account, if a device of a tenant is archived, the device gets unlicensed and is moved back to the MSP account and then archived.
Unarchiving Devices
Complete the following steps to unarchive devices in Aruba Central:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click the Archived tab.
3. Select the devices to be unarchived.
4. Click the Unarchive button.
The Confirm Action window is displayed.
If you click Yes, the devices are moved out of the Archived tab, and if auto-licensing is enabled, then the devices get licensed automatically.
5. To see the unarchived devices, click the All tab.
For an MSP account, if a device is unarchived, the device is moved back to the MSP account. The device continues to stay unlicensed with the MSP and does not move to the tenant.

Data Collectors
Data collectors host applications that process network data. Data collectors are available as a physical appliance or a virtual appliance. To create a data collector, set up and install the physical appliance or virtual appliance on-premises at your organization, and then install an Aruba application.
Managing Data Collectors High-Level Process Flow
The following is a high-level process flow for managing data collectors:
1. Set up on-premises the physical or virtual appliance that will become the data collector. For more information, see Setting Up Appliances.
2. Create the data collector by installing an Aruba application on the physical or virtual appliance. For more information, see Creating Data Collectors.
3. Verify the status of the data collector. The status is Running if the data collector was created successfully. For more information, see Viewing Data Collectors.
4. Repeat Step 1 through 3 until you have created all of the data collectors that you require.
5. Set the auto-update preference for the data collectors. For more information, see Updating Data Collectors.
6. Monitor the status and performance of the different data collectors. For more information, see Viewing Data Collectors.
7. (Optional) Manually update one or all of the data collectors as required. This overrides the global auto-update preference you have set for all data collectors. For more information, see Updating Data Collectors.
8. (Optional) Delete the installed Aruba application from the data collector. This enables the appliance to be available to become a data collector again in the future for the same Aruba application or for a different Aruba application. For more information, see Deleting Data Collectors.
About Data Collectors Page
The Data Collectors page enables you to manage the data collectors for your organization. Using this page you can:
- Create a registration token required for setting up a physical or virtual appliance.
- Download the virtual appliance required for setting up a virtual appliance.
- Create data collectors by installing an Aruba application on a physical or virtual appliance.
- View data collectors (both managed and unmanaged).
- Set the data collectors update preference and update data collectors.
- Uninstall the Aruba application running on a data collector. When you uninstall the application, the appliance is freed up and can be used for creating another data collector in the future.
This page contains the following four cards, which can be used to perform different data collector functions:
- Managed Collectors
- Other Collectors
- Create Collector
- Configure Appliance
Managed Collectors Card
You can view and update the managed data collectors that you have created in the Managed Collectors card. The Managed Collectors card provides a Dashboard and a List view of the data collectors. Click the grid view icon in the upper right-hand corner of the card to open the List view.
Dashboard
The Dashboard displays a donut chart showing the data collectors by status, by applications, or by update. By default, the data collectors by status are displayed in the chart. To change the display option for the chart, click the down arrow in the heading of the card and select another display option. Display options are: By Status, By Apps, and By Update.
By Status
The donut chart shows the data collectors by status. Next to the chart is a legend indicating the different data collector statuses. Statuses are: Starting (grey), Online (green), Offline (red), and Warning (yellow). Hover over the different color sections of the donut chart and a tool tip is displayed indicating the number of data collectors for each status. The total number of data collectors is displayed in the center of the chart.
By Apps (Applications)
The donut chart displays the data collectors by applications. Next to the chart is a legend indicating the different Aruba applications. Aruba applications include: ClearPass Device Insight. Each application is displayed in a different color. Hover over the different color sections of the donut chart and a tool tip is displayed indicating the number of data collectors for each Aruba application. The total number of data collectors is displayed in the center of the chart.
By Update
The donut chart shows the data collectors by update status. Next to the chart is a legend indicating the different update statuses. Statuses are: Up to date (yellow), Update in progress (red), and Update available (green). Hover over the different color sections of the donut chart and a tool tip is displayed indicating the number of data collectors for each update status. The total number of data collectors is displayed in the center of the chart. The Auto-Update field is displayed in the lower right corner of the card when you select this display option. By default, As soon as available is displayed in this field. When you click this field, the Collector Update dialog opens. Use the Collector Update dialog to set when you want updates to be installed for all data collectors. For more information about setting the data collectors global update preference, see Updating Data Collectors.
List View
The List view displays all of the data collectors in a grid format. The List view lists the data collectors that are currently represented in the Dashboard. At the top of the List view are the following buttons:
- Update All
  Click this button to update all of the data collectors at once. To update a specific data collector, you can expand a row in the grid and click the Update Now button for that specific data collector. For more information, see Updating Data Collectors.
- Create Collector
  Opens the Create Collector dialog where you can create a data collector. For more information, see Creating Data Collectors.
The following table describes the information that is displayed in the List view:

Table 51: List View

Field                Description
Name                 Data collector name.
Status               Status of the data collector. Statuses are: Starting, Online, Offline and Warning.
Applications         Aruba application installed on the data collector.
Desired Update Time  Desired update time for that specific collector. For more information, see Updating Data Collectors.
Update Status        Update status for the data collector. Statuses are: Up to date, Update in progress, Update available.

When you hover over a row in the grid, the following icons are displayed in the row of the grid:
- Delete icon is displayed to the right of Applications. Click the Delete icon to uninstall the Aruba application running on that data collector. When you uninstall the application, the appliance is freed up and can be used for creating another data collector in the future. For more information, see Deleting Data Collectors.
Additional details for a data collector can be viewed by expanding a row in the grid. Click the plus icon next to a row in the grid to expand a row. When you expand the row, the row expands and the additional details for the data collector are displayed.
Additional Details
In the expanded row, additional overview details for the data collector are displayed. In the Collector Details area, the data collector name, status, creation date, and the Aruba application installed on the data collector are displayed. To the right in the expanded row, the Appliance In Collector table is displayed. The following table describes the information displayed in the table:

Table 52: Appliance In Collector Table

Field       Description
Name        Appliance name.
IP Address  IP address of the appliance.
Model       Appliance model name. VMware Virtual Platform is displayed for virtual appliances.

At the bottom of the expanded row, the Update Now button is either available or unavailable depending on whether there is an update available for the data collector. If there is no update available, the Update Now button is unavailable and No update available is displayed in the Version field. If there is an update available, the Update Now button is available and the update version is displayed in the Version field.

Click the Update Now button to update that specific data collector. To update all data collectors, you can click the Update All button at the top of the List view. For more information, see Updating Data Collectors.
Other Collectors Card
The Other Collectors card displays an overview of the number of unmanaged data collectors that are connected and not connected. The counts that are displayed in this card are:
- Connected (Number of unmanaged data collectors that are connected)
- Not Connected (Number of unmanaged data collectors that are not connected)
The following actions can be performed within the card:
- Click the Connected number to open the Other Collectors dialog where you can view the data collectors that are connected.
- Click the Not Connected number to open the Other Collectors dialog where you can view the data collectors that are not connected.
For more information, see Viewing Data Collectors.
Create Collector Card
The Create Collector card displays the number of appliances that are available to be used for creating a data collector. The appliance number is updated after you have successfully set up a physical appliance or virtual appliance. For more information about setting up appliances, see Setting Up Appliances. Click the Create Collector button to open the Create Collector dialog where you can create a data collector. For more information, see Creating Data Collectors.
Configure Appliance Card
The Configure Appliance card contains a Download Virtual Appliance link and a Registration Token button. Click the Registration Token button to create a registration token. The registration token is required when setting up a physical appliance or virtual appliance. Click the Download Virtual Appliance link to open the Download Virtual Appliance dialog where you can download either the small virtual appliance file (.ova file) or medium virtual appliance file (.ova file) that is required when setting up a virtual appliance. For more information about setting up appliances, see Setting Up Appliances.
Setting Up Appliances
Data collectors are available as physical appliances or virtual appliances. Appliances must be set up before you can create a data collector. This section contains:
- Creating Registration Tokens
- Downloading Virtual Appliances
- Setting Up Physical Appliances
- Setting Up Virtual Appliances
- Using Command Line Interface Options

Creating Registration Tokens
A registration token is required when setting up a physical appliance or a virtual appliance. To create a registration token:

1. Go to Account Home.
2. Under Global Settings, click Data Collectors. If no data collectors have been created, the Get Started dialog is displayed. Otherwise, the Data Collectors page is displayed.
3. Click Registration Token in the Get Started dialog or the Configure Appliance card of the Data Collectors page. The registration token is created. The Registration Token dialog opens with the token that was created displayed. The date and time the registration token expires is displayed at the bottom of the dialog.
4. Click Copy Token. You can now enter this registration token when setting up a physical appliance or virtual appliance during the registration of the appliance (Option 3 (register)) on the Collector CLI. For more information about setting up appliances, see Setting Up Appliances.
5. Click Close.

Downloading Virtual Appliances
The virtual appliance file (.ova file) is required for setting up a virtual appliance. To download a virtual appliance:

1. Go to Account Home.
2. Under Global Settings, click Data Collectors. If no data collectors have been created, the Get Started dialog is displayed. Otherwise, the Data Collectors page is displayed.
3. Click get a virtual appliance in the Getting Started dialog or the Download Virtual Appliance link in the Configure Appliance card of the Data Collectors page. The Download Virtual Appliance dialog opens displaying a Small virtual appliance card and a Medium virtual appliance card. The small virtual appliance requires: 8 Core CPU, 16 GB Memory, and 256 GB disk. The medium virtual appliance requires: 24 Core CPU, 64 GB Memory, and 480 GB disk. Download the virtual appliance by performing the following:
   a. Hover over the Small card or the Medium card. The Download File link is displayed in the card.
   b. Click the Download File link in the Small card or Medium card. The virtual appliance file (.ova) is downloaded. When setting up a virtual appliance using VMware, you will browse for and select this virtual appliance file (.ova file). For more information about setting up virtual appliances, see Setting Up Appliances.
4. Click Close.

Setting Up Physical Appliances

Data collectors are available as physical appliances or virtual appliances. Before you can use an Aruba application that uses data collectors, you need to set up appliances.

To set up a physical appliance, you use several command line options from the Collector CLI on the appliance after it is installed. On the Collector CLI there are seven options that are available for selection. The options available are listed below:

Options:
1. Configure Hostname    4. Configure Proxy         7. Advanced Options
2. Configure Network     5. Change Timezone/NTP     0. Exit
3. Register              6. Test Connectivity

You use options 1 through 6 to set up a physical appliance. Perform the options in the order in which they are displayed.

For more information about the advanced options, see Using Command Line Interface Options.

Before You Begin
Before you begin to set up a physical appliance, you need to create a Registration Token. For more information, see Creating Registration Tokens.

About the Physical Appliance
Aruba provides one physical appliance for Aruba ClearPass Device Insight, the Aruba Central Data Collector physical appliance.

Table 53: Physical Appliance Specifications

Model             vCPU   Memory   Disk     NICs
DC2000 (Medium)   24     64 GB    480 GB   8 (2 mgmt, 6 data)

Setting Up Physical Appliances
This section discusses how to set up a physical appliance.
If you are using a proxy, configure the proxy prior to doing the registration. Additionally, it is recommended that you configure the time zone and NTP prior to registration if you plan on changing them.
To set up a physical appliance:
1. Install the physical appliance on-premises.
2. Power on the appliance and log in to the appliance using these credentials:
   - Username = aruba
   - Password = aruba
3. Configure the hostname for the appliance using Option 1 (Configure Hostname) on the Collector CLI.
4. Configure the network interfaces for the appliance using Option 2 (Configure Network) on the Collector CLI:
   - Configure the eth0 Ethernet interface.
   - (Optional) Configure the eth1 Ethernet interface.
5. Configure Domain Name System (DNS) for the appliance using Option 2 (Configure Network) on the Collector CLI.
6. Configure routes for the appliance using Option 2 (Configure Network) on the Collector CLI.
   You only need to configure routes if you have configured the eth1 Ethernet interface.
7. Test the connectivity of the appliance to the Cloud URL discovery server using Option 6 (Test Connectivity) on the Collector CLI.
8. Register the appliance using Option 3 (Register) on the Collector CLI.
9. Test the connectivity of the appliance to the Aruba cloud using Option 6 (Test Connectivity) on the Collector CLI.
10. Configure the proxy server using Option 4 (Configure Proxy) on the Collector CLI.
11. Change the time zone for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.
12. Configure the Network Time Protocol (NTP) server for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.

For more information about the different command line options, see Using Command Line Interface Options.

Setting Up Virtual Appliances

Data collectors are available as virtual appliances or physical appliances. Before you can use an Aruba application that uses data collectors you need to set up appliances.

You can set up virtual appliances using two different methods. You can set up a virtual appliance using the VMware ESXi Host Web Client or the VMware vSphere Desktop Client for Windows. Using either of these methods, you create the virtual machine and then you complete the setup using several command line options from the Collector CLI from the virtual machine. On the Collector CLI there are seven options that are available for selection. The options available are listed below:

Options:
1. Configure Hostname
2. Configure Network
3. Register
4. Configure Proxy
5. Change Timezone/NTP
6. Test Connectivity
7. Advanced Options
0. Exit

You use options 1 through 6 to set up a virtual appliance. Perform the options in the order in which they are displayed.

For more information about the advanced options, see Using Command Line Interface Options.

You perform the same command line options when setting up a virtual appliance as you would when setting up a physical appliance.

Before You Begin
Before you begin to set up a virtual appliance you need the following:
- VMware ESXi server
  - A VMware ESXi server is required to set up a virtual appliance. You must know the ESXi server host name and IP address when setting up a virtual appliance.
- Registration Token
  - A registration token is required to set up a virtual appliance.
  - For more information, see Creating Registration Tokens.
- Virtual appliance file (.ova file)
  - A virtual appliance file (.ova file) is required to set up a virtual appliance using VMware.
  - For more information, see Downloading Virtual Appliances.
About Aruba Virtual Appliances
Aruba provides two virtual appliances for Aruba ClearPass Device Insight:

- Aruba Central Data Collector virtual appliance (small)
- Aruba Central Data Collector virtual appliance (medium)

Table 54: Virtual Appliance Specifications

Model              vCPU   Memory   Disk     NICs
DC1000V (Small)    8      16 GB    256 GB   4 ports (1 G management, DPI up to 100 Mbps)
DC2000V (Medium)   24     64 GB    480 GB   4 ports (1 G management, DPI up to 1 Gbps)

Setting Up Virtual Appliances Using the VMware ESXi Host Web Client
If you are using a proxy, configure the proxy prior to doing the registration. Additionally, it is recommended that you configure the time zone and network time protocol (NTP) prior to registration if you plan on changing them.
To set up a virtual appliance using the VMware ESXi Host Web Client:
1. Go to a web browser and enter the IP address for the VMware ESXi server.
2. Press Enter. The VMware ESXi Welcome window appears.
3. Click the Open the VMware Host Client link under Getting Started. The VMware ESXi Host Client Log In window appears.
4. Enter the User name and Password for the ESXi host server.
5. Click Log In.
6. Click the Create/Register VM icon. The New virtual machine - Select creation type window appears.
7. Select Deploy a virtual machine from an OVF or OVA file for creation type.
8. Click Next. The New virtual machine - Select OVF and VMDK files window appears.
9. Enter the following:
   a. Enter a name for the virtual machine.
   b. Browse for the ova file and select it.

10. Click Next. The New virtual machine - Select storage window appears.

11. Select the datastore.
12. Click Next. The New virtual machine - Deployment options window appears.
13. Enter the following:
    You need to assign a management network and optionally a data network to the virtual machine's network adaptors. A virtual machine has network adaptors 1 through 4 to which you can assign the management network, data network, and SPAN networks. You need to identify the network adaptor with the lowest MAC address and assign the management network to this network adaptor. If you have a separate data network, the network adaptor with the second lowest MAC address must be assigned to the data network. You can assign the rest of the network adaptors to the SPAN networks.
    a. Select the Network mapping for mgmt1.
    b. Select the Network mappings for data1, data2, and data3.
       Currently, Aruba ClearPass Device Insight supports one management network mapping and one data network mapping.
    c. Select the Disk provisioning option. Options are Thin or Thick. Thin appears by default.
    d. Click the Power on automatically check box to have the machine automatically power on. This check box appears selected by default.

14. Click Next. The New virtual machine - Additional settings window appears.

15. Click Next. The New virtual machine - Ready to complete window appears displaying the selections you made in the previous windows.

16. Click Finish. The creation of the virtual machine is initiated. Under Recent tasks you can view the results of the new virtual machine tasks by monitoring the Result field status bar for each task. Wait until the Result field displays Completed successfully for each task. When this occurs you have created the virtual machine.
17. Select the new virtual machine that you just created in the upper region of the window and click the Console icon. The Collector CLI appears.
18. Configure the hostname for the appliance using Option 1 (Configure Hostname) on the Collector CLI.
19. Configure the network interfaces for the appliance using Option 2 (Configure Network) on the Collector CLI:
    - Configure the eth0 Ethernet interface.
    - (Optional) Configure the eth1 Ethernet interface.
20. Configure Domain Name System (DNS) for the appliance using Option 2 (Configure Network) on the Collector CLI.
21. Configure routes for the appliance using Option 2 (Configure Network) on the Collector CLI.
You only need to configure routes if you have configured the eth1 Ethernet interface.
22. Test the connectivity of the appliance to the Cloud URL discovery server using Option 6 (Test Connectivity) on the Collector CLI.
23. Register the appliance using Option 3 (Register) on the Collector CLI.
24. Test the connectivity of the appliance to the Aruba cloud using Option 6 (Test Connectivity) on the Collector CLI.
25. Configure the proxy server using Option 4 (Configure Proxy) on the Collector CLI.
26. Change the time zone for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.
27. Configure the Network Time Protocol (NTP) server for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.
For more information about the different command line options, see Using Command Line Interface Options.
Setting Up Virtual Appliances Using the VMware vSphere Desktop Client for Windows
If you are using a proxy, configure the proxy prior to doing the registration. Plus, it is recommended that you configure the time zone and network time protocol (NTP) prior to registration if you plan on changing them.
To set up a virtual appliance using the VMware vSphere Desktop Client for Windows:

1. Go to a web browser and enter the IP address for the VMware ESXi server.
2. Press Enter. The VMware ESXi Welcome window appears.
3. Click the Download vSphere Client for Windows link under Getting Started. The VMware vSphere Client Log In window appears.
4. Enter the User name and Password for the ESXi host server.
5. Click Login. The ESXi Host Details window appears.
6. Go to File > Deploy OVF Template. The Deploy OVF Template - Source window appears.

7. Click Browse and browse for the ova file and select it.
8. Click Next. The Deploy OVF Template - OVF Template Details window appears displaying the OVF template details.
9. Click Next. The Deploy OVF Template - Name and Location window appears.

10. In the Name field enter the name for the virtual appliance.
11. Click Next. The Deploy OVF Template - Disk Format window appears.
12. Enter the following:
    a. In the Datastore field enter the datastore.
    b. Select the disk format. Options are: Thick Provision Lazy Zeroed, Thick Provision Eager Zeroed, and Thin Provision. Thin Provision appears selected by default.

13. Click Next. The Deploy OVF Template - Network Mapping window appears.
14. Enter the following:
    You need to assign a management network and optionally a data network to the virtual machine's network adaptors. A virtual machine has network adaptors 1 through 4 to which you can assign the management network, data network, and SPAN networks. You need to identify the network adaptor with the lowest MAC address and assign the management network to this network adaptor. If you have a separate data network, the network adaptor with the second lowest MAC address must be assigned to the data network. You can assign the rest of the network adaptors to the SPAN networks.
    a. Select the Destination Network for mgmt1.
    b. Select the Destination Networks for data1, data2, and data3.
       Currently, Aruba ClearPass Device Insight supports one management destination network and one data destination network.

15. Click Next. The Deploy OVF Template - Ready to Complete window appears.
16. Review the settings and select the Power on after deployment check box to have the machine automatically power on. The Power on after deployment check box appears selected by default.

17. Click Finish. The creation of the virtual machine is initiated. A dialog box appears displaying the status of the virtual machine creation. After the virtual machine is created, it is listed in the ESXi Host Details window.

18. Select the virtual machine on the ESXi Host Details window and then select the Console tab. The Collector CLI appears.
19. Configure the hostname for the appliance using Option 1 (Configure Hostname) on the Collector CLI.
20. Configure the network interfaces for the appliance using Option 2 (Configure Network) on the Collector CLI:
    - Configure the eth0 Ethernet interface.
    - (Optional) Configure the eth1 Ethernet interface.
21. Configure Domain Name System (DNS) for the appliance using Option 2 (Configure Network) on the Collector CLI.
22. Configure routes for the appliance using Option 2 (Configure Network) on the Collector CLI.
You only need to configure routes if you have configured the eth1 Ethernet interface.
23. Test the connectivity of the appliance to the Cloud URL discovery server using Option 6 (Test Connectivity) on the Collector CLI.
24. Register the appliance using Option 3 (Register) on the Collector CLI.
25. Test the connectivity of the appliance to the Aruba cloud using Option 6 (Test Connectivity) on the Collector CLI.
26. Configure the proxy server using Option 4 (Configure Proxy) on the Collector CLI.
27. Change the time zone for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.
28. Configure the Network Time Protocol (NTP) server for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.
For more information about the different command line options, see Using Command Line Interface Options.
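The network mapping step in both VMware procedures above depends on ordering the adaptors by MAC address, not by their position in the client. The following is an added example, not part of the Aruba guide: it derives the role of each adaptor from its MAC address and reports assignments that disagree. The adaptor labels and MAC addresses are constructed, and treating the second-lowest adaptor as a SPAN adaptor when there is no separate data network is an assumption.

```python
import re


def mac_to_int(mac: str) -> int:
    """Parse a MAC address written with ':', '-' or '.' separators (or none)."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def plan_network_mapping(adapters, separate_data_network=True):
    """Return {adapter label: role} following the rule in the deployment steps.

    adapters: {label: MAC string} for the VM's network adaptors.
    Lowest MAC -> management; second lowest -> data (only when a separate
    data network exists); every remaining adaptor -> SPAN.
    """
    if not adapters:
        raise ValueError("no adapters given")
    numeric = {label: mac_to_int(mac) for label, mac in adapters.items()}
    if len(set(numeric.values())) != len(numeric):
        raise ValueError("duplicate MAC address among adapters")
    # Sort by numeric value: a text sort misorders mixed-case hex ('9B' < '9a').
    ordered = sorted(numeric, key=numeric.get)
    plan = {ordered[0]: "management"}
    rest = ordered[1:]
    if separate_data_network and rest:
        plan[rest[0]] = "data"
        rest = rest[1:]
    for label in rest:
        plan[label] = "span"
    return plan


def check_mapping(adapters, assigned, separate_data_network=True):
    """Compare the roles assigned in the hypervisor with the plan.

    Returns a list of (label, expected_role, assigned_role) for each mismatch.
    """
    plan = plan_network_mapping(adapters, separate_data_network)
    return [(label, plan[label], assigned.get(label))
            for label in sorted(plan)
            if assigned.get(label) != plan[label]]


# Constructed sample: four adaptors as an administrator might copy them from
# the VM's hardware settings, in mixed notation and case.
SAMPLE_ADAPTERS = {
    "Network adapter 1": "00:50:56:9B:10:02",
    "Network adapter 2": "00:50:56:9a:10:02",
    "Network adapter 3": "00-50-56-9B-10-01",
    "Network adapter 4": "0050.569b.10ff",
}
# Assigning roles in display order (adapter 1 = management, 2 = data) is the
# mistake this check is meant to catch.
SAMPLE_ASSIGNED = {
    "Network adapter 1": "management",
    "Network adapter 2": "data",
    "Network adapter 3": "span",
    "Network adapter 4": "span",
}

if __name__ == "__main__":
    for label, role in plan_network_mapping(SAMPLE_ADAPTERS).items():
        print(f"{label}: {role}")
    for label, expected, got in check_mapping(SAMPLE_ADAPTERS, SAMPLE_ASSIGNED):
        print(f"MISMATCH {label}: expected {expected}, assigned {got}")
```

Running the check before powering on the virtual machine keeps the management interface off a SPAN or data port group.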
Using Command Line Interface Options
This section describes how to use the different command line interface (CLI) options for an appliance. Several of these options are used when setting up a physical appliance or a virtual appliance. This section contains:
- Configuring Hostname
- Configuring Network
- Registering the Appliance
- Configuring Proxy Server
- Changing Time Zone and Configuring NTP Server
- Testing Appliance Connectivity
- Performing Advanced Options
Configuring Hostname
This section describes how to configure hostname for an appliance and how to edit the hostname after it has been configured.
Configuring Hostname
To configure the hostname:
1. Go to the Collector CLI.
2. In the Enter option field, enter 1 (Configure Hostname) and press Enter.
3. In the New hostname field, enter the hostname and press Enter. The hostname must start with a letter and can contain letters, numbers, and a hyphen "-". It cannot contain any other special characters. A message is displayed stating that the hostname has been changed successfully.
4. Press Enter.
Editing Configured Hostname
This option is available only after you have configured the hostname.

To edit the configured hostname:
1. Go to the Collector CLI.
2. In the Enter option field, enter 1 (Configure Hostname) and press Enter.
3. In the Enter option field, enter 1 (Edit Hostname) and press Enter.
4. In the New hostname field, enter the hostname and press Enter. The hostname must start with a letter and can contain letters, numbers, and a hyphen "-". It cannot contain any other special characters. A message is displayed stating that the hostname has been changed successfully.
5. Press Enter.
Configuring Network
This section describes how to configure the network interfaces, Domain Name System (DNS), and routes for the appliance and how to show the interfaces information for the appliance.
Configuring Network Interfaces
To configure network interfaces:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 1 (Configure Network Interfaces) and press Enter.
4. In the Enter option field, enter 0 (eth0) and press Enter.
   You must configure the eth0 (management) Ethernet interface. Configuring the eth1 (data) Ethernet interface is optional. The MAC Address is displayed in brackets next to eth0 and eth1.
5. In the Enter IP Address field, enter the IP address for the appliance and press Enter.
6. In the Enter Subnet mask field, enter the subnet mask for the appliance and press Enter.
7. In the Enter Gateway field, enter the gateway address for the appliance and press Enter.
8. (Optional) Configure the second Ethernet interface (eth1). Repeat steps 4 through 7 above except in step 4 enter 1 (eth1).
9. In the Enter option field, enter b (Back to Previous Menu) and press Enter.
10. Press Enter.
11. In the Enter option field, enter m (Main Menu) and press Enter.
Configuring DNS
To configure Domain Name System (DNS):
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 2 (Configure DNS) and press Enter.
4. In the Enter DNS field, enter the DNS address for the appliance and press Enter.
5. (Optional) In the Enter Secondary DNS field, enter the secondary DNS address for the appliance and press Enter. Otherwise, press Enter to proceed without entering a secondary DNS address.
6. Press Enter.
7. In the Enter option field, enter m (Main Menu) and press Enter.
Configuring Routes
You only need to configure routes if you have configured ethernet interface eth1. Routes do not apply to ethernet interface eth0.
Listing All Routes
To list all routes:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 3 (Configure Routes) and press Enter.
4. In the Enter option field, enter 1 (List all routes) and press Enter. All of the routes are displayed.
5. Enter b (Back to Previous Menu) and press Enter.
6. Press Enter.
7. In the Enter option field, enter m (Main Menu) and press Enter.
Adding a Route Via eth1
To add a route through eth1:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 3 (Configure Routes) and press Enter.
4. In the Enter option field, enter 2 (Add a route via eth1) and press Enter.
5. In the Enter destination IP Address field, enter the IP address of the node that needs to connect to the eth1 interface and press Enter. The route is created. The system assigns a sequential index number to the route. You can view the index number assigned to the route by using Option 1 - List all routes.
6. Enter b (Back to Previous Menu) and press Enter.
7. Press Enter.
8. In the Enter option field, enter m (Main Menu) and press Enter.
Deleting a Route Via eth1
To delete a route through eth1:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 3 (Configure Routes) and press Enter.
4. In the Enter option field, enter 3 (Delete a route via eth1) and press Enter.
5. In the Enter index of route to be deleted field, enter the index number associated with the route to be deleted and press Enter.
6. Enter b (Back to Previous Menu) and press Enter.
7. Press Enter.
8. In the Enter option field, enter m (Main Menu) and press Enter.
Showing Interfaces Information
To show interfaces information:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 4 (Show Interfaces Info) and press Enter.
4. The information for both eth0 and eth1 network interfaces is displayed. The IP address, Netmask, Gateway, and MAC Address are displayed for each interface.
5. Press Enter.
6. In the Enter option field, enter m (Main Menu) and press Enter.
Registering the Appliance
To register the appliance:
1. Go to the Collector CLI.
2. In the Enter option field, enter 3 (Register) and press Enter.
3. In the Registration code field, enter the registration code and press Enter. The registration process is initiated. The registration process associates the appliance with your customer account. After the registration process completes, a message is displayed that the registration was successful. The appliance is now available to be formed into a data collector by installing an Aruba application on it. The appliance count that is displayed in the Create Collector card on the Data Collectors page is incremented by one. For information about creating a data collector, see Creating Data Collectors.
4. Press Enter.
Configuring Proxy Server
This section describes how to configure a proxy server, edit a proxy server configuration, and unconfigure a proxy server.
Configuring Proxy Server
To configure the proxy server:
1. Go to the Collector CLI.
2. In the Enter option field, enter 4 (Configure Proxy) and press Enter.
3. In the Proxy Server URL/IP field, enter the URL or IP address for the proxy server and press Enter.
4. In the Proxy Server Port field, enter the port and press Enter. Otherwise, press Enter to accept the default port. 3128 appears as the default port.
5. In the Username field, enter the user name for the server and press Enter.
6. In the Password field, enter the password for the server and press Enter. A password cannot contain any special characters. A message is displayed stating the proxy server has been configured.
7. Press Enter.
Editing Proxy Configuration
This option is available only after you have configured a proxy server.
To edit proxy configuration:
1. Go to the Collector CLI.
2. In the Enter option field, enter 4 (Configure Proxy) and press Enter.
3. In the Enter option field, enter 1 (Edit Proxy Configuration) and press Enter.
4. In the Proxy Server URL/IP field, enter the URL or IP address for the proxy server and press Enter.
5. In the Proxy Server Port field, enter the port and press Enter. Otherwise, press Enter to accept the default port. 3128 appears as the default port.
6. In the Username field, enter the user name for the server and press Enter.
7. In the Password field, enter the password for the server and press Enter. A password cannot contain any special characters. A message is displayed stating the proxy server has been configured.
8. Press Enter.
Unconfiguring Proxy Configuration
This option is available only after you have configured a proxy server.
To unconfigure proxy configuration:
1. Go to the Collector CLI.
2. In the Enter option field, enter 4 (Configure Proxy) and press Enter.
3. In the Enter option field, enter 2 (Unconfigure Proxy) and press Enter. A message is displayed stating the proxy server is being disabled.
4. Press Enter.
Changing Time Zone and Configuring NTP Server
This section describes how to change the time zone and how to configure the NTP server.
Changing Time Zone
To change the time zone:
1. Go to the Collector CLI.
2. In the Enter option field, enter 5 (Change Timezone/NTP) and press Enter.
3. In the Enter option field, enter 1 (Change Timezone) and press Enter. The following regions are displayed:
   - 1 - Africa
   - 2 - America
   - 3 - Antarctica
   - 4 - Arctic
   - 5 - Asia
   - 6 - Atlantic
   - 7 - Australia
   - 8 - Europe
   - 9 - Indian
   - 10 - Pacific
   - 11 - UTC
4. In the Select region field, enter the number for the region and press Enter. For example, to select the Pacific region enter 10. The time zones for the region you selected are displayed.
5. In the Select timezone field, enter the number for the time zone and press Enter. A message is displayed that the time zone was configured. Press Enter.
6. In the Enter option field, enter m (Main Menu) and press Enter.
Configuring NTP Server
To configure the Network Time Protocol (NTP) server:
1. Go to the Collector CLI.
2. In the Enter option field, enter 5 (Change Timezone/NTP) and press Enter.
3. In the Enter option field, enter 2 (Configure NTP) and press Enter.
4. In the NTP Server field, enter the NTP server hostname and press Enter. A message is displayed that the NTP server has been configured.
5. Press Enter.
6. In the Enter option field, enter m (Main Menu) and press Enter.
Testing Appliance Connectivity
This section describes how to test the appliance's connectivity to the Aruba cloud and to another host.
Testing Aruba Cloud Reachability
To test Aruba cloud reachability:
1. Go to the Collector CLI.
2. In the Enter option field, enter 6 (Test Connectivity) and press Enter.
3. In the Enter option field, enter 1 (Test Aruba Cloud reachability) and press Enter. This process performs two connectivity tests. The first test checks the reachability from the appliance to the Cloud URL discovery server. You perform this test before you register the appliance. The second test checks the reachability from the appliance to the Aruba cloud. You perform this test after you register the appliance.
   When you perform this process before registration, the following messages are displayed:
   Testing reachability to Cloud URL discovery server ... Cloud URL discovery server reachable Aruba Cloud URL is not set. Please activate the node.
   When you perform this process after registration, the following messages are displayed:
   Testing reachability to Cloud URL discovery server ... Cloud URL discovery server reachable Testing cloud reachability..... Aruba cloud is reachable
4. Press Enter.
Testing Connectivity to Another Host
To test connectivity to another host:
1. Go to the Collector CLI.
2. In the Enter option field, enter 6 (Test Connectivity) and press Enter.
3. In the Enter option field, enter 2 (Test connectivity to another host (using PING)) and press Enter.
4. In the Type host address field, enter the host address you want to reach and press Enter. A message is displayed whether the host is reachable or not.
5. Press Enter.
Performing Advanced Options
This section describes how to complete advanced tasks for appliances such as changing the password, enabling support access, and resetting the factory settings.
Rebooting or Shutting Down
Rebooting
To reboot:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 1 (Reboot/Shutdown) and press Enter.
4. In the Enter option field, enter 1 (Reboot) and press Enter.
5. At the prompt, Are you sure you want to reboot the node? enter y and press Enter. The appliance is rebooted.
Shutting Down
To shut down:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 1 (Reboot/Shutdown) and press Enter.
4. In the Enter option field, enter 2 (Shutdown) and press Enter.
5. At the prompt, Are you sure you want to shutdown the node? enter y and press Enter. The appliance is shut down.
Changing Password
To change the password:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 2 (Change password) and press Enter.
4. At the prompt, Are you sure you want to change the password? enter y and press Enter.
5. In the Enter new UNIX password field, enter the new password and press Enter.
6. In the Retype new UNIX password field, re-enter the new password and press Enter. A message is displayed that the password has been updated successfully.
7. Press Enter.
8. In the Enter option field, enter m (Main Menu) and press Enter.
Enabling Support Access
Enabling support access provides a way for Aruba customer support to access the collector remotely for any troubleshooting. This requires both enabling support access on the collector and providing consent in Aruba Central.
Enabling Support Access on the Collector
To enable support access on the collector:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 3 (Enable support access) and press Enter.
4. In the Select an option field, enter 1 (Enable support access) and press Enter.
5. In the Allow access for user field, enter the email address of the Aruba Technical Assistance Center (TAC) support contact for whom you wish to enable access and press Enter. An Access Token is generated and is displayed.
6. Send that Access Token to the Aruba TAC support contact through email or when speaking with them over the phone. The TAC support contact takes that access token and generates a decoded password. From there they can access the appliance remotely using an application such as Webex or Remote Control Service (RCS).
7. Press Enter.
8. In the Enter option field, enter m (Main Menu) and press Enter.
Providing Consent in Aruba Central
To provide consent in Aruba Central:
1. Go to Aruba Central (if you are in the Analyzer portal, there is an option on the top right to switch to Aruba Central).
2. Go to User Management.
3. In the Actions drop down located in the top right, select Enable Support Access. A popup appears.
4. Toggle the Enable Support Access option and enable it.
5. Select Get Password. We do not need the password. It can be ignored for the purpose of accessing the collector.
Disabling Support Access
The support access, once enabled, remains until it is disabled. For security reasons it is recommended that you disable the access once it is no longer required by Aruba customer support.
To disable support access:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 3 (Enable support access) and press Enter.
4. In the Select an option field, enter 2 (Disable support access) and press Enter.
5. Press Enter.
Transferring Logs Through SCP
When troubleshooting an issue, you may want to transfer the logs that have been generated from the appliance. For this transfer to occur you need to have a Linux server that is Secure Shell (SSH) enabled.
To transfer logs through SCP:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 4 (Transfer logs through SCP) and press Enter.
4. In the SCP server configuration field, enter the hostname and IP address for the server and press Enter. Before the logs are transferred they are compressed. On the Collector CLI the status of the compression is displayed. 100% is displayed after compression is complete.
5. In the server password field, enter the password for the server and press Enter. A tar file is created for the logs. The date and time when the tar file was created is a part of the name of the file. For example, if a tar file is named (ISO-38-41-PH_logs_11021729.tar.gz) the date and time it was created is November 2 at 17:29. The time zone reflected is the appliance time zone where the tar file was created.
6. Press Enter.
Resetting Factory Settings
This option applies only to physical appliances.
To reset factory settings:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 5 (Factory Reset) and press Enter.
4. At the prompt, Are you sure you want to do a factory reset? enter y and press Enter. The appliance is reset to the state it was when it came from the factory and then the appliance reboots. To use the appliance perform the appliance setup process again. For more information, see Setting Up Physical Appliances.
5. Press Enter.
Creating Data Collectors
Before You Begin
Before you can create a data collector, you must have already successfully set up a physical appliance or virtual appliance. For information, see Setting Up Appliances.
ClearPass Device Insight Requirements
This topic lists the ClearPass Device Insight requirements.
Network Requirements for CPDI Collector
The network requirements for the CPDI collector include:
- Static IP address
- Outbound Internet access on TCP port 443
- Optional: Proxy server
Network Services (Internal or External) from the collector
The network services (internal or external) requirements from the data collector include:
- TCP/UDP 53 (DNS)
- UDP 123 (NTP)

Recommended access to network devices from the collector
The recommended access to network devices from the collector includes UDP 161: SNMP (v1 through v3, but v3 is preferred).
Recommended access from the network devices to the collector
The recommended access from the network devices to the collector includes:
- UDP 67: DHCP for the ip-helpers / DHCP relays
- When used: NetFlow or IPFIX
Recommended access to endpoints from the collector
The recommended access to endpoints from the collector includes:
- TCP, UDP, ICMP - For nmap profiling and WMI profiling
- TCP:22 - For SSH scans
- UDP:161 - For SNMP scans
Creating Data Collectors
To create a data collector:
1. Go to the Account Home page.
2. Under Global Settings, click Data Collectors.
3. If no data collectors have been created, the Get Started dialog is displayed. Otherwise, the Data Collectors page is displayed.
4. The number of appliances that are available to form new data collectors is displayed in the Get Started dialog and in the Create Collector card of the Data Collectors page.
5. Click Create Collector in the Get Started dialog or the Create Collector card in the Data Collectors page. The Create Collector dialog is displayed.
The Create Collector dialog can also be accessed by clicking the Create Collector button within the Managed Collectors card - List view.
6. In the Give collector a name field, enter a name for the data collector.
7. Select the application you want to install on the data collector. Applications include ClearPass Device Insight.
8. Click Next. All of the appliances that are available to become data collectors are listed in a grid. The appliance Name, IP Address, and Model are displayed.
9. Select the row in the grid for the appliance you want to become the data collector.
10. Click Create. The application you previously selected is installed on the appliance and the data collector is created. You can manage this data collector using the Managed Collectors card. Plus, the data collector is now available for use by the application that was installed on the data collector. For more information, see About Data Collectors Page.
Viewing Data Collectors
Using the Data Collectors page you can view managed data collectors in the Managed Collectors card and view the unmanaged data collectors that are connected or not connected in the Other Collectors card.
Viewing Managed Data Collectors
To view managed data collectors:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page opens, displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. (Optional) Click the down arrow in the Managed Collectors card heading and select By Apps, to view the data collectors by applications.
4. (Optional) Click the down arrow in the Managed Collectors card heading and select By Update, to view the data collectors by update status.
5. Click the View Grid icon to view more details for the data collectors. The Managed Collectors - List view opens, displaying all of the data collectors in a grid format.
6. Expand a row in the grid to view additional details for a specific data collector. The row is expanded displaying an Overview tab and a Performance tab. View the data collector overview information in the Overview tab. View the data collector performance information in the Performance tab. For more information, see About Data Collectors Page.

Viewing Unmanaged Data Collectors
To view unmanaged data collectors:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page is displayed.
3. Click the Connected number in the Others card to view the connected unmanaged data collectors. The Other Collectors dialog opens, displaying the connected data collectors in a grid format. The following table describes the information that is displayed in the grid:

Table 55: Other Collectors Dialog

| Field | Description |
|---|---|
| Name | Data collector name. |
| Status | Status of the data collector. Connected is displayed for data collectors that are connected. |
| Address | IP address for the data collector. |

4. Click the Not Connected number in the Others card to view the unmanaged data collectors that are not connected. The Other Collectors dialog opens, displaying the data collectors that are not connected in a grid format. The following table describes the information that is displayed in the grid:

Table 56: Other Collectors Dialog

| Field | Description |
|---|---|
| Name | Data collector name. |
| Status | Status of the data collector. Not Connected is displayed for data collectors that are not connected. |
| Address | IP address for the data collector. |

For more information, see About Data Collectors Page.
Updating Data Collectors
Setting the Data Collectors Global Auto-Update Preference
To set the data collectors global auto-update preference:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page opens, displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. Click the down arrow in the Managed Collectors card heading and select By Update. The Managed Collectors card displays the data collectors by update status. An Auto-Update field in the lower right-hand corner of the card displays the current global setting for the data collector auto-update preference. As soon as available is displayed by default in this field.
4. Click the Auto-Update field. The Collector Update dialog opens, displaying the data collector update options.
5. Select when you want to install the updates for all data collectors. Options are:
   - Apply Instantly: All data collectors will be updated as soon as a new version is available.
   - Apply on specific time: All data collectors will be updated at the day and time that you set when a new version is available. When you select this option, a Day field and Time field are displayed. Click the down arrow next to the Day field and select the day. Day options are: Monday through Sunday. Click the up and down arrows in the Time field and select the time.
   You can also update one or more data collectors earlier than what you have specified with the auto-update option, by clicking the Update All button or Update Now button on the Managed Collectors card - List view. For more information, see Manually Updating All Data Collectors and Manually Updating a Specific Data Collector.
6. Click Save.
Manually Updating All Data Collectors
To manually update all data collectors:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page opens, displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. Click the down arrow in the Managed Collectors card heading and select By Update. The Managed Collectors card displays the data collectors by update status. An Auto-Update field in the lower right-hand corner of the card displays the current setting for the data collector global auto-update preference.

4. Click the Grid View icon in the upper right corner of the Managed Collectors card. The Managed Collectors card - List view opens displaying all of the data collectors in a grid format. The List view lists the data collectors that are currently represented in the Dashboard view. If an update is available for one or more data collectors, the Update All button is available at the top of the List view.
5. Click Update All. All of the data collectors are updated.
Manually Updating a Specific Data Collector
To update a specific data collector:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page opens, displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. Click the down arrow in the Managed Collectors card heading and select By Update. The Managed Collectors card displays the data collectors by update status. An Auto-Update field in the lower right-hand corner of the card displays the current setting for the data collector global auto-update preference.
4. Click the Grid View icon in the upper right corner of the Managed Collectors card. The Managed Collectors card - List view opens, displaying all of the data collectors in a grid format. The List view lists the data collectors that are currently represented in the Dashboard view. If an update is available for one or more data collectors, Update available is displayed in the Update Status for those data collectors in the grid.
5. Expand the row in the grid for the individual data collector that you want to update. The row expands, displaying the additional overview details for that specific data collector. In the lower portion of the expanded row, the update version is displayed in the Version field and the Update Now button is available.
6. Click Update Now. The data collector is updated.
Deleting Data Collectors
To delete a data collector:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page opens, displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. Click the Grid View icon in the upper right corner of the Managed Collectors card. The Managed Collectors card - List view opens, displaying all of the data collectors in a grid format. The List view lists the data collectors that are currently represented in the Dashboard view.
4. Hover over a data collector row in the grid that you want to delete. The Delete icon is displayed to the right of Applications.
5. Click the Delete icon. The Delete Collector dialog opens asking if you are sure you want to delete the data collector.
6. Click Delete. The Aruba application running on the collector is uninstalled from the collector. The appliance is freed up and can be used for creating another data collector in the future. For more information about creating a data collector, see Creating Data Collectors.

Webhooks
Webhooks allow you to implement event reactions by providing real-time information or notifications to other applications. Aruba Central allows you to create Webhooks and select Webhooks as the notification delivery option for all alerts. Using Aruba Central, you can integrate Webhooks with other third-party applications such as ServiceNow, Zapier, IFTTT, and so on.
You can access the Webhooks service either through the Aruba Central UI or API Gateway. Aruba Central supports creating up to 10 Webhooks. To enable redundancy, Aruba Central allows you to add up to three URLs per Webhook.
From Aruba Central, you can add, list, or delete Webhooks; get or refresh Webhooks token; get or update Webhooks settings for a specific item; and test Webhooks notification.
This section includes the following topics:
- Creating and Updating Webhooks Through the UI
- Refreshing Webhooks Token Through the UI
- Creating and Updating Webhooks Through the API Gateway
- List of Webhooks APIs
- Sample Webhooks Payload Format for Alerts
In the Alerts & Events page, click the Configuration icon to configure and enable an alert. In the Notification Options, select Webhooks as the notification delivery option.
The following figure illustrates how Aruba Central integrates with third-party applications using Webhooks.
Figure 93 Webhooks Integration
Creating and Updating Webhooks Through the UI
To access the Webhooks service from the UI:
1. In the Account Home page, under Global Settings, click Webhooks. The Webhooks page is displayed.
2. In the Webhook tab, click the + sign. The Add Webhook pop-up window is displayed.
Figure 94 Webhooks Page
Figure 95 Add Webhooks Page
3. To create webhooks, enter the following details:
   a. Name--Enter a name for the Webhook.
   b. Retry Policy--Select one of the following options:
      - None--No retries.
      - Important--Up to 5 retries over 6 minutes.
      - Critical--Up to 5 retries over 27 hours.
   c. URLs--Enter the URL. Click + to enter another URL. You can add up to three URLs.
4. Click Save. The Webhook is created and listed in the Webhook table.
Viewing Webhooks
To view the Webhooks, complete the following steps:
1. In the Account Home page, under Global Settings, click Webhooks.
2. The Webhooks page with Webhook table is displayed. The Webhook table allows you to edit or delete Webhooks and also displays the following information:
   - Name--Name of the Webhooks.
   - Number of URL Entries--Number of URLs in Webhooks. Click the number to view the list of URLs.
   - Updated At--Date and time at which Webhooks was updated.
   - Webhook ID--Webhooks ID.
   - Token--Webhooks token. Webhooks token enables header authentication and the third-party receiving service must validate the token to ensure authenticity.
   - Edit--Select the Webhook from the list and click the Edit icon to edit the Webhook. You can refresh the token and add URLs. Click Save to save the changes.
   - Delete--Select the Webhook from the list and click the Delete icon and click Yes to delete the Webhook.
   - Test Webhooks--Select the Webhook from the list and click the Test Webhooks icon to test the Webhook by posting sample webhook payload to the configured URL. The Test Webhooks table provides the URL and Status of the selected Webhook.
   - View Dispatch Logs--Select the Webhook from the list and click the View Dispatch Log icon to view the Dispatch Logs for the selected Webhook. The Dispatch Logs table provides the URL, Status, and Dispatched Time. Click the arrow against each row to view the Log Details and Attempts in the drop-down for the respective URL.
Figure 96 Dispatch Logs Details Page

Refreshing Webhooks Token Through the UI
To refresh Webhooks token through the UI:
1. In the Account Home page, under Global Settings, click Webhooks. The Webhooks page is displayed.
2. In the Webhook table, select the Webhook from the list and click the Edit icon to edit.
3. In the pop-up window, click the Refresh icon next to the token. The token is refreshed.
Creating and Updating Webhooks Through the API Gateway
The following HTTP methods are defined for Aruba Central API Webhooks resource:
- GET
- POST
- PUT
- DELETE
You can perform CRUD operations on the Webhooks URL configuration. The key configuration elements that are required to use the API Webhooks service are the Webhooks URL and a shared secret. A shared secret token is generated for the Webhooks URL when you register for Webhooks. A hash key is generated with the SHA256 algorithm from the payload and the shared secret token. An API to refresh the shared secret token is provided for a specific Webhooks configuration. You can choose the frequency at which you want to refresh the secret token.
To access and use the API Webhooks service:

1. In the Account Home page, under Global Settings, click API Gateway. The API Gateway page is displayed.
2. In the APIs tab, click the Swagger link under the Documentation header. The Swagger website opens.
3. In the Swagger website, from the URL drop-down list, select Webhook. All available Webhooks APIs are listed under API Reference.
For more information on Webhooks APIs, see: https://app1-apigw.central.arubanetworks.com/swagger/central.
List of Webhooks APIs
Aruba Central supports the following Webhooks APIs:
- GET /central/v1/webhooks--Gets a list of Webhooks.
The following is a sample response:
{
  "count": 1,
  "settings": [
    {
      "wid": "e26450be-4dac-435b-ac01-15d8f9667eb8",
      "name": "AAA",
      "updated_ts": 1523956927,
      "urls": [
        "https://example.org/webhook1",
        "https://example.org/webhook1"
      ],
      "secure_token": "KEu5ZPTi44UO4MnMiOqz"
    }
  ]
}
- POST /central/v1/webhooks--Creates Webhooks.
The following is a sample response:
{
  "name": "AAA",
  "wid": "e829a0f6-1e36-42fe-bafd-631443cbd581"
}
- DELETE /central/v1/webhooks/{wid}--Deletes Webhooks.
The following is a sample response:
{
  "wid": "e26450be-4dac-435b-ac01-15d8f9667eb8"
}
- GET /central/v1/webhooks/{wid}--Gets Webhooks settings for a specific item.
The following is a sample response:
{
  "wid": "e26450be-4dac-435b-ac01-15d8f9667eb8",
  "name": "AAA",
  "updated_ts": 1523956927,
  "urls": [
    "https://example.org/webhook1",
    "https://example.org/webhook1"
  ],
  "secure_token": "KEu5ZPTi44UO4MnMiOqz"
}
- PUT /central/v1/webhooks/{wid}--Updates Webhooks settings for a specific item.
The following is a sample response:
{
  "name": "AAA",
  "wid": "e829a0f6-1e36-42fe-bafd-631443cbd581"
}
- GET /central/v1/webhooks/{wid}/token--Gets the Webhooks token for the Webhooks ID.
The following is a sample response:
{
  "name": "AAA",
  "secure_token": "[{\"token\": \"zSMrzuYrblgBfByy2JrM\", \"ts\": 1523957233}]"
}
- PUT /central/v1/webhooks/{wid}/token--Refreshes the Webhooks token for the Webhooks ID.
The following is a sample response:
{
  "name": "AAA",
  "secure_token": "[{\"token\": \"zSMrzuYrblgBfByy2JrM\", \"ts\": 1523957233}]"
}
- GET /central/v1/webhooks/{wid}/ping--Tests the Webhooks notification and returns whether success or failure.
The following is a sample response:
"Ping Response [{'url': 'https://example.org', 'status': 404}]"
Sample Webhooks Payload Format for Alerts
URL
POST <webhook-url>
Custom Headers
Content-Type: application/json
X-Central-Service: Alerts
X-Central-Event: Radio-Channel-Utilization
X-Central-Delivery-ID: 72d3162e-cc78-11e3-81ab-4c9367dc0958
X-Central-Delivery-Timestamp: 2016-07-12T13:14:19-07:00
X-Central-Customer-ID: <########>
Refer to the following topics to view sample JSON content:
- Access Point Alerts--Sample JSON
- Switch Alerts--Sample JSON
- Gateway Alerts--Sample JSON
- Miscellaneous Alerts--Sample JSON
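The token validation that the receiving service must perform (see the Token field under Viewing Webhooks and the SHA256 hash described under Creating and Updating Webhooks Through the API Gateway), shown from the receiver's side. This is an added example, not Aruba's code: the signature header name, the HMAC-SHA256 construction over the raw body with base64 encoding, and the 28-hour age limit are assumptions that this guide does not state.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions, not stated on this page: the hash is an HMAC-SHA256 over the raw
# request body keyed with the webhook token, base64-encoded, delivered in a
# request header with the name below. Confirm both in the Swagger reference.
SIGNATURE_HEADER = "x-central-signature"
# Local policy (assumption): accept alerts up to the longest retry window the
# guide lists (Critical: retries over 27 hours) plus one hour of slack.
MAX_AGE_SECONDS = 28 * 3600


def parse_token_response(body):
    """Return tokens, newest first, from a .../webhooks/{wid}/token response.

    "secure_token" is a JSON string that itself contains a JSON list of
    {"token": ..., "ts": ...} objects, so it is decoded twice.
    """
    entries = json.loads(json.loads(body)["secure_token"])
    entries.sort(key=lambda entry: entry["ts"], reverse=True)
    return [entry["token"] for entry in entries]


def sign(token, raw_body):
    """Base64 HMAC-SHA256 of the exact bytes received (assumed construction)."""
    digest = hmac.new(token.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest)


class WebhookVerifier:
    def __init__(self, tokens, clock=time.time):
        self.tokens = list(tokens)   # current token first, then the previous one
        self.clock = clock
        self.seen = {}               # replay key -> alert timestamp

    def rotate(self, new_token):
        """After a token refresh, keep the old token for deliveries in flight."""
        self.tokens = [new_token] + self.tokens[:1]

    def verify(self, headers, raw_body):
        """Return (accepted, reason) for one POST to the webhook URL."""
        lowered = {name.lower(): value for name, value in headers.items()}
        presented = lowered.get(SIGNATURE_HEADER, "").encode("utf-8")
        if not presented:
            return False, "missing signature"
        matched = False
        for token in self.tokens:
            # Constant-time compare against every accepted token, no early exit.
            matched |= hmac.compare_digest(sign(token, raw_body), presented)
        if not matched:
            return False, "bad signature"
        # Parse only authenticated bytes. Under the assumed construction the
        # X-Central-* headers are not covered by the hash, so the replay and
        # freshness checks use fields inside the signed body.
        try:
            alert = json.loads(raw_body)
            sent = float(alert["timestamp"])
            key = (str(alert["id"]), str(alert["operation"]), sent)
        except (ValueError, KeyError, TypeError):
            return False, "malformed payload"
        now = self.clock()
        if not (now - sent <= MAX_AGE_SECONDS):
            return False, "stale"
        # Forget replay keys that the age limit would reject anyway.
        self.seen = {k: ts for k, ts in self.seen.items()
                     if now - ts <= MAX_AGE_SECONDS}
        if key in self.seen:
            return False, "replay"
        self.seen[key] = sent
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the token and alert body are made up for this demo.
    body = json.dumps({"alert_type": "AP disconnected", "operation": "create",
                       "id": "constructed-id-1",
                       "timestamp": int(time.time())}).encode()
    verifier = WebhookVerifier(["constructed-token"])
    good = {"X-Central-Signature": sign("constructed-token", body).decode()}
    print(verifier.verify(good, body))          # first delivery
    print(verifier.verify(good, body))          # same body delivered again
    print(verifier.verify(good, body + b" "))   # body altered in transit
```

Pass the request body to `verify` as the exact bytes received; re-serializing the JSON before hashing changes the digest.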
Access Point Alerts--Sample JSON
This section includes sample JSON content for the following alerts:
AP Disconnected
{
  "alert_type": "AP disconnected",
  "description": "AP with Name 84:d4:7e:c5:c8:8c and MAC address 84:d4:7e:c5:c8:8c disconnected, Group:unprovisioned",
  "timestamp": 1564326129,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-4",
  "state": "Open",
  "nid": 4,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "labels": "",
    "conn_status": "disconnected",
    "params": ["84:d4:7e:c5:c8:8c", "84:d4:7e:c5:c8:8c"],
    "time": "2019-07-28 15:02:09 UTC"
  },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm2zVQO1ZtiGF20e",
  "severity": "Critical"
}
AP Connected Clients
{
  "alert_type": "AP_CONNECTED_CLIENTS",
  "description": "Number of Clients connected to AP with name 84:d4:7e:c5:c8:8c has been above 1 for about 5 minutes since 2019-07-29 12:26:00 UTC.",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-1255",
  "state": "Open",
  "nid": 1255,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "labels": "",
    "name": "84:d4:7e:c5:c8:8c",
    "duration": "5",
    "threshold": "1",
    "time": "2019-07-28 15:02:08 UTC"
  },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVGH9ZtiGF20d",
  "severity": "Major"
}
AP CPU Over Utilization
{
  "alert_type": "AP_CPU_OVER_UTILIZATION",
  "description": "CPU utilization for AP 84:d4:7e:c5:c8:8c with serial CT0779239 has been above 10% for about 5 minutes since 2019-07-28 14:21:00 UTC.",
  "timestamp": 1564323960,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-1250",
  "state": "Open",
  "nid": 1250,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "name": "84:d4:7e:c5:c8:8c",
    "duration": "5",
    "time": "2019-07-28 14:21:00 UTC",
    "threshold": "10",
    "ds_key": "201804170291.CT0779239.cpu_utilization.5m",
    "serial": "CT0779239",
    "unit": "%"
  },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw4-VVrVQO1ZtiGFkZ3",
  "severity": "Critical"
}
AP Memory Over Utilization
{
  "alert_type": "AP_MEMORY_OVER_UTILIZATION",
  "description": "Memory utilization for AP iap-303-iphone456-offline with serial CNGHKGX004 has been above 40% for about 5 minutes since 2019-07-24 07:11:00 UTC.",
  "timestamp": 1563952560,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-1251",
  "state": "Open",
  "nid": 1251,
  "details": {
    "_rule_number": "1",
    "group": "3",
    "name": "iap-303-iphone456-offline",
    "labels": "3,118",
    "duration": "5",
    "time": "2019-07-24 07:11:00 UTC",
    "threshold": "40",
    "ds_key": "201804170291.CNGHKGX004.memory_utilization.5m",
    "serial": "CNGHKGX004",
    "unit": "%"
  },
  "operation": "create",
  "device_id": "CNGHKGX004",
  "id": "AWwi1jihVQO1ZtiGThDA",
  "severity": "Major"
}
AP Radio Noise Floor

{
  "alert_type": "AP_RADIO_NOISE_FLOOR",
  "description": "Noise floor on AP iap-303-iphone456-offline operating on Channel 10 and serving 0 clients has been above -110 dBm for about 10 minutes since 2019-07-24 07:06:00 UTC.",
  "timestamp": 1563952560,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-1253",
  "state": "Open",
  "nid": 1253,
  "details": {
    "_rule_number": "0",
    "group": "3",
    "name": "iap-303-iphone456-offline",
    "_radio_num": "1",
    "client_count": "0",
    "labels": "3,118",
    "_band": "0",
    "duration": "10",
    "time": "2019-07-24 07:06:00 UTC",
    "threshold": "110",
    "ds_key": "201804170291.CNGHKGX004.radio.noisefloor",
    "serial": "CNGHKGX004",
    "channel": "10"
  },
  "operation": "create",
  "device_id": "CNGHKGX004",
  "id": "AWwi1jjgVQO1ZtiGThDB",
  "severity": "Critical"
}
AP Radio Over Utilization
{
  "alert_type": "AP_RADIO_OVER_UTILIZATION",
  "description": "Radio utilization on AP 84:d4:7e:c5:c8:8c operating on Channel 36E and serving 0 clients has been above 1% for about 5 minutes since 2019-07-28 14:31:00 UTC.",
  "timestamp": 1564324560,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-1252",
  "state": "Open",
  "nid": 1252,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "name": "84:d4:7e:c5:c8:8c",
    "_radio_num": "0",
    "client_count": "0",
    "_band": "1",
    "duration": "5",
    "unit": "%",
    "time": "2019-07-28 14:31:00 UTC",
    "threshold": "1",
    "ds_key": "201804170291.CT0779239.radio.busy64",
    "serial": "CT0779239",
    "channel": "36E"
  },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5An08VQO1ZtiGFpgm",
  "severity": "Critical"
}
Client Attack detected
{
  "alert_type": "Client attack detected",
  "description": "An AP (NAME iap-303-iphone456-o and MAC 90:4c:81:cf:27:74 on RADIO 1) detected an unencrypted frame between a valid client (88:63:df:bb:2a:9d) and access point (BSSID 90:4c:81:72:77:55) with source 88:63:df:bb:2a:9d and receiver ff:ff:ff:ff:ff:ff SNR value is 55",
  "timestamp": 1564392710,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-13",
  "state": "Open",
  "nid": 13,
  "details": {
    "group": "3",
    "labels": "3,142,141",
    "params": "None",
    "_rule_number": "0",
    "time": "2019-07-29 09:31:50 UTC"
  },
  "operation": "create",
  "device_id": "CNGHKGX004",
  "id": "AWw9EmBxVQO1ZtiGO1Q8",
  "severity": "Critical"
}
Connected Clients
{
  "alert_type": "CONNECTED_CLIENTS",
  "description": "Number of Clients connected to swarm with name SetMeUp-CA:35:56 has been above 1 for about 5 minutes since 2019-07-29 12:26:00 UTC.",
  "timestamp": 1564403460,
  "webhook": "68612ee3-3ee9-4da4-b07b-13977a350344",
  "setting_id": "b8be21720dc04a8e9f0028374b6a9bbd-1254",
  "state": "Open",
  "nid": 1254,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "name": "SetMeUp-CA:35:56",
    "duration": "5",
    "aggr_context": "swarm",
    "time": "2019-07-29 12:26:00 UTC",
    "threshold": "1",
    "ds_key": "b8be21720dc04a8e9f0028374b6a9bbd.cluster.156.device.clients.5m",
    "serial": "156"
  },
  "operation": "create",
  "device_id": "156",
  "id": "AWw9tmhNVQO1ZtiGQR5U",
  "severity": "Critical"
}
Infrastructure Attack Detected
{
  "alert_type": "Infrastructure attack detected",
  "description": "An AP (NAME iap-303-iphone456-o and MAC 90:4c:81:cf:27:74 on RADIO 1) detected that the Access Point with MAC f0:5c:19:23:56:10 and BSSID f0:5c:19:23:56:10 has sent a beacon for SSID tan This beacon advertizes channel 149 but was received on channel 161 with SNR 50 ",
  "timestamp": 1564400165,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-12",
  "state": "Open",
  "nid": 12,
  "details": {
    "group": "3",
    "labels": "3,142,141",
    "params": "None",
    "_rule_number": "0",
    "time": "2019-07-29 11:36:05 UTC"
  },
  "operation": "create",
  "device_id": "CNGHKGX004",
  "id": "AWw9hCLAVQO1ZtiGP1ig",
  "severity": "Critical"
}
Insufficient Power Alert
{
  "alert_type": "INSUFFICIENT_POWER_ALERT",
  "description": "Insufficient inline power supplied to AP-205 with name 04:bd:88:c3:b6:f0",
  "timestamp": 1564403450,
  "webhook": "68612ee3-3ee9-4da4-b07b-13977a350344",
  "setting_id": "b8be21720dc04a8e9f0028374b6a9bbd-21",
  "state": "Open",
  "nid": 21,
  "details": {
    "group": "0",
    "name": "04:bd:88:c3:b6:f0",
    "labels": [],
    "label_site_desc": "",
    "time": "2019-07-29 12:30:50 UTC",
    "serial": "CM0381143",
    "group_name": "default",
    "ap_model": "AP-205"
  },
  "operation": "create",
  "device_id": "CM0381143",
  "id": "AWw9tkNGVQO1ZtiGQRz-",
  "severity": "Major"
}
Modem Plugged
{
  "alert_type": "Modem Plugged",
  "description": "Modem plugged to ap with name 84:d4:7e:c5:c8:8c'and MAC address 84:d4:7e:c5:c8:8c",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-18",
  "state": "Open",
  "nid": 18,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "labels": "",
    "params": ["84:d4:7e:c5:c8:8c", "84:d4:7e:c5:c8:8c"],
    "time": "2019-07-28 15:02:08 UTC"
  },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zJKL90tiGF20d",
  "severity": "Critical"
}
Modem Unplugged
{
  "alert_type": "Modem Unplugged",
  "description": "Modem unplugged from ap with name 84:d4:7e:c5:c8:8c'and MAC address 84:d4:7e:c5:c8:8c",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-19",
  "state": "Open",
  "nid": 19,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "labels": "",
    "params": ["84:d4:7e:c5:c8:8c", "84:d4:7e:c5:c8:8c"],
    "time": "2019-07-28 15:02:08 UTC"
  },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVQO1ZtiGF20d",
  "severity": "Critical"
}
New AP Detected
{
  "alert_type": "New AP detected",
  "description": "New AP with Name 84:d4:7e:c5:c8:8c and MAC address 84:d4:7e:c5:c8:8c detected, Group:unprovisioned",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-3",
  "state": "Open",
  "nid": 3,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "labels": "",
    "params": ["84:d4:7e:c5:c8:8c", "84:d4:7e:c5:c8:8c"],
    "time": "2019-07-28 15:02:08 UTC"
  },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVQO1ZtiJH56e",
  "severity": "Major"
}
New Virtual Controller Detected
{
  "alert_type": "New Virtual Controller detected",
  "description": "New Virtual Controller with Name SetMeUp-CA:51:D6, Version 8.4.0.0_69847 and IP address 10.29.43.70 detected, Group:unprovisioned",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-1",
  "state": "Open",
  "nid": 1,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "labels": "",
    "params": ["SetMeUp-CA:51:D6", "8.4.0.0_69847", "10.29.43.70"],
    "time": "2019-07-28 15:02:08 UTC"
  },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVQO1ZtiJH56j",
  "severity": "Critical"
}
Rogue AP Detected
{
  "alert_type": "Rogue AP detected",
  "description": "An AP (NAME 84:d4:7e:c5:c8:8c and MAC address 84:d4:7e:c5:c8:8con RADIO 1) detected an access point (BSSID 0c:00:01:34:69:62 and SSID ssid1 on CHANNEL 52) as rogue",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-10",
  "state": "Open",
  "nid": 10,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "labels": "",
    "params": ["84:d4:7e:c5:c8:8c", "84:d4:7e:c5:c8:8c", "1", "0c:00:01:34:69:62", "ssid1", "52"],
    "time": "2019-07-28 15:02:08 UTC"
  },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVQO1ZtiJK89l",
  "severity": "Critical"
}
Uplink Changed
{
  "alert_type": "Uplink Changed",
  "description": "Uplink changed from 0 to 1 for ap'with name {params[2]} and MAC address {params[3]}",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-17",
  "state": "Open",
  "nid": 17,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "labels": "",
    "params": ["0", "1", "84:d4:7e:c5:c8:8c", "84:d4:7e:c5:c8:8c"],
    "time": "2019-07-28 15:02:08 UTC"
  },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVQO1ZtiGF20d",
  "severity": "Critical"
}
Virtual Controller Disconnected
{
  "alert_type": "Virtual controller disconnected",
  "description": "Virtual Controller with Name SetMeUp-CA:51:D6, Version 8.4.0.0_69847 and IP address 10.29.43.70 disconnected, Group:unprovisioned",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-2",
  "state": "Open",
  "nid": 2,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "labels": "",
    "conn_status": "disconnected",
    "params": ["SetMeUp-CA:51:D6", "8.4.0.0_69847", "10.29.43.70"],
    "time": "2019-07-28 15:02:08 UTC"
  },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVQO1ZtiGF20d",
  "severity": "Critical"
}
Switch Alerts--Sample JSON
This section includes sample JSON content for the following alerts:
Switch Disconnected
{
  "alert_type": "Switch Disconnected",
  "description": "Switch with serial CN8AHKW095, MAC address 54:80:28:b8:f6:20 IP address 10.22.41.3 and Hostname Aruba-2930F-24G-PoEP-4SFPP disconnected, Group:unprovisioned",
  "timestamp": 1569475139,
  "webhook": "f8b021a2-8127-4c28-a755-8ee6e01ada66",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-203",
  "state": "Open",
  "nid": 203,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "labels": "",
    "conn_status": "disconnected",
    "params": ["CN8AHKW095", "54:80:28:b8:f6:20", "10.22.41.3", "Aruba-2930F-24G-PoEP-4SFPP"],
    "time": "2019-09-26 05:18:59 UTC"
  },
  "operation": "create",
  "device_id": "CN8AHKW095",
  "id": "AW1sAhfAYu0OgJ2anzUD",
  "severity": "Major"
}
New Switch Connected
{
  "alert_type": "New Switch Connected",
  "description": "New Switch with serial CN8AHKW095, MAC address 54:80:28:b8:f6:20 IP address 10.22.41.3 and Hostname Aruba-2930F-24G-PoEP-4SFPP connected, Group:unprovisioned",
  "timestamp": 1569476559,
  "webhook": "f8b021a2-8127-4c28-a755-8ee6e01ada66",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-201",
  "state": "Open",
  "nid": 201,
  "details": {
    "group": "1",
    "labels": "",
    "params": ["CN8AHKW095", "54:80:28:b8:f6:20", "10.22.41.3", "Aruba-2930F-24G-PoEP-4SFPP"],
    "_rule_number": "0",
    "time": "2019-09-26 05:42:39 UTC"
  },
  "operation": "create",
  "device_id": "CN8AHKW095",
  "id": "AW1sF8IGYu0OgJ2an0Aq",
  "severity": "Major"
}
Switch Memory Over Utilization
{
  "alert_type": "SWITCH_MEMORY_OVER_UTILIZATION",
  "description": "Memory utilization for Switch Aruba-2930F-24G-PoEP-4SFPP with serial CN8AHKW095 has been above 10% for about 5 minutes since 2019-09-26 05:48:00 UTC",
  "timestamp": 1569477180,
  "webhook": "f8b021a2-8127-4c28-a755-8ee6e01ada66",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1301",
  "state": "Open",
  "nid": 1301,
  "details": {
    "_rule_number": "0",
    "group": "1",
    "name": "Aruba-2930F-24G-PoEP-4SFPP",
    "duration": "5",
    "time": "2019-09-26 05:48:00 UTC",
    "threshold": "10",
    "ds_key": "e344d961bccd411dbd279bf92f61b989.CN8AHKW095.memory_utilization.5m",
    "serial": "CN8AHKW095",
    "unit": "%"
  },
  "operation": "create",
  "device_id": "CN8AHKW095",
  "id": "AW1sITrfYu0OgJ2an0UP",
  "severity": "Critical"
}
Switch CPU Over Utilization
{
  "alert_type": "SWITCH_CPU_OVER_UTILIZATION",
  "description": "CPU utilization for Switch Aruba-2930F-48G-PoEP-4SFPP with serial CN88HKX1CR has been above 5% for about 5 minutes since 2019-09-26 06:07:00 UTC.",
  "timestamp": 1569478320,
  "webhook": "f8b021a2-8127-4c28-a755-8ee6e01ada66",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1300",
  "state": "Open",
  "nid": 1300,
  "details": {
    "_rule_number": "0",
    "group": "41",
    "name": "Aruba-2930F-48G-PoEP-4SFPP",
    "duration": "5",
    "time": "2019-09-26 06:07:00 UTC",
    "threshold": "5",
    "ds_key": "e344d961bccd411dbd279bf92f61b989.CN88HKX1CR.cpu_utilization.5m",
    "serial": "CN88HKX1CR",
    "unit": "%"
  },
  "operation": "create",
  "device_id": "CN88HKX1CR",
  "id": "AW1sMqB4Yu0OgJ2an055",
  "severity": "Critical"
}
Switch Interface Rx Rate
{ "alert_type": "SWITCH_INTERFACE_RX_RATE", "description": "Receive rate for Interface 15 on Switch Aruba-2930F-24G-PoEP-4SFPP has
been above 1 % for about 5 minutes since 2019-09-26 13:18:00 UTC.",
"timestamp": 1569504180, "webhook": "4d588353-3355-487d-81af-c97f62b0abb0", "setting_id": "e344d961bccd411dbd279bf92f61b989-1303", "state": "Open", "nid": 1303, "details": {
"_rule_number": "0", "group": "1", "name": "Aruba-2930F-24G-PoEP-4SFPP", "max_value_for_percentage": "1000.0", "threshold": "1", "intf_name": "15", "time": "2019-09-26 13:18:00 UTC", "duration": "5", "ds_key": "e344d961bccd411dbd279bf92f61b989.CN8AHKW095.intf.rx_utilization.5m", "serial": "CN8AHKW095", "unit": "%" }, "operation": "create", "device_id": "CN8AHKW095", "id": "AW1tvTgBYu0OgJ2aoCgl", "severity": "Critical" }
Switch Interface Tx Rate


{ "alert_type": "SWITCH_INTERFACE_TX_RATE", "description": "Transfer rate for Interface 19 on Switch Aruba-2930F-24G-PoEP-4SFPP has
been above 1 % for about 5 minutes since 2019-09-26 13:18:00 UTC.",
"timestamp": 1569504180, "webhook": "4d588353-3355-487d-81af-c97f62b0abb0", "setting_id": "e344d961bccd411dbd279bf92f61b989-1302", "state": "Open", "nid": 1302, "details": {
"_rule_number": "0", "group": "1", "name": "Aruba-2930F-24G-PoEP-4SFPP", "max_value_for_percentage": "1000.0", "threshold": "1", "intf_name": "19", "time": "2019-09-26 13:18:00 UTC", "duration": "5", "ds_key": "e344d961bccd411dbd279bf92f61b989.CN8AHKW095.intf.tx_utilization.5m", "serial": "CN8AHKW095", "unit": "%" }, "operation": "create", "device_id": "CN8AHKW095", "id": "AW1tvTgBYu0OgJ2aoCgk", "severity": "Critical" }
Switch POE Utilization
{ "alert_type": "SWITCH_POE_UTILIZATION", "description": "PoE utilization for Switch Aruba-2930F-24G-PoEP-4SFPP with serial
CN69HKW05T MAC address e0:07:1b:c4:8d:80 and IP address 10.22.182.78 has been above 1%",
"timestamp": 1569505920, "webhook": "4d588353-3355-487d-81af-c97f62b0abb0", "setting_id": "e344d961bccd411dbd279bf92f61b989-1307", "state": "Open", "nid": 1307, "details": {
"group": "0", "name": "Aruba-2930F-24G-PoEP-4SFPP", "ip": "10.22.182.78", "labels": [], "mac": "e0:07:1b:c4:8d:80", "time": "2019-09-26 13:52:00 UTC", "threshold": "1", "serial": "CN69HKW05T" }, "operation": "create", "device_id": "CN69HKW05T", "id": "AW1t18ccYu0OgJ2aoDYw", "severity": "Critical" }
Switch Interface Input Errors
{ "alert_type": "SWITCH_INTERFACE_INPUT_ERRORS", "description": "Input errors for Interface 19 on Switch Aruba-2930F-24G-PoEP-4SFPP has
been above 90% for about 30 minutes since 2019-09-26 06:07:00 UTC .",
"timestamp": 1569505920, "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",

"setting_id": "e344d961bccd411dbd279bf92f61b989-1307", "state": "Open", "nid": 1307, "details": {
"group": "0", "name": "Aruba-2930F-24G-PoEP-4SFPP", "ip": "10.22.182.78", "labels": [], "mac": "e0:07:1b:c4:8d:80", "time": "2019-09-26 13:52:00 UTC", "threshold": "1", "serial": "CN69HKW05T" }, "operation": "create", "device_id": "CN69HKW05T", "id": "AW1t18ccYu0OgJ2aoDYw", "severity": "Critical" }
Switch Interface Output Errors
{ "alert_type": "SWITCH_INTERFACE_OUTPUT_ERRORS", "description": "Output errors for Interface 19 on Switch Aruba-2930F-24G-PoEP-4SFPP has
been above 90% for about 30 minutes since 2019-09-26 06:07:00 UTC.",
"timestamp": 1569505920, "webhook": "4d588353-3355-487d-81af-c97f62b0abb0", "setting_id": "e344d961bccd411dbd279bf92f61b989-1307", "state": "Open", "nid": 1307, "details": {
"group": "0", "name": "Aruba-2930F-24G-PoEP-4SFPP", "ip": "10.22.182.78", "labels": [], "mac": "e0:07:1b:c4:8d:80", "time": "2019-09-26 13:52:00 UTC", "threshold": "1", "serial": "CN69HKW05T" }, "operation": "create", "device_id": "CN69HKW05T", "id": "AW1t18ccYu0OgJ2aoDYw", "severity": "Critical" }
Switch Mismatch Config
{ "alert_type": "Switch Mismatch Config", "description": "Config mismatch occurred in switch with serial CN69HKW05T MAC address
e0:07:1b:c4:8d:80 and IP address 10.22.182.78 and Hostname Aruba-2930F-48G-PoEP-4SFPP ",
"timestamp": 1569505920, "webhook": "4d588353-3355-487d-81af-c97f62b0abb0", "setting_id": "e344d961bccd411dbd279bf92f61b989-1307", "state": "Open", "nid": 1307, "details": {
"group": "0", "name": "Aruba-2930F-24G-PoEP-4SFPP", "ip": "10.22.182.78", "labels": [], "mac": "e0:07:1b:c4:8d:80", "time": "2019-09-26 13:52:00 UTC", "threshold": "1",


"serial": "CN69HKW05T" }, "operation": "create", "device_id": "CN69HKW05T", "id": "AW1t18ccYu0OgJ2aoDYw", "severity": "Critical" }
Switch Hardware Failure
{ "alert_type": "SWITCH_HARDWARE_FAILURE", "description": "Switch with serial CN8AHKW095 : Fan 1 failed ", "timestamp": 1569505920, "webhook": "4d588353-3355-487d-81af-c97f62b0abb0", "setting_id": "e344d961bccd411dbd279bf92f61b989-1307", "state": "Open", "nid": 1307, "details": { "group": "0", "name": "Aruba-2930F-24G-PoEP-4SFPP", "ip": "10.22.182.78", "labels": [], "mac": "e0:07:1b:c4:8d:80", "time": "2019-09-26 13:52:00 UTC", "threshold": "1", "serial": "CN69HKW05T" }, "operation": "create", "device_id": "CN69HKW05T", "id": "AW1t18ccYu0OgJ2aoDYw", "severity": "Critical"
}
Switch Interface Duplex Mode
{ "alert_type": "SWITCH_INTERFACE_DUPLEX_MODE", "description": "Interface 19 on switch Aruba-2930F-24G-PoEP-4SFPP with serial CN8AHKW095
is operating at Half-Duplex mode", "timestamp": 1569901561, "webhook": "c71404f4-00c1-4241-8bf4-c8d3f981caa2", "setting_id": "e344d961bccd411dbd279bf92f61b989-1306", "state": "Open", "nid": 1306, "details": { "group": "1", "name": "Aruba-2930F-24G-PoEP-4SFPP", "labels": "", "mode": "Half", "intf_name": "19", "time": "2019-10-01 03:46:01 UTC", "serial": "CN8AHKW095" }, "operation": "create", "device_id": "CN8AHKW095", "id": "AW2FbMiOYu0OgJ2asaWh", "severity": "Critical"
}
Gateway Alerts--Sample JSON
This section includes sample JSON content for the following alerts:
WAN Uplink Flap

{ "alert_type": "WAN_UPLINK_FLAP", "description": "Uplink link1_inet link status flapped 1% on device with CNHHKLB031 for
about 15 minutes since 2019-07-25 12:36:00 UTC.",
"timestamp": 1564059060, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1600", "state": "Open", "nid": 1600, "details": {
"status": "DOWN", "_rule_number": "0", "group": "77", "labels": "8,661", "current_status": "UP", "duration": "15", "intf_name": "link1_inet", "time": "2019-07-25 12:36:00 UTC", "threshold": "1", "ds_key": "abce082bef4a428bb31366f6d6ff223f.CNHHKLB031.uplink.flap.5m", "serial": "CNHHKLB031", "uplink_tag": "link1_inet", "unit": "%" }, "operation": "create", "device_id": "CNHHKLB031", "id": "AWwpL0fvVQO1ZtiGh-2_", "severity": "Critical" }
WAN Tunnel Flap
{ "alert_type": "WAN_TUNNEL_FLAP", "description": "Tunnel data-vpnc-00:1a:1e:03:83:30-link1_inet status flapped 1% on device CNHHKLB031 for about 15 minutes since 2019-07-25 12:26:00 UTC.", "timestamp": 1564058460, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1601", "state": "Open", "nid": 1601, "details": { "alias_map_name": "data-vpnc-00:1a:1e:03:83:30-link1_inet", "_rule_number": "0", "group": "77", "dst_ip": "172.168.101.9", "labels": "8,661", "src_ip": "192.168.51.254", "duration": "15", "time": "2019-07-25 12:26:00 UTC", "threshold": "1", "ds_key": "abce082bef4a428bb31366f6d6ff223f.CNHHKLB031.uplink.tunnel.flap.5m", "serial": "CNHHKLB031", "uplink_tag": "link1_inet", "unit": "%" }, "operation": "create", "device_id": "CNHHKLB031", "id": "AWwpJiAiVQO1ZtiGh5tw", "severity": "Critical"
}
WAN Auto Negotiation Flap


{ "alert_type": "WAN_AUTO_NEGOTIATION_FLAP", "description": "Uplink GE0/0/1 speed flapped 1% on device CNHHKLB031 for about 15 minutes since 2019-07-25 12:32:00 UTC.", "timestamp": 1564058820, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1602", "state": "Open", "nid": 1602, "details": { "new_speed": "Auto", "group": "77", "labels": "8,661", "duration": "15", "_rule_number": "0", "intf_name": "GE0/0/1", "time": "2019-07-25 12:32:00 UTC", "threshold": "1", "ds_key": "abce082bef4a428bb31366f6d6ff223f.CNHHKLB031.uplink.speed.flap.5m", "serial": "CNHHKLB031", "speed": "1000", "unit": "%" }, "operation": "create", "device_id": "CNHHKLB031", "id": "AWwpK55sVQO1ZtiGh8zr", "severity": "Minor"
}
WAN IPsec SA Establishment Failed
{ "alert_type": "WAN_IPSEC_SA_ESTABILSHMENT_FAILED", "description": "IPSec Tunnel Establishment from 192.168.51.254 to 172.168.101.9 failed on device CNHHKLB031 at 2019-07-25 12:49:56 UTC", "timestamp": 1564058996, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1550", "state": "Open", "nid": 1550, "details": { "alias_map_name": "data-vpnc-00:1a:1e:03:83:30-link1_inet", "group": "77", "name": "None", "labels": [ "8", "661" ], "src_ip": "192.168.51.254", "link_tag": "link1_inet", "time": "2019-07-25 12:49:56 UTC", "dst_ip": "172.168.101.9", "serial": "CNHHKLB031" }, "operation": "create", "device_id": "CNHHKLB031", "id": "AWwpLlB0VQO1ZtiGh-WS", "severity": "Minor"
}
WAN IPsec SA Down
{ "alert_type": "WAN_IPSEC_SA_DOWN", "description": "IPSec tunnel from 192.168.52.254 to 172.168.101.9 is DOWN on device

CNHHKLB031. Reason: Administrator cleared IPSEC SA at 2019-07-25 12:40:22 UTC",
"timestamp": 1564058422, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1551", "state": "Open", "nid": 1551, "details": {
"alias_map_name": "data-vpnc-00:1a:1e:03:83:30-link2_mpls", "group": "77", "name": "None", "labels": [
"8", "661" ], "src_ip": "192.168.52.254", "reason": "Administrator cleared IPSEC SA", "time": "2019-07-25 12:40:22 UTC", "dst_ip": "172.168.101.9", "serial": "CNHHKLB031", "uplink_tag": "link2_mpls" }, "operation": "create", "device_id": "CNHHKLB031", "id": "AWwpJY4aVQO1ZtiGh5c-", "severity": "Minor" }
WAN IPsec SA All Down
{ "alert_type": "WAN_IPSEC_SA_ALL_DOWN", "description": "All IPSec SAs down for device CNHHKLB031 at 2019-07-25 12:40:22 UTC", "timestamp": 1564058446, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1552", "state": "Close", "nid": 1552, "details": { "serial": "CNHHKLB031", "labels": [ "8", "661" ], "group": "77", "name": "None", "time": "2019-07-25 12:40:22 UTC" }, "operation": "update", "device_id": "CNHHKLB031", "id": "AWwpJY3NVQO1ZtiGh5c9", "severity": "Critical"
}
CFG Set Advertisement Failure
{ "alert_type": "CFG_SET_ADVERTISEMENT_FAILURE", "description": "CFG-Set advertisement failure for Gateway with CNHHKLB031 on tunnel data-
vpnc-00:1a:1e:03:83:30-link1_inet from 192.168.51.254 to 172.168.101.9",
"timestamp": 1564059635, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1554", "state": "Open", "nid": 1554,


"details": { "alias_map_name": "data-vpnc-00:1a:1e:03:83:30-link1_inet", "group": "77", "name": "None", "labels": [ "8", "661" ], "src_ip": "192.168.51.254", "time": "2019-07-25 13:00:35 UTC", "map_name": "data-vpnc-00:1a:1e:03:83:30-link1_inet", "dst_ip": "172.168.101.9", "serial": "CNHHKLB031"
}, "operation": "create", "device_id": "CNHHKLB031", "id": "AWwpOBCVVQO1ZtiGiD0f", "severity": "Major" }
Controller CPU Over Utilization
{ "alert_type": "CONTROLLER_CPU_OVER_UTILIZATION", "description": "CPU utilization for Gateway Aruba9004_40_0C_28 with serial CNHHKLB031 has
been above 1% for about 15 minutes since 2019-07-25 09:30:00 UTC.",
"timestamp": 1564047900, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1351", "state": "Open", "nid": 1351, "details": {
"_rule_number": "0", "group": "77", "name": "Aruba9004_40_0C_28", "labels": "8,661", "duration": "15", "time": "2019-07-25 09:30:00 UTC", "threshold": "1", "ds_key": "abce082bef4a428bb31366f6d6ff223f.CNHHKLB031.cpu_utilization.5m", "serial": "CNHHKLB031", "unit": "%" }, "operation": "create", "device_id": "CNHHKLB031", "id": "AWwohP4LVQO1ZtiGgfbQ", "severity": "Critical" }
Controller Memory Over Utilization
{ "alert_type": "CONTROLLER_MEMORY_OVER_UTILIZATION", "description": "Memory utilization for Gateway Aruba9004_40_0C_28 with serial CNHHKLB031
has been above 1% for about 10 minutes since 2019-07-25 09:30:00 UTC.",
"timestamp": 1564047600, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1352", "state": "Open", "nid": 1352, "details": {
"_rule_number": "0", "group": "77", "name": "Aruba9004_40_0C_28",

"labels": "8,661", "duration": "10", "time": "2019-07-25 09:30:00 UTC", "threshold": "1", "ds_key": "abce082bef4a428bb31366f6d6ff223f.CNHHKLB031.memory_utilization.5m", "serial": "CNHHKLB031", "unit": "%" }, "operation": "create", "device_id": "CNHHKLB031", "id": "AWwogGqYVQO1ZtiGgc2L", "severity": "Major" }
Controller OSPF Session Error
{ "alert_type": "CONTROLLER OSPF SESSION ERROR", "description": "OSPF session state change for Gateway with hostname GSK_VPNC2 and serial
CW0003307 from Init State to Down State for neighbor 1.0.0.2 on interface 100 with reason No hello packets received from
neighbour.Inactivity timer fired", "timestamp": 1564121712, "webhook": "60785e88-9513-4352-94d6-ec25fedbeddc", "setting_id": "b27f67fa44234c51a890fccea7c9b83e-1354", "state": "Open", "nid": 1354, "details": { "dst_state": "Down State", "neighbour_ip": "1.0.0.2", "group": "4", "uniq_identifier": "100-16777218", "labels": [ "2", "11", "12", "15", "13", "8" ], "src_state": "Init State", "reason": "No hello packets received from neighbour.Inactivity timer fired", "time": "2019-07-26 06:15:12 UTC", "interface": "100", "serial": "CW0003307", "hostname": "GSK_VPNC2" }, "operation": "create", "device_id": "CW0003307", "id": "AWws60Yxon2R5PyMmUU4", "severity": "Major"
}
Gateway Base License Capacity Exceeded
{ "alert_type": "GATEWAY_BASE_LICENSE_CAPACITY_EXCEEDED", "description": "Base license capacity limit exceeded for Gateway with name: Dev-BR1-GW-
Kafka, serial: CP0015859", "timestamp": 1564141290, "webhook": "1348bcc4-ce00-4180-b314-32849c3638a1", "setting_id": "2fb4b8a7e77c496395950510a1d270bc-1356", "state": "Open", "nid": 1356, "details": { "serial": "CP0015859", "labels": [],


"group": "1", "name": "Dev-BR1-GW-Kafka", "time": "2019-07-26 11:41:30 UTC" }, "operation": "create", "device_id": "CP0015859", "id": "AWwuFgZqnGtA5yFV0hCr", "severity": "Critical" }
DHCP Pool Consumption Alert
{ "alert_type": "DHCP_POOL_CONSUMPTION_ALERT", "description": "DHCP Pool Consumption on Gateway CNHHKLB031 is 12% at 2019-07-25 13:02:39
UTC for 192.168.53.0/24", "timestamp": 1564059759, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1510", "state": "Open", "nid": 1510, "details": { "subnet": "192.168.53.0/24", "group": "77", "name": "None", "labels": "8,661", "time": "2019-07-25 13:02:39 UTC", "threshold": "12", "serial": "CNHHKLB031", "unit": "%" }, "operation": "create", "device_id": "CNHHKLB031", "id": "AWwpOfQAVQO1ZtiGiE2H", "severity": "Critical"
}
WAN Auto Negotiation
{ "alert_type": "WAN_UPLINK_AUTONEGOTIATION_STATE_CHANGE", "description": "WAN ports autonegotiaton speed changed from 1000 Mbps to Auto Mbps for
device with CNHHKLB031 for uplink GE0/0/1 at 2019-07-25 12:46:36 UTC",
"timestamp": 1564058796, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1506", "state": "Open", "nid": 1506, "details": {
"new_speed": "Auto", "group": "77", "name": "None", "labels": [
"8", "661" ], "intf_name": "GE0/0/1", "time": "2019-07-25 12:46:36 UTC", "serial": "CNHHKLB031", "speed": "1000" }, "operation": "create", "device_id": "CNHHKLB031", "id": "AWwpK0IxVQO1ZtiGh8oh", "severity": "Minor" }

WAN Uplink Status Change
{ "alert_type": "WAN_UPLINK_STATUS_CHANGE", "description": "Uplink port link1_inet status change UP -> DOWN for device with
CNHHKLB031 at 2019-07-25 09:22:31 UTC", "timestamp": 1564046551, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1505", "state": "Open", "nid": 1505, "details": { "status": "UP", "group": "77", "name": "None", "labels": [ "8", "661" ], "current_status": "DOWN", "intf_name": "link1_inet", "time": "2019-07-25 09:22:31 UTC", "serial": "CNHHKLB031", "uplink_tag": "link1_inet" }, "operation": "create", "device_id": "CNHHKLB031", "id": "AWwocGtYVQO1ZtiGgT03", "severity": "Major"
}
Gateway Threat Count
{ "alert_type": "GW_IDS_IPS_ALERT_THREAT_OVER_A_PERIOD", "id": "AXX7N0IhaFBUFq6FQ2R1", "nid": 2305, "setting_id": "8fc0df01a43b42aa9f8e9fbc3d3b9d35-2305", "device_id": "TWJ6KSP005", "description": "Dear Incident Manager, Your Aruba Central Portal admin configured an email alert notification to be sent to this email address Why this alert? Aruba Branch Gateway https://app-yoda.arubathena.com/frontend/#/GATEWAYDETAIL/OVERVIEW/TWJ6KSP005aruba9004 _lte with serial number TWJ6KSP005exceeded 50 threat events in last 10 minutes, triggering this CRITICAL Alert notification What is next? Reach out to your Aruba Central Portal admin to address this incident .If not addressed or if the situation escalates, you may continue to receive similar alert notifications. More Information Go to https://app-yoda.arubathena.com/frontend/#/IDPS_DASHBOARDSystem Generated Email from Aruba Central based on alert configuration; do not reply Thanks, Aruba Central", "state": "Close", "severity": "Critical", "operation": "update", "timestamp": 1606238738, "details__threshold": 50, "details__agg_field_name": "device", "details__duration": 10, "details__device": "TWJ6KSP005", "details__severity": "CRITICAL", "details__rule_id": 0, "details__serial": "TWJ6KSP005", "details__name": "aruba9004_lte", "details__group_id": 73, "details__time": "2020-11-24 16:55:04 UTC", "webhook": "001378a5-bfb1-465e-a955-0034ef801136", "text": "Dear Incident Manager, Your Aruba Central Portal admin configured an email


alert notification to be sent to this email address Why this alert? Aruba Branch Gateway https://app-yoda.arubathena.com/frontend/#/GATEWAYDETAIL/OVERVIEW/TWJ6KSP005aruba9004 _lte with serial number TWJ6KSP005exceeded 50 threat events in last 10 minutes, triggering this CRITICAL Alert notification What is next? Reach out to your Aruba Central Portal admin to address this incident. If not addressed or if the situation escalates, you may continue to receive similar alert notifications. More Information Go to https://app-yoda.arubathena.com/frontend/#/IDPS_DASHBOARDSystem Generated Email from Aruba Central based on alert configuration; do not reply Thanks, Aruba Central" }
Gateway Threat Count per Signature
{ "alert_type": "GW_IDS_IPS_ALERT_THREAT_SID_OVER_A_PERIOD", "id": "AXX7N0LFaFBUFq6FQ2R2", "nid": 2306, "setting_id": "8fc0df01a43b42aa9f8e9fbc3d3b9d35-2306", "device_id": 2003068, "description": "Dear Incident Manager, Your Aruba Central Portal admin configured an email alert notification to be sent to this email address Why this alert? Threat events of signature id 2003068 exceeded the threshold 30 in last 30minutes, triggering this CRITICAL Alert notification. What is next? Reach out to your Aruba Central Portal admin to address this incident. If not addressed or if the situation escalates, you may continue to receive similar alert notifications. More Information Go to https://app-yoda.arubathena.com/frontend/#/IDPS_DASHBOARDSystem Generated Email from Aruba Central based on alert configuration; do not reply Thanks, Aruba Central", "state": "Close", "severity": "Critical", "operation": "update", "timestamp": 1606239938, "details__threshold": 30, "details__duration": 30, "details__agg_field_name": "signature", "details__signature": 2003068, "details__severity": "CRITICAL", "details__rule_id": 0, "details__serial": 2003068, "details__time": "2020-11-24 16:35:04 UTC", "webhook": "001378a5-bfb1-465e-a955-0034ef801136", "text": "Dear Incident Manager, Your Aruba Central Portal admin configured an email alert notification to be sent to this email address .Why this alert? Threat events of signature id 2003068 exceeded the threshold30 in last 30minutes, triggering this CRITICAL Alert notification. What is next? Reach out to your Aruba Central Portal admin to address this incident. If not addressed or if the situation escalates, you may continue to receive similar alert notifications. More Information Go to https://app-yoda.arubathena.com/frontend/#/IDPS_DASHBOARD System Generated Email from Aruba Central based on alert configuration; do not reply Thanks, Aruba Central"
}
Miscellaneous Alerts--Sample JSON
This section includes sample JSON content for the following alerts:
Device Config Change Detected
{ "alert_type": "DEVICE_CONFIG_CHANGE_DETECTED", "description": "Config change detected on group nbapi_test for device type Switch by user [email protected].\n\nSerial: None, \nMacAddress: None,

\nConfig Content: Template Updated \nmodel: ALL\nversion: ALL\ndevice_type: HPPC\ntemplate changes: \n @@ -18,6 +18,6 @@\n\n\n ip address dhcp-bootp\n\n exit\n\n vlan 13\n\n- name \"vlan_8888\"\n\n+ name \"vlan_ 44\"\n\n no ip address\n\n exit ", "timestamp": 1564383294, "webhook": "272eda1a-f79b-4192-ad6f-b35da11515bc", "setting_id": "715e45fe3ff8453da355cd34aff2afa5-2000", "state": "Open", "nid": 2000, "details": { "config_change": "Template Updated\nmodel: ALL\nversion: ALL\ndevice_type: HPPC\ntemplate changes: \n @@ -18,6 +18, 6 @@\n\n\n ip address dhcp-bootp\n\n exit\n\n vlan 13\n\n- name \"vlan_8888\"\n\n+ name \"vlan_44\"\n\n no ip address\n\n exit ", "macaddr": "None", "group": "8", "dev_type": "Switch", "labels": "None", "group_name": "nbapi_test", "_rule_number": "0", "params": "None", "user": "[email protected]", "time": "2019-07-29 06:54:54 UTC", "serial": "None" }, "operation": "create", "device_id": "", "id": "AWw8grSBeZ6A6PlBvMk4", "severity": "Warning" }
User Account Deleted
{ "alert_type": "User account deleted", "description": "User with name [email protected] deleted.", "timestamp": 1569234480, "webhook": "057b0a95-9f06-4a0f-b4bf-149a28d749b3", "setting_id": "573b0412517a41c8a73a80f3e74ff0d2-15", "state": "Open", "nid": 15, "details": { "group": "-1", "labels": "None", "params": [ "[email protected]" ], "_rule_number": "0", "time": "2019-09-23 10:28:00 UTC" }, "operation": "create", "device_id": "", "id": "AW1dqe6rYu0OgJ2alXzT", "severity": "Major"
}
New User Account Added
{ "alert_type": "New User account added", "description": "User account setting updated for user: [email protected] with
language:en_US and idle timeout: 1800", "timestamp": 1569234534, "webhook": "057b0a95-9f06-4a0f-b4bf-149a28d749b3", "setting_id": "573b0412517a41c8a73a80f3e74ff0d2-14",


"state": "Open", "nid": 14, "details": {
"group": "-1", "labels": "None", "params": [], "_rule_number": "0", "time": "2019-09-23 10:28:54 UTC" }, "operation": "create", "device_id": "", "id": "AW1dqr6nYu0OgJ2alX1l", "severity": "Major" }
User Account Edited
{ "alert_type": "User account edited", "description": "User with Name [email protected], role readwrite and access [] updated.", "timestamp": 1569235100, "webhook": "057b0a95-9f06-4a0f-b4bf-149a28d749b3", "setting_id": "573b0412517a41c8a73a80f3e74ff0d2-16", "state": "Open", "nid": 16, "details": { "group": "-1", "labels": "None", "params": [ "[email protected]", "readwrite", "[]" ], "_rule_number": "0", "time": "2019-09-23 10:38:20 UTC" }, "operation": "create", "device_id": "", "id": "AW1ds2LcYu0OgJ2alYM2", "severity": "Major"
}
Integrating Aruba Central with ServiceNow
ServiceNow is an IT service management platform that allows you to automatically create incidents or IT tickets based on a live data feed from a Webhook service. If you have a ServiceNow instance, you can configure a Webhook service in Aruba Central to send a notification feed. The ServiceNow integration enables your current IT Infrastructure management systems to automatically generate an IT incident or a ticket whenever an alert is triggered due to a user-generated event in Aruba Central.
Before You Begin
Before you begin, ensure that you have a valid ServiceNow account. If you do not have a ServiceNow instance, create an instance before you proceed with the steps described in the following sections. For more information on creating a ServiceNow instance, see the ServiceNow user documentation.
Integration Workflow
Complete the following steps to enable ServiceNow integration with Aruba Central:

- Step 1: Add the Hash Library to Your ServiceNow Instance
- Step 2: Create a Scripted REST API to Obtain a Webhook URL
- Step 3: Configure a Webhook in Aruba Central
- Step 4: Configure an Alert in Aruba Central
- Step 5: Verify the Integration Status
Step 1: Add the Hash Library to Your ServiceNow Instance
To get started with the ServiceNow integration, create a new script with the hash library in your ServiceNow instance. The hash library is required for header authentication.
1. Log in to ServiceNow with your user credentials.
2. Click Manage > Instance and log in to your instance.
3. Go to System Definition > Script Includes.
4. Click New.
5. Name the script as Hashes.
6. Select All application scopes from the Accessible from drop-down list.
7. Select the Client callable check box.
8. Go to the GitHub Gist website that hosts the hash library.
9. Copy the snow_hashes.js file content and paste it in the Script text box.
10. Click Submit.
Step 2: Create a Scripted REST API to Obtain a Webhook URL
To create a Scripted REST API:
1. In your ServiceNow instance, go to System Web Services > Scripted REST APIs.
2. Click New. The REST API creation page is displayed.
3. Enter a name and the API ID.
4. Click Submit. The API is added to the list of REST APIs.
5. Open the REST API that you created.
6. To add a REST resource with the header and query parameters, click New in the Resources tab. The Scripted REST Resource New record page is displayed.
7. Provide a name for the resource.
8. Select POST for the HTTP method.
9. Clear the Requires authentication check box.
10. In the Script section, add the following text:
(function process( /*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
    // Calculate signature for verification using request headers, data and token
    var centralService = request.getHeader('X-Central-Service');
    var centralDeliveryId = request.getHeader('X-Central-Delivery-ID');
    var centralDeliveryTimestamp = request.getHeader('X-Central-Delivery-Timestamp');
    var token = "<webhook_token>";
    var body = request.body.dataString;
    var message = body + centralService + centralDeliveryId + centralDeliveryTimestamp;
    var calculatedSign = new Hashes.SHA256().b64_hmac(token, message);
    var signFromServer = request.getHeader('X-Central-Signature'); // Signature sent by Aruba Central
    var low_severities = ["Minor", "Warning"];
    if (calculatedSign == signFromServer) {
        var event = JSON.parse(body);
        // Only process events from Central which has status Open
        if (event.state == "Open") {
            var inc = new GlideRecord('incident');
            inc.initialize();
            inc.short_description = event.alert_type;
            inc.state = 1;
            // Map the alert severity to incident impact and urgency.
            // indexOf is used because it also works on ES5-only script engines.
            if (low_severities.indexOf(event.severity) !== -1) {
                inc.impact = 3;
                inc.urgency = 3;
            } else if (event.severity == "Major") {
                inc.impact = 2;
                inc.urgency = 2;
            } else if (event.severity == "Critical") {
                inc.impact = 1;
                inc.urgency = 1;
            }
            inc.description = event.description;
            inc.insert();
        }
        response.setStatus(200);
        response.setBody({ status: "success" });
    } else {
        // Signature mismatch: no incident is created
        response.setStatus(200);
        response.setBody({ status: "failure" });
    }
})(request, response);
After you create a Webhook in Aruba Central, replace the Webhook token (the <webhook_token> placeholder in the above code sample) in your Scripted REST API.

11. Click Submit. The Scripted REST API that you created is added to the list of APIs.
12. Note the base API path. The base API path must be appended to your Webhook URL. 13. Ensure that your Webhook URL is in the following format:
https://<yourInstanceName>.service-now.com/<baseApiPath>.
Step 3: Configure a Webhook in Aruba Central
To create a Webhook in Aruba Central:
1. In the Account Home page, under Global Settings, click Webhooks. The Webhooks page is displayed.
2. In the Webhook tab, click the + sign. The Add Webhook window is displayed.
   a. Name--Enter a name for the Webhook.
   b. Retry Policy--Select any one of the following options:
      - None--Select this to have no retry.
      - Important--Select this to have up to 5 retries over 6 minutes.
      - Critical--Select this to have up to 5 retries over 27 hours.
   c. URLs--Enter the URL. Click + to enter another URL. You can add up to three URLs.
      https://<yourInstanceName>.service-now.com/<baseApiPath>
      The URL must include your ServiceNow instance and the base API path generated for your Scripted REST API.
3. Click Save. The Webhook is created and listed in the Webhook table.
4. Note the token ID.
5. Go back to your ServiceNow instance and update the Webhook token in the script text of the Scripted REST API you created in step 2.
You can also create a Webhook using the API interface. For more information, see Webhook documentation in Aruba Central documentation portal.
Step 4: Configure an Alert in Aruba Central
To configure an alert in Aruba Central:
1. In the Network Operations app, set the filter to Global.
2. Under Analyze, click Alerts & Events to view the alert and events dashboard.
3. To configure alerts, click the Config icon.
4. In the Alert Severities & Notifications page, click All.
5. Select an alert and click + to enable the alert with default settings.
6. Configure the following alert parameters.
   a. Severity--Set the severity. The available options are Critical, Major, Minor, and Warning.
   b. Duration--Enter the duration in minutes.
   c. Device Filter Options--(Optional) You can restrict the scope of an alert by setting any of the following parameters:
      - Group--Select a group to limit the alert to a specific group.
      - Label--Select a label to limit the alert to a specific label.
      - Device--Select a device to limit the alert to a specific device.
   d. Select Webhook check box under Notification Options and select a webhook from the dropdown list.
   e. Click Save.
Step 5: Verify the Integration Status
To verify if the integration is successful:
1. Trigger an alert from Aruba Central.
2. Verify if an incident is created in your ServiceNow instance.
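The signature check that the Step 2 script performs can be exercised outside ServiceNow before the webhook goes live. The following Node.js receiver logic is an added example, not Aruba's or ServiceNow's code: it recomputes the Base64 HMAC-SHA256 over the body plus the X-Central-* headers, compares it in constant time, and applies the same Open-only and severity mapping rules. The token, header values and alert body are constructed, and it assumes the Hashes library's b64_hmac output equals standard padded Base64 HMAC-SHA256.

```javascript
'use strict';
const crypto = require('crypto');

// Headers covered by the signature, in the order the Step 2 script appends
// them to the body. Node exposes incoming header names in lower case.
const SIGNED_HEADERS = [
  'x-central-service',
  'x-central-delivery-id',
  'x-central-delivery-timestamp',
];

// Base64 HMAC-SHA256 keyed with the webhook token.
function computeSignature(token, rawBody, headers) {
  const message = rawBody + SIGNED_HEADERS.map((h) => headers[h]).join('');
  return crypto.createHmac('sha256', token).update(message, 'utf8').digest('base64');
}

// Rejects deliveries with a missing header or a signature that does not match.
function verifySignature(token, rawBody, headers) {
  const received = headers['x-central-signature'];
  const complete = SIGNED_HEADERS.every(
    (h) => typeof headers[h] === 'string' && headers[h] !== ''
  );
  if (!complete || typeof received !== 'string') return false;
  const expected = Buffer.from(computeSignature(token, rawBody, headers), 'utf8');
  const actual = Buffer.from(received, 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}

// Same mapping as the Step 2 script: Minor/Warning -> 3, Major -> 2, Critical -> 1.
const SEVERITY_LEVEL = new Map([
  ['Critical', 1], ['Major', 2], ['Minor', 3], ['Warning', 3],
]);

// Verifies first, parses second, and only turns "Open" alerts into incidents.
function handleDelivery(token, rawBody, headers) {
  if (!verifySignature(token, rawBody, headers)) {
    return { accepted: false, reason: 'bad-signature', incident: null };
  }
  let event;
  try {
    event = JSON.parse(rawBody);
  } catch (err) {
    return { accepted: false, reason: 'bad-json', incident: null };
  }
  if (event === null || typeof event !== 'object' || event.state !== 'Open') {
    return { accepted: true, reason: 'ignored', incident: null };
  }
  const level = SEVERITY_LEVEL.has(event.severity) ? SEVERITY_LEVEL.get(event.severity) : null;
  return {
    accepted: true,
    reason: 'created',
    incident: {
      short_description: event.alert_type,
      description: event.description,
      state: 1,
      impact: level,
      urgency: level,
    },
  };
}

// Constructed delivery for offline testing. None of these values are real.
function sampleDelivery(state) {
  const token = 'constructed-token-not-a-real-secret';
  const rawBody = JSON.stringify({
    alert_type: 'WAN_UPLINK_STATUS_CHANGE',
    description: 'Constructed sample: uplink status change',
    state: state,
    severity: 'Major',
    operation: state === 'Open' ? 'create' : 'update',
  });
  const headers = {
    'x-central-service': 'Alerts',
    'x-central-delivery-id': '00000000-0000-0000-0000-000000000001',
    'x-central-delivery-timestamp': '2019-07-25T09:22:31Z',
  };
  headers['x-central-signature'] = computeSignature(token, rawBody, headers);
  return { token, rawBody, headers };
}

const demo = sampleDelivery('Open');
console.log(handleDelivery(demo.token, demo.rawBody, demo.headers));
```

Verify against the raw request body exactly as received; re-serializing the parsed JSON before hashing changes the bytes and makes valid deliveries fail.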

Streaming API
Streaming API allows customers to subscribe to a select set of services instead of polling the NB API to get an aggregated state or statistics of the events. For example, with Streaming API, customers can get notifications about the following types of events:
- The UP and DOWN status of the devices
- Change in location of stations
For a complete list of supported services, with Streaming API, users can write value-added applications based on the aggregated context.


• The Streaming API service in Aruba Central is enabled if one of the devices in the account has an Advanced License. If the account has only a Foundation License, the Streaming API tab is not displayed in Aruba Central. For more information about the Streaming API feature in the Aruba Central licensing model, see Aruba Central Licensing Guide.
• The Streaming API service is not supported at the MSP level.
Supported Services
Streaming API supports the following services:
• Audit--The Audit messages are sent to notify events like device connectivity, configuration status, and firmware status.
• AppRF--AppRF stream is the flow of all the client sessions. For each connected device (IAP/BGW), it lists the client's web session information of the past 14/15 minutes (IP, Rx/Tx, timestamp, etc.).
• Monitoring--The monitoring streaming event is generated for state message (on state change) and stats message (received every 5 minutes).
• Presence--The Presence events are sent to provide details of all associated and unassociated clients detected by Instant AP devices.
• Location--A location event is generated when the location of a client is computed using RSSI values reported by IAPs. The event message includes coordinates of the client on the VisualRF floorplan.
• Security--The Security streaming event is generated when the IAPs have enabled Intrusion Detection. This feed contains all the IDS detections reported by the IAPs in the network.
Viewing the Streaming API Page
Perform the following steps to view the Streaming API page:
1. Log in to Account Home.
2. Under Global Settings, click the Webhooks menu option.
3. Click the Streaming tab.
The following is an illustration of the Streaming API page:

Figure 97 View of the Streaming API Page

The parameters in the page are described in the following table. Refer to the callout numbers.

Table 57: Parameters of the Streaming API Page

| Callout | API | Description |
|---|---|---|
| 1 | Topic | A list of available topics for streaming APIs. To receive streaming events from a topic, subscribe to the specific topic. |
| 2 | Subscribe | Enables Aruba Central to stream events for a specific topic when this box is enabled. |
| 3 | Protobuf Definition | Definition of the specific topic. All WebSocket response messages are encapsulated in a protocol buffer, the format of which you can download. |
| 4 | Key | Access token for establishing a WebSocket connection. |
| 5 | Endpoint | WebSocket endpoint address for the Aruba Central instance. |
| 6 | Streaming Protobuf Definition | The protocol buffer in which all the incoming streaming messages are encapsulated. This protobuf is further used to identify the topic of the message received and decode the topic-specific protobuf message. |

Subscribing to a Streaming API Topic

• Only Aruba Central admin users can subscribe to, or unsubscribe from, a topic.
• In case a live WebSocket connection breaks, reconnect the connection.

To subscribe to a streaming API topic:
1. In the Account Home page, under Global Settings, click Webhooks. The Webhooks page is displayed.
2. In the Webhooks page, click the Streaming tab. The Streaming page is displayed.
3. In the Streaming APIs table, select the check box corresponding to the topic that you want to subscribe to. To unsubscribe from a topic, clear the corresponding check box.
4. In the Webhooks > Streaming page, the following details are displayed:
   • Key--Access token. The token comes with a validity of seven days after which a new token needs to be generated.
   • Endpoint--WebSocket endpoint.
   • Streaming Protobuf Definition--Allows you to download the Streaming protocol buffer definition.
Use the WebSocket endpoint and access token to establish a WebSocket connection and start streaming data for the topics you have subscribed to.
Downloading Protobuf Definition for a Streaming API topic
To download the protobuf definition, complete the following steps:
1. In the Streaming APIs table, click the Download button corresponding to the protobuf definition for the topic to which you have subscribed. The following topics are available for download:
   • Apprf--Protocol buffer specification of the AppRF topic.
   • Audit--Protocol buffer specification of the Audit topic.
   • Monitoring--Protocol buffer specification of the Monitoring topic.
   • Presence--Protocol buffer specification of the Presence topic.
   • Location--Protocol buffer specification of the Location topic.
   • Security--Protocol buffer specification of the Security topic.
Retrieving a New Token
The access token comes with a validity of seven days after which a new token needs to be generated. You can retrieve the token either directly from the UI or by using the API.
1. To retrieve the new access token from the Aruba Central UI, complete the following steps:
   a. In the Account Home page, under Global Settings, click Webhooks > Streaming tab. The Streaming page is displayed.
   b. You can retrieve the valid token from the Key field. The token gets refreshed automatically after seven days of its generation.
2. To retrieve the new access token from the API, here are the details required:
   • API--https://<central-host>/streaming/token/validate
   • Method--GET
   • Authorization--Enter the current token
   The API returns the same token if the old token has not expired, or a new token if the old token has expired.
Enabling Data Streaming From a Topic
Complete the following steps to receive streaming events from Aruba Central:
1. Create a WebSocket connection: wss://<central-host>/streaming/api
2. Set the following additional headers:
   • UserName--Username of the admin. This is an optional header.
   • Authorization--Access token. For more information about how to generate the key, see Subscribing to a Streaming API Topic.
   • Topic--Value of the topic to which you have subscribed. The value should be one of the following:
      ◦ apprf
      ◦ monitoring
      ◦ audit
      ◦ presence
      ◦ location
      ◦ security
3. Start the read loop to read the events. The payload is a protocol buffer message.
Decoding WebSocket Response Messages
All WebSocket response messages are encapsulated in a protocol buffer. When a message is received, use the subject (topic) to identify the message and invoke an appropriate message processor. To decode the message, refer to the protocol buffer specification of the respective topic. The format is as follows:
message MsgProto {
    string subject = 2;      // subject
    bytes data = 3;          // payload
    int64 timestamp = 4;     // received timestamp
    string customer_id = 5;  // customer id to which this data belongs
    string msp_id = 6;       // optional field indicating the msp_id
}
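The envelope format above, decoded by hand so the routing step is visible. This is an added example, not Aruba's code; in practice you would compile the downloaded Streaming Protobuf Definition with protoc. It assumes the subject equals the Topic header value and that the consumer knows its own customer_id; MAX_FRAME, the function names and the sample frame are constructed for illustration.

```python
from dataclasses import dataclass

TOPICS = {"apprf", "monitoring", "audit", "presence", "location", "security"}
MAX_FRAME = 1 << 20  # assumption: refuse frames larger than 1 MiB
_NAMES = {2: "subject", 5: "customer_id", 6: "msp_id"}  # string fields


@dataclass
class Envelope:
    subject: str = ""
    data: bytes = b""
    timestamp: int = 0
    customer_id: str = ""
    msp_id: str = ""


def connection_headers(token, topic, username=None):
    """Headers to send when opening wss://<central-host>/streaming/api."""
    if topic not in TOPICS:
        raise ValueError(f"unsupported topic: {topic!r}")
    headers = {"Authorization": token, "Topic": topic}
    if username:  # UserName is optional
        headers["UserName"] = username
    return headers


def _varint(buf, pos):
    """Read one base-128 varint and return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value & ((1 << 64) - 1), pos
        shift += 7


def decode_envelope(frame):
    """Parse MsgProto wire format; unknown varint/bytes fields are skipped."""
    if len(frame) > MAX_FRAME:
        raise ValueError("frame too large")
    env, pos = Envelope(), 0
    while pos < len(frame):
        key, pos = _varint(frame, pos)
        field, wire = key >> 3, key & 7
        if wire == 0:  # varint
            value, pos = _varint(frame, pos)
            if field == 4:  # int64: upper half of the range is negative
                env.timestamp = value - (1 << 64) if value >= 1 << 63 else value
        elif wire == 2:  # length-delimited: string, bytes
            size, pos = _varint(frame, pos)
            if pos + size > len(frame):
                raise ValueError("length runs past end of frame")
            chunk, pos = bytes(frame[pos:pos + size]), pos + size
            if field == 3:
                env.data = chunk
            elif field in _NAMES:
                setattr(env, _NAMES[field], chunk.decode("utf-8"))
        else:  # MsgProto uses no other wire types
            raise ValueError(f"unsupported wire type {wire}")
    return env


def dispatch(frame, processors, expected_customer_id):
    """Hand the payload to the processor registered for the envelope subject."""
    env = decode_envelope(frame)
    if env.customer_id != expected_customer_id:
        raise ValueError("envelope carries an unexpected customer_id")
    handler = processors.get(env.subject)
    if handler is None:
        raise ValueError(f"no processor for subject {env.subject!r}")
    return handler(env.data)


def _enc_varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def _field(num, payload):
    return _enc_varint(num << 3 | 2) + _enc_varint(len(payload)) + payload


def sample_frame():
    """Constructed frame; the data bytes stand in for a topic-specific message."""
    return (_field(2, b"audit") + _field(3, b"\x0a\x03abc")
            + _enc_varint(4 << 3) + _enc_varint(1620000000)
            + _field(5, b"constructed-cid"))


if __name__ == "__main__":
    print(decode_envelope(sample_frame()))
```

Each processor passed to dispatch would parse env.data with the topic-specific protobuf definition downloaded for that topic.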
Viewing Audit Trails in the Account Home Page
The Audit Trail page shows the logs for all the device management, configuration, and user management events triggered in Aruba Central. To view audit trail logs:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page opens.
2. From the Select App drop-down list, select one of the following:
   • All Apps--Displays audit trail logs for all apps.
   • Network Operations--Displays audit trail logs for the Network Operations app.
   • ClearPass Device Insight--Displays audit trail logs for the ClearPass Device Insight app.
The following table describes the fields displayed in the Audit Trail table:

Table 58: Audit Trail Details

| Parameter | Description |
|---|---|
| Occurred On | Time stamp of the events for which the audit trails are shown. |
| IP Address | IP address of the client device. |
| Username | Username of the admin user who applied the changes. |
| Target | Group or device to which the changes were applied. |
| Source | Tenant account in which the changes occurred. NOTE: This column is applicable only in the MSP mode. |
| Category | Type of modification and the affected device management category. |
| Description | A short description of the changes such as subscription assignment, firmware upgrade, and configuration updates. Click to view the complete details of the event. For example, if an event was not successful, click the ellipsis to view the reason for the failure. |


Chapter 5 Maintaining Aruba Central
Maintaining Aruba Central
The Maintain menu includes the following options:
• Firmware--Provides an overview of the latest supported version of firmware for the device, details of the device, and the option to upgrade the device. For more information, see Managing Software Upgrades.
• Organization--Allows you to create groups, sites or labels, upload certificates, and manage site installations. See the following topics:
   ◦ Groups for Device Configuration and Management
   ◦ Sites and Labels
   ◦ Certificates
   ◦ Installation Management
Groups for Device Configuration and Management
Aruba Central simplifies the configuration workflow for managed devices by allowing administrators to combine a set of devices into groups. A group in Aruba Central is the primary configuration element that functions as a container for device management, monitoring, and maintenance. Groups enable administrators to manage devices efficiently by using either a UI-based configuration workflow or CLI-based configuration template. Groups provide the following functions and benefits:
• Ability to provision multiple devices in a single group. For example, a group can consist of multiple Instant AP Virtual Controllers (VCs). These VCs can share common configuration settings and push the configuration updates to member Instant APs in their respective Instant AP clusters. For example, you can apply a common security policy for the devices deployed in a specific geographical location.
• Ability to provision different types of devices in a group. For example, a group can consist of Instant APs, Gateways, and Switches.
• Ability to create a configuration base and add devices as necessary. When you assign a new device to a group, it inherits the configuration that is currently applied to the group.
• Ability to create a clone of an existing group. If you want to build a new group based on an existing group, you can create a clone of the group and customize it as per your network requirements.

• A device can be part of only one group at any given time.
• Groups in Aruba Central are mutually exclusive (independent) and do not follow a hierarchical model.
The following figure illustrates a generic group deployment scenario in Aruba Central:


Figure 98 Group Deployment
Group Operations
The following list shows the most common tasks performed at a group level:
• Configuration--Add, modify, or delete configuration parameters for devices in a group.
• User Management--Control user access to device groups and group operations based on the type of user role.
• Device Status and Health Monitoring--View device health and performance for devices in a specific group.
• Report Generation--Run reports per group.
• Alerts and Notifications--View and configure notification settings per group.
• Firmware Upgrades--Enforce firmware compliance across all devices in a group.
Group Configuration Modes
Aruba Central allows network administrators to manage device configuration using either UI workflows or configuration templates:
• UI-based configuration method--For device groups that use UI-based workflows, Aruba Central provides a set of UI menu options. You can use these UI menu options to configure devices in a group. You can also secure the UI-based device groups with a password and thus restrict user access.
• Template-based configuration method--For device groups that use a template-based workflow, Aruba Central allows you to manage devices using configuration templates. A device configuration template includes a set of CLI commands and variable definitions that can be applied to all other devices deployed in a group.
If your site or store has different types of devices, such as the Instant APs, Switches, and Gateways, and you want to manage these devices using different configuration methods, that is, either using the UI or template-based workflows, you can create a single group and define a configuration method to use for each type of device. This allows you to use a single group for both UI and template-based configuration and eliminates the need for creating separate groups for each configuration method.
For example, you can create a group with the name Group1 and within this group, you can enable template-based configuration method for switches and UI-based configuration method for Instant APs and Gateways. Aruba Central identifies both these groups under a single name (Group1). If a device type in the group is marked for template-based configuration method, the group name is prefixed with TG (TG Group1). You can use Group1 as the group ID for workflows such as user management, monitoring, reports, and audit trail.
When you add Instant APs, Gateways, and switches to a group, Aruba Central groups these devices based on the configuration method you chose for the device type, and displays relevant workflows when you try to access the respective configuration menu.
For information on how to create a group, see Creating a Group.
Default Groups and Unprovisioned Devices
The default group is a system-defined group to which Aruba Central assigns all new devices with factory default configuration. When a new device with factory default configuration connects to Aruba Central, it is automatically added to the default group. If a device has customized configuration and connects to Aruba Central, Aruba Central marks the device as Unprovisioned. If you want to preserve the device configuration, you can create a new group and assign this device to the newly created group. If you want to overwrite the configuration, you can move the unprovisioned device to an existing group.
The unprovisioned state does not apply to Aruba Switches as only the factory-default switches can join Aruba Central.
Best Practices and Recommendations
Use the following best practices and recommendations for deploying devices in groups:
• Determine the configuration method (UI or template-based) to use based on your deployment, configuration, and device management requirements.
• If there are multiple sites with similar characteristics--for example, with the same device management and configuration requirements--assign the devices deployed in these sites to a single group.
• Apply device-level or cluster-level configuration changes if necessary.
• Use the group cloning feature if you need to create a group with the configuration settings of an existing group.
• If the user access to a particular site must be restricted, create separate groups for each site.
Working with Groups
See the following topics for detailed information and step-by-step instructions on how to manage groups and provision devices assigned to a group:
• Managing Groups
• Provisioning Devices Using UI-based Workflows
• Provisioning Devices Using Configuration Templates
Managing Groups
The Groups page allows you to create, edit, or delete a group, view the list of groups provisioned in Aruba Central, and assign devices to groups. This section describes the following topics:

• Creating a Group
• Assigning Devices to Groups
• Creating a New Group by Importing Configuration from a Device
• Viewing Groups and Associated Devices
• Cloning a Group
• Moving Devices between Groups
• Configuring Device Groups
• Deleting a Group
Creating a Group
Aruba Central allows you to manage configuration for different types of devices, such as Aruba Instant APs, Gateways, and switches in your inventory. These devices can be configured using either UI workflows or configuration templates. You can define your preferred configuration method when creating a group.
Aruba Central allows you to create a single group with different configuration methods defined for each device type. For example, you can create a group with the name Group1 and within this group, you can enable template-based configuration method for switches and UI-based configuration method for Instant APs and Gateways. Aruba Central identifies both these groups under a single name (Group1). If a device type in the group is marked for template-based configuration method, the group name is prefixed with TG (TG Group1). You can use Group1 as the group ID for workflows such as user management, monitoring, reports, and audit trail.
After you assign devices to a group and when you access configuration containers, Aruba Central automatically displays relevant configuration options based on the configuration method you defined for the device group.
To create a group:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. Click (+) New Group. The Create New Group pop-up window opens.
4. Enter a name for the group. The group name can be a maximum of 32 single byte ASCII characters if you use the UI to create the names. However, if you are using an NB API, the character limit increases to 128. A group name supports all special characters excluding the ">" character. System-defined group names such as "default", "unprovisioned", and "global" are not allowed in group names.
   By default, Aruba Central enables template-based configuration method for switches and UI-workflow-based configuration method for Instant AP and Gateway.
5. To enable template-based configuration method for all device categories:
   • For Instant APs or Gateways, select the IAP and Gateway check box.
   • For Switches, ensure that the Switch check box is selected. The Switch check box is enabled by default.
6. To enable UI-based configuration method on all device categories:
   a. For Instant APs and Gateways, ensure that the IAP and Gateway check box is cleared.
   b. For switches, clear the Switch check box.
7. Assign a password. This password enables administrative access to the device interface.
8. Click Add Group.
You can also create a group that uses different provisioning methods for switch, and IAP and Gateway device categories. For example, you can create a group with template-based provisioning method for switches and UI-based provisioning method for Instant APs and Gateways.
Assigning Devices to Groups
To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory.
1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign.
4. Click Assign Device(s).
To assign a device to a group from the Groups page:
1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the devices table on the right, select the device that you want to assign to a new group.
4. Drag and drop the device to the group to which you want to assign the device.
Viewing Groups and Associated Devices
To view the groups dashboard, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed. The groups table on the left side of the page displays the following information:
   • Group Name--Name of the group.
   • Devices--Number of devices assigned to a group.
   • All Connected Devices--Total number of devices provisioned in Aruba Central. The devices table on the right side of the page shows all the devices provisioned in Aruba Central.
   • Unassigned Devices--Total number of devices that are yet to be assigned. The devices table on the right shows the devices that are not assigned to any group.
   The devices table is not available for MSP users as the devices are primarily assigned to tenant accounts. However, MSP administrators can drill down to a tenant account and view devices mapped to a group.
3. To view the devices assigned to a group, select the group from the table on the left. The devices table displays the following information:
   • Name--Name of the device.
   • Location--Physical location of the device.
   • Type--Type of the device such as Instant AP or Switch.
   • Serial--Serial number of the device.
   • MAC Address--MAC address of the device.


Creating a New Group by Importing Configuration from a Device
To import configuration from an existing device to a new group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. Select the device from which you want to import the configuration.
4. Click Import Configuration to New Group. The Import Configuration pop-up window opens.
5. Enter a name for the group.
6. Configure a password for the group.
7. Click Import Configuration.
Cloning a Group
To clone a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. To create a clone of an existing group, select the group from the groups table and click Clone Selected Group.
4. Enter a name for the cloned group.
5. Click Add Group.
When you clone a group, Aruba Central also copies the configuration templates applied to the devices in the group.
Moving Devices between Groups
To move a device from one group to another group:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the devices table on the right, select from the following device options that you want to move:
   • Virtual Controller--Moving a Commander VC also moves the member IAP(s) to the new group.
   • Switch stack--Moving a commander stack also moves the member switches to the new group.
   • Standalone IAP--Moving a standalone IAP moves only that particular IAP to the new group.
   • Standalone switch--Moving a standalone switch moves only that particular switch to the new group.
   • Gateways (MC)--Moving a standalone MC moves only that particular MC to the new group.
4. Drag and drop the device to the group to which you want to assign the device.
5. Click Yes when the system prompts you to confirm device movement.
MSP mode does not support moving devices across different groups.

Configuring Device Groups
For information on provisioning devices in groups, see the following topics:
• Provisioning Devices Using UI-based Workflows
• Provisioning Devices Using Configuration Templates
Configuring Groups in MSP Mode
For information on using groups in the MSP mode and instructions on how to assign devices to MSP tenants, see the Aruba Central Managed Service Provider User Guide.
Deleting a Group
When you delete a group, Aruba Central removes all configuration, templates, and variable definitions associated with the group. Before deleting a group, ensure that there are no devices attached to the group.
To delete a group:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the list of groups, select the group that you want to delete.
4. Click the delete icon.
5. Confirm deletion.
Assigning Devices to Groups
In Aruba Central, devices are assigned to groups for configuration, monitoring, and management purposes. A group in Aruba Central is a primary configuration element that acts like a container. In other words, groups are a subset of one or several devices that share common configuration settings. Aruba Central supports assigning devices to groups for the ease of configuration and maintenance. For example, you can create a common group for Branch Gateways or Instant APs that have similar configuration requirements.
Assigning Instant APs to Groups
The Instant AP groups may consist of the following configuration elements:
• Instant AP Cluster--Consists of a conductor Instant AP and a set of member Instant APs in the same VLAN.
• Virtual Controller--A virtual controller provides an interface for the entire cluster. The member Instant APs and conductor Instant APs function together to provide a virtual interface.
• Conductor Instant AP and Member Instant AP--In a typical Instant AP deployment scenario, the first Instant AP that comes up is elected as the conductor Instant AP. All other Instant APs joining the cluster function as the member Instant APs. When a conductor Instant AP is elected, the member Instant APs download the configuration changes.
The following table describes the group assignment criteria for Instant APs:

Table 59: Instant AP Group Assignment

| APs with Default Configuration | APs with Non-Default Configuration |
|---|---|
| If an Instant AP with factory default configuration joins Aruba Central, it is automatically assigned to the default group or to an existing group with similar configuration settings. The administrators can perform any of the following actions: • Manually assign them to a pre-provisioned group. • Create a new group. | If an Instant AP with non-default or custom configuration joins Aruba Central, it is automatically assigned to an unprovisioned group. The administrators can perform any of the following actions: • Create a new group for the device and preserve device configuration. • Move the device to an existing group and override the device configuration. |

To manually assign Instant AP(s) to a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. To view a list of unassigned devices, click Unassigned Devices. A list of unassigned devices is displayed in the devices table.
4. Select the group to which you want to assign the devices.
5. From the devices table on the right, select Instant AP(s) to assign.
6. Drag and drop the Instant APs to the group that you selected.
Assigning Switches to Groups
Aruba Central allows switches to join groups only if the switches are running factory default configuration. Switches with factory default configuration are automatically assigned to the default group. Administrators can either move the switch to an existing group or create a new group.
Provisioning and configuring of Aruba 5400R switch series and switch stacks is supported only through configuration templates. Aruba Central does not support moving Aruba 5400R switches from the template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, then the device is moved to an unprovisioned group after it joins Aruba Central.
To manually assign switch(s) to a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. To view a list of unassigned devices, click Unassigned Devices. A list of unassigned devices is displayed in the devices table.
4. Select the group to which you want to assign the devices.
5. From the devices table on the right, select the switch(s) to assign.
6. Drag and drop the switches to the group that you selected.


Moving Instant Access Point(s) Between Groups
In Aruba Central, an Instant AP device group may consist of any of the following:
• Instant AP--Consists of a commander Instant AP.
• Virtual Controller (VC)--VC provides an interface for the entire cluster. The member Instant APs and commander Instant APs function together to provide a virtual interface.
In a typical Instant AP deployment scenario, the first Instant AP that comes up is elected as the commander Instant AP. All other Instant AP(s) joining the cluster function as the member Instant AP(s). When a commander Instant AP is configured, the member Instant AP(s) download the configuration changes. The commander Instant AP may change as necessary from one device to another without impacting network performance.
To move an Instant AP or VC from one group to another group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the groups table on the left, select the group from which you want to move the Instant APs.
4. From the devices table on the right, select the standalone IAP or VC that you want to move.
   Moving a VC also moves the member IAP(s) to the new group.
5. Drag and drop the IAP to the group that you want to assign the IAP to.
6. Click Yes when the system prompts you to confirm device movement.
MSP mode does not support moving devices across different groups.
Important Points to Note
• The Instant AP(s) inherit the configuration of the group to which they are moved. However, only the system configuration is inherited and the Per AP Settings on the IAP(s) are retained.
• If the Instant AP(s) did not inherit the configuration of the new group, go to the Configuration Audit page of the IAP(s) to check the configuration difference. For more information, see Viewing Configuration Status.
• If firmware compliance is enabled on the new group and if the firmware version enforced by the group is different from the IAP(s) firmware version, the firmware is upgraded and the IAP(s) reboot.
Provisioning Devices Using UI-based Workflows
This section describes the important points to consider when assigning devices to UI groups:
• Provisioning Instant APs using UI-based Configuration Method
• Provisioning Switches Using UI-based Configuration Method
• Provisioning Aruba Gateways Using UI-based Configuration Method
Provisioning Instant APs using UI-based Configuration Method
An Instant AP device group may consist of any of the following:

• Instant AP Cluster--Consists of a conductor Instant AP and member Instant APs in the same VLAN.
• VC--A virtual controller. VC provides an interface for the entire cluster. The member Instant APs and conductor Instant APs function together to provide a virtual interface.
• Conductor Instant AP and Member Instant AP--In a typical Instant AP deployment scenario, the first Instant AP that comes up is elected as the conductor Instant AP. All other Instant APs joining the cluster function as the member Instant APs. When a conductor Instant AP is configured, the member Instant APs download the configuration changes. The conductor Instant AP may change as necessary from one device to another without impacting network performance.
Aruba Central allows configuration operations at the following levels for a device group with Instant APs.
• Per group configuration--Aruba Central allows you to maintain unique configuration settings for each group. However, these settings are applied to all devices within that group. For example, all VCs within a group can have common SSID settings.
• Per VC Configuration--Any changes that need to be applied at the Instant AP cluster level can be configured on a VC within a group. For example, VCs within a group can have different VLAN configuration for the SSIDs.
• Per Device Configuration--Although devices are assigned to a group, the users can maintain device-specific configuration such as radio, power, or uplink settings for an individual AP within a group.
When the APs that are not pre-provisioned to any group join Aruba Central, they are assigned to groups based on their current configuration.

Table 60: Instant AP Provisioning

| APs with Default Configuration | APs with Non-Default Configuration |
|---|---|
| If an Instant AP with factory default configuration joins Aruba Central, it is automatically assigned to the default group or an existing group with similar configuration settings. The administrators can perform any of the following actions: • Manually assign them to an existing group. • Create a new group. | If an Instant AP with non-default or custom configuration joins Aruba Central, it is automatically assigned to an unprovisioned group. The administrators can perform any of the following actions: • Create a new group for the device and preserve device configuration. • Move the device to an existing group and override the device configuration. |

Ensure that the conductor Instant AP and member Instant APs are assigned to the same group. You must convert the member Instant AP to a standalone AP in order to move the member Instant AP to another group independently.
In the following illustration, Instant APs from three different geographical locations are grouped under California, Texas, and New York states. Each state has unique SSIDs and can support devices from multiple locations in a state. As shown in Figure 99, the California group has devices from different locations and has the same SSID, while devices in the other states/groups have different SSIDs. When a device with the factory default configuration connects to Aruba Central, it is automatically assigned to the default group. If the device has custom configuration, it is marked as unprovisioned. If you want to preserve the custom configuration, create a new group for the device. If you want to overwrite the custom configuration, you can assign the device to an existing group.


Figure 99 Instant AP Provisioning

For more information on how to configure Instant APs using UI-based configuration workflows, see Deploying a Wireless Network Using Instant APs. To view local overrides and configuration errors, select a template group and navigate to Devices > Access Points > Settings > Configuration Audit page.
Provisioning Switches Using UI-based Configuration Method
Aruba Central allows switches to join UI groups only if the switches are running factory default configuration. Aruba Central assigns switches with factory default configuration to the default group. The administrators can either move the switch to an existing group or create a new group.
Provisioning and configuring of Aruba 5400R switch series and switch stacks is supported only through configuration templates. Aruba Central does not support moving Aruba 5400R switches from the template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, then the device is moved to an unprovisioned group after it joins Aruba Central.
Aruba Central allows configuration operations at the following levels for switches in a UI group:
n Per group configuration--Aruba Central allows you to maintain unique configuration settings for each group. However, these settings are applied to all devices within that group. For example, all switches within a group can have common VLAN settings.
n Per Device Configuration--Although the Switches inherit group configuration, the users can maintain device-specific configuration, for example, ports or DHCP pools.
For more information on how to configure switches using UI-based configuration workflows, see Configuring or Viewing AOS-Switch Properties in UI Groups. To view local overrides and configuration errors, select a template group and navigate to Devices > Switches > Settings > Configuration Audit page.
Provisioning Aruba Gateways Using UI-based Configuration Method
For SD-Branch deployments with Aruba Gateways, the following recommendations apply:

n Combine Branch Gateways of identical characteristics and configuration requirements under a single group.
n Create groups according to your branch requirements.
  o You can create separate groups for the small, medium, and large sized branches.
  o You can also create separate groups for the branch sites in different geographical locations; for example, East Coast and West Coast branch sites. If these groups have similar characteristics with minor differences, you can create the first group and then clone it.
  o You can use either a single group for all your devices or deploy devices in multiple groups. For example, you can deploy 7008 controllers and Aruba 2930F Switch Series with 24 ports in a single group for every branch.
  o You can also deploy 7005 controller and Aruba 2930F Switch Series with 24 ports in one group and provision 7008 controller with Aruba 2930F Switch Series with 48 ports in another group.
Important Points to Note
n The groups in Aruba Central are not device-specific; however, Aruba recommends that you use the following guidelines for provisioning SD-WAN Gateways.
  o Assign Branch Gateways and VPN Concentrators to separate groups. Because the configuration requirements for Branch Gateways and VPN Concentrators are different, the Branch Gateways and VPN Concentrators must be assigned to different groups.
  o Ensure that the configuration group for SD-WAN Gateways consists of the same type of devices. For example, Branch Gateways assigned to a group must have the same number of ports.
n Before assigning SD-WAN Gateways to groups, you must set the device persona or role as Branch Gateway or VPN Concentrator.
Example
The following figures show a few sample group deployment scenarios for Aruba Branch Gateways and VPN Concentrators:

Figure 100 Branch Gateway Groups

Figure 101 VPN Concentrator Groups

For more information on how to configure Aruba Gateways using UI-based configuration workflows, see the SD-Branch Configuration section in Aruba Central Help Center. To view local overrides and configuration errors, select a template group and navigate to Devices > Gateways > Settings > Configuration Audit page.
Provisioning Devices Using Configuration Templates
Aruba Central allows you to provision devices using UI-based or template-based configuration method. If you have groups with template-based configuration enabled, you can create a template with a common set of CLI scripts, configuration commands, and variables. Using templates, you can apply CLI-based configuration parameters to multiple devices in a group. If the template-based configuration method is enabled for a group, the UI configuration wizards for the devices in that group are disabled.
Creating a Group with Template-Based Configuration Method
To create a template group, complete the following steps:
1. In the Network Operations app, set the filter to Global. The dashboard context for selected filter is displayed.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. Click (+) New Group. The Create New Group window is displayed.
4. Enter the name of the group.
5. Select one of the following device types for which you want to create a template group:
n IAP and Gateway
n Switch
6. Enter the password and confirm the password.
7. Click Save.
If the group is set as a template group, a configuration template is required for managing device configuration.
Provisioning Devices Using Configuration Templates and Variable Definitions
For information on configuration template, see the following topics:
n Configuring APs Using Templates
n Using Configuration Templates for AOS-Switch Management
n Managing Variable Files
Managing Variable Files
Aruba Central allows you to configure multiple devices in bulk using templates. However, in some cases, the configuration parameters may vary per device. To address this, Aruba Central identifies some customizable CLI parameters as variables and allows you to modify the definitions for these variables as per your requirements. You can download a sample file with variables for a template group or for the devices deployed in a template group, update the variable definitions, upload the file with the customized definitions, and apply these configuration changes in bulk.
Important Points to Note
n Variables are associated with a device and not with a group. If you move a device between groups, variables remain with the device.
n Variables are displayed as part of the group to which the device belongs. After you upload the variables for a device, the association would stay in the system even if the device is moved to a UI group or template group.

n If the device is part of a UI group, variables are unused and not displayed in the UI. Aruba Central ignores the variables.
n If the device is moved to a template group, variables are displayed in the UI and used for configuration purposes.

Downloading a Sample Variables File
The sample variables file includes a set of sample variables that the users can customize. You can download the sample variables file in the JSON or CSV format. To download a sample variables file:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Click Variables.
5. Select one of the following formats to download the sample variables file:
n JSON--Shows the file in JSON format.
n CSV--Shows the variables in different columns.
6. Click Download Sample Variables File. The sample variables file is saved to your local directory.

Modifying a Variable File
The CSV file includes the following columns for which the variable definitions are mandatory:
n _sys_serial--Serial number of the device.
n _sys_lan_mac--MAC address of the device.
n modified--Indicates the modification status of the device. The value for this column is set to N in the sample variables file. When you edit a variable definition, set the modified column to Y to allow Aruba Central to parse the modified definition.

Predefined Variables for Aruba Switches
The system-defined variables in the sample variables files are indicated with the _sys prefix. Table 61 lists the predefined variables for switches.

Table 61: Predefined Variables Example

| Variable Name | Description | Variable Value |
|---|---|---|
| _sys_gateway | Populates gateway IP address. | 10.22.159.1 |
| _sys_hostname | Maintains unique host name. | HP-2920-48G-POEP |
| _sys_ip_address | Indicates the IP address of the device. | 10.22.159.201 |
| _sys_module_command | Populates module lines. | module 1 type j9729a |
| _sys_netmask | Netmask of the device. | 255.255.255.0 |
| _sys_oobm_command | Represents Out of Band Management (OOBM) block. | oobm ip address dhcp-bootp exit |
| _sys_snmpv3_engineid | Populates engine ID. | 00:00:00:0b:00:00:5c:b9:01:22:4c:00 |
| _sys_stack_command | Represents stack block. | stacking member 1 type "J9729A" mac-address 5cb901224c00 exit |
| _sys_template_header | Represents the first two lines of the configuration file. Ensure that this variable is the first line in the template. | ; J9729A Configuration Editor; Created on release #WB.16.03.0003+ ; Ver #0f:3f.f3.b8.ee.34.79.3c.29.eb.9f.fc.f3.ff.37.ef:91 |
| _sys_use_dhcp | Indicates DHCP status (true or false) of VLAN 1 | 0 |
| _sys_vlan_1_untag_command | Indicates untagged ports of VLAN 1 | 1-28,A1-A2 |
| _sys_vlan_1_tag_command | Indicates tagged ports of VLAN 1 | 28-48 |

The _sys_template_header and _sys_snmpv3_engineid variables are mandatory and must have their values populated, irrespective of their use in the template. If there is no value set for these variables, Aruba Central reimports the values for these mandatory variables when it processes the running configuration of the device.
Predefined Variables for APs
For APs, the sample variables file includes the _sys_allowed_ap variable for which you can specify a value to allow new APs to join the Instant AP cluster.
Conditions
The following conditions apply to the variable files:
n The variable names must be on the left side of condition and its value must be defined on the right side. For example, %if var=100% is supported and %if 100=var% is not supported.
n The < or <= or > or >= operators should have only numeric integer value on the right side. The variables used in these 4 operations are compared as integer after flooring. For example, if any float value is set as %if dpi_value > 2.8%, it is converted as %if dpi_value > 2% for comparison.
n The variable names should not include white space, and the & and % special characters. The variable names must match regular expression [a-zA-Z0-9_]. If the variables values with % are defined, ensure that the variable is surrounded by space. For example, wlan ssid-profile %ssid_name%.
n The first character of the variable name must be an alphabet. Numeric values are not accepted.
n The values defined for the variable must not include spaces. If quotes are required, they must be included as part of the variable value. For example, if the intended variable name is wlan ssid-profile "emp ssid", then the recommended format for the syntax is "wlan ssid-profile %ssid_name%" and variable as "ssid_name": "\"emp ssid\"".
n If the configuration text has the percentage sign % in it--for example, url "/portal/scope.cust5001098/Splash%20Profile%201/capture"--Aruba Central treats it as a variable when you save the template. To allow the use of percentage % as an escape character, use \" in the variable definition as shown in the following example:
Template text
wlan external-captive-portal "Splash Profile 1_#guest#_"
server naw1.cloudguest.central.arubanetworks.com
port
url %url%
Variable
"url": "\"/portal/scope.cust-5001098/Splash%20Profile%201/capture\""
n Aruba Central supports adding multiple lines of variables in Instant AP configuration templates. If you want to add multiple lines of variables, you must add the HAS_MULTILINE_VARIABLE directive at the beginning of the template.
Example
#define HAS_MULTILINE_VARIABLE 1
%if allowed_aps%
%allowed_aps%
%endif%
Variable
"allowed_aps": "allowed-ap 24:de:c6:cb:76:4e\n allowed-ap ac:a3:1e:c5:db:d8\n allowed-ap 84:d4:7e:c4:8f:2c"
For Instant APs, you can configure a variable file with a set of values defined for a master AP in the network. When the variable file is uploaded, the configuration changes are applied to all Instant AP devices in the cluster.
Examples
The following example shows the contents of a variable file in the JSON format for Instant APs:
{
  "CK0036968": {
    "_sys_serial": "CK0036968",
    "ssid": "s1",
    "_sys_lan_mac": "ac:a3:1e:c5:db:7a",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_1"
  },
  "CJ0219729": {
    "_sys_serial": "CJ0219729",
    "ssid": "s1",
    "_sys_lan_mac": "ac:a3:1e:cb:04:92",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_2"
  },
  "CK0112486": {
    "_sys_serial": "CK0112486",
    "ssid": "s1",
    "_sys_lan_mac": "ac:a3:1e:c8:29:76",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_3"
  },
  "CT0779001": {
    "_sys_serial": "CT0779001",
    "ssid": "s1",
    "_sys_lan_mac": "84:d4:7e:c5:c6:b0",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_4"
  },
  "CM0640401": {
    "_sys_serial": "CM0640401",
    "ssid": "s1",
    "_sys_lan_mac": "84:d4:7e:c4:8f:2c",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_6"
  },
  "CK0037015": {
    "_sys_serial": "CK0037015",
    "ssid": "s1",
    "_sys_lan_mac": "ac:a3:1e:c5:db:d8",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_7"
  },
  "CK0324517": {
    "_sys_serial": "CK0324517",
    "ssid": "s1",
    "_sys_lan_mac": "f0:5c:19:c0:71:24",
    "vc_name": "test_config_CK0036968",
    "org": "Uber_org_test",
    "vc_dns_ip": "22.22.22.22",
    "zonename": "Uber_1",
    "uplinkvlan": "0",
    "swarmmode": "cluster",
    "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
    "hostname": "Uber_8"
  }
}
Figure 102 shows a sample variables file in the CSV format:
Figure 102 Variables File in the CSV Format
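
The naming, quoting, and condition rules listed under Conditions can be checked locally before a variables file is uploaded. The following Python check is an added example, not part of Aruba Central or of this guide's own material; the function names, the sample serial numbers and values, the exemption of _sys_ names from the first-letter rule, and the check that each top-level key equals _sys_serial are assumptions made for the example.

```python
import json
import math
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")   # characters the guide allows in names
NUM_RE = re.compile(r"^-?\d+(\.\d+)?$")
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)
IF_RE = re.compile(r"%if\s+(.*?)%")        # text between "%if" and the closing "%"
CMP_RE = re.compile(r"^(\S+?)\s*(<=|>=|<|>|=)\s*(\S+)$")
MANDATORY = ("_sys_serial", "_sys_lan_mac")
MULTILINE_DIRECTIVE = "#define HAS_MULTILINE_VARIABLE 1"


def is_quoted(value):
    """True when the value carries its own surrounding double quotes."""
    return len(value) >= 2 and value[0] == '"' and value[-1] == '"'


def lint_variables(devices):
    """Check a parsed JSON variables file: {serial: {variable: value}}."""
    findings = []
    for serial, variables in devices.items():
        for name in MANDATORY:
            if not variables.get(name):
                findings.append(f"{serial}: mandatory variable {name} is missing")
        # Consistency check modelled on the guide's JSON sample, where each
        # top-level key equals that device's _sys_serial (assumption).
        if variables.get("_sys_serial") not in (None, serial):
            findings.append(f"{serial}: _sys_serial differs from the device key")
        mac = variables.get("_sys_lan_mac")
        if mac and not MAC_RE.match(mac):
            findings.append(f"{serial}: _sys_lan_mac {mac!r} is not a MAC address")
        for name, value in variables.items():
            if not NAME_RE.match(name):
                findings.append(f"{serial}: name {name!r} is outside [a-zA-Z0-9_]")
            # Assumption: _sys_ names are exempt from the first-letter rule,
            # because the guide itself lists them with a leading underscore.
            elif not name.startswith("_sys_") and not name[0].isalpha():
                findings.append(f"{serial}: name {name!r} must start with a letter")
            if name.startswith("_sys_") or not isinstance(value, str):
                continue
            if "\n" in value:
                continue  # multiline values are covered by lint_template()
            if (" " in value or "%" in value) and not is_quoted(value):
                findings.append(f"{serial}: value of {name!r} needs embedded quotes")
    return findings


def lint_template(template, devices):
    """Check %if conditions and the multiline directive of a template."""
    findings = []
    for expr in IF_RE.findall(template):
        match = CMP_RE.match(expr.strip())
        if not match:
            continue  # bare "%if var%" test, nothing to compare
        left, op, right = match.groups()
        if NUM_RE.match(left):
            findings.append(f"%if {expr}%: the variable must be on the left side")
        elif op != "=" and not NUM_RE.match(right):
            findings.append(f"%if {expr}%: {op} needs an integer on the right side")
        elif op != "=" and "." in right:
            floored = math.floor(float(right))
            findings.append(f"%if {expr}%: {right} is compared as {floored}")
    multiline = any("\n" in value for variables in devices.values()
                    for value in variables.values() if isinstance(value, str))
    if multiline and not template.lstrip().startswith(MULTILINE_DIRECTIVE):
        findings.append("multiline value used without HAS_MULTILINE_VARIABLE")
    return findings


# Constructed sample input (not taken from a real deployment).
SAMPLE_VARIABLES = json.loads(r'''
{
  "SN0000001": {
    "_sys_serial": "SN0000001",
    "_sys_lan_mac": "02:00:00:00:00:01",
    "ssid_name": "\"emp ssid\"",
    "allowed_aps": "allowed-ap 02:00:00:00:00:02\n allowed-ap 02:00:00:00:00:03"
  },
  "SN0000002": {
    "_sys_serial": "SN0000009",
    "ssid name": "guest",
    "1st_vlan": "10",
    "url": "/portal/Splash%20Profile/capture"
  }
}
''')
SAMPLE_TEMPLATE = """%if dpi_value > 2.8%
wlan ssid-profile %ssid_name%
%endif%
%if 100=var%
%allowed_aps%
%endif%
"""

if __name__ == "__main__":
    for finding in (lint_variables(SAMPLE_VARIABLES)
                    + lint_template(SAMPLE_TEMPLATE, SAMPLE_VARIABLES)):
        print(finding)
```

Running the script prints one line per finding; the first constructed device passes every check, and the second device and the template trigger the remaining rules.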

Uploading a Variable File
To upload a variable file, complete the following steps:
While uploading the variables file to Aruba Central in the CSV format, make sure to choose the default language in Microsoft Excel as English (United States).
1. Ensure that the _sys_serial and _sys_lan_mac variables are defined with the serial number and MAC address of the devices, respectively.
2. In the Network Operations app, set the filter to one of the template groups under Groups.
3. Under Manage, click Devices > Switches.
4. Click the Config icon.
5. Click Variables.
6. Click Upload Variables File and select the variable file to upload.
7. Click Open. The contents of the variable file are displayed in the Variables table.
8. To search for a variable, specify a search term and click Search icon.
9. To download variable file with device-specific definitions, click the download icon in the Variables table.
Modifying Variables
To modify variables without downloading a variable file, modifying the variable file, and uploading the customized variable file:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Click Variables.
5. Select a device and variable.
6. Modify the value and click Add to Modifications.
7. Click Save.
Alternatively, to modify a single variable without downloading a variable file, modifying the variable file, and uploading the customized variable file:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Hover over a desired variable and click Edit.
5. Modify the value and click Save.
6. Click Save.
Backing Up and Restoring Configuration Templates
Aruba Central allows you to create a backup of configuration templates and variables that you can restore in the event of a failure or loss of data. The Configuration Backup and Restore feature is available in the Configuration Audit page for devices deployed using the template-based configuration method. The Configuration Backup and Restore feature enables administrators to perform the following functions:
n Back up templates and variable files applied to the devices, managed using the template-based configuration method.
n Restore an earlier known working combination of the configuration template and device variables in the event of a failure.
Important Points to Note
n The backup and restoration options are available for devices deployed using the template-based configuration method.
n When the backup or restore for a group is in progress, you cannot make configuration changes to that group.
n The restore operation restores the variables only for the devices that are currently provisioned or preprovisioned to the group.
n The restore operation is terminated if the firmware version running on any one device in the group does not match the firmware version in the backed up file that is being restored. For example, if the configuration file was backed up when a switch was running 16.03.0003 and was later upgraded to 16.04.0003, the restore operation fails for the group.
n The restore operation deletes any templates applied to the group before the restore. It also deletes and replaces device variables with the backed up version that is being restored.
n The details pertaining to the actions carried out during the backup and restore operations are logged in the Audit Trail page.

Creating a Configuration Backup
To back up configuration templates and variables applied to devices:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Navigate to the Configuration Audit page. See Viewing Configuration Status.
3. Under Configuration Backup and Restore, click New Configuration Backup. The Create New Backup window is displayed.
4. Enter a Backup Name.
5. Select Do Not Delete if you do not want the backed up file to be deleted by a new backup after the threshold of 20 backups is exceeded.
You can create and maintain up to 20 backed up configuration files. If the number of backup files exceeds 20, the old backed up configuration files are overwritten. However, if the backed up files are marked as Do Not Delete, Aruba Central does not overwrite the backed up configuration files.
6. Click OK. The Confirm Backup window is displayed.
7. Read through the information. Select the check box to confirm that configuration changes to the group cannot be done when the backup is in progress.
8. Click Proceed.
The backup for the group configuration is created.
Viewing Contents of a Backed Up Configuration
To view the contents of a backed up configuration:
1. Click the Manage Backup option.
2. Download the backup and untar the downloaded file. The following example shows the tree structure of a typical backup download.
<backup-name_timestamp>
  templates
    <hppctemplate1.tmpl>
    <iaptemplate1.tmpl>
    template_meta.json
  variables
    HPPC_variables_1.json
    IAP_variables_1.json
    devices_meta.json
The variables are stored according to the device type, such as Instant APs and Aruba Switches. For example, for all Instant APs, the variables are aggregated and stored together. The aggregated file can include variables for up to 80 devices or up to 5 MB of variables data, based on whichever condition is met first. When the number of variables or the data size exceeds this limit, new aggregate files are created and added to the backup until all the variables in the selected group are backed up. The variable data limit applies only to the aggregated files. Aruba Central does not impose any limit on the number of devices or the device variables that can be backed up.
The following details are available for a backed up configuration snapshot:

n Backups--Provides details of the number of available and allowed backups and allows you to perform the following actions:
  o Manage group configuration backups
  o Create new configuration backups
  o Modify backup delete protection
n Last Backup--Provides details of the status and the timestamp of the last backup.
n Last Restore--Provides details of the status and the timestamp of the last restore.
Restoring a Backed Up Configuration
To restore a backed up configuration snapshot:
1. In the Network Operations app, use the filter to select a group that uses template-based configuration method.
2. Navigate to the Configuration Audit page. See Viewing Configuration Status.
3. Under Configuration Backup and Restore, click Restore Configuration Backup. The Restore from Backup window is displayed.
4. Select the backup name that you want to restore, from the Backup Name drop-down list.
5. Select the required device type from the Device Type drop-down list.
Selecting a device type allows you to restore the backed up configuration by the specific device type, for example, Instant APs, Aruba Switch. By default, All is selected. When the device type is set to All, configuration restore does not follow any specific order.
6. Click OK. The Confirm Configuration Restore window is displayed.
7. Read the instructions and select the check boxes to confirm your action for configuration restore.
8. Click Proceed.
The selected backup configuration is restored.
Aruba recommends that the administrators take a backup of the current configuration of the group before the restore operation.
Managing Backups
To manage the backed up configuration files:
1. In the Network Operations app, use the filter to select a group that uses template-based configuration method.
2. Navigate to the Configuration Audit page. See Viewing Configuration Status.
3. Under Configuration Backup and Restore, click Manage Backup. The Last <#> Backups window is displayed.
4. View the backup details such as date and time of backup, backup name, username, and the delete protection status for each configuration backup.
5. Click Close.
6. Click Last Backup Log to view the details of the latest backup. The Last Backup Log window displays the following details:
n Group name
n Backup name
n Username that initiated the configuration backup
n Details on whether templates and device variables are being saved, and completion of the configuration backup process.
7. To get the status of the last restore, click Last Restore Log. To get the error log for a restore error event, click Last Restore Error Log.
Backing Up and Restoring Templates and Variables Using APIs
Aruba Central supports the following NB APIs for the backup and restore feature:
n Create new configuration backup for group [POST] /configuration/v1/groups/snapshot/{group}
n Create backups for multiple groups associated with a customer account [POST] /configuration/v1/groups/snapshot/create_backups
Aruba Central creates a backup of configuration template and variables only for the groups included in the API request payload. You can use the include or exclude parameters to create backups for specific list of groups.

The following table describes the API response based on the inputs provided in the parameters:

Table 62: API Functionality for Backup Creation

| include_groups | exclude_groups | API Functionality |
|---|---|---|
| No groups specified | No groups specified | Raises an exception to either include or exclude groups. |
| group names | group names | Raises an exception to include or exclude groups. |
| [] | No groups specified | Raises an exception to provide valid values for the include_groups parameter. |
| group names | No groups specified | Includes selected groups for the backup operation. |
| No groups specified | ALL_GROUPS | Creates a backup for all groups. |
| No groups specified | group names | Does not create backup for the excluded groups. |

n Restore a backed up version of the configuration template for all devices in a group: [POST] /configuration/v1/groups/<group_name>/snapshots/<snapshot_name>/restore
The API restores a specific version of the backup snapshot for the group specified in the API request.
n Restore a backed up version of the configuration template by device type: The [POST] /configuration/v1/groups/{group}/snapshots/{snapshot}/restore API provides you an option to restore the configuration by device type. By selecting a specific device type, you can control the order in which the configuration is restored by device type. This minimizes the impact of the configuration restore activity on the network.

If monitor mode is enabled at the device level, the selected device functions in the monitor mode. If the monitor mode is enabled at the group level, all devices in the group inherit this setting. If a device managed by Aruba Central displays a configuration sync issue and persistently fails to receive configuration updates from Aruba Central, contact Aruba Central Technical Support.

Sites and Labels

Sites
A site in Aruba Central refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Aruba Central allows you to use sites as a primary navigation element. For example, if your devices are deployed in a campus, you could create a site called CampusA. You can also tag the devices within CampusA using labels. For example, if the campus consists of multiple buildings, the devices deployed in the campus can be labeled as Building1 or Lobby. If the devices in a specific location or an area within a specific location must have similar configuration, the devices can be grouped together.
For more information, see Managing Sites.

Labels
Labels are tags attached to a device provisioned in the network. Labels determine the ownership, departments, and functions of the devices. You can use labels for creating a logical set of devices and use these labels as filters when monitoring devices and generating reports.
For example, consider an Instant AP labeled as Building 25 and Lobby. These tags identify the location of the Instant AP within the enterprise campus or a building. The Instant APs in other buildings within the same campus can also be tagged as Lobby. To filter and monitor Instant APs in the lobbies of all the campus buildings, you can tag all the Instant APs in a lobby with the label Lobby.
For more information, see Managing Labels.

Device Classification
Devices can also be classified using Groups and Sites.
n The group classification can be used for role-based access to a device, while labels can be used for tagging a device to a location or a specific area at a physical site. However, if a device is already assigned to a group and has a label associated with it, it is classified based on both groups and labels.
n The site classification is used for logically grouping devices deployed at a given physical location. You can also convert labels to sites.

Managing Sites
The Sites page allows you to create sites, view the list of sites configured in your setup, and assign devices to sites. The Sites page includes the following functions:

Table 63: Sites Page

| Name | Contents of the Table |
|---|---|
| Convert Labels to Sites | Allows you to convert existing labels to sites. To convert labels, download the CSV file with the list of labels configured in your setup, add the site information, and upload the CSV file. For more information, see Creating a Site. |
| Sites table | Displays a list of sites configured. It provides the following information: Site Name--Name of the site; Address--Physical address of the site; Device Count--Number of devices assigned to a site. The table also includes the following sorting options to reset the table view on the right: All Devices--Displays all the devices provisioned in Aruba Central; Unassigned--Displays the list of devices that are not assigned to any site. You can also use the filter and sort icons on the Sites and Address columns to filter and sort sites respectively. |
| New Site | Allows you to create a new site. |
| Bulk upload | Allows you to add sites in bulk from a CSV file. |
| Devices table | Displays a list of devices provisioned. It provides the following information: Name--Name of the device; Group--Group to which the device is assigned; Type--Type of the device. |

Creating a Site
To create a site, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. To add a new site, click (+) New Site. The Create New Site pop-up window opens.
6. In the Create New Site pop-up window, enter the following details:
a. Site Name--Name of the site. The site name can be a maximum of 255 single byte characters. Special characters are allowed.
b. Street Address--Address of the site.
c. City--City in which the site is located.
d. Country--Country in which the site is located.
e. State/Province--State or province in which the site is located.
f. ZIP/Postal Code--(Optional) ZIP or postal code of the site.
7. Click Add. The new site is added to the Sites table.
Adding Multiple Sites in Bulk
To import site information from a CSV file in bulk, complete the following steps:
1. In the Network Operations app, set the filter to Global. 2. Under Maintain, click Organization. 3. Click the Sites and Labels tab. 4. Set the toggle switch to Site(s). 5. Click (+) Bulk upload. The Bulk Upload pop-up opens. 6. Download a sample file.

7. Fill in the site information and save the CSV file in your local directory.
   The CSV file for bulk upload of sites must include the mandatory information such as the name, address, city, state, and country details.
8. In the Aruba Central UI, click Browse and add the file from your local directory.
9. Click Upload. The sites from the CSV file are added to the site table.
Assigning a Device to a Site
To assign devices to a site, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Select Unassigned. The list of devices that are not assigned to any site is displayed.
6. Select device(s) from the list of devices.
   It is recommended not to add more than 20 devices at a time for seamless operation.
7. Drag and drop the devices to the site on the left. A pop-up window opens and prompts you to confirm the site assignment.
8. Click Yes.
Converting Existing Labels to Sites
To convert existing labels to sites, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Click Convert Labels to Sites. The Confirm Conversion pop-up window opens.
6. To download a CSV file with the list of labels configured in your setup, click Download a File. A CSV file with a list of all the labels in your setup is downloaded to your local directory.
7. Enter address, city, state, country, and ZIP code details for the labels that you want to convert to sites.
   In the CSV file, you must enter the following details: address, city, state, and country.
8. Save the CSV file.
9. On the Confirm Conversion pop-up window, click Browse and select the CSV file with the list of labels to convert.
10. Click Upload.
11. Click Convert. The labels are converted to sites.

Points to Note
- If the conversion process fails for some labels, Aruba Central generates and opens an Excel file showing a list of labels that could not be converted to sites. Verify the reason for the errors, update the CSV file, and re-upload the file.
- Aruba Central does not allow conversion of sites to labels. If the existing labels are converted to sites, you cannot revert these sites to labels.
- When the existing labels are converted to sites, Aruba Central retains only the historical data for these labels. Aruba Central displays the historical data for these labels only in reports and on the monitoring dashboard.

Editing a Site
To modify site details, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Select the site to edit and click the edit icon.
6. Modify the site information and click Update.

Deleting a Site
To delete a site, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Select the site to delete and click the delete icon.
6. Confirm deletion.

Managing Labels
The Labels page allows you to create labels, view a list of labels, and assign devices to labels. The page includes two tables. The table on the left lists the labels, whereas the table on the right lists the devices. These tables provide the following information:

Table 64: Labels

Name    Contents of the Table

Labels
Displays a list of labels configured. The table provides the following information:
- Name of the label
- Number of devices assigned to a label
The table also includes the following sorting options to reset the table view on the right:
- All Devices--Displays all the devices provisioned in Aruba Central.
- Unassigned--Displays the list of devices that are not assigned to any label.

Devices
Displays a list of devices provisioned. The table provides the following information about the devices:
- Name--Name of the device
- Group--Group to which the device is assigned
- Type--Type of the device
- Labels--Number of labels assigned to a device
Creating a Label
To create a label, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. To add a new label, click (+) Add Label. The Create New Label pop-up window opens.
6. Enter a name for the label. The label name can be a maximum of 255 single byte characters. Special characters are allowed.
7. Click Add. The new label is added to the All Labels table.
Assigning a Label to a Device
To assign a label to a device, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. Locate the label to which you want to assign a device.
6. In the table that lists the labels, you can perform one of the following actions:
   - Click All Devices to view all devices.
   - Click Unassigned to view all the devices that are not assigned to any labels.
7. Select Unassigned. The list of devices that are not assigned to any label is displayed.
8. Select device(s) from the list of devices.
   It is recommended not to add more than 20 devices at a time for seamless operation.
9. Drag and drop the selected device(s) to a specific label. A pop-up window asking you to confirm the label assignment opens.
10. Click Yes.
Aruba Central allows you to assign up to five label tags per device.
Detaching a Device from a Label
To remove a label assigned to a device, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. Select the device from the table on the right.
6. Click the delete icon.
7. To detach labels from multiple devices at once, select the devices, and click Batch Remove Labels.
8. Confirm deletion.
Editing a Label
To edit a label, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. Select the label to edit.
6. Click the edit icon.
7. Edit the label and click Update.
Deleting a Label
To delete one or several labels, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. Select the label to delete.
6. Click the delete icon.
7. Confirm deletion.
Certificates
By default, Aruba Central includes a self-signed certificate that is available on the Certificates page. The default certificate is not signed by a root certificate authority (CA). For devices to validate and authorize Aruba Central, administrators must upload a valid certificate signed by a root CA.
Aruba devices use digital certificates for authenticating a client's access to user-centric network services. Most devices such as controllers and Instant APs include a server certificate by default for captive portal server authentication. However, Aruba recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted CA. Certificates can be stored locally on the devices and used for validating device or user identity during authentication.
Aruba Central-managed devices such as Instant AP and switches support the following root CA certificates:

Instant APs
- AddTrust
- GeoTrust
- VeriSign
- Go Daddy

Switches
- Comodo
- GeoTrust

Uploading Certificates
To upload certificates, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Select the Certificates tab. The Certificates page opens.
4. Click the plus icon to add the certificate to the certificate store.
5. In the Add Certificate dialog box, do the following:
   a. In the Name text box, specify the certificate name.
   b. Select the type of certificate. You can select any one of the following certificates:
      - CA--Digital certificates issued by the CA.
      - Server--Server certificates required for communication between devices and authentication servers.
      - CRL--Certificate Revocation List that contains the serial numbers of certificates that have been revoked. This certificate is required for performing a certificate revocation check.
      - OCSP Responder Cert--OCSP responder certificates.
      - OCSP Signer Cert--OCSP Response Signing Certificate.
      OCSP certificates are required for OCSP server authentication.
   c. From the Format drop-down list, select a certificate format; for example, PEM, DER, and PKCS12.
   d. In the Passphrase text box, enter a passphrase.
   e. In the Retype Passphrase text box, retype the passphrase for confirmation.
      The Passphrase and Retype Passphrase text boxes are displayed only when you select Server Certificate from the Type drop-down list.
   f. In the Certificate File field, click Browse and select the certificate files.
   g. Click Add. The certificate is added to the Certificate Store.
Managing Certificates on Instant APs Configured Using Templates
Aruba Central supports uploading multiple certificates to Instant APs configured using templates. You can manage certificates either from the Aruba Central UI or through the API Gateway. For more information about APIs, see API Documentation.
To push certificates to Instant APs configured using templates:
1. Upload certificate(s) through one of the following methods:
   - UI--See Uploading Certificates.
   - API--Use the [POST] /configuration/v1/certificates API.


2. Get the certificate name and MD5 checksum through one of the following methods:
   - UI--In the Network Operations app, filter All Devices. Under Maintain, click Organization and select the Certificates tab. The Certificate Store table displays these details.
   - API--Use the [GET] /configuration/v1/certificates API.
3. In the template, anywhere before the per-ap settings block, depending on your requirement, add one or more of the following commands:
      ca-cert-checksum <ca_cert_checksum/ca_cert_name>
      cp-cert-checksum <captive_portal_cert_checksum/captive_portal_cert_name>
      radsec-ca-checksum <radsed_ca_checksum/radsed_ca_name>
      radsec-cert-checksum <radsed_cert_checksum/radsed_cert_name>
      server-cert-checksum <server_cert_checksum/server_cert_name>
   You can either use the certificate name or the checksum value in the command. Or, you can set it as a variable and enter the variable value for the Instant AP. Aruba recommends using the certificate name.
Example 1
      ca-cert-checksum my_default_cert
Example 2
      ca-cert-checksum %ca_cert_name%
      variable: {
        "ca_cert_name": "my_default_cert"
      }
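A pre-push check for step 3 above, as an added example that is not Aruba's or this guide's own code: it verifies that each certificate command sits before the per-ap settings block and that its argument, literal or %variable%, resolves to a certificate name or MD5 checksum present in the Certificate Store. The block marker per-ap-settings, the function name, and the sample template, variables and store contents are assumptions constructed for illustration.

```python
import re

# Certificate commands listed in step 3 of the procedure above.
CERT_COMMANDS = (
    "ca-cert-checksum",
    "cp-cert-checksum",
    "radsec-ca-checksum",
    "radsec-cert-checksum",
    "server-cert-checksum",
)

VAR_REF = re.compile(r"^%(\w+)%$")          # %variable_name%
MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")  # an MD5 checksum is 32 hex digits


def lint_cert_commands(template, variables, cert_store,
                       per_ap_marker="per-ap-settings"):
    """Return a list of (line_number, message) findings.

    template      -- template text for the group
    variables     -- variable name -> value for one Instant AP
    cert_store    -- certificate name -> MD5 checksum, as shown in the
                     Certificate Store table
    per_ap_marker -- ASSUMED first token of the per-ap settings block
    """
    findings = []
    names = set(cert_store)
    checksums = {c.lower() for c in cert_store.values()}
    per_ap_line = None

    for lineno, raw in enumerate(template.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue
        if per_ap_line is None and tokens[0] == per_ap_marker:
            per_ap_line = lineno
            continue
        if tokens[0] not in CERT_COMMANDS:
            continue

        cmd = tokens[0]
        if len(tokens) != 2:
            findings.append((lineno, f"{cmd}: expected exactly one argument"))
            continue
        if per_ap_line is not None:
            findings.append((lineno, f"{cmd} appears after the per-ap settings "
                                     f"block that starts on line {per_ap_line}"))

        value = tokens[1]
        ref = VAR_REF.match(value)
        if ref:
            var = ref.group(1)
            if var not in variables:
                findings.append((lineno, f"{cmd}: variable {var} is not defined"))
                continue
            value = str(variables[var])

        if value in names:
            continue  # referenced by name, the form the guide recommends
        if MD5_HEX.match(value):
            if value.lower() not in checksums:
                findings.append((lineno, f"{cmd}: checksum {value} is not in "
                                         "the certificate store"))
            continue
        findings.append((lineno, f"{cmd}: no certificate named {value} "
                                 "in the certificate store"))
    return findings


# Constructed sample data (not taken from a real deployment).
SAMPLE_CERT_STORE = {
    "my_default_cert": "aabbccddeeff00112233445566778899",
    "lab_server_cert": "00112233445566778899aabbccddeeff",
    "radsec_root": "ffeeddccbbaa99887766554433221100",
}
SAMPLE_VARIABLES = {"ca_cert_name": "my_default_cert"}
SAMPLE_TEMPLATE = """\
ca-cert-checksum %ca_cert_name%
server-cert-checksum 00112233445566778899aabbccddeeff
cp-cert-checksum %cp_cert_name%
per-ap-settings %_sys_lan_mac%
  hostname %_sys_hostname%
radsec-ca-checksum radsec_root
"""

if __name__ == "__main__":
    for lineno, message in lint_cert_commands(
            SAMPLE_TEMPLATE, SAMPLE_VARIABLES, SAMPLE_CERT_STORE):
        print(f"line {lineno}: {message}")
```

The certificate store mapping can be filled from the Certificate Store table or from the response of the [GET] /configuration/v1/certificates API named in step 2.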
Installation Management
Site installations and device deployments at customer premises require extensive coordination between the IT administrators and installation personnel. If there are multiple sites to deploy, businesses may require more time and manual effort to coordinate and manage site installations. The Aruba Installation Management service simplifies and automates site deployments, and helps IT administrators manage site installations with ease. The Installation Management service includes the following components:
- Install Manager on Aruba Central portal--Intended for IT administrators who oversee the installation management activities in an organization. Using Install Manager, network administrators can create installer profiles, assign site deployments to installers, and monitor deployment status for each site from a remote location. Aruba Central users can access the Install Manager application from the app selection pane in the UI.
- Aruba Installer mobile app--Intended for the installation personnel who deploy devices on a site. The Aruba Installer mobile app allows the installers to scan devices and add them to the provisioning network. The Aruba Installer mobile app is available for download on Apple® App Store and Google Play Store.

Installation Management and Monitoring
The Install Manager feature in Aruba Central includes the following menu options:
- Site Installations--Displays a list of sites associated with an Aruba Central account.
- Installers--Displays a list of installers added using the Install Manager application.
Installation Management Workflow
The following figure illustrates the installation management workflow for the Install Manager users:
Figure 103 Installation Management Workflow
Installer Workflow
Installers are technicians who are assigned the task of visiting a physical site or location and installing devices. The Aruba Installer mobile app enables installers to scan devices and report the task status to IT administrators. The following figure illustrates the installation workflow for the Aruba Installer mobile app users:

Figure 104 Installer Workflow

Managing Site Deployments
Before you begin, ensure that the following tasks are completed:
- Onboarding Devices
- Managing License Assignments
The steps required for completing a site installation procedure are listed in the following table:

Table 65: Installation Management

Administrator Workflow
- Creating a Site
- Assigning Groups to a Site
- Adding an Installer and Assigning Sites for Installation
- Monitoring and Troubleshooting Installation Issues

Installer Workflow
- Downloading the Installer Mobile App
- Registering as an Aruba Installer
- Installing Devices on a Site

Creating a Site
To create a site in Aruba Central, complete the steps described in Creating a Site.
Assigning Groups to a Site
To assign groups to a site, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Install Manager tab.
4. On the Site Installations page, click on the site you want to edit.
5. Select the group for each device category.
6. Click Save.
To assign groups to multiple sites, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Install Manager tab.
4. On the Site Installations page, select the sites. The Assign Groups button is displayed.
5. Click Assign Groups.
6. In the Assign Groups to Sites pop-up window, select a group for each device category.
7. Click Save.
You can also add installation notes for sites. The installers can view the notes by clicking the info icon in the Installer mobile app.
Adding an Installer and Assigning Sites for Installation
Administrators can add installers and assign installation tasks to these installers through the Aruba Installer mobile app.
To add an installer profile in Aruba Central, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Install Manager tab.
4. In the Install Manager tab, click Installers. The Installers page is displayed.
5. Click + Add Installer. The Add Installer page is displayed.
6. Enter the name and phone number of the technician to whom you want to assign a site for installing the devices.
7. Specify the time until which the installer's profile is valid. The technicians will be automatically logged out of the Aruba Installer app on the specified date.
8. On the Add Installer page, you can do the following:
   - Select a site in the Sites not assigned table and click Add > to add the site.
   - Select a site in the Sites Selected table and click < Remove to remove the site.
   - Click Add all > to add all the sites.
   - Click < Remove all to remove all sites.

Figure 105 Assigning Sites

9. Click Save. An SMS notification is sent to the installer's mobile device. The site(s) assigned are displayed in the Sites Assigned table.
To start the installation, the installer must download the Aruba Installer mobile app and sign up as an installer. The administrators can verify the installer registration status on the Installers dashboard in the Install Manager application in Aruba Central. The Installers dashboard displays the following status indicators for installers.
- Invited--The installer is added and an SMS notification is sent to the installer.
- Registered--The installer has registered using the Aruba Installer mobile app.
- Verified--The installer has accepted the installation invite and successfully completed the registration with the Aruba Installer app.
Downloading the Installer Mobile App
When an installer is added in the Install Manager application in Aruba Central, an SMS notification is sent to the installer's mobile device. The SMS notification includes the links for downloading the Aruba Installer mobile app. If you are an installer and have received the SMS notification with the Aruba Installer mobile app details, download the Aruba Installer mobile app. The Aruba Installer mobile app is available in App Store for iOS devices and Google Play Store for Android devices.
Registering as an Aruba Installer
To register as an installer, complete the following steps:
1. Open the Aruba Installer app.
2. In the Sign Up tab, enter your first name, last name, country code and mobile number.
3. Click Register. A verification code is sent to your mobile device.
4. Enter the verification code received through the text message in the Code field.
5. Click Validate Code. If the code is valid, the installer is registered.
Installing Devices on a Site
To install a device on a site, complete the following steps:
1. Sign in to Aruba Installer mobile app.
2. View the sites assigned for deployment.
3. Select the site that you want to deploy.

4. Note the devices assigned for the site and installation notes if any.
5. Click Scan Device. Scan the serial number of the device. The Aruba Installer app verifies if the device is onboarded to Aruba Central device inventory and is assigned a valid subscription.
6. Power on the device and connect it to the Internet. The device automatically connects to Aruba Central and is provisioned in the group to which it is already assigned.
7. Verify the installation status and report errors if any.
Before scanning a device, ensure that the device is not connected to Aruba Central. If the device is already connected to Aruba Central, Install Manager will not assign it to a group.
Monitoring and Troubleshooting Installation Issues
To monitor the installation progress, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Select the Install Manager tab. The Site Installations table is displayed.
4. To view the status of a site installation, check the Status column:
   - In Progress--Indicates that the device installation is in progress.
   - Completed--Indicates that the device installation is completed.
   If the installation status displays an error:
   - Check if the devices are onboarded to Aruba Central.
   - Verify if the devices are assigned a valid subscription.
   - Check if the sites are assigned to a group.
   - View the audit trails.
5. If the installation is completed, click the site name to navigate to the site details page and click Mark Completed.
You can mark a site as completed even if Install Manager was not used to install or onboard the device.
6. Click Save.
Viewing Configuration Status
Aruba Central provides an audit dashboard for reviewing configuration changes for the devices provisioned in UI and template groups. The Configuration Audit page is available for Instant APs, switches, and gateways. The Configuration Audit page and the Auto Commit feature are available for Foundation and Advanced licenses for APs, switches, and gateways.
Viewing the Configuration Audit Page
To view the Configuration Audit page, complete the following steps:

- For Instant APs:
   a. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the selected group is displayed.
   b. Under Manage, click Devices > Access Points.
   c. Click the Config icon. The tabs to configure access points are displayed.
   d. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
- For Aruba switches:
   a. In the Network Operations app, set the filter to a group that contains at least one switch. The dashboard context for the selected group is displayed.
   b. Under Manage, click Devices > Switches.
   c. Click the Config icon. The tabs to configure switches are displayed.
   d. Click Configuration Audit. The Configuration Audit details page is displayed.
- For Aruba gateways:
   a. In the Network Operations app, set the filter to a group that contains at least one Branch Gateway. The dashboard context for the selected group is displayed.
   b. Under Manage, click Devices > Gateways.
   c. Click the Config icon. The tabs to configure gateways are displayed.
   d. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
Applying Configuration Changes
Aruba Central supports a two-staged configuration commit workflow for Instant APs and switches. Aruba Central now supports the auto commit feature at a group level. When auto commit state is enabled for a group, the configuration changes are instantly applied to all devices where auto commit state is enabled. In the Configuration Audit page of the group, the Auto Commit State section allows administrators to switch their preference for committing configuration changes to the devices within the group.
- To enable auto commit, click Change to Auto commit state ON. When auto commit state is enabled for a group, the configuration changes are instantly applied to all devices where auto commit state is enabled.
- To disable auto commit, click Change to Auto commit state OFF. When auto commit state is disabled for a group, an administrator can build a candidate configuration, save it on the cloud, review it, and then commit the configuration changes to all devices within the group.

Aruba Central resets the auto commit state when a device moves to another group. The device inherits the auto commit state of the group to which the device is moved.
When auto commit state is disabled for a group, Aruba Central restricts modification to the auto commit state at a device level. When auto commit state is enabled for a group, Aruba Central allows modification to the auto commit state at a device level.
The auto commit at a group level is not applicable for Aruba MAS switches and Aruba gateways in the Configuration Audit page. Auto commit state is always enabled for Aruba MAS switches and Aruba gateways.
Viewing and Editing
To modify the auto commit state of devices within the group, when Auto Commit State for a group is enabled, complete the following steps:
1. Click View & Edit under Auto Commit State: ON tile.
2. Select a device name, click Disable Auto Commit, and then click OK.
3. Click Yes in the Confirm Action dialog box.
To modify the auto commit state of devices within the group, when Auto Commit State for a group is disabled, complete the following steps:
1. Click View & Edit under Auto Commit State: OFF tile.
2. Select a device name, click Enable Auto Commit, and then click OK.
3. Click Yes in the Confirm Action dialog box.
When auto commit state for a group is disabled, the View & Edit link is disabled to restrict modifications to the auto commit state of the devices within the group. When auto commit state for a group is enabled, the View & Edit link allows you to modify the auto commit state of the devices within the group.
Auto Commit Workflow
To enable Aruba Central to commit configuration changes instantly, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP and a switch. The dashboard context for the selected group is displayed.
2. Under Manage, click Devices > Access Points.
In Aruba Central, the auto commit workflow for a group can be implemented either from the switch configuration audit page or Instant AP configuration audit page. Alternatively, you can navigate to Devices > Switches.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
5. Ensure that the Auto Commit State for the group is set to ON.

6. Based on configuration mode set for the devices in the group, use either the UI workflows or a configuration template to complete the configuration workflow and save the changes. Aruba Central automatically commits the configuration changes to all devices where auto commit state is enabled.
7. View the Local Overrides and Configuration Sync Issues, if any.
Aruba Central does not support the two-staged configuration commit workflow for Aruba MAS switches and Aruba gateways. The tenant accounts in the MSP deployments do not inherit the Auto Commit State configured at the MSP level. The tenant account users can enable or disable Auto Commit state for the devices in their respective accounts.
Manual Commit Workflow
To build configuration and review it before committing the configuration changes, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP and a switch. The dashboard context for the selected group is displayed.
2. Under Manage, click Devices > Access Points.
In Aruba Central, the manual commit workflow for a group can be implemented either from the switch configuration audit page or Instant AP configuration audit page. Alternatively, you can navigate to Devices > Switches.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
5. Ensure that the Auto Commit State for the group is set to OFF.
6. Based on configuration mode set for the device, use either the UI workflows or a configuration template to complete the configuration workflow and save the changes. When you try to save the changes, Aruba Central displays the following warning message:
7. When the auto commit state for a group is set to OFF, and changes are configured to the devices at a group level, Aruba Central displays the following warning message when you try to save the changes:
8. View the Local Overrides and Configuration Sync Issues, if any.
9. Click Commit Now to commit the configuration changes to all devices within the group.

Viewing Configuration Overrides and Errors
The Configuration Audit page allows you to view the configuration push errors, template synchronization errors, configuration sync, and device level configuration overrides. Some of the notable status indicators available on the page include:
- Configuration Status--Provides details of the number of devices with configuration sync errors. To view the devices with configuration sync errors, click View Details. The Config Difference window is displayed. You can view configuration differences for each device within the group.
- Local Overrides--Provides details of the number of devices with local overrides. To view a complete list of overrides, click Manage Local Overrides. The Local Overrides window is displayed. You can view configuration differences for each device within the group. The overrides are grouped based on the features that are configured in the UI and are displayed as drop-down sections. For example, all overrides for IGMP are listed under a separate drop-down with the heading IGMP.
  To preserve the overrides, click Close. To remove the overrides, select the group name with local override, type REMOVE in the text box and click OK.
- Configuration Conflicts--Provides details of the number of devices with configuration conflict errors. To view a complete list of configuration conflicts, click Manage Configuration Conflicts. The Configuration Conflict window is displayed. To resolve the configuration conflicts, enable the check box against each conflict, and then click Remove to remove the conflict.
- Template Errors--Provides the details of the number of devices with template errors. To view a complete list of configuration template errors, click View Template Errors. The Template Errors window is displayed. You can view a list of templates with errors.
- Move Failures--Aruba Central supports moving a device from one group to another. If the move operation fails, Aruba Central logs such instances as Move Failures.

Viewing Configuration Status for Devices at the Group Level (Template Configuration Mode)
When you select a template group from the filter, the Configuration Audit page displays the following information:

Table 66: Configuration Audit Status for a Template Group

Data Pane Content    Description

Template Errors
Provides details of the number of devices with template errors for the selected template group.
Devices deployed in the template group are provisioned using configuration templates. If there are errors in the templates or variable definitions, the configuration push to the devices fails. Aruba Central records such failed instances as template errors and displays these errors on the Configuration Audit page.
To view a complete list of errors, click View Template Errors. The Template Errors window allows you to view and resolve template errors, if any.

Configuration Status
Provides details of the number of devices with configuration sync errors for the selected template group.
To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
- Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
- Device Running Configuration--Displays the running configuration on the switch.
To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Configuration Backup & Restore
Allows you to create a backup of templates and variables applied to the devices in the template group. For more information, see Backing Up and Restoring Configuration Templates.
- New Configuration Backup--Allows you to create a new backup of templates and variables applied to the devices in the template group.

All Devices
The All Devices table provides the following device information for the selected group:
- Name--The name of the device.
- Type--The type of the device.
- Auto Commit--The status of the auto commit state for all the devices within the group.
- Config Sync--Indicator showing configuration sync errors.
- Template Errors--Indicator showing configuration template errors for the devices deployed in template groups.

Viewing Configuration Status for a Device (Template Configuration Mode)
When you select a device that is provisioned in a template group, the Configuration Audit page displays the following information:

Table 67: Configuration Audit Status for Devices in Template Groups

Data Pane Content

Description

Template Applied

Displays the template that is currently applied on the selected device.

Template Errors

Displays the number of template errors for the selected device. To view a complete list of errors, click View Template Errors.

Configuration Status

Displays the configuration sync errors for the selected device.

To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
- Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
- Device Running Configuration--Displays the running configuration on the switch.

To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Config Comparison Tool

Allows you to view the difference between the current configuration (Device Running Configuration) and the configuration that is yet to be pushed to the device (Attempted Configuration). To view the running and attempted configuration changes side by side, click View.

Viewing Configuration Status for Devices at the Group Level (UI-based Configuration Mode)
When you select a UI group, the Configuration Audit page displays the following information:

Table 68: Configuration Audit Status for a UI Group

Data Pane Content

Description

Configuration Status

Displays the number of devices with configuration sync errors for the selected UI group.

To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
- Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
- Device Running Configuration--Displays the running configuration on the switch.

To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Local Overrides

Displays the number of devices with local overrides. To view a complete list of overrides, click Manage Local Overrides. The Local Overrides window is displayed. The overrides are grouped based on the features that are configured in the UI and are displayed as drop-down sections. For example, all overrides for IGMP are listed under a separate drop-down with the heading IGMP.
- To preserve the overrides, click Close.
- To remove the overrides, select the group name with local override, type REMOVE in the text box and then click OK.

All Devices

The All Devices table provides the following device information for the selected group:
- MAC Address--MAC address of the device.
- Name--The name of the device.
- IP Address--IP address of the device.
- Site--Name of the site to which the device is assigned.
- Type--The type of the device.
- Auto Commit--The status of the auto commit state for all the devices within the group.
- Config Sync/Config Status--Indicator showing configuration sync errors.
- Local Overrides--Indicator showing configuration overrides for the devices deployed in the UI groups.
NOTE: The MAC Address, IP Address, Site, and Config Status columns are available only for groups in which Aruba gateways are provisioned (Manage > Device > Gateways, click the Config icon. The gateway configuration page is displayed. Navigate to Configuration Audit).

Viewing Configuration Status for a Device (UI-based Configuration Mode)
When you select a device assigned to a UI group, the Configuration Audit page displays the following information:

Table 69: Configuration Audit Status for a Device Assigned to a UI Group

Data Pane Content

Description

Configuration Status

Displays the number of devices with configuration sync errors for the selected device.
To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
- Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
- Device Running Configuration--Displays the running configuration on the switch.

To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Local Overrides

Displays the number of local overrides. To view a complete list of overrides, click Manage Local Overrides. The Local Overrides window is displayed. The overrides are grouped based on the features that are configured in the UI and are displayed as drop-down sections. For example, all overrides for IGMP are listed under a separate drop-down with the heading IGMP.
- To preserve the overrides, click Close.
- To remove the overrides, click Remove Local Overrides, type REMOVE in the text box and then click OK.

Backing up and Restoring Configuration Templates
Aruba Central allows you to back up configuration templates assigned to the devices deployed in a template group. The Configuration Audit pages for Instant AP, switch, and gateway configuration containers allow you to create and manage backed up files and restore these files when required. For more information, see Backing Up and Restoring Configuration Templates.
If monitor mode is enabled at the device level, the selected device functions in the monitor mode. If the monitor mode is enabled at the group level, all devices in the group inherit this setting. If a device managed by Aruba Central displays a configuration sync issue and persistently fails to receive configuration updates from Aruba Central, contact Aruba Central Technical Support.
Managing Software Upgrades
The Firmware page provides an overview of the latest firmware version supported on the device, details of the device, and the option to upgrade the device.
Changing AOS-Switches firmware from latest version to earlier major versions is not recommended if the switches are managed in UI groups. For features that are not supported or not managed in Aruba Central on earlier AOS-Switch versions, changing firmware to earlier major versions might result in loss of configuration.
Viewing Firmware Details
To view the firmware details for devices provisioned in Aruba Central, perform the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group in the filter, set the filter to one of the options under Group. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.
2. Under Maintain, click Firmware. The Firmware dashboard displays the following information:

The following image displays the Firmware dashboard at the global level:
Figure 106 Firmware Dashboard at Global Level

Firmware Maintenance Window
The following are the data pane items and description:


1. Access Points--Displays the following information:
   - Name--Name of the AP. Clicking on the device name opens a window with connected APs and allows you to select and view the device Summary page. For more information, see Clients > Wireless Client > Overview.
   - Site--Displays the site information only on global context.
   - Firmware Version--The current firmware version running on the device.
   - Latest Firmware Version--The latest firmware version available on the public firmware server.
   - Recommended Version--The version to which the device is recommended for the upgrade.
   - Upgrade Status--Filters the device list based on any of the following firmware upgrade statuses:
     - New firmware available
     - Scheduled
     - In progress
     - Failed
     - Firmware up to date
   - Compliance Status--Status of the firmware compliance setting. The value displayed in this column is Set, Not Set, or Compliance scheduled on. Compliance scheduled on displays the date and time that is set in the Firmware Compliance Setting page.
   Clicking on the device name in the Name column opens a window with connected APs and allows you to select and view the device Summary page. For more information, see Clients > Wireless Client > Overview. Click any site name in the Site column to view the firmware details page for the APs associated with that site.
2. Switches--Displays the following details about Aruba switches managed through Aruba Central:
   - Name--Host name of the switch.
   - Family--Displays the following types of switches:
     - AOS-S
     - CX
     This information is only available for Aruba switch and Aruba CX switches.
   - Site--Displays the site information only on global context.
   - MAC Address--MAC address of the switch.
   - Model--Hardware model of the switch.
   - Firmware Version--The current firmware version running on the switch.
   - Recommended Version--The version to which the device is recommended for the upgrade.
   - Upgrade Status--Filters the device list based on any of the following firmware upgrade statuses:
     - New firmware available
     - Scheduled
     - In progress
     - Failed
     - Firmware up to date
   - Compliance Status--Status of the firmware compliance setting. The value displayed in this column is Set, Not Set, or Compliance scheduled on. Compliance scheduled on displays the date and time that is set in the Firmware Compliance Setting page.


   - The Switch-MAS tab is only available for accounts with MAS-switches.
   - The Switches tab displays details of both Aruba Switch and Aruba CX switches.
3. Gateways--Displays the following details about the SD-WAN Gateways managed through Aruba Central in Standalone mode:
   - Name--Host name of the SD-WAN Gateway.
   - Site--Displays the site information only on global context.
   - MAC Address--MAC address of the SD-WAN Gateway.
   - Model--Hardware model of the SD-WAN Gateway.
   - Firmware Version--The current firmware version running on the SD-WAN Gateway.
   - Recommended Version--The version to which the device is recommended for the upgrade.
   - Upgrade Status--Filters the device list based on any of the following firmware upgrade statuses:
     - New firmware available
     - Scheduled
     - In progress
     - Failed
     - Firmware up to date
   - Compliance Status--Status of the firmware compliance setting. The value displayed in this column is Set, Not Set, or Compliance scheduled on. Compliance scheduled on displays the date and time that is set in the Firmware Compliance Setting page.
4. Set Compliance--Allows you to set firmware compliance for devices within a group. Click Set Compliance and turn on the toggle switch to enable and view the list of supported firmware versions for each device in a group in the Manage Firmware Compliance page.
   a. Set Compliance for Access Points--To ensure firmware version compliance, complete the following parameters in the Manage Firmware Compliance page:
      - Groups--Select a specific group or multiple groups for which the compliance must be set. Select All Groups if you want to set compliance for all the groups.
      - Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set.
      - When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
        - Now--To set the compliance to be carried out immediately.
        - Later Date--To set at the later date and time.
      - Click the Save and Upgrade button to save the firmware compliance with the above settings. To clear the compliance, turn off the toggle switch.
   b. Set Compliance for Switches--To ensure firmware version compliance, complete the following parameters in the Manage Firmware Compliance page:
      - Groups--Select the group for which the compliance must be set. Select the specific group to set compliance at group level.
      - AOS-S Firmware Version--Select the AOS-S firmware version number from the drop-down list to which the compliance is required to be set.
      - CX Firmware Version--Select the Aruba CX switch version number from the drop-down list to which the compliance is required to be set.

      - Auto Reboot--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
      - When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
        - Now--To set the compliance to be carried out immediately.
        - Later Date--To set at the later date and time.
      - Click the Save and Upgrade button to save the firmware compliance with the above settings. To clear the compliance, turn off the toggle switch.
      Aruba Central lists all available Aruba CX switch software versions. Select the software version that is applicable to the Aruba CX switch to which compliance is required to be set. For example, version 10.04.0020 is not applicable to Aruba CX 6200 and 6400 switch series.
   c. Set Compliance for Gateways in Standalone Mode--To ensure firmware version compliance, complete the following parameters in the Manage Firmware Compliance page:
      - Groups--Select a specific group or multiple groups for which the compliance must be set. Select All Groups if you want to set compliance for all the groups.
      - Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set.
      - Auto Reboot--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
      - When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
        - Now--To set the compliance to be carried out immediately.
        - Later Date--To set at the later date and time.
      - Click the Save and Upgrade button to save the firmware compliance with the above settings. To clear the compliance, turn off the toggle switch.
5. Upgrade All--Allows you to simultaneously upgrade firmware for all devices. Click Upgrade All to view a list of supported firmware versions for each device.
   a. To Upgrade all Access Points--Click Upgrade All and complete the following parameters in the Upgrade Access Points Firmware page:
      - Sites--Select a specific site or multiple sites for which the upgrade must be set. You can also search for the site in the search filter.
      - Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set. Select None for none of the firmware versions.
      - When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
        - Now--To set the compliance to be carried out immediately.
        - Later Date--To set at the later date and time.
      - Upgrade--Click this button to start the upgrade with the above settings.
      - Cancel--Click this button to cancel the upgrade.
      When a large number of APs are being upgraded, the cancel operation may not work as intended, and the upgrade continues.
   b. To Upgrade all Switches--Click Upgrade All and complete the following parameters in the Upgrade Switch Firmware page:

      - Sites--Select a specific site or multiple sites for which the upgrade must be set. You can also search for the site in the search filter.
      - AOS-S Firmware Version--Select the AOS-S firmware version number from the drop-down list to which the compliance is required to be set.
      - CX Firmware Version--Select the CX switch firmware version number from the drop-down list to which the compliance is required to be set.
      - Auto Reboot--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
      - When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
        - Now--To set the compliance to be carried out immediately.
        - Later Date--To set at the later date and time.
      - Upgrade--Click this button to start the upgrade with the above settings.
      - Cancel--Click this button to cancel the upgrade.
   c. To Upgrade all Gateways in Standalone Mode--Click Upgrade All and complete the following parameters in the Upgrade Gateway Firmware page:
      - Sites--Select a specific site or multiple sites for which the upgrade must be set. You can also search for the site in the search filter.
      - Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set.
      - Auto Reboot--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
      - When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
        - Now--To set the compliance to be carried out immediately.
        - Later Date--To set at the later date and time.
      - Upgrade--Click this button to start the upgrade with the above settings.
      - Cancel--Click this button to cancel the upgrade.
6. Search Filter--Allows you to define a filter criterion for searching devices based on the following properties:
   - Common to all devices--Name, Firmware Version, Recommended Version and Upgrade Status of the device.
   - Specific to switches and gateways--MAC address and Model.

7. Column Filter--Clicking the icon enables you to customize the table columns or set it to the default view.

8. Continue--Allows you to continue with firmware upgrade.

9. Cancel Upgrade--Cancels a scheduled upgrade.

10. Cancel All--Cancels a scheduled upgrade for all devices.

This section also includes the following topics:

- Upgrading a Single Device or Multiple Devices
- Upgrading Devices using Upgrade All Option
- Setting Firmware Compliance For Access Points
- Setting Firmware Compliance For Switches
- Setting Firmware Compliance For Gateways in Standalone Mode


Upgrading a Single Device or Multiple Devices
To check a new version for a single device or multiple devices, complete the following steps:
1. In the Network Operations app, select one of the following options:
   a. To select a group, site or global in the filter:
      - Set the filter to one of the options under Group or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
      - Under Maintain, click Firmware.
      - Select one or more devices from the device list and click the Upgrade icon at the bottom of the page, or hover over one of the selected devices and click the Upgrade icon. The Upgrade <Device> Firmware pop-up window opens.
   b. To select a device in the filter:
      - Set the filter to Global.
      - Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed.
      - Click a device listed under Device Name. The dashboard context for the device is displayed.
      - Under Maintain, click Firmware and click Upgrade in the Firmware Details window. The Upgrade <Device> Firmware pop-up window opens.
2. In the Upgrade <Device> Firmware pop-up window, select the appropriate firmware version. You can either select a recommended version or manually choose a specific firmware version.
   To obtain custom build details, contact Aruba Central Technical Support.
3. Select Auto Reboot if you want Aruba Central to automatically reboot after device upgrade.
   The Auto Reboot option is available for Mobility Access Switches, Aruba Switch, Aruba CX switches, and Branch Gateways.
4. Specify if the upgrade must be carried out immediately or at a later date and time.
5. Click Upgrade. The device downloads the image from the server, saves it to flash, and reboots. Depending on the progress and success of the upgrade, one of the following messages is displayed:
   - Upgrading--While image upgrade is in progress.
   - Upgrade failed--When the upgrade fails.
6. If the upgrade fails, retry upgrading your device.
   After upgrading a switch, click Reboot.
Upgrading Devices using Upgrade All Option
To upgrade multiple devices using the Upgrade All option, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Group or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Firmware. The firmware dashboard for Access Points is displayed by default.
3. Click Upgrade All. The Upgrade <Device> Firmware pop-up window opens.

4. In the Upgrade <Device> Firmware pop-up window, select the specific site or multiple sites from the Sites drop-down list. This option is available only at the global context.
5. Select the appropriate firmware version (for Access points and Gateways) and AOS-S firmware version and CX firmware version (for Mobility Access Switches, Aruba Switch and Aruba CX switches) from their respective drop-down list. You can either select a recommended version or manually choose a specific firmware version. To obtain custom build details, contact Aruba Central Technical Support.
6. Select Auto Reboot if you want Aruba Central to automatically reboot after device upgrade. The Auto Reboot option is available for Mobility Access Switches, Aruba Switch, Aruba CX switches, and Branch Gateways.
7. Specify if the upgrade must be carried out immediately or at a later date and time.
8. Click Upgrade. The device downloads the image from the server, saves it to flash, and reboots. Depending on the progress and success of the upgrade, one of the following messages is displayed:
   - Upgrading--While image upgrade is in progress.
   - Upgrade failed--When the upgrade fails.
9. If the upgrade fails, retry upgrading your device. After upgrading a switch, click Reboot.

The following image displays the Upgrade <Device> Firmware window for the switches:

Figure 107 Upgrade Switch Firmware

Setting Firmware Compliance For Access Points
Aruba Central allows you to run a firmware compliance check and force firmware upgrade for all APs in a group. To force a specific firmware version for all APs in a group, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware. The Access Points tab is selected by default.
2. Verify the firmware upgrade status for all APs.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple groups, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select one of the following as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at the later date and time.
7. Click Save and Upgrade. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

The following image displays the Manage Firmware Compliance window for Access Points:
Figure 108 Manage Firmware Compliance
Setting Firmware Compliance For Switches
To force a specific firmware version for all MAS switches in a group, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware > Switch-MAS tab.
2. Verify the firmware upgrade status for all MAS switches.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple groups, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select Auto Reboot if you want Aruba Central to automatically reboot the device after a successful device upgrade.
7. Select one of the following as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at the later date and time.
8. Click Save and Upgrade. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

The following image displays the Manage Firmware Compliance window for MAS switches:

Figure 109 Manage Firmware Compliance Window for MAS Switches

To force a specific firmware version for all Aruba switches in a group, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware > Switches tab.
2. Verify the firmware upgrade status for all switches.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple groups, or All Groups.
5. Select an AOS-S firmware version from the AOS-S Firmware Version drop-down list.
6. Select a CX firmware version from the CX Firmware Version drop-down list.
7. Select Auto Reboot if you want Aruba Central to automatically reboot the device after a successful device upgrade.
8. Select one of the following as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at the later date and time.
9. Click Save and Upgrade. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

The following image displays the Manage Firmware Compliance window for Aruba switches:

Figure 110 Manage Firmware Compliance Window for Aruba Switches
Setting Firmware Compliance For Gateways in Standalone Mode
To force a specific firmware version for all gateways in standalone mode, complete the following steps:
1. In the Global dashboard, under Maintain, click Firmware > Gateways tab. All the gateways in standalone mode are displayed.
2. Verify the firmware upgrade status for all gateways.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple groups, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select Auto Reboot if you want Aruba Central to automatically reboot the device after a successful device upgrade.
7. Select one of the following as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at the later date and time.
8. Click Save and Upgrade. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

The following image displays the Manage Firmware Compliance window for gateways:

Figure 111 Manage Firmware Compliance

Viewing Audit Trail in the Standard Enterprise Mode and MSP Mode
The Audit Trail page in the Standard Enterprise Portal shows the total logs generated for all the device management, configuration, and user management events triggered in Aruba Central. You can search or filter the audit trail records based on any of the following columns:
- Occurred on (Custom Range)
- Username
- IP Address
- Category
- Description
- Target
To view the audit trail log details in Aruba Central, perform the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group or all devices in the filter, set the filter to Group. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed in the List view.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.

2. Under Analyze, click Audit Trail. The Audit Trail table is displayed with the following details:
   - Occurred On--Timestamp of the audit log. Use the sort option to sort the audit logs by date and time. Use the filter option to select a specific time range to display the audit logs.
   - IP Address--IP address of the client device.
   - Username--Username of the admin user who applied the changes.
   - Target--The group or device to which the changes were applied.
   - Category--Type of modification and the affected device management category.
   - Description--A short description of the changes such as subscription assignment, firmware upgrade, and configuration updates. Click the ellipsis to view the complete details of the event. For example, if an event was not successful, clicking the ellipsis displays the reason for the failure.
To customize the Audit Trail table, click the ellipsis icon to select the required columns, or click Reset to default to set the table to the default columns.
Classification of Audit Trails
The audit trail is classified according to the type of modification and the affected device management category. The category can be one of the following:
- Configuration
- Firmware Management
- Reboot
- Device Management
- Templates
- User Management
- Variables
- Label Management
- MSP
- Guest
- Groups
- Subscription Management
- API Gateway
- RBAC
- Sites Management
- SAML Profile
- User Activity
- Federated User Activity
- Alert Configuration
- Install Manager
- Tools
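
The Audit Trail columns and categories listed above are enough to drive a periodic review of administrative activity. The following is an added example, not Aruba's code: it flags access-control and firmware changes made from outside a set of admin networks or outside a change window, and bursts of reboot or firmware events by one user. The record layout, timestamp format, choice of sensitive categories, thresholds and sample records are assumptions constructed for illustration; the page does not define an export format.

```python
import ipaddress
from datetime import datetime, timedelta

# Category names come from the classification list on this page. Which of them
# count as "sensitive" or "disruptive" is an assumption of this example.
SENSITIVE = {"Firmware Management", "User Management", "RBAC",
             "SAML Profile", "API Gateway"}
DISRUPTIVE = {"Reboot", "Firmware Management"}

# Assumed timestamp format; adjust it to match the records you review.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def rec(when, ip, user, target, category, description):
    """Build one record keyed by the Audit Trail column names."""
    return {"Occurred On": when, "IP Address": ip, "Username": user,
            "Target": target, "Category": category, "Description": description}


# Constructed sample records (documentation IP ranges, made-up users and targets).
SAMPLE = [
    rec("2021-06-02 11:06:00", "198.51.100.5", "carol@example.com", "SW-03", "Reboot", "Device reboot"),
    rec("2021-06-01 09:15:00", "192.0.2.10", "alice@example.com", "Branch-Group", "Configuration", "Configuration updated"),
    rec("2021-06-01 23:40:00", "192.0.2.10", "alice@example.com", "Branch-Group", "Firmware Management", "Firmware upgrade scheduled"),
    rec("2021-06-02 10:00:00", "203.0.113.7", "bob@example.com", "Account", "RBAC", "Role modified"),
    rec("2021-06-02 11:00:00", "198.51.100.5", "carol@example.com", "SW-01", "Reboot", "Device reboot"),
    rec("2021-06-02 11:03:00", "198.51.100.5", "carol@example.com", "SW-02", "Reboot", "Device reboot"),
    rec("2021-06-02 12:00:00", "192.0.2.11", "dave@example.com", "Lobby", "Guest", "Guest account created"),
]


def review(records, admin_networks, change_hours=(8, 18),
           burst=3, burst_span=timedelta(minutes=10)):
    """Return [{"record": ..., "reasons": [...]}] for records worth a second look.

    admin_networks: CIDR strings from which sensitive changes are expected.
    change_hours:   (start, end) hours during which sensitive changes are expected.
    burst:          number of disruptive events by one user within burst_span
                    that triggers a finding.
    """
    networks = [ipaddress.ip_network(n) for n in admin_networks]
    ordered = sorted(records,
                     key=lambda r: datetime.strptime(r["Occurred On"], TIME_FORMAT))
    recent = {}    # username -> timestamps of that user's recent disruptive events
    findings = []
    for record in ordered:
        when = datetime.strptime(record["Occurred On"], TIME_FORMAT)
        source = ipaddress.ip_address(record["IP Address"])
        reasons = []
        if record["Category"] in SENSITIVE:
            if not any(source in net for net in networks):
                reasons.append("outside admin networks")
            if not change_hours[0] <= when.hour < change_hours[1]:
                reasons.append("outside change window")
        if record["Category"] in DISRUPTIVE:
            # Keep only this user's events that fall inside the sliding window.
            window = [t for t in recent.get(record["Username"], [])
                      if when - t <= burst_span]
            window.append(when)
            recent[record["Username"]] = window
            if len(window) >= burst:
                reasons.append("burst of disruptive events")
        if reasons:
            findings.append({"record": record, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE, ["192.0.2.0/24"]):
        r = finding["record"]
        print(r["Occurred On"], r["Username"], r["Category"], r["Target"],
              "; ".join(finding["reasons"]))
```

Each finding carries the original record, so the Description and Target values can be checked against the Audit Trail page.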

Removing Devices
The device monitoring dashboards allow you to remove an offline device. However, you will not be able to remove a device completely from the Aruba Central database, because the device entry remains in the Device Inventory page. The Device Inventory page shows the hardware devices that belong to your account or purchase order. For information on removing an offline device, see the following topics:
- Deleting an Offline AP
- Deleting an Offline Switch
- Deleting a Gateway
Removing a Device from the Device Inventory Page
You cannot remove a device completely from Aruba Central, but you can unsubscribe the device. After you unsubscribe, the device status changes to Unsubscribed in the Device Inventory page. If you have more than one Aruba Central account and if another Aruba Central user adds this unsubscribed device to another Aruba Central account, the device entry is removed from the Device Inventory page in your Aruba Central account.

Chapter 6 The AI Insights Dashboard
In an environment of rapidly changing business and user expectations driven by an explosion of connectivity requirements from the edge to the cloud, a new approach to network management is required. Aruba AIOps (Artificial Intelligence for IT operations) is the next generation of AI-powered solutions that integrates proven Artificial Intelligence solutions with recommended and automated action to provide both fast response to identified problems, along with proactive prediction and prevention.
With data collected from over 750,000 access points, switches, and gateways, Aruba Central and built-in AI Insights proactively identify and solve issues, and provide pinpoint configuration recommendations. As the data is stored in the cloud, it is easy to view the network performance across all locations from a single pane of glass. Utilizing the cloud also provides the ability to anonymously compare a network with a peer network or the baselines for a broader perspective and optimization. All of this comes from Aruba's advantage in accessing an enormous volume and variety of data that is factored into insights. Aruba does not collect or process personal data.
In this release the insights are classified under three categories:
- Connectivity--Issues related to the wireless connectivity in the network.
- Wireless Quality--Issues related to the RF Info or RF Health in the network.
- Availability--Issues related to the health of your network infrastructure and the devices in the network such as APs, switches, and gateways.
The AI Insights dashboard displays a report of network events that could possibly affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level for the selected time range. Each insight provides specific details on the occurrences of these events for easy debugging. To launch the AI Insights dashboard, complete the following steps:
1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage, click Overview > AI Insights. The Insights table is displayed. AI Insights listed in the dashboard are sorted from high priority to low priority.
3. Click the arrow against each insight to view further details.


Figure 112 Insight Details

Callout 1: Click this arrow to expand any specific insight to view further details.

Callout 2: Displays the insight severity, using the following colors:
- Red--High priority
- Orange--Medium priority
- Yellow--Low priority
NOTE: The following three configuration recommendation insights are marked in blue in the severity column:
- Access Point Transmit Power can be Optimized
- Coverage Holes Identified
- Outdoor Clients Impacting Wi-Fi Performance

Callout 3: Short description of the insight.

Callout 4: Insight Summary displays the reason why the insight was generated along with a recommendation. It also shows the number and percentage of failures that occurred against each failure reason. The reasons are classified into:
- Static--These reasons rely on Aruba's domain expertise.
- Dynamic--These reasons are generated based on error codes that are received from infrastructure devices.

Callout 5: Time Series graph is a graphical representation of the failure percentage or failure events that occurred for the selected time range. The entries in each time series bar can be customized to highlight a specific entry by clicking on it. Only one specific entry can be highlighted at a time.

Callout 6: Category of the insight. Insight category can be filtered by clicking the filter icon.

Callout 7: Short description of the impact.

Callout 8: Cards display additional information specific to each insight. Cards might vary for each insight based on the context the insight is accessed from. For more information, see Cards.

All AI Insights generated are listed in the Global > AI Insights dashboard. Alternatively, AI Insights for a specific site, device, or client can be viewed by selecting the respective context. For more information on available insights and the context, see Insights Context.

AI Insights are displayed for a selected time period based on the time selected in the Time Range Filter. You can select one of the following: 3 Hours, 1 Week, 1 Day, or 1 Month.
Figure 113 AI Insights Dashboard

Insights Context
Insights can be accessed from different contexts such as Global, Site, Clients, and Device. The following table lists the different types of insights generated by Aruba Central and the paths from which they can be accessed.
In this release, all AI Insights are available irrespective of the user role or Aruba Central subscription. In the upcoming Aruba Central release, AI Insights marked as Advanced in the user interface would require an advanced subscription.


Table 70: Navigating Insights

Insight: Access Points with High CPU Utilization
Category: Availability - Access Point
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Access Points with High Memory Usage
Category: Availability - Access Point
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Telemetry Information not Received from APs or Radios
Category: Availability - Access Point
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Access Points with High Number of Reboots
Category: Availability - Access Point
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights


Insight: AOS-CX Switches with High Port Flaps
Category: Availability - Switch
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Switches: Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-CX Switches with High Port Errors
Category: Availability - Switch
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Switches: Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-CX Switch Ports with High Power-over-Ethernet Problems
Category: Availability - Switch
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Switches: Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-CX Switches with High CPU Utilization
Category: Availability - Switch
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Switches: Network Operations > Global > Devices > Switches > Device Name > AI Insights


Insight: AOS-CX Switches with High Memory Usage
Category: Availability - Switch
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Switches: Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-Switches with High Port Flaps
Category: Availability - Switch
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Switches: Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-Switches with High Port Errors
Category: Availability - Switch
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Switches: Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-Switch Ports with High Power-over-Ethernet Problems
Category: Availability - Switch
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Switches: Network Operations > Global > Devices > Switches > Device Name > AI Insights


Insight: AOS-Switches with High CPU Utilization
Category: Availability - Switch
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Switches: Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-Switches with High Memory Usage
Category: Availability - Switch
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Switches: Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: Failure to Establish Gateway Tunnels
Category: Availability - Gateway
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Gateways: Network Operations > Global > Devices > Gateways > Device Name > AI Insights

Insight: Gateways with High CPU Utilization
Category: Availability - Gateway
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Gateways: Network Operations > Global > Devices > Gateways > Device Name > AI Insights


Insight: Gateways with High Memory Usage
Category: Availability - Gateway
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Gateways: Network Operations > Global > Devices > Gateways > Device Name > AI Insights

Insight: Clients who Roamed Excessively
Category: Connectivity - Wi-Fi
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights
- Clients: Network Operations > Global > Clients > Client Name > AI Insights
- Clients: Network Operations > Site > Clients > Client Name > AI Insights

Insight: Clients with High Roaming Latency
Category: Connectivity - Wi-Fi
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights
- Clients: Network Operations > Global > Clients > Client Name > AI Insights
- Clients: Network Operations > Site > Clients > Client Name > AI Insights


Insight: Clients with Captive Portal Authentication Problems
Category: Connectivity - Wi-Fi
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights
- Clients: Network Operations > Global > Clients > Client Name > AI Insights
- Clients: Network Operations > Site > Clients > Client Name > AI Insights

Insight: Clients with High Number of Wi-Fi Association Failures
Category: Connectivity - Wi-Fi
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights
- Clients: Network Operations > Global > Clients > Client Name > AI Insights
- Clients: Network Operations > Site > Clients > Client Name > AI Insights


Insight: Delayed DNS Request or Response
Category: Connectivity - Wi-Fi
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights
- Clients: Network Operations > Global > Clients > Client Name > AI Insights
- Clients: Network Operations > Site > Clients > Client Name > AI Insights

Insight: DNS Servers Rejected High Number of Queries
Category: Connectivity - Wi-Fi
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights
- Clients: Network Operations > Global > Clients > Client Name > AI Insights
- Clients: Network Operations > Site > Clients > Client Name > AI Insights


Insight: Clients with DHCP Server Connection Problems
Category: Connectivity - Wi-Fi
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights
- Clients: Network Operations > Global > Clients > Client Name > AI Insights
- Clients: Network Operations > Site > Clients > Client Name > AI Insights

Insight: DNS Queries Failed to Reach or Return from the Server
Category: Connectivity - Wi-Fi
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights


Insight: Clients with High MAC Authentication Failures
Category: Connectivity - Wi-Fi
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights
- Clients: Network Operations > Global > Clients > Client Name > AI Insights
- Clients: Network Operations > Site > Clients > Client Name > AI Insights

Insight: Clients with High Wi-Fi Security Key-Exchange Failures
Category: Connectivity - Wi-Fi
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights
- Clients: Network Operations > Global > Clients > Client Name > AI Insights
- Clients: Network Operations > Site > Clients > Client Name > AI Insights


Insight: Clients with High 802.1X Authentication Failures
Category: Connectivity - Wi-Fi
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights
- Clients: Network Operations > Global > Clients > Client Name > AI Insights
- Clients: Network Operations > Site > Clients > Client Name > AI Insights

Insight: Access Point Transmit Power can be Optimized
Category: Wireless Quality
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights

Insight: Access Points Impacted by High 2.4 GHz Usage
Category: Wireless Quality
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Access Points Impacted by High 5 GHz Usage
Category: Wireless Quality
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights


Insight: Dual-band (2.4/5 GHz) Clients Primarily using 2.4 GHz
Category: Wireless Quality
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights
- Clients: Network Operations > Global > Clients > Client Name > AI Insights
- Clients: Network Operations > Site > Clients > Client Name > AI Insights

Insight: Clients with Low SNR Minutes
Category: Wireless Quality
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights
- Clients: Network Operations > Global > Clients > Client Name > AI Insights
- Clients: Network Operations > Site > Clients > Client Name > AI Insights

Insight: Coverage Holes Identified
Category: Wireless Quality
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights


Insight: Access Points with Excessive Number of Channel Changes
Category: Wireless Quality
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Access Points Radios with Frequent Transmit Power Changes
Category: Wireless Quality
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights
- Site: Network Operations > Sites > Overview > AI Insights
- Access Points: Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Outdoor Clients Impacting Wi-Fi Performance
Category: Wireless Quality
Context Navigation:
- Global: Network Operations > Global > Overview > AI Insights

Cards
All the insights in Aruba Central display certain cards with additional information specific to that insight. The top view of each card usually shows the most impacted data in a pie chart or a bar graph view. The data in a pie chart can be modified based on your requirement. To highlight specific entries in a card, click the check box next to each label. A few cards have a further drill-down option available, in the form of a drop-down. Additionally, a few cards have an expandable view option to view the graph.
The cards might vary for each insight based on the context the insight is accessed from. The following table displays the cards available in different insights:

Table 71: Cards

Card: Site
Description: The Site card displays the number of sites impacted by an insight. Click the arrow to expand the card and view the most impacted sites where the issue occurred.


Card: Access Points
Description: The Access Point card displays the number of APs impacted by an insight. Click the arrow to expand the card and view the most impacted APs where the issue occurred. You can also click the drop-down list to view further details about the impacted access points.

Card: Clients
Description: The Client card displays the number of clients impacted by an insight. Click the arrow to expand the card and view the most impacted clients where the issue occurred.

Card: Server
Description: The Server card displays the number of servers impacted by an insight. Click the arrow to expand the card and view the most impacted servers where the issue occurred.

Card: RF Info
Description: The RF Info card displays the number of channels, band, and SSID information based on the insight it is accessed from. Click the arrow to expand the card and view the relevant information. You can also click the drop-down list to view further details about the impacted RF bands.

Card: Switch
Description: The Switch card displays the number of switches impacted by an insight. Click the arrow to expand the card and view the most impacted switches where the issue occurred. You can also click the drop-down list to view further details about the impacted switches.

Card: Wired Clients
Description: The Wired Client card displays the number of wired clients impacted by an insight. Click the arrow to expand the card and click the drop-down list to view further details about the impacted wired clients.

Card: Roam
Description: The Roam card displays the percentage of client latency roams. Click the arrow to expand the card and click the drop-down list to view further details about the roaming latency and band.

Card: Tunnel
Description: The Tunnel card displays the number of gateway tunnels down. Click the arrow to expand the card and view the reasons for the cause of tunnel down.

Card: Gateway
Description: The Gateway card displays the number of gateways impacted by an insight. Click the arrow to expand the card and view the most impacted gateways where the issue occurred. You can also click the drop-down list to view further details about the impacted gateways.

Card: VPNC
Description: The VPNC card displays the number of VPNC gateways on which the tunnels are down. Click the arrow to expand the card and view the reasons for the cause of VPNC tunnel down.

Card: Outdoor Clients
Description: The Outdoor Clients card is available only for Outdoor Clients Impacting Wi-Fi Performance insight and it displays the percentage of avoided outdoor client minutes. Click the arrow to expand the card and view graphical representation of the data.


Card: Outdoor Minutes
Description: The Outdoor Minutes card is available only for Outdoor Clients Impacting Wi-Fi Performance insight and it displays the percentage of avoided outdoor clients minutes and affected indoor client minutes. Click the arrow to expand the card and view graphical representation of the data.

Card: Port
Description: The Port card is available for the switch port health insights and it displays the number of ports experiencing excessive flaps or errors. Click the arrow to expand the card and view the most impacted ports where the issue occurred.

Card: CPU
Description: The CPU card is available at the device (Gateways and Switches) context and displays the number of gateways and switches impacted by high CPU utilization in the network. Click the arrow to expand the card and view graphical representation of the data.

Card: Memory
Description: The Memory card is available at the device (Gateways and Switches) context and displays the number of gateways and switches impacted by high memory utilization in the network. Click the arrow to expand the card and view graphical representation of the data.

Card: Power
Description: The Power card displays the number of power changes in access points in the network. Click the arrow to expand the card and click the drop-down list to view further details about the impacted access points.

Card: Channel
Description: The Channel card displays the number of channels changes per channel for a specific access point in the network. Click the arrow to expand the card and click the drop-down list to view further details about the impacted channels.

If you click on the number displayed on each card, further details specific to that card are displayed in a tabular format. The filter icon allows you to filter data in each table column. The sort icons allow you to sort the columns in ascending and descending order. A few columns are displayed by default, whereas a few columns do not appear in the table by default.
To customize a table, click the ellipses icon to select the required columns, or click Reset to default to set the table to the default columns. Click the download icon to download the card details in a CSV format.

Baselines
Baseline enables you to compare your network performance with similar peer groups. Baseline is calculated on a weekly basis and is available in the trend chart for insights in the Site context only. Baseline is displayed as a blue line in the trend chart. The following two baselines are available in Aruba Central:
- Class baseline--Provides a comparison with similar peer groups in the networks. Peer group classification is done based on various parameters such as number of access points, neighboring devices information, and so on.
- Company baseline--Provides a comparison of the network within the entire customer ID (CID).


Baseline is supported for the following insights:
- Clients with High MAC Authentication Failures
- Clients with High Wi-Fi Security Key-Exchange Failures
- Clients with High 802.1X Authentication Failures
- Clients with DHCP Server Connection Problems
- DNS Queries Failed to Reach or Return from the Server
- DNS Servers Rejected High Number of Queries
- Delayed DNS Request or Response
- Access Points with High CPU Utilization
- Access Points with High Memory Usage
- Access Points with High Number of Reboots
- Telemetry Information not Received from APs or Radios
- Access Points with Excessive Number of Channel Changes
- Access Points Impacted by High 2.4 GHz Usage
- Access Points Impacted by High 5 GHz Usage
- Access Point Transmit Power can be Optimized
- Dual-band (2.4/5 GHz) Clients Primarily using 2.4 GHz
- Clients with Low SNR Minutes

Access Points with High Number of Reboots
The Access Points had a high number of reboots insight can be accessed from the Global, Site, and Access Points context. This insight provides information about APs that have been rebooted the most times and is categorized under availability as the clients connected to these APs experience connectivity drops. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
The time series graph displays the number of AP reboots that occurred during the selected time period. You can hover your mouse over each bar graph to see the exact number of reboots.
Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 72: Cards Context
- Card: Site, Context: Global
- Card: Access Point, Context: Global, Site

Site
Lists the number of sites where the APs experience excessive reboots. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Reboots--Number of APs that experience excessive reboots in each site.
- APs--Number of reboots that occurred in each AP in a specific site.
Access Point
Lists the number and details of reboots observed in an AP. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- Time Series--Pictorial graph of the AP reboots that occurred on different dates but similar timestamp.
- FW Version--Pictorial graph of AP reboots classified by AP firmware versions.
- AP Model--Pictorial graph of AP reboots classified by AP models.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- AP Serial--Serial number of the AP.
- FW Version--Version of the firmware running on each AP.
- Model--Model number of each AP.
- Site--Name of the site where the AP resides.
- Reboots--Number of reboots over time.

Access Points with Excessive Number of Channel Changes
The Access Points had an excessive number of channel changes insight can be accessed from the Global, Site, and Access Points context. This insight provides information about AP radios that changed channels excessively in the network. It is categorized under wireless quality as the connected clients might have to reconnect after an AP changes channel for a better network performance. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards


Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs changed channels on the network.
- Recommendation--Displays the recommendation to resolve each failure.
- Channel Changes--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph
The time series graph displays the number of channel changes per channel for a specific AP during the selected time period. You can hover your mouse on each bar graph to see the exact number of channel changes.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 73: Cards Context
- Card: Site, Context: Global
- Card: Access Point, Context: Global, Site
- Card: Client, Context: Global, Site, Device
- Card: Channel, Context: Global, Site, Device

Site
Lists the number of sites that experience excessive AP radio channel changes in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Channel Changes--Total number of channel changes in each site.
- Impacted Sessions--Number of times the insight is triggered on each site.
- Total Session--Total number of session count in each site.
- Impacted Radio--Number of radios with high airtime.
- Total Radios--Total number of radios in each site.
Access Point
Lists the number and details of APs that experience excessive AP radio channel changes in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:


- Model--Pictorial graph of the channel changes classified by AP models.
- FW Version--Pictorial graph of channel changes classified by AP firmware versions.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Serial--Serial number of the AP.
- Model--Model number of each AP.
- Band--Bandwidth where each AP dwells.
- Channel Changes--Number of channel changes on each AP.
- Impacted Sessions--Number of times the insight is triggered on each AP.
- Total Sessions--Total number of session count in each AP.
Client
Lists the MAC Address, name, host name, auth ID, and the corresponding number of channel changes for each client. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Clients card to view a detailed description of the impacted clients:
- Client Name--Name of the client impacted by the insight and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Times Impacted--Number of channels changed on each client.
Channel
Number of channel changes per channel for a specific AP during the selected time period. Click the arrow to expand the card and view the pictorial graph of the channel changes. Click the Channel drop-down list to view the following:
- Band--Pictorial graph of the channel changes based on both 2.4 GHz and 5 GHz.
- Channel--Pictorial graph of the number of channel changes per channel for a specific AP during the selected time period. It shows a comparison of the channel change between the peer network and AP. Click to expand the channel data.
Click the number displayed on the Channel card to view a detailed description of the impacted channels:
- From Channel--Total number of channels.
- Changes--Number of channels that experienced excessive changes.

Access Points with High CPU Utilization
The Access Points had unusually high CPU utilization insight can be accessed from the Global, Site, and Access Points context. This insight provides information about APs that have higher than normal CPU utilization and is categorized under availability as the clients connected to these APs experience intermittent connectivity drops. This insight displays the following information:


- Time Series Graph
- Cards

Time Series Graph
The time series graph displays the number of APs that experience high CPU utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number of APs.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 74: Cards Context
- Card: Site, Context: Global
- Card: Access Point, Context: Global, Site

Site
Lists the number of sites where the APs experience high CPU utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
n Site--Name of the site impacted by the insight and link to the specific insight at the site context. n APs--Number of APs that experience high CPU utilization in each site. n Time (min)--Time range of high CPU utilization in each site.
Access Point
Lists the number and details of APs that experience high CPU utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list, to view the following:
n AP Model--Pictorial graph of CPU utilization classified by AP models. n FW Version--Pictorial graph of CPU utilization classified by AP firmware versions.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP.
- AP Serial--Serial number of the AP.
- Firmware--Version of the firmware running on each AP.
- Model--Model number of each AP.
- Site--Name of the site where the AP resides.
- Time (min)--Time range of high CPU utilization on each AP.
- Max CPU (%)--Percentage of high CPU utilization on each AP.


Access Points Impacted by High 2.4 GHz Usage
The Access Points impacted by high 2.4 GHz usage insight can be accessed from the Global, Site, and Access Points context. This insight provides information about AP radios whose Wi-Fi channel utilization deviated from the normal utilization range, as compared to other APs broadcasting in the same location, RF band, and time of day. It is categorized under wireless quality as the connected clients experience poor Wi-Fi performance. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs experience higher airtime utilization in the network.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.

Time Series Graph
The time series graph displays the number of APs that experience high 2.4 GHz airtime utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number of APs.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 75: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site
Client | Global, Site, Device
RF Info | Global, Site, Device

Site
Lists the number of sites that experience high 2.4 GHz airtime utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Duration (mins)--Time range that an AP in each site experienced high airtime utilization.
- Clients--Number of clients impacted by the insight.
- APs--Number of APs impacted by the insight in each site.
- Reasons--Cause of the high 2.4 GHz airtime utilization in each site.
Access Point
Lists the number and details of APs that experience high 2.4 GHz airtime utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list, to view the following:
- Model--Pictorial graph of the high 2.4 GHz airtime utilization percentage classified by AP models.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Serial--Serial number of the AP.
- Consumed Airtime (mins)--Time range of the consumed airtime in each AP.
- Duration (mins)--Time range that the AP experienced high airtime utilization.
- Reasons--Cause of the high 2.4 GHz airtime utilization in each AP.
- Clients Impacted--Number of clients impacted by the insight connected to each AP.
- Avg Channel Utilization (%)--Average percentage of the airtime utilization in each AP.
- AP Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Client
Lists the MAC Address, name, host name, auth ID, and the corresponding percentage of high 2.4 GHz airtime utilization of each client. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Name of the client impacted by the insight and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Duration (mins)--Time range that the client experienced high airtime utilization.
- Reason--Cause of the high 2.4 GHz airtime utilization for each client.
- Site--Name of the site where the client exists.
RF Info
Number of channels impacted by high 2.4 GHz airtime utilization. Click the arrow to view the pictorial graph of the impacted band. Click the RF Info drop-down list to view the following:
- Channel--Chart of AP radio channels that experienced excessive AP airtime utilization. It displays the channels impacted by this issue over the selected time period, sorted by airtime utilization score, which is calculated from the severity of the utilization level and the duration of time that the channel was over utilized. Click to expand the channel data.
- Reason--Pictorial graph of the percentage of causes for high 2.4 GHz airtime utilization in a channel.
- Utilization--Pictorial graph of the airtime utilization in each AP on a specific date and time. Click to expand the utilization data.
- Power Distribution--Pictorial graph of Tx Power distribution (dBm) for both the 2.4 GHz and 5 GHz band during the time it is transmitting signal to the client. Click to expand the power distribution data.
- Hour of Day--Pictorial graph of which hours of the day the network was most impacted by excessive AP airtime utilization. Click to expand the hourly data.
- SNR Percentile--Pictorial graph of the average Signal-to-Noise Ratio of the AP in different percentiles (25th, 50th, 75th, 90th, 99th) in 2.4 GHz band and 5 GHz band. Click to expand the SNR percentile data.
Click the number displayed on the RF Info card to view a detailed description of the impacted channels:
- Channel--Number of channels that experienced excessive AP airtime utilization.
- Airtime (mins)--Time range of the consumed airtime in each client.

Access Points Radios with Frequent Transmit Power Changes
The Access Point radios changed their transmit power frequently insight can be accessed from the Global, Site, and Access Points context. This insight provides information on AP radios that frequently changed transmission power levels in the network. It is categorized under wireless quality since the connected clients experience frequent throughput fluctuations. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs experience frequent transmit power changes in the network.
- Recommendation--Displays the recommendation against each failure to resolve the same.
Time Series Graph
The time series graph displays the number of AP power changes in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number of power changes.
Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:


Table 76: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site
Power | Global, Site, Device

Site

Lists the number of sites that experience power transmit changes in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Insight--Number of power changes occurred in each site.
- Radio--Number of AP radios in each site that changed transmission power level.

Access Point
Lists the number and details of APs that experience power transmit changes in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP insight.
- AP MAC--MAC address of the AP and link to the specific insight at the AP insight.
- Serial--Serial number of the AP.
- Power Changes--Number of power changes occurred in each AP.
- Model--Model number of each AP.
- Firmware--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

Power

Displays the number of power changes that occurred in APs in the network. Click the arrow to view the pictorial graph of the impacted band. Click the Power drop-down list to view the following:

- Power Changes over Time--Pictorial graphs of power transmit changes observed across time for 2.4 GHz and 5 GHz radio. Click to expand the power change data.
- Power Distribution--Pictorial graph of the percentage of time spent across power levels for the time period in the 2.4 GHz and 5 GHz band. Click to expand the power distribution data.
- Band--Pictorial graph of the percent of number of changes observed in the 2.4 GHz and 5 GHz bands.
- Variance--Pictorial graph of the percentage of variance in transmission power across number of APs in that power variance for the 2.4 GHz and 5 GHz band. Click to expand the variance data.

Click the number displayed on the Power card to view a detailed description of the impacted channels:


- Band--Number of power changes observed in the 2.4 GHz and 5 GHz bands.
- Changes--Number of power changes that occurred in each band.
Access Point Transmit Power can be Optimized
The Access Point transmit power can be optimized insight can be accessed only at the Global context. This insight is generated when the transmit power is not set optimally on the radios of access points in the network. It detects that wireless clients are experiencing poor Wi-Fi connectivity due to the transmit power settings of the access points. It is categorized under wireless quality because the clients connected to these APs can communicate well with the APs, but the APs have difficulty communicating with the clients in return. This insight displays the following information:
- Insight Summary
- Card
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the transmit power of APs are not set optimally.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
Card
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:
Table 77: Cards Context

Cards | Context
Mixed | Global
Power | Global
Mixed
Number of channels in the APs impacted by transmit power setting in the network. Click the arrow to view the pictorial graph of the impacted band. Click the Mixed drop-down list to view the following:
- Band--Pictorial graph of power changes in both the frequency bands by the AP (2.4 GHz or 5 GHz).
- SSID--Pictorial graph of the percent of AP dwell bands (2.4 GHz or 5 GHz) sorted by SSIDs. Click to expand the SSID data.
Power
Displays the number of power changes that occurred in a specific access point. Click the arrow to expand the card to view the pictorial graph of the band and power distribution in the network. Click the Power drop-down list, to view the following:


- Power Distribution--Pictorial graph of the percentage of time spent across power levels for the time period in the 2.4 GHz and 5 GHz band.
- Band--Graph of the percent of number of changes observed in the 2.4 GHz and 5 GHz bands.
Click the number displayed on the Power card, to view a detailed description of the impacted clients:
- Band--Band where the maximum power changes occurred.
- Changes--Number of power changes that occurred in each band.

Access Points Impacted by High 5 GHz Usage
The Access Points were impacted by high 5 GHz usage insight can be accessed from the Global, Site, and Access Points context. This insight provides information about AP radios whose Wi-Fi channel utilization deviated from the normal utilization range, as compared to other APs broadcasting in the same location, RF band, and time of day. Access Points were impacted by high 5 GHz usage is categorized under wireless quality as the connected clients experience poor Wi-Fi performance. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs experience higher airtime utilization in the network.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.

Time Series Graph
The time series graph displays the number of APs that experience high 5 GHz airtime utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number of APs.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 78: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site
Client | Global, Site, Device
RF Info | Global, Site, Device


Site
Lists the number of sites that experience high 5 GHz airtime utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Duration (mins)--Time range that an AP in each site experienced high airtime utilization.
- APs--Number of APs impacted by the insight in each site.
- Clients--Number of clients impacted by the insight.
- Reason--Cause of the high 5 GHz airtime utilization in each site.
Access Point
Lists the number and details of APs that experience high 5 GHz airtime utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list, to view the following:
- Model--Pictorial graph of the high 5 GHz airtime utilization percentage classified by AP models.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Serial--Serial number of the AP.
- Consumed Airtime (mins)--Time range of the consumed airtime in each AP.
- Duration (mins)--Time range that the AP experienced high airtime utilization.
- Reason--Cause of the high 5 GHz airtime utilization in each AP.
- Clients Impacted--Number of clients impacted by the insight connected to each AP.
- Avg Channel Utilization (%)--Average percentage of the airtime utilization in each AP.
- AP Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
Client
Lists the MAC Address, name, host name, auth ID, and the corresponding percentage of high 5 GHz airtime utilization for each client. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Name of the client impacted by the insight and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Duration (mins)--Time range that the client experienced high airtime utilization.
- Reason--Cause of the high 5 GHz airtime utilization for each client.
- Site--Name of the site where the client exists.
RF Info
Number of channels impacted by high 5 GHz airtime utilization. Click the arrow to view the pictorial graph of the impacted band. Click the RF Info drop-down list to view the following:


- Channel--Chart of AP radio channels that experienced excessive AP airtime utilization. It displays the channels impacted by this issue over the selected time period, sorted by airtime utilization score, which is calculated from the severity of the utilization level and the duration of time that the channel was over utilized. Click to expand the channel data.
- Reason--Pictorial graph of the percentage of causes for high 5 GHz airtime utilization in a channel.
- Utilization--Pictorial graph of the airtime utilization in each AP on a specific date and time. Click to expand the utilization data.
- Power Distribution--Pictorial graph of Tx Power distribution (dBm) for both the 2.4 GHz and 5 GHz band during the time it is transmitting signal to the client. Click to expand the power distribution data.
- Hour of Day--Pictorial graph of which hours of the day the network was most impacted by excessive AP airtime utilization. Click to expand the hourly data.
- SNR Percentile--Pictorial graph of the average Signal-to-Noise Ratio of the AP in different percentiles (25th, 50th, 75th, 90th, 99th) in 5 GHz band. Click to expand the SNR percentile data.
Click the number displayed on the RF Info card to view a detailed description of the impacted channels:
- Channel--Number of channels that experienced excessive AP airtime utilization.
- Airtime (mins)--Time range of the consumed airtime in each client.

Access Points with High Memory Usage
The Access Points with unusually high memory usage were found insight can be accessed from the Global, Site, and Access Points context. This insight provides information about APs that have higher than normal memory utilization and is categorized under availability as the clients connected to these APs experience intermittent connectivity drops. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
The time series graph displays the number of APs that experience high memory utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number of APs.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 79: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site


Site
Lists the number of sites where the APs experience high memory utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- APs with High Memory--Number of APs that experience high memory utilization in each site.
- Minutes with High Memory--Time range of high memory utilization in each site.
Access Point
Lists the number and details of APs that experience high memory utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list, to view the following:
- AP Model--Pictorial graph of memory utilization classified by AP models.
- FW Version--Pictorial graph of memory utilization classified by AP firmware versions.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP.
- AP Serial--Serial number of the AP.
- Firmware--Version of the firmware running on each AP.
- Model--Model number of each AP.
- Site--Name of the site where the AP resides.
- Time (min)--Time range of high memory utilization on each AP.
- Max Memory (%)--Percentage of high memory utilization on each AP.
Clients with High Roaming Latency
The Clients experienced high latency while roaming insight can be accessed from the Global, Site, Access Points, and Clients context. This insight reports on wireless clients that have experienced long roam times to the target AP. The threshold for detecting a delayed, long client roam is set to 50 ms. When you access this insight from the global, site, or client context, the data and analysis are based on issues at the target AP. When you access it from the device context, the data is based on issues at the home AP. Clients experienced high latency while roaming is categorized under connectivity since it helps network administrators take the necessary actions if any clients experience long delays when roaming between APs. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
The time series graph displays the total number of roams and the percentage of high latency roams that occurred in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number and percentage of roams.


Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 80: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device
Roam | Global, Site, Device, Client

Site
Lists the number of sites where the clients have experienced high roaming latency in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- High Latency Roams (%)--Number and percentage of high latency roams in each site.
- Impacted Clients Count--Number of clients impacted with high roaming latency in each site.
Access Point
Lists the number and details of APs where the clients have experienced high roaming latency. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list, to view the following:
- Model--Pictorial graph of high roaming latency classified by AP models.
- FW Version--Pictorial graph of high roaming latency classified by AP firmware versions.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- Serial--Serial number of the AP.
- High Latency Roams (%)--Number and percentage of high latency roams in each AP.
- Clients From--Number of clients that roamed in each AP.
- Latency (min/avg/max) msec--The minimum, average, and maximum latency that occurred in each AP.
- AP MAC--MAC address of the impacted AP and link to the specific insight at the AP context.
- IP--IP address of the impacted AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.


Client
Lists the MAC Address, name, host name, auth ID, and the number of clients that have experienced high roaming latency. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Name of the impacted clients and link to the specific insight at the client context.
- Client MAC--MAC address of the impacted client and link to the specific insight at the client context.
- High Latency Roams (%)--Number and percentage of high latency roams in each client.
- Top AP--AP where the client roamed maximum as compared to other APs in the network.
Roam
Displays the percentage of client latency roams in the network. This card includes the raw telemetry feed sorted based on latency at each context.
Click the arrow to expand the Roam card and click the drop-down list, to view the following:
- Latency--Pictorial graph of latency versus concurrences. Click to expand the latency data.
- Band--Pictorial graph of clients roaming trends between 2.4 GHz and 5 GHz.
Click the number displayed on the Roam card, to view a detailed description of the impacted clients:
- Timestamp--Timestamp of the event received.
- Latency (msec)--Latency value in microsecond per client.
- Client Name--Name of the roaming client and link to the specific insight at the client context.
- Client MAC--MAC Address of the roaming client and link to the specific insight at the client context.
- From AP Name--Name of the home AP from where the client roamed to the target AP.
- To AP Name--Name of the target AP to where the client roamed from the home AP.
- From Channel--Number of channel the client roamed from.
- Roaming Type--Type of the roam that occurred in each client.
- From AP MAC--MAC address of the home AP from where the client roamed to the target AP.
- From AP Serial--Serial number of the home AP from where the client roamed to the target AP.
- To AP MAC--MAC address of the target AP to where the client roamed from the home AP.
- To AP Serial--Serial number of the target AP to where the client roamed from the home AP.
- RSSI (dBm)--Received Signal Strength Indicator (RSSI) value of the client.
- To Channel--Number of channels the client roamed to.
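
The following is an added example, not part of the Aruba Central guide or product code. It recomputes the Access Point card figures (High Latency Roams (%), Latency min/avg/max) from Roam-card style rows, applying the 50 ms threshold and the target-AP versus home-AP attribution described for this insight. The record keys, the sample rows, the strict "greater than 50" comparison, and reading latency in milliseconds (per the "Latency (msec)" column name) are assumptions.

```python
from collections import defaultdict

HIGH_LATENCY_MS = 50  # roam-latency threshold stated in the guide

# Constructed sample rows. Key names are assumptions modelled on the Roam
# card columns (Client MAC, From AP Name, To AP Name, Latency (msec)).
ROAMS = [
    {"client_mac": "02:00:00:00:00:01", "from_ap": "AP-Lobby", "to_ap": "AP-Hall", "latency_ms": 12},
    {"client_mac": "02:00:00:00:00:01", "from_ap": "AP-Hall", "to_ap": "AP-Lobby", "latency_ms": 85},
    {"client_mac": "02:00:00:00:00:02", "from_ap": "AP-Lobby", "to_ap": "AP-Hall", "latency_ms": 140},
    {"client_mac": "02:00:00:00:00:02", "from_ap": "AP-Hall", "to_ap": "AP-Cafe", "latency_ms": 30},
    {"client_mac": "02:00:00:00:00:03", "from_ap": "AP-Cafe", "to_ap": "AP-Hall", "latency_ms": 64},
    {"client_mac": "02:00:00:00:00:03", "from_ap": "AP-Hall", "to_ap": "AP-Lobby", "latency_ms": 20},
    {"client_mac": "02:00:00:00:00:02", "from_ap": "AP-Cafe", "to_ap": "AP-Hall", "latency_ms": 48},
    # Malformed row (no latency reported); it must not count as a roam.
    {"client_mac": "02:00:00:00:00:04", "from_ap": "AP-Lobby", "to_ap": "AP-Cafe", "latency_ms": None},
]

CONTEXTS = ("global", "site", "client", "device")


def summarize_roams(roams, context="global", threshold_ms=HIGH_LATENCY_MS):
    """Aggregate roam rows per AP.

    In the global, site and client contexts a roam is attributed to the
    target AP; in the device context it is attributed to the home AP.
    """
    if context not in CONTEXTS:
        raise ValueError(f"unknown context: {context!r}")
    ap_key = "from_ap" if context == "device" else "to_ap"

    per_ap = defaultdict(list)
    for row in roams:
        latency = row.get("latency_ms")
        ap = row.get(ap_key)
        valid = (
            isinstance(latency, (int, float))
            and not isinstance(latency, bool)
            and latency >= 0
            and bool(ap)
        )
        if not valid:
            continue  # skip rows that cannot be attributed or measured
        per_ap[ap].append((latency, row.get("client_mac")))

    summary = {}
    for ap, items in per_ap.items():
        latencies = [lat for lat, _ in items]
        # Assumption: a roam of exactly 50 ms is not counted as high latency.
        high = [(lat, mac) for lat, mac in items if lat > threshold_ms]
        summary[ap] = {
            "roams": len(latencies),
            "high_latency_roams": len(high),
            "high_latency_pct": round(100 * len(high) / len(latencies), 1),
            "latency_min_avg_max": (
                min(latencies),
                round(sum(latencies) / len(latencies), 1),
                max(latencies),
            ),
            "impacted_clients": len({mac for _, mac in high}),
        }
    return summary


def most_impacted(summary):
    """AP names ordered by high-latency share, then count, then name."""
    return sorted(
        summary,
        key=lambda ap: (
            -summary[ap]["high_latency_pct"],
            -summary[ap]["high_latency_roams"],
            ap,
        ),
    )


if __name__ == "__main__":
    for ctx in ("global", "device"):
        result = summarize_roams(ROAMS, context=ctx)
        print(ctx, most_impacted(result))
        for ap in most_impacted(result):
            print("  ", ap, result[ap])
```

The same rows give different per-AP figures in the device context because each roam is then counted against the AP the client left rather than the AP it joined.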
Clients with Low SNR Minutes
The Clients had a significant number of Low SNR minutes insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information about access points that have a low-quality signal-strength connection and is categorized under wireless quality as the clients connecting at a Low SNR have low throughput and high retransmissions. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards


Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs experience low-quality SNR connection in the network.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.

Time Series Graph
The time series graph displays the number of clients with low SNR uplink AP during the selected time period. You can hover your mouse on each bar graph to see the number of SNR links.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 81: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device
RF Info | Global, Site, Device

Site
Lists the number of sites where the APs and clients experience low signal connection. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- APs with Low SNR--Number of APs with low signal connection.
- Clients with Low SNR--Number of clients with low signal connection.
- Uplink Minutes of Low SNR--Duration of uplink with low signal connection in each site.
- Downlink Minutes of Low SNR--Duration of downlink with low signal connection in each site.
Access Point
Lists the number and details of APs that experience low signal connection in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list, to view the following:
- TX Power--Pictorial graph of the percentage of Tx Power distribution (dBm) in both the 2.4 GHz and 5 GHz band during the time it is transmitting signal to the client.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the Access Point Details page.
- AP MAC--MAC address of the AP and link to the Access Point Details page.
- Serial--Serial number of the AP.
- AP Model--Model number of each AP.
- Clients--Number of clients that experience low signal connection in each AP.
- Uplink Low SNR (Total|2.4 GHz|5 GHz|min)--Duration of uplink with low signal minutes in both bands during the time it is transmitting signal to the AP.
- Downlink Low SNR (Total|2.4 GHz|5 GHz|min)--Duration of downlink with low signal connection in both the bands during the time it is transmitting signal to the AP.
Client
Lists the MAC Address, name, host name, auth ID, and the number of clients experiencing low signal quality. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the Client drop-down list, to view the following:
- Client Type--Pictorial graph of the number and percentage of low SNR clients classified by vendors.
Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Number of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Type--Device type of the client.
- Uplink Minutes of Low SNR--Duration of uplink with low signal connection in each client.
- Uplink Low SNR (Total|2.4 GHz|5 GHz|min)--Duration of uplink with low signal minutes in both bands during the time it is transmitting signal to the AP.
- Downlink Low SNR (Total|2.4 GHz|5 GHz|min)--Duration of downlink with low signal connection in both the bands during the time it is transmitting signal to the AP.
- Site--Name of the site where the client resides.
RF Info
Number of channels impacted by low-quality signal-strength connection in the network. Click the arrow to view the pictorial graph of the impacted band. Click the RF Info drop-down list to view the following:
- Band--Pictorial graph of devices experiencing a low signal-quality link using 2.4 GHz or 5 GHz radio bands.
- Good vs Bad--Pictorial graph of the amount of time (minutes) with Low SNR (Bad) and High SNR (Good) for all the clients.
Click the number displayed on the RF Info card to view a detailed description of the impacted channels:
- Band--Number of channel changes between 2.4 GHz and 5 GHz.
- Time (min)--Number of power changes.
Clients with High MAC Authentication Failures
The Clients had an unusual number of MAC authentication failures insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive MAC authentication failures observed in the network and is categorized under connectivity as the users are unable to connect to the Wi-Fi network. It also helps to identify rogue users in a network. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph
The time series graph displays the number of MAC authentication failures that occurred during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 82: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device

Site
Lists the number of sites that experienced MAC authentication failures in the network. Click the arrow to view a pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
• Site--Name of the site impacted by the insight and link to the specific insight at the site context.
• Failures--Number of failures that occurred in each site.
• Total--Total number of MAC authentications in each site.
Access Point
Lists the number and the details of APs that faced the MAC authentication failures in the network. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
• SSID--Pictorial graph of the percentage of MAC authentication failures sorted by SSIDs.
• Model--Pictorial graph of the percentage of MAC authentication failures sorted by AP models.
• FW Version--Pictorial graph of the percentage of MAC authentication failures sorted by AP firmware version.
Click the number displayed on the Access Point card to view the detailed description of the impacted access points:
• AP Name--Name of the access points and link to the specific insight at the AP context.
• MAC--MAC address of the access point and link to the specific insight at the AP context.
• Failures--Number of failures that occurred in each AP.
• Total--Total number of MAC authentications in each AP.
• Serial--Serial number of the AP.
• IP--IP address of each AP.
• Model--Model number of each AP.
• FW Version--Version of the firmware running on each AP.
• Site--Name of the site where the AP resides.
Client
Lists the MAC address, name, host name, and auth ID of clients that failed MAC authentication. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
• Name--Name of the impacted client and link to the specific insight at the client context.
• MAC--MAC address of the client and link to the specific insight at the client context.
• Failures--Number of failures that occurred in each client.
• Client OS--OS type of the device.
Clients with DHCP Server Connection Problems
The Clients had DHCP server connection problems insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive client to AP DHCP failures observed in the network. This insight occurs when Wi-Fi clients attempt to acquire a DHCP IP address multiple times but fail to do so. This insight is categorized under connectivity since the users fail to get an IP address and are unable to connect to the Wi-Fi network. It displays the following information:
• Insight Summary
• Time Series Graph
• Cards
Insight Summary
The insight summary provides the following details:
• Reason--Displays the possible causes of the failure.
• Recommendation--Displays the possible recommendation for resolving each failure.
• Failures--Displays the exact number and percentage of failures that occurred for each failure reason.

Time Series Graph
The time series graph displays the number of DHCP failures that occurred during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 83: Cards Context

Cards | Context
Site | Global
Server | Global, Site, Device, Client
Access Point | Global, Site, Client
Client | Global, Site, Device

Site
Lists the number of sites that experience DHCP server connection problems in the network. Click the arrow to view a pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
• Site--Name of the site impacted by the insight and link to the specific insight at the site context.
• Failures--Number and percentage of failures that occurred in each site.
• Total--Total number of DHCP requests.
Server
Lists the number of DHCP servers involved in this insight. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Server card to view a detailed description of the impacted servers:
• Server IP--IP address of the server impacted by this insight.
• Failures--Number of failures that occurred in each server.
• Total--Total number of DHCP requests.
Access Point
Lists the number and the details of the DHCP server connection problems observed in an AP. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
• SSID--Pictorial graph of the percentage of DHCP failures sorted by SSIDs.
• Model--Pictorial graph of the percentage of DHCP failures sorted by AP models.
• FW Version--Pictorial graph of the percentage of DHCP failures sorted by AP firmware version.
Click the number displayed on the Access Point card to view the detailed description of the impacted access points:
• AP Name--Name of the access points and link to the specific insight at the AP context.
• AP MAC--MAC address of the AP and link to the specific insight at the AP context.
• Failures--Number and percentage of failures that occurred in each AP.
• Total--Total number of DHCP requests.
• Serial--Serial number of the AP.
• IP--IP address of each AP.
• Model--Model number of each AP.
• FW Version--Version of the firmware running on each AP.
• Site--Site name of the AP where the failure occurred.
Client
Lists the MAC address, host name, and auth ID of clients that failed DHCP handshake. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
• Client Name--Name of the impacted client and link to the specific insight at the client context.
• Client MAC--MAC address of the client and link to the specific insight at the client context.
• Failures--Number of failures that occurred in each client.
• Total--Total number of DHCP requests.
• Client OS--OS type of the device.
Clients with High 802.1X Authentication Failures
The Clients had excessive 802.1x authentication failures insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive 802.1X authentication failures observed in the network. It is categorized under connectivity since the users are unable to connect to the Wi-Fi network. This insight displays the following information:
• Insight Summary
• Time Series Graph
• Cards
Insight Summary
The insight summary provides the following details:
• Reason--Displays the possible causes of the failure.
• Recommendation--Displays the possible recommendation for resolving each failure.
• Failures--Displays the exact number and percentage of failures that occurred for each failure reason.
Time Series Graph
The time series graph displays the number of 802.1X authentication failures observed in the network during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 84: Cards Context

Cards | Context
Site | Global
Server | Global, Site, Device, Client
Access Point | Global, Site, Client
Client | Global, Site, Device

Site
Lists the number of sites that experienced 802.1X authentication failures in the network. Click the arrow to view a pictorial graph with the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
• Site--Name of the site impacted by the insight and link to the specific insight at the site context.
• Failures--Number and percentage of failures that occurred in each site.
• Total--Total number of 802.1X authentications in each site.
Server
Lists the number of servers that failed 802.1X authentication in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Server card to view a detailed description of the impacted servers:
• Server IP--IP address of each server.
• Failures--Number of 802.1X authentication failures in each server.
• Total--Total number of 802.1X authentications.
Access Point
Lists the number and the details of APs that failed 802.1X authentication in the network. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
• SSID--Pictorial graph of the percentage of 802.1X authentication failures sorted by SSIDs.
• Model--Pictorial graph of the percentage of 802.1X authentication failures sorted by AP models.
• FW Version--Pictorial graph of the percentage of 802.1X authentication failures sorted by AP firmware version.
Click the number displayed on the Access Point card to view the detailed description of the impacted access points:
• AP Name--Name of the access points and link to the specific insight at the AP context.
• AP MAC--MAC address of the AP and link to the specific insight at the AP context.
• Failures--Number and percentage of failures that occurred in each AP.
• Total--Total number of failures in each AP.
• Serial--Serial number of the AP.
• IP--IP address of the AP.
• Model--Model number of each AP.
• FW Version--Version of the firmware running on each AP.
• Site--Name of the site where the AP resides.
Client
Lists the MAC address, name, host name, and auth ID of clients that failed 802.1X authentication. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
• Client Name--Name of the impacted client and link to the specific insight at the client context.
• Client MAC--MAC address of the client and link to the specific insight at the client context.
• Failures--Number and percentage of failures that occurred in each client.
• Total--Total number of failures in each client.
• Client OS--OS type of the device.
Clients with High Wi-Fi Security Key-Exchange Failures
The Clients had excessive Wi-Fi security key-exchange failures insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive Wi-Fi security key-exchange failures observed in the network. When this failure occurs, users connecting to Wi-Fi using PSK or 802.1X authentication experience higher EAPOL key-exchange failures. This insight is categorized under connectivity since the users are unable to connect to the Wi-Fi network. This insight displays the following information:
• Insight Summary
• Time Series Graph
• Cards
Insight Summary
The insight summary provides the following details:
• Reason--Displays the possible causes of Wi-Fi security key-exchange failure in the network.
• Recommendation--Displays the possible recommendation for resolving each failure.
• Failures--Displays the exact number and percentage of failures that occurred for each failure reason.
Time Series Graph
The time series graph displays the number of Wi-Fi security key-exchange failures that occurred in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number of failures. The following graph shows the data trend for 3 hours in a day.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 85: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device

Site
Lists the number of sites that experienced excessive Wi-Fi security key-exchange failures in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
• Site--Name of the site impacted by the insight and link to the specific insight at the site context.
• Failures--Number and percentage of failures that occurred in each site.
• Total--Total number of failures in each site.
Access Point
Lists the number of APs that experienced Wi-Fi security key-exchange failures in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
• SSID--Pictorial graph of 4-way handshake authentication failures sorted by SSIDs.
• Model--Pictorial graph of 4-way handshake failures classified by AP models.
• FW Version--Pictorial graph of 4-way handshake failures classified by AP firmware versions.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
• AP Name--Name of the access points and link to the specific insight at the AP context.
• AP MAC--MAC address of the AP and link to the specific insight at the AP context.
• Failures--Number and percentage of failures that occurred in each AP.
• Total--Total number of failures in each AP.
• Serial--Serial number of the AP.
• IP--IP address of the AP.
• Model--Model number of each AP.
• FW Version--Version of the firmware running on each AP.
• Site--Name of the site where the AP resides.
Client
Lists the MAC address, name, host name, and auth ID of clients that failed Wi-Fi security key-exchange authentication. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
• Client Name--Name of the impacted client and link to the specific insight at the client context.
• Client MAC--MAC address of the client and link to the specific insight at the client context.
• Failures--Number and percentage of failures that occurred in each client.
• Total--Total number of failures in each client.
• Client OS--OS type of the device.

Clients with Captive Portal Authentication Problems
The Clients had problems authenticating with the Captive Portal insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on captive portal failures observed in the network. It is categorized under connectivity since the users are unable to connect to the Wi-Fi network. This insight displays the following information:
• Insight Summary
• Time Series Graph
• Cards

Insight Summary
The insight summary provides the following details:
• Reason--Displays the possible causes of the failure.
• Recommendation--Displays the possible recommendation for resolving each failure.
• Failures--Displays the exact number and percentage of failures that occurred for each failure reason.

Time Series Graph
The time series graph displays the number of client captive portal failures observed in the network during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 86: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device

Site
Lists the number of sites that experienced captive portal failures in the network. Click the arrow to view a pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
• Site--Name of the site impacted by the insight.
• Failures--Number and percentage of failures that occurred in each site.
• Total--Total number of captive portal authentications in each site.
Access Point
Lists the number and the details of APs that failed captive portal authentication in the network. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
• SSID--Pictorial graph of the percentage of captive portal authentication failures sorted by SSIDs.
• Model--Pictorial graph of the percentage of captive portal authentication failures sorted by AP models.
• FW Version--Pictorial graph of the percentage of captive portal authentication failures sorted by AP firmware version.
Click the number displayed on the Access Point card to view the detailed description of the impacted access points:
• AP Name--Name of the access points and link to the specific insight at the AP context.
• AP MAC--MAC address of the AP and link to the specific insight at the AP context.
• Failures--Number and percentage of failures that occurred in each AP.
• Total--Total number of failures in each AP.
• Serial--Serial number of the AP.
• IP--IP address of the AP.
• Model--Model number of each AP.
• FW Version--Version of the firmware running on each AP.
• Site--Name of the site where the AP resides.
Client
Lists the MAC address, name, host name, and auth ID of clients that failed captive portal authentication. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
• Client Name--Name of the impacted client and link to the specific insight at the client context.
• Client MAC--MAC address of the client and link to the specific insight at the client context.
• Failures--Number and percentage of failures that occurred in each client.
• Total--Total number of failures in each client.
• Client OS--OS type of the device.
Clients with High Number of Wi-Fi Association Failures
The Clients had a high number of Wi-Fi Association failures insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on Wi-Fi association failures observed in the network. It is categorized under connectivity since the users are unable to connect to the Wi-Fi network. This insight displays the following information:
• Insight Summary
• Time Series Graph
• Cards

Insight Summary
The insight summary provides the following details:
• Reason--Displays the possible causes of the failure.
• Recommendation--Displays the possible recommendation for resolving each failure.
• Failures--Displays the exact number and percentage of failures that occurred for each failure reason.

Time Series Graph
The time series graph displays the number of association failures observed in the network during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 87: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device

Site
Lists the number of sites that experienced association authentication failures in the network. Click the arrow to view a pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
• Site--Name of the site impacted by the insight.
• Failures--Number and percentage of failures that occurred in each site.
• Total--Total number of association failures in each site.
Access Point
Lists the number and the details of APs that experienced association failures in the network. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
• SSID--Pictorial graph of the percentage of association failures sorted by SSIDs.
• Model--Pictorial graph of the percentage of association failures sorted by AP models.
• FW Version--Pictorial graph of the percentage of association failures sorted by AP firmware version.
Click the number displayed on the Access Point card to view the detailed description of the impacted access points:
• AP Name--Name of the access points and link to the specific insight at the AP context.
• AP MAC--MAC address of the AP and link to the specific insight at the AP context.
• Failures--Number and percentage of failures that occurred in each AP.
• Total--Total number of failures in each AP.
• Serial--Serial number of the AP.
• IP--IP address of the AP.
• Model--Model number of each AP.
• FW Version--Version of the firmware running on each AP.
• Site--Name of the site where the AP resides.
Client
Lists the MAC address, name, host name, and auth ID of clients that experienced association failures in the network. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
• Client Name--Name of the impacted client and link to the specific insight at the client context.
• Client MAC--MAC address of the client and link to the specific insight at the client context.
• Failures--Number and percentage of failures that occurred in each client.
• Total--Total number of failures in each client.
• Client OS--OS type of the device.
Clients who Roamed Excessively
The Clients roamed excessively insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides reports on wireless clients that roam to the target APs more than normal from the home AP. This insight is categorized under connectivity since this helps to reduce the frequency of roaming clients in the customer network. It also helps network administrators to eliminate anonymous users and deploy additional access points in case the users are affected by poor network performance. This insight displays the following information:
• Time Series Graph
• Cards
Time Series Graph
The time series graph displays the total number of roams and the percentage of excessive roams that occurred in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number and percentage of roams.
Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 88: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device

Site
Lists the number of sites where the clients have experienced excessive roams in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
• Site--Name of the site impacted by the insight and link to the specific insight at the site context.
• Impacted Clients (%)--Number and percentage of clients impacted with excessive roaming in each site.
Access Point
Lists the number and details of APs where the clients have experienced excessive roams. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
• Model--Pictorial graph of excessive roams classified by AP models.
• FW Version--Pictorial graph of excessive roams classified by AP firmware versions.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
• From AP--The AP name from where the client roamed excessively.
• Impacted Clients (%)--Clients impacted by excessive roams in each AP.
• AP MAC--MAC address of the APs and link to the specific insight at the AP context.
• Serial--Serial number of the AP.
• IP--IP address of each AP.
• Model--Model number of each AP.
• FW Version--Version of the firmware running on each AP.
• Site--Name of the site where the AP resides.
Client
Lists the MAC address, name, host name, auth ID, and the number of clients that have experienced high roaming latency. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
• Client Name--Name of the clients impacted by the insight and link to the specific insight at the client context.
• Client MAC--MAC address of the client impacted by the insight and link to the specific insight at the client context.
• Excessive Roams--Number of excessive roams for each client.
• Delayed Roams--Number of delayed roams by the client.
• Top AP--AP where the client roamed the most compared to other APs in the network.

Coverage Holes Identified
The Coverage Hole detected insight can be accessed only at the Global context. This insight determines the connection status of Wi-Fi clients with the APs due to poor Wi-Fi coverage. Machine learning determines when a relatively large proportion of the client minutes consistently have low SNR links. The exact location of the coverage hole can be identified from the location of the clients listed with poor coverage, and it implies that there is a need to deploy one more AP, which will avoid the low SNR clients in the network. Coverage Hole detected is categorized under wireless quality since the clients in coverage holes have poor or intermittent Wi-Fi connectivity, causing loss of productivity. This insight displays the following information:
• Insight Summary
• Cards

Insight Summary
The insight summary provides the following details:
• Reason--Displays the possible causes for which the clients experience poor Wi-Fi coverage in the network.
• Recommendation--Displays the recommendation for resolving each failure.
• Failures--Displays the exact number and percentage of failures that occurred for each failure reason.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 89: Cards Context

Cards | Context
Site | Global
Access Point | Global
Client | Global

Site

Lists the sites where the clients experience poor Wi-Fi coverage in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
• Site--Name of the site impacted by the insight and link to the specific insight at the site context.
• Clients--Number of clients that experience coverage hole in each site.
• Coverage Holes--Total number of clients that need to be deployed in the network due to coverage holes.

Access Point
Lists the number and details of APs that have clients with poor connections due to a coverage hole in the network. This is measured by the amount of time the client experiences poor vs good connectivity. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
• Most Impacted by Low Uplink SNR--Pictorial graph of APs most impacted by low uplink SNR.
• Most Impacted by Low 5 GHz Downlink SNR--Pictorial graph of APs most impacted by low 5 GHz downlink SNR.
• Most Impacted by Low 2.4 GHz Downlink SNR--Pictorial graph of APs most impacted by low 2.4 GHz downlink SNR.
Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
• AP Name--Name of the access points and link to the specific insight at the AP context.
• AP MAC--MAC address of each AP and link to the specific insight at the AP context.
• Impacted (Time)--Time range of the coverage hole detected in each AP.
• Clients--Number of clients with poor Wi-Fi coverage in each AP.
• Coverage Hole Type--The type of coverage hole detected in each AP.
• AP Serial--Serial number of each AP.
• Firmware--Version of the firmware running on each AP.
• Model--Model number of each AP.
Client
Lists the MAC address, name, host name, auth ID, and the number of connected clients affected by poor connections, determined by the total number of minutes spent in the coverage hole. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the Client drop-down list to view the following:
• Low Uplink SNR Minutes--Pictorial graph of clients most impacted by low uplink SNR minutes.
• Low 5 GHz Downlink SNR--Pictorial graph of clients most impacted by low 5 GHz downlink SNR.
• Low 2.4 GHz Downlink SNR--Pictorial graph of clients most impacted by low 2.4 GHz downlink SNR.
Click the number displayed on the Client card to view a detailed description of the impacted clients:
• Client Name--Name of the client and link to the specific insight at the client context.
• Client MAC--MAC address of the client and link to the specific insight at the client context.
• Impacted (Time)--Time range of the coverage hole detected in each client.
• Client OS--Operating system of the client.
• Average SNR (dB)--Average SNR of the client on the AP.
• Coverage Hole Type--The type of coverage hole detected in each AP.
Dual-band (2.4/5 GHz) Clients Primarily using 2.4 GHz
The Dual-band (2.4/5 GHz) capable clients primarily used 2.4 GHz insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides reports on dual-band capable clients that spent more airtime on the 2.4 GHz band instead of the 5 GHz band. Dual-band (2.4/5 GHz) capable clients primarily used 2.4 GHz is categorized under wireless quality since the 2.4 GHz band has more interference, more clients, and less bandwidth capabilities than the 5 GHz band. Dual-band clients have a better user experience when they are on the 5 GHz band. This insight displays the following information:
• Insight Summary
• Time Series Graph
• Cards

Insight Summary
The insight summary provides the following details:
• Reason--Displays the possible causes for which the client is excessively dwelling in the 2.4 GHz band in the network.
• Recommendation--Displays the recommendation for resolving each cause.

Time Series Graph
The time series graph displays the percentage of clients over dwelling in the 2.4 GHz band in the network during the selected time period. You can hover your mouse on each bar graph to see the exact percentage of the dwelling time.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 90: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site
Client | Global, Site, Device

Site
Lists the number of sites where the clients are dwelling excessively in the 2.4 GHz band. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
• Site--Name of the site impacted by the insight and link to the specific insight at the site context.
• Clients Impacted--Number of clients in each site that are excessively dwelling in the 2.4 GHz band.
• APs Impacted--Number of APs impacted by the insight in each site.
Access Point
Lists the number and details of APs where the clients are dwelling excessively in the 2.4 GHz band. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
• AP Name--Name of the access points and link to the specific insight at the AP context.
• AP MAC--MAC address of the AP.
• Serial--Serial number of the AP.
• Model--Model number of each AP.
• FW Version--Version of the firmware running on each AP.
• Site--Name of the site where the AP resides.
• Total Clients--Total number of clients connected to each AP.
• Clients (%)--Number of clients that are dwelling excessively on the 2.4 GHz band.
Client
Lists the MAC address, name, host name, auth ID, and the corresponding percentage of time spent for each client in the radio bands. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the Client drop-down list to view the following:
• Client Type--Pictorial graph of the percent of clients dwelling in the 2.4 GHz band sorted by client device type.
Click the number displayed on the Client card to view a detailed description of the impacted clients:
• Client Name--Name of the client impacted by the insight.
• Client MAC--MAC address of the client impacted by the insight and link to the specific insight at the client context.
• Device Type--Clients dwelling in the 2.4 GHz band sorted by client device type.
• Site--Name of the site where the client resides.
• 2.4 GHz Dwell (min, %)--Duration and percentage of time of each client dwelling in the 2.4 GHz band.
• 5 GHz Dwell (min, %)--Duration and percentage of time of each client dwelling in the 5 GHz band.
• Total Dwell Minutes--Total duration of each client dwelling on both the bands.
Delayed DNS Request or Response
The DNS request/responses were significantly delayed insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on significant delays in response from the DNS servers. It is categorized under connectivity since there is a high delay in response from the DNS server. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
The time series graph displays the number of delays from the DNS server that occurred during the selected time. You can hover your mouse on each bar graph to see the exact number of delays.
Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:


Table 91: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Server | Global, Site, Device |
| Access Point | Global, Site |

Site
Lists the number of sites that experience delays from the DNS server in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Min (ms)--Packet latency (delay) is measured. The lowest value of delay in the measurement interval is the minimum response delay.
- Avg (ms)--Packet latency (delay) is measured. The average value of delay in the measurement interval is the average response delay.
- Max (ms)--Packet latency (delay) is measured. The maximum value of delay in the measurement interval is the maximum response delay.
Server
Lists the number of DNS servers that are impacted by this insight. Click the arrow to view the pictorial graph of the Most Impacted servers. Click the number displayed on the Server card, to view a detailed description of the impacted servers:
- Server IP--IP address of each server.
- Avg (ms)--Packet latency (delay) is measured. The average value of delay in the measurement interval is the average response delay.
- Min (ms)--Packet latency (delay) is measured. The lowest value of delay in the measurement interval is the minimum response delay.
- Max (ms)--Packet latency (delay) is measured. The maximum value of delay in the measurement interval is the maximum response delay.
Access Point
Lists the number and details of APs that have the most DNS response delays. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- AP Serial--Serial number of the AP.
- Avg (ms)--Packet latency (delay) is measured. The average value of delay in the measurement interval is the average response delay.
- Min (ms)--Packet latency (delay) is measured. The lowest value of delay in the measurement interval is the minimum response delay.
- Max (ms)--Packet latency (delay) is measured. The maximum value of delay in the measurement interval is the maximum response delay.
- Servers--Server ID where the AP resides.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

DNS Servers Rejected High Number of Queries
The DNS server(s) rejected a high number of queries insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive request failures from the DNS servers. It is categorized under connectivity since there is a high number of request failures. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph
The time series graph displays the number of request failures from the DNS server that occurred during the selected time. You can hover your mouse on each bar graph to see the exact number of failures.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 92: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Server | Global, Site, Device |
| Access Point | Global, Site |


Site
Lists the number of sites that experience request failures from the DNS server in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Total Failures(%)--Total number of failure packets at the site multiplied by 100.
- Query Attempts--Number of query attempts sent to the DNS server in a site.
- Query Success(%)--Percentage of successful DNS queries in a site.
- Query Format Error--Error in the DNS query format sent to the DNS server in a site.
- Request Failed to Complete--DNS request failed to complete, and the server responds with an error code.
- Domain Name Does Not Exist--Domain name sent to the DNS server does not exist and the server responds with an error code.
- Function Not Implemented--Function is not implemented on the DNS server and the server responds with an error code.
- Server Refused to Answer Query--Server refused to answer the query and responds with an error code.
Server
Lists the number of servers that have the highest number of DNS request rejections. Click the arrow to view the pictorial graph of the Most Impacted servers. Click the number displayed on the Server card, to view a detailed description of the impacted servers:
- Server IP--IP address of each server.
- Total Failures(%)--Total number and percentage of failure packets at the site multiplied by 100.
- Query Attempts--Number of query attempts sent to the DNS server.
- Query Success(%)--Percentage of successful DNS queries.
- Query Format Error--Error in the DNS query format sent to the DNS server in a site.
- Request Failed to Complete--DNS request failed to complete, and the server responds with an error code.
- Domain Name Does Not Exist--Domain name sent to the DNS server does not exist and the server responds with an error code.
- Function Not Implemented--Function is not implemented on the DNS server and the server responds with an error code.
- Server Refused to Answer Query--Server refused to answer the query and responds with an error code.
Access Point
Lists the number and details of access points that have the highest number of DNS request rejections. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- Success Rate--Graphical representation of the total failures and total successful requests that occurred at the server.
Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- AP Serial--Serial number of the AP.
- Total Failures(%)--Total number and percentage of failure packets at the site multiplied by 100.
- Query Attempts--Number of query attempts sent to the DNS server in each AP.
- Query Success(%)--Percentage of successful DNS queries in each AP.
- Query Format Error--Error in the DNS query format sent to the DNS server in each AP.
- Request Failed to Complete--DNS request failed to complete, and the server responds with an error code.
- Domain Name Does Not Exist--Domain name sent to the DNS server does not exist and the server responds with an error code.
- Function Not Implemented--Function is not implemented on the DNS server and the server responds with an error code.
- Server Refused to Answer Query--Server refused to answer the query and responds with an error code.
- Site--Name of the site where the AP resides.

Gateways with High Memory Usage
The Gateways had high Memory usage insight can be accessed from the Global, Site, and Gateways context. This insight provides information about gateways that have higher than normal memory utilization. It is categorized under availability since the clients connected to these gateways experience intermittent connectivity drops. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
The time series graph displays the percentage of impacted gateways in the network during the selected time period. You can hover your mouse on each bar graph to see the percentage of impacted gateways.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 93: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Gateway | Global, Site |
| Memory | Device |


Site
Lists the number of sites where the gateways experience high memory utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Number of Gateways--Number of gateways that experience high memory utilization in each site.
- Duration (mins)--Amount of time (minutes) high memory utilization observed in each site.
Gateway
Lists the number and details of gateways that experience high memory utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted gateways. Click the Gateway drop-down list, to view the following:
- Gateway Model--Pictorial graph of memory utilization classified by gateway models.
- FW Version--Pictorial graph of memory utilization classified by gateway firmware versions.
- Mode--Operational mode of the gateway.
Click the number displayed on the Gateway card to view a detailed description of the impacted gateways:
- Serial--Serial number of each gateway and link to the specific insight at the gateway context.
- Gateway Name--Name of the gateway that experiences high memory utilization.
- Mode--Operational mode of the gateway.
- Max Memory--Maximum memory consumed by the gateway.
- Minutes with High Memory--Amount of time (minutes) high memory utilization observed in each gateway.
- Model--Model number of each gateway.
- FW Version--Version of the firmware running on each gateway.
- Site--Name of the site where the gateway resides.
Memory
The Memory card is displayed only when this insight is accessed from the device context. Click the arrow to expand the card and view the graphical representation of the time series of memory utilization percentage in the selected gateway.
Gateways with High CPU Utilization
The Gateways had unusually high CPU utilization insight can be accessed from the Global, Site, and Gateways context. This insight provides information about gateways that have higher than normal CPU utilization. It is categorized under availability since the clients connected to these gateways experience intermittent connectivity drops. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
The time series graph displays the percentage of impacted gateways in the network during the selected time period. You can hover your mouse on each bar graph to see the percentage of impacted gateways.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 94: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Gateway | Global, Site |
| CPU | Device |

Site
Lists the number of sites where the gateways experience high CPU utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Number of Gateways--Number of gateways that experience high CPU utilization in each site.
- Duration (mins)--Amount of time (minutes) high CPU utilization observed in each site.
Gateway
Lists the number and details of gateways that experience high CPU utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted gateways. Click the Gateway drop-down list, to view the following:
- Gateway Model--Pictorial graph of CPU utilization classified by gateway models.
- FW Version--Pictorial graph of CPU utilization classified by gateway firmware versions.
- Mode--Operational mode of the gateway.
Click the number displayed on the Gateway card to view a detailed description of the impacted gateways:
- Serial--Serial number of each gateway and link to the specific insight at the gateway context.
- Gateway Name--Name of the gateway that experiences high CPU utilization.
- Mode--Operational mode of the gateway.
- Max CPU--Rate of maximum CPU utilization observed in each gateway.
- Minutes with High CPU--Amount of time (minutes) high CPU utilization observed in each gateway.
- Model--The hardware model of each gateway.
- FW Version--Version of the firmware running on each gateway.
- Site--Name of the site where the gateway resides.


CPU
The CPU card is displayed only when this insight is accessed from the device context. Click the arrow to expand the card and view the graphical representation of the time series of CPU utilization percentage in the selected gateway.

Failure to Establish Gateway Tunnels
The Gateway tunnels failed to get established insight can be accessed from the Global, Site, and Gateways context. This insight provides information about gateway tunnels that are marked down in the network. It is categorized under availability since the clients connected to these gateways experience connectivity drops.

Gateway Tunnels Down insight is available for branch and VPNC gateways in the network.

Tunnels are marked down in the network based on the following scenarios:
- If Aruba Central receives telemetry from branch gateway that a specific tunnel is down
- If Aruba Central receives telemetry from the VPNC that a specific tunnel is down
- Lack of telemetry from both branch and VPNC gateway
This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for tunnel down in the network.
- Minutes Down--Displays the exact number and percentage of tunnel down that occurred against each failure reason.

Time Series Graph
The time series graph displays the percentage and number of tunnels down in the network during the selected time period. You can hover your mouse on each bar graph to see the exact percentage of tunnels down.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 95: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Gateway | Global, Site |
| VPNC | Global, Site, Device |
| Tunnel | Global, Site, Device |

Site
Lists the number of sites where the gateways experience tunnel down. Click the arrow to expand the card and click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Number of Down Tunnels--Number of tunnels down in each site that experience high memory utilization in each site.
- Total Tunnels--Total number of gateway tunnels in each site.
- Number of Impacted Gateways--Number of gateways impacted by tunnel down in each site.
- Number of Impacted VPNC--Number of VPNC gateways that experience tunnel down in each site.
Gateway
Lists the number and the reason for the cause of tunnel down in gateways. Click the arrow to expand the card and click the number displayed on the Gateway card to view a detailed description of the impacted gateways:
- Serial--Serial number of each gateway and link to the Gateway Details page.
- Gateway Name--Name of the gateway that experiences tunnel down.
- Mode--Operational mode of the gateway.
- Number of Tunnels--Number of tunnels down in each gateway.
- Total Tunnels--Total number of tunnels in each gateway.
- Duration (mins)--Time range of tunnel down in each gateway.
- Model--The hardware model number of the gateway.
- FW Version--Version of the firmware running on each gateway.
- Site--Name of the site where the gateway resides.
VPNC
Displays the total number of VPNC gateways experiencing tunnel down. Click the arrow to expand the card and view the amount of time (minutes) and the reasons for the cause of down tunnels on the VPNC gateways. Click the number displayed on the VPNC card to view a detailed description of the impacted VPNC gateways:
- Serial--Serial number of each gateway and link to the specific insight at the gateway context.
- Gateway Name--Name of the gateway that experiences tunnel down.
- Mode--Operation mode of the VPNC.
- Total Number of Tunnels Down--Number of tunnels down in each gateway.
- Total Number of Tunnels--Number of tunnels down in each gateway.
- Number of Gateways--Number of gateways impacted by tunnel down.
- Number of Sites--Number of sites impacted by tunnel down.
- Duration (mins)--Time range of tunnel down in each gateway.
- Model--The hardware model number of the gateway.
- FW Version--Version of the firmware running on each gateway.
- Site--Name of the site where the gateway resides.
Tunnel
Displays the total number of gateways experiencing tunnel down. Click the arrow to expand the card to view the amount of time (minutes) and the reasons for the cause of tunnel down in the network. Click the number displayed on the Tunnel card to view a detailed description of the impacted tunnels:
- Site--Name of the site where the tunnel resides and link to the specific insight at the site context.
- Gateway IP--IP address of the impacted gateway.
- VPNC IP--IP address of the impacted VPNC gateway.
- Duration (mins)--Time range of tunnel down.
- Gateway VLAN--VLAN ID of the gateway.
- VPNC VLAN--VLAN ID of the VPNC.
- Gateway Name--Name of the gateway where the tunnel is down.
- Gateway MAC--MAC address of the impacted gateway.
- VPNC Name--Name of the VPNC gateway where the tunnel is down.
- VPNC MAC--MAC address of the impacted VPNC gateway.
- Gateway Serial--Serial number of the gateway and link to the specific insight at the gateway context.
- VPNC Serial--Serial number of VPNC gateway.
DNS Queries Failed to Reach or Return from the Server
The DNS queries failed to reach or return from the server insight can be accessed from the Global, Site, and Access Points context. This insight provides information about wireless APs that experience a higher than normal number of connection failures with the DNS server. It is categorized under connectivity since the wireless clients are unable to reach the destination URL. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.

Time Series Graph
The time series graph displays the number of connection losses with the DNS server that occurred during the selected time. You can hover your mouse on each bar graph to see the exact number of losses.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 96: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Server | Global, Site, Device |
| Access Point | Global, Site |

Site
Lists the number of sites that experience connection loss with the DNS server in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Lost DNS Queries (%)--Total count of the DNS packets that get lost in the network. DNS server does not receive these packets.
- Total Queries--Total number of successful DNS queries, denied DNS queries, and lost queries in the DNS server.
Server
Lists the number of servers that have a higher number of DNS connection failures in the network. Click the arrow to view the pictorial graph of the Most Impacted servers. Click the number displayed on the Server card, to view a detailed description of the impacted servers:
- Server IP--IP address of each server.
- Lost DNS Queries (%)--Total count of the DNS packets that get lost in the network. DNS server does not receive these packets.
- Total Queries--Total number of successful DNS queries, denied DNS queries, and lost queries in the DNS server.
Access Point
Lists the number and details of APs that have a higher number of DNS connection failures in the network. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- Success Rate--Graphical representation of the total failures and total successful requests that occurred at the AP.
Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- AP Serial--Serial number of the AP.
- Lost DNS Queries (%)--Total count of the DNS packets that get lost in the network. DNS server does not receive these packets.
- Total Queries--Total number of successful DNS queries, denied DNS queries, and lost queries in the DNS server.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
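The failure columns of the DNS Servers Rejected High Number of Queries insight and the lost-query column of this insight can be reproduced from a packet capture when validating what the dashboard reports. The following Python code is an added example, not Aruba Central code: it assumes the column names map to the RFC 1035 response codes noted in the comments, computes every percentage against query attempts, and runs on a constructed header-only capture with documentation-range server addresses.

```python
import struct
from collections import Counter, defaultdict

# Assumed mapping of the guide's column names to RFC 1035 RCODE values.
RCODE_COLUMNS = {
    1: "Query Format Error",              # FORMERR
    2: "Request Failed to Complete",      # SERVFAIL
    3: "Domain Name Does Not Exist",      # NXDOMAIN
    4: "Function Not Implemented",        # NOTIMP
    5: "Server Refused to Answer Query",  # REFUSED
}


def parse_header(packet):
    """Return (transaction_id, is_response, rcode) from a raw DNS message."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes; packet is truncated")
    txid, flags = struct.unpack("!HH", packet[:4])
    # QR is the top bit of the flags word, RCODE the low four bits.
    return txid, bool(flags & 0x8000), flags & 0x000F


def summarize(capture):
    """capture: iterable of (server_ip, raw_packet). Returns {server_ip: row}."""
    pending = defaultdict(set)     # server -> query IDs still unanswered
    attempts = Counter()           # server -> distinct queries sent
    rcodes = defaultdict(Counter)  # server -> RCODE -> matched responses
    for server, packet in capture:
        try:
            txid, is_response, rcode = parse_header(packet)
        except ValueError:
            continue               # truncated packets are not counted
        if not is_response:
            if txid not in pending[server]:  # a retransmission counts once
                pending[server].add(txid)
                attempts[server] += 1
        elif txid in pending[server]:        # ignore unsolicited responses
            pending[server].discard(txid)
            rcodes[server][rcode] += 1

    rows = {}
    for server, total in attempts.items():
        rejected = sum(n for rc, n in rcodes[server].items() if rc != 0)
        lost = len(pending[server])          # queries that never got a reply
        row = {
            "Query Attempts": total,
            "Query Success(%)": round(100 * rcodes[server][0] / total, 1),
            # Assumption: rejected responses as a share of query attempts.
            "Total Failures(%)": round(100 * rejected / total, 1),
            "Lost DNS Queries (%)": round(100 * lost / total, 1),
        }
        for rc, name in RCODE_COLUMNS.items():
            row[name] = rcodes[server][rc]
        rows[server] = row
    return rows


def build_msg(txid, response=False, rcode=0):
    """Build a header-only DNS message (constructed test data)."""
    flags = (0x8180 if response else 0x0100) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


# Constructed capture: two servers, one lost query, one truncated packet,
# and one unsolicited response.
SAMPLE_CAPTURE = [
    ("192.0.2.53", build_msg(1)), ("192.0.2.53", build_msg(1, True, 0)),
    ("192.0.2.53", build_msg(2)), ("192.0.2.53", build_msg(2, True, 3)),
    ("192.0.2.53", build_msg(3)), ("192.0.2.53", build_msg(3, True, 5)),
    ("192.0.2.53", build_msg(4)), ("192.0.2.53", build_msg(4, True, 0)),
    ("192.0.2.53", build_msg(5)),                # never answered
    ("192.0.2.53", b"\x12\x34"),                 # truncated
    ("192.0.2.53", build_msg(99, True, 2)),      # unsolicited
    ("192.0.2.54", build_msg(10)), ("192.0.2.54", build_msg(10, True, 2)),
    ("192.0.2.54", build_msg(11)), ("192.0.2.54", build_msg(11, True, 0)),
]

if __name__ == "__main__":
    for server, row in summarize(SAMPLE_CAPTURE).items():
        print(server, row)
```

A server whose lost-query share is high while its rejected share is low points to a path or reachability problem rather than a server-side policy or zone problem.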

Telemetry Information not Received from APs or Radios
The Information (telemetry) was not received from APs/Radios insight can be accessed from the Global, Site, and Access Points context. This insight provides information about AP radios that missed sending telemetry data to Aruba Central, and is categorized under availability since AI insights loses visibility of the APs. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
The time series graph displays the number of 2.4 GHz and 5 GHz radios that failed to send telemetry data during the selected time period. You can hover your mouse over each bar graph to see the exact number of missing radios.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 97: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Access Point | Global, Site |

Site
Lists the number of sites where the APs experience missing telemetry. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Radios Impacted--Number of radio channels that missed telemetry data.
- Minutes Missing--Time range of missing telemetry in each site.
- Hours Missing--Hourly data of the missing telemetry in each site.
Access Point
Lists the number and details of APs that experience missing telemetry. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- Total Time (HH:MM)--Total time range (minutes/hours) of missing telemetry in both 2.4 GHz and 5 GHz bands.
- 2.4 GHz Time (HH:MM, %)--Time range (minutes/hours) and percentage of missing telemetry in 2.4 GHz band.
- 5 GHz Time (HH:MM,%)--Time range (minutes/hours) and percentage of missing telemetry in 5 GHz band.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- AP Serial--Serial number of the AP.
- Firmware--Version of the firmware running on each AP.
- Model--Model number of each AP.
- Site--Name of the site where the AP resides.
Outdoor Clients Impacting Wi-Fi Performance
The Outdoor clients are impacting Wi-Fi performance insight is used to understand which outdoor clients are affecting the performance of the indoor AP. This insight can be accessed only at the Global context, and is triggered when the probe SNR threshold is not set optimally. This insight is categorized under wireless quality as low SNR clients (outdoor) experience poor Wi-Fi connectivity, which in turn affects other indoor clients. This insight provides information about the optimum probe/auth SNR threshold value per AP and per SSID. It also provides the recommended configuration value for probe/auth SNR threshold below which APs ignore probe requests and authentication requests from outdoor clients.
Important Points to Note
- The outdoor clients are located far from the AP having low SNR value, whereas the indoor clients are located near the AP having high SNR value.
- Ensure that the SNR threshold value is set between 8 dBm and 16 dBm. If the value is set below 8 dBm, the system sets it back to 8 dBm. If the value is set above 16 dBm, the system sets it back to 16 dBm. If the value is set between +3 and -3, no specific recommendation is provided as there might be a few clients in the network.
This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:

- SSID--The list of SSIDs impacted by outdoor clients.
- Recommendation--Change the Probe SNR/RSSI threshold and the Auth SNR/RSSI threshold to the recommended value to improve the performance for the indoor Wi-Fi clients.
Time Series Graph
The time series graph displays the current and the recommended threshold (dBm) for each client type in the network. To rectify the issue, the Probe SNR threshold must be set to the recommended value. This frees up airtime and AP resources for indoor users. The following figure displays the SNR threshold graph based on the SSID selected from the drop-down list and contains the recommended SNR threshold value:
Figure 114 Sample Probe SNR Threshold Graph

The probe SNR threshold graph provides the following details:
- Outdoor--The number of outdoor minutes at that SNR.
- Indoor--The number of indoor minutes at that SNR.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 98: Cards Context

| Cards | Context |
|---|---|
| Access Point | Global |
| Outdoor Clients | Global |
| Outdoor Minutes | Global |

Access Point
Displays the details of APs that are impacted by outdoor clients. Click the arrow to view the pictorial graph of the Most Impacted access points. Select an SSID from the Access Point drop-down list to view the most impacted APs. Click the number displayed on the Access Point card, to view a detailed description of the impacted APs:
- AP Name--Name of the impacted AP and link to the specific insight at the AP context.
- SSID--The impacted SSID name.
- Low SNR Minutes--The duration for which the connected clients have low SNR value.
- Recommended Threshold--The recommended value of the Probe SNR/RSSI Threshold and Auth SNR/RSSI Threshold.
- Site--Name of the site where the AP resides.

Outdoor Clients
Lists the name, MAC address, duration, SSID, client OS, and site of clients below the proposed SNR threshold. Click the arrow to view the pictorial graph of the Most Impacted clients. Select an SSID from the Outdoor Clients drop-down list to view the most impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Host name of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the impacted client and link to the specific insight at the client context.
- Duration (mins)--Number of minutes client was outside below the recommended Probe/Auth SNR threshold.
- SSID--The SSID impacted by outdoor clients.
- Client OS--OS type of the device.
- Site--Name of the site where the client resides.
Outdoor Minutes
Displays the percentage of avoided outdoor client minutes and affected indoor client minutes in a chart. Click the arrow to view a pictorial graph of the Most Impacted outdoor minutes. Click the number displayed on the Outdoor Minutes card, to view a detailed description of the impacted SSIDs:
- SSID--The impacted SSID name.
- Total Traffic (%)--The percentage of total traffic impacted.
- Current Authentication Threshold (min-max)--The minimum and maximum value of the current SNR/RSSI authentication threshold.
- Recommended Auth Threshold--The recommended value of the SNR/RSSI authentication threshold.
- Current Probe Threshold (min-max)--The minimum and maximum value of the current probe SNR/RSSI threshold.
- Recommended Probe Threshold--The recommended value of the probe SNR/RSSI threshold.
- Outdoor Minutes Rejected if recommendation is applied to all APs--The outdoor minutes that are rejected if recommendation is applied to all APs.
- Indoor Minutes sacrificed if recommendation is applied to all APs--The indoor minutes that are sacrificed if recommendation is applied to all APs.
- Outdoor Minutes Rejected if recommendation is applied to recommended subset of APs--The outdoor minutes that are rejected if recommendation is applied to recommended subset of APs.
- Indoor Minutes sacrificed if recommendation is applied to recommended subset of APs--The indoor minutes that are sacrificed if recommendation is applied to recommended subset of APs.
AOS-CX Switches with High CPU Utilization
The CX Switches had unusually high CPU utilization insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches experiencing higher than normal CPU utilization. It is categorized under availability since the impacted switches and the associated devices experience connectivity issues. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing high CPU utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing high CPU utilization during the selected time period.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 99: Cards Context

Cards  | Context
Site   | Global
Switch | Global, Site
CPU    | Device

Site
Lists the number of sites where the switches experience high CPU utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Switches with High CPU--Number of switches experiencing high CPU utilization in each site.
- Minutes with High CPU--Amount of time (minutes) high CPU utilization observed in each site.
Switch
Lists the number of switches that experience high CPU utilization. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of the high CPU utilization sorted by switch models.
- FW Version--Pictorial graph of high CPU utilization sorted by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing high CPU utilization and link to the specific insight at the switch context.
- Serial--Serial number of the switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Max CPU--Maximum utilization of the CPU in each switch.
- Minutes with High CPU--Time range of high CPU utilization on each switch.
- Model--Model number of each switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
CPU
Lists the time series of CPU utilization percentage for a switch. Click the arrow to expand the card and view the graphical representation of the data in the selected switch. Click the number displayed on the CPU card to view a detailed description of the impacted switch:
- Switch Name--Name of the switch experiencing high memory utilization.
- Max CPU--Maximum utilization of the CPU in a specific switch.
- Total Metrics--Total metrics of the utilization.
- Percentage Metrics--Percentage metrics of the utilization.
- Model--Model number of each switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.

AOS-CX Switches with High Memory Usage
The CX Switches had unusually high memory usage insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches experiencing higher than normal memory utilization, and is categorized under availability since the impacted switches and the associated devices experience connectivity issues. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing high memory utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing high memory utilization during the selected time period.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 100: Cards Context

Cards  | Context
Site   | Global
Switch | Global, Site
Memory | Device

Site
Lists the number of sites where the switches experience high memory utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Switches with High Memory--Number of switches experiencing high memory utilization in each site.
- Minutes with High Memory--Amount of time (minutes) high memory utilization observed in each site.
Switch
Lists the number of switches that experience high memory utilization. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of the high memory utilization sorted by switch models.
- FW Version--Pictorial graph of high memory utilization sorted by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing high memory utilization and link to the specific insight at the switch context.
- Serial--Serial number of the switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Max Memory--Maximum utilization of memory in each switch.
- Minutes with High Memory--Time range of high memory utilization on each switch.
- Model--Model number of each switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Memory
Lists the time series of memory utilization percentage for a switch. Click the arrow to expand the card and view the graphical representation of the data in the selected switch. Click the number displayed on the Memory card to view a detailed description of the impacted switch:
- Switch Name--Name of the switch experiencing high memory utilization.
- Max Memory--Maximum utilization of memory in a specific switch.
- Avg Memory--Average utilization of memory in a specific switch.
- Total Metrics--Total metrics of the utilization.
- Percentage Metrics--Percentage metrics of the utilization.
- Model--Model number of each switch.
- FW Version--Version of the firmware running on each switch.
- Site Name--Name of the site where the switch exists.

AOS-CX Switch Ports with High Power-over-Ethernet Problems
The CX Switch ports had a high number with Power-over-Ethernet problems insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that have not received required power from PoE devices connected to them. PoE issues occur in switches when power is denied, or power is demoted from the device connected to them. It is categorized under availability since the impacted switches are unable to receive sufficient power. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing power issues in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing power issues during the selected time period.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 101: Cards Context

Cards         | Context
Site          | Global
Switch        | Global, Site
Wired Clients | Global, Site

Site
Lists the number of sites where switches have PoE issues. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Events--Number of events generated pertaining to PoE failures in each site.
- Ports--Number of ports for which power is denied.
- Switches--Number of switches for which power is denied.
- Impact (Minutes)--Amount of time (minutes) for which power is denied in each site.
Switch
Lists the number of switches that experience PoE issues in the network. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:

- Switch Model--Pictorial graph of PoE issues classified by switch models.
- FW Version--Pictorial graph of PoE issues classified by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Events--Number of events generated pertaining to PoE failures in each switch.
- Wired Clients--Number of clients impacted by the PoE failures.
- Impact (Minutes)--Amount of time (minutes) for which power is denied in each switch.
- Stack ID--Stack ID of the impacted switch.
- Number of Events--Number of events generated pertaining to PoE failures in each switch.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Wired Clients
Lists the MAC address, name, host name, and auth ID of the clients connected to a switch that experience PoE issues. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the Wired Clients drop-down list to view the following:
- Model--Pictorial graph of all the device type models connected to the impacted switch.
- Vendor--Pictorial graph of the device type vendors connected to the impacted switch.
Click the number displayed on the Wired Clients card to view a detailed description of the impacted switches:
- Wired Client--Name of the client.
- Client MAC--MAC address of the client.
- Description--An overview of the connected devices, including the OS type, model, and version.
- Switch Name--Name of the impacted switch where the client resides and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch where the client resides.
- Port Number--Port number of the switch the client device is connected to.
- Power Requested/Offered--PoE consumption for each client.
- Reason--Cause of the denied PoE power in each client.
- Status--Status of client.
- Model--Hardware model of the impacted switch where the client resides.
- Vendor--Vendor of the wired client.
- Site--Name of the site where the client resides.
AOS-CX Switches with High Port Errors
The CX Switches had an unusual number of port errors insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that experience excessive port errors confined to Layer 1 and Layer 2 in the network. This insight is categorized under availability since the wired devices connected to the affected ports experience connectivity issues. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes of the failure.
- Recommendation--Displays the recommended action to resolve each failure.
- Errors--Displays the exact number and percentage of failures that occurred for each failure reason.

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing port errors in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing port errors during the selected time period.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 102: Cards Context

Cards  | Context
Site   | Global
Switch | Global, Site
Port   | Global, Site, Device

Site
Lists the number of sites where switches have port errors. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Switches with Port Errors--Number of the switches experiencing port errors.
- Number of Errors--Number of errors in each site.
- Number of Ports--Number of ports experiencing errors in each site.

Switch
Lists the number of switches that experience excessive port errors in the network. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of port errors classified by switch models.
- FW Version--Pictorial graph of port errors classified by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing port errors and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Number of Errors--Number of port errors in each switch.
- Number of Ports--Number of ports experiencing excessive errors.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Port
Number of ports experiencing excessive errors. Click the arrow to view the pictorial graph of the Most Impacted ports. Click the number displayed on the Port card, to view a detailed description of the impacted ports:
- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Switch MAC--MAC address of the impacted switch.
- Port Number--Port number of the switch.
- Number of Errors--Number of port errors in each port.
- Status--Status of the impacted switch.
- Connected Device--MAC address of the connected device.
- Connected Device MAC--MAC address of the client device.
- Connected Device Description--An overview of the connected devices, including the OS type, model, and version.
AOS-CX Switches with High Port Flaps
The CX Switches had excessive port flaps insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that experience port flaps in the network. It is categorized under availability since this causes connectivity drops and also triggers the reboot of PoE devices. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing port flaps in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing port flaps during the selected time period.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 103: Cards Context

Cards  | Context
Site   | Global
Switch | Global, Site
Port   | Global, Site, Device

Site
Site card is accessible only when this insight is accessed from the global context. It lists the number of sites where switches have port flaps. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Switches with Excessive Flaps--Number of the switches experiencing port flaps.
- Number of Flaps--Number of errors in each site.
- Number of Ports--Number of ports experiencing flaps in each site.
Switch
Lists the number of switches that experience excessive port flaps in the network. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of port flaps classified by switch models.
- FW Version--Pictorial graph of port flaps classified by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing port flaps and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Number of Flaps--Number of port flaps in each switch.
- Number of Ports--Number of ports affected by excessive flaps.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Port
Number of ports experiencing excessive flaps. Click the arrow to view the pictorial graph of the Most Impacted ports. Click the number displayed on the Port card, to view a detailed description of the impacted ports:
- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Switch MAC--MAC address of the impacted switch.
- Port Number--Port number of the switch.
- Number of Flaps--Number of port flaps in each port.
- Status--Status of the impacted switch.
- Connected Device--MAC address of the connected device.
- Connected Device MAC--MAC address of the client device.
- Connected Device Description--An overview of the connected devices, including the OS type, model, and version.
AOS-Switches with High Port Errors
The PVOS Switches had an unusual number of port errors insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that experience excessive port errors confined to Layer 1 and Layer 2 in the network. This insight is categorized under availability since the wired devices connected to the affected ports experience connectivity issues. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards
Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes of the failure.
- Recommendation--Displays the recommended action to resolve each failure.
- Errors--Displays the exact number and percentage of failures that occurred for each failure reason.

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing port errors in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing port errors during the selected time period.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 104: Cards Context

Cards  | Context
Site   | Global
Switch | Global, Site
Port   | Global, Site, Device

Site
Lists the number of sites where switches have port errors. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Switches with Port Errors--Number of the switches experiencing port errors.
- Number of Errors--Number of errors in each site.
- Number of Ports--Number of ports experiencing errors in each site.
Switch
Lists the number of switches that experience excessive port errors in the network. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of port errors classified by switch models.
- FW Version--Pictorial graph of port errors classified by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing port errors and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Number of Errors--Number of port errors in each switch.
- Number of Ports--Number of ports experiencing excessive errors.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Port
Number of ports experiencing excessive errors. Click the arrow to view the pictorial graph of the Most Impacted ports. Click the number displayed on the Port card, to view a detailed description of the impacted ports:
- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Switch MAC--MAC address of the impacted switch.
- Port Number--Port number of the switch.
- Number of Errors--Number of port errors in each port.
- Status--Status of the impacted switch.
- Connected Device--MAC address of the connected device.
- Connected Device MAC--MAC address of the client device.
- Connected Device Description--An overview of the connected devices, including the OS type, model, and version.
AOS-Switches with High Port Flaps
The PVOS Switches had excessive port flaps insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that experience port flaps in the network. It is categorized under availability since this causes connectivity drops and also triggers the reboot of PoE devices. This insight displays the following information:
- Time Series Graph
- Cards
Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing port flaps in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing port flaps during the selected time period.
Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 105: Cards Context

Cards  | Context
Site   | Global
Switch | Global, Site
Port   | Global, Site, Device

Site
Site card is accessible only when this insight is accessed from the global context. It lists the number of sites where switches have port flaps. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Switches with Excessive Flaps--Number of the switches experiencing port flaps.
- Number of Flaps--Number of errors in each site.
- Number of Ports--Number of ports experiencing flaps in each site.
Switch
Lists the number of switches that experience excessive port flaps in the network. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of port flaps classified by switch models.
- FW Version--Pictorial graph of port flaps classified by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing port flaps and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Number of Flaps--Number of port flaps in each switch.
- Number of Ports--Number of ports affected by excessive flaps.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site Name--Name of the site where the switch exists.
Port
Number of ports experiencing excessive flaps. Click the arrow to view the pictorial graph of the Most Impacted ports. Click the number displayed on the Port card, to view a detailed description of the impacted ports:
- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Switch MAC--MAC address of the impacted switch.
- Port Number--Port number of the switch.
- Number of Flaps--Number of port flaps in each port.
- Status--Status of the impacted switch.
- Connected Device--MAC address of the connected device.
- Connected Device MAC--MAC address of the client device.
- Connected Device Description--An overview of the connected devices, including the OS type, model, and version.

AOS-Switches with High CPU Utilization
The PVOS Switches had unusually high CPU utilization insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches experiencing higher than normal CPU utilization. It is categorized under availability since the impacted switches and the associated devices experience connectivity issues. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing high CPU utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing high CPU utilization during the selected time period.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 106: Cards Context

Cards  | Context
Site   | Global
Switch | Global, Site
CPU    | Device

Site
Lists the number of sites where the switches experience high CPU utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Switches with High CPU--Number of switches experiencing high CPU utilization in each site.
- Minutes with High CPU--Amount of time (minutes) high CPU utilization observed in each site.
Switch
Lists the number of switches that experience high CPU utilization. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of the high CPU utilization sorted by switch models.
- FW Version--Pictorial graph of high CPU utilization sorted by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing high CPU utilization and link to the specific insight at the switch context.
- Serial--Serial number of the switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Max CPU--Maximum utilization of the CPU in each switch.
- Minutes with High CPU--Time range of high CPU utilization on each switch.
- Model--Model number of each switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
CPU
Lists the time series of CPU utilization percentage for a switch. Click the arrow to expand the card and view the graphical representation of the data in the selected switch. Click the number displayed on the CPU card to view a detailed description of the impacted switch:
- Switch Name--Name of the switch experiencing high memory utilization.
- Max CPU--Maximum utilization of the CPU in a specific switch.
- Total Metrics--Total metrics of the utilization.
- Percentage Metrics--Percentage metrics of the utilization.
- Model--Model number of each switch.
- Firmware--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
AOS-Switches with High Memory Usage
The PVOS Switches had unusually high memory usage insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches experiencing higher than normal memory utilization, and is categorized under availability since the impacted switches and the associated devices experience connectivity issues. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing high memory utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing high memory utilization during the selected time period.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 107: Cards Context

Cards  | Context
Site   | Global
Switch | Global, Site
Memory | Device

Site
Lists the number of sites where the switches experience high memory utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Switches with High Memory--Number of switches experiencing high memory utilization in each site.
- Minutes with High Memory--Amount of time (minutes) high memory utilization observed in each site.
Switch
Lists the number of switches that experience high memory utilization. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of the high memory utilization sorted by switch models.
- FW Version--Pictorial graph of high memory utilization sorted by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing high memory utilization and link to the specific insight at the switch context.
- Serial--Serial number of the switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Max Memory (%)--Maximum utilization of memory in each switch.
- Minutes with High Memory--Time range of high memory utilization on each switch.
- Model--Model number of each switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Memory
Lists the time series of memory utilization percentage for a switch. Click the arrow to expand the card and view the graphical representation of the data in the selected switch. Click the number displayed on the Memory card to view a detailed description of the impacted switch:
- Switch Name--Name of the switch experiencing high memory utilization.
- Max Memory--Maximum utilization of memory in a specific switch.
- Avg Memory--Average utilization of memory in a specific switch.
- Total Metrics--Total metrics of the utilization.
- Percentage Metrics--Percentage metrics of the utilization.
- Model--Model number of each switch.
- Firmware--Version of the firmware running on each switch.
- Site Name--Name of the site where the switch exists.

AOS-Switch Ports with High Power-over-Ethernet Problems
The PVOS Switch ports had a high number with Power-over-Ethernet problems insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that have not received required power from PoE devices connected to them. PoE issues occur in switches when power is denied, or power is demoted from the device connected to them. It is categorized under availability since the impacted switches are unable to receive sufficient power. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing power issues in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing power issues during the selected time period.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 108: Cards Context

| Cards | Context |
|---|---|
| Site | Global |
| Switch | Global, Site |
| Wired Clients | Global, Site |

Site
Lists the number of sites where switches have PoE issue. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Events--Number of events generated pertaining to PoE failures in each site.
- Ports--Number of ports for which power is denied.
- Switches--Number of switches for which power is denied.
- Impact (Minutes)--Amount of time (minutes) for which power is denied in each site.
Switch
Lists the number of switches that experience PoE issues in the network. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of PoE issues classified by switch models.
- FW Version--Pictorial graph of PoE issues classified by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Events--Number of events generated pertaining to PoE failures in each switch.
- Wired Clients--Number of clients impacted by the PoE failures.
- Impact (Minutes)--Amount of time (minutes) for which power is denied in each switch.
- Stack ID--Stack ID of the impacted switch.
- Number of Events--Number of events generated pertaining to PoE failures in each switch.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Wired Clients
Lists the MAC Address, name, host name, and auth ID of the clients connected to a switch that experience PoE issues. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the Wired Clients drop-down list to view the following:
- Model--Pictorial graph of all the device type models connected to the impacted switch.
- Vendor--Pictorial graph of the device type vendors connected to the impacted switch.

Click the number displayed on the Wired Clients card to view a detailed description of the impacted switches:
- Wired Client--Name of the client.
- Client MAC--MAC address of the client.
- Description--An overview of the connected devices, including the OS type, model, and version.
- Switch Name--Name of the impacted switch where the client resides and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch where the client resides.
- Port Number--Port number of the switch the client device is connected to.
- Power Requested/Offered--PoE consumption for each client.
- Reason--Cause of the denied PoE power in each client.
- Status--Status of client.
- Model--Hardware model of the impacted switch where the client resides.
- Vendor--Vendor of the wired client.
- Site--Name of the site where the client resides.


Chapter 7 Managed Service Provider

Managed Service Provider
Aruba Central is a SaaS platform that provides a single customer login for all cloud applications delivered by Aruba. Aruba Central in MSP mode consists of the Network Operations app and the Account Home page. The Network Operations app in Aruba Central provides a cloud-based network management platform for managing your wireless and wired networks with Aruba Instant APs and Switches. Along with device and network management functions, the Network Operations app offers value-added services such as customized guest access, client presence and service assurance analytics. In Account Home, you can manage network inventory, subscriptions, user access and other functions.
The Managed Service Provider (MSP) mode is a multi-tenant operational mode that Aruba Central accounts can be converted into, provided these accounts have subscribed to the Network Operations app. Enabling MSP mode for the Network Operations app provides additional options that an administrator can use to manage multiple independent Aruba Central accounts from a single interface.
With the MSP mode enabled, MSP administrators can provision tenant accounts, allocate devices, assign subscriptions, and monitor tenant accounts. MSP administrators can drill down to a specific tenant account and perform additional administration and configuration tasks.

Terminology
Take a few minutes to familiarize yourself with the following key terms:

| Term | Description |
|---|---|
| Standard Enterprise mode | Refers to the Aruba Central deployment mode in which customers manage their respective accounts end-to-end. The Standard Enterprise mode is a single-tenant environment for a single end-customer. |
| MSP mode | Refers to the Aruba Central deployment mode in which service providers centrally manage and monitor multiple tenant accounts from a single management interface. |
| Tenant accounts, Customer accounts | End-customer accounts created in the MSP mode. Each tenant is an independent instance of Aruba Central. |
| MSP administrator | Refers to owners of the primary account. These users have administrator privileges to provision, manage, and monitor tenant accounts. |
| Tenant users, Customers | Refers to the owners of an individual tenant account provisioned in the Managed Service Provider mode. The MSP administrator can create a tenant account. |

Getting Started with MSP Solution
Before you get started with your onboarding and provisioning operations, we recommend that you browse through the following topics to know the key capabilities of Aruba Central MSP Solution.
- Operational Modes and Interfaces
- About the Managed Service Portal User Interface
Navigate through the following steps to view help pages that describe the onboarding and provisioning procedures for MSP and tenant accounts:
1. Set up your Aruba Central account
2. Accessing Aruba Central Portal
3. Enabling Managed Service Mode
4. Onboard devices
5. Add subscription keys
6. Create groups
7. Provision tenant accounts
8. Assign devices to tenant accounts
9. Assign subscription to devices and services
10. Configure users and roles
11. Customize tenant account view
12. Add Certificates
13. Monitor tenant accounts
Enabling Managed Service Mode
The Enable MSP option is only available if the following conditions are met:
- You sign into Aruba Central as an administrator.
- The Aruba Central account is only subscribed to the Network Operations app. If the account has multiple subscriptions, such as both Network Operations and ClearPass Device Insight, the Enable MSP option is not available.
  Figure 115 Do Not Select the ClearPass Device Insight
- You access the User Settings icon from the Network Operations app and not the Account Home page.
To enable MSP mode, perform the following steps:
1. Log in to your Aruba Central account as an administrator.
2. Launch the Network Operations app.
   If you have subscriptions to other apps, enabling MSP mode is not supported, and the Enable MSP option is not available. In this case, create a new Aruba Central account with the Network Operations app and contact Aruba Technical Support to migrate devices and licenses to the new account.
3. Click the user icon.


4. Click Enable MSP.
   Figure 116 Click Enable MSP
5. In the Managed Service Mode pop-up window, fill in the required details and click Submit. In the confirmation pop-up window, the following message is displayed if the submitted information meets the acceptance criteria: MSP Mode is enabled for this account. If the submitted information does not meet the acceptance criteria, a request denied message is displayed along with the reason why the MSP mode is not recommended. MSP mode is not recommended and the MSP application is denied if one of the following conditions is true:
   - Your deployment of Aruba Central does not require you to deliver network management services to your end customers.
   - You are going to manage Aruba Central for your customers, however, the network devices are purchased by the customers. In this scenario, you can manage the customer accounts from the Standard Enterprise Mode by using the Switch Customer option. For more information on this deployment model, see End-Customer Owns Both Devices and Subscriptions But MSP Manages (Deployment Model 2).
6. Click OK. The page is automatically redirected to the MSP Dashboard view.
If your online application is rejected because the conditions for enabling MSP were not met, and you wish to revise the provided information, the Enable MSP option is reset after 30 minutes for you to try again.
Disabling the Managed Service Mode
If you do not want to use Managed Service Mode, you can switch to the Standard Enterprise mode. Delete all tenant account data before you proceed. To disable Managed Service mode:
1. Click the user icon.
2. Click Disable MSP.
   The option is grayed out if tenant account data exists.
3. In the Managed Service Mode pop-up window, click Disable Managed Service Mode.
MSP Mode Enablement Scenarios
You can convert the Standard Enterprise mode in the Network Operations app to MSP mode. Only the Network Operations app supports the MSP mode and it must be the only app running in Aruba Central for enabling the MSP mode. The following is a list of possible scenarios you might encounter while subscribing to the Network Operations app.
- Scenario 1: You sign up for Aruba Central to evaluate the Network Operations app as well as the ClearPass Device Insight app. Subsequently, you wish to enable MSP mode on the Network Operations app. MSP mode conversion is not allowed in this scenario. Create another Aruba Central account with only the Network Operations app and convert this account to MSP mode. Contact Aruba Support for migrating the devices and licenses.
- Scenario 2: You sign up for an Aruba Central account to evaluate the ClearPass Device Insight app. After that, you also sign up for evaluating the Network Operations app in standard enterprise mode in the same account. This mode of operation is supported.
- Scenario 3: You sign up for an Aruba Central account to evaluate the Network Operations app. After that, you also sign up for evaluating the ClearPass Device Insight in the same Aruba Central account. If you are running the Network Operations app in the standard enterprise mode, this mode of operation is supported.
Managing MSP Licenses
Aruba Central in the Managed Service Provider (MSP) mode supports the following types of licenses for APs, switches, and gateways:
- Foundation--Allows you to manage and monitor the APs, switches, and gateways of your customers or tenants through the Aruba Central MSP mode. This license provides all the features included in the legacy Device Management subscription and some additional features that were available as value-added services for APs in the earlier licensing model.
- Advanced--This license provides all the features of a Foundation License, with additional features related to AI Insights.


The licenses for APs, switches, and gateways cannot be used interchangeably. For example, you cannot use an AP Foundation License on a gateway. Similarly, if an Aruba 25xx Switch is in the inventory but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch. Before enabling the Auto-Assign License option for a specific device type, ensure that there are sufficient available licenses for the specific device type.
For more information on the different types of available licenses, see Aruba Central License Feature Details. A license key is an alphanumeric string with 9 to 14 characters; for example, PQREWD6ADWERAS. Aruba Central can manage a device only if the corresponding license key of the device is added to Aruba Central. License keys can either be evaluation license keys that map to evaluation licenses or paid license keys that map to paid licenses. The evaluation license key is valid for 90 days. To use Aruba Central for managing, profiling, analyzing, and monitoring your devices, you must ensure that you have a valid license key and that the license key is listed in the Account Home > Global Settings > Key Management page.
The license keys are not mapped directly to devices. Before assigning a license key to a device, the system only checks whether there are licenses available in the pool for the device.
All license keys that are added to an MSP account go to a license pool, and devices are licensed from this MSP license pool. Licenses can be assigned to devices only when the devices are already mapped to customer accounts. In the MSP mode, all the hardware and licenses are owned by the MSP. The MSP temporarily assigns devices and their corresponding licenses to customers for the duration of the managed service contract. When the contract ends, the devices and the licenses are returned to the common pool of resources of the MSP and can be reassigned to another customer. You can either enable automatic assignment of licenses or manually assign licenses for devices added in Aruba Central MSP mode.
Enabling Automatic License Assignments
If you, as an MSP administrator, want to enable automatic assignment of licenses to the devices mapped to your customer accounts, note the following points:
- Aruba Central assigns licenses only if the devices are mapped to a customer account.
- When a device is moved from a customer account back to the MSP pool, Aruba Central removes the license assigned to this device.
- When the automatic license assignment is enabled, Aruba Central disables the device-specific and customer-specific overrides.
- When the automatic license assignment is enabled, all the existing customers and newly created customers in the MSP account inherit the license assignment settings. Subsequently, Aruba Central assigns licenses to the customers and their respective devices.
- If you migrate from the Standard Enterprise mode to the MSP mode, Aruba Central retains your license settings.
- If the devices are no longer mapped to a customer account, MSP administrators cannot assign licenses to these devices.
- If auto-assignment is enabled and the device license expires, you are notified about the license expiry. Aruba Central checks if an equivalent license of the same tier or capacity is available and reassigns that license to the device automatically. If an equivalent license is unavailable, Aruba Central un-assigns a set of devices to match the number of expiring licenses and you are notified that the device license is updated.

You can configure automatic license assignment either during initial setup or later from the Account Home page.
Automatic License Assignment from the Initial Setup Wizard
To enable automatic assignment of licenses from the Initial Setup Wizard:
1. Verify that you have a valid license key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the Assign License tab, slide the Auto-Assign Licenses toggle switch to the On position.
Automatic License Assignment from Account Home
To enable automatic assignment of licenses from the License Assignment page:
1. On the Account Home page, under Global Settings, click License Assignment. The License Management page is displayed.
2. In the Assign License tab, slide the Auto-Assign Licenses toggle switch to the On position. All the devices in your inventory are selected for automatic assignment of licenses. You can edit the list by clearing the existing selection and re-selecting devices.
When a license assigned to a device expires, or is canceled, Aruba Central checks for the available licenses in your account and assigns an available license of the longest validity to the device. If your account does not have an adequate number of licenses, you may have to manually assign licenses to as many devices as possible. To view the license utilization details and the number of licenses available in your account, go to the Account Home > Global Settings > Key Management page.
Enabling Manual License Assignments
You can disable the Auto-assign License option and manually assign licenses to devices. Licenses can be assigned only for devices which are mapped to a customer account. To manually assign licenses to devices or override the current assignment:
1. In the Account Home page, under Global Settings, click License Assignment. The License Management page is displayed.
2. Ensure that the Auto-Assign Licenses toggle switch is turned off. When you turn off the Auto-Assign Licenses toggle switch:
   - Automatic assignment of licenses for all the existing customers, including the MSP devices, is disabled.
   - All device licenses assigned to devices are preserved.
   - Devices must be assigned to customer accounts before licenses are assigned to them. If a license is assigned to a device that is not mapped to any specific customer account, Aruba Central displays the following error message: Please assign this device to a customer before licensing it. Customer assignment can be performed in the Device Inventory page.
3. Click one of the tabs for Access Points, Switches, or Gateways. Each of the device tabs has two sub-tabs: Unlicensed and Licensed.
4. You can use the Customer filter to display a specific customer.


5. In the Unlicensed tab, you can select one or multiple devices and click Manage or Manage Assignment. The Manual License Assignment (Manual) window is displayed.
6. From the Choose License Type drop-down menu, select a suitable license and click Update to assign a license. If the license update is successful, you get a notification and the device is no longer listed under the Unlicensed tab.
Removing or Updating a License from a Device
You can remove a license from a device or change the license assigned to a device from the License Assignment window.
1. In the Account Home page, under Global Settings, click License Assignment. Ensure that the Auto-Assign License toggle is turned off.
2. Click one of the tabs for Access Points, Switches, or Gateways. Each of the device tabs has two sub-tabs: Unlicensed and Licensed.
3. You can use the Customer filter to display a specific customer.
4. In the Licensed tab, you can select one or multiple devices for which you want to either update or remove a license.
5. Click Manage or Manage Assignment.
   The Manual License Assignment (Manual) window is displayed.
6. You can do one of the following:
   - To remove a license, click Unassign. The devices with unassigned licenses are no longer listed in the Licensed tab.
   - To update to a new license, from the Choose License Type drop-down menu, select a suitable license and click Update. If the license update is successful, you get a notification and the Licensed tab displays the updated licenses.
Acknowledging License Expiry Notifications
In the Account Home page, under Global Settings, click Key Management. The Key Management page displays the expiration date for each license. As a license's expiration date approaches, users receive expiry notifications. Users with an evaluation license receive license expiry notifications through email 30, 15, and 1 day before the license expiry and on day 1 after the license actually expires. Users with paid licenses receive license expiry notifications through email 90, 60, 30, 15, and 1 day before expiry and two notifications per day on day 1 and day 2 after the license expires.
Acknowledging Notifications through Email
If the user has multiple licenses, a consolidated email with the expiry notifications for all licenses is sent to the user. Users can acknowledge these notifications by clicking the Acknowledge All link in the email notification.

Figure 117 Acknowledging Notifications through Email

Acknowledging Notifications in the UI
If a license has already expired, or is about to expire within 24 hours, a license expiry notification message is displayed in a pop-up window when the user logs in to Aruba Central. To prevent Aruba Central from generating expiry notifications, click Acknowledge.
Renewing Licenses
To renew your licenses, contact the Aruba Sales team.
System Users and User Roles in MSP Mode
The Users and Roles page under Global Settings enables you to view, create, and modify users and roles. The Users and Roles page has two tabs: Users and Roles. The following topics are included:
- About Roles in MSP Home Account
  - Module Permissions for Roles
  - Adding a Custom Role in MSP Account Home
  - Viewing Role Details
  - Editing a Role
  - Deleting a Role
- About Users in MSP Account Home
  - Adding a User in MSP Account Home
  - Editing a User in MSP Account Home
  - Deleting a User in MSP Account Home
  - Viewing Audit Trail Logs for Users
About Roles in MSP Home Account
Aruba Central MSP mode supports role-based access control. Aruba Central allows you to create predefined user roles and custom roles. As shown in the following figure, MSP user A is mapped to two roles. MSP role admin gives the user administrator access to all MSP applications and the tenant role readonly gives the user read-only access to all tenant accounts. MSP user B is tied to MSP role admin and tenant role admin. The tenant administrator role provides the user administrator access to all tenant accounts. Tenant user A is mapped to the admin role. This role gives the user administrator access to all tenant A applications. Tenant user B is mapped to the readonly role. This role gives the user read-only access to tenant B applications. Tenant user A and tenant user B can access only their respective accounts.


Figure 118 MSP Role-Based Access Control

The Roles tab has the following predefined roles.

Table 109: Predefined Roles

| Application | Role | Privilege |
|---|---|---|
| Account Home | admin | Administrator for the Account Home page. If there are common modules between Account Home and other app(s), the Account Home role has higher precedence and the user is granted permission if the operation is initiated from the Account Home page. |
| Account Home | readwrite | Can view and modify settings in the Account Home page and all Global Settings pages. NOTE: The 'readwrite' role will not have modify permission for the following pages: Users and Roles, Single-Sign-On. |
| Account Home | readonly | Can view the Account Home page and all Global Settings pages. |
| Network Operations | admin | Administrator for the Network Operations application. Has access to Account Home > Global Settings. This is applicable only if the Account Home role is not set or is not conflicting. |
| Network Operations | deny-access | Cannot view the Network Operations application. |
| Network Operations | guestoperator | Has guest operator access to the Network Operations application. User does not have access to Account Home > Global Settings. |
| Network Operations | readonly | Has read-only access to Account Home > Global Settings and the Network Operations application. |
| Network Operations | readwrite | Has read-write access to Account Home > Global Settings and the Network Operations application. Has access to view and modify data using the Aruba Central UI or APIs. However, the user cannot execute APIs to enable or disable MSP mode, or to perform operations in the following pages: Account Home > Users and Roles; Network Operations application > Organization > Labels and Sites. |


Module Permissions for Roles
Aruba Central enables you to define roles with view or modify permissions. You can also block user access to some modules. If a module is blocked for a specific role, either the corresponding pages are not displayed in the UI, or the user can access the pages but no data is displayed and all actions are disabled for the role. Aruba Central supports setting permissions for the following modules:

Table 110: Permissions

| Application | Module | Description |
|---|---|---|
| Account Home | Devices and Subscription | Enables users to add devices and assign keys and subscriptions to devices in the Account Home page. |
| Account Home | Users | Enables users to define a role with access (View, Modify, or Block) to the user details in the Users tab in the Users and Roles page. To define the role, navigate to Account Home > Global Settings > Users and Roles. |
| Account Home | Roles | Enables users to define a role with access (View, Modify, or Block) to the role details in the Roles tab in the Users and Roles page. To define the role, navigate to Account Home > Global Settings > Users and Roles. |
| Account Home | SSO | Enables users to define a role with access (View, Modify, and Block) to the Single Sign On profiles details in the Users tab in the Single-Sign-On page (Account Home > Single-Sign-On). Enables users to define a role with access (View, Modify, or Block) to the Single Sign On profiles details in the Single Sign On page. To navigate to the Single Sign On page, go to Account Home > Single Sign On. |
| Network Operations | MSP | Enables users with administrator role and privileges to define user access to MSP modules such as Customer Management and Portal Customization. The MSP tenant account user does not have access to the MSP application. Even if a tenant account user is assigned a custom role having MSP application privileges, the tenant account user does not have access to the MSP application, and MSP will not appear in the Account Home > Global Settings > Users and Roles > Roles > Allowed Applications list. |
| Network Operations | Group Management | Enables users to create, view, modify, and delete groups and assign devices to groups. |
| Network Operations | Devices and Subscription | Users cannot edit or set permissions for this module. Modify and Block options are disabled. By default, the View Only permission is set. |
| Network Operations | Network Management | Enables users to configure, troubleshoot, and monitor Aruba Central-managed networks. You can customize the permissions (view or modify or block) for the following sub-modules: Configuration, Configuration Variables, Privileged Configuration, Firmware, Troubleshooting, Other Modules. NOTE: For the Privileged Configuration, the 'Block' option disables the Admin tab (Gateway>System>Admin) for the user. The user management privileges are disabled for this user for gateways at the device and group level. |
| Network Operations | Guest Management | Enables users to configure cloud guest splash page profiles. |
| Network Operations | AirGroup | Enables users to define or block user access to the AirGroup pages. |
| Network Operations | Presence Analytics | Enables users to access the Presence Analytics app and analyze user presence data. |
| Network Operations | Floorplans | Enables users to access Floorplans and RF heatmaps. |
| Network Operations | Unified Communications | Enables users to access the Unified Communications pages. |
| Network Operations | Install Manager | Enables users to manage installer profiles and site installations. |
| Network Operations | Reports | Enables users to view and create reports. |
| Network Operations | Other Applications | Enables users to access other applications modules such as notifications and Virtual Gateway deployment service. |

Adding a Custom Role in MSP Account Home
The following are the permissions that you can associate with a custom role:
- Roles with Modify permission can perform add, edit, or delete actions within the specific module.
- Roles with View Only permission can only view the specific module.
- Roles with Block permission cannot view that particular module or can view the corresponding pages but no data is displayed and all actions are disabled.
To add a custom role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. Click Add Role. The New Role window is displayed.
4. Specify a name for the role.
5. From the drop-down list, select one of the following:
   - Account Home--To manage access to devices and subscriptions in Aruba Central.
   - Network Operations--To set permissions at the module level in the Network Operations application.
6. For Network Management and MSP modules, you can set access rights at the module level. To set view or edit permissions or block the users from accessing a specific module, complete the following steps:
   a. Click Customize.
   b. Select one of the following options for each module as required:
      - View Only
      - Modify
      - Block
7. Click Save.
8. Assign the role to a user account as required.
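The role scoping described in About Roles in MSP Home Account, together with the View Only, Modify, and Block permissions of a custom role, can be turned into an access review that answers who can change a given module in a given tenant account. The following Python model is an added example, not Aruba Central code or an Aruba API; the class and function names, the account identifiers, the noc-operator role, and the users are constructed for illustration, and it assumes a custom role falls back to a default permission for modules it does not list.

```python
# Added example: a model of the MSP/tenant role scoping described in this section.
# Not Aruba Central code; all class, function, and account names are hypothetical.
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Perm(IntEnum):
    BLOCK = 0   # module hidden, or shown with no data and all actions disabled
    VIEW = 1    # "View Only"
    MODIFY = 2  # add, edit, or delete within the module


@dataclass
class Role:
    name: str
    default: Perm  # assumption: permission for modules the role does not list
    modules: Dict[str, Perm] = field(default_factory=dict)

    def perm(self, module: str) -> Perm:
        return self.modules.get(module, self.default)


# Predefined Network Operations roles from Table 109
# (guestoperator and readwrite are left out of this model).
ADMIN = Role("admin", Perm.MODIFY)
READONLY = Role("readonly", Perm.VIEW)
DENY = Role("deny-access", Perm.BLOCK)

MSP = "msp"  # constructed identifier for the MSP (primary) account


@dataclass
class User:
    email: str
    account: str                        # MSP, or the tenant account the user belongs to
    msp_role: Optional[Role] = None     # applies to the MSP application
    tenant_role: Optional[Role] = None  # MSP user: all tenants; tenant user: own tenant


def effective_perm(user: User, target: str, module: str) -> Perm:
    """Permission that `user` holds on `module` inside account `target`."""
    if target == MSP:
        # A tenant account user has no access to the MSP application,
        # even when a role with MSP privileges is attached to the user.
        if user.account != MSP or user.msp_role is None:
            return Perm.BLOCK
        return user.msp_role.perm(module)
    # Target is a tenant account: tenant users reach only their own account.
    if user.account not in (MSP, target) or user.tenant_role is None:
        return Perm.BLOCK
    return user.tenant_role.perm(module)


def who_can(users: List[User], target: str, module: str, need: Perm) -> List[str]:
    """Access review: users holding at least `need` on `module` in `target`."""
    return sorted(u.email for u in users
                  if effective_perm(u, target, module) >= need)


# Custom role with customized Network Management sub-modules (names from Table 110).
NOC = Role("noc-operator", Perm.VIEW, {
    "Troubleshooting": Perm.MODIFY,
    "Privileged Configuration": Perm.BLOCK,
    "Firmware": Perm.BLOCK,
})

# Constructed users mirroring Figure 118, plus one user holding the custom role.
USERS = [
    User("msp-a@example.com", MSP, msp_role=ADMIN, tenant_role=READONLY),
    User("msp-b@example.com", MSP, msp_role=ADMIN, tenant_role=ADMIN),
    User("msp-noc@example.com", MSP, msp_role=READONLY, tenant_role=NOC),
    User("a@tenant-a.example", "tenant-a", tenant_role=ADMIN),
    User("b@tenant-b.example", "tenant-b", tenant_role=READONLY),
]

if __name__ == "__main__":
    for tenant in ("tenant-a", "tenant-b"):
        print(tenant, "Configuration / Modify:",
              who_can(USERS, tenant, "Configuration", Perm.MODIFY))
    print("MSP Customer Management / Modify:",
          who_can(USERS, MSP, "Customer Management", Perm.MODIFY))
```

Running the review per tenant shows which MSP users hold Modify rights across every tenant account through a single tenant role, which is the assignment to examine first when applying least privilege.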
Viewing Role Details
To view the details of a role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab. The Roles tab displays the following information:
   - Role Name--Name of the role.
   - Allowed Applications--The application(s) to which the user account is subscribed.
   - Assigned Users--Number of users assigned to a role.
Editing a Role
To edit a role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the edit icon.
4. In the Edit Role <"Rolename"> window, modify the permissions set for module(s).
5. Click Save.
Deleting a Role
To delete a role, ensure that the role is not associated to any user and complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the delete icon.
4. Confirm role deletion in the Confirm Action dialog box.
About Users in MSP Account Home
In the Account Home page, under Global Settings, click Users and Roles. The Users tab is displayed. The List of Users table displays the following information:
- Email ID of the user.
- Type of user. The user can be system user or external user.
- Description of the user.
- MSP role
- Tenant role
- Account Home role
- Allowed groups for the user.
- Last active time of the user. If the last active time cell is blank, the user has not logged in after the product upgrade.
The Actions link offers the following options:
- Resend invitation to users--If any user has not received the email invite, you can use this link to resend invitations.
- Two-Factor Authentication (2FA)--Enables Two-factor authentication.
- Support Access--Enables you to generate a new password of a specified validity to give access to a support person from Aruba.
Adding a User in MSP Account Home
To add a user, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users and Roles page is displayed.
2. Click Add User. The New User window is displayed.
3. Configure the following parameters:
   - Username--Email ID of the user. Enter a valid email address.
   - Description--Description of the user role. You can enter up to a maximum of 32 characters including alphabets, numbers, and special characters in the text field.
   - Language--Select a language. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese languages.
   - Account Home--Select a user role for the Account Home page.
   - Network Operations--Select an MSP role and Tenant role for the Network Operations application.
4. Click Save. An email invite is sent to the user with a registration link. Users can use this link to access Aruba Central.
The registration link in the email invite is valid for 15 days.
Track Progress
Click the Track Progress link to open the Operations Status page that provides the user account creation or modification status. The status can be in progress or failed. No status is displayed if the user account is successfully created.
Editing a User in MSP Account Home
To edit a user account, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users tab opens.
2. In the List of Users table, select the user and click the edit icon.
3. In the Edit User <"Username"> window, modify description, role, or allowed groups.
4. Click Save.
Deleting a User in MSP Account Home
To delete a user account:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users tab opens.
2. In the List of Users table, select the user and click the delete icon.
3. Confirm user deletion in the Confirm Action dialog box.
Viewing Audit Trail Logs for Users
Audit logs are generated when a new user is created or an existing user is modified or deleted from the Aruba Central account. The audit trail also records the login and logout activities of users. To view audit logs for Aruba Central users:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page is displayed.
2. To view audit logs for user addition, modification, or deletion, click the filter in the Classification column, and select User Management.
3. To filter audit logs about user activity, click the filter in the Classification column, and select User Activity.
Groups in the MSP Mode
MSP groups are UI groups mapped to the default UI groups in the tenant account. If a tenant account is associated to a specific group in the MSP mode, the configuration changes to the devices associated with this tenant account are pushed only to the default group in the tenant account view. However, MSP administrators can create more groups for a specific tenant by drilling down to a tenant account.
Template groups are not supported in the MSP mode. However, template groups can be defined and managed at each tenant account individually.
MSP Group Illustration
As shown in the following figure:
- Tenant A and tenant B are mapped to MSP group 1. The default group configuration for these tenants is inherited from MSP group 1 configuration. Tenant A has two additional user-defined groups that are independent of MSP group 1 configuration. Tenant B has one additional user-defined group that is independent of MSP group 1 configuration.
- Tenant C is mapped to MSP group 2 configuration. Its default group configuration is inherited from MSP group 2. It also has one additional user-defined group that is independent of MSP group 2 configuration.
- Tenant D has only one default group and its configuration is inherited from MSP group 3.
- Tenant E is not mapped to any MSP group. Its default group configuration is independent of any MSP group configuration. It can have additional user-defined groups as well, if required.

Figure 119 MSP Groups
Tenant Default Group Overrides
If a tenant is mapped to an MSP group, the configuration of its default group is inherited from the MSP group it is mapped to. Once mapped, except for any newly created WLAN SSID and WLAN PSK, other configurations are overridden. As shown in the following figure, these configuration options are allowed on a tenant default group that is mapped to an MSP group:
- Creating a new WLAN SSID.
- Overriding the WLAN PSK for a WLAN inherited from an MSP group.
Figure 120 Default Group Overrides

Creating an MSP UI Group
To manage device configuration using UI configuration containers in Aruba Central, you can create a UI group and assign devices. To create an MSP UI group:
1. From the Network Operations app, filter All Groups.
2. Under Maintain, click Organization to display the Groups dashboard.
3. To create a new group, click New Group. The Create New Group pane is displayed.
4. Enter a name for the group.
5. Configure a password to restrict group access to authorized users only.
6. Click Add Group.
About Provisioning Tenant or Customer Accounts
After adding a device in the MSP mode, the device must be mapped to a tenant account for device management and monitoring operations.

With MSP mode enabled, the MSP administrator manages the creation and deletion of tenant accounts. After a tenant account is created, the MSP administrator can add tenant users to the account. To create a tenant user, the MSP administrator must provide a valid email address for the user. A verification email is sent to this email address. Tenant users have access to their individual tenant account only. Tenant users do not have access to other tenant accounts managed by the MSP. The group associated to the tenant account in the MSP mode shows up as the default group for tenant account users. In the MSP mode, all configuration changes made to the group associated to the tenant account are applied to the default group on the tenant account.
Flowchart for Tenant Account Mapping in MSP
The following flowchart displays a visual representation of how you can create a tenant account and map it to an MSP group.
Figure 121 Tenant Account Mapping to an MSP Group
Creating a Tenant Account and Mapping to an MSP Group
The following are the usage guidelines for creating a tenant account:
- If the tenant account provisioning fails, the task is marked as Provision Failed in the UI and PROVISION_FAILED in the [GET] /msp/v1/customers API response. To view the task status in the UI, under Manage, click Overview to display the Dashboard page. Click the Customers tab. If the provisioning fails, you can delete the tenant account and try again.
- Tenant account users can only view reports generated for the default group. The administrators of a specific tenant account can drill down to the tenant account and generate reports for the default group.
- If cloud guest provisioning fails, cloud guest features for the tenant may get impacted. In such instances, contact Aruba Central Technical Support.
To add a tenant account, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Manage, click Overview. The Dashboard is displayed.
3. Click Add New Customer. The Add Customer page is displayed.
4. Enter the name of the tenant in the Customer Name text box. The MSP customer name can be a maximum of 70 single byte characters. All special characters, ASCII, and Unicode are allowed.
5. Enter the description of the tenant in the Description text box. The MSP customer description field can be a maximum of 32 single byte characters. All special characters, ASCII, and Unicode are allowed.
6. If you want to associate the tenant to a group, click the Add to group toggle switch.
7. From the Group drop-down list, select a group to which you want to assign the tenant.
The group associated to the tenant account in the MSP mode shows up as the default group for tenant account users. In the MSP mode, all configuration changes made to the group associated to the tenant account are applied to the default group on the tenant account.
8. If you want to prevent the users of the tenant account from modifying SSID settings of the device group, select the Lock SSID check box.
9. Click Save.
Viewing Tenant Account Details
To view the tenant account details, perform the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Manage, click Overview to display the Dashboard page.
3. Click the Customers tab.
4. Hover over the tenant account and click expand. The customer details window displays the following sections. Click the X mark on the top right-corner of the screen to exit the window and return to the dashboard.
Summary
- Customer ID--Displays the subscription renewal schedule for the next 12 months. The graph plots the total count of subscriptions that are due for renewal for each month.
- Customer Created--Displays the count of devices that are managed in the network over a period of time.
- MSP Group--Displays the total number of tenants added to Aruba Central over a period of time.
- Description--Description of the tenant account.
- Customer Name--Name of the tenant account.
Devices
This section is a graphical representation of the devices assigned to the selected tenant account, as well as the licensed and unlicensed count for each device type.
- The section consists of three doughnut charts, each chart representing one of the following types of devices: APs, switches, and gateways.
- The number in the center of the chart indicates the total number of devices, both licensed and unlicensed, of a specific type allocated to the tenant account.
- The two colors on the ring of the doughnut indicate the number of licensed and unlicensed devices of a specific type allocated to the tenant account. You can hover over one segment of the doughnut to see the numbers corresponding to the selected segment.
- You can also deselect and reselect the Licensed and Unlicensed options for each chart.
For example, in the following image, the tenant account has three APs, one switch, and one gateway. Out of this, only one AP is unlicensed.
Figure 122 Devices Section of the Expand Tenant Account Page
Licenses
This section is a graphical representation of the device subscriptions assigned to the devices for the selected tenant account. The section also shows the number of Foundation and Advanced licenses for each type of device.
- The section consists of three doughnut charts, each chart representing one of the following types of devices: APs, switches, and gateways.
- The number in the center of the chart indicates the total number of licensed devices of a specific type allocated to the tenant account.
- The two colors on the ring of the doughnut indicate the number of Advanced and Foundation licenses assigned to a device of a specific type allocated to the tenant account. You can hover over one segment of the doughnut to see the numbers corresponding to the selected segment.
- You can also deselect and reselect the Advanced and Foundation options for each chart.
For example, in the following image, the tenant account has two APs, one switch, and one gateway, each assigned with a Foundation license.

Figure 123 Licenses Section of the Expand Tenant Account Page

Editing a Tenant Account
When editing the group associated with the MSP customer or tenant, the default group configuration of the tenant account is also impacted. To edit a tenant account, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Manage, click Overview. The Dashboard is displayed.
3. Hover over the tenant account that you want to edit and click edit.
4. Modify the account details. If you want to associate the tenant account to a different group, turn on the Add to group toggle switch and select a group.
5. Click Save.
Deleting a Tenant Account
To delete a tenant account, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Manage, click Overview. The Dashboard is displayed.
3. Hover over the tenant account that you want to delete and click delete.
4. Click Yes to confirm the action.
If the tenant account deletion fails, the provisioning status is marked as Delete Failed in the UI and DELETE_FAILED in the [GET] /msp/v1/customers/{customer_id} API response. To view the task status in the UI, under Manage, click Overview to display the Dashboard page. Click the Customers tab.
Assigning Devices to Tenant Accounts
Before assigning devices to tenant accounts, ensure that you have completed the following: onboarded devices, assigned subscriptions, and provisioned tenant accounts. To assign devices to tenant accounts, complete the following steps:

1. In the Account Home page, under Global Settings, click Device Inventory. A list of devices provisioned in the MSP mode is displayed.
2. Select one or several devices from the table. To select multiple devices, press and hold the Ctrl key and select the devices. The Assign Customer button is displayed under the table.
3. Click Assign Customer. A window showing a list of tenant accounts provisioned in the MSP mode is displayed.
4. Select the tenant account to which you want to assign the device. The groups associated with the tenant accounts are displayed.
5. Click Assign Device(s).
6. Click Yes when prompted for confirmation.
MSP Dashboard
The MSP dashboard provides a summary of hardware and subscriptions owned by the MSP and details about the tenant accounts managed by the MSP. The hardware includes APs, switches, and gateways.
Viewing the MSP Dashboard
To view the MSP dashboard, perform the following steps:
1. In the Network Operations app, set the filter to All Groups. The filter context changes to Global.
2. Under Manage, click Overview to display the Dashboard. The number in parentheses () for Customers indicates the total number of customers for that MSP account. In the following image, the total number of customers is 54.
The Dashboard page includes the following sections:
- A summary section for the dashboard--Displays the assigned and unassigned devices and the assigned and unassigned licenses for APs, switches, and gateways.
- Overview--Displays the list of customers, the types of devices assigned to each customer, as well as critical alerts, if any.
- Trends--Displays charts for license renewal, the number of devices under MSP management, and the number of customers added over the last year.
- Add New Customer--Enables you to add a new tenant to the MSP account. Perform the steps detailed in About Provisioning Tenant or Customer Accounts.
Figure 124 Viewing the MSP Dashboard

Dashboard Summary
The summary section for Dashboard displays the total number of assigned and unassigned devices, and the total number of assigned and unassigned licenses for three categories of hardware devices that include APs, switches, and gateways. In MSP mode, you must first assign a device to a tenant account before assigning a license to the device.
The summary section includes the following details:
- Access Points
  - Devices--Number of available APs. Click the number to navigate to Account Home > Device Inventory to see the details of the APs in the MSP inventory.
    - Unassigned--Number of APs that are not assigned to any tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the unassigned APs in the MSP inventory.
    - Assigned--Number of APs that are already assigned to a tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the assigned APs in the MSP inventory.
  - Licenses--Number of available licenses for APs. Click the number to navigate to Account Home > License Assignment > Access Points to see the details of all the licenses for APs in the MSP inventory.
    - Unassigned--Number of AP licenses that are not assigned to any AP. Click the number to navigate to Account Home > License Assignment > Access Points > Unlicensed to see the details of all the unassigned licenses for APs in the MSP inventory.
    - Assigned--Number of AP licenses that are already assigned to APs. Click the number to navigate to Account Home > License Assignment > Access Points > Licensed to see the details of all the assigned licenses for APs in the MSP inventory.
- Switches
  - Devices--Number of available switches. Click the number to navigate to Account Home > Device Inventory to see the details of the switches in the MSP inventory.
    - Unassigned--Number of switches that are not assigned to any tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of the switches in the MSP inventory.
    - Assigned--Number of switches that are already assigned to a tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the assigned switches in the MSP inventory.
  - Licenses--Number of available licenses for switches. Click the number to navigate to Account Home > License Assignment > Switches to see the details of all the licenses for switches in the MSP inventory.
    - Unassigned--Number of switch licenses that are not assigned to any switches. Click the number to navigate to Account Home > License Assignment > Switches > Unlicensed to see the details of all the unassigned licenses for switches in the MSP inventory.
    - Assigned--Number of switch licenses that are already assigned to switches. Click the number to navigate to Account Home > License Assignment > Switches > Licensed to see the details of all the assigned licenses for switches in the MSP inventory.
- Gateways
  - Devices--Number of available gateways. Click the number to navigate to Account Home > Device Inventory to see the details of the gateways in the MSP inventory.
    - Unassigned--Number of gateways that are not assigned to any tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the unassigned gateways in the MSP inventory.
    - Assigned--Number of gateways that are already assigned to a tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the assigned gateways in the MSP inventory.
  - Licenses--Number of available licenses for gateways. Click the number to navigate to Account Home > License Assignment > Gateways to see the details of all the licenses for gateways in the MSP inventory.
    - Unassigned--Number of gateway licenses that are not assigned to any gateways. Click the number to navigate to Account Home > License Assignment > Gateways > Unlicensed to see the details of all the unassigned licenses for gateways in the MSP inventory.
    - Assigned--Number of gateway licenses that are already assigned to gateways. Click the number to navigate to Account Home > License Assignment > Gateways > Licensed to see the details of all the assigned licenses for gateways in the MSP inventory.
Customer | Overview
By default, the Customers | Overview table is displayed. The table provides an overview of tenant accounts. MSP administrators can perform tasks such as drilling down to a tenant account, editing an existing tenant account, and deleting a tenant account.
- Customer Name--Name of the tenant account. Click the customer name to go to the tenant account view for the customer. Hover over the tenant account name to view the following options:
  - expand--Opens a new pop-up window showing the tenant account details. For more information, see Viewing Tenant Account Details.
  - edit--Opens the Edit Customer pop-up window. For more information, see Editing a Tenant Account.
  - delete--Opens the confirmation dialog box. For more information, see Deleting a Tenant Account.
  Hover over the icon next to the tenant account name to view the provisioning status. The status can be one of the following:
  - In Progress
  - Provision Failed
  Use the filter icon on the column header to filter by tenant account name.
- Customer ID--Unique ID of the tenant account. The ID can be in one of the following formats:
  - Numerical format
  - UUID format
  Use the column filter to search for a particular customer ID. Note that you must enter the full customer ID.
  The Customer ID column is not displayed in the default view. Use the column selector and select the Customer ID check box to add the column to the table.
Figure 125 Selecting the Customer ID for Display

- Access Points
  - Up--Total number of online APs. Click the number to view the list of online APs.
  - Down--Total number of offline APs. Click the number to view the list of offline APs.
  Click the sort icon to sort the column in ascending or descending order. Sometimes, the total number of APs that are displayed as Down for a tenant account in MSP view may not equal the total number of corresponding APs displayed as Offline under Manage > Access Points in the tenant account view. This discrepancy is corrected by an automatic and periodic sync between the MSP database and tenant view database. The periodic sync happens every 12 hours. The number in parentheses () indicates the number of devices that are not onboarded.
- Switches
  - Up--Total number of online switches. Click the number to view the list of online switches.
  - Down--Total number of offline switches. Click the number to view the list of offline switches.
  Click the sort icon to sort the column in ascending or descending order. Sometimes, the total number of switches that are displayed as Down for a tenant account in MSP view may not equal the total number of corresponding switches displayed as Offline under Manage > Switches in the tenant account view. This discrepancy is corrected by an automatic and periodic sync between the MSP database and tenant view database. The periodic sync happens every 12 hours. The number in parentheses () indicates the number of devices that are not onboarded.
  The number of switches displayed in the MSP dashboard corresponds to the total number of switches available for the tenant. However, in the tenant view, a switch stack is considered as a single entity. For example, if there are two switch stacks for a tenant account, and each stack has two members, the MSP dashboard displays the count as four whereas the tenant account displays the count as two.
- Gateways
  - Up--Total number of online gateways. Click the number to view the list of online gateways.
  - Down--Total number of offline gateways. Click the number to view the list of offline gateways.
  Click the sort icon to sort the column in ascending or descending order. Sometimes, the total number of gateways that are displayed as Down for a tenant account in MSP view may not equal the total number of corresponding gateways displayed as Offline under Manage > Gateways in the tenant account view. This discrepancy is corrected by an automatic and periodic sync between the MSP database and tenant view database. The periodic sync happens every 12 hours. The number in parentheses () indicates the number of devices that are not onboarded.
- Critical Alerts--Total number of critical alerts for the tenant account. Click the number to navigate to the Alerts page of the tenant account. For more information, see MSP Alerts.
Customers | Trends
Go to Customers | Trends to view the following sections:
- License Renewal Schedule (1 Year)--Displays the subscription renewal schedule for the next 12 months. The entries include the license renewal date and the total count of subscriptions of each type that are due for renewal on that date.
- Device Under Management graph--Displays the count of devices that are managed in the network over the last 12 months. The dates are plotted on the x-axis and the number of devices on the y-axis. Hover over any part of the chart to see the number of devices the MSP is managing on that specific date.
- Customers graph--Displays the total number of tenants added to Aruba Central over the last 12 months. The dates are plotted on the x-axis and the number of tenants on the y-axis. Hover over any part of the chart to see the number of tenants the MSP added on that specific date. Click Total to view the total number of tenant accounts.
Using the Switch Customer Option
If you are an MSP administrator and if your user ID has been added to multiple tenant accounts, after you log in to Aruba Central, you must select the tenant account that you want to access.
Figure 126 Select Account

To select a different tenant account, click the User icon, select Switch Customer, and then select the tenant account that you want to access.

Figure 127 Switch Customer
MSP Certificates
You can view and add certificates in MSP.
Viewing Certificates in MSP Mode
1. In the Network Operations app, use the filter to select All Groups. The global dashboard is displayed for the MSP mode.
2. Under Maintain, click Organization.
3. Click the Certificates tab.
4. The Certificate Store displays the following information:
Table 111: Certificate Store Parameters

| Data Pane Item | Description |
|---|---|
| Certificate Name | Name of the certificate. |
| Status | Status of the certificate as either Active or Expired. |
| Expiry Date | Date of expiry for the certificate. |
| Type | Type of certificate. For example, a server certificate. |
| MD5 Checksum | The Message Digest 5 (MD5) algorithm is a widely used hash function producing a 128-bit hash value from the data input. Checksum value of the certificate. |
| SHA-1 Checksum | The Secure Hash Algorithm 1 (SHA-1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value. Checksum value of the certificate. |

Uploading Certificates in the MSP Mode
MSP administrators can upload certificates to Aruba Central certificate store. They can also map the certificate usage for server and user authentication for the groups associated to a tenant account. To upload certificates to the certificate store:
1. In the Network Operations app, use the filter to select All Groups. The global dashboard is displayed.
2. Under Maintain, click Organization.
3. Click the Certificates tab.
4. To add a new certificate to the Certificate Store, click the + sign. The Add Certificate dialog box is displayed.
5. Enter the certificate name in the Name text box.
6. Select the certificate type from the Type list.
7. Select the certificate format from the Format drop-down. The supported certificate formats are PEM, DER, and PKCS12.
8. For server certificates, enter and then retype the passphrase.
9. Click Choose File to browse to your local directory and select the certificate to upload.
10. Click Add.
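A local check for the MD5 and SHA-1 checksums listed in the Certificate Store, as an added example that is not part of the Aruba guide: it hashes a PEM or DER certificate file and compares the result with the values copied from the UI. It assumes the store's checksums are taken over the DER-encoded certificate, as conventional certificate fingerprints are; the function names and sample bytes are constructed for illustration, and PKCS12 files are not handled.

```python
import base64
import hashlib
import hmac
import re

# Matches one PEM-armoured certificate; a PEM file may hold a chain or extra text.
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def to_der(file_bytes: bytes) -> bytes:
    """Return the DER encoding of the first certificate in a PEM or DER file."""
    match = PEM_CERT.search(file_bytes)
    if match is None:
        return file_bytes  # no PEM armour found: treat the input as raw DER
    body = b"".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def fingerprints(file_bytes: bytes) -> dict:
    """MD5 and SHA-1 hex digests of the certificate's DER encoding.

    Assumption: the Certificate Store hashes the DER form of the certificate.
    """
    der = to_der(file_bytes)
    return {
        "md5": hashlib.md5(der, usedforsecurity=False).hexdigest(),
        "sha1": hashlib.sha1(der, usedforsecurity=False).hexdigest(),
    }


def normalize(shown: str) -> str:
    """Reduce a displayed checksum (upper case, colons, spaces) to bare hex."""
    return re.sub(r"[^0-9a-f]", "", shown.lower())


def matches_store(file_bytes: bytes, md5_shown: str, sha1_shown: str) -> bool:
    """True only if both displayed checksums match the local certificate."""
    local = fingerprints(file_bytes)
    md5_ok = hmac.compare_digest(local["md5"], normalize(md5_shown))
    sha1_ok = hmac.compare_digest(local["sha1"], normalize(sha1_shown))
    return md5_ok and sha1_ok


# Constructed stand-in bytes (a tiny ASN.1 SEQUENCE), not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    local = fingerprints(SAMPLE_PEM)
    print("MD5  :", local["md5"])
    print("SHA-1:", local["sha1"])
    # Checksum formatted as it might be copied from a UI (built from the sample).
    shown_md5 = ":".join(re.findall("..", local["md5"].upper()))
    print("match:", matches_store(SAMPLE_DER, shown_md5, local["sha1"]))
```

The PEM and DER forms of the same certificate produce identical checksums, so the check works whichever format was uploaded.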

Aruba Central allows percolation of certificates that are mapped to the MSP group, to the tenant account. When a certificate is removed from the Device > Access Points > WLANs > Show Advanced > Security > Certificate Usage section in the group dashboard in MSP, the respective certificate is also removed from the tenant's Certificates Store, if the certificate is mapped to the tenant's default group and is no longer used by the tenant. If the certificate is used by any of the tenant's non-default groups, the certificate is retained in the tenant's certificate store, even if the certificate is removed from the MSP.
The Device > Access Points > WLANs > Show Advanced > Security > Certificate Usage menu is displayed only when you select a group from the filter.
Navigating to the Tenant Account
MSP users with administrative privileges to tenant accounts can drill down to tenant accounts. To drill down to a specific tenant account:
1. In the Network Operations app, set the filter to All Groups.
2. Under Manage, click Overview to display the Dashboard. The Dashboard page includes the following sections:
   - Dashboard summary bar
   - Overview and trends for customers
3. In the Customers | Overview table, click the tenant account name and click Expand. The tenant account details window is displayed. Close the window.
4. To go to the tenant account, click on the tenant account name. The tenant account is displayed in Standard Enterprise Mode.
To return to the MSP view, click Return to MSP View. Aruba recommends that you not use the Back button of the web browser to go back to the MSP view.
Points to Note:
- The group attached to tenant account in the MSP mode shows up as a default group for the users of the tenant account.
- Configuration changes to the group attached to a tenant account in the MSP mode are applied to the default group in the interface displayed for the tenant accounts.
- The administrators can add users to a tenant account using the Users & Roles menu in the Global Settings app.
- Tenant account administrators can allow or prevent user access to specific groups by configuring custom roles.
MSP Alerts
Aruba Central MSP mode enables administrators to trigger alerts when tenant provisioning, network, device, or user management events occur. An MSP administrator can configure alerts at the MSP level which percolate down to all tenant accounts managed by the MSP. For example, if the MSP administrator has configured an alert to be triggered when an AP is disconnected, the MSP is notified when an AP is disconnected in any of the tenant networks managed by the MSP. This allows for faster reactive support and makes monitoring and troubleshooting easy across multiple tenant accounts.
The MSP administrator can configure additional alerts at the tenant account level. At the tenant account level, alerts can be configured based on groups, labels, sites, or devices. Tenant account administrators can also configure additional alerts for their account. In this case, the alert is triggered only for the corresponding tenant account.
The MSP administrator can edit an alert configured by the tenant account administrator. However, the tenant account administrator cannot edit an alert created by the MSP administrator.
MSP level and tenant level alert configurations are managed separately. For example, if an alert is configured and enabled at both the MSP level and tenant level, two separate notifications are triggered for the event.
Figure 128 MSP Alerts

This section includes the following topics:
- Viewing MSP Alerts Dashboard
- MSP Alerts in List View
- MSP Alerts in Summary View
- MSP Alerts in Config View
Viewing MSP Alerts Dashboard
1. In the Network Operations app, filter All Groups.
2. Under Analyze, click Alerts to display the Alerts dashboard.
   The Alerts dashboard enables you to configure, view, and acknowledge alerts. The dashboard has three views:
   - Alerts in List View
   - Alerts in Summary View
   - Alerts in Config View
3. The Search bar allows you to search for alerts by tenant account. Enter the name of the tenant account and select the tenant account from the list.
4. To view the list of alerts, click the List icon.
   a. The list view displays the number of alerts in the following categories:
      - Critical
      - Major
      - Minor
      - Warning
   b. Click Acknowledge All to acknowledge all the alerts at once.
   c. Enable the Show Acknowledged Alerts button to display the list of acknowledged alerts.
   d. Clicking the icon enables you to customize the Alerts table columns or set it to the default view.
5. To view detailed graphs about the alerts, click the Summary icon. Select each tab (All, Access Points, Switches, or Gateways) to view the graphs pertaining to each device type.
6. To configure alerts, click the Config icon. For more information, see xxx.
MSP Alerts in List View
The MSP Alerts page in list view displays a list of alerts for all customers associated with the MSP account. Use the Search Customer Name field to filter alerts by customer name. The Alerts summary bar displays a list of all the alerts categorized by severity level. You can click on any of the categories to display the list of alerts for that category.
Figure 129 MSP Alerts in List View

All the alerts are displayed in a tabular format with the following information:

Table 112: Viewing the MSP Alerts in List View

| Data Pane Content | Description |
|---|---|
| Occurred On | Timestamp of the alert. Use the sort option to sort the alerts by date and time. |
| Category | Displays the category of the alert. Use the filter option to filter the alert by category. |
| Label | Displays the label name of the alert. |
| Site | Displays the site name of the alert. |
| Customer | Displays the customer name of the alert. |
| Group | Displays the group name of the alert. |
| Severity | Displays the severity level of the alert. The severity can be Critical, Major, Minor, or Warning. |
| Description | Displays a description of the alert. Use the search option in the filter bar to filter the alert based on description. |

MSP Alerts in Summary View
The Summary view lists all the alerts in charts. The available charts are:
- Alerts by Type--This horizontal bar chart plots the number of alerts versus the category of alerts. You can hover over a bar to get the exact data for the number of alerts for that category. Clicking on a bar redirects you to the list view for that category of alerts. An example is displayed in the next image.
- Alerts by Severity--This vertical bar chart plots the number of alerts versus the severity of alerts. You can hover over a bar to get the exact data for the number of alerts for that severity. Clicking on a bar redirects you to the list view for that severity of alerts.
Figure 130 Alerts by Type Chart in MSP Alerts Summary View

Select each tab, All, Access Points, Switches, or Gateways to view the graphs pertaining to each device type.

MSP Alerts in Config View
The Alerts page in Config view enables you to configure alerts. You can configure alerts at the MSP level and the tenant account level.
Configuring Alerts at the MSP Level
To configure alerts at the MSP level, complete the following steps:
1. In the Network Operations app, filter All Groups.
2. Under Analyze, click Alerts to display the Alerts dashboard.
3. Click the Config icon.

At the MSP level, you cannot configure alerts based on groups, labels, sites, or devices.

4. Use the tabs to navigate between the alert categories. Select an alert and click + to enable the alert with default settings. To configure alert parameters, click on the alert tile (anywhere within the rectangular box) and do the following:
   a. Severity--Set the severity. The available options are Critical, Major, Minor, and Warning. By default, the following alerts are enabled and the severity is Major:
      - Virtual Controller Disconnected
      - Rogue AP Detected
      - New User Account Added
      - Switch Detected
      - Switch Disconnected
   b. Notification Options--See Alert Notification Delivery Options.
      - Click Save.
      - Add Rule--(Optional) For a few alerts, the Add Rule option appears. For such alerts, you can add additional rule(s).
Configuring Alerts at the Tenant Account Level
To configure alerts at the tenant account level, complete the following steps:
1. Navigate to the tenant account. See Navigating to the Tenant Account.
2. In the Network Operations app, set the filter to a group or a device.
3. To configure alerts, click the settings icon under Analyze > Alerts & Events. By default, the Alerts & Events > User category is displayed.
4. Use the tabs to navigate between the alert categories. Select an alert and click + to enable the alert with default settings. To configure alert parameters, click on the alert tile (anywhere within the rectangular box) and do the following:
   a. Severity--Set the severity. The available options are Critical, Major, Minor, and Warning. By default, the following alerts are enabled and the severity is Major:
      - Virtual Controller Disconnected
      - Rogue AP Detected
      - New User Account Added
      - Switch Detected
      - Switch Disconnected
      For a few alerts, you can configure a threshold value for one or more alert severities. To set the threshold value, select the alert and in the exceeds text box, enter the value. The alert is triggered when one of the threshold values exceeds the duration.
   b. Duration--Enter the duration in minutes.
   c. Device Filter Options--(Optional) You can restrict the scope of an alert by setting one or more of the following parameters:
      - Group--Select a group to limit the alert to a specific group.
      - Label--Select a label to limit the alert to a specific label.
      - Device--Select a device to limit the alert to a specific device.
      - Sites--Select a site to limit the alert to a specific site.
   d. Notification Options
      - Email--Select the Email check box and enter an email address to receive notifications when an alert is generated. You can enter multiple email addresses; separate each value with a comma.
      - Webhook--Select the Webhook check box and select the Webhook from the drop-down list.
   e. Click Save.
   f. Add Rule--(Optional) For a few alerts, the Add Rule option appears. For such alerts, you can add additional rule(s). The rule summaries appear at the top of the page.
Viewing Enabled Alerts
To view alerts enabled at the MSP level or tenant account level, do the following:
1. In the Network Operations app, filter All Groups.
2. Under Analyze, click Alerts to display the Alerts dashboard.
3. On the Alerts page, click Enabled.
The Enabled tab lists the alerts that you have enabled. Click the tabs to see enabled alerts for each category.
Alert Notification Delivery Options
When you configure an alert, you can select how you want to be notified when an alert is generated. Aruba Central supports the following notification types:
- Email--Select the Email check box and enter an email address to receive notifications when an alert is generated. You can enter multiple email addresses; separate each value with a comma.
- Webhook--Select the Webhook check box and select the desired Webhooks from the drop-down list. Before you select this option, you must create Webhooks. For more information about creating and modifying Webhooks, see the Aruba Central Online documentation.
MSP Audit Trails
The Audit Trail page shows the logs for all the device management, configuration, and user management events triggered in Aruba Central. You can search or filter the audit trail records based on any of the following columns:
- Occurred on (Custom Range)
- Username
- IP Address
- Category
- Description
- Target
- Source
Viewing the Audit Trail Page
To view the audit trail log details in Aruba Central MSP mode:
1. From the Network Operations app, set the filter to All Groups.
2. Under Analyze, click Audit Trail.
3. Adjust the time filter to get the display for the required time range.

The Audit Trail logs are displayed for the following types of operations in the MSP:
- Addition, modification, and deletion of tenant accounts
- Addition, modification, and deletion of users associated with a tenant account
- Subscription assignment to devices
- Modification of groups associated with a tenant account
- Configuration push, override, and updates for the devices associated with a tenant account
- Addition, modification, and deletion of MSP admin users
- License reconciliation
The Audit Trail page in the MSP mode displays the following information:

Table 113: Audit Trail Pane in the MSP Mode

| Parameter | Description |
|---|---|
| Occurred On | Time stamp of the events for which the audit trails are shown. Use the filter option to select a specific time range to display the events. |
| Username | The username of the admin user who applied the changes. |
| IP Address | IP address of the client device. |
| Category | Type of modification and the affected device management category. See Classification of Audit Trails. |
| Target | The group, device, or tenant account to which the changes were applied. |
| Source | The tenant account in which the changes occurred. |
| Description | A short description of the changes such as subscription assignment, firmware upgrade, and configuration updates. Click the ellipsis to view the complete details of the event. For example, if an event was not successful, clicking the ellipsis displays the reason for the failure. |

Classification of Audit Trails
The audit trail is classified according to the type of modification and the affected device management category. The category can be one of the following:

- Configuration
- Firmware Management
- Reboot
- Device Management
- Templates
- User Management
- Variables
- Label Management
- MSP
- Guest
- Groups
- Subscription Management
- API Gateway
- RBAC
- Sites Management
- SAML Profile
- User Activity
- Federated User Activity
- Alert Configuration
- Install Manager
- Tools
MSP Reports
The MSP Reports page enables you to create reports. You can configure these reports to run on demand or periodically. You must have read and write privileges or you must be an Admin user to create reports. The Reports page is only applicable to the global MSP dashboard.
MSP reports are generated at the end of the day, so the current day's data is not available in the report. MSP reporting data is supported from version 2.5.0 onwards; the data is available only after an upgrade to version 2.5.0 or later. Data prior to the 2.5.0 upgrade is not available in the report.
Viewing the MSP Reports Page
To navigate to the Reports page, complete the following procedure:
1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports dashboard is displayed. The Reports dashboard has the following sections:
   - Browse--Explore, email, download, or delete generated reports. Displays the number of generated reports. Click Browse to display the Reports page in List view.
   - Manage--Edit or delete scheduled reports. Displays the number of scheduled reports. Click Manage to display the Reports page in Config view. In the Config view, click + to generate a new report.
   - Create--Creates a report that can be run instantly or periodically. Displays the number of report categories and the number of report types. Click Create to generate a new report. Currently, only Device and Subscription Inventory reports are supported in MSP.

Types of Reports
To access the Reports dashboard, set the filter to All Groups in the Network Operations app. Under Analyze, click Reports. Reports that are already run are listed under Browse > Generated Reports. If any report is yet to run, that report is available under Browse > Scheduled Reports. The following table explains the parameters available in the Device and Subscription Inventory report.

Table 114: Device and Subscription Inventory Report Description

Parameter: Access Points Inventory
Description: The Access Points Inventory page lists the following options both in table and graph form:
- Opening Stock--Total number of unassigned APs in the beginning of the time period.
- Purchased--Number of APs purchased during the time period.
- Returned--Number of APs returned by the tenants to the customer during the time period.
- Assigned--Number of APs assigned to the tenants during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned)

Parameter: Switch Inventory
Description: The Switch Inventory page lists the following options both in table and graph form:
- Opening Stock--Total number of unassigned switches in the beginning of the time period.
- Purchased--Number of switches purchased during the time period.
- Returned--Number of switches returned by the tenants to the customer during the time period.
- Assigned--Number of switches assigned to the tenants during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned)

Parameter: Gateway Inventory
Description: The Gateway Inventory page lists the following options both in table and graph form:
- Opening Stock--Total number of unassigned gateways in the beginning of the time period.
- Purchased--Number of gateways purchased during the time period.
- Returned--Number of gateways returned by the tenants to the customer during the time period.
- Assigned--Number of gateways assigned to the tenants during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned)

Parameter: Device Management License
Description: The Device Management License page lists the following options both in table and graph form:
- Opening Stock--Total number of all licenses available in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Parameter: Gateway Foundation License
Description: The Gateway Foundation License page lists the following options both in table and graph form:
- Opening Stock--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Parameter: Gateway Advanced License
Description: The Gateway Advanced License page lists the following options both in table and graph form:
- Opening Stock--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Parameter: Gateway Base License
Description: The Gateway Base License page lists the following options both in table and graph form:
- Opening--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Parameter: Access Points Foundation License
Description: The Access Points Foundation License page lists the following options both in table and graph form:
- Opening Stock--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Parameter: Access Points Advanced License
Description: The Access Points Advanced License page lists the following options both in table and graph form:
- Opening Stock--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Parameter: Switch Foundation License
Description: The Switch Foundation License page lists the following options both in table and graph form:
- Opening Stock--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

Parameter: Switch Advanced License
Description: The Switch Advanced License page lists the following options both in table and graph form:
- Opening Stock--Total number of licenses in the beginning of the time period.
- Purchased--Number of licenses purchased during the time period.
- Returned--Number of licenses returned by the tenants to the customer during the time period.
- Assigned--Number of licenses assigned to the tenants during the time period.
- Expired--Number of licenses that expired during the time period.
- Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

The following table explains the parameters available in Generated Reports.

Table 115: Generated Reports Description

| Parameter | Description |
|---|---|
| Title | Name of the report. |
| Date Run | Time when the report was last run. For Scheduled Reports, this is replaced by Next Run which indicates the time when the report will run in the future. |
| Scope | List of devices or subscription for which the report was run. |
| Report Type | Type of report, currently the only supported value is MSP Inventory. |
| Created by | Email address of the user who created the report. |

The following table explains the parameters available in Scheduled Reports.

Table 116: Scheduled Reports Description

| Parameter | Description |
|---|---|
| Title | Name of the report. |
| Next Run | Time when the report will run in the future. |
| Status | Status of the report, whether scheduled, failed, running, rerun, or waiting. |
| Scope | List of devices or subscription for which the report was run. |
| Report Type | Type of report, currently the only supported value is MSP Inventory. |
| Recurrence | Time period of the scheduled report. |
| Created by | Email address of the user who created the report. |

Creating a Report
The MSP Reports page in Summary view enables you to browse, manage, and create reports. To create a report, perform the following steps:
1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports page is displayed.
3. In the Reports page, click the Summary icon. Click the Create tile. Else, click the Config view and then click the + sign in the Scheduled Reports page. The Infrastructure page is displayed.
4. Under Infrastructure, click Device and Subscription Inventory and then click Next.
5. Under Scope, select All or a combination of the other choices and then click Next:
   - All--Generates a report for all access points, gateways, switches, and subscriptions.
   - Access Points--Generates a report only for access points.
   - Gateways--Generates a report only for gateways.
   - Switches--Generates a report only for switches.
   - Subscriptions--Generates a report only for subscriptions.
6. Under Report period, select one of the following options and then click Next:
   - Last Month
   - Last 3 Months
   - Last 6 Months
   - Custom Range
7. Select one of the recurrent options:
   - One Time (now)
   - One Time (later)
   - Every day
   - Every week
   - Every month
8. For Report Information, enter the title of the report and an email address where the report will be delivered.
9. Select the format as either PDF or CSV.
10. Click Generate.
11. If you select One Time as an option in step 6, the report is available in the Generated view as Generated Reports. If the report is yet to run, the report is available under Scheduled Reports.
Editing a Report
To edit a report, complete the following procedure:
1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports page is displayed.
3. In the Reports page, click the Scheduled view icon. The Scheduled Reports dashboard is displayed.
4. Under Scheduled Reports, select the report you want to edit and then click the edit icon. The Infrastructure page is displayed.
5. Under Scope, select one or a combination of the following choices and then click Next:
   - All--Generates a report for all access points, gateways, switches, and subscriptions.
   - Access Points--Generates a report only for access points.
   - Gateways--Generates a report only for gateways.
   - Switches--Generates a report only for switches.
   - Subscriptions--Generates a report only for subscriptions.
6. Under Report period, select one of the following options and then click Next:
   - Last Month
   - Last 3 Months
   - Last 6 Months
   - Custom Range
7. Select one of the recurrent options:
   - One Time (now)
   - One Time (later)
   - Every day
   - Every week
   - Every month
8. For Report Information, enter the title of the report and an email address where the report will be delivered.
9. Select the format as either PDF or CSV.
10. Click Generate.
11. If you select One Time as an option, the report is available under Generated Reports. If the report is yet to run, the report is available under Scheduled Reports.
Viewing or Downloading a Report
To view or download a report, complete the following procedure:

1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports page is displayed.
3. In the Reports page, click the Generated view icon. The Generated Reports dashboard is displayed.
4. Under Generated Reports, select the report you want to view or download.
   - To view the report online, click the report name.
   - To download the report, click the report and then click the download icon for either the CSV or PDF file.
   - To email the report, click the email to icon.
   - To delete the report, click the delete icon.
Deleting a Report or Multiple Reports
To delete a report or multiple reports, complete the following procedure:
1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports page is displayed.
3. In the Reports page, click the Generated view icon. Reports that are already run are listed under Generated Reports. If any report is yet to run, that report is available under Scheduled Reports.
4. Select the report you want to delete and then click the delete icon. You can select multiple reports to delete.
Firmware Upgrades for MSP Mode
The Firmware menu under Maintenance displays a list of tenant accounts and the status of the devices assigned to the tenant accounts.
Viewing the Firmware Dashboard
1. In the Network Operations app, use the filter to select All Groups.
2. Under Maintain, click Firmware.
3. Select one of the following tabs: Access Points, Switch-MAS, Switch-Aruba, or Gateways.

The Firmware menu displays the Access Points, Switch-MAS, Switch-Aruba, and Gateways tabs that list all the tenants with firmware and compliance status for each of the device types. The following table displays the Firmware dashboard for Access Points; the tables for the other tabs are similar:

Table 117: Firmware Dashboard Parameters for APs Tab

Data Pane Item: Customer Name
Description: Name of the customer.

Data Pane Item: Upgrade Status
Description: Status of the devices associated with the tenant account. This column displays one of the following:
- Upgrading
- Scheduling in progress
- Downloading firmware
- Upgrade successful, ready for reboot
- Upgrade successful and rebooting AP
- Upgrade in process
- Firmware upgrade failed. Please try again.
- Rebooting
- Live upgrade initiating
- Live upgrade initiated

Data Pane Item: Compliance Status
Description: Status of compliance for the tenant. This column indicates the compliance status such as Set, Not Set, or Compliance scheduled on <date and time> for a specific tenant.

Data Pane Item: Manage Firmware Compliance
Description: Enables you to plan upgrades. See Managing Firmware Compliance Based on Tenant Account.

Managing Firmware Compliance Based on Device Tabs
1. In the Network Operations app, use the filter to select All Groups.
2. Under Maintain, click Firmware.
3. Select one of the following tabs: Access Points, Switch-MAS, Switch-Aruba, or Gateways.
4. Click Manage Firmware Compliance at the top right. The Manage Firmware Compliance window opens.
5. Select the firmware version and the time for upgrade.
6. Select Auto Reboot if you want Aruba Central to automatically reboot the device after a successful device upgrade. The Auto Reboot option is not available for Access Points.
7. Select one of the following options as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at a later date and time.
8. Click Save and Upgrade.
9. MSP initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.
Managing Firmware Compliance Based on Tenant Account
1. In the Network Operations app, use the filter to select All Groups.
2. Under Maintain, click Firmware.
3. Select one of the following tabs: Access Points, Switch-MAS, Switch-Aruba, or Gateways.
4. From the dashboard, select one or more customer names and click Continue.
5. The Upgrade <Device Type> Firmware page is displayed.

You can click the check box on the table heading of the tenant details table to include all the tenants listed in the current page for the firmware upgrade. To manually upgrade firmware for specific tenants, select the check box corresponding to the tenant that requires a manual firmware upgrade in the tenant details table. Clicking the Continue button displays the Upgrade <Device Type> Firmware page. The Filter by upgrade status drop-down list disappears when the Update All button is clicked.

6. Perform the following actions:

Table 118: Upgrade <Device Type> Firmware

Component: Firmware Version
Description: The firmware version to which the tenant is required to be upgraded. Aruba Central considers the recommended firmware version as the default if no version is specified in the field.

Component: Auto Reboot
Description: Select this check box to reboot the device automatically after the download of the new version.
NOTE: The Auto Reboot option is not applicable for Instant APs.

Component: Schedule
Description: Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time.
- Now--To set the firmware upgrade to be carried out immediately.
- Later Date--To set the firmware upgrade to take place at a later date and time.
Click the Upgrade button to upgrade the firmware.

Component: Cancel
Description: Click this button to cancel the settings and go back to the Maintenance > Firmware page.

7. The Firmware page also displays the Cancel All button. Click the Cancel All button to cancel the manual firmware upgrade for all the tenants in the MSP mode.

The compliance upgrade settings for the tenants and the tenant devices take precedence over the manual firmware upgrade. The scheduled manual firmware upgrade becomes invalid when you set or schedule the compliance upgrade.

Firmware Upgrade in MSP Through NB API
Aruba Central provides an option to upgrade firmware for all the tenants mapped to the MSP through APIs in Maintenance > API Gateway. To set or get the country code at group level through API:
1. In the Account Home page, click API Gateway.
2. Click the System Apps & Tokens tab and generate a token key.
3. Download and copy the generated token.
4. Click the link displayed in the APIs tab of the API Gateway. The Central Network Management APIs page opens.
5. On the left navigation pane, select Firmware from the URL drop-down list.
6. Paste the token key in the Token field and press enter.
7. In Firmware Management, the following options are displayed:
   - [POST] /firmware/v1/msp/upgrade--Upgrades firmware at the MSP level. To configure the firmware upgrade for all the tenants of a specific device type, enter the following inputs in the corresponding labels of the script:

    {
      "firmware_scheduled_at": 0,
      "device_type": "string",
      "firmware_version": "string",
      "reboot": true,
      "exclude_groups": "string",
      "exclude_customers": "string"
    }

Table 119: Firmware Upgrade at MSP level

| Label | Description |
|---|---|
| Firmware_scheduled_at | The time at which the firmware upgrade must be initiated. The value entered in this field is the count in seconds from the current time. |
| Device_type | The type of device for which the firmware upgrade must be initiated. |
| Firmware_version | The firmware version to which the device is required to be upgraded. Aruba Central takes the recommended firmware version as the default version if no version is specified in the field. |
| Reboot | True or false value to enable or disable the reboot of device once the firmware upgrade build is downloaded. NOTE: The Reboot option is not applicable for Instant APs. |
| Excludegroups | The list of groups to be excluded from firmware upgrade. |
| Exclude_customers | The list of tenants to be excluded from firmware upgrade. |

   - [POST] /firmware/v1/msp/upgrade/customers/{customer_id}--Upgrades firmware at the tenant level. To configure the firmware upgrade for a specific tenant of a specific device type, enter the following inputs in the corresponding labels of the script:

    {
      "firmware_scheduled_at": 0,
      "device_type": "string",
      "firmware_version": "string",
      "reboot": true,
      "exclude_groups": "string"
    }

Table 120: Firmware Upgrade at the Tenant level

| Label | Description |
|---|---|
| Firmware_scheduled_at | The time at which the firmware upgrade must be initiated. The value entered in this field is the count in seconds from the current time. |
| Device_type | The type of device for which the firmware upgrade must be initiated. |
| Firmware_version | The firmware version to which the device is required to be upgraded. Aruba Central takes the recommended firmware version as the default version if no version is specified in the field. |
| Reboot | True or false value to enable or disable the reboot of device once the firmware upgrade build is downloaded. NOTE: The Reboot option is not applicable for Instant APs. |
| Excludegroups | List of groups to be excluded from firmware upgrade. |

- [POST] /firmware/v2/msp/upgrade/cancel--Cancels a scheduled firmware upgrade of devices specified by device_type. Enter the following inputs in the corresponding labels of the script:

{
  "device_type": "string",
  "exclude_groups": "string",
  "exclude_customers": "string"
}

Table 121: Cancel Scheduled Upgrade at MSP Level

| Label | Description |
|---|---|
| Device_type | The type of device for which the firmware upgrade schedule must be canceled. |
| Exclude_groups | List of groups to be excluded while canceling scheduled upgrade. |
| Exclude_customers | List of customer IDs to be excluded while canceling scheduled upgrade. |

- [POST] /firmware/v2/msp/upgrade/customers/{customer_id}/cancel--Cancels a scheduled firmware upgrade of devices specified by device_type for a tenant. Enter the following inputs in the corresponding labels of the script:

{
  "device_type": "string",
  "exclude_groups": "string"
}


Table 122: Cancel Scheduled Upgrade at the Tenant Level

| Label | Description |
|---|---|
| Device_type | The type of device for which the firmware schedule must be canceled. |
| Exclude_groups | List of groups to be excluded while canceling scheduled upgrade. |

The following v1 APIs will be deprecated from the API Gateway and are replaced with their v2 versions:
- [POST] /firmware/v1/msp/upgrade/cancel
- [POST] /firmware/v1/msp/upgrade/customers/{customer_id}/cancel
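A pre-flight check for these calls, as an added example that is not Aruba's code: it builds the method, path and body for the four endpoints above and rejects any key the page does not list for that endpoint, so a misspelled exclusion key cannot go out unnoticed. The `IAP` device-type value, the requirement that `device_type` be present and the strict typing are assumptions; sending the request (base URL, authentication) is left out.

```python
from urllib.parse import quote

# Paths and body keys as listed on this page. Cancel uses the v2 paths because
# the v1 cancel paths are being deprecated.
_UPGRADE = {"firmware_scheduled_at", "device_type", "firmware_version",
            "reboot", "exclude_groups"}
_CANCEL = {"device_type", "exclude_groups"}
ENDPOINTS = {
    ("upgrade", "msp"): ("/firmware/v1/msp/upgrade",
                         _UPGRADE | {"exclude_customers"}),
    ("upgrade", "tenant"): ("/firmware/v1/msp/upgrade/customers/{customer_id}",
                            _UPGRADE),
    ("cancel", "msp"): ("/firmware/v2/msp/upgrade/cancel",
                        _CANCEL | {"exclude_customers"}),
    ("cancel", "tenant"): ("/firmware/v2/msp/upgrade/customers/{customer_id}/cancel",
                           _CANCEL),
}

# Types follow the sample bodies on the page (exclude_* are shown as strings).
FIELD_TYPES = {
    "firmware_scheduled_at": int,
    "device_type": str,
    "firmware_version": str,
    "reboot": bool,
    "exclude_groups": str,
    "exclude_customers": str,
}

# Assumed device_type value for Instant APs; the page does not list the values.
INSTANT_AP_TYPE = "IAP"


def build_request(action, scope, body, customer_id=None):
    """Return (method, path, body) for one firmware call, or raise on bad input."""
    if (action, scope) not in ENDPOINTS:
        raise ValueError(f"unknown action/scope: {action}/{scope}")
    path, allowed = ENDPOINTS[(action, scope)]

    # A key the endpoint does not list (a typo, or exclude_customers sent to a
    # tenant-level path) is refused instead of being sent and possibly ignored.
    unknown = sorted(set(body) - allowed)
    if unknown:
        raise ValueError(f"keys not accepted by {path}: {unknown}")
    if not body.get("device_type"):
        raise ValueError("device_type is required")  # assumption, see lead-in

    for key, value in body.items():
        # type() rather than isinstance(): True must not pass as an integer.
        if type(value) is not FIELD_TYPES[key]:
            raise TypeError(f"{key} must be {FIELD_TYPES[key].__name__}")
    if body.get("firmware_scheduled_at", 0) < 0:
        raise ValueError("firmware_scheduled_at is a count of seconds from now")

    if scope == "tenant":
        if not customer_id:
            raise ValueError("tenant scope needs a customer_id")
        # Percent-encode so the id cannot add or change path segments.
        path = path.format(customer_id=quote(str(customer_id), safe=""))
    elif customer_id is not None:
        raise ValueError("customer_id is only used with tenant scope")

    checked = dict(body)
    if checked["device_type"] == INSTANT_AP_TYPE:
        # The Reboot option is not applicable for Instant APs.
        checked.pop("reboot", None)
    return "POST", path, checked


if __name__ == "__main__":
    # Constructed sample input: upgrade Instant APs in one hour, skip one tenant.
    print(build_request("upgrade", "msp", {
        "device_type": "IAP",
        "firmware_scheduled_at": 3600,
        "exclude_customers": "CUSTOMER_ID_PLACEHOLDER",
    }))
    print(build_request("cancel", "tenant", {"device_type": "IAP"},
                        customer_id="CUSTOMER_ID_PLACEHOLDER"))
```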
Order of Precedence For Compliance
The devices in the MSP mode inherit the compliance set in the following order of precedence from highest to lowest:
- Group level
- Tenant level
- MSP level
The devices in MSP mode exhibit the following behavior related to compliance settings:
- The compliance set at the group level overrides the compliance set at the tenant level or MSP level. If there is no compliance at the group level, the devices in the group inherit the compliance configured at the tenant level.
- The compliance set at the tenant level overrides the compliance set at the MSP level. If there is no compliance at the tenant level and group level, the tenant devices inherit the compliance configured at the MSP level.

Customizing the Portal in MSP Mode
The Portal Customization page enables you to customize the look and feel of the user interface and the email notifications sent to the customers and users. For example, you can use your company logo in the user interface and company address in the email notifications sent to the customers or users.


Figure 131 Customizing the Portal in the Network Operations App
To customize the look and feel of the portal, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Portal Customization.
3. The Portal Customization page is displayed.
4. Under Customization, configure the following information:
   - Product Name--Name of the product.
   - Provider Name--Name of the company.
   - Contact Link--The URL to the company website that shows the contact address of the company.
   - Sender Email Address--The email address from which the notifications are sent.
   - Mailing Address--The postal address of the company.
   - Service Link--The URL to the company website showing the service related information.
   - Terms and Conditions Link--The URL to the company website listing the terms and conditions.
5. If you want to customize the logo of your portal, click Skinning.
6. Browse to your local directory and upload the logo image.
7. Click Save Settings.
The customized logo is displayed in the following pages:
- Tenant account--All the apps and pages applicable to the tenant. For more information about tenant accounts, see Provisioning Tenant Accounts.

Figure 132 Sample Logo for a Customer Account

- Email invite--Email invite sent while adding a new user. The email contains the registration link. For more information about adding a new user, see Adding a Custom Role in MSP Account Home.
MSP Deployment Models
The MSP mode supports multiple configuration constructs such as UI groups, template groups, local overrides, and so on. This section describes various MSP deployment models using examples. MSP supports the following deployment models:
- MSP Owns Devices and Subscriptions (Deployment Model 1)
- End-Customer Owns Both Devices and Subscriptions But MSP Manages (Deployment Model 2)
- Hybrid MSP Deployment Model (Deployment Model 3)
MSP Owns Devices and Subscriptions (Deployment Model 1)
In this model, the MSP offers Network as a Service (NaaS). The MSP owns both the devices and subscriptions. The MSP acquires end-customers and manages the end-customer's network. The MSP temporarily assigns devices and subscriptions to end-customers for the duration of the managed service contract. Once the contract ends, the devices and the subscriptions are returned back to the MSP's common pool of resources and can be reassigned to another end-customer.
Setup and Provisioning
After the MSP purchases the devices and subscriptions, the MSP administrator has to do the following:
- Set up the Aruba Central account.
- Onboard devices.
- Assign device subscriptions and network services subscriptions.


MSPs can provide Network as a Service to end-customers using Aruba Central MSP mode capabilities. Aruba Central provides simplified provisioning. The Overview > Dashboard page under Manage in the MSP view allows you to add, view, edit, and delete tenant accounts. After adding a device, the MSP administrator must map the device to the tenant account for device management and monitoring operations. After you create a tenant account, you can map the tenant to a group. The group associated to the tenant account in the MSP mode shows up as the default group for tenant account users. In the MSP mode, all configuration changes made to the group associated to the tenant account are applied to the default group on the tenant account.
Customizing the Portal
MSPs can customize their Aruba Central MSP portal and guest splash pages by uploading their own logo. The Portal Customization pane allows you to customize the look and feel of the user interface and the email notifications sent to customers and users. Aruba Central also allows MSPs to localize various pages to support a diverse customer market.
Monitoring and Reporting
Using the MSP Dashboard, MSPs can monitor and observe trends on end-customer networks. MSPs can do the following from the MSP Dashboard:
- View total number of tenant accounts and consolidated device inventory and subscription status.
- View graphs representing the devices under management, tenant accounts added, and subscription renewal schedule.
- Navigate to each tenant account.
Managing Firmware and Maintenance
MSPs can streamline and automate end-customer's network management while maintaining complete control. MSPs can perform one-click firmware updates or schedule specific updates, manage user accounts across end-customers with different levels of access and tag devices with labels to simplify firmware management and configuration.
Example Deployment Scenario
In this scenario, an MSP is offering the following wireless management services:
- WiFiConnectGo--In this program, for a monthly fee per Instant AP, customers who are part of this program agree to broadcast the MSP's free public WiFi SSID WiFiConnectGo. Customers can add up to 15 additional custom SSIDs, including guest, of their own. Tenant account administrators are responsible for configuring any additional SSIDs and ongoing monitoring and maintenance. The MSP is responsible for installing and bringing up the Instant AP only.
- WiFiConnectGo-Plus--In this program, for an additional monthly fee per Instant AP, customers who are part of this program need not broadcast the free public WiFi SSID WiFiConnectGo. Customers can add up to 15 custom SSIDs, including guest, of their own. The MSP is responsible for installing Instant APs, configuring custom SSIDs, and ongoing monitoring and maintenance.
Configuring WiFiConnectGo Using Default UI Groups
Use this deployment model if your customer deployments are identical. UI groups support an inheritance model from MSP to tenant. As shown in the following figure, MSP uses MSP UI groups to push SSID configuration to the default group in each tenant account. Tenants can choose to add additional custom SSIDs to the default group. All sites are mapped to the same default group.

Figure 133 MSP Deployment Using Default UI Groups

Configuring WiFiConnectGo-Plus Using User-Defined UI Groups
Use this deployment model if your customer deployments are unique and if you wish to use the Aruba Central user interface for configuring. UI groups support an inheritance model from MSP to tenant.
As shown in the following figure, each tenant has their own custom SSID configuration. In this scenario, the MSP administrator can create separate user-defined UI groups for each tenant. Sites with a common SSID are mapped to the same UI group. MSP administrators can use the available UI group APIs to add, modify, or remove allowed wireless configuration options.


Figure 134 MSP Deployment Using User-Defined UI Groups
Configuring WiFiConnectGo-Plus Using Template Groups
As shown in the following figure, one template group is defined for each tenant and all devices are associated to the same group. Using the if/else conditional statements, you can push SSIDs to Instant APs selectively. MSP administrators can use the template and variable APIs to add, modify, or remove any wireless configuration. You can use this deployment model if you wish to automate your customer deployments using Aruba CLIs and Aruba Central APIs.

Figure 135 MSP Deployment Using Template Groups

End-Customer Owns Both Devices and Subscriptions But MSP Manages (Deployment Model 2)
In this deployment model, the account type must be Standard Enterprise Mode. Aruba recommends that you contact your Aruba Central sales representative or the Aruba Central Support team if you are an MSP proposing this model to your end-customer.
In this model, the end-customer owns both the devices and subscriptions, but the MSP manages the end-customer's network. The end-customer can be one of the following:
- An existing Aruba customer who owns Aruba devices, but does not have an Aruba Central account.
- An existing Aruba customer who owns Aruba devices and is managing the network using Aruba Central.
In this model, to manage end-customer-owned devices and subscriptions, the MSP can use the Aruba Central Standard Enterprise mode. The MSP need not create an Aruba Central account of their own, but can instead add their (MSP) administrator to the end-customer's Aruba Central account. The MSP administrator will only have access to each end-customer account.
Setup and Provisioning
The end-customer purchases the devices and subscriptions. The end-customer contacts the MSP to manage the network. As the devices and subscriptions are owned by the end-customer, the MSP uses the Aruba Central Standard Enterprise mode to set up and provision the tenant account.


The MSP has to request the end-customer to add the MSP administrator to their Aruba Central account. The MSP administrator can use the Switch Customer option to switch between end-customer accounts.
Monitoring and Reporting
As the MSP is not using the MSP mode, there is no single pane view of end-customer accounts managed by the MSP. The MSP has to monitor each end-customer individually. The MSP administrator has to use the Aruba Central Standard Enterprise mode to monitor the end-customer network.
Managing Firmware and Maintenance
The MSP has to use the Firmware menu under Maintain to view the latest supported firmware version of the device, details of the device, and the option to upgrade the device. The MSP administrator has to manage software upgrades for each end-customer individually.
Example Deployment Scenario
In this scenario, an MSP has to configure Instant APs and manage end-customer networks at two different sites. The following are the site details:
Site 1
Location: University Ave, Berkeley, CA
SSID Name: "WiFi_CE"
Security: WPA2-PSK
SSID Password: "password@123"
VLAN: 20
Site 2
Location: University Ave, Berkeley, CA
SSID Name: "WiFi_CE"
Security: WPA2-PSK
SSID Password: "password@123"
VLAN: 40
Considering the requirements, each site needs two Instant APs. The only difference between the sites is the VLAN ID.
Deployment Using User-Defined UI Groups
The MSP can configure Instant APs at both sites using user-defined UI groups. As the Wi-Fi configuration per site is different, one UI group must be created for each site. For each site, the tenant account administrator has to do the following:
1. Create a new UI group for each site.
2. Configure the UI group with Wi-Fi settings specific to each site.
3. Map the Instant APs in each site to the respective UI group.
Points to Note:
- One user-defined UI group is created for each site.
- For any new site with a different VLAN ID, the tenant account administrator must create a new UI group.
- If a configuration change is required at all sites, the tenant account administrator must manually edit each UI group as each group is independent of the other. For example, to change the Wi-Fi SSID name from WiFi_CE to WiFi_Secure_CE, the tenant account administrator must edit each UI group.
Deployment Using Template Groups
The MSP can configure Instant APs at both sites using template groups. The tenant account administrator can create a single template group for both sites with a variable file that differentiates the VLAN setting per device.
Template groups are not supported at the MSP level. However, template groups can be defined and managed at each tenant account individually.
For both sites, the tenant account administrator has to do the following:
1. Create one tenant template group.
2. Configure the newly created template group by uploading a base configuration with the WiFi_CE setting and a variable for the SSID VLAN.
3. Upload a variable file with unique entries for each Instant AP. For the Instant APs part of Site 1, the VLAN variable value is 20. For the Instant APs part of Site 2, the VLAN variable value is 40.
4. Map Site 1 and Site 2 Instant APs to the common template group.
Points to Note:
- One tenant template group is created for both sites.
- For every additional site with a different VLAN ID, the same template group can be used with a modified variable file.
- If a configuration change is required at all sites, the common template group can be updated and pushed to all sites. For example, to change the Wi-Fi SSID name from WiFi_CE to WiFi_Secure_CE, the tenant account administrator can edit the common template group and push the configuration changes to all sites.
Hybrid MSP Deployment Model (Deployment Model 3)
In this model, Aruba Central supports a hybrid deployment model for the MSP. The MSP can use the following deployment models in conjunction to manage the end-customers' network:
- MSP Owns Devices and Subscriptions (Deployment Model 1)--The MSP owns both the devices and subscriptions. The MSP acquires the tenants and uses the Aruba Central MSP mode to manage the tenant's network and monitors multiple tenant accounts using the MSP Dashboard.
- End-Customer Owns Both Devices and Subscriptions But MSP Manages (Deployment Model 2)--The MSP manages end-customer's network in which the end-customer owns both the devices and subscriptions. The MSP uses the Aruba Central Standard Enterprise mode to manage the network and the MSP administrator uses the Switch Customer option to navigate between different end-customer accounts.
In this deployment model, if the end customer owns both devices and subscriptions, the account type must be Standard Enterprise Mode. Aruba recommends that you contact your Aruba Central sales representative or the Aruba Central Support team if you are an MSP proposing this model to your end-customer.


Frequently Asked Questions
How do I create an Aruba Central MSP account?
As MSP mode is an operational mode of the Network Operations app which is one of the apps in Aruba Central, the first step to create an MSP account is to create an Aruba Central account, subscribe only to the Network Operations app, and then enable Managed Service Mode.
- Sign up for Aruba Central evaluation here.
- Enable MSP mode.
Should tenants sign up for an Aruba Central account as well?
No. With MSP mode enabled, the MSP administrator manages the creation and deletion of tenant accounts. After a tenant account is created, the MSP administrator can add tenant users to the account. To create a tenant user, the MSP administrator must provide a valid email address for the user. A verification email is sent to this email address. Tenant users have access to their individual tenant account only. Tenant users do not have access to other tenant accounts managed by the MSP.
Who owns the hardware and subscriptions?
In the MSP mode, all the hardware and subscriptions are owned by the MSP. The MSP temporarily assigns devices and their corresponding subscriptions to tenants for the duration of the managed service contract. When the contract ends, the devices and the subscriptions are returned back to the common pool of resources of the MSP and can be reassigned to another tenant.
Can existing Aruba Central customers migrate to an MSP account?
End customers who own their own devices and subscriptions cannot transfer ownership of the devices to an MSP. However, the MSP administrator can manage the end customer network.
What are the supported devices and architectures?
MSP supports all devices and architectures supported by Aruba Central. See Supported APs and Supported Switches. Aruba Central supports wireless, wired, and SD-WAN deployments, either independently or in combination. For example, as an MSP, you can manage the following combinations:
- Customer environments having a wireless deployment.
- Customer environments having both wired and wireless deployments.
- Customer environments having an SD-WAN deployment.
Aruba Central does not support managing gateways at the MSP level. However, gateways can be configured and managed at the tenant account level.
Which group is the default group for the tenant account?
The MSP group associated to the Tenant account shows up as the default group for Tenant account users. All configuration changes made to the "MSP group" associated to the "Tenant account" are applied to the default group on the Tenant account.
What are predefined user roles?
The Users & Roles tile under Global Settings in the Account Home page allows you to configure the following types of users with system-defined roles:

| User Role | Standard Enterprise Mode | MSP Mode |
|---|---|---|
| admin | Has full access to all devices. Can provision devices and enable access to application services. Can create or update users, groups, and labels. | Has full access to tenant accounts. Can create, modify, provision, and manage tenant accounts. |
| readwrite | Has access to the groups and devices assigned in the account. Can add, modify, configure, and delete a device in the account. | Can access and modify tenant accounts. |
| readonly | Can view the groups and devices. Can view generated reports. | Can view tenant accounts. |
| guestoperator | Can access and modify cloud guest splash page profiles. Can configure visitor accounts for the cloud guest splash page profiles. | Can access and modify cloud guest splash page profiles. Can configure visitor accounts for the cloud guest splash page profiles. |

What are custom user roles?
Along with the predefined user roles, Aruba Central allows you to create custom roles with specific security requirements and access control. However, only the users with the administrator role and privileges can create, modify, clone, or delete a custom role in Aruba Central. With custom roles, you can configure access control at the application level and specify access rights to view or modify specific application services or modules. For example, you can create a custom role that allows access to specific applications like Guest Access or network management and assign it to a user. You can create a custom role with specific access to MSP modules. The MSP application allows users with administrator role and privileges to define user access to MSP modules such as Customer Management and Portal Customization. The MSP tenant account user does not have access to the MSP application. Even if a tenant account user is assigned a custom role having MSP application privileges, the tenant account user will not have access to the MSP application and MSP will not appear in the Global Settings > Users & Roles > Roles > Allowed Applications list.
What tasks can be performed by an MSP user and tenant user?
In the MSP mode, MSP users have a superset of administration options compared to tenant users. An MSP administrator can perform the following administrative tasks:
- Tenant account management.
- Device and subscription management across all tenants.
- Monitoring and event management across all tenants.
- Configuration management across all tenants.
- User management across all tenants.
- API management for the MSP and across all tenants.

A tenant account administrator can perform the following administrative tasks for their respective tenant account only:
- Monitoring and event management.
- Configuration management.
- User management.
- API management.

Chapter 8 Instant APs

Instant APs
Instant APs offer an enterprise-grade networking solution with a simple setup. The WLAN solution with Instant APs supports simplified deployment, configuration, and management of Wi-Fi networks. Instant APs run the Aruba Instant software that virtualizes Aruba Mobility Controller capabilities on 802.11 APs and offers a feature-rich enterprise-grade Wi-Fi solution. Instant APs are often deployed as a cluster. An Instant AP cluster includes a conductor AP and a set of other APs that act as member APs. In an Instant deployment scenario, only the first AP or the conductor AP that is connected to a provisioning network is configured. All other Instant APs in the same VLAN join the conductor AP and inherit the configuration changes. The Instant AP clusters are configured through a common interface called Virtual Controller. A Virtual Controller represents the combined intelligence of the Instant APs in a cluster.
Supported Deployment Modes
Aruba Instant APs can be deployed in the following modes in Aruba Central:
- Cluster mode--In this mode, several Instant APs form a cluster when connected to a provisioning network and a conductor Instant AP is elected. In the cluster mode, a new Instant AP onboarded to Aruba Central can join an existing Instant AP cluster.
- Standalone mode--In this mode, individual Instant APs are provisioned in groups and managed from Aruba Central.
Configuration and Management
Network administrators can manage Instant APs through the Aruba Instant UI, Aruba Central, or AirWave management system. For information on how to configure Instant APs using the Aruba Instant UI, see the Aruba Instant User Guide. For more information on how to deploy, provision, manage, and monitor Instant APs from Aruba Central, see the following topics:
- Supported Instant APs
- Provisioning Instant APs
- Configuring Device Parameters
- Configuring Network Profiles on Instant APs
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring ARM and RF Parameters on Instant APs
- Configuring IDS Parameters on APs
- Configuring Authentication and Security Profiles on Instant APs
- Configuring Instant APs for VPN Services
- Configuring DHCP Pools and Client IP Assignment Modes on Instant APs
- Configuring Services
- Configuring Uplink Interfaces on Instant APs
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Opening a Remote Console
- Mapping Instant AP Certificates
- Configuring APs Using Templates
- Managing Variable Files
- Viewing APs Configuration Tabs

Supported Instant APs
The following table lists the Instant AP platforms, the installation mode, the minimum supported Aruba Instant software versions, and the Instant APs supporting power draw:

Table 123: Supported Instant AP Platforms

| Instant AP Platform | Installation Mode | Minimum Supported Aruba Instant Software Version | Power Draw Support |
|---|---|---|---|
| AP-567EX | Outdoor | Aruba Instant 8.7.1.0 | No |
| AP-567 | Outdoor | Aruba Instant 8.7.1.0 | Yes |
| AP-565EX | Outdoor | Aruba Instant 8.7.1.0 | No |
| AP-565 | Outdoor | Aruba Instant 8.7.1.0 | Yes |
| AP-503H | Indoor | Aruba Instant 8.7.1.0 | Yes |
| AP 577EX | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-577 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-575EX | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-575 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-574 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP 518 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-505H | Indoor | Aruba Instant 8.7.0.0 | Yes |
| AP-505 | Indoor | Aruba Instant 8.6.0.0 | Yes |
| AP-504 | Indoor | Aruba Instant 8.6.0.0 | Yes |
| AP-555 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP-535 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP 534 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP 515 | Indoor | Aruba Instant 8.4.0.0 | Yes |
| AP-514 | Indoor | Aruba Instant 8.4.0.0 | Yes |
| AP-387 | Outdoor | Aruba Instant 8.4.0.0 | Yes |
| AP-303P | Indoor | Aruba Instant 8.4.0.0 | No |
| AP-377EX | Outdoor | Aruba Instant 8.3.0.0 | No |
| AP-377 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-375EX | Outdoor | Aruba Instant 8.3.0.0 | No |
| AP-375 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-374 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-345 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-344 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-318 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-303 | Indoor | Aruba Instant 8.3.0.0 | No |
| AP-203H | Indoor | Aruba Instant 6.5.3.0 | No |
| AP-367 | Outdoor | Aruba Instant 6.5.2.0 | No |
| AP-365 | Outdoor | Aruba Instant 6.5.2.0 | No |
| AP-303HR | Indoor | Aruba Instant 6.5.2.0 | No |
| AP-303H | Indoor | Aruba Instant 6.5.2.0 | Yes |
| AP-203RP | Indoor | Aruba Instant 6.5.2.0 | No |
| AP-203R | Indoor | Aruba Instant 6.5.2.0 | No |
| IAP-305 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | Yes |
| IAP-304 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | Yes |
| IAP-207 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | No |
| IAP-335 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-334 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-315 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | No |
| IAP-314 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-325 | Indoor | Aruba Instant 6.4.4.3-4.2.2.0 | No |
| IAP-324 | Indoor | Aruba Instant 6.4.4.3-4.2.2.0 | No |
| IAP-277 | Outdoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-228 | Indoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-205H | Indoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-215 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-214 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-205 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-204 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-275 | Outdoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-274 | Outdoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-103 | Indoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-225 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-224 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-115 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-114 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| RAP-155P | Indoor | Aruba Instant 6.2.1.0-3.3.0.0 | No |
| RAP-155 | Indoor | Aruba Instant 6.2.1.0-3.3.0.0 | No |
| RAP-109 | Indoor | Aruba Instant 6.2.0.0-3.2.0.0 | No |
| RAP-108 | Indoor | Aruba Instant 6.2.0.0-3.2.0.0 | No |
| RAP-3WN | Indoor | Aruba Instant 6.1.3.1-3.0.0.0 | No |
| RAP-3WNP | Indoor | Aruba Instant 6.1.3.1-3.0.0.0 | No |

- RAP-155, RAP-155P, IAP-214, IAP-215, IAP-224, IAP-225, IAP-228, IAP-274, IAP-275, and IAP-277 IAPs are no longer supported from Aruba Instant 8.7.0.0 onwards.
- IAP-103, RAP-108, RAP-109, IAP-114, IAP-115, IAP-204, IAP-205, and IAP-205H IAPs are no longer supported from Aruba Instant 8.3.0.0 onwards.
- By default, AP-318, AP-374, AP-375, and AP-377 IAPs have Eth1 as the uplink port and Eth0 as the downlink port. Aruba does not recommend upgrading these IAPs to Aruba Instant 8.5.0.0 or 8.5.0.1 firmware versions, as the upgrade process changes the uplink port from Eth1 to Eth0, thereby making the devices unreachable.
- For more information about Aruba's End-of-life policy and the timelines for hardware and software products at the end of their lives, see: https://www.arubanetworks.com/support-services/end-of-life/.
- Data sheets and technical specifications for the supported AP platforms are available at: https://www.arubanetworks.com/products/networking/access-points/.
Provisioning Instant APs
The following figure illustrates the procedure for bringing up Instant APs and configuring a basic WLAN setup. To view a detailed description of the tasks, click the task link in the flowchart. The UI-based provisioning of APs is available for Foundation and Advanced licenses for APs.
When you click a task in the flowchart, the linked topic opens in a pop-up window. After you browse through the topic, click outside the pop-up window to return to this page.


Figure 136 Getting Started--Instant APs
Configuring APs Using Templates
Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AP deployments. The template-provisioning of APs is available for Foundation and Advanced licenses for APs. To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that the device administrators familiarize themselves with the CLI configuration commands available on Aruba APs. For template-based provisioning, APs must be assigned to a group with template-based configuration method enabled. To create a template for the APs in a template group, complete the following steps:

1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure APs in a template group are displayed.
4. In the Templates table, click + to add a new template. The Add Template window is displayed.
5. Under Basic Info, enter the following information:
   a. Template Name--Enter the template name.
   b. Model--Set the model parameter to ALL.
   c. Version--Set the model parameter to ALL.
6. Under Template, add the CLI script content.
7. Check the following guidelines before adding content to the template:
   - Ensure that the command text indentation matches the indentation in the running configuration.
   - The template allows multiple per-ap-settings blocks. The template must include the per-ap-settings %_sys_lan_mac% variable. The per-ap-settings block uses the variables for each AP. The general VC configuration uses variables for conductor AP to generate the final configuration from the provided template. Hence, Aruba recommends that you upload all variables for all devices in a cluster and change values as required for individual AP variables.
   - You can obtain the list of variables for per-ap-settings by using the show amp-audit command. The following example shows the list of variables for per-ap-settings.

(Instant AP)# show amp-audit | begin per-ap
per-ap-settings 70:3a:0e:cc:ee:60
 hostname EE:60-335-24
 rf-zone bj-qa
 ip-address 10.65.127.24 255.255.255.0 10.65.127.1 10.65.6.15 ""
 swarm-mode standalone
 wifi0-mode access
 wifi1-mode access
 g-channel 6+ 21
 a-channel 140 26
 uplink-vlan 0
 g-external-antenna 0
 a-external-antenna 0
 ap1x-peap-user peap22 282eaf1077b8d898b91ec41b5da19895
The commands in the template are case-sensitive.
IF ELSE ENDIF conditions are supported in the template. If the template text includes the if condition, the % sign is required at the beginning and the end of the text. For example, %if guest%. The following example shows the template text with the IF ELSE ENDIF condition.

wlan ssid-profile %ssid_name%
 %if disable_ssid=true%
 disable-ssid
 %endif%
 %if ssid_security=wpa2%
 opmode wpa2-aes
 %else%
 opmode opensystem
 %endif%
Templates also support nesting of the IF ELSE ENDIF condition blocks. The following example shows how to nest such blocks:

%if condition1=true%
routing-profile
 route 10.10.0.0 255.255.255.0 10.10.0.255
%if condition2=true%
routing-profile
 route 10.20.0.0 255.255.255.0 10.20.0.255
%else%
routing-profile
 route 10.30.0.0 255.255.255.0 10.30.0.255
%endif%
%else%
routing-profile
 route 10.40.0.0 255.255.255.0 10.40.0.255
%if condition3=true%
routing-profile
 route 10.50.0.0 255.255.255.0 10.50.0.255
%else%
routing-profile
 route 10.60.0.0 255.255.255.0 10.60.0.255
%endif%
%endif%
In profile configuration CLI text (for example, vlan, interface, access-list, ssid, and so on), the first command must start with no white space. The subsequent local commands in the given profile must start with at least one initial space (' ') or be indented, as shown in the following examples:

Example 1

vlan 1
 name "vlan1"
 no untagged 1-24
 ip address dhcp-bootp
 exit

Example 2

%if vlan_id1%
vlan %vlan_id1%
 %if vlan_id1=1%
 ip address dhcp-bootp
 %endif%
 no untagged %_sys_vlan_1_untag_command%
 exit
%endif%
To comment out a line in the template text, use the pound sign (#). Any template text preceded by # is ignored when processing the template.
To allow or restrict APs from joining the Instant AP cluster, Aruba Central uses the _sys_allowed_ap system-defined variable. Use this variable only when allowed APs configuration is enabled. For example, _sys_allowed_ap: "a_mac, b_mac, c_mac". Use this variable only once in the template.
8. Click OK.
- The variables configured for the Instant AP devices functioning as the VCs are replaced with the values configured at the template level.
- If any device in the cluster has any missing variables, the configuration push to those AP devices in the cluster fails. The audit trail for such instances shows the missing variables.
- You can configure the RF zone for an AP by adding the rf-zone %rfzone% variable in the template. Similarly, you can add the wifi0-mode %wifi0-mode% variable to configure a Wi-Fi0 interface of an AP to function in the access, monitor, or spectrum monitor mode.
Sample Template
The following example shows the typical contents allowed in a template file for APs:

virtual-controller-country %countrycode%
virtual-controller-key d2d8c79e010af35667dae85f950cf144b476ab4beba9ce5696
organization %org%
name %VCname%
virtual-controller-ip %vcip%
terminal-access
clock time zone none 00 00
rf-band all

allow-new-aps
allowed-ap 38:17:c3:cd:34:ca

hash-mgmt-password
hash-mgmt-user admin password cleartext public

syslog-level debug
syslog-level warn ap-debug

arm
 wide-bands none
 a-channels 44,44+,40,36
 g-channels 13,1+
 min-tx-power 15
 max-tx-power 127
 band-steering-mode prefer-5ghz
 air-time-fairness-mode fair-access
 channel-quality-aware-arm-disable
 client-match
 client-match nb-matching 55
 client-match calc-interval 5
 client-match slb-mode 2

wlan access-rule default_wired_port_profile
 index 0
 rule any any match any any any permit

wlan access-rule wired-SetMeUp
 index 1
 rule masterip 0.0.0.0 match tcp 80 80 permit
 rule masterip 0.0.0.0 match tcp 4343 4343 permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit

wlan access-rule %ssid_name%
 index 2
 rule any any match any any any permit

wlan ssid-profile %ssid_name%
 %if disable_ssid=true%
 disable-ssid
 %endif%
 %if ssid_security=wpa2%
 opmode wpa2-aes
 %else%
 opmode opensystem
 %endif%
 type employee
 essid %ssid_name%
 wpa-passphrase %pw%
 max-authentication-failures 0
 auth-server InternalServer
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter arp
 denylist
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64
 okc

%if condition1=true%
routing-profile
 route 10.10.0.0 255.255.255.0 10.10.0.255
%if condition2=true%
routing-profile
 route 10.20.0.0 255.255.255.0 10.20.0.255
%else%
routing-profile
 route 10.30.0.0 255.255.255.0 10.30.0.255
%endif%
%else%
routing-profile
 route 10.40.0.0 255.255.255.0 10.40.0.255
%if condition3=true%
routing-profile
 route 10.50.0.0 255.255.255.0 10.50.0.255
%else%
routing-profile
 route 10.60.0.0 255.255.255.0 10.60.0.255
%endif%
%endif%

wired-port-profile wired-SetMeUp
 switchport-mode access
 allowed-vlan all
 native-vlan guest
 no shutdown
 access-rule-name wired-SetMeUp
 speed auto
 duplex auto
 no poe
 type guest
 captive-portal disable
 no dot1x

wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 captive-portal disable
 no dot1x

enet0-port-profile default_wired_port_profile
enet1-port-profile wired-SetMeUp

uplink
 preemption
 enforce none
 failover-internet-pkt-lost-cnt 10
 failover-internet-pkt-send-freq 30
 failover-vpn-timeout 180

cluster-security
 allow-low-assurance-devices

per-ap-settings %_sys_lan_mac%
 hostname %hostname%
 rf-zone %rfname%
 swarm-mode %mode%
 wifi0-mode %wifi0mode%
 wifi1-mode %wifi1mode%
 g-channel %gch% %gtx%
 a-channel %ach% %gtx%
Password Management in Configuration Templates for AP
In Aruba Central, the AP management user passwords are stored and displayed as hash instead of plain text. Password for an AP can be set using the following commands:
mgmt-user <user-name> <password>
mgmt-user <user-name> <password> guest-mgmt
mgmt-user <user-name> <password> read-only
The mgmt-user commands are used for APs running firmware versions below Aruba InstantOS 4.3.
The hash-mgmt-user command is enabled by default on the APs provisioned in the template and UI groups. If a pre-configured AP joins Aruba Central and is moved to a new group, Aruba Central uses the hash-mgmt-user configuration settings and discards mgmt-user configuration settings, if any, on the AP. In other words, Aruba Central hashes management user passwords irrespective of the management user configuration settings running on an AP.

The mgmt-user commands can only be used for APs running firmware versions equal to or above Aruba InstantOS 4.3.
Password for AP can be set using the following hash-mgmt-user commands:
hash-mgmt-user <user-name> password hash <hash-password>
hash-mgmt-user <user-name> password cleartext <cleartext-password>
hash-mgmt-user <user-name> password hash <hash-password> usertype read-only
hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype read-only
hash-mgmt-user <user-name> password hash <hash-password> usertype guest-mgmt
hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype guest-mgmt
hash-mgmt-user <user-name> password hash <hash-password> usertype local
hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype local

- Aruba Central supports the use of hash commands with clear text; however, Aruba recommends that you use hash passwords instead of clear text passwords to avoid password disclosures.
- Aruba Central allows you to re-use the hash from one AP on another AP.
- All AP templates must include a password command to set a password for the device. The template cannot be saved without adding a password command. If the configuration that is pushed from Aruba Central to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed will not contain the password command. For more information, see Managing Password in Configuration Templates.
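The template guidelines and the password rules above can be checked before a template is uploaded. The following linter is an added example, not Aruba code: the finding codes, the variables %admin_hash%, %admin_pw% and set_admin, and the placement of %_sys_allowed_ap% on a line of its own are assumptions made for illustration.

```python
import re

# Directive lines in the form the guide shows: %if cond%, %else%, %endif%.
DIRECTIVE = re.compile(r"^%(if\s+[^%]+|else|endif)%$")
# Commands are case-sensitive, so the patterns match lower case only.
PASSWORD_CMD = re.compile(r"^(hash-)?mgmt-user\s+\S+\s+\S+")
CLEARTEXT_CMD = re.compile(r"^hash-mgmt-user\s+\S+\s+password\s+cleartext\s+\S+")
PER_AP_CMD = "per-ap-settings %_sys_lan_mac%"


def lint_template(text):
    """Return (code, line_number, message) findings; line 0 means whole template."""
    findings = []
    open_ifs = []               # line numbers of %if% blocks still open
    unconditional_pw = False    # a password command outside every %if% block
    conditional_pw_line = None  # first password command inside an %if% block
    allowed_ap_lines = []
    has_per_ap = False

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue            # text preceded by '#' is ignored by the processor
        directive = DIRECTIVE.match(line)
        if directive:
            keyword = directive.group(1).split()[0]
            if keyword == "if":
                open_ifs.append(lineno)
            elif not open_ifs:
                findings.append(("E_UNBALANCED", lineno,
                                 "%" + keyword + "% has no open %if%"))
            elif keyword == "endif":
                open_ifs.pop()
            continue
        if "_sys_allowed_ap" in line:
            allowed_ap_lines.append(lineno)
        if line.startswith(PER_AP_CMD):
            has_per_ap = True
        if PASSWORD_CMD.match(line):
            if open_ifs:
                conditional_pw_line = conditional_pw_line or lineno
            else:
                unconditional_pw = True
            if CLEARTEXT_CMD.match(line):
                findings.append(("W_CLEARTEXT", lineno,
                                 "cleartext password; use 'password hash'"))

    for lineno in open_ifs:
        findings.append(("E_UNBALANCED", lineno, "%if% is never closed"))
    if not has_per_ap:
        findings.append(("E_NO_PER_AP", 0, "missing " + PER_AP_CMD))
    if not unconditional_pw:
        if conditional_pw_line is None:
            findings.append(("E_NO_PASSWORD", 0,
                             "no password command; template cannot be saved"))
        else:
            findings.append(("W_PASSWORD_CONDITIONAL", conditional_pw_line,
                             "password command only inside %if%; the push is "
                             "aborted when the condition is false"))
    for lineno in allowed_ap_lines[1:]:
        findings.append(("E_ALLOWED_AP_REPEAT", lineno,
                         "_sys_allowed_ap may be used only once"))
    return findings


# Constructed sample: follows every rule checked above.
GOOD_TEMPLATE = """\
virtual-controller-country %countrycode%
name %VCname%
hash-mgmt-user admin password hash %admin_hash%
wlan ssid-profile %ssid_name%
 %if ssid_security=wpa2%
 opmode wpa2-aes
 %else%
 opmode opensystem
 %endif%
per-ap-settings %_sys_lan_mac%
 hostname %hostname%
"""

# Constructed sample: conditional cleartext password, unclosed %if%,
# repeated _sys_allowed_ap, and no per-ap-settings block.
RISKY_TEMPLATE = """\
name %VCname%
# hash-mgmt-user admin password hash %admin_hash%
%if set_admin=true%
hash-mgmt-user admin password cleartext %admin_pw%
%endif%
%_sys_allowed_ap%
%if guest%
%_sys_allowed_ap%
wlan ssid-profile %ssid_name%
 opmode opensystem
"""

if __name__ == "__main__":
    for code, lineno, message in lint_template(RISKY_TEMPLATE):
        print(f"{code:24} line {lineno:2}  {message}")
```
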
Viewing APs Configuration Tabs
Aruba Central now constantly displays the default tabs under the Show Advanced and Hide Advanced options in the Devices > Access Points page. When you click the Show Advanced or Hide Advanced option, a set of default configuration tabs are displayed. The respective default tabs under these two options are still displayed when you navigate out of the page, and visit the same page next time. Following are the default tabs displayed when you navigate to Devices > Access Points page and click the Config icon:
- WLANs
- Access Points
- Radios
When you click the Show Advanced option, the following tabs are displayed:
- WLANs
- Access Points
- Radios
- Interfaces
- Security
- VPN
- Services
- System
- Configuration Audit
To view the default tabs, click Hide Advanced.
Navigating to Virtual Controller Configuration Dashboard
To navigate to the virtual controller configuration dashboard, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. In the Virtual Controller column, click on the virtual controller to navigate to the Access Points > List view of the virtual controller.
4. Click the Config icon. The default tabs to configure the virtual controller are displayed.
5. Click Show Advanced to view advanced configuration options. For more information about the various configuration options, see Deploying a Wireless Network Using Instant APs.
Deploying a Wireless Network Using Instant APs
This section describes how to configure WLAN SSIDs, radio profiles, DHCP profiles, VPN routes, security and firewall settings, uplink interfaces, and logging servers on Instant APs. For more information on Instant AP configuration, see the following topics:
- Configuring Device Parameters
- Configuring Network Profiles on Instant APs
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring ARM and RF Parameters on Instant APs
- Configuring IDS Parameters on APs
- Configuring Authentication and Security Profiles on Instant APs
- Configuring Instant APs for VPN Services
- Configuring DHCP Pools and Client IP Assignment Modes on Instant APs
- Configuring Services
- Configuring Systems
- Configuring Uplink Interfaces on Instant APs
- Configuring Mobility for Clients
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Viewing APs Configuration Tabs
- Opening a Remote Console
- Mapping Instant AP Certificates

Setting Country Code
The initial Wi-Fi setup of an Instant AP requires you to specify the country code for the country in which the Instant AP operates. This configuration sets the regulatory domain for the radio frequencies that the Instant AP uses. The available 20 MHz, 40 MHz, or 80 MHz channels are dependent on the specified country code.

Country Code Configuration in Aruba Central from UI
If you provision a new Instant AP without the country code, Aruba Central exhibits the following behavior:

Table 124: Instant AP Provisioned to Aruba Central

Country Code Configured at Instant AP | Country Code Configured in Group | Behavior
No | Yes | The country code of the group is pushed to the newly added Instant AP.
No | No | Aruba Central displays the "Country Code not set. Config not updated" message in Audit Trail. A notification is also displayed at the bottom of the main window to set the country code of the new Instant AP. To set the country code, perform the following actions:
  1. Click the Set Country Code now link on the notifications pane. The Set Country Code pop-up is displayed.
  2. In the Device(s) without country code table, click the edit icon.
  3. Specify a country code from the Country Code drop-down list.
  4. Click Save.

Setting Country Code At Group Level

If an Instant AP has a country code and joins Aruba Central using ZTP configuration, then the country code of the Instant AP is retained. In this case, Aruba Central will not push the group country code.

Setting Country Code at a Group Level
To set the country code of the Instant AP at the group level, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The default tabs to configure the virtual controller are displayed.
4. Click Show Advanced to view advanced configuration options.
5. Click the System tab. The System details page is displayed.
6. Expand the General accordion.
7. In the Set Country code for group drop-down list, select the country code for the Instant AP.
8. Click Save Settings and then reboot the Instant AP.

- By default, the value corresponding to the Set Country code for group field is empty. This indicates that any Instant AP with different country codes can be a part of the group.
- When the Set Country code for group field is set, the field cannot revert to the default value. When the country code of the group is changed, the country code of the already connected Instant AP also will be updated.
Setting Country Code at a Device Level
To set the country code of the Instant AP at the device level, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. In the Virtual Controller column, click the virtual controller link to navigate to the Access Points > List view of the virtual controller.
When you click the virtual controller link in the Virtual Controller column, the dashboard context for the virtual controller is displayed.
4. Click the Config icon. The default tabs to configure the virtual controller are displayed.
5. Click Show Advanced to view advanced configuration options.
6. Click the System tab. The System details page is displayed.
7. Expand the General accordion.
8. In the Virtual Controller table, select a virtual controller and then click the edit icon.
9. In the Edit IP Address window, select the country code from the Country Code drop-down list.
10. Click Ok.
11. Click Save Settings and then reboot the Instant AP.

- By default, the value corresponding to the Country code is the country code set at the group level, which can then be modified at the device level from the drop-down list. The country code of the Instant AP will always be the most recently set country code at the group level or device level.
- If there is a discrepancy in the country code configuration, Aruba Central displays it as an override in the Configuration Audit page.
Country Code Configuration at Group Level from API
Aruba Central provides an option to set and get the country code at group level through the APIs in API Gateway. To set or get the country code at group level through API, complete the following steps:

1. In the Account Home page, click API Gateway. The API Gateway page is displayed.
2. Click the Authorized Apps & Tokens tab and generate a token key. The token key is valid only for 2 hours from the time it was generated.
3. Download and copy the generated token.
4. In the All Published APIs window, click the URL link listed under the Documentation column. The Central Network Management APIs page is displayed.
5. On the left navigation pane, select Configuration from the URL drop-down list.
6. Paste the token key in the Token field and press Enter.
7. Click NB UI Group Configuration. The following options are displayed:
   - Set country code at group level ([PUT]/configuration/v1/country)--This API sets the country code for multiple groups at once. Aruba Central currently allows country codes of up to 50 Instant AP device groups to be configured simultaneously. To set the country codes of multiple groups, enter the group names and country code as inputs corresponding to the groups and country labels respectively in the script { "groups": [ "string" ], "country": "string" } within the set_group_config_country_code text box.
   - Get country code set for group ([GET]/configuration/v1/{group}/country)--This API retrieves the country code set for a specific Instant AP group. To get the country code information of the Instant AP group, enter the name of the group for which the country code is being queried corresponding to the country label in the script { "country": "string" } within the group text box.

The APIs for setting and retrieving country code information are not available for the Instant AP devices deployed in template groups.

The following are the response messages displayed in the Set country code at group level and Get country code set for group sections:

Table 125: Response Messages

Set country code at group level:
- 201 - Successful operation
- 400 - Bad Request
- 401 - Unauthorized access, authentication required
- 403 - Forbidden, do not have write access for group
- 413 - Request-size limit exceeded
- 417 - Request-size limit exceeded
- 429 - API Rate limit exceeded
- 500 - Internal Server Error
- 503 - Service unavailable, configuration update in progress

Get country code set for group:
- 400 - Bad Request
- 401 - Unauthorized access authentication required
- 403 - Forbidden, do not have read access for group
- 413 - Request-size limit exceeded
- 417 - Request-size limit exceeded
- 429 - API Rate limit exceeded
- 500 - Internal Server Error
- 503 - Service unavailable, configuration update in progress

For further details on APIs, see https://app1-apigw.central.arubanetworks.com/swagger/central.
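The two country-code calls described above can be scripted as follows. This is an added example, not code from the guide: it assumes the API is served from the same host as the swagger URL above, that the token is sent as a Bearer Authorization header, and the function names and action labels are made up here.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumption: API host is the one in the guide's swagger URL.
API_BASE = "https://app1-apigw.central.arubanetworks.com"
MAX_GROUPS_PER_CALL = 50               # limit stated in the guide
TOKEN_LIFETIME_SECONDS = 2 * 60 * 60   # token keys are valid for 2 hours

# Response codes from Table 125 mapped to an operator action (labels are ours).
ACTIONS = {
    201: "done",                  # documented for the set operation only
    400: "fix-request",
    401: "generate-new-token",
    403: "check-group-access",
    413: "send-fewer-groups",
    417: "send-fewer-groups",
    429: "retry-later",
    500: "report-server-error",
    503: "retry-later",           # configuration update in progress
}


def token_is_fresh(issued_at, now=None):
    """True while a token generated at issued_at (epoch seconds) is still valid."""
    now = time.time() if now is None else now
    return 0 <= now - issued_at < TOKEN_LIFETIME_SECONDS


def make_request(method, path, token, body=None):
    data = None if body is None else json.dumps(body).encode("utf-8")
    request = urllib.request.Request(API_BASE + path, data=data, method=method)
    # Assumption: Bearer header; the token never goes into the URL or a log line.
    request.add_header("Authorization", "Bearer " + token)
    request.add_header("Accept", "application/json")
    if data is not None:
        request.add_header("Content-Type", "application/json")
    return request


def build_set_country_requests(groups, country, token):
    """One PUT per batch of at most 50 distinct group names."""
    unique = list(dict.fromkeys(groups))   # drop duplicates, keep order
    return [
        make_request("PUT", "/configuration/v1/country", token,
                     {"groups": unique[i:i + MAX_GROUPS_PER_CALL],
                      "country": country})
        for i in range(0, len(unique), MAX_GROUPS_PER_CALL)
    ]


def build_get_country_request(group, token):
    """GET for one group; the name is percent-encoded as a single path segment."""
    quoted = urllib.parse.quote(group, safe="")
    return make_request("GET", "/configuration/v1/" + quoted + "/country", token)


def next_action(status, operation):
    """Map a documented status code to an action for 'set' or 'get'."""
    if status == 201 and operation != "set":
        return "undocumented"
    return ACTIONS.get(status, "undocumented")


def send(request, timeout=30):
    """Send a prepared request; returns (status, body) for error statuses too."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Constructed group names and token; nothing is sent over the network here.
    groups = ["branch-%03d" % n for n in range(120)]
    for request in build_set_country_requests(groups, "US", "CONSTRUCTED-TOKEN"):
        body = json.loads(request.data)
        print(request.get_method(), request.full_url, len(body["groups"]), "groups")
```
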

Configuring Device Parameters
To configure device parameters on an access point (AP), complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Configure the parameters described below:

Table 126: Access Points Configuration Parameters

UI: Basic Info

Parameter: Name
Configure a name for the Instant AP.
For Instant APs running Aruba InstantOS 8.7.0.0 or later versions, you can enter up to 128 ASCII or non-ASCII characters. For Instant APs running Aruba InstantOS 8.6.0.0 or earlier versions, you can enter up to 32 ASCII or non-ASCII characters.

Parameter: AP Zone
Configure the Instant AP zone.
For Instant APs running Aruba InstantOS 6.5.4.7 or later versions, and 8.3.0.0 or later versions, you can configure multiple AP zones by adding zone names as comma separated values.
Aruba recommends that you do not configure zones in both SSID and in the Per AP settings of an Instant AP. If the same zones are configured in SSID and Per AP settings, APs may broadcast the SSIDs, but if the SSIDs and Per AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see Aruba Instant User Guide.

Parameter: RF Zone
Allows you to create an RF zone for the Instant AP.
With RF zone, you can configure different power transmission settings for APs in different zones or sections of a deployment site. For example, you can configure power transmission settings to make Wi-Fi available only for the devices in specific areas of a store.
You can also configure separate RF zones for the 2.4 GHz and 5 GHz radio bands for the Instant APs in a cluster. For more information, see Configuring Radio Parameters.
Aruba recommends that you configure RF zone for either individual AP or for the cluster. Any discrepancy in the RF zone names may lead to configuration errors.

Parameter: Swarm Mode
Allows you to set one of the following operation modes:
- Cluster--Allows an Instant AP to operate in the cluster mode. When an Instant AP operates in the cluster mode, it can form a cluster with other virtual controller Instant APs in the same VLAN.
- Standalone--Allows an Instant AP to operate in the standalone mode. When an Instant AP operates in the standalone mode, it cannot join a cluster of Instant APs even if the Instant AP is in the same VLAN.
- Single-AP--Allows an Instant AP to operate in the single AP mode that is specifically designed for Instant AP deployments with only one AP in the site. This mode is a type of standalone AP deployment with additional security when the AP is directly facing a WAN connection. When configured as a single AP, the AP will not send or receive management frames such as mobility packets, roaming packets, and hierarchy beacons through the uplink port.
NOTE: After changing the AP operation mode, ensure that you reboot the Instant AP.

Parameter: LACP Mode
Allows you to set one of the following LACP modes:
- Active--Allows you to enable the LACP on an Instant AP. In this mode, both the Ethernet ports on the Instant AP form a static LAG.
- Passive--Allows you to set the LACP on an Instant AP in a passive mode.
- Disabled--Allows you to disable the LACP on an Instant AP.

Parameter: Preferred Conductor
Select the Preferred Conductor check-box to provision the Instant AP as a conductor Instant AP. After provisioning the Instant AP as a conductor Instant AP, ensure that you reboot the AP.

Parameter: IP Address For Access Point
Select one of the following options:
- Get IP Address from DHCP server--Allows the Instant AP to get an IP address from the DHCP server. By default, the Instant APs obtain an IP address from a DHCP server.
- Static--You can also assign a static IP address to the Instant AP. To specify a static IP address for the Instant AP, complete the following steps:
  - Enter the new IP address for the Instant AP in the IP Address text-box.
  - Enter the subnet mask of the network in the Netmask text-box.
  - Enter the IP address of the default gateway in the Default Gateway text-box.
  - Enter the IP address of the DNS server in the DNS Server text-box.
  - Enter the domain name in the Domain Name text-box.
  You can configure up to two DNS servers separated by a comma. If the first DNS server goes down, the second DNS server takes control of resolving the domain name.

UI: Radio

Parameter: Dual 5G Mode
Select the Dual 5G Mode check-box to enable the dual 5G mode. In the Dual 5G Mode, the Mode remains as Access and is non-editable. The Dual 5G Mode is only supported on AP-344 and AP-345 running on Aruba InstantOS 8.3.0.0. For more information, see Configuring Dual 5 GHz Radio Bands on an Instant AP.

Parameter: Split Radio
Select the Split Radio check-box to allow the radios of the Instant AP to operate in the tri-radio mode. The Split Radio is only supported on AP-555 running on Aruba InstantOS 8.5.0.0. For more information, see About TriRadio Mode.

Parameter: Enable Radio
Select the Enable Radio check-box under 2.4GHz Band and 5 GHz Band to enable the radio.

Parameter: Mode
From the Mode drop-down list, select any of the following options:
- Access--In this mode, the Instant AP serves clients, while also monitoring for rogue Instant APs in the background.
- Monitor--In this mode, the Instant AP acts as a dedicated monitor, scanning all channels for rogue Instant APs and clients.
- Spectrum--In this mode, the Instant AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring Instant APs or from non-Wi-Fi devices such as microwaves and cordless phones. For more information, see Spectrum Scan Overview.
To get accurate monitoring details and statistics, it is highly recommended to reboot the Instant APs once the Instant APs are toggled from the 2.4 or 5 GHz mode to dual 5 GHz radio mode or vice-versa. The access, spectrum, and monitor mode of the radios of an access point is available for Foundation and Advanced licenses for APs.

Parameter: Adaptive radio management assigned
You can configure a radio profile on an Instant AP either manually or by configuring the Adaptive radio management assigned option.
Adaptive Radio Management (ARM) feature is enabled on Aruba Central by default. It automatically assigns appropriate channel and power settings for the Instant APs.

Parameter: Administrator assigned
You can also assign an administrator by using the Administrator assigned option and selecting the number of channels in the Channel drop-down list. In the Transmit Power field, enter the signal strength measured in dBm.

UI: Installation Type

Parameter: Installation Type
Configure the Installation Type of the Instant AP. The Installation Type drop-down consists of the following options:
- Default--Select this option to change the installation type to the default mode.
- Indoor--Select this option to change the installation type to the indoor mode.
- Outdoor--Select this option to change the installation type to the outdoor mode.
The options in the Installation Type drop-down are listed based on the Instant AP model.

UI: Uplink

Parameter: Uplink Management VLAN
The uplink traffic on Instant AP is carried out through a management VLAN. However, you can configure a non-native VLAN as an uplink management VLAN. After an Instant AP is provisioned with the uplink management VLAN, all management traffic sent from the Instant AP is tagged to the management VLAN.
To configure a non-native uplink VLAN, click Uplink and specify the VLAN in Uplink Management VLAN.

Parameter: Eth0 Mode
Allows you to change the Eth0 bridging mode in your wired network. The Eth0 Mode drop-down consists of the following options:
- Uplink--Select this option to change the Eth0 bridging mode to the uplink port.
- Downlink--Select this option to change the Eth0 bridging mode to the downlink port.

Parameter: Eth1 Mode
Allows you to change the Eth1 bridging mode in your wired network. The Eth1 Mode drop-down consists of the following options:
- Default--Select this option to change the Eth1 bridging mode to the default port.
- Uplink--Select this option to change the Eth1 bridging mode to the uplink port.
- Downlink--Select this option to change the Eth1 bridging mode to the downlink port.

Parameter: USB Port
Select the USB Port check-box if you do not want to use the cellular uplink or 3G/4G modem in your current network setup.

Parameter: PEAP User
Create the PEAP user credentials for certificate based authentication. Enter the username, password, and retype password in the Username, Password, and Retype Password field for creating the PEAP user.

UI: Mesh

Parameter: Mesh enable
Select the Mesh enable check-box to allow mesh access points to form mesh network. The mesh feature ensures reliability and redundancy by allowing the network to continue operating even when an Instant AP is nonfunctional or if the device fails to connect to the network. For more information, see Configuring Mesh Instant AP.

Parameter: Clusterless mesh name
Enter the name of mesh access points that do not belong to any cluster. The Clusterless mesh name field is disabled when the Mesh enable option is enabled.

Parameter: Clusterless mesh key
Enter the key of the mesh access points that do not belong to any cluster. The Clusterless mesh key field is disabled when the Mesh enable option is enabled.

Parameter: Retype
Re-enter the clusterless mesh key. The Retype is disabled when the Mesh enable option is enabled.

UI: External Antenna

Parameter: Antenna Gain
Enter the Antenna Gain values in dBi for the 2.4 GHz Antenna Gain and the 5 GHz Antenna Gain. For more information, see Configuring External Antenna.

Parameter: Antenna Polarization Type
From the Antenna Polarization Type drop-down list, select any of the following:
- co-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be same.
- cross-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be different.
The integrated antenna of the wireless bridge sends a radio signal that is polarized in a particular direction. The receive sensitivity of the antenna is also higher for radio signals that have the same polarization. To maximize the performance of the wireless link, both antennas must be set to the same polarization direction.

6. Click Save Settings and then reboot the Instant AP.
Configuring Systems
This section describes how to configure the General, Administrator, Time-Based Services, DHCP, Layer-3 Mobility, Enterprise Domains, Logging, SNMP, WISPr, Proxy, Named VLAN Mapping, and IPM parameters on an Instant AP.
- Configuring System Parameters for an AP
- Configuring Users Accounts for the Instant AP Management Interface
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring DHCP Pools and Client IP Assignment Modes on Instant APs
- Configuring Mobility for Clients
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Configuring SNMP Parameters
- Supported Authentication Methods
- Configuring HTTP Proxy on an Instant AP
- Configuring VLAN Name and VLAN ID
- Configuring Intelligent Power Monitoring
Configuring VLAN Name and VLAN ID
Aruba Central allows you to map VLAN name to a VLAN ID for the ease of identifying the existing VLANs. To map a VLAN name to a VLAN ID, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Named VLAN Mapping accordion.
7. Click the + icon in the VLAN Name to VLAN ID Mapping pane. The VLAN Name to VLAN ID Mapping window is displayed.
8. In the VLAN Name to VLAN ID Mapping window, enter the VLAN Name and VLAN ID.
9. Click OK.
The VLAN Name to VLAN ID Mapping table in the Named VLAN Mapping section lists all the mapped VLANs.
You can find the Named VLAN Mapping feature applied in the following fields of corresponding UI pages of Aruba Central:
- The VLAN ID field in the VLANs tab, when Custom for Instant AP Assigned and Static for External DHCP server assigned is selected during WLAN SSID creation. For more information, see Creating a Wireless Network Profile.
- The VLAN ID field in the VLANs tab, when Custom for Instant AP Assigned and Static for External DHCP server assigned is selected during wired port profile creation. For more information, see Configuring Wired Port Profiles on Instant APs.
- The Access rules page in the Interfaces > Access tab and the WLANs > Access tab, when you add rules for selected roles. Select VLAN Assignment as the rule type in the Access rules page to find the mapped VLAN name in the VLAN ID field.
You can also map VLAN ID to a VLAN name when you customize the Client VLAN Assignment configuration in VLANs tab during network profile creation. For more information, see VLANs Parameters.


Points to Remember
- The maximum number of Named VLAN ID mappings allowed in Aruba Central is 32.
- VLAN mapping cannot be performed if the VLAN name does not exist.
- The VLAN mapping record is deleted from the VLAN Name to VLAN ID Mapping table when the VLAN name is deleted.
- You can only map a single VLAN ID to a VLAN name.
- The VLAN name field is not case-sensitive.

Configuring External Antenna
If the Instant AP has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system's EIRP is in compliance with the limit specified by the regulatory authority of the country in which the Instant AP is deployed. You can also measure or calculate additional attenuation between the device and antenna before configuring the antenna gain. To find out whether the Instant AP device supports external antenna connectors, see the Installation Guide that is shipped along with the Instant AP device.

EIRP and Antenna Gain
The following formula can be used to calculate the EIRP limit related RF power based on selected antennas (Antenna Gain) and feeder (Coaxial Cable Loss):

EIRP = Tx RF Power (dBm) + GA (dB) - FL (dB)

The following table describes this formula:

Table 127: Formula Variable Definitions

Formula Element    Description
EIRP               Limit specific for each country of deployment.
Tx RF Power        RF power measured at RF connector of the unit.
GA                 Antenna gain
FL                 Feeder loss

Configuring Antenna Gain
To configure antenna gain for Instant APs with external connectors, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Click the External Antenna tab.
6. Enter the Antenna Gain values in dBi for the 2.4 GHz Antenna Gain and the 5 GHz Antenna Gain.
7. From the Antenna Polarization Type drop-down list, select any of the following:
   - co-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be same.
   - cross-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be different.
8. Click Save Settings.
After configuring the external antenna parameters, ensure that you reboot the Instant AP.
Adding an Instant AP
To add an Instant AP to Aruba Central, assign an IP address and a subscription. After an Instant AP is connected to the network and if the Auto Join Mode feature is enabled, the Instant AP inherits the configuration from the virtual controller and is listed in the Access Points tab.
Deleting an Instant AP from the Network
To delete an Instant AP, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. In the Access Points table, hover over the offline AP that you want to delete.
4. Click the delete icon.
Configuring Intelligent Power Monitoring
The Intelligent Power Monitoring (IPM) feature actively measures the power utilization of an AP and dynamically adapts to the power resources. IPM allows you to define the features that must be disabled to save power, allowing the APs to operate at a lower power consumption without hampering the performance of the related features. This feature constantly monitors the AP power consumption and adjusts the power saving IPM features within the power budget.
IPM dynamically limits the power requirement of an AP as per the available power resources. IPM applies a sequence of power reduction steps as defined by the priority definition until the AP functions within the power budget. This happens dynamically as IPM constantly monitors the AP power consumption and applies the next power reduction step in the priority list if the AP exceeds the power threshold. To manage this prioritization, you can create IPM policies to define a set of power reduction steps and associate them with a priority. The IPM policies, when applied to the AP, are based on IPM priorities, where the IPM policy can be configured to disable or reduce certain features in a specific sequence to reduce the AP power consumption below the power budget. IPM priority settings are defined by integer values, where the lower values have the highest priority and are implemented first.

The Intelligent Power Monitoring feature is available only on AP devices running Aruba InstantOS 8.6.0.3.

To configure Intelligent Power Monitoring, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the IPM accordion.
7. Select the IPM Activation check box to enable IPM.
8. Click the + icon in the IPM Power Reduction Steps With Priorities pane. The IPM Power Reduction Steps With Priorities window is displayed.
9. In the IPM Step Priority field, enter a value from 1 to 16 to define IPM priority.
10. From the IPM Step drop-down list, select a setting as described in the following table:

Table 128: Intelligent Power Monitoring Step Parameters

Parameters              Description
cpu_throttle_25         Reduces CPU frequency to 25% of normal.
cpu_throttle_50         Reduces CPU frequency to 50% of normal.
cpu_throttle_75         Reduces CPU frequency to 75% of normal.
disable_alt_eth         Disables the second Ethernet port.
disable_pse             Disables Power Sourcing Equipment (PSE).
disable_usb             Disables USB.
radio_2ghz_chain_1      Reduces 2 GHz chains to 1x1.
radio_2ghz_chain_2      Reduces 2 GHz chains to 2x2.
radio_2ghz_chain_3      Reduces 2 GHz chains to 3x3.
radio_2ghz_power_3dB    Reduces 2 GHz radio power by 3 dB from the maximum value.
radio_2ghz_power_6dB    Reduces 2 GHz radio power by 6 dB from the maximum value.
radio_5ghz_chain_1      Reduces 5 GHz chains to 1x1.
radio_5ghz_chain_2      Reduces 5 GHz chains to 2x2.
radio_5ghz_chain_3      Reduces 5 GHz chains to 3x3.
radio_5ghz_power_3dB    Reduces 5 GHz radio power by 3 dB from the maximum value.
radio_5ghz_power_6dB    Reduces 5 GHz radio power by 6 dB from the maximum value.

11. Click OK. The IPM Power Reduction Steps With Priorities table in the IPM section lists all the IPM settings.
12. Click Save Settings and reboot the Instant AP for changes to take effect.
The following figure shows the IPM steps and priorities listed in the IPM Power Reduction Steps With Priorities table:
Figure 137 IPM Steps and Priorities


A power reduction step with a low priority value takes effect sooner than a step with a high priority value. However, when power reduction steps are of the same type but different levels, allocate the lowest priority value to the smallest reduction so that it takes place earlier. For example, the cpu_throttle_25 or radio_2ghz_power_3dB parameter should have a lower priority level than the cpu_throttle_50 or radio_2ghz_power_6dB, respectively, so that Intelligent Power Monitoring reduces the CPU throttle or power usage based on the priority list.

Points to Remember
- By default, Intelligent Power Monitoring is disabled.
- When enabled, IPM enables all Instant AP functionality initially. IPM then proceeds to shut down or restrict functionality if the power usage of the AP goes beyond the power budget of the Instant AP.
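The priority rules in this section can be checked before a policy is entered in the UI. The following is an added example, not Aruba code and not part of the original guide: it lints a list of (priority, step) pairs against Table 128 and the ordering rule above, and dry-runs the "apply the next step until within budget" behaviour. The wattage figures are constructed, and the 5 GHz ordering pair is an assumption made by analogy with the 2 GHz pair the guide names.

```python
# Added example (not Aruba code): lint and dry-run an IPM policy.
# A policy is a list of (priority, step) pairs as entered in the
# IPM Power Reduction Steps With Priorities pane.

# Step names copied from Table 128 of this guide.
IPM_STEPS = {
    "cpu_throttle_25", "cpu_throttle_50", "cpu_throttle_75",
    "disable_alt_eth", "disable_pse", "disable_usb",
    "radio_2ghz_chain_1", "radio_2ghz_chain_2", "radio_2ghz_chain_3",
    "radio_2ghz_power_3dB", "radio_2ghz_power_6dB",
    "radio_5ghz_chain_1", "radio_5ghz_chain_2", "radio_5ghz_chain_3",
    "radio_5ghz_power_3dB", "radio_5ghz_power_6dB",
}

# (apply_first, apply_later) pairs. The CPU and 2 GHz pairs are the guide's
# own examples; the 5 GHz pair is an assumption made by analogy.
ORDERED_PAIRS = [
    ("cpu_throttle_25", "cpu_throttle_50"),
    ("radio_2ghz_power_3dB", "radio_2ghz_power_6dB"),
    ("radio_5ghz_power_3dB", "radio_5ghz_power_6dB"),
]


def execution_order(policy):
    """Steps in the order IPM applies them: lowest priority value first."""
    return [step for _, step in sorted(policy, key=lambda entry: entry[0])]


def lint_ipm_policy(policy):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    priority_of = {}
    for priority, step in policy:
        if step not in IPM_STEPS:
            problems.append(f"{step}: not a step listed in Table 128")
        if not isinstance(priority, int) or not 1 <= priority <= 16:
            problems.append(f"{step}: priority {priority!r} is outside 1-16")
        if step in priority_of:
            problems.append(f"{step}: listed more than once")
        priority_of[step] = priority
    for first, later in ORDERED_PAIRS:
        if first in priority_of and later in priority_of:
            if priority_of[first] >= priority_of[later]:
                problems.append(
                    f"{first} (priority {priority_of[first]}) should have a "
                    f"lower priority value than {later} "
                    f"(priority {priority_of[later]})"
                )
    return problems


def dry_run(policy, draw_watts, budget_watts, savings_watts):
    """Apply steps in priority order until the draw fits the budget.

    savings_watts maps step -> watts saved. Those numbers are constructed
    for the example; the guide gives none, and real savings need not add up
    this simply.
    """
    applied = []
    for step in execution_order(policy):
        if draw_watts <= budget_watts:
            break
        draw_watts -= savings_watts.get(step, 0.0)
        applied.append(step)
    return applied, draw_watts


if __name__ == "__main__":
    # Constructed sample policy and power figures.
    sample = [(3, "cpu_throttle_50"), (1, "disable_usb"), (2, "cpu_throttle_25")]
    print(lint_ipm_policy(sample))
    print(dry_run(sample, 16.0, 14.0,
                  {"disable_usb": 1.0, "cpu_throttle_25": 1.5,
                   "cpu_throttle_50": 2.0}))
```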
Configuring Dual 5 GHz Radio Bands on an Instant AP
Aruba Central provides an option to retrieve the radio numbers of Instant AP through the APIs. It also provides an option to filter AP details using radio numbers in the AP monitoring dashboard.

For regular Instant APs with non-dual band, Central automatically assigns Radio 1 to 2.4 GHz band and Radio 0 to 5 GHz band respectively.

To retrieve the radio numbers through API, complete the following steps:
1. In the Account Home page, click API Gateway. The API Gateway page is displayed.
2. Click the APIs tab.

The token key is valid only for 2 hours from the time it was generated.

3. In the All Published APIs window, click the url link listed under the Documentation column. The Central Network Management APIs page is displayed.
4. On the left navigation pane, select Monitoring from the URL drop-down list.
5. Click API Reference > AP. The following APIs allow you to retrieve the radio number for the APs:

Table 129: APIs to Get Radio Number in APs

API

Description

[GET]/monitoring/v1/aps/{serial}/neighbouring_clients

Allows you to filter data of neighbouring clients for a specific radio number in a given time period.
When there is no radio number entered in the radio_number field, the API filters the data of neighbouring clients for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the data of neighboring clients for a specific radio number.

[GET]/monitoring/v1/aps/rf_summary

Retrieves information on RF summary such as channel utilization and noise floor in positive, errors, drops for a given time period.
This API can also be used to filter RF health statistics for a specific radio number in a given time period.
When there is no radio number entered in the radio_number field, the API filters the RF health statistics for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the RF health statistics for a specific radio number.

[GET]/monitoring/v1/aps/bandwith_usage

This API can also be used to filter out bandwidth usage data for a specific radio number in a given time period.
When there is no radio number entered in the radio_number field, the API filters the bandwidth usage for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the bandwidth usage for a specific radio number.

6. On the left navigation pane, click API Reference > Client. The following APIs allow you to retrieve the radio number for the total number of clients connected:

Table 130: APIs to Get Radio Number in Connected Clients

API

Description

[GET]/monitoring/v1/clients/count

This API is used to filter out the data for connected clients for a specific radio number of AP in a given time period.
When there is no radio number entered in the radio_number field, the API filters the clients count for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the total count of clients for a specific radio number.

For further details on APIs, see https://app1-apigw.central.arubanetworks.com/swagger/central.
Support for Dual 5 GHz AP
Aruba Central supports automatic opmode selection for dual 5 GHz AP. When the opmode is set to automatic, AirMatch determines whether to convert a radio in an AP to 5 GHz operation instead of the 2.4 GHz and 5 GHz dual band operation. Automatic is the default dual 5G mode, in which AirMatch detects the optimal mode for the radios (dual band or dual 5G) and updates the running opmode without requiring an AP reboot between the mode changes. Dual band and dual 5G can also be set manually; the manual setting overrides the automatic mode and explicitly enables or disables the dual 5G mode. In this scenario, the AP immediately switches to the specified mode without a reboot and AirMatch maintains the specified channel and power assignments in the specified mode.
Automatic mode is not supported on AP-344. By default, AP-344 assumes the automatic mode to be the same as dual 5G disabled and operates in the dual band mode. To switch AP-344 to dual 5G mode, select the Dual 5G Mode check-box.
To configure automatic opmode selection for dual 5 GHz AP, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Click the Radio tab.
6. Set Dual 5G Mode to Automatic.
7. Optionally, specify the manual channel by setting Channel Assignment to Manual.
8. Optionally, specify the transmit power by setting Transmit Power Assignment to Manual.
9. Click Save Settings.
Configuring System Parameters for an AP
To configure system parameters for an AP, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the General accordion and configure the following parameters:

Table 131: System Parameters

Data Pane Item

Description

Virtual Controller

This parameter configuration is only applicable for APs that operate in a cluster deployment environment. To configure the virtual controller name and IP address, click the edit icon and update the name and IP address. The IP address serves as a static IP address for the multi-AP network. When configured, this IP address is automatically provisioned on a shadow interface on the AP that takes the role of a virtual controller. The AP sends three ARP messages with the static IP address and its MAC address to update the network ARP cache.
- Name--Name of the virtual controller.
- IP address--IPv4 address configured for the virtual controller. The IPv4 address uses the 0.0.0.0 notation.
- IPv6 address--IPv6 address configured for the virtual controller. You can configure IPv6 address for the virtual controller only if the Allow IPv6 Management feature is enabled. IPv6 is the latest version of IP that is suitable for large-scale IP networks. IPv6 supports a 128-bit address to allow 2^128, or approximately 3.4×10^38 addresses while IPv4 supports only 2^32 addresses. The IP address of the IPv6 host is always represented as eight groups of four hexadecimal digits separated by colons. For example 2001:0db8:0a0b:12f0:0000:0000:0000:0001. However, the IPv6 notation can be abbreviated to compress one or more groups of zeroes or to compress leading or trailing zeroes; for example 2001:db8:a0b:12f0::0:0:1.

Set Country code for group

To configure a country code for the AP at the group level, select the country code from the Set Country code for group drop-down list. By default, no country code is configured for the AP device groups.
When a country code is configured for the group, it takes precedence over the country code setting configured at the device level.

Timezone

To configure a time zone, select a time zone from the Timezone drop-down list. If the selected time zone supports DST, the UI displays the "The selected country observes Daylight Savings Time" message.

Preferred Band

Assign a preferred band by selecting an appropriate option from the Preferred Band drop-down list. Reboot the AP after modifying the radio profile for changes to take effect.

NTP Server

This parameter allows you to configure NTP servers for the Instant AP. Up to four NTP servers can be configured for the AP, each one separated by a comma. To facilitate communication between various elements in a network, time synchronization between the elements and across the network is critical. Time synchronization allows you to:
- Trace and track security gaps, network usage, and troubleshoot network issues.
- Validate certificates.
- Map an event on one network element to a corresponding event on another.
- Maintain accurate time for billing services and similar.
NTP helps obtain the precise time from a server and regulate the local time in each network element. Connectivity to a valid NTP server is required to synchronize the AP clock to set the correct time. If NTP server is not configured in the AP network, an AP reboot may lead to variation in time data.
By default, the AP tries to connect to pool.ntp.org to synchronize time. The NTP server can also be provisioned through the DHCP option 42. If the NTP server is configured, it takes precedence over the DHCP option 42 provisioned value. The NTP server provisioned through the DHCP option 42 is used if no server is configured. The default server pool.ntp.org is used if no NTP server is configured or provisioned through DHCP option 42.
To configure an NTP server, enter the IP address or the URL of the NTP server and reboot the AP to apply the configuration changes.

Virtual Controller Netmask
Virtual Controller Gateway
Virtual Controller DNS
Virtual Controller VLAN

This parameter configuration is only applicable for APs that operate in a cluster deployment environment. The IP configured for the virtual controller can be in the same subnet as AP or can be in a different subnet. Ensure that you configure the virtual controller VLAN, gateway, and subnet mask details only if the virtual controller IP is in a different subnet. Ensure that virtual controller VLAN is not the same as native VLAN of the AP.

DHCP Option 82 XML

The DHCP Option 82 XML is not applicable for cloud APs.
DHCP Option 82 XML can be customized to cater to the requirements of any ISP using the conductor AP. To facilitate customization using an XML definition, multiple parameters for Circuit ID and Remote ID options of DHCP Option 82 XML are introduced. The XML file is used as the input and is validated against an XSD file in the conductor AP. The format in the XML file is parsed and stored in the DHCP relay which is used to insert Option 82 related values in the DHCP request packets sent from the client to the server. From the drop-down list, select one of the following XML files:
- default_dhcpopt82_1.xml
- default_dhcpopt82_2.xml
For more information, see Configuring DHCP Scopes on Instant APs.

Dynamic CPU Utilization

APs perform various functions such as wired and wireless client connectivity and traffic flows, wireless security, network management, and location tracking. If an AP is overloaded, prioritize the platform resources across different functions. Typically, the APs manage resources automatically in real time. However, under special circumstances, if dynamic resource management needs to be enforced or disabled altogether, the dynamic CPU management feature settings can be modified. To configure dynamic CPU management, select any of the following options from Dynamic CPU Utilization.
- Automatic--When selected, the CPU management is enabled or disabled automatically during run-time. This decision is based on real time load calculations taking into account all different functions that the CPU needs to perform. This is the default and recommended option.
- Always Disabled in all APs--When selected, this setting disables CPU management on all APs, typically for small networks. This setting protects user experience.
- Always Enabled in all APs--When selected, the client and network management functions are protected. This setting helps in large networks with high client density.


Auto-Join Mode

When enabled, APs can automatically discover the virtual controller and join the network. The Auto-Join Mode feature is enabled by default.

APs allowed for Auto-Join Mode

Displays the number of APs allowed for Auto-Join Mode.
- Click View Allowed APs to view the details of AP allowed for Auto-Join mode.
- Click Hide Allowed APs to hide the details of AP allowed for Auto-Join mode.
When Auto-Join Mode is enabled, the APs are automatically discovered and are allowed to join the cluster. When the Auto-Join Mode is disabled on the AP, the list of allowed APs on Aruba Central may not be synchronized or up-to-date. In such cases, you can manually add a list of APs that can join the AP cluster in the Aruba Central UI. To manually add the list of allowed AP devices, complete the following steps:
1. Under View Allowed APs, click + in the Allowed APs pane.
2. In the Add Allowed AP window, enter the MAC address of the AP in the MAC Address field.
3. Click Save.

Allow IPv6 Management

Enables IPv6 address configuration for the virtual controller. You can configure an IPv6 address for a virtual controller IP only when Allow IPv6 Management feature is enabled.

Uplink switch native VLAN

Allows you to specify a VLAN ID, to prevent the AP from sending tagged frames for clients connected on the SSID that uses the same VLAN as the native VLAN of the switch. By default, the AP considers the native VLAN of the upstream switch, to which it is connected, as the VLAN ID 1.

Terminal Access

When enabled, the users can access the AP CLI through SSH.

Login Session Timeout

Allows you to set a timeout for login session.

Console Access

When enabled, the users can access AP through the console port.

WebUI Access

If an AP is connected to Aruba Central, you can use this option to disable AP Web UI access and any communication via HTTPS or SSH. If you enable this feature, you can manage the AP only from Aruba Central.

Telnet Server

When enabled, the users can start a Telnet session with the AP CLI.

LED Display

Enables or disables the LED display for all APs in a cluster. The LED display is always enabled during the AP reboot.

Extended SSID

Extended SSID is enabled by default in the factory default settings of APs. This disables mesh in the factory default settings. For AP devices that support Aruba Instant 8.4.0.0 firmware versions and above, you can configure up to 14 SSIDs. By enabling Extended SSID, you can create up to 16 networks.

Advanced Zone

Turn on the Advanced Zone toggle switch to broadcast the same ESSIDs on APs that are part of the same AP zone in a cluster.
NOTE: When the advanced-zone feature is enabled and a zone is already configured with 16 SSIDs, ensure that you remove the zone from two WLAN SSID profiles if you want to disable extended SSID.

Deny Inter User Bridging

If you have security and traffic management policies defined in upstream devices, you can disable bridging traffic between two clients connected to the same AP on the same VLAN. When inter-user bridging is denied, the clients can connect to the Internet but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.
To disable inter-user bridging, turn off the Deny Inter User Bridging toggle switch.

Deny Local Routing

If you have security and traffic management policies defined in upstream devices, you can disable routing traffic between two clients connected to the same AP on different VLANs. When local routing is disabled, the clients can connect to the Internet but cannot communicate with each other, and the routing traffic between the clients is sent to the upstream device to make the forwarding decision.
To disable local routing, move the slider to the right.

Dynamic RADIUS Proxy

If your network has separate RADIUS authentication servers (local and centralized servers) for user authentication, you may want to enable Dynamic RADIUS proxy to route traffic to a specific RADIUS server. When Dynamic RADIUS proxy is enabled, the IP address of the virtual controller is used for communication with external RADIUS servers. To enable Dynamic RADIUS Proxy, you must configure an IP address for the Virtual Controller and set it as a NAS client in the RADIUS server profile.

Dynamic TACACS Proxy

If you want to route traffic to different TACACS servers, enable Dynamic TACACS Proxy. When enabled, the AP cluster uses the IP address of the Virtual Controller for communication with external TACACS servers.
If an IP address is not configured for the Virtual Controller, the IP address of the bridge interface is used for communication between the AP and TACACS servers. However, if a VPN tunnel exists between the Instant AP and TACACS server, the IP address of the tunnel interface is used.

Cluster Security

This parameter is required to be set only for APs that operate in a cluster deployment environment. Enables or disables the cluster security feature. When enabled, the control plane communication between the AP cluster nodes is secured. The Disallow Non-DTLS Members toggle switch appears. Turn on the toggle switch to allow member APs to join a DTLS enabled cluster. For secure communication between the cluster nodes, the Internet connection must be available, or at least a local NTP server must be configured. After enabling or disabling cluster security, ensure that the configuration is synchronized across all devices in the cluster, and then reboot the cluster. The Disallow Non-DTLS Members feature is only supported in AP devices supporting Aruba Instant 8.4.0.0 firmware versions and above.

Low Assurance PKI

Turn on the toggle switch to allow low assurance devices that use a non-TPM chip in the network. To enable the cluster security feature, turn on the Low Assurance PKI toggle switch. For more information on Low Assurance PKI, refer to Cluster Security section in Aruba Instant User Guide. The Low Assurance PKI toggle switch is supported in AP devices running Aruba Instant 6.5.3.0 firmware versions and later.


Mobility Access Switch Integration

Turn on the toggle switch to enable LLDP protocol for Mobility Access Switch integration. With this protocol, APs can instruct the switch to turn off ports where rogue access points are connected, as well as take actions such as increasing PoE priority and automatically configuring VLANs on ports where APs are connected.

URL Visibility

Turn on the toggle switch to enable URL data logging for client HTTP and HTTPS sessions and allow APs to extract URL information and periodically log it on ALE for DPI and application analytics.

Restrict uplink port to specified VLANs

Turn on the toggle switch to restrict the uplink port to the specified VLANs.

VOIP QOS Trust

Turn on the toggle switch to enable the RTP traffic based on the DSCP value set by the end user device.

7. Click Save Settings.
Enabling 802.1X Authentication on Uplink Ports of an AP
If your network requires all wired devices to authenticate using PEAP or TLS protocol, you must enable 802.1X authentication type on uplink ports of an AP, so that the APs are granted access only after completing the authentication as a valid client. To enable 802.1X authentication on uplink ports using PEAP or TLS protocol, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Expand the AP1X section.
   - To set PEAP based authentication, select PEAP in the AP1X Type drop-down list. If you select PEAP protocol, ensure that the PEAP User is configured on the uplink port by selecting an AP group and navigating to Uplink section in the Access Points tab.
   - To set TLS based authentication:
     a. Select TLS in the AP1X Type drop-down list.
     b. Select User in the Certificate Type drop-down list.
8. Select the Validate Server check-box to validate the server credentials using server certificate. Ensure that the server certificates for validating server credentials are available in the Instant AP database.
9. Click Save Settings.
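The System > General parameters in Table 131 and the AP1X uplink settings above include several choices that affect the AP management plane and cluster trust. The following is an added example, not Aruba code and not part of the original guide: it reviews a settings record against the behaviour this guide describes, including the NTP precedence (configured server, then DHCP option 42, then pool.ntp.org). The field names are hypothetical and do not represent an Aruba Central export format; the severity labels are the example's own triage, and the sample values in the main block are constructed.

```python
# Added example (not Aruba code): review an AP group's settings against the
# behaviour this guide describes for Table 131 and the AP1X uplink section.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_NTP = "pool.ntp.org"  # default server named in the guide
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)


@dataclass
class ApGroupSettings:
    """Hypothetical field names that mirror the UI rows; this is not an
    Aruba Central export schema. Only the auto_join_mode default comes from
    the guide; the other defaults are placeholders for the example."""
    ntp_servers: List[str] = field(default_factory=list)
    dhcp_option42_ntp: Optional[str] = None
    internet_reachable: bool = True
    telnet_server: bool = False
    auto_join_mode: bool = True
    allowed_ap_macs: List[str] = field(default_factory=list)
    cluster_security: bool = False
    low_assurance_pki: bool = False
    ap1x_type: Optional[str] = None  # "PEAP", "TLS" or None
    ap1x_validate_server: bool = False


def effective_ntp(s: ApGroupSettings) -> Tuple[str, List[str]]:
    """NTP precedence from the guide: configured, DHCP option 42, default."""
    if s.ntp_servers:
        return ("configured", list(s.ntp_servers))
    if s.dhcp_option42_ntp:
        return ("dhcp-option-42", [s.dhcp_option42_ntp])
    return ("default", [DEFAULT_NTP])


def audit(s: ApGroupSettings) -> List[Tuple[str, str, str]]:
    """Return (severity, setting, message) tuples; empty means no findings."""
    findings = []
    source, servers = effective_ntp(s)
    if len(s.ntp_servers) > 4:
        findings.append(("error", "NTP Server",
                         "more than four servers; the guide allows up to four"))
    if source != "configured":
        findings.append(("info", "NTP Server",
                         f"no server configured; time comes from {source} "
                         f"({servers[0]})"))
    if s.telnet_server:
        findings.append(("high", "Telnet Server",
                         "AP CLI is reachable over Telnet, which is unencrypted"))
    if s.auto_join_mode:
        findings.append(("medium", "Auto-Join Mode",
                         "any AP that discovers the virtual controller can join"))
    else:
        if not s.allowed_ap_macs:
            findings.append(("medium", "Allowed APs",
                             "Auto-Join is off and the allowed-AP list is empty"))
        for mac in s.allowed_ap_macs:
            if not MAC_RE.match(mac):
                findings.append(("error", "Allowed APs",
                                 f"malformed MAC address {mac!r}"))
    if not s.cluster_security:
        findings.append(("high", "Cluster Security",
                         "control plane traffic between cluster nodes is not secured"))
    else:
        if not s.internet_reachable and source == "default":
            findings.append(("high", "Cluster Security",
                             "needs Internet access or a local NTP server"))
        if s.low_assurance_pki:
            findings.append(("medium", "Low Assurance PKI",
                             "devices that use a non-TPM chip are allowed"))
    if s.ap1x_type in ("PEAP", "TLS") and not s.ap1x_validate_server:
        findings.append(("high", "AP1X",
                         "Validate Server is off; the server certificate is not checked"))
    return findings


if __name__ == "__main__":
    # Constructed sample: Telnet on, PEAP without server validation.
    for finding in audit(ApGroupSettings(telnet_server=True, ap1x_type="PEAP")):
        print(finding)
```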
Configuring HTTP Proxy on an Instant AP
If your network requires a proxy server for Internet access, ensure that you configure the HTTP proxy on the Instant AP to download the image from the cloud server. After setting up the HTTP proxy settings, the Instant AP connects to the Activate server, Aruba Central, or OpenDNS server through a secure HTTP connection. You can also exempt certain applications from using the HTTP proxy (configured on an Instant AP) by providing their host name or IP address under Exception. Aruba Central allows the user to configure HTTP proxy on an Instant AP. To configure HTTP proxy on Instant AP through Aruba Central, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Proxy accordion and specify the following:
   a. Enter the HTTP proxy server IP address in the Server text-box.
   b. Enter the port number in the Port text-box.
7. Click Save Settings.
Aruba Central displays the Username, Password, and Retype Password fields under System > Proxy for Instant AP running Aruba Instant 8.3.0.0. The Instant APs with the Aruba InstantOS 8.3.0.0 firmware require user credentials for proxy server authentication.
Configuring Network Profiles on Instant APs
This section describes the following procedures:
- Configuring Wireless Network Profiles on Instant APs
- Configuring Wireless Networks for Guest Users on Instant APs
- Configuring Wired Port Profiles on Instant APs
- Configuring Wired Networks for Guest Users on Instant APs
- Editing a Wireless Network Profile
- Deleting a Network Profile
Configuring Wireless Network Profiles on Instant APs
You can configure up to 14 SSIDs. By enabling Extended SSID in the System > General accordion, you can create up to 16 networks.

If more than 16 SSIDs are assigned to a zone and the extended zone option is disabled, an error message is displayed.

This section describes the following topics:
- Creating a Wireless Network Profile
- Configuring VLAN Settings for Wireless Network
- Configuring Security Settings for Wireless Network
- Configuring ACLs for User Access to a Wireless Network
- Viewing Wireless SSID Summary

Creating a Wireless Network Profile
To configure WLAN settings, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, click + Add SSID. The Create a New Network pane is displayed.
6. In the General tab, enter a name that is used to identify the network in the Name (SSID) text-box.
7. Under Advanced Settings, configure the following parameters:

Table 132: Advanced Settings Parameters

Parameter

Description

Broadcast/Multicast

Broadcast filtering

Select any of the following values:
- All--The Instant AP drops all broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols.
- ARP--The Instant AP drops broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols. Additionally, it converts ARP requests to unicast and sends frames directly to the associated clients. By default, the Instant AP is configured to ARP mode.
- Unicast ARP Only--This option enables the Instant AP to convert ARP requests to unicast frames, thereby sending them to the associated clients.
- Disabled--The Instant AP forwards all the broadcast and multicast traffic to the wireless interfaces.

DTIM Interval

The DTIM Interval indicates the DTIM period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the Instant AP delivers the buffered broadcast and multicast frames to the associated clients in the power save mode. Range is 1 to 10 beacons. The default value is 1, which means the client checks for buffered data on the Instant AP at every beacon. You can also configure a higher DTIM value for power saving.

Multicast Transmission Optimization

Select the check-box if you want the Instant AP to select the optimal rate for sending broadcast and multicast frames based on the lowest of unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent up to a rate of 24 Mbps. The default rate for sending frames for 2.4 GHz is 1 Mbps and that for 5 GHz is 6 Mbps. This option is disabled by default.

Dynamic Multicast Optimization (DMO)

Select the check-box to allow Instant AP to convert multicast streams into unicast streams over the wireless link. Enabling DMO enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients.
NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.

DMO channel utilization threshold

Specify a value to set a threshold for DMO channel utilization. With DMO, the Instant AP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeds the maximum value, the Instant AP sends multicast traffic over the wireless link.
NOTE: This option will be enabled only when Dynamic Multicast Optimization is enabled.

Transmit Rates (Legacy Only)

2.4 GHz

If the 2.4 GHz band is configured on the Instant AP, specify the minimum and maximum transmission rates. The default value for minimum transmission rate is 1 Mbps and maximum transmission rate is 54 Mbps.

5 GHz

If the 5 GHz band is configured on the Instant AP, specify the minimum and maximum transmission rates. The default value for minimum transmission rate is 6 Mbps and maximum transmission rate is 54 Mbps.

Zone

Zone

Specify the zone for the SSID. If a zone is configured in the SSID, only the Instant AP in that zone broadcasts this SSID. If there are no Instant APs in the zone, SSID is broadcast. If the Instant AP cluster has devices running Aruba Instant firmware versions 6.5.4.7 or later, and 8.3.0.0 or later, you can configure multiple AP zones by adding zone names as comma separated values.

NOTE: Aruba recommends that you do not configure zones in both SSID and in the device specific settings of an Instant AP. If the same zones are configured in SSID and Per AP settings, APs may broadcast the SSIDs, but if the SSIDs and Per AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see Aruba Instant User Guide.

Bandwidth Control

Airtime

Select this to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.

Downstream

Enter the downstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per User check-box.
NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.

Upstream

Enter the upstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per user check-box.
NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.

Each Radio

Select this to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients. The value ranges from 1 through 65535.

Enable 11n

When this option is selected, there is no disabling of High-Throughput (HT) on 802.11n devices for the 5 GHz radio band. If HT is enabled for the 5 GHz radio profile on an Instant AP, it is automatically enabled for all SSIDs configured on an Instant AP. By default, HT is enabled on all SSIDs.
NOTE: If you want the 802.11ac Instant APs to function as 802.11n Instant APs, clear this check-box to disable VHT on these devices.

Enable 11ac

When this option is selected, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an Instant AP, it is automatically enabled for all SSIDs configured on an Instant AP. By default, VHT is enabled on all SSIDs.
NOTE: If you want the 802.11ac Instant APs to function as 802.11n Instant APs, clear this check-box to disable VHT on these devices.

Enable 11ax

When this option is selected, VHT is enabled on the 802.11ax devices. If VHT is enabled for a radio profile on an Instant AP, it is automatically enabled for all SSIDs configured on an Instant AP. By default, VHT is enabled on all SSIDs.

WiFi Multimedia

Background Wifi Multimedia Share

Allocates bandwidth for background traffic such as file downloads or print jobs. Specify the appropriate DSCP mapping values within a range of 0-63 for the background traffic in the corresponding DSCP mapping text-box. Enter up to 8 values with no white space and no duplicate single DSCP mapping value.

Best Effort Wifi Multimedia Share

Allocates bandwidth for best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS. Specify the appropriate DSCP mapping values within a range of 0-63 for the best effort traffic in the corresponding DSCP mapping text-box.

Video Wifi Multimedia Share

Allocates bandwidth for video traffic generated from video streaming. Specify the appropriate DSCP mapping values within a range of 0-63 for the video traffic in the corresponding DSCP mapping text-box.

Voice Wifi Multimedia Share

Allocates bandwidth for voice traffic generated from the incoming and outgoing voice communication. Specify the appropriate DSCP mapping values within a range of 0-63 for the voice traffic in the corresponding DSCP mapping text-box.
NOTE: In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best Effort Wifi Multimedia share and Voice Wifi Multimedia Share to allocate a higher bandwidth to clients transmitting best effort and voice traffic.

Traffic Specification (TSPEC)

Select this check-box if you want to set the TSPEC for the wireless network. The term TSPEC is used in wireless networks supporting the IEEE 802.11e Quality of Service standard. It defines a series of parameters, characteristics, and Quality of Service expectations of a traffic flow.

TSPEC Bandwidth

Enter the bandwidth for the TSPEC.

Spectralink Voice Protocol (SVP)

Select this check-box to opt for SVP protocol.

WiFi Multimedia Power Save (UAPSD)

Select this check-box to enable WiFi Multimedia Power Save (U-APSD). The U-APSD is a power saving mechanism that is an optional part of the IEEE amendment 802.11e, QoS.

Miscellaneous

Band

Select a value to specify the band at which the network transmits radio signals in the Band drop-down list. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.

Content Filtering

Select this check-box to route all DNS requests for the non-corporate domains to OpenDNS on this network.

Primary Usage

Based on the type of network profile, select one of the following options:
- Mixed Traffic--Select this option to create an employee or guest network profile. The employee network is used by the employees in an organization and it supports passphrase-based or 802.1X-based authentication methods. Employees can access the protected data of an enterprise through the employee network after successful authentication. The guest network is created for guests, visitors, contractors, and any non-employee users who use the enterprise Wi-Fi network. The VC assigns the IP address for the guest clients. Captive portal or passphrase-based authentication methods can be set for this wireless network. Typically, a guest network is an unencrypted network. However, you can specify the encryption settings when configuring a guest network.
- Voice Only--Select this option to configure a network profile for devices that provide only voice services such as handsets or applications that require voice traffic prioritization.

NOTE: When a client is associated with the voice network, all data traffic is marked and placed into the high priority queue in QoS.


Inactivity timeout

Specify an interval for session timeout in seconds, minutes, or hours. If a client session is inactive for the specified duration, the session expires and the user is required to log in again. You can specify a value within the range of 60-86,400 seconds (24 hours) for a client session. The default value is 1000 seconds.

Hide SSID

Select this check-box if you do not want the SSID to be visible to users.

Disable Network

Select this check-box if you want to disable the SSID. When selected, the SSID is disabled, but is not removed from the network. By default, all SSIDs are enabled.

Max clients threshold

Specify the maximum number of clients that can be configured for each BSSID on a WLAN. You can specify a value within the range of 0-255. The default value is 64.

Local Probe Request Threshold

Specify a threshold value to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls system response for this network profile and ignores probe requests if required. You can specify an RSSI value within the range of 0-100 dB.

Min RSSI for auth request

Enter the minimum RSSI threshold for authentication requests.

Deauth inactive clients

Select this option to allow the Instant AP to send a de-authentication frame to the inactive client and clear the client entry.

Can be used without uplink

Select this check-box if you do not want the SSID profile to use the uplink.

Deny inter user bridging

Disables bridging traffic between two clients connected to the same SSID on the same VLAN. When this option is enabled, the clients can connect to the Internet, but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.

Enable SSID when

Select an option from the drop-down list and specify the time period.

Disable SSID when

Select an option from the drop-down list and specify the time period.

Deny Intra VLAN Traffic

Disables intra VLAN traffic to enable the client isolation and disable all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client to gateway traffic from clients to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities. For more information, see Configuring Client Isolation.

Management Frame Protection

Turn on the Management Frames Protection toggle switch to provide high network security by maintaining data confidentiality of management frames. The Management Frame Protection (MFP) establishes encryption keys between the client and Instant AP using 802.11i framework. For more information, see Configuring Management Frames Protection.

Fine Timing Measurement (802.11mc) Responder Mode

Turn on the toggle switch to enable the fine timing measurement (802.11mc) responder mode.

Time Range Profiles

Time Range Profiles

Ensure that the NTP server connection is active. Select a time range profile from the Time Range Profiles list and apply a status from the drop-down list. Click + New Time Range Profile to create a new time range profile. For more information, see Configuring Time-Based Services for Wireless Network Profiles.

Configuring VLAN Settings for Wireless Network
To configure VLANs settings for an SSID, complete the following steps:
1. In the VLANs tab, select any of the following options for Client IP Assignment:
- Instant AP assigned--When selected, the client obtains the IP address from the VC.
- External DHCP server assigned--When selected, the client obtains the IP address from the network.


2. Based on the type of client IP assignment mode selected, configure the following parameters:

Table 133: VLANs Parameters

Parameter

Description

Instant AP assigned

When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnet and VLAN on the Instant AP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on Instant APs. If this option is selected, specify any of the following options in Client VLAN Assignment:
- Internal VLAN--Assigns IP address to the client in the same subnet as the Instant APs. By default, the client VLAN is assigned to the native VLAN on the wired network.
- Custom--Allows you to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. When this option is selected, select the scope from the VLAN ID drop-down list.

External DHCP server assigned

When this option is selected, specify any of the following options in Client VLAN Assignment:
- Static--In VLAN ID, specify a VLAN ID for a single VLAN(s). If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID.
  o To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps:
    a. Click +Add Named VLAN. The Add Named VLAN window is displayed.
    b. Enter the VLAN Name and VLAN details, and then click OK.
- Dynamic--Assigns the VLANs dynamically from a DHCP server.
  o To add a new VLAN assignment rule, complete the following steps:
    a. Click + Add Rule in the VLAN Assignment Rules window. The New VLAN Assignment Rule page is displayed.
    b. Enter the Attribute, Operator, String, and VLAN details, and then click OK.
  o To delete a VLAN assignment rule, select a rule in the VLAN Assignment Rules window, and then click the delete icon.
  o To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps:
    a. Click +Add Named VLAN. The Add Named VLAN window is displayed.
    b. Enter the VLAN Name and VLAN details, and then click OK.
  o To delete, select a Named VLAN in the Named VLAN table, and then click the delete icon.
- Native VLAN--Assigns the client VLAN to the native VLAN.

3. Click Next.
Configuring Security Settings for Wireless Network
To configure security settings for mixed traffic or voice network, complete the following steps:


1. In the Security tab, specify any one of the following options in the Security Level:
- Enterprise--On selecting Enterprise security level, the authentication options applicable to the network are displayed.
- Personal--On selecting Personal security level, the authentication options applicable to the personalized network are displayed.
- Captive Portal--On selecting Captive Portal security level, the authentication options applicable to the captive portal are displayed. For more information on captive portal, see Configuring Wireless Networks for Guest Users on Instant APs.
- Open--On selecting Open security level, the authentication options applicable to an open network are displayed.
The default security setting for a network profile is Personal.

2. Based on the security level specified, configure the following basic parameters:

Table 134: Basic WLAN Security Parameters

Data Pane Item

Description

Key Management

For Enterprise security level, select an encryption key from Key Management drop-down list:
- WPA-2 Enterprise--Select this option to use WPA-2 security. The WPA-2 Enterprise requires user authentication and requires the use of a RADIUS server for authentication.
- WPA Enterprise--Select this option to use WPA Enterprise.
- Both (WPA-2 & WPA)--Select this option to use both WPA-2 and WPA security.
- Dynamic-WEP with 802.1X--If you do not want to use a session key from the RADIUS Server to derive pairwise unicast keys, turn on the Use Session Key for LEAP toggle switch. This is required for old printers that use dynamic WEP through LEAP authentication. The Use Session Key for LEAP feature is Disabled by default.
- WPA-3 Enterprise(CNSA)--Select this option to use WPA-3 security employing CNSA encryption.
- WPA-3 Enterprise(CCM 128)--Select this option to use WPA-3 security employing CCM encryption operation mode limited to encrypting 128 bits of plain text.
- WPA-3 Enterprise(GCM 256)--Select this option to use WPA-3 security employing GCM encryption operation mode limited to encrypting 256 bits of plain text.
NOTE: When any of the aforementioned encryption types is selected and if 802.1x authentication method is configured, ensure that the Opportunistic key caching (OKC) and 802.11r toggle switches under Advanced Settings are turned on. This enables OKC and 802.11r protocols and allows faster roaming of clients without the need for a complete 802.1x authentication. You can configure both OKC and 802.11r roaming only for the Enterprise security level.

For Personal security level, select an encryption key from Key Management drop-down list:
- For WPA-2 Personal, WPA Personal, Both (WPA-2&WPA), and WPA-3 Personal keys, specify the following parameters:
  a. Passphrase Format--Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
  b. Passphrase--Enter a passphrase.
  c. Retype--Retype the passphrase to confirm.
- For Static WEP, specify the following parameters:
  a. WEP Key Size--Select an appropriate value for WEP key size from the drop-down list. Select an appropriate value from the Tx Key drop-down list.
  b. WEP Key--Enter an appropriate WEP key.
  c. Retype WEP Key--Retype the WEP key to confirm.
- For MPSK-AES, select a primary server from the drop-down list.
- For MPSK-LOCAL, select a Mpsk Local server from the drop-down list.

For Captive Portal security level, select an encryption key from Key Management drop-down list:
- For WPA-2 Personal, WPA Personal, Both (WPA-2&WPA), and WPA-3 Personal keys, specify the following parameters:
  a. Passphrase Format--Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
  b. Passphrase--Enter a passphrase.
  c. Retype--Retype the passphrase to confirm.
- For Static WEP, specify the following parameters:
  a. WEP Key Size--Select an appropriate value for WEP key size from the drop-down list. Select an appropriate value from the Tx Key drop-down list.
  b. WEP Key--Enter an appropriate WEP key.
  c. Retype WEP Key--Retype the WEP key to confirm.
For information on configuring captive portal, see Configuring Wireless Networks for Guest Users on Instant APs.

For Open security level, the Key Management includes Open and Enhanced Open options.

EAP offload

This option is applicable to Enterprise security levels only. To terminate the EAP portion of 802.1X authentication on the Instant AP instead of the RADIUS server, turn on the EAP offload toggle switch. Enabling EAP offload can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the Instant AP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the Instant AP acts as a relay for this exchange. When EAP Offload is enabled, the Instant AP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server. It can also reduce the number of exchange packets between the Instant AP and the authentication server.
Instant supports the configuration of primary and backup authentication servers in an EAP termination-enabled SSID.
If you are using LDAP for authentication, ensure that Instant AP termination is configured to support EAP.

Authentication Server

Configure the following parameters:
- MAC Authentication--Turn on the MAC Authentication toggle switch to allow MAC address based authentication for Personal, Captive Portal, and Open security levels.
- Primary Server--Set a primary authentication server. The Primary Server option appears only for Enterprise security level, internal and external captive portal types. Select one of the following options from the drop-down list:
  o Internal Server--To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs. Aruba Central allows you to configure an external RADIUS server, TACACS or LDAP server, and External Captive Portal for user authentication.
- Secondary Server--To add another server for authentication, configure another authentication server.
- Authentication Survivability--If an external server is configured for authentication, you can enable authentication survivability. Specify a value in hours for Cache Timeout to set the duration after which the authenticated credentials in the cache expire. When the cache expires, the clients are required to authenticate again. You can specify a value within the range of 1 to 99 hours. By default, authentication survivability is disabled.
- Load Balancing--If you are using two RADIUS authentication servers, turn on the toggle switch to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring External Authentication Servers for APs.

Users

Click Users to add the users. The registered users of Employee type will be able to access the users of Enterprise network. To add a new user, click + Add User and enter the new user in the Add User pane. The Primary Server option appears only for Enterprise security level, Internal Captive Portal, and External Captive Portal.

3. Based on the security level specified, specify the following parameters in the Advanced Settings section:

Table 135: Advanced WLAN Security Parameters

Data pane item

Description

Use Session Key for LEAP

Turn on the toggle switch to use the session key for Lightweight Extensible Authentication Protocol. This option is available only for Enterprise level.

MAC Authentication for Enterprise Networks

To enable MAC address based authentication for Personal and Open security levels, turn on the toggle switch to enable MAC Authentication. For Enterprise security level, the following options are available:
- Perform MAC authentication before 802.1X--Select this to use 802.1X authentication only when the MAC authentication is successful.
- MAC Authentication Fail-Through--On selecting this, the 802.1X authentication is attempted when the MAC authentication fails.
- If MAC Authentication is enabled, configure the following parameters:
  o Delimiter Character--Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
  o Uppercase Support--Turn on the toggle switch to allow the Instant AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

Reauth Interval

Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients. If the re-authentication interval is configured:
- On an SSID performing L2 authentication (MAC or 802.1X authentication): When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role.
- On an SSID performing both L2 and L3 authentication (MAC with captive portal authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.
- On an SSID performing only L3 authentication (captive portal authentication): When re-authentication succeeds, a pre-authentication role is assigned to the client that is in a post-authentication role. Due to this, the clients are required to go through captive portal to regain access.

Denylisting

By default, this option is disabled. To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled.

Enforce DHCP

Enforces WLAN SSID on Instant AP clients. When DHCP is enforced:
- A layer-2 user entry is created when a client associates with an Instant AP.
- The client DHCP state and IP address are tracked.
- When the client obtains an IP address from DHCP, the DHCP state changes to complete.
- If the DHCP state is complete, a layer-3 user entry is created.
- When a client roams between the Instant APs, the DHCP state and the client IP address are synchronized with the new Instant AP.

WPA3 Transition

Enable this option to allow transition from WPA3 to WPA2 and vice versa. The WPA3 Transition appears only when WPA3 is selected in the Key Management for Personal, Captive Portal, and Open level.


Legacy Support

Enable this option to allow backward compatibility of encryption modes in networks. The Legacy Support appears only when WPA3 is selected in the Key Management for Personal, Captive Portal, and Open level.

Use IP for Calling Station ID

Enable this option to configure client IP address as calling station ID. When this option is enabled, the following options are displayed:
- Called Station ID Type--Select any of the following options for configuring called station ID:
  o Access Point Group--Uses the VC ID as the called station ID.
  o Access Point Name--Uses the host name of the Instant AP as the called station ID.
  o VLAN ID--Uses the VLAN ID as the called station ID.
  o IP Address--Uses the IP address of the Instant AP as the called station ID.
  o MAC address--Uses the MAC address of the Instant AP as the called station ID.
- Called Station ID Include SSID--Appends the SSID name to the called station ID.

NOTE: The Called Station ID Type detail can be configured even if the Use IP for Calling Station ID is set to disabled.
- Called Station ID Delimiter--Sets delimiter at the end of the called station ID.
- Max Authentication Failures--Sets a value for the maximum allowed authentication failures.

Delimiter Character

Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

Uppercase Support

Select this option to allow the Instant AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

Fast Roaming

Enable the following fast roaming features as per your requirement:
- Opportunistic Key Caching (OKC)--Turn on the Opportunistic key caching (OKC) toggle switch to reduce the time needed for authentication. When OKC is enabled, multiple APs can share Pairwise Master Keys (PMKs) and use these keys when clients roam to a neighboring AP.

NOTE: The Opportunistic key caching (OKC) toggle switch is disabled by default when you select any of the encryption types from the Key Management drop-down list.
- 802.11k--Turn on the 802.11k toggle switch to enable 802.11k roaming. The 802.11k protocol enables Instant APs and clients to dynamically measure the available radio resources. When 802.11k is enabled, Instant APs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
- 802.11v--Turn on the 802.11v toggle switch to enable 802.11v based BSS transition. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows the client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as they roam.
- 802.11r--Turn on the 802.11r toggle switch to enable 802.11r roaming. Selecting this option enables fast BSS transition. The fast BSS transition mechanism minimizes the delay when a client transitions from one BSS to another within the same cluster.
NOTE: For Enterprise security level, the 802.11r toggle switch is disabled by default when you select WPA2 Enterprise or Both (WPA2 & WPA) encryption types from the Key Management drop-down list. However, the 802.11r toggle switch is not available when you select the remaining encryption types from the Key Management drop-down list.
Once you enable the 802.11r, the following field is displayed:
  o MDID--In the MDID text-box, enter the mobility domain identifier to configure a mobility domain identifier. In a network of standalone Instant APs within the same management VLAN, 802.11r roaming does not work. This is because the mobility domain identifiers do not match across Instant APs. They are auto-generated based on a virtual controller key. You can set a mobility domain identifier for 802.11r SSIDs. For standalone Instant APs in the same management VLAN, 802.11r roaming works only when the mobility domain identifier is configured with the same value.

4. Click Next.
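The Delimiter Character and Uppercase Support settings in the table above fix the exact MAC string the Instant AP places in the MAC authentication request. The following Python helper is an added example, not part of the Aruba guide: it renders inventory MAC addresses in the configured format and flags allow-list entries that would not match. The function names and sample addresses are constructed, and it assumes lowercase output when Uppercase Support is off and a RADIUS server that compares the string exactly.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def mac_auth_string(mac, delimiter="", uppercase=False):
    """Render a MAC as the MAC authentication request would carry it.

    delimiter: "" (none), ":" or "-", mirroring the Delimiter Character setting.
    uppercase: mirrors the Uppercase Support setting.
    """
    # Accept common inventory notations: aa:bb:.., aa-bb-.., aabb.ccdd.eeff, bare hex.
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if len(delimiter) > 1:
        raise ValueError("delimiter must be a single character or empty")
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    rendered = delimiter.join(octets)
    return rendered.upper() if uppercase else rendered

def audit_allowlist(entries, delimiter="", uppercase=False):
    """Split stored allow-list usernames into (matching, needs_rewrite).

    needs_rewrite maps each stored entry to the string the AP is expected
    to send, so entries that would fail an exact-match lookup stand out.
    """
    matching, needs_rewrite = [], {}
    for entry in entries:
        expected = mac_auth_string(entry, delimiter, uppercase)
        if entry == expected:
            matching.append(entry)
        else:
            needs_rewrite[entry] = expected
    return matching, needs_rewrite

# Constructed sample allow-list in mixed notations (not from the guide).
SAMPLE = ["aa:bb:cc:00:11:22", "AA-BB-CC-00-11-23", "aabb.cc00.1124", "aabbcc001125"]

if __name__ == "__main__":
    ok, fix = audit_allowlist(SAMPLE, delimiter=":", uppercase=False)
    print("already match:", ok)
    for stored, expected in fix.items():
        print(f"rewrite {stored} -> {expected}")
```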
Configuring ACLs for User Access to a Wireless Network
You can configure up to 64 access rules for a wireless network profile. To configure access rules for a network, complete the following steps:
1. In the Access tab, turn on the Downloadable Role toggle switch to allow downloading of preexisting user roles. For more information, see Configuring Downloadable Roles.
   - The Downloadable Role feature is optional. It is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8.
   - At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for Instant APs.
2. Click the action corresponding to the server. The Edit Server page is displayed.
Viewing Wireless SSID Summary
In the Summary tab, the Network Summary page displays all the settings configured in the General, VLANs, Security, and Access tabs. Click Save Settings to complete the network profile creation and save the settings.
Configuring Client Isolation
Aruba Central supports the Client Isolation feature, which isolates clients from one another and disables all peer-to-peer communication within the network. Client isolation disables inter-client communication by allowing only client-to-gateway traffic from clients to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities. Client Isolation can only be configured through the CLI.
When Client Isolation is configured, the Instant AP learns the IP, subnet mask, MAC, and other essential information of the gateway and the DNS server. A subnet table of trusted destinations is then populated with this information. Wired servers used in the network should be manually configured into this subnet table to serve clients. The destination MAC of data packets sent by the client is validated against this subnet table, and only the data packets destined to the trusted addresses in the subnet table are forwarded by the Instant AP. All other data packets are dropped.
The Client Isolation feature is supported only in IPv4 networks. This feature does not support AirGroup and affects Chromecast and AirPlay services.
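Because the Instant AP forwards only frames whose destination MAC is in the subnet table, it helps to work out before enabling the feature which wired servers need a manual entry. The following Python planning helper is an added example, not Aruba code or the AP's own logic: it relies on standard IP behaviour (off-subnet hosts are reached through the gateway's MAC, so only servers on the client subnet need their own entry). The function name and all addresses are constructed.

```python
import ipaddress

def plan_subnet_table(client_subnet, gateway, dns_servers, wired_servers):
    """Classify destinations for an SSID with client isolation enabled.

    Returns a dict with:
      learned        - gateway and on-subnet DNS servers (learned by the AP)
      via_gateway    - off-subnet hosts; frames to them carry the gateway MAC
      manual_entries - on-subnet wired servers that must be added by hand
    """
    net = ipaddress.ip_network(client_subnet, strict=True)
    if net.version != 4:
        raise ValueError("client isolation is supported only in IPv4 networks")
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is outside {net}")

    learned, via_gateway, manual = [str(gw)], [], []
    for dns in map(ipaddress.ip_address, dns_servers):
        (learned if dns in net else via_gateway).append(str(dns))
    for name, addr in wired_servers.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            via_gateway.append(str(ip))      # routed: destination MAC is the gateway's
        elif str(ip) not in learned:
            manual.append((name, str(ip)))   # same L2 segment: needs a table entry
    return {"learned": learned, "via_gateway": via_gateway, "manual_entries": manual}

# Constructed sample site (addresses are illustrative, not from the guide).
SAMPLE_PLAN = plan_subnet_table(
    client_subnet="10.20.0.0/24",
    gateway="10.20.0.1",
    dns_servers=["10.20.0.2", "10.99.0.53"],
    wired_servers={"printer": "10.20.0.50", "ntp": "10.99.0.10",
                   "fileserver": "10.20.0.60"},
)

if __name__ == "__main__":
    for kind, hosts in SAMPLE_PLAN.items():
        print(f"{kind}: {hosts}")
```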
Enabling Client Isolation for Wireless Networks in Aruba Central
To enable the Client Isolation feature, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs page, click + Add SSID. The Create a New Network page is displayed.
6. Click Advanced Settings and expand Miscellaneous.
7. Turn on the Deny Intra VLAN Traffic toggle switch.
8. Click Next.
Configuring Management Frames Protection
Aruba Central supports the Management Frame Protection (MFP) feature in networks that include Aruba Instant 8.5.0.0 firmware version and later. This feature protects networks against forged management frames spoofed from other devices that might otherwise disrupt a valid user session. MFP increases security by providing data confidentiality for management frames. MFP uses the 802.11i framework, which establishes encryption keys between the client and the Instant AP.
Enabling Management Frames Protection for Wireless Networks in Aruba Central
To enable the MFP feature, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs page, click + Add SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. In the General tab, click Advanced Settings.
7. Expand Miscellaneous.
8. Turn on the Management Frames Protection toggle switch to enable the MFP feature.
9. Click Next.
10. Click Save Settings.
The MFP configuration is a per-SSID configuration. The MFP feature can be enabled only on WPA2-PSK a