Aruba Central User Guide
Copyright Information

© Copyright 2021 Hewlett Packard Enterprise Development LP.

Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
6280 America Center Drive
San Jose, CA 95002
USA
Chapter 1: About this Guide

This user guide describes the features supported by Aruba Central and provides detailed instructions to set up and configure devices such as Instant APs, Aruba Switches, and Aruba SD-WAN Gateways.

Intended Audience

This guide is intended for system administrators who configure and monitor their networks using Aruba Central.

Related Documents

In addition to this document, the Aruba Central product documentation includes the following documents:
- Aruba Central Help Center
- Aruba Central Getting Started Guide
- Aruba Central Managed Service Provider User Guide
- Aruba Central SD Branch Solution Guide

Conventions

The following conventions are used throughout this guide to emphasize important concepts:

Table 1: Typographical Conventions

| Type Style | Description |
|---|---|
| Italics | This style is used to emphasize important terms and to mark the titles of books. |
| System items | This fixed-width font depicts the following: sample screen output, system prompts. |

The following informational icons are used throughout this guide:
- Indicates a risk of damage to your hardware or loss of data.
- Indicates helpful suggestions, pertinent information, and important things to remember.
- Indicates a risk of personal injury or death.

Terminology Change

As part of advancing HPE's commitment to racial justice, we are taking a much-needed step in overhauling HPE engineering terminology to reflect our belief system of diversity and inclusion. Some legacy products and publications may continue to include terminology that seemingly evokes bias against specific groups of people. Such content is not representative of our HPE culture and moving forward, Aruba will replace racially insensitive terms and instead use the following new language:

| Usage | Old Language | New Language |
|---|---|---|
| Campus Access Points + Controllers | Master-Slave | Conductor-Member |
| Instant Access Points | Master-Slave | Conductor-Member |
| Switch Stack | Master-Slave | Conductor-Member |
| Wireless LAN Controller | Mobility Master | Mobility Conductor |
| Firewall Configuration | Blacklist, Whitelist | Denylist, Allowlist |
| Types of Hackers | Black Hat, White Hat | Unethical, Ethical |

Contacting Support

Table 2: Contact Information

| Contact | Details |
|---|---|
| Main Site | arubanetworks.com |
| Support Site | asp.arubanetworks.com |
| Airheads Social Forums and Knowledge Base | community.arubanetworks.com |
| North American Telephone | 1-800-943-4526 (Toll Free), 1-408-754-1200 |
| International Telephone | arubanetworks.com/support-services/contact-support/ |
| Software Licensing Site | lms.arubanetworks.com |
| End-of-life Information | arubanetworks.com/support-services/end-of-life/ |
| Security Incident Response Team | Site: arubanetworks.com/support-services/security-bulletins/ Email: [email protected] |

Chapter 2: What is Aruba Central?

Aruba Central offers unified network management, AI-based analytics, and IoT device security for wired, wireless, and SD-WAN networks.
All of these capabilities are combined into one easy-to-use platform, which includes the following apps:
- Network Operations--Provides unified network management by consolidating wired, wireless, and SD-WAN deployment and management tasks, real-time diagnostics, and live monitoring, for simple and fast problem resolution.
- ClearPass Device Insight--Provides a single pane of glass for device visibility, employing automated device discovery and machine learning (ML) based fingerprinting and identification. For more information, see Aruba ClearPass Device Insight Information Center.

This section includes the following topics:
- Key Features
- What is Aruba Central?
- Supported Web Browsers
- Operational Modes and Interfaces

Key Features

Aruba Central offers the following key features and benefits:
- Streamlined configuration and deployment of devices--Leverages the ZTP capability of Aruba devices to bring up your network in no time. Aruba Central supports group configuration of devices, which allows you to provision and manage multiple devices with similar configuration requirements with less administrative overhead.
- Integrated wired, WAN, and wireless infrastructure management--Offers a centralized management interface for managing wireless, WAN, and wired networks in distributed environments, and thus helps organizations save time and improve efficiency.
- Advanced analytics and assurance--With continuous monitoring, AI-based analytics provide real-time visibility and insight into what's happening in the Wi-Fi network. The insights utilize machine learning that leverages a growing pool of network data and deep domain experience.
- Secure cloud-based platform--Offers a secure cloud platform with HTTPS connection and certificate-based authentication.
- Interface for Managed Service Providers--Offers an additional interface for MSPs to provision and manage their respective tenant accounts.
  Using the MSP mode, service provider organizations can administer network infrastructure for multiple organizations in a single interface.
- SD-Branch Management--Offers a simplified solution for managing and monitoring SD-Branch devices such as Branch Gateways, VPN Concentrators, Instant APs, and Aruba Switches. It also provides detailed dashboards showing WAN health and pictorial depictions of the branch setup. The Aruba SD-Branch solution extends the SD-WAN concepts to all elements in a branch setup to deliver a full-stack solution for managing WLAN, LAN and WAN connections. The SD-Branch solution provides a common cloud-management model that simplifies deployment, configuration, and management of all components of a branch setup. The solution leverages the ZTP and cloud management capabilities of Aruba devices to integrate management and infrastructure for WAN, WLAN, and LAN and provide a holistic solution from access network to edge with end-to-end security. It also addresses all communications in distributed deployments, from micro branches to medium or large branches. For more information, see the Aruba SD-Branch Solution.
- Health and usage monitoring--Provides a comprehensive view of your network, device status and health, and application usage. You can monitor, identify, and address issues by using data-driven dashboards, alerts, reports, and troubleshooting workflows. Aruba Central also utilizes the DPI feature of the devices to monitor, analyze and block traffic based on application categories, application type, web categories and website reputation. Using this data, you can prioritize business critical applications, limit the use of inappropriate content, and enforce access policies on a per user, device or location basis.
- Guest Access--Allows you to manage access for your visitors with a secure guest Wi-Fi experience. You can create guest sponsor roles and social logins for your guest networks.
  You can also design your guest landing page with custom logos, color, and banner text.
- Presence Analytics--Offers a value added service for Instant AP based networks to get an insight into user presence and loyalty. The Presence Analytics dashboard allows you to view the presence of users at a specific site and the frequency of user visits at a given location or site. Using this data, you can make business decisions to improve customer engagement.

Supported Web Browsers

To view the Aruba Central UI, ensure that JavaScript is enabled on the web browser.

Table 3: Browser Compatibility Matrix

| Browser | Versions | Operating System |
|---|---|---|
| Google Chrome | 39.0.2171.65 or later | Windows and Mac OS |
| Mozilla Firefox | 34.0.5 or later | Windows and Mac OS |
| Safari | 7 or later | Mac OS |
| Microsoft Edge | version 79 or later | Windows |

Operational Modes and Interfaces

Aruba offers the following variants of the Aruba Central web interface:
- Standard Enterprise Mode
- Managed Service Provider Mode

Standard Enterprise Mode

The Standard Enterprise interface is intended for users who manage their respective accounts end-to-end. In the Standard Enterprise mode, the customers have complete access to their accounts. They can also provision devices and subscriptions to manage their respective accounts.

The following figure illustrates a typical Standard Enterprise mode deployment.

Figure 1: Standard Enterprise Mode

Managed Service Provider Mode

Aruba Central offers the MSP mode for managed service providers who need to manage multiple customer networks. The MSP administrators can provision tenant accounts, allocate devices, assign licenses, and monitor tenant accounts and their networks. The administrators can also drill down to a specific tenant account and perform administration and configuration tasks. Tenants can access only their respective accounts, and only those features and application services to which they have subscribed.

The following figure illustrates a typical MSP mode deployment.

Figure 2: Managed Service Provider Mode

Supported Devices

This section provides the following information:
- Supported Instant APs
- Supported AOS-Switch Platforms
- Supported AOS-CX Platforms
- Supported SD-Branch Components
- Supported 4G Modems for Aruba SD-Branch

Supported Instant APs

The following table lists the Instant AP platforms, the installation mode, the minimum supported Aruba Instant software versions, and the Instant APs supporting power draw:

Table 4: Supported Instant AP Platforms

| Instant AP Platform | Installation Mode | Minimum Supported Aruba Instant Software Version | Power Draw Support |
|---|---|---|---|
| AP-567EX | Outdoor | Aruba Instant 8.7.1.0 | No |
| AP-567 | Outdoor | Aruba Instant 8.7.1.0 | Yes |
| AP-565EX | Outdoor | Aruba Instant 8.7.1.0 | No |
| AP-565 | Outdoor | Aruba Instant 8.7.1.0 | Yes |
| AP-503H | Indoor | Aruba Instant 8.7.1.0 | Yes |
| AP-577EX | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-577 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-575EX | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-575 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-574 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-518 | Outdoor | Aruba Instant 8.7.0.0 | Yes |
| AP-505H | Indoor | Aruba Instant 8.7.0.0 | Yes |
| AP-505 | Indoor | Aruba Instant 8.6.0.0 | Yes |
| AP-504 | Indoor | Aruba Instant 8.6.0.0 | Yes |
| AP-555 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP-535 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP-534 | Indoor | Aruba Instant 8.5.0.0 | No |
| AP-515 | Indoor | Aruba Instant 8.4.0.0 | Yes |
| AP-514 | Indoor | Aruba Instant 8.4.0.0 | Yes |
| AP-387 | Outdoor | Aruba Instant 8.4.0.0 | Yes |
| AP-303P | Indoor | Aruba Instant 8.4.0.0 | No |
| AP-377EX | Outdoor | Aruba Instant 8.3.0.0 | No |
| AP-377 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-375EX | Outdoor | Aruba Instant 8.3.0.0 | No |
| AP-375 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-374 | Outdoor | Aruba Instant 8.3.0.0 | Yes |
| AP-345 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-344 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-318 | Indoor | Aruba Instant 8.3.0.0 | Yes |
| AP-303 | Indoor | Aruba Instant 8.3.0.0 | No |
| AP-203H | Indoor | Aruba Instant 6.5.3.0 | No |
| AP-367 | Outdoor | Aruba Instant 6.5.2.0 | No |
| AP-365 | Outdoor | Aruba Instant 6.5.2.0 | No |
| AP-303HR | Indoor | Aruba Instant 6.5.2.0 | No |
| AP-303H | Indoor | Aruba Instant 6.5.2.0 | Yes |
| AP-203RP | Indoor | Aruba Instant 6.5.2.0 | No |
| AP-203R | Indoor | Aruba Instant 6.5.2.0 | No |
| IAP-305 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | Yes |
| IAP-304 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | Yes |
| IAP-207 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | No |
| IAP-335 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-334 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-315 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | No |
| IAP-314 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes |
| IAP-325 | Indoor | Aruba Instant 6.4.4.3-4.2.2.0 | No |
| IAP-324 | Indoor | Aruba Instant 6.4.4.3-4.2.2.0 | No |
| IAP-277 | Outdoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-228 | Indoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-205H | Indoor | Aruba Instant 6.4.3.1-4.2.0.0 | No |
| IAP-215 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-214 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-205 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-204 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No |
| IAP-275 | Outdoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-274 | Outdoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-103 | Indoor | Aruba Instant 6.4.0.2-4.1.0.0 | No |
| IAP-225 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-224 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-115 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| IAP-114 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No |
| RAP-155P | Indoor | Aruba Instant 6.2.1.0-3.3.0.0 | No |
| RAP-155 | Indoor | Aruba Instant 6.2.1.0-3.3.0.0 | No |
| RAP-109 | Indoor | Aruba Instant 6.2.0.0-3.2.0.0 | No |
| RAP-108 | Indoor | Aruba Instant 6.2.0.0-3.2.0.0 | No |
| RAP-3WN | Indoor | Aruba Instant 6.1.3.1-3.0.0.0 | No |
| RAP-3WNP | Indoor | Aruba Instant 6.1.3.1-3.0.0.0 | No |

- RAP-155, RAP-155P, IAP-214, IAP-215, IAP-224, IAP-225, IAP-228, IAP-274, IAP-275, and IAP-277 IAPs are no longer supported from Aruba Instant 8.7.0.0 onwards.
- IAP-103, RAP-108, RAP-109, IAP-114, IAP-115, IAP-204, IAP-205, and IAP-205H IAPs are no longer supported from Aruba Instant 8.3.0.0 onwards.
- By default, AP-318, AP-374, AP-375, and AP-377 IAPs have Eth1 as the uplink port and Eth0 as the downlink port. Aruba does not recommend upgrading these IAPs to Aruba Instant 8.5.0.0 or 8.5.0.1 firmware versions, because the upgrade process changes the uplink port from Eth1 to Eth0, making the devices unreachable.
- For more information about Aruba's End-of-life policy and the timelines for hardware and software products at the end of their lives, see: https://www.arubanetworks.com/support-services/end-of-life/.
- Data sheets and technical specifications for the supported AP platforms are available at: https://www.arubanetworks.com/products/networking/access-points/.

Supported AOS-Switch Platforms

- Aruba Central uses the SSL certificate by GeoTrust Certificate Authority for device termination and web services. As the SSL certificate is about to expire, Aruba is replacing it with a new certificate from another trusted Certificate Authority. During the certificate upgrade window, all devices managed by Aruba Central will be disconnected. After the upgrade, the devices reconnect to Aruba Central and resume their services with Aruba Central.
  However, for AOS-Switches to reconnect to Aruba Central after the certificate upgrade, you must ensure that the switches are upgraded to the recommended software version listed in Table 5.
- Aruba Central does not support switch software versions below 16.08 release for firmware upgrade. In addition, only the latest three switch software versions of all major release versions will be available for firmware upgrade from Aruba Central. For example, if the latest switch software version released is 16.10.0011, the following versions will be available for firmware upgrade: 16.10.0009, 16.10.0010 and 16.10.0011.
- Changing AOS-Switches firmware from latest version to earlier major versions is not recommended if the switches are managed in UI groups. For features that are not supported or not managed in Aruba Central on earlier AOS-Switch versions, changing firmware to earlier major versions might result in loss of configuration.

The following tables list the switch platforms, corresponding software versions supported in Aruba Central, and switch stacking details.

Table 5: Supported AOS-Switch Series, Software Versions, and Switch Stacking

| Switch Platform | Supported Software Versions | Recommended Software Versions | Switch Stacking Support | Supported Stack Type (Frontplane (VSF) / Backplane (BPS)) | Supported Configuration Group Type for Stacking (UI / Template) |
|---|---|---|---|---|---|
| Aruba 2530 Switch Series | YA/YB.16.05.0008 or later | YA/YB.16.10.0013 | N/A | N/A | N/A |
| Aruba 2540 Switch Series | YC.16.03.0004 or later | YC.16.10.0013 | N/A | N/A | N/A |
| Aruba 2920 Switch Series | WB.16.03.0004 or later | WB.16.10.0013 | Yes. Switch Software Dependency: WB.16.04.0008 or later | BPS | UI and Template |
| Aruba 2930F Switch Series | WC.16.03.0004 or later | WC.16.10.0014 | Yes. Switch Software Dependency: WC.16.07.0002 or later | VSF | UI and Template |
| Aruba 2930M Switch Series | WC.16.04.0008 or later | WC.16.10.0014 | Yes. Switch Software Dependency: WC.16.06.0006 or later | BPS | UI and Template |
| Aruba 3810 Switch Series | KB.16.03.0004 or later | KB.16.10.0014 | Yes. Switch Software Dependency: KB.16.07.0002 or later | BPS | UI and Template |
| Aruba 5400R Switch Series | KB.16.04.0008 or later | KB.16.10.0014 | Yes. Switch Software Dependency: KB.16.06.0008 or later | VSF | Template only |

Provisioning and configuring of Aruba 5400R switch series and switch stacks is supported only through configuration templates. Aruba Central does not support moving Aruba 5400R switches from the template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, then the device is moved to an unprovisioned group after it joins Aruba Central.

Table 6: Supported Aruba Mobility Access Switch Series and Software Versions

| Mobility Access Switch Series | Supported Software Versions |
|---|---|
| S1500-12P, S1500-24P, S2500-24P, S3500-24T | ArubaOS 7.3.2.6, ArubaOS 7.4.0.3, ArubaOS 7.4.0.4, ArubaOS 7.4.0.5, ArubaOS 7.4.0.6 |

Data sheets and technical specifications for the supported switch platforms are available at: https://www.arubanetworks.com/products/networking/switches/

Supported AOS-CX Platforms

To manage your AOS-CX switches using Aruba Central, ensure that the switch software is upgraded to 10.05.0021 or a later version. AOS-CX switches with version 10.05.0021 or earlier might not connect to Aruba Central after ten days of operation. You must upgrade the AOS-CX switch to a recommended software version to connect to Aruba Central.
The following table lists the AOS-CX platforms, corresponding software versions supported in Aruba Central, and switch stacking details.

Table 7: Supported AOS-CX Switch Series, Software Versions, and Switch Stacking

| Switch Platform | Supported Software Versions | Recommended Software Versions | Switch Stacking Support | Supported Stack Type | Maximum Number of Stack Members | Supported Configuration Group Type (UI / Template) |
|---|---|---|---|---|---|---|
| AOS-CX 6100 Switch Series | 10.06.0110 or later | 10.06.0110 | N/A | N/A | N/A | Template only |
| AOS-CX 6200 Switch Series | 10.05.0021 | 10.06.0101 | Yes. Switch Software Dependency: 10.05.0021 | VSF | 8 | UI and Template |
| AOS-CX 6300 Switch Series | 10.05.0021 | 10.06.0101 | Yes. Switch Software Dependency: 10.05.0021 | VSF | 10 | UI and Template |
| AOS-CX 6300 Switch Series [JL762A] Back 2 Front Power Supply SKU only | 10.06.0001 or later | 10.06.0101 | Yes. Switch Software Dependency: 10.05.0021 | VSF | 10 | UI and Template |
| AOS-CX 6405 Switch Series | 10.05.0021 | 10.06.0101 | N/A | N/A | N/A | Template only |
| AOS-CX 6410 Switch Series | 10.05.0021 | 10.06.0101 | N/A | N/A | N/A | Template only |
| AOS-CX 8320 Switch Series | 10.05.0021 | 10.06.0101 | N/A | N/A | N/A | UI and Template |
| AOS-CX 8325 Switch Series | 10.05.0021 | 10.06.0101 | N/A | N/A | N/A | UI and Template |
| AOS-CX 8360 Switch Series | 10.06.0001 or later | 10.06.0101 | N/A | N/A | N/A | UI and Template |
| AOS-CX 8400 Switch Series | 10.06.0001 or later | 10.06.0101 | N/A | N/A | N/A | Template only |

Provisioning and configuring of AOS-CX 6405, 6410, and 8400 switch series and switch stacks is supported only through configuration templates.

Data sheets and technical specifications for the supported switch platforms are available at: https://www.arubanetworks.com/products/networking/switches/.
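An inventory check against the recommended versions in Table 5 and Table 7, together with the two AOS-Switch upgrade rules stated above (no upgrade from Aruba Central below release 16.08, and only the latest three builds of each major release offered). This is an added example, not code from Aruba or from this guide; the device names, the sample inventory, the "FL" image prefix on the sample AOS-CX string, and the reading of "major release" as the first two version fields are assumptions.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Recommended versions copied from Table 5 (AOS-Switch) and Table 7 (AOS-CX).
RECOMMENDED = {
    "2530": "YA/YB.16.10.0013", "2540": "YC.16.10.0013", "2920": "WB.16.10.0013",
    "2930F": "WC.16.10.0014", "2930M": "WC.16.10.0014", "3810": "KB.16.10.0014",
    "5400R": "KB.16.10.0014",
    "6100": "10.06.0110", "6200": "10.06.0101", "6300": "10.06.0101",
    "6405": "10.06.0101", "6410": "10.06.0101", "8320": "10.06.0101",
    "8325": "10.06.0101", "8360": "10.06.0101", "8400": "10.06.0101",
}
# The guide states that Aruba Central cannot upgrade AOS-Switch firmware below 16.08.
MIN_CENTRAL_UPGRADE = (16, 8, 0)

_VERSION_RE = re.compile(r"^(?:([A-Z]{2}(?:/[A-Z]{2})*)\.)?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Split 'WC.16.10.0014' or '10.06.0101' into (image prefixes, numeric tuple)."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    prefixes = frozenset(match.group(1).split("/")) if match.group(1) else frozenset()
    return prefixes, tuple(int(part) for part in match.groups()[1:])


class Finding(NamedTuple):
    device: str
    status: str             # ok | below-recommended | wrong-image | unknown-platform | unparsable
    below_16_08_floor: bool  # AOS-Switch only: too old to be upgraded from Aruba Central


def audit_device(device, platform, running):
    """Compare one device's running version with the recommended one for its platform."""
    recommended = RECOMMENDED.get(platform)
    if recommended is None:
        return Finding(device, "unknown-platform", False)
    try:
        run_prefix, run_nums = parse_version(running)
    except ValueError:
        return Finding(device, "unparsable", False)
    rec_prefix, rec_nums = parse_version(recommended)
    is_aos_switch = bool(rec_prefix)  # only the AOS-Switch tables carry an image prefix
    if is_aos_switch and not (run_prefix & rec_prefix):
        return Finding(device, "wrong-image", False)
    below_floor = is_aos_switch and run_nums < MIN_CENTRAL_UPGRADE
    status = "ok" if run_nums >= rec_nums else "below-recommended"
    return Finding(device, status, below_floor)


def central_upgrade_targets(released):
    """Latest three builds per major release (first two fields), skipping releases below 16.08."""
    by_release = defaultdict(set)
    for text in released:
        _, nums = parse_version(text)
        if nums >= MIN_CENTRAL_UPGRADE:
            by_release[nums[:2]].add(nums)
    return {
        f"{major}.{minor:02d}": [f"{a}.{b:02d}.{c:04d}" for a, b, c in sorted(builds)[-3:]]
        for (major, minor), builds in sorted(by_release.items())
    }


# Constructed sample inventory: (device name, platform, running version).
INVENTORY = [
    ("sw-access-01", "2930F", "WC.16.10.0014"),
    ("sw-access-02", "2930F", "WC.16.07.0002"),
    ("sw-edge-03", "2530", "YB.16.10.0009"),
    ("sw-core-04", "3810", "WC.16.10.0014"),
    ("cx-agg-05", "6300", "FL.10.05.0021"),
    ("cx-agg-06", "8325", "10.06.0101"),
]


def run_audit(inventory=INVENTORY):
    """Return only the devices that need attention before the certificate change."""
    findings = [audit_device(*row) for row in inventory]
    return [f for f in findings if f.status != "ok"]


if __name__ == "__main__":
    for finding in run_audit():
        note = " (upgrade locally: below 16.08)" if finding.below_16_08_floor else ""
        print(f"{finding.device}: {finding.status}{note}")
```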
Supported SD-Branch Components

The Aruba SD-WAN Gateway portfolio includes Aruba Gateways that function as Branch Gateways and VPNCs.

The following table lists the Aruba Gateway platforms and ArubaOS software versions that function as Branch Gateways:

Table 8: Supported Aruba Gateways

| Platform | Minimum Supported Software Version | Latest Software Version | Recommended Software Version |
|---|---|---|---|
| Aruba 9004-LTE | ArubaOS 8.5.0.0-2.1.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.5.0.0-2.1.0.0 |
| Aruba 9012 | ArubaOS 8.5.0.0-2.0.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.5.0.0-2.0.0.4 |
| Aruba 9004 | ArubaOS 8.5.0.0-1.0.7.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.5.0.0-2.0.0.4 |
| Aruba 7210, 7220, and 7240XM | ArubaOS 8.5.0.0-2.0.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.5.0.0-2.0.0.4 |
| Aruba 7030 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7024 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7010 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7008 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7005 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |

The following table lists the Aruba Gateway platforms and ArubaOS software versions that function as VPNCs:

Table 9: Supported Aruba VPNCs

| Platform | Minimum Supported Software Version | Latest Software Version | Recommended Software Version |
|---|---|---|---|
| Aruba 9004 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.7.0.0-2.3.0.0 |
| Aruba 9012 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.7.0.0-2.3.0.0 |
| Aruba 7280 | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7240XM | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7220 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7210 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| vGW-4G | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| vGW-2G | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| vGW-500M | ArubaOS 8.4.0.0-1.0.6.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7030 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7024 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |
| Aruba 7010 | ArubaOS 8.1.0.0-1.0.4.0 | ArubaOS 8.7.0.0-2.3.0.0 | ArubaOS 8.4.0.0-2.0.0.4 |

Aruba Virtual Gateways also function as VPNCs. The minimum supported software version for Virtual Gateways is ArubaOS 8.1.0.0-1.0.4.1.

Aruba 9012 Gateway supports traffic inspection while deployed as a VPNC.

Data sheets and technical specifications for the supported Gateways are available at: https://www.arubanetworks.com/products/networking/gateways-and-controllers/

Supported 4G Modems for Aruba SD-Branch

The following table lists the 4G modems that are supported on the Aruba Branch Gateways:

Table 10: Supported 4G Modems for Aruba SD-Branch

| USB 4G Modem Model | Carrier Support |
|---|---|
| Inseego Skyus SC4V | Verizon |
| Inseego Skyus SC4A | AT&T |
| Digisol DG-BA4305 | ROW |
| ZTE MF861 | AT&T |
| Franklin Wireless U772 | Sprint |
| Huawei E3372h-320 | ROW |
| Huawei E3372s-153/ E3372h-153 | ROW |
| Huawei E3372h-607 | ROW |
| Huawei E8372h-153 | ROW |
| Huawei E8372h-608 | ROW |
| Huawei E8372h-511 | T-Mobile |
| Huawei E8372h-517 | T-Mobile |
| Huawei E3276-500 | ROW |
| Huawei K5160 | ROW |
| ZTE MF79S | ROW |
| ZTE MF825C | ROW |
| ZTE MF831 | ROW |
| ZTE MF832S | ROW |
| ZTE MF832U | ROW |
| ZTE MF823 | ROW |
| Huawei E3276-150 | ROW |
| Novatel (Inseego) U620L | Verizon |

ROW (Rest of the World) indicates that the modem can be used outside of the United States region. However, the list of supported carriers and supported countries for the modem may vary.
To select a modem for a specific country and carrier, refer to the modem documentation.

Chapter 3
Getting Started with Aruba Central

Thank you for choosing Aruba Central as your network management solution! Before you get started with Aruba Central, we recommend that you review the Key capabilities of Aruba Central and the list of Aruba devices supported in Aruba Central.

Key Terms and Concepts

Take a few minutes to familiarize yourself with the key terms and concepts used in the help topics.

- Cluster Zone--Refers to an Aruba Central deployment area within a specific region. In other words, cluster zones are regional groupings of one or more container instances on which Aruba Central is deployed. Cluster zones allow your deployments to restrict customer data to a specific region and plan time zone specific maintenance windows. Each cluster zone has separate URLs for signing up for Aruba Central, accessing Aruba Central portal, and for allowing devices to communicate with Aruba Central. To view the zone in Aruba Central UI, click the User Settings menu at the bottom of the left navigation pane.
- Enterprise Mode--Refers to the Aruba Central solution deployment mode in which the customers provision, manage, and maintain their networks end-to-end for their respective organizations or businesses.
- Managed Services Mode--Refers to the Aruba Central deployment mode in which service providers, resellers, administrators, and retailers centrally manage and monitor multiple tenant or end-customer accounts from a single management interface.
- Subscription--Refers to the license granted to a customer for using a product or service.
- Evaluation Account--Refers to the Aruba Central account created for evaluating Aruba Central solution and its services.
- Paid Subscriber--Refers to the customers who have purchased a subscription to obtain access to Aruba Central and its services.
- Subscription Key--Refers to the license key. A subscription key is a 14-character alphanumeric string; for example, PQREWD6ADWERAS.
- Customer ID / Subscriber ID--Refers to the identity number of your Aruba Central account. To view your subscriber ID, click the User Settings menu at the bottom of the left navigation pane in the Aruba Central UI.
- Zero Touch Provisioning--Refers to one of the following:
  - Zero Touch Provisioning of Aruba Central accounts--When you purchase a subscription key and add this subscription key in Aruba Central, Aruba Central queries the Aruba Activate database to retrieve the devices mapped to your purchase order and adds these devices to the inventory. This process is referred to as zero touch provisioning in Aruba Central.
  - Zero Touch Provisioning of Devices--Most Aruba devices support self-provisioning; that is, when you connect a device to a provisioning network, it can automatically download provisioning parameters from the Activate server and connect to its management entity.
- Onboarding--Refers to the process of importing devices to Aruba Central's device inventory, activating subscriptions, and making devices available for management from Aruba Central.
- Device Sync--Refers to the process of synchronizing devices from the Activate database. The device sync operation allows Aruba Central to retrieve devices from Activate and automatically add these devices to the device inventory in Aruba Central.
- Provisioning--Refers to the process of setting up a device for deploying networks as per the configuration requirements of your organization.
- Group--Refers to the device configuration container in Aruba Central. You can combine devices with common configuration requirements into a single group and apply the same configuration to all the devices in that group.
- Site--Refers to the physical locations where devices are installed. Organizing devices per sites allows you to filter your dashboard view per site.
- Label--Refers to the tags used for logically grouping devices based on various parameters such as ownership, specific areas within a site, departments, and so on.

Workflow Summary

The following illustration summarizes the steps required for getting started with Aruba Central:

Navigate through the following topics to know more about the onboarding and provisioning procedures:

- Creating an Aruba Central Account
- Accessing Aruba Central Portal
- Starting Your Free Trial
- Setting up Your Aruba Central Instance

Creating an Aruba Central Account

To start using Aruba Central, you need to register and create an Aruba Central account. Both evaluating and paid subscribers require an account to start using Aruba Central.

Zones and Sign-Up URLs

Aruba Central instances are available on multiple regional clusters. These regional clusters are referred to as zones. When you register for an Aruba Central account, Aruba creates an account for you in the zone that is mapped to the country you selected during registration.

To create an Aruba Central account in the zone that is mapped to your country, use the following zone-specific sign-up URLs.
Table 11: Sign-Up URLs & Apps

| Regional Cluster | Sign-Up URL | Available Apps |
|---|---|---|
| US-1 | https://portal.central.arubanetworks.com/signup | Network Operations |
| US-2 | https://portal-prod2.central.arubanetworks.com/signup OR https://signup.central.arubanetworks.com/ | Network Operations, ClearPass Device Insight |
| Canada-1 | https://portal-ca.central.arubanetworks.com/signup | Network Operations |
| China-1 | https://portal.central.arubanetworks.com.cn/signup | Network Operations |
| EU-1 | https://portal-eu.central.arubanetworks.com/signup | Network Operations, ClearPass Device Insight |
| APAC-1 | https://portal-apac.central.arubanetworks.com/signup | Network Operations |
| APAC-EAST1 | https://portal-apaceast.central.arubanetworks.com/signup | Network Operations |
| APAC-SOUTH1 | https://portal-apacsouth.central.arubanetworks.com/signup | Network Operations |

Signing up for an Aruba Central Account

You can choose one of the following ways to start your Aruba Central account trial:

1. Open the following page in a supported browser window: http://www.arubanetworks.com/products/sme/eval/.
   a. Click Start the Central Demo. The Aruba Central Demo page is displayed.
   b. Fill in the form to start a product demo, and click Start Demo.
   c. The Aruba Central Account Home page is displayed.
2. Use the sign-up URL for your region from Sign-Up URLs & Apps and complete the following steps:
   a. Enter your email address. Based on the email address you entered, the Registration page guides you to the subsequent steps:

   Table 12: Registration Workflow

   If you are a new user:
   Then the Registration page prompts you to create a password. To continue with the registration, enter a password in the Password and Confirm Password fields.

   If you are an existing Aruba customer, but you do not have an Aruba Central account:
   If your email account is already registered with Aruba, but you do not have an Aruba Central account:
   Then the Registration page displays the following message: Email already exists. Please enter the password below.
   To continue with registration, validate your account:
   1. Enter the password.
   2. Click Validate Account.
   NOTE: If you do not remember the password, click Forgot Password to reset the password.

   If you are invited to join as a user in an existing Aruba Central customer account:
   Then the Registration page displays the following message: An invitation email has already been sent to your email ID. Resend.
   To continue with the registration:
   1. Go to your email box and check if you have received the email invitation.
   2. If you have not received the email invitation, go to the Registration page and click Resend. A registration invitation will be sent to your account.
   3. Click the registration link. The user account is validated.
   4. Complete the registration on the Sign Up page to sign in to Aruba Central.

   If you are a registered user of Aruba Central and have not verified your email yet:
   Then the Registration page displays the following message: You are an existing Aruba Central user. Please verify your account. Resend Verification email.
   To continue:
   1. Go to your email box and check if you have received the email invitation.
   2. If you have not received the email invitation, go to the Registration page and click Resend Verification email. A registration invitation will be sent to your account.
   3. Click the account activation link.
   4. After the email verification is completed successfully, click Log in to access Aruba Central.

   If you are already a registered user of Aruba Central and have verified your email:
   Then the Registration page displays the following message: User has been registered and verified. Sign in to Central.
   Click Sign in to Central to skip the registration process and access the Aruba Central portal.

   If your email address is in the arubanetworks.com or hpe.com domain:
   Then the Single Sign-On option is enabled. You can use your respective Aruba or HP Enterprise credentials to log in to your Aruba Central account after the registration.

   b. To continue with registration, enter your first name, last name, company name, address, country, state, ZIP code, and phone details.
   c. Specify if you are an Aruba partner.
   d. Ensure that you select an appropriate zone. The Registration page displays a list of zones in which the Aruba Central servers are available for account creation. Based on the country you select, the Aruba Central server is automatically selected. If you want your account and Aruba Central data to reside on a server from another zone, you can select an Aruba Central server from the list of available servers.
   e. From the Interested Apps section, select the app(s) that you want to pre-provision. You must select at least one app to continue:
      - Network Operations
      - ClearPass Device Insight
      See Table 11 for the app(s) available in the zone in which you are signing up. If you are interested in evaluating the Aruba Central MSP solution, select only the Network Operations app.
   f. Select the I agree to the Terms and Conditions check box.
   g. Set a preferred mode of communication for receiving notifications about Aruba products and services.
   h. Optionally, to read about the privacy statement, click the HPE Privacy Statement link. To opt out of marketing communication, you can either click the unsubscribe link available at the bottom of the email or click the link as shown in the following figure:
   i. Click Sign Up. Your new account is created in the zone you selected and an email invitation is sent to your email address for account activation.
   j. Access your email account and click the Activate Your Account link. After you verify your email, you can log in to Aruba Central.

Accessing Aruba Central Portal

After you create an Aruba Central account, the link to Aruba Central portal will be sent to your registered email address.
You can use this link to log in to Aruba Central. If you are accessing the login URL from the www.arubanetworks.com website, ensure that you select the zone in which your account was created.

Login URLs

When you try to access Aruba Central portal, you are redirected to the Aruba Central URL that is mapped to your cluster zone.

Table 13: Cluster Zone--Portal URLs

| Regional Cluster | Login URL |
|---|---|
| US-1 | https://portal.central.arubanetworks.com/platform/login/user |
| US-2 | https://portal-prod2.central.arubanetworks.com/platform/login/user |
| Canada-1 | https://portal-ca.central.arubanetworks.com/platform/login/user |
| China-1 | https://portal.central.arubanetworks.com.cnath/platform/login/user |
| EU-1 | https://portal-eu.central.arubanetworks.com/platform/login/user |
| APAC-1 | https://portal-apac.central.arubanetworks.com/platform/login/user |
| APAC-EAST1 | https://portal-apaceast.central.arubanetworks.com/platform/login/user |
| APAC-SOUTH1 | https://portal-apacsouth.central.arubanetworks.com/platform/login/user |

Logging in to Aruba Central

To log in to Aruba Central:

1. Access the Aruba Central login URL for your zone.
2. Notice that the zone is automatically selected based on your geographical location.
3. Enter the email address and click Continue.
4. Log in using your credentials. If your user credentials are stored in your organization's Identity Management server and SAML SSO authentication is enabled for your IdP on Aruba Central, complete the SSO authentication workflow.
5. Enter the password. If you have forgotten your password, click Forgot Password and reset your password. The Forgot Password link resets only your Aruba Central account; hence, it is not available to SSO users.
6. Click Continue. The Initial Setup wizard opens.
   - If you have a paid subscription, click Get Started and set up your account.
   - If you are a trial user, click Evaluate Now and start your trial.
Changing Your Password

To change your Aruba Central account password:

1. In the Aruba Central UI, click the user icon in the header pane.
2. Click Change Password.
3. Enter a new password.
4. Log in to Aruba Central using the new password.

The Change Password menu option is not available for federated users who sign in to Aruba Central using their SSO credentials.

Logging Out of Aruba Central

To log out of Aruba Central:

1. In the Aruba Central UI, click the user icon in the header pane.
2. Click Logout.

Accessing Aruba Central Mobile Application

Aruba Central mobile application lets you manage, monitor, and optimize your Central account. You can log in to your Aruba Central account using your credentials from the mobile application. To download the Aruba Central application, visit the App Store on iOS devices running iOS 9.0 or later and Google Play Store on Android devices running Android 5.0 Lollipop or later.

About the Network Operations App User Interface

The Network Operations app is one of the apps in Aruba Central that helps to manage, monitor, and analyze your network. Aruba offers the following variants of the Network Operations app user interface:

- Standard Enterprise mode--This mode is intended for customers who manage their respective accounts end-to-end. In the Standard Enterprise mode, the customers have complete access to their accounts. They can also provision and manage their respective accounts.
- Managed Service Provider (MSP) mode--This mode is for managed service providers who need to manage multiple customer networks. With MSP mode enabled, the MSP administrators can provision customer accounts, allocate devices, assign licenses, and monitor customer accounts and their networks. The administrators can also drill down to a specific tenant account and perform administration and configuration tasks. The tenants can access only their respective accounts, and only those features and application services to which they have subscribed.

The following image displays the navigational elements of the Network Operations app in the Standard Enterprise mode. However, the navigational elements also apply to the MSP mode.

Figure 3 Navigation Elements of the Network Operations App

| Callout Number | Description |
|---|---|
| 1 | Filter to select an option under Groups, Labels, Sites. For all devices, select Global. A corresponding dashboard is displayed. |
| 2 | Item under the left navigation contextual menu. The menu is dependent on the filter selection. |
| 3 | First-level tab on the dashboard. |
| 4 | Second-level tab on the dashboard. |
| 5 | Dashboard content for the selected view and filter. For example, the current dashboard in the image displays the UCC tab under Manage > Applications in the List view for the Global filter. |
| 6 | Time range filter. This is displayed for selected dashboards only. |
| 7 | List view to display tabular data for the selected filter. This is displayed for selected dashboards only. |
| 8 | Summary view to display charts for the selected filter. This is displayed for selected dashboards only. |
| 9 | Config view to enable configuration options for the selected filter. This is displayed for selected dashboards only. |

Types of Dashboards in the Network Operations App

The Network Operations app uses a filter to set the dashboard context for the app. The menu for the left navigation pane changes according to the selected filter value. Selecting any item on the left navigation pane displays a corresponding dashboard. Accordingly, for different values of the filter, the content displayed for the left navigation menu and the dashboard context differs.

The dashboard for any item on the left navigation menu can have a combination of the following views:

- Summary view--Click the Summary icon to display the summary dashboard. The summary dashboard displays a number of charts. For example, for the global dashboard, under Manage, the Overview > Network Health tab in Summary view displays a map of the available sites and their corresponding health. If available, use the time range filter to change the time-lines for the charts.
- List view--Click the List icon to display tabular data for a selected dashboard. For example, for the global dashboard under Manage, the Overview > Network Health tab in List view displays a list of the available sites managed by Aruba Central. If available, use the time range filter to change the time-lines for the tabular data.
- Config view--Click the Config icon to enable the configuration options for a specific dashboard. For example, for the global dashboard under Manage, the Applications > UCC tab in Config view displays various configuration options for UCC.

Navigating to the Switch, Access Point, or Gateway Dashboard

In the Network Operations app, you can navigate to a device dashboard for a switch, access point, or gateway. The device dashboard enables you to monitor, troubleshoot, or configure a single device. In order to do this, complete the following steps:

1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage > Devices, select one of the following options:
   - To view an access point dashboard, click the Access Points tab.
   - To view a switch dashboard, click the Switches tab.
   - To view a gateway dashboard, click the Gateways tab.
   The list of devices is displayed in List view.
3. Click a device listed under Device Name. The dashboard context for the specific device is displayed.

To exit the device dashboard, click the back arrow on the filter.
Workflow to Configure, Monitor, or Troubleshoot in the Network Operations App

The following image displays a flowchart to help you navigate the Network Operations app to complete any task.

Figure 4 Navigation Workflow for Network Operations App

The Standard Enterprise Mode

This section discusses the user interface for the Standard Enterprise mode for the Network Operations app. This mode is intended for customers who manage their respective accounts end-to-end. In the Standard Enterprise mode, the customers have complete access to their accounts. They can also provision and manage their respective accounts.

The following topics are discussed in this section:

- Launching the Network Operations App
- Parts of the Network Operations App User Interface
- Search Bar
- Help Icon
- Account Home Icon
- User Icon
- Filter
- Time Range Filter
- Left Navigation Pane

Launching the Network Operations App

If the Network Operations app is the only app provisioned, the Network Operations app is displayed at each user login. If there are a number of apps provisioned such as Network Operations, ClearPass Device Insight and so on, the Account Home page is displayed at each user login. From the Account Home page, you can manage network inventory, subscriptions, and user access.

In the event of multiple apps provisioned, perform the following steps to launch the Network Operations app:

1. Log in to the Account Home page. The Account Home page displays the apps and Global Settings. For more information, see Accessing Aruba Central Portal.
2. Click Launch on the Network Operations tile. The Network Operations app is launched.

Figure 5 Launching the Network Operations App

Parts of the Network Operations App User Interface

After you launch the Network Operations app, the Standard Enterprise view is displayed.
Figure 6 Parts of the Network Operations App

| Callout Number | Description |
|---|---|
| 1 | Filter to select an option under Groups, Labels, or Sites. For all devices, select Global. To select a specific device, see Navigating to the Switch, Access Point, or Gateway Dashboard. The example in the image shows the filter set to a group called "IAP_setup_GW". For more information, see Filter. |
| 2 | Health Bar for the selected filter. For more information, see The Health Bar. |
| 3 | First-level tab for the selected dashboard, corresponding to the selected item in the left navigation pane. The example in the image shows the first-level tab selection as Gateways under Manage > Devices for the group dashboard. |
| 4 | Search bar. For more information, see Search Bar. |
| 5 | Help icon. For more information, see Help Icon. |
| 6 | Account Home icon. For more information, see Account Home Icon. |
| 7 | User settings icon. For more information, see User Icon. |
| 8 | Menu item under left navigation contextual menu. Menu is dependent on the filter selection. For more information, see Types of Dashboards in the Network Operations App. |
| 9 | Second-level tab for the dashboard, corresponding to the selected first-level tab. The example in the image shows the second-level tab selection as Gateways under Manage > Devices > Gateways for the group dashboard. |
| 10 | Icon is for filtering the data of the selected column. |
| 11 | List icon. Click the List icon to view a tabular representation of the data. This icon is not available for all pages. |
| 12 | Summary icon. Click the Summary icon to view a graphical representation of the data. This icon is not available for all pages. |
| 13 | Config icon. Click the Config icon to enable configuration mode. This icon is not available for all pages. |
| 14 | Icon is for downloading the data of the selected page in CSV format. |
| 15 | Icon is for selecting or resetting the column headers for the selected page. |
Search Bar

The search bar

Help Icon

enables users to look for help information. The help icon contains the following options:

- Tutorials--Displays the Aruba Central product learning center.
- Feedback--Allows you to provide feedback on Aruba Central. You can choose a rating from 1 to 10, where 1 is extremely unlikely and 10 is extremely likely, type your comment into the box, and click Submit to submit the feedback.
- Documentation Center--Directs you to the online help documentation.
- Get help on this page--Selecting this option changes the appearance of some of the text on the UI to green italics. On the UI, when you point to the text in green italics, a dialog box displays the help information for that text. To disable this option, click Done.
- Airheads Community--Directs you to the Aruba support forum at https://community.arubanetworks.com/t5/Cloud-Managed-Networks/bd-p/CloudManagedNetworks.
- View / Update Case--Enables you to view or edit an existing support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.
- Open New Case--Enables you to create a new support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.

Account Home Icon

The Account Home icon enables you to go to the Account Home page and switch to another app if you have one subscribed. Most of the apps require service subscriptions to be enabled on the devices. Contact your administrator or the Aruba Central Support team to obtain access to an application service.

User Icon

The user icon enables you to view user account details such as account name, domain, customer ID, and zone details. It also includes the following options for managing your accounts:

- Switch Customer--Enables you to switch to another account. This is especially required during troubleshooting scenarios.
- Change Password--Enables you to change the password of the account.
- User Settings
  - Time Zone--Displays the zone, date, time, and time zone of the region.
  - Language--Administrators can set a language preference. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese.
  - Idle Timeout--Administrators can set a timeout value for inactive user sessions in the Idle Timeout field. The value is in minutes.
  - Get system maintenance notifications--Administrators can select the check box to receive system maintenance notifications on their registered email ID. Email notifications are sent before any scheduled maintenance activity or unplanned outage.
  - Get software update notifications--Administrators can select the check box to receive software update notifications on their registered email ID.
- Enable MSP--Enables MSP mode and switches the user interface to the MSP mode. This option changes to Disable MSP when the MSP mode is enabled. You can select Disable MSP to switch to the Standard Enterprise interface. The MSP mode can be disabled only if there is no tenant data. The option is grayed out if there are any active tenant accounts.
- Terms of Service--Displays the terms and conditions for using Aruba Central services.
- Logout--Enables you to log out of your account.

Filter

The filter enables you to set the dashboard context to a value under one of the following options:
- Groups--Sets the dashboard context to a group of devices.
- Sites--Sets the dashboard context to a site.
- Labels--Sets the dashboard context to a label.

If no filter is applied, by default the filter is set to Global for all devices. Use the search box in the filter to enter an available group, site, or label name and then select the option to set the filter. Hovering over Groups, Labels, or Sites displays the associated config icon.
Clicking on the config icon redirects you to Maintain > Organization in the global dashboard.

Time Range Filter

The time range filter enables you to set a time duration for showing monitoring and reports data. The option is displayed for selected dashboards only. You can set the filter to any of the following time ranges:
- 3 hours
- 1 day
- 1 week
- 1 month
- 3 months

Left Navigation Pane

The left navigation pane is a contextual menu that displays a number of configuration, monitoring, and troubleshooting options depending on filter value.

This topic discusses the Network Operations app in MSP mode. To know more about the Account Home page, see the online Aruba Central documentation. The MSP mode is intended for the managed service providers who manage multiple distinct tenant accounts. The MSP mode allows service providers to provision and manage tenant accounts, assign devices to tenant accounts, manage subscription keys and other functions such as configuring network profiles and viewing alerts.

Launching the Network Operations App for MSP

Aruba Central in MSP mode consists of the Network Operations app and the Account Home page. After you create an Aruba Central account, the link to Aruba Central portal will be sent to your registered email address. You can use this link to log in to Aruba Central. If you are accessing the login URL from the www.arubanetworks.com website, ensure that you select the zone in which your account was created. The Network Operations app is displayed at each user login to Aruba Central. From the Network Operations app, you can navigate to the Account Home page by clicking the Account Home icon. From the Account Home page, you can navigate to the Network Operations app by clicking the Launch button for the Network Operations tile.

Figure 7 Launching the Network Operations App for MSP from Account Home

Parts of the Network Operations App for MSP

After you launch the Network Operations app, the MSP view opens.

Figure 8 Parts of the Aruba Central User Interface for MSP

Callout Number  Description
1  Filter to select a group or all groups. For more information, see Filter. Here, the global dashboard is displayed as the filter is set to All Groups.
2  First-level tab on dashboard. The dashboard may also have second and third-level tabs dependent on the filter selection.
3  Menu item under left navigation contextual menu. Menu is dependent on the filter selection.
4  Help icon. For more information, see Help Icon.
5  Account Home icon.
6  User Settings icon. For more information, see User Icon.
7  List view. Click the List icon to view a tabular representation of the data. Only applicable for the global dashboard.
8  Summary view. Click the Summary icon to view a graphical representation of the data. Only applicable for the global dashboard.
9  Config view. Click the Config icon to enable configuration mode.

Help Icon

The help icon contains the following options:
- Get help on this page--Selecting this option changes the appearance of some of the text on the UI to green italics. On the UI, when you point to the text in green italics, a dialog box displays the help information for that text. To disable this option, click Done.
- Tutorials--Displays the Aruba Central product learning center.
- Feedback--Allows you to provide feedback on Aruba Central. You can choose a rating from 1 to 10, where 1 is extremely unlikely and 10 is extremely likely, type your comment into the box, and click Submit to submit the feedback.
- Documentation Center--Directs you to the online help documentation.
- Airheads Community--Directs you to the Aruba support forum.
- View / Update Case--Enables you to view or edit an existing support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.
- Open New Case--Enables you to create a new support ticket in the Aruba Support Portal at https://asp.arubanetworks.com. You must log in to this portal.

Account Home Icon

The Account Home icon enables you to go to the Account Home page.

User Icon

The user icon enables you to view user account details such as account name, domain, customer ID, and zone details. It also includes the following options for managing your accounts:
- Switch Customer--Enables you to switch to another account. This is especially required during troubleshooting scenarios.
- Change Password--Enables you to change the password of the account.
- User Settings
  - Time Zone--Displays the zone, date, time, and time zone of the region.
  - Language--Administrators can set a language preference. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese.
  - Idle Timeout--Administrators can set a timeout value for inactive user sessions in the Idle Timeout field. The value is in minutes.
  - Get system maintenance notification--Administrators can select the check box to get system maintenance notifications.
  - Get software update notifications--Administrators can select the check box to get software update notifications.
- Disable MSP--Disables MSP mode and switches the user interface to the standard enterprise mode. This option changes to Enable MSP when the MSP mode is disabled. You can select Enable MSP to switch to the MSP mode. The MSP mode can be disabled only if there is no tenant data. The option is grayed out if there are any active tenant accounts.
- Terms of Service--Displays the terms and conditions for using Aruba Central services.
- Logout--Enables you to log out of your account.

Filter

The filter enables you to select a group or All Groups for performing specific configuration and monitoring tasks. If no filter is applied, by default the filter is set to All Groups. When you set the filter to All Groups, the global dashboard is displayed and when you set the filter to a group, the group dashboard is displayed. You can type a group name to start your search for a filter value.

Figure 9 MSP Filter set to Global on Selecting All Groups

Time Range Filter

The time range filter enables you to set a time duration for showing monitoring and reports data. This time filter is not displayed when you view the configuration or device details. It is displayed only when you view monitoring data. You can set the filter to any of the following time ranges:
- 3 hours
- 1 day
- 1 week
- 1 month
- 3 months

The Global Dashboard in MSP Mode

In the Network Operations app in MSP mode, use the filter to select All Groups. The global dashboard is displayed. In the global dashboard under the left navigation pane, you can see a number of menu items divided under the following categories: Manage, Analyze, and Maintain.

Figure 10 Launching the Global Dashboard for MSP

Selecting each menu item in the left navigation pane displays a corresponding dashboard with tabs. Each tab may support all or some of the following functions:
- Summary--Click the icon to view a graphical representation of the data. Only applicable for the global dashboard.
- List--Click the icon to view a tabular representation of the data. Only applicable for the global dashboard.
- Config--Click the icon to enable configuration mode.

The Group Dashboard in MSP Mode

In the Network Operations app in MSP mode, use the filter to select a group. The group dashboard is displayed.

Figure 11 Launching the Group Dashboard for MSP

Some tabs or options may not be seen in your dashboard view if you are not an administrator for the Aruba Central account.

In the group dashboard under the left navigation pane, you can see the Device and Guest options under Manage. Selecting an option in the left navigation pane displays a corresponding dashboard with tabs. Each tab supports the Config view that enables the configuration mode. The next sections discuss the left navigation menu items in the group dashboard.

The Health Bar

The Health Bar provides a snapshot of the overall health of the devices configured as part of the specific dashboard. The applicable dashboards include global, group, site, client, and device dashboards. The topic discusses the following:
- Health Bar for the Global Dashboard
- Health Bar for the Group Dashboard
- Health Bar for the Site Dashboard
- Health Bar for the AP Dashboard
- Health Bar for the Switch Dashboard
- Health Bar Dashboard for the Gateway Dashboard
- Health Bar for the Wireless Client Dashboard
- Health Bar for the Wired Client Dashboard
- Health Bar for the Remote Client Dashboard

Viewing the Health Bar Dashboard

To view the Health Bar, perform the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed in the List view.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.
   - To select a client:
     a. Set the filter to Global.
     b. Under Manage, click Clients.
        A list of clients is displayed in the List view.
     c. Click a client listed under Client Name. The dashboard context for the client is displayed.
   The Health Bar icon displays the overall health of the network of the selected filter as either online or offline.
2. In the selected filter, click the Health Bar icon to expand the Health Bar dashboard.
3. Use the pin icon to pin the Health Bar dashboard to the Network Operations app display.

Health Bar for the Global Dashboard

The following image shows the Health Bar for the global dashboard.

Figure 12 Expanded but Unpinned Health Bar in the Global Dashboard

Health Bar Icons

Icon Type  Description
- This icon is specific to Site, Device, and Client dashboard. It indicates that there are no issues in the connection.
- This icon is specific to Site, Device, and Client dashboard. It indicates that there is an issue in the connection.
- This icon is specific to the Global and Group dashboards, and the health is not calculated at these levels.

Device and Clients Status Icons

Icon Type  Description
- For devices, indicates the number of devices that are online. For clients, indicates the number of clients that are connected.
- For devices, indicates the number of devices that are offline. For clients, indicates the number of failed clients. For AI Insights, indicates the number of insights that are of high priority.
- For AI Insights, indicates the number of insights that are of medium priority.
- For AI Insights, indicates the number of insights that are of low priority.

The following table includes information on the various parameters of the Health Bar displayed for a global dashboard. The Health Bar in a global dashboard is in the context of all devices.

Parameter  Description

Access Points:
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches:
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Gateways:
- Displays the number of gateways that are online and the number of gateways that are offline.
- The number in green indicates the number of gateways that are online.
- Clicking the number in green redirects you to Manage > Devices > Gateways > Online in List view.
- The number in red indicates the number of gateways that are offline.
- Clicking the number in red redirects you to Manage > Devices > Gateways > Offline in List view.

Clients:
- Displays the number of clients that are connected and the number of clients that are failed.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that are failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

Health Bar for the Group Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a group dashboard. The Health Bar in a group dashboard is in the context of all devices configured as part of that group.

Parameter  Description

Access Points:
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches:
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Gateways:
- Displays the number of gateways that are online and the number of gateways that are offline.
- The number in green indicates the number of gateways that are online.
- Clicking the number in green redirects you to Manage > Devices > Gateways > Online in List view.
- The number in red indicates the number of gateways that are offline.
- Clicking the number in red redirects you to Manage > Devices > Gateways > Offline in List view.

Clients:
- Displays the number of clients that are connected and the number of clients that are failed.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that are failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

Health Bar for the Site Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a site dashboard. The Health Bar in a site dashboard is in the context of all devices configured as part of that site. The values are refreshed every minute.
The Health Bar icon indicating the site status changes to red when the value for one of the following parameters in the List view is greater than zero for the Down status:
- Number of devices
  - Status
  - High Mem Usage
  - High CPU Usage
  - High CH Utilization
  - High Noise
- Uplink Status
- Tunnels Status

Parameter  Description

Access Points:
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches:
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Gateways:
- Displays the number of gateways that are online and the number of gateways that are offline.
- The number in green indicates the number of gateways that are online.
- Clicking the number in green redirects you to Manage > Devices > Gateways > Online in List view.
- The number in red indicates the number of gateways that are offline.
- Clicking the number in red redirects you to Manage > Devices > Gateways > Offline in List view.

Clients:
- Displays the number of clients that are connected and the number of clients that are failed for the last three hours.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that are failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

AI Insights:
- Displays the number of insights categorized by status.
- The number in red indicates the insights are of high priority.
- The number in orange indicates the insights are of medium priority.
- The number in yellow indicates the insights are of low priority.
- Clicking the numbers redirects you to Manage > Overview > AI Insights at the site context.

Health Bar for the AP Dashboard

The following table includes information on the various parameters of the Health Bar displayed for an AP. If the AP is not online and running, not all of the following data is available.

Parameter  Description

AP Status:
- Value can be Online Since, Offline, or Operating under Thermal Management.
- If the value is Online Since, it also displays the time period, in the format of days-hours-minutes, for which the AP has been online and running.
- When an AP operates under thermal management, the device health is displayed as Poor and the radios are in disabled mode. For more information, see Thermal Shutdown Support in IAP.

Device Health:
- Displays the performance of the AP in terms of the CPU and memory usage.
- For example, the device health is Good when the CPU usage is less than or equal to 70% and the memory usage is less than or equal to 90%. If the value of the CPU and/or memory usage falls below the threshold, the device health is displayed as Poor. If the AP is down, the value is Offline. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Device Health status to get the exact percentage value of the memory and CPU usage.

Radio 2.4 GHz:
- Displays the performance of the AP in terms of the channel utilization and noise floor in the 2.4 GHz channel.
- For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm.
  If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 2.4 GHz status to get the exact value of the channel utilization and noise floor.

Radio 5 GHz:
- Displays the performance of the AP in terms of the channel utilization and noise floor in the 5 GHz channel.
- For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 5 GHz status to get the exact value of the channel utilization and noise floor.

Radio 5 GHz (Secondary):
- Displays the performance of the AP in terms of the channel utilization and noise floor in the 5 GHz (Secondary) channel.
- For example, the device health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the value of the channel utilization and noise floor falls below the threshold, the device health is displayed as Poor. If the AP is online, but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 5 GHz (Secondary) status to get the exact value of the channel utilization and noise floor.
  NOTE: In the Health Bar dashboard, the Radio 5 GHz (Secondary) data is available only for AP555 and only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.

Virtual Controller:
Indicates if the AP is connected to a virtual controller. If the AP is connected, clicking on the virtual controller name redirects you to the Manage > Overview > Summary page for the virtual controller.

Health Bar for the Switch Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a switch. If the switch is not online and running, not all of the following data is available.

Parameter  Description

Switch Status:
Displays the time period for which the switch has been online and running or its offline status.

Device Health:
- Displays the performance of the switch in terms of the CPU and memory usage.
- For example, the device health is Good when the CPU usage is less than or equal to 70% and the memory usage is less than or equal to 70%. If the value of the CPU and/or memory usage falls below the threshold, the device health is displayed as Poor.
- Hover over the Device Health status to get the exact percentage value of the memory and CPU usage.

Port Status:
- Displays the number of ports on the switch that are online and the number of ports that are offline.
- The number in green indicates the number of switch ports that are online.
- The number in red indicates the number of switch ports that are offline.

Port Alerts:
- Displays the total number of open alerts.

Health Bar Dashboard for the Gateway Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a gateway. If the gateway is not online and running, not all of the following data is available.

Parameter  Description

Gateway Status:
Displays the time period, in the format of days-hours-minutes, for which the gateway has been running or its offline status.

WAN:
- Displays the number of WAN ports as online or offline.
- The number in green indicates the number of WAN ports that are online.
- The number in red indicates the number of WAN ports that are offline.
- Clicking the numbers redirects you to Manage > WAN > Summary.

LAN:
- Displays the number of LAN ports as online or offline.
- The number in green indicates the number of LAN ports that are online.
- The number in red indicates the number of LAN ports that are offline.
- Clicking the numbers redirects you to Manage > LAN > Summary.

Tunnels:
- Displays the number of VPN tunnels as online or offline.
- The number in green indicates the number of VPN tunnels that are online.
- The number in red indicates the number of VPN tunnels that are offline.
- Clicking the numbers redirects you to Manage > WAN > Tunnels.

Path Steering:
- Displays the number of path steering policies that are compliant of the total number of policies.
- Clicking the numbers redirects you to Manage > WAN > Path Steering.

Alerts:
- Displays the total number of open alerts.
- Clicking the number redirects you to Analyze > Alerts & Events in List view.

Health Bar for the Wireless Client Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a wireless client.

Parameter  Description

Client Status:
Displays the connection status of the client.

Device Health:
Displays the device health of the client.

Signal Quality:
Displays the signal quality in dB.

Tx | Rx Rate:
Displays the transmit and receive rate in Mbps.

Connected To:
- Displays the device to which the wired client is connected.
- Clicking on the device redirects you to the Manage > Overview > Summary page for that device.

Refresh icon:
Refreshes the data on the Health Bar for the client.

Health Bar for the Wired Client Dashboard

The following table includes information on the various parameters of the Health Bar displayed for a wired client.

Parameter  Description

Client Status:
Displays the connection status of the client.
Connected Port Displays the port to which the client is connected. Connected To n Displays the device to which the wired client is connected. n Clicking on the device redirects you to the Manage > Overview > Summary page for that device. Refresh icon Refreshes the data on the Health Bar for the client. Health Bar for the Remote Client Dashboard The following table includes information on the various parameters of the Health Bar displayed for a remote client. Parameter Description Client Status Displays the connection status of the client. Connected To n Displays the name of the gateway to which the remote client is connected. n Clicking on the device redirects you to the Manage > Overview > Summary page for that device. Refresh icon Refreshes the data on the Health Bar for the client. Aruba Central | User Guide 55 The Global Dashboard In the Network Operations app, the global dashboard is displayed when the filter is set to Global. The global dashboard displays information related to all devices registered to that account in Aruba Central. Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central account. Table 14: Contents of the Global Dashboard Left Navigation Menu Manage > Overview First-Level Tabs Network Health WAN Health Summary Wi-Fi Connectivity AI Insights Manage > Devices Access Points Switches Gateways Manage > Clients Clients Description Displays information of the networks sorted by site, including information on network devices and WAN connectivity of individual sites. For more information, see Network Health Dashboard. Displays detailed information of the network health status and usage for the sites in which Branch Gateways and VPN Concentrators are configured in your setup. For more information, see WAN Health--Global. Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. 
By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range Filter. For more information, see Global--Summary Displays an overall view of the connection details for all clients that are connected to or tried to connect to each connection phase. The connection phases include Association, Authentication, DHCP, and DNS. For more information, see Wi-Fi Connectivity. Displays a report of network events that may affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level observed in the network for the selected time range. Each insight report provides specific details on the occurrences of these events for ease in debugging. For more information, see The AI Insights Dashboard. Displays the access points information in the following views: n Summary view: Monitoring APs in Summary View n List view: Monitoring APs in List View Displays the switches information in the following views: n Summary view: Monitoring Switches in Summary View n List view: Monitoring Switches in List View Displays the gateways information in the following views: n Summary view: Monitoring Gateways in Summary View n List view: Monitoring Gateways in List View Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients. Getting Started with Aruba Central | 56 Left Navigation Menu Manage > Guests Manage > Applications Manage > Security Manage > Network Services First-Level Tabs Description Guest Access Enables guest users to connect to the network and at the same time, allows the administrator to control guest user access to the network. For more information, see Guest Access. Presence Analytics Enables businesses to collect real-time data on user footprints within the wireless network range of Aruba Instant APs that are managed using Aruba Central. 
For more information, see Presence Analytics. Visibility Provides a summary of client traffic and their data usage to and from applications and websites. Also, analyzes the client traffic flow using the graphs displayed. For more information, see Application Visibility. SAAS Express Enables the following to provide an improved user experience: discovering SaaS application servers, monitoring application performance, and steering traffic to the best available servers.. For more information, see SaaS Application Traffic Management with SaaS Express. RAPIDs Helps to identify and act on interfering devices that can be later considered for investigation, restrictive action, or both. For more information, see Rapids. Gateway IDS/IDPS Enables traffic inspection, threat detection, and threat prevention on the Aruba Branch Gateways. For more information, see Overview of Aruba IDPS. Firewall Monitors traffic coming into and going out of the Aruba Central-managed network and acts as an investigative resource for users to track blocked sessions within the network. For more information, see Firewall. SD-WAN Overlay Configured IPsec tunnels between the Branch Gateways and VPN Concentrators provisioned in an Aruba Central account. For more information, see SD-WAN Overlay Tunnel and Route Orchestration . Virtual Gateways Helps deploy a virtualized instance of a headend gateway in the customer's public cloud infrastructure. The virtualized instance of Aruba Gateway is referred to as Virtual Gateway. For more information, see Deploying Aruba Virtual Gateways. Cloud Connect Helps integrate SD-Branch with Zscaler and allows to set up and maintain a secure tunnels between Aruba Branch Gateways and Zscaler Public Service Edges. For more information, see Aruba SD-Branch Integration with Zscaler through Cloud Connect Service. 
Cloud Security (Legacy) | Helps integrate SD-Branch with Zscaler and allows you to set up tunnels automatically or manually between Aruba Branch Gateways and Zscaler Public Service Edges. For more information, see Aruba SD-Branch Integration with Zscaler Cloud Security Service.

Analyze > Alerts and Events | Alerts & Events | Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Audit Trail | Audit Trail | Shows the total number of logs generated for all device management, configuration, and user management events triggered in Aruba Central. For more information, see Viewing Audit Trail.

Analyze > Tools | Network Check, Device Check, Commands, Health Checks | Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports | Reports | Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.

Maintain > Firmware | Access Points, SwitchMAS, Switches, Gateways | Provides an overview of the latest supported version of firmware for the device, details of the device, and the option to upgrade the device. For more information, see Managing Software Upgrades.

Maintain > Organization | Groups | A group in Aruba Central is the primary configuration element that functions as a container for device management, monitoring, and maintenance. Groups enable administrators to manage devices efficiently by using either a UI-based configuration workflow or CLI-based configuration template. For more information, see Groups for Device Configuration and Management.
Sites and Labels | A site refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Labels are tags attached to a device provisioned in the network. Labels determine the ownership, departments, and functions of the devices. For more information, see Sites and Labels.

Certificates | Enables administrators to upload a valid certificate signed by a root CA so that devices are validated and authorized to use Aruba Central. For more information, see Groups for Device Configuration and Management.

Install Manager | Simplifies and automates site deployments, and helps IT administrators manage site installations with ease. For more information, see Installation Management.

The Label Dashboard

In the Network Operations app, the label dashboard is displayed when the filter is set to any of the options under Labels. The site dashboard displays information related to all devices configured for that site in Aruba Central.

Table 15: Contents of the Label Dashboard

Left Navigation Menu | First-Level Tabs | Description

Manage > Devices | All Devices | Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range filter.
For more information, see Global--Summary.

Access Points | Displays the access points information in the following views:
- Summary view: Monitoring APs in Summary View
- List view: Monitoring APs in List View

Switches | Displays the switches information in the following views:
- Summary view: Monitoring Switches in Summary View
- List view: Monitoring Switches in List View

Gateways | Displays the gateways information in the following views:
- Summary view: Monitoring Gateways in Summary View
- List view: Monitoring Gateways in List View

Manage > Clients | Clients | Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.

Manage > Security | RAPIDs | Identify and act on interfering devices that can be later considered for investigation, restrictive action, or both. Once the interfering devices are discovered, Aruba Central sends alerts to the network administrators about the possible threat and provides essential information needed to locate and manage the threat. For more information, see Rapids.

Analyze > Alerts and Events | Alerts & Events | Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Tools | Network Check, Device Check, Commands | Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports | Reports | Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.

The Site Dashboard

In the Network Operations app, the site dashboard is displayed when the filter is set to any of the options under Sites.
The site dashboard displays information related to all devices configured for that site in Aruba Central.

Table 16: Contents of the Site Dashboard

Left Navigation Menu and First-Level Tabs: Manage > Overview (Site Health, Summary, Wi-Fi Connectivity, WAN Health, AI Insights, Topology, Floor Plans); Manage > Devices (Access Points, Switches, Gateways)

Left Navigation Menu | First-Level Tabs | Description

Manage > Overview | Site Health | Displays details of wired and wireless devices deployed on the site. This page includes information on client connectivity statistics, change logs, health of devices, and RF health of the site. For more information, see Site Health Dashboard.

Manage > Overview | Summary | Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range filter. For more information, see Global--Summary.

Manage > Overview | Wi-Fi Connectivity | Displays an overall view of the connection details for all clients that are connected to or tried to connect to each connection phase. The connection phases include Association, Authentication, DHCP, and DNS. For more information, see Wi-Fi Connectivity.

Manage > Overview | WAN Health | Displays details for the wired, wireless, and gateway devices deployed on the site. For more information, see WAN Health--Site.

Manage > Overview | AI Insights | Displays a report of network events that may affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level in the network for the selected time range. Each insight report provides specific details on the occurrences of these events for ease in debugging. For more information, see The AI Insights Dashboard.

Manage > Overview | Topology | Provides a graphical representation of the site including the network layout, details of the devices deployed, and the health of the WAN uplinks and tunnels. For more information, see Monitoring Sites in the Topology Tab.
Manage > Overview | Floor Plans | Provides information regarding the current location of the Instant AP. For more information, see Access Point > Overview > Floor Plan.

Manage > Devices | Access Points | Displays the access points information in the following views:
- Summary view: Monitoring APs in Summary View
- List view: Monitoring APs in List View

Manage > Devices | Switches | Displays the switches information in the following views:
- Summary view: Monitoring Switches in Summary View
- List view: Monitoring Switches in List View

Manage > Devices | Gateways | Displays the gateways information in the following views:
- Summary view: Monitoring Gateways in Summary View
- List view: Monitoring Gateways in List View

Manage > Clients | Clients | Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.

Manage > Visibility | Applications | Provides a summary of client traffic and their data usage to and from applications and websites. Also, analyzes the client traffic flow using the graphs displayed. For more information, see Application Visibility.

Manage > Security | RAPIDS | Identify and act on interfering devices that can be later considered for investigation, restrictive action, or both. Once the interfering devices are discovered, Aruba Central sends alerts to the network administrators about the possible threat and provides essential information needed to locate and manage the threat. For more information, see Rapids.

Manage > Guests | Presence Analytics | Enables businesses to collect real-time data on user footprints within the wireless network range of Aruba Instant APs that are managed using Aruba Central. For more information, see Presence Analytics.

Analyze > Alerts and Events | Alerts & Events | Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.
Analyze > Live Events | Live Events | Enables you to troubleshoot issues related to a wireless client connected to an access point or a wired client connected to a switch. For more information, see Client Live Troubleshooting.

Analyze > Tools | Network Check, Commands | Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports | Reports | Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.

The Access Point Dashboard

In the Network Operations app, the access point dashboard is displayed when the filter is set to an access point. To navigate to an access point dashboard, see Navigating to the Switch, Access Point, or Gateway Dashboard. The following table lists all the available menu items in the Network Operations app for the access point dashboard.

Table 17: Contents of the Access Point Dashboard

Left Navigation Menu and First-Level Tabs: Manage > Overview (Summary, AI Insights, Floor Plan, Performance, RF, Spectrum); Manage > Device (Access Point Configuration using UI groups)

Left Navigation Menu | First-Level Tabs | Description

Manage > Overview | Summary | Displays the AP device details, network information, radio details including the topology of clients connected to each radio, and the health status of the AP in the network. See Access Point > Overview > Summary.

Manage > Overview | AI Insights | Displays information on AP performance issues such as excessive channel changes, excessive reboots, airtime utilization, and memory utilization. See Access Point > Overview > AI Insights.

Manage > Overview | Floor Plan | Displays information regarding the current location of the Instant AP. See Access Point > Overview > Floor Plan.

Manage > Overview | Performance | Displays the size of data transmitted through the AP. See Access Point > Overview > Performance.
Manage > Overview | RF | Displays details corresponding to 2.4 GHz, 5 GHz, and 5 GHz Secondary radios of the AP. See Access Point > Overview > RF.

Manage > Overview | Spectrum | Displays details for all Wi-Fi and non-Wi-Fi devices associated to each radio. See Access Point > Overview > Spectrum.

Manage > Device | Access Point Configuration using UI groups | Enables AP configuration in the Config view. See Deploying a Wireless Network Using Instant APs. Configuration using UI groups contains the following second-level tabs:
- WLANs--Configure wireless network profiles on Instant APs. See Configuring Wireless Network Profiles on Instant APs.
- Access Points--Configure device parameters on Instant APs. See Configuring Device Parameters.
- Radios--Configure ARM and RF parameters on Instant APs. See Configuring ARM and RF Parameters on Instant APs.
- Interfaces--Configure interface parameters on Instant APs. See Configuring Uplink Interfaces on Instant APs.
- Security--Configure authentication and security profiles on Instant APs. See Configuring Authentication and Security Profiles on Instant APs.
- VPN--Configure VPN host settings on an Instant AP to enable communication with a controller in a remote location. See Configuring Instant APs for VPN Tunnel Creation.
- Services--Configure AirGroup, location services, Lawful Intercept, OpenDNS, and Firewall services on Instant APs. See Configuring Services.
- System--Configure system parameters on Instant APs. See Configuring Systems.
- Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.

Manage > Device | Access Point Configuration using template groups | Configuration using template groups contains the following second-level tabs:
- Templates--Configure Access Points using template groups. See Configuring APs Using Templates.
- Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. See Managing Variable Files.
- Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.

Manage > Clients | Clients | Displays details of all the clients connected to a specific AP. See Access Point > Clients > Clients.

Manage > Security | VPN | Displays information on VPN connections associated with the virtual controller along with information on the tunnels and the data usage through each of the tunnels. See Access Point > Security > VPN.

Analyze > Alerts & Events | Alerts & Events | The Alerts & Events tab displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. See Access Point > Alerts & Events > Alerts & Events.

Analyze > Audit Trail | Audit Trail | The Audit Trail tab displays the logs for all the device management, configuration, and user management events triggered in Aruba Central. See Viewing Audit Trail in the Standard Enterprise Mode and MSP Mode.

Analyze > Tools | Commands | The Commands tab allows network administrators and users with troubleshooting permission to identify, diagnose, and debug issues on Aruba Instant APs at an advanced level using commands. See Using Troubleshooting Tools.

Maintain > Firmware | Access Points | The Access Points tab allows the user to view the firmware details and upgrade the devices provisioned in Aruba Central. See Viewing Firmware Details.

The Switch Dashboard

In the Network Operations app, the switch dashboard is displayed when the filter is set to a switch. To navigate to a switch dashboard, see Navigating to the Switch, Access Point, or Gateway Dashboard. The following table lists all the available menu items in the Network Operations app for the switch dashboard.
- Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central account. Also, some tabs or some fields inside tabs are only applicable either for AOS-Switch or AOS-CX switches.
- AOS-CX switches can be configured using templates only.
Table 18: Contents of the Switch Dashboard

Left Navigation Menu | First-Level Tabs | Description

Manage > Overview | Summary | Displays details about a specific switch, including device information, network summary, and port and hardware status. It also displays uplink and usage details. Use the time range filter to change the time period for the displayed information. See Switch > Overview > Summary.

Manage > Overview | Hardware | Displays switch hardware details, including status of power supplies and fans, CPU and memory utilization, and device temperature. See Switch > Overview > Hardware.

Manage > Overview | Routing | Displays routing information for the switch, such as, type of route, number of static and connected routes, and distance of the route. See Switch > Overview > Routing. NOTE: The Routing tab is displayed only for AOS-Switches.

Manage > Overview | AI Insights | Displays information on switch performance issues, such as, PoE issues, port errors, port flaps, airtime utilization, and memory utilization. See Switch > Overview > AI Insights.

Manage > Clients | Clients | Displays details about the wired clients that are connected to the switch. See Switch > Clients > Clients.

Manage > Clients | Neighbours | Displays details about the devices neighboring the switch. See Switch > Clients > Neighbours.

Manage > LAN | Ports | Displays details about ports and the LAGs configured in the switch. See Switch > LAN > Ports.

Manage > LAN | PoE | Displays details about PoE status, PoE ports, and the power consumption from these ports. See Switch > LAN > PoE.

Manage > LAN | VLAN | Displays VLAN information configured on the switch and details about tagged and untagged ports. See Switch > LAN > VLAN.

Manage > VSX | VSX | Displays VSX configuration details between AOS-CX switches and the status of the inter-switch link (ISL). See Switch > VSX. NOTE: The VSX tab is displayed only for AOS-CX switch series.

Manage > Device | AOS-Switch--Configuration using UI groups | Enables AOS-Switch configuration in the AOS-S Config view.
See Configuring or Viewing AOS-Switch Properties in UI Groups. Configuration using UI groups contains the following second-level tabs:
- Switches--Configure and view general switch properties, such as, hostname, IP address, and netmask. See Configuring or Viewing Switch Properties.
- Stacks--Create stacks, add members, or view stacking details, such as, stack type, stack id, and topology. See Configuring AOS-Switch Stacks Using UI Groups.
- Interface:
  - Ports--Assign or view port properties, such as, PoE, access policies, and trunk groups. See Configuring Switch Ports on AOS-Switches.
  - PoE--Configure or view PoE settings for each port. See Configuring PoE Settings on AOS-Switch Ports.
  - Trunk Groups--Configure or view trunk groups and their associated properties, such as, members of the trunk group, and type of trunk group. See Configuring Trunk Groups on AOS-Switches in UI Groups.
  - VLANs--Configure or view VLAN details and the associated ports and access policies. See Configuring VLANs on AOS-Switches.
  - Spanning Tree--Configure or view spanning tree protocol and its associated properties. See Enabling Spanning Tree Protocol on AOS-Switches.
  - Loop Protection--Configure or view loop protection and its associated properties. See Configuring Loop Protection on AOS-Switch Ports.
- Security:
  - Access Policies--Add or view access policies. See Configuring Access Policies on AOS-Switches.
  - DHCP Snooping--Configure or view DHCP snooping, authorized DHCP servers IP addresses, and their associated properties. See Configuring DHCP Snooping on AOS-Switches.
  - Port Rate Limit--View or specify bandwidth to be used for inbound or outbound traffic for each port. See Configuring Port Rate Limit on AOS-Switches.
  - RADIUS--Configure RADIUS (Remote Authentication Dial-In User Service) server settings on AOS-Switches. See Configuring RADIUS Server Settings on AOS-Switches.
  - Downloadable User Role--Enable DUR and configure ClearPass settings to download user roles, policy, and class from the ClearPass Policy Manager server. See Configuring Downloadable User Role on AOS-Switches.
  - Tunneled Node Server--Configure user-based tunnel or port-based tunnel on switches. See Configuring Tunnel Node Server on AOS-Switches.
  - Authentication--Configure and enable 802.1X and MAC authentication on switches. You can also configure authentication order and priority for authentication methods. See Configuring Authentication for AOS-Switches.
- System:
  - Access/DNS--Configure or view the administrator and operator logins. See Configuring System Parameters for AOS-Switches.
  - Time--Configure time synchronization in switches. See Configuring Time Synchronization on AOS-Switches.
  - SNMP--Add or view SNMP v2c and v3 community and its trap destination. See Configuring SNMP on AOS-Switches.
  - CDP--Configure CDP and its associated properties. See Configuring CDP on AOS-Switches.
  - DHCP--Add or view a DHCP pool and its associated properties. See Configuring DHCP on AOS-Switches.
- Routing--Configure or view a specific routing path to a gateway. See Configuring Routing on AOS-Switches.
- IGMP--Configure IGMP and its associated properties. See Configuring IGMP on AOS-Switches.
- QoS--Configure QoS traffic policies on switches to classify and prioritize traffic throughout a network. See Configuring QoS Settings on AOS-Switches.
- Device Profile--Configure device profile on switches to dynamically detect devices based on certain parameters. See Configuring Device Profile.
- Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.

AOS-Switch--Configuration using templates | See Using Configuration Templates for AOS-Switch Management.
Configuration of AOS-Switches using template groups contains the following second-level tabs:
- Templates--Configure switch using template groups. See Creating a Configuration Template.
- Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. See Managing Variable Files.
- Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.

AOS-Switch Stack--Configuration using templates | Configuration of AOS-Switch stacks using template groups contains the following second-level tabs:
- Templates--Configure switch stack using template groups. See Configuring AOS-Switch Stacks using Template Groups.
- Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. See Managing Variable Files.
- Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.

AOS-CX--Configuration using UI groups | Enables AOS-CX configuration in the AOS-CX Config view. See Configuring AOS-CX Switches in UI Groups. Configuration using UI groups allows you to configure the following features:
- System:
  - Properties--Edit system property settings such as contact, location, time zone, and administrator password. You can also select the VRF to be used and add the DNS and NTP servers. See Configuring System Properties on AOS-CX.
  - SNMP--Add, edit, or delete SNMP v2 communities, v3 users, and trap notifications. See Configuring SNMP on AOS-CX.
  - Logging--Add, edit, or delete logging servers to view event logs from the AOS-CX switches. Configure FQDN or IP address, log severity level, and the VRF to be used for each of the logging servers. Also configure the global level debug log severity. See Configuring Logging Servers for AOS-CX.
  - Administrator--Add, edit, or delete server groups to be used for authentication, authorization, and accounting. You must also configure the protocol required to enable connection to these server groups. See Configuring AAA for AOS-CX.
- Routing:
  - Static Routing--Add, edit, or delete static routes manually and configure destination IP addresses and next hop values, VRF, and the administrative distance. You can add different static routes for different VRFs on the switch. See Configuring Static Routing on AOS-CX.
- Interfaces:
  - Ports & Link Aggregations--View and edit port settings such as description, VLAN mode, speed duplex, routing, and the operational status of the port. Add, edit, or delete LAGs by combining different ports and configuring the speed duplex, VLAN mode, aggregation mode, and the operational status of the LAG. See Configuring Ports and LAGs on AOS-CX.
- Security:
  - Authentication Servers--Add, edit, or view the RADIUS and TACACS servers for authentication. Add settings such as FQDN or IP address of the servers, authentication port number, response timeout, retry count, and the VRF to be used when communicating with the servers. See Configuring Authentication Servers on AOS-CX.
  - Authentication--View or edit details about 802.1X and MAC authentication methods. Configure the precedence order and other parameters such as reauthentication timeout, cached reauthentication timeout, and quiet period. See Configuring Authentication on AOS-CX.
  - Access Control--View or add access policies and rules to permit or deny passage of traffic. See Configuring Access Control on AOS-CX.
- Bridging:
  - VLANs--Add, edit, delete, or view VLANs, and associated parameters such as type of IP assignment, operational status, IP address of the DHCP relay. See Configuring VLANs on AOS-CX.
  - Loop Prevention--Enable or disable loop protection and spanning tree protocol, and associated parameters such as the mode and priority.
Enable or disable various MSTP mode-related settings such as BPDU filter, BPDU protection, admin edge, and root guard. See Configuring Loop Prevention on AOS-CX.

AOS-CX--Configuration using MultiEdit mode | Enables AOS-CX configuration using the MultiEdit mode in the AOS-CX Config view. View and edit configuration on the AOS-CX switches using the CLI syntax. You can also apply a predefined set of configuration settings such as NAE to the switches. See Using MultiEdit View for AOS-CX. Configuration using the MultiEdit mode contains the following options:
- View Config--View configuration of AOS-CX switches and find differences in the configuration across switches. See Viewing Configuration on AOS-CX.
- Edit Config--Edit configuration for one or more AOS-CX switches in the MultiEdit mode. Edit the entire configuration in a familiar looking CLI with syntax checking, colorization, and command completion. See Editing Configuration on AOS-CX.
- Express Config--Apply a predefined set of configuration settings such as NAE scripts and device profile to a single or multiple switches. See Express Configuration on AOS-CX.

AOS-CX--Configuration using templates | Enables AOS-CX switch configuration in the AOS-CX view. See Using Configuration Templates for AOS-CX Switch Management. Configuration of AOS-Switches using template groups contains the following second-level tabs:
- Templates--Configure switch using template groups. See Creating a Configuration Template.
- Configuration Audit--View configuration sync errors and overrides. See Viewing Configuration Status.
- Configuration Status--View configuration status of AOS-CX switches that are managed through UI groups in Aruba Central. See Using Configuration Status on AOS-CX.

AOS-CX VSF Stack--Configuration | Enables AOS-CX switch stack configuration in the AOS-CX view. See AOS-CX VSF Stack.

Analyze > Alerts & Events | Alerts & Events | The Alerts & Events tab displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. See Alerts & Events. You can also configure and enable certain categories of switch alerts. See Switch Alerts.

Analyze > Audit Trail | Audit Trail | Displays the details of logs generated for all device management, configuration, and user management events triggered in Aruba Central. See Viewing Audit Trail.

Analyze > Tools | Network Check | The Network Check tab allows administrators and users with troubleshooting permission to diagnose issues related to wired network connections. See Troubleshooting Switch Connectivity Issues.

Analyze > Tools | Device Check | The Device Check tab allows network administrators and users with troubleshooting permission to identify, diagnose, and debug issues on AOS-Switch and AOS-CX switches using predefined tests. See Troubleshooting Device Issues.

Analyze > Tools | Commands | The Commands tab allows network administrators and users with troubleshooting permission to identify, diagnose, and debug issues on AOS-Switch and AOS-CX switches at an advanced level using commands. See Troubleshooting Switches.

Analyze > Reports | Reports | The Reports tab allows you to create, manage, and view various reports. You can create recurrent reports, generate reports on demand, or schedule reports to run at a later time. See Reports.

Maintain > Firmware | Switches | The Switches tab allows the user to view the firmware details and upgrade the devices provisioned in Aruba Central. See Managing Software Upgrades.

The Gateway Dashboard

In the Network Operations app, the gateway dashboard is displayed when the filter is set to a gateway. To navigate to a gateway dashboard, see Navigating to the Switch, Access Point, or Gateway Dashboard. The following table lists all the available menu items in the Network Operations app for the gateway dashboard.
Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central account.

Table 19: Contents of the Gateway Dashboard

Left Navigation Menu | First-Level Tabs | Description

Manage > Overview | Summary | Displays details about a specific gateway, including device information, WAN summary, and health status. Use the time range filter to change the time period for the displayed information. See Gateway > Overview > Summary.

Manage > Overview | IDPS | Displays the graphs related to IDPS. This feature is only applicable to IDPS gateways. Use the time range filter to change the time period for the displayed information. See Gateways > Overview > IDPS.

Manage > Overview | Routing | Displays routing information for the following second-level tabs in List view.
- BGP--See Gateway > Overview > Routing > BGP.
- OSPF--See Gateway > Overview > Routing > OSPF.
- Overlay--See Gateway > Overview > Routing > Overlay.
- RIP--See Gateway > Overview > Routing > RIP.
- Route Table--See Gateway > Overview > Routing > Route Table.
Use the time range filter to change the time period for the displayed information.

Manage > Overview | Sessions | Displays information for the running sessions. See Gateway > Overview > Sessions.

Manage > Overview | AI Insights | Displays information on gateway performance issues such as tunnel up, tunnel down, airtime utilization, and memory utilization. See Gateway > Overview > AI Insights.

Left Navigation Menu and First-Level Tabs: Manage > WAN (Summary, Tunnels, Path Steering); Manage > LAN (Summary); Manage > Device (Gateway); Manage > Clients (Clients); Manage > Visibility (Applications); Manage > Security (SAAS Express, Firewall); Analyze > Alerts and Events (Alerts & Events)

Manage > WAN | Summary | Displays status information about WAN ports and WAN interfaces. See Gateway > WAN > Summary.

Manage > WAN | Tunnels | Displays status information for VPN tunnels. See Gateway > WAN > Tunnels.

Manage > WAN | Path Steering | Displays information about dynamic path steering policies configured on a Branch Gateway. See Gateway > WAN > Path Steering.
Manage > LAN | Summary | Displays information about LAN port and LAN status. See Gateway > LAN > Summary.

Manage > Device | Gateway | Enables gateway configuration in Config view for the basic mode, advanced mode, and guided setup. See Provisioning Aruba Gateways in Aruba Central.

Manage > Clients | Clients | Displays a list of clients connected to a gateway. See All Clients.

Manage > Visibility | Applications | Displays charts showing client traffic trends to application, application categories, website categories, and websites of a specific security reputation score.
- Applications--See Applications
- Websites--See Websites

Manage > Security | SAAS Express | Displays charts with QoE scores for all of the SaaS applications that you have configured. See Monitoring SaaS Express.

Manage > Security | Firewall | Displays graphical and tabular representations of all the session activities belonging to gateways managed by Aruba Central. See Firewall.

Analyze > Alerts and Events | Alerts & Events | Displays alerts for SD-WAN and gateway-related events. See Gateway Alerts. NOTE: You can configure alerts in the global dashboard only.

Analyze > Audit Trail | Audit Trail | Displays the total number of logs generated for all device management, configuration, and user management events triggered in Aruba Central. See Viewing Audit Trail.

Analyze > Tools | Network Check | Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. See Troubleshooting Gateway Connectivity Issues.

Analyze > Tools | Logs | Enables network administrators and users with permission to download and upload TAR logs and crash logs related to gateways. See Enabling Gateway Logs.

Analyze > Tools | Commands | See Troubleshooting Gateways.

Analyze > Reports | Reports | Enables network administrators to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.

Maintain > Firmware | Firmware | Provides an overview of the latest supported version of firmware for the device, details of the device, and the option to upgrade the device. For more information, see Managing Software Upgrades.
The Client Dashboard

In the Network Operations app, the clients dashboard is displayed when the filter is set to one of the options under Groups, Labels, Sites, or Global. The following table lists all the available menu items in the Network Operations app for the clients dashboard.

Table 20: Contents of the Clients Dashboard

Wireless Clients

| Left Navigation Menu | First-Level Tabs | Description |
|---|---|---|
| Manage > Overview | Summary | Displays the client details about the type of data path that the client uses, the network and connectivity details, and basic client details such as IP address of the client, type of encryption, etc. See Summary. |
| Manage > Overview | AI Insights | Displays the information about client performance and connectivity issues such as excessive 2.4 GHz dwell and low SNR links. See The AI Insights Dashboard. |
| Manage > Overview | Location | Displays the current physical location of the client device on the floor map. See Location. |
| Manage > Overview | Sessions | Displays the firewall session details for the client connected to an AP or a Branch Gateway. The Sessions page displays information filtered by the IP address of the client. See Sessions. |
| Manage > Applications | | Displays the client details for passive monitoring of the client connected to a wireless network. The Visibility dashboard provides a summary of client traffic and their data usage to and from applications, and websites. See Application Visibility. |
| Analyze > Live Events | | Allows troubleshooting issues related to a client or a site in real time for detailed analysis. See Live Events. |
| Analyze > Events | | Displays the details of events generated by the AP and client association. See Alerts & Events. |
| Analyze > Tools | | Enables network administrators to perform checks on the client and debug client connectivity issues. See Using Troubleshooting Tools. |

Wired Clients

| Left Navigation Menu | First-Level Tabs | Description |
|---|---|---|
| Manage > Overview | Summary | Displays the information about the type of data path that the client uses, the network details, and basic client details such as IP address of the client, type of encryption, etc. See Summary. |
| Manage > Overview | AI Insights | Displays information about client performance and connectivity issues such as excessive 2.4 GHz dwell and low SNR links. See The AI Insights Dashboard. |
| Manage > Overview | Sessions | Displays the firewall session details for the client connected to a Branch Gateway. The Sessions page displays information filtered by the IP address of the client. See Sessions. |
| Manage > Applications | | Displays the client details for passive monitoring of the client connected to a wired network. The Visibility dashboard provides a summary of client traffic and their data usage to and from applications, and websites. See Application Visibility. |
| Analyze > Live Events | | Allows troubleshooting issues related to a wired client connected to a switch in real time for detailed analysis. See Live Events. |
| Analyze > Events | | Displays the details of events generated by the AP and client association. See Alerts & Events. |
| Analyze > Tools | | Enables network administrators to perform checks on the client and debug client connectivity issues. See Using Troubleshooting Tools. |

Remote Clients

| Left Navigation Menu | First-Level Tabs | Description |
|---|---|---|
| Manage > Overview | Summary | Displays the information about the type of data path that the client uses, the network details, and basic client details such as IP address of the client, type of encryption, and so on. See Summary. |
| Manage > Overview | AI Insights | Displays information about client performance and connectivity issues such as excessive 2.4 GHz dwell and low SNR links. See The AI Insights Dashboard. |
| Manage > Overview | Location | Displays the current physical location of the client device on the floor map. See Location. |
| Manage > Overview | Sessions | Displays the firewall session details for the client connected to a Branch Gateway. The Sessions page displays information filtered by the IP address of the client. See Sessions. |
| Manage > Applications | | Displays the client details for passive monitoring of the client connected to a wired network. The Visibility dashboard provides a summary of client traffic and their data usage to and from applications, and websites. See Applications. |
| Analyze > Security | | Displays the authentication and accounting details of the remote client. See Security. |
| Analyze > Tools | | Enables network administrators to perform checks on the client and debug client connectivity issues. See Tools. |

Overview of Aruba Central Foundation and Advanced Licenses

As part of the shift to an Edge-to-Cloud Platform-as-a-Service organization, Aruba has introduced the Aruba Central Foundation and Advanced Licenses (Aruba Central Licenses). This is a uniform software subscription licensing model that will be extended to all products under the Aruba Central-managed portfolio. The new 1, 3, 5, 7, and 10-year fixed-term licenses offer you the flexibility to choose services and device operations that are most meaningful to the type of business that you own.

This licensing model provides different licenses for APs, switches, and gateways. The licenses for APs, switches, and gateways cannot be used interchangeably. For example, you cannot use an AP Foundation License on a gateway. Similarly, if you have an Aruba 25xx Switch but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch.

The features that are available in both the Foundation and Advanced Licenses have different monitoring and configuration options depending on the licensing tier. For more information, see Supported Features.

This licensing model provides the following types of licenses depending on the devices:

- Switches:
  - Foundation--This license provides all the features included in the legacy Device Management tokens.
    - Aruba Central does not provide Switch Advanced Licenses.
    - The Mobility Access Switch (MAS) license will be converted to the Switch Foundation 61xx/25xx license and continue to work.
- Access Points (APs):
  - Foundation--This license provides all the features included in the legacy Device Management tokens and some additional features that were available as value-added services for APs and switches in the earlier licensing model.
  - Advanced--This license provides all the features included in the Foundation License, with additional features related to AI Insights and WLAN services.
- SD-Branch Gateways:
  - Foundation--This license provides all features required for SD-Branch functionality in branch or headend deployments.
  - Foundation Base--This license provides all the features included in a Foundation License, but can support only up to 75 client devices per branch site.
  - Foundation with Security--This license provides all features required for SD-WAN functionality in branch or headend deployments and some additional security features.
  - Foundation Base with Security--This license provides all the features included in a Foundation with Security License, but can support only up to 75 client devices per branch.
  - Advanced--This license provides all the features included in a Foundation License, with additional features related to SaaS Express and AI Insights.
  - Advanced with Security--This license provides all the features of an Advanced License, with additional security features related to IPS and IDS, security dashboard, and anti-malware.
  - Virtual Gateway (VGW) License--This license is available for AWS, Azure, and ESXi platforms and is licensed based on the bandwidth required. The license types available for VGW are VGW-500M, VGW-2G, and VGW-4G. For more information, see SD-WAN Ordering Guide.

The Foundation and Advanced Licenses for APs, switches, and SD-Branch gateways are different and cannot be used interchangeably.
For a detailed list of the features supported in each type of license, see Supported Features. For more information about evaluation licenses, see Starting Your Free Trial.

Changes to the Legacy Licensing Model

For existing Aruba Central customers, please note that the previous Device Management and Service Token model is changed to the new licensing model, which provides a uniform licensing structure for all types of devices such as APs, switches, and gateways.

The following list provides information about important aspects of the legacy licensing model:

- Device Management Token--This is a mandatory token which allows you to manage and monitor your APs and switches from Aruba Central.
- Service Token--This token allows you to enable value-added services for APs managed from Aruba Central. These services include UCC, AirGroup, Wi-Fi Connectivity Dashboard (formerly, Clarity), Cloud Guest, WebCC, and Presence Analytics.
- Subscription Key--A valid subscription key allows you to manage, profile, and analyze your devices using Aruba Central. A subscription key is a 14-character alphanumeric string provided for either a device management or service token.

The new Aruba Central Licenses simplify the existing subscription-based licensing model. With the introduction of this licensing model, the existing Device Management tokens for APs and switches are no longer available. Similarly, the Service tokens for value-added services on the APs are unavailable. Instead, APs and switches have adopted the current Gateway Foundation and Advanced licensing model.

Supported Devices

The Aruba Central Licenses are supported for APs, switches, and gateways. For more information on the individual device models supported, refer to the next sections.

The pricing structure for Foundation and Advanced Licenses for the hardware devices may differ based on the types of models.

APs and IAPs

All AP and IAP models that are currently being shipped are supported. See Supported Instant APs.
Switches

Aruba Central supports AOS-Switch and AOS-CX switches.

AOS-Switches

The following AOS-Switches are supported:

- Aruba 2530 Switch Series
- Aruba 2540 Switch Series
- Aruba 2920 Switch Series
- Aruba 2930F Switch Series
- Aruba 2930M Switch Series
- Aruba 3810 Switch Series
- Aruba 5400R Switch Series

For more information, see Supported AOS-Switch Platforms.

AOS-CX Switches

The following AOS-CX switches are supported:

- AOS-CX 6200 Switch Series
- AOS-CX 6300 Switch Series
- AOS-CX 6400 Switch Series
- AOS-CX 8320 Switch Series
- AOS-CX 8325 Switch Series
- AOS-CX 8360 Switch Series
- AOS-CX 8400 Switch Series

For more information, see Supported AOS-CX Platforms.

Gateways

Aruba Central supports SD-Branch Gateways based on the license type. For more information, see Supported SD-Branch Components.

Gateway Foundation and Advanced License

The Gateway Foundation and Advanced License can be assigned to the following gateways:

- Aruba 70xx Series
- Aruba 72xx Series
- Aruba 90xx Series

This license does not have a capacity limit for client devices.

Gateway Foundation Base License

The Gateway Foundation Base License can be assigned to the following gateways:

- Aruba 7005, 7008, 9004, 9004-LTE, 9012

This license includes all the features available in the Gateway Foundation License. However, this license can support only up to 75 client devices per branch.

When the client capacity reaches the threshold, Aruba Central triggers an alert to indicate that the Gateway Base License capacity limit has been exceeded. If the notification option for the license capacity limit exceeded alert is configured, Aruba Central sends an email notification with a list of Aruba gateways that exceed the client-capacity threshold. You can also configure alerts to trigger an incident using Webhook. For more information, see Gateway Alerts.
Gateway Foundation, Foundation Base, and Advanced with Security License

The Gateway Foundation with Security License can be assigned to the following gateways:

- Aruba 9004 Gateway
- Aruba 9004-LTE Gateway
- Aruba 9012 Gateway

Virtual Gateway (VGW) License (VPNC only)

The Virtual Gateway License is available on AWS, Azure, and ESXi platforms and is licensed based on the bandwidth required: 500 Mbps, 2 Gbps, or 4 Gbps.

Aruba Virtual Gateway is a virtual instance of the headend gateway for Aruba SD-Branch. Aruba Central supports licenses based on the bandwidth capacity for virtual gateways. All license assignments are undertaken by the virtual gateway orchestration app.

The following are the options available for Virtual Gateway Licenses:

- License duration--1 year, 3 years, and 5 years
- Available bandwidths--500 Mbps, 2 Gbps, and 4 Gbps
- Available Aruba Virtual Gateways based on the bandwidth--VGW-500M for 500 Mbps, VGW-2G for 2 Gbps, and VGW-4G for 4 Gbps

Aruba Central maintains a pool of Virtual Gateway Licenses. When a Virtual Gateway License expires and there are no available Virtual Gateway Licenses, the expired license is unassigned from the Aruba Central account. The availability of SKUs is dependent on the installation consuming the license. If a Virtual Gateway License expires and there is a similar new license available, the new license is assigned to the Virtual Gateway, provided that the Auto-Assign Licenses option is enabled. For more information about the Auto-Assign Licenses option, see Enabling the Auto-Assign Licenses Option.

For an Aruba Central evaluation account, four licenses of each base SKU are assigned to the account. These evaluation licenses are valid for 90 days.

You can track licenses on the Key Management page or the License Assignment page available from the Account Home page. The list of licenses available against consumed licenses is also displayed during the deployment of a Virtual Gateway.
When the client capacity reaches the threshold, Aruba Central triggers an alert to indicate that the Gateway Base License capacity limit has been exceeded. If the notification option for the license capacity limit exceeded alert is configured, Aruba Central sends an email notification with a list of Aruba gateways that exceed the client-capacity threshold. You can also configure alerts to trigger an incident using Webhook. For more information, see Gateway Alerts.

For more information, see SD-WAN Ordering Guide.

Supported Features

This section includes detailed information about the different configuration and monitoring options available for Aruba Central features tied to Foundation and Advanced Licenses.

AP Foundation and Advanced License

The AP Foundation and Advanced License for Aruba Central includes the following features, listed by feature category:

Configuration
- Foundation License features:
  - UI- and template-based group configuration
    - SSID (Bridge Mode)
    - IAP VPN
  - Auto-commit
  - Configuration audit
- Advanced License features:
  - All the features in Foundation

Monitoring and Reporting
- Foundation License features:
  - Network Health, Summary, Wi-Fi Connectivity Dashboards
  - Network Topology View
  - Visual RF Floorplans
  - Client List and Details
  - AP List and Details
  - Go Live mode for Client, AP
  - Application Visibility
  - WebCC Firewall rules, visualization by reputation and category
  - Access to all monitoring data for up to 30 days
  - Access to reporting data for up to 90 days
  - Access to historical Client Summary Report data for up to one year
  - Audit Trail
  - Alerts and Events
  - Access, Spectrum, Monitor mode of radio operations
  - UXI Sensor Integration
- Advanced License features:
  - All the features in Foundation
  - AirSlice
    - Visibility and Prioritization of applications

NOTE: AirSlice is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

AI Operations
- Foundation License features:
  - AI Search
  - AI Insights
    - Connectivity--Wi-Fi
    - Wireless Quality
    - Availability--Access Points
    - Class and Company Baselines
  - AI Assist
    - Dynamic logs
- Advanced License features:
  - All the features in Foundation
  - AI Insights--Wireless Quality
    - Outdoor clients impacting Wi-Fi performance
    - Coverage Hole Detection
    - Transmit power optimization
  - AI Assist
    - Aruba support notification

NOTE: Dynamic Logs is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

NOTE: Aruba support notification is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Troubleshooting
- Foundation License features:
  - Network Check, CLI commands
  - Live Events for Client and AP, Packet Capture
- Advanced License features:
  - All the features in Foundation

Services
- Foundation License features:
  - AirGroup (In InstantOS-based APs, the service is hosted on the IAP Virtual controller and all services are supported.)
  - RF Management Services
    - Adaptive Radio Management (ARM)
    - ClientMatch
  - Presence Analytics
- Advanced License features:
  - All the features in Foundation
  - UCC

NOTE: AirGroup is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

NOTE: UCC is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Security
- Foundation License features:
  - Guest Access
  - Clients Profile
  - Rogues
  - WIPS/WIDS
- Advanced License features:
  - All the features in Foundation

NOTE: CPDI-based Client Profile and Rogues are supported in this release as Early-Access features. Contact your Aruba SE or Account Manager to enable these in your Aruba Central account.

API
- Foundation License features:
  - Northbound (NB) API: 1000 API calls/day per customer
- Advanced License features:
  - All the features in Foundation
  - Streaming API

Switch Foundation License

The Switch Foundation License for Aruba Central includes the following features, listed by feature category.

Aruba Central does not support Switch Advanced License.

Configuration
- AOS-Switch features:
  - UI- and template-based group configuration
  - Auto-commit
  - Configuration audit
- AOS-CX features:
  - UI-, Template-, and MultiEdit-based group configuration
  - Configuration audit

Monitoring and Reporting
- AOS-Switch features:
  - Network Health, Summary Dashboards
  - Network Topology View
  - Client List and Details
  - Switch List and Details
  - Access to all monitoring data for up to 30 days
  - Access to reporting data for up to 90 days
  - Access to historical Client Summary Report data for up to one year
  - Audit Trail
  - Alerts and Events
- AOS-CX features:
  - Network Health, Summary Dashboards
  - Network Topology View
  - Client List and Details
  - Switch List and Details
  - Access to all monitoring data for up to 30 days
  - Access to reporting data for up to 90 days
  - Access to historical Client Summary Report data for up to one year
  - Audit Trail
  - Alerts and Events

AI Operations
- AOS-Switch features:
  - AI Search
  - AI Insights
    - Availability Switch
    - Class and Company Baselines
- AOS-CX features:
  - AI Search
  - AI Insights
    - Availability Switch
    - Class and Company Baselines

Troubleshooting
- AOS-Switch features:
  - Network Check, Device Check, CLI commands
  - Live Events and Packet Capture for wired client
- AOS-CX features:
  - Network Check, Device Check, CLI commands

API
- AOS-Switch features:
  - Northbound (NB) API: 1000 API calls/day per customer
- AOS-CX features:
  - Northbound (NB) API: 1000 API calls/day per customer

Gateway Foundation, Foundation Base, and Advanced License

The Gateway Foundation, Foundation Base, and Advanced License for Aruba Central includes the following features, listed by feature category.

The Foundation Base License provides all the features included in the Foundation License, but this license can support only up to 75 client devices per branch.
SD-Branch
- Foundation and Foundation Base License features:
  - Branch Gateway and VPNC Management
  - Stateful Firewall
  - IPsec VPN
  - Client VPN
  - Static and Dynamic Routing (BGP, OSPF, RIPv2)
  - SD-WAN Route and Tunnel orchestration
  - Orchestrated Cloud IaaS connectivity (AWS, Azure)
  - Orchestrated SASE Integration
  - Dynamic Path Steering
  - Link Redundancy
  - 4 WAN links plus 1 LTE link
  - Application-based policies
  - High Availability (Active-Standby or Active-Active)
  - Web content filtering
  - Role-based Access Policy
  - Full SD-LAN Control
- Advanced License features:
  - All the features in Foundation

Configuration
- Foundation and Foundation Base License features:
  - CPDI-based Client Profile
  - UI- and template-based group configuration
  - Configuration audit
- Advanced License features:
  - All the features in Foundation

Monitoring and Reporting
- Foundation and Foundation Base License features:
  - Network, WAN Health, Summary Dashboards
  - Network Topology View
  - Client List and Details
  - Gateway List and Details
  - Go Live mode for Client
  - Application Visibility
  - WebCC Firewall rules, visualization by reputation and category
  - Access to all monitoring data for up to 30 days
  - Access to reporting data for up to 90 days
  - Access to historical Client Summary Report data for up to one year
  - Audit Trail
  - Alerts and Events
- Advanced License features:
  - All the features in Foundation

AI Operations
- Foundation and Foundation Base License features:
  - AI Search
  - AI Insights
    - Availability Gateways
    - Class and Company Baselines
  - AI Assist
    - Dynamic logs
- Advanced License features:
  - All the features in Foundation

NOTE: Dynamic Logs is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Troubleshooting
- Foundation and Foundation Base License features:
  - Network Check, CLI commands
- Advanced License features:
  - All the features in Foundation

API
- Foundation and Foundation Base License features:
  - Northbound (NB) API: 1000 API calls/day per customer
- Advanced License features:
  - Streaming API

Services
- Foundation and Foundation Base License features:
  - Not Applicable
- Advanced License features:
  - SaaS Express

Gateway Foundation, Foundation Base, and Advanced License with Security

The Gateway Foundation, Foundation Base, and Advanced License with Security for Aruba Central includes the following features:

- Foundation and Foundation Base with Security:
  - All the features in Foundation
  - Intrusion Detection and Prevention (IDS/IPS)
  - Anti-malware
  - Security Dashboard
- Advanced with Security:
  - All the features in Advanced
  - Intrusion Detection and Prevention (IDS/IPS)
  - Anti-malware
  - Security Dashboard

Virtual Gateway (VGW) License

The Virtual Gateway (VGW) License for Aruba Central includes the following features, listed by feature category:

SD-Branch
- VPNC Management
- Stateful Firewall
- IPsec VPN
- Client VPN
- GRE Tunnel
- Static and Dynamic Routing (BGP, OSPF, RIPv2)
- VGW orchestration in public cloud
- SD-WAN Route and Tunnel orchestration
- Orchestrated Cloud IaaS connectivity (AWS, Azure)
- Orchestrated SASE integration
- Link Redundancy
- High Availability (Active-Standby or Active-Active)

Configuration
- UI- and template-based group configuration
- Configuration audit

Monitoring and Reporting
- Network, WAN Health, Summary Dashboards
- Network Topology View
- Access to all monitoring data for up to 30 days
- Access to reporting data for up to 90 days
- Access to historical Client Summary Report data for up to one year
- Audit Trail
- Alerts and Events

AI Operations
- AI Search
- AI Insights
  - Availability Gateways
  - Class and Company Baselines
- AI Assist
  - Dynamic logs

NOTE: Dynamic Logs is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Troubleshooting
- Network Check, CLI commands

API
- Northbound (NB) API: 1000 API calls/day per customer

For more information about the features supported, see Aruba Central Licenses Feature Details.

Aruba Central Licenses Feature Details

This section provides a description of the different configuration and monitoring options available for Aruba Central features tied to Foundation and Advanced Licenses.

Configuration

AP Configuration

License Applicability: AP configuration is available for AP Foundation License.

Network administrators can manage APs through the Aruba Instant UI, Aruba Central, or AirWave management system. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AP deployments. For template-based provisioning, APs must be assigned to a group with template-based configuration method enabled.

AOS-Switch Configuration

License Applicability: AOS-Switch configuration is available for Switch Foundation License.

Network administrators can manage AOS-Switches through the Aruba Central UI menu options. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AOS-Switch deployments.

AOS-CX Configuration

License Applicability: AOS-CX configuration is available for Switch Foundation License.

Network administrators can manage AOS-CX switches through the Aruba Central UI menu options and the MultiEdit mode.
The MultiEdit mode in Aruba Central provides a single window for viewing and editing the configuration for one or more AOS-CX switches. In this mode, viewing and editing the configuration is performed using the CLI syntax. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AOS-CX deployments.

Auto-Commit

License Applicability: Auto-Commit is available for Foundation and Advanced Licenses for APs, switches, and gateways.

Aruba Central supports a two-staged configuration commit workflow for Instant APs. When the auto-commit state is enabled for a group, the configuration changes are instantly applied to all devices where the auto-commit state is enabled.

Configuration Audit

License Applicability: Configuration Audit is available for Foundation and Advanced Licenses for APs, switches, and gateways.

In Aruba Central, the Configuration Audit page provides an audit dashboard for reviewing configuration changes of the devices provisioned in the UI and template groups. The Configuration Audit page allows you to view configuration push errors, template synchronization errors, configuration sync, and device-level configuration overrides.

Gateway Configuration

License Applicability: Gateway configuration is available for Gateway Foundation and Foundation Base Licenses.

Aruba Central supports the following methods to configure Gateway groups and Gateways in SD-Branch deployments:

- Guided Setup--You can use the Guided Setup to quickly configure basic and essential parameters on Aruba Gateways for deploying the SD-WAN solution. The Guided Setup provides a wizard-based workflow for provisioning Gateways.
- Basic Mode--Allows you to configure your Gateways in a non-linear fashion. This mode allows you to make configuration changes after you provision your gateways for the first time using a Guided setup.
- Advanced Mode--Allows you to configure advanced features for SD-WAN deployments.

Template groups in Aruba Central allow network administrators to create a common configuration output by using a combination of CLI commands and variables, and apply this configuration to the other Gateway devices provisioned in that group.

Monitoring and Reporting

Access, Spectrum, Monitor Mode of Radio Operations

License Applicability: The Access, Spectrum, and Monitor modes of the radios of an access point are available for AP Foundation and Advanced Licenses.

In the Access mode, the Instant AP serves clients, while also monitoring for rogue Instant APs in the background. In the Monitor mode, the Instant AP acts as a dedicated monitor, scanning all channels for rogue Instant APs and clients. In the Spectrum mode, the Instant AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring Instant APs or from non-Wi-Fi devices such as microwaves and cordless phones.

Alerts and Events

License Applicability: Alerts and events for APs, Gateways, and switches is part of Foundation License and does not require any extra configuration. This tab shows data for all devices irrespective of device license type.

The Alerts and Events dashboard displays a list of alerts and events generated for events pertaining to device provisioning, configuration, and user management. You can view the alerts and events in the List view and Summary view. Configuration view is used to configure alerts and is available only at the Global context.

Application Visibility

License Applicability: The Application Visibility feature is a part of a Foundation License. However, as API streaming is available for Advanced Licenses only, the Application Visibility streaming service is supported only for APs with an Advanced License.
Application Visibility is a custom-built Layer-7 firewall capability in Aruba Central that allows you to create firewall policies based on the types of applications in IAPs. Application Visibility provides features like deep packet inspection, application monitoring, and AirSlice Policy.

Audit Trail

License Applicability: Audit Trail logs for APs, gateways, and switches is part of Foundation License and does not require any extra configuration. This tab shows data for all devices irrespective of device license type.

The Audit Trail page in Aruba Central shows the total number of logs generated for all device management, configuration, and user management events triggered in the network.

Client List and Details

License Applicability: Clients monitoring is available for the Foundation License of AP, switch, and gateway.

The Clients page is also called the unified clients list and it provides a list of all clients that are connected to access points, switches, or gateways in the network. The List and Summary views under the Clients tab serve as dashboards. It displays details about the network performance, client connection status, instantaneous client refresh, Go Live (only AP), and other information required for monitoring the clients.

Floorplans

License Applicability: Floorplans is available for AP and gateway Foundation Licenses.

Floorplans allow you to plan sites, create and manage floorplans, and provision access points. Floorplans provide a real-time picture of the radio environment of your wireless network and the ability to plan the wireless coverage of new sites.

Reports

License Applicability: Reports is available for the Foundation License.

The Reports feature enables you to generate reports for the Clients, Infrastructure, Security Compliance, and Applications categories. The Reports feature is present under the Analyze section of the Network Operations app. The functionalities present are creating a report, generating a report, scheduling the report generation, previewing a report, and downloading a report in PDF and CSV formats. The Custom range for the Summary report is available for the last one year, except the current date (today). All other reports are available for 90 days in Aruba Central 2.5.3.

Topology

License Applicability: Topology is available for Foundation and Advanced Licenses for APs, switches, and gateways.

In Aruba Central, the Topology tab in the site dashboard provides a graphical representation of the site, including the network layout, details of the devices deployed, and the health of the WAN uplinks and tunnels. The topology map provides information about third-party devices and devices that are not managed by Aruba. It also provides information about orphan and offline third-party devices, and the VLANs configured on switches running AOS-Switch and AOS-CX software.

Web Content Classification (WebCC)

License Applicability: The WebCC feature is available for Foundation Licenses for APs and gateways.

WebCC allows you to classify website content based on reputation and take measures to block malicious sites. It fetches information about website content classification and geolocation of IPs. The IP reputation database contains known IP addresses associated with various malicious activities or threats such as botnet, DoS, and spam sources. The geolocation IP database contains the geographical location of the IP address from where the traffic is received or to which the traffic is sent. This provides geolocation and reputation filtering as part of the security suite.
The table below lists the features supported for AP and gateway licenses:
AP Foundation: WebCC Firewall rules, visualization by reputation and category
Gateway Foundation and Foundation Base: WebCC Firewall rules, visualization by reputation and category

Wi-Fi Connectivity
License Applicability: The Wi-Fi Connectivity dashboard for APs is part of Foundation License and does not require any extra configuration.
The Wi-Fi Connectivity page displays an overall view of the connection details for all clients that are connected to or tried to connect to each connection phase. The connection phases include the following:
- All--Displays the aggregated success percentage of Association, Authentication, and DHCP for all clients connected to the network.
- Association--Displays the percentage of successful attempts made by a client to connect to the network.
- Authentication--Displays the percentage of successful attempts of client authentication.
- DHCP--Displays the percentage of successful attempts of DHCP requests and responses when onboarding a client.
- DNS--Displays the percentage of successful attempts in the detected DNS resolutions, when a client is connected to the network.

AI Operations

AI Insights
License Applicability: AI Insights is available for Foundation and Advanced Licenses for APs, switches, and gateways. The Insights that require an Advanced License are marked as Advanced in the UI.
The AI Insights dashboard displays a report of network events that could possibly affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level for the selected time range. Each insight provides specific details on the occurrences of these events for easy debugging. Different types of insights are generated by Aruba Central and they can be accessed from different contexts such as Global, Site, Clients, and Device.
Some of the insights are part of an Advanced License only and they are marked as Advanced in the user interface. The following figure displays the various AI Insights available, some of which are marked as Advanced.
Figure 13 AI Insights List
The table below lists the features supported for AP, switch, and gateway licenses:
AP Foundation License / AP Advanced License
- Connectivity--Wi-Fi
- Wireless Quality
- Availability--Access Points
- Class and Company Baselines
- Wireless Quality
  - Outdoor clients impacting Wi-Fi performance
  - Coverage Hole Detection
  - Transmit power optimization
Switch Foundation
- Availability--Switch
- Class and Company Baselines
Gateway Foundation, Foundation Base, and VGW
- Availability--Gateways
- Class and Company Baselines
In this release, all AI Insights are available irrespective of the user role or Aruba Central subscription. In the upcoming Aruba Central release, AI Insights marked as Advanced in the user interface would require an advanced subscription.

AI Search
License Applicability: AI Search feature is available for Foundation License for AP, switch, and gateway.
The AI search feature in Aruba Central enables you to search for clients, devices, and infrastructure connected to the network. Using the search results, you can navigate to the configuration and troubleshooting pages. The search also retrieves relevant documentation to help you efficiently operate your networks. The search engine uses Natural Language Processing (NLP) to analyze queries and return relevant search results.

Dynamic Logs
License Applicability: Dynamic Log is available for both Foundation and Advanced Licenses for APs and gateways.
The Dynamic Logs feature enables Aruba Central to dynamically run CLI show commands on APs and gateways, and collect the output as logs. You can also enable the Aruba support notification option to notify TAC support about the logs generated.
These logs can be used to troubleshoot the APs and gateways.
Dynamic Logs is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
The following figure displays the available options for Dynamic Logs.
Figure 14 Dynamic Logs Option
For devices assigned with the Foundation License, the Dynamic Logs feature only supports the log collection activity. Even if you enable the Notify Aruba Support option, the option is not activated for devices licensed with Foundation License. For devices assigned with Advanced Licenses, Dynamic Logs support both log collection and the Aruba support notification option.
For example, assume an Aruba Central account with Dynamic Logs enabled, where you configure a group of three Access Points (APs), AP1, AP2, and AP3. AP1 has a Foundation License while AP2 and AP3 have Advanced Licenses. For this group, both Dynamic logs collection and Notify Aruba Support options are enabled. However, the Aruba support notification option is only applicable for AP2 and AP3, which have Advanced Licenses.

Troubleshooting

Live Events
Licensing Applicability: Live Events for clients, APs and switches is part of Foundation License and does not require any extra configuration.
The clients Live Events page shows information required to troubleshoot issues related to a client or a site in real time for detailed analysis. Aruba Central also allows you to troubleshoot issues related to access points. The AP Live Events feature is similar to client live troubleshooting, but in this case you can enable Live Events at the AP level. Currently, users can subscribe to Radio, VPN, and Spectrum events.

Live Packet Capture (PCAP)
Licensing Applicability: Live PCAP for APs and switches is part of Foundation License and does not require any extra configuration.
Aruba Central allows users to interact and launch a targeted packet capture on a client connected to a specific AP or a switch. When the user starts packet capture from the UI, Aruba Central notifies the AP and the switch. The default packet capture duration is 15 minutes.

Troubleshooting Tools
License Applicability: Troubleshooting for APs, gateways, and switches is part of Foundation License and does not require any extra configuration.
The Tools menu option allows network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. The Tools page is divided into the following tabs:
- Network Check--Allows you to run diagnostic checks on networks and troubleshoot client connectivity issues.
- Device Check--Allows you to run diagnostic checks and troubleshoot switches.
- Commands--Allows you to perform network health check on devices at an advanced level using command categories.

Services

AirGroup
License Applicability: AirGroup is available for both AP Foundation and Advanced Licenses.
AirGroup is a zero-configuration networking protocol that enables service discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services. It is designed for flat, single-subnet IP networks such as wireless networking at home. AirGroup supports both wired and wireless devices.
AirGroup is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
In InstantOS-based APs, the service is hosted on the IAP Virtual controller and all services are supported.

AirMatch
License Applicability: AirMatch is available for AP Foundation License.
AirMatch channel planning evens out channel distributions in any size of network and in any subset of the contiguous network. AirMatch also minimizes channel coupling where adjacent radios are assigned to the same channel.
AirSlice
License Applicability: The AirSlice feature is available for only AP Advanced Licenses.
The AirSlice feature allows network operators to build virtual networks suitable for specific application requirements. It allows network operators to monitor applications used by clients and supports multiple services such as gaming, IoT, voice, video, and so on.
AirSlice is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
For devices that have Advanced Licenses, the AirSlice feature supports unlimited applications and provides prioritization of custom-applications with visibility and configuration.
The table below lists the features supported for AP licenses:
Advanced
- Visibility and prioritization of applications
- Maximum number of applications as supported by the Aruba Central platform

ClientMatch
License Applicability: ClientMatch is available for AP Foundation License.
ClientMatch continually monitors the RF neighborhood for each client to provide ongoing client band steering, load balancing, and enhanced AP reassignment for roaming mobile clients.

Presence Analytics
License Applicability: Presence Analytics is available for Foundation AP License.
Presence Analytics enables businesses to collect and analyze user presence data in public venues, enterprise environments, and retail hubs. Presence Analytics also enables businesses to collect real-time data on user footprints within the wireless network range.

SaaS Express
License Applicability: SaaS Express is available for Advanced Gateway License and Advanced with Security Gateway License only.
The SaaS Express feature, on SD-WAN Gateways, enables discovery of the SaaS application servers, monitors application performance, and steers traffic to the best-available servers, and thus provides an improved user experience.
Unified Communications
License Applicability: Unified Communications is available for AP Advanced Licenses.
The Unified Communications feature enables a seamless user experience for voice calls, video calls, and application-sharing when using communication and collaboration tools. It allows you to actively monitor voice, video, and application-sharing sessions, provide traffic visibility, prioritize the required sessions, and provide rich visual metrics for analytical purposes.
Unified Communications is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Security

Cloud Guest
License Applicability: Cloud Guest is available for the AP Foundation License.
Cloud Guest access enables guest users to connect to the network. This is provided through the splash page profile that is created by the administrators for the guest users in the Guests tab under Manage. The Summary page in the Manage > Guest Access application is the monitoring dashboard that displays the number of guests, guest SSID, client count, type of clients, and guest connection.
Cloud Guest deals with the AP, so the license that is assigned to the AP is also applicable to Cloud Guest. By default, the Foundation License is applicable. The Advanced License features will also be available if the Cloud Guest is assigned to it.

ClearPass Device Insight-Based Clients Profile
License Applicability: ClearPass Device Insight (CPDI) based Clients Profile is available for Foundation License for APs and gateways.
The CPDI-based Clients Profile enables network and security administrators to discover, monitor, and automatically classify new and existing devices that connect to a network. You can identify devices that include IoT devices, medical devices, printers, smart devices, laptops, VoIP phones, computers, gaming consoles, routers, servers, switches, and so on.
CPDI-based Clients Profile is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
The table below lists the features supported for AP and gateway licenses:
Foundation
- Basic client MAC Classification based on telemetry data
- Client Family, Client Category, Client OS
- Cloud Auth Integration
Advanced
- Access to Collector support in Central (not including physical collector costs)
- ML-based client classification
- Advanced Security Features (Risk / Posture / Vulnerability)
- Security baseline of device behavior with Firewall recommendation

Intrusion Detection and Prevention (IDS or IPS)
License Applicability: IDS and IPS is available for Foundation with Security Gateway License, Foundation Base with Security Gateway License, and Advanced with Security Gateway License.
IDS and IPS monitor, detect, and prevent threats in the inbound and outbound traffic. Aruba IDS or IPS adds an extra layer of security that focuses on users, applications, and network connections, and can be integrated with the Aruba SD-Branch solution.

RAPIDS
License Applicability: RAPIDS is available for Foundation and Advanced Licenses for APs.
The RAPIDS feature enables Aruba Central to quickly identify and act on interfering APs in the network that can be later considered for investigation, restrictive action, or both. Once the interfering APs are discovered, Aruba Central sends alerts for security events to the network administrators about the possible threat and provides essential information needed to locate and manage the threat.
RAPIDS is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.
This feature is part of the AP Foundation License. However, as API streaming is available for Advanced License only, Aruba Central would not stream any security events for APs with Foundation License. For APs with Advanced License, API streaming of security events is available for further diagnosis and threat management.

API

Streaming APIs
License Applicability: The Streaming API service requires that devices such as IAPs and gateways are assigned an Advanced License.
The Streaming API feature enables you to subscribe to a select set of services, instead of polling the NB API to get an aggregated state, or statistics of the events, pertinent to the monitoring activities of Aruba Central. With Streaming API, you can write value-added applications based on the aggregated context. For example, with Streaming API, you are notified about the following types of events:
- The UP and DOWN status of the devices
- Change in location of stations
The Streaming API feature in Aruba Central is enabled only when any one of the devices in the account has an Advanced License. If the account has devices with only Foundation License, the Streaming API tab is not displayed in Aruba Central. If the Streaming API feature is enabled, and the account has a mix of Foundation License and Advanced License for devices, the devices that are assigned with Foundation License do not stream any data for any topics.

SD-Branch

Application-based Policy
License Applicability: The application-based policy configuration is available for Foundation License for Branch Gateways.
The Application-based policy configuration helps in deep packet inspection of application usage by clients. Using this configuration, you can define applications, security, and service aliases. You can configure Access Control Lists (ACLs) to restrict user access to an application or application category.

Dynamic Path Steering
License Applicability: Dynamic Path Steering is available for Gateway Foundation and Foundation Base License.
In the Path Steering tab, you can view traffic path steering details for the Dynamic Path Steering policies configured on the Branch Gateway.
This tab also displays the number of policies that are compliant along with the total number of policies configured on the Branch Gateway.

Full SD-LAN Control
License Applicability: SD-LAN monitoring is available for Foundation License for Branch Gateways.
The LAN Summary page displays a graphical representation of the LAN link availability of a Branch Gateway. It also provides a summary of all the LAN interfaces and port details.

IPsec VPN
License Applicability: IPsec VPN is available for Gateway Foundation and Foundation Base License.
An IPsec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPsec tunnel to the controller secures corporate data. You can configure an IPsec tunnel from the virtual controller using Aruba Central.

Role-based Access Policy
License Applicability: Role-based Access Policy configuration is available for Foundation License for Branch Gateways.
The Role-based Access Policy determines client access based on the user roles assigned to a client. Each user or device connected to the branch network is associated with a user role. Once the role is assigned, traffic and security policies are applied to devices based on the role.

SD-WAN Overlay
License Applicability: SD-WAN Overlay monitoring is available for Gateway Foundation License.
The SD-WAN Overlay is an orchestrator service for branch deployments, which is done by setting up IPsec tunnels between the Branch Gateways and VPN Concentrators. This is achieved through Tunnel and Route orchestration. The tunnel configuration between the branch and hub sites is automatic, and the route configuration is done by dynamically redistributing the routing information learnt from the branch. The Map and Grid views of the Tunnel and Route tabs under SD-WAN Overlay serve as dashboards for monitoring purposes, providing information about the tunnels and routes configured for an individual Branch Gateway.
Stateful Firewalls
License Applicability: Stateful Firewalls is available for Gateway Foundation and Foundation Base License.
Aruba Gateways support stateful firewall for stateful inspection of packets. Stateful firewalls provide an additional layer of security by tracking the state of network connections and using the state information from previous communications to monitor and control new communication attempts. To protect your network from external attacks and unauthorized communication attempts, you can configure match conditions and packet filtering criteria for the Aruba Gateways.

Web Content Filtering
License Applicability: Website content filtering is available for Foundation License for Branch Gateways.
Aruba Gateways enhance branch security by providing real-time web content and reputation filtering. The Website Content Classification feature on Branch Gateways allows you to classify website content based on reputation and take measures to block malicious sites.

Starting Your Free Trial
Aruba Central offers a 90-day evaluation license for customers who want to try the solution for managing their networks. The evaluation license allows you to use the functions described in the following table:

Table 21: Evaluation features
Application: Network Operations
Function:
- 10 Advanced AP Licenses
- 5 Foundation Switches 6100 / 25xx / low density (16 ports or less) Licenses
- 5 Foundation Switches 6200 / 29xx Licenses
- 5 Foundation Switches 6300 / 3810 Licenses
- 5 Foundation Switches 8xxx / 6400 / 5400 Licenses
- 5 Advanced 90xx Gateways with security feature Licenses
- 10 Advanced 70xx Gateways Licenses
- 2 Advanced 72xx Gateways Licenses
Application: ClearPass Device Insight
Function: Discover, monitor, and automatically classify new and existing devices that connect to a network.
Complete the following steps to evaluate Aruba Central:
- Step 1: Getting Started with the Initial Setup
- Step 2: Viewing Subscription Details (Optional)
- Step 3: Adding Devices
- Step 4: Assigning Subscriptions
- Step 5: Organizing Your Devices into Groups
- Step 6: Assigning Sites and Labels (Optional)
- Step 7: Configuring Your Network
- Step 8: Monitoring Your Network and Devices
- Step 9: Canceling or Upgrading Your Subscription (Optional)

Step 1: Getting Started with the Initial Setup
To get started with the trial:
1. Register for evaluating Aruba Central. For more information, see Creating an Aruba Central Account.
2. Log in to Aruba Central. For more information, see Accessing Aruba Central Portal.
  - If you signed up to evaluate only the Network Operations app, the Welcome to Aruba Central page is displayed.
    - Click Evaluate Now. The Get Started With Aruba Central page guides you through the onboarding steps.
    - Click through the steps to set up your account and start using Aruba Central. If you want to exit the wizard and complete the onboarding steps on your own, click Exit Workflow.
    The Initial Setup wizard is displayed only when you log in to Aruba Central for the first time. The wizard is not available for Aruba Central users in the MSP mode.
  - If you signed up to evaluate both Network Operations and ClearPass Device Insight, the Network Operations page is displayed. For more information, see ClearPass Device Insight Information Center.

Step 2: Viewing Subscription Details (Optional)
At your first login, the Initial Setup wizard displays the details of the evaluation license. After you exit the wizard, you can view the license details on the Account Home > Global Settings > Key Management page.

Viewing Subscription Key Details
The following table shows the typical contents of a license key:

Table 22: License Key Details
Keys: Subscription key number
Type: Type of the license. Aruba Central supports the following types of licenses:
- Foundation--This license provides all the features included in the Device Management subscription and some additional features that were available as value-added services for APs in the earlier licensing model.
- Advanced--This license provides all the features of a Foundation license, with additional features related to AI insights.
Expiration Date: Expiration date for the license key.
Quantity: Number of licenses available.
Status: Status of the license key. For example, if you are a trial user, Aruba Central displays the status of subscription key as Eval.

Step 3: Adding Devices
To manage devices from Aruba Central, trial users must manually add the devices to Aruba Central's device inventory. You can add up to 60 devices. The devices can be APs, switches, or gateways. For details about how many device licenses of each type are available, see Table 21.
Use one of the following methods to add devices to Aruba Central:
- Using the Initial Setup Wizard
- Using the Device Inventory Page

Using the Initial Setup Wizard
1. In the Add Devices tab of the Initial Setup wizard, click Add Device.
2. Enter the serial number and MAC address of your devices. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
3. Click Done.
4. Review the devices in your inventory.

Using the Device Inventory Page
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Add Devices. The Add Devices pop-up window is displayed.
3. Enter the serial number and the MAC address of each device. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
4. Click Done.
5. Review the devices in your inventory.

Step 4: Assigning Subscriptions
By default, an evaluation license key is assigned for users who sign up for a free trial of Aruba Central.
The evaluation license key allows you to manage up to 60 devices from Aruba Central. You can either enable automatic assignment of licenses or manually assign Foundation and Advanced licenses to your devices. By default, the automatic license assignment is disabled.

Enabling Automatic Assignment of Subscriptions
Use one of the following options to enable automatic assignment of licenses:

In the Initial Setup Wizard
1. Verify that you have a valid license key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the Assign License tab, slide the Auto License toggle switch to the On position.

From the License Assignment Page
1. In the Account Home page, under Global Settings, click License Assignment.
2. Under Device Licenses, slide the Auto License toggle switch to the On position. All the devices in your inventory are selected for automatic assignment of a license. You can edit the list by clearing the existing selection and re-selecting devices.

Manually Assigning Subscriptions
Use one of the following options to manually assign subscriptions:

In the Initial Setup Wizard
1. In the Assign License tab, ensure that the Auto License toggle switch is turned off.
2. Select the devices in the list for which you want to manually assign licenses.
3. Click Update Licenses.

From the Subscription Assignment Page
1. In the Account Home page, under Global Settings, click License Assignment.
2. On the License Assignment page, ensure that the Auto License toggle is turned off.
3. Select the devices to which you want to assign licenses.
4. Click Update Licenses.
For more information on subscriptions, see Managing Licenses.

Step 5: Organizing Your Devices into Groups
A group in Aruba Central functions as a configuration container for devices added in Aruba Central.

Why Should You Use Groups?
Groups allow you to create a logical subset of devices and simplify the configuration and device management tasks.
Groups offer the following functions and benefits:
- Combining different types of devices under a group. For example, a group can have APs and switches. Aruba Central allows you to manage configuration of these devices in separate containers (wireless and wired management) within the same group. Any new device that is added to a group inherits the current configuration of the group.
- Assigning multiple devices to a single group. For example, a group can consist of multiple Instant AP Virtual Controllers (VCs). These VCs can share common configuration settings and push the configuration updates to member Instant APs in their respective clusters. For example, you can apply a common security policy for the devices deployed in a specific geographical location.
- Cloning an existing group allows you to create a base configuration for the devices and customize it as per your network requirements.
You can also use groups for filtering your monitoring dashboard content, generating reports, and managing software upgrades.
A device can be part of only one group at any given time. Groups in Aruba Central are independent and do not follow a hierarchical model.
For more information on groups and group configuration workflows, see Groups for Device Configuration and Management.

Assigning Devices to Groups
After you successfully complete the onboarding workflow, the Initial Setup wizard prompts you to assign your devices to a group. You can click Assign Group and assign your devices to a group. You can also use one of the following methods to assign your devices to groups:
To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory.
1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign.
4. Click Assign Device(s).
To assign a device to a group from the Groups page:
1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the devices table on the right, select the device that you want to assign to a new group.
4. Drag and drop the device to the group to which you want to assign the device.

Step 6: Assigning Sites and Labels (Optional)
A site in Aruba Central refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Aruba Central allows you to use sites as a primary navigation element. For example, if your devices are deployed in a campus, you can create a site called CampusA. You can also tag the devices within CampusA using labels. If your campus consists of multiple buildings, the devices deployed in the campus can be labeled as Building1 or Lobby.
For more information on sites and labels and how to assign devices to sites and labels, see Managing Sites and Managing Labels.

Step 7: Configuring Your Network
If you have added Instant APs as part of your evaluation, you can configure an employee and guest wireless network. If you have Switches or SD-Branch or SD-WAN Gateways, configure wired access network or SD-WAN respectively.
For more information, see Device Configuration and Network Management.

Step 8: Monitoring Your Network and Devices
Use monitoring dashboards to view the health of the device and network. You can also run reports, configure alerts, and view client details.

Step 9: Canceling or Upgrading Your Subscription (Optional)
During the trial period or after you complete your trial, if you want to continue using Aruba Central for managing your devices, contact Aruba Customer Support to upgrade your license. If you do not want to continue, contact Aruba support team to cancel your license or wait until the trial expires.
When the trial period expires, your devices can no longer be managed from Aruba Central.

Upgrading to a Paid Account
If you have purchased a license for an AP, a switch, or a gateway, then upgrade your account by completing the following steps:
1. On the Account Home page, in the Network Operations app, click the link that shows the number of days left for the evaluation to expire.
Figure 15 Network Operations Evaluation Account
The Add a New License window is displayed.
2. Enter the new license key that you purchased from Aruba.
3. Click Add License.
After you upgrade your account, you can add more devices, enable services, and continue using Aruba Central.

Setting up Your Aruba Central Instance
If you have purchased a license key to manage your devices and networks from Aruba Central, get started with the steps described in this topic. Figure 16 illustrates the steps required for setting up your Aruba Central instance:
Figure 16 Getting Started Workflow

Getting Started with Aruba Central
Complete the following steps to start using Aruba Central for managing your devices and setting up your networks.
- Step 1: Getting Started
- Step 2: Adding a Subscription Key
- Step 3: Adding Devices
- Step 4: Assigning Subscriptions
- Step 5: Organizing Your Devices into Groups
- Step 6: Assigning Sites and Labels (Optional)
- Step 7: Configuring Users
- Step 8: Configuring and Managing Networks
- Step 9: Monitoring Your Network and Devices
- Step 10: Upgrading Software Images on Devices
- Step 11: Running Diagnostic Checks and Troubleshooting Issues

Step 1: Getting Started
To get started:
1. Sign up to create your Aruba Central account. For more information, see Creating an Aruba Central Account.
2. If you already have an Aruba Central account, log in to Aruba Central with your credentials. When you log in for the first time, the Initial Setup wizard opens and guides you through the onboarding workflow.
3. Click Get Started.
4. Click through the wizard to complete the onboarding workflow. If you want to exit the wizard and complete the onboarding steps on your own, click Exit and go to Aruba Central.
The Initial Setup wizard is displayed only when you log in to Aruba Central for the first time. The wizard is not available for Aruba Central users in the MSP mode.

Step 2: Adding a Subscription Key
At your first login, the Initial Setup wizard prompts you to add your license key.
If you are not using the wizard, complete the following steps to add your license key.
1. On the Account Home page, under Global Settings, click Key Management. The Key Management page is displayed.
2. Enter your license key.
3. Click Add Key. The license key is added to Aruba Central and the contents of the license key are displayed in the Manage Keys table. Review the license details.
If you add a Device Management token, the key is listed in the Convert Deprecated Licenses page. For more information, see Converting Legacy Tokens to New Licenses.

Step 3: Adding Devices
If you have a paid license, you can automatically import devices from the Activate database to the Aruba Central device inventory.
Figure 17 Typical Workflow for Device Sync Setup

Setting up Device Sync for Automatic Device Addition
To set up device sync, use one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page

In the Initial Setup Wizard
1. Ensure that you have added a license key and click Next.
2. In the Add Devices tab, enter the serial number and MAC address of any one device from your purchase order. Most Aruba devices have the serial number and MAC address on the front or back of the hardware.
3. Click Add Device. Aruba Central imports all other devices mapped to your purchase order.
4. Review the devices in your inventory.
5. Perform the following options:
  - Add Devices Manually--Manually add devices by entering the MAC address and serial number of each device.
  - Add Via Mobile App--Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
  - Contact support--Contact Aruba Technical Support.

From the Device Inventory Page
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed. Aruba Central imports only devices associated with your account from Activate.
2. Do any one of the following:
  - Click Sync Devices. Enter the serial number and MAC address and click Add Device.
  - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
  - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.
  Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Review the devices in your inventory.
4. Perform the following options:
  - Add Devices Manually--Manually add devices by entering the MAC address and serial number of each device.
  - Add Via Mobile App--Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
  - Contact support--Contact Aruba Technical Support.

Manually Adding Devices

To add devices using MAC address and serial number, use any one of the following methods:

- In the Initial Setup Wizard
- From the Device Inventory Page

In the Initial Setup Wizard

If you are using the Initial Setup wizard:

1. In the Add Devices tab of the Initial Setup wizard, click Add Device.
2. Enter the serial number or the MAC address of your device.
3. Click Done.
4. Review the list of devices.

From the Device Inventory Page

To add devices from the Device Inventory page:

1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Perform one of the following:
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.

   Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Click Done.
4. Review the devices added to the inventory.

When you add the serial number and MAC address of one AP from a cluster or a switch stack member, Aruba Central imports all devices associated in the AP cluster and switch stack respectively.

For more information on adding devices, see Onboarding Devices.

Step 4: Assigning Subscriptions

Aruba Central supports the following types of licenses:

- Foundation: This license provides all the features included in the Device Management subscription and some additional features that were available as value-added services for APs in the earlier licensing model.
- Advanced: This license provides all the features of a Foundation License, with additional features related to AI insights.

You can either enable automatic assignment of licenses or manually assign licenses to your devices. By default, the automatic license assignment is disabled.

Enabling Automatic Assignment of Licenses

Use any one of the following options to enable automatic assignment of licenses:

- In the Initial Setup Wizard
- From the License Assignment Page

In the Initial Setup Wizard

1. Verify that you have a valid license key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the License Assignment tab, slide the Auto Assign Licenses toggle switch to the On position.

From the License Assignment Page

1. In the Account Home page, under Global Settings, click License Assignment.
2. Under Device Subscriptions, toggle the Auto Assign Licenses slider to ON. All the devices in your inventory are selected for automatic assignment of licenses. You can edit the list by clearing the existing selection and re-selecting devices.

For more information on how auto licensing works, see Automatic License Assignment Workflow.

Manually Assigning Licenses

Use any one of the following methods to manually assign the licenses:

- In the Initial Setup Wizard
- From the License Assignment Page

In the Initial Setup Wizard

1. In the Assign License tab, ensure that the Auto License toggle switch is turned off.
2. Select the devices in the list for which you want to manually assign subscriptions.
3. Click Update License.

From the License Assignment Page

1. In the Account Home page, under Global Settings, click License Assignment.
2. On the License Assignment page, ensure that the Auto License toggle is turned off.
3. Select the devices to which you want to assign licenses.
4. Click Update License.

For more information on subscriptions and how to assign network service and SD-WAN Gateway subscriptions, see Managing License Assignments.

Step 5: Organizing Your Devices into Groups

A group in Aruba Central functions as a configuration container for devices added in Aruba Central.

Why Should You Use Groups?

Groups allow you to create a logical subset of devices and simplify the configuration and device management tasks. Groups offer the following functions and benefits:

- Combining different types of devices under a group. For example, a group can have Instant APs and Switches. Aruba Central allows you to manage the configuration of these devices in separate containers (wireless and wired management) within the same group. Any new device that is added to a group inherits the current configuration of the group.
- Assigning multiple devices to a single group. For example, a group can consist of multiple Instant AP Virtual Controllers (VCs). These VCs can share common configuration settings and push the configuration updates to member Instant APs in their respective clusters. For example, you can apply a common security policy for the devices deployed in a specific geographical location.
- Cloning an existing group allows you to create a base configuration for the devices and customize it according to your network requirements.

You can also use groups for filtering your monitoring dashboard content, generating reports, and managing software upgrades.

A device can be part of only one group at any given time. Groups in Aruba Central are independent and do not follow a hierarchical model.

For more information on groups and group configuration workflows, see Groups for Device Configuration and Management.

Assigning Devices to Groups

After you successfully complete the onboarding workflow, the Initial Setup wizard prompts you to assign your devices to a group. You can click Assign Group and assign your devices to a group. You can also use any one of the following methods to assign your devices to groups.

To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory.

1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign.
4. Click Assign Device(s).

To assign a device to a group from the Groups page:

1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the devices table on the right, select the device that you want to assign to a new group.
4. Drag and drop the device to the group to which you want to assign the device.

Step 6: Assigning Sites and Labels (Optional)

A site in Aruba Central refers to a physical location where a set of devices are installed; for example, campus, branch, or venue. Aruba Central allows you to use sites as a primary navigation element. For example, if your devices are deployed in a campus, you could create a site called CampusA. You can also tag the devices within CampusA using labels. If your campus consists of multiple buildings, the devices deployed in the campus can be labeled as Building1 or Lobby.

For more information on sites and labels and how to assign devices to sites and labels, see Managing Sites and Managing Labels.

Step 7: Configuring Users

Add system users, assign user roles, and configure role-based access control. For more information, see Configuring System Users.

Step 8: Configuring and Managing Networks

To start configuring your network setup:

1. Connect your devices to Aruba Central. For more information, see Connecting Devices to Aruba Central.
2. Provision Instant APs, switches, or gateways to set up your WLAN, wired access, and SD-WAN network.

Step 9: Monitoring Your Network and Devices

Use monitoring dashboards to view the health of the device and network. You can also run reports, configure alerts, and view client details.

Step 10: Upgrading Software Images on Devices

View software images available for the devices provisioned in your account, run a compliance check for the recommended software version, and upgrade devices. For more information and step-by-step instructions, see Managing Software Upgrades.

Step 11: Running Diagnostic Checks and Troubleshooting Issues

Run diagnostic checks and troubleshooting commands to analyze network connectivity, latency issues, and debug device issues, if any. For more information and step-by-step instructions, see Using Troubleshooting Tools.

Configuring Email Notifications for Software Upgrades

Aruba Central administrators receive email notifications before software upgrades, scheduled maintenance activity, or any unplanned outage. By default, email notifications are enabled. The banner is updated in the Aruba Central UI seven days before the upgrade and an email notification is sent seven days before the upgrade. In case of an unplanned outage, an email notification is sent immediately and the banner is also updated immediately in the Aruba Central UI.

The email notification contains the following details:

- Start date and time.
- Estimated end date and time.
- Link to the What's New page where users can view the list of new features and enhancements included in the release.
- Impact of the outage.

Users can no longer check the status of Aruba Central using the following URLs:

- US: http://status.central.arubanetworks.com
- Canada: http://ca-status.central.arubanetworks.com
- APAC: http://apac-status.central.arubanetworks.com
- APAC East: http://apaceast-status.central.arubanetworks.com
- Europe: http://eu-status.central.arubanetworks.com

Enabling Email Notifications

By default, email notifications are enabled. However, if email notifications are disabled and you wish to enable system maintenance or software update email notifications, complete the following steps:

1. In the Aruba Central UI, click the user icon in the header pane.
2. Click User Settings.
3. In the User Settings pop-up window, do the following:
   a. Select the Get system maintenance notifications check box to receive system maintenance notification on the registered email ID. Email notifications are sent before any scheduled maintenance activity or unplanned outage.
   b. Select the Get software update notifications check box to receive software update notification on the registered email ID.
4. Click Save.

Figure 18 Email Notifications

Configuring Idle Timeout

Aruba Central allows you to set a timeout value for inactive user sessions. The value is in minutes and is the amount of time a user can be inactive before the user's session times out and closes.

To configure idle timeout, complete the following steps:

1. In the Aruba Central UI, click the user icon in the header pane.
2. Click User Settings.
3. In the User Settings pop-up window, enter the timeout value in the Idle Timeout field. The value must be within the range of 5 to 10080 minutes.
4. Click Save.

Opening Firewall Ports for Device Communication

Most of the communication between devices on the remote site and Aruba Central server in the cloud is carried out through HTTPS (TCP 443). To allow devices to communicate over a network firewall, ensure that the following domain names and ports are open.

This section includes the following topics:

- Domain names for Aruba Central Portal Access
- Domain Names for Device Communication with Aruba Central
- Domain Names for Device Communication with Aruba Activate
- Cloud Guest Server Domains for Guest Access Service
- Domain Names for OpenFlow
- Other Domain Names

Domain names for Aruba Central Portal Access

Table 23: Domain Names and URLs for Aruba Central Portal Access

Region | Domain Name | Protocol
US-1 | portal.central.arubanetworks.com | HTTPS TCP port 443
US-2 | portal-prod2.central.arubanetworks.com | HTTPS TCP port 443
US-WEST-4 | portal-uswest4.central.arubanetworks.com | HTTPS TCP port 443
EU-1 | portal-eu.central.arubanetworks.com | HTTPS TCP port 443
EU-2 | portal-eucentral2.central.arubanetworks.com | HTTPS TCP port 443
EU-3 | portal-eucentral3.central.arubanetworks.com | HTTPS TCP port 443
Canada-1 | portal-ca.central.arubanetworks.com | HTTPS TCP port 443
China-1 | portal.central.arubanetworks.com.cn | HTTPS TCP port 443
APAC-1 | portal-apac.central.arubanetworks.com | HTTPS TCP port 443
APAC-EAST1 | portal-apaceast.central.arubanetworks.com | HTTPS TCP port 443
APAC-SOUTH1 | portal-apacsouth.central.arubanetworks.com | HTTPS TCP port 443

Domain Names for Device Communication with Aruba Central

Table 24: Domain Names for Device Communication with Aruba Central

Region | Aruba Central URL | URL for Device Connectivity | Protocol | FQDNs for SD-WAN Orchestrator Service
US-1 | app.central.arubanetworks.com | app1.central.arubanetworks.com | HTTPS TCP port 443 | app1-h2.central.arubanetworks.com
US-2 | app-prod2.central.arubanetworks.com | device-prod2.central.arubanetworks.com | HTTPS TCP port 443 | device-prod2-h2.central.arubanetworks.com
US-WEST-4 | app-uswest4.central.arubanetworks.com | device-uswest4.central.arubanetworks.com | HTTPS TCP port 443 | device-uswest4-h2.central.arubanetworks.com
EU-1 | app2-eu.central.arubanetworks.com | device-eu.central.arubanetworks.com | HTTPS TCP port 443 | device-eu-h2.central.arubanetworks.com
EU-2 | app-eucentral2.central.arubanetworks.com | device-eucentral2.central.arubanetworks.com | HTTPS TCP port 443 | device-eucentral2-h2.central.arubanetworks.com
EU-3 | app-eucentral3.central.arubanetworks.com | device-eucentral3.central.arubanetworks.com | HTTPS TCP port 443 | device-eucentral3-h2.central.arubanetworks.com
Canada-1 | app-ca.central.arubanetworks.com | device-ca.central.arubanetworks.com | HTTPS TCP port 443 | device-ca-h2.central.arubanetworks.com
China-1 | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS TCP port 443 | device-h2.central.arubanetworks.com.cn
APAC-1 | app2-ap.central.arubanetworks.com | app1-ap.central.arubanetworks.com | HTTPS TCP port 443 | app1-ap-h2.central.arubanetworks.com
APAC-EAST1 | app-apaceast.central.arubanetworks.com | device-apaceast.central.arubanetworks.com | HTTPS TCP port 443 | device-apaceast-h2.central.arubanetworks.com
APAC-SOUTH1 | app-apacsouth.central.arubanetworks.com | device-apacsouth.central.arubanetworks.com | HTTPS TCP port 443 | device-apacsouth-h2.central.arubanetworks.com

Domain Names for AOS-CX Device Communication with Aruba Central

Table 25: Domain Names for AOS-CX Device Communication with Aruba Central

Region | Aruba Central URL | URL for Device Connectivity | Protocol
US-1 | app.central.arubanetworks.com | device-prod-d2.central.arubanetworks.com | HTTPS TCP port 443
US-2 | app-prod2.central.arubanetworks.com | device-prod2.central.arubanetworks.com | HTTPS TCP port 443
US-WEST-4 | app-uswest4.central.arubanetworks.com | device-uswest4-d2.central.arubanetworks.com | HTTPS TCP port 443
EU-1 | app2-eu.central.arubanetworks.com | device-eu.central.arubanetworks.com | HTTPS TCP port 443
EU-2 | app-eucentral2.central.arubanetworks.com | device-eucentral2-d2.central.arubanetworks.com | HTTPS TCP port 443
EU-3 | app-eucentral3.central.arubanetworks.com | device-eucentral3-d2.central.arubanetworks.com | HTTPS TCP port 443
Canada-1 | app-ca.central.arubanetworks.com | device-ca.central.arubanetworks.com | HTTPS TCP port 443
China-1 | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS TCP port 443
APAC-1 | app2-ap.central.arubanetworks.com | app1-ap.central.arubanetworks.com | HTTPS TCP port 443
APAC-EAST1 | app-apaceast.central.arubanetworks.com | device-apaceast.central.arubanetworks.com | HTTPS TCP port 443
APAC-SOUTH1 | app-apacsouth.central.arubanetworks.com | device-apacsouth.central.arubanetworks.com | HTTPS TCP port 443

Domain Names for Device Communication with Aruba Activate

Table 26: Domain Names for Device Communication with Aruba Activate

Domain Name | Protocol
device.arubanetworks.com | HTTPS TCP port 443
devices-v2.arubanetworks.com | HTTPS TCP port 443
est.arubanetworks.com * | HTTPS TCP port 443

* Required for Aruba 2530 switches to provision certificate using the EST server in Activate.

Cloud Guest Server Domains for Guest Access Service

Table 27: Domain Names for Cloud Guest Server Access

Region | Domain Name | Protocol
US-1 | nae1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-1 | nae1-elb.cloudguest.central.arubanetworks.com | TCP port 443
US-2 | naw2.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-2 | naw2-elb.cloudguest.central.arubanetworks.com | TCP port 443
US-WEST-4 | uswest4.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-WEST-4 | uswest4-elb.cloudguest.central.arubanetworks.com | TCP port 443
EU-1 | euw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
EU-1 | euw1-elb.cloudguest.central.arubanetworks.com | TCP port 443
EU-2 | naw2.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
EU-2 | naw2-elb.cloudguest.central.arubanetworks.com | TCP port 443
EU-3 | euw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
EU-3 | euw1-elb.cloudguest.central.arubanetworks.com | TCP port 443
Canada-1 | ca.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
Canada-1 | ca-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-1 | ap1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-1 | ap1-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-EAST1 | apaceast.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-EAST1 | apaceast-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-SOUTH1 | apacsouth.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-SOUTH1 | apacsouth-elb.cloudguest.central.arubanetworks.com | TCP port 443

Domain Names for OpenFlow

Table 28: Domain Names for OpenFlow

Region | Domain Name
US-1 | https://app2-ofc.central.arubanetworks.com
US-2 | https://ofc-prod2.central.arubanetworks.com
US-WEST-4 | https://ofc-uswest4.central.arubanetworks.com
EU-1 | https://app2-eu-ofc.central.arubanetworks.com
EU-2 | https://ofc-eucentral2.central.arubanetworks.com
EU-3 | https://ofc-eucentral3.central.arubanetworks.com
Canada-1 | https://ofc-ca.central.arubanetworks.com
China-1 | https://ofc.central.arubanetworks.com.cn
APAC-1 | https://app2-ap-ofc.central.arubanetworks.com
APAC-EAST1 | https://ofc-apaceast.central.arubanetworks.com
APAC-SOUTH1 | https://ofc-apacsouth.central.arubanetworks.com

Other Domain Names

Table 29: Other Domain Names

Domain Name | Protocol | Description
sso.arubanetworks.com | TCP port 443 | Allows users to access their accounts on the internal server.
internal.central.arubanetworks.com, internal2.central.arubanetworks.com | TCP port 443 | Allows users to access the Aruba Central Internal portal.
pool.ntp.org | UDP port 123 | Allows users to update the internal clock and configure time zone when a factory default device comes up. By default, the Aruba devices contact pool.ntp.org and use NTP to synchronize their system clocks.
activate.arubanetworks.com | TCP port 443 | Allows users to configure provisioning rules in Activate.
stun.pqm.arubanetworks.com | UDP or TCP port 3478 and 3479 | Allows users to discover public IP over the WAN uplinks configured on devices.
pqm.arubanetworks.com | ICMP or UDP port 4500 | Allows users to check the health of WAN uplinks configured on Branch Gateways.
images.arubanetworks.com | TCP port 80 | Allows users to access the server that hosts software images available for upgrading devices.
http://h30326.www3.hpe.com | TCP port 80 | Allows users to access the Aruba switch software images. To view the URL for software updates, use the show activate software-update command.
d2vxf1j0rhr3p0.cloudfront.net | TCP port 443 | Allows users to access the CloudFront server for locating Instant AP software images.
rcs-m.central.arubanetworks.com (For all other regions), central-eurcs.central.arubanetworks.com (For Europe region) | TCP port 443 | Allows users to access a device console through SSH.
cloud.arubanetworks.com | TCP port 80 | Allows users to open the Aruba Central evaluation sign-up page.
aruba.brightcloud.com | TCP port 443 | Enables devices to access the Webroot Brightcloud server for application, application categories, and website content classification.
bcap15-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to look up the Webroot Brightcloud server for Website categories.
api-dualstack.bcti.brightcloud.com | TCP port 443 | Allows Aruba devices to access the IP Reputation and IP Geolocation service on the Webroot Brightcloud server.
database-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to download the website classification database from the Webroot Brightcloud server.

When configuring ACLs to allow traffic over a network firewall, use the domain names instead of the IP addresses.

For Branch Gateways to set up IPsec tunnel with the VPN concentrators, the UDP 4500 port must be open.

Connecting Devices to Aruba Central

Aruba devices support automatic provisioning, also known as ZTP. In other words, Aruba devices can download provisioning parameters from Aruba Activate and connect to their management entity once they are powered on and connected to the network.

Although most of the communication between devices on the remote site and Aruba Central server in the cloud is carried out through HTTPS (TCP 443), you may want to open the following ports for devices to communicate over network firewall.

This section includes the following topics:

- Domain names for Aruba Central Portal Access
- Domain Names for Device Communication with Aruba Central
- Domain Names for Device Communication with Aruba Activate
- Cloud Guest Server Domains for Guest Access Service
- Domain Names for OpenFlow
- Other Domain Names

Domain names for Aruba Central Portal Access

Table 30: Domain Names and URLs for Aruba Central Portal Access

Region | Domain Name | Protocol
US-1 | portal.central.arubanetworks.com | HTTPS TCP port 443
US-2 | portal-prod2.central.arubanetworks.com | HTTPS TCP port 443
US-WEST-4 | portal-uswest4.central.arubanetworks.com | HTTPS TCP port 443
EU-1 | portal-eu.central.arubanetworks.com | HTTPS TCP port 443
EU-2 | portal-eucentral2.central.arubanetworks.com | HTTPS TCP port 443
EU-3 | portal-eucentral3.central.arubanetworks.com | HTTPS TCP port 443
Canada-1 | portal-ca.central.arubanetworks.com | HTTPS TCP port 443
China-1 | portal.central.arubanetworks.com.cn | HTTPS TCP port 443
APAC-1 | portal-apac.central.arubanetworks.com | HTTPS TCP port 443
APAC-EAST1 | portal-apaceast.central.arubanetworks.com | HTTPS TCP port 443
APAC-SOUTH1 | portal-apacsouth.central.arubanetworks.com | HTTPS TCP port 443

Domain Names for Device Communication with Aruba Central

Table 31: Domain Names for Device Communication with Aruba Central

Region | Aruba Central URL | URL for Device Connectivity | Protocol | FQDNs for SD-WAN Orchestrator Service
US-1 | app.central.arubanetworks.com | app1.central.arubanetworks.com | HTTPS TCP port 443 | app1-h2.central.arubanetworks.com
US-2 | app-prod2.central.arubanetworks.com | device-prod2.central.arubanetworks.com | HTTPS TCP port 443 | device-prod2-h2.central.arubanetworks.com
US-WEST-4 | app-uswest4.central.arubanetworks.com | device-uswest4.central.arubanetworks.com | HTTPS TCP port 443 | device-uswest4-h2.central.arubanetworks.com
EU-1 | app2-eu.central.arubanetworks.com | device-eu.central.arubanetworks.com | HTTPS TCP port 443 | device-eu-h2.central.arubanetworks.com
EU-2 | app-eucentral2.central.arubanetworks.com | device-eucentral2.central.arubanetworks.com | HTTPS TCP port 443 | device-eucentral2-h2.central.arubanetworks.com
EU-3 | app-eucentral3.central.arubanetworks.com | device-eucentral3.central.arubanetworks.com | HTTPS TCP port 443 | device-eucentral3-h2.central.arubanetworks.com
Canada-1 | app-ca.central.arubanetworks.com | device-ca.central.arubanetworks.com | HTTPS TCP port 443 | device-ca-h2.central.arubanetworks.com
China-1 | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS TCP port 443 | device-h2.central.arubanetworks.com.cn
APAC-1 | app2-ap.central.arubanetworks.com | app1-ap.central.arubanetworks.com | HTTPS TCP port 443 | app1-ap-h2.central.arubanetworks.com
APAC-EAST1 | app-apaceast.central.arubanetworks.com | device-apaceast.central.arubanetworks.com | HTTPS TCP port 443 | device-apaceast-h2.central.arubanetworks.com
APAC-SOUTH1 | app-apacsouth.central.arubanetworks.com | device-apacsouth.central.arubanetworks.com | HTTPS TCP port 443 | device-apacsouth-h2.central.arubanetworks.com

Domain Names for AOS-CX Device Communication with Aruba Central

Table 32: Domain Names for AOS-CX Device Communication with Aruba Central

Region | Aruba Central URL | URL for Device Connectivity | Protocol
US-1 | app.central.arubanetworks.com | device-prod-d2.central.arubanetworks.com | HTTPS TCP port 443
US-2 | app-prod2.central.arubanetworks.com | device-prod2.central.arubanetworks.com | HTTPS TCP port 443
US-WEST-4 | app-uswest4.central.arubanetworks.com | device-uswest4-d2.central.arubanetworks.com | HTTPS TCP port 443
EU-1 | app2-eu.central.arubanetworks.com | device-eu.central.arubanetworks.com | HTTPS TCP port 443
EU-2 | app-eucentral2.central.arubanetworks.com | device-eucentral2-d2.central.arubanetworks.com | HTTPS TCP port 443
EU-3 | app-eucentral3.central.arubanetworks.com | device-eucentral3-d2.central.arubanetworks.com | HTTPS TCP port 443
Canada-1 | app-ca.central.arubanetworks.com | device-ca.central.arubanetworks.com | HTTPS TCP port 443
China-1 | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS TCP port 443
APAC-1 | app2-ap.central.arubanetworks.com | app1-ap.central.arubanetworks.com | HTTPS TCP port 443
APAC-EAST1 | app-apaceast.central.arubanetworks.com | device-apaceast.central.arubanetworks.com | HTTPS TCP port 443
APAC-SOUTH1 | app-apacsouth.central.arubanetworks.com | device-apacsouth.central.arubanetworks.com | HTTPS TCP port 443

Domain Names for Device Communication with Aruba Activate

Table 33: Domain Names for Device Communication with Aruba Activate

Domain Name | Protocol
device.arubanetworks.com | HTTPS TCP port 443
devices-v2.arubanetworks.com | HTTPS TCP port 443
est.arubanetworks.com * | HTTPS TCP port 443

* Required for Aruba 2530 switches to provision certificate using the EST server in Activate.

Cloud Guest Server Domains for Guest Access Service

Table 34: Domain Names for Cloud Guest Server Access

Region | Domain Name | Protocol
US-1 | nae1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-1 | nae1-elb.cloudguest.central.arubanetworks.com | TCP port 443
US-2 | naw2.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-2 | naw2-elb.cloudguest.central.arubanetworks.com | TCP port 443
US-WEST-4 | uswest4.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
US-WEST-4 | uswest4-elb.cloudguest.central.arubanetworks.com | TCP port 443
EU-1 | euw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
EU-1 | euw1-elb.cloudguest.central.arubanetworks.com | TCP port 443
EU-2 | naw2.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
EU-2 | naw2-elb.cloudguest.central.arubanetworks.com | TCP port 443
EU-3 | euw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
EU-3 | euw1-elb.cloudguest.central.arubanetworks.com | TCP port 443
Canada-1 | ca.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
Canada-1 | ca-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-1 | ap1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-1 | ap1-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-EAST1 | apaceast.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-EAST1 | apaceast-elb.cloudguest.central.arubanetworks.com | TCP port 443
APAC-SOUTH1 | apacsouth.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443
APAC-SOUTH1 | apacsouth-elb.cloudguest.central.arubanetworks.com | TCP port 443

Domain Names for OpenFlow

Table 35: Domain Names for OpenFlow

Region | Domain Name
US-1 | https://app2-ofc.central.arubanetworks.com
US-2 | https://ofc-prod2.central.arubanetworks.com
US-WEST-4 | https://ofc-uswest4.central.arubanetworks.com
EU-1 | https://app2-eu-ofc.central.arubanetworks.com
EU-2 | https://ofc-eucentral2.central.arubanetworks.com
EU-3 | https://ofc-eucentral3.central.arubanetworks.com
Canada-1 | https://ofc-ca.central.arubanetworks.com
China-1 | https://ofc.central.arubanetworks.com.cn
APAC-1 | https://app2-ap-ofc.central.arubanetworks.com
APAC-EAST1 | https://ofc-apaceast.central.arubanetworks.com
APAC-SOUTH1 | https://ofc-apacsouth.central.arubanetworks.com

Other Domain Names

Table 36: Other Domain Names

Domain Name | Protocol | Description
sso.arubanetworks.com | TCP port 443 | Allows users to access their accounts on the internal server.
internal.central.arubanetworks.com, internal2.central.arubanetworks.com | TCP port 443 | Allows users to access the Aruba Central Internal portal.
pool.ntp.org | UDP port 123 | Allows users to update the internal clock and configure time zone when a factory default device comes up. By default, the Aruba devices contact pool.ntp.org and use NTP to synchronize their system clocks.
activate.arubanetworks.com | TCP port 443 | Allows users to configure provisioning rules in Activate.
stun.pqm.arubanetworks.com | UDP or TCP port 3478 and 3479 | Allows users to discover public IP over the WAN uplinks configured on devices.
pqm.arubanetworks.com | ICMP or UDP port 4500 | Allows users to check the health of WAN uplinks configured on Branch Gateways.
images.arubanetworks.com | TCP port 80 | Allows users to access the server that hosts software images available for upgrading devices.
http://h30326.www3.hpe.com | TCP port 80 | Allows users to access the Aruba switch software images. To view the URL for software updates, use the show activate software-update command.
d2vxf1j0rhr3p0.cloudfront.net | TCP port 443 | Allows users to access the CloudFront server for locating Instant AP software images.
rcs-m.central.arubanetworks.com (For all other regions), central-eurcs.central.arubanetworks.com (For Europe region) | TCP port 443 | Allows users to access a device console through SSH.
cloud.arubanetworks.com | TCP port 80 | Allows users to open the Aruba Central evaluation sign-up page.
aruba.brightcloud.com | TCP port 443 | Enables devices to access the Webroot Brightcloud server for application, application categories, and website content classification.
bcap15-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to look up the Webroot Brightcloud server for Website categories.
api-dualstack.bcti.brightcloud.com | TCP port 443 | Allows Aruba devices to access the IP Reputation and IP Geolocation service on the Webroot Brightcloud server.
database-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to download the website classification database from the Webroot Brightcloud server.

When configuring ACLs to allow traffic over a network firewall, use the domain names instead of the IP addresses.

For Branch Gateways to set up IPsec tunnel with the VPN concentrators, the UDP 4500 port must be open.

Connecting Instant APs to Aruba Central

To bring up Instant APs in Aruba Central, perform the following steps:

1. Connect the Instant AP to a provisioning network.
2. Ensure that Instant AP is operational and is connected to the Internet.
3. Ensure that the Instant AP has a valid DNS server address either through DHCP or static IP configuration.
4. Ensure that NTP server is running and Instant AP system clock is configured.

Connecting Aruba Switches to Aruba Central

Note the following points about automatic provisioning of switches:

- Pre-configured switches can now join Aruba Central. You can also import configuration from these switches to generate a template. For more information, see Creating a Configuration Template.
- If the switches ship with a version lower than the minimum supported firmware version, a factory reset may be required, so that the switch can initiate a connection to Aruba Central. For information on the minimum firmware versions supported on the switches, see Supported AOS-Switch Platforms.
n During Zero Touch Provisioning, the Aruba switches can join Aruba Central only if they are running the factory default configuration, and have a valid IP address and DNS settings from a DHCP server. n The provisioning of the Aruba Mobility Access Switch fails when the provisioning process is interrupted during the initial booting and if the switch has a static IP address with no DNS server configured. Connecting SD-WAN Gateways to Aruba Central The Aruba gateways have the ability to automatically provision themselves and connect to Aruba Central once they are powered on. The gateways also support multiple active uplinks for ZTP (also referred to as automatic provisioning). The supported ZTP ports for different hardware platforms are listed in the following table. All these ZTP ports are assigned to VLAN 4094. Table 37: ArubaOS Hardware Platforms and Supported ZTP Ports ArubaOS Hardware Platform Supported ZTP Ports Aruba 7005 Gateway ALL ports except 0/0/1 Aruba 7008 Gateway ALL ports except 0/0/1 Aruba 7010 Gateway ALL ports except 0/0/1 Aruba 7030 Gateway ALL ports except 0/0/1 Aruba 7024 Gateway ALL ports except 0/0/1 Aruba 7210 Gateway ALL ports except 0/0/1 Aruba 7220 Gateway ALL ports except 0/0/1 Aruba 7240 Gateway ALL ports except 0/0/1 Aruba 7280 Gateway ALL ports except 0/0/1 Aruba 9004 Gateway ALL ports except 0/0/1 Getting Started with Aruba Central | 118 Table 37: ArubaOS Hardware Platforms and Supported ZTP Ports ArubaOS Hardware Platform Supported ZTP Ports Aruba 9004-LTE Gateway ALL ports except 0/0/1 Aruba 9012 Gateway ALL ports except 0/0/1 To know the minimum software version required for the gateways, see Supported SD-Branch Components. To automatically provision the gateways: 1. Connect your gateway to the provisioning network. 2. Wait for the device to obtain an IP address through DHCP. Gateways support multiple uplink ports. 
The first port to receive the DHCP IP connects to the Activate server and completes the provisioning procedure: n If the device has factory default configuration, it receives an IP address through DHCP, connects to Aruba Activate, and downloads the provisioning parameters. When a device identifies Aruba Central as its management entity, it automatically connects to Aruba Central. n If the device is running a software version that does not have the SD-WAN image, the devices are automatically upgraded to a supported SD-WAN software version. Aruba 72xx gateways with the ArubaOS 8.3.0.9 factory default image use only port 0/0/1 (the last copper port) for ZTP. When the factory default gateways connect to Activate through ZTP for the first time, Activate recommends a base SD-WAN image, which the gateways will download. In the SDWAN image, port 0/0/1 is used as a debug port, and DHCP requests will not be sent out of port 0/0/1 for subsequent ZTP requests. Hence, ZTP workflow for Aruba 72xx gateways with the ArubaOS 8.3.0.9 factory default image will not work. You must manually upgrade the Aruba 72xx gateways to the SD-WAN image or use other methods like full-setup and static-activate to provision the gateways. 3. Observe the LED indicators. Table 2 describes the LED behavior. Table 38: LED Indicators LED Indicator LCD Text Description Solid Amber Getting DHCP IP Indicates that the uplink connection is UP, but DHCP IP is yet to be retrieved. Blinking Amber Activate Wait Indicates that the device was able to reach the DHCP server and the connection to the Activate server is yet to be established. Solid Green Activate OK Indicates that the device was able to retrieve provisioning parameters from the Activate server. Alternating Solid Green and Amber Activate Error Indicates that the device was not able to retrieve provisioning parameters. After successfully connecting to Aruba Central, the gateways download the configuration from Aruba Central. 
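The domain and port requirements in Table 36, and the guidance to key firewall ACLs on domain names rather than IP addresses, can be checked against an exported rule set before devices attempt Zero Touch Provisioning. The following is an added example, not part of the Aruba guide: the rule-export layout, the function names and the sample rules are assumptions constructed for illustration, and it reads "or" in the Protocol column as "any one alternative is enough" and "and" as "every listed port is required".

```python
"""Audit firewall egress rules against a subset of Table 36 (added example)."""
import ipaddress
import re
from fnmatch import fnmatchcase

# (domain, Protocol cell) pairs copied from Table 36; extend with the remaining rows.
REQUIRED = [
    ("sso.arubanetworks.com", "TCP port 443"),
    ("pool.ntp.org", "UDP port 123"),
    ("activate.arubanetworks.com", "TCP port 443"),
    ("stun.pqm.arubanetworks.com", "UDP or TCP port 3478 and 3479"),
    ("pqm.arubanetworks.com", "ICMP or UDP port 4500"),
    ("images.arubanetworks.com", "TCP port 80"),
]

# Constructed sample of an exported rule set. The dict layout is hypothetical,
# not an Aruba or firewall-vendor format.
SAMPLE_RULES = [
    {"action": "allow", "dest": "sso.arubanetworks.com", "proto": "tcp", "port": 443},
    {"action": "allow", "dest": "pool.ntp.org", "proto": "udp", "port": 123},
    # Pinned address (documentation range) where the Activate FQDN should be.
    {"action": "allow", "dest": "203.0.113.10", "proto": "tcp", "port": 443},
    {"action": "allow", "dest": "stun.pqm.arubanetworks.com", "proto": "udp", "port": 3478},
    {"action": "allow", "dest": "pqm.arubanetworks.com", "proto": "icmp", "port": None},
    {"action": "allow", "dest": "images.arubanetworks.com", "proto": "tcp", "port": 80},
]

_CELL = re.compile(r"([A-Za-z]+(?: or [A-Za-z]+)*) port (\d+(?: and \d+)*)")


def parse_protocol(cell):
    """Turn a Protocol cell such as 'UDP or TCP port 3478 and 3479' into
    (protocols, ports). Assumed reading: protocols are alternatives,
    ports are all required."""
    m = _CELL.fullmatch(cell.strip())
    if m is None:
        raise ValueError(f"unrecognised protocol cell: {cell!r}")
    protos = tuple(p.lower() for p in m.group(1).split(" or "))
    ports = tuple(int(p) for p in m.group(2).split(" and "))
    return protos, ports


def is_ip_literal(dest):
    """True when a rule destination is an IP address or CIDR block, not a name."""
    try:
        ipaddress.ip_network(dest, strict=False)
        return True
    except ValueError:
        return False


def rule_allows(rule, domain, proto, port):
    """True when an allow rule covers domain/proto/port. A '*' wildcard in the
    rule destination is honoured (assumed firewall behaviour); ICMP has no port."""
    if rule["action"] != "allow" or rule["proto"].lower() != proto:
        return False
    if not fnmatchcase(domain, rule["dest"].lower()):
        return False
    return proto == "icmp" or rule.get("port") == port


def audit(rules, required=REQUIRED):
    """Return findings as (kind, destination, detail) tuples:
    'ip-literal' for allow rules keyed on addresses instead of domain names,
    'missing' for a required domain/port that no allow rule covers."""
    findings = []
    for rule in rules:
        if rule["action"] == "allow" and is_ip_literal(rule["dest"]):
            findings.append(("ip-literal", rule["dest"],
                             f'{rule["proto"]}/{rule.get("port")}'))
    for domain, cell in required:
        protos, ports = parse_protocol(cell)
        for port in ports:
            covered = any(rule_allows(r, domain, p, port)
                          for r in rules for p in protos)
            if not covered:
                findings.append(("missing", domain, f"{'|'.join(protos)}/{port}"))
    return findings


if __name__ == "__main__":
    for kind, dest, detail in audit(SAMPLE_RULES):
        print(f"{kind:10} {dest:32} {detail}")
```

A "missing" finding for activate.arubanetworks.com or pool.ntp.org on the provisioning network is the case to resolve first, since a factory-default device depends on both during ZTP.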
- From ArubaOS 8.7.0.0-2.3.0.0 release version onwards, Aruba SD-Branch Gateways no longer require an additional reboot when they receive the controller IP from Aruba Central after the ZTP process. Some services are restarted, resulting in an expected network impact, but the gateways do not reload for the second time. However, the gateways will reboot if there are any subsequent controller IP changes.
- The gateways also include service ports that the technicians can use for manually provisioning devices in the event of ZTP failure. For more information on ports available for Aruba 7000 Series Mobility Controllers and Aruba 7200 Series Mobility Controllers, see ArubaOS User Guide.

Device Configuration and Network Management

Aruba Central supports provisioning, managing, monitoring, and troubleshooting workflows for the following types of Aruba devices:

- Instant APs--Know more about Instant AP, supported hardware platforms and software versions and learn how to manage your WLAN deployments with Instant APs. For more information, see Instant APs.
- Switches--Know more about Aruba switches, supported hardware platforms and software versions, and learn how to manage wired access using switches. For more information, see AOS-Switches Overview.
- Gateways--Know more about SD-WAN Gateways, supported hardware platforms and software versions, and learn how to build and manage SD-WAN deployments. For more information, see Aruba SD-Branch Solution.
- Virtual Gateways--Deploy, connect, and manage Virtual Gateways hosted on customer VPC from Aruba Central. For more information, see Deploying Aruba Virtual Gateways.

Using the Search Bar

The search bar in the Network Operations app enables users to search for clients, devices, and infrastructure connected to the network. The search also retrieves relevant documentation to help users efficiently operate their networks.
The search engine uses Natural Language Processing (NLP) to analyze queries and return relevant search results. The following figure illustrates the search bar option in Aruba Central.

Figure 19 Search Bar

To start a search in the Aruba Central UI, click the search bar or press / (forward slash) on your computer keyboard. When you click the search bar, you can see the search suggestions in the Recent and Suggested Search list.

- Recent--Shows the searches performed recently in the search bar. These suggestions help you quickly look at the previous searches.
- Suggested Search--Shows search suggestions corresponding to the workflow that you follow in the Network Operations app. The suggested searches help you perform onboarding, monitoring, configuring, and troubleshooting tasks. For more information, see the Suggested Search page.

The following figure illustrates the sample search result in Aruba Central.

Figure 20 Sample Search Result

From the search results, you can navigate to:

1. Search Cards--displays monitoring summary and links to configuration, monitoring, and troubleshooting pages in the Network Operations app.
2. View--relevant links to the corresponding pages in the Network Operations app.
3. Read--relevant links to the help pages in the Aruba Central Help Center.

Suggested Search

The search bar displays search suggestions corresponding to the workflow that you follow as a user of the platform. The suggestions help you perform on-boarding tasks, bring up the devices in the network, and configure and troubleshoot network issues. The following are some of the sample queries to get you started on the on-boarding journey.
These sample queries in the Network Operations app search bar can guide you into getting started with Central, adding devices, assigning licenses to devices, creating groups and sites, and so on:

- Getting started with Central
- How to add devices
- How do I add licenses
- How to create groups
- How to create sites
- How to add device to a site
- How to add a new user
- Where to find install manager
- Install manager issues

The following figure illustrates search suggestions to get started with Aruba Central.

Figure 21 Suggestions to Get Started with Aruba Central

The following sample queries in the Network Operations app search bar can guide you to create SSIDs, configure a switch group, configure a gateway and so on:

- How to configure an SSID
- Configure SSID for group <Group Name> (Detect an AP group without SSID configuration)
- How to configure a switch group
- Configure switch group <Group Name>
- How to configure a switch port
- How to configure a Micro branch AP
- Configure Micro branch group <Name>
- How to configure a gateway
- Configure gateway group <Group Name>

The following figure illustrates search suggestions for the next actions to perform in Aruba Central based on the workflow that you follow in the Network Operations app.

Figure 22 Suggestions to Get Started with Aruba Central

Client Search Terms

The search bar helps you search for a client's information and navigate to the configuration and troubleshooting pages of the client in the Network Operations app.

The sample search terms on this page list the terms you can use for troubleshooting client issues in the Network Operations app. Using the search bar you can perform the following tasks:

- Hover over a client search card to view more details and links to the monitoring, configuration, and troubleshooting pages.
- Click the client name to open the Client Details page.
- Click View to open the corresponding page in Aruba Central. For example, clicking the View button corresponding to High DHCP Failures opens the AI Insights dashboard.
- Click Read to navigate to the documentation page in the Aruba Central Help Center relevant to the search terms.

Search Cards for Clients

The search results in Aruba Central display certain cards with monitoring information and links to the configuration and troubleshooting pages for the client. You can click the links to navigate to that particular page of the client in the Network Operations app. You can see the search cards when you search with the client name, IP address, or MAC address.

Following is an example of the search card that appears when you search with a client name:

Figure 23 Search Card for Client Name Search

Options available on the client's search card:

- Network Check--Opens the Network Check page for the client.
- Live Events--Opens the Live Troubleshooting page for the client.
- Events--Opens the Alerts & Events page for the client.
- Disconnect--Opens the Client Details page to disconnect the client.
- Insights--Opens the AI Insights page for the client.

Following is an example of the search card that appears when you search with a client IP address:

Figure 24 Search Card for Client IP Address Search

Following is an example of the search card that appears when you search with a client MAC address:

Figure 25 Search Card_Client MAC Address

Sample Search Terms for a Client

The following table lists the sample search terms for a client.

Table 39: Client Search Terms

| Typical Queries | Search Terms | Result |
| --- | --- | --- |
| View client(s) facing issues in the network | client issues, client anomalies, problem clients | Returns client(s) that failed to connect and client(s) experiencing issues such as high DHCP failures, authentication failures, high roaming latency, and so on. |
| View failed client(s) | client failures, failed clients | Returns client(s) that failed to connect to the network. |
| View client(s) running Windows operating system | list windows clients | Returns a list of the client(s) running Windows operating system. |
| View client(s) running Android operating system | list android clients | Returns a list of the client(s) running Android operating system. |
| View client(s) in a site | Enter list clients in site followed by the site name. Example--list clients in site California | Returns a list of all client(s) in the site. |
| View offline client(s) in a site | Enter show offline clients in site followed by the site name. Example--show offline clients in site California | Returns a list of offline client(s) in the site. |
| View connected client(s) in a particular site | Enter show connected clients in site followed by the site name. Example--show connected clients in site California | Returns a list of the connected client(s) in the site. |
| Search by client name | Enter the name of the client. Example--myipad | Returns the client whose name matches the search term. |
| Search by client MAC address | Enter client followed by the MAC address. Example--client 00:01:00:10:9f:20 | Returns the client whose MAC address matches the search term. |

User Experience Search Terms

The following table provides a list of recommended search terms with the corresponding search results. These sample search terms can help you in gauging the network performance and identifying anomalies affecting user experience in the Network Operations app.

Table 40: User Experience Search Terms

| Search Terms | Result |
| --- | --- |
| user experience issues | Returns the following links: Client-related insights generated for the last three hours; Network Health dashboard. Click View to open the corresponding page. |
| user experience issues last month | Returns client-related insights generated for the last one month. |
| client issues last week | Returns the following: Client(s) that failed to connect to the network in the last one week; Client-related insights generated for the last one week. |
| how is my network today | Returns the following links: Wi-Fi Connectivity dashboard; Network Health > List page. Click View to open the corresponding page. |
| is everything ok | Returns a link to the AI Insights dashboard. Click View to open the AI Insights dashboard and review the insights triggered. |
| roaming issues | Returns links to the following insights: Clients who Roamed Excessively; Clients with High Roaming Latency. Click View to open the corresponding insight and identify roaming anomalies. |
| authentication issues | Returns links to the following insights: Clients with High 802.1X Authentication Failures; Clients with High MAC Authentication Failures. Click View to open the corresponding insight and identify authentication anomalies. |
| problem clients | Returns client(s) that failed to connect and client(s) experiencing issues such as high DHCP failures, authentication failures, high roaming latency, and so on. |
| coverage issues | Returns links to the following insights: Clients with Low SNR Minutes; Coverage Holes Identified. Click View to open the corresponding insight and identify coverage anomalies. |

Device Search Terms

The search bar helps you to search all devices monitored by Aruba Central. The search enables you to navigate to the monitoring, configuration, and troubleshooting pages of the devices in the Network Operations app.

The sample search terms on this page list the terms you can use for troubleshooting device issues in the Network Operations app.
Using the search bar you can perform the following tasks:

- Hover over a device search card to view more details and links to the monitoring, configuration, and troubleshooting pages.
- Click the device name to open the corresponding Device Details page.
- Click View to open the corresponding page in Aruba Central. For example, clicking the View button corresponding to Alerts & Events Overview opens the Alerts & Events page.
- Click Read to navigate to the documentation page in the Aruba Central Help Center relevant to the search terms.

Search Cards for Devices

The search results in Aruba Central display certain cards with monitoring information and links to the configuration and troubleshooting pages for the device. You can click the links to navigate to that particular page of the device in the Network Operations app. You can see the search cards when you search with the device name, IP address, MAC address, group, site, or label name. Following are the examples for APs, switches, and gateways.

Following is an example of the search card that appears when you search with an Access Point name:

Figure 26 Search Card for the Access Point Name Search

Options available on the AP name search card:

- Configure--Opens the AP Configuration page.
- Network Check--Opens the Network Check page.
- Locate--Locates the AP in the network.
- Events--Opens the Alerts & Events page for the AP.
- Clients--Opens the Clients page for the AP.
- Configure Group--Opens the Access Points page to configure a group for the AP.
- Insights--Opens the AI Insights page for the AP.

Following is an example of the search card that appears when you search with a Switch name:

Figure 27 Search Card for the Switch Name Search

Options available on the switch name search card:

- Configure--Opens the Switch Configuration page.
- Network Check--Opens the Network Check page for the switch.
- Console--Opens the Switch Details page.
- Events--Opens the Alerts & Events page for the switch.
- Clients--Opens the Clients page for the AP.
- Configure Group--Opens the Switches page to configure a group for the switch.
- Insights--Opens the AI Insights page for the switch.

The following is an example of the search card that appears when you search with a gateway name:

Figure 28 Search Card for the Gateway Name Search

Options available on the gateway name search card:

- Configure Group--Opens the Gateways page to configure a group for the gateway.
- Network Check--Opens the Network Check page for the gateway.
- Console--Opens the Gateway Summary page for the gateway.
- Events--Opens the Alerts & Events page for the gateway.
- Clients--Opens the Clients page for the gateway.
- Session--Opens the Sessions page for the gateway.

The following is an example of the search card that appears when you search with a device serial:

Figure 29 Search Card for the Device Serial Search

The following is an example of the search card that appears when you search with a device IP address:

Figure 30 Search Card for the Device IP Address Search

The following is an example of the search card that appears when you search with a device MAC address:

Figure 31 Search Card for the Device MAC Address Search

The following is an example of the search card that appears when you search with a device group name:

Figure 32 Search Card for the Device Group Name Search

The following is an example of the search card that appears when you search with a device label:

Figure 33 Search Card for the Label Search

Sample Device Search Terms

The following table lists the search terms for AP, switch, and gateway.
Table 41: Device Search Terms

| Typical Queries | Search Terms | Result |
| --- | --- | --- |
| Access Point | | |
| View AP(s) facing issues in the network | AP issues, AP anomalies, problem APs | Returns a list of the AP(s) that are offline, AP radios changing channels more frequently, AP(s) experiencing higher than normal channel utilization, AP(s) experiencing frequent transmit power changes, and AP(s) that missed sending telemetry data, and so on. |
| View AP(s) in a site | Enter list aps in site or show aps in site followed by the site name. Example--list aps in site California | Returns a list of the AP(s) in the site. |
| View a list of online AP(s) | online aps | Returns a list of the AP(s) that are online. |
| View AP(s) belonging to a group | Enter list aps in group followed by group name. Example--list aps in group default | Returns a list of the AP(s) that belong to the group. |
| View AP(s) tagged with a particular label | Enter list aps in label followed by the label name. Example--list aps in label lobby | Returns a list of the AP(s) that are tagged with the label. |
| View AP(s) by model number | Enter show ap model followed by the model number. Example--show ap model ap-105 | Returns a list of the AP(s) whose model number matches the search term. |
| Search by AP name | Enter the name of the AP. Example--printer-room | Returns the AP whose name matches the search term. |
| Search by AP MAC address | Enter ap followed by the MAC address. Example--ap 94:b4:0f:d9:ba:cc | Returns the AP whose MAC address matches the search term. |
| Search by AP serial number | Enter ap serial followed by the serial number. Example--ap serial CNJJKPN1G5 | Returns the AP whose serial number matches the search term. |
| Switch | | |
| View switch(es) facing issues in the network | switch issues, switch anomalies, problem switches | Returns a list of switch(es) that are offline, switch(es) experiencing high CPU and memory utilization, switch(es) facing PoE issues, and so on. |
| View switch(es) in a site | Enter list switches in site or show switches in site followed by the site name. Example--list switches in site California | Returns a list of switch(es) in the site. |
| View a list of online switch(es) | online switches | Returns a list of switch(es) that are online. |
| View switch(es) belonging to a group | Enter list switches in group followed by group name. Example--list switches in group default | Returns a list of switch(es) belonging to the group. |
| View switch(es) tagged with a label | Enter list switches in label followed by the label name. Example--list switches in label store | Returns a list of switch(es) that are tagged with the label. |
| Search by switch name | Enter the name of the switch. Example--store-switch | Returns the switch whose name matches the search term. |
| Search by switch MAC address | Enter switches followed by the MAC address. Example--switch f8:60:f0:b6:22:00 | Returns the switch whose MAC address matches the search term. |
| Search by switch serial number | Enter switch serial followed by the serial number. Example--switch serial CN90HKX045 | Returns the switch whose serial number matches the search term. |
| Gateway | | |
| View gateway(s) facing issues in the network | gateway issues, gateway anomalies, problem gateways | Returns a list of gateway(s) that are down, gateway(s) experiencing high CPU and memory utilization, gateway tunnel(s) that are down, and so on. |
| View gateway(s) in a site | Enter list gateways in site or show gateways in site followed by the site name. Example--list gateways in site California | Returns a list of gateway(s) in the site. |
| Configure gateway(s) in a particular group | Enter configure gateways in group followed by the site name. Example--configure gateways in group default | Returns a link to the gateway configuration page. |
| View a list of online gateway(s) | online gateways | Returns a list of gateway(s) that are online. |
| View gateway(s) belonging to a group | Enter list gateways in group followed by group name. Example--list gateways in group default | Returns a list of gateway(s) belonging to the group. |
| View gateway(s) tagged with a label | Enter list gateways in label followed by the label name. Example--list gateways in label lobby | Returns a list of gateway(s) that are tagged with the label. |
| Search by gateway name | Enter the name of the gateway. Example--branch | Returns the gateway whose name matches the search term. |
| Search by gateway MAC address | Enter gateway followed by the MAC address. Example--gateway 00:0b:86:f9:0d:d2 | Returns the gateway whose MAC address matches the search term. |
| Search by gateway serial number | Enter gateway serial followed by the serial number. Example--gateway serial CZ0003248 | Returns the gateway whose serial number matches the search term. |

Network & Services Search Terms

The following table provides a list of recommended search terms with the corresponding search results for network and services.

Table 42: Network & Services Search Terms

| Search Terms | Result |
| --- | --- |
| service issues | Returns the following links: Wi-Fi Connectivity dashboard; AI Insights dashboard. Click View to open the corresponding page. |
| dhcp issues | Returns a link to the Clients with DHCP Server Connection Problems insight. Click View to open the insight and identify the DHCP failures impacting the network. |
| dns issues | Returns links to the following insights: DNS Queries Failed to Reach or Return from the Server; Delayed DNS Request or Response; DNS Servers Rejected High Number of Queries. Click View to open the corresponding insight and identify DNS anomalies. |
| authentication issues | Returns links to the following insights: Clients with High 802.1X Authentication Failures; Clients with High MAC Authentication Failures. Click View to open the corresponding insight and identify authentication anomalies. |

Site Search Terms

The search bar helps you to search all sites monitored by Aruba Central.

The sample search terms on this page list the terms you can use for troubleshooting site issues in the Network Operations app. Using the search bar you can perform the following tasks for a site:

- Hover over a site search card to view more details and links to the monitoring and troubleshooting pages.
- Click the site name to open the Site Health page.
- Click View to open the corresponding page in Aruba Central. For example, clicking the View button corresponding to Site Issues opens the AI Insights dashboard.

Search Cards for Sites

The search results in Aruba Central display certain cards with monitoring information and links to the troubleshooting pages for the site. You can click the links to navigate to that particular page of the site in the Network Operations app. You can see the search cards when you search with the site name.

Following is an example of the search card that appears when you search with a site name:

Figure 34 Search Card for a Site Name Search

Options available on the site search card:

- Site Health--Opens the Site Health page.
- Summary--Opens the Summary page for the site.
- Topology--Opens the Topology page for the site.
- Events--Opens the Alerts & Events page for the site.
- Reports--Opens the Reports page for the site.

The following table lists the search terms for a site.

Table 43: Site Search Terms

| Typical Queries | Search Terms | Result |
| --- | --- | --- |
| View problems in a site | Enter any problems in site followed by the site name. Example--any problems in site California | Returns the link to navigate to the AI Insights dashboard for the site. |
| View client(s) in a site | Enter list clients in site followed by the site name. Example--list clients in site California | Returns a list of all client(s) in the site. |
| View offline client(s) in a site | Enter show offline clients in site followed by the site name. Example--show offline clients in site California | Returns a list of offline client(s) in the site. |
| View connected client(s) in a site | Enter show connected clients in site followed by the site name. Example--show connected clients in site California | Returns a list of connected client(s) in the site. |
| View AP(s) in a site | Enter list aps in site or show aps in site followed by the site name. Example--list aps in site California | Returns a list of AP(s) in the site. |
| View switch(es) in a site | Enter list switches in site or show switches in site followed by the site name. Example--list switches in site California | Returns a list of switch(es) in the site. |
| View gateway(s) in a site | Enter list gateways in site or show gateways in site followed by the site name. Example--list gateways in site California | Returns a list of gateway(s) in the site. |
| View alerts at a specific site | Enter list gateways in site or show gateways in site followed by the site name. Example--list gateways in site California | Returns a list of gateway(s) in the site. |

Navigation Search Terms

The following table provides a list of recommended search terms with the corresponding search results. These sample search terms can help you navigate through Aruba Central. Based on the displayed results, click View to open the corresponding page in Aruba Central.
Table 44: Navigation Search Terms Search Terms UI Page network health Network Health > List access points usage statistics ap device summary Devices > Access Points > Summary list alerts Global > Alerts & Events > Summary client overview Clients > Summary bandwidth usage Global > Overview > Summary Aruba Central | User Guide 135 Table 44: Navigation Search Terms Search Terms configure ssid configure vpn assign virtual controller config ap ports radios profile manage firmware for virtual controller where can I configure switch configure switch stacks enable cdp for switches configuration conflicts for switches switch dhcp pools switch security dhcp how to configure switch igmp switch port priority manage switch ports configure VLANs configure gateways config audit gateway wan transport health wan performance show branch uplinks utilization virtual gateway settings how to upgrade gateway overlay route orchestrator topology topology list all saas apps saas express summary UI Page Group > Devices > Access Points > Config > WLANs > Wireless SSIDs Group > Devices > Access Points > Config > VPN Group > Devices > Access Points > Interfaces > Wired Group > Devices > Access Points > Config > Radios Global > Firmware > Access Points Devices > Switches > Config Devices > Switches > Stacks > Config Devices > Switches > System > CDP Devices > Switches > Configuration Audit Devices > Switches > IP Settings > DHCP Pools Devices > Switches > Security > DHCP Snooping Devices > Switches > IGMP Devices > Switches > Interface > PoE Devices > Switches > Interface > Ports Devices > Switches > Interface > VLANs Devices > Gateways > Config Devices > Gateways > Config > Advanced Mode > Config Audit Devices > Gateways > Summary Global > Overview > WAN Health > List Global > Overview > WAN Health > Summary Global > Network Services > Virtual Gateways Global > Firmware > Gateways Global > Network Services > SD-WAN Overlay > Route Site > Overview > Topology Global > Applications > SaaS Express 
> Map Getting Started with Aruba Central | 136 Table 44: Navigation Search Terms Search Terms ssh threats current threat map configure presence analytics view wifi connected devices setup guest access setup guest network ucc settings enable call prioritization for ucc list ucc call tutorials UI Page Global > Security > Gateway IDS/IPS > Threats List Global > Security > Gateway IDS/IPS > Summary Global > Guests > Presence Analytics > Config Global > Guests > Presence Analytics > Summary Global > Guests > Guest Access Group > Guests > Config > Guest Networks Global > Applications > UCC > Config > Settings Global > Applications > UCC > List WalkMe Menu for launching guided tutorials Aruba Central | User Guide 137 Chapter 4 Administering Aruba Central Administering Aruba Central Aruba Central is a cloud-native network operations and assurance solution for wired, wireless, and SD-WAN networks. Aruba Central unifies traditional management with AI-based network and user insights, and IoT device profiling in a single interface for simplified and secure management and control. Apps From the Account Home page, you can manage network inventory, subscriptions, and user access. You can provision or launch the following apps: n Network Operations n ClearPass Device Insight The application(s) displayed in the Apps section of the page are dependent on the app(s) that you selected while signing up for Aruba Central. For more information, see Creating an Aruba Central Account. To provision an app, click Get Started. After the app is provisioned, click Launch to navigate to the corresponding application UI. If the app provisioning fails, you can retry or contact Aruba Technical Support. Figure 35 All Apps Network Operations Network Operations is a unified network operations, assurance and security platform that simplifies the deployment, management, and service assurance of wireless, wired and SD-WAN environments. 
Network Operations provides a cloud-based network management platform for managing your wireless, WAN, and wired networks with Aruba APs, Gateways, and Switches. Along with device and network management functions, the app also offers value-added services such as customized guest access, client presence, and service assurance analytics. For more information, see Aruba Central Help Center.

ClearPass Device Insight

ClearPass Device Insight enables network and security administrators to discover, monitor, and automatically classify new and existing devices that connect to a network. You can identify devices that include IoT devices, medical devices, printers, smart devices, laptops, VoIP phones, computers, gaming consoles, routers, servers, and switches. For more information, see Aruba ClearPass Device Insight Information Center.

Global Settings

In Aruba Central, most of the general administration tasks are grouped under Global Settings. The following table lists all the options and relevant app(s) to which the option is applicable:

Table 45: Options & Apps

Option | App(s)
User and Roles | Network Operations, ClearPass Device Insight
Key Management | Network Operations, ClearPass Device Insight
Device Inventory | Network Operations
License Assignment | Network Operations
Data Collectors | Data Collectors option appears only if the ClearPass Device Insight app is provisioned.
Audit Trail | Network Operations
Single Sign On | Network Operations
API Gateway | API Gateway option appears only if the Network Operations app is provisioned and if the API Gateway license is enabled.
Webhooks | Network Operations

Users and Roles

Aruba Central users are broadly categorized as follows:
- Network Administrators--Network administrators manage, configure, and monitor devices in their respective network or organization using the Aruba Central Standard Enterprise interface.
- Service Provider Administrators--Service Provider administrators are referred to as the MSP administrators who create, manage, and monitor accounts for multiple organizations (tenants). For MSP accounts, the Network Operations app provides a separate interface called the MSP View, using which MSP administrators can provision and manage their respective tenant accounts. Tenant account users' access is limited to their respective account or network setup. For more information on creating tenant accounts, see the Aruba Central MSP User Guide.

Within each Aruba Central account, the admin users of the respective accounts can configure and manage the following types of users:
- System users--Users who authenticate to the Aruba SSO server (public cloud deployments) or LocalDB servers (private cloud deployments). System users can access both the UI and API interface with their Aruba Central login credentials. Access for the system users is determined by the role to which they are mapped. For more information on configuring system users, see Configuring System Users.
- External users--Users who log in to Aruba Central using an external authentication source. External user accounts are maintained by IT administrators of the respective organizations. External users are also referred to as federated users. To provide a secure and seamless sign-on experience for external users, Aruba Central supports a federation configuration module based on the SAML SSO framework. For more information on configuring the SAML SSO framework for federated users, see the Aruba Central SAML SSO Solution Guide.

The following table lists the tasks that you can perform from the Users and Roles page:

Table 46: Users and Roles--Tasks

Task | For more information...
Create, modify, or delete users | Configuring System Users
Create, modify, or delete user roles | Configuring User Roles
Resend email invitation to users | Resend Email Invite
Enable Two-Factor Authentication (2FA) | Two-Factor Authentication
Enable support access to debug issues | Support Access

Configuring System Users

In the Account Home page, the Users and Roles option under Global Settings allows you to create, modify, and delete users. This section describes the procedure for configuring users in an enterprise account. For information on how to configure system users in the MSP mode, see the Aruba Central Managed Service Provider User Guide.

Adding a System User

To add a user, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users and Roles page is displayed.
2. Click Add User. The New User window is displayed.
3. Configure the following parameters:
   - Username--Email ID of the user. Enter a valid email address.
   - Description--Description of the user role. You can enter up to a maximum of 32 characters including alphabets, numbers, and special characters in the text field.
   - Language--Select a language. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese languages.
   - Account Home--Select a user role for the Account Home page. If there are common modules between Account Home and other app(s), the Account Home user role has higher precedence. For example, the Devices and Subscription module in the Network Operations app. If an application is not provisioned, that application is not listed in the New User pop-up window.
   - Network Operations--Select a user role for the Network Operations application. If you assign the user role guestoperator, readonly, or readwrite, from the Select Groups drop-down list, select group(s). By default, the admin user role has access to all groups.
   - ClearPass Device Insight--Select a user role for the ClearPass Device Insight application.
   For more information on user roles, see Configuring User Roles.
4. Click Save. An email invite is sent to the user with a registration link. Users can use this link to access Aruba Central.

Figure 36 New User Window

The registration link in the email invite is valid for 15 days. The link expiry date is also mentioned in the registration email notification:

Figure 37 Aruba Central Registration Email

Resend Email Invite

If any user has not received the email invite, complete the following steps to resend the invite:
1. Click Actions and slide the Resend Invitation To Users toggle button to the right.
2. Enter the email ID and click Resend Invite.

Viewing User Details

In the Account Home page, under Global Settings, click Users and Roles. The Users tab is displayed. The List of Users table displays the following information:
- Email ID of the user.
- Type of user. The user can be system user or external user.
- Description of the user.
- Role assigned for the Network Operations app.
- Role assigned for the ClearPass Device Insight app. This option is displayed only if the ClearPass Device Insight app is provisioned and if you have subscribed to the app.
- Role assigned for the Account Home page.
- Allowed groups for the user.
- Last active time of the user. If the last active time cell is blank, the user has not logged in after the product upgrade.

Editing a User

To edit a user account, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users tab opens.
2. In the List of Users table, select the user and click the edit icon.
3. In the Edit User <"Username"> window, modify description, role, or allowed groups.
4. Click Save.

Deleting a User

To delete a user account:
1. In the Account Home page, under Global Settings, click Users and Roles.
   The Users tab opens.
2. In the List of Users table, select the user and click the delete icon.
3. Confirm user deletion in the Confirm Action dialog box.

Viewing Audit Trail Logs for Users

Audit logs are generated when a new user is created and when an existing user is modified or deleted from the Aruba Central account. Audit logs also record the login and logout activities of users.

To view audit logs for Aruba Central users:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page is displayed.
2. To view audit logs for user addition, modification, or deletion, click the filter in the Classification column, and select User Management.
3. To filter audit logs about user activity, click the filter in the Classification column, and select User Activity.

Configuring User Roles

A role refers to a logical entity used for determining user access to devices and application services in Aruba Central. Users are always tagged to roles that govern the level of user access to the Aruba Central applications and services. Access control for federated users is determined by the attributes set in the IdP.

Aruba Central supports a set of predefined roles with different privileges and access permissions. You can also configure custom roles.

The following sections are covered in this page:
- Predefined Roles
- Module Permissions
- Custom Roles
- Viewing Role Details
- Editing a Role
- Deleting a Role

Predefined Roles

The Users and Roles page allows you to configure the following types of users with system-defined roles:

Table 47: Predefined Roles

Application: Account Home
- admin--Administrator for the Account Home page. If there are common modules between Account Home and other app(s), the Account Home role has higher precedence and the user is granted permission if the operation is initiated from the Account Home page.
- guestoperator--Has guest operator access to the Network Operations application. User does not have access to Account Home > Global Settings.
- readwrite--Can view and modify settings in the Account Home page and all Global Settings pages.
  NOTE: The readwrite role does not have modify permission for the following pages:
     - Users and Roles
     - Single-Sign-On
- readonly--Can view the Account Home page and all Global Settings pages.

Application: Network Operations
- admin--Administrator for the Network Operations application. Has access to Account Home > Global Settings. This is applicable only if the Account Home role is not set or is not conflicting.
- deny-access--Cannot view the Network Operations application.
- guestoperator--Has guest operator access to the Network Operations application. User does not have access to Account Home > Global Settings.
- readonly--Has read-only access to Account Home > Global Settings and the Network Operations application.
- readwrite--Has read-write access to Account Home > Global Settings and the Network Operations application. Has access to view and modify data using the Aruba Central UI or APIs. However, the user cannot execute APIs to:
     - Enable or disable MSP mode.
     - Perform operations in the following pages:
          - Account Home > Users and Roles
          - Network Operations application > Organization > Labels and Sites

Application: ClearPass Device Insight
- admin--Administrator for the ClearPass Device Insight application.
- deny-access--Cannot view the ClearPass Device Insight application.
- readonly--Can launch and view all the pages in the ClearPass Device Insight application.

Module Permissions

Aruba Central enables you to define roles with view or modify permissions. You can also block user access to some modules. If a module is blocked for a specific role, either the corresponding pages are not displayed in the UI, or the user can access the pages but no data is displayed and all actions are disabled for the role.
Aruba Central supports setting permissions for the following modules:

Table 48: Permissions

Application: Account Home
- Devices and Subscription--Enables users to add devices and assign keys and subscriptions to devices in the Account Home page.
- Users--Enables users to define a role with access (View, Modify, or Block) to the user details in the Users tab in the Users and Roles page. To define the role, navigate to Account Home > Global Settings > Users and Roles.
- Roles--Enables users to define a role with access (View, Modify, or Block) to the role details in the Roles tab in the Users and Roles page. To define the role, navigate to Account Home > Global Settings > Users and Roles.
- SSO--Enables users to define a role with access (View, Modify, and Block) to the Single Sign On profiles details in the Users tab in the Single-Sign-On page (Account Home > Single-Sign-On). Enables users to define a role with access (View, Modify, or Block) to the Single Sign On profiles details in the Single Sign On page. To navigate to the Single Sign On page, go to Account Home > Single Sign On.

Application: Network Operations
- MSP--Enables users with administrator role and privileges to define user access to MSP modules such as Customer Management and Portal Customization. The MSP tenant account user does not have access to the MSP application. Even if a tenant account user is assigned a custom role having MSP application privileges:
     - Tenant account user does have access to the MSP application.
     - MSP does not appear in the Account Home > Global Settings > Users and Roles > Roles > Allowed Applications list.
- Group Management--Enables users to create, view, modify, and delete groups and assign devices to groups.
- Devices and Subscription--Users cannot edit or set permissions for this module. Modify and Block options are disabled. By default, the View Only permission is set.
- Network Management--Enables users to configure, troubleshoot, and monitor Aruba Central-managed networks. You can customize the permissions (View or Modify or Block) for the following sub-modules:
     - Configuration
     - Configuration Variables
     - Privileged Configuration
     - Firmware
     - Troubleshooting
     - Other Modules
  NOTE: For the Privileged Configuration, the Block option disables the Admin tab (Gateway > System > Admin) for the user. The user management privileges are disabled for this user for gateways at the device and group level.
- Guest Management--Enables users to configure cloud guest splash page profiles.
- AirGroup--Enables users to define or block user access to the AirGroup pages.
- Presence Analytics--Enables users to access the Presence Analytics app and analyze user presence data.
- Floorplans--Enables users to access Floorplans and RF heatmaps.
- Unified Communications--Enables users to access the Unified Communications pages.
- Install Manager--Enables users to manage installer profiles and site installations.
- Reports--Enables users to view and create reports.
- Other Applications--Enables users to access other applications modules such as notifications and Virtual Gateway deployment service.

Application: ClearPass Device Insight
NOTE: This option is displayed only if the ClearPass Device Insight app is provisioned and if you have subscribed to the app.
- Classified devices--Enables users to view or modify system and user-classified devices.
- Generic devices--Enables users to view or modify devices which are not classified by system or user.
- User classified devices--Enables users to view or modify user-classified devices.
- Discovery settings--Enables users to view, create, modify, or delete discovery settings.
- Application settings--Enables users to view or modify application level user settings.
- Reports--Enables users to create and view reports.
- Other Applications--Enables users to define or block access to other applications.
Custom Roles

Along with the predefined roles, Aruba Central also enables you to create custom roles with specific security requirements and access control. However, only users with the administrator role and privileges can create, modify, clone, or delete a custom role in Aruba Central.

With custom roles, you can configure access control at the application level and specify access rights to view or modify specific application services or modules. For example, you can create a custom role that enables access to a specific application such as Guest Management or Network Management and assign it to a user.

MSP tenant account users cannot add, edit, or delete roles.

Adding a Custom Role

The following are the permissions that you can associate with a custom role:
- Roles with Modify permission can perform add, edit, or delete actions within the specific module.
- Roles with View Only permission can only view the specific module.
- Roles with Block permission cannot view that particular module or can view the corresponding pages but no data is displayed and all actions are disabled.

To add a custom role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. Click Add Role. The New Role window is displayed.
4. Specify a name for the role.
5. From the drop-down list, select one of the following:
   - Account Home--To manage access to devices and subscriptions in Aruba Central.
   - Network Operations--To set permissions at the module level in the Network Operations application.
   - ClearPass Device Insight--To set permissions at the module level in the ClearPass Device Insight application. This option is displayed only if the ClearPass Device Insight app is provisioned and if you have subscribed to the app.
6. For Network Management and MSP modules, you can set access rights at the module level.
   To set view or edit permissions or block the users from accessing a specific module, complete the following steps:
   a. Click Customize.
   b. Select one of the following options for each module as required:
      - View Only
      - Modify
      - Block
7. Click Save.
8. Assign the role to a user account as required.

Viewing Role Details

To view the details of a role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab. The Roles tab displays the following information:
   - Role Name--Name of the role.
   - Allowed Applications--The application(s) to which the user account is subscribed.
   - Assigned Users--Number of users assigned to a role.

Editing a Role

To edit a role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the edit icon.
4. In the Edit Role <"Rolename"> window, modify the permissions set for module(s).
5. Click Save.

Deleting a Role

To delete a role, ensure that the role is not associated with any user and complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the delete icon.
4. Confirm role deletion in the Confirm Action dialog box.

Configuring SAML SSO for Aruba Central

The SSO solution simplifies user management by allowing users to access multiple applications and services with a single set of login credentials. If the application services are offered by different vendors, IT administrators can use the SAML authentication and authorization framework to provide a seamless login experience for their users.
To provide a seamless login experience for users whose identity is managed by an external authentication source, Aruba Central now offers a federated SSO solution based on the SAML 2.0 authentication and authorization framework. SAML is an XML-based open standard for exchanging authentication and authorization data between trusted partners; in particular, between an application service provider and the identity management system used by an enterprise. With Aruba Central's SAML SSO solution, organizations can manage user access using a single authentication and authorization source.

SAML SSO Solution Overview

The SAML SSO solution consists of the following key elements:
- Service Provider (SP)--The provider of a business function or service; for example, Aruba Central. The service provider requests and obtains an identity assertion from the IdP. Based on this assertion, the service provider allows a user to access the service.
- Identity Provider (IdP)--The Identity Management system that maintains identity information of the user and authenticates the user.
- SAML Request--The authentication request that is generated when a user tries to access the Aruba Central portal.
- SAML Assertion--The authentication and authorization information issued by the IdP to allow access to the service offered by the service provider (Aruba Central portal).
- Relying Party--The business service that relies on SAML assertion for authenticating a user; for example, Aruba Central.
- Asserting Party--The Identity management system or the IdP that creates SAML assertions for a service provider.
- Metadata--Data in the XML format that is exchanged between the trusted partners (IdP and Aruba Central) for establishing interoperability.
- SAML Attributes--The attributes associated with the user; for example, username, customer ID, role, and group in which the devices belonging to a user account are provisioned.
  The SAML attributes must be configured on the IdP according to specifications associated with a user account in Aruba Central. These attributes are included in the SAML assertion when Aruba Central sends a SAML request to the IdP.
- Entity ID--A unique string to identify the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not required as a URL by all providers.
- Assertion Services Consumer URL--The URL that sends the SAML request and receives the SAML response from the IdP.
- User--User with SSO credentials.

- Aruba Central SAML SSO solution supports only the HTTP Redirect POST method for sending and receiving SAML requests and responses.
- The SAML SSO integration allows federated users to access only the Central UI. The API Gateway access is restricted to system users that are configured and managed from Aruba Central.

How SAML SSO Works

Aruba Central supports the following types of SAML SSO workflows:
- SP-initiated SSO
- IdP-initiated SSO

SP-initiated SSO

In an SP-initiated SSO workflow, the SSO request originates from the service provider domain, that is, from Aruba Central. When a user tries to access Aruba Central, a federation authentication request is created and sent to the IdP server.

The following figure illustrates the standard SP-Initiated SAML SSO workflow:

Figure 38 SP-Initiated SSO

The SP-initiated SSO workflow with Aruba Central is supported only through the HTTP Redirect POST method. In other words, Aruba Central sends an HTTP redirect message with an authentication request to the IdP through the user's browser. The IdP sends a SAML response with an assertion to Aruba Central through HTTP POST.

The SP-initiated SSO workflow with HTTP Redirect POST includes the following steps:
1. The user tries to access Aruba Central and the request is redirected to the IdP.
2. Aruba Central sends an HTTP redirect message with the SAML request to the IdP for authentication through the user's browser.
3. The user logs in with the SSO credentials.
4. On successful authentication, the IdP sends a digitally signed HTML form with SAML assertion and attributes to Aruba Central through the web browser.
5. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access to the user.

IdP-initiated SSO

In the IdP-Initiated workflow, the SSO request originates from the IdP domain. The IdP server creates a SAML response and redirects the users to Aruba Central. The Aruba Central SAML SSO deployments support the IdP-initiated SSO workflow through the HTTP POST method.

The IdP-initiated SSO workflow consists of the following steps:
1. The user is logged in to the IdP and tries to access Aruba Central.
2. The IdP sends a digitally signed HTML form with SAML assertion and attributes to Aruba Central through the web browser.
3. If the digital signature and the attributes in the SAML assertion are valid, Aruba Central allows access to the user.

The following figure illustrates the standard IdP-Initiated SAML SSO workflow:

Figure 39 IdP-Initiated SSO

SAML SSO Single Logout

Aruba Central supports Single Logout (SLO) of SAML SSO users. SLO allows users to terminate server sessions established using SAML SSO by initiating the logout process once. SAML SLO can be initiated either from the Service Provider or the IdP. However, Aruba Central supports only the IdP-initiated SLO.

IdP-initiated SAML SLO

The IdP-initiated logout workflow includes the following steps:
1. User logs out of the IdP.
2. The IdP sends a logout request to Aruba Central.
3. Aruba Central validates the logout request from the IdP, terminates the user session, and sends a logout response to the IdP.
4. User is logged out of Aruba Central.
5. After the IdP receives the logout response from all service providers, the IdP logs out the user.

Configuring SAML SSO

The SAML SSO configuration for Aruba Central includes the following steps:
1. Configuring user accounts and roles in Aruba Central. For more information, see the Managing User Access topic in Aruba Central Help Center.
2. Configuring a SAML authorization profile in Aruba Central.
3. Configuring Service Provider metadata such as metadata URL, service consumer URL, Name and other attributes on the IdP server.

Configuring SAML Authorization Profiles in Aruba Central

For SAML SSO solution with Aruba Central, you must configure a valid SAML authorization profile in the Aruba Central portal.

Important Points to Note

Following are the important points to note about the SAML authorization in Aruba Central:
- The SAML authorization profile configuration feature is available only for the admin users of an Aruba Central account. Aruba Central allows only MSP admin users to configure SAML authorization profiles for their respective tenant accounts.
- Each domain can have only one federation. There must be at least one verified user belonging to the domain in the system users' list.
- Aruba Central allows only one authorization profile per domain.
- SAML user access is determined by the role attribute included in the SAML token provided by the IdP.
- SAML users with admin privileges can configure system users in Aruba Central.
- SAML users can initiate a Single Sign On request by trying to log in to Aruba Central (SP-initiated login). However, SAML users cannot initiate a single logout request from Aruba Central.
- The following menu options in Aruba Central UI are not available for a SAML user.
     - Enable MSP and Disable MSP--SAML users cannot enable or disable MSP deployment mode in Aruba Central.
     - Change Password--Aruba Central does not support changing the password of a SAML user account.
Before You Begin

Before you begin, ensure that you have the following information:
- Entity ID--A unique string that identifies the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not required as URL by all providers.
- Login URL--Login URL configured on the IdP server.
- Logout URL--Logout URL configured on the IdP server.
- Certificate Details--SAML signing certificate in the Base64 encoded format. The SAML signing certificates are required for verifying the identity of IdP server and relying applications such as Aruba Central.
- Metadata URL--Service provider metadata URL configured on the IdP server.

SAML profiles can also be configured using NB APIs. If you want to use NB APIs for configuring SAML profiles, use the APIs available under the SSO Configuration category in Aruba Central API Gateway.

Configuring a SAML Authorization Profile

To configure the SAML authorization profiles in Aruba Central, complete the following steps:
1. In the Account Home page, under Global Settings, click Single Sign On. The Single Sign On page is displayed.
2. To add an authorization profile, enter the domain name.
   - Ensure that the domain has at least one verified user.
   - For public cloud deployments, Aruba Central does not support adding hpe.com, arubanetworks.com and other free public domain names, such as Gmail.com, Yahoo.com, or Facebook.com, for SAML authorization profiles.
3. Click Add SAML Profile.
4. To manually enter the metadata:
   a. Select Manual Setting and enter the following information:
      - Entity ID--Entity ID configured on the IdP server.
      - Login URL--Login URL configured on the IdP server.
      - Logout URL--Logout URL configured on the IdP server.
      - Certificate--Certificate details. Ensure that the certificate content is in the Base64 encoded format. You can either upload a certificate or paste the contents of the certificate in the text box.
      Ensure that the Entity ID, Login URL, and Logout URL fields have valid HTTPS URLs.
   b. Click Save.
   The following figure shows an example for the manual entry of metadata:

   Figure 40 Manual Addition of Metadata

5. If you have already configured the IdP server and downloaded the metadata file, you can upload the metadata file. To upload a metadata file:
   a. Select Metadata File. Ensure that the metadata file is in the XML format and it includes valid certificate content and HTTPS URLs for the Entity ID, Login URL, and Logout URL fields.
   b. Click Browse and select the IdP metadata file. Aruba Central extracts the Entity ID, Login URL, Logout URL, and certificate content.
   c. Verify the details.
   d. Click Save.
   The following figure shows an example for the content imported from a metadata file:

   Figure 41 Importing Information from a Metadata File

Configuring Service Provider Metadata in IdP

Aruba Central supports SAML SSO authentication framework with various Identity Management vendors such as ADFS, PingFederate, Aruba ClearPass Policy Manager, and so on. Aruba recommends that you look up the instructions provided by your organization for adding service provider metadata to the IdP server in your setup.

Some of the generic and necessary attributes required to be configured on the IdP server for SAML integration with Aruba Central are described in the following list:
- Metadata URL--URL that provides service provider metadata.
- Entity ID--A unique string that identifies the service provider that issues a SAML SSO request. According to the SAML specification, the string should be a URL, although not required as URL by all providers.
- Assertion Services Consumer URL--The URL that sends SAML SSO login requests and receives authentication response from the IdP.
- NameID--The NameID attribute must include the email address of the user.
  <NameID>[email protected]</NameID>
  If the NameID attribute does not return the email address of the user, you can use the aruba_user_email attribute. Ensure that you configure the NameID or the aruba_user_email attribute for each user.
- SAML Attributes--The following example shows the syntax structure for SAML attributes:

    #customer 1
    aruba_1_cid = <customer-id>
    # app1, scope1
    aruba_1_app_1 = central
    aruba_1_app_1_role_1 = <readonly>
    aruba_1_app_1_role_1_tenant = <admin>
    aruba_1_app_1_group_1 = groupx, groupy
    aruba_1_app_2 = device_profiling
    aruba_1_app_2_role_1 = <readonly>
    aruba_1_app_3 = account_setting
    aruba_1_app_3_role_1 = <readonly>
    #customer 2
    aruba_2_cid = <customer-id>
    # app1, scope1
    aruba_2_app_1 = central
    aruba_2_app_1_role_1 = <readonly>
    aruba_2_app_1_role_1_tenant = <admin>
    aruba_2_app_1_group_1 = groupx, groupy
    aruba_2_app_2 = device_profiling
    aruba_2_app_2_role_1 = <readonly>
    aruba_2_app_3 = account_setting
    aruba_2_app_3_role_1 = <readonly>

Note the following points when defining SAML attributes in the IdP server:
- cid--Customer ID. If you have multiple customers, define attributes separately for each customer ID.
- app--Application. Set the value as per the following:
     - Network Operations--central
     - ClearPass Device Insight--device_profiling
     - Account Home--account_setting
- role--User role. Specify the user role. If no role is defined, Aruba Central assigns read-only role to the user.
- tenant role--Tenant user role. If the tenant role is not defined in the IdP, the MSP role is assigned to the SAML user.
- group--Group in Aruba Central. When a group is specified in the attribute, the user is allowed to access only the devices in that group. If the attribute does not include any group, Aruba Central allows SAML SSO users to access all groups. You can also configure custom attributes to add multiple groups if the user requires access to multiple groups.

Aruba Central recommends that you configure the Account Home application.
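The attribute scheme and the fallbacks described in this section can be reviewed before a claim set goes live on the IdP. The following Python code is an added example, not part of the Aruba guide or Aruba's own code: it resolves one user's aruba_<n>_... attributes into effective per-customer access and reports every place where a documented default decides the result (missing role, missing group, missing Account Home application). The customer IDs, the resolve_access function, the "*" all-groups marker, the use of the lowest role index, and reading "the MSP role is assigned" as "the tenant role equals the role attribute" are assumptions of the example.

```python
import re

# Application identifiers the page lists for the aruba_<n>_app_<m> attribute.
KNOWN_APPS = {"central", "device_profiling", "account_setting"}
ALL_GROUPS = "*"  # this example's own marker for "no group restriction"

ATTR_RE = re.compile(
    r"^aruba_(?P<cust>\d+)_(?:cid|app_(?P<app>\d+)"
    r"(?:_(?P<kind>role|group)_(?P<idx>\d+)(?P<tenant>_tenant)?)?)$"
)

# Constructed sample claim set for one user (not real customer data).
SAMPLE_CLAIMS = {
    "aruba_1_cid": "CID-EXAMPLE-0001",
    "aruba_1_app_1": "central",
    "aruba_1_app_1_role_1": "readwrite",   # no group attribute for this app
    "aruba_1_app_2": "device_profiling",   # no role attribute for this app
    "aruba_2_cid": "CID-EXAMPLE-0002",
    "aruba_2_app_1": "central",
    "aruba_2_app_1_role_1": "readonly",
    "aruba_2_app_1_role_1_tenant": "admin",
    "aruba_2_app_1_group_1": "groupx, groupy",
    "aruba_2_app_3": "account_setting",
    "aruba_2_app_3_role_1": "readonly",
    "aruba_2_app_1_roles_1": "admin",      # misspelled attribute name
}


def resolve_access(attrs):
    """Return ({customer_id: {app: access}}, [findings]) for one user's attributes."""
    customers, findings = {}, []
    for name, value in attrs.items():
        m = ATTR_RE.match(name)
        if not m or (m["kind"] == "group" and m["tenant"]):
            findings.append(f"{name}: does not match the attribute scheme")
            continue
        cust = customers.setdefault(int(m["cust"]), {"cid": None, "apps": {}})
        if m["app"] is None:
            cust["cid"] = value.strip()
            continue
        app = cust["apps"].setdefault(
            int(m["app"]), {"name": None, "roles": {}, "tenant": {}, "groups": []})
        if m["kind"] is None:
            app["name"] = value.strip()
        elif m["kind"] == "group":
            app["groups"] += [g.strip() for g in value.split(",") if g.strip()]
        elif m["tenant"]:
            app["tenant"][int(m["idx"])] = value.strip()
        else:
            app["roles"][int(m["idx"])] = value.strip()

    result = {}
    for slot, cust in sorted(customers.items()):
        if not cust["cid"]:
            findings.append(f"customer {slot}: no aruba_{slot}_cid attribute")
            continue
        access = {}
        for app_slot, app in sorted(cust["apps"].items()):
            label = f"{cust['cid']} app {app_slot}"
            if app["name"] not in KNOWN_APPS:
                findings.append(f"{label}: unknown application {app['name']!r}")
                continue
            # Assumption of this example: the lowest role index is the one used.
            role = app["roles"][min(app["roles"])] if app["roles"] else None
            if role is None:
                role = "readonly"  # documented default when no role is defined
                findings.append(f"{label}: no role, falls back to readonly")
            # Assumption: an undefined tenant role resolves to the role above.
            tenant = app["tenant"][min(app["tenant"])] if app["tenant"] else role
            groups = sorted(set(app["groups"]))
            if app["name"] == "central" and not groups:
                groups = ALL_GROUPS  # documented default: access to all groups
                findings.append(f"{label}: no group, user can access all groups")
            access[app["name"]] = {"role": role, "tenant_role": tenant, "groups": groups}
        if "account_setting" not in access and "central" in access:
            # Documented default: the Network Operations role is applied.
            access["account_setting"] = dict(access["central"], groups=[])
            findings.append(f"{cust['cid']}: Account Home not returned, "
                            "Network Operations role applies")
        result[cust["cid"]] = access
    return result, findings


if __name__ == "__main__":
    resolved, notes = resolve_access(SAMPLE_CLAIMS)
    for cid, apps in resolved.items():
        for app_name, acc in apps.items():
            print(cid, app_name, acc)
    for note in notes:
        print("REVIEW:", note)
```

Each REVIEW line marks access that comes from a default rather than from an explicit attribute, which is where a misspelled or omitted claim silently changes what the user can reach.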
However, if you do not return the Account Home application from the IdP, then the Network Operations role is applied by default.

See Also:
- Configuring Service Provider Metadata in Microsoft ADFS
- Configuring Service Provider Metadata in PingFederate IdP
- Configuring Service Provider Metadata in Aruba ClearPass Policy Manager

Configuring Service Provider Metadata in Microsoft ADFS

This procedure describes the steps required for configuring service provider metadata in Microsoft Active Directory Federation Services (ADFS) for SAML integration with Aruba Central. ADFS runs on Windows Servers and provides users with SSO access to application services hosted by the trusted service providers.

This topic provides a basic set of guidelines required for setting up the ADFS instance on a Windows Server 2016 as an IdP. The images used in this procedure may change with Windows Server updates.

Before you Begin
- Go through the SAML SSO feature description to understand how the SAML framework works in the context of Aruba Central.
- Ensure that the ADFS is installed and available for configuration on a Windows server. For more information, see the ADFS Deployment Guide.
- Ensure that an Active Directory security group is configured and the users are added as group members. For more information, see the ADFS Deployment Guide.

Steps to Configure Service Provider Metadata in ADFS

To enable SAML integration with ADFS, complete the following steps:
- Step 1: Adding a Relying Party Trust
- Step 2: Configure the Name ID Attribute
- Step 3: Configure the Customer ID Attribute
- Step 4: Configure the Application Attribute
- Step 5: Configure the Role Attribute
- Step 6: Configure the Group Attribute
- Step 7: Configure the Logout URL
- Step 8: Exporting Token-signing Certificate
- Step 9: SAML Authorization Profile in Aruba Central

Step 1: Adding a Relying Party Trust

To configure Aruba Central and ADFS as trusted partners, complete the following steps:
1.
On Windows Server, click Start > Administrative Tools > AD FS Management. The ADFS administrative console opens.
2. Click AD FS folder and select Add Relying Party Trust from the Actions menu.
   Figure 42 AD FS Management
3. Select Enter data about the relying party manually.
4. Click Next.
5. Enter a Display Name. The name entered here will be displayed in the management console and to the users logging in to Aruba Central.
6. Click Next.
7. Select AD FS Profile and then click Next.
8. Select Enable support for the SAML 2.0 WebSSO protocol check box and enter the consumer URL that you want to use for sending SAML SSO login requests and receiving SAML response from the IdP.
   Figure 43 Enabling Support for SAML 2.0 WebSSO Protocol
9. Click Next.
10. Add Aruba Central URL as the relying party trust identifier.
    Figure 44 Adding Relying Party Trust Identifier
11. Click Next.
12. Select the preferred security setting. You can select Permit all users to access this relying party option to permit access to all users.
13. Click Close.
14. Verify that Aruba Central is added to the list of relying party trusts.

Step 2: Configure the Name ID Attribute

The Name ID attribute is used for user identification. For SAML integration with Aruba Central, the Name ID attribute must include the email address of the user. If the Name ID attribute does not return the email address of the user, use the aruba_user_email attribute.

To configure the Name-ID attribute:
1. Select the display name you just added for Aruba Central and click Edit Claim Issuance Policy.
2. In the Edit Claim Issuance Policy window, click Add Rule.
3. Set the Claim Rule template to Send LDAP Attributes as Claims rule.
4. Click Next.
5. In the Claim rule name text box, enter Name-ID.
   Figure 45 Adding Claim Rule Name
6. Select the LDAP as the Attribute store.
7. Select the User-Principal-Name as LDAP attribute and Name ID for the Outgoing Claim Type.
8. Click Finish.

Step 3: Configure the Customer ID Attribute

To create a rule with the customer ID attribute:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the customer ID attribute. For example, aruba-cid.
5. Select a user group.
   Figure 46 Selecting a User Group
6. Click OK.
7. Select a customer ID attribute for the Outgoing claim rule and enter a value for the Outgoing claim value.
   Figure 47 Configuring Claim Rule Details
8. Click Finish.
9. If you have multiple customers, define the customer ID attribute separately for each customer ID.

Step 4: Configure the Application Attribute

To add a rule for the application attribute, complete the following steps:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App Name.
5. Select a user group.
6. Select the application attribute for Outgoing claim type and enter a value for the Outgoing claim value.
   Figure 48 Configuring the Application Attribute
7. Click Finish.

Step 5: Configure the Role Attribute

To add a rule for a role attribute, complete the following steps:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App Role.
5. Select a user group.
6.
Select the role attribute for Outgoing claim type and enter a value for the Outgoing claim value.
   Figure 49 Configuring the Role Attribute
7. Click Finish.

If the role attribute is not configured, Aruba Central assigns a read-only role to the user.

Step 6: Configure the Group Attribute

If you want to restrict user access to a group in Aruba Central, you can configure the group attribute. If the group attribute is not configured, Aruba Central allows SAML SSO users to access all groups.

To add a rule for a group attribute, complete the following steps:
1. In the Edit Claim Issuance Policy window, click Add Rule.
2. To send a claim based on a user's Active Directory group membership, set the Claim Rule template to Send Group Membership as a Claim.
3. Click Next.
4. In the Claim rule name text box, enter the application attribute. For example, Aruba Central App Group.
5. Select a user group.
6. Select a group attribute for Outgoing claim type and enter a value for the Outgoing claim value.
7. Click Finish.

Step 7: Configure the Logout URL

To enable IdP-initiated logout, complete the following steps:
1. Select the relying party trust entry created for Aruba Central and click Properties.
2. Click Endpoints.
3. To add a logout URL, click Add SAML.
4. Select the endpoint type as SAML Logout.
5. Select Redirect for Binding.
6. Enter the Aruba Central logout URL for Trusted URL.
   Sample Trusted URL: https://portal-yoda.arubathena.com/global_login/aaa_saml/adfsaruba.com?sls
7. Enter the IdP logout URL for Response URL.
   Figure 50 Configuring the Logout URL
8. Click OK.

Step 8: Exporting Token-signing Certificate

The token-signing certificate is required for SAML authentication. To export the token-signing certificate:
1. In the ADFS management console, go to AD FS > Service > Certificates.
2. Click the certificate under Token-signing and select View Certificate from the contextual menu.
3.
Click Details > Copy to File.
   Figure 51 Exporting Token-Signing Certificate
4. Click Next and select Base-64 encoded X.509 (.CER) as the certificate format.
5. Click Next.
6. Save the certificate file on your local directory.

Step 9: SAML Authorization Profile in Aruba Central

For information on how to configure a SAML authorization profile, see Configuring SAML Authorization Profiles in Aruba Central.

Configuring Service Provider Metadata in PingFederate IdP

This procedure describes the steps required for configuring service provider metadata in PingFederate.

This topic provides a basic set of guidelines required for service provider metadata on the PingFederate server. The images and attributes may change with PingFederate software updates.

Before you Begin

Go through the SAML SSO feature description to understand how the SAML framework works in the context of Aruba Central.

Steps to Configure Service Provider Metadata in PingFederate

To configure service provider metadata in PingFederate, complete the following steps:
- Step 1: Create an SP Connection Profile
- Step 2: Configure Browser SSO Settings
- Step 3: Configure Credentials
- Step 4: Review Configuration
- Step 5: SAML Authorization Profile in Aruba Central

Step 1: Create an SP Connection Profile

1. Log in to the PingFederate administration console.
2. Click IdP Configuration > SP Connections > Create New. The SP Connections page opens.
   Figure 52 SP Connections Window
3. In the Connection Type tab, select Browser SSO Profiles.
   Figure 53 Connection Options
4. Click the General Info tab.
5. Verify the Entity ID and select the logging mode.
   Figure 54 General Info
   Figure 55 Logging Mode
6. Click Next to configure the Browser SSO Settings.

Step 2: Configure Browser SSO Settings

1. On the SP Connections page in PingFederate administrative console, click Browser SSO.
   Figure 56 Browser SSO
2. Click Configure Browser SSO.
3.
Select the following SAML profiles:
   - Select IDP-INITIATED SSO
   - Select SP-INITIATED SSO
   Figure 57 SAML Profiles
4. Click Next. The Assertion Lifetime tab opens.
5. Click Next. The Assertion Creation page opens.
   a. Click Configure Assertion Creation. The Assertion Creation wizard opens.
      Figure 58 Assertion Creation Window
   b. Click Next. The Attribute Contract page opens.
   c. Add the SAML attributes in the SAML assertion. The IdP sends these attributes in the SAML Assertion.
      Figure 59 Attribute Contract
   d. Click Next. The Authentication Source Mapping tab opens.
      Figure 60 Authentication Source Mapping
   e. Click Map New Adapter Instance. The adapter configuration screen opens.
      Figure 61 Adapter Instance
   f. Complete the following configuration steps:
      i. Click Mapping Method and select a mapping option.
         Figure 62 Mapping Method Selection
      ii. Click Attribute Sources and User Lookup.
      iii. To add a data source, click Add Attribute Store and add the data store ID as shown in the following figure:
         Figure 63 Add Data Store ID
      iv. Click Save.
6. On the SP Connections > Browser SSO Settings page, click Protocol Settings to configure the Browser SSO Protocol Settings, SSO service URLs, and SAML bindings.
   Figure 64 Protocol Settings
7. Click Configure Protocol Settings and complete the following steps:
   a. Verify the Assertion Consumer Service URL. The endpoint URLs for Redirect and Post bindings are both automatically populated from the metadata. If not, enter the URL manually. The URL will be the same for both bindings.
      Figure 65 Assertion Consumer Service URL Verification
   b. Click Next. The Allowable SAML Bindings tab opens.
   c. Select Post and Redirect.
      Figure 66 SAML Bindings Selection
   d. Click Next. The Encryption Policy Settings tab opens.
   e. Select None.
      Figure 67 Encryption Policy Settings
   f. Click Next. Review the protocol setting.
   g.
Click Done.

Step 3: Configure Credentials

1. On the SP Connections page in the PingFederate administrative console, click Credentials.
2. Click Configure Credentials.
3. Click Digital Signature Settings.
4. Select the certificate to use for digital signature in SAML messages.
   Figure 68 Digital Signature Settings

Step 4: Review Configuration

To review the configuration, click the Activation & Summary tab.

Step 5: SAML Authorization Profile in Aruba Central

For information on how to configure a SAML authorization profile, see Configuring SAML Authorization Profiles in Aruba Central.

Configuring Service Provider Metadata in Aruba ClearPass Policy Manager

This procedure describes the configuration steps required for setting up Aruba ClearPass Policy Manager as an IdP.

ClearPass must be synced to NTP along with any other SAML SPs and IdPs. If clocks are out of sync, SAML will not function.

Before you Begin
- Go through the SAML SSO feature description to understand how the SAML framework works in the context of Aruba Central.
- Ensure that you have access to the ClearPass Policy Manager instance.
- Ensure that you have downloaded the SAML metadata from Aruba Central.

Steps to Configure ClearPass Policy Manager as an IdP

To configure ClearPass as an IdP for providing SAML authentication and authorization services to Aruba Central, complete the following steps:
- Step 1: Configuring Enforcement Profile and Policies
- Step 2: Adding Roles
- Step 3: Mapping Roles to Enforcement Policies
- Step 4: Configuring an IdP Service
- Step 5: Uploading SP Metadata
- Step 6: Adding Local Users
- Step 7: Configuring SAML Authorization Profile in Aruba Central

Step 1: Configuring Enforcement Profile and Policies

To configure an enforcement profile:
1. Go to Configuration > Enforcement > Profiles.
2. Click Add to add a new enforcement profile. The Enforcement Profiles page is displayed.
3.
In the Profile tab, select the template as Generic Application Enforcement from the Template drop-down list.
4. Enter a name and description for the profile in the Name and Description fields.
5. In the Action field, click and select Accept from the given options.
6. Click Next. The Attributes tab is displayed.
7. Click to add the attributes name and attributes value in the Attributes Name and Attributes Value fields. Ensure that you add Aruba-defined attributes and values. To know more about Aruba defined attributes, see Configuring Service Provider Metadata in IdP.
8. Click Next. The Summary tab is displayed.
9. In the Summary tab, check the information entered in the Profile and Attributes field and click Save to save the enforcement profile.

To configure an enforcement policy, complete the following steps:
1. Go to Configuration > Enforcement > Policies.
2. Click Add to add a new enforcement policy. The Enforcement Policies page is displayed.
3. Enter a name and description for the policies in the Name and Description fields.
4. In the Enforcement Type field, click and select Application.
5. From the Default Profile drop-down list, select the profile which you created.
6. Click Next. The Rules tab is displayed.
7. For configuring the rules, follow the steps mentioned in Step 3 below.
8. Click Next. The Summary tab is displayed.
9. In the Summary tab, check and validate the information and click Save to save the enforcement policy.

Step 2: Adding Roles

To add a user role:
1. Go to Configuration > Identity > Roles. The Roles page is displayed.
2. To add a new role, click Add in the Roles page.
   Figure 69 Configuring Roles
3. Enter the role name and description in the Name and Description fields and click Save to save the role.
   Figure 70 Adding Role Information

Step 3: Mapping Roles to Enforcement Policies

To map roles to enforcement policies:
1. Go to Configuration > Enforcement > Policies.
   The Enforcement Policies page is displayed.
2. Click and select the policy that you created.
3. Click the Rules tab and select Add rule to map a rule to the policy.
4. In the Rules Editor page, fill in the Type, Name, Operator, and Values as shown in the below example figure.
   Figure 71 Rules Editor Page
5. In the Profile Names under Enforcement Profiles, select the profile that you created and click Save.
6. Click Save.

Step 4: Configuring an IdP Service

To configure an IdP service, complete the following steps:
1. Go to Configuration > Services. The Services Page is displayed.
2. From the Services page, click Add to add a new service.
3. In the Service tab, select Aruba Application Authentication as a type of authentication from the Type drop-down list.
4. Enter a name Prefix and description for the services in the Name and Description fields respectively. This prefix is used to name all of the services and enforcement policies/profiles created by the wizard.
5. Optionally, you can enable the monitor mode and more options by clicking the Monitor Mode and More Options check boxes. By default, both the check boxes are not selected.
6. From the Service Rule option, select ANY or All of the following conditions to match the conditions.
7. You can define Type, Name, Operator, and Values for the condition by clicking and selecting from the respective drop-down lists.
8. Click Next. The Authentication tab is displayed.
9. Select [Local User Repository] [Local SQL DB] as an authentication source from Authentication Sources drop-down list.
10. Click Next. The Roles tab is displayed.
11. Keep the Roles tab to default values.
12. Click Next. The Enforcement tab is displayed.
13. Add an enforcement policy from the Enforcement Policy drop-down list.
14. Click Next. The Summary tab is displayed.
15.
In the Summary tab, check if all the information in Service, Authentication, Roles, and Enforcement fields are correct and click Save to save the service.

Step 5: Uploading SP Metadata

To upload SP metadata, complete the following steps:
1. In the Account Home page, under Global Settings, click Single Sign On. The Single Sign On page is displayed.
2. Select the SAML authorization profile configured for the ClearPass IdP service, click Show Metadata, and download the metadata.
3. To upload SP metadata, go to Configuration > Identity > Single Sign-On (SSO).
4. Click SAML IdP Configuration tab, and click Add SP metadata.
5. Set the SP name as Aruba Central and select the metadata file and click Upload.
   Figure 72 SAML IdP Configuration

Step 6: Adding Local Users

To add local users, complete the following steps:
1. Go to Configuration > Identity > Local Users. The Local Users page is displayed.
2. In the Local Users page, click Add. The Add Local User page is displayed.
3. Enter the user id, name, and password in their respective fields.
4. Enter the password again to verify password in the Verify Password field.
5. By default, the Enable User check box is selected.
6. Select the Change Password check box if you want to force change the password on next user login. By default, the check box is not selected.
7. Select the role from the Role drop-down list and click Add to add the user.
   Below is an example figure for adding user:
   Figure 73 Adding a Local User

Step 7: Configuring SAML Authorization Profile in Aruba Central

For information on how to configure a SAML authorization profile, see Configuring SAML Authorization Profiles in Aruba Central.

Configuring Service Provider Metadata in G Suite

This procedure describes the configuration steps required for setting up service provider metadata in G Suite.

Before you Begin
- Go through the SAML SSO feature description to understand how the SAML framework works in the context of Aruba Central.
- Ensure that you have a domain and administrator-privilege access to G Suite. For more information, see G Suite Admin Help.
- Ensure that you have a verified user in Aruba Central.
- Ensure that you have downloaded the SAML metadata from Aruba Central.

Steps to Configure Service Provider Metadata in Google Admin Console

To configure Google Admin Console for providing SAML authentication and authorization services to Aruba Central, complete the following steps:
- Step 1: Add Custom Attributes
- Step 2: Add new user
- Step 3: Add values to custom attributes
- Step 4: Set up Custom SAML app
- Step 5: Turn on SSO to your new SAML app

Step 1: Add Custom Attributes

To add custom attributes in Google Admin:
1. In the Google Admin console, go to Users > More > Manage custom attributes. The Manage user attributes page is displayed.
2. At the top right corner, click Add Custom Attribute.
   Figure 74 Manage User Attributes
3. In the Add custom fields pop-up window, configure the parameters as per the following table:

   Parameter--Description
   - Category--Enter a name for the category you want to add.
   - Description--Optionally, enter a description for the category.
   - Custom fields--Configure the custom fields as per the following:
     - Name--Enter the label you want to display on the user's account page.
     - Info type--Select one of the following from the drop-down list:
       - Text
       - Whole Number
       - Yes or No
       - Decimal number
       - Phone
       - Email
       - Date
     - Visibility--Select one of the following from the drop-down list:
       - Visible to user and admin
       - Visible to organization
     - No. of values--Select one of the following from the drop-down list:
       - Multi-Value
       - Single-value

   NOTE:
   - You cannot edit the info type and No. of values once you have created the custom attribute.
   - You can add multiple custom attributes in the Custom fields. Make sure that you add the Aruba supported attributes in the Name field.
     For more information on Aruba supported attributes, see Configuring Service Provider Metadata in IdP.
4. Click Add to finish adding the custom attributes.

Step 2: Add new user

To add a new user in the Google Admin console, complete the following steps:
1. In the Google Admin console, go to Users > Add new user. The Add new user page is displayed.
2. To add an image for the user, click Add photo and select the image file from the storage. You can also add the image later if you do not have it ready.
3. Fill the account information as per the following table:

   Parameter--Description
   - First name--Enter the first name of the user.
   - Last name--Enter the last name of the user.
   - Primary email--Enter the primary email of the user.
   - Organization unit--The field gets auto populated.
   - Secondary email--Optionally, enter the secondary email of the user.
   - Phone number--Optionally, enter the phone number of the user.

4. You can either generate the password automatically by turning on the toggle button or enter the password manually. By default, you have to enter the password manually. While creating the password, make sure that the password is at least 8 characters long.
5. Optionally, turn on the toggle to ask the user to change the password at the next sign-in.
6. Click Add New User.

Step 3: Add values to custom attributes

You can add or update values for custom attributes on the User information page for a user. To add values to custom attributes:
1. In the Google Admin console, click Users. The user page is displayed.
   Figure 75 Users Page
2. From the users list, find the user by using a filter or Search bar. For more information on how to find the user, see Find a user account.
3. Click User information.
   Figure 76 User Information
4. Click the Aruba-Attributes section to edit.
5. Add or change values to custom attributes as shown in the following example figure:
   Figure 77 Editing Aruba-Attributes
6.
Click Save.

You can assign to the user only roles that already exist and are valid in Aruba Central.

Step 4: Set up Custom SAML app

To set up your own custom SAML app:
1. Log in to G Suite. The Admin console is displayed.
   Figure 78 Google Admin Console
2. From the Admin Console main screen, click Apps. The Apps page is displayed.
3. From the Apps screen, click SAML apps. The SAML apps page is displayed.
   Figure 79 SAML Applications
4. Click the + sign at the bottom of the screen to add a new SAML app (or, you can edit an existing one). The Enable SSO for SAML Application window page is displayed.
   Figure 80 Enable SSO for SAML Application
5. Click Setup My Own Custom App. The Google IdP Information window opens and the SSO URL and Entity ID fields automatically populate.
   Figure 81 Setup Custom Application
6. Get the setup information needed using one of these methods:
   a. Copy the SSO URL and Entity ID and download the Certificate.
   b. Download the IdP metadata.
   Figure 82 Google IdP Information
7. In a separate browser tab or window, sign in to Aruba Central and enter the information you copied in step 6 above into the appropriate SSO configuration page, then return to the Admin console. For information on how to configure a SAML authorization profile, see Configuring SAML Authorization Profiles in Aruba Central.
8. Click Next.
9. In the Basic Information for Your Custom App window, add an application name and description.
10. Optionally, upload a PNG or GIF file to serve as an icon for your custom app. The icon image should be of size 256 x 256 pixels.
    Figure 83 Configuring Basic Information
11. Click Next.
12. In Aruba Central, select the SAML authorization profile configured for the domain, click show meta data, download the metadata, and return to the G Suite Admin console.
13. In the Service Provider Details window, enter an ACS URL, Entity ID, and Start URL (if needed) for your custom app.
    These values are all provided from the downloaded metadata.
14. By default, the Signed Response check box is not selected.
15. The Name ID and Name ID Format fields are automatically populated.
    Figure 84 Service Provider Details
16. Click Next.
17. Optionally, click Add New Mapping and enter a new name for the attribute you want to map.
18. In the drop-down list, select the category and user attributes to map the attribute from the Google profile.
    Figure 85 Attribute Mapping
19. Click Finish.

Step 5: Turn on SSO to your new SAML app

To turn on SSO in your SAML app:
1. In the Google Admin console, go to Apps > SAML apps and select the SAML app that you created.
2. At the top right corner of the gray box, click Edit Service.
   Figure 86 Editing a Service
3. To turn on or off a service for everyone in your organization, click On for everyone or Off for everyone from the Service status option, and click Save.
   Figure 87 Configuring All Organizational Units

Viewing Federated Users in Aruba Central

If your Aruba Central account has SAML SSO users, Aruba Central displays these users as federated users. To view a list of federated users in your account:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users & Roles page opens.
2. In the Users table, use the filter in User Type column to sort the table by federated users.

Viewing Audit Logs for Federated Users in Aruba Central

The federated or the SAML SSO user activity is logged in Aruba Central as audit trails. To view the audit logs for federated users, complete the following steps:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page is displayed.
2. To filter audit logs by federated user activity, click the filter in the Category column and select User Activity.

To view audit logs for the SAML authorization profiles, in the Audit Trail page, select SAML Profile from the Classification filter.
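
The attribute scheme listed under Configuring Service Provider Metadata in IdP, and the ClearPass note about NTP-synced clocks, can be checked against an assertion captured from the browser before users are moved to SSO. The following Python script is an added example, not part of the Aruba guide or Aruba's code; the finding codes, the msp_account flag, the 3-minute clock-skew allowance, and the sample assertion are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# App values listed in the guide: Network Operations, ClearPass Device Insight, Account Home.
VALID_APPS = {"central", "device_profiling", "account_setting"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample (not a real trace): NameID is not an email address, no role,
# no group, no Account Home app, and a tenant role on a standalone account.
SAMPLE = """<Assertion>
  <Subject><NameID>jdoe</NameID></Subject>
  <Conditions NotBefore="2024-05-01T10:00:00.000Z" NotOnOrAfter="2024-05-01T11:00:00.000Z"/>
  <AttributeStatement>
    <Attribute Name="aruba_1_cid"><AttributeValue>00000000000000000000000000000000</AttributeValue></Attribute>
    <Attribute Name="aruba_1_app_1"><AttributeValue>central</AttributeValue></Attribute>
    <Attribute Name="aruba_1_app_1_role_1_tenant"><AttributeValue>readonly</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""


def _local(tag):
    """Drop an XML namespace such as {urn:oasis:names:tc:SAML:2.0:assertion}."""
    return tag.rsplit("}", 1)[-1]


def _ts(value):
    """Parse a SAML UTC timestamp such as 2019-06-14T11:57:47.883Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, now, msp_account=False, skew=timedelta(minutes=3)):
    """Return (code, message) findings for one captured assertion.

    Diagnostic only: it does not verify the XML signature, so run it on traces
    you captured yourself, never as an authentication decision.
    """
    findings, attrs, name_id = [], {}, ""
    for el in ET.fromstring(xml_text).iter():
        tag = _local(el.tag)
        if tag == "NameID":
            name_id = (el.text or "").strip()
        elif tag == "Attribute":
            attrs[el.get("Name", "")] = [
                (v.text or "").strip() for v in el if _local(v.tag) == "AttributeValue"
            ]
        elif tag == "Conditions":
            not_before, not_after = el.get("NotBefore"), el.get("NotOnOrAfter")
            if not_before and now + skew < _ts(not_before):
                findings.append(("TIME", "not yet valid: compare IdP and SP clocks (NTP)"))
            if not_after and now - skew >= _ts(not_after):
                findings.append(("TIME", "expired: compare IdP and SP clocks (NTP)"))

    # NameID must carry the user's email address; aruba_user_email is the fallback.
    email = name_id if EMAIL_RE.match(name_id) else (attrs.get("aruba_user_email") or [""])[0]
    if not EMAIL_RE.match(email):
        findings.append(("NAMEID", "no email address in NameID or aruba_user_email"))

    customers = sorted({m.group(1) for m in (re.match(r"aruba_(\d+)_", k) for k in attrs) if m}, key=int)
    if not customers:
        findings.append(("CID", "no aruba_<n>_cid attribute returned"))
    for n in customers:
        if not any(attrs.get(f"aruba_{n}_cid", [])):
            findings.append(("CID", f"customer {n}: aruba_{n}_cid missing or empty"))
        apps = {}
        for key, values in attrs.items():
            m = re.fullmatch(rf"aruba_{n}_app_(\d+)", key)
            if m:
                apps[m.group(1)] = values[0] if values else ""
        for idx, app in sorted(apps.items()):
            role_prefix = f"aruba_{n}_app_{idx}_role_"
            group_prefix = f"aruba_{n}_app_{idx}_group_"
            roles = [k for k in attrs if k.startswith(role_prefix)]
            if app not in VALID_APPS:
                findings.append(("APP", f"aruba_{n}_app_{idx}={app!r} is not a listed app value"))
            if all(k.endswith("_tenant") for k in roles):
                findings.append(("ROLE_DEFAULT", f"app {idx}: no role sent, read-only is assigned"))
            # Assumption: groups matter for the Network Operations app, as in the guide's sample.
            if app == "central" and not any(k.startswith(group_prefix) for k in attrs):
                findings.append(("GROUP_ALL", f"app {idx}: no group sent, all groups are accessible"))
            if not msp_account and any(k.endswith("_tenant") for k in roles):
                findings.append(("TENANT", f"app {idx}: tenant role sent for a standalone account"))
        if "account_setting" not in apps.values():
            findings.append(("ACCOUNT_HOME", f"customer {n}: Account Home app not returned"))
    return findings


if __name__ == "__main__":
    for code, message in check_assertion(SAMPLE, datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)):
        print(f"{code:13} {message}")
```

A GROUP_ALL or ROLE_DEFAULT finding is not an error in Aruba Central; it marks a place where the documented default decides the user's access instead of the IdP.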

Converting System Users to Federated Users

The system users in Aruba Central use the standard authentication method, whereas the federated users sign in to Aruba Central using the SAML-based SSO authentication method. If your business requires you to move system users from the standard authentication method to SAML-based authentication, follow the steps described in this page.

Before you Begin

Check if the user is accessing Aruba Central application using the web application, API Gateway, or the mobile app. Aruba does not support SAML-based SSO logins for Aruba Central API Gateway, Aruba Installer, and Aruba Central mobile apps; hence, it is recommended that you do not convert the API Gateway and mobile app user profiles to federated users.

Migrating Aruba Central Web Application Users to Federated User Profiles

To move system users of the Aruba Central web application to the SAML-based authentication method:
1. Back up the user profiles in the domain that is being migrated to SAML-based authentication framework. To view and create a backup of a list of existing user profiles, access the [GET] /platform/rbac/v1/users NB API.
2. Restore the current users in the system along with role and scope information defined for each user. To restore user profiles in bulk, use the [POST] /platform/rbac/v1/bulk_users API in the same domain.
3. Validate the configuration for one user.
4. If the migration is successful, remove the remaining system users in the domain, by using one of the following methods:
   - In the Account Home page, under Global Settings, click Users & Roles. In the Users & Roles page, select the user profile that you want to delete and click the delete icon.
   - Access the [DELETE] /platform/rbac/v1/bulk_users API and add the user account names in the Parameters section.
     Example Param
     [ "[email protected]","[email protected]","[email protected]" ]
5.
Ensure that there is at least one system admin user in the domain that you are migrating to SAML-based SSO authentication framework.
6. Validate the SSO workflow for the users that you just migrated to the SAML-based SSO authentication method.

Enabling NB API Access for Federated Users

To enable NB API access for federated users:
1. Log in to Aruba Central web application using the SAML-based SSO authentication method.
2. In the Account Home page, under Global Settings, click API Gateway.
3. Click My Apps & Tokens.
4. Click + Add Apps & Tokens and generate an OAuth token.

For more information on generating tokens and API Gateway bootstrapping, see Aruba Central API Gateway Documentation.

Troubleshooting SAML SSO Authentication Issues

This section provides troubleshooting guidelines and tips to help Aruba Central administrators to diagnose and fix issues related to SAML SSO authentication.

Installing SAML Tracer on Web Browsers

To view SAML trace logs, you can install SAML Tracer on your web browsers. To install SAML Tracer:
- Mozilla Firefox--Go to https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/.
- Google Chrome--Go to https://chrome.google.com/webstore/category/extensions.

Viewing SAML Trace Logs

To view the SAML trace logs, open the SAML Tracer add-on in the web browser. SAML Tracer records all HTTP requests sent or received by your browser. If the HTTP request contains SAML, the SAML tab in the SAML Trace window records the trace logs. For example, when the SAML user logs in, you can verify the SAML attributes that are recorded.

Note the key elements in the SAML attributes output when diagnosing a SAML authentication error.

    <Subject>
      <NameID>[email protected]</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="ONELOGIN_f937f6f66c3d29c4713eee99e09fd31e23ae6fec"
          NotOnOrAfter="2019-06-14T11:57:47.883Z"
          Recipient="https://portal-yodaacdc.arubathena.com/global_login/aaa_saml/adfsaruba.com?acs" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2019-06-14T11:52:47.881Z" NotOnOrAfter="2019-06-14T12:52:47.881Z" >
      <AudienceRestriction>
        <Audience>https://portal-yodaacdc.arubathena.com/global_login/aaa_saml/adfsaruba.com/metadata</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="aruba_1_cid">
        <AttributeValue>ab8eeb91a8434025a3ecbdad9b8af705</AttributeValue>
      </Attribute>
      <Attribute Name="aruba_1_app_1">
        <AttributeValue>central</AttributeValue>
      </Attribute>
      <Attribute Name="aruba_1_app_1_role_1">
        <AttributeValue>admin</AttributeValue>
      </Attribute>
      <Attribute Name="aruba_1_app_1_role_1_tenant">
        <AttributeValue>readonly</AttributeValue>
      </Attribute>

Troubleshooting Tips for Most Common Errors

Error 1--A blank page is displayed when the SAML user is redirected to the IdP server
- Description: When a SAML user is redirected to the IdP server for authentication, the IdP server does not return the SAML response and displays a blank page.
- Cause: This issue may occur when the Service Provider metadata for Aruba Central is not configured on the IdP server.
- Resolution: Configure Service Provider metadata for your Aruba Central account in the IdP server.

Error 2--The SAML user is logged out of Aruba Central after logging in to IdP
- Description: The SAML user gets logged out of Aruba Central after logging in to the IdP server and the following error code is displayed in the browser:
    error_code=INVALID+EXTERNAL+AUTH+REQUEST
- Reason: This issue may occur when the customer ID for the SAML user is not successfully retrieved from the IdP server.
- Solution: Verify the trace logs, check the IdP configuration for customer ID details, and ensure that the IdP sends the correct customer ID.

      <NameID>[email protected]</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="ONELOGIN_c000669424a538ea0f4793ec38dab3b57a635efb" NotOnOrAfter="2019-06-14T10:06:20.153Z" Recipient="https://compass.arubathena.com/global_login/aaa_saml/adfsaruba.com?acs"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2019-06-14T10:01:20.151Z" NotOnOrAfter="2019-06-14T11:01:20.151Z">
      <AudienceRestriction>
        <Audience>https://compass.arubathena.com/global_login/aaa_saml/adfsaruba.com/metadata</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2019-06-14T10:01:19.749Z" SessionIndex="_400366f7-75dc-4423-909c-2b3dc4e9fd9c">
      <AuthnContext>

Error 3: The web browser displays an error message when a SAML user is redirected to Aruba Central after logging in to IdP
- Description: The web browser displays the following error message when the SAML user logs in to the IdP and is redirected to Aruba Central:
    error_code "FAILED EXTERNAL AUTH - SAML ACS PROCESSING"
    message "NameID not found in the assertion of the Response"
- Cause: This issue may occur when the name-id attribute is not configured in the IdP server.
- Solution: Verify the trace logs, check the IdP configuration, and ensure that the name-id attribute maps to the user's email address.

Error 4: The web browser displays a 404 error message when a SAML user is redirected to Aruba Central after logging in to IdP
- Description: The web browser displays the following error message when a SAML user is redirected to Aruba Central after logging in to the IdP:
    The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
    status_code 404
- Cause: This issue may occur due to one of the following reasons:
  - The name-id attribute does not contain the user's email address.
  - The app-id attribute is not configured as Central in the IdP.
  - The role attribute returned by the IdP is not configured in Aruba Central.
  - The group attribute in the IdP server is mapped to a group that is not available in your Aruba Central account.
  - The IdP returns a tenant role for the SAML user of a standalone enterprise account.
- Solution: Verify the trace logs, check your Aruba Central deployment setup and the IdP configuration, and ensure that the correct values are configured for these attributes in the IdP server.

Error 5: Although the role attribute is not configured in IdP, the SAML user is assigned a readonly role
- Description: Although the role attribute is not configured in the IdP server, the SAML user is assigned a readonly role after logging in to Aruba Central.
- Cause: By default, Aruba Central assigns the readonly role to SAML users if the role attribute is not configured in the IdP.
- Solution: If you want the SAML user to have a specific role assigned, configure the role attribute for the user in the IdP server.

Error 6: A SAML user was able to log in to Aruba Central earlier, but cannot access Aruba Central now
- Description: The SAML user who was able to log in to Aruba Central earlier gets the following message during login:
    The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
    status_code 404
  This issue is observed when the customer ID of a SAML user is changed from an MSP to its tenant or from a tenant to its MSP in the IdP server.
- Cause: This issue occurs when the Aruba Central user database already has a user entry for the SAML user who tries to log in to Aruba Central after the customer ID modification in the IdP server.
- Solution: In the Account Home page, under Global Settings, click Users & Roles and delete the SAML user in Aruba Central. Verify that the user entry is removed from the user database.

Error 7: The web browser displays a SAML authentication error message when a SAML user tries to log in to Aruba Central
- Description: When a SAML user tries to log in to Aruba Central, the following error message is displayed:
    FAILED EXTERNAL AUTH - SAML ACS PROCESSING
    message 0 "invalid_response"
- Cause: This issue may occur due to certificate mismatch.
- Solution: Verify the SAML authorization profile configured in Aruba Central and ensure that the correct certificate is uploaded.

Error 8: The Aruba Central login page is displayed for the SAML user instead of the IdP login page
- Description: When a SAML user tries to access Aruba Central, the user is redirected to the Aruba Central login page instead of the IdP login page.
- Cause: This issue may occur when the SAML user is configured as a system user in Aruba Central.
- Solution: If a SAML user is added as a system user in Aruba Central, delete the system user entry for the user in Aruba Central.

Two-Factor Authentication

Aruba Central now supports two-factor authentication for both computers and mobile phones to offer a second layer of security to your login, in addition to the password. When two-factor authentication is enabled on a user account, users can sign in to their Aruba Central account, through either the mobile app or the web application, only after providing their password and the six-digit verification code displayed on their trusted devices.

When two-factor authentication is enabled at the customer account level, all the users belonging to the customer account are required to complete the authentication procedure when logging in to Aruba Central.
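Returning to the SAML troubleshooting tips above: the attribute checks behind Errors 2 to 5 can be run mechanically on an assertion copied out of SAML Tracer. The script below is an added example, not Aruba Central code; it assumes that `aruba_1_cid` carries the customer ID, `aruba_1_app_1` the app ID and `aruba_1_app_1_role_1` the role (as the sample trace suggests), and `standalone_account` is a hypothetical flag you set yourself.

```python
"""Check a SAML assertion copied from SAML Tracer for the attribute problems
behind Errors 2 to 5 in the troubleshooting tips (added example)."""
import re
import xml.etree.ElementTree as ET

# Attribute names as they appear in the guide's sample trace. Their meanings
# (customer ID, app ID, role, tenant role) are assumptions read off that trace.
CID_ATTR = "aruba_1_cid"
APP_ATTR = "aruba_1_app_1"
ROLE_ATTR = "aruba_1_app_1_role_1"
TENANT_ROLE_ATTR = "aruba_1_app_1_role_1_tenant"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _local(tag):
    """Drop the XML namespace so prefixed and unprefixed traces both work."""
    return tag.rsplit("}", 1)[-1]


def parse_assertion(xml_text):
    """Return (name_id, {attribute name: [non-empty values]})."""
    # Feed this only traces you captured yourself: the standard-library
    # parser is not hardened against hostile XML.
    root = ET.fromstring(xml_text)
    name_id, attrs = None, {}
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "NameID" and name_id is None:
            name_id = (el.text or "").strip()
        elif tag == "Attribute":
            values = [(v.text or "").strip() for v in el
                      if _local(v.tag) == "AttributeValue"]
            attrs[el.get("Name")] = [v for v in values if v]
    return name_id, attrs


def diagnose(xml_text, standalone_account=False):
    """Return a list of (error number from the guide, explanation)."""
    name_id, attrs = parse_assertion(xml_text)
    findings = []
    if not name_id:
        findings.append((3, "NameID not found in the assertion"))
    elif not EMAIL_RE.match(name_id):
        findings.append((4, f"NameID {name_id!r} is not an email address"))
    if not attrs.get(CID_ATTR):
        findings.append((2, f"{CID_ATTR} (customer ID) is missing or empty"))
    if not any(v.lower() == "central" for v in attrs.get(APP_ATTR, [])):
        findings.append((4, f"{APP_ATTR} is not set to central"))
    if not attrs.get(ROLE_ATTR):
        findings.append((5, f"{ROLE_ATTR} absent: user gets the default readonly role"))
    if standalone_account and attrs.get(TENANT_ROLE_ATTR):
        findings.append((4, "tenant role sent for a standalone enterprise account"))
    return findings


# Constructed sample: attribute values copied from the guide's trace, with a
# placeholder NameID because the guide's own value is redacted.
GOOD_TRACE = """<Assertion>
  <Subject><NameID>admin@example.com</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="aruba_1_cid"><AttributeValue>ab8eeb91a8434025a3ecbdad9b8af705</AttributeValue></Attribute>
    <Attribute Name="aruba_1_app_1"><AttributeValue>central</AttributeValue></Attribute>
    <Attribute Name="aruba_1_app_1_role_1"><AttributeValue>admin</AttributeValue></Attribute>
    <Attribute Name="aruba_1_app_1_role_1_tenant"><AttributeValue>readonly</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

# Constructed sample: NameID is a bare username, the customer ID and role are
# missing, and the app attribute carries an unexpected value.
BAD_TRACE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="aruba_1_app_1"><saml:AttributeValue>other-app</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        print(label)
        for number, text in diagnose(trace) or [(0, "no attribute problems found")]:
            print(f"  Error {number}: {text}" if number else f"  {text}")
```

The script checks only the assertion's contents; whether a role or group exists in your Aruba Central account (two of the Error 4 causes) still has to be verified in the Users & Roles page.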
If a user account is associated with multiple customer accounts and if two-factor authentication is enabled on one of these accounts, the user must complete the two-factor authentication during the login procedure.

If two-factor authentication is enabled on your accounts, you must install the Google Authenticator app on your devices, such as mobile phones, to access the Aruba Central application. When users attempt to log in to Aruba Central with their credentials, the Google Authenticator app provides a six-digit verification code to complete the login procedure.

Installing the Google Authenticator App

For two-factor authentication, ensure that the Google Authenticator app is installed on your mobile device. During the registration process, the Aruba Central application shares a secret key with the mobile device of the user over a secure channel when the user logs in to Aruba Central. The key is stored in the Google Authenticator app and used for future logins to the application. This prevents unauthorized access to a user account because the authentication procedure involves two levels of verification.

When you register your mobile device successfully, the Google Authenticator app generates a six-digit token for the second-level authentication. The token is generated every thirty seconds.

Enabling Two-factor Authentication for User Accounts

To enable two-factor authentication, complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users and Roles page is displayed.
2. From the Actions menu, slide the Two-Factor Authentication (2FA) toggle button to the right.

Two-factor authentication is enabled for all the users associated with the account.

Two-factor Authentication for Aruba Central Web Application

When two-factor authentication is enabled for a customer account, the users associated with that customer account are prompted for two-factor authentication when they log in to Aruba Central.
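The six-digit token that changes every thirty seconds is a time-based one-time password derived from the shared secret key and the current time. The following added example (not Aruba Central code) assumes the RFC 6238 defaults that Google Authenticator uses, HMAC-SHA1 with a 30-second step, and a hypothetical acceptance window of one step on the verifying side; the secret is the published RFC 6238 test key, not a real one.

```python
"""Time-based one-time passwords as generated by an authenticator app
(added example; parameters are the RFC 6238 defaults, assumed here)."""
import base64
import hashlib
import hmac
import struct
import time

# Base32 form of the RFC 6238 test key b"12345678901234567890". This is the
# format an authenticator app accepts when the secret key is typed in by hand.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Decode a hand-typed secret: ignore spaces, dashes, case and padding."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    now = time.time() if at is None else at
    return hotp(decode_secret(secret_b32), int(now // step), digits)


def verify(secret_b32, token, at=None, step=30, digits=6, window=1):
    """Accept a token from the current step or `window` steps either side.

    The window is what tolerates a small clock difference between the phone
    and the server; a phone clock that is off by more than that produces
    valid-looking codes that are always rejected.
    """
    if len(token) != digits or not token.isdigit():
        return False
    now = time.time() if at is None else at
    counter = int(now // step)
    key = decode_secret(secret_b32)
    matched = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        candidate = hotp(key, counter + drift, digits)
        # Constant-time comparison, and no early exit on a match.
        matched |= hmac.compare_digest(candidate.encode(), token.encode())
    return matched


if __name__ == "__main__":
    print("token at t=59 s:", totp(RFC_SECRET_B32, at=59))
    print("still accepted 30 s later:", verify(RFC_SECRET_B32, "287082", at=89))
    print("accepted 90 s later:", verify(RFC_SECRET_B32, "287082", at=149))
```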
To complete two-factor authentication, perform the following actions:
1. Access the Aruba Central website.
2. Log in with your credentials. If two-factor authentication is enforced on your account, the two-factor authentication page opens.
3. Install the Google Authenticator app on your mobile device if not already installed.
4. Click Next.
5. If this is your first login since two-factor authentication is enforced on your account, open Google Authenticator on your mobile device.
6. Scan the QR Code. If you are unable to scan the QR code, perform the following actions:
   a. Click the Problem in Reading QR Code link. The secret key is displayed.
   b. Enter the secret key in the Google Authenticator app.
   c. Ensure that the Time-Based parameter is set.
   Aruba Central is added to the list of supported clients and a six-digit token is generated.
7. Click Next.
8. Enter the six-digit token.
9. Select the Remember 2FA for 30 Days check box if you want the authentication to expire only after 30 days.
10. Click Finish.

Two-factor Authentication for the Aruba Central Mobile App

Two-factor authentication must first be enabled for your account. If two-factor authentication is not enabled, you log in to the application directly after a successful SSO authentication.

To log in to Aruba Central app on your mobile device, perform the following actions:
1. Open the Aruba Central app on your mobile device.
2. Enter your username and password and click Log in. If the registration process is pending, an error message is displayed:
   Please register for two-factor authentication in our web app to ensure secured authentication.
3. Enter the token.

On successful authentication, the Aruba Central app opens.

Registering a New Mobile Device

If you have changed your mobile device, you need to install Google Authenticator app on your new device and register again using a web browser on your Desktop for two-factor authentication.
To register your new mobile device, complete the following steps:
1. Log in to Aruba Central web application. The two-factor authentication page is displayed.
2. Click the Changed Your Mobile Device? link.
3. To register your new device and receive a reset email with instructions, click Send 2FA Reset Email. A reset email with instructions will be sent to your registered email address:
   Figure 88: Reset Two-Factor Authentication Email
4. Follow the instructions in the email and complete the registration.

Support Access

Aruba technical support may ask you to enable Support Access to debug issues. After you enable Support Access, the Aruba support team can access your Aruba Central account remotely. Only users with administrator role can enable Support Access.

Enabling Support Access

To enable Support Access, complete the following steps:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users and Roles page is displayed.
2. From the Actions menu, slide the Support Access toggle button to the right.
3. Set password expiry by selecting the number of days and click Get Password. A new password is generated.
4. Copy the password and share it with the Aruba technical support representative.

Disabling Support Access

After the remote support session is complete, do the following to disable Support Access:
1. In the Account Home page, under Global Settings, click Users & Roles. The Users and Roles page is displayed.
2. From the Actions menu, slide the Support Access toggle button to the left.

Managing License Keys

A license key is an alphanumeric string with 9 to 14 characters; for example, PQREWD6ADWERAS. Aruba Central can manage a device only if the corresponding license key of the device is added to Aruba Central. License keys can either be evaluation license keys that map to evaluation licenses or paid license keys that map to paid licenses.
The evaluation license key is valid for 90 days. To use Aruba Central for managing, profiling, analyzing, and monitoring your devices, you must ensure that you have a valid license key and that the license key is listed in the Account Home > Global Settings > Key Management page.

Evaluation License Key

The evaluation license key is enabled for trial users by default. It allows you to add up to a total of 60 devices. For an evaluation user, a set of evaluation keys is generated. The Account Home > Global Settings > Key Management page displays the license expiration date in the Key Management table. You will receive license expiry notifications through email 30, 15, and 1 day before the license expiry and on day 1 after the license actually expires. The number of days left for license expiry is also displayed in the respective app under the Apps section of the Account Home page.

Upgrading to a Paid Account

If you have purchased a license for an AP, a switch, or a gateway, then upgrade your account by completing the following steps:
1. On the Account Home page, in the Network Operations app, click the link that shows the number of days left for the evaluation to expire.
   Figure 89: Network Operations Evaluation Account
   The Add a New License window is displayed.
2. Enter the new license key that you purchased from Aruba.
3. Click Add License.

After you upgrade your account, you can add more devices, enable services, and continue using Aruba Central.

Paid License Key

If you have purchased a license key, you must ensure that your license key is added to Aruba Central. If you are logging in for the first time, Aruba Central prompts you to add your license key to activate your account. Ensure that you add the license key before on-boarding devices to Aruba Central. The Account Home > Global Settings > Key Management page displays the license expiration date.
You receive the license expiry notifications through email 90, 60, 30, 15, and 1 day before expiry and two notifications each day on day 1 and day 2 after the license expires. When you upgrade or renew your license, or purchase another license key, you must add the key details in the Account Home > Global Settings > Key Management page to get the benefits of the new license.

Adding a License Key

1. On the Account Home page, under Global Settings, click Key Management. The Key Management page is displayed.
2. Enter your license key.
3. Click Add Key. The license key is added to Aruba Central and the contents of the license key are displayed in the Manage Keys table. Review the license details.

If you add a Device Management token, the key is listed in the Convert Deprecated Licenses page. For more information, see Converting Legacy Tokens to New Licenses.

Viewing License Key Details

To view the license key details, navigate to Account Home > Global Settings > Key Management. The Key Management page provides information about license keys available for the devices and their details such as license tier, expiration date, and quantity of licenses. The Key Management sections are described in the next topics.

License Summary

For the selected device type or app, or for all devices, the License Summary section lists all the available licenses, the total number of licenses, the number of assigned licenses, and the number of unassigned licenses. The available devices are APs, switches, and gateways. The Applications tab currently lists the license keys for the Network Operations app and the ClearPass Device Insight app (where applicable).

Click a single or multiple licenses in the License Summary section to display the details of the license type in the Key Management table. To unselect the license, click the selected license type again.
Figure 90: License Summary Details for APs

The preceding screenshot shows the following details:
- Total number of AP Foundation Licenses = 101
- Assigned AP Foundation Licenses = 2
- Unassigned AP Foundation Licenses = 99
- Total number of AP Advanced Licenses = 0

Key Management Table Details

The following table describes the contents of the Key Management table:

Table 49: License Key Details
Data Pane Item | Description
Key | License key number.
License Tier Type | Type of the license. Aruba Central supports the following types of licenses: Foundation and Advanced. The Foundation and Advanced licenses for APs, switches, and SD-WAN gateways are different from each other and cannot be used interchangeably.
Expiration | Expiration date for the license key.
License Quantity | Number of licenses available.

To arrange the rows in ascending or descending order, use the sorting icon in the table header rows. You can also use the row header indicated by the filter icon to type in search queries to refine the search.

License Expiry Date

The Key Management table displays the expiration date for each license. As the license expiration date approaches, users receive expiry notifications. The users with evaluation licenses receive license expiry notifications through email 30, 15, and 1 day before the license expiry and on day 1 after the license actually expires. The users with paid licenses receive license expiry notifications through email 90, 60, 30, 15, and 1 day before expiry and two notifications per day on day 1 and day 2 after the license expires.

If a license for the particular device expires, Aruba Central no longer manages that device. Currently, Aruba Central does not give an option to remove the expired licenses from the UI. The expired licenses are displayed in the Key Management table with the expired date.
Converting Legacy Tokens to New Licenses

The conversion of unassigned Device Management tokens to Foundation Licenses for APs, switches, and gateways is a one-time operation for the selected Device Management tokens. The Device Management token can either be an evaluation token or a purchased token. The Service Management tokens are not converted into the Aruba Central Licenses.

If you do not convert the unassigned Device Management tokens by 31 December 2021, all the tokens are automatically converted to AP Foundation Licenses. If you wish to revert a conversion, you must contact Aruba Technical Support.

To complete the license conversion:
1. On the Account Home page, go to Global Settings > Key Management. The Key Management page is displayed.
2. Click Click here to complete license conversion. The Convert Deprecated Licenses page is displayed.
3. Select the key that you want to convert and click Convert on the row. The Convert Deprecated Licenses window is displayed.
4. Select the option to which you want to convert the unassigned device license for the key.
5. Click Convert. The Convert button is available only when all the licenses are assigned for the selected key.
6. View Global Settings > License Assignment page. A list of new licenses assigned for the deprecated keys is displayed.

Download Conversion Logs

This option provides information about how legacy Device Management and Services subscription keys are converted to Aruba Central Licenses either using automatic or manual license assignment. The information can be downloaded as a PDF document. The document contains a table which provides the following information:
- Conversion Time: Date and time when the legacy keys are converted to Aruba Central Licenses.
- SKU Type: Legacy key type as Device Management or Service subscription.
- Subscription Key: Legacy subscription key details.
- Start Date: Start date of the legacy subscription.
- End Date: End date of the legacy subscription.
- Remaining Unassigned Quantity: Number of Aruba Central Licenses that are not yet assigned (after the legacy subscription keys are converted).
- Converted Subscriptions: Information about the Aruba Central Licenses to which the legacy keys are converted.

Managing License Assignments

Aruba offers two tiers of device licenses as part of the Aruba Central Licenses. The two tiers are Foundation and Advanced Licenses. The devices in Aruba Central that offer Foundation and Advanced Licenses include the following:
- APs
- Switches
- SD-Branch Gateways

The value-added services that previously required service subscriptions are now packaged as part of either a Foundation or an Advanced License. To know more about the different types of licenses available for the devices, and the services packaged with each license, see Overview of Aruba Central Foundation and Advanced Licenses.

Before proceeding with the license assignment, ensure that all the license keys are available in Aruba Central. For more information on how to add license keys to Aruba Central, see Managing License Keys. For more information about MSP Licenses, see Managing MSP Licenses.

Licensing Workflow in the Initial Setup Wizard

To enable automatic assignment of licenses from the Initial Setup Wizard:
1. Verify that you have a valid license key.
2. Ensure that you have successfully added your devices to the device inventory.
3. In the Assign License tab, turn on the Auto Assign License toggle switch.

Licensing Workflow for a New User

If you are a new user in Aruba Central, you can avail of either the evaluation license or a paid license. For an evaluation user, see the workflow at Starting Your Free Trial. For a paid user, see the workflow at Setting up Your Aruba Central Instance.

If you are a new user in Aruba Central and have purchased one or several licenses, ensure that all of your license keys are added to Aruba Central.
For license assignment to devices, you can avail of one of the following options:
- Use the Auto-Assign Licenses option
- Manually assign, update, or unassign licenses

Enabling the Auto-Assign Licenses Option

The Auto-Assign Licenses option in Aruba Central enables automatic assignment of available licenses to all of the devices available in the inventory. When you enable this option, you must specify the preferred license type as either Foundation or Advanced. You cannot manually assign licenses to devices if the Auto-Assign Licenses option is enabled.

The licenses for APs, switches, and gateways cannot be used interchangeably. For example, you cannot use an AP Foundation License on a gateway. Similarly, if an Aruba 25xx Switch is in the inventory but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch.

Before enabling the Auto-Assign Licenses option for a specific device type, ensure that there are sufficient available licenses for the specific device type.

To enable automatic assignment of licenses from the License Assignment page:
1. On the Account Home page, under Global Settings, click License Assignment. The License Assignment page is displayed.
2. Select the device type to assign the license. The available tabs are Access Points, Switches, and Gateways. The total number of devices for each device type is displayed for each of the tabs.
3. On the device tab, slide the Auto-Assign Licenses toggle switch to the On position. The Manage License Assignment (Auto) window is displayed.
4. Select the appropriate license type, Foundation or Advanced, from the drop-down menu, and then click Update. All the unassigned devices of the selected type in the inventory are enabled for automatic assignment of license.

Manually Assigning, Updating, or Unassigning Licenses

The License Assignment page enables you to assign, update, or even unassign a license from a device.
Aruba Central monitors devices with a valid license only.

The licenses for APs, switches, and gateways cannot be used interchangeably. For example, you cannot use an AP Foundation License on a gateway. Similarly, if an Aruba 25xx Switch is in the inventory but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch.

To manually assign licenses to devices or to change the existing license assignment:
1. On the Account Home page, under Global Settings, click License Assignment. The License Assignment page is displayed.
2. Select a device type tab. The available tabs are Access Points, Switches, and Gateways. The total number of devices for each device type is displayed for each of the tabs.
3. Under License Summary, ensure that the Auto-Assign Licenses option is disabled. You cannot manually assign licenses if the Auto-Assign Licenses option is enabled.
4. Select the device for which you want to assign or update the license. Clicking on a device type displays two additional sub-tabs: Licensed and Unlicensed. To manually assign or update licenses for all devices of a type, click Select All. You can also select devices at random.
5. Click Manage. The Manage License Assignment (Manual) window is displayed.
6. Do one of the following:
   a. To update or assign a license: Select the appropriate license from the drop-down menu and click Update.
   b. To unassign a license: Select Unassign to remove the existing license from that device.

Migration Workflow for an Existing User

Whether you are an evaluation user or a user with purchased licenses, the following is the migration workflow to the new Aruba Central Licenses:

Any existing rules set about Service Management tokens through APIs are discarded during the migration.

1.
For all existing APs and switches that are already assigned licenses in the legacy system, the licenses are automatically converted to device-specific Foundation Licenses in the new model. The gateway licenses remain unchanged.
2. To check how the migration was done, and to learn more about the new license keys and corresponding licenses, in the Account Home page, go to Global Settings > Key Management. For more information about the Key Management page, see Managing License Keys.
3. To check how the legacy licenses were converted, navigate to Account Home > Global Settings > Key Management page, and click the Download Conversion Logs link.
4. If there are unassigned evaluation or purchased Device Management tokens, you can convert the legacy tokens to license keys for the new Aruba Central Licenses. Service Management tokens are not converted. Instead, the AP licenses are pre-packaged with additional services. To know more about converting unassigned Device Management tokens, see Converting Legacy Tokens to New Licenses.
5. If you had the auto-licensing option enabled before migration, in the new licensing model the Auto-Assign Licenses option is automatically enabled for APs, switches, and gateways. The Auto-Assign Licenses option for APs and switches is set with the corresponding device-specific Foundation Licenses.
   The Auto-Assign Licenses option for gateways is not enabled during the migration. For more information about the Auto-Assign Licenses option, see Enabling the Auto-Assign Licenses Option.
6. If you had the auto-licensing option disabled before migration, this option is also disabled in the new licensing system.

Viewing the License Assignment Details

The License Assignment page consists of three sections for the type of device selected from the tabs.
The device can be Access Points, Switches, or Gateways.

License Summary

A summary of the types of licenses available for the selected device type, the number of licenses available, and the number of licenses assigned. The available devices for Aruba Central include APs, switches, and gateways. Clicking on a device type displays two additional sub-tabs: Licensed and Unlicensed.

Clicking on one or more license types in the License Summary section displays the details of the license type in the License Management section. To deselect the license, click the selected license type again.

License Assignment

The License Assignment section provides detailed information about all the devices in the inventory and the license status for each device. This table provides the following information about each device in the inventory:
- Type
- Serial Number
- MAC address
- Model
- Customer
- Assigned License

Use the sorting icon in the table header row to arrange the rows in ascending or descending order. You can also use the row header indicated by the filter icon to type in search queries to refine the search.

Renewing License Assignments

To renew your license, contact your Aruba Sales team.

Automatic License Assignment Workflow

The Auto-Assign Licenses option can be set to either Foundation or Advanced. This option enables Aruba Central to automatically assign licenses to all the available APs, switches, and gateways. This section explains how the Auto-Assign Licenses option works with the help of a sample Aruba Central account.
Sample Aruba Central Account Details

Assume an Aruba Central account with the following devices:
- APs - 10
- Aruba 90xx Series Gateway and 1 Aruba 70xx Series Gateway - 1
- Aruba 29xx Series Switches - 2

Now assume that you have the following licenses:
- AP Foundation Licenses - 5
- AP Advanced Licenses - 10
- Gateway Foundation Base Licenses - 5
- Gateway Advanced with Security Licenses - 5
- Switch Foundation Licenses for 6200/29xx - 5

Here are the available scenarios for the Auto-Assign Licenses option. Note that only one can be chosen during actual installation.
- Auto-Assign Licenses Option Set to Foundation
- Auto-Assign Licenses Option Set to Advanced

If you have an Aruba Central account with legacy Device Management tokens, the tokens are utilized during the automatic license assignment workflow if and when there is no availability of licenses. The legacy tokens are converted to Foundation Licenses of the required type and assigned to the devices that did not have any licenses mapped. For more information, see Using Legacy Device Management Tokens.

Auto-Assign Licenses Option Set to Foundation

If you enable the Auto-Assign Licenses option and set the preference to Foundation, this is how the device-to-license mappings are done:
- For APs: First, the Foundation Licenses for APs are used. Since there are five AP Foundation Licenses, five APs are assigned with the Foundation Licenses. For the remaining five APs, the Advanced License pool for APs is used and the five remaining APs are assigned Advanced Licenses.
- For Gateways: First, the Foundation Base Licenses for gateways are used. Since there are only two gateways and the Foundation Base Gateway Licenses are applicable to both the Aruba 70xx Series and 90xx Series Gateways, two Foundation Base Licenses for gateways are assigned.
- For Switches: First, the Foundation Licenses for switches are used.
Since there are only two 29xx Series Switches and two Foundation Licenses for 29xx Series Switches are available, these are assigned.

The following is the final device-to-license mapping:
- APs (10) - Five AP Foundation Licenses and five AP Advanced Licenses
- Gateways (2) - Two Gateway Foundation Base Licenses
- Switches (2) - Two Switch Foundation Licenses for 6200/29xx

Auto-Assign Licenses Option Set to Advanced

If you enable the Auto-Assign Licenses option and set the preference to Advanced, this is how the device-to-license mappings are done:
- For APs: First, the Advanced Licenses for APs are used. Since there are five AP Advanced Licenses, five APs are assigned with the Advanced License. For the remaining five APs, the Foundation License pool for APs is used and the five remaining APs are assigned Foundation Licenses.
- For Gateways: First, the Advanced with Security Licenses for gateways are used. Since there are only two gateways and the Advanced with Security Licenses are applicable to both the Aruba 70xx Series and 90xx Series Gateways, two Advanced with Security Licenses for gateways are assigned.
- For Switches: There are no Advanced Licenses for switches available. Hence, the Foundation Switch Licenses for 6200/29xx are used. Since there are only two switches, two Foundation Licenses for switches are assigned.

The following is the final device-to-license mapping:
- APs (10) - Five AP Advanced Licenses and five AP Foundation Licenses
- Gateways (2) - Two Gateway Advanced with Security Licenses
- Switches (2) - Two Switch Foundation Licenses

Using Legacy Device Management Tokens

When you enable the Auto-Assign Licenses option, and there are no available Foundation or Advanced Licenses left to assign, Aruba Central can check whether legacy Device Management tokens are available and use those tokens instead.
The legacy tokens are converted to Foundation Licenses of the required type and assigned to the devices that did not have any licenses mapped. Assume that you have the following devices: n APs - 20 n Gateways - 2 n Switches - 2 For the sake of simplicity, the gateway and switch model types are omitted from this example. Now assume that you have the following licenses: n AP Foundation Licenses - 5 n AP Advanced Licenses - 10 n Legacy Device Management Tokens - 20 If you enable the Auto-Assign Licenses option and set the preference to Foundation Licenses, this is how the device to license mappings are done: n For APs--First, the Foundation Licenses for APs are used. Since there are five AP Foundation License, five APs are assigned with the Foundation Licenses. Next, the 10 AP Advanced Licenses are assigned. For the remaining five APs, there are no licenses available. Aruba Central then converts five legacy Device Management tokens to five AP Foundation Licenses and assigns them to the remaining five APs. There are now 15 legacy Device Management tokens available. n For Gateways--There are no available gateway licenses. Aruba Central converts two legacy Device Management tokens to two Gateway Foundation Licenses and assigns them to the two gateways. There are now 13 legacy Device Management tokens available. n For Switches--There are no available switch licenses. Aruba Centralconverts two legacy Device Management tokens to two Switch Foundation Licenses and assigns them to the two switches. There are now 11 legacy Device Management tokens available. 
The following is the final device-to-license mapping:

* APs (20) - 10 AP Foundation Licenses, five AP Advanced Licenses
* Gateways (2) - Two Gateway Foundation Licenses
* Switches (2) - Two Switch Foundation Licenses
* Legacy Device Management Tokens left - 11

Aruba Central Licenses Feature Details

This section describes the configuration and monitoring options available for Aruba Central features tied to Foundation and Advanced Licenses.

Configuration

AP Configuration

License Applicability: AP configuration is available for AP Foundation License.

Network administrators can manage APs through the Aruba Instant UI, Aruba Central, or AirWave management system. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AP deployments. For template-based provisioning, APs must be assigned to a group with template-based configuration method enabled.

AOS-Switch Configuration

License Applicability: AOS-Switch configuration is available for Switch Foundation License.

Network administrators can manage AOS-Switches through the Aruba Central UI menu options. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AOS-Switch deployments.

AOS-CX Configuration

License Applicability: AOS-CX configuration is available for Switch Foundation License.

Network administrators can manage AOS-CX switches through the Aruba Central UI menu options and the MultiEdit mode. The MultiEdit mode in Aruba Central provides a single window for viewing and editing the configuration for one or more AOS-CX switches. In this mode, viewing and editing the configuration is performed using the CLI syntax. Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AOS-CX deployments.

Auto-Commit

License Applicability: Auto-Commit is available for Foundation and Advanced Licenses for APs, switches, and gateways.

Aruba Central supports a two-staged configuration commit workflow for Instant APs. When the auto-commit state is enabled for a group, the configuration changes are instantly applied to all devices where the auto-commit state is enabled.

Configuration Audit

License Applicability: Configuration Audit is available for Foundation and Advanced Licenses for APs, switches, and gateways.

In Aruba Central, the Configuration Audit page provides an audit dashboard for reviewing configuration changes of the devices provisioned in the UI and template groups. The Configuration Audit page allows you to view configuration push errors, template synchronization errors, configuration sync, and device-level configuration overrides.

Gateway Configuration

License Applicability: Gateway configuration is available for Gateway Foundation and Foundation Base Licenses.

Aruba Central supports the following methods to configure Gateway groups and Gateways in SD-Branch deployments:

* Guided Setup--You can use the Guided Setup to quickly configure basic and essential parameters on Aruba Gateways for deploying the SD-WAN solution. The Guided Setup provides a wizard-based workflow for provisioning Gateways.
* Basic Mode--Allows you to configure your Gateways in a non-linear fashion. This mode allows you to make configuration changes after you provision your gateways for the first time using a Guided setup.
* Advanced Mode--Allows you to configure advanced features for SD-WAN deployments.

Template groups in Aruba Central allow network administrators to create a common configuration output by using a combination of CLI commands and variables, and apply this configuration to the other Gateway devices provisioned in that group.

Monitoring and Reporting

Access, Spectrum, Monitor Mode of Radio Operations

License Applicability: The Access, Spectrum, and Monitor modes of the radios of an access point are available for AP Foundation and Advanced Licenses.

In the Access mode, the Instant AP serves clients, while also monitoring for rogue Instant APs in the background. In the Monitor mode, the Instant AP acts as a dedicated monitor, scanning all channels for rogue Instant APs and clients. In the Spectrum mode, the Instant AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring Instant APs or from non Wi-Fi devices such as microwaves and cordless phones.

Alerts and Events

License Applicability: Alerts and events for APs, Gateways, and switches is part of Foundation License and does not require any extra configuration. This tab shows data for all devices irrespective of device license type.

The Alerts and Events dashboard displays a list of alerts and events generated for events pertaining to device provisioning, configuration, and user management. You can view the alerts and events in the List view and Summary view. Configuration view is used to configure alerts and is available only at the Global context.

Application Visibility

License Applicability: The Application Visibility feature is a part of a Foundation License. However, as API streaming is available for Advanced Licenses only, the Application Visibility streaming service is supported only for APs with an Advanced License.

Application Visibility is a custom-built Layer-7 firewall capability in Aruba Central that allows you to create firewall policies based on the types of applications in IAPs. Application Visibility provides features like deep packet inspection, application monitoring, and AirSlice Policy.

Audit Trail

License Applicability: Audit Trail logs for APs, gateways, and switches, is part of Foundation License and does not require any extra configuration. This tab shows data for all devices irrespective of device license type.

The Audit Trail page in Aruba Central shows the total number of logs generated for all device management, configuration, and user management events triggered in the network.

Client List and Details

License Applicability: Clients monitoring is available for the Foundation License of AP, switch, and gateway.

The Clients page is also called the unified clients list and it provides a list of all clients that are connected to access points, switches, or gateways in the network. The List and Summary views under the Clients tab serve as dashboards. They display details about the network performance, client connection status, instantaneous client refresh, Go Live (only AP), and other information required for monitoring the clients.

Floorplans

License Applicability: Floorplans is available for AP and gateway Foundation Licenses.

Floorplans allow you to plan sites, create and manage floorplans, and provision access points. Floorplans provide a real-time picture of the radio environment of your wireless network and the ability to plan the wireless coverage of new sites.

Reports

License Applicability: Reports is available for the Foundation License.

The Reports feature enables you to generate reports for the Clients, Infrastructure, Security Compliance, and Applications categories. The Reports feature is present under the Analyze section of the Network Operations app. The functionalities present are creating a report, generating a report, scheduling the report generation, previewing a report, and downloading a report in PDF and CSV formats. The Custom range for the Summary report is available for the last one year, except the current date (today). All other reports are available for 90 days in Aruba Central 2.5.3.

Topology

License Applicability: Topology is available for Foundation and Advanced Licenses for APs, switches, and gateways.

In Aruba Central, the Topology tab in the site dashboard provides a graphical representation of the site, including the network layout, details of the devices deployed, and the health of the WAN uplinks and tunnels. The topology map provides information about third-party devices and devices that are not managed by Aruba. It also provides information about orphan and offline third-party devices, and the VLANs configured on switches running AOS-Switch and AOS-CX software.

Web Content Classification (WebCC)

License Applicability: The WebCC feature is available for Foundation Licenses for APs and gateways.

The WebCC allows you to classify website content based on reputation and take measures to block malicious sites. It fetches information about website content classification and geolocation of IPs. The IP reputation database contains known IP addresses associated with various malicious activities or threats such as botnet, DoS, and spam sources. The geolocation IP database contains the geographical location of the IP address from where the traffic is received or to which the traffic is sent. This provides geolocation and reputation filtering as part of the security suite.
The table below lists the features supported for AP and gateway licenses:

* AP Foundation--WebCC Firewall rules, visualization by reputation and category
* Gateway Foundation and Foundation Base--WebCC Firewall rules, visualization by reputation and category

Wi-Fi Connectivity

License Applicability: The Wi-Fi Connectivity dashboard for APs is part of Foundation License and does not require any extra configuration.

The Wi-Fi Connectivity page displays an overall view of the connection details for all clients that are connected to or tried to connect to each connection phase. The connection phases include the following:

* All--Displays the aggregated success percentage of Association, Authentication, and DHCP for all clients connected to the network.
* Association--Displays the percentage of successful attempts made by a client to connect to the network.
* Authentication--Displays the percentage of successful attempts of client authentication.
* DHCP--Displays the percentage of successful attempts of DHCP requests and responses when onboarding a client.
* DNS--Displays the percentage of successful attempts in the detected DNS resolutions, when a client is connected to the network.

AI Operations

AI Insights

License Applicability: AI Insights is available for Foundation and Advanced Licenses for APs, switches, and gateways. The Insights that require an Advanced License are marked as Advanced in the UI.

The AI Insights dashboard displays a report of network events that could possibly affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level for the selected time range. Each insight provides specific details on the occurrences of these events for easy debugging. Different types of insights are generated by Aruba Central and they can be accessed from different contexts such as Global, Site, Clients, and Device. Some of the insights are part of an Advanced License only and they are marked as Advanced in the user interface.

The following figure displays various AI Insights available and some are marked as Advanced.

Figure 91 AI Insights List

The table below lists the features supported for AP, switch, and gateway licenses:

AP Foundation License / AP Advanced License
* Connectivity--Wi-Fi
* Wireless Quality
* Availability--Access Points
* Class and Company Baselines
* Wireless Quality
  o Outdoor clients impacting Wi-Fi performance
  o Coverage Hole Detection
  o Transmit power optimization

Switch Foundation
* Availability--Switch
* Class and Company Baselines

Gateway Foundation, Foundation Base, and VGW
* Availability--Gateways
* Class and Company Baselines

In this release, all AI Insights are available irrespective of the user role or Aruba Central subscription. In the upcoming Aruba Central release, AI Insights marked as Advanced in the user interface would require an advanced subscription.

AI Search

License Applicability: AI Search feature is available for Foundation License for AP, switch, and gateway.

The AI search feature in Aruba Central enables you to search for clients, devices, and infrastructure connected to the network. Using the search results, you can navigate to the configuration and troubleshooting pages. The search also retrieves relevant documentation to help you efficiently operate your networks. The search engine uses Natural Language Processing (NLP) to analyze queries and return relevant search results.

Dynamic Logs

License Applicability: Dynamic Log is available for both Foundation and Advanced Licenses for APs and gateways.

The Dynamic Logs feature enables Aruba Central to dynamically run CLI show commands on APs and gateways, and collect the output as logs. You can also enable the Aruba support notification option to notify TAC support regarding the logs generated. These logs can be used to troubleshoot the APs and gateways.

Dynamic Logs is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

The following figure displays the available options for Dynamic Logs.

Figure 92 Dynamic Logs Option

For devices assigned with the Foundation License, the Dynamic Logs feature only supports the log collection activity. Even if you enable the Notify Aruba Support option, the option is not activated for devices licensed with Foundation License. For devices assigned with Advanced Licenses, Dynamic Logs support both log collection and the Aruba support notification option.

For example, assume an Aruba Central account with Dynamic Logs enabled, where you configure a group of three Access Points (APs), AP1, AP2, and AP3. AP1 has a Foundation License while AP2 and AP3 have Advanced Licenses. For this group, both Dynamic logs collection and Notify Aruba Support options are enabled. However, the Aruba support notification option is only applicable for AP2 and AP3, which have Advanced Licenses.

Troubleshooting

Live Events

Licensing Applicability: Live Events for clients, APs and switches is part of Foundation License and does not require any extra configuration.

The clients Live Events page shows information required to troubleshoot issues related to a client or a site in real time for detailed analysis. Aruba Central also allows you to troubleshoot issues related to access points. The AP Live Events feature is similar to client live troubleshooting, but in this case we can enable Live Events at the AP level. Currently, users can subscribe to Radio, VPN, and Spectrum events.

Live Packet Capture (PCAP)

Licensing Applicability: Live PCAP for APs and switches is part of Foundation License and does not require any extra configuration.

Aruba Central allows users to interact and launch a targeted packet capture on a client connected to a specific AP or a switch. When the user starts packet capture from the UI, Aruba Central notifies the AP and the switch. The default packet capture duration is 15 minutes.

Troubleshooting Tools

License Applicability: Troubleshooting for APs, gateways, and switches is part of Foundation License and does not require any extra configuration.

The Tools menu option allows network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. The Tools page is divided into the following tabs:

* Network Check--Allows you to run diagnostic checks on networks and troubleshoot client connectivity issues.
* Device Check--Allows you to run diagnostic checks and troubleshoot switches.
* Commands--Allows you to perform network health check on devices at an advanced level using command categories.

Services

AirGroup

License Applicability: AirGroup is available for both AP Foundation and Advanced Licenses.

AirGroup is a zero-configuration networking protocol that enables service discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services. It is designed for flat, single-subnet IP networks such as wireless networking at home. AirGroup supports both wired and wireless devices.

AirGroup is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

In InstantOS-based APs, the service is hosted on the IAP Virtual controller and all services are supported.

AirMatch

License Applicability: AirMatch is available for AP Foundation License.

AirMatch channel planning evens out channel distributions in any size of network and in any subset of the contiguous network. AirMatch also minimizes channel coupling where adjacent radios are assigned to the same channel.
AirSlice

License Applicability: The AirSlice feature is available for only AP Advanced Licenses.

The AirSlice feature allows network operators to build virtual networks suitable for specific application requirements. It allows network operators to monitor applications used by clients and supports multiple services such as gaming, IoT, voice, video, and so on.

AirSlice is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

For devices that have Advanced Licenses, the AirSlice feature supports unlimited applications and provides prioritization of custom-applications with visibility and configuration.

The table below lists the features supported for AP licenses:

Advanced
* Visibility and prioritization of applications
* Maximum number of applications as supported by the Aruba Central platform

ClientMatch

License Applicability: ClientMatch is available for AP Foundation License.

ClientMatch continually monitors the RF neighborhood for each client to provide ongoing client band steering, load balancing, and enhanced AP reassignment for roaming mobile clients.

Presence Analytics

License Applicability: Presence Analytics is available for Foundation AP License.

Presence Analytics enables businesses to collect and analyze user presence data in public venues, enterprise environments, and retail hubs. Presence Analytics also enables businesses to collect real-time data on user footprints within the wireless network range.

SaaS Express

License Applicability: SaaS Express is available for Advanced Gateway License and Advanced with Security Gateway License only.

The SaaS Express feature, on SD-WAN Gateways, enables discovery of the SaaS application servers, monitors application performance, and steers traffic to the best-available servers, and thus provides an improved user experience.
Unified Communications

License Applicability: Unified Communications is available for AP Advanced Licenses.

The Unified Communications feature enables a seamless user experience for voice calls, video calls, and application-sharing when using communication and collaboration tools. It allows you to actively monitor voice, video, and application-sharing sessions, provide traffic visibility, prioritize the required sessions, and provide rich visual metrics for analytical purposes.

Unified Communications is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

Security

Cloud Guest

License Applicability: Cloud Guest is available for the AP Foundation License.

The Cloud Guest access enables the guest users to connect to the network. This is provided through the splash page profile that is created by the administrators for the guest users in the Guests tab under Manage. The Summary page in the Manage > Guest Access application is the monitoring dashboard that displays the number of guests, guest SSID, client count, type of clients, and guest connection.

Cloud Guest deals with the AP, so the license that is assigned to the AP is also applicable to Cloud Guest. By default, the Foundation License is applicable. The Advanced License features will also be available if the Cloud Guest is assigned to it.

ClearPass Device Insight-Based Clients Profile

License Applicability: ClearPass Device Insight (CPDI) based Clients Profile is available for Foundation License for APs and gateways.

The CPDI-based Clients Profile enables network and security administrators to discover, monitor, and automatically classify new and existing devices that connect to a network. You can identify devices that include IoT devices, medical devices, printers, smart devices, laptops, VoIP phones, computers, gaming consoles, routers, servers, switches, and so on.

CPDI-based Clients Profile is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

The table below lists the features supported for AP and gateway licenses:

Foundation
* Basic client MAC Classification based on telemetry data
* Client Family, Client Category, Client OS
* Cloud Auth Integration

Advanced
* Access to Collector support in Central (not including physical collector costs)
* ML-based client classification
* Advanced Security Features (Risk / Posture / Vulnerability)
* Security baseline of device behavior with Firewall recommendation

Intrusion Detection and Prevention (IDS or IPS)

License Applicability: IDS and IPS is available for Foundation with Security Gateway License, Foundation Base with Security Gateway License, and Advanced with Security Gateway License.

The IDS and IPS monitors, detects, and prevents threats in the inbound and outbound traffic. Aruba IDS or IPS adds an extra layer of security that focuses on users, applications, network connections, and can be integrated with the Aruba SD-Branch solution.

RAPIDS

License Applicability: RAPIDS is available for Foundation and Advanced Licenses for APs.

The RAPIDS feature enables Aruba Central to quickly identify and act on interfering APs in the network that can be later considered for investigation, restrictive action, or both. Once the interfering APs are discovered, Aruba Central sends alerts for security events to the network administrators about the possible threat and provides essential information needed to locate and manage the threat.

RAPIDS is supported in this release as an Early-Access feature. Contact your Aruba SE or Account Manager to enable it in your Aruba Central account.

This feature is part of the AP Foundation License. However, as API streaming is available for Advanced License only, Aruba Central would not stream any security events for APs with Foundation License. For APs with Advanced License, API streaming of security events is available for further diagnosis and threat management.

API

Streaming APIs

License Applicability: The Streaming API service requires that devices such as IAPs and gateways are assigned with Advanced License.

The Streaming API feature enables you to subscribe to a select set of services, instead of polling the NB API to get an aggregated state, or statistics of the events, pertinent to the monitoring activities of Aruba Central. With Streaming API, you can write value-added applications based on the aggregated context. For example, with Streaming API, you are notified about the following types of events:

* The UP and DOWN status of the devices
* Change in location of stations

The Streaming API feature in Aruba Central is enabled only when any one of the devices in the account has an Advanced License. If the account has devices with only Foundation License, the Streaming API tab is not displayed in Aruba Central. If the Streaming API feature is enabled, and the account has a mix of Foundation License and Advanced License for devices, the devices that are assigned with Foundation License do not stream any data for any topics.

SD-Branch

Application-based Policy

License Applicability: The application-based policy configuration is available for Foundation License for Branch Gateways.

The Application-based policy configuration helps in deep packet inspection of application usage by clients. Using this configuration, you can define applications, security, and service aliases. You can configure Access Control Lists (ACLs) to restrict user access to an application or application category.

Dynamic Path Steering

License Applicability: Dynamic Path Steering is available for Gateway Foundation and Foundation Base License.

In the Path Steering tab, you can view traffic path steering details for the Dynamic Path Steering policies configured on the Branch Gateway. This tab also displays the number of policies that are compliant along with the total number of policies configured on the Branch Gateway.

Full SD-LAN Control

License Applicability: SD-LAN monitoring is available for Foundation License for Branch Gateways.

The LAN Summary page displays a graphical representation of the LAN link availability of a Branch Gateway. It also provides a summary of all the LAN interfaces and port details.

IPsec VPN

License Applicability: IPsec VPN is available for Gateway Foundation and Foundation Base License.

An IPsec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPsec tunnel to the controller secures corporate data. You can configure an IPsec tunnel from virtual controller using Aruba Central.

Role-based Access Policy

License Applicability: Role-based Access Policy configuration is available for Foundation License for Branch Gateways.

The Role-based Access Policy determines client access based on the user roles assigned to a client. Each user or device connected to the branch network is associated with a user role. Once the role is assigned, traffic and security policies are applied to devices based on the role.

SD-WAN Overlay

License Applicability: SD-WAN Overlay monitoring is available for Gateway Foundation License.

The SD-WAN Overlay is an orchestrator service for branch deployments, which is done by setting up IPsec tunnels between the Branch Gateways and VPN Concentrators. This is achieved through Tunnel and Route orchestration. The tunnel configuration between the branch and hub sites is automatic and the route configuration is done by redistributing the routing information learnt from the branch in a dynamic way. The Map and Grid views of the Tunnel and Route tabs under SD-WAN Overlay serve as dashboards for monitoring purposes, providing information about the tunnels and routes configured for an individual Branch Gateway.
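Tying together the Auto-Assign Licenses walk-throughs and the RAPIDS, Dynamic Logs, and Streaming API licensing rules described earlier in this section, the following added example (not code from the Aruba guide or from Aruba Central) models the allocation order and reports which devices end up streaming no data. The `Account` structure, the function names, and the collapsing of gateway and switch license names into two tiers are assumptions of this example, not Aruba Central APIs.

```python
"""Added example: Auto-Assign Licenses order and the streaming gap it implies."""
from dataclasses import dataclass

FOUNDATION, ADVANCED = "foundation", "advanced"


@dataclass
class Account:
    devices: dict            # device type -> number of devices
    pools: dict              # (device type, tier) -> licenses available
    legacy_tokens: int = 0   # legacy Device Management tokens


def auto_assign(account, preference):
    """Assign tiers in the order the guide's walk-throughs use.

    Preferred pool first, then the other pool, then legacy tokens
    (converted to Foundation). Returns (assigned, tokens_left), where
    assigned maps device type -> list of tiers (None = unlicensed).
    """
    if preference not in (FOUNDATION, ADVANCED):
        raise ValueError("preference must be 'foundation' or 'advanced'")
    fallback = ADVANCED if preference == FOUNDATION else FOUNDATION
    pools = dict(account.pools)           # work on a copy
    tokens = account.legacy_tokens
    assigned = {}
    for dev_type, count in account.devices.items():
        tiers = []
        for tier in (preference, fallback):
            take = min(count - len(tiers), pools.get((dev_type, tier), 0))
            pools[(dev_type, tier)] = pools.get((dev_type, tier), 0) - take
            tiers += [tier] * take
        # No licenses left: convert legacy tokens to Foundation Licenses.
        take = min(count - len(tiers), tokens)
        tokens -= take
        tiers += [FOUNDATION] * take
        tiers += [None] * (count - len(tiers))
        assigned[dev_type] = tiers
    return assigned, tokens


def streaming_coverage(assigned):
    """Apply the guide's Streaming API rule to an assignment.

    Only devices with an Advanced License stream data; the Streaming API
    tab is displayed only if at least one device has an Advanced License.
    """
    per_type = {}
    for dev_type, tiers in assigned.items():
        streaming = tiers.count(ADVANCED)
        per_type[dev_type] = {"streaming": streaming,
                              "silent": len(tiers) - streaming}
    tab_visible = any(v["streaming"] for v in per_type.values())
    return tab_visible, per_type


def notify_support_applies(tier):
    """Dynamic Logs: Notify Aruba Support only takes effect on Advanced."""
    return tier == ADVANCED


# Sample account from the guide's first walk-through (constructed here;
# license names collapsed to two tiers, an assumption of this example).
SAMPLE = Account(
    devices={"ap": 10, "gateway": 2, "switch": 2},
    pools={("ap", FOUNDATION): 5, ("ap", ADVANCED): 10,
           ("gateway", FOUNDATION): 5, ("gateway", ADVANCED): 5,
           ("switch", FOUNDATION): 5},
)
# Legacy-token walk-through: no gateway or switch licenses, 20 tokens.
LEGACY = Account(
    devices={"ap": 20, "gateway": 2, "switch": 2},
    pools={("ap", FOUNDATION): 5, ("ap", ADVANCED): 10},
    legacy_tokens=20,
)

if __name__ == "__main__":
    for name, acct in (("sample", SAMPLE), ("legacy", LEGACY)):
        assigned, tokens_left = auto_assign(acct, FOUNDATION)
        visible, per_type = streaming_coverage(assigned)
        print(f"{name}: tokens left={tokens_left}, streaming tab={visible}")
        for dev_type, c in per_type.items():
            print(f"  {dev_type}: {c['streaming']} streaming, "
                  f"{c['silent']} silent")
```

With the Foundation preference, five of the sample account's ten APs receive Foundation Licenses, so under the rules above security events from those five APs are not streamed even though RAPIDS itself is available on them.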
Stateful Firewalls

License Applicability: Stateful Firewalls is available for Gateway Foundation and Foundation Base License.

Aruba Gateways support stateful firewall for stateful inspection of packets. Stateful firewalls provide an additional layer of security by tracking the state of network connections and using the state information from previous communications to monitor and control new communication attempts. To protect your network from external attacks and unauthorized communication attempts, you can configure match conditions and packet filtering criteria for the Aruba Gateways.

Web Content Filtering

License Applicability: Website content filtering is available for Foundation License for Branch Gateways.

Aruba Gateways enhance branch security by providing real-time web content and reputation filtering. The Website Content Classification feature on Branch Gateways allows you to classify website content based on reputation and take measures to block malicious sites.

Managing Your Device Inventory

After you add the paid subscription key(s) to your Aruba Central account, device(s) purchased by you are automatically added to the device inventory in the respective Aruba Central account. For more information about subscription keys, see Managing License Keys.

If the device you purchased does not show up in the inventory, you can manually add it. Aruba Central allows you to add up to 32 devices manually by entering the valid MAC and serial number combination for each device.

Users having roles with Modify permission can add devices. Users having roles with View Only permission can only view the Device Inventory module.

Viewing Devices

The devices provisioned in your account are listed in the Account Home > Global Settings > Device Inventory page. A dashboard lists the total number of devices and the number of access points, switches, and gateways in the inventory.

The following table describes the columns in the Devices table.
Table 50: Device Details Parameter Description Serial Number MAC Address Serial number of the device. MAC address of the device. Type Type of the device, for example Instant AP, switch, or gateway. Model Hardware model of the device. Part Number Part number of the device. IMEI The International Mobile Equipment Identity (IMEI) number of the gateway device. This field is applicable only for 9004-LTE gateways. Click the ellipsis icon in the table to select this column. It is not displayed by default. IP Address IP address of the device. Name Name of the device. Group Group assigned to the device. Assigned License License assigned to the device. Adding Devices to Inventory For information on adding devices, see Onboarding Devices. Onboarding Devices Aruba Central supports the following options for adding devices: n If you are an evaluating user, you must manually add the serial number and MAC address of the devices that you want to manage from Aruba Central. This section includes the following topics: n Adding Devices (Evaluation Account) n Adding Devices (Paid Subscription) n Manually Adding Devices Adding Devices (Evaluation Account) Use one of the following methods to add devices to Aruba Central: n Using the Initial Setup Wizard n Using the Device Inventory Page Administering Aruba Central | 213 Using the Initial Setup Wizard 1. In the Add Devices tab of the Initial Setup wizard, click Add Device. 2. Enter the serial number and MAC address of your devices. You can find the serial number and MAC address of Aruba devices on the front or back of the hardware. 3. Click Done. 4. Review the devices in your inventory. Using the Device Inventory Page 1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed. 2. Click Add Devices. The Add Devices pop-up window is displayed. 3. Enter the serial number and the MAC address of each device. 
   You can find the serial number and MAC address of Aruba devices on the front or back of the hardware.
4. Click Done.
5. Review the devices in your inventory.

Adding Devices (Paid Subscription)

If your devices are not added to your inventory, set up a device sync by adding one device from your purchase order. To set up device sync, use one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page

In the Initial Setup Wizard

1. Ensure that you have added a license key and click Next.
2. In the Add Devices tab, enter the serial number and MAC address of any one device from your purchase order. Most Aruba devices have the serial number and MAC address on the front or back of the hardware.
3. Click Add Device. Aruba Central imports all other devices mapped to your purchase order.
4. Review the devices in your inventory.
5. Perform the following options:
   - Add Devices Manually: Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App: Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support: Contact Aruba Technical Support.

From the Device Inventory Page

1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed. Aruba Central imports only devices associated with your account from Activate.
2. Do any one of the following:
   - Click Sync Devices. Enter the serial number and MAC address and click Add Device.
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.
     Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Review the devices in your inventory.
4. Perform the following options:
   - Add Devices Manually: Manually add devices by entering the MAC address and serial number of each device.
   - Add Via Mobile App: Add devices from the Aruba Central mobile app. You can download the Aruba Central app from Apple App Store on iOS devices and Google Play Store on Android devices.
   - Contact support: Contact Aruba Technical Support.

Manually Adding Devices

Aruba Central allows you to set up only manual sync of devices from the Activate database using one of the following methods:
- Adding Devices Using MAC address and Serial Number
- Adding Devices Using Activate Account
- Adding Devices Using Cloud Activation Key

You can set up only a manual sync for Aruba Central-managed folders such as the default, licensed, and non-licensed folders.

Adding Devices Using MAC address and Serial Number

You can find the serial number and MAC address of Aruba devices on the front or back of the hardware. To add devices using MAC address and serial number, use any one of the following methods:
- In the Initial Setup Wizard
- From the Device Inventory Page

In the Initial Setup Wizard

If you are using the Initial Setup wizard:
1. In the Add Devices tab of the Initial Setup wizard, click Add Device.
2. Enter the serial number or the MAC address of your device.
3. Click Done.
4. Review the list of devices.

From the Device Inventory Page

To add devices from the Device Inventory page:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Perform one of the following:
   - Click Add Devices to manually add devices by entering the MAC address and serial number of each device.
   - If you are a paid subscriber, you can add devices using a CSV file. Click Import Via CSV and select the CSV file. For a sample CSV file, click Download sample CSV file.
     Manual addition of devices using a CSV file is restricted to 100 devices or to the number of available device management tokens. An error message is displayed if more than 100 devices are imported using the CSV file. You can view the status of the CSV upload in the Account Home > Audit Trail page.
3. Click Done.
4. Review the devices added to the inventory.

When you add the serial number and MAC address of one AP from a cluster or a switch stack member, Aruba Central imports all devices associated in the AP cluster and switch stack respectively.

Adding Devices Using Activate Account

- Use this device addition method only when you want to migrate your inventory from Aruba AirWave or a standalone AP deployment to the Aruba Central management framework.
- Use this option with caution as it imports all devices from your Activate account to the Aruba Central device inventory.
- You can use this option only once. After the devices are added, Aruba Central does not allow you to modify or re-import the devices using your Aruba Activate credentials.

To add devices from your Activate account:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Advanced and select Using Activate.
3. Enter the username and password of your Activate account.
4. Click Add.
5. Review the devices added to the inventory.

Adding Devices Using Cloud Activation Key

When you import devices using the Cloud Activation Key, all your devices from the same purchase order are added to your Aruba Central inventory.
Before adding devices using the cloud activation key, ensure that you have noted the cloud activation key and MAC address of the devices to add.

Locating Cloud Activation Key and MAC Address

To know the cloud activation key:
- For APs:
  1. Log in to the WebUI or CLI.
     - If using the WebUI, go to Maintenance > About.
     - If using the CLI, execute the show about command.
  2. Note the cloud activation key and MAC address.
- For Aruba Switches:
  1. Log in to the switch CLI.
  2. Execute the show system | in Base and show system | in Serial commands.
  3. Note the cloud activation key and MAC address in the command output.
- For Mobility Access Switches:
  1. Log in to the Mobility Access Switch UI or CLI.
     - If using the UI, go to Maintenance > About.
     - If using the CLI, execute the show inventory | include HW and show version commands.
  2. Note the cloud activation key and MAC address.

The activation key is enabled only if the switch has access to the Internet.

Adding Devices Using Cloud Activation Key

1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click Advanced and select With Cloud Activation Key. The Cloud Activation Key pop-up window opens.
3. Enter the cloud activation key and MAC address of the device.
4. Click Add.

If a device belongs to another customer account or is used by another service, Aruba Central displays it as a blocked device. As Aruba Central does not support managing and monitoring blocked devices, you may have to release the blocked devices before proceeding with the next steps.

Archiving Devices in Aruba Central

Aruba Central supports archiving devices that are not in use or devices that are yet to be installed. The archiving feature helps network administrators hide devices in the Device Inventory page to keep the device inventory organized. The archived devices are moved to the Archived tab on the Device Inventory page, and these can be unarchived and used whenever required.
Network administrators and users with a custom role and the Modify permission for the Device Inventory page can archive and unarchive devices in Aruba Central.

The virtual gateway devices cannot be archived.

Archiving Devices

Complete the following steps to archive devices in Aruba Central:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click the All tab.
3. Select the devices to be archived.
4. Click the Archive button. The Confirm Action window is displayed. If you click Yes and the selected devices are licensed, then the licenses applied to the devices are removed automatically, and the devices are disconnected from Aruba Central. The disconnected devices are moved to the Archived tab.

For an MSP account, if a device of a tenant is archived, the device gets unlicensed and is moved back to the MSP account and then archived.

Unarchiving Devices

Complete the following steps to unarchive devices in Aruba Central:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Click the Archived tab.
3. Select the devices to be unarchived.
4. Click the Unarchive button. The Confirm Action window is displayed. If you click Yes, the devices are moved out of the Archived tab, and if auto-licensing is enabled, then the devices get licensed automatically.
5. To see the unarchived devices, click the All tab.

For an MSP account, if a device is unarchived, the device is moved back to the MSP account. The device continues to stay unlicensed with the MSP and does not move to the tenant.

Data Collectors

Data collectors host applications that process network data. Data collectors are available as a physical appliance or a virtual appliance.
To create a data collector, set up and install the physical appliance or virtual appliance on-premises at your organization, and then install an Aruba application.

Managing Data Collectors

High-Level Process Flow

The following is a high-level process flow for managing data collectors:
1. Set up on-premises the physical or virtual appliance that will become the data collector. For more information, see Setting Up Appliances.
2. Create the data collector by installing an Aruba application on the physical or virtual appliance. For more information, see Creating Data Collectors.
3. Verify the status of the data collector. The status is Running if the data collector was created successfully. For more information, see Viewing Data Collectors.
4. Repeat Steps 1 through 3 until you have created all of the data collectors that you require.
5. Set the auto-update preference for the data collectors. For more information, see Updating Data Collectors.
6. Monitor the status and performance of the different data collectors. For more information, see Viewing Data Collectors.
7. (Optional) Manually update one or all of the data collectors as required. This overrides the global auto-update preference you have set for all data collectors. For more information, see Updating Data Collectors.
8. (Optional) Delete the installed Aruba application from the data collector. This enables the appliance to be available to become a data collector again in the future for the same Aruba application or for a different Aruba application. For more information, see Deleting Data Collectors.

About Data Collectors Page

The Data Collectors page enables you to manage the data collectors for your organization. Using this page you can:
- Create a registration token required for setting up a physical or virtual appliance.
- Download the virtual appliance required for setting up a virtual appliance.
- Create data collectors by installing an Aruba application on a physical or virtual appliance.
- View data collectors (both managed and unmanaged).
- Set the data collectors update preference and update data collectors.
- Uninstall the Aruba application running on a data collector. When you uninstall the application, the appliance is freed up and can be used for creating another data collector in the future.

This page contains the following four cards, which can be used to perform different data collector functions:
- Managed Collectors
- Other Collectors
- Create Collector
- Configure Appliance

Managed Collectors Card

You can view and update the managed data collectors that you have created in the Managed Collectors card. The Managed Collectors card provides a Dashboard and a List view of the data collectors. Click the grid view icon in the upper right-hand corner of the card to open the List view.

Dashboard

The Dashboard displays a donut chart showing the data collectors by status, by applications, or by update. By default, the data collectors by status are displayed in the chart. To change the display option for the chart, click the down arrow in the heading of the card and select another display option. Display options are: By Status, By Apps, and By Update.

By Status

The donut chart shows the data collectors by status. Next to the chart is a legend indicating the different data collector statuses. Statuses are: Starting (grey), Online (green), Offline (red), and Warning (yellow). Hover over the different color sections of the donut chart and a tool tip is displayed indicating the number of data collectors for each status. The total number of data collectors is displayed in the center of the chart.

By Apps (Applications)

The donut chart displays the data collectors by applications. Next to the chart is a legend indicating the different Aruba applications. Aruba applications include: ClearPass Device Insight. Each application is displayed in a different color.
Hover over the different color sections of the donut chart and a tool tip is displayed indicating the number of data collectors for each Aruba application. The total number of data collectors is displayed in the center of the chart.

By Update

The donut chart shows the data collectors by update status. Next to the chart is a legend indicating the different update statuses. Statuses are: Up to date (yellow), Update in progress (red), and Update available (green). Hover over the different color sections of the donut chart and a tool tip is displayed indicating the number of data collectors for each update status. The total number of data collectors is displayed in the center of the chart.

The Auto-Update field is displayed in the lower right corner of the card when you select this display option. By default, As soon as available is displayed in this field. When you click this field, the Collector Update dialog opens. Use the Collector Update dialog to set when you want updates to be installed for all data collectors. For more information about setting the data collectors global update preference, see Updating Data Collectors.

List View

The List view displays all of the data collectors in a grid format. The List view lists the data collectors that are currently represented in the Dashboard. At the top of the List view are the following buttons:
- Update All
  Click this button to update all of the data collectors at once. To update a specific data collector, you can expand a row in the grid and click the Update Now button for that specific data collector. For more information, see Updating Data Collectors.
- Create Collector
  Opens the Create Collector dialog where you can create a data collector. For more information, see Creating Data Collectors.

The following table describes the information that is displayed in the List view:

Table 51: List View

| Field | Description |
|---|---|
| Name | Data collector name. |
| Status | Status of the data collector. Statuses are: Starting, Online, Offline and Warning. |
| Applications | Aruba application installed on the data collector. |
| Desired Update Time | Desired update time for that specific collector. For more information, see Updating Data Collectors. |
| Update Status | Update status for the data collector. Statuses are: Up to date, Update in progress, Update available. |

When you hover over a row in the grid, the following icons are displayed in the row of the grid:
- Delete icon is displayed to the right of Applications. Click the Delete icon to uninstall the Aruba application running on that data collector. When you uninstall the application, the appliance is freed up and can be used for creating another data collector in the future. For more information, see Deleting Data Collectors.

Additional details for a data collector can be viewed by expanding a row in the grid. Click the plus icon next to a row in the grid to expand a row. When you expand the row, the row expands and the additional details for the data collector are displayed.

Additional Details

In the expanded row, additional overview details for the data collector are displayed. In the Collector Details area, the data collector name, status, creation date, and the Aruba application installed on the data collector are displayed. To the right in the expanded row, the Appliance In Collector table is displayed. The following table describes the information displayed in the table:

Table 52: Appliance In Collector Table

| Field | Description |
|---|---|
| Name | Appliance name. |
| IP Address | IP address of the appliance. |
| Model | Appliance model name. VMware Virtual Platform is displayed for virtual appliances. |

At the bottom of the expanded row, the Update Now button is either available or unavailable depending on whether there is an update available for the data collector. If there is no update available, the Update Now button is unavailable and No update available is displayed in the Version field.
If there is an update available, the Update Now button is available and the update version is displayed in the Version field.

Click the Update Now button to update that specific data collector. To update all data collectors, you can click the Update All button at the top of the List view. For more information, see Updating Data Collectors.

Other Collectors Card

The Other Collectors card displays an overview of the number of unmanaged data collectors that are connected and not connected. The counts that are displayed in this card are:
- Connected (Number of unmanaged data collectors that are connected)
- Not Connected (Number of unmanaged data collectors that are not connected)

The following actions can be performed within the card:
- Click the Connected number to open the Other Collectors dialog where you can view the data collectors that are connected.
- Click the Not Connected number to open the Other Collectors dialog where you can view the data collectors that are not connected.

For more information, see Viewing Data Collectors.

Create Collector Card

The Create Collector card displays the number of appliances that are available to be used for creating a data collector. The appliance number is updated after you have successfully set up a physical appliance or virtual appliance. For more information about setting up appliances, see Setting Up Appliances.

Click the Create Collector button to open the Create Collector dialog where you can create a data collector. For more information, see Creating Data Collectors.

Configure Appliance Card

The Configure Appliance card contains a Download Virtual Appliance link and a Registration Token button. Click the Registration Token button to create a registration token. The registration token is required when setting up a physical appliance or virtual appliance.
Click the Download Virtual Appliance link to open the Download Virtual Appliance dialog where you can download either the small virtual appliance file (.ova file) or medium virtual appliance file (.ova file) that is required when setting up a virtual appliance. For more information about setting up appliances, see Setting Up Appliances.

Setting Up Appliances

Data collectors are available as physical appliances or virtual appliances. Appliances must be set up before you can create a data collector. This section contains:
- Creating Registration Tokens
- Downloading Virtual Appliances
- Setting Up Physical Appliances
- Setting Up Virtual Appliances
- Using Command Line Interface Options

Creating Registration Tokens

A registration token is required when setting up a physical appliance or a virtual appliance. To create a registration token:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. If no data collectors have been created, the Get Started dialog is displayed. Otherwise, the Data Collectors page is displayed.
3. Click Registration Token in the Get Started dialog or the Configure Appliance card of the Data Collectors page. The registration token is created. The Registration Token dialog opens with the token that was created displayed. The date and time the registration token expires is displayed at the bottom of the dialog.
4. Click Copy Token. You can now enter this registration token when setting up a physical appliance or virtual appliance during the registration of the appliance (Option 3 (register)) on the Collector CLI. For more information about setting up appliances, see Setting Up Appliances.
5. Click Close.

Downloading Virtual Appliances

The virtual appliance file (.ova file) is required for setting up a virtual appliance. To download a virtual appliance:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. If no data collectors have been created, the Get Started dialog is displayed.
   Otherwise, the Data Collectors page is displayed.
3. Click get a virtual appliance in the Getting Started dialog or the Download Virtual Appliance link in the Configure Appliance card of the Data Collectors page. The Download Virtual Appliance dialog opens displaying a Small virtual appliance card and a Medium virtual appliance card.
   The small virtual appliance requires: 8 Core CPU, 16 GB Memory, and 256 GB disk.
   The medium virtual appliance requires: 24 Core CPU, 64 GB Memory, and 480 GB disk.
   Download the virtual appliance by performing the following:
   a. Hover over the Small card or the Medium card. The Download File link is displayed in the card.
   b. Click the Download File link in the Small card or Medium card. The virtual appliance file (.ova) is downloaded. When setting up a virtual appliance using VMware, you will browse for and select this virtual appliance file (.ova file). For more information about setting up virtual appliances, see Setting Up Appliances.
4. Click Close.

Setting Up Physical Appliances

Data collectors are available as physical appliances or virtual appliances. Before you can use an Aruba application that uses data collectors, you need to set up appliances. To set up a physical appliance, you use several command line options from the Collector CLI on the appliance after it is installed. On the Collector CLI there are seven options that are available for selection. The options available are listed below:

   Options:
   1. Configure Hostname    4. Configure Proxy        7. Advanced Options
   2. Configure Network     5. Change Timezone/NTP    0. Exit
   3. Register              6. Test Connectivity

You use options 1 through 6 to set up a physical appliance. Perform the options in the order in which they are displayed.

For more information about the advanced options, see Using Command Line Interface Options.

Before You Begin

Before you begin to set up a physical appliance, you need to create a Registration Token.
For more information, see Creating Registration Tokens.

About the Physical Appliance

Aruba provides one physical appliance for Aruba ClearPass Device Insight, the Aruba Central Data Collector physical appliance.

Table 53: Physical Appliance Specifications

| Model | vCPU | Memory | Disk | NICs |
|---|---|---|---|---|
| DC2000 (Medium) | 24 | 64 GB | 480 GB | 8 (2 mgmt, 6 data) |

Setting Up Physical Appliances

This section discusses how to set up a physical appliance.

If you are using a proxy, configure the proxy prior to doing the registration. Additionally, it is recommended that you configure the time zone and NTP prior to registration if you plan on changing them.

To set up a physical appliance:
1. Install on-premises the physical appliance.
2. Power on the appliance and log in to the appliance using these credentials:
   - Username = aruba
   - Password = aruba
3. Configure the hostname for the appliance using Option 1 (Configure Hostname) on the Collector CLI.
4. Configure the network interfaces for the appliance using Option 2 (Configure Network) on the Collector CLI:
   - Configure the eth0 Ethernet interface.
   - (Optional) Configure the eth1 Ethernet interface.
5. Configure Domain Name System (DNS) for the appliance using Option 2 (Configure Network) on the Collector CLI.
6. Configure routes for the appliance using Option 2 (Configure Network) on the Collector CLI. You only need to configure routes if you have configured the eth1 Ethernet interface.
7. Test the connectivity of the appliance to the Cloud URL discovery server using Option 6 (Test Connectivity) on the Collector CLI.
8. Register the appliance using Option 3 (Register) on the Collector CLI.
9. Test the connectivity of the appliance to the Aruba cloud using Option 6 (Test Connectivity) on the Collector CLI.
10. Configure the proxy server using Option 4 (Configure Proxy) on the Collector CLI.
11. Change the time zone for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.
12. Configure the Network Time Protocol (NTP) server for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.

For more information about the different command line options, see Using Command Line Interface Options.

Setting Up Virtual Appliances

Data collectors are available as virtual appliances or physical appliances. Before you can use an Aruba application that uses data collectors you need to set up appliances. You can set up virtual appliances using two different methods. You can set up a virtual appliance using the VMware ESXi Host Web Client or the VMware vSphere Desktop Client for Windows. Using either of these methods, you create the virtual machine and then you complete the setup using several command line options from the Collector CLI from the virtual machine. On the Collector CLI there are seven options that are available for selection. The options available are listed below:

   Options:
   1. Configure Hostname    4. Configure Proxy        7. Advanced Options
   2. Configure Network     5. Change Timezone/NTP    0. Exit
   3. Register              6. Test Connectivity

You use options 1 through 6 to set up a virtual appliance. Perform the options in the order in which they are displayed.

For more information about the advanced options, see Using Command Line Interface Options.

You perform the same command line options when setting up a virtual appliance as you would when setting up a physical appliance.

Before You Begin

Before you begin to set up a virtual appliance you need the following:
- VMware ESXi server
  - A VMware ESXi server is required to set up a virtual appliance. You must know the ESXi server host name and IP address when setting up a virtual appliance.
- Registration Token
  - A registration token is required to set up a virtual appliance.
  - For more information, see Creating Registration Tokens.
- Virtual appliance file (.ova file)
  - A virtual appliance file (.ova file) is required to set up a virtual appliance using VMware.
  - For more information, see Downloading Virtual Appliances.

About Aruba Virtual Appliances

Aruba provides two virtual appliances for Aruba ClearPass Device Insight:
- Aruba Central Data Collector virtual appliance (small)
- Aruba Central Data Collector virtual appliance (medium)

Table 54: Virtual Appliance Specifications

| Model | vCPU | Memory | Disk | NICs |
|---|---|---|---|---|
| DC1000V (Small) | 8 | 16 GB | 256 GB | 4 ports (1 G management, DPI up to 100 Mbps) |
| DC2000V (Medium) | 24 | 64 GB | 480 GB | 4 ports (1 G management, DPI up to 1 Gbps) |

Setting Up Virtual Appliances Using the VMware ESXi Host Web Client

If you are using a proxy, configure the proxy prior to doing the registration. Additionally, it is recommended that you configure the time zone and network time protocol (NTP) prior to registration if you plan on changing them.

To set up a virtual appliance using the VMware ESXi Host Web Client:
1. Go to a web browser and enter the IP address for the VMware ESXi server.
2. Press Enter. The VMware ESXi Welcome window appears.
3. Click the Open the VMware Host Client link under Getting Started. The VMware ESXi Host Client Log In window appears.
4. Enter the User name and Password for the ESXi host server.
5. Click Log In.
6. Click Create/Register VM icon. The New virtual machine - Select creation type window appears.
7. Select Deploy a virtual machine from an OVF or OVA file for creation type.
8. Click Next. The New virtual machine - Select OVF and VMDK files window appears.
9. Enter the following:
   a. Enter a name for the virtual machine.
   b. Browse for the ova file and select it.
10. Click Next. The New virtual machine - Select storage window appears.
11. Select the datastore.
12. Click Next. The New virtual machine - Deployment options window appears.
13. Enter the following:
    You need to assign a management network and optionally a data network to the virtual machine's network adaptors. A virtual machine has network adaptors 1 through 4 to which you can assign the management network, data network, and SPAN networks. You need to identify the network adaptor with the lowest MAC address and assign the management network to this network adaptor. If you have a separate data network, the network adaptor with the second lowest MAC address must be assigned to the data network. You can assign the rest of the network adaptors to the SPAN networks.
    a. Select the Network mapping for mgmt1.
    b. Select the Network mappings for data1, data2, and data3.
       Currently, Aruba ClearPass Device Insight supports one management network mapping and one data network mapping.
    c. Select the Disk provisioning option. Options are Thin or Thick. Thin appears by default.
    d. Click the Power on automatically check box to have the machine automatically power on. This check box appears selected by default.
14. Click Next. The New virtual machine - Additional settings window appears.
15. Click Next. The New virtual machine - Ready to complete window appears displaying the selections you made in the previous windows.
16. Click Finish. The creation of the virtual machine is initiated. Under Recent tasks you can view the results of the new virtual machine tasks by monitoring the Result field status bar for each task. Wait until the Result field displays Completed successfully for each task. When this occurs you have created the virtual machine.
17. Select the new virtual machine that you just created in the upper region of the window and click the Console icon. The Collector CLI appears.
18. Configure the hostname for the appliance using Option 1 (Configure Hostname) on the Collector CLI.
19. Configure the network interfaces for the appliance using Option 2 (Configure Network) on the Collector CLI:
    - Configure the eth0 Ethernet interface.
    - (Optional) Configure the eth1 Ethernet interface.
20. Configure Domain Name System (DNS) for the appliance using Option 2 (Configure Network) on the Collector CLI.
21. Configure routes for the appliance using Option 2 (Configure Network) on the Collector CLI. You only need to configure routes if you have configured the eth1 Ethernet interface.
22. Test the connectivity of the appliance to the Cloud URL discovery server using Option 6 (Test Connectivity) on the Collector CLI.
23. Register the appliance using Option 3 (Register) on the Collector CLI.
24. Test the connectivity of the appliance to the Aruba cloud using Option 6 (Test Connectivity) on the Collector CLI.
25. Configure the proxy server using Option 4 (Configure Proxy) on the Collector CLI.
26. Change the time zone for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.
27. Configure the Network Time Protocol (NTP) server for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.

For more information about the different command line options, see Using Command Line Interface Options.

Setting Up Virtual Appliances Using the VMware vSphere Desktop Client for Windows

If you are using a proxy, configure the proxy prior to doing the registration. Additionally, it is recommended that you configure the time zone and network time protocol (NTP) prior to registration if you plan on changing them.

To set up a virtual appliance using the VMware vSphere Desktop Client for Windows:
1. Go to a web browser and enter the IP address for the VMware ESXi server.
2. Press Enter. The VMware ESXi Welcome window appears.
3. Click the Download vSphere Client for Windows link under Getting Started. The VMware vSphere Client Log In window appears.
4. Enter the User name and Password for the ESXi host server.
5. Click Login. The ESXi Host Details window appears.
6. Go to File > Deploy OVF Template. The Deploy OVF Template - Source window appears.
7. Click Browse and browse for the ova file and select it.
8. Click Next. The Deploy OVF Template - OVF Template Details window appears displaying the OVF template details.
9. Click Next. The Deploy OVF Template - Name and Location window appears.
10. In the Name field enter the name for the virtual appliance.
11. Click Next. The Deploy OVF Template - Disk Format window appears.
12. Enter the following:
a. In the Datastore field enter the datastore.
b. Select the disk format. Options are: Thick Provision Lazy Zeroed, Thick Provision Eager Zeroed, and Thin Provision. Thin Provision appears selected by default.
13. Click Next. The Deploy OVF Template - Network Mapping window appears.
14. Enter the following:

You need to assign a management network and optionally a data network to the virtual machine's network adaptors. A virtual machine has network adaptors 1 through 4 to which you can assign the management network, data network, and SPAN networks. You need to identify the network adaptor with the lowest MAC address and assign the management network to this network adaptor. If you have a separate data network, the network adaptor with the second lowest MAC address must be assigned to the data network. You can assign the rest of the network adaptors to the SPAN networks.

a. Select the Destination Network for mgmt1.
b. Select the Destination Networks for data1, data2, and data3. Currently, Aruba ClearPass Device Insight supports one management destination network and one data destination network.
15. Click Next. The Deploy OVF Template - Ready to Complete window appears.
16. Review the settings and select the Power on after deployment check box to have the machine automatically power on. The Power on after deployment check box appears selected by default.
17. Click Finish. The creation of the virtual machine is initiated. A dialog box appears displaying the status of the virtual machine creation. After the virtual machine is created, it is listed in the ESXi Host Details window.
18. Select the virtual machine on the ESXi Host Details window and then select the Console tab. The Collector CLI appears.
19. Configure the hostname for the appliance using Option 1 (Configure Hostname) on the Collector CLI.
20. Configure the network interfaces for the appliance using Option 2 (Configure Network) on the Collector CLI:
- Configure the eth0 Ethernet interface.
- (Optional) Configure the eth1 Ethernet interface.
21. Configure Domain Name System (DNS) for the appliance using Option 2 (Configure Network) on the Collector CLI.
22. Configure routes for the appliance using Option 2 (Configure Network) on the Collector CLI. You only need to configure routes if you have configured the eth1 Ethernet interface.
23. Test the connectivity of the appliance to the Cloud URL discovery server using Option 6 (Test Connectivity) on the Collector CLI.
24. Register the appliance using Option 3 (Register) on the Collector CLI.
25. Test the connectivity of the appliance to the Aruba cloud using Option 6 (Test Connectivity) on the Collector CLI.
26. Configure the proxy server using Option 4 (Configure Proxy) on the Collector CLI.
27. Change the time zone for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.
28. Configure the Network Time Protocol (NTP) server for the appliance using Option 5 (Change Timezone/NTP) on the Collector CLI.

For more information about the different command line options, see Using Command Line Interface Options.

Using Command Line Interface Options

This section describes how to use the different command line interface (CLI) options for an appliance. Several of these options are used when setting up a physical appliance or a virtual appliance. This section contains:
- Configuring Hostname
- Configuring Network
- Registering the Appliance
- Configuring Proxy Server
- Changing Time Zone and Configuring NTP Server
- Testing Appliance Connectivity
- Performing Advanced Options

Configuring Hostname

This section describes how to configure the hostname for an appliance and how to edit the hostname after it has been configured.

Configuring Hostname

To configure the hostname:
1. Go to the Collector CLI.
2. In the Enter option field, enter 1 (Configure Hostname) and press Enter.
3. In the New hostname field, enter the hostname and press Enter. The hostname must start with a letter and can contain letters, numbers, and a hyphen "-". It cannot contain any other special characters. A message is displayed stating that the hostname has been changed successfully.
4. Press Enter.

Editing Configured Hostname

This option is available only after you have configured the hostname.

To edit the configured hostname:
1. Go to the Collector CLI.
2. In the Enter option field, enter 1 (Configure Hostname) and press Enter.
3. In the Enter option field, enter 1 (Edit Hostname) and press Enter.
4. In the New hostname field, enter the hostname and press Enter. The hostname must start with a letter and can contain letters, numbers, and a hyphen "-". It cannot contain any other special characters. A message is displayed stating that the hostname has been changed successfully.
5. Press Enter.

Configuring Network

This section describes how to configure the network interfaces, Domain Name System (DNS), and routes for the appliance and how to show the interfaces information for the appliance.

Configuring Network Interfaces

To configure network interfaces:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 1 (Configure Network Interfaces) and press Enter.
4. In the Enter option field, enter 0 (eth0) and press Enter. You must configure the eth0 (management) Ethernet interface. Configuring the eth1 (data) Ethernet interface is optional. The MAC Address is displayed in brackets next to eth0 and eth1.
5. In the Enter IP Address field, enter the IP address for the appliance and press Enter.
6. In the Enter Subnet mask field, enter the subnet mask for the appliance and press Enter.
7. In the Enter Gateway field, enter the gateway address for the appliance and press Enter.
8. (Optional) Configure the second Ethernet interface (eth1). Repeat steps 4 through 7 above, except in step 4 enter 1 (eth1).
9. In the Enter option field, enter b (Back to Previous Menu) and press Enter.
10. Press Enter.
11. In the Enter option field, enter m (Main Menu) and press Enter.

Configuring DNS

To configure Domain Name System (DNS):
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 2 (Configure DNS) and press Enter.
4. In the Enter DNS field, enter the DNS address for the appliance and press Enter.
5. (Optional) In the Enter Secondary DNS field, enter the secondary DNS address for the appliance and press Enter. Otherwise, press Enter to proceed without entering a secondary DNS address.
6. Press Enter.
7. In the Enter option field, enter m (Main Menu) and press Enter.

Configuring Routes

You only need to configure routes if you have configured Ethernet interface eth1. Routes do not apply to Ethernet interface eth0.

Listing All Routes

To list all routes:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 3 (Configure Routes) and press Enter.
4. In the Enter option field, enter 1 (List all routes) and press Enter. All of the routes are displayed.
5. Enter b (Back to Previous Menu) and press Enter.
6. Press Enter.
7. In the Enter option field, enter m (Main Menu) and press Enter.

Adding a Route Via eth1

To add a route through eth1:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 3 (Configure Routes) and press Enter.
4. In the Enter option field, enter 2 (Add a route via eth1) and press Enter.
5. In the Enter destination IP Address field, enter the IP address of the node that needs to connect to the eth1 interface and press Enter. The route is created. The system assigns a sequential index number to the route. You can view the index number assigned to the route by using Option 1 - List all routes.
6. Enter b (Back to Previous Menu) and press Enter.
7. Press Enter.
8. In the Enter option field, enter m (Main Menu) and press Enter.

Deleting a Route Via eth1

To delete a route through eth1:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 3 (Configure Routes) and press Enter.
4. In the Enter option field, enter 3 (Delete a route via eth1) and press Enter.
5. In the Enter index of route to be deleted field, enter the index number associated with the route to be deleted and press Enter.
6. Enter b (Back to Previous Menu) and press Enter.
7. Press Enter.
8. In the Enter option field, enter m (Main Menu) and press Enter.

Showing Interfaces Information

To show interfaces information:
1. Go to the Collector CLI.
2. In the Enter option field, enter 2 (Configure Network) and press Enter.
3. In the Enter option field, enter 4 (Show Interfaces Info) and press Enter.
4. The information for both eth0 and eth1 network interfaces is displayed.
The IP address, Netmask, Gateway, and MAC Address are displayed for each interface.
5. Press Enter.
6. In the Enter option field, enter m (Main Menu) and press Enter.

Registering the Appliance

To register the appliance:
1. Go to the Collector CLI.
2. In the Enter option field, enter 3 (Register) and press Enter.
3. In the Registration code field, enter the registration code and press Enter. The registration process is initiated. The registration process associates the appliance with your customer account. After the registration process completes, a message is displayed that the registration was successful. The appliance is now available to be formed into a data collector by installing an Aruba application on it. The appliance count that is displayed in the Create Collector card on the Data Collectors page is incremented by one. For information about creating a data collector, see Creating Data Collectors.
4. Press Enter.

Configuring Proxy Server

This section describes how to configure a proxy server, edit a proxy server configuration, and unconfigure a proxy server.

Configuring Proxy Server

To configure a proxy server:
1. Go to the Collector CLI.
2. In the Enter option field, enter 4 (Configure Proxy) and press Enter.
3. In the Proxy Server URL/IP field, enter the URL or IP address for the proxy server and press Enter.
4. In the Proxy Server Port field, enter the port and press Enter. Otherwise, press Enter to accept the default port. 3128 appears as the default port.
5. In the Username field, enter the user name for the server and press Enter.
6. In the Password field, enter the password for the server and press Enter. A password cannot contain any special characters. A message is displayed stating the proxy server has been configured.
7. Press Enter.

Editing Proxy Configuration

This option is available only after you have configured a proxy server.

To edit the proxy configuration:
1. Go to the Collector CLI.
2. In the Enter option field, enter 4 (Configure Proxy) and press Enter.
3. In the Enter option field, enter 1 (Edit Proxy Configuration) and press Enter.
4. In the Proxy Server URL/IP field, enter the URL or IP address for the proxy server and press Enter.
5. In the Proxy Server Port field, enter the port and press Enter. Otherwise, press Enter to accept the default port. 3128 appears as the default port.
6. In the Username field, enter the user name for the server and press Enter.
7. In the Password field, enter the password for the server and press Enter. A password cannot contain any special characters. A message is displayed stating the proxy server has been configured.
8. Press Enter.

Unconfiguring Proxy Configuration

This option is available only after you have configured a proxy server.

To unconfigure the proxy configuration:
1. Go to the Collector CLI.
2. In the Enter option field, enter 4 (Configure Proxy) and press Enter.
3. In the Enter option field, enter 2 (Unconfigure Proxy) and press Enter. A message is displayed stating the proxy server is being disabled.
4. Press Enter.

Changing Time Zone and Configuring NTP Server

This section describes how to change the time zone and how to configure the NTP server.

Changing Time Zone

To change the time zone:
1. Go to the Collector CLI.
2. In the Enter option field, enter 5 (Change Timezone/NTP) and press Enter.
3. In the Enter option field, enter 1 (Change Timezone) and press Enter. The following regions are displayed:
- 1 - Africa
- 2 - America
- 3 - Antarctica
- 4 - Arctic
- 5 - Asia
- 6 - Atlantic
- 7 - Australia
- 8 - Europe
- 9 - Indian
- 10 - Pacific
- 11 - UTC
4. In the Select region field, enter the number for the region and press Enter. For example, to select the Pacific region enter 10. The time zones for the region you selected are displayed.
5. In the Select timezone field, enter the number for the time zone and press Enter.
A message is displayed that the time zone was configured. Press Enter.
6. In the Enter option field, enter m (Main Menu) and press Enter.

Configuring NTP Server

To configure the Network Time Protocol (NTP) server:
1. Go to the Collector CLI.
2. In the Enter option field, enter 5 (Change Timezone/NTP) and press Enter.
3. In the Enter option field, enter 2 (Configure NTP) and press Enter.
4. In the NTP Server field, enter the NTP server hostname and press Enter. A message is displayed that the NTP server has been configured.
5. Press Enter.
6. In the Enter option field, enter m (Main Menu) and press Enter.

Testing Appliance Connectivity

This section describes how to test the appliance's connectivity to the Aruba cloud and to another host.

Testing Aruba Cloud Reachability

To test Aruba cloud reachability:
1. Go to the Collector CLI.
2. In the Enter option field, enter 6 (Test Connectivity) and press Enter.
3. In the Enter option field, enter 1 (Test Aruba Cloud reachability) and press Enter. This process performs two connectivity tests. The first tests the reachability of the appliance to the Cloud URL discovery server. You perform this test before you register the appliance. The second tests the reachability of the appliance to the Aruba cloud. You perform this test after you register the appliance.

When you perform this process before registration, the following messages are displayed:

    Testing reachability to Cloud URL discovery server ...
    Cloud URL discovery server reachable
    Aruba Cloud URL is not set. Please activate the node.

When you perform this process after registration, the following messages are displayed:

    Testing reachability to Cloud URL discovery server ...
    Cloud URL discovery server reachable
    Testing cloud reachability.....
    Aruba cloud is reachable

4. Press Enter.

Testing Connectivity to Another Host

To test connectivity to another host:
1. Go to the Collector CLI.
2. In the Enter option field, enter 6 (Test Connectivity) and press Enter.
3. In the Enter option field, enter 2 (Test connectivity to another host (using PING)) and press Enter.
4. In the Type host address field, enter the host address you want to reach and press Enter. A message is displayed stating whether the host is reachable or not.
5. Press Enter.

Performing Advanced Options

This section describes how to complete advanced tasks for appliances such as changing the password, enabling support access, and resetting the factory settings.

Rebooting or Shutting Down

Rebooting

To reboot:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 1 (Reboot/Shutdown) and press Enter.
4. In the Enter option field, enter 1 (Reboot) and press Enter.
5. At the prompt, Are you sure you want to reboot the node? enter y and press Enter. The appliance is rebooted.

Shutting Down

To shut down:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 1 (Reboot/Shutdown) and press Enter.
4. In the Enter option field, enter 2 (Shutdown) and press Enter.
5. At the prompt, Are you sure you want to shutdown the node? enter y and press Enter. The appliance is shut down.

Changing Password

To change the password:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 2 (Change password) and press Enter.
4. At the prompt, Are you sure you want to change the password? enter y and press Enter.
5. In the Enter new UNIX password field, enter the new password and press Enter.
6. In the Retype new UNIX password field, re-enter the new password and press Enter. A message is displayed that the password has been updated successfully.
7. Press Enter.
8. In the Enter option field, enter m (Main Menu) and press Enter.

Enabling Support Access

Enabling support access provides a way for Aruba customer support to access the collector remotely for troubleshooting. This requires both enabling support access on the collector and providing consent in Aruba Central.

Enabling Support Access on the Collector

To enable support access on the collector:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 3 (Enable support access) and press Enter.
4. In the Select an option field, enter 1 (Enable support access) and press Enter.
5. In the Allow access for user field, enter the email address for the Aruba Technical Assistance Center (TAC) support contact for whom you wish to enable access and press Enter. An Access Token is generated and is displayed.
6. Send that Access Token to the Aruba TAC support contact through email or when speaking with them over the phone. The TAC support contact takes that access token and generates a decoded password. From there they can access the appliance remotely using an application such as Webex or Remote Control Service (RCS).
7. Press Enter.
8. In the Enter option field, enter m (Main Menu) and press Enter.

Providing Consent in Aruba Central

To provide consent in Aruba Central:
1. Go to Aruba Central (if you are in the Analyzer portal, there is an option on the top right to switch to Aruba Central).
2. Go to User Management.
3. In the Actions drop-down located in the top right, select Enable Support Access. A popup appears.
4. Toggle the Enable Support Access option and enable it.
5. Select Get Password. The password is not needed and can be ignored for the purpose of accessing the collector.

Disabling Support Access

The support access, once enabled, remains until it is disabled. For security reasons it is recommended that you disable the access once it is no longer required by Aruba customer support.

To disable support access:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 3 (Enable support access) and press Enter.
4. In the Select an option field, enter 2 (Disable support access) and press Enter.
5. Press Enter.

Transferring Logs Through SCP

When troubleshooting an issue, you may want to transfer the logs that have been generated from the appliance. For this transfer to occur you need to have a Linux server that is Secure Shell (SSH) enabled.

To transfer logs through SCP:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 4 (Transfer logs through SCP) and press Enter.
4. In the SCP server configuration field, enter the hostname and IP address for the server and press Enter. Before the logs are transferred they are compressed. On the Collector CLI the status of the compression is displayed. 100% is displayed after compression is complete.
5. In the server password field, enter the password for the server and press Enter. A tar file is created for the logs. The date and time when the tar file was created is a part of the name of the file. For example, if a tar file is named (ISO-38-41-PH_logs_11021729.tar.gz), the date and time it was created is November 2 at 17:29. The time zone reflected is the appliance time zone where the tar file was created.
6. Press Enter.

Resetting Factory Settings

This option applies only to physical appliances.

To reset factory settings:
1. Go to the Collector CLI.
2. In the Enter option field, enter 7 (Advanced Options) and press Enter.
3. In the Enter option field, enter 5 (Factory Reset) and press Enter.
4. At the prompt, Are you sure you want to do a factory reset? enter y and press Enter. The appliance is reset to the state it was in when it came from the factory and then the appliance reboots.
To use the appliance, perform the appliance setup process again. For more information, see Setting Up Physical Appliances.
5. Press Enter.

Creating Data Collectors

Before You Begin

Before you can create a data collector, you must have already successfully set up a physical appliance or virtual appliance. For information, see Setting Up Appliances.

ClearPass Device Insight Requirements

This topic lists the ClearPass Device Insight requirements.

Network Requirements for CPDI Collector

The network requirements for the CPDI collector include:
- Static IP address
- Outbound Internet Access on TCP port 443
- Optional: Proxy Server

Network Services (Internal or External) from the collector

The network services (internal or external) requirements from the data collector include:
- TCP/UDP 53 (DNS)
- UDP 123 (NTP)

Recommended access to network devices from the collector

The recommended access to network devices from the collector includes UDP 161: SNMP (V1 through 3, but 3 is preferred).

Recommended access from the network devices to the collector

The recommended access from the network devices to the collector includes:
- UDP 67: DHCP for the ip-helpers / DHCP relays
- When used: Netflow or IPFix

Recommended access to endpoints from the collector

The recommended access to endpoints from the collector includes:
- TCP, UDP, ICMP - For nmap profiling and WMI profiling
- TCP:22 - For SSH scans
- UDP:161 - For SNMP scans

Creating Data Collectors

To create a data collector:
1. Go to the Account Home page.
2. Under Global Settings, click Data Collectors.
3. If no data collectors have been created, the Get Started dialog is displayed. Otherwise, the Data Collectors page is displayed.
4. The number of appliances that are available to form new data collectors is displayed in the Get Started dialog and in the Create Collector card of the Data Collectors page.
5. Click Create Collector in the Get Started dialog or the Create Collector card in the Data Collectors page. The Create Collector dialog is displayed. The Create Collector dialog can also be accessed by clicking the Create Collector button within the Managed Collectors card - List view.
6. In the Give collector a name field, enter a name for the data collector.
7. Select the application you want to install on the data collector. Applications include ClearPass Device Insight.
8. Click Next. All of the appliances that are available to become data collectors are listed in a grid. The appliance Name, IP Address, and Model are displayed.
9. Select the row in the grid for the appliance you want to become the data collector.
10. Click Create. The application you previously selected is installed on the appliance and the data collector is created. You can manage this data collector using the Managed Collectors card. The data collector is also now available for use by the application that was installed on it.

For more information, see About Data Collectors Page.

Viewing Data Collectors

Using the Data Collectors page you can view managed data collectors in the Managed Collectors card and view the unmanaged data collectors that are connected or not connected in the Other Collectors card.

Viewing Managed Data Collectors

To view managed data collectors:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page opens, displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. (Optional) Click the down arrow in the Managed Collectors card heading and select By Apps, to view the data collectors by applications.
4. (Optional) Click the down arrow in the Managed Collectors card heading and select By Update, to view the data collectors by update status.
5. Click the View Grid icon to view more details for the data collectors.
The Managed Collectors - List view opens, displaying all of the data collectors in a grid format.
6. Expand a row in the grid to view additional details for a specific data collector. The row is expanded displaying an Overview tab and a Performance tab. View the data collector overview information in the Overview tab. View the data collector performance information in the Performance tab.

For more information, see About Data Collectors Page.

Viewing Unmanaged Data Collectors

To view unmanaged data collectors:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page is displayed.
3. Click the Connected number in the Others card to view the connected unmanaged data collectors. The Other Collectors dialog opens, displaying the connected data collectors in a grid format. The following table describes the information that is displayed in the grid:

Table 55: Other Collectors Dialog
Field      Description
Name       Data collector name.
Status     Status of the data collector. Connected is displayed for data collectors that are connected.
Address    IP address for the data collector.

4. Click the Not Connected number in Others card to view the unmanaged data collectors that are not connected. The Other Collectors dialog opens, displaying the data collectors that are not connected in a grid format. The following table describes the information that is displayed in the grid:

Table 56: Other Collectors Dialog
Field      Description
Name       Data collector name.
Status     Status of the data collector. Not Connected is displayed for data collectors that are not connected.
Address    IP address for the data collector.

For more information, see About Data Collectors Page.

Updating Data Collectors

Setting the Data Collectors Global Auto-Update Preference

To set the data collectors global auto-update preference:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors.
The Data Collectors page opens, displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. Click the down arrow in the Managed Collectors card heading and select By Update. The Managed Collectors card displays the data collectors by update status. An Auto-Update field in the lower right-hand corner of the card displays the current global setting for the data collector auto-update preference. As soon as available is displayed by default in this field.
4. Click the Auto-Update field. The Collector Update dialog opens displaying the data collector update options.
5. Select when you want to install the updates for all data collectors. Options are:
- Apply Instantly: All data collectors will be updated as soon as a new version is available.
- Apply on specific time: All data collectors will be updated at the day and time that you set when a new version is available. When you select this option, a Day field and Time field are displayed. Click the down arrow next to the Day field and select the day. Day options are: Monday through Sunday. Click the up and down arrows in the Time field and select the time.

You can also update one or more data collectors earlier than what you have specified with the auto-update option, by clicking the Update All button or Update Now button on the Managed Collectors card - List view. For more information, see Manually Updating All Data Collectors and Manually Updating a Specific Data Collector.
6. Click Save.

Manually Updating All Data Collectors

To manually update all data collectors:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page opens displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. Click the down arrow in the Managed Collectors card heading and select By Update. The Managed Collectors card displays the data collectors by update status.
An Auto-Update field in the lower right-hand corner of the card displays the current setting for the data collector global auto-update preference.
4. Click the Grid View icon in the upper right corner of the Managed Collectors card. The Managed Collectors card - List view opens displaying all of the data collectors in a grid format. The List view lists the data collectors that are currently represented in the Dashboard view. If an update is available for one or more data collectors, the Update All button is available at the top of the List view.
5. Click Update All. All of the data collectors are updated.

Manually Updating a Specific Data Collector

To update a specific data collector:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page opens displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. Click the down arrow in the Managed Collectors card heading and select By Update. The Managed Collectors card displays the data collectors by update status. An Auto-Update field in the lower right-hand corner of the card displays the current setting for the data collector global auto-update preference.
4. Click the Grid View icon in the upper right corner of the Managed Collectors card. The Managed Collectors card - List view opens displaying all of the data collectors in a grid format. The List view lists the data collectors that are currently represented in the Dashboard view. If an update is available for one or more data collectors, Update available is displayed in the Update Status for those data collectors in the grid.
5. Expand the row in the grid for the individual data collector that you want to update. The row expands displaying the additional overview details for that specific data collector.
In the lower portion of the expanded row, the update version is displayed in the Version field and the Update Now button is available.
6. Click Update Now. The data collector is updated.

Deleting Data Collectors

To delete a data collector:
1. Go to Account Home.
2. Under Global Settings, click Data Collectors. The Data Collectors page opens, displaying all of the managed data collectors in the Managed Collectors card by status by default.
3. Click the Grid View icon in the upper right corner of the Managed Collectors card. The Managed Collectors card - List view opens, displaying all of the data collectors in a grid format. The List view lists the data collectors that are currently represented in the Dashboard view.
4. Hover over a data collector row in the grid that you want to delete. The Delete icon is displayed to the right of Applications.
5. Click the Delete icon. The Delete Collector dialog opens asking if you are sure you want to delete the data collector.
6. Click Delete. The Aruba application running on the collector is uninstalled from the collector. The appliance is freed up and can be used for creating another data collector in the future. For more information about creating a data collector, see Creating Data Collectors.

Webhooks

Webhooks allow you to implement event reactions by providing real-time information or notifications to other applications. Aruba Central allows you to create Webhooks and select Webhooks as the notification delivery option for all alerts. Using Aruba Central, you can integrate Webhooks with other third-party applications such as ServiceNow, Zapier, IFTTT, and so on. You can access the Webhooks service either through the Aruba Central UI or API Gateway. Aruba Central supports creating up to 10 Webhooks. To enable redundancy, Aruba Central allows you to add up to three URLs per Webhook.
From Aruba Central, you can add, list, or delete Webhooks; get or refresh the Webhooks token; get or update Webhooks settings for a specific item; and test Webhooks notification.
This section includes the following topics:
- Creating and Updating Webhooks Through the UI
- Refreshing Webhooks Token Through the UI
- Creating and Updating Webhooks Through the API Gateway
- List of Webhooks APIs
- Sample Webhooks Payload Format for Alerts
In the Alerts & Events page, click the Configuration icon to configure and enable an alert. In the Notification Options, select Webhooks as the notification delivery option.
The following figure illustrates how Aruba Central integrates with third-party applications using Webhooks.
Figure 93 Webhooks Integration

Creating and Updating Webhooks Through the UI
To access the Webhooks service from the UI:
1. In the Account Home page, under Global Settings, click Webhooks. The Webhooks page is displayed.
2. In the Webhook tab, click the + sign. The Add Webhook pop-up window is displayed.
Figure 94 Webhooks Page
Figure 95 Add Webhooks Page
3. To create a Webhook, enter the following details:
   a. Name--Enter a name for the Webhook.
   b. Retry Policy--Select one of the following options:
      - None--No retries.
      - Important--Up to 5 retries over 6 minutes.
      - Critical--Up to 5 retries over 27 hours.
   c. URLs--Enter the URL. Click + to enter another URL. You can add up to three URLs.
4. Click Save. The Webhook is created and listed in the Webhook table.

Viewing Webhooks
To view the Webhooks, complete the following steps:
1. In the Account Home page, under Global Settings, click Webhooks.
2. The Webhooks page with Webhook table is displayed.
The Webhook table allows you to edit or delete Webhooks and also displays the following information:
- Name--Name of the Webhooks.
- Number of URL Entries--Number of URLs in Webhooks. Click the number to view the list of URLs.
- Updated At--Date and time at which Webhooks was updated.
- Webhook ID--Webhooks ID.
- Token--Webhooks token. The Webhooks token enables header authentication, and the third-party receiving service must validate the token to ensure authenticity.
- Edit--Select the Webhook from the list and click the Edit icon to edit the Webhook. You can refresh the token and add URLs. Click Save to save the changes.
- Delete--Select the Webhook from the list, click the Delete icon, and click Yes to delete the Webhook.
- Test Webhooks--Select the Webhook from the list and click the Test Webhooks icon to test the Webhook by posting a sample webhook payload to the configured URL. The Test Webhooks table provides the URL and Status of the selected Webhook.
- View Dispatch Logs--Select the Webhook from the list and click the View Dispatch Log icon to view the Dispatch Logs for the selected Webhook. The Dispatch Logs table provides the URL, Status, and Dispatched Time. Click the arrow against each row to view the Log Details and Attempts in the drop-down for the respective URL.
Figure 96 Dispatch Logs Details Page

Refreshing Webhooks Token Through the UI
To refresh the Webhooks token through the UI:
1. In the Account Home page, under Global Settings, click Webhooks. The Webhooks page is displayed.
2. In the Webhook table, select the Webhook from the list and click the Edit icon.
3. In the pop-up window, click the Refresh icon next to the token. The token is refreshed.

Creating and Updating Webhooks Through the API Gateway
The following HTTP methods are defined for the Aruba Central API Webhooks resource:
- GET
- POST
- PUT
- DELETE
You can perform CRUD operations on the Webhooks URL configuration. The key configuration elements that are required to use the API Webhooks service are the Webhooks URL and a shared secret. A shared secret token is generated for the Webhooks URL when you register for Webhooks.
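The token validation that the receiving service must perform, shown as an added example that is not Aruba's code: it recomputes an HMAC-SHA256 from the payload and the shared secret token, then rejects stale or replayed deliveries. The signature header name, its base64 encoding and the signed message layout are assumptions not stated on this page; the token and payload are constructed samples.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumptions (not stated on the page): the signature header name, its base64
# encoding, and which fields are signed. Confirm them in the API reference.
SIGNATURE_HEADER = "x-central-signature"
SIGNED_HEADERS = ("x-central-service", "x-central-delivery-id",
                  "x-central-delivery-timestamp")


def sign(token, headers, body):
    """HMAC-SHA256 keyed with the webhook token over body + signed headers.

    `headers` must use lower-case names; `body` is the raw request bytes.
    """
    message = body + "".join(headers[n] for n in SIGNED_HEADERS).encode()
    digest = hmac.new(token.encode(), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_delivery(token, body, delivery_id, timestamp):
    """Sender side, constructed for this demo, using the page's header names."""
    headers = {
        "Content-Type": "application/json",
        "X-Central-Service": "Alerts",
        "X-Central-Delivery-ID": delivery_id,
        "X-Central-Delivery-Timestamp": timestamp,
    }
    lowered = {k.lower(): v for k, v in headers.items()}
    headers["X-Central-Signature"] = sign(token, lowered, body)
    return headers


class WebhookVerifier:
    def __init__(self, tokens, max_skew=timedelta(minutes=5)):
        self.tokens = list(tokens)  # current token, then the pre-refresh one
        self.max_skew = max_skew
        self.seen = set()           # use a bounded TTL cache in production

    def verify(self, headers, body, now=None):
        """Return (accepted, reason, alert_dict_or_None)."""
        h = {k.lower(): v for k, v in headers.items()}
        for name in SIGNED_HEADERS + (SIGNATURE_HEADER,):
            if name not in h:
                return False, "missing header: " + name, None

        # 1. Authenticate before trusting any field; compare in constant time.
        supplied = h[SIGNATURE_HEADER].encode()
        if not any(hmac.compare_digest(sign(t, h, body).encode(), supplied)
                   for t in self.tokens):
            return False, "bad signature", None

        # 2. Freshness: the timestamp was covered by the signature check above.
        try:
            sent = datetime.fromisoformat(h["x-central-delivery-timestamp"])
        except ValueError:
            return False, "bad timestamp", None
        if sent.tzinfo is None:
            return False, "bad timestamp", None
        now = now or datetime.now(timezone.utc)
        if abs(now - sent) > self.max_skew:
            return False, "stale delivery", None

        # 3. Replay: each delivery ID is processed once.
        delivery_id = h["x-central-delivery-id"]
        if delivery_id in self.seen:
            return False, "replayed delivery", None

        # 4. Only now parse the authenticated payload.
        try:
            alert = json.loads(body)
        except ValueError:
            return False, "bad json", None
        if not isinstance(alert, dict) or "alert_type" not in alert:
            return False, "unexpected payload", None
        self.seen.add(delivery_id)
        return True, "ok", alert


# Constructed sample input, trimmed from the page's "AP Disconnected" payload.
SAMPLE_TOKEN = "constructed-token-not-real"
SAMPLE_ID = "72d3162e-cc78-11e3-81ab-4c9367dc0958"
SAMPLE_TS = "2016-07-12T13:14:19-07:00"
SAMPLE_BODY = json.dumps({
    "alert_type": "AP disconnected", "state": "Open",
    "device_id": "CT0779239", "severity": "Critical",
}).encode()

if __name__ == "__main__":
    hdrs = build_delivery(SAMPLE_TOKEN, SAMPLE_BODY, SAMPLE_ID, SAMPLE_TS)
    clock = datetime.fromisoformat(SAMPLE_TS) + timedelta(minutes=1)
    verifier = WebhookVerifier([SAMPLE_TOKEN])
    print(verifier.verify(hdrs, SAMPLE_BODY, now=clock)[:2])  # first delivery
    print(verifier.verify(hdrs, SAMPLE_BODY, now=clock)[:2])  # same ID again
```

Size max_skew to the Retry Policy you selected: the page does not say whether retries carry the original timestamp, and a Critical policy can retry for up to 27 hours. Passing both the new and the previous token keeps in-flight deliveries verifying across a token refresh.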
A hash key is generated with the SHA256 algorithm from the payload and the shared secret token. An API to refresh the shared secret token is provided for a specific Webhooks configuration. You can choose the frequency at which you want to refresh the secret token.
To access and use the API Webhooks service:
1. In the Account Home page, under Global Settings, click API Gateway. The API Gateway page is displayed.
2. In the APIs tab, click the Swagger link under the Documentation header. The Swagger website opens.
3. In the Swagger website, from the URL drop-down list, select Webhook. All available Webhooks APIs are listed under API Reference.
For more information on Webhooks APIs, see: https://app1-apigw.central.arubanetworks.com/swagger/central.

List of Webhooks APIs
Aruba Central supports the following Webhooks APIs:
- GET /central/v1/webhooks--Gets a list of Webhooks.
The following is a sample response:
{
  "count": 1,
  "settings": [
    {
      "wid": "e26450be-4dac-435b-ac01-15d8f9667eb8",
      "name": "AAA",
      "updated_ts": 1523956927,
      "urls": [ "https://example.org/webhook1", "https://example.org/webhook1" ],
      "secure_token": "KEu5ZPTi44UO4MnMiOqz"
    }
  ]
}
- POST /central/v1/webhooks--Creates Webhooks.
The following is a sample response:
{
  "name": "AAA",
  "wid": "e829a0f6-1e36-42fe-bafd-631443cbd581"
}
- DELETE /central/v1/webhooks/{wid}--Deletes Webhooks.
The following is a sample response:
{
  "wid": "e26450be-4dac-435b-ac01-15d8f9667eb8"
}
- GET /central/v1/webhooks/{wid}--Gets Webhooks settings for a specific item.
The following is a sample response:
{
  "wid": "e26450be-4dac-435b-ac01-15d8f9667eb8",
  "name": "AAA",
  "updated_ts": 1523956927,
  "urls": [ "https://example.org/webhook1", "https://example.org/webhook1" ],
  "secure_token": "KEu5ZPTi44UO4MnMiOqz"
}
- PUT /central/v1/webhooks/{wid}--Updates Webhooks settings for a specific item.
The following is a sample response:
{
  "name": "AAA",
  "wid": "e829a0f6-1e36-42fe-bafd-631443cbd581"
}
- GET /central/v1/webhooks/{wid}/token--Gets the Webhooks token for the Webhooks ID.
The following is a sample response:
{
  "name": "AAA",
  "secure_token": "[{\"token\": \"zSMrzuYrblgBfByy2JrM\", \"ts\": 1523957233}]"
}
- PUT /central/v1/webhooks/{wid}/token--Refreshes the Webhooks token for the Webhooks ID.
The following is a sample response:
{
  "name": "AAA",
  "secure_token": "[{\"token\": \"zSMrzuYrblgBfByy2JrM\", \"ts\": 1523957233}]"
}
- GET /central/v1/webhooks/{wid}/ping--Tests the Webhooks notification and returns whether it succeeded or failed.
The following is a sample response:
"Ping Response [{'url': 'https://example.org', 'status': 404}]"

Sample Webhooks Payload Format for Alerts
URL
POST <webhook-url>
Custom Headers
Content-Type: application/json
X-Central-Service: Alerts
X-Central-Event: Radio-Channel-Utilization
X-Central-Delivery-ID: 72d3162e-cc78-11e3-81ab-4c9367dc0958
X-Central-Delivery-Timestamp: 2016-07-12T13:14:19-07:00
X-Central-Customer-ID: <########>
Refer to the following topics to view sample JSON content:
- Access Point Alerts--Sample JSON
- Switch Alerts--Sample JSON
- Gateway Alerts--Sample JSON
- Miscellaneous Alerts--Sample JSON

Access Point Alerts--Sample JSON
This section includes sample JSON content for the following alerts:

AP Disconnected
{
  "alert_type": "AP disconnected",
  "description": "AP with Name 84:d4:7e:c5:c8:8c and MAC address 84:d4:7e:c5:c8:8c disconnected, Group:unprovisioned",
  "timestamp": 1564326129,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-4",
  "state": "Open",
  "nid": 4,
  "details": { "_rule_number": "0", "group": "1", "labels": "", "conn_status": "disconnected", "params": [ "84:d4:7e:c5:c8:8c", "84:d4:7e:c5:c8:8c" ], "time": "2019-07-28 15:02:09 UTC" },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm2zVQO1ZtiGF20e",
  "severity": "Critical"
}

AP Connected Clients
{
  "alert_type": "AP_CONNECTED_CLIENTS",
  "description": "Number of Clients connected to AP with name 84:d4:7e:c5:c8:8c has been above 1 for about 5 minutes since 2019-07-29 12:26:00 UTC.",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-1255",
  "state": "Open",
  "nid": 1255,
  "details": { "_rule_number": "0", "group": "1", "labels": "", "name": "84:d4:7e:c5:c8:8c", "duration": "5", "threshold": "1", "time": "2019-07-28 15:02:08 UTC" },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVGH9ZtiGF20d",
  "severity": "Major"
}

AP CPU Over Utilization
{
  "alert_type": "AP_CPU_OVER_UTILIZATION",
  "description": "CPU utilization for AP 84:d4:7e:c5:c8:8c with serial CT0779239 has been above 10% for about 5 minutes since 2019-07-28 14:21:00 UTC.",
  "timestamp": 1564323960,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-1250",
  "state": "Open",
  "nid": 1250,
  "details": { "_rule_number": "0", "group": "1", "name": "84:d4:7e:c5:c8:8c", "duration": "5", "time": "2019-07-28 14:21:00 UTC", "threshold": "10", "ds_key": "201804170291.CT0779239.cpu_utilization.5m", "serial": "CT0779239", "unit": "%" },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw4-VVrVQO1ZtiGFkZ3",
  "severity": "Critical"
}

AP Memory Over Utilization
{
  "alert_type": "AP_MEMORY_OVER_UTILIZATION",
  "description": "Memory utilization for AP iap-303-iphone456-offline with serial CNGHKGX004 has been above 40% for about 5 minutes since 2019-07-24 07:11:00 UTC.",
  "timestamp": 1563952560,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-1251",
  "state": "Open",
  "nid": 1251,
  "details": { "_rule_number": "1", "group": "3", "name": "iap-303-iphone456-offline", "labels": "3,118", "duration": "5", "time": "2019-07-24 07:11:00 UTC", "threshold": "40", "ds_key": "201804170291.CNGHKGX004.memory_utilization.5m", "serial": "CNGHKGX004", "unit": "%" },
  "operation": "create",
  "device_id": "CNGHKGX004",
  "id": "AWwi1jihVQO1ZtiGThDA",
  "severity": "Major"
}

AP Radio Noise Floor
{
  "alert_type": "AP_RADIO_NOISE_FLOOR",
  "description": "Noise floor on AP iap-303-iphone456-offline operating on Channel 10 and serving 0 clients has been above -110 dBm for about 10 minutes since 2019-07-24 07:06:00 UTC.",
  "timestamp": 1563952560,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-1253",
  "state": "Open",
  "nid": 1253,
  "details": { "_rule_number": "0", "group": "3", "name": "iap-303-iphone456-offline", "_radio_num": "1", "client_count": "0", "labels": "3,118", "_band": "0", "duration": "10", "time": "2019-07-24 07:06:00 UTC", "threshold": "110", "ds_key": "201804170291.CNGHKGX004.radio.noisefloor", "serial": "CNGHKGX004", "channel": "10" },
  "operation": "create",
  "device_id": "CNGHKGX004",
  "id": "AWwi1jjgVQO1ZtiGThDB",
  "severity": "Critical"
}

AP Radio Over Utilization
{
  "alert_type": "AP_RADIO_OVER_UTILIZATION",
  "description": "Radio utilization on AP 84:d4:7e:c5:c8:8c operating on Channel 36E and serving 0 clients has been above 1% for about 5 minutes since 2019-07-28 14:31:00 UTC.",
  "timestamp": 1564324560,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-1252",
  "state": "Open",
  "nid": 1252,
  "details": { "_rule_number": "0", "group": "1", "name": "84:d4:7e:c5:c8:8c", "_radio_num": "0", "client_count": "0", "_band": "1", "duration": "5", "unit": "%", "time": "2019-07-28 14:31:00 UTC", "threshold": "1", "ds_key": "201804170291.CT0779239.radio.busy64", "serial": "CT0779239", "channel": "36E" },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5An08VQO1ZtiGFpgm",
  "severity": "Critical"
}

Client Attack Detected
{
  "alert_type": "Client attack detected",
  "description": "An AP (NAME iap-303-iphone456-o and MAC 90:4c:81:cf:27:74 on RADIO 1) detected an unencrypted frame between a valid client (88:63:df:bb:2a:9d) and access point (BSSID 90:4c:81:72:77:55) with source 88:63:df:bb:2a:9d and receiver ff:ff:ff:ff:ff:ff SNR value is 55",
  "timestamp": 1564392710,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-13",
  "state": "Open",
  "nid": 13,
  "details": { "group": "3", "labels": "3,142,141", "params": "None", "_rule_number": "0", "time": "2019-07-29 09:31:50 UTC" },
  "operation": "create",
  "device_id": "CNGHKGX004",
  "id": "AWw9EmBxVQO1ZtiGO1Q8",
  "severity": "Critical"
}

Connected Clients
{
  "alert_type": "CONNECTED_CLIENTS",
  "description": "Number of Clients connected to swarm with name SetMeUp-CA:35:56 has been above 1 for about 5 minutes since 2019-07-29 12:26:00 UTC.",
  "timestamp": 1564403460,
  "webhook": "68612ee3-3ee9-4da4-b07b-13977a350344",
  "setting_id": "b8be21720dc04a8e9f0028374b6a9bbd-1254",
  "state": "Open",
  "nid": 1254,
  "details": { "_rule_number": "0", "group": "1", "name": "SetMeUp-CA:35:56", "duration": "5", "aggr_context": "swarm", "time": "2019-07-29 12:26:00 UTC", "threshold": "1", "ds_key": "b8be21720dc04a8e9f0028374b6a9bbd.cluster.156.device.clients.5m", "serial": "156" },
  "operation": "create",
  "device_id": "156",
  "id": "AWw9tmhNVQO1ZtiGQR5U",
  "severity": "Critical"
}

Infrastructure Attack Detected
{
  "alert_type": "Infrastructure attack detected",
  "description": "An AP (NAME iap-303-iphone456-o and MAC 90:4c:81:cf:27:74 on RADIO 1) detected that the Access Point with MAC f0:5c:19:23:56:10 and BSSID f0:5c:19:23:56:10 has sent a beacon for SSID tan This beacon advertizes channel 149 but was received on channel 161 with SNR 50 ",
  "timestamp": 1564400165,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-12",
  "state": "Open",
  "nid": 12,
  "details": { "group": "3", "labels": "3,142,141", "params": "None", "_rule_number": "0", "time": "2019-07-29 11:36:05 UTC" },
  "operation": "create",
  "device_id": "CNGHKGX004",
  "id": "AWw9hCLAVQO1ZtiGP1ig",
  "severity": "Critical"
}

Insufficient Power Alert
{
  "alert_type": "INSUFFICIENT_POWER_ALERT",
  "description": "Insufficient inline power supplied to AP-205 with name 04:bd:88:c3:b6:f0",
  "timestamp": 1564403450,
  "webhook": "68612ee3-3ee9-4da4-b07b-13977a350344",
  "setting_id": "b8be21720dc04a8e9f0028374b6a9bbd-21",
  "state": "Open",
  "nid": 21,
  "details": { "group": "0", "name": "04:bd:88:c3:b6:f0", "labels": [], "label_site_desc": "", "time": "2019-07-29 12:30:50 UTC", "serial": "CM0381143", "group_name": "default", "ap_model": "AP-205" },
  "operation": "create",
  "device_id": "CM0381143",
  "id": "AWw9tkNGVQO1ZtiGQRz-",
  "severity": "Major"
}

Modem Plugged
{
  "alert_type": "Modem Plugged",
  "description": "Modem plugged to ap with name 84:d4:7e:c5:c8:8c'and MAC address 84:d4:7e:c5:c8:8c",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-18",
  "state": "Open",
  "nid": 18,
  "details": { "_rule_number": "0", "group": "1", "labels": "", "params": [ "84:d4:7e:c5:c8:8c", "84:d4:7e:c5:c8:8c" ], "time": "2019-07-28 15:02:08 UTC" },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zJKL90tiGF20d",
  "severity": "Critical"
}

Modem Unplugged
{
  "alert_type": "Modem Unplugged",
  "description": "Modem unplugged from ap with name 84:d4:7e:c5:c8:8c'and MAC address 84:d4:7e:c5:c8:8c",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-19",
  "state": "Open",
  "nid": 19,
  "details": { "_rule_number": "0", "group": "1", "labels": "", "params": [ "84:d4:7e:c5:c8:8c", "84:d4:7e:c5:c8:8c" ], "time": "2019-07-28 15:02:08 UTC" },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVQO1ZtiGF20d",
  "severity": "Critical"
}

New AP Detected
{
  "alert_type": "New AP detected",
  "description": "New AP with Name 84:d4:7e:c5:c8:8c and MAC address 84:d4:7e:c5:c8:8c detected, Group:unprovisioned",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-3",
  "state": "Open",
  "nid": 3,
  "details": { "_rule_number": "0", "group": "1", "labels": "", "params": [ "84:d4:7e:c5:c8:8c", "84:d4:7e:c5:c8:8c" ], "time": "2019-07-28 15:02:08 UTC" },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVQO1ZtiJH56e",
  "severity": "Major"
}

New Virtual Controller Detected
{
  "alert_type": "New Virtual Controller detected",
  "description": "New Virtual Controller with Name SetMeUp-CA:51:D6, Version 8.4.0.0_69847 and IP address 10.29.43.70 detected, Group:unprovisioned",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-1",
  "state": "Open",
  "nid": 1,
  "details": { "_rule_number": "0", "group": "1", "labels": "", "params": [ "SetMeUp-CA:51:D6", "8.4.0.0_69847", "10.29.43.70" ], "time": "2019-07-28 15:02:08 UTC" },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVQO1ZtiJH56j",
  "severity": "Critical"
}

Rogue AP Detected
{
  "alert_type": "Rogue AP detected",
  "description": "An AP (NAME 84:d4:7e:c5:c8:8c and MAC address 84:d4:7e:c5:c8:8con RADIO 1) detected an access point (BSSID 0c:00:01:34:69:62 and SSID ssid1 on CHANNEL 52) as rogue",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-10",
  "state": "Open",
  "nid": 10,
  "details": { "_rule_number": "0", "group": "1", "labels": "", "params": [ "84:d4:7e:c5:c8:8c", "84:d4:7e:c5:c8:8c", "1", "0c:00:01:34:69:62", "ssid1", "52" ], "time": "2019-07-28 15:02:08 UTC" },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVQO1ZtiJK89l",
  "severity": "Critical"
}

Uplink Changed
{
  "alert_type": "Uplink Changed",
  "description": "Uplink changed from 0 to 1 for ap'with name {params[2]} and MAC address {params[3]}",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-17",
  "state": "Open",
  "nid": 17,
  "details": { "_rule_number": "0", "group": "1", "labels": "", "params": [ "0", "1", "84:d4:7e:c5:c8:8c", "84:d4:7e:c5:c8:8c" ], "time": "2019-07-28 15:02:08 UTC" },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVQO1ZtiGF20d",
  "severity": "Critical"
}

Virtual Controller Disconnected
{
  "alert_type": "Virtual controller disconnected",
  "description": "Virtual Controller with Name SetMeUp-CA:51:D6, Version 8.4.0.0_69847 and IP address 10.29.43.70 disconnected, Group:unprovisioned",
  "timestamp": 1564326128,
  "webhook": "780c65a0-10b6-4eb1-b725-21b0d52aa432",
  "setting_id": "201804170291-2",
  "state": "Open",
  "nid": 2,
  "details": { "_rule_number": "0", "group": "1", "labels": "", "conn_status": "disconnected", "params": [ "SetMeUp-CA:51:D6", "8.4.0.0_69847", "10.29.43.70" ], "time": "2019-07-28 15:02:08 UTC" },
  "operation": "create",
  "device_id": "CT0779239",
  "id": "AWw5Gm1zVQO1ZtiGF20d",
  "severity": "Critical"
}

Switch Alerts--Sample JSON
This section includes sample JSON content for the following alerts:

Switch Disconnected
{
  "alert_type": "Switch Disconnected",
  "description": "Switch with serial CN8AHKW095, MAC address 54:80:28:b8:f6:20 IP address 10.22.41.3 and Hostname Aruba-2930F-24G-PoEP-4SFPP disconnected, Group:unprovisioned",
  "timestamp": 1569475139,
  "webhook": "f8b021a2-8127-4c28-a755-8ee6e01ada66",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-203",
  "state": "Open",
  "nid": 203,
  "details": { "_rule_number": "0", "group": "1", "labels": "", "conn_status": "disconnected", "params": [ "CN8AHKW095", "54:80:28:b8:f6:20", "10.22.41.3", "Aruba-2930F-24G-PoEP-4SFPP" ], "time": "2019-09-26 05:18:59 UTC" },
  "operation": "create",
  "device_id": "CN8AHKW095",
  "id": "AW1sAhfAYu0OgJ2anzUD",
  "severity": "Major"
}

New Switch Connected
{
  "alert_type": "New Switch Connected",
  "description": "New Switch with serial CN8AHKW095, MAC address 54:80:28:b8:f6:20 IP address 10.22.41.3 and Hostname Aruba-2930F-24G-PoEP-4SFPP connected, Group:unprovisioned",
  "timestamp": 1569476559,
  "webhook": "f8b021a2-8127-4c28-a755-8ee6e01ada66",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-201",
  "state": "Open",
  "nid": 201,
  "details": { "group": "1", "labels": "", "params": [ "CN8AHKW095", "54:80:28:b8:f6:20", "10.22.41.3", "Aruba-2930F-24G-PoEP-4SFPP" ], "_rule_number": "0", "time": "2019-09-26 05:42:39 UTC" },
  "operation": "create",
  "device_id": "CN8AHKW095",
  "id": "AW1sF8IGYu0OgJ2an0Aq",
  "severity": "Major"
}

Switch Memory Over Utilization
{
  "alert_type": "SWITCH_MEMORY_OVER_UTILIZATION",
  "description": "Memory utilization for Switch Aruba-2930F-24G-PoEP-4SFPP with serial CN8AHKW095 has been above 10% for about 5 minutes since 2019-09-26 05:48:00 UTC",
  "timestamp": 1569477180,
  "webhook": "f8b021a2-8127-4c28-a755-8ee6e01ada66",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1301",
  "state": "Open",
  "nid": 1301,
  "details": { "_rule_number": "0", "group": "1", "name": "Aruba-2930F-24G-PoEP-4SFPP", "duration": "5", "time": "2019-09-26 05:48:00 UTC", "threshold": "10", "ds_key": "e344d961bccd411dbd279bf92f61b989.CN8AHKW095.memory_utilization.5m", "serial": "CN8AHKW095", "unit": "%" },
  "operation": "create",
  "device_id": "CN8AHKW095",
  "id": "AW1sITrfYu0OgJ2an0UP",
  "severity": "Critical"
}

Switch CPU Over Utilization
{
  "alert_type": "SWITCH_CPU_OVER_UTILIZATION",
  "description": "CPU utilization for Switch Aruba-2930F-48G-PoEP-4SFPP with serial CN88HKX1CR has been above 5% for about 5 minutes since 2019-09-26 06:07:00 UTC.",
  "timestamp": 1569478320,
  "webhook": "f8b021a2-8127-4c28-a755-8ee6e01ada66",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1300",
  "state": "Open",
  "nid": 1300,
  "details": { "_rule_number": "0", "group": "41", "name": "Aruba-2930F-48G-PoEP-4SFPP", "duration": "5", "time": "2019-09-26 06:07:00 UTC", "threshold": "5", "ds_key": "e344d961bccd411dbd279bf92f61b989.CN88HKX1CR.cpu_utilization.5m", "serial": "CN88HKX1CR", "unit": "%" },
  "operation": "create",
  "device_id": "CN88HKX1CR",
  "id": "AW1sMqB4Yu0OgJ2an055",
  "severity": "Critical"
}

Switch Interface Rx Rate
{
  "alert_type": "SWITCH_INTERFACE_RX_RATE",
  "description": "Receive rate for Interface 15 on Switch Aruba-2930F-24G-PoEP-4SFPP has been above 1 % for about 5 minutes since 2019-09-26 13:18:00 UTC.",
  "timestamp": 1569504180,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1303",
  "state": "Open",
  "nid": 1303,
  "details": { "_rule_number": "0", "group": "1", "name": "Aruba-2930F-24G-PoEP-4SFPP", "max_value_for_percentage": "1000.0", "threshold": "1", "intf_name": "15", "time": "2019-09-26 13:18:00 UTC", "duration": "5", "ds_key": "e344d961bccd411dbd279bf92f61b989.CN8AHKW095.intf.rx_utilization.5m", "serial": "CN8AHKW095", "unit": "%" },
  "operation": "create",
  "device_id": "CN8AHKW095",
  "id": "AW1tvTgBYu0OgJ2aoCgl",
  "severity": "Critical"
}

Switch Interface Tx Rate
{
  "alert_type": "SWITCH_INTERFACE_TX_RATE",
  "description": "Transfer rate for Interface 19 on Switch Aruba-2930F-24G-PoEP-4SFPP has been above 1 % for about 5 minutes since 2019-09-26 13:18:00 UTC.",
  "timestamp": 1569504180,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1302",
  "state": "Open",
  "nid": 1302,
  "details": { "_rule_number": "0", "group": "1", "name": "Aruba-2930F-24G-PoEP-4SFPP", "max_value_for_percentage": "1000.0", "threshold": "1", "intf_name": "19", "time": "2019-09-26 13:18:00 UTC", "duration": "5", "ds_key": "e344d961bccd411dbd279bf92f61b989.CN8AHKW095.intf.tx_utilization.5m", "serial": "CN8AHKW095", "unit": "%" },
  "operation": "create",
  "device_id": "CN8AHKW095",
  "id": "AW1tvTgBYu0OgJ2aoCgk",
  "severity": "Critical"
}

Switch POE Utilization
{
  "alert_type": "SWITCH_POE_UTILIZATION",
  "description": "PoE utilization for Switch Aruba-2930F-24G-PoEP-4SFPP with serial CN69HKW05T MAC address e0:07:1b:c4:8d:80 and IP address 10.22.182.78 has been above 1%",
  "timestamp": 1569505920,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1307",
  "state": "Open",
  "nid": 1307,
  "details": { "group": "0", "name": "Aruba-2930F-24G-PoEP-4SFPP", "ip": "10.22.182.78", "labels": [], "mac": "e0:07:1b:c4:8d:80", "time": "2019-09-26 13:52:00 UTC", "threshold": "1", "serial": "CN69HKW05T" },
  "operation": "create",
  "device_id": "CN69HKW05T",
  "id": "AW1t18ccYu0OgJ2aoDYw",
  "severity": "Critical"
}

Switch Interface Input Errors
{
  "alert_type": "SWITCH_INTERFACE_INPUT_ERRORS",
  "description": "Input errors for Interface 19 on Switch Aruba-2930F-24G-PoEP-4SFPP has been above 90% for about 30 minutes since 2019-09-26 06:07:00 UTC .",
  "timestamp": 1569505920,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1307",
  "state": "Open",
  "nid": 1307,
  "details": { "group": "0", "name": "Aruba-2930F-24G-PoEP-4SFPP", "ip": "10.22.182.78", "labels": [], "mac": "e0:07:1b:c4:8d:80", "time": "2019-09-26 13:52:00 UTC", "threshold": "1", "serial": "CN69HKW05T" },
  "operation": "create",
  "device_id": "CN69HKW05T",
  "id": "AW1t18ccYu0OgJ2aoDYw",
  "severity": "Critical"
}

Switch Interface Output Errors
{
  "alert_type": "SWITCH_INTERFACE_OUTPUT_ERRORS",
  "description": "Output errors for Interface 19 on Switch Aruba-2930F-24G-PoEP-4SFPP has been above 90% for about 30 minutes since 2019-09-26 06:07:00 UTC.",
  "timestamp": 1569505920,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1307",
  "state": "Open",
  "nid": 1307,
  "details": { "group": "0", "name": "Aruba-2930F-24G-PoEP-4SFPP", "ip": "10.22.182.78", "labels": [], "mac": "e0:07:1b:c4:8d:80", "time": "2019-09-26 13:52:00 UTC", "threshold": "1", "serial": "CN69HKW05T" },
  "operation": "create",
  "device_id": "CN69HKW05T",
  "id": "AW1t18ccYu0OgJ2aoDYw",
  "severity": "Critical"
}

Switch Mismatch Config
{
  "alert_type": "Switch Mismatch Config",
  "description": "Config mismatch occurred in switch with serial CN69HKW05T MAC address e0:07:1b:c4:8d:80 and IP address 10.22.182.78 and Hostname Aruba-2930F-48G-PoEP-4SFPP ",
  "timestamp": 1569505920,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1307",
  "state": "Open",
  "nid": 1307,
  "details": { "group": "0", "name": "Aruba-2930F-24G-PoEP-4SFPP", "ip": "10.22.182.78", "labels": [], "mac": "e0:07:1b:c4:8d:80", "time": "2019-09-26 13:52:00 UTC", "threshold": "1", "serial": "CN69HKW05T" },
  "operation": "create",
  "device_id": "CN69HKW05T",
  "id": "AW1t18ccYu0OgJ2aoDYw",
  "severity": "Critical"
}

Switch Hardware Failure
{
  "alert_type": "SWITCH_HARDWARE_FAILURE",
  "description": "Switch with serial CN8AHKW095 : Fan 1 failed ",
  "timestamp": 1569505920,
  "webhook": "4d588353-3355-487d-81af-c97f62b0abb0",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1307",
  "state": "Open",
  "nid": 1307,
  "details": { "group": "0", "name": "Aruba-2930F-24G-PoEP-4SFPP", "ip": "10.22.182.78", "labels": [], "mac": "e0:07:1b:c4:8d:80", "time": "2019-09-26 13:52:00 UTC", "threshold": "1", "serial": "CN69HKW05T" },
  "operation": "create",
  "device_id": "CN69HKW05T",
  "id": "AW1t18ccYu0OgJ2aoDYw",
  "severity": "Critical"
}

Switch Interface Duplex Mode
{
  "alert_type": "SWITCH_INTERFACE_DUPLEX_MODE",
  "description": "Interface 19 on switch Aruba-2930F-24G-PoEP-4SFPP with serial CN8AHKW095 is operating at Half-Duplex mode",
  "timestamp": 1569901561,
  "webhook": "c71404f4-00c1-4241-8bf4-c8d3f981caa2",
  "setting_id": "e344d961bccd411dbd279bf92f61b989-1306",
  "state": "Open",
  "nid": 1306,
  "details": { "group": "1", "name": "Aruba-2930F-24G-PoEP-4SFPP", "labels": "", "mode": "Half", "intf_name": "19", "time": "2019-10-01 03:46:01 UTC", "serial": "CN8AHKW095" },
  "operation": "create",
  "device_id": "CN8AHKW095",
  "id": "AW2FbMiOYu0OgJ2asaWh",
  "severity": "Critical"
}

Gateway Alerts--Sample JSON
This section includes sample JSON content for the following alerts:

WAN Uplink Flap
{
  "alert_type": "WAN_UPLINK_FLAP",
  "description": "Uplink link1_inet link status flapped 1% on device with CNHHKLB031 for about 15 minutes since 2019-07-25 12:36:00 UTC.",
  "timestamp": 1564059060,
  "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1600",
  "state": "Open",
  "nid": 1600,
  "details": { "status": "DOWN", "_rule_number": "0", "group": "77", "labels": "8,661", "current_status": "UP", "duration": "15", "intf_name": "link1_inet", "time": "2019-07-25 12:36:00 UTC", "threshold": "1", "ds_key": "abce082bef4a428bb31366f6d6ff223f.CNHHKLB031.uplink.flap.5m", "serial": "CNHHKLB031", "uplink_tag": "link1_inet", "unit": "%" },
  "operation": "create",
  "device_id": "CNHHKLB031",
  "id": "AWwpL0fvVQO1ZtiGh-2_",
  "severity": "Critical"
}

WAN Tunnel Flap
{
  "alert_type": "WAN_TUNNEL_FLAP",
  "description": "Tunnel data-vpnc-00:1a:1e:03:83:30-link1_inet status flapped 1% on device CNHHKLB031 for about 15 minutes since 2019-07-25 12:26:00 UTC.",
  "timestamp": 1564058460,
  "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1601",
  "state": "Open",
  "nid": 1601,
  "details": { "alias_map_name": "data-vpnc-00:1a:1e:03:83:30-link1_inet", "_rule_number": "0", "group": "77", "dst_ip": "172.168.101.9", "labels": "8,661", "src_ip": "192.168.51.254", "duration": "15", "time": "2019-07-25 12:26:00 UTC", "threshold": "1", "ds_key": "abce082bef4a428bb31366f6d6ff223f.CNHHKLB031.uplink.tunnel.flap.5m", "serial": "CNHHKLB031", "uplink_tag": "link1_inet", "unit": "%" },
  "operation": "create",
  "device_id": "CNHHKLB031",
  "id": "AWwpJiAiVQO1ZtiGh5tw",
  "severity": "Critical"
}

WAN Auto Negotiation Flap
{
  "alert_type": "WAN_AUTO_NEGOTIATION_FLAP",
  "description": "Uplink GE0/0/1 speed flapped 1% on device CNHHKLB031 for about 15 minutes since 2019-07-25 12:32:00 UTC.",
  "timestamp": 1564058820,
  "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1602",
  "state": "Open",
  "nid": 1602,
  "details": { "new_speed": "Auto", "group": "77", "labels": "8,661", "duration": "15", "_rule_number": "0", "intf_name": "GE0/0/1", "time": "2019-07-25 12:32:00 UTC", "threshold": "1", "ds_key": "abce082bef4a428bb31366f6d6ff223f.CNHHKLB031.uplink.speed.flap.5m", "serial": "CNHHKLB031", "speed": "1000", "unit": "%" },
  "operation": "create",
  "device_id": "CNHHKLB031",
  "id": "AWwpK55sVQO1ZtiGh8zr",
  "severity": "Minor"
}

WAN IPsec SA Establishment Failed
{
  "alert_type": "WAN_IPSEC_SA_ESTABILSHMENT_FAILED",
  "description": "IPSec Tunnel Establishment from 192.168.51.254 to 172.168.101.9 failed on device CNHHKLB031 at 2019-07-25 12:49:56 UTC",
  "timestamp": 1564058996,
  "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1550",
  "state": "Open",
  "nid": 1550,
  "details": { "alias_map_name": "data-vpnc-00:1a:1e:03:83:30-link1_inet", "group": "77", "name": "None", "labels": [ "8", "661" ], "src_ip": "192.168.51.254", "link_tag": "link1_inet", "time": "2019-07-25 12:49:56 UTC", "dst_ip": "172.168.101.9", "serial": "CNHHKLB031" },
  "operation": "create",
  "device_id": "CNHHKLB031",
  "id": "AWwpLlB0VQO1ZtiGh-WS",
  "severity": "Minor"
}

WAN IPsec SA Down
{
  "alert_type": "WAN_IPSEC_SA_DOWN",
  "description": "IPSec tunnel from 192.168.52.254 to 172.168.101.9 is DOWN on device CNHHKLB031. Reason: Administrator cleared IPSEC SA at 2019-07-25 12:40:22 UTC",
  "timestamp": 1564058422,
  "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1551",
  "state": "Open",
  "nid": 1551,
  "details": { "alias_map_name": "data-vpnc-00:1a:1e:03:83:30-link2_mpls", "group": "77", "name": "None", "labels": [ "8", "661" ], "src_ip": "192.168.52.254", "reason": "Administrator cleared IPSEC SA", "time": "2019-07-25 12:40:22 UTC", "dst_ip": "172.168.101.9", "serial": "CNHHKLB031", "uplink_tag": "link2_mpls" },
  "operation": "create",
  "device_id": "CNHHKLB031",
  "id": "AWwpJY4aVQO1ZtiGh5c-",
  "severity": "Minor"
}

WAN IPsec SA All Down
{
  "alert_type": "WAN_IPSEC_SA_ALL_DOWN",
  "description": "All IPSec SAs down for device CNHHKLB031 at 2019-07-25 12:40:22 UTC",
  "timestamp": 1564058446,
  "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1552",
  "state": "Close",
  "nid": 1552,
  "details": { "serial": "CNHHKLB031", "labels": [ "8", "661" ], "group": "77", "name": "None", "time": "2019-07-25 12:40:22 UTC" },
  "operation": "update",
  "device_id": "CNHHKLB031",
  "id": "AWwpJY3NVQO1ZtiGh5c9",
  "severity": "Critical"
}

CFG Set Advertisement Failure
{
  "alert_type": "CFG_SET_ADVERTISEMENT_FAILURE",
  "description": "CFG-Set advertisement failure for Gateway with CNHHKLB031 on tunnel data-vpnc-00:1a:1e:03:83:30-link1_inet from 192.168.51.254 to 172.168.101.9",
  "timestamp": 1564059635,
  "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1554",
  "state": "Open",
  "nid": 1554,
  "details": { "alias_map_name": "data-vpnc-00:1a:1e:03:83:30-link1_inet", "group": "77", "name": "None", "labels": [ "8", "661" ], "src_ip": "192.168.51.254", "time": "2019-07-25 13:00:35 UTC", "map_name": "data-vpnc-00:1a:1e:03:83:30-link1_inet", "dst_ip": "172.168.101.9", "serial": "CNHHKLB031" },
  "operation": "create",
  "device_id": "CNHHKLB031",
  "id": "AWwpOBCVVQO1ZtiGiD0f",
  "severity": "Major"
}

Controller CPU Over Utilization
{
  "alert_type": "CONTROLLER_CPU_OVER_UTILIZATION",
  "description": "CPU utilization for Gateway Aruba9004_40_0C_28 with serial CNHHKLB031 has been above 1% for about 15 minutes since 2019-07-25 09:30:00 UTC.",
  "timestamp": 1564047900,
  "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1351",
  "state": "Open",
  "nid": 1351,
  "details": { "_rule_number": "0", "group": "77", "name": "Aruba9004_40_0C_28", "labels": "8,661", "duration": "15", "time": "2019-07-25 09:30:00 UTC", "threshold": "1", "ds_key": "abce082bef4a428bb31366f6d6ff223f.CNHHKLB031.cpu_utilization.5m", "serial": "CNHHKLB031", "unit": "%" },
  "operation": "create",
  "device_id": "CNHHKLB031",
  "id": "AWwohP4LVQO1ZtiGgfbQ",
  "severity": "Critical"
}

Controller Memory Over Utilization
{
  "alert_type": "CONTROLLER_MEMORY_OVER_UTILIZATION",
  "description": "Memory utilization for Gateway Aruba9004_40_0C_28 with serial CNHHKLB031 has been above 1% for about 10 minutes since 2019-07-25 09:30:00 UTC.",
  "timestamp": 1564047600,
  "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1352",
  "state": "Open",
  "nid": 1352,
  "details": { "_rule_number": "0", "group": "77", "name": "Aruba9004_40_0C_28", "labels": "8,661", "duration": "10", "time": "2019-07-25 09:30:00 UTC", "threshold": "1", "ds_key": "abce082bef4a428bb31366f6d6ff223f.CNHHKLB031.memory_utilization.5m", "serial": "CNHHKLB031", "unit": "%" },
  "operation": "create",
  "device_id": "CNHHKLB031",
  "id": "AWwogGqYVQO1ZtiGgc2L",
  "severity": "Major"
}

Controller OSPF Session Error
{
  "alert_type": "CONTROLLER OSPF SESSION ERROR",
  "description": "OSPF session state change for Gateway with hostname GSK_VPNC2 and serial CW0003307 from Init State to Down State for neighbor 1.0.0.2 on interface 100 with reason No hello packets received from neighbour.Inactivity timer fired",
  "timestamp": 1564121712,
  "webhook": "60785e88-9513-4352-94d6-ec25fedbeddc",
  "setting_id": "b27f67fa44234c51a890fccea7c9b83e-1354",
  "state": "Open",
  "nid": 1354,
  "details": { "dst_state": "Down State", "neighbour_ip": "1.0.0.2", "group": "4", "uniq_identifier": "100-16777218", "labels": [ "2", "11", "12", "15", "13", "8" ], "src_state": "Init State", "reason": "No hello packets received from neighbour.Inactivity timer fired", "time": "2019-07-26 06:15:12 UTC", "interface": "100", "serial": "CW0003307", "hostname": "GSK_VPNC2" },
  "operation": "create",
  "device_id": "CW0003307",
  "id": "AWws60Yxon2R5PyMmUU4",
  "severity": "Major"
}

Gateway Base License Capacity Exceeded
{
  "alert_type": "GATEWAY_BASE_LICENSE_CAPACITY_EXCEEDED",
  "description": "Base license capacity limit exceeded for Gateway with name: Dev-BR1-GW-Kafka, serial: CP0015859",
  "timestamp": 1564141290,
  "webhook": "1348bcc4-ce00-4180-b314-32849c3638a1",
  "setting_id": "2fb4b8a7e77c496395950510a1d270bc-1356",
  "state": "Open",
  "nid": 1356,
  "details": { "serial": "CP0015859", "labels": [], "group": "1", "name": "Dev-BR1-GW-Kafka", "time": "2019-07-26 11:41:30 UTC" },
  "operation": "create",
  "device_id": "CP0015859",
  "id": "AWwuFgZqnGtA5yFV0hCr",
  "severity": "Critical"
}

DHCP Pool Consumption Alert
{
  "alert_type": "DHCP_POOL_CONSUMPTION_ALERT",
  "description": "DHCP Pool Consumption on Gateway CNHHKLB031 is 12% at 2019-07-25 13:02:39 UTC for 192.168.53.0/24",
  "timestamp": 1564059759,
  "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b",
  "setting_id": "abce082bef4a428bb31366f6d6ff223f-1510",
  "state": "Open",
  "nid": 1510,
  "details": { "subnet": "192.168.53.0/24", "group": "77", "name": "None", "labels": "8,661", "time": "2019-07-25 13:02:39 UTC", "threshold": "12", "serial": "CNHHKLB031", "unit": "%" },
  "operation": "create",
  "device_id": "CNHHKLB031",
  "id": "AWwpOfQAVQO1ZtiGiE2H",
  "severity": "Critical"
}

WAN Auto Negotiation
{
  "alert_type": "WAN_UPLINK_AUTONEGOTIATION_STATE_CHANGE",
"description": "WAN ports autonegotiaton speed changed from 1000 Mbps to Auto Mbps for device with CNHHKLB031 for uplink GE0/0/1 at 2019-07-25 12:46:36 UTC", "timestamp": 1564058796, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1506", "state": "Open", "nid": 1506, "details": { "new_speed": "Auto", "group": "77", "name": "None", "labels": [ "8", "661" ], "intf_name": "GE0/0/1", "time": "2019-07-25 12:46:36 UTC", "serial": "CNHHKLB031", "speed": "1000" }, "operation": "create", "device_id": "CNHHKLB031", "id": "AWwpK0IxVQO1ZtiGh8oh", "severity": "Minor" } Administering Aruba Central | 279 WAN Uplink Status Change { "alert_type": "WAN_UPLINK_STATUS_CHANGE", "description": "Uplink port link1_inet status change UP -> DOWN for device with CNHHKLB031 at 2019-07-25 09:22:31 UTC", "timestamp": 1564046551, "webhook": "394c7a3c-ca41-4476-8afc-857e54aa4b3b", "setting_id": "abce082bef4a428bb31366f6d6ff223f-1505", "state": "Open", "nid": 1505, "details": { "status": "UP", "group": "77", "name": "None", "labels": [ "8", "661" ], "current_status": "DOWN", "intf_name": "link1_inet", "time": "2019-07-25 09:22:31 UTC", "serial": "CNHHKLB031", "uplink_tag": "link1_inet" }, "operation": "create", "device_id": "CNHHKLB031", "id": "AWwocGtYVQO1ZtiGgT03", "severity": "Major" } Gateway Threat Count { "alert_type": "GW_IDS_IPS_ALERT_THREAT_OVER_A_PERIOD", "id": "AXX7N0IhaFBUFq6FQ2R1", "nid": 2305, "setting_id": "8fc0df01a43b42aa9f8e9fbc3d3b9d35-2305", "device_id": "TWJ6KSP005", "description": "Dear Incident Manager, Your Aruba Central Portal admin configured an email alert notification to be sent to this email address Why this alert? Aruba Branch Gateway https://app-yoda.arubathena.com/frontend/#/GATEWAYDETAIL/OVERVIEW/TWJ6KSP005aruba9004 _lte with serial number TWJ6KSP005exceeded 50 threat events in last 10 minutes, triggering this CRITICAL Alert notification What is next? 
Reach out to your Aruba Central Portal admin to address this incident .If not addressed or if the situation escalates, you may continue to receive similar alert notifications. More Information Go to https://app-yoda.arubathena.com/frontend/#/IDPS_DASHBOARDSystem Generated Email from Aruba Central based on alert configuration; do not reply Thanks, Aruba Central", "state": "Close", "severity": "Critical", "operation": "update", "timestamp": 1606238738, "details__threshold": 50, "details__agg_field_name": "device", "details__duration": 10, "details__device": "TWJ6KSP005", "details__severity": "CRITICAL", "details__rule_id": 0, "details__serial": "TWJ6KSP005", "details__name": "aruba9004_lte", "details__group_id": 73, "details__time": "2020-11-24 16:55:04 UTC", "webhook": "001378a5-bfb1-465e-a955-0034ef801136", "text": "Dear Incident Manager, Your Aruba Central Portal admin configured an email Aruba Central | User Guide 280 alert notification to be sent to this email address Why this alert? Aruba Branch Gateway https://app-yoda.arubathena.com/frontend/#/GATEWAYDETAIL/OVERVIEW/TWJ6KSP005aruba9004 _lte with serial number TWJ6KSP005exceeded 50 threat events in last 10 minutes, triggering this CRITICAL Alert notification What is next? Reach out to your Aruba Central Portal admin to address this incident. If not addressed or if the situation escalates, you may continue to receive similar alert notifications. More Information Go to https://app-yoda.arubathena.com/frontend/#/IDPS_DASHBOARDSystem Generated Email from Aruba Central based on alert configuration; do not reply Thanks, Aruba Central" } Gateway Threat Count per Signature { "alert_type": "GW_IDS_IPS_ALERT_THREAT_SID_OVER_A_PERIOD", "id": "AXX7N0LFaFBUFq6FQ2R2", "nid": 2306, "setting_id": "8fc0df01a43b42aa9f8e9fbc3d3b9d35-2306", "device_id": 2003068, "description": "Dear Incident Manager, Your Aruba Central Portal admin configured an email alert notification to be sent to this email address Why this alert? 
Threat events of signature id 2003068 exceeded the threshold 30 in last 30minutes, triggering this CRITICAL Alert notification. What is next? Reach out to your Aruba Central Portal admin to address this incident. If not addressed or if the situation escalates, you may continue to receive similar alert notifications. More Information Go to https://app-yoda.arubathena.com/frontend/#/IDPS_DASHBOARDSystem Generated Email from Aruba Central based on alert configuration; do not reply Thanks, Aruba Central", "state": "Close", "severity": "Critical", "operation": "update", "timestamp": 1606239938, "details__threshold": 30, "details__duration": 30, "details__agg_field_name": "signature", "details__signature": 2003068, "details__severity": "CRITICAL", "details__rule_id": 0, "details__serial": 2003068, "details__time": "2020-11-24 16:35:04 UTC", "webhook": "001378a5-bfb1-465e-a955-0034ef801136", "text": "Dear Incident Manager, Your Aruba Central Portal admin configured an email alert notification to be sent to this email address .Why this alert? Threat events of signature id 2003068 exceeded the threshold30 in last 30minutes, triggering this CRITICAL Alert notification. What is next? Reach out to your Aruba Central Portal admin to address this incident. If not addressed or if the situation escalates, you may continue to receive similar alert notifications. 
More Information Go to https://app-yoda.arubathena.com/frontend/#/IDPS_DASHBOARD System Generated Email from Aruba Central based on alert configuration; do not reply Thanks, Aruba Central" } Miscellaneous Alerts--Sample JSON This section includes sample JSON content for the following alerts: Device Config Change Detected { "alert_type": "DEVICE_CONFIG_CHANGE_DETECTED", "description": "Config change detected on group nbapi_test for device type Switch by user [email protected].\n\nSerial: None, \nMacAddress: None, Administering Aruba Central | 281 \nConfig Content: Template Updated \nmodel: ALL\nversion: ALL\ndevice_type: HPPC\ntemplate changes: \n 
@@ -18,6 +18,6 @@\n\n\n ip address dhcp-bootp\n\n exit\n\n vlan 13\n\n- name \"vlan_8888\"\n\n+ name \"vlan_ 44\"\n\n no ip address\n\n exit ", "timestamp": 1564383294, "webhook": "272eda1a-f79b-4192-ad6f-b35da11515bc", "setting_id": "715e45fe3ff8453da355cd34aff2afa5-2000", "state": "Open", "nid": 2000, "details": { "config_change": "Template Updated\nmodel: ALL\nversion: ALL\ndevice_type: HPPC\ntemplate changes: \n @@ -18,6 +18, 6 @@\n\n\n ip address dhcp-bootp\n\n exit\n\n vlan 13\n\n- name \"vlan_8888\"\n\n+ name \"vlan_44\"\n\n no ip address\n\n exit ", "macaddr": "None", "group": "8", "dev_type": "Switch", "labels": "None", "group_name": "nbapi_test", "_rule_number": "0", "params": "None", "user": "[email protected]", "time": "2019-07-29 06:54:54 UTC", "serial": "None" }, "operation": "create", "device_id": "", "id": "AWw8grSBeZ6A6PlBvMk4", "severity": "Warning" } User Account Deleted { "alert_type": "User account deleted", "description": "User with name [email protected] deleted.", "timestamp": 1569234480, "webhook": "057b0a95-9f06-4a0f-b4bf-149a28d749b3", "setting_id": "573b0412517a41c8a73a80f3e74ff0d2-15", "state": "Open", "nid": 15, "details": { "group": "-1", "labels": "None", "params": [ "[email protected]" ], "_rule_number": "0", "time": "2019-09-23 10:28:00 UTC" }, "operation": "create", "device_id": "", "id": "AW1dqe6rYu0OgJ2alXzT", "severity": "Major" } New User Account Added { "alert_type": "New User account added", "description": "User account setting updated for user: [email protected] with language:en_US and idle timeout: 1800", "timestamp": 1569234534, "webhook": "057b0a95-9f06-4a0f-b4bf-149a28d749b3", "setting_id": "573b0412517a41c8a73a80f3e74ff0d2-14", Aruba Central | User Guide 282 "state": "Open", "nid": 14, "details": { "group": "-1", "labels": "None", "params": [], "_rule_number": "0", "time": "2019-09-23 10:28:54 UTC" }, "operation": "create", "device_id": "", "id": "AW1dqr6nYu0OgJ2alX1l", "severity": "Major" } User Account Edited { 
"alert_type": "User account edited", "description": "User with Name [email protected], role readwrite and access [] updated.", "timestamp": 1569235100, "webhook": "057b0a95-9f06-4a0f-b4bf-149a28d749b3", "setting_id": "573b0412517a41c8a73a80f3e74ff0d2-16", "state": "Open", "nid": 16, "details": { "group": "-1", "labels": "None", "params": [ "[email protected]", "readwrite", "[]" ], "_rule_number": "0", "time": "2019-09-23 10:38:20 UTC" }, "operation": "create", "device_id": "", "id": "AW1ds2LcYu0OgJ2alYM2", "severity": "Major" }

Integrating Aruba Central with ServiceNow

ServiceNow is an IT service management platform that allows you to automatically create incidents or IT tickets based on a live data feed from a Webhook service. If you have a ServiceNow instance, you can configure a Webhook service in Aruba Central to send a notification feed. The ServiceNow integration enables your current IT infrastructure management systems to automatically generate an IT incident or a ticket whenever an alert is triggered due to a user-generated event in Aruba Central.

Before You Begin

Before you begin, ensure that you have a valid ServiceNow account. If you do not have a ServiceNow instance, create an instance before you proceed with the steps described in the following sections. For more information on creating a ServiceNow instance, see the ServiceNow user documentation.

Integration Workflow

Complete the following steps to enable ServiceNow integration with Aruba Central:
• Step 1: Add the Hash Library to Your ServiceNow Instance
• Step 2: Create a Scripted REST API to Obtain a Webhook URL
• Step 3: Configure a Webhook in Aruba Central
• Step 4: Configure an Alert in Aruba Central
• Step 5: Verify the Integration Status

Step 1: Add the Hash Library to Your ServiceNow Instance

To get started with the ServiceNow integration, create a new script with the hash library in your ServiceNow instance.
The hash library is required for header authentication.
1. Log in to ServiceNow with your user credentials.
2. Click Manage > Instance and log in to your instance.
3. Go to System Definition > Script Includes.
4. Click New.
5. Name the script Hashes.
6. Select All application scopes from the Accessible from drop-down list.
7. Select the Client callable check box.
8. Go to the GitHub Gist website that hosts the hash library.
9. Copy the snow_hashes.js file content and paste it in the Script text box.
10. Click Submit.

Step 2: Create a Scripted REST API to Obtain a Webhook URL

To create a Scripted REST API:
1. In your ServiceNow instance, go to System Web Services > Scripted REST APIs.
2. Click New. The REST API creation page is displayed.
3. Enter a name and the API ID.
4. Click Submit. The API is added to the list of REST APIs.
5. Open the REST API that you created.
6. To add a REST resource with the header and query parameters, click New in the Resources tab. The Scripted REST Resource New record page is displayed.
7. Provide a name for the resource.
8. Select POST for the HTTP method.
9. Clear the Requires authentication check box.
10. In the Script section, add the following text:

    (function process( /*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
        // Calculate signature for verification using request headers, data and token
        var centralService = request.getHeader('X-Central-Service');
        var centralDeliveryId = request.getHeader('X-Central-Delivery-ID');
        var centralDeliveryTimestamp = request.getHeader('X-Central-DeliveryTimestamp');
        var token = "<webhook_token>";
        var body = request.body.dataString;
        // The signed message is the raw body followed by the three header values
        var message = body + centralService + centralDeliveryId + centralDeliveryTimestamp;
        var calculatedSign = new Hashes.SHA256().b64_hmac(token, message);
        var signFromServer = request.getHeader('X-Central-Signature'); // Signature sent by Aruba Central
        var low_severities = ["Minor", "Warning"];
        if (calculatedSign == signFromServer) {
            // Parse the body only after the signature has matched
            var event = JSON.parse(body);
            // Only process events from Central which have the state Open
            if (event.state == "Open") {
                var inc = new GlideRecord('incident');
                inc.initialize();
                inc.short_description = event.alert_type;
                inc.state = 1;
                // indexOf is used so the check also works on ES5-only script engines
                if (low_severities.indexOf(event.severity) !== -1) {
                    inc.impact = 3;
                    inc.urgency = 3;
                } else if (event.severity == "Major") {
                    inc.impact = 2;
                    inc.urgency = 2;
                } else if (event.severity == "Critical") {
                    inc.impact = 1;
                    inc.urgency = 1;
                }
                inc.description = event.description;
                inc.insert();
            }
            response.setStatus(200);
            response.setBody({ status: "success" });
        } else {
            // Signature mismatch: no incident is created
            response.setStatus(200);
            response.setBody({ status: "failure" });
        }
    })(request, response);

    After you create a Webhook in Aruba Central, replace the Webhook token (the <webhook_token> text in the above code sample) in your Scripted REST API.
11. Click Submit. The Scripted REST API that you created is added to the list of APIs.
12. Note the base API path. The base API path must be appended to your Webhook URL.
13. Ensure that your Webhook URL is in the following format: https://<yourInstanceName>.service-now.com/<baseApiPath>.
Step 3: Configure a Webhook in Aruba Central

To create a Webhook in Aruba Central:
1. In the Account Home page, under Global Settings, click Webhooks. The Webhooks page is displayed.
2. In the Webhook tab, click the + sign. The Add Webhook window is displayed.
   a. Name--Enter a name for the Webhook.
   b. Retry Policy--Select any one of the following options:
      • None--Select this to have no retry.
      • Important--Select this to have up to 5 retries over 6 minutes.
      • Critical--Select this to have up to 5 retries over 27 hours.
   c. URLs--Enter the URL. Click + to enter another URL. You can add up to three URLs.
      https://<yourInstanceName>.service-now.com/<baseApiPath>
      The URL must include your ServiceNow instance and the base API path generated for your Scripted REST API.
3. Click Save. The Webhook is created and listed in the Webhook table.
4. Note the token ID.
5. Go back to your ServiceNow instance and update the Webhook token in the script text of the Scripted REST API you created in step 2.

You can also create a Webhook using the API interface. For more information, see Webhook documentation in Aruba Central documentation portal.

Step 4: Configure an Alert in Aruba Central

To configure an alert in Aruba Central:
1. In the Network Operations app, set the filter to Global.
2. Under Analyze, click Alerts & Events to view the alert and events dashboard.
3. To configure alerts, click the Config icon.
4. In the Alert Severities & Notifications page, click All.
5. Select an alert and click + to enable the alert with default settings.
6. Configure the following alert parameters.
   a. Severity--Set the severity. The available options are Critical, Major, Minor, and Warning.
   b. Duration--Enter the duration in minutes.
   c. Device Filter Options--(Optional) You can restrict the scope of an alert by setting any of the following parameters:
      • Group--Select a group to limit the alert to a specific group.
      • Label--Select a label to limit the alert to a specific label.
      • Device--Select a device to limit the alert to a specific device.
   d. Select the Webhook check box under Notification Options and select a webhook from the drop-down list.
   e. Click Save.

Step 5: Verify the Integration Status

To verify if the integration is successful:
1. Trigger an alert from Aruba Central.
2. Verify if an incident is created in your ServiceNow instance.

Streaming API

Streaming API allows customers to subscribe to a select set of services instead of polling the NB API to get an aggregated state or statistics of the events. For example, with Streaming API, the customers can get notifications about the following types of events:
• The UP and DOWN status of the devices
• Change in location of stations

For a complete list of supported services, with Streaming API, users can write value-added applications based on the aggregated context.

• Streaming API service in Aruba Central is enabled if one of the devices in the account has an Advanced License. If the account has only a Foundation License, the Streaming API tab is not displayed in Aruba Central. For more information about the streaming API feature in the Aruba Central licensing model, see Aruba Central Licensing Guide.
• Streaming API service is not supported at MSP level.

Supported Services

Streaming API supports the following services:
• Audit--The Audit messages are sent to notify events like device connectivity, configuration status, and firmware status.
• AppRF--AppRF stream is the flow of all the client sessions. For each connected device (IAP/BGW), it lists the client's web session information for the past 14/15 minutes (IP, Rx/Tx, timestamp, etc.).
• Monitoring--The monitoring streaming event is generated for state message (on state change) and stats message (received for every 5 minutes).
• Presence--The Presence events are sent to provide details of all associated and unassociated clients detected by Instant AP devices.
• Location--A location event is generated when the location of a client is computed using RSSI values reported by IAPs. The event message includes coordinates of the client on the VisualRF floorplan.
• Security--The Security streaming event is generated when the IAPs have enabled Intrusion Detection. This feed contains all the IDS detections reported by the IAPs in the network.

Viewing the Streaming API Page

Perform the following steps to view the Streaming API page:
1. Log in to Account Home.
2. Under Global Settings, click the Webhooks menu option.
3. Click the Streaming tab.

The following is an illustration of the Streaming API page:

Figure 97 View of the Streaming API Page

The parameters in the page are described in the following table. Refer to the callout numbers.

Table 57: Parameters of the Streaming API Page

Callout | API | Description
1 | Topic | A list of available topics for streaming APIs. To receive streaming events from a topic, subscribe to the specific topic.
2 | Subscribe | Enables Aruba Central to stream events for a specific topic when this box is enabled.
3 | Protobuf Definition | Definition of the specific topic. All WebSocket response messages are encapsulated in a protocol buffer, the format of which you can download.
4 | Key | Access token for establishing a WebSocket connection.
5 | Endpoint | WebSocket endpoint address for the Aruba Central instance.
6 | Streaming Protobuf Definition | The protocol buffer in which all the incoming streaming messages are encapsulated. This protobuf is further used to identify the topic of the message received and decode the topic-specific protobuf message.

Subscribing to a Streaming API Topic

• Only Aruba Central admin users can subscribe to, or unsubscribe from, a topic.
• In case a live WebSocket connection breaks, reconnect the connection.
To subscribe to a streaming API topic:
1. In the Account Home page, under Global Settings, click Webhooks. The Webhooks page is displayed.
2. In the Webhooks page, click the Streaming tab. The Streaming page is displayed.
3. In the Streaming APIs table, select the check box corresponding to the topic to which you want to subscribe. To unsubscribe from a topic, clear the corresponding check box.
4. In the Webhooks > Streaming page, the following details are displayed:
   • Key--Access token. The token comes with a validity of seven days after which a new token needs to be generated.
   • Endpoint--WebSocket endpoint.
   • Streaming Protobuf Definition--Allows you to download the Streaming protocol buffer definition.

Use the WebSocket endpoint and access token to establish a WebSocket connection and start streaming data for the topics you have subscribed to.

Downloading Protobuf Definition for a Streaming API Topic

To download the protobuf definition, complete the following steps:
1. In the Streaming APIs table, click the Download button corresponding to the protobuf definition for the topic to which you have subscribed.

The following topics are available for download:
• Apprf--Protocol buffer specification of the AppRF topic.
• Audit--Protocol buffer specification of the Audit topic.
• Monitoring--Protocol buffer specification of the Monitoring topic.
• Presence--Protocol buffer specification of the Presence topic.
• Location--Protocol buffer specification of the Location topic.
• Security--Protocol buffer specification of the Security topic.

Retrieving a New Token

The access token comes with a validity of seven days after which a new token needs to be generated. You can retrieve the token either directly from the UI or by using the API.
1. To retrieve the new access token from the Aruba Central UI, complete the following steps:
   a. In the Account Home page, under Global Settings, click Webhooks > Streaming tab. The Streaming page is displayed.
   b. You can retrieve the valid token from the Key field. The token gets refreshed automatically after seven days of its generation.
2. To retrieve the new access token from the API, use the following details:
   • API--https://<central-host>/streaming/token/validate
   • Method--GET
   • Authorization--Enter the current token

The API returns the same token if the old token has not expired, or a new token if the old token has expired.

Enabling Data Streaming From a Topic

Complete the following steps to receive streaming events from Aruba Central:
1. Create a WebSocket connection: wss://<central-host>/streaming/api
2. Set the following additional headers:
   • UserName--Username of the admin. This is an optional header.
   • Authorization--Access token. For more information about how to generate the key, see Subscribing to a Streaming API Topic.
   • Topic--Value of the topic to which you have subscribed. The value should be one of the following:
      ◦ apprf
      ◦ monitoring
      ◦ audit
      ◦ presence
      ◦ location
      ◦ security
3. Start the read loop to read the events. The payload is a protocol buffer message.

Decoding WebSocket Response Messages

All WebSocket response messages are encapsulated in a protocol buffer. When a message is received, use the subject (topic) to identify the message and invoke an appropriate message processor. To decode the message, refer to the protocol buffer specification of the respective topic. The format is as follows:

    message MsgProto {
        string subject = 2;      // subject
        bytes data = 3;          // payload
        int64 timestamp = 4;     // received timestamp
        string customer_id = 5;  // customer id to which this data belongs
        string msp_id = 6;       // optional field indicating the msp_id
    }

Viewing Audit Trails in the Account Home Page

The Audit Trail page shows the logs for all the device management, configuration, and user management events triggered in Aruba Central.

To view audit trail logs:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page opens.
2. From the Select App drop-down list, select one of the following:
   • All Apps--Displays audit trail logs for all apps.
   • Network Operations--Displays audit trail logs for the Network Operations app.
   • ClearPass Device Insight--Displays audit trail logs for the ClearPass Device Insight app.

The following table describes the fields displayed in the Audit Trail table:

Table 58: Audit Trail Details

Parameter | Description
Occurred On | Time stamp of the events for which the audit trails are shown.
IP Address | IP address of the client device.
Username | Username of the admin user who applied the changes.
Target | Group or device to which the changes were applied.
Source | Tenant account in which the changes occurred. NOTE: This column is applicable only in the MSP mode.
Category | Type of modification and the affected device management category.
Description | A short description of the changes such as subscription assignment, firmware upgrade, and configuration updates. Click to view the complete details of the event. For example, if an event was not successful, click the ellipsis to view the reason for the failure.

Chapter 5
Maintaining Aruba Central

The Maintain menu includes the following options:
• Firmware--Provides an overview of the latest supported version of firmware for the device, details of the device, and the option to upgrade the device. For more information, see Managing Software Upgrades.
• Organization--Allows you to create groups, sites or labels, upload certificates, and manage site installations.
  See the following topics:
   ◦ Groups for Device Configuration and Management
   ◦ Sites and Labels
   ◦ Certificates
   ◦ Installation Management

Groups for Device Configuration and Management

Aruba Central simplifies the configuration workflow for managed devices by allowing administrators to combine a set of devices into groups. A group in Aruba Central is the primary configuration element that functions as a container for device management, monitoring, and maintenance. Groups enable administrators to manage devices efficiently by using either a UI-based configuration workflow or CLI-based configuration template.

Groups provide the following functions and benefits:
• Ability to provision multiple devices in a single group. For example, a group can consist of multiple Instant AP Virtual Controllers (VCs). These VCs can share common configuration settings and push the configuration updates to member Instant APs in their respective Instant AP clusters. For example, you can apply a common security policy for the devices deployed in a specific geographical location.
• Ability to provision different types of devices in a group. For example, a group can consist of Instant APs, Gateways, and Switches.
• Ability to create a configuration base and add devices as necessary. When you assign a new device to a group, it inherits the configuration that is currently applied to the group.
• Ability to create a clone of an existing group. If you want to build a new group based on an existing group, you can create a clone of the group and customize it as per your network requirements.

• A device can be part of only one group at any given time.
• Groups in Aruba Central are mutually exclusive (independent) and do not follow a hierarchical model.
The following figure illustrates a generic group deployment scenario in Aruba Central:

Figure 98 Group Deployment

Group Operations

The following list shows the most common tasks performed at a group level:
• Configuration--Add, modify, or delete configuration parameters for devices in a group.
• User Management--Control user access to device groups and group operations based on the type of user role.
• Device Status and Health Monitoring--View device health and performance for devices in a specific group.
• Report Generation--Run reports per group.
• Alerts and Notifications--View and configure notification settings per group.
• Firmware Upgrades--Enforce firmware compliance across all devices in a group.

Group Configuration Modes

Aruba Central allows network administrators to manage device configuration using either UI workflows or configuration templates:
• UI-based configuration method--For device groups that use UI-based workflows, Aruba Central provides a set of UI menu options. You can use these UI menu options to configure devices in a group. You can also secure the UI-based device groups with a password and thus restrict user access.
• Template-based configuration method--For device groups that use a template-based workflow, Aruba Central allows you to manage devices using configuration templates. A device configuration template includes a set of CLI commands and variable definitions that can be applied to all other devices deployed in a group.

If your site or store has different types of devices, such as the Instant APs, Switches, and Gateways, and you want to manage these devices using different configuration methods, that is, either using the UI or template-based workflows, you can create a single group and define a configuration method to use for each type of device.
This allows you to use a single group for both UI and template-based configuration and eliminates the need for creating separate groups for each configuration method.

For example, you can create a group with the name Group1 and within this group, you can enable template-based configuration method for switches and UI-based configuration method for Instant APs and Gateways. Aruba Central identifies both these groups under a single name (Group1). If a device type in the group is marked for template-based configuration method, the group name is prefixed with TG (TG Group1). You can use Group1 as the group ID for workflows such as user management, monitoring, reports, and audit trail.

When you add Instant APs, Gateways, and switches to a group, Aruba Central groups these devices based on the configuration method you chose for the device type, and displays relevant workflows when you try to access the respective configuration menu.

For information on how to create a group, see Creating a Group.

Default Groups and Unprovisioned Devices

The default group is a system-defined group to which Aruba Central assigns all new devices with factory default configuration. When a new device with factory default configuration connects to Aruba Central, it is automatically added to the default group.

If a device has customized configuration and connects to Aruba Central, Aruba Central marks the device as Unprovisioned. If you want to preserve the device configuration, you can create a new group and assign this device to the newly created group. If you want to overwrite the configuration, you can move the unprovisioned device to an existing group.

The unprovisioned state does not apply to Aruba Switches as only the factory-default switches can join Aruba Central.
Best Practices and Recommendations

Use the following best practices and recommendations for deploying devices in groups:
- Determine the configuration method (UI or template-based) to use based on your deployment, configuration, and device management requirements.
- If there are multiple sites with similar characteristics--for example, with the same device management and configuration requirements--assign the devices deployed in these sites to a single group.
- Apply device-level or cluster-level configuration changes if necessary.
- Use the group cloning feature if you need to create a group with the configuration settings of an existing group.
- If the user access to a particular site must be restricted, create separate groups for each site.

Working with Groups

See the following topics for detailed information and step-by-step instructions on how to manage groups and provision devices assigned to a group:
- Managing Groups
- Provisioning Devices Using UI-based Workflows
- Provisioning Devices Using Configuration Templates

Managing Groups

The Groups page allows you to create, edit, or delete a group, view the list of groups provisioned in Aruba Central, and assign devices to groups. This section describes the following topics:
- Creating a Group
- Assigning Devices to Groups
- Creating a New Group by Importing Configuration from a Device
- Viewing Groups and Associated Devices
- Cloning a Group
- Moving Devices between Groups
- Configuring Device Groups
- Deleting a Group

Creating a Group

Aruba Central allows you to manage configuration for different types of devices, such as Aruba Instant APs, Gateways, and switches in your inventory. These devices can be configured using either UI workflows or configuration templates. You can define your preferred configuration method when creating a group. Aruba Central allows you to create a single group with different configuration methods defined for each device type.
For example, you can create a group with the name Group1 and within this group, you can enable template-based configuration method for switches and UI-based configuration method for Instant APs and Gateways. Aruba Central identifies both these groups under a single name (Group1). If a device type in the group is marked for template-based configuration method, the group name is prefixed with TG (TG Group1). You can use Group1 as the group ID for workflows such as user management, monitoring, reports, and audit trail.

After you assign devices to a group and when you access configuration containers, Aruba Central automatically displays relevant configuration options based on the configuration method you defined for the device group.

To create a group:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. Click (+) New Group. The Create New Group pop-up window opens.
4. Enter a name for the group.
   The group name can be a maximum of 32 single byte ASCII characters if you use the UI to create the names. However, if you are using an NB API, the character limit increases to 128. A group name supports all special characters excluding the ">" character. System-defined group names such as "default", "unprovisioned", and "global" are not allowed in group names.
   By default, Aruba Central enables template-based configuration method for switches and UI-workflow-based configuration method for Instant AP and Gateway.
5. To enable template-based configuration method for all device categories:
   - For Instant APs or Gateways, select the IAP and Gateway check box.
   - For Switches, ensure that the Switch check box is selected. The Switch check box is enabled by default.
6. To enable UI-based configuration method on all device categories:
   a. For Instant APs and Gateways, ensure that the IAP and Gateway check box is cleared.
   b. For switches, clear the Switch check box.
7. Assign a password.
   This password enables administrative access to the device interface.
8. Click Add Group.

You can also create a group that uses different provisioning methods for switch, and IAP and Gateway device categories. For example, you can create a group with template-based provisioning method for switches and UI-based provisioning method for Instant APs and Gateways.

Assigning Devices to Groups

To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory.
1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign.
4. Click Assign Device(s).

To assign a device to a group from the Groups page:
1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the devices table on the right, select the device that you want to assign to a new group.
4. Drag and drop the device to the group to which you want to assign the device.

Viewing Groups and Associated Devices

To view the groups dashboard, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed. The groups table on the left side of the page displays the following information:
   - Group Name--Name of the group.
   - Devices--Number of devices assigned to a group.
   - All Connected Devices--Total number of devices provisioned in Aruba Central. The devices table on the right side of the page shows all the devices provisioned in Aruba Central.
   - Unassigned Devices--Total number of devices that are yet to be assigned. The devices table on the right shows the devices that are not assigned to any group.
   The devices table is not available for MSP users as the devices are primarily assigned to tenant accounts.
   However, MSP administrators can drill down to a tenant account and view devices mapped to a group.
3. To view the devices assigned to a group, select the group from the table on the left. The devices table displays the following information:
   - Name--Name of the device.
   - Location--Physical location of the device.
   - Type--Type of the device such as Instant AP or Switch.
   - Serial--Serial number of the device.
   - MAC Address--MAC address of the device.

Creating a New Group by Importing Configuration from a Device

To import configuration from an existing device to a new group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. Select the device from which you want to import the configuration.
4. Click Import Configuration to New Group. The Import Configuration pop-up window opens.
5. Enter a name for the group.
6. Configure a password for the group.
7. Click Import Configuration.

Cloning a Group

To clone a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. To create a clone of an existing group, select the group from the groups table and click Clone Selected Group.
4. Enter a name for the cloned group.
5. Click Add Group.

When you clone a group, Aruba Central also copies the configuration templates applied to the devices in the group.

Moving Devices between Groups

To move a device from one group to another group:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the devices table on the right, select from the following device options that you want to move:
   - Virtual Controller--Moving a Commander VC also moves the member IAP(s) to the new group.
   - Switch stack--Moving a commander stack also moves the member switches to the new group.
   - Standalone IAP--Moving a standalone IAP moves only that particular IAP to the new group.
   - Standalone switch--Moving a standalone switch moves only that particular switch to the new group.
   - Gateways (MC)--Moving a standalone MC moves only that particular MC to the new group.
4. Drag and drop the device to the group to which you want to assign the device.
5. Click Yes when the system prompts you to confirm device movement.

MSP mode does not support moving devices across different groups.

Configuring Device Groups

For information on provisioning devices in groups, see the following topics:
- Provisioning Devices Using UI-based Workflows
- Provisioning Devices Using Configuration Templates

Configuring Groups in MSP Mode

For information on using groups in the MSP mode and instructions on how to assign devices to MSP tenants, see the Aruba Central Managed Service Provider User Guide.

Deleting a Group

When you delete a group, Aruba Central removes all configuration, templates, and variable definitions associated with the group. Before deleting a group, ensure that there are no devices attached to the group.

To delete a group:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the list of groups, select the group that you want to delete.
4. Click the delete icon.
5. Confirm deletion.

Assigning Devices to Groups

In Aruba Central, devices are assigned to groups for configuration, monitoring, and management purposes. A group in Aruba Central is a primary configuration element that acts like a container. In other words, groups are a subset of one or several devices that share common configuration settings. Aruba Central supports assigning devices to groups for the ease of configuration and maintenance.
For example, you can create a common group for Branch Gateways or Instant APs that have similar configuration requirements.

Assigning Instant APs to Groups

The Instant AP groups may consist of the following configuration elements:
- Instant AP Cluster--Consists of a conductor Instant AP and a set of member Instant APs in the same VLAN.
- Virtual Controller--A virtual controller provides an interface for the entire cluster. The member Instant APs and conductor Instant APs function together to provide a virtual interface.
- Conductor Instant AP and Member Instant AP--In a typical Instant AP deployment scenario, the first Instant AP that comes up is elected as the conductor Instant AP. All other Instant APs joining the cluster function as the member Instant APs. When a conductor Instant AP is elected, the member Instant APs download the configuration changes.

The following table describes the group assignment criteria for Instant APs:

Table 59: Instant AP Group Assignment

APs with Default Configuration: If an Instant AP with factory default configuration joins Aruba Central, it is automatically assigned to the default group or to an existing group with similar configuration settings. The administrators can perform any of the following actions:
- Manually assign them to a pre-provisioned group.
- Create a new group.

APs with Non-Default Configuration: If an Instant AP with non-default or custom configuration joins Aruba Central, it is automatically assigned to an unprovisioned group. The administrators can perform any of the following actions:
- Create a new group for the device and preserve device configuration.
- Move the device to an existing group and override the device configuration.

To manually assign Instant AP(s) to a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. To view a list of unassigned devices, click Unassigned Devices. A list of unassigned devices is displayed in the devices table.
4. Select the group to which you want to assign the devices.
5. From the devices table on the right, select Instant AP(s) to assign.
6. Drag and drop the Instant APs to the group that you selected.

Assigning Switches to Groups

Aruba Central allows switches to join groups only if the switches are running factory default configuration. Switches with factory default configuration are automatically assigned to the default group. Administrators can either move the switch to an existing group or create a new group.

Provisioning and configuring of Aruba 5400R switch series and switch stacks is supported only through configuration templates. Aruba Central does not support moving Aruba 5400R switches from the template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, then the device is moved to an unprovisioned group after it joins Aruba Central.

To manually assign switch(es) to a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. To view a list of unassigned devices, click Unassigned Devices. A list of unassigned devices is displayed in the devices table.
4. Select the group to which you want to assign the devices.
5. From the devices table on the right, select the switch(es) to assign.
6. Drag and drop the switches to the group that you selected.

Moving Instant Access Point(s) Between Groups

In Aruba Central, an Instant AP device group may consist of any of the following:
- Instant AP--Consists of a commander Instant AP.
- Virtual Controller (VC)--VC provides an interface for the entire cluster. The member Instant APs and commander Instant APs function together to provide a virtual interface.
In a typical Instant AP deployment scenario, the first Instant AP that comes up is elected as the commander Instant AP. All other Instant AP(s) joining the cluster function as the member Instant AP(s). When a commander Instant AP is configured, the member Instant AP(s) download the configuration changes. The commander Instant AP may change as necessary from one device to another without impacting network performance.

To move an Instant AP or VC from one group to another group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. From the groups table on the left, select the group from which you want to move the Instant APs.
4. From the devices table on the right, select the standalone IAP or VC that you want to move. Moving a VC also moves the member IAP(s) to the new group.
5. Drag and drop the IAP to the group that you want to assign the IAP to.
6. Click Yes when the system prompts you to confirm device movement.

MSP mode does not support moving devices across different groups.

Important Points to Note
- The Instant AP(s) inherit the configuration of the group to which they are moved. However, only the system configuration is inherited and the Per AP Settings on the IAP(s) are retained.
- If the Instant AP(s) did not inherit the configuration of the new group, go to the Configuration Audit page of the IAP(s) to check the configuration difference. For more information, see Viewing Configuration Status.
- If firmware compliance is enabled on the new group and if the firmware version enforced by the group is different from the IAP(s) firmware version, the firmware is upgraded and the IAP(s) reboot.
Provisioning Devices Using UI-based Workflows

This section describes the important points to consider when assigning devices to UI groups:
- Provisioning Instant APs using UI-based Configuration Method
- Provisioning Switches Using UI-based Configuration Method
- Provisioning Aruba Gateways Using UI-based Configuration Method

Provisioning Instant APs using UI-based Configuration Method

An Instant AP device group may consist of any of the following:
- Instant AP Cluster--Consists of a conductor Instant AP and member Instant APs in the same VLAN.
- VC--A virtual controller. VC provides an interface for the entire cluster. The member Instant APs and conductor Instant APs function together to provide a virtual interface.
- Conductor Instant AP and Member Instant AP--In a typical Instant AP deployment scenario, the first Instant AP that comes up is elected as the conductor Instant AP. All other Instant APs joining the cluster function as the member Instant APs. When a conductor Instant AP is configured, the member Instant APs download the configuration changes. The conductor Instant AP may change as necessary from one device to another without impacting network performance.

Aruba Central allows configuration operations at the following levels for a device group with Instant APs:
- Per group configuration--Aruba Central allows you to maintain unique configuration settings for each group. However, these settings are applied to all devices within that group. For example, all VCs within a group can have common SSID settings.
- Per VC Configuration--Any changes that need to be applied at the Instant AP cluster level can be configured on a VC within a group. For example, VCs within a group can have different VLAN configuration for the SSIDs.
- Per Device Configuration--Although devices are assigned to a group, the users can maintain device-specific configuration such as radio, power, or uplink settings for an individual AP within a group.
When the APs that are not pre-provisioned to any group join Aruba Central, they are assigned to groups based on their current configuration.

Table 60: Instant AP Provisioning

APs with Default Configuration: If an Instant AP with factory default configuration joins Aruba Central, it is automatically assigned to the default group or an existing group with similar configuration settings. The administrators can perform any of the following actions:
- Manually assign them to an existing group.
- Create a new group.

APs with Non-Default Configuration: If an Instant AP with non-default or custom configuration joins Aruba Central, it is automatically assigned to an unprovisioned group. The administrators can perform any of the following actions:
- Create a new group for the device and preserve device configuration.
- Move the device to an existing group and override the device configuration.

Ensure that the conductor Instant AP and member Instant APs are assigned to the same group. You must convert the member Instant AP to a standalone AP in order to move the member Instant AP to another group independently.

In the following illustration, Instant APs from three different geographical locations are grouped under California, Texas, and New York states. Each state has unique SSIDs and can support devices from multiple locations in a state.

As shown in Figure 99, the California group has devices from different locations and has the same SSID, while devices in the other states/groups have different SSIDs.

When a device with the factory default configuration connects to Aruba Central, it is automatically assigned to the default group. If the device has custom configuration, it is marked as unprovisioned. If you want to preserve the custom configuration, create a new group for the device. If you want to overwrite the custom configuration, you can assign the device to an existing group.
Figure 99 Instant AP Provisioning

For more information on how to configure Instant APs using UI-based configuration workflows, see Deploying a Wireless Network Using Instant APs.

To view local overrides and configuration errors, select a template group and navigate to Devices > Access Points > Settings > Configuration Audit page.

Provisioning Switches Using UI-based Configuration Method

Aruba Central allows switches to join UI groups only if the switches are running factory default configuration. Aruba Central assigns switches with factory default configuration to the default group. The administrators can either move the switch to an existing group or create a new group.

Provisioning and configuring of Aruba 5400R switch series and switch stacks is supported only through configuration templates. Aruba Central does not support moving Aruba 5400R switches from the template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, then the device is moved to an unprovisioned group after it joins Aruba Central.

Aruba Central allows configuration operations at the following levels for switches in a UI group:
- Per group configuration--Aruba Central allows you to maintain unique configuration settings for each group. However, these settings are applied to all devices within that group. For example, all switches within a group can have common VLAN settings.
- Per Device Configuration--Although the Switches inherit group configuration, the users can maintain device-specific configuration, for example, ports or DHCP pools.

For more information on how to configure switches using UI-based configuration workflows, see Configuring or Viewing AOS-Switch Properties in UI Groups.

To view local overrides and configuration errors, select a template group and navigate to Devices > Switches > Settings > Configuration Audit page.
Provisioning Aruba Gateways Using UI-based Configuration Method

For SD-Branch deployments with Aruba Gateways, the following recommendations apply:
- Combine Branch Gateways of identical characteristics and configuration requirements under a single group.
- Create groups according to your branch requirements.
  - You can create separate groups for the small, medium, and large sized branches.
  - You can also create separate groups for the branch sites in different geographical locations; for example, East Coast and West Coast branch sites. If these groups have similar characteristics with minor differences, you can create the first group and then clone it.
  - You can use either a single group for all their devices or deploy devices in multiple groups. For example, you can deploy 7008 controllers and Aruba 2930F Switch Series with 24 ports in a single group for every branch.
  - You can also deploy 7005 controller and Aruba 2930F Switch Series with 24 ports in one group and provision 7008 controller with Aruba 2930F Switch Series with 48 ports in another group.

Important Points to Note
- The groups in Aruba Central are not device-specific. However, Aruba recommends that you use the following guidelines for provisioning SD-WAN Gateways:
  - Assign Branch Gateways and VPN Concentrators to separate groups. Because the configuration requirements for Branch Gateways and VPN Concentrators are different, the Branch Gateways and VPN Concentrators must be assigned to different groups.
  - Ensure that the configuration group for SD-WAN Gateways consists of the same type of devices. For example, Branch Gateways assigned to a group must have the same number of ports.
- Before assigning SD-WAN Gateways to groups, you must set the device persona or role as Branch Gateway or VPN Concentrator.
Example

The following figures show a few sample group deployment scenarios for Aruba Branch Gateways and VPN Concentrators:

Figure 100 Branch Gateway Groups

Figure 101 VPN Concentrator Groups

For more information on how to configure Aruba using UI-based configuration workflows, see the SD-Branch Configuration section in Aruba Central Help Center.

To view local overrides and configuration errors, select a template group and navigate to Devices > Gateways > Settings > Configuration Audit page.

Provisioning Devices Using Configuration Templates

Aruba Central allows you to provision devices using UI-based or template-based configuration method. If you have groups with template-based configuration enabled, you can create a template with a common set of CLI scripts, configuration commands, and variables. Using templates, you can apply CLI-based configuration parameters to multiple devices in a group.

If the template-based configuration method is enabled for a group, the UI configuration wizards for the devices in that group are disabled.

Creating a Group with Template-Based Configuration Method

To create a template group, complete the following steps:
1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Organization. By default, the Groups page is displayed.
3. Click (+) New Group. The Create New Group window is displayed.
4. Enter the name of the group.
5. Select one of the following device types for which you want to create a template group:
   - IAP and Gateway
   - Switch
6. Enter the password and confirm the password.
7. Click Save.

If the group is set as a template group, a configuration template is required for managing device configuration.
Provisioning Devices Using Configuration Templates and Variable Definitions

For information on configuration templates, see the following topics:
- Configuring APs Using Templates
- Using Configuration Templates for AOS-Switch Management
- Managing Variable Files

Managing Variable Files

Aruba Central allows you to configure multiple devices in bulk using templates. However, in some cases, the configuration parameters may vary per device. To address this, Aruba Central identifies some customizable CLI parameters as variables and allows you to modify the definitions for these variables as per your requirements. You can download a sample file with variables for a template group or for the devices deployed in a template group, update the variable definitions, upload the file with the customized definitions, and apply these configuration changes in bulk.

Important Points to Note
- Variables are associated to a device and not to a group. If you move a device between groups, variables remain with the device.
- Variables are displayed as part of the group to which the device belongs. After you upload the variables for a device, the association would stay in the system even if the device is moved to a UI group or template group.
- If the device is part of a UI group, variables are unused and not displayed in the UI. Aruba Central ignores the variables.
- If the device is moved to a template group, variables are displayed in the UI and used for configuration purposes.

Downloading a Sample Variables File

The sample variables file includes a set of sample variables that the users can customize. You can download the sample variables file in the JSON or CSV format.

To download a sample variables file:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Click Variables.
5. Select one of the following formats to download the sample variables file:
   - JSON--Shows the file in JSON format.
   - CSV--Shows the variables in different columns.
6. Click Download Sample Variables File. The sample variables file is saved to your local directory.

Modifying a Variable File

The CSV file includes the following columns for which the variable definitions are mandatory:
- _sys_serial--Serial number of the device.
- _sys_lan_mac--MAC address of the device.
- modified--Indicates the modification status of the device. The value for this column is set to N in the sample variables file. When you edit a variable definition, set the modified column to Y to allow Aruba Central to parse the modified definition.

Predefined Variables for Aruba Switches

The system defined variables in the sample variables files are indicated with the sys prefix. Table 61 lists the predefined variables for switches.

Table 61: Predefined Variables Example

| Variable Name | Description | Variable Value |
|---|---|---|
| _sys_gateway | Populates gateway IP address. | 10.22.159.1 |
| _sys_hostname | Maintains unique host name. | HP-2920-48G-POEP |
| _sys_ip_address | Indicates the IP address of the device. | 10.22.159.201 |
| _sys_module_command | Populates module lines. | module 1 type j9729a |
| _sys_netmask | Netmask of the device. | 255.255.255.0 |
| _sys_oobm_command | Represents Out of Band Management (OOBM) block. | oobm ip address dhcp-bootp exit |
| _sys_snmpv3_engineid | Populates engine ID. | 00:00:00:0b:00:00:5c:b9:01:22:4c:00 |
| _sys_stack_command | Represents stack block. | stacking member 1 type "J9729A" mac-address 5cb901224c00 exit |
| _sys_template_header | Represents the first two lines of the configuration file. Ensure that this variable is the first line in the template. | ; J9729A Configuration Editor; Created on release #WB.16.03.0003+ ; Ver #0f:3f.f3.b8.ee.34.79.3c.29.eb.9f.fc.f3.ff.37.ef:91 |
| _sys_use_dhcp | Indicates DHCP status (true or false) of VLAN 1 | 0 |
| _sys_vlan_1_untag_command | Indicates untagged ports of VLAN 1 | 1-28,A1-A2 |
| _sys_vlan_1_tag_command | Indicates tagged ports of VLAN 1 | 28-48 |

The _sys_template_header and _sys_snmpv3_engineid are mandatory variables that must have the values populated, irrespective of their use in the template. If there is no value set for these variables, Aruba Central reimports the values for these mandatory variables when it processes the running configuration of the device.

Predefined Variables for APs

For APs, the sample variables file includes the _sys_allowed_ap variable for which you can specify a value to allow new APs to join the Instant AP cluster.

Conditions

The following conditions apply to the variable files:
- The variable name must be on the left side of the condition and its value must be defined on the right side. For example, %if var=100% is supported and %if 100=var% is not supported.
- The < or <= or > or >= operators should have only a numeric integer value on the right side. The variables used in these 4 operations are compared as integers after flooring. For example, if any float value is set as %if dpi_value > 2.8%, it is converted as %if dpi_value > 2% for comparison.
- The variable names should not include white space, and the & and % special characters. The variable names must match regular expression [a-zA-Z0-9_]. If the variable values with % are defined, ensure that the variable is surrounded by space. For example, wlan ssid-profile %ssid_name%.
- The first character of the variable name must be an alphabetic character. Numeric values are not accepted.
- The values defined for the variable must not include spaces. If quotes are required, they must be included as part of the variable value.
  For example, if the intended configuration is wlan ssid-profile "emp ssid", then the recommended format for the syntax is "wlan ssid-profile %ssid_name%" with the variable defined as "ssid_name": "\"emp ssid\"".
- If the configuration text has the percentage sign % in it--for example, url "/portal/scope.cust5001098/Splash%20Profile%201/capture"--Aruba Central treats it as a variable when you save the template. To allow the use of percentage % as an escape character, use \" in the variable definition as shown in the following example:

  Template text

    wlan external-captive-portal "Splash Profile 1_#guest#_"
     server naw1.cloudguest.central.arubanetworks.com
     port
     url %url%

  Variable

    "url": "\"/portal/scope.cust-5001098/Splash%20Profile%201/capture\""

- Aruba Central supports adding multiple lines of variables in Instant AP configuration templates. If you want to add multiple lines of variables, you must add the HAS_MULTILINE_VARIABLE directive at the beginning of the template.

  Example

    #define HAS_MULTILINE_VARIABLE 1
    %if allowed_aps%
    %allowed_aps%
    %endif%

  Variable

    "allowed_aps": "allowed-ap 24:de:c6:cb:76:4e\n allowed-ap ac:a3:1e:c5:db:d8\n allowed-ap 84:d4:7e:c4:8f:2c"

For Instant APs, you can configure a variable file with a set of values defined for a master AP in the network. When the variable file is uploaded, the configuration changes are applied to all Instant AP devices in the cluster.
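The name, value and condition rules in this section can be checked before a variables file is uploaded. The lint below is an added example, not Aruba code: the function names, the constructed sample data, the exemption of _sys_-prefixed names from the first-character rule, and the check that each entry key equals its _sys_serial are assumptions.

```python
import json
import math
import re

# Rules from the Conditions list: names use [a-zA-Z0-9_] and start with a
# letter. Assumption: _sys_-prefixed names are system-defined and exempt.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
SYS_NAME_RE = re.compile(r"^_sys_[A-Za-z0-9_]+$")
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
COND_RE = re.compile(r"^%if\s+(\S+?)\s*(<=|>=|<|>|=)\s*(\S+?)\s*%$")
MANDATORY = ("_sys_serial", "_sys_lan_mac")

# Constructed sample: the first entry follows the rules, the second breaks them.
SAMPLE = r'''
{
  "SN00000001": {
    "_sys_serial": "SN00000001",
    "_sys_lan_mac": "02:00:00:00:00:01",
    "ssid_name": "\"emp ssid\"",
    "url": "\"/portal/Splash%20Profile%201/capture\""
  },
  "SN00000002": {
    "_sys_serial": "SN00000009",
    "ssid name": "guest",
    "2g_ssid": "emp ssid",
    "url": "/portal/Splash%20Profile%201/capture"
  }
}
'''


def valid_name(name):
    """True for a user variable name or a _sys_ system variable name."""
    return bool(NAME_RE.match(name) or SYS_NAME_RE.match(name))


def lint_condition(text):
    """Return (errors, normalized) for one '%if <name> <op> <value>%' line."""
    m = COND_RE.match(text.strip())
    if not m:
        return ["not a recognised %if <name> <op> <value>% condition"], None
    lhs, op, rhs = m.groups()
    errors = []
    if not valid_name(lhs):
        errors.append(f"left side {lhs!r} is not a variable name")
    if op != "=":
        # Ordering operators compare integers after flooring (2.8 becomes 2).
        try:
            rhs = str(math.floor(float(rhs)))
        except (ValueError, OverflowError):
            errors.append(f"{op} needs a numeric right side, got {rhs!r}")
    return errors, f"%if {lhs} {op} {rhs}%"


def lint_variables(doc):
    """Return a list of findings for a parsed JSON variables file."""
    findings = []
    for device, variables in doc.items():
        if not isinstance(variables, dict):
            findings.append(f"{device}: entry is not an object")
            continue
        for key in MANDATORY:
            if not variables.get(key):
                findings.append(f"{device}: missing mandatory {key}")
        serial = variables.get("_sys_serial")
        if serial and serial != device:
            findings.append(f"{device}: _sys_serial {serial!r} differs from entry key")
        mac = variables.get("_sys_lan_mac")
        if mac and not MAC_RE.match(mac):
            findings.append(f"{device}: _sys_lan_mac {mac!r} is not aa:bb:cc:dd:ee:ff")
        for name, value in variables.items():
            if not valid_name(name):
                findings.append(f"{device}: bad variable name {name!r}")
            if SYS_NAME_RE.match(name):
                continue  # system values such as command blocks are not checked
            text = str(value)
            quoted = len(text) >= 2 and text[0] == text[-1] == '"'
            if "%" in text and not quoted:
                # An unquoted % would be read as a variable marker on save.
                findings.append(f"{device}: {name} contains % but is not quoted")
            elif " " in text and "\n" not in text and not quoted:
                # Multi-line values (HAS_MULTILINE_VARIABLE) are left alone.
                findings.append(f"{device}: {name} contains spaces but is not quoted")
    return findings


def lint_sample():
    """Lint the constructed SAMPLE document."""
    return lint_variables(json.loads(SAMPLE))


if __name__ == "__main__":
    for finding in lint_sample():
        print(finding)
    for line in ("%if var=100%", "%if 100=var%", "%if dpi_value > 2.8%"):
        print(line, "->", lint_condition(line))
```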
Examples

The following example shows the contents of a variable file in the JSON format for Instant APs:

    {
      "CK0036968": {
        "_sys_serial": "CK0036968",
        "ssid": "s1",
        "_sys_lan_mac": "ac:a3:1e:c5:db:7a",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
        "hostname": "Uber_1"
      },
      "CJ0219729": {
        "_sys_serial": "CJ0219729",
        "ssid": "s1",
        "_sys_lan_mac": "ac:a3:1e:cb:04:92",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
        "hostname": "Uber_2"
      },
      "CK0112486": {
        "_sys_serial": "CK0112486",
        "ssid": "s1",
        "_sys_lan_mac": "ac:a3:1e:c8:29:76",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
        "hostname": "Uber_3"
      },
      "CT0779001": {
        "_sys_serial": "CT0779001",
        "ssid": "s1",
        "_sys_lan_mac": "84:d4:7e:c5:c6:b0",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
        "hostname": "Uber_4"
      },
      "CM0640401": {
        "_sys_serial": "CM0640401",
        "ssid": "s1",
        "_sys_lan_mac": "84:d4:7e:c4:8f:2c",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
        "hostname": "Uber_6"
      },
      "CK0037015": {
        "_sys_serial": "CK0037015",
        "ssid": "s1",
        "_sys_lan_mac": "ac:a3:1e:c5:db:d8",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
        "hostname": "Uber_7"
      },
      "CK0324517": {
        "_sys_serial": "CK0324517",
        "ssid": "s1",
        "_sys_lan_mac": "f0:5c:19:c0:71:24",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
        "hostname": "Uber_8"
      }
    }

Figure 102 shows a sample variables file in the CSV format:

Figure 102 Variables File in the CSV Format

Uploading a Variable File

To upload a variable file, complete the following steps:

While uploading the variables file to Aruba Central in the CSV format, make sure to choose the default language in Microsoft Excel as English (United States).

1. Ensure that the _sys_serial and _sys_lan_mac variables are defined with the serial number and MAC address of the devices, respectively.
2. In the Network Operations app, set the filter to one of the template groups under Groups.
3. Under Manage, click Devices > Switches.
4. Click the Config icon.
5. Click Variables.
6. Click Upload Variables File and select the variable file to upload.
7. Click Open. The contents of the variable file are displayed in the Variables table.
8. To search for a variable, specify a search term and click the Search icon.
9. To download a variable file with device-specific definitions, click the download icon in the Variables table.

Modifying Variables

To modify variables without downloading a variable file, modifying the variable file, and uploading the customized variable file:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Click Variables.
5. Select a device and variable.
6. Modify the value and click Add to Modifications.
7. Click Save.
Alternatively, to modify a single variable without downloading a variable file, modifying the variable file, and uploading the customized variable file:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Hover over a desired variable and click Edit.
5. Modify the value and click Save.
6. Click Save.

Backing Up and Restoring Configuration Templates

Aruba Central allows you to create a backup of configuration templates and variables that you can restore in the event of a failure or loss of data. The Configuration Backup and Restore feature is available in the Configuration Audit page for devices deployed using the template-based configuration method.

The Configuration Backup and Restore feature enables administrators to perform the following functions:
- Back up templates and variable files applied to the devices, managed using the template-based configuration method.
- Restore an earlier known working combination of the configuration template and device variables in the event of a failure.

Important Points to Note

- The backup and restoration options are available for devices deployed using the template-based configuration method.
- When the backup or restore for a group is in progress, you cannot make configuration changes to that group.
- The restore operation restores the variables only for the devices that are currently provisioned or preprovisioned to the group.
- The restore operation is terminated if the firmware version running on any one device in the group does not match the firmware version in the backed up file that is being restored. For example, if the configuration file was backed up when a switch was running 16.03.0003 and was later upgraded to 16.04.0003, the restore operation fails for the group.
- The restore operation deletes any templates applied to the group before the restore.
  It also deletes and replaces device variables with the backed up version that is being restored.
- The details pertaining to the actions carried out during the backup and restore operations are logged in the Audit Trail page.

Creating a Configuration Backup

To back up configuration templates and variables applied to devices:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Navigate to the Configuration Audit page. See Viewing Configuration Status.
3. Under Configuration Backup and Restore, click New Configuration Backup. The Create New Backup window is displayed.
4. Enter a Backup Name.
5. Select Do Not Delete if you do not want the backed up file to be deleted by a new backup after the threshold of 20 backups is exceeded.
   You can create and maintain up to 20 backed up configuration files. If the number of backup files exceeds 20, the old backed up configuration files are overwritten. However, if the backed up files are marked as Do Not Delete, Aruba Central does not overwrite the backed up configuration files.
6. Click OK. The Confirm Backup window is displayed.
7. Read through the information. Select the check box to confirm that configuration changes to the group cannot be done when the backup is in progress.
8. Click Proceed. The backup for the group configuration is created.

Viewing Contents of a Backed Up Configuration

To view the contents of a backed up configuration:
1. Click the Manage Backup option.
2. Download the backup and untar the downloaded file.

The following example shows the tree structure of a typical backup download.

    <backup-name_timestamp>
        templates
            <hppctemplate1.tmpl>
            <iaptemplate1.tmpl>
            template_meta.json
        variables
            HPPC_variables_1.json
            IAP_variables_1.json
            devices_meta.json

The variables are stored according to the device type, such as Instant APs and Aruba Switches. For example, for all Instant APs, the variables are aggregated and stored together.
The aggregated file can include variables for up to 80 devices or up to 5 MB of variables data, whichever condition is met first. When the number of variables or the data size exceeds this limit, new aggregate files are created and added to the backup until all the variables in the selected group are backed up. The variable data limit applies only to the aggregated files. Aruba Central does not impose any limit on the number of devices or the device variables that can be backed up.

The following details are available for a backed up configuration snapshot:
- Backups--Provides details of the number of available and allowed backups and allows you to perform the following actions:
  - Manage group configuration backups
  - Create new configuration backups
  - Modify backup delete protection
- Last Backup--Provides details of the status and the timestamp of the last backup.
- Last Restore--Provides details of the status and the timestamp of the last restore.

Restoring a Backed Up Configuration

To restore a backed up configuration snapshot:
1. In the Network Operations app, use the filter to select a group that uses the template-based configuration method.
2. Navigate to the Configuration Audit page. See Viewing Configuration Status.
3. Under Configuration Backup and Restore, click Restore Configuration Backup. The Restore from Backup window is displayed.
4. Select the backup name that you want to restore from the Backup Name drop-down list.
5. Select the required device type from the Device Type drop-down list. Selecting a device type allows you to restore the backed up configuration by the specific device type, for example, Instant APs, Aruba Switch. By default, All is selected. When the device type is set to All, configuration restore does not follow any specific order.
6. Click OK. The Confirm Configuration Restore window is displayed.
7. Read the instructions and select the check boxes to confirm your action for configuration restore.
8. Click Proceed. The selected backup configuration is restored.

Aruba recommends that administrators take a backup of the current configuration of the group before the restore operation.

Managing Backups

To manage the backed up configuration files:
1. In the Network Operations app, use the filter to select a group that uses the template-based configuration method.
2. Navigate to the Configuration Audit page. See Viewing Configuration Status.
3. Under Configuration Backup and Restore, click Manage Backup. The Last <#> Backups window is displayed.
4. View the backup details such as date and time of backup, backup name, username, and the delete protection status for each configuration backup.
5. Click Close.
6. Click Last Backup Log to view the details of the latest backup. The Last Backup Log window displays the following details:
   - Group name
   - Backup name
   - Username that initiated the configuration backup
   - Details on whether templates and device variables are being saved, and completion of the configuration backup process.
7. To get the status of the last restore, click Last Restore Log. To get the error log for a restore error event, click Last Restore Error Log.

Backing Up and Restoring Templates and Variables Using APIs

Aruba Central supports the following NB APIs for the backup and restore feature:
- Create new configuration backup for group
  [POST] /configuration/v1/groups/snapshot/{group}
- Create backups for multiple groups associated with a customer account
  [POST] /configuration/v1/groups/snapshot/create_backups
  Aruba Central creates a backup of configuration template and variables only for the groups included in the API request payload. You can use the include or exclude parameters to create backups for a specific list of groups.
  The following table describes the API response based on the inputs provided in the parameters:

  Table 62: API Functionality for Backup Creation

  | include_groups | exclude_groups | API Functionality |
  |---|---|---|
  | No groups specified | No groups specified | Raises an exception to either include or exclude groups. |
  | group names | group names | Raises an exception to include or exclude groups. |
  | [] | No groups specified | Raises an exception to provide valid values for the include groups parameter. |
  | group names | No groups specified | Includes selected groups for the backup operation. |
  | No groups specified | ALL_GROUPS | Creates a backup for all groups. |
  | No groups specified | group names | Does not create backup for the excluded groups. |

- Restore a backed up version of the configuration template for all devices in a group:
  [POST] /configuration/v1/groups/<group_name>/snapshots/<snapshot_name>/restore
  The API restores a specific version of the backup snapshot for the group specified in the API request.
- Restore a backed up version of the configuration template by device type:
  The [POST] /configuration/v1/groups/{group}/snapshots/{snapshot}/restore API provides you an option to restore the configuration by device type. By selecting a specific device type, you can control the order in which the configuration is restored by device type. This minimizes the impact of the configuration restore activity on the network.

If monitor mode is enabled at the device level, the selected device functions in the monitor mode. If the monitor mode is enabled at the group level, all devices in the group inherit this setting.

If a device managed by Aruba Central displays a configuration sync issue and persistently fails to receive configuration updates from Aruba Central, contact Aruba Central Technical Support.

Sites and Labels

Sites

A site refers to a physical location where a set of devices are installed; for example, campus, branch, or venue.
Aruba Central allows you to use sites as a primary navigation element. For example, if your devices are deployed in a campus, you could create a site called CampusA. You can also tag the devices within CampusA using labels. For example, if the campus consists of multiple buildings, the devices deployed in the campus can be labeled as Building1 or Lobby.

If the devices in a specific location or an area within a specific location must have similar configuration, the devices can be grouped together. For more information, see Managing Sites.

Labels

Labels are tags attached to a device provisioned in the network. Labels determine the ownership, departments, and functions of the devices. You can use labels for creating a logical set of devices and use these labels as filters when monitoring devices and generating reports.

For example, consider an Instant AP labeled as Building 25 and Lobby. These tags identify the location of the Instant AP within the enterprise campus or a building. The Instant APs in other buildings within the same campus can also be tagged as Lobby. To filter and monitor Instant APs in the lobbies of all the campus buildings, you can tag all the Instant APs in a lobby with the label Lobby. For more information, see Managing Labels.

Device Classification

Devices can also be classified using Groups and Sites.
- The group classification can be used for role-based access to a device, while labels can be used for tagging a device to a location or a specific area at a physical site. However, if a device is already assigned to a group and has a label associated with it, it is classified based on both groups and labels.
- The site classification is used for logically grouping devices deployed at a given physical location. You can also convert labels to sites.

Managing Sites

The Sites page allows you to create sites, view the list of sites configured in your setup, and assign devices to sites.
The Sites page includes the following functions:

Table 63: Sites Page (Name and Contents of the Table)

- Convert Labels to Sites--Allows you to convert existing labels to sites. To convert labels, download the CSV file with the list of labels configured in your setup, add the site information, and upload the CSV file. For more information, see Creating a Site.
- Sites table--Displays a list of sites configured. It provides the following information:
  - Site Name--Name of the site.
  - Address--Physical address of the site.
  - Device Count--Number of devices assigned to a site.
  The table also includes the following sorting options to reset the table view on the right:
  - All Devices--Displays all the devices provisioned in Aruba Central.
  - Unassigned--Displays the list of devices that are not assigned to any site.
  You can also use the filter and sort icons on the Sites and Address columns to filter and sort sites respectively.
- New Site--Allows you to create a new site.
- Bulk upload--Allows you to add sites in bulk from a CSV file.
- Devices table--Displays a list of devices provisioned. It provides the following information:
  - Name--Name of the device.
  - Group--Group to which the device is assigned.
  - Type--Type of the device.

Creating a Site

To create a site, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. To add a new site, click (+) New Site. The Create New Site pop-up window opens.
6. In the Create New Site pop-up window, enter the following details:
   a. Site Name--Name of the site. The site name can be a maximum of 255 single byte characters. Special characters are allowed.
   b. Street Address--Address of the site.
   c. City--City in which the site is located.
   d. Country--Country in which the site is located.
   e. State/Province--State or province in which the site is located.
   f. ZIP/Postal Code--(Optional) ZIP or postal code of the site.
7. Click Add. The new site is added to the Sites table.

Adding Multiple Sites in Bulk

To import site information from a CSV file in bulk, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Click (+) Bulk upload. The Bulk Upload pop-up opens.
6. Download a sample file.
7. Fill in the site information and save the CSV file in your local directory.
   The CSV file for bulk upload of sites must include the mandatory information such as the name, address, city, state, and country details.
8. In the Aruba Central UI, click Browse and add the file from your local directory.
9. Click Upload. The sites from the CSV file are added to the site table.

Assigning a Device to a Site

To assign devices to a site, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Select Unassigned. The list of devices that are not assigned to any site is displayed.
6. Select device(s) from the list of devices.
   It is recommended not to add more than 20 devices at a time for seamless operation.
7. Drag and drop the devices to the site on the left. A pop-up window opens and prompts you to confirm the site assignment.
8. Click Yes.

Converting Existing Labels to Sites

To convert existing labels to sites, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Click Convert Labels to Sites. The Confirm Conversion pop-up window opens.
6. To download a CSV file with the list of labels configured in your setup, click Download a File.
   A CSV file with a list of all the labels in your setup is downloaded to your local directory.
7. Enter address, city, state, country, and ZIP code details for the labels that you want to convert to sites.
   In the CSV file, you must enter the following details: address, city, state, and country.
8. Save the CSV file.
9. On the Confirm Conversion pop-up window, click Browse and select the CSV file with the list of labels to convert.
10. Click Upload.
11. Click Convert. The labels are converted to sites.

Points to Note

- If the conversion process fails for some labels, Aruba Central generates and opens an Excel file showing a list of labels that could not be converted to sites. Verify the reason for the errors, update the CSV file, and re-upload the file.
- Aruba Central does not allow conversion of sites to labels. If the existing labels are converted to sites, you cannot revert these sites to labels.
- When the existing labels are converted to sites, Aruba Central retains only the historical data for these labels. Aruba Central displays the historical data for these labels only in reports and on the monitoring dashboard.

Editing a Site

To modify site details, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Select the site to edit and click the edit icon.
6. Modify the site information and click Update.

Deleting a Site

To delete a site, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Site(s).
5. Select the site to delete and click the delete icon.
6. Confirm deletion.

Managing Labels

The Labels page allows you to create labels, view a list of labels, and assign devices to labels. The page includes two tables.
The table on the left lists the labels, whereas the table on the right lists the devices. These tables provide the following information:

Table 64: Labels (Name and Contents of the Table)

- Labels--Displays a list of labels configured. The table provides the following information:
  - Name of the label
  - Number of devices assigned to a label
  The table also includes the following sorting options to reset the table view on the right:
  - All Devices--Displays all the devices provisioned in Aruba Central.
  - Unassigned--Displays the list of devices that are not assigned to any label.
- Devices--Displays a list of devices provisioned. The table provides the following information about the devices:
  - Name--Name of the device
  - Group--Group to which the device is assigned
  - Type--Type of the device
  - Labels--Number of labels assigned to a device

Creating a Label

To create a label, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. To add a new label, click (+) Add Label. The Create New Label pop-up window opens.
6. Enter a name for the label. The label name can be a maximum of 255 single byte characters. Special characters are allowed.
7. Click Add. The new label is added to the All Labels table.

Assigning a Label to a Device

To assign a label to a device, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. Locate the label to which you want to assign a device.
6. In the table that lists the labels, you can perform one of the following actions:
   - Click All Devices to view all devices.
   - Click Unassigned to view all the devices that are not assigned to any labels.
7. Select Unassigned.
   The list of devices that are not assigned to any label is displayed.
8. Select device(s) from the list of devices.
   It is recommended not to add more than 20 devices at a time for seamless operation.
9. Drag and drop the selected device(s) to a specific label. A pop-up window asking you to confirm the label assignment opens.
10. Click Yes.

Aruba Central allows you to assign up to five label tags per device.

Detaching a Device from a Label

To remove a label assigned to a device, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. Select the device from the table on the right.
6. Click the delete icon.
7. To detach labels from multiple devices at once, select the devices, and click Batch Remove Labels.
8. Confirm deletion.

Editing a Label

To edit a label, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. Select the label to edit.
6. Click the edit icon.
7. Edit the label and click Update.

Deleting a Label

To delete one or several labels, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Sites and Labels tab.
4. Set the toggle switch to Labels.
5. Select the label to delete.
6. Click the delete icon.
7. Confirm deletion.

Certificates

By default, Aruba Central includes a self-signed certificate that is available on the Certificates page. The default certificate is not signed by a root certificate authority (CA). For devices to validate and authorize Aruba Central, administrators must upload a valid certificate signed by a root CA.

Aruba devices use digital certificates for authenticating a client's access to user-centric network services.
Most devices such as controllers and Instant APs include a server certificate by default for captive portal server authentication. However, Aruba recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted CA. Certificates can be stored locally on the devices and used for validating device or user identity during authentication.

Aruba Central-managed devices such as Instant AP and switches support the following root CA certificates:

Instant APs
- AddTrust
- GeoTrust
- VeriSign
- Go Daddy

Switches
- Comodo
- GeoTrust

Uploading Certificates

To upload certificates, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Select the Certificates tab. The Certificates page opens.
4. Click the plus icon to add the certificate to the certificate store.
5. In the Add Certificate dialog box, do the following:
   a. In the Name text box, specify the certificate name.
   b. Select the type of certificate. You can select any one of the following certificates:
      - CA--Digital certificates issued by the CA.
      - Server--Server certificates required for communication between devices and authentication servers.
      - CRL--Certificate Revocation List that contains the serial numbers of certificates that have been revoked. This certificate is required for performing a certificate revocation check.
      - OCSP Responder Cert--OCSP responder certificates.
      - OCSP Signer Cert--OCSP Response Signing Certificate.
      OCSP certificates are required for OCSP server authentication.
   c. From the Format drop-down list, select a certificate format; for example, PEM, DER, and PKCS12.
   d. In the Passphrase text box, enter a passphrase.
   e. In the Retype Passphrase text box, retype the passphrase for confirmation.
      The Passphrase and Retype Passphrase text boxes are displayed only when you select Server Certificate from the Type drop-down list.
   f. In the Certificate File field, click Browse and select the certificate files.
   g. Click Add. The certificate is added to the Certificate Store.

Managing Certificates on Instant APs Configured Using Templates

Aruba Central supports uploading multiple certificates to Instant APs configured using templates. You can manage certificates either from the Aruba Central UI or through the API Gateway. For more information about APIs, see API Documentation.

To push certificates to Instant APs configured using templates:
1. Upload certificate(s) through one of the following methods:
   - UI--See Uploading Certificates.
   - API--Use the [POST] /configuration/v1/certificates API.
2. Get the certificate name and MD5 checksum through one of the following methods:
   - UI--In the Network Operations app, filter All Devices. Under Maintain, click Organization and select the Certificates tab. The Certificate Store table displays these details.
   - API--Use the [GET] /configuration/v1/certificates API.
3. In the template, anywhere before the per-ap settings block, depending on your requirement, add one or more of the following commands:

    ca-cert-checksum <ca_cert_checksum/ca_cert_name>
    cp-cert-checksum <captive_portal_cert_checksum/captive_portal_cert_name>
    radsec-ca-checksum <radsed_ca_checksum/radsed_ca_name>
    radsec-cert-checksum <radsed_cert_checksum/radsed_cert_name>
    server-cert-checksum <server_cert_checksum/server_cert_name>

You can either use the certificate name or the checksum value in the command. Or, you can set it as a variable and enter the variable value for the Instant AP. Aruba recommends using the certificate name.

Example 1

    ca-cert-checksum my_default_cert

Example 2

    ca-cert-checksum %ca_cert_name%
    variable: { "ca_cert_name": "my_default_cert" }

Installation Management

Site installations and device deployments at customer premises require extensive coordination between the IT administrators and installation personnel.
If there are multiple sites to deploy, businesses may require more time and manual effort to coordinate and manage site installations. The Aruba Installation Management service simplifies and automates site deployments, and helps IT administrators manage site installations with ease.

The Installation Management service includes the following components:
- Install Manager on Aruba Central portal--Intended for IT administrators who oversee the installation management activities in an organization. Using Install Manager, network administrators can create installer profiles, assign site deployments to installers, and monitor deployment status for each site from a remote location. Aruba Central users can access the Install Manager application from the app selection pane in the UI.
- Aruba Installer mobile app--Intended for the installation personnel who deploy devices on a site. The Aruba Installer mobile app allows the installers to scan devices and add them to the provisioning network. The Aruba Installer mobile app is available for download on Apple® App Store and Google Play Store.

Installation Management and Monitoring

The Install Manager feature in Aruba Central includes the following menu options:
- Site Installations--Displays a list of sites associated with an Aruba Central account.
- Installers--Displays a list of installers added using the Install Manager application.

Installation Management Workflow

The following figure illustrates the installation management workflow for the Install Manager users:

Figure 103 Installation Management Workflow

Installer Workflow

Installers are technicians who are assigned the task of visiting a physical site or location and installing devices. The Aruba Installer mobile app enables installers to scan devices and report the task status to IT administrators.
The following figure illustrates the installation workflow for the Aruba Installer mobile app users:

Figure 104 Installer Workflow

Managing Site Deployments

Before you begin, ensure that the following tasks are completed:

- Onboarding Devices
- Managing License Assignments

The steps required for completing a site installation procedure are listed in the following table:

Table 65: Installation Management

Administrator Workflow:
- Creating a Site
- Assigning Groups to a Site
- Adding an Installer and Assigning Sites for Installation
- Monitoring and Troubleshooting Installation Issues

Installer Workflow:
- Downloading the Installer Mobile App
- Registering as an Aruba Installer
- Installing Devices on a Site

Creating a Site

To create a site in Aruba Central, complete the steps described in Creating a Site.

Assigning Groups to a Site

To assign groups to a site, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Install Manager tab.
4. On the Site Installations page, click on the site you want to edit.
5. Select the group for each device category.
6. Click Save.

To assign groups to multiple sites, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Install Manager tab.
4. On the Site Installations page, select the sites. The Assign Groups button is displayed.
5. Click Assign Groups.
6. In the Assign Groups to Sites pop-up window, select a group for each device category.
7. Click Save.

You can also add installation notes for sites. The installers can view the notes by clicking the info icon in the Installer mobile app.

Adding an Installer and Assigning Sites for Installation

Administrators can add installers and assign installation tasks to these installers through the Aruba Installer mobile app.
To add an installer profile in Aruba Central, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Click the Install Manager tab.
4. In the Install Manager tab, click Installers. The Installers page is displayed.
5. Click + Add Installer. The Add Installer page is displayed.
6. Enter the name and phone number of the technician to whom you want to assign a site for installing the devices.
7. Specify the time until which the installer's profile is valid. The technicians will be automatically logged out of the Aruba Installer app on the specified date.
8. On the Add Installer page, you can do the following:
   - Select a site in the Sites not assigned table and click Add > to add the site.
   - Select a site in the Sites Selected table and click < Remove to remove the site.
   - Click Add all > to add all the sites.
   - Click < Remove all to remove all sites.

   Figure 105 Assigning Sites

9. Click Save. An SMS notification is sent to the installer's mobile device. The site(s) assigned are displayed in the Sites Assigned table.

To start the installation, the installer must download the Aruba Installer mobile app and sign up as an installer. The administrators can verify the installer registration status on the Installers dashboard in the Install Manager application in Aruba Central.

The Installers dashboard displays the following status indicators for installers.

- Invited--The installer is added and an SMS notification is sent to the installer.
- Registered--The installer has registered using the Aruba Installer mobile app.
- Verified--The installer has accepted the installation invite and successfully completed the registration with the Aruba Installer app.

Downloading the Installer Mobile App

When an installer is added in the Install Manager application in Aruba Central, an SMS notification is sent to the installer's mobile device.
The SMS notification includes the links for downloading the Aruba Installer mobile app. If you are an installer and have received the SMS notification with the Aruba Installer mobile app details, download the Aruba Installer mobile app. The Aruba Installer mobile app is available in App Store for iOS devices and Google Play Store for Android devices.

Registering as an Aruba Installer

To register as an installer, complete the following steps:

1. Open the Aruba Installer app.
2. In the Sign Up tab, enter your first name, last name, country code and mobile number.
3. Click Register. A verification code is sent to your mobile device.
4. Enter the verification code received through the text message in the Code field.
5. Click Validate Code. If the code is valid, the installer is registered.

Installing Devices on a Site

To install a device on a site, complete the following steps:

1. Sign in to Aruba Installer mobile app.
2. View the sites assigned for deployment.
3. Select the site that you want to deploy.
4. Note the devices assigned for the site and installation notes if any.
5. Click Scan Device. Scan the serial number of the device. The Aruba Installer app verifies if the device is onboarded to Aruba Central device inventory and is assigned a valid subscription.
6. Power on the device and connect it to the Internet. The device automatically connects to Aruba Central and is provisioned in the group to which it is already assigned.
7. Verify the installation status and report errors if any.

Before scanning a device, ensure that the device is not connected to Aruba Central. If the device is already connected to Aruba Central, Install Manager will not assign it to a group.

Monitoring and Troubleshooting Installation Issues

To monitor the installation progress, complete the following steps:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Select the Install Manager tab.
   The Site Installations table is displayed.
4. To view the status of a site installation, check the Status column:
   - In Progress--Indicates that the device installation is in progress.
   - Completed--Indicates that the device installation is completed.

   If the installation status displays an error:
   - Check if the devices are onboarded to Aruba Central.
   - Verify if the devices are assigned a valid subscription.
   - Check if the sites are assigned to a group.
   - View the audit trails.
5. If the installation is completed, click the site name to navigate to the site details page and click Mark Completed. You can mark a site as completed even if Install Manager was not used to install or onboard the device.
6. Click Save.

Viewing Configuration Status

Aruba Central provides an audit dashboard for reviewing configuration changes for the devices provisioned in UI and template groups. The Configuration Audit page is available for Instant APs, switches, and gateways.

The Configuration Audit page and the Auto Commit feature are available for Foundation and Advanced licenses for APs, switches, and gateways.

Viewing the Configuration Audit Page

To view the Configuration Audit page, complete the following steps:

- For Instant APs:
   a. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the selected group is displayed.
   b. Under Manage, click Devices > Access Points.
   c. Click the Config icon. The tabs to configure access points are displayed.
   d. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
- For Aruba switches:
   a. In the Network Operations app, set the filter to a group that contains at least one switch. The dashboard context for the selected group is displayed.
   b. Under Manage, click Devices > Switches.
   c. Click the Config icon. The tabs to configure switches are displayed.
   d. Click Configuration Audit.
      The Configuration Audit details page is displayed.
- For Aruba gateways:
   a. In the Network Operations app, set the filter to a group that contains at least one Branch Gateway. The dashboard context for the selected group is displayed.
   b. Under Manage, click Devices > Gateways.
   c. Click the Config icon. The tabs to configure gateways are displayed.
   d. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.

Applying Configuration Changes

Aruba Central supports a two-staged configuration commit workflow for Instant APs and switches. Aruba Central now supports the auto commit feature at a group level. When auto commit state is enabled for a group, the configuration changes are instantly applied to all devices where auto commit state is enabled.

In the Configuration Audit page of the group, the Auto Commit State section allows administrators to switch their preference for committing configuration changes to the devices within the group.

- To enable auto commit, click Change to Auto commit state ON. When auto commit state is enabled for a group, the configuration changes are instantly applied to all devices where auto commit state is enabled.
- To disable auto commit, click Change to Auto commit state OFF. When auto commit state is disabled for a group, an administrator can build a candidate configuration, save it on cloud, review it, and then commit the configuration changes to all devices within the group.

Aruba Central resets the auto commit state when a device moves to another group. The device inherits the auto commit state of the group to which the device is moved.

When auto commit state is disabled for a group, Aruba Central restricts modification to the auto commit state at a device level. When auto commit state is enabled for a group, Aruba Central allows modification to the auto commit state at a device level.
The auto commit at a group level is not applicable for Aruba MAS switches and Aruba gateways in the Configuration Audit page. Auto commit state is always enabled for Aruba MAS switches and Aruba gateways.

Viewing and Editing

To modify the auto commit state of devices within the group, when Auto Commit State for a group is enabled, complete the following steps:

1. Click View & Edit under Auto Commit State: ON tile.
2. Select a device name, click Disable Auto Commit, and then click OK.
3. Click Yes in the Confirm Action dialog box.

To modify the auto commit state of devices within the group, when Auto Commit State for a group is disabled, complete the following steps:

1. Click View & Edit under Auto Commit State: OFF tile.
2. Select a device name, click Enable Auto Commit, and then click OK.
3. Click Yes in the Confirm Action dialog box.

When auto commit state for a group is disabled, the View & Edit link is disabled to restrict modifications to the auto commit state of the devices within the group. When auto commit state for a group is enabled, the View & Edit link allows you to modify the auto commit state of the devices within the group.

Auto Commit Workflow

To enable Aruba Central to commit configuration changes instantly, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP and a switch. The dashboard context for the selected group is displayed.
2. Under Manage, click Devices > Access Points. In Aruba Central, the auto commit workflow for a group can be implemented either from the switch configuration audit page or Instant AP configuration audit page. Alternatively, you can navigate to Devices > Switches.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
5. Ensure that the Auto Commit State for the group is set to ON.
6.
   Based on configuration mode set for the devices in the group, use either the UI workflows or a configuration template to complete the configuration workflow and save the changes. Aruba Central automatically commits the configuration changes to all devices where auto commit state is enabled.
7. View the Local Overrides and Configuration Sync Issues, if any.

Aruba Central does not support the two-staged configuration commit workflow for Aruba MAS switches and Aruba gateways.

The tenant accounts in the MSP deployments do not inherit the Auto Commit State configured at the MSP level. The tenant account users can enable or disable Auto Commit state for the devices in their respective accounts.

Manual Commit Workflow

To build configuration and review it before committing the configuration changes, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP and a switch. The dashboard context for the selected group is displayed.
2. Under Manage, click Devices > Access Points. In Aruba Central, the manual commit workflow for a group can be implemented either from the switch configuration audit page or Instant AP configuration audit page. Alternatively, you can navigate to Devices > Switches.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Configuration Audit tab. The Configuration Audit details page is displayed.
5. Ensure that the Auto Commit State for the group is set to OFF.
6. Based on configuration mode set for the device, use either the UI workflows or a configuration template to complete the configuration workflow and save the changes. When you try to save the changes, Aruba Central displays the following warning message:
7. When the auto commit state for a group is set to OFF, and changes are configured to the devices at a group level, Aruba Central displays the following warning message when you try to save the changes:
8.
   View the Local Overrides and Configuration Sync Issues, if any.
9. Click Commit Now to commit the configuration changes to all devices within the group.

Viewing Configuration Overrides and Errors

The Configuration Audit page allows you to view the configuration push errors, template synchronization errors, configuration sync, and device level configuration overrides. Some of the notable status indicators available on the page include:

- Configuration Status--Provides details of the number of devices with configuration sync errors. To view the devices with configuration sync errors, click View Details. The Config Difference window is displayed. You can view configuration differences for each device within the group.
- Local Overrides--Provides details of the number of devices with local overrides. To view a complete list of overrides, click Manage Local Overrides. The Local Overrides window is displayed. You can view configuration differences for each device within the group. The overrides are grouped based on the features that are configured in the UI and are displayed as drop-down sections. For example, all overrides for IGMP are listed under a separate drop-down with the heading IGMP. To preserve the overrides, click Close. To remove the overrides, select the group name with local override, type REMOVE in the text box and click OK.
- Configuration Conflicts--Provides details of the number of devices with configuration conflict errors. To view a complete list of configuration conflicts, click Manage Configuration Conflicts. The Configuration Conflict window is displayed. To resolve the configuration conflicts, enable the check box against each conflict, and then click Remove to remove the conflict.
- Template Errors--Provides the details of the number of devices with template errors. To view a complete list of configuration template errors, click View Template Errors. The Template Errors window is displayed.
  You can view a list of templates with errors.
- Move Failures--Aruba Central supports moving a device from one group to another. If the move operation fails, Aruba Central logs such instances as Move Failures.

Viewing Configuration Status for Devices at the Group Level (Template Configuration Mode)

When you select a template group from the filter, the Configuration Audit page displays the following information:

Table 66: Configuration Audit Status for a Template Group
(Data Pane Content, followed by its Description)

Template Errors

Provides details of the number of devices with template errors for the selected template group. Devices deployed in the template group are provisioned using configuration templates. If there are errors in the templates or variable definitions, the configuration push to the devices fails. Aruba Central records such failed instances as template errors and displays these errors on the Configuration Audit page. To view a complete list of errors, click View Template Errors. The Template Errors window allows you to view and resolve the template errors issues if any.

Configuration Status

Provides details of the number of devices with configuration sync errors for the selected template group. To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:

- Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
- Device Running Configuration--Displays the running configuration on the switch.

To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Configuration Backup & Restore
Allows you to create a backup of templates and variables applied to the devices in the template group. For more information, see Backing Up and Restoring Configuration Templates.

- New Configuration Backup--Allows you to create a new backup of templates and variables applied to the devices in the template group.

All Devices

The All Devices table provides the following device information for the selected group:

- Name--The name of the device.
- Type--The type of the device.
- Auto Commit--The status of the auto commit state for all the devices within the group.
- Config Sync--Indicator showing configuration sync errors.
- Template Errors--Indicator showing configuration template errors for the devices deployed in template groups.

Viewing Configuration Status for a Device (Template Configuration Mode)

When you select a device that is provisioned in a template group, the Configuration Audit page displays the following information:

Table 67: Configuration Audit Status for Devices in Template Groups
(Data Pane Content, followed by its Description)

Template Applied

Displays the template that is currently applied on the selected device.

Template Errors

Displays the number of template errors for the selected device. To view a complete list of errors, click View Template Errors.

Configuration Status

Displays the configuration sync errors for the selected device. To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:

- Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
- Device Running Configuration--Displays the running configuration on the switch.

To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window.
To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Config Comparison Tool

Allows you to view the difference between the current configuration (Device Running Configuration) and the configuration that is yet to be pushed to the device (Attempted Configuration). To view the running and attempted configuration changes side by side, click View.

Viewing Configuration Status for Devices at the Group Level (UI-based Configuration Mode)

When you select a UI group, the Configuration Audit page displays the following information:

Table 68: Configuration Audit Status for a UI Group
(Data Pane Content, followed by its Description)

Configuration Status

Displays the number of devices with configuration sync errors for the selected UI group. To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:

- Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
- Device Running Configuration--Displays the running configuration on the switch.

To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Local Overrides

Displays the number of devices with local overrides. To view a complete list of overrides, click Manage Local Overrides. The Local Overrides window is displayed. The overrides are grouped based on the features that are configured in the UI and are displayed as drop-down sections. For example, all overrides for IGMP are listed under a separate drop-down with the heading IGMP.

- To preserve the overrides, click Close.
- To remove the overrides, select the group name with local override, type REMOVE in the text box and then click OK.
All Devices

The All Devices table provides the following device information for the selected group:

- MAC Address--MAC address of the device.
- Name--The name of the device.
- IP Address--IP address of the device.
- Site--Name of the site to which the device is assigned.
- Type--The type of the device.
- Auto Commit--The status of the auto commit state for all the devices within the group.
- Config Sync/Config Status--Indicator showing configuration sync errors.
- Local Overrides--Indicator showing configuration overrides for the devices deployed in the UI groups.

NOTE: The MAC Address, IP Address, Site, and Config Status columns are available only for groups in which Aruba gateways are provisioned (Manage > Device > Gateways, click the Config icon. The gateway configuration page is displayed. Navigate to Configuration Audit).

Viewing Configuration Status for a Device (UI-based Configuration Mode)

When you select a device assigned to a UI group, the Configuration Audit page displays the following information:

Table 69: Configuration Audit Status for a Device Assigned to a UI Group
(Data Pane Content, followed by its Description)

Configuration Status

Displays the number of devices with configuration sync errors for the selected device. To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:

- Not In Sync Configuration--Displays the configuration changes that are not synched with the switch.
- Device Running Configuration--Displays the running configuration on the switch.

To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Local Overrides
Displays the number of local overrides. To view a complete list of overrides, click Manage Local Overrides. The Local Overrides window is displayed. The overrides are grouped based on the features that are configured in the UI and are displayed as drop-down sections. For example, all overrides for IGMP are listed under a separate drop-down with the heading IGMP.

- To preserve the overrides, click Close.
- To remove the overrides, click Remove Local Overrides, type REMOVE in the text box and then click OK.

Backing up and Restoring Configuration Templates

Aruba Central allows you to back up configuration templates assigned to the devices deployed in a template group. The Configuration Audit pages for Instant AP, switch, and gateway configuration containers allow you to create and manage backed up files and restore these files when required. For more information, see Backing Up and Restoring Configuration Templates.

If monitor mode is enabled at the device level, the selected device functions in the monitor mode. If the monitor mode is enabled at the group level, all devices in the group inherit this setting.

If a device managed by Aruba Central displays a configuration sync issue and persistently fails to receive configuration updates from Aruba Central, contact Aruba Central Technical Support.

Managing Software Upgrades

The Firmware page provides an overview of the latest firmware version supported on the device, details of the device, and the option to upgrade the device.

Changing AOS-Switches firmware from latest version to earlier major versions is not recommended if the switches are managed in UI groups. For features that are not supported or not managed in Aruba Central on earlier AOS-Switch versions, changing firmware to earlier major versions might result in loss of configuration.

Viewing Firmware Details

To view the firmware details for devices provisioned in Aruba Central, perform the following steps:

1.
   In the Network Operations app, select one of the following options:
   - To select a group in the filter, set the filter to one of the options under Group. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
      a. Set the filter to Global.
      b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed.
      c. Click a device listed under Device Name. The dashboard context for the device is displayed.
2. Under Maintain, click Firmware. The Firmware dashboard displays the following information:

The following image displays the Firmware dashboard at the global level:

Figure 106 Firmware Dashboard at Global Level

Firmware Maintenance Window

The following are the data pane items and description:

1. Access Points--Displays the following information:
   - Name--Name of the AP. Clicking on the device name opens a window with connected APs and allows you to select and view the device Summary page. For more information, see Clients > Wireless Client > Overview.
   - Site--Displays the site information only on global context.
   - Firmware Version--The current firmware version running on the device.
   - Latest Firmware Version--The latest firmware version available on the public firmware server.
   - Recommended Version--The version to which the device is recommended for the upgrade.
   - Upgrade Status--Filters the device list based on any of the following firmware upgrade status:
      - New firmware available
      - Scheduled
      - In progress
      - Failed
      - Firmware up to date
   - Compliance Status--Status of the firmware compliance setting. The value displayed in this column is one of Set, Not Set, or Compliance scheduled on. The Compliance scheduled on displays the date and time that is set in the Firmware Compliance Setting page.
   Clicking on the device name in the Name column opens a window with connected APs and allows you to select and view the device Summary page. For more information, see Clients > Wireless Client > Overview. Click any site name from the Site column to view the site associated APs with their firmware details page.
2. Switches--Displays the following details about Aruba switches managed through Aruba Central:
   - Name--Host name of the switch.
   - Family--Displays the following types of switches:
      - AOS-S
      - CX
     This information is only available for Aruba switch and Aruba CX switches.
   - Site--Displays the site information only on global context.
   - MAC Address--MAC address of the switch.
   - Model--Hardware model of the switch.
   - Firmware Version--The current firmware version running on the switch.
   - Recommended Version--The version to which the device is recommended for the upgrade.
   - Upgrade Status--Filters the device list based on any of the following firmware upgrade status:
      - New firmware available
      - Scheduled
      - In progress
      - Failed
      - Firmware up to date
   - Compliance Status--Status of the firmware compliance setting. The value displayed in this column is one of Set, Not Set, or Compliance scheduled on. The Compliance scheduled on displays the date and time that is set in the Firmware Compliance Setting page.

   Notes:
   - The Switch-MAS tab is only available for accounts with MAS-switches.
   - The Switches tab displays details of both Aruba Switch and Aruba CX switches.
3. Gateways--Displays the following details about the SD-WAN Gateways managed through Aruba Central in Standalone mode:
   - Name--Host name of the SD-WAN Gateway.
   - Site--Displays the site information only on global context.
   - MAC Address--MAC address of the SD-WAN Gateway.
   - Model--Hardware model of the SD-WAN Gateway.
   - Firmware Version--The current firmware version running on the SD-WAN Gateway.
   - Recommended Version--The version to which the device is recommended for the upgrade.
   - Upgrade Status--Filters the device list based on any of the following firmware upgrade status:
      - New firmware available
      - Scheduled
      - In progress
      - Failed
      - Firmware up to date
   - Compliance Status--Status of the firmware compliance setting. The value displayed in this column is one of Set, Not Set, or Compliance scheduled on. The Compliance scheduled on displays the date and time that is set in the Firmware Compliance Setting page.
4. Set Compliance--Allows you to set firmware compliance for devices within a group. Click Set Compliance and turn on the toggle switch to enable and view the list of supported firmware versions for each device in a group in the Manage Firmware Compliance page.
   a. Set Compliance for Access Points--To ensure firmware version compliance, complete the following parameters in the Manage Firmware Compliance page:
      - Groups--Select a specific group or multiple groups for which the compliance must be set. Select All Groups if you want to set compliance for all the groups.
      - Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set.
      - When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time.
         - Now--To set the compliance to be carried out immediately.
         - Later Date--To set at the later date and time.
      - Click the Save and Upgrade button to save the firmware compliance with the above settings.
      To clear the compliance, turn off the toggle switch.
   b. Set Compliance for Switches--To ensure firmware version compliance, complete the following parameters in the Manage Firmware Compliance page:
      - Groups--Select the group for which the compliance must be set. Select the specific group to set compliance at group level.
      - AOS-S Firmware Version--Select the AOS-S firmware version number from the drop-down list to which the compliance is required to be set.
      - CX Firmware Version--Select the Aruba CX switch version number from the drop-down list to which the compliance is required to be set.
      - Auto Reboot--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
      - When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
         - Now--To set the compliance to be carried out immediately.
         - Later Date--To set at the later date and time.
      - Click the Save and Upgrade button to save the firmware compliance with the above settings.
      To clear the compliance, turn off the toggle switch.

      Aruba Central lists all available Aruba CX switches software versions. Select the software version that is applicable to the Aruba CX switch to which compliance is required to be set. For example, version 10.04.0020 is not applicable to Aruba CX 6200 and 6400 switch series.
   c. Set Compliance for Gateways in Standalone Mode--To ensure firmware version compliance, complete the following parameters in the Manage Firmware Compliance page:
      - Groups--Select a specific group or multiple groups for which the compliance must be set. Select All Groups if you want to set compliance for all the groups.
      - Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set.
      - Auto Reboot--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
      - When--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time:
         - Now--To set the compliance to be carried out immediately.
         - Later Date--To set at the later date and time.
      - Click the Save and Upgrade button to save the firmware compliance with the above settings.
      To clear the compliance, turn off the toggle switch.

5. Upgrade All--Allows you to simultaneously upgrade firmware for all devices. Click Upgrade All to view a list of supported firmware versions for each device.

   a. To Upgrade all Access Points--Click Upgrade All and complete the following parameters in the Upgrade Access Points Firmware page:
      - Sites--Select a specific site or multiple sites for which the upgrade must be set. You can also search for the site in the search filter.
      - Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set. Select None for none of the firmware versions.
      - When--Select one of the following radio buttons to specify whether the compliance must be carried out immediately or at a later date and time:
         - Now--To set the compliance to be carried out immediately.
         - Later Date--To set the compliance at a later date and time.
      - Upgrade--Click this button to start the upgrade with the above settings.
      - Cancel--Click this button to cancel the upgrade.
      When a large number of APs are being upgraded, the cancel operation may not work as intended, and the upgrade continues.

   b. To Upgrade all Switches--Click Upgrade All and complete the following parameters in the Upgrade Switch Firmware page:
      - Sites--Select a specific site or multiple sites for which the upgrade must be set. You can also search for the site in the search filter.
      - AOS-S Firmware Version--Select the AOS-S firmware version number from the drop-down list to which the compliance is required to be set.
      - CX Firmware Version--Select the CX switch firmware version number from the drop-down list to which the compliance is required to be set.
      - Auto Reboot--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
      - When--Select one of the following radio buttons to specify whether the compliance must be carried out immediately or at a later date and time:
         - Now--To set the compliance to be carried out immediately.
         - Later Date--To set the compliance at a later date and time.
      - Upgrade--Click this button to start the upgrade with the above settings.
      - Cancel--Click this button to cancel the upgrade.

   c. To Upgrade all Gateways in Standalone Mode--Click Upgrade All and complete the following parameters in the Upgrade Gateway Firmware page:
      - Sites--Select a specific site or multiple sites for which the upgrade must be set. You can also search for the site in the search filter.
      - Firmware Version--Select the firmware version number from the drop-down list to which the compliance is required to be set.
      - Auto Reboot--Select this check box to reboot Aruba Central automatically after the build is downloaded on the device. On reboot, the new build is installed on the device.
      - When--Select one of the following radio buttons to specify whether the compliance must be carried out immediately or at a later date and time:
         - Now--To set the compliance to be carried out immediately.
         - Later Date--To set the compliance at a later date and time.
      - Upgrade--Click this button to start the upgrade with the above settings.
      - Cancel--Click this button to cancel the upgrade.

6. Search Filter--Allows you to define a filter criterion for searching devices based on the following properties:
   - Common to all devices--Name, Firmware Version, Recommended Version, and Upgrade Status of the device.
   - Specific to switches and gateways--MAC address and Model.

7. Column Filter--Clicking the icon enables you to customize the table columns or set it to the default view.

8. Continue--Allows you to continue with firmware upgrade.

9. Cancel Upgrade--Cancels a scheduled upgrade.

10. Cancel All--Cancels a scheduled upgrade for all devices.

This section also includes the following topics:
- Upgrading a Single Device or Multiple Devices
- Upgrading Devices using Upgrade All Option
- Setting Firmware Compliance For Access Points
- Setting Firmware Compliance For Switches
- Setting Firmware Compliance For Gateways in Standalone Mode

Upgrading a Single Device or Multiple Devices

To check a new version for a single device or multiple devices, complete the following steps:

1. In the Network Operations app, select one of the following options:
   a. To select a group, site, or global in the filter:
      - Set the filter to one of the options under Group or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
      - Under Maintain, click Firmware.
      - Select one or more devices from the device list and click the Upgrade icon at the bottom of the page, or hover over one of the selected devices and click the Upgrade icon. The Upgrade <Device> Firmware pop-up window opens.
   b. To select a device in the filter:
      - Set the filter to Global.
      - Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed.
      - Click a device listed under Device Name. The dashboard context for the device is displayed.
      - Under Maintain, click Firmware and click Upgrade in the Firmware Details window. The Upgrade <Device> Firmware pop-up window opens.
2. In the Upgrade <Device> Firmware pop-up window, select the appropriate firmware version. You can either select a recommended version or manually choose a specific firmware version. To obtain custom build details, contact Aruba Central Technical Support.
3. Select Auto Reboot if you want Aruba Central to automatically reboot after device upgrade. The Auto Reboot option is available for Mobility Access Switches, Aruba Switch, Aruba CX switches, and Branch Gateways.
4. Specify if the upgrade must be carried out immediately or at a later date and time.
5. Click Upgrade.
   The device downloads the image from the server, saves it to flash, and reboots. Depending on the progress and success of the upgrade, one of the following messages is displayed:
   - Upgrading--While image upgrade is in progress.
   - Upgrade failed--When the upgrade fails.
6. If the upgrade fails, retry upgrading your device. After upgrading a switch, click Reboot.

Upgrading Devices using Upgrade All Option

To upgrade multiple devices using the Upgrade All option, complete the following steps:

1. In the Network Operations app, set the filter to one of the options under Group or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Maintain, click Firmware. The firmware dashboard for Access Points is displayed by default.
3. Click Upgrade All. The Upgrade <Device> Firmware pop-up window opens.
4. In the Upgrade <Device> Firmware pop-up window, select the specific site or multiple sites from the Sites drop-down list. This option is available only at the global context.
5. Select the appropriate firmware version (for Access points and Gateways) and AOS-S firmware version and CX firmware version (for Mobility Access Switches, Aruba Switch and Aruba CX switches) from their respective drop-down list. You can either select a recommended version or manually choose a specific firmware version. To obtain custom build details, contact Aruba Central Technical Support.
6. Select Auto Reboot if you want Aruba Central to automatically reboot after device upgrade. The Auto Reboot option is available for Mobility Access Switches, Aruba Switch, Aruba CX switches, and Branch Gateways.
7. Specify if the upgrade must be carried out immediately or at a later date and time.
8. Click Upgrade. The device downloads the image from the server, saves it to flash, and reboots.
   Depending on the progress and success of the upgrade, one of the following messages is displayed:
   - Upgrading--While image upgrade is in progress.
   - Upgrade failed--When the upgrade fails.
9. If the upgrade fails, retry upgrading your device. After upgrading a switch, click Reboot.

The following image displays the Upgrade <Device> Firmware window for the switches:

Figure 107 Upgrade Switch Firmware

Setting Firmware Compliance For Access Points

Aruba Central allows you to run a firmware compliance check and force firmware upgrade for all APs in a group. To force a specific firmware version for all APs in a group, complete the following steps:

1. In the Global dashboard, under Maintain, click Firmware. The Access Points tab is selected by default.
2. Verify the firmware upgrade status for all APs.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple groups, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select one of the following as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at a later date and time.
7. Click Save and Upgrade. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

The following image displays the Manage Firmware Compliance window for Access Points:

Figure 108 Manage Firmware Compliance

Setting Firmware Compliance For Switches

To force a specific firmware version for all MAS switches in a group, complete the following steps:

1. In the Global dashboard, under Maintain, click Firmware > Switch-MAS tab.
2. Verify the firmware upgrade status for all MAS switches.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple groups, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select Auto Reboot if you want Aruba Central to automatically reboot the device after a successful device upgrade.
7. Select one of the following as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at a later date and time.
8. Click Save and Upgrade. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

The following image displays the Manage Firmware Compliance window for MAS switches:

Figure 109 Manage Firmware Compliance Window for MAS Switches

To force a specific firmware version for all Aruba switches in a group, complete the following steps:

1. In the Global dashboard, under Maintain, click Firmware > Switches tab.
2. Verify the firmware upgrade status for all switches.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple groups, or All Groups.
5. Select an AOS-S firmware version from the AOS-S Firmware Version drop-down list.
6. Select a CX firmware version from the CX Firmware Version drop-down list.
7. Select Auto Reboot if you want Aruba Central to automatically reboot the device after a successful device upgrade.
8. Select one of the following as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at a later date and time.
9. Click Save and Upgrade. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

The following image displays the Manage Firmware Compliance window for Aruba switches:

Figure 110 Manage Firmware Compliance Window for Aruba Switches

Setting Firmware Compliance For Gateways in Standalone Mode

To force a specific firmware version for all gateways in standalone mode, complete the following steps:

1. In the Global dashboard, under Maintain, click Firmware > Gateways tab. All the gateways in standalone mode are displayed.
2. Verify the firmware upgrade status for all gateways.
3. Click Set Compliance at the top right and turn on the toggle switch to enable the Manage Firmware Compliance window.
4. In the Groups drop-down list, select a single group, multiple groups, or All Groups.
5. Select a firmware version from the Firmware Version drop-down list.
6. Select Auto Reboot if you want Aruba Central to automatically reboot the device after a successful device upgrade.
7. Select one of the following as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at a later date and time.
8. Click Save and Upgrade. Aruba Central initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

The following image displays the Manage Firmware Compliance window for gateways:

Figure 111 Manage Firmware Compliance

Viewing Audit Trail in the Standard Enterprise Mode and MSP Mode

The Audit Trail page in the Standard Enterprise Portal shows the total logs generated for all the device management, configuration, and user management events triggered in Aruba Central. You can search or filter the audit trail records based on any of the following columns:
- Occurred on (Custom Range)
- Username
- IP Address
- Category
- Description
- Target

To view the audit trail log details in Aruba Central, perform the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a group or all devices in the filter, set the filter to Group. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
      a. Set the filter to Global.
      b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed in the List view.
      c. Click a device listed under Device Name. The dashboard context for the device is displayed.
2. Under Analyze, click Audit Trail. The Audit Trail table is displayed with the following details:
   - Occurred On--Timestamp of the audit log. Use the sort option to sort the audit logs by date and time. Use the filter option to select a specific time range to display the audit logs.
   - IP Address--IP address of the client device.
   - Username--Username of the admin user who applied the changes.
   - Target--The group or device to which the changes were applied.
   - Category--Type of modification and the affected device management category.
   - Description--A short description of the changes such as subscription assignment, firmware upgrade, and configuration updates. Click the ellipsis to view the complete details of the event.
     For example, if an event was not successful, clicking the ellipsis displays the reason for the failure.

To customize the Audit Trail table, click the ellipsis icon to select the required columns, or click Reset to default to set the table to the default columns.

Classification of Audit Trails

The audit trail is classified according to the type of modification and the affected device management category. The category can be one of the following:
- Configuration
- Firmware Management
- Reboot
- Device Management
- Templates
- User Management
- Variables
- Label Management
- MSP
- Guest
- Groups
- Subscription Management
- API Gateway
- RBAC
- Sites Management
- SAML Profile
- User Activity
- Federated User Activity
- Alert Configuration
- Install Manager
- Tools

Removing Devices

The device monitoring dashboards allow you to remove an offline device. However, you cannot remove a device completely from the Aruba Central database, because the device entry remains in the Device Inventory page. The Device Inventory page shows the hardware devices that belong to your account or purchase order.

For information on removing an offline device, see the following topics:
- Deleting an Offline AP
- Deleting an Offline Switch
- Deleting a Gateway

Removing a Device from the Device Inventory Page

You cannot remove a device completely from Aruba Central, but you can unsubscribe the device. After you unsubscribe, the device status changes to Unsubscribed in the Device Inventory page. If you have more than one Aruba Central account and if another Aruba Central user adds this unsubscribed device to another Aruba Central account, the device entry is removed from the Device Inventory page in your Aruba Central account.
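
The Audit Trail columns and categories described earlier in this chapter can be reviewed with a script once the records are outside the UI. The following Python code is an added example, not part of the Aruba guide or Aruba's own code: it assumes the records have been exported to CSV with the table's column names as headers and ISO 8601 timestamps, and it runs on constructed sample rows. The choice of categories to review is also this example's assumption.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Categories from the guide's classification list to review first.
# Which ones matter is this example's assumption, not Aruba guidance.
REVIEW_CATEGORIES = frozenset({
    "User Management", "RBAC", "SAML Profile", "API Gateway",
    "Firmware Management", "Reboot", "Configuration",
})

# Constructed sample export. Column names follow the Audit Trail table;
# the CSV layout and timestamp format are assumptions, and the addresses
# come from the documentation ranges in RFC 5737.
SAMPLE_CSV = """\
Occurred On,IP Address,Username,Target,Category,Description
2021-06-01T09:02:11,192.0.2.10,alice@example.com,Group-HQ,Firmware Management,Firmware compliance set
2021-06-01T09:15:40,192.0.2.10,alice@example.com,Group-HQ,Configuration,Configuration update
2021-06-01T23:47:03,198.51.100.7,alice@example.com,bob@example.com,User Management,User role changed
2021-06-02T02:05:29,198.51.100.7,alice@example.com,AP-Lobby,Reboot,Device reboot requested
2021-06-02T10:30:00,192.0.2.44,carol@example.com,Site-East,Sites Management,Site updated
2021-06-02T11:12:54,192.0.2.44,carol@example.com,Group-Lab,Firmware Management,Firmware upgrade scheduled
2021-05-20T08:00:00,203.0.113.5,dave@example.com,Group-Lab,RBAC,Role created
"""


def load_records(text):
    """Parse the export; 'Occurred On' becomes a datetime."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        # Trim whitespace and tolerate short rows (missing values are None).
        clean = {k.strip(): (v or "").strip()
                 for k, v in row.items() if k is not None}
        clean["Occurred On"] = datetime.fromisoformat(clean["Occurred On"])
        records.append(clean)
    return records


def filter_records(records, start, end, categories=REVIEW_CATEGORIES):
    """Keep records inside [start, end] whose Category is under review."""
    return [r for r in records
            if start <= r["Occurred On"] <= end
            and r["Category"] in categories]


def summarize_by_user(records):
    """Per username: event count, source IPs, categories and targets."""
    summary = defaultdict(lambda: {"events": 0, "ips": set(),
                                   "categories": set(), "targets": set()})
    for r in records:
        entry = summary[r["Username"]]
        entry["events"] += 1
        entry["ips"].add(r["IP Address"])
        entry["categories"].add(r["Category"])
        entry["targets"].add(r["Target"])
    return dict(summary)


def users_with_multiple_ips(summary):
    """Usernames whose reviewed changes came from more than one address."""
    return sorted(u for u, s in summary.items() if len(s["ips"]) > 1)


if __name__ == "__main__":
    window = (datetime(2021, 6, 1), datetime(2021, 6, 3))
    selected = filter_records(load_records(SAMPLE_CSV), *window)
    summary = summarize_by_user(selected)
    for user, info in sorted(summary.items()):
        print(user, info["events"], sorted(info["ips"]),
              sorted(info["categories"]))
    print("review first:", users_with_multiple_ips(summary))
```

An account that changes firmware, roles, or configuration from more than one address inside the review window is a starting point for follow-up in the Audit Trail Description details, not a finding on its own.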

Chapter 6
The AI Insights Dashboard

In an environment of rapidly changing business and user expectations driven by an explosion of connectivity requirements from the edge to the cloud, a new approach to network management is required. Aruba AIOps (Artificial Intelligence for IT operations) is the next generation of AI-powered solutions that integrates proven Artificial Intelligence solutions with recommended and automated action to provide both fast response to identified problems and proactive prediction and prevention.

With data collected from over 750,000 access points, switches, and gateways, Aruba Central and built-in AI Insights proactively identify and solve issues, and provide pinpoint configuration recommendations. As the data is stored in the cloud, it is easy to view the network performance across all locations from a single pane of glass. Utilizing the cloud also provides the ability to anonymously compare a network with a peer network or the baselines for a broader perspective and optimization. All of this comes from Aruba's advantage in accessing an enormous volume and variety of data that is factored into insights.

Aruba does not collect or process personal data.

In this release the insights are classified under three categories:
- Connectivity--Issues related to the wireless connectivity in the network.
- Wireless Quality--Issues related to the RF Info or RF Health in the network.
- Availability--Issues related to the health of your network infrastructure and the devices in the network, such as APs, switches, and gateways.

The AI Insights dashboard displays a report of network events that could possibly affect the quality of the overall network performance. These are anomalies observed at the access point, connectivity, and client level for the selected time range. Each insight provides specific details on the occurrences of these events for easy debugging.

To launch the AI Insights dashboard, complete the following steps:

1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage, click Overview > AI Insights. The Insights table is displayed. AI Insights listed in the dashboard are sorted from high priority to low priority.
3. Click the arrow against each insight to view further details.

Figure 112 Insight Details

Callout Number--Description
- 1--Click this arrow to expand any specific insight to view further details.
- 2--Displays the insight severity, using the following colors:
   - Red--High priority
   - Orange--Medium priority
   - Yellow--Low priority
   NOTE: The following three configuration recommendation insights are marked in blue color in the severity column:
   - Access Point Transmit Power can be Optimized
   - Coverage Holes Identified
   - Outdoor Clients Impacting Wi-Fi Performance
- 3--Short description of the insight.
- 4--Insight Summary displays the reason why the insight was generated along with a recommendation. It also shows the number and percentage of failures that occurred against each failure reason. The reasons are classified into:
   - Static--These reasons rely on Aruba's domain expertise.
   - Dynamic--These reasons are generated based on error codes that are received from infrastructure devices.
- 5--Time Series graph is a graphical representation of the failure percentage or failure events that occurred for the selected time range. The entries in each time series bar can be customized to highlight a specific entry by clicking on it. Only one specific entry can be highlighted at a time.
- 6--Category of the insight. Insight category can be filtered by clicking the filter icon.
- 7--Short description of the impact.
- 8--Cards display additional information specific to each insight. Cards might vary for each insight based on the context the insight is accessed from.
   For more information, see Cards.

All AI Insights generated are listed in the Global > AI Insights dashboard. Alternatively, AI Insights for a specific site, device, or client can be viewed by selecting the respective context. For more information on available insights and the context, see Insights Context.

AI Insights are displayed for a selected time period based on the time selected in the Time Range Filter. You can select one of the following: 3 Hours, 1 Week, 1 Day, or 1 Month.

Figure 113 AI Insights Dashboard

Insights Context

Insights can be accessed from different contexts such as Global, Site, Clients, and Device. The following table lists the different types of insights generated by Aruba Central and the path from where each can be accessed.

In this release, all AI Insights are available irrespective of the user role or Aruba Central subscription. In the upcoming Aruba Central release, AI Insights marked as Advanced in the user interface would require an advanced subscription.

Table 70: Navigating Insights

Each entry lists the insight, its category, and the navigation path for each context.

Insight: Access Points with High CPU Utilization
Category: Availability - Access Point
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Access Points with High Memory Usage
Category: Availability - Access Point
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Telemetry Information not Received from APs or Radios
Category: Availability - Access Point
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Access Points with High Number of Reboots
Category: Availability - Access Point
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: AOS-CX Switches with High Port Flaps
Category: Availability - Switch
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Switches--Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-CX Switches with High Port Errors
Category: Availability - Switch
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Switches--Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-CX Switch Ports with High Power-over-Ethernet Problems
Category: Availability - Switch
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Switches--Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-CX Switches with High CPU Utilization
Category: Availability - Switch
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Switches--Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-CX Switches with High Memory Usage
Category: Availability - Switch
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Switches--Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-Switches with High Port Flaps
Category: Availability - Switch
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Switches--Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-Switches with High Port Errors
Category: Availability - Switch
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Switches--Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-Switch Ports with High Power-over-Ethernet Problems
Category: Availability - Switch
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Switches--Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-Switches with High CPU Utilization
Category: Availability - Switch
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Switches--Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: AOS-Switches with High Memory Usage
Category: Availability - Switch
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Switches--Network Operations > Global > Devices > Switches > Device Name > AI Insights

Insight: Failure to Establish Gateway Tunnels
Category: Availability - Gateway
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Gateways--Network Operations > Global > Devices > Gateways > Device Name > AI Insights

Insight: Gateways with High CPU Utilization
Category: Availability - Gateway
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Gateways--Network Operations > Global > Devices > Gateways > Device Name > AI Insights

Insight: Gateways with High Memory Usage
Category: Availability - Gateway
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Gateways--Network Operations > Global > Devices > Gateways > Device Name > AI Insights

Insight: Clients who Roamed Excessively
Category: Connectivity - Wi-Fi
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights
   Clients--Network Operations > Global > Clients > Client Name > AI Insights
   Clients--Network Operations > Site > Clients > Client Name > AI Insights

Insight: Clients with High Roaming Latency
Category: Connectivity - Wi-Fi
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights
   Clients--Network Operations > Global > Clients > Client Name > AI Insights
   Clients--Network Operations > Site > Clients > Client Name > AI Insights

Insight: Clients with Captive Portal Authentication Problems
Category: Connectivity - Wi-Fi
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights
   Clients--Network Operations > Global > Clients > Client Name > AI Insights
   Clients--Network Operations > Site > Clients > Client Name > AI Insights

Insight: Clients with High Number of Wi-Fi Association Failures
Category: Connectivity - Wi-Fi
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights
   Clients--Network Operations > Global > Clients > Client Name > AI Insights
   Clients--Network Operations > Site > Clients > Client Name > AI Insights

Insight: Delayed DNS Request or Response
Category: Connectivity - Wi-Fi
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights
   Clients--Network Operations > Global > Clients > Client Name > AI Insights
   Clients--Network Operations > Site > Clients > Client Name > AI Insights

Insight: DNS Servers Rejected High Number of Queries
Category: Connectivity - Wi-Fi
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights
   Clients--Network Operations > Global > Clients > Client Name > AI Insights
   Clients--Network Operations > Site > Clients > Client Name > AI Insights

Insight: Clients with DHCP Server Connection Problems
Category: Connectivity - Wi-Fi
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights
   Clients--Network Operations > Global > Clients > Client Name > AI Insights
   Clients--Network Operations > Site > Clients > Client Name > AI Insights

Insight: DNS Queries Failed to Reach or Return from the Server
Category: Connectivity - Wi-Fi
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Clients with High MAC Authentication Failures
Category: Connectivity - Wi-Fi
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights
   Clients--Network Operations > Global > Clients > Client Name > AI Insights
   Clients--Network Operations > Site > Clients > Client Name > AI Insights

Insight: Clients with High Wi-Fi Security Key-Exchange Failures
Category: Connectivity - Wi-Fi
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights
   Clients--Network Operations > Global > Clients > Client Name > AI Insights
   Clients--Network Operations > Site > Clients > Client Name > AI Insights

Insight: Clients with High 802.1X Authentication Failures
Category: Connectivity - Wi-Fi
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights
   Clients--Network Operations > Global > Clients > Client Name > AI Insights
   Clients--Network Operations > Site > Clients > Client Name > AI Insights

Insight: Access Point Transmit Power can be Optimized
Category: Wireless Quality
   Global--Network Operations > Global > Overview > AI Insights

Insight: Access Points Impacted by High 2.4 GHz Usage
Category: Wireless Quality
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Access Points Impacted by High 5 GHz Usage
Category: Wireless Quality
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Dual-band (2.4/5 GHz) Clients Primarily using 2.4 GHz
Category: Wireless Quality
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights
   Clients--Network Operations > Global > Clients > Client Name > AI Insights
   Clients--Network Operations > Site > Clients > Client Name > AI Insights

Insight: Clients with Low SNR Minutes
Category: Wireless Quality
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights
   Clients--Network Operations > Global > Clients > Client Name > AI Insights
   Clients--Network Operations > Site > Clients > Client Name > AI Insights

Insight: Coverage Holes Identified
Category: Wireless Quality
   Global--Network Operations > Global > Overview > AI Insights

Insight: Access Points with Excessive Number of Channel Changes
Category: Wireless Quality
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Access Points Radios with Frequent Transmit Power Changes
Category: Wireless Quality
   Global--Network Operations > Global > Overview > AI Insights
   Site--Network Operations > Sites > Overview > AI Insights
   Access Points--Network Operations > Global > Devices > Access Points > Device Name > AI Insights

Insight: Outdoor Clients Impacting Wi-Fi Performance
Category: Wireless Quality
   Global--Network Operations > Global > Overview > AI Insights

Cards

All the insights in Aruba Central display certain cards with additional information specific to that insight. The top view of each card usually shows the most impacted data in a pie chart or a bar graph view. The data in a pie chart can be modified based on your requirement. To highlight specific entries in a card, click the check box next to each label. A few cards have a further drill-down option available in the form of a drop-down. Additionally, a few cards have an expandable view option to view the graph. The cards might vary for each insight based on the context the insight is accessed from.

The following table displays the cards available in different insights:

Table 71: Cards

Card--Description
- Site--The Site card displays the number of sites impacted by an insight. Click the arrow to expand the card and view the most impacted sites where the issue occurred.
- Access Points--The Access Point card displays the number of APs impacted by an insight. Click the arrow to expand the card and view the most impacted APs where the issue occurred. You can also click the drop-down list to view further details about the impacted access points.
- Clients--The Client card displays the number of clients impacted by an insight. Click the arrow to expand the card and view the most impacted clients where the issue occurred.
- Server--The Server card displays the number of servers impacted by an insight. Click the arrow to expand the card and view the most impacted servers where the issue occurred.
- RF Info--The RF Info card displays the number of channels, band, and SSID information based on the insight it is accessed from. Click the arrow to expand the card and view the relevant information.
You can also click the drop-down list to view further details about the impacted RF bands. The Switch card displays the number of switches impacted by an insight. Click the arrow to expand the card and view the most impacted switches where the issue occurred. You can also click the drop-down list to view further details about the impacted switches. The Wired Client card displays the number of wired clients impacted by an insight. Click the arrow to expand the card and click the drop-down list to view further details about the impacted wired clients. The Roam card displays the percentage of client latency roams. Click the arrow to expand the card and click the drop-down list to view further details about the roaming latency and band. The Tunnel card displays the number of gateway tunnels down. Click the arrow to expand the card and view the reasons for the cause of tunnel down. The Gateway card displays the number of gateways impacted by an insight. Click the arrow to expand the card and view the most impacted gateways where the issue occurred. You can also click the drop-down list to view further details about the impacted gateways. The VPNC card displays the number of VPNC gateways on which the tunnels are down. Click the arrow of VPNC tunnel down. to expand the card and view the reasons for the cause The Outdoor Clients card is available only for Outdoor Clients Impacting Wi-Fi Performance insight and it displays the percentage of avoided outdoor client minutes. Click the arrow of the data. to expand the card and view graphical representation The AI Insights Dashboard | 366 Card Outdoor Minutes Port CPU Memory Power Channel Description The Outdoor Minutes card is available only for Outdoor Clients Impacting WiFi Performance insight and it displays the percentage of avoided outdoor clients minutes and affected indoor client minutes. Click the arrow and view graphical representation of the data. 
to expand the card The Port card is available for the switch port health insights and it displays the number of ports experiencing excessive flaps or errors. Click the arrow to expand the card and view the most impacted ports where the issue occurred. The CPU card is available at the device (Gateways and Switches) context and displays the number of gateways and switches impacted by high CPU utilization in the network. Click the arrow representation of the data. to expand the card and view graphical The Memory card is available at the device (Gateways and Switches) context and displays the number of gateways and switches impacted by high memory utilization in the network. Click the arrow graphical representation of the data. to expand the card and view The Power card displays the number of power changes in access points in the network. Click the arrow to expand the card and click the drop-down list to view further details about the impacted access points. The Channel card displays the number of channels changes per channel for a specific access point in the network. Click the arrow to expand the card and click the drop-down list to view further details about the impacted channels. If you click on the number displayed on each card, further details specific to that card is displayed in a tabular format. The filter icon allows you to filter data in each table columns. The and icon allows you to sort the columns in ascending and descending order. Few columns are displayed by default whereas, there are few columns which does not appear in the table by default. To customize a table, click the ellipses icon to select the required columns, or click Reset to default to set the table to the default columns. Click to download the card details in a CSV format. Baselines Baseline enables you to compare your network performance with similar peer groups. Baseline is calculated on a weekly basis and is available in the trend chart for insights in the Site context only. 
Baseline is displayed as a blue line in the trend chart. The following two baselines are available in Aruba Central:
- Class baseline--Provides a comparison with similar peer groups in the networks. Peer group classification is done based on various parameters such as number of access points, neighboring devices information, and so on.
- Company baseline--Provides a comparison of the network within the entire customer ID (CID).

Baseline is supported for the following insights:
- Clients with High MAC Authentication Failures
- Clients with High Wi-Fi Security Key-Exchange Failures
- Clients with High 802.1X Authentication Failures
- Clients with DHCP Server Connection Problems
- DNS Queries Failed to Reach or Return from the Server
- DNS Servers Rejected High Number of Queries
- Delayed DNS Request or Response
- Access Points with High CPU Utilization
- Access Points with High Memory Usage
- Access Points with High Number of Reboots
- Telemetry Information not Received from APs or Radios
- Access Points with Excessive Number of Channel Changes
- Access Points Impacted by High 2.4 GHz Usage
- Access Points Impacted by High 5 GHz Usage
- Access Point Transmit Power can be Optimized
- Dual-band (2.4/5 GHz) Clients Primarily using 2.4 GHz
- Clients with Low SNR Minutes

Access Points with High Number of Reboots

The Access Points had a high number of reboots insight can be accessed from the Global, Site, and Access Points context. This insight provides information about APs that have been rebooted the most times and is categorized under availability as the clients connected to these APs experience connectivity drops. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph

The time series graph displays the number of AP reboots that occurred during the selected time period. You can hover your mouse over each bar graph to see the exact number of reboots.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 72: Cards Context
Cards | Context
Site | Global
Access Point | Global, Site

Site

Lists the number of sites where the APs experience excessive reboots. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Reboots--Number of APs that experience excessive reboots in each site.
- APs--Number of reboots that occurred in each AP in a specific site.

Access Point

Lists the number and details of reboots observed in an AP. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- Time Series--Pictorial graph of the AP reboots that occurred on different dates but similar timestamp.
- FW Version--Pictorial graph of AP reboots classified by AP firmware versions.
- AP Model--Pictorial graph of AP reboots classified by AP models.

Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- AP Serial--Serial number of the AP.
- FW Version--Version of the firmware running on each AP.
- Model--Model number of each AP.
- Site--Name of the site where the AP resides.
- Reboots--Number of reboots over time.

Access Points with Excessive Number of Channel Changes

The Access Points had an excessive number of channel changes insight can be accessed from the Global, Site, and Access Points context. This insight provides information about AP radios that changed channels excessively in the network.
It is categorized under wireless quality as the connected clients might have to reconnect after an AP changes channel for a better network performance. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs changed channels on the network.
- Recommendation--Displays the recommendation against each failure to resolve the same.
- Channel Changes--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph

The time series graph displays the number of channel changes per channel for a specific AP during the selected time period. You can hover your mouse on each bar graph to see the exact number of channel changes.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 73: Cards Context
Cards | Context
Site | Global
Access Point | Global, Site
Client | Global, Site, Device
Channel | Global, Site, Device

Site

Lists the number of sites that experience excessive AP radio channel changes in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Channel Changes--Total number of channel changes in each site.
- Impacted Sessions--Number of times the insight is triggered on each site.
- Total Session--Total number of session count in each site.
- Impacted Radio--Number of radios with high airtime.
- Total Radios--Total number of radios in each site.

Access Point

Lists the number and details of APs that experience excessive AP radio channel changes in the network.
Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- Model--Pictorial graph of the channel changes classified by AP models.
- FW Version--Pictorial graph of channel changes classified by AP firmware versions.

Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Serial--Serial number of the AP.
- Model--Model number of each AP.
- Band--Bandwidth where each AP dwells.
- Channel Changes--Number of channel changes on each AP.
- Impacted Sessions--Number of times the insight is triggered on each AP.
- Total Sessions--Total number of session count in each AP.

Client

Lists the MAC Address, name, host name, auth ID, and the corresponding number of channel changes for each client. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Clients card to view a detailed description of the impacted clients:
- Client Name--Name of the client impacted by the insight and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Times Impacted--Number of channels changed on each client.

Channel

Number of channel changes per channel for a specific AP during the selected time period. Click the arrow to expand the card and view the pictorial graph of the channel changes. Click the Channel drop-down list to view the following:
- Band--Pictorial graph of the channel changes based on both 2.4 GHz and 5 GHz.
- Channel--Pictorial graph of the number of channel changes per channel for a specific AP during the selected time period. It shows a comparison of the channel change between the peer network and AP. Click to expand the channel data.

Click the number displayed on the Channel card to view a detailed description of the impacted channels:
- From Channel--Total number of channels.
- Changes--Number of channels that experienced excessive changes.

Access Points with High CPU Utilization

The Access Points had unusually high CPU utilization insight can be accessed from the Global, Site, and Access Points context. This insight provides information about APs that have higher than normal CPU utilization and is categorized under availability as the clients connected to these APs experience intermittent connectivity drops. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph

The time series graph displays the number of APs that experience high CPU utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number of APs.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 74: Cards Context
Cards | Context
Site | Global
Access Point | Global, Site

Site

Lists the number of sites where the APs experience high CPU utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- APs--Number of APs that experience high CPU utilization in each site.
- Time (min)--Time range of high CPU utilization in each site.

Access Point

Lists the number and details of APs that experience high CPU utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted access points.
Click the Access Point drop-down list to view the following:
- AP Model--Pictorial graph of CPU utilization classified by AP models.
- FW Version--Pictorial graph of CPU utilization classified by AP firmware versions.

Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP.
- AP Serial--Serial number of the AP.
- Firmware--Version of the firmware running on each AP.
- Model--Model number of each AP.
- Site--Name of the site where the AP resides.
- Time (min)--Time range of high CPU utilization on each AP.
- Max CPU (%)--Percentage of high CPU utilization on each AP.

Access Points Impacted by High 2.4 GHz Usage

The Access Points impacted by high 2.4 GHz usage insight can be accessed from the Global, Site, and Access Points context. This insight provides information about AP radios whose Wi-Fi channel utilization deviated from the normal utilization range, as compared to other APs broadcasting in the same location, RF band, and time of day. It is categorized under wireless quality as the connected clients experience poor Wi-Fi performance. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs experience higher airtime utilization in the network.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.

Time Series Graph

The time series graph displays the number of APs that experience high 2.4 GHz airtime utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number of APs.

Cards

The cards vary based on the context that you access the insight from.
Click one of the cards to view further details:

Table 75: Cards Context
Cards | Context
Site | Global
Access Point | Global, Site
Client | Global, Site, Device
RF Info | Global, Site, Device

Site

Lists the number of sites that experience high 2.4 GHz airtime utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Duration (mins)--Time range that an AP in each site experienced high airtime utilization.
- Clients--Number of clients impacted by the insight.
- APs--Number of APs impacted by the insight in each site.
- Reasons--Cause of the high 2.4 GHz airtime utilization in each site.

Access Point

Lists the number and details of APs that experience high 2.4 GHz airtime utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- Model--Pictorial graph of the high 2.4 GHz airtime utilization percentage classified by AP models.

Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Serial--Serial number of the AP.
- Consumed Airtime (mins)--Time range of the consumed airtime in each AP.
- Duration (mins)--Time range that the AP experienced high airtime utilization.
- Reasons--Cause of the high 2.4 GHz airtime utilization in each AP.
- Clients Impacted--Number of clients impacted by the insight connected to each AP.
- Avg Channel Utilization (%)--Average percentage of the airtime utilization in each AP.
- AP Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

Client

Lists the MAC Address, name, host name, auth ID, and the corresponding percentage of high 2.4 GHz airtime utilization of each client. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
- Client Name--Name of the client impacted by the insight and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Duration (mins)--Time range that the client experienced high airtime utilization.
- Reason--Cause of the high 2.4 GHz airtime utilization for each client.
- Site--Name of the site where the client exists.

RF Info

Number of channels impacted by high 2.4 GHz airtime utilization. Click the arrow to view the pictorial graph of the impacted band. Click the RF Info drop-down list to view the following:
- Channel--Chart of AP radio channels that experienced excessive AP airtime utilization. It displays the channels impacted by this issue over the selected time period, sorted by airtime utilization score, which is calculated from the severity of the utilization level and the duration of time that the channel was over utilized. Click to expand the channel data.
- Reason--Pictorial graph of the percentage of causes for high 2.4 GHz airtime utilization in a channel.
- Utilization--Pictorial graph of the airtime utilization in each AP on a specific date and time. Click to expand the utilization data.
- Power Distribution--Pictorial graph of Tx Power distribution (dBm) for both the 2.4 GHz and 5 GHz band during the time it is transmitting signal to the client. Click to expand the power distribution data.
- Hour of Day--Pictorial graph of which hours of the day the network was most impacted by excessive AP airtime utilization. Click to expand the hourly data.
- SNR Percentile--Pictorial graph of the average Signal-to-Noise Ratio of the AP in different percentiles (25th, 50th, 75th, 90th, 99th) in 2.4 GHz band and 5 GHz band. Click to expand the SNR percentile data.

Click the number displayed on the RF Info card to view a detailed description of the impacted channels:
- Channel--Number of channels that experienced excessive AP airtime utilization.
- Airtime (mins)--Time range of the consumed airtime in each client.

Access Points Radios with Frequent Transmit Power Changes

The Access Point radios changed their transmit power frequently insight can be accessed from the Global, Site, and Access Points context. This insight provides information on AP radios that frequently changed transmission power levels in the network. It is categorized under wireless quality since the connected clients experience frequent throughput fluctuations. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs experience frequent transmit power changes in the network.
- Recommendation--Displays the recommendation against each failure to resolve the same.

Time Series Graph

The time series graph displays the number of AP power changes in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number of power changes.

Cards

The cards vary based on the context that you access the insight from.
Click one of the cards to view further details:

Table 76: Cards Context
Cards | Context
Site | Global
Access Point | Global, Site
Power | Global, Site, Device

Site

Lists the number of sites that experience power transmit changes in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Insight--Number of power changes that occurred in each site.
- Radio--Number of AP radios in each site that changed transmission power level.

Access Point

Lists the number and details of APs that experience power transmit changes in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP insight.
- AP MAC--MAC address of the AP and link to the specific insight at the AP insight.
- Serial--Serial number of the AP.
- Power Changes--Number of power changes that occurred in each AP.
- Model--Model number of each AP.
- Firmware--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

Power

Displays the number of power changes that occurred in APs in the network. Click the arrow to view the pictorial graph of the impacted band. Click the Power drop-down list to view the following:
- Power Changes over Time--Pictorial graphs of power transmit changes observed across time for 2.4 GHz and 5 GHz radio. Click to expand the power change data.
- Power Distribution--Pictorial graph of the percentage of time spent across power levels for the time period in the 2.4 GHz and 5 GHz band. Click to expand the power distribution data.
- Band--Pictorial graph of the percent of number of changes observed in the 2.4 GHz and 5 GHz bands.
- Variance--Pictorial graph of the percentage of variance in transmission power across number of APs in that power variance for the 2.4 GHz and 5 GHz band. Click to expand the variance data.

Click the number displayed on the Power card to view a detailed description of the impacted channels:
- Band--Number of power changes observed in the 2.4 GHz and 5 GHz bands.
- Changes--Number of power changes that occurred in each band.

Access Point Transmit Power can be Optimized

The Access Point transmit power can be optimized insight can be accessed only at the Global context. This insight is generated when the transmit power is not set optimally on the radios of access points existing in the network. This insight detects that wireless clients are experiencing poor Wi-Fi connectivity due to the transmit power settings of the access points. It is categorized under wireless quality as the clients connected to these APs can communicate with the APs well, but the APs have difficulty communicating with the clients in return. This insight displays the following information:
- Insight Summary
- Card

Insight Summary

The insight summary provides the following details:
- Reason--Displays the possible causes for which the transmit power of APs is not set optimally.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.

Card

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 77: Cards Context
Cards | Context
Mixed | Global
Power | Global

Mixed

Number of channels in the APs impacted by transmit power setting in the network. Click the arrow to view the pictorial graph of the impacted band. Click the Mixed drop-down list to view the following:
- Band--Pictorial graph of power changes in both the frequency bands by the AP (2.4 GHz or 5 GHz).
- SSID--Pictorial graph of the percent of AP dwell bands (2.4 GHz or 5 GHz) sorted by SSIDs. Click to expand the SSID data.

Power

Displays the number of power changes that occurred in a specific access point. Click the arrow to expand the card to view the pictorial graph of the band and power distribution in the network. Click the Power drop-down list to view the following:
- Power Distribution--Pictorial graph of the percentage of time spent across power levels for the time period in the 2.4 GHz and 5 GHz band.
- Band--Graph of the percent of number of changes observed in the 2.4 GHz and 5 GHz bands.

Click the number displayed on the Power card to view a detailed description of the impacted clients:
- Band--Band where the maximum power changes occurred.
- Changes--Number of power changes that occurred in each band.

Access Points Impacted by High 5 GHz Usage

The Access Points were impacted by high 5 GHz usage insight can be accessed from the Global, Site, and Access Points context. This insight provides information about AP radios whose Wi-Fi channel utilization deviated from the normal utilization range, as compared to other APs broadcasting in the same location, RF band, and time of day. Access Points were impacted by high 5 GHz usage is categorized under wireless quality as the connected clients experience poor Wi-Fi performance. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:
- Reason--Displays the possible causes for which the APs experience higher airtime utilization in the network.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.

Time Series Graph

The time series graph displays the number of APs that experience high 5 GHz airtime utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number of APs.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 78: Cards Context
Cards | Context
Site | Global
Access Point | Global, Site
Client | Global, Site, Device
RF Info | Global, Site, Device

Site

Lists the number of sites that experience high 5 GHz airtime utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Duration (mins)--Time range that an AP in each site experienced high airtime utilization.
- APs--Number of APs impacted by the insight in each site.
- Clients--Number of clients impacted by the insight.
- Reason--Cause of the high 5 GHz airtime utilization in each site.

Access Point

Lists the number and details of APs that experience high 5 GHz airtime utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- Model--Pictorial graph of the high 5 GHz airtime utilization percentage classified by AP models.

Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Serial--Serial number of the AP.
- Consumed Airtime (mins)--Time range of the consumed airtime in each AP.
- Duration (mins)--Time range that the AP experienced high airtime utilization.
- Reason--Cause of the high 5 GHz airtime utilization in each AP.
- Clients Impacted--Number of clients impacted by the insight connected to each AP.
- Avg Channel Utilization (%)--Average percentage of the airtime utilization in each AP.
- AP Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

Client

Lists the MAC Address, name, host name, auth ID, and the corresponding percentage of high 5 GHz airtime utilization for each client. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card to view a detailed description of the impacted clients:
- Client Name--Name of the client impacted by the insight and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Duration (mins)--Time range that the client experienced high airtime utilization.
- Reason--Cause of the high 5 GHz airtime utilization for each client.
- Site--Name of the site where the client exists.

RF Info

Number of channels impacted by high 5 GHz airtime utilization. Click the arrow to view the pictorial graph of the impacted band. Click the RF Info drop-down list to view the following:
- Channel--Chart of AP radio channels that experienced excessive AP airtime utilization. It displays the channels impacted by this issue over the selected time period, sorted by airtime utilization score, which is calculated from the severity of the utilization level and the duration of time that the channel was over utilized. Click to expand the channel data.
- Reason--Pictorial graph of the percentage of causes for high 5 GHz airtime utilization in a channel.
- Utilization--Pictorial graph of the airtime utilization in each AP on a specific date and time. Click to expand the utilization data.
- Power Distribution--Pictorial graph of Tx Power distribution (dBm) for both the 2.4 GHz and 5 GHz band during the time it is transmitting signal to the client. Click to expand the power distribution data.
- Hour of Day--Pictorial graph of which hours of the day the network was most impacted by excessive AP airtime utilization. Click to expand the hourly data.
- SNR Percentile--Pictorial graph of the average Signal-to-Noise Ratio of the AP in different percentiles (25th, 50th, 75th, 90th, 99th) in 5 GHz band. Click to expand the SNR percentile data.

Click the number displayed on the RF Info card to view a detailed description of the impacted channels:
- Channel--Number of channels that experienced excessive AP airtime utilization.
- Airtime (mins)--Time range of the consumed airtime in each client.

Access Points with High Memory Usage

The Access Points with unusually high memory usage were found insight can be accessed from the Global, Site, and Access Points context. This insight provides information about APs that have higher than normal memory utilization and is categorized under availability as the clients connected to these APs experience intermittent connectivity drops. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph

The time series graph displays the number of APs that experience high memory utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number of APs.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 79: Cards Context
Cards | Context
Site | Global
Access Point | Global, Site

Site

Lists the number of sites where the APs experience high memory utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- APs with High Memory--Number of APs that experience high memory utilization in each site.
- Minutes with High Memory--Time range of high memory utilization in each site.

Access Point

Lists the number and details of APs that experience high memory utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list, to view the following:

- AP Model--Pictorial graph of memory utilization classified by AP models.
- FW Version--Pictorial graph of memory utilization classified by AP firmware versions.

Click the number displayed on the Access Point card to view a detailed description of the impacted access points:

- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP.
- AP Serial--Serial number of the AP.
- Firmware--Version of the firmware running on each AP.
- Model--Model number of each AP.
- Site--Name of the site where the AP resides.
- Time (min)--Time range of high memory utilization on each AP.
- Max Memory (%)--Percentage of high memory utilization on each AP.

Clients with High Roaming Latency

The Clients experienced high latency while roaming insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides reports on wireless clients that have experienced long roam times to the target AP. The threshold to detect a delayed and long client roam is set to 50 ms. If you access this insight from the global, site, or client context, all the data and analysis patterns are perceived from the target AP issues. When you access this insight from the device context, data is received from the home AP issues. Clients experienced high latency while roaming is categorized under connectivity since it helps network administrators take necessary actions if any clients experience long delays when roaming between APs.
This insight displays the following information:

- Time Series Graph
- Cards

Time Series Graph

The time series graph displays the total number of roams and the percentage of high latency roams that occurred in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number and percentage of roams.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 80: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device
Roam | Global, Site, Device, Client

Site

Lists the number of sites where the clients have experienced high roaming latency in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- High Latency Roams (%)--Number and percentage of high latency roams in each site.
- Impacted Clients Count--Number of clients impacted with high roaming latency in each site.

Access Point

Lists the number and details of APs where the clients have experienced high roaming latency. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list, to view the following:

- Model--Pictorial graph of high roaming latency classified by AP models.
- FW Version--Pictorial graph of high roaming latency classified by AP firmware versions.

Click the number displayed on the Access Point card to view a detailed description of the impacted access points:

- AP Name--Name of the access points and link to the specific insight at the AP context.
- Serial--Serial number of the AP.
- High Latency Roams (%)--Number and percentage of high latency roams in each AP.
- Clients From--Number of clients that roamed in each AP.
- Latency (min/avg/max) msec--The minimum, average, and maximum latency that occurred in each AP.
- AP MAC--MAC address of the impacted AP and link to the specific insight at the AP context.
- IP--IP address of the impacted AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

Client

Lists the MAC Address, name, host name, auth ID, and the number of clients that have experienced high roaming latency. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:

- Client Name--Name of the impacted clients and link to the specific insight at the client context.
- Client MAC--MAC address of the impacted client and link to the specific insight at the client context.
- High Latency Roams (%)--Number and percentage of high latency roams in each client.
- Top AP--AP where the client roamed maximum as compared to other APs in the network.

Roam

Displays the percentage of client latency roams in the network. This card includes the raw telemetry feed sorted based on latency at each context. Click the arrow to expand the Roam card and click the drop-down list, to view the following:

- Latency--Pictorial graph of latency versus concurrences. Click to expand the latency data.
- Band--Pictorial graph of clients roaming trends between 2.4 GHz and 5 GHz.

Click the number displayed on the Roam card, to view a detailed description of the impacted clients:

- Timestamp--Timestamp of the event received.
- Latency (msec)--Latency value in milliseconds per client.
- Client Name--Name of the roaming client and link to the specific insight at the client context.
- Client MAC--MAC Address of the roaming client and link to the specific insight at the client context.
- From AP Name--Name of the home AP from where the client roamed to the target AP.
- To AP Name--Name of the target AP to where the client roamed from the home AP.
- From Channel--Number of channel the client roamed from.
- Roaming Type--Type of the roam that occurred in each client.
- From AP MAC--MAC address of the home AP from where the client roamed to the target AP.
- From AP Serial--Serial number of the home AP from where the client roamed to the target AP.
- To AP MAC--MAC address of the target AP to where the client roamed from the home AP.
- To AP Serial--Serial number of the target AP to where the client roamed from the home AP.
- RSSI (dBm)--Received Signal Strength Indicator (RSSI) value of the client.
- To Channel--Number of channels the client roamed to.

Clients with Low SNR Minutes

The Clients had a significant number of Low SNR minutes insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information about access points that have a low-quality signal-strength connection and is categorized under wireless quality as the clients connecting at a Low SNR have low throughput and high retransmissions. This insight displays the following information:

- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:

- Reason--Displays the possible causes for which the APs experience low-quality SNR connection in the network.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.

Time Series Graph

The time series graph displays the number of clients with low SNR uplink AP during the selected time period. You can hover your mouse on each bar graph to see the number of SNR links.

Cards

The cards vary based on the context that you access the insight from.
Click one of the cards to view further details:

Table 81: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device
RF Info | Global, Site, Device

Site

Lists the number of sites where the APs and clients experience low signal connection. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- APs with Low SNR--Number of APs with low signal connection.
- Clients with Low SNR--Number of clients with low signal connection.
- Uplink Minutes of Low SNR--Duration of uplink with low signal connection in each site.
- Downlink Minutes of Low SNR--Duration of downlink with low signal connection in each site.

Access Point

Lists the number and details of APs that experience low signal connection in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list, to view the following:

- TX Power--Pictorial graph of the percentage of Tx Power distribution (dBm) in both the 2.4 GHz and 5 GHz band during the time it is transmitting signal to the client.

Click the number displayed on the Access Point card to view a detailed description of the impacted access points:

- AP Name--Name of the access points and link to the Access Point Details page.
- AP MAC--MAC address of the AP and link to the Access Point Details page.
- Serial--Serial number of the AP.
- AP Model--Model number of each AP.
- Clients--Number of clients that experience low signal connection in each AP.
- Uplink Low SNR (Total|2.4 GHz|5 GHz|min)--Duration of uplink with low signal minutes in both bands during the time it is transmitting signal to the AP.
- Downlink Low SNR (Total|2.4 GHz|5 GHz|min)--Duration of downlink with low signal connection in both the bands during the time it is transmitting signal to the AP.

Client

Lists the MAC Address, name, host name, auth ID, and the number of clients experiencing low signal quality. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the Client drop-down list, to view the following:

- Client Type--Pictorial graph of the number and percentage of low SNR clients classified by vendors.

Click the number displayed on the Client card, to view a detailed description of the impacted clients:

- Client Name--Number of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Type--Device type of the client.
- Uplink Minutes of Low SNR--Duration of uplink with low signal connection in each client.
- Uplink Low SNR (Total|2.4 GHz|5 GHz|min)--Duration of uplink with low signal minutes in both bands during the time it is transmitting signal to the AP.
- Downlink Low SNR (Total|2.4 GHz|5 GHz|min)--Duration of downlink with low signal connection in both the bands during the time it is transmitting signal to the AP.
- Site--Name of the site where the client resides.

RF Info

Number of channels impacted by low-quality signal-strength connection in the network. Click the arrow to view the pictorial graph of the impacted band. Click the RF Info drop-down list to view the following:

- Band--Pictorial graph of devices experiencing a low signal-quality link using 2.4 GHz or 5 GHz radio bands.
- Good vs Bad--Pictorial graph of the amount of time (minutes) with Low SNR (Bad) and High SNR (Good) for all the clients.

Click the number displayed on the RF Info card to view a detailed description of the impacted channels:

- Band--Number of channel changes between 2.4 GHz and 5 GHz.
- Time (min)--Number of power changes.
Clients with High MAC Authentication Failures

The Clients had an unusual number of MAC authentication failures insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive MAC authentication failures observed in the network and is categorized under connectivity as the users are unable to connect to the Wi-Fi network. It also helps identify the rogue users in a network. This insight displays the following information:

- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:

- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph

The time series graph displays the number of MAC authentication failures that occurred during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 82: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device

Site

Lists the number of sites that experienced MAC authentication failures in the network. Click the arrow to view a pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Failures--Number of failures that occurred in each site.
- Total--Total number of MAC authentications in each site.

Access Point

Lists the number and the details of APs that faced the MAC authentication failures in the network.
Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:

- SSID--Pictorial graph of the percentage of MAC authentication failures sorted by SSIDs.
- Model--Pictorial graph of the percentage of MAC authentication failures sorted by AP models.
- FW Version--Pictorial graph of the percentage of MAC authentication failures sorted by AP firmware version.

Click the number displayed on the Access Point card, to view the detailed description of the impacted access points:

- AP Name--Name of the access points and link to the specific insight at the AP context.
- MAC--MAC address of the access point and link to the specific insight at the AP context.
- Failures--Number of failures that occurred in each AP.
- Total--Total number of MAC authentications in each AP.
- Serial--Serial number of the AP.
- IP--IP address of each AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

Client

Lists the MAC address, name, host name, and auth ID of clients that failed MAC authentication. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:

- Name--Name of the impacted client and link to the specific insight at the client context.
- MAC--MAC address of the client and link to the specific insight at the client context.
- Failures--Number of failures that occurred in each client.
- Client OS--OS type of the device.

Clients with DHCP Server Connection Problems

The Clients had DHCP server connection problems insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive client to AP DHCP failures observed in the network.
This insight occurs when Wi-Fi clients attempt to acquire a DHCP IP address multiple times but fail to do so. This insight is categorized under connectivity since the users fail to get an IP address and are unable to connect to the Wi-Fi network. It displays the following information:

- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:

- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph

The time series graph displays the number of DHCP failures that occurred during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 83: Cards Context

Cards | Context
Site | Global
Server | Global, Site, Device, Client
Access Point | Global, Site, Client
Client | Global, Site, Device

Site

Lists the number of sites that experience DHCP server connection problems in the network. Click the arrow to view a pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Failures--Number and percentage of failures that occurred in each site.
- Total--Total number of DHCP requests.

Server

Lists the number of DHCP servers involved in this insight. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Server card, to view a detailed description of the impacted servers:

- Server IP--IP address of the server impacted by this insight.
- Failures--Number of failures that occurred in each server.
- Total--Total number of DHCP requests.

Access Point

Lists the number and the details of the DHCP server connection problems observed in an AP. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:

- SSID--Pictorial graph of the percentage of DHCP failures sorted by SSIDs.
- Model--Pictorial graph of the percentage of DHCP failures sorted by AP models.
- FW Version--Pictorial graph of the percentage of DHCP failures sorted by AP firmware version.

Click the number displayed on the Access Point card, to view the detailed description of the impacted access points:

- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Failures--Number and percentage of failures that occurred in each AP.
- Total--Total number of DHCP requests.
- Serial--Serial number of the AP.
- IP--IP address of each AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Site name of the AP where the failure occurred.

Client

Lists the MAC address, host name, and auth ID of clients that failed DHCP handshake. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:

- Client Name--Name of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Failures--Number of failures that occurred in each client.
- Total--Total number of DHCP requests.
- Client OS--OS type of the device.
Clients with High 802.1X Authentication Failures

The Clients had excessive 802.1x authentication failures insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive 802.1X authentication failures observed in the network. It is categorized under connectivity since the users are unable to connect to the Wi-Fi network. This insight displays the following information:

- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:

- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph

The time series graph displays the number of 802.1X authentication failures observed in the network during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 84: Cards Context

Cards | Context
Site | Global
Server | Global, Site, Device, Client
Access Point | Global, Site, Client
Client | Global, Site, Device

Site

Lists the number of sites that experienced 802.1X authentication failures in the network. Click the arrow to view a pictorial graph with the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Failures--Number and percentage of failures that occurred in each site.
- Total--Total number of 802.1X authentications in each site.

Server

Lists the number of servers that failed 802.1X authentication in the network.
Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Server card, to view a detailed description of the impacted servers:

- Server IP--IP address of each server.
- Failures--Number of 802.1X authentication failures in each server.
- Total--Total number of 802.1X authentications.

Access Point

Lists the number and the details of APs that failed 802.1X authentication in the network. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:

- SSID--Pictorial graph of the percentage of 802.1X authentication failures sorted by SSIDs.
- Model--Pictorial graph of the percentage of 802.1X authentication failures sorted by AP models.
- FW Version--Pictorial graph of the percentage of 802.1X authentication failures sorted by AP firmware version.

Click the number displayed on the Access Point card, to view the detailed description of the impacted access points:

- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Failures--Number and percentage of failures that occurred in each AP.
- Total--Total number of failures in each AP.
- Serial--Serial number of the AP.
- IP--IP address of the AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

Client

Lists the MAC address, name, host name, and auth ID of clients that failed 802.1X authentication. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:

- Client Name--Name of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Failures--Number and percentage of failures that occurred in each client.
- Total--Total number of failures in each client.
- Client OS--OS type of the device.

Clients with High Wi-Fi Security Key-Exchange Failures

The Clients had excessive Wi-Fi security key-exchange failures insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive Wi-Fi security key-exchange failures observed in the network. When this failure occurs, users connecting to Wi-Fi using PSK or 802.1x authentication experience higher EAPOL Key exchange failures. This insight is categorized under connectivity since the users are unable to connect to the Wi-Fi network. This insight displays the following information:

- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:

- Reason--Displays the possible causes of Wi-Fi security key-exchange failure in the network.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph

The time series graph displays the number of Wi-Fi security key-exchange failures that occurred in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number of failures. The following graph shows data trend for 3 hours in a day.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 85: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device

Site

Lists the number of sites that experienced excessive Wi-Fi security key-exchange failures in the network. Click the arrow to view the pictorial graph of the Most Impacted sites.
Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Failures--Number and percentage of failures that occurred in each site.
- Total--Total number of failures in each site.

Access Point

Lists the number of APs that experienced Wi-Fi security key-exchange failures in the network. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list, to view the following:

- SSID--Pictorial graph of 4-way handshake authentication failures sorted by SSIDs.
- Model--Pictorial graph of 4-way handshake failures classified by AP models.
- FW Version--Pictorial graph of 4-way handshake failures classified by AP firmware versions.

Click the number displayed on the Access Point card to view a detailed description of the impacted access points:

- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Failures--Number and percentage of failures that occurred in each AP.
- Total--Total number of failures in each AP.
- Serial--Serial number of the AP.
- IP--IP address of the AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

Client

Lists the MAC Address, name, host name, and auth ID of clients that failed Wi-Fi security key-exchange authentication. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:

- Client Name--Name of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Failures--Number and percentage of failures that occurred in each client.
- Total--Total number of failures in each client.
- Client OS--OS type of the device.

Clients with Captive Portal Authentication Problems

The Clients had problems authenticating with the Captive Portal insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on captive portal failures observed in the network. It is categorized under connectivity since the users are unable to connect to the Wi-Fi network. This insight displays the following information:

- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:

- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph

The time series graph displays the number of client captive portal failures observed in the network during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 86: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device

Site

Lists the number of sites that experienced captive portal failures in the network. Click the arrow to view a pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site impacted by the insight.
- Failures--Number and percentage of failures that occurred in each site.
- Total--Total number of captive portal authentications in each site.
Access Point

Lists the number and the details of APs that failed captive portal authentication in the network. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:

- SSID--Pictorial graph of the percentage of captive portal authentication failures sorted by SSIDs.
- Model--Pictorial graph of the percentage of captive portal authentication failures sorted by AP models.
- FW Version--Pictorial graph of the percentage of captive portal authentication failures sorted by AP firmware version.

Click the number displayed on the Access Point card, to view the detailed description of the impacted access points:

- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Failures--Number and percentage of failures that occurred in each AP.
- Total--Total number of failures in each AP.
- Serial--Serial number of the AP.
- IP--IP address of the AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

Client

Lists the MAC address, name, host name, and auth ID of clients that failed captive portal authentication. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:

- Client Name--Name of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Failures--Number and percentage of failures that occurred in each client.
- Total--Total number of failures in each client.
- Client OS--OS type of the device.

Clients with High Number of Wi-Fi Association Failures

The Clients had a high number of Wi-Fi Association failures insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on Wi-Fi association failures observed in the network. It is categorized under connectivity since the users are unable to connect to the Wi-Fi network. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph

The time series graph displays the number of association failures observed in the network during the selected time period. You can hover your mouse over each bar graph to see the exact number of failures.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 87: Cards Context
Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device

Site

Lists the number of sites that experienced association authentication failures in the network. Click the arrow to view a pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Failures--Number and percentage of failures that occurred in each site.
- Total--Total number of association failures in each site.

Access Point

Lists the number and the details of APs that experienced association failures in the network. Click the arrow to view a pictorial graph of the Most Impacted access points.
Click the Access Point drop-down list to view the following:
- SSID--Pictorial graph of the percentage of association failures sorted by SSIDs.
- Model--Pictorial graph of the percentage of association failures sorted by AP models.
- FW Version--Pictorial graph of the percentage of association failures sorted by AP firmware version.

Click the number displayed on the Access Point card, to view the detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- Failures--Number and percentage of failures that occurred in each AP.
- Total--Total number of failures in each AP.
- Serial--Serial number of the AP.
- IP--IP address of the AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

Client

Lists the MAC address, name, host name, and auth ID of clients that experienced association failures in the network. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Name of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Failures--Number and percentage of failures that occurred in each client.
- Total--Total number of failures in each client.
- Client OS--OS type of the device.

Clients who Roamed Excessively

The Clients roamed excessively insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides reports on wireless clients that roam to the target APs more than normal from the home AP.
This insight is categorized under connectivity since this helps to reduce the frequency of roaming clients in the customer network. It also helps network administrators to eliminate anonymous users and deploy additional access points in case the users get affected due to poor network performance. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph

The time series graph displays the total number of roams and the percentage of excessive roams that occurred in the network during the selected time period. You can hover your mouse on each bar graph to see the exact number and percentage of roams.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 88: Cards Context
Cards | Context
Site | Global
Access Point | Global, Site, Client
Client | Global, Site, Device

Site

Lists the number of sites where the clients have experienced excessive roams in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Impacted Clients (%)--Number and percentage of clients impacted with excessive roaming in each site.

Access Point

Lists the number and details of APs where the clients have experienced excessive roams. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list, to view the following:
- Model--Pictorial graph of excessive roams classified by AP models.
- FW Version--Pictorial graph of excessive roams classified by AP firmware versions.

Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- From AP--The AP name from where the client roamed excessively.
- Impacted Clients (%)--Clients impacted by excessive roams in each AP.
- AP MAC--MAC address of the APs and link to the specific insight at the AP context.
- Serial--Serial number of the AP.
- IP--IP address of each AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

Client

Lists the MAC address, name, host name, auth ID, and the number of clients that have experienced high roaming latency. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Name of the clients impacted by the insight and link to the specific insight at the client context.
- Client MAC--MAC address of the client impacted by the insight and link to the specific insight at the client context.
- Excessive Roams--Number of excessive roams for each client.
- Delayed Roams--Number of delayed roams by the client.
- Top AP--AP where the client roamed the most as compared to other APs in the network.

Coverage Holes Identified

The Coverage Hole detected insight can be accessed only at the Global context. This insight determines the connection status of Wi-Fi clients with the APs due to poor Wi-Fi coverage. Machine learning determines when a relatively large proportion of the client minutes consistently have low SNR links. The exact location of the coverage hole can be identified from the location of the clients listed with poor coverage and implies that there is a need to deploy one more AP which will avoid the low SNR clients in the network. Coverage Hole detected is categorized under wireless quality since the clients in coverage holes have poor or intermittent Wi-Fi connectivity causing loss of productivity.
This insight displays the following information:
- Insight Summary
- Cards

Insight Summary

The insight summary provides the following details:
- Reason--Displays the possible causes for which the clients experience poor Wi-Fi coverage in the network.
- Recommendation--Displays the recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 89: Cards Context
Cards | Context
Site | Global
Access Point | Global
Client | Global

Site

Lists the sites where the clients experience poor Wi-Fi coverage in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Clients--Number of clients that experience coverage hole in each site.
- Coverage Holes--Total number of clients that need to be deployed in the network due to coverage holes.

Access Point

Lists the number and details of APs which have clients with poor connections due to a coverage hole in the network. This is measured by the amount of time the client experiences poor vs good connectivity. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the Access Point drop-down list, to view the following:
- Most Impacted by Low Uplink SNR--Pictorial graph of APs most impacted by low uplink SNR.
- Most Impacted by Low 5 GHz Downlink SNR--Pictorial graph of APs most impacted by low 5 GHz downlink SNR.
- Most Impacted by Low 2.4 GHz Downlink SNR--Pictorial graph of APs most impacted by low 2.4 GHz downlink SNR.

Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of each AP and link to the specific insight at the AP context.
- Impacted (Time)--Time range of the coverage hole detected in each AP.
- Clients--Number of clients with poor Wi-Fi coverage in each AP.
- Coverage Hole Type--The type of coverage hole detected in each AP.
- AP Serial--Serial number of each AP.
- Firmware--Version of the firmware running on each AP.
- Model--Model number of each AP.

Client

Lists the MAC address, name, host name, auth ID, and the number of connected clients affected by poor connections determined by the total number of minutes spent in the coverage hole. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the Client drop-down list, to view the following:
- Low Uplink SNR Minutes--Pictorial graph of clients most impacted by low uplink SNR minutes.
- Low 5 GHz Downlink SNR--Pictorial graph of clients most impacted by low 5 GHz downlink SNR.
- Low 2.4 GHz Downlink SNR--Pictorial graph of clients most impacted by low 2.4 GHz downlink SNR.

Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Name of the client and link to the specific insight at the client context.
- Client MAC--MAC address of the client and link to the specific insight at the client context.
- Impacted (Time)--Time range of the coverage hole detected in each client.
- Client OS--Operating system of the client.
- Average SNR (dB)--Average SNR of the client on the AP.
- Coverage Hole Type--The type of coverage hole detected in each AP.

Dual-band (2.4/5 GHz) Clients Primarily using 2.4 GHz

The Dual-band (2.4/5 GHz) capable clients primarily used 2.4 GHz insight can be accessed from the Global, Site, Access Points, and Clients context.
This insight provides reports on dual-band capable clients that spent more airtime on the 2.4 GHz band instead of the 5 GHz band. Dual-band (2.4/5 GHz) capable clients primarily used 2.4 GHz is categorized under wireless quality since the 2.4 GHz band has more interference, more clients, and less bandwidth capabilities than the 5 GHz band. Dual-band clients have a better user experience when they are on the 5 GHz band. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:
- Reason--Displays the possible causes for which the client is excessively dwelling in the 2.4 GHz band in the network.
- Recommendation--Displays the recommendation against each cause to resolve the same.

Time Series Graph

The time series graph displays the percentage of clients over dwelling in the 2.4 GHz band in the network during the selected time period. You can hover your mouse on each bar graph to see the exact percentage of the dwelling time.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 90: Cards Context
Cards | Context
Site | Global
Access Point | Global, Site
Client | Global, Site, Device

Site

Lists the number of sites where the clients are dwelling excessively in the 2.4 GHz band. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Clients Impacted--Number of clients in each site that are excessively dwelling in the 2.4 GHz band.
- APs Impacted--Number of APs impacted by the insight in each site.

Access Point

Lists the number and details of APs where the clients are dwelling excessively in the 2.4 GHz band.
Click the arrow to view the pictorial graph of the Most Impacted access points. Click the number displayed on the Access Point card to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP.
- Serial--Serial number of the AP.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.
- Total Clients--Total number of clients connected to each AP.
- Clients (%)--Number of clients that are dwelling excessively on the 2.4 GHz band.

Client

Lists the MAC address, name, host name, auth ID, and the corresponding percentage of time spent for each client in the radio bands. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the Client drop-down list, to view the following:
- Client Type--Pictorial graph of the percent of clients dwelling in the 2.4 GHz band sorted by client device type.

Click the number displayed on the Client card, to view a detailed description of the impacted clients:
- Client Name--Name of the client impacted by the insight.
- Client MAC--MAC address of the client impacted by the insight and link to the specific insight at the client context.
- Device Type--Clients dwelling in the 2.4 GHz band sorted by client device type.
- Site--Name of the site where the client resides.
- 2.4 GHz Dwell (min, %)--Duration and percentage of time of each client dwelling in the 2.4 GHz band.
- 5 GHz Dwell (min, %)--Duration and percentage of time of each client dwelling in the 5 GHz band.
- Total Dwell Minutes--Total duration of each client dwelling on both the bands.

Delayed DNS Request or Response

The DNS request/responses were significantly delayed insight can be accessed from the Global, Site, Access Points, and Clients context.
This insight provides information on significant delays in response from the DNS servers. It is categorized under connectivity since there is a high delay in response from the DNS server. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph

The time series graph displays the number of delays from the DNS server that occurred during the selected time. You can hover your mouse on each bar graph to see the exact number of delays.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 91: Cards Context
Cards | Context
Site | Global
Server | Global, Site, Device
Access Point | Global, Site

Site

Lists the number of sites that experience delays from the DNS server in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Min (ms)--Packet latency (delay) is measured. The lowest value of delay in the measurement interval is the minimum response delay.
- Avg (ms)--Packet latency (delay) is measured. The average value of delay in the measurement interval is the average response delay.
- Max (ms)--Packet latency (delay) is measured. The maximum value of delay in the measurement interval is the maximum response delay.

Server

Lists the number of DNS servers that are impacted by this insight. Click the arrow to view the pictorial graph of the Most Impacted servers. Click the number displayed on the Server card, to view a detailed description of the impacted servers:
- Server IP--IP address of each server.
- Avg (ms)--Packet latency (delay) is measured. The average value of delay in the measurement interval is the average response delay.
- Min (ms)--Packet latency (delay) is measured.
The lowest value of delay in the measurement interval is the minimum response delay.
- Max (ms)--Packet latency (delay) is measured. The maximum value of delay in the measurement interval is the maximum response delay.

Access Point

Lists the number and details of APs that have the most DNS response delays. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- AP Serial--Serial number of the AP.
- Avg (ms)--Packet latency (delay) is measured. The average value of delay in the measurement interval is the average response delay.
- Min (ms)--Packet latency (delay) is measured. The lowest value of delay in the measurement interval is the minimum response delay.
- Max (ms)--Packet latency (delay) is measured. The maximum value of delay in the measurement interval is the maximum response delay.
- Servers--Server ID where the AP resides.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

DNS Servers Rejected High Number of Queries

The DNS server(s) rejected a high number of queries insight can be accessed from the Global, Site, Access Points, and Clients context. This insight provides information on excessive request failures from the DNS servers. It is categorized under connectivity since there is a high number of request failures. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.
- Failures--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph

The time series graph displays the number of request failures from the DNS server that occurred during the selected time. You can hover your mouse on each bar graph to see the exact number of failures.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 92: Cards Context
Cards | Context
Site | Global
Server | Global, Site, Device
Access Point | Global, Site

Site

Lists the number of sites that experience request failures from the DNS server in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Total Failures(%)--Total number of failure packets at the site multiplied by 100.
- Query Attempts--Number of query attempts sent to the DNS server in a site.
- Query Success(%)--Percentage of successful DNS queries in a site.
- Query Format Error--Error in the DNS query format sent to the DNS server in a site.
- Request Failed to Complete--DNS request failed to complete, and the server responds with an error code.
- Domain Name Does Not Exist--Domain name sent to the DNS server does not exist and the server responds with an error code.
- Function Not Implemented--Function is not implemented on the DNS server and the server responds with an error code.
- Server Refused to Answer Query--Server refused to answer the query and responds with an error code.

Server

Lists the number of servers that have the highest number of DNS request rejections. Click the arrow to view the pictorial graph of the Most Impacted servers.
Click the number displayed on the Server card, to view a detailed description of the impacted servers:
- Server IP--IP address of each server.
- Total Failures(%)--Total number and percentage of failure packets at the site multiplied by 100.
- Query Attempts--Number of query attempts sent to the DNS server.
- Query Success(%)--Percentage of successful DNS queries.
- Query Format Error--Error in the DNS query format sent to the DNS server in a site.
- Request Failed to Complete--DNS request failed to complete, and the server responds with an error code.
- Domain Name Does Not Exist--Domain name sent to the DNS server does not exist and the server responds with an error code.
- Function Not Implemented--Function is not implemented on the DNS server and the server responds with an error code.
- Server Refused to Answer Query--Server refused to answer the query and responds with an error code.

Access Point

Lists the number and details of access points that have the highest number of DNS request rejections. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:
- Success Rate--Graphical representation of the total failures and total successful requests that occurred at the server.

Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:
- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- AP Serial--Serial number of the AP.
- Total Failures(%)--Total number and percentage of failure packets at the site multiplied by 100.
- Query Attempts--Number of query attempts sent to the DNS server in each AP.
- Query Success(%)--Percentage of successful DNS queries in each AP.
- Query Format Error--Error in the DNS query format sent to the DNS server in each AP.
- Request Failed to Complete--DNS request failed to complete, and the server responds with an error code.
- Domain Name Does Not Exist--Domain name sent to the DNS server does not exist and the server responds with an error code.
- Function Not Implemented--Function is not implemented on the DNS server and the server responds with an error code.
- Server Refused to Answer Query--Server refused to answer the query and responds with an error code.
- Site--Name of the site where the AP resides.

Gateways with High Memory Usage

The Gateways had high Memory usage insight can be accessed from the Global, Site, and Gateways context. This insight provides information about gateways that have higher than normal memory utilization. It is categorized under availability since the clients connected to these gateways experience intermittent connectivity drops. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph

The time series graph displays the percentage of impacted gateways in the network during the selected time period. You can hover your mouse on each bar graph to see the percentage of impacted gateways.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 93: Cards Context
Cards | Context
Site | Global
Gateway | Global, Site
Memory | Device

Site

Lists the number of sites where the gateways experience high memory utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Number of Gateways--Number of gateways that experience high memory utilization in each site.
- Duration (mins)--Amount of time (minutes) high memory utilization observed in each site.

Gateway

Lists the number and details of gateways that experience high memory utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted gateways. Click the Gateway drop-down list, to view the following:
- Gateway Model--Pictorial graph of memory utilization classified by gateway models.
- FW Version--Pictorial graph of memory utilization classified by gateway firmware versions.
- Mode--Operational mode of the gateway.

Click the number displayed on the Gateway card to view a detailed description of the impacted gateways:
- Serial--Serial number of each gateway and link to the specific insight at the gateway context.
- Gateway Name--Name of the gateway that experiences high memory utilization.
- Mode--Operational mode of the gateway.
- Max Memory--Maximum memory consumed by the gateway.
- Minutes with High Memory--Amount of time (minutes) high memory utilization observed in each gateway.
- Model--Model number of each gateway.
- FW Version--Version of the firmware running on each gateway.
- Site--Name of the site where the gateway resides.

Memory

Memory card is displayed only when this insight is accessed from the device context. Click the arrow to expand the card and view the graphical representation of the time series of memory utilization percentage in the selected gateway.

Gateways with High CPU Utilization

The Gateways had unusually high CPU utilization insight can be accessed from the Global, Site, and Gateways context. This insight provides information about gateways that have higher than normal CPU utilization. It is categorized under availability since the clients connected to these gateways experience intermittent connectivity drops. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph

The time series graph displays the percentage of impacted gateways in the network during the selected time period.
You can hover your mouse on each bar graph to see the percentage of impacted gateways.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 94: Cards Context
Cards | Context
Site | Global
Gateway | Global, Site
CPU | Device

Site

Lists the number of sites where the gateways experience high CPU utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Number of Gateways--Number of gateways that experience high CPU utilization in each site.
- Duration (mins)--Amount of time (minutes) high CPU utilization observed in each site.

Gateway

Lists the number and details of gateways that experience high CPU utilization in the network. Click the arrow to view the pictorial graph of the Most Impacted gateways. Click the Gateway drop-down list, to view the following:
- Gateway Model--Pictorial graph of CPU utilization classified by gateway models.
- FW Version--Pictorial graph of CPU utilization classified by gateway firmware versions.
- Mode--Operational mode of the gateway.

Click the number displayed on the Gateway card to view a detailed description of the impacted gateways:
- Serial--Serial number of each gateway and link to the specific insight at the gateway context.
- Gateway Name--Name of the gateway that experiences high CPU utilization.
- Mode--Operational mode of the gateway.
- Max CPU--Rate of maximum CPU utilization observed in each gateway.
- Minutes with High CPU--Amount of time (minutes) high CPU utilization observed in each gateway.
- Model--The hardware model of each gateway.
- FW Version--Version of the firmware running on each gateway.
- Site--Name of the site where the gateway resides.

CPU

CPU card is displayed only when this insight is accessed from the device context. Click the arrow to expand the card and view the graphical representation of the time series of CPU utilization percentage in the selected gateway.

Failure to Establish Gateway Tunnels

The Gateway tunnels failed to get established insight can be accessed from the Global, Site, and Gateways context. This insight provides information about gateway tunnels that are marked down in the network. It is categorized under availability since the clients connected to these gateways experience connectivity drops. Gateway Tunnels Down insight is available for branch and VPNC gateways in the network. Tunnels are marked down in the network based on the following scenarios:
- If Aruba Central receives telemetry from branch gateway that a specific tunnel is down
- If Aruba Central receives telemetry from the VPNC that a specific tunnel is down
- Lack of telemetry from both branch and VPNC gateway

This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:
- Reason--Displays the possible causes for tunnel down in the network.
- Minutes Down--Displays the exact number and percentage of tunnel down that occurred against each failure reason.

Time Series Graph

The time series graph displays the percentage and number of tunnels down in the network during the selected time period. You can hover your mouse on each bar graph to see the exact percentage of tunnels down.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 95: Cards Context
Cards | Context
Site | Global
Gateway | Global, Site
VPNC | Global, Site, Device
Tunnel | Global, Site, Device

Site

Lists the number of sites where the gateways experience tunnel down.
Click the arrow to expand the card and click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight.
- Number of Down Tunnels--Number of tunnels down in each site that experience high memory utilization in each site.
- Total Tunnels--Total number of gateway tunnels in each site.
- Number of Impacted Gateways--Number of gateways impacted by tunnel down in each site.
- Number of Impacted VPNC--Number of VPNC gateways that experience tunnel down in each site.

Gateway

Lists the number and the reason for the cause of tunnel down in gateways. Click the arrow to expand the card and click the number displayed on the Gateway card to view a detailed description of the impacted gateways:
- Serial--Serial number of each gateway and link to the Gateway Details page.
- Gateway Name--Name of the gateway that experiences tunnel down.
- Mode--Operational mode of the gateway.
- Number of Tunnels--Number of tunnels down in each gateway.
- Total Tunnels--Total number of tunnels in each gateway.
- Duration (mins)--Time range of tunnel down in each gateway.
- Model--The hardware model number of the gateway.
- FW Version--Version of the firmware running on each gateway.
- Site--Name of the site where the gateway resides.

VPNC

Displays the total number of VPNC gateways experiencing tunnel down. Click the arrow to expand the card and view the amount of time (minutes) and the reasons for the cause of down tunnels on the VPNC gateways. Click the number displayed on the VPNC card to view a detailed description of the impacted VPNC gateways:
- Serial--Serial number of each gateway and link to the specific insight at the gateway context.
- Gateway Name--Name of the gateway that experiences tunnel down.
- Mode--Operation mode of the VPNC.
- Total Number of Tunnels Down--Number of tunnels down in each gateway.
- Total Number of Tunnels--Number of tunnels down in each gateway.
- Number of Gateways--Number of gateways impacted by tunnel down.
- Number of Sites--Number of sites impacted by tunnel down.
- Duration (mins)--Time range of tunnel down in each gateway.
- Model--The hardware model number of the gateway.
- FW Version--Version of the firmware running on each gateway.
- Site--Name of the site where the gateway resides.

Tunnel

Displays the total number of gateways experiencing tunnel down. Click the arrow to expand the card to view the amount of time (minutes) and the reasons for the cause of tunnel down in the network. Click the number displayed on the Tunnel card to view a detailed description of the impacted tunnels:

- Site--Name of the site where the tunnel resides and link to the specific insight at the site context.
- Gateway IP--IP address of the impacted gateway.
- VPNC IP--IP address of the impacted VPNC gateway.
- Duration (mins)--Time range of tunnel down.
- Gateway VLAN--VLAN ID of the gateway.
- VPNC VLAN--VLAN ID of the VPNC.
- Gateway Name--Name of the gateway where the tunnel is down.
- Gateway MAC--MAC address of the impacted gateway.
- VPNC Name--Name of the VPNC gateway where the tunnel is down.
- VPNC MAC--MAC address of the impacted VPNC gateway.
- Gateway Serial--Serial number of the gateway and link to the specific insight at the gateway context.
- VPNC Serial--Serial number of VPNC gateway.

DNS Queries Failed to Reach or Return from the Server

The DNS queries failed to reach or return from the server insight can be accessed from the Global, Site, and Access Points context. This insight provides information about wireless APs that experience a higher than normal number of connection failures with the DNS server. It is categorized under connectivity since the wireless clients are unable to reach the destination URL.
This insight displays the following information:

- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:

- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the possible recommendation against each failure to resolve the same.

Time Series Graph

The time series graph displays the number of connection losses with the DNS server that occurred during the selected time. You can hover your mouse on each bar graph to see the exact number of losses.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 96: Cards Context

Cards | Context
Site | Global
Server | Global, Site, Device
Access Point | Global, Site

Site

Lists the number of sites that experience connection loss with the DNS server in the network. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Lost DNS Queries (%)--Total count of the DNS packets that get lost in the network. DNS server does not receive these packets.
- Total Queries--Total number of successful DNS queries, denied DNS queries, and lost queries in the DNS server.

Server

Lists the number of servers that have higher number of DNS connection failures in the network. Click the arrow to view the pictorial graph of the Most Impacted servers. Click the number displayed on the Server card, to view a detailed description of the impacted servers:

- Server IP--IP address of each server.
- Lost DNS Queries (%)--Total count of the DNS packets that get lost in the network. DNS server does not receive these packets.
- Total Queries--Total number of successful DNS queries, denied DNS queries, and lost queries in the DNS server.

Access Point

Lists the number and details of APs that have higher number of DNS connection failures in the network. Click the arrow to view a pictorial graph of the Most Impacted access points. Click the Access Point drop-down list to view the following:

- Success Rate--Graphical representation of the total failures and total successful requests that occurred at the AP.

Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:

- AP Name--Name of the access points and link to the specific insight at the AP context.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- AP Serial--Serial number of the AP.
- Lost DNS Queries (%)--Total count of the DNS packets that get lost in the network. DNS server does not receive these packets.
- Total Queries--Total number of successful DNS queries, denied DNS queries, and lost queries in the DNS server.
- Model--Model number of each AP.
- FW Version--Version of the firmware running on each AP.
- Site--Name of the site where the AP resides.

Telemetry Information not Received from APs or Radios

The Information (telemetry) was not received from APs/Radios insight can be accessed from the Global, Site, and Access Points context. This insight provides information about AP radios that missed sending telemetry data to Aruba Central, and is categorized under availability since AI insights loses visibility of the APs. This insight displays the following information:

- Time Series Graph
- Cards

Time Series Graph

The time series graph displays the number of 2.4 GHz and 5 GHz radios that failed to send telemetry data during the selected time period. You can hover your mouse over each bar graph to see the exact number of missing radios.

Cards

The cards vary based on the context that you access the insight from.
Click one of the cards to view further details:

Table 97: Cards Context

Cards | Context
Site | Global
Access Point | Global, Site

Site

Lists the number of sites where the APs experience missing telemetry. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Radios Impacted--Number of radio channels that missed telemetry data.
- Minutes Missing--Time range of missing telemetry in each site.
- Hours Missing--Hourly data of the missing telemetry in each site.

Access Point

Lists the number and details of APs that experience missing telemetry. Click the arrow to view the pictorial graph of the Most Impacted access points. Click the number displayed on the Access Point card, to view a detailed description of the impacted access points:

- AP Name--Name of the access points and link to the specific insight at the AP context.
- Total Time (HH:MM)--Total time range (minutes/hours) of missing telemetry in both 2.4 GHz and 5 GHz bands.
- 2.4 GHz Time (HH:MM, %)--Time range (minutes/hours) and percentage of missing telemetry in 2.4 GHz band.
- 5 GHz Time (HH:MM,%)--Time range (minutes/hours) and percentage of missing telemetry in 5 GHz band.
- AP MAC--MAC address of the AP and link to the specific insight at the AP context.
- AP Serial--Serial number of the AP.
- Firmware--Version of the firmware running on each AP.
- Model--Model number of each AP.
- Site--Name of the site where the AP resides.

Outdoor Clients Impacting Wi-Fi Performance

The Outdoor clients are impacting Wi-Fi performance insight is used to understand which outdoor clients are affecting the performance of the indoor AP. This insight can be accessed only at the Global context, and is triggered when the probe SNR threshold is not set optimally.
This insight is categorized under wireless quality as low SNR clients (outdoor) experience poor Wi-Fi connectivity, which in turn affects other indoor clients. This insight provides information about the optimum probe/auth SNR threshold value per AP and per SSID. It also provides the recommended configuration value for probe/auth SNR threshold below which APs ignore probe requests and authentication requests from outdoor clients.

Important Points to Note

- The outdoor clients are located far from the AP having low SNR value, whereas the indoor clients are located near the AP having high SNR value.
- Ensure that the SNR threshold value is set between 8 dBm and 16 dBm. If the value is set below 8 dBm, the system sets it back to 8 dBm. If the value is set above 16 dBm, the system sets it back to 16 dBm. If the value is set between +3 and -3, no specific recommendation is provided as there might be a few clients in the network.

This insight displays the following information:

- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:

- SSID--The list of SSIDs impacted by outdoor clients.
- Recommendation--Change the Probe SNR/RSSI threshold and the Auth SNR/RSSI threshold to the recommended value to improve the performance for the indoor Wi-Fi clients.

Time Series Graph

The time series graph displays the current and the recommended threshold (dBm) for each client type in the network. To rectify the issue, the Probe SNR threshold must be set to the recommended value. This frees up airtime and AP resources for indoor users. The following figure displays the SNR threshold graph based on the SSID selected from the drop-down list and contains the recommended SNR threshold value:

Figure 114 Sample Probe SNR Threshold Graph

The probe SNR threshold graph provides the following details:

- Outdoor--The number of outdoor minutes at that SNR.
- Indoor--The number of indoor minutes at that SNR.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 98: Cards Context

Cards | Context
Access Point | Global
Outdoor Clients | Global
Outdoor Minutes | Global

Access Point

Displays the details of APs that are impacted by outdoor clients. Click the arrow to view the pictorial graph of the Most Impacted access points. Select an SSID from the Access Point drop-down list to view the most impacted APs. Click the number displayed on the Access Point card, to view a detailed description of the impacted APs:

- AP Name--Name of the impacted AP and link to the specific insight at the AP context.
- SSID--The impacted SSID name.
- Low SNR Minutes--The duration for which the connected clients have low SNR value.
- Recommended Threshold--The recommended value of the Probe SNR/RSSI Threshold and Auth SNR/RSSI Threshold.
- Site--Name of the site where the AP resides.

Outdoor Clients

Lists the name, MAC address, duration, SSID, client OS, and site of clients below the proposed SNR threshold. Click the arrow to view the pictorial graph of the Most Impacted clients. Select an SSID from the Outdoor Clients drop-down list to view the most impacted clients. Click the number displayed on the Client card, to view a detailed description of the impacted clients:

- Client Name--Host name of the impacted client and link to the specific insight at the client context.
- Client MAC--MAC address of the impacted client and link to the specific insight at the client context.
- Duration (mins)--Number of minutes client was outside below the recommended Probe/Auth SNR threshold.
- SSID--The SSID impacted by outdoor clients.
- Client OS--OS type of the device.
- Site--Name of the site where the client resides.

Outdoor Minutes

Displays the percentage of avoided outdoor clients minutes and affected indoor client minutes in a chart.
Click the arrow to view a pictorial graph of the Most Impacted outdoor minutes. Click the number displayed on the Outdoor Minutes card, to view a detailed description of the impacted SSIDs:

- SSID--The impacted SSID name.
- Total Traffic (%)--The percentage of total traffic impacted.
- Current Authentication Threshold (min-max)--The minimum and maximum value of the current SNR/RSSI authentication threshold.
- Recommended Auth Threshold--The recommended value of the SNR/RSSI authentication threshold.
- Current Probe Threshold (min-max)--The minimum and maximum value of the current probe SNR/RSSI threshold.
- Recommended Probe Threshold--The recommended value of the probe SNR/RSSI threshold.
- Outdoor Minutes Rejected if recommendation is applied to all APs--The outdoor minutes that are rejected if recommendation is applied to all APs.
- Indoor Minutes sacrificed if recommendation is applied to all APs--The indoor minutes that are sacrificed if recommendation is applied to all APs.
- Outdoor Minutes Rejected if recommendation is applied to recommended subset of APs--The outdoor minutes that are rejected if recommendation is applied to recommended subset of APs.
- Indoor Minutes sacrificed if recommendation is applied to recommended subset of APs--The indoor minutes that are sacrificed if recommendation is applied to recommended subset of APs.

AOS-CX Switches with High CPU Utilization

The CX Switches had unusually high CPU utilization insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches experiencing higher than normal CPU utilization. It is categorized under availability since the impacted switches and the associated devices experience connectivity issues.
This insight displays the following information:

- Time Series Graph
- Cards

Time Series Graph

In Global and Site context the time series graph displays the count of switches experiencing high CPU utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing high CPU utilization during the selected time period.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 99: Cards Context

Cards | Context
Site | Global
Switch | Global, Site
CPU | Device

Site

Lists the number of sites where the switches experience high CPU utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Switches with High CPU--Number of switches experiencing high CPU utilization in each site.
- Minutes with High CPU--Amount of time (minutes) high CPU utilization observed in each site.

Switch

Lists the number of switches that experience high CPU utilization. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:

- Switch Model--Pictorial graph of the high CPU utilization sorted by switch models.
- FW Version--Pictorial graph of high CPU utilization sorted by switch firmware versions.

Click the number displayed on the Switch card to view a detailed description of the impacted switches:

- Switch Name--Name of the switch experiencing high CPU utilization and link to the specific insight at the switch context.
- Serial--Serial number of the switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Max CPU--Maximum utilization of the CPU in each switch.
- Minutes with High CPU--Time range of high CPU utilization on each switch.
- Model--Model number of each switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.

CPU

Lists the time series of CPU utilization percentage for a switch. Click the arrow to expand the card and view the graphical representation of the data in the selected switch. Click the number displayed on the CPU card to view a detailed description of the impacted switch:

- Switch Name--Name of the switch experiencing high memory utilization.
- Max CPU--Maximum utilization of the CPU in a specific switch.
- Total Metrics--Total metrics of the utilization.
- Percentage Metrics--Percentage metrics of the utilization.
- Model--Model number of each switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.

AOS-CX Switches with High Memory Usage

The CX Switches had unusually high memory usage insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches experiencing higher than normal memory utilization, and is categorized under availability since the impacted switches and the associated devices experience connectivity issues. This insight displays the following information:

- Time Series Graph
- Cards

Time Series Graph

In Global and Site context the time series graph displays the count of switches experiencing high memory utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity.
In the Device context this graph displays the severity level of the selected switch experiencing high memory utilization during the selected time period.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 100: Cards Context

Cards | Context
Site | Global
Switch | Global, Site
Memory | Device

Site

Lists the number of sites where the switches experience memory utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Switches with High Memory--Number of switches experiencing high memory utilization in each site.
- Minutes with High Memory--Amount of time (minutes) high memory utilization observed in each site.

Switch

Lists the number of switches that experience high memory utilization. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:

- Switch Model--Pictorial graph of the high memory utilization sorted by switch models.
- FW Version--Pictorial graph of high memory utilization sorted by switch firmware versions.

Click the number displayed on the Switch card to view a detailed description of the impacted switches:

- Switch Name--Name of the switch experiencing high memory utilization and link to the specific insight at the switch context.
- Serial--Serial number of the switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Max Memory--Maximum utilization of memory in each switch.
- Minutes with High Memory--Time range of high memory utilization on each switch.
- Model--Model number of each switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.

Memory

Lists the time series of memory utilization percentage for a switch. Click the arrow to expand the card and view the graphical representation of the data in the selected switch. Click the number displayed on the Memory card to view a detailed description of the impacted switch:

- Switch Name--Name of the switch experiencing high memory utilization.
- Max Memory--Maximum utilization of memory in a specific switch.
- Avg Memory--Average utilization of memory in a specific switch.
- Total Metrics--Total metrics of the utilization.
- Percentage Metrics--Percentage metrics of the utilization.
- Model--Model number of each switch.
- FW Version--Version of the firmware running on each switch.
- Site Name--Name of the site where the switch exists.

AOS-CX Switch Ports with High Power-over-Ethernet Problems

The CX Switch ports had a high number with Power-over-Ethernet problems insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that have not received required power from PoE devices connected to them. PoE issues occur in switches when power is denied, or power is demoted from the device connected to them. It is categorized under availability since the impacted switches are unable to receive sufficient power. This insight displays the following information:

- Time Series Graph
- Cards

Time Series Graph

In Global and Site context the time series graph displays the count of switches experiencing power issues in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing power issues during the selected time period.

Cards

The cards vary based on the context that you access the insight from.
Click one of the cards to view further details:

Table 101: Cards Context

Cards | Context
Site | Global
Switch | Global, Site
Wired Clients | Global, Site

Site

Lists the number of sites where switches have PoE issues. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Events--Number of events generated pertaining to PoE failures in each site.
- Ports--Number of ports for which power is denied.
- Switches--Number of switches for which power is denied.
- Impact (Minutes)--Amount of time (minutes) for which power is denied in each site.

Switch

Lists the number of switches that experience PoE issues in the network. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:

- Switch Model--Pictorial graph of PoE issues classified by switch models.
- FW Version--Pictorial graph of PoE issues classified by switch firmware versions.

Click the number displayed on the Switch card to view a detailed description of the impacted switches:

- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Events--Number of events generated pertaining to PoE failures in each switch.
- Wired Clients--Number of clients impacted by the PoE failures.
- Impact (Minutes)--Amount of time (minutes) for which power is denied in each switch.
- Stack ID--Stack ID of the impacted switch.
- Number of Events--Number of events generated pertaining to PoE failures in each switch.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.

Wired Clients

Lists the MAC Address, name, host name, and auth ID of the clients connected to a switch that experience PoE issues. Click the arrow to view the pictorial graph of the Most Impacted clients. Click the Wired Clients drop-down list to view the following:

- Model--Pictorial graph of all the device types models connected to the impacted switch.
- Vendor--Pictorial graph of the device type vendors connected to the impacted switch.

Click the number displayed on the Wired Clients card to view a detailed description of the impacted switches:

- Wired Client--Name of the client.
- Client MAC--MAC address of the client.
- Description--An overview of the connected devices, including the OS type, model, and version.
- Switch Name--Name of the impacted switch where the client resides and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch where the client resides.
- Port Number--Port number of the switch the client device is connected to.
- Power Requested/Offered--PoE consumption for each client.
- Reason--Cause of the denied PoE power in each client.
- Status--Status of client.
- Model--Hardware model of the impacted switch where the client resides.
- Vendor--Vendor of the wired client.
- Site--Name of the site where the client resides.

AOS-CX Switches with High Port Errors

The CX Switches had an unusual number of port errors insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that experience excessive port errors confined to the Layer1 and Layer2 in the network. This insight is categorized under availability since the wired devices connected to the affected ports experience connectivity issues.
This insight displays the following information:

- Insight Summary
- Time Series Graph
- Cards

Insight Summary

The insight summary provides the following details:

- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the recommendation against each failure to resolve the same.
- Errors--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph

In Global and Site context the time series graph displays the count of switches experiencing port errors in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing port errors during the selected time period.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 102: Cards Context

Cards | Context
Site | Global
Switch | Global, Site
Port | Global, Site, Device

Site

Lists the number of sites where switches have port errors. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Switches with Port Errors--Number of the switches experiencing port errors.
- Number of Errors--Number of errors in each site.
- Number of Ports--Number of ports experiencing errors in each site.

Switch

Lists the number of switches that experience excessive port errors in the network. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:

- Switch Model--Pictorial graph of port errors classified by switch models.
- FW Version--Pictorial graph of port errors classified by switch firmware versions.

Click the number displayed on the Switch card to view a detailed description of the impacted switches:

- Switch Name--Name of the switch experiencing port errors and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Number of Errors--Number of port errors in each switch.
- Number of Ports--Number of ports experiencing excessive errors.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.

Port

Number of ports experiencing excessive errors. Click the arrow to view the pictorial graph of the Most Impacted ports. Click the number displayed on the Port card, to view a detailed description of the impacted ports:

- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Switch MAC--MAC address of the impacted switch.
- Port Number--Port number of the switch.
- Number of Errors--Number of port errors in each port.
- Status--Status of the impacted switch.
- Connected Device--MAC address of the connected device.
- Connected Device MAC--MAC address of the client device.
- Connected Device Description--An overview of the connected devices, including the OS type, model, and version.

AOS-CX Switches with High Port Flaps

The CX Switches had excessive port flaps insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that experience port flaps in the network.
It is categorized under availability since this causes connectivity drops and also triggers the reboot of PoE devices. This insight displays the following information:

- Time Series Graph
- Cards

Time Series Graph

In Global and Site context the time series graph displays the count of switches experiencing port flaps in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing port flaps during the selected time period.

Cards

The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 103: Cards Context

Cards | Context
Site | Global
Switch | Global, Site
Port | Global, Site, Device

Site

Site card is accessible only when this insight is accessed from the global context. It lists the number of sites where switches have port flaps. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:

- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Switches with Excessive Flaps--Number of the switches experiencing port flaps.
- Number of Flaps--Number of errors in each site.
- Number of Ports--Number of ports experiencing flaps in each site.

Switch

Lists the number of switches that experience excessive port flaps in the network. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:

- Switch Model--Pictorial graph of port flaps classified by switch models.
- FW Version--Pictorial graph of port flaps classified by switch firmware versions.

Click the number displayed on the Switch card to view a detailed description of the impacted switches:

- Switch Name--Name of the switch experiencing port flaps and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Number of Flaps--Number of port flaps in each switch.
- Number of Ports--Number of ports affected by excessive flaps.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.

Port

Number of ports experiencing excessive flaps. Click the arrow to view the pictorial graph of the Most Impacted ports. Click the number displayed on the Port card, to view a detailed description of the impacted ports:

- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Switch MAC--MAC address of the impacted switch.
- Port Number--Port number of the switch.
- Number of Flaps--Number of port flaps in each port.
- Status--Status of the impacted switch.
- Connected Device--MAC address of the connected device.
- Connected Device MAC--MAC address of the client device.
- Connected Device Description--An overview of the connected devices, including the OS type, Model, and Version.

AOS-Switches with High Port Errors

The PVOS Switches had an unusual number of port errors insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that experience excessive port errors confined to the Layer1 and Layer2 in the network.
This insight is categorized under availability since the wired devices connected to the affected ports experience connectivity issues. This insight displays the following information:
- Insight Summary
- Time Series Graph
- Cards

Insight Summary
The insight summary provides the following details:
- Reason--Displays the possible causes for which the failure occurred.
- Recommendation--Displays the recommendation against each failure to resolve the same.
- Errors--Displays the exact number and percentage of failures that occurred against each failure reason.

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing port errors in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing port errors during the selected time period.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 104: Cards Context
| Cards | Context |
|---|---|
| Site | Global |
| Switch | Global, Site |
| Port | Global, Site, Device |

Site
Lists the number of sites where switches have port errors. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Switches with Port Errors--Number of the switches experiencing port errors.
- Number of Errors--Number of errors in each site.
- Number of Ports--Number of ports experiencing errors in each site.

Switch
Lists the number of switches that experience excessive port errors in the network. Click the arrow to view the pictorial graph of the Most Impacted switches.
Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of port errors classified by switch models.
- FW Version--Pictorial graph of port errors classified by switch firmware versions.

Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing port errors and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Number of Errors--Number of port errors in each switch.
- Number of Ports--Number of ports experiencing excessive errors.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.

Port
Number of ports experiencing excessive errors. Click the arrow to view the pictorial graph of the Most Impacted ports. Click the number displayed on the Port card, to view a detailed description of the impacted ports:
- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Switch MAC--MAC address of the impacted switch.
- Port Number--Port number of the switch.
- Number of Errors--Number of port errors in each port.
- Status--Status of the impacted switch.
- Connected Device--MAC address of the connected device.
- Connected Device MAC--MAC address of the client device.
- Connected Device Description--An overview of the connected devices, including the OS type, model, and version.

AOS-Switches with High Port Flaps
The PVOS Switches had excessive port flaps insight can be accessed from the Global, Site, and Switches context.
This insight provides information on the switches that experience port flaps in the network. It is categorized under availability since this causes connectivity drops and also triggers the reboot of PoE devices. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing port flaps in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing port flaps during the selected time period.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 105: Cards Context
| Cards | Context |
|---|---|
| Site | Global |
| Switch | Global, Site |
| Port | Global, Site, Device |

Site
Site card is accessible only when this insight is accessed from the global context. It lists the number of sites where switches have port flaps. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Switches with Excessive Flaps--Number of the switches experiencing port flaps.
- Number of Flaps--Number of errors in each site.
- Number of Ports--Number of ports experiencing flaps in each site.

Switch
Lists the number of switches that experience excessive port flaps in the network. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of port flaps classified by switch models.
- FW Version--Pictorial graph of port flaps classified by switch firmware versions.
Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing port flaps and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Number of Flaps--Number of port flaps in each switch.
- Number of Ports--Number of ports affected by excessive flaps.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site Name--Name of the site where the switch exists.

Port
Number of ports experiencing excessive flaps. Click the arrow to view the pictorial graph of the Most Impacted ports. Click the number displayed on the Port card, to view a detailed description of the impacted ports:
- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Switch MAC--MAC address of the impacted switch.
- Port Number--Port number of the switch.
- Number of Flaps--Number of port flaps in each port.
- Status--Status of the impacted switch.
- Connected Device--MAC address of the connected device.
- Connected Device MAC--MAC address of the client device.
- Connected Device Description--An overview of the connected devices, including the OS type, Model, and Version.

AOS-Switches with High CPU Utilization
The PVOS Switches had unusually high CPU utilization insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches experiencing higher than normal CPU utilization. It is categorized under availability since the impacted switches and the associated devices experience connectivity issues.
This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing high CPU utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing high CPU utilization during the selected time period.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 106: Cards Context
| Cards | Context |
|---|---|
| Site | Global |
| Switch | Global, Site |
| CPU | Device |

Site
Lists the number of sites where the switches experience high CPU utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Switches with High CPU--Number of switches experiencing high CPU utilization in each site.
- Minutes with High CPU--Amount of time (minutes) high CPU utilization observed in each site.

Switch
Lists the number of switches that experience high CPU utilization. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of the high CPU utilization sorted by switch models.
- FW Version--Pictorial graph of high CPU utilization sorted by switch firmware versions.

Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing high CPU utilization and link to the specific insight at the switch context.
- Serial--Serial number of the switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Max CPU--Maximum utilization of the CPU in each switch.
- Minutes with High CPU--Time range of high CPU utilization on each switch.
- Model--Model number of each switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.

CPU
Lists the time series of CPU utilization percentage for a switch. Click the arrow to expand the card and view the graphical representation of the data in the selected switch. Click the number displayed on the CPU card to view a detailed description of the impacted switch:
- Switch Name--Name of the switch experiencing high memory utilization.
- Max CPU--Maximum utilization of the CPU in a specific switch.
- Total Metrics--Total metrics of the utilization.
- Percentage Metrics--Percentage metrics of the utilization.
- Model--Model number of each switch.
- Firmware--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.

AOS-Switches with High Memory Usage
The PVOS Switches had unusually high memory usage insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches experiencing higher than normal memory utilization, and is categorized under availability since the impacted switches and the associated devices experience connectivity issues. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing high memory utilization in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity.
In the Device context this graph displays the severity level of the selected switch experiencing high memory utilization during the selected time period.

Cards
The cards vary based on the context that you access the insight from. Click one of the cards to view further details:

Table 107: Cards Context
| Cards | Context |
|---|---|
| Site | Global |
| Switch | Global, Site |
| Memory | Device |

Site
Lists the number of sites where the switches experience memory utilization. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site impacted by the insight and link to the specific insight at the site context.
- Switches with High Memory--Number of switches experiencing high memory utilization in each site.
- Minutes with High Memory--Amount of time (minutes) high memory utilization observed in each site.

Switch
Lists the number of switches that experience high memory utilization. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of the high memory utilization sorted by switch models.
- FW Version--Pictorial graph of high memory utilization sorted by switch firmware versions.

Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing high memory utilization and link to the specific insight at the switch context.
- Serial--Serial number of the switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch.
- Max Memory (%)--Maximum utilization of memory in each switch.
- Minutes with High Memory--Time range of high memory utilization on each switch.
- Model--Model number of each switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.
Memory
Lists the time series of memory utilization percentage for a switch. Click the arrow to expand the card and view the graphical representation of the data in the selected switch. Click the number displayed on the Memory card to view a detailed description of the impacted switch:
- Switch Name--Name of the switch experiencing high memory utilization.
- Max Memory--Maximum utilization of memory in a specific switch.
- Avg Memory--Average utilization of memory in a specific switch.
- Total Metrics--Total metrics of the utilization.
- Percentage Metrics--Percentage metrics of the utilization.
- Model--Model number of each switch.
- Firmware--Version of the firmware running on each switch.
- Site Name--Name of the site where the switch exists.

AOS-Switch Ports with High Power-over-Ethernet Problems
The PVOS Switch ports had a high number with Power-over-Ethernet problems insight can be accessed from the Global, Site, and Switches context. This insight provides information on the switches that have not received required power from PoE devices connected to them. PoE issues occur in switches when power is denied, or power is demoted from the device connected to them. It is categorized under availability since the impacted switches are unable to receive sufficient power. This insight displays the following information:
- Time Series Graph
- Cards

Time Series Graph
In Global and Site context the time series graph displays the count of switches experiencing power issues in the network during the selected time period. You can hover your mouse on each bar graph to see the number of impacted switches during the selected time under each severity. In the Device context this graph displays the severity level of the selected switch experiencing power issues during the selected time period.

Cards
The cards vary based on the context that you access the insight from.
Click one of the cards to view further details:

Table 108: Cards Context
| Cards | Context |
|---|---|
| Site | Global |
| Switch | Global, Site |
| Wired Clients | Global, Site |

Site
Lists the number of sites where switches have PoE issues. Click the arrow to view the pictorial graph of the Most Impacted sites. Click the number displayed on the Site card, to view a detailed description of the impacted sites:
- Site--Name of the site where the impacted switch resides and link to the specific insight at the site context.
- Events--Number of events generated pertaining to PoE failures in each site.
- Ports--Number of ports for which power is denied.
- Switches--Number of switches for which power is denied.
- Impact (Minutes)--Amount of time (minutes) for which power is denied in each site.

Switch
Lists the number of switches that experience PoE issues in the network. Click the arrow to view the pictorial graph of the Most Impacted switches. Click the Switch drop-down list to view the following:
- Switch Model--Pictorial graph of PoE issues classified by switch models.
- FW Version--Pictorial graph of PoE issues classified by switch firmware versions.

Click the number displayed on the Switch card to view a detailed description of the impacted switches:
- Switch Name--Name of the switch experiencing power issues and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Events--Number of events generated pertaining to PoE failures in each switch.
- Wired Clients--Number of clients impacted by the PoE failures.
- Impact (Minutes)--Amount of time (minutes) for which power is denied in each switch.
- Stack ID--Stack ID of the impacted switch.
- Number of Events--Number of events generated pertaining to PoE failures in each switch.
- Model--Model number of the impacted switch.
- FW Version--Version of the firmware running on each switch.
- Site--Name of the site where the switch exists.

Wired Clients
Lists the MAC Address, name, host name, and auth ID of the clients connected to a switch that experience PoE issues. Click the arrow to view the pictorial graph of the Top 5 impacted clients. Click the Wired Clients drop-down list to view the following:
- Model--Pictorial graph of all the device type models connected to the impacted switch.
- Vendor--Pictorial graph of the device type vendors connected to the impacted switch.

Click the number displayed on the Wired Clients card to view a detailed description of the impacted switches:
- Wired Client--Name of the client.
- Client MAC--MAC address of the client.
- Description--An overview of the connected devices, including the OS type, model, and version.
- Switch Name--Name of the impacted switch where the client resides and link to the specific insight at the switch context.
- Serial--Serial number of the impacted switch and link to the specific insight at the switch context.
- Stack ID--Stack ID of the impacted switch where the client resides.
- Port Number--Port number of the switch the client device is connected to.
- Power Requested/Offered--PoE consumption for each client.
- Reason--Cause of the denied PoE power in each client.
- Status--Status of client.
- Model--Hardware model of the impacted switch where the client resides.
- Vendor--Vendor of the wired client.
- Site--Name of the site where the client resides.

Chapter 7
Managed Service Provider

Aruba Central is a SaaS platform that provides a single customer login for all cloud applications delivered by Aruba. Aruba Central in MSP mode consists of the Network Operations app and the Account Home page. The Network Operations app in Aruba Central provides a cloud-based network management platform for managing your wireless and wired networks with Aruba Instant APs and Switches.
Along with device and network management functions, the Network Operations app offers value-added services such as customized guest access, client presence and service assurance analytics. In Account Home, you can manage network inventory, subscriptions, user access and other functions.

The Managed Service Provider (MSP) mode is a multi-tenant operational mode that Aruba Central accounts can be converted into, provided these accounts have subscribed to the Network Operations app. Enabling MSP mode for the Network Operations app provides additional options that an administrator can use to manage multiple independent Aruba Central accounts from a single interface. With the MSP mode enabled, MSP administrators can provision tenant accounts, allocate devices, assign subscriptions, and monitor tenant accounts. MSP administrators can drill down to a specific tenant account and perform additional administration and configuration tasks.

Terminology
Take a few minutes to familiarize yourself with the following key terms:

| Term | Description |
|---|---|
| Standard Enterprise mode | Refers to the Aruba Central deployment mode in which customers manage their respective accounts end-to-end. The Standard Enterprise mode is a single-tenant environment for a single end-customer. |
| MSP mode | Refers to the Aruba Central deployment mode in which service providers centrally manage and monitor multiple tenant accounts from a single management interface. |
| Tenant accounts, Customer accounts | End-customer accounts created in the MSP mode. Each tenant is an independent instance of Aruba Central. |
| MSP administrator | Refers to owners of the primary account. These users have administrator privileges to provision, manage, and monitor tenant accounts. |
| Tenant users, Customers | Refers to the owners of an individual tenant account provisioned in the Managed Service Provider mode. The MSP administrator can create a tenant account. |
Getting Started with MSP Solution
Before you get started with your onboarding and provisioning operations, we recommend that you browse through the following topics to know the key capabilities of Aruba Central MSP Solution.
- Operational Modes and Interfaces
- About the Managed Service Portal User Interface

Navigate through the following steps to view help pages that describe the onboarding and provisioning procedures for MSP and tenant accounts:
1. Set up your Aruba Central account
2. Accessing Aruba Central Portal
3. Enabling Managed Service Mode
4. Onboard devices
5. Add subscription keys
6. Create groups
7. Provision tenant accounts
8. Assign devices to tenant accounts
9. Assign subscription to devices and services
10. Configure users and roles
11. Customize tenant account view
12. Add Certificates
13. Monitor tenant accounts

Enabling Managed Service Mode
The Enable MSP option is only available if the following conditions are met:
- You sign into Aruba Central as an administrator.
- The Aruba Central account is only subscribed to the Network Operations app. If the account has multiple subscriptions, such as both Network Operations and ClearPass Device Insight, the Enable MSP option is not available.
  Figure 115 Do Not Select the ClearPass Device Insight
- You access the User Settings icon from the Network Operations app and not the Account Home page.

To enable MSP mode, perform the following steps:
1. Log in to your Aruba Central account as an administrator.
2. Launch the Network Operations app.
   If you have subscriptions to other apps, enabling MSP mode is not supported, and the Enable MSP option is not available. In this case, create a new Aruba Central account with the Network Operations app and contact Aruba Technical Support to migrate devices and licenses to the new account.
3. Click the user icon.
4. Click Enable MSP.
   Figure 116 Click Enable MSP
5.
In the Managed Service Mode pop-up window, fill in the required details and click Submit. In the confirmation pop-up window, the following message is displayed if the submitted information meets the acceptance criteria: MSP Mode is enabled for this account. If the submitted information does not meet the acceptance criteria, a request denied message is displayed along with the reason why the MSP mode is not recommended.
   MSP mode is not recommended and the MSP application is denied if one of the following conditions is true:
   - Your deployment of Aruba Central does not require you to deliver network management services to your end customers.
   - You are going to manage Aruba Central for your customers, however, the network devices are purchased by the customers. In this scenario, you can manage the customer accounts from the Standard Enterprise Mode by using the Switch Customer option. For more information on this deployment model, see End-Customer Owns Both Devices and Subscriptions But MSP Manages (Deployment Model 2).
6. Click OK. The page is automatically redirected to the MSP Dashboard view.

If your online application is rejected because the conditions for enabling MSP were not met, and you wish to revise the provided information, the Enable MSP option is reset after 30 minutes for you to try again.

Disabling the Managed Service Mode
If you do not want to use Managed Service Mode, you can switch to the Standard Enterprise mode. Delete all tenant account data before you proceed. To disable Managed Service mode:
1. Click the user icon.
2. Click Disable MSP. The option is grayed out if tenant account data exists.
3. In the Managed Service Mode pop-up window, click Disable Managed Service Mode.

MSP Mode Enablement Scenarios
You can convert the Standard Enterprise mode in the Network Operations app to MSP mode.
Only the Network Operations app supports the MSP mode and it must be the only app running in Aruba Central for enabling the MSP mode. The following is a list of possible scenarios you might encounter while subscribing to the Network Operations app.
- Scenario 1: You sign up for Aruba Central to evaluate the Network Operations app as well as the ClearPass Device Insight app. Subsequently, you wish to enable MSP mode on the Network Operations app. MSP mode conversion is not allowed in this scenario. Create another Aruba Central account with only the Network Operations app and convert this account to MSP mode. Contact Aruba Support for migrating the devices and licenses.
- Scenario 2: You sign up for an Aruba Central account to evaluate the ClearPass Device Insight app. After that, you also sign up for evaluating the Network Operations app in standard enterprise mode in the same account. This mode of operation is supported.
- Scenario 3: You sign up for an Aruba Central account to evaluate the Network Operations app. After that, you also sign up for evaluating the ClearPass Device Insight in the same Aruba Central account. If you are running the Network Operations app in the standard enterprise mode, this mode of operation is supported.

Managing MSP Licenses
Aruba Central in the Managed Service Provider (MSP) mode supports the following types of licenses for APs, switches, and gateways:
- Foundation--Allows you to manage and monitor the APs, switches, and gateways of your customers or tenants through the Aruba Central MSP mode. This license provides all the features included in the legacy Device Management subscription and some additional features that were available as value-added services for APs in the earlier licensing model.
- Advanced--This license provides all the features of a Foundation License, with additional features related to AI Insights.

The licenses for APs, switches, and gateways cannot be used interchangeably.
For example, you cannot use an AP Foundation License on a gateway. Similarly, if an Aruba 25xx Switch is in the inventory but the license available is for an Aruba 29xx Switch, the Aruba 29xx Switch license cannot be applied to the Aruba 25xx Switch.

Before enabling the Auto-Assign License option for a specific device type, ensure that there are sufficient available licenses for the specific device type. For more information on the different types of available licenses, see Aruba Central License Feature Details.

A license key is an alphanumeric string with 9 to 14 characters; for example, PQREWD6ADWERAS. Aruba Central can manage a device only if the corresponding license key of the device is added to Aruba Central. License keys can either be evaluation license keys that map to evaluation licenses or paid license keys that map to paid licenses. The evaluation license key is valid for 90 days. To use Aruba Central for managing, profiling, analyzing, and monitoring your devices, you must ensure that you have a valid license key and that the license key is listed in the Account Home > Global Settings > Key Management page.

The license keys are not mapped directly to devices. Before assigning a license key to a device, the system only checks whether there are licenses available in the pool for the device. All license keys that are added to an MSP account go to a license pool and devices are licensed from this MSP license pool. Licenses can be assigned to devices only when the devices are already mapped to customer accounts.

In the MSP mode, all the hardware and licenses are owned by the MSP. The MSP temporarily assigns devices and their corresponding licenses to customers for the duration of the managed service contract. When the contract ends, the devices and the licenses are returned to the common pool of resources of the MSP and can be reassigned to another customer.
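The following pre-flight check applies the pool rules described above to an exported inventory before Auto-Assign is turned on. It is an added example, not part of the Aruba guide, and it calls no Aruba Central API; the field names, the `license_class` labels, and all sample serials, tenants and keys are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import date

# From the guide: a license key is an alphanumeric string of 9 to 14 characters.
KEY_RE = re.compile(r"[A-Za-z0-9]{9,14}")


def valid_key(key):
    """True if the key matches the documented 9-14 character alphanumeric format."""
    return KEY_RE.fullmatch(key) is not None


def preflight(devices, keys, today):
    """Compare a license pool with an inventory before enabling auto-assignment.

    devices: dicts with serial, license_class, customer (None = still in the MSP pool)
    keys:    dicts with key, license_class, available, expires (datetime.date)
    All field names are hypothetical; adapt them to your own export format.
    """
    bad_keys = sorted(k["key"] for k in keys if not valid_key(k["key"]))
    expired = sorted(k["key"] for k in keys
                     if valid_key(k["key"]) and k["expires"] < today)

    # Licenses are pooled, but a pool for one device class never covers another.
    available = Counter()
    for k in keys:
        if valid_key(k["key"]) and k["expires"] >= today:
            available[k["license_class"]] += k["available"]

    # Only devices already mapped to a customer account can be licensed.
    unmapped = sorted(d["serial"] for d in devices if d["customer"] is None)
    mapped = [d for d in devices if d["customer"] is not None]
    needed = Counter(d["license_class"] for d in mapped)

    shortfall = {cls: n - available[cls]
                 for cls, n in sorted(needed.items()) if n > available[cls]}
    # Tenants that own at least one device in a class that is short of licenses.
    at_risk = sorted({d["customer"] for d in mapped
                      if d["license_class"] in shortfall})
    return {
        "bad_keys": bad_keys,
        "expired_keys": expired,
        "unmapped": unmapped,
        "shortfall": shortfall,
        "customers_at_risk": at_risk,
        "safe_to_enable": not shortfall,
    }


# Constructed sample data: serials, tenants and keys are made up.
SAMPLE_DEVICES = [
    {"serial": "AP0001", "license_class": "ap", "customer": "tenant-a"},
    {"serial": "AP0002", "license_class": "ap", "customer": "tenant-b"},
    {"serial": "AP0003", "license_class": "ap", "customer": None},
    {"serial": "SW2501", "license_class": "switch-25xx", "customer": "tenant-a"},
    {"serial": "SW2502", "license_class": "switch-25xx", "customer": "tenant-b"},
    {"serial": "GW0001", "license_class": "gateway", "customer": "tenant-b"},
]
SAMPLE_KEYS = [
    {"key": "ABCDE12345", "license_class": "ap",
     "available": 2, "expires": date(2022, 1, 1)},
    {"key": "FGHIJ67890KLMN", "license_class": "switch-29xx",
     "available": 5, "expires": date(2022, 1, 1)},
    {"key": "PQRST1234", "license_class": "switch-25xx",
     "available": 1, "expires": date(2022, 1, 1)},
    {"key": "UVWXY98765", "license_class": "gateway",
     "available": 1, "expires": date(2021, 3, 1)},
    {"key": "BAD-KEY-01", "license_class": "gateway",
     "available": 1, "expires": date(2022, 1, 1)},
]

if __name__ == "__main__":
    for name, value in preflight(SAMPLE_DEVICES, SAMPLE_KEYS, date(2021, 6, 1)).items():
        print(f"{name}: {value}")
```

In the sample, the five spare 29xx licenses do not cover the 25xx shortfall, which is the non-interchangeability rule in practice.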
You can either enable automatic assignment of licenses or manually assign licenses for devices added in Aruba Central MSP mode.

Enabling Automatic License Assignments
If you, as an MSP administrator, want to enable automatic assignment of licenses to the devices mapped to your customer accounts, note the following points:
- Aruba Central assigns licenses only if the devices are mapped to a customer account.
- When a device is moved from a customer account back to the MSP pool, Aruba Central removes the license assigned to this device.
- When the automatic license assignment is enabled, Aruba Central disables the device-specific and customer-specific overrides.
- When the automatic license assignment is enabled, all the existing customers and newly created customers in the MSP account inherit the license assignment settings. Subsequently, Aruba Central assigns licenses to the customers and their respective devices.
- If you migrate from the Standard Enterprise mode to the MSP mode, Aruba Central retains your license settings.
- If the devices are no longer mapped to a customer account, MSP administrators cannot assign licenses to these devices.
- If auto-assignment is enabled and the device license expires, you are notified about the license expiry. Aruba Central checks if an equivalent license of the same tier or capacity is available and reassigns that license to the device automatically. If an equivalent license is unavailable, Aruba Central un-assigns a set of devices to match the number of expiring licenses and you are notified that the device license is updated.

You can configure automatic license assignment either during initial setup or later from the Account Home page.

Automatic License Assignment from the Initial Setup Wizard
To enable automatic assignment of licenses from the Initial Setup Wizard:
1. Verify that you have a valid license key.
2. Ensure that you have successfully added your devices to the device inventory.
3.
In the Assign License tab, slide the Auto-Assign Licenses toggle switch to the On position.

Automatic License Assignment from Account Home
To enable automatic assignment of licenses from the License Assignment page:
1. On the Account Home page, under Global Settings, click License Assignment. The License Management page is displayed.
2. In the Assign License tab, slide the Auto-Assign Licenses toggle switch to the On position. All the devices in your inventory are selected for automatic assignment of licenses. You can edit the list by clearing the existing selection and re-selecting devices.

When a license assigned to a device expires, or is canceled, Aruba Central checks for the available licenses in your account and assigns an available license of the longest validity to the device. If your account does not have an adequate number of licenses, you may have to manually assign licenses to as many devices as possible.

To view the license utilization details and the number of licenses available in your account, go to the Account Home > Global Settings > Key Management page.

Enabling Manual License Assignments
You can disable the Auto-assign License option and manually assign licenses to devices. Licenses can be assigned only for devices which are mapped to a customer account. To manually assign licenses to devices or override the current assignment:
1. In the Account Home page, under Global Settings, click License Assignment. The License Management page is displayed.
2. Ensure that the Auto-Assign Licenses toggle switch is turned off. When you turn off the Auto-Assign Licenses toggle switch:
   - Automatic assignment of licenses for all the existing customers, including the MSP devices, is disabled.
   - All device licenses assigned to devices are preserved.
   - Devices must be assigned to customer accounts before licenses are assigned to them.
   If a license is assigned to a device that is not mapped to any specific customer account, Aruba Central displays the following error message:
   Please assign this device to a customer before licensing it. Customer assignment can be performed in the Device Inventory page.
3. Click one of the tabs for Access Points, Switches, or Gateways. Each of the device tabs has two sub-tabs: Unlicensed and Licensed.
4. You can use the Customer filter to display a specific customer.
5. In the Unlicensed tab, you can select one or multiple devices and click Manage or Manage Assignment. The Manual License Assignment (Manual) window is displayed.
6. From the Choose License Type drop-down menu, select a suitable license and click Update to assign a license. If the license update is successful, you get a notification and the device is no longer listed under the Unlicensed tab.

Removing or Updating a License from a Device

You can remove a license from a device or change the license assigned to a device from the License Assignment window.
1. In the Account Home page, under Global Settings, click License Assignment. Ensure that the Auto-Assign License toggle is turned off.
2. Click one of the tabs for Access Points, Switches, or Gateways. Each of the device tabs has two sub-tabs: Unlicensed and Licensed.
3. You can use the Customer filter to display a specific customer.
4. In the Licensed tab, you can select one or multiple devices for which you want to either update or remove a license.
5. Click Manage or Manage Assignment. The Manual License Assignment (Manual) window is displayed.
6. You can do one of the following:
   - To remove a license, click Unassign. The devices with unassigned licenses are no longer listed in the Licensed tab.
   - To update to a new license, from the Choose License Type drop-down menu, select a suitable license and click Update.
     If the license update is successful, you get a notification and the Licensed tab displays the updated licenses.

Acknowledging License Expiry Notifications

In the Account Home page, under Global Settings, click Key Management. The Key Management page displays the expiration date for each license.

As the license expiration date approaches, users receive expiry notifications. The users with an evaluation license receive license expiry notifications through email 30, 15, and 1 day before the license expiry and on day 1 after the license actually expires. The users with paid licenses receive license expiry notifications through email 90, 60, 30, 15, and 1 day before expiry and two notifications per day on day 1 and day 2 after the license expires.

Acknowledging Notifications through Email

If the user has multiple licenses, a consolidated email with the expiry notifications for all licenses is sent to the user. Users can acknowledge these notifications by clicking the Acknowledge All link in the email notification.

Figure 117 Acknowledging Notifications through Email

Acknowledging Notifications in the UI

If a license has already expired, or is about to expire within 24 hours, a license expiry notification message is displayed in a pop-up window when the user logs in to Aruba Central. To prevent Aruba Central from generating expiry notifications, click Acknowledge.

Renewing Licenses

To renew your licenses, contact the Aruba Sales team.

System Users and User Roles in MSP Mode

The Users and Roles page under Global Settings enables you to view, create, and modify users and roles. The Users and Roles page has two tabs: Users and Roles.
The following topics are included:
- About Roles in MSP Home Account
  - Module Permissions for Roles
  - Adding a Custom Role in MSP Account Home
  - Viewing Role Details
  - Editing a Role
  - Deleting a Role
- About Users in MSP Account Home
  - Adding a User in MSP Account Home
  - Editing a User in MSP Account Home
  - Deleting a User in MSP Account Home
  - Viewing Audit Trail Logs for Users

About Roles in MSP Home Account

Aruba Central MSP mode supports role-based access control. Aruba Central allows you to create predefined user roles and custom roles.

As shown in the following figure, MSP user A is mapped to two roles. MSP role admin gives the user administrator access to all MSP applications and the tenant role readonly gives the user read-only access to all tenant accounts. MSP user B is tied to MSP role admin and tenant role admin. The tenant administrator role provides the user administrator access to all tenant accounts.

Tenant user A is mapped to the admin role. This role gives the user administrator access to all tenant A applications. Tenant user B is mapped to the readonly role. This role gives the user read-only access to tenant B applications. Tenant user A and tenant user B can access only their respective accounts.

Figure 118 MSP Role-Based Access Control

The Roles tab has the following predefined roles.

Table 109: Predefined Roles

| Application | Role | Privilege |
|---|---|---|
| Account Home | admin | Administrator for the Account Home page. If there are common modules between Account Home and other app(s), the Account Home role has higher precedence and the user is granted permission if the operation is initiated from the Account Home page. |
| Account Home | readwrite | Can view and modify settings in the Account Home page and all Global Settings pages. NOTE: The 'readwrite' role will not have modify permission for the following pages: Users and Roles; Single-Sign-On. |
| Account Home | readonly | Can view the Account Home page and all Global Settings pages. |
| Network Operations | admin | Administrator for the Network Operations application. Has access to Account Home > Global Settings. This is applicable only if the Account Home role is not set or is not conflicting. |
| Network Operations | deny-access | Cannot view the Network Operations application. |
| Network Operations | guestoperator | Has guest operator access to the Network Operations application. User does not have access to Account Home > Global Settings. |
| Network Operations | readonly | Has read-only access to Account Home > Global Settings and the Network Operations application. |
| Network Operations | readwrite | Has read-write access to Account Home > Global Settings and the Network Operations application. Has access to view and modify data using the Aruba Central UI or APIs. However, the user cannot execute APIs to enable or disable MSP mode, or to perform operations in the following pages: Account Home > Users and Roles; Network Operations application > Organization > Labels and Sites. |

Module Permissions for Roles

Aruba Central enables you to define roles with view or modify permissions. You can also block user access to some modules. If a module is blocked for a specific role, either the corresponding pages are not displayed in the UI, or the user can access the pages but no data is displayed and all actions are disabled for the role. Aruba Central supports setting permissions for the following modules:

Table 110: Permissions

| Application | Module | Description |
|---|---|---|
| Account Home | Devices and Subscription | Enables users to add devices and assign keys and subscriptions to devices in the Account Home page. |
| Account Home | Users | Enables users to define a role with access (View, Modify, or Block) to the user details in the Users tab in the Users and Roles page. To define the role, navigate to Account Home > Global Settings > Users and Roles. |
| Account Home | Roles | Enables users to define a role with access (View, Modify, or Block) to the role details in the Roles tab in the Users and Roles page. To define the role, navigate to Account Home > Global Settings > Users and Roles. |
| Account Home | SSO | Enables users to define a role with access (View, Modify, and Block) to the Single Sign On profiles details in the Users tab in the Single-Sign-On page (Account Home > Single-Sign-On). Enables users to define a role with access (View, Modify, or Block) to the Single Sign On profiles details in the Single Sign On page. To navigate to the Single Sign On page, go to Account Home > Single Sign On. |
| Network Operations | MSP | Enables users with administrator role and privileges to define user access to MSP modules such as Customer Management and Portal Customization. The MSP tenant account user does not have access to the MSP application. Even if a tenant account user is assigned a custom role having MSP application privileges: Tenant account user does have access to the MSP application. MSP will not appear in the Account Home > Global Settings > Users and Roles > Roles > Allowed Applications list. |
| Network Operations | Group Management Devices and Subscription | Enables users to create, view, modify, and delete groups and assign devices to groups. Users cannot edit or set permissions for this module. Modify and Block options are disabled. By default, the View Only permission is set. |
| Network Operations | Network Management | Enables users to configure, troubleshoot, and monitor Aruba Central-managed networks. You can customize the permissions (view or modify or block) for the following sub-modules: Configuration, Configuration Variables, Privileged Configuration, Firmware, Troubleshooting, Other Modules. NOTE: For the Privileged Configuration, the 'Block' option disables the Admin tab (Gateway > System > Admin) for the user. The user management privileges are disabled for this user for gateways at the device and group level. |
| Network Operations | Guest Management | Enables users to configure cloud guest splash page profiles. |
| Network Operations | AirGroup | Enables users to define or block user access to the AirGroup pages. |
| Network Operations | Presence Analytics | Enables users to access the Presence Analytics app and analyze user presence data. |
| Network Operations | Floorplans | Enables user to access Floorplans and RF heatmaps. |
| Network Operations | Unified Communications | Enables users to access the Unified Communications pages. |
| Network Operations | Install Manager | Enables users to manage installer profiles and site installations. |
| Network Operations | Reports | Enables users to view and create reports. |
| Network Operations | Other Applications | Enables users to access other applications modules such as notifications and Virtual Gateway deployment service. |

Adding a Custom Role in MSP Account Home

The following are the permissions that you can associate with a custom role:
- Roles with Modify permission can perform add, edit, or delete actions within the specific module.
- Roles with View Only permission can only view the specific module.
- Roles with Block permission cannot view that particular module or can view the corresponding pages but no data is displayed and all actions are disabled.

To add a custom role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. Click Add Role. The New Role window is displayed.
4. Specify a name for the role.
5. From the drop-down list, select one of the following:
   - Account Home--To manage access to devices and subscriptions in Aruba Central.
   - Network Operations--To set permissions at the module level in the Network Operations application.
6. For Network Management and MSP modules, you can set access rights at the module level. To set view or edit permissions or block the users from accessing a specific module, complete the following steps:
   a. Click Customize.
   b. Select one of the following options for each module as required:
      - View Only
      - Modify
      - Block
7. Click Save.
8. Assign the role to a user account as required.

Viewing Role Details

To view the details of a role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab. The Roles tab displays the following information:
   - Role Name--Name of the role.
   - Allowed Applications--The application(s) to which the user account is subscribed.
   - Assigned Users--Number of users assigned to a role.

Editing a Role

To edit a role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the edit icon.
4. In the Edit Role <"Rolename"> window, modify the permissions set for module(s).
5. Click Save.

Deleting a Role

To delete a role, ensure that the role is not associated with any user and complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the delete icon.
4. Confirm role deletion in the Confirm Action dialog box.

About Users in MSP Account Home

In the Account Home page, under Global Settings, click Users and Roles. The Users tab is displayed. The List of Users table displays the following information:
- Email ID of the user.
- Type of user. The user can be system user or external user.
- Description of the user.
- MSP role
- Tenant role
- Account Home role
- Allowed groups for the user.
- Last active time of the user. If the last active time cell is blank, the user has not logged in after the product upgrade.

The Actions link offers the following options:
- Resend invitation to users--If any user has not received the email invite, you can use this link to resend invitations.
- Two-Factor Authentication (2FA)--Enables Two-factor authentication.
- Support Access--Enables you to generate a new password of a specified validity to give access to a support person from Aruba.

Adding a User in MSP Account Home

To add a user, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users and Roles page is displayed.
2. Click Add User. The New User window is displayed.
3. Configure the following parameters:
   - Username--Email ID of the user. Enter a valid email address.
   - Description--Description of the user role. You can enter up to a maximum of 32 characters including alphabets, numbers, and special characters in the text field.
   - Language--Select a language. The Aruba Central web interface is available in English, French, Spanish, German, Brazilian Portuguese, Chinese, and Japanese languages.
   - Account Home--Select a user role for the Account Home page.
   - Network Operations--Select an MSP role and Tenant role for the Network Operations application.
4. Click Save. An email invite is sent to the user with a registration link. Users can use this link to access Aruba Central.

The registration link in the email invite is valid for 15 days.

Track Progress

Click the Track Progress link to open the Operations Status page that provides the user account creation or modification status. The status can be in progress or failed. No status is displayed if the user account is successfully created.

Editing a User in MSP Account Home

To edit a user account, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users tab opens.
2. In the List of Users table, select the user and click the edit icon.
3. In the Edit User <"Username"> window, modify description, role, or allowed groups.
4. Click Save.

Deleting a User in MSP Account Home

To delete a user account:
1. In the Account Home page, under Global Settings, click Users and Roles. The Users tab opens.
2. In the List of Users table, select the user and click the delete icon.
3. Confirm user deletion in the Confirm Action dialog box.
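The role model described above (an MSP role, a tenant role and an Account Home role per user, with View Only, Modify or Block per module for custom roles) lends itself to a periodic least-privilege review. The following Python is an added example, not part of the Aruba guide or of any Aruba API: it assumes the List of Users table and the custom role definitions have been copied into the record layout shown, and the field names, finding codes and sample rows are all constructed.

```python
from dataclasses import dataclass

# Predefined role names and module names as listed in Tables 109 and 110.
PREDEFINED_ROLES = {"admin", "readwrite", "readonly", "deny-access", "guestoperator"}
# Modules where Modify lets a role change identities, SSO, or gateway admin users.
SENSITIVE_MODULES = {"Users", "Roles", "SSO", "Privileged Configuration"}


@dataclass
class User:
    """One row of the List of Users table; the field names are assumed."""
    email: str
    msp_role: str = ""
    tenant_role: str = ""
    account_home_role: str = ""
    last_active: str = ""  # blank: no login since the product upgrade


def risky_modules(permissions):
    """Sensitive modules on which a custom role holds Modify."""
    return sorted(m for m, level in permissions.items()
                  if m in SENSITIVE_MODULES and level == "Modify")


def audit(users, custom_roles):
    """Return {email: [finding codes]} for accounts that need review."""
    report = {}
    for user in users:
        findings = []
        # Tenant role admin means administrator access to all tenant accounts.
        if user.msp_role == "admin" and user.tenant_role == "admin":
            findings.append("MSP_AND_TENANT_ADMIN")
        elif user.tenant_role == "admin":
            findings.append("TENANT_ADMIN")
        # Unlike readwrite, Account Home admin is not barred from modifying
        # the Users and Roles and Single-Sign-On pages.
        if user.account_home_role == "admin":
            findings.append("ACCOUNT_HOME_ADMIN")
        for role in (user.msp_role, user.tenant_role, user.account_home_role):
            if not role or role in PREDEFINED_ROLES:
                continue
            if role not in custom_roles:
                # Role name with no definition in the export: review by hand.
                findings.append(f"UNKNOWN_ROLE:{role}")
                continue
            modules = risky_modules(custom_roles[role])
            if modules:
                findings.append(f"CUSTOM_MODIFY:{role}:{','.join(modules)}")
        # A flagged account that has never logged in is a removal candidate.
        if findings and not user.last_active:
            findings.append("NO_LOGIN_RECORDED")
        if findings:
            report[user.email] = findings
    return report


# Constructed sample data; the first two rows mirror MSP user A and MSP user B.
SAMPLE_CUSTOM_ROLES = {
    "helpdesk": {"Users": "Modify", "Roles": "View Only",
                 "Privileged Configuration": "Block"},
    "noc-view": {"Configuration": "View Only", "Firmware": "View Only"},
}
SAMPLE_USERS = [
    User("user.a@msp.example", "admin", "readonly", "readonly", "2021-06-01"),
    User("user.b@msp.example", "admin", "admin", "admin", ""),
    User("desk@msp.example", "readonly", "readonly", "helpdesk", "2021-06-03"),
    User("noc@msp.example", "noc-view", "readonly", "", "2021-06-02"),
    User("old@msp.example", "legacy-ops", "deny-access", "", ""),
]

if __name__ == "__main__":
    for email, findings in audit(SAMPLE_USERS, SAMPLE_CUSTOM_ROLES).items():
        print(email, findings)
```

Accounts that come back with NO_LOGIN_RECORDED are the ones to check first against the User Management and User Activity classifications in the Audit Trail page.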
Viewing Audit Trail Logs for Users

Audit logs are generated when a new user is created and an existing user is modified or deleted from the Aruba Central account. It also records the login and logout activities of users.

To view audit logs for Aruba Central users:
1. In the Account Home page, under Global Settings, click Audit Trail. The Audit Trail page is displayed.
2. To view audit logs for user addition, modification, or deletion, click the filter in the Classification column, and select User Management.
3. To filter audit logs about user activity, click the filter in the Classification column, and select User Activity.

Groups in the MSP Mode

MSP groups are UI groups mapped to the default UI groups in the tenant account. If a tenant account is associated to a specific group in the MSP mode, the configuration changes to the devices associated with this tenant account are pushed only to the default group in the tenant account view. However, MSP administrators can create more groups for a specific tenant by drilling down to a tenant account.

Template groups are not supported in the MSP mode. However, template groups can be defined and managed at each tenant account individually.

MSP Group Illustration

As shown in the following figure, tenant A and tenant B are mapped to MSP group 1. The default group configuration for these tenants is inherited from MSP group 1 configuration. Tenant A has two additional user-defined groups that are independent of MSP group 1 configuration. Tenant B has one additional user-defined group that is independent of MSP group 1 configuration.
Tenant C is mapped to MSP group 2 configuration. Its default group configuration is inherited from MSP group 2. It also has one additional user-defined group that is independent of MSP group 2 configuration.
Tenant D has only one default group and its configuration is inherited from MSP group 3.
Tenant E is not mapped to any MSP group.
Its default group configuration is independent of any MSP group configuration. It can have additional user-defined groups as well, if required.

Figure 119 MSP Groups

Tenant Default Group Overrides

If a tenant is mapped to an MSP group, the configuration of its default group is inherited from the MSP group it is mapped to. Once mapped, except for any newly created WLAN SSID and WLAN PSK, other configurations are overridden.

As shown in the following figure, the mentioned configuration options are allowed on a tenant default group that is mapped to an MSP group:
- Creating a new WLAN SSID.
- Overriding the WLAN PSK for a WLAN inherited from an MSP group.

Figure 120 Default Group Overrides

Creating an MSP UI Group

To manage device configuration using UI configuration containers in Aruba Central, you can create a UI group and assign devices.

To create an MSP UI group:
1. From the Network Operations app, filter All Groups.
2. Under Maintain, click Organization to display the Groups dashboard.
3. To create a new group, click New Group. The Create New Group pane is displayed.
4. Enter a name for the group.
5. Configure a password to restrict group access to authorized users only.
6. Click Add Group.

About Provisioning Tenant or Customer Accounts

After adding a device in the MSP mode, the device must be mapped to a tenant account for device management and monitoring operations.

With MSP mode enabled, the MSP administrator manages the creation and deletion of tenant accounts. After a tenant account is created, the MSP administrator can add tenant users to the account. To create a tenant user, the MSP administrator must provide a valid email address for the user. A verification email is sent to this email address. Tenant users have access to their individual tenant account only. Tenant users do not have access to other tenant accounts managed by the MSP.
The group associated to the tenant account in the MSP mode shows up as the default group for tenant account users. In the MSP mode, all configuration changes made to the group associated to the tenant account are applied to the default group on the tenant account.

Flowchart for Tenant Account Mapping in MSP

The following flowchart displays a visual representation of how you can create a tenant account and map it to an MSP group.

Figure 121 Tenant Account Mapping to an MSP Group

Creating a Tenant Account and Mapping to an MSP Group

The following are the usage guidelines for creating a tenant account:
- If the tenant account provisioning fails, the task is marked as Provision Failed in the UI and PROVISION_FAILED in the [GET] /msp/v1/customers API response. To view the task status in the UI, under Manage, click Overview to display the Dashboard page. Click the Customers tab. If the provisioning fails, you can delete the tenant account and try again.
- Tenant account users can only view reports generated for the default group. The administrators of a specific tenant account can drill down to the tenant account and generate reports for the default group.
- If cloud guest provisioning fails, cloud guest features for the tenant may get impacted. In such instances, contact Aruba Central Technical Support.

To add a tenant account, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Manage, click Overview. The Dashboard is displayed.
3. Click Add New Customer. The Add Customer page is displayed.
4. Enter the name of the tenant in the Customer Name text box. The MSP customer name can be a maximum of 70 single byte characters. All special characters, ASCII, and Unicode are allowed.
5. Enter the description of the tenant in the Description text box. The MSP customer description field can be a maximum of 32 single byte characters. All special characters, ASCII, and Unicode are allowed.
6. If you want to associate the tenant to a group, click the Add to group toggle switch.
7. From the Group drop-down list, select a group to which you want to assign the tenant.
   The group associated to the tenant account in the MSP mode shows up as the default group for tenant account users. In the MSP mode, all configuration changes made to the group associated to the tenant account are applied to the default group on the tenant account.
8. If you want to prevent the users of the tenant account from modifying SSID settings of the device group, select the Lock SSID check box.
9. Click Save.

Viewing Tenant Account Details

To view the tenant account details, perform the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Manage, click Overview to display the Dashboard page.
3. Click the Customers tab.
4. Hover over the tenant account and click expand.

The customer details window displays the following sections. Click the X mark on the top right-corner of the screen to exit the window and return to the dashboard.

Summary
- Customer ID--Displays the subscription renewal schedule for the next 12 months. The graph plots the total count of subscriptions that are due for renewal for each month.
- Customer Created--Displays the count of devices that are managed in the network over a period of time.
- MSP Group--Displays the total number of tenants added to Aruba Central over a period of time.
- Description--Description of the tenant account.
- Customer Name--Name of the tenant account.

Devices

This section is a graphical representation of the devices assigned to the selected tenant account, as well as the licensed and unlicensed count for each device type.
- The section consists of three doughnut charts, each chart representing one of the following types of devices, APs, switches, and gateways.
- The number in the center of the chart indicates the total number of devices, both licensed and unlicensed, of a specific type allocated to the tenant account.
- The two colors on the ring of the doughnut indicate the number of licensed and unlicensed devices of a specific type allocated to the tenant account. You can hover over one segment of the doughnut to see the numbers corresponding to the selected segment.
- You can also deselect and reselect the Licensed and Unlicensed options for each chart.

For example, in the following image, the tenant account has three APs, one switch, and one gateway. Out of this, only one AP is unlicensed.

Figure 122 Devices Section of the Expand Tenant Account Page

Licenses

This section is a graphical representation of the device subscriptions assigned to the devices for the selected tenant account. The section also shows the number of Foundation and Advanced licenses for each type of device.
- The section consists of three doughnut charts, each chart representing one of the following types of devices, APs, switches, and gateways.
- The number in the center of the chart indicates the total number of licensed devices of a specific type allocated to the tenant account.
- The two colors on the ring of the doughnut indicate the number of Advanced and Foundation licenses assigned to a device of a specific type allocated to the tenant account. You can hover over one segment of the doughnut to see the numbers corresponding to the selected segment.
- You can also deselect and reselect the Advanced and Foundation options for each chart.

For example, in the following image, the tenant account has two APs, one switch, and one gateway, each assigned with a Foundation license.

Figure 123 Licenses Section of the Expand Tenant Account Page

Editing a Tenant Account

When editing the group associated with the MSP customer or tenant, the default group configuration of the tenant account is also impacted.
To edit a tenant account, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Manage, click Overview. The Dashboard is displayed.
3. Hover over the tenant account that you want to edit and click edit.
4. Modify the account details. If you want to associate the tenant account to a different group, turn on the Add to group toggle switch and select a group.
5. Click Save.

Deleting a Tenant Account

To delete a tenant account, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Manage, click Overview. The Dashboard is displayed.
3. Hover over the tenant account that you want to delete and click delete.
4. Click Yes to confirm the action.

If the tenant account deletion fails, the provisioning status is marked as Delete Failed in the UI and DELETE_FAILED in the [GET] /msp/v1/customers/{customer_id} API response. To view the task status in the UI, under Manage, click Overview to display the Dashboard page. Click the Customers tab.

Assigning Devices to Tenant Accounts

Before assigning devices to tenant accounts, ensure that you have completed the following: onboarded devices, assigned subscriptions, and provisioned tenant accounts.

To assign devices to tenant accounts, complete the following steps:
1. In the Account Home page, under Global Settings, click Device Inventory. A list of devices provisioned in the MSP mode is displayed.
2. Select one or several devices from the table. To select multiple devices, press and hold the Ctrl key and select the devices. The Assign Customer button is displayed under the table.
3. Click Assign Customer. A window showing a list of tenant accounts provisioned in the MSP mode is displayed.
4. Select the tenant account to which you want to assign the device. The groups associated with the tenant accounts are displayed.
5. Click Assign Device (s).
6. Click Yes when prompted for confirmation.
MSP Dashboard

The MSP dashboard provides a summary of hardware and subscriptions owned by the MSP and details about the tenant accounts managed by the MSP. The hardware includes APs, switches, and gateways.

Viewing the MSP Dashboard

To view the MSP dashboard, perform the following steps:
1. In the Network Operations app, set the filter to All Groups. The filter context changes to Global.
2. Under Manage, click Overview to display the Dashboard.

The number in parentheses () for Customers indicates the total number of customers for that MSP account. In the following image, the total number of customers is 54.

The Dashboard page includes the following sections:
- A summary section for the dashboard--Displays the assigned and unassigned devices and the assigned and unassigned licenses for APs, switches, and gateways.
- Overview--Displays the list of customers, the types of devices assigned to each customer, as well as critical alerts, if any.
- Trends--Displays charts for license renewal, the number of devices under MSP management, and the number of customers added over the last year.
- Add New Customer--Enables you to add a new tenant to the MSP account. Perform the steps detailed in About Provisioning Tenant or Customer Accounts.

Figure 124 Viewing the MSP Dashboard

Dashboard Summary

The summary section for Dashboard displays the total number of assigned and unassigned devices, and the total number of assigned and unassigned licenses for three categories of hardware devices that include APs, switches, and gateways.

In MSP mode, you must first assign a device to a tenant account before assigning a license to the device.

The summary section includes the following details:
- Access Points
  - Devices--Number of available APs. Click the number to navigate to Account Home > Device Inventory to see the details of the APs in the MSP inventory.
    - Unassigned--Number of APs that are not assigned to any tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the unassigned APs in the MSP inventory.
    - Assigned--Number of APs that are already assigned to a tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the assigned APs in the MSP inventory.
  - Licenses--Number of available licenses for APs. Click the number to navigate to Account Home > License Assignment > Access Points to see the details of all the licenses for APs in the MSP inventory.
    - Unassigned--Number of AP licenses that are not assigned to any AP. Click the number to navigate to Account Home > License Assignment > Access Points > Unlicensed to see the details of all the unassigned licenses for APs in the MSP inventory.
    - Assigned--Number of AP licenses that are already assigned to APs. Click the number to navigate to Account Home > License Assignment > Access Points > Licensed to see the details of all the assigned licenses for APs in the MSP inventory.
- Switches
  - Devices--Number of available switches. Click the number to navigate to Account Home > Device Inventory to see the details of the switches in the MSP inventory.
    - Unassigned--Number of switches that are not assigned to any tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of the switches in the MSP inventory.
    - Assigned--Number of switches that are already assigned to a tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the assigned switches in the MSP inventory.
  - Licenses--Number of available licenses for switches. Click the number to navigate to Account Home > License Assignment > Switches to see the details of all the licenses for switches in the MSP inventory.
    - Unassigned--Number of switch licenses that are not assigned to any switches. Click the number to navigate to Account Home > License Assignment > Switches > Unlicensed to see the details of all the unassigned licenses for switches in the MSP inventory.
    - Assigned--Number of switch licenses that are already assigned to switches. Click the number to navigate to Account Home > License Assignment > Switches > Licensed to see the details of all the assigned licenses for switches in the MSP inventory.
- Gateways
  - Devices--Number of available gateways. Click the number to navigate to Account Home > Device Inventory to see the details of the gateways in the MSP inventory.
    - Unassigned--Number of gateways that are not assigned to any tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the unassigned gateways in the MSP inventory.
    - Assigned--Number of gateways that are already assigned to a tenant account. Click the number to navigate to Account Home > Device Inventory to see the details of only the assigned gateways in the MSP inventory.
  - Licenses--Number of available licenses for gateways. Click the number to navigate to Account Home > License Assignment > Gateways to see the details of all the licenses for gateways in the MSP inventory.
    - Unassigned--Number of gateway licenses that are not assigned to any gateways. Click the number to navigate to Account Home > License Assignment > Gateways > Unlicensed to see the details of all the unassigned licenses for gateways in the MSP inventory.
    - Assigned--Number of gateway licenses that are already assigned to gateways. Click the number to navigate to Account Home > License Assignment > Gateways > Licensed to see the details of all the assigned licenses for gateways in the MSP inventory.

Customer | Overview

By default, the Customers | Overview table is displayed. The table provides an overview of tenant accounts.
MSP administrators can perform tasks such as drilling down to a tenant account, editing an existing tenant account, and deleting a tenant account.
- Customer Name
  Name of the tenant account. Click the customer name to go to the tenant account view for the customer. Hover over the tenant account name to view the following options:
  - expand--Opens a new pop-up window showing the tenant account details. For more information, see Viewing Tenant Account Details.
  - edit--Opens the Edit Customer pop-up window. For more information, see Editing a Tenant Account.
  - delete--Opens the confirmation dialog box. For more information, see Deleting a Tenant Account.
  Hover over the icon next to the tenant account name to view the provisioning status. The status can be one of the following:
  - In Progress
  - Provision Failed
  Use the filter icon on the column header to filter by tenant account name.
- Customer ID
  Unique ID of the tenant account. The ID can be in one of the following formats:
  - Numerical format
  - UUID format
  Use the column filter to search for a particular customer ID. Note that you must enter the full customer ID.
  The Customer ID column is not displayed in the default view. Use the column selector and select the Customer ID check box to add the column to the table.
  Figure 125 Selecting the Customer ID for Display
- Access Points
  - Up--Total number of online APs. Click the number to view the list of online APs.
  - Down--Total number of offline APs. Click the number to view the list of offline APs.
  Click the sort icon to sort the column in ascending or descending order.
  Sometimes, the total number of APs that are displayed as Down for a tenant account in MSP view may not equal the total number of corresponding APs displayed as Offline under Manage > Access Points in the tenant account view. This discrepancy is corrected by an automatic and periodic sync between the MSP database and tenant view database.
  The periodic sync happens every 12 hours. The number in parentheses () indicates the number of devices that are not onboarded.
- Switches
  - Up--Total number of online switches. Click the number to view the list of online switches.
  - Down--Total number of offline switches. Click the number to view the list of offline switches.
  Click the sort icon to sort the column in ascending or descending order.
  Sometimes, the total number of switches that are displayed as Down for a tenant account in MSP view may not equal the total number of corresponding switches displayed as Offline under Manage > Switches in the tenant account view. This discrepancy is corrected by an automatic and periodic sync between the MSP database and tenant view database. The periodic sync happens every 12 hours. The number in parentheses () indicates the number of devices that are not onboarded.
  The number of switches displayed in the MSP dashboard corresponds to the total number of switches available for the tenant. However, in the tenant view, a switch stack is considered as a single entity. For example, if there are two switch stacks for a tenant account, and each stack has two members, the MSP dashboard displays the count as four whereas the tenant account displays the count as two.
- Gateways
  - Up--Total number of online gateways. Click the number to view the list of online gateways.
  - Down--Total number of offline gateways. Click the number to view the list of offline gateways.
  Click the sort icon to sort the column in ascending or descending order.
  Sometimes, the total number of gateways that are displayed as Down for a tenant account in MSP view may not equal the total number of corresponding gateways displayed as Offline under Manage > Gateways in the tenant account view. This discrepancy is corrected by an automatic and periodic sync between the MSP database and tenant view database. The periodic sync happens every 12 hours.
  The number in parentheses () indicates the number of devices that are not onboarded.
- Critical Alerts
  Total number of critical alerts for the tenant account. Click the number to navigate to the Alerts page of the tenant account. For more information, see MSP Alerts.

Customers | Trends
Go to Customers | Trends to view the following sections:
- License Renewal Schedule (1 Year)--Displays the subscription renewal schedule for the next 12 months. The entries include the license renewal date and the total count of subscriptions of each type that are due for renewal on that date.
- Device Under Management graph--Displays the count of devices that are managed in the network over the last 12 months. The dates are plotted on the x-axis and the number of devices on the y-axis. Hover over any part of the chart to see the number of devices the MSP is managing on that specific date.
- Customers graph--Displays the total number of tenants added to Aruba Central over the last 12 months. The dates are plotted on the x-axis and the number of tenants on the y-axis. Hover over any part of the chart to see the number of tenants the MSP added on that specific date. Click Total to view the total number of tenant accounts.

Using the Switch Customer Option
If you are an MSP administrator and if your user ID has been added to multiple tenant accounts, after you log in to Aruba Central, you must select the tenant account that you want to access.
Figure 126 Select Account
To select a different tenant account, click the User icon, select Switch Customer, and then select the tenant account that you want to access.
Figure 127 Switch Customer

MSP Certificates
You can view and add certificates in MSP.

Viewing Certificates in MSP Mode
1. In the Network Operations app, use the filter to select All Groups. The global dashboard is displayed for the MSP mode.
2. Under Maintain, click Organization.
3. Click the Certificates tab.
4.
The Certificate Store displays the following information:

Table 111: Certificate Store Parameters
Date Pane Item | Description
Certificate Name | Name of the certificate.
Status | Status of the certificate as either Active or Expired.
Expiry Date | Date of expiry for the certificate.
Type | Type of certificate. For example, a server certificate.
MD5 Checksum | The Message Digest 5 (MD5) algorithm is a widely used hash function producing a 128-bit hash value from the data input. Checksum value of the certificate.
SHA-1 Checksum | The Secure Hash Algorithm 1 (SHA-1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value. Checksum value of the certificate.

Uploading Certificates in the MSP Mode
MSP administrators can upload certificates to the Aruba Central certificate store. They can also map the certificate usage for server and user authentication for the groups associated with a tenant account.
To upload certificates to the certificate store:
1. In the Network Operations app, use the filter to select All Groups. The global dashboard is displayed.
2. Under Maintain, click Organization.
3. Click the Certificates tab.
4. To add a new certificate to the Certificate Store, click the + sign. The Add Certificate dialog box is displayed.
5. Enter the certificate name in the Name text box.
6. Select the certificate type from the Type list.
7. Select the certificate format from the Format drop-down. The supported certificate formats are PEM, DER, and PKCS12.
8. For server certificates, enter and then retype the passphrase.
9. Click Choose File to browse to your local directory and select the certificate to upload.
10. Click Add.

Aruba Central allows percolation of certificates that are mapped to the MSP group, to the tenant account.
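The MD5 and SHA-1 checksums listed in the Certificate Store can be compared with values computed locally from the file you uploaded, which confirms that the stored entry is the certificate you intended. The following Python code is an added example, not Aruba code: it assumes the displayed checksums are taken over each certificate's DER encoding (the guide does not say), and the sample input is constructed placeholder bytes rather than a real certificate.

```python
import base64
import hashlib
import re

# Matches CERTIFICATE blocks only, so a private key sharing the PEM file is
# never decoded or hashed.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed placeholder bytes standing in for a DER certificate. They are
# not a parsable certificate; only their hashes matter for this example.
SAMPLE_DER = b"\x30\x2e" + bytes(range(46))
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)


def load_der_certs(data: bytes, fmt: str) -> list:
    """Return the DER bytes of each certificate in a PEM or DER upload file."""
    fmt = fmt.upper()
    if fmt == "PEM":
        blocks = PEM_CERT.findall(data.decode("ascii", errors="replace"))
        if not blocks:
            raise ValueError("no CERTIFICATE block found in PEM data")
        return [base64.b64decode("".join(b.split()), validate=True) for b in blocks]
    if fmt == "DER":
        if data[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
            raise ValueError("data does not start with an ASN.1 SEQUENCE")
        return [data]
    if fmt == "PKCS12":
        # The container is passphrase-protected and the standard library cannot
        # open it; export the certificate to PEM or DER before hashing.
        raise ValueError("export the certificate from the PKCS12 file first")
    raise ValueError(f"unsupported format: {fmt}")


def fingerprints(data: bytes, fmt: str) -> list:
    """Compute lower-case hex digests for every certificate in the file."""
    results = []
    for der in load_der_certs(data, fmt):
        results.append({
            "md5": hashlib.md5(der).hexdigest(),
            "sha1": hashlib.sha1(der).hexdigest(),
            # MD5 and SHA-1 are not collision resistant; SHA-256 is recorded
            # here for your own change records, not because the store shows it.
            "sha256": hashlib.sha256(der).hexdigest(),
        })
    return results


def normalize(value: str) -> str:
    """Lower-case a displayed checksum and drop separators such as ':'."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def matches_store(data: bytes, fmt: str, shown_md5: str, shown_sha1: str) -> bool:
    """True if any certificate in the file matches both displayed checksums."""
    want_md5, want_sha1 = normalize(shown_md5), normalize(shown_sha1)
    return any(
        fp["md5"] == want_md5 and fp["sha1"] == want_sha1
        for fp in fingerprints(data, fmt)
    )


if __name__ == "__main__":
    for fp in fingerprints(SAMPLE_PEM, "PEM"):
        print(fp)
```

Requiring both values to match, and keeping the SHA-256 value in the change ticket, gives a stronger record than either legacy checksum alone.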
When a certificate is removed from the Device > Access Points > WLANs > Show Advanced > Security > Certificate Usage section in the group dashboard in MSP, the respective certificate is also removed from the tenant's Certificates Store, if the certificate is mapped to the tenant's default group and is no longer used by the tenant. If the certificate is used by any of the tenant's non-default groups, the certificate is retained in the tenant's certificate store, even if the certificate is removed from the MSP.
The Device > Access Points > WLANs > Show Advanced > Security > Certificate Usage menu is displayed only when you select a group from the filter.

Navigating to the Tenant Account
MSP users with administrative privileges to tenant accounts can drill down to tenant accounts. To drill down to a specific tenant account:
1. In the Network Operations app, set the filter to All Groups.
2. Under Manage, click Overview to display the Dashboard. The Dashboard page includes the following sections:
   - Dashboard summary bar
   - Overview and trends for customers
3. In the Customers | Overview table, click the tenant account name and click Expand. The tenant account details window is displayed. Close the window.
4. To go to the tenant account, click on the tenant account name. The tenant account is displayed in Standard Enterprise Mode.
To return to the MSP view, click Return to MSP View. Aruba recommends that you not use the Back button of the web browser to go back to the MSP view.

Points to Note:
- The group attached to a tenant account in the MSP mode shows up as a default group for the users of the tenant account.
- Configuration changes to the group attached to a tenant account in the MSP mode are applied to the default group in the interface displayed for the tenant accounts.
- The administrators can add users to a tenant account using the Users & Roles menu in the Global Settings app.
- Tenant account administrators can allow or prevent user access to specific groups by configuring custom roles.

MSP Alerts
Aruba Central MSP mode enables administrators to trigger alerts when tenant provisioning, network, device, or user management events occur.
An MSP administrator can configure alerts at the MSP level which percolate down to all tenant accounts managed by the MSP. For example, if the MSP administrator has configured an alert to be triggered when an AP is disconnected, the MSP is notified when an AP is disconnected in any of the tenant networks managed by the MSP. This allows for faster reactive support and makes monitoring and troubleshooting easy across multiple tenant accounts.
The MSP administrator can configure additional alerts at the tenant account level. At the tenant account level, alerts can be configured based on groups, labels, sites, or devices.
Tenant account administrators can also configure additional alerts for their account. In this case, the alert is triggered only for the corresponding tenant account. The MSP administrator can edit an alert configured by the tenant account administrator. However, the tenant account administrator cannot edit an alert created by the MSP administrator.
MSP level and tenant level alert configurations are managed separately. For example, if an alert is configured and enabled at both the MSP level and tenant level, two separate notifications are triggered for the event.
Figure 128 MSP Alerts
This section includes the following topics:
- Viewing MSP Alerts Dashboard
- MSP Alerts in List View
- MSP Alerts in Summary View
- MSP Alerts in Config View

Viewing MSP Alerts Dashboard
1. In the Network Operations app, filter All Groups.
2. Under Analyze, click Alerts to display the Alerts dashboard. The Alerts dashboard enables you to configure, view, and acknowledge alerts.
   The dashboard has three views:
   - Alerts in List View
   - Alerts in Summary View
   - Alerts in Config View
3. The Search bar allows you to search for alerts by tenant account. Enter the name of the tenant account and select the tenant account from the list.
4. To view the list of alerts, click the List icon.
   a. The list view displays the number of alerts in the following categories:
      - Critical
      - Major
      - Minor
      - Warning
   b. Click Acknowledge All to acknowledge all the alerts at once.
   c. Enable the Show Acknowledged Alerts button to display the list of acknowledged alerts.
   d. Clicking the icon enables you to customize the Alerts table columns or set it to the default view.
5. To view detailed graphs about the alerts, click the Summary icon. Select each tab, All, Access Points, Switches, or Gateways to view the graphs pertaining to each device type.
6. To configure alerts, click the Config icon. For more information, see xxx.

MSP Alerts in List View
The MSP Alerts page in list view displays a list of alerts for all customers associated with the MSP account. Use the Search Customer Name field to filter alerts by customer name.
The Alerts summary bar displays a list of all the alerts categorized by severity level. You can click on any of the categories to display the list of alerts for that category.
Figure 129 MSP Alerts in List View
All the alerts are displayed in a tabular format with the following information:

Table 112: Viewing the MSP Alerts in List View
Data Pane Content | Description
Occurred On | Timestamp of the alert. Use the sort option to sort the alerts by date and time.
Category | Displays the category of the alert. Use the filter option to filter the alert by category.
Label | Displays the label name of the alert.
Site | Displays the site name of the alert.
Customer | Displays the customer name of the alert.
Group | Displays the group name of the alert.
Severity | Displays the severity level of the alert. The severity can be Critical, Major, Minor, or Warning.
Description | Displays a description of the alert. Use the search option in filter bar to filter the alert based on description.

MSP Alerts in Summary View
The Summary view lists all the alerts in charts. The available charts are:
- Alerts by Type--This horizontal bar chart plots the number of alerts versus the category of alerts. You can hover over a bar to get the exact data for the number of alerts for that category. Clicking on a bar redirects you to the list view for that category of alerts. An example is displayed in the next image.
- Alerts by Severity--This vertical bar chart plots the number of alerts versus the severity of alerts. You can hover over a bar to get the exact data for the number of alerts for that severity. Clicking on a bar redirects you to the list view for that severity of alerts.
Figure 130 Alerts by Type Chart in MSP Alerts Summary View
Select each tab, All, Access Points, Switches, or Gateways to view the graphs pertaining to each device type.

MSP Alerts in Config View
The Alerts page in Config view enables you to configure alerts. You can configure alerts at the MSP level and the tenant account level.

Configuring Alerts at the MSP Level
To configure alerts at the MSP level, complete the following steps:
1. In the Network Operations app, filter All Groups.
2. Under Analyze, click Alerts to display the Alerts dashboard.
3. Click the Config icon.
   At the MSP level, you cannot configure alerts based on groups, labels, sites, or devices.
4. Use the tabs to navigate between the alert categories. Select an alert and click + to enable the alert with default settings. To configure alert parameters, click on the alert tile (anywhere within the rectangular box) and do the following:
   a. Severity--Set the severity. The available options are Critical, Major, Minor, and Warning.
      By default, the following alerts are enabled and the severity is Major:
      - Virtual Controller Disconnected
      - Rogue AP Detected
      - New User Account Added
      - Switch Detected
      - Switch Disconnected
   b. Notification Options--See Alert Notification Delivery Options.
      - Click Save.
      - Add Rule--(Optional) For a few alerts, the Add Rule option appears. For such alerts, you can add additional rule(s).

Configuring Alerts at the Tenant Account Level
To configure alerts at the tenant account level, complete the following steps:
1. Navigate to the tenant account. See Navigating to the Tenant Account.
2. In the Network Operations app, set the filter to a group or a device.
3. To configure alerts, click the settings icon under Analyze > Alerts & Events. By default, the Alerts & Events > User category is displayed.
4. Use the tabs to navigate between the alert categories. Select an alert and click + to enable the alert with default settings. To configure alert parameters, click on the alert tile (anywhere within the rectangular box) and do the following:
   a. Severity--Set the severity. The available options are Critical, Major, Minor, and Warning. By default, the following alerts are enabled and the severity is Major:
      - Virtual Controller Disconnected
      - Rogue AP Detected
      - New User Account Added
      - Switch Detected
      - Switch Disconnected
      For a few alerts, you can configure a threshold value for one or more alert severities. To set the threshold value, select the alert and in the exceeds text box, enter the value. The alert is triggered when one of the threshold values exceeds the duration.
   b. Duration--Enter the duration in minutes.
   c. Device Filter Options--(Optional) You can restrict the scope of an alert by setting one or more of the following parameters:
      - Group--Select a group to limit the alert to a specific group.
      - Label--Select a label to limit the alert to a specific label.
      - Device--Select a device to limit the alert to a specific device.
      - Sites--Select a site to limit the alert to a specific site.
   d. Notification Options
      - Email--Select the Email check box and enter an email address to receive notifications when an alert is generated. You can enter multiple email addresses; separate each value with a comma.
      - Webhook--Select the Webhook check box and select the Webhook from the drop-down list.
   e. Click Save.
   f. Add Rule--(Optional) For a few alerts, the Add Rule option appears. For such alerts, you can add additional rule(s). The rule summaries appear at the top of the page.

Viewing Enabled Alerts
To view alerts enabled at the MSP level or tenant account level, do the following:
1. In the Network Operations app, filter All Groups.
2. Under Analyze, click Alerts to display the Alerts dashboard.
3. On the Alerts page, click Enabled. The Enabled tab lists the alerts that you have enabled. Click the tabs to see enabled alerts for each category.

Alert Notification Delivery Options
When you configure an alert, you can select how you want to be notified when an alert is generated. Aruba Central supports the following notification types:
- Email--Select the Email check box and enter an email address to receive notifications when an alert is generated. You can enter multiple email addresses; separate each value with a comma.
- Webhook--Select the Webhook check box and select the desired Webhooks from the drop-down list. Before you select this option, you must create Webhooks. For more information about creating and modifying Webhooks, see the Aruba Central Online documentation.

MSP Audit Trails
The Audit Trail page shows the logs for all the device management, configuration, and user management events triggered in Aruba Central.
You can search or filter the audit trail records based on any of the following columns:
- Occurred on (Custom Range)
- Username
- IP Address
- Category
- Description
- Target
- Source

Viewing the Audit Trail Page
To view the audit trail log details in Aruba Central MSP mode:
1. From the Network Operations app, set the filter to All Groups.
2. Under Analyze, click Audit Trail.
3. Adjust the time filter to get the display for the required time range.
The Audit Trail logs are displayed for the following types of operations in the MSP:
- Addition, modification, and deletion of tenant accounts
- Addition, modification and deletion of users associated with a tenant account
- Subscription assignment to devices
- Modification of groups associated with a tenant account
- Configuration push, override, and updates for the devices associated with a tenant account
- Addition, modification, and deletion of MSP admin users
- License reconciliation
The Audit Trail page in the MSP mode displays the following information:

Table 113: Audit Trail Pane in the MSP Mode
Parameter | Description
Occurred On | Time stamp of the events for which the audit trails are shown. Use the filter option to select a specific time range to display the events.
Username | The username of the admin user who applied the changes.
IP Address | IP address of the client device.
Category | Type of modification and the affected device management category. See Classification of Audit Trails.
Target | The group, device, or tenant account to which the changes were applied.
Source | The tenant account in which the changes occurred.
Description | A short description of the changes such as subscription assignment, firmware upgrade, and configuration updates. Click to view the complete details of the event. For example, if an event was not successful, clicking the ellipsis displays the reason for the failure.
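The audit trail columns above lend themselves to a scripted review. The following Python code is an added example and not part of the Aruba guide: it takes rows keyed by the Table 113 column names and flags identity- and access-related categories performed from an IP address outside the networks MSP administrators normally use, plus any username seen from more than one address. The row layout, timestamps, usernames, addresses, the choice of sensitive categories, and the `ADMIN_NETS` allowlist are constructed assumptions; this page does not describe an export format.

```python
import ipaddress
from collections import defaultdict

# Categories from the guide's audit classification list that this example
# treats as identity- or access-sensitive. The selection is an assumption.
SENSITIVE_CATEGORIES = {
    "User Management", "RBAC", "SAML Profile", "API Gateway", "Alert Configuration",
}

# Hypothetical allowlist of networks MSP administrators normally work from
# (RFC 5737 documentation range).
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample rows keyed by the Table 113 column names.
ROWS = [
    {"Occurred On": "2021-06-01T09:12:00", "Username": "alice@msp.example",
     "IP Address": "192.0.2.10", "Category": "User Management",
     "Target": "tenant-a", "Source": "Tenant A", "Description": "User added"},
    {"Occurred On": "2021-06-01T23:47:00", "Username": "alice@msp.example",
     "IP Address": "198.51.100.7", "Category": "RBAC",
     "Target": "tenant-a", "Source": "Tenant A", "Description": "Role modified"},
    {"Occurred On": "2021-06-02T10:05:00", "Username": "bob@msp.example",
     "IP Address": "192.0.2.11", "Category": "Firmware Management",
     "Target": "group-1", "Source": "Tenant B", "Description": "Firmware upgrade"},
    {"Occurred On": "2021-06-02T11:30:00", "Username": "carol@tenant-b.example",
     "IP Address": "203.0.113.5", "Category": "Configuration",
     "Target": "group-1", "Source": "Tenant B", "Description": "Configuration update"},
    {"Occurred On": "2021-06-02T12:00:00", "Username": "bob@msp.example",
     "IP Address": "192.0.2.11", "Category": "Alert Configuration",
     "Target": "tenant-b", "Source": "Tenant B", "Description": "Alert modified"},
]


def from_admin_net(ip_text):
    """True if the address parses and falls inside one of ADMIN_NETS."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # an unparseable source is treated as unknown
    return any(addr.version == net.version and addr in net for net in ADMIN_NETS)


def triage(rows):
    """Return (row index, reasons) for every row that deserves a second look."""
    ips_by_user = defaultdict(set)
    for row in rows:
        ips_by_user[row["Username"].lower()].add(row["IP Address"].strip())

    findings = []
    for index, row in enumerate(rows):
        reasons = []
        if (row["Category"] in SENSITIVE_CATEGORIES
                and not from_admin_net(row["IP Address"])):
            reasons.append("sensitive category from IP outside ADMIN_NETS")
        seen = ips_by_user[row["Username"].lower()]
        if len(seen) > 1:
            reasons.append(f"user seen from {len(seen)} IP addresses")
        if reasons:
            findings.append((index, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in triage(ROWS):
        row = ROWS[index]
        print(row["Occurred On"], row["Username"], row["Category"], "->", "; ".join(reasons))
```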
Classification of Audit Trails
The audit trail is classified according to the type of modification and the affected device management category. The category can be one of the following:
- Configuration
- Firmware Management
- Reboot
- Device Management
- Templates
- User Management
- Variables
- Label Management
- MSP
- Guest
- Groups
- Subscription Management
- API Gateway
- RBAC
- Sites Management
- SAML Profile
- User Activity
- Federated User Activity
- Alert Configuration
- Install Manager
- Tools

MSP Reports
The MSP Reports page enables you to create reports. You can configure these reports to run on demand or periodically. You must have read and write privileges or you must be an Admin user to create reports. The Reports page is only applicable to the global MSP dashboard.
MSP reports are generated at the end of day, so the current day data is not available in the report.
MSP reporting data is supported from version 2.5.0 onwards; the data is available only after an upgrade to version 2.5.0 or later. Data prior to the 2.5.0 upgrade is not available in the report.

Viewing the MSP Reports Page
To navigate to the Reports page, complete the following procedure:
1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports dashboard is displayed.
The Reports dashboard has the following sections:
- Browse--Explore, email, download, or delete generated reports. Displays the number of generated reports. Click Browse to display the Reports page in List view.
- Manage--Edit or delete scheduled reports. Displays the number of scheduled reports. Click Manage to display the Reports page in Config view. In the Config view, click + to generate a new report.
- Create--Creates a report that can be run instantly or periodically. Displays the number of report categories and the number of report types.
  Click Create to generate a new report.
Currently, only Device and Subscription Inventory reports are supported in MSP.

Types of Reports
To access the Reports dashboard, set the filter to All Groups in the Network Operations app. Under Analyze, click Reports.
Reports that are already run are listed under Browse > Generated Reports. If any report is yet to run, that report is available under Browse > Scheduled Reports.
The following table explains the parameters available in the Device and Subscription Inventory report.

Table 114: Device and Subscription Inventory Report Description
Parameter | Description
Access Points Inventory | The Access Points Inventory page lists the following options both in table and graph form:
  - Opening Stock--Total number of unassigned APs in the beginning of the time period.
  - Purchased--Number of APs purchased during the time period.
  - Returned--Number of APs returned by the tenants to the customer during the time period.
  - Assigned--Number of APs assigned to the tenants during the time period.
  - Closing Stock--Total of (Opening + Purchased + Returned - Assigned)
Switch Inventory | The Switch Inventory page lists the following options both in table and graph form:
  - Opening Stock--Total number of unassigned switches in the beginning of the time period.
  - Purchased--Number of switches purchased during the time period.
  - Returned--Number of switches returned by the tenants to the customer during the time period.
  - Assigned--Number of switches assigned to the tenants during the time period.
  - Closing Stock--Total of (Opening + Purchased + Returned - Assigned)
Gateway Inventory | The Gateway Inventory page lists the following options both in table and graph form:
  - Opening Stock--Total number of unassigned gateways in the beginning of the time period.
  - Purchased--Number of gateways purchased during the time period.
  - Returned--Number of gateways returned by the tenants to the customer during the time period.
  - Assigned--Number of gateways assigned to the tenants during the time period.
  - Closing Stock--Total of (Opening + Purchased + Returned - Assigned)
Device Management License | The Device Management License page lists the following options both in table and graph form:
  - Opening Stock--Total number of all licenses available in the beginning of the time period.
  - Purchased--Number of licenses purchased during the time period.
  - Returned--Number of licenses returned by the tenants to the customer during the time period.
  - Assigned--Number of licenses assigned to the tenants during the time period.
  - Expired--Number of licenses that expired during the time period.
  - Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)
Gateway Foundation License | The Gateway Foundation License page lists the following options both in table and graph form:
  - Opening Stock--Total number of licenses in the beginning of the time period.
  - Purchased--Number of licenses purchased during the time period.
  - Returned--Number of licenses returned by the tenants to the customer during the time period.
  - Assigned--Number of licenses assigned to the tenants during the time period.
  - Expired--Number of licenses that expired during the time period.
  - Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)
Gateway Advanced License | The Gateway Advanced License page lists the following options both in table and graph form:
  - Opening Stock--Total number of licenses in the beginning of the time period.
  - Purchased--Number of licenses purchased during the time period.
  - Returned--Number of licenses returned by the tenants to the customer during the time period.
  - Assigned--Number of licenses assigned to the tenants during the time period.
  - Expired--Number of licenses that expired during the time period.
  - Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)
Gateway Base License | The Gateway Base License page lists the following options both in table and graph form:
  - Opening--Total number of licenses in the beginning of the time period.
  - Purchased--Number of licenses purchased during the time period.
  - Returned--Number of licenses returned by the tenants to the customer during the time period.
  - Assigned--Number of licenses assigned to the tenants during the time period.
  - Expired--Number of licenses that expired during the time period.
  - Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)
Access Points Foundation License | The Access Points Foundation License page lists the following options both in table and graph form:
  - Opening Stock--Total number of licenses in the beginning of the time period.
  - Purchased--Number of licenses purchased during the time period.
  - Returned--Number of licenses returned by the tenants to the customer during the time period.
  - Assigned--Number of licenses assigned to the tenants during the time period.
  - Expired--Number of licenses that expired during the time period.
  - Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)
Access Points Advanced License | The Access Points Advanced License page lists the following options both in table and graph form:
  - Opening Stock--Total number of licenses in the beginning of the time period.
  - Purchased--Number of licenses purchased during the time period.
  - Returned--Number of licenses returned by the tenants to the customer during the time period.
  - Assigned--Number of licenses assigned to the tenants during the time period.
  - Expired--Number of licenses that expired during the time period.
  - Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)
Switch Foundation License | The Switch Foundation License page lists the following options both in table and graph form:
  - Opening Stock--Total number of licenses in the beginning of the time period.
  - Purchased--Number of licenses purchased during the time period.
  - Returned--Number of licenses returned by the tenants to the customer during the time period.
  - Assigned--Number of licenses assigned to the tenants during the time period.
  - Expired--Number of licenses that expired during the time period.
  - Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)
Switch Advanced License | The Switch Advanced License page lists the following options both in table and graph form:
  - Opening Stock--Total number of licenses in the beginning of the time period.
  - Purchased--Number of licenses purchased during the time period.
  - Returned--Number of licenses returned by the tenants to the customer during the time period.
  - Assigned--Number of licenses assigned to the tenants during the time period.
  - Expired--Number of licenses that expired during the time period.
  - Closing Stock--Total of (Opening + Purchased + Returned - Assigned - Expired)

The following table explains the parameters available in Generated Reports.

Table 115: Generated Reports Description
Parameter | Description
Title | Name of the report.
Date Run | Time when the report was last run. For Scheduled Reports, this is replaced by Next Run which indicates the time when the report will run in the future.
Scope | List of devices or subscription for which the report was run.
Report Type | Type of report. Currently, the only supported value is MSP Inventory.
Created by | Email address of the user who created the report.

The following table explains the parameters available in Scheduled Reports.

Table 116: Scheduled Reports Description
Parameter | Description
Title | Name of the report.
Next Run | Time when the report will run in the future.
Status | Status of the report, whether scheduled, failed, running, rerun, or waiting.
Scope | List of devices or subscription for which the report was run.
Report Type | Type of report. Currently, the only supported value is MSP Inventory.
Recurrence | Time period of the scheduled report.
Created by | Email address of the user who created the report.

Creating a Report
The MSP Reports page in Summary view enables you to browse, manage, and create reports. To create a report, perform the following steps:
1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports page is displayed.
3. In the Reports page, click the Summary icon. Click the Create tile. Alternatively, click the Config view and then click the + sign in the Scheduled Reports page. The Infrastructure page is displayed.
4. Under Infrastructure, click Device and Subscription Inventory and then click Next.
5. Under Scope, select All or a combination of the other choices and then click Next:
   - All--Generates a report for all access points, gateways, switches, and subscriptions.
   - Access Points--Generates a report only for access points.
   - Gateways--Generates a report only for gateways.
   - Switches--Generates a report only for switches.
   - Subscriptions--Generates a report only for subscriptions.
6. Under Report period, select one of the following options and then click Next:
   - Last Month
   - Last 3 Months
   - Last 6 Months
   - Custom Range
7. Select one of the recurrent options:
   - One Time (now)
   - One Time (later)
   - Every day
   - Every week
   - Every month
8. For Report Information, enter the title of the report and an email address where the report will be delivered.
9. Select the format as either PDF or CSV.
10. Click Generate.
11. If you select One Time as an option in step 6, the report is available in the Generated view as Generated Reports.
If the report is yet to run, the report is available under Scheduled Reports.

Editing a Report
To edit a report, complete the following procedure:
1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports page is displayed.
3. In the Reports page, click the Scheduled view icon. The Scheduled Reports dashboard is displayed.
4. Under Scheduled Reports, select the report you want to edit and then click the edit icon. The Infrastructure page is displayed.
5. Under Scope, select one or a combination of the following choices and then click Next:
   - All--Generates a report for all access points, gateways, switches, and subscriptions.
   - Access Points--Generates a report only for access points.
   - Gateways--Generates a report only for gateways.
   - Switches--Generates a report only for switches.
   - Subscriptions--Generates a report only for subscriptions.
6. Under Report period, select one of the following options and then click Next:
   - Last Month
   - Last 3 Months
   - Last 6 Months
   - Custom Range
7. Select one of the recurrent options:
   - One Time (now)
   - One Time (later)
   - Every day
   - Every week
   - Every month
8. For Report Information, enter the title of the report and an email address where the report will be delivered.
9. Select the format as either PDF or CSV.
10. Click Generate.
11. If you select One Time as an option, the report is available under Generated Reports. If the report is yet to run, the report is available under Scheduled Reports.

Viewing or Downloading a Report
To view or download a report, complete the following procedure:
1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports page is displayed.
3. In the Reports page, click the Generated view icon. The Generated Reports dashboard is displayed.
4. Under Generated Reports, select the report you want to view or download.
   - To view the report online, click the report name.
   - To download the report, click the report and then click the download icon for either the CSV or PDF file.
   - To email the report, click the email to icon.
   - To delete the report, click the delete icon.

Deleting a Report or Multiple Reports
To delete a report or multiple reports, complete the following procedure:
1. From the Network Operations app, set the filter to All Groups. The Global dashboard is displayed.
2. Under Analyze, click Reports. The Reports page is displayed.
3. In the Reports page, click the Generated view icon. Reports that are already run are listed under Generated Reports. If any report is yet to run, that report is available under Scheduled Reports.
4. Select the report you want to delete and then click the delete icon. You can select multiple reports to delete.

Firmware Upgrades for MSP Mode
The Firmware menu under Maintenance displays a list of tenant accounts and the status of the devices assigned to the tenant accounts.

Viewing the Firmware Dashboard
1. In the Network Operations app, use the filter to select All Groups.
2. Under Maintain, click Firmware.
3. Select one of the following tabs: Access Points, Switch-MAS, Switch-Aruba, or Gateways.

The Firmware menu displays the Access Points, Switch-MAS, Switch-Aruba, and Gateways tabs that list all the tenants with firmware and compliance status for each of the device types. The following table displays the Firmware dashboard for Access Points; the tables for the other tabs are similar:

Table 117: Firmware Dashboard Parameters for APs Tab
Data Pane Item--Description
Customer Name--Name of the customer.
Upgrade Status--Status of the devices associated with the tenant account.
This column displays one of the following:
   - Upgrading
   - Scheduling in progress
   - Downloading firmware
   - Upgrade successful, ready for reboot
   - Upgrade successful and rebooting AP
   - Upgrade in process
   - Firmware upgrade failed. Please try again.
   - Rebooting
   - Live upgrade initiating
   - Live upgrade initiated
Compliance Status--Status of compliance for the tenant. This column indicates the compliance status such as Set, Not Set, or Compliance scheduled on <date and time> for a specific tenant.
Manage Firmware Compliance--Enables you to plan upgrades. See Managing Firmware Compliance Based on Tenant Account.

Managing Firmware Compliance Based on Device Tabs
1. In the Network Operations app, use the filter to select All Groups.
2. Under Maintain, click Firmware.
3. Select one of the following tabs: Access Points, Switch-MAS, Switch-Aruba, or Gateways.
4. Click Manage Firmware Compliance at the top right. The Manage Firmware Compliance window opens.
5. Select the firmware version and the time for upgrade.
6. Select Auto Reboot if you want Aruba Central to automatically reboot the device after a successful device upgrade. The Auto Reboot option is not available for Access Points.
7. Select one of the following options as required:
   - Select Now to set the compliance to be carried out immediately.
   - Select Later Date to set the compliance at the later date and time.
8. Click Save and Upgrade.
9. MSP initiates a firmware upgrade operation only for the devices that support the selected firmware version. If any of the selected devices do not support the firmware version selected for the upgrade, a list of unsupported devices is displayed.

Managing Firmware Compliance Based on Tenant Account
1. In the Network Operations app, use the filter to select All Groups.
2. Under Maintain, click Firmware.
3. Select one of the following tabs: Access Points, Switch-MAS, Switch-Aruba, or Gateways.
4. From the dashboard, select one or more customer names and click Continue.
5. The Upgrade <Device Type> Firmware page is displayed. You can click the check box on the table heading of the tenant details table to include all the tenants for the firmware upgrade listed in the current page. To manually upgrade firmware for specific tenants, select the check box corresponding to the tenant that requires a manual firmware upgrade in the tenant details table. Clicking the Continue button displays the Upgrade <Device Type> Firmware page. The Filter by upgrade status drop-down list disappears when the Update All button is clicked.
6. Perform the following actions:

Table 118: Upgrade <Device Type> Firmware
Component--Description
Firmware Version--The firmware version to which the tenant is required to be upgraded. Aruba Central considers the recommended firmware version as the default if no version is specified in the field.
Auto Reboot--Select this check box to reboot the device automatically after the download of the new version. NOTE: The Auto Reboot option is not applicable for Instant APs.
Schedule--Select one of the following radio buttons to specify if the compliance must be carried out immediately or at a later date and time.
   - Now--To set the firmware upgrade to be carried out immediately.
   - Later Date--To set the firmware upgrade to take place at a later date and time.
   Click the Upgrade button to upgrade the firmware.
Cancel--Click this button to cancel the settings and go back to the Maintenance > Firmware page.

7. The Firmware page also displays the Cancel All button. Click the Cancel All button to cancel the manual firmware upgrade for all the tenants in the MSP mode.

The compliance upgrade settings for the tenants and the tenant devices take precedence over the manual firmware upgrade. The scheduled manual firmware upgrade becomes invalid when you set or schedule the compliance upgrade.
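The following added example (not Aruba Central code) models the two precedence rules this guide states: a compliance upgrade invalidates a scheduled manual upgrade, and, per the Order of Precedence For Compliance section of this chapter, group-level compliance overrides tenant-level compliance, which overrides MSP-level compliance. The class names, field names, tenants, and device serials are constructed for illustration; the sketch assumes manual upgrades are scheduled per tenant.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def vkey(version: str) -> Tuple[int, ...]:
    """Turn '8.7.1.0' into (8, 7, 1, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Device:
    serial: str
    tenant: str
    group: str


@dataclass
class Policy:
    msp: Optional[str] = None                              # MSP-level compliance version
    tenant: Dict[str, str] = field(default_factory=dict)   # tenant -> compliance version
    group: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (tenant, group) -> version
    manual: Dict[str, str] = field(default_factory=dict)   # tenant -> manually scheduled version


def effective_compliance(dev: Device, pol: Policy) -> Tuple[Optional[str], str]:
    """Return (version, level): group overrides tenant, tenant overrides MSP."""
    for level, version in (
        ("group", pol.group.get((dev.tenant, dev.group))),
        ("tenant", pol.tenant.get(dev.tenant)),
        ("msp", pol.msp),
    ):
        if version:
            return version, level
    return None, "none"


def plan(devices: List[Device], pol: Policy) -> List[dict]:
    """Per device: target version, which setting decided it, and two review flags."""
    rows = []
    for dev in devices:
        version, level = effective_compliance(dev, pol)
        manual = pol.manual.get(dev.tenant)
        if version is not None:
            target, decided_by = version, "compliance:" + level
        elif manual is not None:
            target, decided_by = manual, "manual"
        else:
            target, decided_by = None, "none"
        rows.append({
            "serial": dev.serial,
            "target": target,
            "decided_by": decided_by,
            # The tenant's scheduled manual upgrade is made invalid by compliance.
            "manual_invalidated": version is not None and manual is not None,
            # A group or tenant setting pins firmware older than the MSP-level version.
            "below_msp_baseline": bool(
                version and pol.msp and level != "msp"
                and vkey(version) < vkey(pol.msp)
            ),
        })
    return rows


# Constructed sample data.
DEVICES = [
    Device("AP1", "acme", "branch"),
    Device("AP2", "acme", "hq"),
    Device("AP3", "globex", "default"),
    Device("AP4", "initech", "default"),
]
POLICY = Policy(
    msp="8.7.0.0",
    tenant={"acme": "8.7.1.0"},
    group={("acme", "hq"): "8.6.0.0"},
    manual={"globex": "8.7.1.0"},
)

if __name__ == "__main__":
    for row in plan(DEVICES, POLICY):
        print(row)
```

The below_msp_baseline flag is the row to review during an audit: a lower-level setting wins by design, so a group pinned to an older version keeps its devices there even after the MSP-level version is raised.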
Firmware Upgrade in MSP Through NB API
Aruba Central provides an option to upgrade firmware for all the tenants mapped to the MSP through APIs in Maintenance > API Gateway. To set or get the country code at group level through API:
1. In the Account Home page, click API Gateway.
2. Click System Apps & Tokens tab and generate a token key.
3. Download and copy the generated token.
4. Click the link displayed in the APIs tab of the API Gateway. The Central Network Management APIs page opens.
5. On the left navigation pane, select Firmware from the URL drop-down list.
6. Paste the token key in the Token field and press enter.
7. In Firmware Management, the following options are displayed:

- [POST] /firmware/v1/msp/upgrade--Upgrades firmware at the MSP level. To configure the firmware upgrade for all the tenants of a specific device type, enter the following inputs in the corresponding labels of the script:
  { "firmware_scheduled_at": 0, "device_type": "string", "firmware_version": "string", "reboot": true, "exclude_groups": "string", "exclude_customers": "string" }

Table 119: Firmware Upgrade at MSP level
Label--Description
Firmware_scheduled_at--The time at which the firmware upgrade must be initiated. The value entered in this field is the count in seconds from the current time.
Device_type--The type of device for which the firmware upgrade must be initiated.
Firmware_version--The firmware version to which the device is required to be upgraded. Aruba Central takes the recommended firmware version as the default version if no version is specified in the field.
Reboot--True or false value to enable or disable the reboot of device once the firmware upgrade build is downloaded. NOTE: The Reboot option is not applicable for Instant APs.
Exclude_groups--The list of groups to be excluded from firmware upgrade.
Exclude_customers--The list of tenants to be excluded from firmware upgrade.

- [POST] /firmware/v1/msp/upgrade/customers/{customer_id}--Upgrades firmware at the tenant level. To configure the firmware upgrade for a specific tenant of a specific device type, enter the following inputs in the corresponding labels of the script:
  { "firmware_scheduled_at": 0, "device_type": "string", "firmware_version": "string", "reboot": true, "exclude_groups": "string" }

Table 120: Firmware Upgrade at the Tenant level
Label--Description
Firmware_scheduled_at--The time at which the firmware upgrade must be initiated. The value entered in this field is the count in seconds from the current time.
Device_type--The type of device for which the firmware upgrade must be initiated.
Firmware_version--The firmware version to which the device is required to be upgraded. Aruba Central takes the recommended firmware version as the default version if no version is specified in the field.
Reboot--True or false value to enable or disable the reboot of device once the firmware upgrade build is downloaded. NOTE: The Reboot option is not applicable for Instant APs.
Exclude_groups--List of groups to be excluded from firmware upgrade.

- [POST] /firmware/v2/msp/upgrade/cancel--Cancels a scheduled firmware upgrade of devices specified by device_type. Enter the following inputs in the corresponding labels of the script:
  { "device_type": "string", "exclude_groups": "string", "exclude_customers": "string" }

Table 121: Cancel Scheduled Upgrade at MSP Level
Label--Description
Device_type--The type of device for which the firmware upgrade schedule must be canceled.
Exclude_groups--List of groups to be excluded while canceling scheduled upgrade.
Exclude_customers--List of customer IDs to be excluded while canceling scheduled upgrade.

- [POST] /firmware/v2/msp/upgrade/customers/{customer_id}/cancel--Cancels a scheduled firmware upgrade of devices specified by device_type for a tenant.
Enter the following inputs in the corresponding labels of the script:
  { "device_type": "string", "exclude_groups": "string" }

Table 122: Cancel Scheduled Upgrade at the Tenant Level
Label--Description
Device_type--The type of device for which the firmware schedule must be canceled.
Exclude_groups--List of groups to be excluded while canceling scheduled upgrade.

The following v1 APIs will be deprecated from API Gateway and are replaced with their v2 versions:
- [POST] /firmware/v1/msp/upgrade/cancel
- [POST] /firmware/v1/msp/upgrade/customers/{customer_id}/cancel

Order of Precedence For Compliance
The devices in the MSP mode inherit the compliance set in the following order of precedence from highest to lowest:
- Group level
- Tenant level
- MSP level

The devices in MSP mode exhibit the following behavior related to compliance settings:
- The compliance set at the group level overrides the compliance set at the tenant level or MSP level. If there is no compliance at the group level, the devices in the group inherit the compliance configured at the tenant level.
- The compliance set at the tenant level overrides the compliance set at the MSP level. If there is no compliance at the tenant level and group level, the tenant devices inherit the compliance configured at the MSP level.

Customizing the Portal in MSP Mode
The Portal Customization page enables you to customize the look and feel of the user interface and the email notifications sent to the customers and users. For example, you can use your company logo in the user interface and company address in the email notifications sent to the customers or users.

Figure 131 Customizing the Portal in the Network Operations App

To customize the look and feel of the portal, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Portal Customization.
3. The Portal Customization page is displayed.
4. Under Customization, configure the following information:
   - Product Name--Name of the product.
   - Provider Name--Name of the company.
   - Contact Link--The URL to the company website that shows the contact address of the company.
   - Sender Email Address--The email address from which the notifications are sent.
   - Mailing Address--The postal address of the company.
   - Service Link--The URL to the company website showing the service related information.
   - Terms and Conditions Link--The URL to the company website listing the terms and conditions.
5. If you want to customize the logo of your portal, click Skinning.
6. Browse to your local directory and upload the logo image.
7. Click Save Settings.

The customized logo is displayed in the following pages:
- Tenant account--All the apps and pages applicable to the tenant. For more information about tenant accounts, see Provisioning Tenant Accounts.

Figure 132 Sample Logo for a Customer Account

- Email invite--Email invite sent while adding a new user. The email contains the registration link. For more information about adding a new user, see Adding a Custom Role in MSP Account Home.

MSP Deployment Models
The MSP mode supports multiple configuration constructs such as UI groups, template groups, local overrides, and so on. This section describes various MSP deployment models using examples. MSP supports the following deployment models:
- MSP Owns Devices and Subscriptions (Deployment Model 1)
- End-Customer Owns Both Devices and Subscriptions But MSP Manages (Deployment Model 2)
- Hybrid MSP Deployment Model (Deployment Model 3)

MSP Owns Devices and Subscriptions (Deployment Model 1)
In this model, the MSP offers Network as a Service (NaaS). The MSP owns both the devices and subscriptions. The MSP acquires end-customers and manages the end-customer's network.
The MSP temporarily assigns devices and subscriptions to end-customers for the duration of the managed service contract. Once the contract ends, the devices and the subscriptions are returned back to the MSP's common pool of resources and can be reassigned to another end-customer.

Setup and Provisioning
After the MSP purchases the devices and subscriptions, the MSP administrator has to do the following:
- Set up the Aruba Central account.
- Onboard devices.
- Assign device subscriptions and network services subscriptions.

MSPs can provide Network as a Service to end-customers using Aruba Central MSP mode capabilities. Aruba Central provides simplified provisioning. The Overview > Dashboard page under Manage in the MSP view allows you to add, view, edit, and delete tenant accounts. After adding a device, the MSP administrator must map the device to the tenant account for device management and monitoring operations. After you create a tenant account, you can map the tenant to a group. The group associated to the tenant account in the MSP mode shows up as the default group for tenant account users. In the MSP mode, all configuration changes made to the group associated to the tenant account are applied to the default group on the tenant account.

Customizing the Portal
MSPs can customize their Aruba Central MSP portal and guest splash pages by uploading their own logo. The Portal Customization pane allows you to customize the look and feel of the user interface and the email notifications sent to customers and users. Aruba Central also allows MSPs to localize various pages to support a diverse customer market.

Monitoring and Reporting
Using the MSP Dashboard, MSPs can monitor and observe trends on end-customer networks. MSPs can do the following from the MSP Dashboard:
- View total number of tenant accounts and consolidated device inventory and subscription status.
- View graphs representing the devices under management, tenant accounts added, and subscription renewal schedule.
- Navigate to each tenant account.

Managing Firmware and Maintenance
MSPs can streamline and automate end-customer's network management while maintaining complete control. MSPs can perform one-click firmware updates or schedule specific updates, manage user accounts across end-customers with different levels of access and tag devices with labels to simplify firmware management and configuration.

Example Deployment Scenario
In this scenario, an MSP is offering the following wireless management services:
- WiFiConnectGo--In this program, for a monthly fee per Instant AP, customers part of this program agree to broadcast MSP's free public WiFi SSID WiFiConnectGo. Customers can add up to 15 additional custom SSIDs, including guest, of their own. Tenant account administrators are responsible for configuring any additional SSIDs and ongoing monitoring and maintenance. MSP is responsible for installing and bringing up the Instant AP only.
- WiFiConnectGo-Plus--In this program, for an additional monthly fee per Instant AP, customers part of this program need not broadcast the free public WiFi SSID WiFiConnectGo. Customers can add up to 15 custom SSIDs, including guest, of their own. MSP is responsible for installing Instant APs, configuring custom SSIDs, and ongoing monitoring and maintenance.

Configuring WiFiConnectGo Using Default UI Groups
Use this deployment model if your customer deployments are identical. UI groups support an inheritance model from MSP to tenant. As shown in the following figure, MSP uses MSP UI groups to push SSID configuration to the default group in each tenant account. Tenants can choose to add additional custom SSIDs to the default group. All sites are mapped to the same default group.
Figure 133 MSP Deployment Using Default UI Groups

Configuring WiFiConnectGo-Plus Using User-Defined UI Groups
Use this deployment model if your customer deployments are unique and if you wish to use the Aruba Central user interface for configuring. UI groups support an inheritance model from MSP to tenant. As shown in the following figure, each tenant has their own custom SSID configuration. In this scenario, the MSP administrator can create separate user-defined UI groups for each tenant. Sites with common SSID are mapped to the same UI group. MSP administrators can use the available UI group APIs to add, modify, or remove allowed wireless configuration options.

Figure 134 MSP Deployment Using User-Defined UI Groups

Configuring WiFiConnectGo-Plus Using Template Groups
As shown in the following figure, one template group is defined for each tenant and all devices are associated to the same group. Using the if/else conditional statements, you can push SSIDs to Instant APs selectively. MSP administrators can use the template and variable APIs to add, modify, or remove any wireless configuration. You can use this deployment model if you wish to automate your customer deployments using Aruba CLIs and Aruba Central APIs.

Figure 135 MSP Deployment Using Template Groups

End-Customer Owns Both Devices and Subscriptions But MSP Manages (Deployment Model 2)
In this deployment model, the account type must be Standard Enterprise Mode. Aruba recommends that you contact your Aruba Central sales representative or the Aruba Central Support team if you are an MSP proposing this model to your end-customer.

In this model, the end-customer owns both the devices and subscriptions, but the MSP manages the end-customer's network. The end-customer can be one of the following:
- An existing Aruba customer who owns Aruba devices, but does not have an Aruba Central account.
- An existing Aruba customer who owns Aruba devices and is managing the network using Aruba Central.

In this model, to manage end-customer-owned devices and subscriptions, the MSP can use the Aruba Central Standard Enterprise mode. The MSP need not create an Aruba Central account of their own, but can instead add their (MSP) administrator to the end-customer's Aruba Central account. The MSP administrator will only have access to each end-customer account.

Setup and Provisioning
The end-customer purchases the devices and subscriptions. The end-customer contacts the MSP to manage the network. As the devices and subscriptions are owned by the end-customer, the MSP uses the Aruba Central Standard Enterprise mode to set up and provision the tenant account. The MSP has to request the end-customer to add the MSP administrator to their Aruba Central account. The MSP administrator can use the Switch Customer option to switch between end-customer accounts.

Monitoring and Reporting
As the MSP is not using the MSP mode, there is no single pane view of end-customer accounts managed by the MSP. The MSP has to monitor each end-customer individually. The MSP administrator has to use the Aruba Central Standard Enterprise mode to monitor the end-customer network.

Managing Firmware and Maintenance
The MSP has to use the Firmware menu under Maintain to view the latest supported firmware version of the device, details of the device, and the option to upgrade the device. The MSP administrator has to manage software upgrades for each end-customer individually.

Example Deployment Scenario
In this scenario, an MSP has to configure Instant APs and manage end-customer networks at two different sites.
The following are the site details:

Site 1
Location: University Ave, Berkeley, CA
SSID Name: "WiFi_CE"
Security: WPA2-PSK
SSID Password: "password@123"
VLAN: 20

Site 2
Location: University Ave, Berkeley, CA
SSID Name: "WiFi_CE"
Security: WPA2-PSK
SSID Password: "password@123"
VLAN: 40

Considering the requirements, each site needs two Instant APs. The only difference between the sites is the VLAN ID.

Deployment Using User-Defined UI Groups
The MSP can configure Instant APs at both sites using user-defined UI groups. As the Wi-Fi configuration per site is different, one UI group must be created for each site. For each site, the tenant account administrator has to do the following:
1. Create a new UI group for each site.
2. Configure the UI group with Wi-Fi settings specific to each site.
3. Map the Instant APs in each site to the respective UI group.

Points to Note:
- One user-defined UI group is created for each site.
- For any new site with a different VLAN ID, the tenant account administrator must create a new UI group.
- If a configuration change is required at all sites, the tenant account administrator must manually edit each UI group as each group is independent of the other. For example, to change the Wi-Fi SSID name from WiFi_CE to WiFi_Secure_CE, the tenant account administrator must edit each UI group.

Deployment Using Template Groups
The MSP can configure Instant APs at both sites using template groups. The tenant account administrator can create a single template group for both sites with a variable file that differentiates the VLAN setting per device. Template groups are not supported at the MSP level. However, template groups can be defined and managed at each tenant account individually. For both sites, the tenant account administrator has to do the following:
1. Create one tenant template group.
2. Configure the newly created template group by uploading a base configuration with the WiFi_CE setting and a variable for the SSID VLAN.
3. Upload a variable file with unique entries for each Instant AP. For the Instant APs part of Site 1, the VLAN variable value is 20. For the Instant APs part of Site 2, the VLAN variable value is 40.
4. Map Site 1 and Site 2 Instant APs to the common template group.

Points to Note:
- One tenant template group is created for both sites.
- For every additional site with a different VLAN ID, the same template group can be used with a modified variable file.
- If a configuration change is required at all sites, the common template group can be updated and pushed to all sites. For example, to change the Wi-Fi SSID name from WiFi_CE to WiFi_Secure_CE, the tenant account administrator can edit the common template group and push the configuration changes to all sites.

Hybrid MSP Deployment Model (Deployment Model 3)
In this model, Aruba Central supports a hybrid deployment model for the MSP. The MSP can use the following deployment models in conjunction to manage the end-customers' network:
- MSP Owns Devices and Subscriptions (Deployment Model 1)--The MSP owns both the devices and subscriptions. The MSP acquires the tenants and uses the Aruba Central MSP mode to manage the tenant's network and monitors multiple tenant accounts using the MSP Dashboard.
- End-Customer Owns Both Devices and Subscriptions But MSP Manages (Deployment Model 2)--The MSP manages end-customer's network in which the end-customer owns both the devices and subscriptions. The MSP uses the Aruba Central Standard Enterprise mode to manage the network and the MSP administrator uses the Switch Customer option to navigate between different end-customer accounts.

In this deployment model, if the end customer owns both devices and subscriptions, the account type must be Standard Enterprise Mode.
Aruba recommends that you contact your Aruba Central sales representative or the Aruba Central Support team if you are an MSP proposing this model to your end-customer.

Frequently Asked Questions

How do I create an Aruba Central MSP account?
As MSP mode is an operational mode of the Network Operations app which is one of the apps in Aruba Central, the first step to create an MSP account is to create an Aruba Central account, subscribe only to the Network Operations app, and then enable Managed Service Mode.
- Sign up for Aruba Central evaluation here.
- Enable MSP mode.

Should tenants sign up for an Aruba Central account as well?
No. With MSP mode enabled, the MSP administrator manages the creation and deletion of tenant accounts. After a tenant account is created, the MSP administrator can add tenant users to the account. To create a tenant user, the MSP administrator must provide a valid email address for the user. A verification email is sent to this email address. Tenant users have access to their individual tenant account only. Tenant users do not have access to other tenant accounts managed by the MSP.

Who owns the hardware and subscriptions?
In the MSP mode, all the hardware and subscriptions are owned by the MSP. The MSP temporarily assigns devices and their corresponding subscriptions to tenants for the duration of the managed service contract. When the contract ends, the devices and the subscriptions are returned back to the common pool of resources of the MSP and can be reassigned to another tenant.

Can existing Aruba Central customers migrate to an MSP account?
End customers who own their own devices and subscriptions cannot transfer ownership of the devices to an MSP. However, the MSP administrator can manage the end customer network.

What are the supported devices and architectures?
MSP supports all devices and architectures supported by Aruba Central. See Supported APs and Supported Switches.
Aruba Central supports wireless, wired, and SD-WAN deployments, either independently or in combination. For example, as an MSP, you can manage the following combinations:
- Customer environments having a wireless deployment.
- Customer environments having both wired and wireless deployments.
- Customer environments having an SD-WAN deployment.

Aruba Central does not support managing gateways at the MSP level. However, gateways can be configured and managed at the tenant account level.

Which group is the default group for the tenant account?
The MSP group associated to the Tenant account shows up as the default group for Tenant account users. All configuration changes made to the "MSP group" associated to the "Tenant account" are applied to the default group on the Tenant account.

What are predefined user roles?
The Users & Roles tile under Global Settings in the Account Home page allows you to configure the following types of users with system-defined roles:

User Role: admin
  Standard Enterprise Mode:
  - Has full access to all devices.
  - Can provision devices and enable access to application services.
  - Can create or update users, groups, and labels.
  MSP Mode:
  - Has full access to tenant accounts.
  - Can create, modify, provision, and manage tenant accounts.

User Role: readwrite
  Standard Enterprise Mode:
  - Has access to the groups and devices assigned in the account.
  - Can add, modify, configure, and delete a device in the account.
  MSP Mode:
  - Can access and modify tenant accounts.

User Role: readonly
  Standard Enterprise Mode:
  - Can view the groups and devices.
  - Can view generated reports.
  MSP Mode:
  - Can view tenant accounts.

User Role: guestoperator
  Standard Enterprise Mode:
  - Can access and modify cloud guest splash page profiles.
  - Can configure visitor accounts for the cloud guest splash page profiles.
  MSP Mode:
  - Can access and modify cloud guest splash page profiles.
  - Can configure visitor accounts for the cloud guest splash page profiles.

What are custom user roles?
Along with the predefined user roles, Aruba Central allows you to create custom roles with specific security requirements and access control. However, only the users with the administrator role and privileges can create, modify, clone, or delete a custom role in Aruba Central. With custom roles, you can configure access control at the application level and specify access rights to view or modify specific application services or modules. For example, you can create a custom role that allows access to a specific application like Guest Access or network management and assign it to a user.

You can create a custom role with specific access to MSP modules. The MSP application allows users with administrator role and privileges to define user access to MSP modules such as Customer Management and Portal Customization. The MSP tenant account user does not have access to the MSP application. Even if a tenant account user is assigned a custom role having MSP application privileges, the tenant account user will not have access to the MSP application and MSP will not appear in the Global Settings > Users & Roles > Roles > Allowed Applications list.

What tasks can be performed by an MSP user and tenant user?
In the MSP mode, MSP users have a superset of administration options compared to tenant users. An MSP administrator can perform the following administrative tasks:
- Tenant account management.
- Device and subscription management across all tenants.
- Monitoring and event management across all tenants.
- Configuration management across all tenants.
- User management across all tenants.
- API management for the MSP and across all tenants.

A tenant account administrator can perform the following administrative tasks for their respective tenant account only:
- Monitoring and event management.
- Configuration management.
- User management.
- API management.
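The request bodies listed earlier in this chapter under Firmware Upgrade in MSP Through NB API can be checked before they are sent. The following added example (not Aruba code) builds the four requests from the paths and fields shown in Tables 119 to 122, rejects fields an endpoint does not list, and produces a copy with the token masked for audit logs. The base URL is a placeholder, the Bearer authorization header and the requirement that device_type be present are assumptions, and the sample device type and token are constructed values.

```python
import json
from urllib.parse import quote

# Body fields and their JSON types, copied from the scripts shown in the guide.
UPGRADE_FIELDS = {
    "firmware_scheduled_at": int,
    "device_type": str,
    "firmware_version": str,
    "reboot": bool,
    "exclude_groups": str,
}
CANCEL_FIELDS = {"device_type": str, "exclude_groups": str}

# operation name (hypothetical) -> (path from the guide, fields the endpoint lists)
OPERATIONS = {
    "msp_upgrade": ("/firmware/v1/msp/upgrade",
                    {**UPGRADE_FIELDS, "exclude_customers": str}),
    "tenant_upgrade": ("/firmware/v1/msp/upgrade/customers/{customer_id}",
                       UPGRADE_FIELDS),
    "msp_cancel": ("/firmware/v2/msp/upgrade/cancel",
                   {**CANCEL_FIELDS, "exclude_customers": str}),
    "tenant_cancel": ("/firmware/v2/msp/upgrade/customers/{customer_id}/cancel",
                      CANCEL_FIELDS),
}

BASE_URL = "https://api-gateway.example.invalid"  # placeholder, not a real host


def build_request(operation, body, token, customer_id=None, base_url=BASE_URL):
    """Validate the body against the guide's field list and return the request."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    path, fields = OPERATIONS[operation]
    unknown = sorted(set(body) - set(fields))
    if unknown:
        raise ValueError(f"fields not listed for {operation}: {unknown}")
    for name, value in body.items():
        expected = fields[name]
        # bool is a subclass of int in Python, so reject True/False for integers.
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            raise ValueError(f"{name} must be {expected.__name__}")
    if not body.get("device_type"):
        raise ValueError("device_type is required")  # assumption, see lead-in
    if body.get("firmware_scheduled_at", 0) < 0:
        raise ValueError("firmware_scheduled_at must not be negative")
    if "{customer_id}" in path:
        if not customer_id:
            raise ValueError(f"{operation} needs a customer_id")
        # Encode as a single path segment so the ID cannot change the route.
        path = path.replace("{customer_id}", quote(str(customer_id), safe=""))
    elif customer_id is not None:
        raise ValueError("customer_id is only used by tenant-level operations")
    if not token:
        raise ValueError("an API Gateway token is required")
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + path,
        "headers": {"Authorization": "Bearer " + token,  # assumed header scheme
                    "Content-Type": "application/json"},
        "data": json.dumps(body, sort_keys=True),
    }


def loggable(request):
    """Copy of the request that can be written to an audit log (token masked)."""
    safe = dict(request)
    safe["headers"] = {**request["headers"], "Authorization": "Bearer ***"}
    return safe


# Constructed sample: upgrade one tenant's Instant APs one hour from now, no reboot.
SAMPLE_BODY = {"firmware_scheduled_at": 3600, "device_type": "IAP",
               "firmware_version": "8.7.1.0", "reboot": False}

if __name__ == "__main__":
    req = build_request("tenant_upgrade", SAMPLE_BODY, "TOKEN-PLACEHOLDER",
                        customer_id="CUSTOMER-ID-PLACEHOLDER")
    print(json.dumps(loggable(req), indent=2))
```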
Chapter 8
Instant APs

Instant APs offer an enterprise-grade networking solution with a simple setup. The WLAN solution with Instant APs supports simplified deployment, configuration, and management of Wi-Fi networks. Instant APs run the Aruba Instant software that virtualizes Aruba Mobility Controller capabilities on 802.11 APs and offers a feature-rich enterprise-grade Wi-Fi solution.

Instant APs are often deployed as a cluster. An Instant AP cluster includes a conductor AP and a set of other APs that act as member APs. In an Instant deployment scenario, only the first AP or the conductor AP that is connected to a provisioning network is configured. All other Instant APs in the same VLAN join the conductor AP and inherit the configuration changes. The Instant AP clusters are configured through a common interface called Virtual Controller. A Virtual Controller represents the combined intelligence of the Instant APs in a cluster.

Supported Deployment Modes

Aruba Instant APs can be deployed in the following modes in Aruba Central:

- Cluster mode--In this mode, several Instant APs form a cluster when connected to a provisioning network and a conductor Instant AP is elected. In the cluster mode, a new Instant AP onboarded to Aruba Central can join an existing Instant AP cluster.
- Standalone mode--In this mode, individual Instant APs are provisioned in groups and managed from Aruba Central.

Configuration and Management

Network administrators can manage Instant APs through the Aruba Instant UI, Aruba Central, or AirWave management system. For information on how to configure Instant APs using the Aruba Instant UI, see the Aruba Instant User Guide.
For more information on how to deploy, provision, manage, and monitor Instant APs from Aruba Central, see the following topics:

- Supported Instant APs
- Provisioning Instant APs
- Configuring Device Parameters
- Configuring Network Profiles on Instant APs
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring ARM and RF Parameters on Instant APs
- Configuring IDS Parameters on APs
- Configuring Authentication and Security Profiles on Instant APs
- Configuring Instant APs for VPN Services
- Configuring DHCP Pools and Client IP Assignment Modes on Instant APs
- Configuring Services
- Configuring Uplink Interfaces on Instant APs
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Opening a Remote Console
- Mapping Instant AP Certificates
- Configuring APs Using Templates
- Managing Variable Files
- Viewing APs Configuration Tabs

Supported Instant APs

The following table lists the Instant AP platforms, the installation mode, the minimum supported Aruba Instant software versions, and the Instant APs supporting power draw:

Table 123: Supported Instant AP Platforms

Instant AP Platform | Installation Mode | Minimum Supported Aruba Instant Software Version | Power Draw Support
AP-567EX | Outdoor | Aruba Instant 8.7.1.0 | No
AP-567 | Outdoor | Aruba Instant 8.7.1.0 | Yes
AP-565EX | Outdoor | Aruba Instant 8.7.1.0 | No
AP-565 | Outdoor | Aruba Instant 8.7.1.0 | Yes
AP-503H | Indoor | Aruba Instant 8.7.1.0 | Yes
AP-577EX | Outdoor | Aruba Instant 8.7.0.0 | Yes
AP-577 | Outdoor | Aruba Instant 8.7.0.0 | Yes
AP-575EX | Outdoor | Aruba Instant 8.7.0.0 | Yes
AP-575 | Outdoor | Aruba Instant 8.7.0.0 | Yes
AP-574 | Outdoor | Aruba Instant 8.7.0.0 | Yes
AP-518 | Outdoor | Aruba Instant 8.7.0.0 | Yes
AP-505H | Indoor | Aruba Instant 8.7.0.0 | Yes
AP-505 | Indoor | Aruba Instant 8.6.0.0 | Yes
AP-504 | Indoor | Aruba Instant 8.6.0.0 | Yes
AP-555 | Indoor | Aruba Instant 8.5.0.0 | No
AP-535 | Indoor | Aruba Instant 8.5.0.0 | No
AP-534 | Indoor | Aruba Instant 8.5.0.0 | No
AP-515 | Indoor | Aruba Instant 8.4.0.0 | Yes
AP-514 | Indoor | Aruba Instant 8.4.0.0 | Yes
AP-387 | Outdoor | Aruba Instant 8.4.0.0 | Yes
AP-303P | Indoor | Aruba Instant 8.4.0.0 | No
AP-377EX | Outdoor | Aruba Instant 8.3.0.0 | No
AP-377 | Outdoor | Aruba Instant 8.3.0.0 | Yes
AP-375EX | Outdoor | Aruba Instant 8.3.0.0 | No
AP-375 | Outdoor | Aruba Instant 8.3.0.0 | Yes
AP-374 | Outdoor | Aruba Instant 8.3.0.0 | Yes
AP-345 | Indoor | Aruba Instant 8.3.0.0 | Yes
AP-344 | Indoor | Aruba Instant 8.3.0.0 | Yes
AP-318 | Indoor | Aruba Instant 8.3.0.0 | Yes
AP-303 | Indoor | Aruba Instant 8.3.0.0 | No
AP-203H | Indoor | Aruba Instant 6.5.3.0 | No
AP-367 | Outdoor | Aruba Instant 6.5.2.0 | No
AP-365 | Outdoor | Aruba Instant 6.5.2.0 | No
AP-303HR | Indoor | Aruba Instant 6.5.2.0 | No
AP-303H | Indoor | Aruba Instant 6.5.2.0 | Yes
AP-203RP | Indoor | Aruba Instant 6.5.2.0 | No
AP-203R | Indoor | Aruba Instant 6.5.2.0 | No
IAP-305 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | Yes
IAP-304 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | Yes
IAP-207 | Indoor | Aruba Instant 6.5.1.0-4.3.1.0 | No
IAP-335 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes
IAP-334 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes
IAP-315 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | No
IAP-314 | Indoor | Aruba Instant 6.5.0.0-4.3.0.0 | Yes
IAP-325 | Indoor | Aruba Instant 6.4.4.3-4.2.2.0 | No
IAP-324 | Indoor | Aruba Instant 6.4.4.3-4.2.2.0 | No
IAP-277 | Outdoor | Aruba Instant 6.4.3.1-4.2.0.0 | No
IAP-228 | Indoor | Aruba Instant 6.4.3.1-4.2.0.0 | No
IAP-205H | Indoor | Aruba Instant 6.4.3.1-4.2.0.0 | No
IAP-215 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No
IAP-214 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No
IAP-205 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No
IAP-204 | Indoor | Aruba Instant 6.4.2.0-4.1.1.0 | No
IAP-275 | Outdoor | Aruba Instant 6.4.0.2-4.1.0.0 | No
IAP-274 | Outdoor | Aruba Instant 6.4.0.2-4.1.0.0 | No
IAP-103 | Indoor | Aruba Instant 6.4.0.2-4.1.0.0 | No
IAP-225 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No
IAP-224 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No
IAP-115 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No
IAP-114 | Indoor | Aruba Instant 6.3.1.1-4.0.0.0 | No
RAP-155P | Indoor | Aruba Instant 6.2.1.0-3.3.0.0 | No
RAP-155 | Indoor | Aruba Instant 6.2.1.0-3.3.0.0 | No
RAP-109 | Indoor | Aruba Instant 6.2.0.0-3.2.0.0 | No
RAP-108 | Indoor | Aruba Instant 6.2.0.0-3.2.0.0 | No
RAP-3WN | Indoor | Aruba Instant 6.1.3.1-3.0.0.0 | No
RAP-3WNP | Indoor | Aruba Instant 6.1.3.1-3.0.0.0 | No

- RAP-155, RAP-155P, IAP-214, IAP-215, IAP-224, IAP-225, IAP-228, IAP-274, IAP-275, and IAP-277 IAPs are no longer supported from Aruba Instant 8.7.0.0 onwards.
- IAP-103, RAP-108, RAP-109, IAP-114, IAP-115, IAP-204, IAP-205, and IAP-205H IAPs are no longer supported from Aruba Instant 8.3.0.0 onwards.
- By default, AP-318, AP-374, AP-375, and AP-377 IAPs have Eth1 as the uplink port and Eth0 as the downlink port. Aruba recommends that you do not upgrade these IAPs to the Aruba Instant 8.5.0.0 or 8.5.0.1 firmware versions, because the upgrade process changes the uplink port from Eth1 to Eth0, which makes the devices unreachable.
- For more information about Aruba's End-of-life policy and the timelines for hardware and software products at the end of their lives, see: https://www.arubanetworks.com/support-services/end-of-life/.
- Data sheets and technical specifications for the supported AP platforms are available at: https://www.arubanetworks.com/products/networking/access-points/.

Provisioning Instant APs

The following figure illustrates the procedure for bringing up Instant APs and configuring a basic WLAN setup. To view a detailed description of the tasks, click the task link in the flowchart.

The UI-based provisioning of APs is available for Foundation and Advanced licenses for APs.

When you click a task in the flowchart, the linked topic opens in a pop-up window. After you browse through the topic, click outside the pop-up window to return to this page.
Figure 136 Getting Started--Instant APs

Configuring APs Using Templates

Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AP deployments.

The template-provisioning of APs is available for Foundation and Advanced licenses for APs.

To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that the device administrators familiarize themselves with the CLI configuration commands available on Aruba APs.

For template-based provisioning, APs must be assigned to a group with template-based configuration method enabled.

To create a template for the APs in a template group, complete the following steps:

1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure APs in a template group are displayed.
4. In the Templates table, click + to add a new template. The Add Template window is displayed.
5. Under Basic Info, enter the following information:
   a. Template Name--Enter the template name.
   b. Model--Set the model parameter to ALL.
   c. Version--Set the model parameter to ALL.
6. Under Template, add the CLI script content.
7. Check the following guidelines before adding content to the template:

- Ensure that the command text indentation matches the indentation in the running configuration.
- The template allows multiple per-ap-settings blocks. The template must include the per-ap-settings %_sys_lan_mac% variable. The per-ap-settings block uses the variables for each AP.
  The general VC configuration uses variables for conductor AP to generate the final configuration from the provided template. Hence, Aruba recommends that you upload all variables for all devices in a cluster and change values as required for individual AP variables.
- You can obtain the list of variables for per-ap-settings by using the show amp-audit command. The following example shows the list of variables for per-ap-settings.

    (Instant AP)# show amp-audit | begin per-ap
    per-ap-settings 70:3a:0e:cc:ee:60
     hostname EE:60-335-24
     rf-zone bj-qa
     ip-address 10.65.127.24 255.255.255.0 10.65.127.1 10.65.6.15 ""
     swarm-mode standalone
     wifi0-mode access
     wifi1-mode access
     g-channel 6+ 21
     a-channel 140 26
     uplink-vlan 0
     g-external-antenna 0
     a-external-antenna 0
     ap1x-peap-user peap22 282eaf1077b8d898b91ec41b5da19895

- The commands in the template are case-sensitive.
- IF ELSE ENDIF conditions are supported in the template. If the template text includes the if condition, % sign is required at the beginning and the end of the text. For example, %if guest%. The following example shows the template text with the IF ELSE ENDIF condition.

    wlan ssid-profile %ssid_name%
     %if disable_ssid=true%
     disable-ssid
     %endif%
     %if ssid_security=wpa2%
     opmode wpa2-aes
     %else%
     opmode opensystem
     %endif%

- Templates also support nesting of the IF ELSE END IF condition blocks.
  The following example shows how to nest such blocks:

    %if condition1=true%
    routing-profile
     route 10.10.0.0 255.255.255.0 10.10.0.255
    %if condition2=true%
    routing-profile
     route 10.20.0.0 255.255.255.0 10.20.0.255
    %else%
    routing-profile
     route 10.30.0.0 255.255.255.0 10.30.0.255
    %endif%
    %else%
    routing-profile
     route 10.40.0.0 255.255.255.0 10.40.0.255
    %if condition3=true%
    routing-profile
     route 10.50.0.0 255.255.255.0 10.50.0.255
    %else%
    routing-profile
     route 10.60.0.0 255.255.255.0 10.60.0.255
    %endif%
    %endif%

- For profile configuration CLI text, for example, vlan, interface, access-list, ssid and so on, the first command must start with no white space. The subsequent local commands in the given profile must start with at least one initial space (' ') or be indented as shown in the following examples:

  Example 1

    vlan 1
     name "vlan1"
     no untagged 1-24
     ip address dhcp-bootp
     exit

  Example 2

    %if vlan_id1%
    vlan %vlan_id1%
     %if vlan_id1=1%
     ip address dhcp-bootp
     %endif%
     no untagged %_sys_vlan_1_untag_command%
     exit
    %endif%

- To comment out a line in the template text, use the pound sign (#). Any template text preceded by # is ignored when processing the template.
- To allow or restrict APs from joining the Instant AP cluster, Aruba Central uses the _sys_allowed_ap system-defined variable. Use this variable only when allowed APs configuration is enabled. For example, _sys_allowed_ap: "a_mac, b_mac, c_mac". Use this variable only once in the template.

8. Click OK.

- The variables configured for the Instant AP devices functioning as the VCs are replaced with the values configured at the template level.
- If any device in the cluster has any missing variables, the configuration push to those AP devices in the cluster fails. The audit trail for such instances shows the missing variables.
- You can configure the RF zone for an AP by adding the rf-zone %rfzone% variable in the template.
  Similarly, you can add the wifi0-mode %wifi0-mode% variable to configure a Wi-Fi0 interface of an AP to function in the access, monitor, or spectrum monitor mode.

Sample Template

The following example shows the typical contents allowed in a template file for APs:

    virtual-controller-country %countrycode%
    virtual-controller-key d2d8c79e010af35667dae85f950cf144b476ab4beba9ce5696
    organization %org%
    name %VCname%
    virtual-controller-ip %vcip%
    terminal-access
    clock time zone none 00 00
    rf-band all
    allow-new-aps
    allowed-ap 38:17:c3:cd:34:ca
    hash-mgmt-password
    hash-mgmt-user admin password cleartext public
    syslog-level debug
    syslog-level warn ap-debug
    arm
     wide-bands none
     a-channels 44,44+,40,36
     g-channels 13,1+
     min-tx-power 15
     max-tx-power 127
     band-steering-mode prefer-5ghz
     air-time-fairness-mode fair-access
     channel-quality-aware-arm-disable
     client-match
     client-match nb-matching 55
     client-match calc-interval 5
     client-match slb-mode 2
    wlan access-rule default_wired_port_profile
     index 0
     rule any any match any any any permit
    wlan access-rule wired-SetMeUp
     index 1
     rule masterip 0.0.0.0 match tcp 80 80 permit
     rule masterip 0.0.0.0 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
    wlan access-rule %ssid_name%
     index 2
     rule any any match any any any permit
    wlan ssid-profile %ssid_name%
     %if disable_ssid=true%
     disable-ssid
     %endif%
     %if ssid_security=wpa2%
     opmode wpa2-aes
     %else%
     opmode opensystem
     %endif%
     type employee
     essid %ssid_name%
     wpa-passphrase %pw%
     max-authentication-failures 0
     auth-server InternalServer
     rf-band all
     captive-portal disable
     dtim-period 1
     broadcast-filter arp
     denylist
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
     okc
    %if condition1=true%
    routing-profile
     route 10.10.0.0 255.255.255.0 10.10.0.255
    %if condition2=true%
    routing-profile
     route 10.20.0.0 255.255.255.0 10.20.0.255
    %else%
    routing-profile
     route 10.30.0.0 255.255.255.0 10.30.0.255
    %endif%
    %else%
    routing-profile
     route 10.40.0.0 255.255.255.0 10.40.0.255
    %if condition3=true%
    routing-profile
     route 10.50.0.0 255.255.255.0 10.50.0.255
    %else%
    routing-profile
     route 10.60.0.0 255.255.255.0 10.60.0.255
    %endif%
    %endif%
    wired-port-profile wired-SetMeUp
     switchport-mode access
     allowed-vlan all
     native-vlan guest
     no shutdown
     access-rule-name wired-SetMeUp
     speed auto
     duplex auto
     no poe
     type guest
     captive-portal disable
     no dot1x
    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan all
     native-vlan 1
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     captive-portal disable
     no dot1x
    enet0-port-profile default_wired_port_profile
    enet1-port-profile wired-SetMeUp
    uplink
     preemption
     enforce none
     failover-internet-pkt-lost-cnt 10
     failover-internet-pkt-send-freq 30
     failover-vpn-timeout 180
    cluster-security
     allow-low-assurance-devices
    per-ap-settings %_sys_lan_mac%
     hostname %hostname%
     rf-zone %rfname%
     swarm-mode %mode%
     wifi0-mode %wifi0mode%
     wifi1-mode %wifi1mode%
     g-channel %gch% %gtx%
     a-channel %ach% %gtx%

Password Management in Configuration Templates for AP

In Aruba Central, the AP management user passwords are stored and displayed as hash instead of plain text. Password for an AP can be set using the following commands:

    mgmt-user <user-name> <password>
    mgmt-user <user-name> <password> guest-mgmt
    mgmt-user <user-name> <password> read-only

The mgmt-user commands are used for APs running firmware versions below Aruba InstantOS 4.3.

The hash-mgmt-user commands are enabled by default on the APs provisioned in the template and UI groups. If a pre-configured AP joins Aruba Central and is moved to a new group, Aruba Central uses the hash-mgmt-user configuration settings and discards mgmt-user configuration settings, if any, on the AP. In other words, Aruba Central hashes management user passwords irrespective of the management user configuration settings running on an AP.
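The template rules in this section can be checked before a template is saved: a per-ap-settings %_sys_lan_mac% block must exist, every variable used in an active branch needs a value, and a push whose rendered configuration carries no password command is aborted, which happens when the command sits in a condition block that evaluates to false. The following Python lint is an added example, not Aruba Central's template engine or code from this guide; it assumes that `%if name%` tests whether a variable is set and `%if name=value%` is a string comparison, and the sample template, variable names and values are constructed.

```python
import re

# Directive lines: %if name%, %if name=value%, %else%, %endif%
DIRECTIVE = re.compile(r"^%\s*(if|else|endif)\b\s*(.*?)\s*%$", re.IGNORECASE)
VARIABLE = re.compile(r"%([A-Za-z_][\w-]*)%")
PASSWORD_CMD = re.compile(r"^(hash-mgmt-user|mgmt-user)\s+\S+")
PER_AP_BLOCK = re.compile(r"^per-ap-settings\s+%_sys_lan_mac%\s*$", re.MULTILINE)


def _condition_true(expr, variables):
    """Assumed semantics: 'name' = variable is set, 'name=value' = string match."""
    name, has_value, wanted = expr.partition("=")
    value = variables.get(name.strip())
    if has_value:
        return value is not None and str(value) == wanted.strip()
    return value not in (None, "")


def render(template, variables):
    """Return (rendered_lines, missing_variable_names) for one AP's variables."""
    rendered, missing = [], set()
    stack, active = [], True   # stack: (parent_active, branch_taken) per open %if%
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            missing.add(name)            # reported; placeholder stays in the line
            return match.group(0)
        return str(variables[name])
    for number, raw in enumerate(template.splitlines(), 1):
        text = raw.strip()
        if not text or text.startswith("#"):      # '#' lines are ignored
            continue
        directive = DIRECTIVE.match(text)
        if directive:
            kind = directive.group(1).lower()
            if kind == "if":
                taken = active and _condition_true(directive.group(2), variables)
                stack.append((active, taken))
                active = taken
            elif not stack:
                raise ValueError(f"line {number}: %{kind}% without a matching %if%")
            elif kind == "else":
                parent_active, taken = stack[-1]
                active = parent_active and not taken
            else:                                  # endif closes the frame
                active = stack.pop()[0]
            continue
        if active:
            rendered.append(VARIABLE.sub(substitute, raw.rstrip()))
    if stack:
        raise ValueError("unterminated %if% block")
    return rendered, missing


def audit(template, variables):
    """Return (code, detail) findings for one AP; an empty list means clean."""
    findings = []
    if not PER_AP_BLOCK.search(template):
        findings.append(("no-per-ap-settings", "%_sys_lan_mac%"))
    lines, missing = render(template, variables)
    findings += [("missing-variable", name) for name in sorted(missing)]
    password_lines = [l.split() for l in lines if PASSWORD_CMD.match(l.strip())]
    if not password_lines:
        findings.append(("no-password-command", ""))
    for tokens in password_lines:
        # Report the user name only, never the secret itself.
        if tokens[0] == "mgmt-user" or tokens[2:4] == ["password", "cleartext"]:
            findings.append(("cleartext-password", tokens[1]))
    return findings


# Constructed sample: template, per-AP variables and hash are illustrative only.
SAMPLE_TEMPLATE = """\
%if manage_admin=true%
hash-mgmt-user admin password hash %admin_hash%
%else%
%if legacy_ro=true%
hash-mgmt-user viewer password cleartext %viewer_pw% usertype read-only
%endif%
%endif%
wlan ssid-profile %ssid_name%
 %if ssid_security=wpa2%
 opmode wpa2-aes
 %else%
 opmode opensystem
 %endif%
per-ap-settings %_sys_lan_mac%
 hostname %hostname%
"""
BASE = {"ssid_name": "corp", "ssid_security": "wpa2", "_sys_lan_mac": "aa:bb:cc:00:00:01"}
AP_A = {**BASE, "hostname": "ap-a", "manage_admin": "true", "admin_hash": "0" * 64}
AP_B = {**BASE, "hostname": "ap-b", "manage_admin": "false",
        "legacy_ro": "true", "viewer_pw": "constructed-value"}
AP_C = {**BASE, "manage_admin": "false"}   # no hostname, no password branch

if __name__ == "__main__":
    for label, ap in (("AP_A", AP_A), ("AP_B", AP_B), ("AP_C", AP_C)):
        print(label, audit(SAMPLE_TEMPLATE, ap))
```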
The mgmt-user commands can only be used for APs running firmware versions equal to or above Aruba InstantOS 4.3.

Password for AP can be set using the following hash-mgmt-user commands:

    hash-mgmt-user <user-name> password hash <hash-password>
    hash-mgmt-user <user-name> password cleartext <cleartext-password>
    hash-mgmt-user <user-name> password hash <hash-password> usertype read-only
    hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype read-only
    hash-mgmt-user <user-name> password hash <hash-password> usertype guest-mgmt
    hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype guest-mgmt
    hash-mgmt-user <user-name> password hash <hash-password> usertype local
    hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype local

- Aruba Central supports the use of hash commands with clear text. However, Aruba recommends that you use hash passwords instead of clear text passwords to avoid password disclosures.
- Aruba Central allows you to re-use the hash from one AP on another AP.
- All AP templates must include a password command to set a password for the device. The template cannot be saved without adding a password command. If the configuration that is pushed from Aruba Central to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed will not contain the password command.

For more information, see Managing Password in Configuration Templates.

Viewing APs Configuration Tabs

Aruba Central now constantly displays the default tabs under the Show Advanced and Hide Advanced options in the Devices > Access Points page. When you click the Show Advanced or Hide Advanced option, a set of default configuration tabs is displayed.
The respective default tabs under these two options are still displayed when you navigate out of the page, and visit the same page next time.

Following are the default tabs displayed when you navigate to Devices > Access Points page and click the Config icon:

- WLANs
- Access Points
- Radios

When you click the Show Advanced option, the following tabs are displayed:

- WLANs
- Access Points
- Radios
- Interfaces
- Security
- VPN
- Services
- System
- Configuration Audit

To view the default tabs, click Hide Advanced.

Navigating to Virtual Controller Configuration Dashboard

To navigate to the virtual controller configuration dashboard, complete the following steps:

1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. In the Virtual Controller column, click on the virtual controller to navigate to the Access Points > List view of the virtual controller.
4. Click the Config icon. The default tabs to configure the virtual controller are displayed.
5. Click Show Advanced to view advanced configuration options.

For more information about the various configuration options, see Deploying a Wireless Network Using Instant APs.

Deploying a Wireless Network Using Instant APs

This section describes how to configure WLAN SSIDs, radio profiles, DHCP profiles, VPN routes, security and firewall settings, uplink interfaces, and logging servers on Instant APs.
For more information on Instant AP configuration, see the following topics:

- Configuring Device Parameters
- Configuring Network Profiles on Instant APs
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring ARM and RF Parameters on Instant APs
- Configuring IDS Parameters on APs
- Configuring Authentication and Security Profiles on Instant APs
- Configuring Instant APs for VPN Services
- Configuring DHCP Pools and Client IP Assignment Modes on Instant APs
- Configuring Services
- Configuring Systems
- Configuring Uplink Interfaces on Instant APs
- Configuring Mobility for Clients
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Viewing APs Configuration Tabs
- Opening a Remote Console
- Mapping Instant AP Certificates

Setting Country Code

The initial Wi-Fi setup of an Instant AP requires you to specify the country code for the country in which the Instant AP operates. This configuration sets the regulatory domain for the radio frequencies that the Instant AP uses. The available 20 MHz, 40 MHz, or 80 MHz channels are dependent on the specified country code.

Country Code Configuration in Aruba Central from UI

If you provision a new Instant AP without the country code, Aruba Central exhibits the following behavior:

Table 124: Instant AP Provisioned to Aruba Central

Country Code Configured at Instant AP | Country Code Configured in Group | Behavior
No | Yes | The country code of the group is pushed to the newly added Instant AP.
No | No | Aruba Central displays the "Country Code not set. Config not updated" message in Audit Trail. A notification is also displayed at the bottom of the main window to set the country code of the new Instant AP.

To set the country code, perform the following actions:

1. Click the Set Country Code now link on the notifications pane. The Set Country Code pop-up is displayed.
2. In the Device(s) without country code table, click the edit icon.
3. Specify a country code from the Country Code drop-down list.
4. Click Save.

If an Instant AP has a country code and joins Aruba Central using ZTP configuration, then the country code of the Instant AP is retained. In this case, Aruba Central will not push the group country code.

Setting Country Code at a Group Level

To set the country code of the Instant AP at the group level, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The default tabs to configure the virtual controller are displayed.
4. Click Show Advanced to view advanced configuration options.
5. Click the System tab. The System details page is displayed.
6. Expand the General accordion.
7. In the Set Country code for group drop-down list, select the country code for the Instant AP.
8. Click Save Settings and then reboot the Instant AP.

- By default, the value corresponding to the Set Country code for group field is empty. This indicates that any Instant AP with different country codes can be a part of the group.
- When the Set Country code for group field is set, the field cannot revert to the default value. When the country code of the group is changed, the country code of the already connected Instant AP will also be updated.

Setting Country Code at a Device Level

To set the country code of the Instant AP at the device level, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. In the Virtual Controller column, click the virtual controller link to navigate to the Access Points > List view of the virtual controller. When you click the virtual controller link in the Virtual Controller column, the dashboard context for the virtual controller is displayed.
4. Click the Config icon. The default tabs to configure the virtual controller are displayed.
5. Click Show Advanced to view advanced configuration options.
6. Click the System tab. The System details page is displayed.
7. Expand the General accordion.
8. In the Virtual Controller table, select a virtual controller and then click the edit icon.
9. In the Edit IP Address window, select the country code from the Country Code drop-down list.
10. Click Ok.
11. Click Save Settings and then reboot the Instant AP.

- By default, the value corresponding to the Country code is the country code set at the group level, which can then be modified at the device level from the drop-down list. The country code of the Instant AP will always be the most recently set country code at the group level or device level.
- If there is a discrepancy in the country code configuration, Aruba Central displays it as an override in the Configuration Audit page.

Country Code Configuration at Group Level from API

Aruba Central provides an option to set and get the country code at group level through the APIs in API Gateway. To set or get the country code at group level through API, complete the following steps:

1. In the Account Home page, click API Gateway. The API Gateway page is displayed.
2. Click the Authorized Apps & Tokens tab and generate a token key. The token key is valid only for 2 hours from the time it was generated.
3. Download and copy the generated token.
4. In the All Published APIs window, click the url link listed under the Documentation column. The Central Network Management APIs page is displayed.
5. On the left navigation pane, select Configuration from the URL drop-down list.
6. Paste the token key in the Token field and press enter.
7. Click NB UI Group Configuration. The following options are displayed:

- Set country code at group level ([PUT]/configuration/v1/country)--This API allows you to set the country code for multiple groups at once. Aruba Central currently allows country codes of up to 50 Instant AP device groups to be configured simultaneously. To set the country codes of multiple groups, enter the group names and country code as inputs corresponding to the groups and country labels respectively in the script { "groups": [ "string" ], "country": "string" } within the set_group_config_country_code text box.
- Get country code set for group ([GET]/configuration/v1/{group}/country)--This API allows you to retrieve the country code set for a specific Instant AP group. To get the country code information of the Instant AP group, enter the name of the group for which the country code is being queried corresponding to the country label in the script { "country": "string"} within the group text box.

The APIs for setting and retrieving country code information are not available for the Instant AP devices deployed in template groups.
The following are the response messages displayed in the Set country code at group level and Get country code set for group sections:

Table 125: Response Messages

Set country code at group level:

- 201 - Successful operation
- 400 - Bad Request
- 401 - Unauthorized access, authentication required
- 403 - Forbidden, do not have write access for group
- 413 - Request-size limit exceeded
- 417 - Request-size limit exceeded
- 429 - API Rate limit exceeded
- 500 - Internal Server Error
- 503 - Service unavailable, configuration update in progress

Get country code set for group:

- 400 - Bad Request
- 401 - Unauthorized access authentication required
- 403 - Forbidden, do not have read access for group
- 413 - Request-size limit exceeded
- 417 - Request-size limit exceeded
- 429 - API Rate limit exceeded
- 500 - Internal Server Error
- 503 - Service unavailable, configuration update in progress

For further details on APIs, see https://app1-apigw.central.arubanetworks.com/swagger/central.

Configuring Device Parameters

To configure device parameters on an access point (AP), complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Configure the parameters described below:

Table 126: Access Points Configuration Parameters

UI: Basic Info

Name: Configure a name for the Instant AP. For Instant APs running Aruba InstantOS 8.7.0.0 or later versions, you can enter up to 128 ASCII or non-ASCII characters. For Instant APs running Aruba InstantOS 8.6.0.0 or earlier versions, you can enter up to 32 ASCII or non-ASCII characters.

AP Zone: Configure the Instant AP zone. For Instant APs running Aruba InstantOS 6.5.4.7 or later versions, and 8.3.0.0 or later versions, you can configure multiple AP zones by adding zone names as comma separated values. Aruba recommends that you do not configure zones in both SSID and in the Per AP settings of an Instant AP. If the same zones are configured in SSID and Per AP settings, APs may broadcast the SSIDs, but if the SSIDs and Per AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see Aruba Instant User Guide.

RF Zone: Allows you to create an RF zone for the Instant AP. With RF zone, you can configure different power transmission settings for APs in different zones or sections of a deployment site. For example, you can configure power transmission settings to make Wi-Fi available only for the devices in specific areas of a store. You can also configure separate RF zones for the 2.4 GHz and 5 GHz radio bands for the Instant APs in a cluster. For more information, see Configuring Radio Parameters. Aruba recommends that you configure RF zone for either individual AP or for the cluster. Any discrepancy in the RF zone names may lead to configuration errors.

Swarm Mode: Allows you to set one of the following operation modes:
- Cluster--Allows an Instant AP to operate in the cluster mode. When an Instant AP operates in the cluster mode, it can form a cluster with other virtual controller Instant APs in the same VLAN.
- Standalone--Allows an Instant AP to operate in the standalone mode. When an Instant AP operates in the standalone mode, it cannot join a cluster of Instant APs even if the Instant AP is in the same VLAN.
- Single-AP--Allows an Instant AP to operate in the single AP mode that is specifically designed for Instant AP deployments with only one AP in the site. This mode is a type of standalone AP deployment with additional security when the AP is directly facing a WAN connection. When configured as a single AP, the AP will not send or receive management frames such as mobility packets, roaming packets, and hierarchy beacons through the uplink port.
NOTE: After changing the AP operation mode, ensure that you reboot the Instant AP.

LACP Mode: Allows you to set one of the following LACP modes:
- Active--Allows you to enable the LACP on an Instant AP. In this mode, both the ethernet ports on the Instant AP form a static LAG.
- Passive--Allows you to set the LACP on an Instant AP in a passive mode.
- Disabled--Allows you to disable the LACP on an Instant AP.

Preferred Conductor: Select the Preferred Conductor check-box to provision the Instant AP as a conductor Instant AP. After provisioning the Instant AP as a conductor Instant AP, ensure that you reboot the AP.

IP Address For Access Point: Select one of the following options:
- Get IP Address from DHCP server--Allows the Instant AP to get an IP address from the DHCP server. By default, the Instant APs obtain IP address from a DHCP server.
- Static--You can also assign a static IP address to the Instant AP. To specify a static IP address for the Instant AP, complete the following steps:
  - Enter the new IP address for the Instant AP in the IP Address text-box.
  - Enter the subnet mask of the network in the Netmask text-box.
  - Enter the IP address of the default gateway in the Default Gateway text-box.
  - Enter the IP address of the DNS server in the DNS Server text-box.
  - Enter the domain name in the Domain Name textbox.
You can configure up to two DNS servers separated by a comma. If the first DNS server goes down, the second DNS server takes control of resolving the domain name.

UI: Radio

Dual 5G Mode: Select the Dual 5G Mode check-box to enable the dual 5G mode. In the Dual 5G Mode, the Mode remains as Access and is non-editable. The Dual 5G Mode is only supported on AP-344 and AP-345 running on Aruba InstantOS 8.3.0.0. For more information, see Configuring Dual 5 GHz Radio Bands on an Instant AP.

Split Radio: Select the Split Radio check-box to allow the radios of the Instant AP to operate in the tri-radio mode. The Split Radio is only supported on AP-555 running on Aruba InstantOS 8.5.0.0. For more information, see About TriRadio Mode.

Enable Radio: Select the Enable Radio check-box under 2.4GHz Band and 5 GHz Band to enable the radio.

Mode: From the Mode drop-down list, select any of the following options:
- Access--In this mode, the Instant AP serves clients, while also monitoring for rogue Instant APs in the background.
- Monitor--In this mode, the Instant AP acts as a dedicated monitor, scanning all channels for rogue Instant APs and clients.
- Spectrum--In this mode, the Instant AP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring Instant APs or from non-Wi-Fi devices such as microwaves and cordless phones. For more information, see Spectrum Scan Overview.
To get accurate monitoring details and statistics, it is highly recommended to reboot the Instant APs once the Instant APs are toggled from the 2.4 or 5 GHz mode to dual 5 GHz radio mode or vice-versa.
The access, spectrum, and monitor mode of the radios of an access point is available for Foundation and Advanced licenses for APs.

Adaptive radio management assigned: You can configure a radio profile on an Instant AP either manually or by configuring the Adaptive radio management assigned option. Adaptive Radio Management (ARM) feature is enabled on Aruba Central by default. It automatically assigns appropriate channel and power settings for the Instant APs.

Administrator assigned: You can also assign an administrator by using the Administrator assigned option and selecting the number of channels in the Channel drop-down list. In the Transmit Power field, enter the signal strength measured in dBm.

UI: Installation

Installation Type: Configure the Installation Type of the Instant AP. The Installation Type drop-down consists of the following options:
- Default--Select this option to change the installation type to the default mode.
- Indoor--Select this option to change the installation type to the indoor mode.
- Outdoor--Select this option to change the installation type to the outdoor mode.
The options in the Installation Type drop-down are listed based on the Instant AP model.

UI: Uplink

Uplink Management VLAN: The uplink traffic on Instant AP is carried out through a management VLAN. However, you can configure a non-native VLAN as an uplink management VLAN. After an Instant AP is provisioned with the uplink management VLAN, all management traffic sent from the Instant AP is tagged to the management VLAN. To configure a non-native uplink VLAN, click Uplink and specify the VLAN in Uplink Management VLAN.

Eth0 Mode: Allows you to change the Eth0 bridging mode in your wired network. The Eth0 Mode drop-down consists of the following options:
- Uplink--Select this option to change the Eth0 bridging mode to the uplink port.
- Downlink--Select this option to change the Eth0 bridging mode to the downlink port.

Eth1 Mode: Allows you to change the Eth1 bridging mode in your wired network.
The Eth1 Mode drop-down consists of the following options:
- Default--Select this option to change the Eth1 bridging mode to the default port.
- Uplink--Select this option to change the Eth1 bridging mode to the uplink port.
- Downlink--Select this option to change the Eth1 bridging mode to the downlink port.

USB Port: Select the USB Port check-box if you do not want to use the cellular uplink or 3G/4G modem in your current network setup.

PEAP User: Create the PEAP user credentials for certificate based authentication. Enter the username, password, and retype password in the Username, Password, and Retype Password field for creating the PEAP user.

UI: Mesh

Mesh enable: Select the Mesh enable check-box to allow mesh access points to form mesh network. The mesh feature ensures reliability and redundancy by allowing the network to continue operating even when an Instant AP is nonfunctional or if the device fails to connect to the network. For more information, see Configuring Mesh Instant AP.

Clusterless mesh name: Enter the name of mesh access points that do not belong to any cluster. The Clusterless mesh name field is disabled when the Mesh enable option is enabled.

Clusterless mesh key: Enter the key of the mesh access points that do not belong to any cluster. The Clusterless mesh key field is disabled when the Mesh enable option is enabled.

Retype: Re-enter the clusterless mesh key. The Retype is disabled when the Mesh enable option is enabled.

UI: External Antenna

Antenna Gain: Enter the Antenna Gain values in dBi for the 2.4 GHz Antenna Gain and the 5 GHz Antenna Gain. For more information, see Configuring External Antenna.

Antenna Polarization Type: From the Antenna Polarization Type drop-down list, select any of the following:
- co-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be same.
- cross-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be different.
The integrated antenna of the wireless bridge sends a radio signal that is polarized in a particular direction. The receive sensitivity of the antenna is also higher for radio signals that have the same polarization. To maximize the performance of the wireless link, both antennas must be set to the same polarization direction.

6. Click Save Settings and then reboot the Instant AP.

Configuring Systems

This section describes how to configure the General, Administrator, Time-Based Services, DHCP, Layer-3 Mobility, Enterprise Domains, Logging, SNMP, WISPr, Proxy, Named VLAN Mapping, and IPM parameters on an Instant AP.
- Configuring System Parameters for an AP
- Configuring Users Accounts for the Instant AP Management Interface
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring DHCP Pools and Client IP Assignment Modes on Instant APs
- Configuring Mobility for Clients
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Configuring SNMP Parameters
- Supported Authentication Methods
- Configuring HTTP Proxy on an Instant AP
- Configuring VLAN Name and VLAN ID
- Configuring Intelligent Power Monitoring

Configuring VLAN Name and VLAN ID

Aruba Central allows you to map a VLAN name to a VLAN ID for the ease of identifying the existing VLANs. To map a VLAN name to a VLAN ID, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Named VLAN Mapping accordion.
7. Click the + icon in the VLAN Name to VLAN ID Mapping pane. The VLAN Name to VLAN ID Mapping window is displayed.
8. In the VLAN Name to VLAN ID Mapping window, enter the VLAN Name and VLAN ID.
9. Click OK.
The VLAN Name to VLAN ID Mapping table in the Named VLAN Mapping section lists all the mapped VLANs.

You can find the Named VLAN Mapping feature applied in the following fields of corresponding UI pages of Aruba Central:
- The VLAN ID field in the VLANs tab, when Custom for Instant AP Assigned and Static for External DHCP server assigned is selected during WLAN SSID creation. For more information, see Creating a Wireless Network Profile.
- The VLAN ID field in the VLANs tab, when Custom for Instant AP Assigned and Static for External DHCP server assigned is selected during wired port profile creation. For more information, see Configuring Wired Port Profiles on Instant APs.
- The Access rules page in the Interfaces > Access tab and the WLANs > Access tab, when you add rules for selected roles. Select VLAN Assignment as the rule type in the Access rules page to find the mapped VLAN name in the VLAN ID field.
You can also map VLAN ID to a VLAN name when you customize the Client VLAN Assignment configuration in VLANs tab during network profile creation. For more information, see VLANs Parameters.

Points to Remember
- The maximum number of Named VLAN ID Mapping allowed in Aruba Central is 32.
- VLAN mapping cannot be performed if the VLAN name does not exist.
- The VLAN mapping record is deleted from the VLAN Name to VLAN ID Mapping table when the VLAN name is deleted.
- You can only map a single VLAN ID to a VLAN name.
- The VLAN name field is not case-sensitive.

Configuring External Antenna

If the Instant AP has external antenna connectors, you need to configure the transmit power of the system.
The configuration must ensure that the system's EIRP is in compliance with the limit specified by the regulatory authority of the country in which the Instant AP is deployed. You can also measure or calculate additional attenuation between the device and antenna before configuring the antenna gain. To find out whether the Instant AP device supports external antenna connectors, see the Installation Guide that is shipped along with the Instant AP device.

EIRP and Antenna Gain

The following formula can be used to calculate the EIRP limit related RF power based on selected antennas (Antenna Gain) and feeder (Coaxial Cable Loss):

EIRP = Tx RF Power (dBm) + GA (dB) - FL (dB)

The following table describes this formula:

Table 127: Formula Variable Definitions

EIRP: Limit specific for each country of deployment.
Tx RF Power: RF power measured at RF connector of the unit.
GA: Antenna gain
FL: Feeder loss

Configuring Antenna Gain

To configure antenna gain for Instant APs with external connectors, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Click the External Antenna tab.
6. Enter the Antenna Gain values in dBi for the 2.4 GHz Antenna Gain and the 5 GHz Antenna Gain.
7. From the Antenna Polarization Type drop-down list, select any of the following:
   - co-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be same.
   - cross-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be different.
8. Click Save Settings.
After configuring the external antenna parameters, ensure that you reboot the Instant AP.

Adding an Instant AP

To add an Instant AP to Aruba Central, assign an IP address and a subscription. After an Instant AP is connected to the network and if the Auto Join Mode feature is enabled, the Instant AP inherits the configuration from the virtual controller and is listed in the Access Points tab.

Deleting an Instant AP from the Network

To delete an Instant AP, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. In the Access Points table, hover over the offline AP that you want to delete.
4. Click the delete icon.

Configuring Intelligent Power Monitoring

The Intelligent Power Monitoring (IPM) feature actively measures the power utilization of an AP and dynamically adapts to the power resources. IPM allows you to define the features that must be disabled to save power, allowing the APs to operate at a lower power consumption without hampering the performance of the related features. This feature constantly monitors the AP power consumption and adjusts the power saving IPM features within the power budget. IPM dynamically limits the power requirement of an AP as per the available power resources.
IPM applies a sequence of power reduction steps as defined by the priority definition until the AP functions within the power budget. This happens dynamically as IPM constantly monitors the AP power consumption and applies the next power reduction step in the priority list if the AP exceeds the power threshold. To manage this prioritization, you can create IPM policies to define a set of power reduction steps and associate them with a priority. The IPM policies, when applied to the AP, are based on IPM priorities, where the IPM policy can be configured to disable or reduce certain features in a specific sequence to reduce the AP power consumption below the power budget. IPM priority settings are defined by integer values, where the lower values have the highest priority and are implemented first.

The Intelligent Power Monitoring feature is available only on AP devices running Aruba InstantOS 8.6.0.3.

To configure Intelligent Power Monitoring, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the IPM accordion.
7. Select the IPM Activation check box to enable IPM.
8. Click the + icon in the IPM Power Reduction Steps With Priorities pane. The IPM Power Reduction Steps With Priorities window is displayed.
9. In the IPM Step Priority field, enter a value from 1 to 16 to define IPM priority.
10. From the IPM Step drop-down list, select a setting as described in the following table:

Table 128: Intelligent Power Monitoring Step Parameters

cpu_throttle_25: Reduces CPU frequency to 25% of normal.
cpu_throttle_50: Reduces CPU frequency to 50% of normal.
cpu_throttle_75: Reduces CPU frequency to 75% of normal.
disable_alt_eth: Disables the second Ethernet port.
disable_pse: Disables Power Sourcing Equipment (PSE).
disable_usb: Disables USB.
radio_2ghz_chain_1: Reduces 2 GHz chains to 1x1.
radio_2ghz_chain_2: Reduces 2 GHz chains to 2x2.
radio_2ghz_chain_3: Reduces 2 GHz chains to 3x3.
radio_2ghz_power_3dB: Reduces 2 GHz radio power by 3 dB from the maximum value.
radio_2ghz_power_6dB: Reduces 2 GHz radio power by 6 dB from the maximum value.
radio_5ghz_chain_1: Reduces 5 GHz chains to 1x1.
radio_5ghz_chain_2: Reduces 5 GHz chains to 2x2.
radio_5ghz_chain_3: Reduces 5 GHz chains to 3x3.
radio_5ghz_power_3dB: Reduces 5 GHz radio power by 3 dB from the maximum value.
radio_5ghz_power_6dB: Reduces 5 GHz radio power by 6 dB from the maximum value.

11. Click OK. The IPM Power Reduction Steps With Priorities table in the IPM section lists all the IPM settings.
12. Click Save Settings and reboot the Instant AP for changes to take effect.

The following figure shows the IPM steps and priorities listed in the IPM Power Reduction Steps With Priorities table:

Figure 137 IPM Steps and Priorities

Setting a low-priority value for a power reduction step reduces the power level sooner than setting a high-priority value for a power reduction step. However, if the power reduction step is of the same type but different level, the smallest reduction should be allocated the lowest priority value so that the power reduction step takes place earlier. For example, the cpu_throttle_25 or radio_2ghz_power_3dB parameter should have a lower priority level than the cpu_throttle_50 or radio_2ghz_power_6dB, respectively, so that Intelligent Power Monitoring reduces the CPU throttle or power usage based on the priority list.

Points to Remember
- By default, Intelligent Power Monitoring is disabled.
- When enabled, IPM enables all Instant AP functionality initially.
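
The ordering rules in this section can be checked before a policy is entered in the IPM Power Reduction Steps With Priorities window. The following Python code is an added example, not part of Aruba Central or of the original guide: it models a policy as (priority, step) pairs (an assumption, since the guide defines no file format), flags priorities outside 1 to 16, unknown steps and same-type steps in the wrong order, then walks a policy against a power budget. The milliwatt savings are constructed values, and the position of cpu_throttle_75 and the rule that one level of a type replaces the previous one are assumptions.

```python
# Added example: lint an IPM policy against the rules stated in this section.
# A policy is a list of (priority, step) pairs (assumed representation).

# Steps from Table 128 that have no levels.
SINGLE_STEPS = {"disable_alt_eth", "disable_pse", "disable_usb"}

# Same-type steps, listed in the order they should be applied. The guide asks
# for the smallest reduction to carry the lowest priority value. The power
# order is the guide's own example; the chain order follows from that rule
# (3x3 is a smaller cut than 1x1). The CPU order copies the guide's example
# (25 before 50); placing 75 last is an assumption.
LADDERS = [
    ["cpu_throttle_25", "cpu_throttle_50", "cpu_throttle_75"],
    ["radio_2ghz_power_3dB", "radio_2ghz_power_6dB"],
    ["radio_5ghz_power_3dB", "radio_5ghz_power_6dB"],
    ["radio_2ghz_chain_3", "radio_2ghz_chain_2", "radio_2ghz_chain_1"],
    ["radio_5ghz_chain_3", "radio_5ghz_chain_2", "radio_5ghz_chain_1"],
]
LADDER_STEPS = {step for ladder in LADDERS for step in ladder}
IPM_STEPS = SINGLE_STEPS | LADDER_STEPS


def lint(policy):
    """Return a list of findings; an empty list means no rule is broken."""
    findings, prio = [], {}
    for priority, step in policy:
        if not isinstance(priority, int) or not 1 <= priority <= 16:
            findings.append(f"{step}: priority {priority!r} is outside 1..16")
        if step not in IPM_STEPS:
            findings.append(f"{step}: not a step listed in Table 128")
        else:
            prio[step] = priority
    for ladder in LADDERS:
        present = [s for s in ladder if s in prio]
        for first, second in zip(present, present[1:]):
            if prio[first] >= prio[second]:
                findings.append(
                    f"{first} (priority {prio[first]}) needs a lower priority "
                    f"value than {second} (priority {prio[second]})"
                )
    return findings


def family(step):
    """Levels of one type replace each other, so they share a family name."""
    return step.rsplit("_", 1)[0] if step in LADDER_STEPS else step


def simulate(policy, full_draw_mw, budget_mw, saving_mw):
    """Apply steps in ascending priority value until the draw fits the budget."""
    in_force, applied = {}, []
    for _, step in sorted(policy):
        if full_draw_mw - sum(in_force.values()) <= budget_mw:
            break
        in_force[family(step)] = saving_mw[step]
        applied.append(step)
    return applied, full_draw_mw - sum(in_force.values())


# Constructed sample policies.
GOOD = [(1, "disable_usb"), (2, "radio_2ghz_power_3dB"),
        (3, "radio_2ghz_power_6dB"), (4, "radio_5ghz_chain_3"),
        (5, "radio_5ghz_chain_2")]
BAD = [(1, "radio_2ghz_power_6dB"), (2, "radio_2ghz_power_3dB"),
       (0, "disable_usb"), (3, "disable_wifi")]

# Constructed savings in milliwatts relative to full power, not Aruba figures.
SAVING_MW = {"disable_usb": 1000, "radio_2ghz_power_3dB": 500,
             "radio_2ghz_power_6dB": 1500, "radio_5ghz_chain_3": 700,
             "radio_5ghz_chain_2": 1400}

if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(policy) or "no findings")
    print(simulate(GOOD, 20000, 18000, SAVING_MW))
```

With the sample budget, the walk stops after the third step, so the 5 GHz chains are left untouched.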
IPM then proceeds to shut down or restrict functionality if the power usage of the AP goes beyond the power budget of the Instant AP.

Configuring Dual 5 GHz Radio Bands on an Instant AP

Aruba Central provides an option to retrieve the radio numbers of Instant AP through the APIs. It also provides an option to filter AP details using radio numbers in the AP monitoring dashboard. For regular Instant APs with non-dual band, Central automatically assigns Radio 1 to 2.4 GHz band and Radio 0 to 5 GHz band respectively.

To retrieve the radio numbers through API, complete the following steps:
1. In the Account Home page, click API Gateway. The API Gateway page is displayed.
2. Click the APIs tab. The token key is valid only for 2 hours from the time it was generated.
3. In the All Published APIs window, click the URL link listed under the Documentation column. The Central Network Management APIs page is displayed.
4. On the left navigation pane, select Monitoring from the URL drop-down list.
5. Click API Reference > AP. The following APIs allow you to retrieve the radio number for the APs:

Table 129: APIs to Get Radio Number in APs

[GET]/monitoring/v1/aps/{serial}/neighbouring_clients: Allows you to filter data of neighbouring clients for a specific radio number in a given time period. When there is no radio number entered in the radio_number field, the API filters the data of neighbouring clients for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the data of neighboring clients for a specific radio number.

[GET]/monitoring/v1/aps/rf_summary: Retrieves information on RF summary such as channel utilization and noise floor in positive, errors, drops for a given time period. This API can also be used to filter RF health statistics for a specific radio number in a given time period. When there is no radio number entered in the radio_number field, the API filters the RF health statistics for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the RF health statistics for a specific radio number.

[GET]/monitoring/v1/aps/bandwidth_usage: This API can also be used to filter out bandwidth usage data for a specific radio number in a given time period. When there is no radio number entered in the radio_number field, the API filters the bandwidth usage for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the bandwidth usage for a specific radio number.

6. On the left navigation pane, click API Reference > Client. The following APIs allow you to retrieve the radio number for the total number of clients connected:

Table 130: APIs to Get Radio Number in Connected Clients

[GET]/monitoring/v1/clients/count: This API is used to filter out the data for connected clients for a specific radio number of AP in a given time period. When there is no radio number entered in the radio_number field, the API filters the clients count for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the total count of clients for a specific radio number.

For further details on APIs, see https://app1-apigw.central.arubanetworks.com/swagger/central.

Support for Dual 5 GHz AP

Aruba Central supports automatic opmode selection for dual 5 GHz AP. When the opmode is set to automatic, AirMatch determines whether to convert a radio in an AP to 5 GHz operation instead of the 2.4 GHz and 5 GHz dual band operation. Automatic is the default dual 5G mode, where AirMatch detects the optimal mode for the radios (dual band or dual 5G) and updates the running opmode without requiring an AP reboot between the mode changes.
Manual setting of dual band and dual 5G is possible and the manual setting overrides the automatic mode and explicitly enables or disables the dual 5G mode. In this scenario, the AP immediately switches to the specified mode without a reboot and AirMatch maintains the specified channel and power assignments in the specified mode.

Automatic mode is not supported on AP-344. By default, AP-344 assumes the automatic mode to be the same as dual 5G disabled and operates in the dual band mode. To switch AP-344 to dual 5G mode, select the Dual 5G Mode check-box.

To configure automatic opmode selection for dual 5 GHz AP, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Click the Radio tab.
6. Set Dual 5G Mode to Automatic.
7. Optionally, specify the manual channel by setting Channel Assignment to Manual.
8. Optionally, specify the transmit power by setting Transmit Power Assignment to Manual.
9. Click Save Settings.

Configuring System Parameters for an AP

To configure system parameters for an AP, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the General accordion and configure the following parameters:

Table 131: System Parameters

Virtual Controller: This parameter configuration is only applicable for APs that operate in a cluster deployment environment. To configure the virtual controller name and IP address, click edit icon and update the name and IP address. The IP address serves as a static IP address for the multi-AP network. When configured, this IP address is automatically provisioned on a shadow interface on the AP that takes the role of a virtual controller. The AP sends three ARP messages with the static IP address and its MAC address to update the network ARP cache.
- Name--Name of the virtual controller.
- IP address--IPv4 address configured for the virtual controller. The IPv4 address uses the 0.0.0.0 notation.
- IPv6 address--IPv6 address configured for the virtual controller. You can configure IPv6 address for the virtual controller only if the Allow IPv6 Management feature is enabled.
IPv6 is the latest version of IP that is suitable for large-scale IP networks. IPv6 supports a 128-bit address to allow 2^128, or approximately 3.4×10^38 addresses while IPv4 supports only 2^32 addresses. The IP address of the IPv6 host is always represented as eight groups of four hexadecimal digits separated by colons. For example, 2001:0db8:0a0b:12f0:0000:0000:0000:0001. However, the IPv6 notation can be abbreviated to compress one or more groups of zeroes or to compress leading or trailing zeroes; for example, 2001:db8:a0b:12f0::0:0:1.

Set Country code for group: To configure a country code for the AP at the group level, select the country code from the Set Country code for group drop-down list. By default, no country code is configured for the AP device groups. When a country code is configured for the group, it takes precedence over the country code setting configured at the device level.

Timezone: To configure a time zone, select a time zone from the Timezone drop-down list. If the selected time zone supports DST, the UI displays the "The selected country observes Daylight Savings Time" message.

Preferred Band: Assign a preferred band by selecting an appropriate option from the Preferred Band drop-down list. Reboot the AP after modifying the radio profile for changes to take effect.

NTP Server: This parameter allows you to configure NTP servers for the Instant AP. Up to four NTP servers can be configured for the AP, each one separated by a comma. To facilitate communication between various elements in a network, time synchronization between the elements and across the network is critical. Time synchronization allows you to:
- Trace and track security gaps, network usage, and troubleshoot network issues.
- Validate certificates.
- Map an event on one network element to a corresponding event on another.
- Maintain accurate time for billing services and similar.
NTP helps obtain the precise time from a server and regulate the local time in each network element. Connectivity to a valid NTP server is required to synchronize the AP clock to set the correct time. If NTP server is not configured in the AP network, an AP reboot may lead to variation in time data.
By default, the AP tries to connect to pool.ntp.org to synchronize time. The NTP server can also be provisioned through the DHCP option 42. If the NTP server is configured, it takes precedence over the DHCP option 42 provisioned value.
The NTP server provisioned through the DHCP option 42 is used if no server is configured. The default server pool.ntp.org is used if no NTP server is configured or provisioned through DHCP option 42. To configure an NTP server, enter the IP address or the URL of the NTP server and reboot the AP to apply the configuration changes.

Virtual Controller Netmask, Virtual Controller Gateway, Virtual Controller DNS, Virtual Controller VLAN: This parameter configuration is only applicable for APs that operate in a cluster deployment environment. The IP configured for the virtual controller can be in the same subnet as AP or can be in a different subnet. Ensure that you configure the virtual controller VLAN, gateway, and subnet mask details only if the virtual controller IP is in a different subnet. Ensure that virtual controller VLAN is not the same as native VLAN of the AP.

DHCP Option 82 XML: The DHCP Option 82 XML is not applicable for cloud APs. DHCP Option 82 XML can be customized to cater to the requirements of any ISP using the conductor AP. To facilitate customization using an XML definition, multiple parameters for Circuit ID and Remote ID options of DHCP Option 82 XML are introduced. The XML file is used as the input and is validated against an XSD file in the conductor AP. The format in the XML file is parsed and stored in the DHCP relay which is used to insert Option 82 related values in the DHCP request packets sent from the client to the server. From the drop-down list, select one of the following XML files:
- default_dhcpopt82_1.xml
- default_dhcpopt82_2.xml
For more information, see Configuring DHCP Scopes on Instant APs.

Dynamic CPU Utilization: APs perform various functions such as wired and wireless client connectivity and traffic flows, wireless security, network management, and location tracking. If an AP is overloaded, prioritize the platform resources across different functions. Typically, the APs manage resources automatically in real time.
However, under special circumstances, if dynamic resource management needs to be enforced or disabled altogether, the dynamic CPU management feature settings can be modified. To configure dynamic CPU management, select any of the following options from Dynamic CPU Utilization.
- Automatic--When selected, the CPU management is enabled or disabled automatically during run-time. This decision is based on real time load calculations taking into account all different functions that the CPU needs to perform. This is the default and recommended option.
- Always Disabled in all APs--When selected, this setting disables CPU management on all APs, typically for small networks. This setting protects user experience.
- Always Enabled in all APs--When selected, the client and network management functions are protected. This setting helps in large networks with high client density.

Auto-Join Mode: When enabled, APs can automatically discover the virtual controller and join the network. The Auto-Join Mode feature is enabled by default.

APs allowed for Auto-Join Mode: Displays the number of APs allowed for Auto-Join Mode.
- Click View Allowed APs to view the details of AP allowed for Auto-Join mode.
- Click Hide Allowed APs to hide the details of AP allowed for Auto-Join mode.
When Auto-Join Mode is enabled, the APs are automatically discovered and are allowed to join the cluster. When the Auto-Join Mode is disabled on the AP, the list of allowed APs on Aruba Central may not be synchronized or up-to-date. In such cases, you can manually add a list of APs that can join the AP cluster in the Aruba Central UI. To manually add the list of allowed AP devices, complete the following steps:
1. Under View Allowed APs, click + in the Allowed APs pane.
2. In the Add Allowed AP window, enter the MAC address of the AP in the MAC Address field.
3. Click Save.

Allow IPv6 Management: Enables IPv6 address configuration for the virtual controller. You can configure an IPv6 address for a virtual controller IP only when Allow IPv6 Management feature is enabled.

Uplink switch native VLAN: Allows you to specify a VLAN ID, to prevent the AP from sending tagged frames for clients connected on the SSID that uses the same VLAN as the native VLAN of the switch. By default, the AP considers the native VLAN of the upstream switch, to which it is connected, as the VLAN ID 1.

Terminal Access: When enabled, the users can access the AP CLI through SSH.

Login Session Timeout: Allows you to set a timeout for login session.

Console Access: When enabled, the users can access AP through the console port.

WebUI Access: If an AP is connected to Aruba Central, you can use this option to disable AP Web UI access and any communication via HTTPS or SSH. If you enable this feature, you can manage the AP only from Aruba Central.

Telnet Server: When enabled, the users can start a Telnet session with the AP CLI.

LED Display: Enables or disables the LED display for all APs in a cluster. The LED display is always enabled during the AP reboot.

Extended SSID: Extended SSID is enabled by default in the factory default settings of APs. This disables mesh in the factory default settings. For AP devices that support Aruba Instant 8.4.0.0 firmware versions and above, you can configure up to 14 SSIDs. By enabling Extended SSID, you can create up to 16 networks.

Advanced Zone: Turn on the Advanced Zone toggle switch to broadcast the same ESSIDs on APs that are part of the same AP zone in a cluster.
NOTE: When the advanced-zone feature is enabled and a zone is already configured with 16 SSIDs, ensure to remove the zone from two WLAN SSID profiles if you want to disable extended SSID.

Deny Inter User Bridging--If you have security and traffic management policies defined in upstream devices, you can disable bridging traffic between two clients connected to the same AP on the same VLAN. When inter-user bridging is denied, the clients can connect to the Internet but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision. To disable inter-user bridging, turn off the Deny Inter User Bridging toggle switch.

Deny Local Routing--If you have security and traffic management policies defined in upstream devices, you can disable routing traffic between two clients connected to the same AP on different VLANs. When local routing is disabled, the clients can connect to the Internet but cannot communicate with each other, and the routing traffic between the clients is sent to the upstream device to make the forwarding decision. To disable local routing, move the slider to the right.

Dynamic RADIUS Proxy--If your network has separate RADIUS authentication servers (local and centralized servers) for user authentication, you may want to enable Dynamic RADIUS proxy to route traffic to a specific RADIUS server. When Dynamic RADIUS proxy is enabled, the IP address of the virtual controller is used for communication with external RADIUS servers. To enable Dynamic RADIUS Proxy, you must configure an IP address for the Virtual Controller and set it as a NAS client in the RADIUS server profile.

Dynamic TACACS Proxy--If you want to route traffic to different TACACS servers, enable Dynamic TACACS Proxy. When enabled, the AP cluster uses the IP address of the Virtual Controller for communication with external TACACS servers. If an IP address is not configured for the Virtual Controller, the IP address of the bridge interface is used for communication between the AP and TACACS servers.
However, if a VPN tunnel exists between the Instant AP and TACACS server, the IP address of the tunnel interface is used.

Cluster Security--This parameter is required to be set only for APs that operate in a cluster deployment environment. Enables or disables the cluster security feature. When enabled, the control plane communication between the AP cluster nodes is secured. The Disallow Non-DTLS Members toggle switch appears. Turn on the toggle switch to allow member APs to join a DTLS enabled cluster. For secure communication between the cluster nodes, the Internet connection must be available, or at least a local NTP server must be configured. After enabling or disabling cluster security, ensure that the configuration is synchronized across all devices in the cluster, and then reboot the cluster. The Disallow Non-DTLS Members feature is only supported in AP devices supporting Aruba Instant 8.4.0.0 firmware versions and above.

Low Assurance PKI--Turn on the toggle switch to allow low assurance devices that use a non-TPM chip in the network. To enable the cluster security feature, turn on the Low Assurance PKI toggle switch. For more information on Low Assurance PKI, refer to the Cluster Security section in Aruba Instant User Guide. The Low Assurance PKI toggle switch is supported in AP devices running Aruba Instant 6.5.3.0 firmware versions and later.

Mobility Access Switch Integration--Turn on the toggle switch to enable LLDP protocol for Mobility Access Switch integration. With this protocol, APs can instruct the switch to turn off ports where rogue access points are connected, as well as take actions such as increasing PoE priority and automatically configuring VLANs on ports where APs are connected.

URL Visibility--Turn on the toggle switch to enable URL data logging for client HTTP and HTTPS sessions and allow APs to extract URL information and periodically log it on ALE for DPI and application analytics.

Restrict uplink port to specified VLANs--Turn on the toggle switch to restrict the uplink port to the specified VLANs.

VOIP QOS Trust--Turn on the toggle switch to enable the RTP traffic based on the DSCP value set by the end user device.

7. Click Save Settings.

Enabling 802.1X Authentication on Uplink Ports of an AP

If your network requires all wired devices to authenticate using PEAP or TLS protocol, you must enable 802.1X authentication type on uplink ports of an AP, so that the APs are granted access only after completing the authentication as a valid client.
To enable 802.1X authentication on uplink ports using PEAP or TLS protocol, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Expand the AP1X section.
   - To set PEAP based authentication, select PEAP in the AP1X Type drop-down list. If you select PEAP protocol, ensure that the PEAP User is configured on the uplink port by selecting an AP group and navigating to Uplink section in the Access Points tab.
   - To set TLS based authentication:
     a. Select TLS in the AP1X Type drop-down list.
     b. Select User in the Certificate Type drop-down list.
8. Select the Validate Server check-box to validate the server credentials using server certificate. Ensure that the server certificates for validating server credentials are available in the Instant AP database.
9. Click Save Settings.

Configuring HTTP Proxy on an Instant AP

If your network requires a proxy server for Internet access, ensure that you configure the HTTP proxy on the Instant AP to download the image from the cloud server. After setting up the HTTP proxy settings, the Instant AP connects to the Activate server, Aruba Central, or OpenDNS server through a secure HTTP connection. You can also exempt certain applications from using the HTTP proxy (configured on an Instant AP) by providing their host name or IP address under Exception. Aruba Central allows the user to configure HTTP proxy on an Instant AP.
To configure HTTP proxy on Instant AP through Aruba Central, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Proxy accordion and specify the following:
   a. Enter the HTTP proxy server IP address in the Server text-box.
   b. Enter the port number in the Port text-box.
7. Click Save Settings.
Aruba Central displays the Username, Password, and Retype Password fields under System > Proxy for Instant AP running Aruba Instant 8.3.0.0. The Instant APs with the Aruba InstantOS 8.3.0.0 firmware require user credentials for proxy server authentication.

Configuring Network Profiles on Instant APs

This section describes the following procedures:
- Configuring Wireless Network Profiles on Instant APs
- Configuring Wireless Networks for Guest Users on Instant APs
- Configuring Wired Port Profiles on Instant APs
- Configuring Wired Networks for Guest Users on Instant APs
- Editing a Wireless Network Profile
- Deleting a Network Profile

Configuring Wireless Network Profiles on Instant APs

You can configure up to 14 SSIDs.
By enabling Extended SSID in the System > General accordion, you can create up to 16 networks. If more than 16 SSIDs are assigned to a zone and the extended zone option is disabled, an error message is displayed.
This section describes the following topics:
- Creating a Wireless Network Profile
- Configuring VLAN Settings for Wireless Network
- Configuring Security Settings for Wireless Network
- Configuring ACLs for User Access to a Wireless Network
- Viewing Wireless SSID Summary

Creating a Wireless Network Profile

To configure WLAN settings, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, click + Add SSID. The Create a New Network pane is displayed.
6. In General tab, enter a name that is used to identify the network in the Name (SSID) text-box.
7. Under Advanced Settings, configure the following parameters:

Table 132: Advanced Settings Parameters
Parameter--Description

Broadcast/Multicast

Broadcast filtering--Select any of the following values:
- All--The Instant AP drops all broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols.
- ARP--The Instant AP drops broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols. Additionally, it converts ARP requests to unicast and sends frames directly to the associated clients. By default, the Instant AP is configured to ARP mode.
- Unicast ARP Only--This option enables Instant AP to convert ARP requests to unicast frames thereby sending them to the associated clients.
- Disabled--All the broadcast and multicast traffic is forwarded to the wireless interfaces.

DTIM Interval--The DTIM Interval indicates the DTIM period in beacons, which can be configured for every WLAN SSID profile. The DTIM interval determines how often the Instant AP delivers the buffered broadcast and multicast frames to the associated clients in the power save mode. Range is 1 to 10 beacons. The default value is 1, which means the client checks for buffered data on the Instant AP at every beacon. You can also configure a higher DTIM value for power saving.

Multicast Transmission Optimization--Select the check-box if you want the Instant AP to select the optimal rate for sending broadcast and multicast frames based on the lowest of unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent up to a rate of 24 Mbps. The default rate for sending frames for 2.4 GHz is 1 Mbps and that for 5 GHz is 6 Mbps. This option is disabled by default.

Dynamic Multicast Optimization (DMO)--Select the check-box to allow Instant AP to convert multicast streams into unicast streams over the wireless link. Enabling DMO enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients.
NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.

DMO channel utilization threshold--Specify a value to set a threshold for DMO channel utilization. With DMO, the Instant AP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeds the maximum value, the Instant AP sends multicast traffic over the wireless link.
NOTE: This option will be enabled only when Dynamic Multicast Optimization is enabled.

Transmit Rates (Legacy Only)

2.4 GHz--If the 2.4 GHz band is configured on the Instant AP, specify the minimum and maximum transmission rates. The default value for minimum transmission rate is 1 Mbps and maximum transmission rate is 54 Mbps.

5 GHz--If the 5 GHz band is configured on the Instant AP, specify the minimum and maximum transmission rates. The default value for minimum transmission rate is 6 Mbps and maximum transmission rate is 54 Mbps.

Zone

Zone--Specify the zone for the SSID. If a zone is configured in the SSID, only the Instant AP in that zone broadcasts this SSID. If there are no Instant APs in the zone, SSID is broadcast. If the Instant AP cluster has devices running Aruba Instant firmware versions 6.5.4.7 or later, and 8.3.0.0 or later, you can configure multiple AP zones by adding zone names as comma separated values.
NOTE: Aruba recommends that you do not configure zones in both SSID and in the device specific settings of an Instant AP. If the same zones are configured in SSID and Per AP settings, APs may broadcast the SSIDs, but if the SSIDs and Per AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see Aruba Instant User Guide.

Bandwidth Control

Airtime--Select this to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.

Downstream--Enter the downstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per User check-box.
NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.

Upstream--Enter the upstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per user check-box.
NOTE: The bandwidth limit set in this method is implemented at the device level and not cluster level.

Each Radio--Select this to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients. The value ranges from 1 through 65535.

Enable 11n--When this option is selected, there is no disabling of High-Throughput (HT) on 802.11n devices for the 5 GHz radio band. If HT is enabled for the 5 GHz radio profile on an Instant AP, it is automatically enabled for all SSIDs configured on an Instant AP. By default, HT is enabled on all SSIDs.
NOTE: If you want the 802.11ac Instant APs to function as 802.11n Instant APs, clear this check-box to disable VHT on these devices.

Enable 11ac--When this option is selected, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an Instant AP, it is automatically enabled for all SSIDs configured on an Instant AP. By default, VHT is enabled on all SSIDs.
NOTE: If you want the 802.11ac Instant APs to function as 802.11n Instant APs, clear this check-box to disable VHT on these devices.

Enable 11ax--When this option is selected, VHT is enabled on the 802.11ax devices. If VHT is enabled for a radio profile on an Instant AP, it is automatically enabled for all SSIDs configured on an Instant AP. By default, VHT is enabled on all SSIDs.

WiFi Multimedia

Background Wifi Multimedia Share--Allocates bandwidth for background traffic such as file downloads or print jobs. Specify the appropriate DSCP mapping values within a range of 0-63 for the background traffic in the corresponding DSCP mapping text-box. Enter up to 8 values with no white space and no duplicate single DSCP mapping value.

Best Effort Wifi Multimedia Share--Allocates bandwidth for best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS.
Specify the appropriate DSCP mapping values within a range of 0-63 for the best effort traffic in the corresponding DSCP mapping text-box.

Video Wifi Multimedia Share--Allocates bandwidth for video traffic generated from video streaming. Specify the appropriate DSCP mapping values within a range of 0-63 for the video traffic in the corresponding DSCP mapping text-box.

Voice Wifi Multimedia Share--Allocates bandwidth for voice traffic generated from the incoming and outgoing voice communication. Specify the appropriate DSCP mapping values within a range of 0-63 for the voice traffic in the corresponding DSCP mapping text-box.
NOTE: In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best Effort Wifi Multimedia share and Voice Wifi Multimedia Share to allocate a higher bandwidth to clients transmitting best effort and voice traffic.

Traffic Specification (TSPEC)--Select this check-box if you want to set the TSPEC for the wireless network. The term TSPEC is used in wireless networks supporting the IEEE 802.11e Quality of Service standard. It defines a series of parameters, characteristics and Quality of Service expectations of a traffic flow.

TSPEC Bandwidth--Enter the bandwidth for the TSPEC.

Spectralink Voice Protocol (SVP)--Select this check-box to opt for SVP protocol.

WiFi Multimedia Power Save (UAPSD)--Select this check-box to enable WiFi Multimedia Power Save (U-APSD). The U-APSD is a power saving mechanism that is an optional part of the IEEE amendment 802.11e, QoS.

Miscellaneous

Band--Select a value to specify the band at which the network transmits radio signals in the Band drop-down list. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.

Content Filtering--Select this check-box to route all DNS requests for the non-corporate domains to OpenDNS on this network.

Primary Usage--Based on the type of network profile, select one of the following options:
- Mixed Traffic--Select this option to create an employee or guest network profile. The employee network is used by the employees in an organization and it supports passphrase-based or 802.1X-based authentication methods. Employees can access the protected data of an enterprise through the employee network after successful authentication. The guest network is created for guests, visitors, contractors, and any non-employee users who use the enterprise Wi-Fi network. The VC assigns the IP address for the guest clients. Captive portal or passphrase-based authentication methods can be set for this wireless network. Typically, a guest network is an unencrypted network. However, you can specify the encryption settings when configuring a guest network.
- Voice Only--Select this option to configure a network profile for devices that provide only voice services such as handsets or applications that require voice traffic prioritization.
NOTE: When a client is associated with the voice network, all data traffic is marked and placed into the high priority queue in QoS.

Inactivity timeout--Specify an interval for session timeout in seconds, minutes, or hours. If a client session is inactive for the specified duration, the session expires and the user is required to log in again. You can specify a value within the range of 60-86,400 seconds (24 hours) for a client session. The default value is 1000 seconds.

Hide SSID--Select this check-box if you do not want the SSID to be visible to users.

Disable Network--Select this check-box if you want to disable the SSID. When selected, the SSID is disabled, but is not removed from the network. By default, all SSIDs are enabled.

Max clients threshold--Specify the maximum number of clients that can be configured for each BSSID on a WLAN. You can specify a value within the range of 0-255. The default value is 64.

Local Probe Request Threshold--Specify a threshold value to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls system response for this network profile and ignores probe requests if required. You can specify an RSSI value within range of 0-100 dB.

Min RSSI for auth request--Enter the minimum RSSI threshold for authentication requests.

Deauth inactive clients--Select this option to allow the Instant AP to send a de-authentication frame to the inactive client and clear the client entry.

Can be used without uplink--Select this check-box if you do not want the SSID profile to use the uplink.

Deny inter user bridging--Disables bridging traffic between two clients connected to the same SSID on the same VLAN. When this option is enabled, the clients can connect to the Internet, but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.

Enable SSID when--Select an option from the drop-down list and specify the time period.

Disable SSID when--Select an option from the drop-down list and specify the time period.

Deny Intra VLAN Traffic--Disables intra VLAN traffic to enable the client isolation and disable all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client to gateway traffic from clients to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities. For more information, see Configuring Client Isolation.

Management Frame Protection--Turn on the Management Frames Protection toggle switch to provide high network security by maintaining data confidentiality of management frames.
The Management Frame Protection (MFP) establishes encryption keys between the client and Instant AP using 802.11i framework. For more information, see Configuring Management Frames Protection.

Fine Timing Measurement (802.11mc) Responder Mode--Turn on the toggle switch to enable the fine timing measurement (802.11mc) responder mode.

Time Range Profiles

Time Range Profiles--Ensure that the NTP server connection is active. Select a time range profile from the Time Range Profiles list and apply a status from the drop-down list. Click + New Time Range Profile to create a new time range profile. For more information, see Configuring Time-Based Services for Wireless Network Profiles.

Configuring VLAN Settings for Wireless Network

To configure VLANs settings for an SSID, complete the following steps:
1. In the VLANs tab, select any of the following options for Client IP Assignment:
   - Instant AP assigned--When selected, the client obtains the IP address from the VC.
   - External DHCP server assigned--When selected, the client obtains the IP address from the network.
2. Based on the type of client IP assignment mode selected, configure the following parameters:

Table 133: VLANs Parameters
Parameter--Description

Instant AP assigned--When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnet and VLAN on the Instant AP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on Instant APs.
If this option is selected, specify any of the following options in Client VLAN Assignment:
- Internal VLAN--Assigns IP address to the client in the same subnet as the Instant APs. By default, the client VLAN is assigned to the native VLAN on the wired network.
- Custom--Allows you to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. When this option is selected, select the scope from the VLAN ID drop-down list.

External DHCP server assigned--When this option is selected, specify any of the following options in Client VLAN Assignment:
- Static--In VLAN ID, specify a VLAN ID for a single VLAN(s). If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID.
  - To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps:
    a. Click +Add Named VLAN. The Add Named VLAN window is displayed.
    b. Enter the VLAN Name and VLAN details, and then click OK.
- Dynamic--Assigns the VLANs dynamically from a DHCP server.
  - To add a new VLAN assignment rule, complete the following steps:
    a. Click + Add Rule in the VLAN Assignment Rules window. The New VLAN Assignment Rule page is displayed.
    b. Enter the Attribute, Operator, String, and VLAN details, and then click OK.
  - To delete a VLAN assignment rule, select a rule in the VLAN Assignment Rules window, and then click the delete icon.
  - To show or hide the Named VLANs, click Show Named VLANs. Click Show Named VLANs to view the Named VLAN table. To add a new Named VLAN, complete the following steps:
    a. Click +Add Named VLAN. The Add Named VLAN window is displayed.
    b. Enter the VLAN Name and VLAN details, and then click OK.
  - To delete, select a Named VLAN in the Named VLAN table, and then click the delete icon.
- Native VLAN--The client VLAN is assigned to the native VLAN.
3. Click Next.

Configuring Security Settings for Wireless Network

To configure security settings for mixed traffic or voice network, complete the following steps:
1. In the Security tab, specify any one of the following options in the Security Level:
   - Enterprise--On selecting Enterprise security level, the authentication options applicable to the network are displayed.
   - Personal--On selecting Personal security level, the authentication options applicable to the personalized network are displayed.
   - Captive Portal--On selecting Captive Portal security level, the authentication options applicable to the captive portal are displayed. For more information on captive portal, see Configuring Wireless Networks for Guest Users on Instant APs.
   - Open--On selecting Open security level, the authentication options applicable to an open network are displayed.
   The default security setting for a network profile is Personal.
2. Based on the security level specified, configure the following basic parameters:

Table 134: Basic WLAN Security Parameters
Data Pane Item--Description

Key Management--For Enterprise security level, select an encryption key from Key Management drop-down list:
- WPA-2 Enterprise--Select this option to use WPA-2 security. The WPA-2 Enterprise requires user authentication and requires the use of a RADIUS server for authentication.
- WPA Enterprise--Select this option to use WPA Enterprise.
- Both (WPA-2 & WPA)--Select this option to use both WPA-2 and WPA security.
- Dynamic WEP with 802.1X--If you do not want to use a session key from the RADIUS Server to derive pairwise unicast keys, turn on the Use Session Key for LEAP toggle switch. This is required for old printers that use dynamic WEP through LEAP authentication. The Use Session Key for LEAP feature is Disabled by default.
- WPA-3 Enterprise(CNSA)--Select this option to use WPA-3 security employing CNSA encryption.
- WPA-3 Enterprise(CCM 128)--Select this option to use WPA-3 security employing CCM encryption operation mode limited to encrypting 128 bits of plain text.
- WPA-3 Enterprise(GCM 256)--Select this option to use WPA-3 security employing GCM encryption operation mode limited to encrypting 256 bits of plain text.
NOTE: When any of the aforementioned encryption types is selected and if 802.1x authentication method is configured, ensure that the Opportunistic key caching (OKC) and 802.11r toggle switches under Advanced Settings are turned on. This enables OKC and 802.11r protocols and allows faster roaming of clients without the need for a complete 802.1x authentication. You can configure both OKC and 802.11r roaming only for the Enterprise security level.

For Personal security level, select an encryption key from Key Management drop-down list:
- For WPA-2 Personal, WPA Personal, Both (WPA-2&WPA), and WPA-3 Personal keys, specify the following parameters:
  a.
Passphrase Format--Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
  b. Passphrase--Enter a passphrase.
  c. Retype--Retype the passphrase to confirm.
- For Static WEP, specify the following parameters:
  a. WEP Key Size--Select an appropriate value for WEP key size from the drop-down list. Select an appropriate value from the Tx Key drop-down list.
  b. WEP Key--Enter an appropriate WEP key.
  c. Retype WEP Key--Retype the WEP key to confirm.
For information on configuring captive portal, see Configuring Wireless Networks for Guest Users on Instant APs.

For Open security level, the Key Management includes Open and Enhanced Open options.

EAP offload--This option is applicable to Enterprise security levels only. To terminate the EAP portion of 802.1X authentication on the Instant AP instead of the RADIUS server, turn on the EAP offload toggle switch. Enabling EAP offload can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the Instant AP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the Instant AP acts as a relay for this exchange. When EAP Offload is enabled, the Instant AP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server. It can also reduce the number of exchange packets between the Instant AP and the authentication server. Instant supports the configuration of primary and backup authentication servers in an EAP termination-enabled SSID. If you are using LDAP for authentication, ensure that Instant AP termination is configured to support EAP.

Authentication Server--Configure the following parameters:
- MAC Authentication--Turn on the MAC Authentication toggle switch to allow MAC address based authentication for Personal, Captive Portal, and Open security levels.
- Primary Server--Set a primary authentication server. The Primary Server option appears only for Enterprise security level, internal and external captive portal types. Select one of the following options from the drop-down list:
  - Internal Server--To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs. Aruba Central allows you to configure an external RADIUS server, TACACS or LDAP server, and External Captive Portal for user authentication.
- Secondary Server--To add another server for authentication, configure another authentication server.
- Authentication Survivability--If an external server is configured for authentication, you can enable authentication survivability. Specify a value in hours for Cache Timeout to set the duration after which the authenticated credentials in the cache expire. When the cache expires, the clients are required to authenticate again. You can specify a value within range of 1 to 99 hours. By default, authentication survivability is disabled.
- Load Balancing--Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring External Authentication Servers for APs.

Users--Click Users to add the users. The registered users of Employee type will be able to access the users of Enterprise network. To add a new user, click + Add User and enter the new user in the Add User pane.
The Primary Server option appears only for Enterprise security level, Internal Captive Portal, and External Captive Portal.

3. Based on the security level specified, specify the following parameters in the Advanced Settings section:

Table 135: Advanced WLAN Security Parameters
Data pane item--Description

Use Session Key for LEAP--Turn on the toggle switch to use the session key for Lightweight Extensible Authentication Protocol. This option is available only for Enterprise level.

MAC Authentication for Enterprise Networks--To enable MAC address based authentication for Personal and Open security levels, turn on the toggle switch to enable MAC Authentication. For Enterprise security level, the following options are available:
- Perform MAC authentication before 802.1X--Select this to use 802.1X authentication only when the MAC authentication is successful.
- MAC Authentication Fail-Through--On selecting this, the 802.1X authentication is attempted when the MAC authentication fails.
- If MAC Authentication is enabled, configure the following parameters:
  - Delimiter Character--Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
  - Uppercase Support--Turn on the toggle switch to allow the Instant AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

Reauth Interval--Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.
If the re-authentication interval is configured:
- On an SSID performing L2 authentication (MAC or 802.1X authentication): When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client will get a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role.
- On an SSID performing both L2 and L3 authentication (MAC with captive portal authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.
- On an SSID performing only L3 authentication (captive portal authentication): When re-authentication succeeds, a pre-authentication role is assigned to the client that is in a post-authentication role. Due to this, the clients are required to go through captive portal to regain access.

Denylisting--By default, this option is disabled. To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in the Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled.

Enforce DHCP--Enforces WLAN SSID on Instant AP clients. When DHCP is enforced:
- A layer-2 user entry is created when a client associates with an Instant AP.
- The client DHCP state and IP address are tracked.
- When the client obtains an IP address from DHCP, the DHCP state changes to complete.
- If the DHCP state is complete, a layer-3 user entry is created.
- When a client roams between the Instant APs, the DHCP state and the client IP address are synchronized with the new Instant AP.

WPA3 Transition--Enable this option to allow transition from WPA3 to WPA2 and vice versa.
The WPA3 Transition appears only when WPA3 is selected in the Key Management for Personal, Captive Portal, and Open level.

Legacy Support--Enable this option to allow backward compatibility of encryption modes in networks. The Legacy Support appears only when WPA3 is selected in the Key Management for Personal, Captive Portal, and Open level.

Use IP for Calling Station ID--Enable this option to configure client IP address as calling station ID. When this option is enabled, the following options are displayed:
- Called Station ID Type--Select any of the following options for configuring called station ID:
  o Access Point Group--Uses the VC ID as the called station ID.
  o Access Point Name--Uses the host name of the Instant AP as the called station ID.
  o VLAN ID--Uses the VLAN ID as the called station ID.
  o IP Address--Uses the IP address of the Instant AP as the called station ID.
  o MAC address--Uses the MAC address of the Instant AP as the called station ID.
- Called Station ID Include SSID--Appends the SSID name to the called station ID.
  NOTE: The Called Station ID Type detail can be configured even if the Use IP for Calling Station ID is set to disabled.
- Called Station ID Delimiter--Sets delimiter at the end of the called station ID.
- Max Authentication Failures--Sets a value for the maximum allowed authentication failures.

Delimiter Character--Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
Uppercase Support--Select this option to allow the Instant AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

Fast Roaming--Enable the following fast roaming features as per your requirement:
- Opportunistic Key Caching (OKC)--Turn on the Opportunistic key caching (OKC) toggle switch to reduce the time needed for authentication. When OKC is enabled, multiple APs can share Pairwise Master Keys (PMKs) and use these keys when clients roam to a neighboring AP.
  NOTE: The Opportunistic key caching (OKC) toggle switch is disabled by default when you select any of the encryption types from the Key Management drop-down list.
- 802.11k--Turn on the 802.11k toggle switch to enable 802.11k roaming. The 802.11k protocol enables Instant APs and clients to dynamically measure the available radio resources. When 802.11k is enabled, Instant APs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
- 802.11v--Turn on the 802.11v toggle switch to enable 802.11v based BSS transition. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows the client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as they roam.
- 802.11r--Turn on the 802.11r toggle switch to enable 802.11r roaming. Selecting this option enables fast BSS transition. The fast BSS transition mechanism minimizes the delay when a client transitions from one BSS to another within the same cluster.
  NOTE: For Enterprise security level, the 802.11r toggle switch is disabled by default when you select WPA2 Enterprise or Both (WPA2 & WPA) encryption types from the Key Management drop-down list. However, the 802.11r toggle switch is not available when you select the remaining encryption types from the Key Management drop-down list.
  Once you enable 802.11r, the following field is displayed:
  - MDID--In the MDID text box, enter the mobility domain identifier.
  In a network of standalone Instant APs within the same management VLAN, 802.11r roaming does not work. This is because the mobility domain identifiers do not match across Instant APs. They are auto-generated based on a virtual controller key. You can set a mobility domain identifier for 802.11r SSIDs. For standalone Instant APs in the same management VLAN, 802.11r roaming works only when the mobility domain identifier is configured with the same value.

4. Click Next.

Configuring ACLs for User Access to a Wireless Network

You can configure up to 64 access rules for a wireless network profile. To configure access rules for a network, complete the following steps:

1. In the Access tab, turn on the Downloadable Role toggle switch to allow downloading of preexisting user roles. For more information, see Configuring Downloadable Roles.
   - The Downloadable Role feature is optional. The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8.
   - At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for Instant APs.
2. Click the action corresponding to the server. The Edit Server page is displayed.
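The Delimiter Character and Uppercase Support settings in Table 135 decide the exact MAC string the Instant AP sends in a MAC authentication request. The following added example (not from the Aruba guide) audits a constructed list of RADIUS user entries against those two settings. The function names, the sample entries, lowercase output when Uppercase Support is off, and exact string matching on the server side are assumptions.

```python
import re

# Constructed sample: usernames as they might appear in a RADIUS user list.
SAMPLE_ENTRIES = [
    "aa:bb:cc:00:11:22",
    "AA:BB:CC:00:11:23",
    "aabbcc001124",
    "aa-bb-cc-00-11-25",
    "aa:bb:cc:00:11",
    "AA-BB-CC-00-11-22",
]

def format_mac(mac, delimiter="", uppercase=False):
    """Render a MAC as the SSID settings describe (hypothetical helper).

    delimiter=""  -> xxxxxxxxxxxx; delimiter=":" -> xx:xx:xx:xx:xx:xx.
    Assumption: lowercase is used when Uppercase Support is off.
    """
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if uppercase else digits.lower()
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_entries(entries, delimiter="", uppercase=False):
    """Sort entries into ok / wrong_format / invalid / duplicate."""
    report = {"ok": [], "wrong_format": [], "invalid": [], "duplicate": []}
    seen = {}  # expected string -> first entry that produced it
    for entry in entries:
        try:
            expected = format_mac(entry, delimiter, uppercase)
        except ValueError:
            report["invalid"].append(entry)
            continue
        if expected in seen:
            report["duplicate"].append((entry, seen[expected]))
            continue
        seen[expected] = entry
        if entry == expected:
            report["ok"].append(entry)
        else:
            # Assumption: the server compares the string exactly.
            report["wrong_format"].append((entry, expected))
    return report

if __name__ == "__main__":
    for kind, items in audit_entries(SAMPLE_ENTRIES, ":").items():
        print(kind, items)
```

Each `wrong_format` pair gives the stored entry and the string the Instant AP would send under the chosen settings, so the list can be corrected before MAC authentication is enabled on the SSID.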
Viewing Wireless SSID Summary

In the Summary tab, the Network Summary page displays all the settings configured in the General, VLANs, Security, and Access tabs. Click Save Settings to complete the network profile creation and save the settings.

Configuring Client Isolation

Aruba Central supports the Client Isolation feature, which isolates clients from one another and disables all peer-to-peer communication within the network. Client isolation disables inter-client communication by allowing only client-to-gateway traffic to flow in the network. All other traffic from the client that is not destined to the gateway or configured servers will not be forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities.

Client Isolation can only be configured through the CLI.

When Client Isolation is configured, the Instant AP learns the IP, subnet mask, MAC, and other essential information of the gateway and the DNS server. A subnet table of trusted destinations is then populated with this information. Wired servers used in the network should be manually configured into this subnet table to serve clients. The destination MAC of data packets sent by the client is validated against this subnet table and only the data packets destined to the trusted addresses in the subnet table are forwarded by the Instant AP. All other data packets are dropped.

The Client Isolation feature is supported only in IPv4 networks. This feature does not support AirGroup and affects Chromecast and Airplay services.

Enabling Client Isolation for Wireless Networks in Aruba Central

To enable the Client Isolation feature, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon.
   The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs page, click + Add SSID. The Create a New Network page is displayed.
6. Click Advanced Settings and expand Miscellaneous.
7. Turn on the Deny Intra VLAN Traffic toggle switch.
8. Click Next.

Configuring Management Frames Protection

Aruba Central supports the Management Frame Protection (MFP) feature in networks that include Aruba Instant 8.5.0.0 firmware version and later. This feature protects networks against forged management frames spoofed from other devices that might otherwise disrupt a valid user session. The MFP increases the security by providing data confidentiality of management frames. MFP uses the 802.11i framework that establishes encryption keys between the client and Instant AP.

Enabling Management Frames Protection for Wireless Networks in Aruba Central

To enable the MFP feature, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs page, click + Add SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. In the General tab, click Advanced Settings.
7. Expand Miscellaneous.
8. Turn on the Management Frames Protection toggle switch to enable the MFP feature.
9. Click Next.
10. Click Save Settings.

The MFP configuration is a per-SSID configuration. The MFP feature can be enabled only on WPA2-PSK a