Aruba Central (on-premises) User Guide
Feb 8, 2022
File Info: application/pdf, 973 Pages, 11.80MB
Aruba Central (on-premises) 2.5.4.x User Guide

Copyright Information
© Copyright 2022 Hewlett Packard Enterprise Development LP.

Open Source Code
This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
6280 America Center Drive
San Jose, CA 95002
USA

Contents
- About this Guide
- Intended Audience
- Related Documents
- Conventions
- Terminology Change
- Contacting Support
- About Aruba Central (on-premises)
- Key Features
- Scaling Devices for Aruba Central (on-premises)
- Supported Web Browsers
- Supported Devices
- Aruba Central (on-premises) 2.5.4.x What's New
- What's New in Aruba Central (on-premises) 2.5.4.5
- New Feature
- Enhancement
- What's New in Aruba Central (on-premises) 2.5.4.3
- New Features
- What's New in Aruba Central (on-premises) 2.5.4.2
- New Features
- What's New in Aruba Central (on-premises) 2.5.4.0
- Important Notes
- New Features
- Enhancements
- Getting Started with Aruba Central (on-premises)
- Aruba Central Subscriptions
- Provisioning Workflow
- Scaling Devices for Aruba Central (on-premises)
- Creating a Group
- Onboarding Devices
- Assigning Devices to Groups
- Assigning Labels
- Assigning Sites
- Connecting Aruba APs to Aruba Central
- Connecting Aruba Controllers to Aruba Central
- Connecting Aruba Switches to Aruba Central
- Configuring Communication Ports
- Configuring User Roles
- Predefined User Roles
- Custom Roles
- Module Permissions
- System Setup as Node or Cluster
- Verifying Device Configuration Status
- Local Overrides
- Viewing Status for Devices Assigned to a Template Group
- Viewing Configuration Status for a UI Group
- Viewing Configuration Status for Devices Assigned to a UI Group
- Using the Search Bar
- About the Network Operations App User Interface
- Types of Dashboards in the Network Operations App
- Navigating to the Switch, Access Point, or Controller Dashboard
- Workflow to Configure, Monitor, or Troubleshoot in the Network Operations App
- The Global Dashboard
- The Access Point Dashboard
- The Switch Dashboard
- The Controller Dashboard
- The Group Dashboard
- The Client Dashboard
- The Site Dashboard
- The Label Dashboard
- The Health Bar
- Account Home Page
- Command Line Interface
- Accessing the Aruba Central CLI
- Syntax
- Common Command Options
- Password Recovery
- Main Menu Options
- List of CLI Commands
- Network Structure
- Viewing the Network Structure Page
- Managing Groups
- Group Operations
- Group Configuration Modes
- Default Groups and Unprovisioned Devices
- Best Practices and Recommendations
- Groups
- Provisioning Devices Using UI-based Workflows
- Provisioning Devices Using Configuration Templates
- Managing APs
- Configuring APs
- Monitoring APs
- Managing AOS-CX Switches
- Getting Started with AOS-CX Deployments
- Using Configuration Templates for AOS-CX Switch Management
- Configuring AOS-CX Switches in UI Groups
- Managing an AOS-CX VSF Stack
- Configuring AOS-Switches
- Getting Started with AOS-Switch Deployments
- Using Configuration Templates for AOS-Switch Management
- Configuring AOS-Switches in UI Groups
- AOS-Switch Stack
- Managing Controllers
- Before You Begin
- Supported Aruba Mobility Controllers
- Adding Mobility Controllers
- Deleting a Controller
- Creating a WebSocket Connection
- The Controller Dashboard
- Managing Users and Roles
- Configuring System Users
- Configuring User Roles
- Two-Factor Authentication Support
- Access
- Managing Sites and Labels
- Managing Sites
- Creating a Site
- Adding Multiple Sites in Bulk
- Assigning a Device to a Site
- Convert Existing Labels to Sites
- Editing a Site
- Deleting a Site
- Managing Labels
- Device Classification
- Creating a Label
- Assigning a Device to a Label
- Detaching a Device from a Label
- Editing a Label
- Deleting a Label
- Managing Sites
- Managing Labels
- Managing Certificates
- Device Certificates
- Uploading Device Certificates
- Deleting Device Certificates
- Appliance Certificates
- Viewing the Certificate Store Parameters
- Uploading Appliance Certificates
- Deleting Appliance Certificates
- Certificate Signing Request
- Supported Certificate Formats
- Wildcard Certificates
- Managing Licenses
- Changes to the Legacy Licensing Model
- Supported Devices
- Managing License Assignments
- Configuring External Authentication
- Configuring SAML SSO for Aruba Central
- Configuring RADIUS Authentication and Authorization
- Viewing Audit Logs for Federated Users in Aruba Central
- Viewing Federated Users in Aruba Central
- Monitoring Your Network
- Network Overview
- Network Health
- AI Insights
- All Clients
- Application Visibility
- About Floorplans
- Alerts & Events
- Reports
- Viewing Audit Trail
- RAPIDS
- Monitoring Sites in the Topology Tab
- Upgrading Device Firmware
- System Management
- Viewing System Management in the Account Home Page
- Viewing System Performance
- Upgrade Watcher
- Version
- Network
- External Services
- Backing up and Restoring Aruba Central System Data
- Migrating the AirWave Server
- Validating the Migration Process
- Using Troubleshooting Tools
- Troubleshooting Network Issues
- Troubleshooting Device Issues
- Advanced Device Troubleshooting
- Troubleshooting System Issues
- Unified Communications
- Licensing
- Configuring UCC
- Monitoring UCC in List View
- Monitoring UCC in Summary View
- Aruba Central APIs
- API Gateway
- List of Supported APIs
- Creating Application and Token
- Using OAuth 2.0 for Authentication
- Obtaining Token Using Offline Token Mechanism
- Obtaining Token Using OAuth Grant Mechanism
- Viewing Usage Statistics
- Changes to Aruba Central APIs
- Webhook
- Streaming APIs
- Related Information
- Aruba Central (on-premises) Release Notes
- Aruba Central (on-premises) 2.5.4.3 PDF Documents
- Aruba Central (on-premises) 2.5.4.0 PDF Documents
- Aruba Central (on-premises) APIs
- ArubaOS and Aruba Instant Documentation
- Aruba Switch Documentation
- Accessing Documentation on Support Sites

Chapter 1: About this Guide

This user guide describes the features supported by Aruba Central (on-premises) and provides detailed instructions to set up and configure devices such as Campus APs, Instant APs, Switches, and Controllers. In Aruba Central, the only access points that you can configure are Instant APs. However, monitoring is supported for both Campus APs and Instant Access Points.

Intended Audience
This guide is intended for system administrators who configure and monitor their network using Aruba Central.
Related Documents
In addition to this document, the Aruba Central (on-premises) product documentation includes the following documents:
- Aruba Central (on-premises) Installation and Setup Guide
- Aruba Central (on-premises) Migration Guide
- Aruba Central (on-premises) API Reference Guide
- Aruba Central (on-premises) Release Notes

Conventions
The following conventions are used throughout this guide to emphasize important concepts:

Table 1: Typographical Conventions

| Type Style | Description |
|---|---|
| Italics | This style is used to emphasize important terms and to mark the titles of books. |
| System items | This fixed-width font depicts the following: sample screen output; system prompts |
| Bold | Keys that are pressed; text typed into a GUI element; GUI elements that are clicked or selected |

The following informational icons are used throughout this guide:
- Indicates helpful suggestions, pertinent information, and important things to remember.
- Indicates a risk of damage to your hardware or loss of data.
- Indicates a risk of personal injury or death.

Terminology Change
As part of advancing HPE's commitment to racial justice, we are taking a much-needed step in overhauling HPE engineering terminology to reflect our belief system of diversity and inclusion. Some legacy products and publications may continue to include terminology that seemingly evokes bias against specific groups of people.
Such content is not representative of our HPE culture and moving forward, Aruba will replace racially insensitive terms and instead use the following new language:

| Usage | Old Language | New Language |
|---|---|---|
| Campus Access Points + Controllers | Master-Slave | Conductor-Member |
| Instant Access Points | Master-Slave | Conductor-Member |
| Switch Stack | Master-Slave | Conductor-Member |
| Wireless LAN Controller | Mobility Master | Mobility Conductor |
| Firewall Configuration | Blacklist, Whitelist | Denylist, Allowlist |
| Types of Hackers | Black Hat, White Hat | Unethical, Ethical |

Contacting Support

Table 2: Contact Information

| Resource | Details |
|---|---|
| Main Site | arubanetworks.com |
| Support Site | asp.arubanetworks.com |
| Airheads Social Forums and Knowledge Base | community.arubanetworks.com |
| North American Telephone | 1-800-943-4526 (Toll Free); 1-408-754-1200 |
| International Telephone | arubanetworks.com/support-services/contact-support/ |
| Software Licensing Site | lms.arubanetworks.com |
| End-of-life Information | arubanetworks.com/support-services/end-of-life/ |
| Security Incident Response Team | Site: arubanetworks.com/support-services/security-bulletins/ |
| Open Source License | Email: [email protected]; Site: https://myenterpriselicense.hpe.com/cwp-ui/freesoftware/ArubaCentralOn-Premises-OSP |

Chapter 2: About Aruba Central (on-premises)

Aruba Central (on-premises) is a variant of Aruba Central, a SaaS platform that offers you a single intelligent console to monitor, analyze, and configure WLAN and wired networks. Aruba Central makes it easy and efficient to manage your networks by combining industry-leading functionality with an intuitive user interface, and enables network administrators and help desk staff to support and control even the largest networks. Network Operations is one of the apps in Aruba Central that helps you to manage, maintain, and analyze your network.
Key Features
Aruba Central offers the following key features and benefits:
- Streamlined configuration and deployment of devices: Leverages the ZTP capability of Aruba devices to bring up your network in no time. Aruba Central supports group configuration of devices, which allows you to provision and manage multiple devices at once, with less administrative overhead.
- Integrated wired and wireless infrastructure management: Offers a centralized management interface for managing wireless and wired networks in distributed environments.
- Advanced analytics and assurance: With continuous monitoring, AI-based analytics such as NI-Lite provide real-time visibility and insight into what is happening in the Wi-Fi network. NI-Lite uses machine learning that leverages a growing pool of network data and deep domain experience.
- Health and usage monitoring: Provides a comprehensive view of your network, device status and health, and application usage. You can monitor, identify, and address issues by using data-driven dashboards, alerts, reports, and troubleshooting workflows. Aruba Central also utilizes the DPI feature of the devices to monitor, analyze, and block traffic based on application categories, application type, web categories, and website reputation. Using this data, you can prioritize business-critical applications, limit the use of inappropriate content, and enforce access policies on a per-user, per-device, or per-location basis.
- Rogue AP detection and classification: Supports rogue detection and classification. Network administrators can view the intrusion events and unauthorized or rogue devices detected in their WLAN, and take appropriate measures to secure their networks.
- Value Added Services: Supports value added services such as Unified Communications.
  - The Unified Communication application actively monitors and provides visibility into Lync/Skype for Business traffic and allows you to prioritize sessions.
Scaling Devices for Aruba Central (on-premises)
Aruba Central supports switches, controllers, Instant APs, and Campus APs. Aruba Central can be implemented on multiple nodes; the number of supported devices increases accordingly.

Supported Number of Devices - Summary Table
The following table provides a summary of the number of devices supported across multiple nodes.

Table 3: Maximum Number of Supported Devices

| Node Size | Campus APs (AP and Controller) | Instant AP only | Switches only (AOS-Switch and AOS-CX) | Mixed-Mode |
|---|---|---|---|---|
| Single Node | 2000 | 2000 | 1000 | 1600 APs (Instant AP or Campus AP) and 400 Switches (AOS-Switch or AOS-CX) |
| Three Node | 8000 | 8000 | 3000 | 6000 APs (Instant AP or Campus AP) and 2000 Switches (AOS-Switch or AOS-CX) |
| Five Node | 16000 | 12000 | 4000 | 12000 APs (Instant AP or Campus AP) and 4000 Switches (AOS-Switch or AOS-CX) |
| Seven Node | 25000 | 16000 | 10000 (AOS-Switch) / 4000 (AOS-CX) | 16000 APs (Instant AP or Campus AP) and 7000 Switches (AOS-Switch) [AOS-CX up to 4000 Switches] |

Supported Number of Devices - Detailed Table
The following table details the number of devices that Aruba Central supports across multiple nodes.

Table 4: Maximum Number of Supported Devices

Single Node (maximum 2000 devices):
- 2000 APs, where APs can be either Instant APs, Campus APs, or controllers that manage APs; or a mixed deployment of any of these devices.
- 1000 switches, where switches can be AOS-Switches or AOS-CX switches or a mix of the two.
- In a mixed mode of switches and APs, up to 1600 APs and 400 switches are supported.

Three Node (maximum 8000 devices):
- 8000 APs, where APs can be either Instant APs, Campus APs, or APs along with the controllers that manage APs; or a mix of any of these devices.
- 3000 AOS-Switches or AOS-CX switches, or a mix of the two, can be deployed in a switch-only deployment.
- In a mixed mode of switches and APs, up to 6000 APs (Instant APs or Campus APs) and 2000 switches (AOS-Switch or AOS-CX) are supported.
- 80000 total clients; tested and qualified at a scale of 10 clients per AP.

Five Node (maximum 16000 devices):
- 16000 Campus APs along with the controllers that manage APs can be deployed.
- 12000 Instant APs can be deployed.
- 4000 AOS-Switches or AOS-CX switches, or a mix of the two, can be deployed in a switch-only deployment.
- In a mixed mode of switches and APs, up to 12000 APs (Instant APs or Campus APs) and 4000 switches (AOS-Switch or AOS-CX) are supported.
- 160000 total clients; tested and qualified at a scale of 10 clients per AP.

Seven Node (maximum 25000 devices):
- 25000 Campus APs along with the controllers that manage APs can be deployed.
- 10000 AOS-Switches can be deployed in an AOS-Switch-only deployment.
- 4000 AOS-CX switches can be deployed in an AOS-CX-switch-only deployment.
- In a mixed mode of switches and APs, up to 16000 APs (Instant APs or Campus APs), 7000 AOS-Switches, and 4000 (AOS-Switch or AOS-CX) switches are supported.
- 240000 total clients; tested and qualified at a scale of 10 clients per AP.

You can check the maximum number of supported devices of the Aruba Central setup in the Account Home > Global Settings > Subscription Assignment page. If the device limit is exceeded, the device added to the system is displayed as Unsubscribed in the Account Home > Global Settings > Device Inventory page.

Supported Web Browsers
Aruba recommends that you use the following browsers to access the Aruba Central application.

| Browser | Versions | Operating System |
|---|---|---|
| Google Chrome | 39.0.2171.65 or later | Windows |
| Mozilla Firefox | 34.0.5 or later | Windows |
| Internet Explorer | 11 | Windows |
| Internet Explorer | 10 | Windows |

To view the Aruba Central UI, ensure that JavaScript is enabled on the web browser.
Supported Devices
This section provides the following information:
- Supported APs
- Supported AOS-Switch Platforms
- Supported AOS-CX Switch Platforms
- Supported Aruba Mobility Controllers

Supported APs
Aruba Central (on-premises) supports the following types of Aruba access points (APs).
- Instant APs: The Instant Access Point (IAP) based WLAN solution consists of a cluster of access points in a Layer 2 subnet. The IAPs serve a dual role as both Virtual Controller (VC) and member APs. The IAP WLAN solution does not require dedicated controller hardware and can be deployed through a simplified setup process appropriate for smaller organizations, or for multiple geographically dispersed locations without an on-site administrator. IAPs run the Aruba Instant software. Aruba Central (on-premises) supports both monitoring and management of IAPs. With Aruba Central (on-premises), network administrators can configure, monitor, and troubleshoot IAP WLANs, upload new software images, monitor devices, generate reports, and perform other vital management tasks from remote locations.
- Campus APs: Campus Access Points (CAPs) are used in private networks where APs connect over private links (LAN, WLAN, WAN, or MPLS) and terminate directly on controllers. CAPs are deployed as part of the indoor campus solution in enterprise office buildings, warehouses, hospitals, universities, and so on. Aruba Central (on-premises) supports only onboarding and monitoring of CAPs.
Supported IAP
Aruba Central (on-premises) supports the following IAP platforms and Aruba Instant software versions:

Table 5: Supported Instant AP Platforms

| Instant AP Platform | Installation Mode | Latest Validated Aruba Instant Software Version | Power Draw Support |
|---|---|---|---|
| AP-655 | Indoor | 8.10.0.0 | Yes |
| AP-635 | Indoor | 8.9.0.0 | Yes |
| AP-567EX | Outdoor | 8.7.1.0 | No |
| AP-567 | Outdoor | 8.7.1.0 | Yes |
| AP-565EX | Outdoor | 8.7.1.0 | No |
| AP-565 | Outdoor | 8.7.1.0 | Yes |
| AP-503H | Indoor | 8.7.1.0 | Yes |
| AP-577EX | Outdoor | 8.7.0.0 | Yes |
| AP-577 | Outdoor | 8.7.0.0 | Yes |
| AP-575EX | Outdoor | 8.7.0.0 | Yes |
| AP-575 | Outdoor | 8.7.0.0 | Yes |
| AP-574 | Outdoor | 8.7.0.0 | Yes |
| AP-518 | Outdoor | 8.7.0.0 | Yes |
| AP-505H | Indoor | 8.7.0.0 | Yes |
| AP-505 | Indoor | 8.6.0.0 | Yes |
| AP-504 | Indoor | 8.6.0.0 | Yes |
| AP-535 | Indoor | 8.6.0.7, 8.5.0.0 | No |
| AP-534 | Indoor | 8.6.0.7, 8.5.0.0 | No |
| AP-515 | Indoor | 8.6.0.7, 8.4.0.0 | Yes |
| AP-514 | Indoor | 8.6.0.7, 8.4.0.0 | Yes |
| AP-555 | Indoor | 8.5.0.0 | No |
| AP-387 | Outdoor | 8.4.0.0 | Yes |
| AP-303P | Indoor | 8.4.0.0 | No |
| AP-377EX | Outdoor | 8.3.0.0 | No |
| AP-377 | Outdoor | 8.3.0.0 | Yes |
| AP-375EX | Outdoor | 8.3.0.0 | No |
| AP-375 | Outdoor | 8.3.0.0 | Yes |
| AP-374 | Outdoor | 8.3.0.0 | Yes |
| AP-345 | Indoor | 8.3.0.0 | Yes |
| AP-344 | Indoor | 8.3.0.0 | Yes |
| AP-318 | Indoor | 8.3.0.0 | Yes |
| AP-303 | Indoor | 8.3.0.0 | No |
| AP-203H | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7 | No |
| AP-367 | Outdoor | 8.3.0.3, 6.5.4.8, 6.5.3.7 | No |
| AP-365 | Outdoor | 8.3.0.3, 6.5.4.8, 6.5.3.7, 6.5.2.0 | No |
| AP-303HR | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7 | No |
| AP-303H | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7 | Yes |
| AP-203RP | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7 | No |
| AP-203R | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7 | No |
| IAP-305 | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7 | Yes |
| IAP-304 | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7 | Yes |
| IAP-207 | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7 | No |
| IAP-335 | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7 | Yes |
| IAP-334 | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7 | Yes |
| IAP-315 | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7 | No |
| IAP-314 | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7 | Yes |
| IAP-325 | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-324 | Indoor | 8.3.0.3, 6.5.4.8, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-277 | Outdoor | 6.5.4.3, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-228 | Indoor | 6.5.4.3, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-205H | Indoor | 6.5.4.8, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-215 | Indoor | 6.5.4.3, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-214 | Indoor | 6.5.4.3, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-205 | Indoor | 6.5.4.8, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-204 | Indoor | 6.5.4.8, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-275 | Outdoor | 6.5.4.3, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-274 | Outdoor | 6.5.4.3, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-103 | Indoor | 6.5.4.8, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-225 | Indoor | 6.5.4.3, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-224 | Indoor | 6.5.4.3, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-115 | Indoor | 6.5.4.8, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |
| IAP-114 | Indoor | 6.5.4.8, 6.5.3.7, 6.4.4.8-4.2.4.10, 6.4.3.4-4.2.1.0 | No |

- IAP-214, IAP-215, IAP-224, IAP-225, IAP-228, IAP-274, IAP-275, and IAP-277 IAPs are no longer supported from Aruba Instant 8.7.0.0 onwards.
- IAP-103, IAP-114, IAP-115, IAP-204, IAP-205, and IAP-205H IAPs are no longer supported from Aruba Instant 8.3.0.0 onwards.
- By default, AP-318, AP-374, AP-375, and AP-377 IAPs have Eth1 as the uplink port and Eth0 as the downlink port. Aruba does not recommend upgrading these IAPs to the Aruba Instant 8.5.0.0 or 8.5.0.1 firmware versions, as the upgrade process changes the uplink port from Eth1 to Eth0, thereby making the devices unreachable.

Supported Campus APs
Aruba Central (on-premises) supports the following CAP platforms and ArubaOS software versions:

| AP Platform | Latest Validated ArubaOS Software Versions |
|---|---|
| AP-655 | 8.10.0.0 |
| AP-635 | 8.9.0.0 |
| AP-567EX | 8.9.0.0, 8.8.0.0 |
| AP-565EX | 8.9.0.0, 8.8.0.0 |
| AP-505HR | 8.9.0.0, 8.8.0.0 |
| AP-503HR | 8.9.0.0, 8.8.0.0 |
| AP-375EX | 8.9.0.0, 8.8.0.0 |
| AP-228 | 8.9.0.0, 8.8.0.0 |
| AP-207 | 8.9.0.0, 8.8.0.0 |
| AP-577EX | 8.7.1.0, 8.6.0.7 |
| AP-577 | 8.7.1.0, 8.6.0.7 |
| AP-575EX | 8.7.1.0, 8.6.0.7 |
| AP-575 | 8.7.1.0, 8.6.0.7 |
| AP-574 | 8.7.1.0, 8.6.0.7 |
| AP-567 | 8.7.1.0 |
| AP-565 | 8.7.1.0 |
| AP-555 | 8.7.1.0, 8.6.0.7 |
| AP-518 | 8.7.1.0, 8.6.0.7 |
| AP-535 | 8.7.1.0, 8.6.0.7 |
| AP-534 | 8.7.1.0, 8.6.0.7 |
| AP-515 | 8.7.1.0, 8.6.0.7 |
| AP-514 | 8.7.1.0, 8.6.0.7 |
| AP-505H | 8.7.1.0, 8.6.0.7 |
| AP-505 | 8.7.1.0, 8.6.0.7 |
| AP-504 | 8.7.1.0, 8.6.0.7 |
| AP-503H | 8.7.1.0 |
| AP-377EX | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-377 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-375 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-374 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-367 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-365 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-345 | 8.7.1.0, 8.6.0.7 |
| AP-344 | 8.7.1.0, 8.6.0.7 |
| AP-335 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-334 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-325 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-324 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-318 | 8.7.1.0, 8.6.0.7 |
| AP-315 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-314 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-305 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-304 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-303P | 8.7.1.0, 8.6.0.7 |
| AP-303H | 8.7.1.0, 8.6.0.7 |
| AP-303 | 8.7.1.0, 8.6.0.7 |
| AP-277 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-275 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-274 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-225 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-224 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-215 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-214 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-205H | 8.2.1.0, 6.5.4.8, 6.5.3.7 |
| AP-205 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-204 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-203RP | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-203H | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-203R | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-175P | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-175DC | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-175AC | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-135 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-134 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-115 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-114 | 8.6.0.7, 6.5.4.16 |
| AP-104 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-105 | 8.7.1.0, 8.6.0.7, 6.5.4.16 |
| AP-103H | 8.7.1.0, 8.6.0.7, 6.5.4.16 |

- AP-635 and AP-655 IAPs are Wi-Fi 6E capable APs that support the 6 GHz radio band, in addition to the 2.4 GHz and 5 GHz radio bands.
- For more information about Aruba's End-of-life policy and the timelines for hardware and software products at the end of their lives, see: https://www.arubanetworks.com/support-services/end-of-life/
- Data sheets and technical specifications for the supported AP platforms are available at: https://www.arubanetworks.com/products/networking/access-points/

Supported AOS-Switch Platforms
- To manage your AOS-Switches using Aruba Central (on-premises), ensure that the switch software is upgraded to 16.09.0010 or a later version. However, if you already have switches running lower software versions in your account, you can continue to manage these devices from Aruba Central (on-premises).
- Changing AOS-Switch firmware from the latest version to an earlier major version is not recommended if the switches are managed in UI groups. For features that are not supported or not managed in Aruba Central (on-premises) on earlier AOS-Switch versions, changing firmware to an earlier major version might result in loss of configuration.
The following tables list the switch platforms, the corresponding software versions supported in Aruba Central (on-premises), and switch stacking details.

Table 6: Supported AOS-Switch Series, Software Versions, and Switch Stacking

| Switch Platform | Supported Software Versions | Recommended Software Versions | Switch Stacking Support | Supported Stack Type (Frontplane (VSF) / Backplane (BPS)) | Supported Configuration Group Type for Stacking (UI / Template) |
|---|---|---|---|---|---|
| Aruba 2540 Switch Series | YC.16.08.0019 or later; YC.16.09.0015 or later; YC.16.10.0012 or later | YC.16.08.0019 or later; YC.16.09.0015 or later; YC.16.10.0012 or later | N/A | N/A | UI and Template |
| Aruba 2930F Switch Series | WC.16.08.0019 or later; WC.16.09.0015 or later; WC.16.10.0012 or later | WC.16.08.0019 or later; WC.16.09.0015 or later; WC.16.10.0012 or later | Yes | VSF (switch software dependency: WC.16.08.0019 or later; WC.16.09.0015 or later; WC.16.10.0012 or later) | UI and Template |
| Aruba 2930M Switch Series | WC.16.08.0019 or later; WC.16.09.0015 or later; WC.16.10.0012 or later | WC.16.08.0019 or later; WC.16.09.0015 or later; WC.16.10.0012 or later | Yes | BPS (switch software dependency: WC.16.08.0019 or later; WC.16.09.0015 or later; WC.16.10.0012 or later) | UI and Template |
| Aruba 3810 Switch Series | KB.16.08.0019 or later; KB.16.09.0015 or later; KB.16.10.0012 or later | KB.16.08.0019 or later; KB.16.09.0015 or later; KB.16.10.0012 or later | Yes | BPS (switch software dependency: KB.16.08.0019 or later; KB.16.09.0015 or later; KB.16.10.0012 or later) | UI and Template |
| Aruba 5400R Switch Series | KB.16.08.0019 or later; KB.16.09.0015 or later; KB.16.10.0012 or later | KB.16.08.0019 or later; KB.16.09.0015 or later; KB.16.10.0012 or later | Yes | VSF (switch software dependency: KB.16.08.0019 or later; KB.16.09.0015 or later; KB.16.10.0012 or later) | Template only |

Provisioning and configuring of Aruba 5400R switches and Aruba 5400R switch stacks is supported only through configuration templates. Aruba Central (on-premises) does not support moving Aruba 5400R switches from a template group to a UI group. If an Aruba 5400R switch is pre-assigned to a UI group, the device is moved to an unprovisioned group after it joins.

Data sheets and technical specifications for the supported switch platforms are available at: https://www.arubanetworks.com/products/networking/switches/.

Supported AOS-CX Switch Platforms
To manage your AOS-CX switches using Aruba Central (on-premises), ensure that the switch software is upgraded to 10.05.0021 or a later version. AOS-CX switches with version 10.05.0021 or earlier might not connect to Aruba Central (on-premises) after ten days of operation. You must upgrade the AOS-CX switch to a recommended software version to connect to Aruba Central (on-premises).

The following table lists the AOS-CX platforms and corresponding software versions supported in Aruba Central (on-premises).

Aruba Central (on-premises) 2.5.4 does not support AOS-CX switch software version 10.09. Upgrading an AOS-CX switch to version 10.09 could result in loss of connectivity to Aruba Central (on-premises). The upcoming Aruba Central (on-premises) 2.5.5 release will support AOS-CX version 10.09.
Table 7: Supported AOS-CX Switch Series, Software Versions, and Switch Stacking

| Switch Platform | Supported Software Versions | Recommended Software Versions | Supported Configuration Group Type (UI / Template) |
|---|---|---|---|
| AOS-CX 4100i Switch Series | 10.08.0001 | 10.08.0001 | UI and Template |
| AOS-CX 6000 Switch Series | 10.08.1010 or later | 10.08.1010 | UI and Template |
| AOS-CX 6100 Switch Series | 10.06.0110 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 6200 Switch Series | 10.05.0021 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 6300 Switch Series | 10.05.0021 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 6300 Switch Series [JL762A] Back 2 Front Power Supply SKU only | 10.06.0001 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 6400 Switch Series | 10.05.0021 or later | 10.06.0160 or 10.07.0040 | Template only |
| AOS-CX 8320 Switch Series | 10.05.0021 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 8325 Switch Series | 10.05.0021 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 8360 Switch Series | 10.06.0001 or later | 10.06.0160 or 10.07.0040 | UI and Template |
| AOS-CX 8400 Switch Series | 10.06.0001 or later | 10.06.0160 or 10.07.0040 | Template only |

Provisioning and configuring of the AOS-CX 6400 and 8400 switch series is supported only through configuration templates.

Data sheets and technical specifications for the supported switch platforms are available at: https://www.arubanetworks.com/products/networking/switches/.

Supported Aruba Mobility Controllers
Aruba Central supports provisioning, management, and monitoring of the following Aruba Mobility Controllers.
Table 8: Supported Devices and Software Versions

| Supported Device | Latest Validated Software Versions |
|---|---|
| Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers; Aruba 9004 non-LTE Mobility Controllers | 8.8.0.0, 8.7.1.0, 8.6.0.7, 6.5.4.16 |

NOTE: Controllers running the ArubaOS 6.5.4.8 software image do not support a WebSocket connection. You must manually add these controllers to Aruba Central. The minimum software version required for monitoring controller clusters and Mobility Conductor managed networks is ArubaOS 8.2.1.0.

Chapter 3: Aruba Central (on-premises) 2.5.4.x What's New

The following features and enhancements are introduced.

What's New in Aruba Central (on-premises) 2.5.4.5

New Feature
The following section provides an overview of the new feature that is added to Aruba Central (on-premises) in this release.

Support for the 6 GHz Radio Band
Aruba Central (on-premises) supports the monitoring of the 6 GHz radio band on the following WebUI pages:
- Access Points > List
- Overview > AP summary
- RF tab
- Live monitoring for IAP
- Access point health bar dashboard
- Analyze > Alerts and Events

For more information, see the following topics:
- Monitoring APs in List View
- Access Point > Overview > Summary
- Access Point > Overview > RF
- Enabling Live IAP Monitoring
- The Health Bar
- Configuring Alerts

Enhancement
The following section provides an overview of the enhancement introduced in Aruba Central (on-premises) in this release.

Enabling Application Visibility at Client and Site Level for Campus APs
Aruba Central (on-premises) supports the Application Visibility feature at client or site level for Campus APs.
To enable the Application Visibility feature, the firewall visibility session telemetry must be grouped by BSSID and sent to the Aruba Central (on-premises) server. For more information, see Enabling Application Visibility at Client and Site Level.

What's New in Aruba Central (on-premises) 2.5.4.3

New Features
The following sections provide an overview of the new features added to Aruba Central in this release.

Support for 9004 non-LTE Mobility Controller
Aruba Central (on-premises) supports the Aruba 9004 non-LTE Mobility Controller in discovery and monitoring. After Aruba Central (on-premises) discovers these controllers, you can receive diagnostics, reports, and triggers for them. For a complete list of supported products, see the Aruba Central (on-premises) Supported Devices Guide.

What's New in Aruba Central (on-premises) 2.5.4.2

New Features
The following sections provide an overview of the new features added to Aruba Central in this release.

Alerts and Events
The Enable All and Disable All buttons are added to the Access Point, Switch, Controller, and Central System tabs under the Alerts and Events > Config page of the WebUI. Click Enable All to enable all the alerts with a single click. Similarly, click Disable All to disable all the alerts. For more information, see Configuring Alerts.

Bulk Replacement of APs
Aruba Central (on-premises) now allows bulk replacement of Campus APs and Remote APs by using one of the following pages in the WebUI:
- Manage > Overview > Device Replacement under the Sites filter.
- Manage Sites under Maintain > Organization > Network Structure > Sites.
For more information, see Replacing APs in Bulk.

What's New in Aruba Central (on-premises) 2.5.4.0

Important Notes
It is recommended to upgrade all Aruba Central (on-premises) nodes to 512 GB of RAM for optimum performance; using 256 GB of RAM might result in degraded performance.
Note that 256 GB of RAM will not be supported in upcoming releases.

New Features
The following sections provide an overview of the new features added to Aruba Central in this release.

AOS-CX 4100i and 6100 Platform Support
Aruba Central (on-premises) now supports configuring and monitoring the AOS-CX 6100 Switch Series using UI options and MultiEdit mode. Aruba Central (on-premises) also supports configuring and monitoring the AOS-CX 4100i Switch Series using UI options, MultiEdit mode, and templates. For more information, see Supported AOS-CX Switch Platforms.

AOS-CX Stacking Configuration
In addition to onboarding pre-configured AOS-CX VSF stacks, Aruba Central now supports configuring and managing AOS-CX VSF stacks using UI options and templates.

VSF Stacking UI Configuration
You can now configure an AOS-CX VSF stack using a UI group. The following stack-related configurations can be performed using the web UI:
- Creating a stack
- Adding a stack member
- Removing a stack member
- Modifying VSF links
- Changing the secondary member
For more information, see Configuring AOS-CX VSF Stacks Using UI Groups.

VSF Stacking Template Configuration
You can now configure an AOS-CX VSF stack using a template group. The following stack-related configurations can be performed using templates:
- Creating a stack
- Adding a stack member
- Removing a stack member
- Modifying VSF links
- Changing the secondary member
For more information, see Configuring AOS-CX VSF Stacks Using Template Groups.

AOS-CX UI Configuration
The following new features are available for the AOS-CX UI group and device configuration.

Client Roles
Client roles allow administrators to assign network access to clients. A network administrator can create configuration profiles (roles) and associate them with clients. Client roles allow you to create and manage roles and attributes for the network.
For more information, see Configuring Client Roles for AOS-CX.

Device Fingerprinting
Device fingerprinting allows you to classify the end devices connected to an AOS-CX switch. Using device fingerprinting, you can find client details such as the type of device, host name, vendor identification, and capabilities of the device. In this release, Aruba Central (on-premises) uses device fingerprinting to get only the clients' hostname.

To enable Device Fingerprinting and DHCP Option 12 on the switch, run the following commands:

    (config)# client device-fingerprint profile dfp1
    (config)# dhcp option-num 12

To apply the Device Fingerprinting profile to interfaces, for example 1/1/1 to 1/1/3, run the following commands:

    (config)# int 1/1/1-1/1/3
    (config-if-1/1/1-1/1/3)# client device-fingerprint apply-profile dfp1

Enabling Device Fingerprinting on the AOS-CX switch displays the hostname of the client in the Client Name and Hostname columns on the Clients page.

HTTP Proxy
HTTP proxy enhances security for device management. An IP address can be made a proxy for all HTTP connections. If your network requires a proxy server for Internet access, ensure that you configure the HTTP proxy on the AOS-CX switch to download the image from the cloud server. For more information, see Configuring HTTP Proxy on AOS-CX.

Managed Mode
When an AOS-CX switch running 10.07 or a later version connects to Aruba Central (on-premises) 2.5.4 or a later version, Aruba Central (on-premises) takes control of modifying the configuration of the AOS-CX switch. A switch cannot be configured using the CLI when the switch is in Aruba Central (on-premises) Managed mode. Aruba Central (on-premises) becomes the single source of configuration for the switch. For more information, see Getting Started with AOS-CX Deployments.
Multiple Browser Tab Support and Configuration Drift Warning
Aruba Central (on-premises) allows users to open multiple browser tab sessions of the same Aruba Central (on-premises) instance with different switch group or device pages simultaneously. For example, you can open the group configuration of a switch in one browser tab and the device-level configuration of a switch in another browser tab. Aruba Central (on-premises) stores the data from the different browser tabs separately. However, if you edit the configuration of one AOS-CX switch in MultiEdit mode in two different browser tab sessions, and try to save the configuration one after the other, the following events occur:
- The configuration that you save first in the editor in either of the two browser tabs is saved on the switch.
- When you try to save the configuration in the editor in the other browser tab, Aruba Central (on-premises) displays a warning that the configuration has been changed outside the current editor.
- If you ignore the warning and continue to save the configuration, Aruba Central (on-premises) overwrites the changes saved earlier with the current changes.
For more information, see Configuring AOS-CX Switches in UI Groups and Editing Configuration Using MultiEdit on AOS-CX.

Source Interface
Aruba Central (on-premises) allows you to configure a single source interface for a service so that all traffic routed through the AOS-CX switch is sent with the same IP address. In this release, you can add the source interface only for the Aruba Central (on-premises) and User-based Tunneling services on the AOS-CX switch. For more information, see Configuring Source Interface for AOS-CX.

User-Based Tunneling
User-based tunneling uses GRE to tunnel ingress traffic on a switch interface to a gateway for further processing.
User-based tunneling enables a gateway to provide a centralized security policy, using per-user authentication and access control, to ensure consistent access and permissions. For more information, see Configuring User-Based Tunneling for AOS-CX.

AOS-Switch UI Configuration
The following new features are available for the AOS-Switch UI group and device configuration.

IP Client Tracker
The IP Client Tracker allows you to identify both trusted and untrusted clients that access the system. This feature is supported only on the AOS-Switch 2930F, 2930M, and 3810 switches. This feature is available on AOS-Switch versions 16.10.0008 and later. For more information, see Configuring IP Client Tracker on AOS-Switches.

Device Identifier for Device Profile
The Device Identifier configuration allows you to configure multiple identifiers for a single device profile. You can create different profiles with predefined rules applicable to a group of devices directly connected to the switch. This feature is available on AOS-Switch versions 16.10.0011 and later. For CDP, this feature is not supported on the AOS-Switch 2530 and 2920 switches. For more information, see Configuring Device Profile and Device Identifier on AOS-Switches.

Loop Protection Disable Timer
The Disable Timer parameter in the Loop Protection tab allows you to access the switch console with non-administrative credentials. This feature allows you to configure a timer to auto-recover ports if the switch detects a loop. For more information, see Configuring Loop Protection on AOS-Switch Ports.

AI Insights
The following new Switch insights are added in this release:

Availability - Switch
- The AOS-CX Switch Ports with High Power-over-Ethernet Problems insight provides information on the switches that have not received the required power from PoE devices connected to them.
  For more information, see AOS-CX Switch Ports with High Power-over-Ethernet Problems.
- The AOS-Switch Ports with High Power-over-Ethernet Problems insight provides information on the switches that have not received the required power from PoE devices connected to them. For more information, see AOS-Switch Ports with High Power-over-Ethernet Problems.

Network Structure Page
Under Organization, the Network Structure landing page is added, and the existing tabs such as Groups, Sites, and Labels are added as tiles on this page. You can click a tile to navigate to the respective page. For more information, see Network Structure.

Group Persona
You can define a persona for the devices in a group while creating the group. The persona of a device represents the role that the device plays in a network deployment. Persona and architecture are set at the group level. All devices within a group inherit the same persona from the group settings. You can save the preferred settings to apply the same persona and architecture to subsequent group creations. For more information, see Groups.

Alerts and Events
The following new alert is added in this release:
- Switch Reboot Alert: Generates an alert when a switch reboots or crashes. This alert is enabled by default and the alert severity is Critical. This alert is applicable only to AOS-Switch. For more information, see Switch Alerts.
The following AP client events are added in this release:
- Client Accounting Server Timeout
- Client Authentication Server Timeout
- Radius-COA Failure
- Client Match Success
- Client Match Steer Uncontrolled Moves
- Client Match Steer No Move
For more information, see Supported Client Events for Campus AP and Instant AP Devices.
Aruba Central APIs
This release introduces the following new APIs:

WLAN Configuration APIs
The following APIs are introduced in the Configuration > WLAN Configuration category:
- [GET]:
  - /configuration/full_hotspot/{group_name_or_guid}
  - /configuration/full_hotspot/{group_name_or_guid}/{mode_name}
  - /configuration/full_hotspot/{group_name_or_guid}/template
  - /configuration/full_hotspot/{group_name_or_guid}/{hotspot_name}/{mode_name}
- [DELETE]:
  - /configuration/full_hotspot/{group_name_or_guid}/{hotspot_name}/{mode_name}
- [POST]:
  - /configuration/full_hotspot/{group_name_or_guid}/{hotspot_name}/{mode_name}
- [PUT]:
  - /configuration/full_hotspot/{group_name_or_guid}/{hotspot_name}/{mode_name}

Troubleshooting APIs
The following APIs are introduced in the Troubleshooting category:
- [GET]:
  - /troubleshooting/v1/running-config-backup/serial/{serial}
  - /troubleshooting/v1/running-config-backup/serial/{serial}/prefix/{prefix}
  - /troubleshooting/v1/running-config-backup/name/{name}
- [POST]:
  - /troubleshooting/v1/running-config-backup/serial/{serial}/prefix/{prefix}
  - /troubleshooting/v1/running-config-backup/group_name/{group_name}/prefix/{prefix}

Clients APIs
The following APIs are introduced in the Monitoring > Clients category:
- [GET]:
  - /monitoring/v2/clients
  - /monitoring/v2/clients/{macaddr}

Authentication & Policy APIs
The following APIs are introduced in the Authentication & Policy > Client Policy category:
- [GET]:
  - /client_policy
- [DELETE]:
  - /client_policy
- [PUT]:
  - /client_policy
The following APIs are introduced in the Authentication & Policy > Client Registration category:
- [GET]:
  - /client_registration
- [DELETE]:
  - /client_registration/{mac_address}
- [POST]:
  - /client_registration
- [PATCH]:
  - /client_registration/{mac_address}
The following APIs are introduced in the Authentication & Policy > User Policy category:
- [GET]:
  - /user_policy
- [DELETE]:
  - /user_policy
- [PUT]:
  - /user_policy

Service IPMS APIs
The following APIs are introduced in the Service IPMS > Aruba ipms category:
- [GET]:
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/{range_id}/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/
- [DELETE]:
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/{range_id}/
- [POST]:
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/{range_id}/
- [PUT]:
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/
  - /ipms-config/v1/node_list/{node_type}/{node_id}/config/address_pool/{pool_name}/ip_range/{range_id}/

AI OPs APIs
The following APIs are introduced in the AI OPs > Wi-Fi Connectivity at Global category:
- [GET]:
  - /aiops/v1/connectivity/global/stage/{stage}/export
  - /aiops/v1/connectivity/site/{site_id}/stage/{stage}/export
  - /aiops/v1/connectivity/group/{group}/stage/{stage}/export
The following APIs are introduced in the AI OPs > AI Insights List category:
- [GET]:
  - /aiops/v2/insights/global/list
  - /aiops/v2/insights/site/{site_id}/list
  - /aiops/v2/insights/ap/{ap_serial}/list
  - /aiops/v2/insights/client/{sta_mac}/list
  - /aiops/v2/insights/gateway/{gw_serial}/list
  - /aiops/v2/insights/switch/{sw_serial}/list
The following APIs are introduced in the AI OPs > AI Insight Details category:
- [GET]:
  - /aiops/v2/insights/global/id/{insight_id}/export
  - /aiops/v2/insights/site/{site_id}/id/{insight_id}/export
  - /aiops/v2/insights/ap/{ap_serial}/id/{insight_id}/export
  - /aiops/v2/insights/client/{sta_mac}/id/{insight_id}/export
  - /aiops/v2/insights/gateway/{gw_serial}/id/{insight_id}/export
  - /aiops/v2/insights/switch/{sw_serial}/id/{insight_id}/export
For more information, see New APIs.

Enhancements
The following sections provide an overview of the enhancements introduced in Aruba Central in this release.

Configuration
The following UI and template configuration enhancements are introduced in this release.

RRM Quiet IE in SSID
The RRM Quiet IE option in the Security > Fast Roaming WLAN SSID configuration UI page allows you to enable or disable the Radio Resource Management IE profile elements advertised by an AP in the SSID profile. For more information, see Basic WLAN Security Parameters.

Mesh Support for Multiple Radios
Aruba Central now allows you to configure mesh profiles for multiple radios in the System > Mesh UI page. Although most mesh deployments require only a single mesh cluster profile, you can configure and apply multiple mesh cluster profiles to an individual AP. For more information, see Configuring Mesh for Multiple Radios.

Fast Roaming with Mesh
The Mesh mobility RSSI threshold in the Access Points > Mesh configuration UI page allows you to trigger fast roaming on a mobility mesh point when the RSSI of the parent is lower than the threshold value. For more information, see Access Points Configuration Parameters.

EST Support for Radsec and AP1X
Aruba Central now allows EST to support Radsec, AP1X CA, and AP1X Client Cert on the AP in the Security > Certificate Usage UI page. The Radsec use EST Server option allows Radsec to use the certificates enrolled using the EST Profile.
For more information, see Mapping IAP Certificates and Configuring an EST Profile.

DHCP Relay Support
The DHCP Relay and Helper Address options in the System > DHCP UI page allow the AP to relay DHCP requests for Centralized DHCP Scopes, Local DHCP Scopes, and DHCP for WLANs. For more information, see Configuring a Centralized DHCP Scope, Configuring Local DHCP Scopes, and Configuring DHCP Server for Assigning IP Addresses to IAP Clients.

Campus AP or Remote AP Replacement
- You can now replace a Campus AP or a Remote AP with a different model on the AP Summary page.
- After the device replacement, the new AP takes the old AP's place on the VisualRF floor plan if the old AP was associated with a VisualRF floor plan.
For more information, see Replacing an Access Point.

AOS-CX SNMP Enable
Aruba Central allows you to enable or disable the SNMP service at the global level on AOS-CX switches. You can also select the VRF on which you want to configure SNMP on the switch. For more information, see Configuring SNMP on AOS-CX.

AOS-CX Concurrent Authentication
Concurrent authentication is added in the Ports table under the Authentication parameter. For more information, see Configuring Authentication on AOS-CX.

AOS-CX Port Filter
On the Interfaces > Ports & Link Aggregations page, in the device view, all access ports are shown by default. The port filter provides options to select All Uplink Ports or All Access Ports. You can also search for a port using the port name. For more information, see Configuring Ports and LAGs on AOS-CX.

AOS-Switch Multiple DNS Server Support
Aruba Central allows you to configure two static IPv4 addresses for the DNS servers on AOS-Switches. For more information, see Configuring a Name Server.
IAP Local Probe Request Threshold and Min RSSI for Auth Request
To improve the performance of indoor Wi-Fi clients, this release supports configuring a WLAN SSID with the Local Probe Request Threshold and Min RSSI for auth request advanced settings. Based on your selection, the local probe request threshold value and the Min RSSI for auth request value change automatically to the value recommended by the AI insight. For more information, see Configuring Wireless Network Profiles on IAPs.

IAP Beacon Rate in SSID Profile
The Beacon Rate for the 2.4 GHz band and 5 GHz band under Advanced Settings in the SSID configuration page is modified. You can only set the maximum transmission rate from the 2.4 GHz and 5 GHz drop-down list. For more information, see Configuring Wireless Network Profiles on IAPs.

IAP Add Named VLAN
Aruba Central supports adding multiple VLAN IDs and VLAN ranges in the Add Named VLAN window in the SSID configuration page. For more information, see Configuring Wireless Network Profiles on IAPs.

Confirmation Message for Deleting a Site
The delete site action now displays a confirmation message. Deleting a site disassociates all devices that are associated with it. The disassociated devices are moved to the unassigned devices list. For more information, see the Deleting a Site section in the Managing Sites page.

UCC Configuration
In the UCC configuration page, the Facetime protocol row and the Server column are removed from the table. Additional system default carriers are added to the DNS Pattern list of the Wi-Fi Calling protocol. For more information, see Configuring UCC.

Monitoring
The following monitoring enhancements are introduced in this release.

LLDP Details Support on Campus AP
The LLDP Neighbor and LLDP Port details on the AP List page and the LLDP Details on the AP Summary page are now supported on Campus APs as well. For more information, see Network and Access Points Table.
Location and Contact Details on AP Summary Page
The AP Summary page for an AP running firmware version ArubaOS 8.9.0.0 or later displays the following:
- Physical location of the AP in the Location field.
- Contact for the AP in the Contact field.
For more information, see Device.

Reboot a Campus Access Point or Remote Access Point
The reboot action is introduced for Campus Access Points and Remote Access Points in the Details page and List view. For more information, see Rebooting an AP in the Details Page and Rebooting an AP in the List View.

Radio Frequency for Campus Access Points and Remote Access Points
The following features are added for monitoring Campus APs and Remote APs:
- The Frames - 802.11 graph in the RF tab for an AP has an Issues & Transmitted Frames filter to view the trend of transmitted frames along with retries, errors, and drops in frames per second, and Issue % for the percentage of retries, errors, and drops.
- The Radio Errors graph shows Physical Errors and MAC Errors along with Total Packets in packets per second.
For more information, see Access Point > Overview > RF.

AOS-CX VSF Stack
This release introduces the following enhancements to the Switch > LAN > Ports tab. The switch stack faceplate now displays the following configuration and connection errors related to the AOS-CX VSF stack. You can monitor and troubleshoot these errors from the Ports tab:
- Auto-join eligibility error
- VSF link error
- Cabling error
- Incompatible switch firmware error
For more information, see Monitoring AOS-CX Switch Stacks.

Application Visibility
The following improvements are made to the Application > Visibility dashboards:
- The Application > Visibility dashboard now includes Site and Client level support. You can now view the application traffic flow for both the site and the client.
- In the Visibility > Applications tab, the Usage and Sent columns are removed from the Applications table.
  You can use the filter option in the Applications and Category columns to filter any application or category by its name. Use the sort icon to sort the list in ascending or descending order.
- In the Summary view, the Visibility dashboard user interface is enhanced to include a pie chart along with the stacked bars. The new graphs display both the Applications and Websites usage data, along with the client traffic flow. You can select or deselect the application or category check box to show or hide the traffic flow data from the pie chart and stacked bar. By hovering the mouse over the pie chart and stacked bar, you can view the size of the data.
For more information, see Application Visibility.

Global Dashboard
The Connection Experience tile in the Summary view of the Manage > Overview > WiFi Connectivity tab is changed to a time series graph. You can hover over the graph to see the connection success percentage for a specific time. For more information, see Wi-Fi Connectivity.

Clients
The List view in the Clients section is enhanced with the following features:
- The filter criterion for the MAC Address column supports all delimiters when searching for a MAC address. You can search for a MAC address with any delimiter; Aruba Central automatically converts it to a semicolon and displays the corresponding results.
- The download icon is moved next to the ellipsis icon in the Clients table for quick and easy access. The download icon exports the data in the table to a CSV file.
- In the List view, you can hover over the row for a wireless client and select DISCONNECT FROM AP to disconnect the client from an AP.
For more details, see All Clients and Disconnecting a Wireless Client from an AP.

Download Client Live Events
The client Live Events page allows you to download the list of live events to a CSV file for offline analysis. For more information, see Client Live Events.
Download Live Events
The IAP Live Events page allows you to download the list of live events to a CSV file for offline analysis. For more information, see Live Events.

Health Bar on the Site Health Dashboard
The Health Bar in the Overview > Site Health tab displays a short description of the potential issues at the site and the devices connected. For more information, see Site Health Dashboard and The Health Bar.

Timezone on the Site Health Dashboard
The Site Health dashboard now displays the timezone and local time of the site, for example, IST-11:25 AM. For more information, see Site Health Dashboard.

Clients per Radio in the AP Performance Tab
The clients graph in the AP Performance tab now displays the number of clients connected per radio. For more information, see Access Point > Overview > Performance.

Wired Clients in Data Path
The AP Summary page displays the number of ports, including USB ports, available on the AP and the number of wired clients connected to the AP in the data path. For more information, see Data Path.

Topology Page
In the Topology page, the Show Device Labels option is renamed to Show Device Names. For more information, see Monitoring Sites in the Topology Tab.

UCC Monitoring
The following improvements are made to the UCC monitoring dashboard:
- The Summary bar is removed from the UCC > List page and added as a Call Quality column in the Calls table. You can filter the data by Good, Fair, Poor, or Unknown calls. Icons are added to the CDR column to indicate wireless and wired connections.
- In the UCC > Summary page, the default option to view the graph is changed to Protocol. The scatter plot graph is removed for the Health option. The per AP and per Client graphs are also removed from this page.
For more information, see Monitoring UCC in List View and Monitoring UCC in Summary View.
Floor Plan
This release introduces the following enhancements to the Floor Plan feature:
- The floor plan user interface for a site has been enhanced and now includes a Summary view and a List view. The summary view in the Floor Plan dashboard now features the All Floors tile, which displays all the available floors in a tile view for a selected site. You can add a new floor using the add icon and can also search for AP or floor names using the search icon. The list view displays all the floors in a Floor table.
- The view mode of a floor is also enhanced to provide a better user experience. For a selected floor, you can now view the floor details in the Floor Details window by clicking the icon. To view any device details in the <Device> Details window, click any device in the floor plan. You can also view the settings applied to the floor plan by clicking the eye icon.
- The new Floor Plan dashboard for the site allows you to delete or edit a floor plan directly from the summary view and the list view.
For more information, see About Floorplans.

Controller Summary
The Location and Contact details are added to the Summary tab for a controller. For more information, see Controller > Overview > Summary.

Firmware Upgrade and Compliance
This release introduces the following enhancements to the Firmware dashboard:
- Under the Later Date radio button, the Select Zone drop-down menu includes the Device Local Time option, which allows you to schedule compliance and upgrades based on the local site time.
- The Set Compliance, Upgrade, and Upgrade All options include an Install on drop-down option that allows you to select the Primary or Secondary partition to install the firmware.
- The Firmware <Device> table includes a Group column that displays the group to which the devices are associated. This information is available only in the global context.
- At the device level, when you hover over the Compliance Status column, the following information is displayed:
  - version number and configured compliance level for a set compliance
  - date, time (UTC), and firmware version number
  - configured compliance level for a scheduled compliance
For more information, see Upgrading Device Firmware.

Reports
The following enhancements are added to reports.

Infra Inventory Report
In the Infra Inventory report, the Device Types and Models by Site (CSV) option is added to the Groups context. For more information, see Report Categories and Report Configuration Options.

RF Health Report
In the RF Health report, the Optional Widgets section is introduced to include the RF Details and IAP Uplink Usage details in CSV format. The IAP Uplink Usage information is available only for Instant APs with an Advanced license. For more information, see Report Categories and Report Configuration Options.

Uptime for an Offline IAP
In the Network report, the - (hyphen) symbol in the Uptime column of the APs table indicates that the corresponding IAP is offline. For more information, see Report Categories.

Wired Client Support in Client and Network Reports
- Explicit details for wired clients are available in the Client Inventory, Client Usage, Client Session, and Network reports.
  - In the Client Inventory report, the Client Count by Connection Type table displays the client count by wireless and wired connection type.
  - In the Client Usage report, you can filter the data in the Top Ten Clients by Usage widget by All, Connection Type (wireless, wired, or remote), or SSIDs. The inbound and outbound client data usage metrics are displayed in the Client Usage widget by Connection Type (wireless, wired, or remote), and the client count metrics are displayed in the Client Count widget by Connection Type (wireless, wired, or remote).
  - In the Network report, you can filter the data in the Top Ten Clients by Usage widget by All, Connection Type (wireless, wired, or remote), or SSIDs. The Wired Clients and Peak & Average Wired Data Usage widgets are also added. The client count is displayed on the time series graph in the Wired Clients widget. The inbound and outbound peak or average data usage metrics are displayed in the Peak & Average Wired Data Usage widget.
  - In the Client Session report, the Session Data By Role and Clients By Role widgets display the details by role, connection type (wireless or wired), and SSIDs. You can filter the data in the Top Ten Clients by Usage widget by All, Connection Type (wireless or wired), or SSIDs.
For more information, see Report Categories.

Alerts and Events
The following alert and event enhancements are introduced in this release:

Suppress Alerts
In the Site context, while suppressing alert notifications, you can select Override or Append to either override or append the configured email addresses that receive notifications when an individual or site-level alert is generated. You can also override or append the configured default recipient email list for alert notifications. For more information, see Suppressing Alert Notifications in the Site Dashboard and Adding Default Recipients.

Filter Events
The Events table columns support filtering and search at all levels. Free text search is also allowed to enhance the search capability. You can also copy and paste text into the column headers to improve the search mechanism. For more information, see Viewing Events List View.

Client Event Filter
Aruba Central allows you to troubleshoot issues related to a wired or wireless client connected to IAPs. The Events tab in the client context provides a detailed drill-down capability to filter events further to identify a specific issue and perform troubleshooting in both the List and Summary views.
It provides an aggregate view Aruba Central (on-premises) | User Guide 42 of events in different categories to provide a deep insight to the client's health. For more information, see Client Events. Troubleshooting Tools In the Network Operations app, use the filter to select a group, label, site, or a device and then, select Analyze > Tools to use different troubleshooting tools. The Tools menu option enables users to troubleshoot AP, gateway, and switch issues in the network through various tests available in the Network Check, Device Check, and Commands tabs. The following troubleshooting enhancements are introduced in this release. Status Indicator in Logs Collection In the Analyze > Tools > Logs tab, the Status column now displays a status bar when you upload logs. The status bar displays the Scheduled, In Progress, Complete, or Failed statuses as a percentage value, as the logs are uploaded. This helps customers and internal users to understand the status of the log collection. Live Events Wired Client Packet Capture Aruba Central now allows read-write and admin users to launch targeted packet capture on a wired client connected to a gateway or switch. Packet capture can be done at a site level or for a selected client. For more information, see Client Live Events. API Gateway The API Gateway > Usage tab is now enhanced to include to include a Current usage status bar that displays the current usage of API calls assigned for a day along with the reset time in local time zone. For more information, see Viewing Usage Statistics. System Administration SCP Protocol for Data Backup The SCP option is added as a Protocol Type in the System Management > Backup and Restore tab to allow users to take data backup based on the available server. For more information, see Backing up and Restoring Aruba Central System Data. 
Aruba Central APIs

The following API changes and enhancements are introduced:

Clients APIs

The following enhancements are made to the APIs in the Monitoring > Clients category:
- [GET]:
  - /monitoring/v1/clients/wireless
  - /monitoring/v1/clients/wired

Topology APIs

The following enhancements are made to the APIs in the Topology category:
- [GET]:
  - /{site_id}
  - /devices/{device_serial}

For more information, see Modified API.

Chapter 4 Getting Started with Aruba Central (on-premises)

For more information on configuring Aruba Central (on-premises), refer to the Aruba Central (on-premises) Installation Guide to reinstall the software or to set up the Aruba Central server or cluster. To start managing your networks using Aruba Central, complete the steps in this section.

Aruba Central Subscriptions

Ensure that you have a valid Aruba Central subscription key with device and network service subscriptions to deploy your network on the cloud.
- If you are an existing Aruba Central customer with a valid subscription key and device licenses, access the Aruba Central UI and complete the provisioning procedures.
- If you are an existing Aruba customer with valid device licenses but do not have an Aruba Central account, sign up for an Aruba Central account and log in with your credentials. For more information, see Aruba Central Help Center.
- If you are an existing Aruba Central customer with Aruba APs and Aruba Controllers already deployed in the network, you can skip the initial steps and navigate to the configuration procedures.

Aruba offers a 90-day evaluation subscription for customers who want to evaluate the Aruba cloud solution for managing their networks. When you sign up for Aruba Central, an evaluation subscription is automatically assigned. To purchase subscriptions, contact the Aruba support team.
Provisioning Workflow

The provisioning workflow for Aruba Central deployments includes the following steps. Ensure that you have completed all the steps mentioned in the Setup and Upgrade Guide.
- Creating a Group
- Onboarding Devices
- Assigning Devices to Groups
- Assigning Labels
- Assigning Sites
- Connecting Aruba APs to Aruba Central
- Connecting Aruba Controllers to Aruba Central
- Configuring Communication Ports
- Configuring User Roles
- System Setup as Node or Cluster

The following figure illustrates the workflow for getting started with Aruba Central (on-premises).

Figure 1 Aruba Central (on-premises) Getting Started Workflow

Scaling Devices for Aruba Central (on-premises)

Aruba Central supports switches, controllers, Instant APs, and Campus APs. Aruba Central can be implemented on multiple nodes; accordingly, the number of supported devices increases.

Supported Number of Devices - Summary Table

The following table provides a summary of the number of devices supported across multiple nodes.

Table 9: Maximum Number of Supported Devices

Single Node
  Campus APs (AP and Controller): 2000
  Instant AP only: 2000
  Switches only (AOS-Switch and AOS-CX): 1000
  Mixed-Mode: 1600 APs (Instant AP or Campus AP) and 400 Switches (AOS-Switch or AOS-CX)

Three Node
  Campus APs (AP and Controller): 8000
  Instant AP only: 8000
  Switches only (AOS-Switch and AOS-CX): 3000
  Mixed-Mode: 6000 APs (Instant AP or Campus AP) and 2000 Switches (AOS-Switch or AOS-CX)

Five Node
  Campus APs (AP and Controller): 16000
  Instant AP only: 12000
  Switches only (AOS-Switch and AOS-CX): 4000
  Mixed-Mode: 12000 APs (Instant AP or Campus AP) and 4000 Switches (AOS-Switch or AOS-CX)

Seven Node
  Campus APs (AP and Controller): 25000
  Instant AP only: 16000
  Switches only: 10000 (AOS-Switch) / 4000 (AOS-CX)
  Mixed-Mode: 16000 APs (Instant AP or Campus AP) and 7000 Switches (AOS-Switch) [AOS-CX up to 4000 Switches]

Supported Number of Devices - Detailed Table

The following table details the number of devices that Aruba Central supports across multiple nodes.

Table 10: Maximum Number of Supported Devices

Single Node (maximum 2000 devices)
  - 2000 APs, where APs can be Instant APs, Campus APs, or controllers that manage APs, or a mixed deployment of any of these devices.
  - 1000 switches, where switches can be AOS-Switches, AOS-CX switches, or a mix of the two.
  - In a mixed mode of switches and APs, up to 1600 APs and 400 switches are supported.

Three Node (maximum 8000 devices)
  - 8000 APs, where APs can be Instant APs, Campus APs, or APs along with the controllers that manage them, or a mix of any of these devices.
  - 3000 AOS-Switches, AOS-CX switches, or a mix of the two can be deployed in a switch-only deployment.
  - In a mixed mode of switches and APs, up to 6000 APs (Instant APs or Campus APs) and 2000 switches (AOS-Switch or AOS-CX) are supported.

Five Node (maximum 16000 devices)
  - 16000 Campus APs along with the controllers that manage them can be deployed.
  - 12000 Instant APs can be deployed.
  - 4000 AOS-Switches, AOS-CX switches, or a mix of the two can be deployed in a switch-only deployment.
  - In a mixed mode of switches and APs, up to 12000 APs (Instant APs or Campus APs) and 4000 switches (AOS-Switch or AOS-CX) are supported.

Seven Node (maximum 25000 devices)
  - 25000 Campus APs along with the controllers that manage them can be deployed.
  - 10000 AOS-Switches can be deployed in an AOS-Switch-only deployment.
  - 4000 AOS-CX switches can be deployed in an AOS-CX-only deployment.
  - In a mixed mode of switches and APs, up to 16000 APs (Instant APs or Campus APs), 7000 AOS-Switches, and 4000 (AOS-Switch or AOS-CX) switches are supported.

You can check the maximum number of supported devices for the Aruba Central setup in the Account Home > Global Settings > Subscription Assignment page. If the device limit is exceeded, the device added to the system is displayed as Unsubscribed in the Account Home > Global Settings > Device Inventory page.
Limitations

The following features are not supported:
- Live Events on a single-node deployment
- API Streaming on a single-node deployment
- Live Packet Capture on a single-node deployment
- API Gateway on a single-node deployment
- RAPIDS on a single-node deployment
- UCC on a single-node deployment
- High Availability on a single-node deployment
- Adding and replacing a node on a single-node deployment
- AI Insights on a single-node deployment
- AI Insights on single-node and 3-node clusters

Creating a Group

Aruba Central supports creating groups and assigning devices to groups for ease of configuration and maintenance. For example, you can create a common group for APs that have similar configuration requirements.

To create a group, complete the following procedure:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click (+) New Group. The Create New Group pop-up window opens.
4. Click the Groups tile. The Groups page is displayed.
5. Expand a group from which you want to move devices to the selected group. For example, expand the Unprovisioned Devices group, select the devices, and then click the Move devices icon. The Move Devices page is displayed.
6. Enter a name for the group. By default, Aruba Central enables the template-based configuration method for switches and the UI-workflow-based configuration method for APs.
7. To enable the template-based configuration method for all device categories:
   - For Instant APs, select the IAP check box.
   - For Switches, ensure that the Switch check box is selected. The Switch check box is enabled by default.
8. To enable the UI-based configuration method for all device categories:
   a. For APs, ensure that the IAP check box is cleared.
   b. For switches, clear the Switch check box.
9. Assign a password. This password enables administrative access to the device interface.
10. Click Add Group.
You can also create a group that uses different provisioning methods for the switch and IAP device categories. For example, you can create a group with the template-based provisioning method for switches and the UI-based provisioning method for APs. For more information, see Groups.

Onboarding Devices

Aruba Central (on-premises) allows you to onboard devices using the offline mode. In this mode, you can manually add devices to the inventory by using one of the following options:
- Adding Devices Using MAC Address and Serial Number
- Adding Devices Using a CSV File
- Adding Devices Using PSK
- Adding Mobility Controllers

Adding Devices Using MAC Address and Serial Number

Aruba Central (on-premises) also supports this method for adding factory default AOS-CX switches.

To add devices:
1. In the Account Home page, under Global Settings, click Device Inventory.
2. In the Device Inventory page, click Add Devices.
3. Enter the Serial Number, MAC address, and Part Number of the devices. You can add up to 32 devices.

Adding Devices Using a CSV File

To import devices from a CSV file:
1. Create a CSV file with the device list.
2. Ensure that the CSV file includes column headers for part number, MAC address, serial number, and other optional fields such as the firmware version and IP address of the device.
3. In the Account Home page, under Global Settings, click Device Inventory.
4. In the Device Inventory page, click Import Devices Via CSV.
5. Browse to your local directory, select the CSV file, and then click Open.
6. Click Import.

Adding Devices Using PSK

Aruba Central (on-premises) supports adding devices using a pre-shared key (PSK). If you want to add APs and switches to Aruba Central (on-premises), you can configure a shared secret key on the DHCP server. When you add the same shared secret key in Aruba Central (on-premises), the devices that present the known PSK string are added to the Aruba Central (on-premises) device inventory.
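Both offline onboarding inputs introduced above, the device list for Import Devices Via CSV and the shared secret carried in DHCP Option 43 for PSK onboarding, are prepared outside the Aruba Central UI, and a malformed entry only shows up after the import or after the devices reboot. The following Python script is an added example, not code from this guide or from the product: it validates a device-list CSV (required columns, MAC address format, duplicate MACs, and the optional IP address) before import, and builds Option 43 values in the two formats that the Instant AP and AOS-Switch subsections below specify, rejecting a host name or an IPv6 literal where the guide requires an IP address. The CSV header names and all sample rows and values are assumptions.

```python
"""Prepare offline-onboarding inputs for Aruba Central (on-premises).

Added example, not product code. CSV header names are assumed (the guide
names the fields but not the header text); all sample values are constructed.
"""
import csv
import io
import ipaddress
import re

REQUIRED_COLUMNS = ("part_number", "mac_address", "serial_number")  # assumed header names
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")  # checked after normalisation

# Constructed sample: row 4 repeats the MAC of row 2; row 5 has three defects.
SAMPLE_CSV = """part_number,mac_address,serial_number,firmware_version,ip_address
PN-EXAMPLE-AP,00:11:22:33:44:55,SN-EXAMPLE-1,8.10.0.0,
PN-EXAMPLE-SW,00-11-22-33-44-56,SN-EXAMPLE-2,,192.0.2.10
PN-EXAMPLE-AP,00:11:22:33:44:55,SN-EXAMPLE-3,,
PN-EXAMPLE-SW,not-a-mac,,,999.1.1.1
"""


def _cell(row, key):
    """Stripped cell value; a missing column or a short row yields ''."""
    return (row.get(key) or "").strip()


def validate_device_csv(text):
    """Check a device-list CSV before importing it through Device Inventory.

    Returns (rows, errors): rows are the valid rows with the MAC normalised to
    lower-case colon form; errors are 'line N: reason' strings, and a row with
    any problem is excluded from rows.
    """
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in headers]
    if missing:
        return [], ["header: missing column(s) " + ", ".join(missing)]
    rows, errors, seen_macs = [], [], set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        problems = []
        mac = _cell(row, "mac_address").lower().replace("-", ":")
        if not MAC_RE.match(mac):
            problems.append("bad MAC %r" % _cell(row, "mac_address"))
        elif mac in seen_macs:
            problems.append("duplicate MAC %s" % mac)
        for col in ("serial_number", "part_number"):
            if not _cell(row, col):
                problems.append("empty %s" % col)
        ip = _cell(row, "ip_address")  # optional; validated only when present
        if ip:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                problems.append("bad IP %r" % ip)
        if problems:
            errors.append("line %d: %s" % (line_no, "; ".join(problems)))
            continue
        seen_macs.add(mac)
        clean = {col: _cell(row, col) for col in headers}
        clean["mac_address"] = mac
        rows.append(clean)
    return rows, errors


def _check_token(name, value):
    """Option 43 is a delimited string: a field may not be empty or contain ':' ',' or whitespace."""
    if not value or any(ch in ":," or ch.isspace() for ch in value):
        raise ValueError("%s must be non-empty and free of ':' ',' and whitespace" % name)


def _check_central_ip(value):
    """The guide requires an IP address, not a host name; IPv4 only, since IPv6 literals contain ':'."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        raise ValueError("Aruba Central address must be an IPv4 literal, got %r" % value) from None


def option43_instant_ap(org, central_ip, shared_secret):
    """Option 43 for Instant APs: <org>:<Aruba-Central IP>:<shared secret>."""
    _check_token("org", org)
    _check_token("shared secret", shared_secret)
    _check_central_ip(central_ip)
    return "%s:%s:%s" % (org, central_ip, shared_secret)


def option43_aos_switch(group, top_folder, folder1, central_ip, shared_secret):
    """Option 43 for AOS-Switches: <Group>:<Topfolder>:<folder1>,<Aruba-Central IP>,<shared secret>."""
    for name, value in (("group", group), ("top folder", top_folder),
                        ("folder1", folder1), ("shared secret", shared_secret)):
        _check_token(name, value)
    _check_central_ip(central_ip)
    return "%s:%s:%s,%s,%s" % (group, top_folder, folder1, central_ip, shared_secret)


if __name__ == "__main__":
    good, bad = validate_device_csv(SAMPLE_CSV)
    print("%d valid row(s), %d rejected: %s" % (len(good), len(bad), bad))
    print(option43_instant_ap("acme", "192.0.2.1", "EXAMPLE-PSK"))
    print(option43_aos_switch("branch", "top", "folder1", "192.0.2.1", "EXAMPLE-PSK"))
```

Run the script against your own CSV by replacing SAMPLE_CSV with the file contents; rows that fail validation are reported with their line numbers so the file can be corrected before the import rather than after the devices show up as missing. The Option 43 builders raise on any value that would break the delimited format, which is the failure mode the guide's note about providing only the IP address is guarding against.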
Adding Instant APs Using PSK

To onboard APs using PSK:
1. Configure the following parameters on the DHCP server to which the APs connect:
   - Option 60 with Aruba InstantAP
   - Option 43 in the format <org>:<Aruba-Central IP>:<shared secret>
   Ensure that you provide only the IP address and not the host name.
2. In the Aruba Central (on-premises) UI, go to Account Home and, under Global Settings, click Device Inventory.
3. Click Add/Delete PSK. The Add/Delete PSK window opens.
4. Enter the PSK name and PSK details.
5. Click Add.
6. Reboot the Instant APs.
7. Ensure that the Instant APs get an IP address from the DHCP server and connect to Aruba Central (on-premises).

Adding AOS-Switches Using PSK

To onboard AOS-Switches using PSK:
1. Ensure that the switches are running the factory default configuration.
2. Configure the following parameters on the DHCP server:
   - Option 43 in the format <Group>:<Topfolder>:<folder1>,<Aruba-Central IP>,<shared secret>
   - Option 60
3. In the Aruba Central (on-premises) UI, go to Account Home and, under Global Settings, click Device Inventory.
4. Click Add/Delete PSK. The Add/Delete PSK window opens.
5. Enter the PSK name and PSK details.
6. Click Add.
7. Reboot the switches.
8. Ensure that the switches get an IP address from the DHCP server and connect to Aruba Central (on-premises).

Adding AOS-CX switches

Aruba Central (on-premises) supports adding factory default and pre-configured AOS-CX switches.

Adding factory default AOS-CX switches

To add factory default AOS-CX switches:
1. In the Account Home page, under Global Settings, click Device Inventory.
2. In the Device Inventory page, click Add Devices.
3. Enter the Serial Number, MAC address, and Part Number of the switches.

Adding pre-configured AOS-CX switches

To add pre-configured AOS-CX switches:
1. Create a backup of the configuration.
2. Reset the switch using the erase all zeroize command in the CLI. This initiates ZTP on the switch, enabling the switch to obtain the IP address from option 43 sent by the DHCP server and then connect to Aruba Central (on-premises).

The <Group>:<Topfolder>:<folder1> portion of option 43 is not used for AOS-CX switches.

Adding Mobility Controllers

Aruba Central (on-premises) offers a monitoring service for WLAN networks configured and managed using Aruba Mobility Controllers. Aruba Central (on-premises) allows you to onboard and monitor controller clusters, the Mobility Conductor setup, and the conductor and local controller setup. When you add a conductor controller or a Mobility Conductor, Aruba Central (on-premises) discovers all the associated controllers and campus APs and adds them to the device inventory.

Aruba Central (on-premises) does not support configuring controllers. To configure and deploy controllers, use the ArubaOS WebUI and CLI.

Before You Begin

Before adding controllers to Aruba Central (on-premises), ensure that the controller has the following parameters configured:
- Management Server profile--The Aruba Central (on-premises) server must be configured as a management server on the controller.
- Advanced Monitoring Messages--Enable AMON for communication between the Aruba Central (on-premises) server and the controller. When AMON is enabled on the controller over UDP 8211, the controller periodically sends information about user sessions, AP and client association, and other such information required for managing and monitoring controllers on Aruba Central (on-premises).
- Syslog Messages and SNMP Traps--Although AMON is the preferred option for polling data from controllers, to obtain data pertaining to AP lists you may want to enable SNMP, and configure SNMP traps and a syslog server for logging system events.
- Websocket connection--To enable controller firmware upgrade and troubleshooting from Aruba Central (on-premises), ensure that the Aruba Central (on-premises) server URL and IP address are configured on the controllers running ArubaOS 6.5.3.6 or later.
- For more information on configuring controllers, see the ArubaOS User Guide.

Controllers running ArubaOS version 6.5.4.8 do not support the Websocket connection, so Aruba Central (on-premises) cannot onboard these controllers.

Configuring SNMP and HTTPS Connection Profiles

To configure connection profiles for adding controllers:
1. In the Account Home page, under Global Settings, click Device Inventory.
2. Click Controller Management. The Controller Management pop-up window opens.
3. Under Connection Profile, configure the SNMP and HTTPS connection profiles as per your requirement.
4. To add an SNMP connection profile:
   a. Click SNMP and add the following details:
      - Name--Name of the connection profile.
      - SNMP Version--SNMP version, for example V2 or V3.
      - Community String--Community string required for the management of the controller.
   b. Click Save.
5. To add an HTTPS connection profile:
   a. Click HTTPS and add the following details:
      - Name--Name of the connection profile.
      - HTTPS User--Username for HTTPS authentication.
      - HTTPS Password and Confirm HTTPS Password--Password for HTTPS authentication.
   b. Click Save.

Adding a Controller

To add controllers, click the Add MM/Controllers tab.
1. Click + to add a controller.
2. Enter a name for the controller.
3. Enter the IP address of the controller.
4. Select an SNMP or HTTPS profile.
5. Click Save.
6. Return to the Device Inventory page and verify that your controller is added.

Controllers appear in the Monitoring page only if they are licensed. You can choose auto subscription or license each controller manually. For more information on licensing, see Managing Licenses.
Viewing Devices

The devices provisioned in your account are listed in the Global Settings > Device Inventory page. Table 11 shows the contents of the Device Inventory page.

Table 11: Predefined Variables Example
  MAC Address: MAC address of the device.
  Type: Type of the device, for example AP or Switch.
  IP address: IP address of the device.
  Device Name: Name of the device.
  Labels: Name of the label to which the device is assigned.
  Model: Hardware model of the device.
  Group: Name of the group to which the device is assigned. This column is displayed only for Aruba Central Standard Enterprise mode users.
  Status: Status of the subscription assignment.

Deleting a Device

To delete a device:
1. In the Global Settings > Device Inventory page, click Delete Devices. The Delete Devices window opens and displays the list of devices provisioned in your network.
2. Select the devices from the list.
3. Click Delete.

Assigning Devices to Groups

To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory:
1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign the device.
4. Click Assign Device(s).

To assign a device to a group from the Groups page:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand a group from which you want to move devices to the selected group. For example, expand the Unprovisioned Devices group, select the devices, and then click the Move devices icon. The Move Devices page is displayed.
5. Select the Destination Group from the drop-down list.
6. Click Move. The selected devices are moved to the destination group.
These devices adopt the destination group configuration.

Assigning Labels

In Aruba Central, assigning Sites and Labels is an optional step. Labels refer to the tags attached to a device provisioned in the network. You can use labels to tag devices to a specific area in a physical location, to an owner, to a specific branch, or to a business unit. You can use these labels as filters for monitoring branch and device health and for generating reports.

To assign a label to a device, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Labels tile. The Manage Labels page is displayed.
4. Locate the label to which you want to assign a device. You can also create a new label by clicking Add Label and providing a label name.
5. In the table that lists the labels, you can perform one of the following actions:
   - Click All Devices to view all devices.
   - Click Unassigned to view all the devices that are not assigned to any labels.
6. Select Unassigned. A list of devices that are not assigned to any label is displayed.
7. Select one or several devices from the list of devices.
8. Drag and drop the selected devices to a specific label. A pop-up window opens and prompts you to confirm the label assignment.
9. To confirm the assignment, click Yes.

For more information, see Managing Labels.

Assigning Sites

In Aruba Central, assigning Sites and Labels is an optional step. A site in Aruba Central refers to a physical location where a set of devices is installed; for example, a campus, branch, or venue. You can create a branch or campus site, for example Branch A or Campus A, for a specific geographical location and assign devices to it. You can use these sites as filters for viewing your deployment topology and for monitoring network and device health.

To assign devices to a site:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. Under Manage Sites, locate the site to which you want to assign a device. You can also add a new site by clicking (+) New Site and providing details such as the site name and address.
5. To view devices that are not assigned to any site, click Unassigned.
6. Select one or several devices from the list of devices.
7. Drag and drop the devices to the site on the left. A pop-up window opens and prompts you to confirm the site assignment.
8. To confirm the assignment, click Yes.

For more information, see Managing Sites.

Connecting Aruba APs to Aruba Central

Aruba IAPs can automatically provision themselves and connect to Aruba Central (on-premises) once they are powered on.

To provision IAPs:
1. Connect your IAP to the provisioning network through PSK onboarding.
2. Wait for the device to obtain an IP address through DHCP.
3. Observe the LED indicators. For more information, refer to the AP Installation Guide.

When an IAP identifies Aruba Central (on-premises) as its management entity, it connects to Aruba Central (on-premises) and shows up as a connected device in Aruba Central (on-premises).

Connecting Aruba Controllers to Aruba Central

Aruba Controllers can automatically provision themselves and connect to Aruba Central once they are powered on. To provision controllers, you must configure SNMP and HTTPS connection profiles.

To configure connection profiles for adding controllers:
1. In the Account Home page, under Global Settings, click Device Inventory.
2. Select Controllers and click Controller Management. The Controller Management pop-up window opens.
3. Under Connection Profile, configure the SNMP and HTTPS connection profiles as per your requirement.
4. To add an SNMP connection profile:
   a. Click SNMP and add the following details:
      - Name--Name of the connection profile.
      - SNMP Version--SNMP version, for example V2 or V3.
      - Community String--Community string required for the management of the controller.
   b. Click Save.
5. To add an HTTPS connection profile:
   a. Click HTTPS and add the following details:
      - Name--Name of the connection profile.
      - HTTPS User--Username for HTTPS authentication.
      - HTTPS Password and Confirm HTTPS Password--Password for HTTPS authentication.
   b. Click Save.

Adding a Controller

To add controllers, click the Add MM/Controllers tab.
1. Click + to add a controller.
2. Enter a name for the controller.
3. Enter the IP address of the controller.
4. Select an SNMP or HTTPS profile.
5. Click Save.
6. Return to the Device Inventory page and verify that your controller is added.

Controllers appear in the Monitoring page only if they are licensed. You can choose auto subscription or license each controller manually. For more information on licensing, see Managing Licenses.

Connecting Aruba Switches to Aruba Central

Aruba switches can automatically provision themselves and connect to Aruba Central once they are powered on. The switches support zero touch provisioning (ZTP), through which devices obtain the IP address in option 43 from the DHCP server.

To provision switches:
1. Connect your switches to the provisioning network.
2. Wait for the device to obtain an IP address through DHCP.
3. Observe the LED indicators. For more information, refer to the Switch Installation Guide.

- If the device has the factory default configuration, you must manually add the serial number, MAC address, or part number of the switch in Aruba Central (on-premises) for the switch to connect to Aruba Central (on-premises).
  - If the device has a preconfigured configuration, you must first create a backup of the configuration, then reset the switch using the erase all zeroize command in the CLI. This initiates ZTP on the switch, enabling the switch to obtain the IP address from option 43 sent by the DHCP server and then connect to Aruba Central (on-premises).
- When a switch identifies Aruba Central as its management entity, it connects to Aruba Central and shows up as a connected device in Aruba Central.
- If the switch is running a software version that is not compatible with Aruba Central, upgrade the switch to a supported software version and wait for it to connect to Aruba Central.

Configuring Communication Ports

Most of the communication between devices at the remote site and the Aruba Central server is carried out through HTTPS (TCP 443). However, verify that the ports listed in Table 12 are open, so that the Aruba Central server and the managed devices can communicate across a network firewall.

Table 12: Domain Names and Ports for Aruba Central

Inbound Ports Traffic
  TCP 443: To access and manage Aruba Central (on-premises). For HTTPS and websocket between Aruba Central (on-premises) and devices.
  UDP 8211, 8285: To receive AMON messages and view data for controllers in the Aruba Central monitoring dashboard.
  TCP 22: For management access through SSH and cluster setup. For CLI between Aruba Central (on-premises) and devices.
  TCP 80: For browser redirect from HTTP to HTTPS.
  TCP 2379, 2380, 4433, 6433, and 10250: For communication between Aruba Central nodes in a cluster.
  TCP 4343: To access the setup-wizard installation.
  TCP 30633: To allow the devices to set up a connection with the OpenFlow controller.
  TCP 8888: For HTTP-based firmware image download for CX and PVOS devices.

Outbound Ports Traffic
  TCP 25, 456, or 587: Dependent on the SMTP configuration for alerts, reports, and Aruba Central (on-premises) account registration.
  UDP 123: To access ntp.ubuntu.com. NOTE: This is the default destination. Users can reconfigure this port.
  UDP 161, 162: For SNMP and traps.
  TCP 4343: For device bootstrap to controllers.
  TCP 22: To access nexus2.airwave.com to support connection.
  TCP 443:
    - To access coreupdate.central.arubanetworks.com and allow Aruba Central to check firmware versions for automatic upgrades.
    - To access images from the following registries: quay.io, docker.io, docker.com, and docker.elastic.co. NOTE: Quay.io traffic can originate from multiple IP ranges; refer to the article to allow traffic from Quay nodes.
    - To access maps.googleapis.com to translate addresses.
    - To access api.mapbox.com to view maps from the user's browser.
    - To access d1c50u1zbkqmph.cloudfront.net for CDN from the user's browser.
    - To access https://enterpriselicense.hpe.com for licensing.
    - To access help.arubanetworks.com for documentation from the user's browser.

The Aruba appliance opens multiple ports. Aruba recommends that you host the Aruba appliance behind a firewall.

Configuring User Roles

A role is a logical entity used for determining user access to devices and application services in Aruba Central. Users are always tagged to roles, which govern the level of user access to the Aruba Central applications and services. Aruba Central supports a set of predefined roles with different privileges and access permissions. You can also configure custom roles.

Predefined User Roles

The Users and Roles page allows you to configure the following types of users with system-defined roles:

Table 13: Predefined User Roles

Account Settings
  admin: Administrator for the Account Home page.
  readwrite: Can view and modify settings in the Account Home page and all Global Settings pages.
  readonly: Can view the Account Home page and all Global Settings pages.

Network Operations
  admin: Administrator for the Account Home page.
  deny-access: Cannot view the Network Operations application.
  readonly: Can view all pages in the Network Operations application.
  readwrite: Has access to view and modify data using the Aruba Central UI or APIs. However, the user cannot execute APIs to perform operations in the following pages:
    - Account Home > Users and Roles
    - Network Operations application > Organization > Sites and Labels

Custom Roles

Along with the predefined user roles, Aruba Central also allows you to create custom roles with specific security requirements and access control. However, only users with the administrator role and privileges can create, modify, clone, or delete a custom role in Aruba Central. With custom roles, you can configure access control at the application level and specify access rights to view or modify specific application services or modules. For example, you can create a custom role that allows access to a specific application, such as Network Management, and assign it to a user.

Tenant account users cannot add, edit, or delete roles.

Adding a Custom Role

The following are the permissions that you can associate with a custom role:
- User roles with the Modify permission can perform add, edit, or delete actions within the specific module.
- User roles with the View Only permission can only view the specific module.
- User roles with the Block permission cannot view that particular module.

To add a custom role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. Click Add Role. The New Role window is displayed.
4. Specify a name for the role.
5. From the drop-down list, select one of the following:
   - Account Home--To manage access to devices and subscriptions in Aruba Central.
   - Network Operations--To set permissions at the module level in the Network Operations application.
   - ClearPass Device Insight--To set permissions at the module level in the ClearPass Device Insight application.
6. For the Network Management and MSP modules, you can set access rights at the module level.
7. Click Customize. Select one of the following options for each module as required.
8. Click Save.
9. Assign the role to a user account as required.

Module Permissions

Aruba Central allows you to define user roles with view or modify permissions. You can also block user access to some modules. Aruba Central supports setting permissions for the following modules:

Table 14: Permissions

Account Home
  Devices and Subscription: Allows users to add devices and assign keys and subscriptions to devices.

Network Operations
  Group Management: Allows users to create, view, modify, and delete groups and assign devices to groups.
  Devices and Subscription: Allows users to add devices and assign subscriptions to devices.
  Network Management: Allows users to configure, troubleshoot, and monitor Aruba Central-managed networks.
  VisualRF: Allows users to access VisualRF and RF heatmaps.
  Unified Communications: Allows users to access the Unified Communications pages.
  Reports: Allows users to view and create reports.

Viewing User Role Details

To view the details of a user role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab. The Roles tab displays the following information:
   - Role Name--Name of the user role.
   - Allowed Applications--The applications to which the users have access.
   - Assigned Users--Number of users assigned to the role.

Editing a User Role

To edit a user role, complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the edit icon.
4. In the Edit Role <"Rolename"> window, modify the permissions set for the module(s).
5. Click Save.
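The custom-role model above reduces to three permission levels per module (Modify, View Only, Block), an administrator-only rule for managing roles, and a question an auditor asks of every role: does it grant more than its users need? The following Python script is an added example, not Aruba Central code, that evaluates those rules and flags over-provisioned modules. The permission names, the module names from Table 14, and the administrator-only rule come from this section; treating a module the role does not list as Block (default deny) is an assumption, and the sample roles are constructed.

```python
"""Default-deny evaluator for the module permissions a custom role can carry.

Added example modelled on the permission names in this section (Modify, View
Only, Block) and the rule that only administrators manage custom roles; it is
not Aruba Central code. Treating an unlisted module as Block is an assumption,
and the sample roles are constructed.
"""
from enum import Enum


class Permission(Enum):
    MODIFY = "Modify"        # add, edit, or delete within the module
    VIEW_ONLY = "View Only"  # view the module only
    BLOCK = "Block"          # cannot view the module


# Ordering used to compare what a role grants with what a task needs.
RANK = {Permission.BLOCK: 0, Permission.VIEW_ONLY: 1, Permission.MODIFY: 2}
NEED_RANK = {None: 0, "view": 1, "modify": 2}

# Module names from Table 14 (Network Operations application).
MODULES = ("Group Management", "Devices and Subscription", "Network Management",
           "VisualRF", "Unified Communications", "Reports")


class Role:
    def __init__(self, name, modules, is_admin=False):
        self.name = name
        self.modules = dict(modules)  # module -> Permission; unlisted = Block (assumed)
        self.is_admin = is_admin      # predefined administrator role, full access


def is_allowed(role, module, action):
    """Return True if the role may perform action ('view' or 'modify') on module."""
    if action not in ("view", "modify"):
        raise ValueError("unknown action %r" % action)
    if role.is_admin:
        return True
    granted = role.modules.get(module, Permission.BLOCK)
    return RANK[granted] >= NEED_RANK[action]


def can_manage_roles(actor):
    """Only users with the administrator role can create, modify, clone, or delete custom roles."""
    return actor.is_admin


def excess_permissions(role, required):
    """Least-privilege check: modules where the role grants more than the task needs.

    required maps module -> 'view' or 'modify'; a module the role grants but the
    task does not list counts as excess. Returns module -> granted Permission.
    """
    return {m: p for m, p in role.modules.items()
            if RANK[p] > NEED_RANK[required.get(m)]}


# Constructed sample roles.
ADMIN = Role("admin", {}, is_admin=True)
NOC_VIEWER = Role("noc-viewer", {"Network Management": Permission.VIEW_ONLY,
                                 "Reports": Permission.VIEW_ONLY})
GROUP_OPERATOR = Role("group-operator", {"Group Management": Permission.MODIFY,
                                         "Network Management": Permission.VIEW_ONLY,
                                         "VisualRF": Permission.BLOCK})

if __name__ == "__main__":
    for module in MODULES:
        print("%-25s view=%-5s modify=%s" % (module,
              is_allowed(GROUP_OPERATOR, module, "view"),
              is_allowed(GROUP_OPERATOR, module, "modify")))
    print(excess_permissions(GROUP_OPERATOR, {"Group Management": "view"}))
```

The useful part for a periodic review is excess_permissions: describe what a team actually does as a required map and run it over every custom role, and any module that comes back is a candidate for View Only or Block. Because unlisted modules are treated as Block, a role can only gain access by being granted it explicitly, which matches the way the Customize step assigns a level per module.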
Deleting a User Role

To delete a user role, ensure that the role is not associated with any user, and then complete the following steps:
1. In the Account Home page, under Global Settings, click Users and Roles.
2. Click the Roles tab.
3. In the List of Roles table, select the role and click the delete icon.
4. Confirm the role deletion in the Confirm Action dialog box.

System Setup as Node or Cluster

Aruba Central can be implemented on multiple nodes; accordingly, the number of supported devices increases. You can check the maximum number of supported devices for the Aruba Central setup in the Account Home > Global Settings > Subscription Assignment page. If the device limit is exceeded, a device added to the system is displayed as Unsubscribed in the Account Home > Global Settings > Device Inventory page. For more information on verifying the system setup, see System Management.

Verifying Device Configuration Status

Aruba Central provides an audit dashboard for reviewing configuration changes for the devices provisioned in UI and template groups. The Configuration Audit menu option under Manage > Devices allows you to view the configuration template errors, the configuration sync status, and device-level configuration overrides.

Viewing Configuration Audit Page

To access the Configuration Audit page:
- For APs:
  a. In the Network Operations app, use the filter bar to select a group or device.
  b. Go to Manage > Devices > Access Points.
  c. Click the configuration icon and click Show Advanced.
  d. Click Configuration Audit.
- For switches:
  a. In the Network Operations app, use the filter bar to select a group or device.
  b. Go to Manage > Devices > Switches.
  c. Click the configuration icon and click Show Advanced.
  d. Click Configuration Audit.

Configuration Synchronization Errors

The devices managed by Aruba Central receive their configuration changes from Aruba Central. Occasionally, an Aruba Central-managed device may fail to receive a configuration change from Aruba Central. Such instances are marked as Failed changes in the Configuration Audit dashboard. If the condition persists, contact Aruba Technical Assistance.

Local Overrides

In Aruba Central, devices are assigned to groups that serve as the primary configuration elements. Occasionally, based on the network provisioning requirements, administrators may need to modify the configuration of a specific device in a group. Because these modifications override the configuration settings that the device has inherited from the group, Aruba Central marks them as local overrides.

Viewing Status for a Template Group

On selecting a template group, the Configuration Audit page displays the options listed in Table 15.

Table 15: Configuration Audit Status for a Template Group

Template Errors
  Provides details of the number of devices with template errors for the selected template group. Devices deployed in the template group are provisioned using configuration templates. If there are errors in the templates or variable definitions, the configuration push to the devices fails. Aruba Central records such failed instances as template errors and displays them on the Configuration Audit page. To view a complete list of errors, click View Template Errors. The Template Errors window allows you to view and resolve the template errors, if any, for the devices in the group.

Configuration Status
  Provides details of the number of devices with configuration sync errors for the selected template group. To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
  - Not In Sync Configuration--Displays the configuration changes that are not synced with the switch.
  - Device Running Configuration--Displays the running configuration on the switch.
  To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Group & Device Modes
  Allows you to view and edit devices that are set to the managed or monitored operation mode.
  - Managed Mode Devices--Click the View & Edit link. The Managed Mode Devices window is displayed with the list of devices operating in the managed mode. To change the device operation mode to monitored, click Change to Monitor Mode.
  - Monitored Mode Devices--Click the View & Edit link. The Monitored Mode Devices window is displayed. To change the device operation mode to managed, click Change to Managed Mode.

Configuration Backup & Restore
  Allows you to create a backup of the templates and variables applied to the devices in the template group.
  - New Configuration Backup--Allows you to create a new backup of the templates and variables applied to the devices in the template group.

All Devices
  The All Devices table provides the following device information for the selected group:
  - Name--The name of the device.
  - Type--The type of the device.
  - Auto Commit--The status of the auto commit state for all the devices within the group.
  - Config Sync--Indicator showing configuration sync errors.
  - Template Error--Indicator showing configuration template errors for the devices deployed in template groups.

Viewing Status for Devices Assigned to a Template Group

On selecting a device that is provisioned in a template group, the Configuration Audit page displays the options listed in Table 16.

Table 16: Configuration Audit Status for Devices in Template Groups

Template Applied
  Displays the template that is currently applied on the selected device.

Template Errors
  Displays the number of template errors for the selected device. To view a complete list of errors, click View Template Errors.

Configuration Status
  Displays the configuration sync errors for the selected device. To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
  - Not In Sync Configuration--Displays the configuration changes that are not synced with the switch.
  - Device Running Configuration--Displays the running configuration on the switch.
  To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Config Comparison Tool
  Allows you to view the difference between the current configuration (Device Running Configuration) and the configuration that is yet to be pushed to the device (Attempted Configuration). To view the running and attempted configuration changes side by side, click View.

Group & Device Modes
  Allows you to view and edit devices that are operating in the managed or monitored mode.
  - Managed Mode Devices--Click the View & Edit link. The Managed Mode Devices window is displayed with the list of devices operating in the managed mode. To change the device operation mode to monitored, click Change to Monitor Mode.
  - Monitored Mode Devices--Click the View & Edit link. The Monitored Mode Devices window is displayed. To change the device operation mode to managed, click Change to Managed Mode.

Viewing Configuration Status for a UI Group

On selecting a UI group, the Configuration Audit page displays the options listed in Table 17.

Table 17: Configuration Audit Status for a UI Group

Configuration Status
  Displays the number of devices with configuration sync errors for the selected UI group. To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
  - Not In Sync Configuration--Displays the configuration changes that are not synced with the switch.
  - Device Running Configuration--Displays the running configuration on the switch.
  To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Local Overrides
  Displays the number of devices with local overrides. To view a complete list of overrides, click the Manage Local Overrides link. The Local Overrides window is displayed.
  - To preserve the overrides, click Close.
  - To remove the overrides, select the group name with the local override, click Remove, and click OK.

All Devices
  The All Devices List table provides the following device information for the selected group:
  - Name--The name of the device.
  - Type--The type of the device.
  - Auto Commit--The status of the auto commit state for all the devices within the group.
  - Config Sync--Indicator showing configuration sync errors.
  - Local Override--Indicator showing configuration overrides for the devices deployed in UI groups.

Viewing Configuration Status for Devices Assigned to a UI Group

On selecting a device assigned to a UI group, the Configuration Audit page displays the options listed in Table 18.

Table 18: Configuration Audit Status for a Device Assigned to a UI Group

Configuration Status
  Displays the number of devices with configuration sync errors for the selected device. To view the configuration sync errors, click View Details. The Configuration Sync Issues window is displayed with the following tabs:
  - Not In Sync Configuration--Displays the configuration changes that are not synced with the switch.
  - Device Running Configuration--Displays the running configuration on the switch.
  To resolve the configuration sync errors, click Re-Sync Configuration. Aruba Central will attempt to synchronize the configuration with the switch again. Click Yes in the confirmation window. To check whether the configuration was synchronized and pushed to the switch, see the Audit Trail page.

Local Overrides
  Displays the number of local overrides. To view a complete list of overrides, click Manage Local Overrides. The Local Overrides window is displayed. The overrides are grouped based on the features that are configured in the UI and are displayed as drop-down sections. For example, all overrides for IGMP are listed under a separate drop-down with the heading IGMP.
  - To preserve the overrides, click Close.
  - To remove the overrides, click Remove, and click OK.

Using the Search Bar

The search bar in the Network Operations app enables users to search for clients, devices, and infrastructure connected to the network. The search engine uses Natural Language Processing (NLP) to analyze queries and return relevant search results. The following figure illustrates the search bar option in Aruba Central.
Figure 2 Search Bar

To start a search in the Aruba Central UI, click the search bar or press / (forward slash) on your keyboard. The search results display cards relevant to the search terms. The search cards display a monitoring summary of the devices in the Network Operations app.

Device Search Terms

The search bar helps you search all devices monitored by Aruba Central and navigate to the monitoring pages of those devices in the Network Operations app. Using the search bar, you can perform the following tasks:
- Hover over a search card to view the monitoring summary for the device.
- Click the device name to open the Device Details page.

The cards might vary for each device based on the context. You can click a search card to navigate to the details page of that device in the app. Search cards are displayed when you search by device name, IP address, MAC address, site, or label. Following are examples for APs, switches, and controllers.

Figure 3 Search Card for a Device Name
Figure 4 Search Card for a Device Serial
Figure 5 Search Card for a Device MAC Address

Following is an example for the device IP address search:

Figure 6 Search Card for a Device IP Address

Client Search Terms

The search bar helps you search a client's information in the Network Operations app. Using the search bar, you can perform the following tasks:
- Hover over a client search card to view the monitoring summary for the client.
- Click the client name to open the Client Details page.

Search cards are displayed when you search by client name, IP address, or MAC address. You can see the following details on the search card:
- Client Name
- IP Address
- MAC Address
- Username
- Status

Following is an example for the client name search:

Figure 7 Search Card for Client Name

Following is an example for the client IP address search:

Figure 8 Search Card for Client IP Address

Following is an example for the client MAC address search:

Figure 9 Search Card for Client MAC Address

Site Search Terms

The search bar helps you search a site's information in the Network Operations app. Using the search bar, you can perform the following tasks:
- Hover over a site search card to view the monitoring summary for the site.
- Click the site name to open the Site Details page.

Following is an example for the site search:

Figure 10 Search Card for a Site

Chapter 5 About the Network Operations App User Interface

The Network Operations app is one of the apps in Aruba Central that helps you manage, monitor, and analyze your network. You can manage your respective accounts end-to-end. Customers have complete access to their accounts, and you can also provision and manage the accounts. The following image displays the navigational elements of the Network Operations app.

Figure 11 Navigation Elements of the Network Operations App

Callout Number | Description
1 | Filter to select an option under Group, Label, or Site. For all devices, select Global. A corresponding dashboard is displayed.
2 | Item under the left navigation contextual menu. The menu depends on the filter selection.
3 | First-level tab on the dashboard.
4 | Second-level tab on the dashboard.
5 | Dashboard content for the selected view and filter. For example, the current dashboard in the image displays the UCC tab under Manage > Applications in the List view for the Global filter.
6 | Time range filter. This is displayed for selected dashboards only.
7 | List view to display tabular data for the selected filter. This is displayed for selected dashboards only.
8 | Summary view to display charts for the selected filter. This is displayed for selected dashboards only.
9 | Config view to enable configuration options for the selected filter. This is displayed for selected dashboards only.

Types of Dashboards in the Network Operations App

The Network Operations app uses a filter to set the dashboard context for the app. The menu for the left navigation pane changes according to the selected filter value. Selecting any item on the left navigation pane displays a corresponding dashboard. Accordingly, for different values of the filter, the content displayed for the left navigation menu and the dashboard context differs. The following table lists all the available dashboards and the link to the detailed description of each type of dashboard.

Table 19: Types of Dashboards

Link to the Dashboard | Filter Value and Dashboard Description
The Global Dashboard | When the filter is set to Global (for standard enterprise modes) or All Groups (for managed service modes), the dashboard context displayed is for all available devices registered to the specific Aruba Central account. This is called the global dashboard.
The Group Dashboard | When the filter is set to a specific group, the dashboard context displayed is only for the devices that are configured as part of that group. This is called the group dashboard.
The Site Dashboard | When the filter is set to a specific site, the dashboard context displayed is only for the devices that are configured as part of that site. This is called the site dashboard.
The Label Dashboard | When the filter is set to a specific label, the dashboard context displayed is only for the devices that are configured as part of that label. This is called the label dashboard.
The Controller Dashboard | When the filter is set to a controller, the dashboard context displayed is only for that specific controller. This is called the controller dashboard. The controller dashboard enables you to manage and monitor a specific controller.
The Access Point Dashboard | When the filter is set to an access point, the dashboard context displayed is only for that specific access point. This is called the access point dashboard. The access point dashboard enables you to manage and monitor a specific access point.
The Switch Dashboard | When the filter is set to a switch, the dashboard context displayed is only for that specific switch. This is called the switch dashboard. The switch dashboard enables you to manage and monitor a specific switch.
The Client Dashboard | In the Network Operations app, the client dashboard is displayed under Manage > Clients for any filter value.

The dashboard for any item on the left navigation menu can have a combination of the following views:
- Summary view--Click the Summary icon to display the summary dashboard. The summary dashboard displays a number of charts. For example, for the global dashboard, under Manage, the Overview > Network Health tab in Summary view displays a map of the available sites and their corresponding health. If available, use the time range filter to change the timelines for the charts.
- List view--Click the List icon to display tabular data for a selected dashboard. For example, for the global dashboard under Manage, the Overview > Network Health tab in List view displays a list of the available sites managed by Aruba Central. If available, use the time range filter to change the timelines for the tabular data.
- Config view--Click the Config icon to enable the configuration options for a specific dashboard. For example, for the global dashboard under Manage, the Applications > UCC tab in Config view displays various configuration options for UCC.

Navigating to the Switch, Access Point, or Controller Dashboard

In the Network Operations app, you can navigate to a device dashboard for a switch, access point, or controller. The device dashboard enables you to monitor, troubleshoot, or configure a single device. To do this, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Group, Label, or Site. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage > Devices, select one of the following options:
   - To view an access point dashboard, click the Access Points tab.
   - To view a switch dashboard, click the Switches tab.
   - To view a controller dashboard, click the Controllers tab.
   The list of devices is displayed in List view.
3. Click a device listed under Device Name. The dashboard context for the specific device is displayed.

To exit the device dashboard, click the back arrow on the filter.

Workflow to Configure, Monitor, or Troubleshoot in the Network Operations App

The following image displays a flowchart to help you navigate the Network Operations app to complete any task.

Figure 12 Navigation Workflow for Network Operations App

The Global Dashboard

In the Network Operations app, the global dashboard is displayed when the filter is set to Global. The global dashboard displays information related to all devices registered to that account in Aruba Central. Some tabs may not be visible in your dashboard view if you are not an administrator for the Aruba Central account.
Table 20: Contents of the Global Dashboard

Manage > Overview | Network Health
  Displays information about the networks sorted by site, including information on network devices and WAN connectivity of individual sites. For more information, see Network Health.

Manage > Overview | Summary
  Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range Filter. For more information, see Global--Summary.

Manage > Devices | Access Points
  Displays the access point information in the following views:
  - Summary view: Monitoring APs in Summary View
  - List view: Monitoring APs in List View

Manage > Devices | Switches
  Displays the switch information in the following views:
  - Summary view: Monitoring Switches in Summary View
  - List view: Monitoring Switches in List View

Manage > Devices | Controllers
  Displays the controller information in the following view:
  - Summary view: Controller > Overview > Summary

Manage > Clients | Clients
  Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.

Manage > Applications | Visibility
  Provides a summary of client traffic and its data usage to and from applications and websites. Also analyzes the client traffic flow using the graphs displayed. For more information, see Application Visibility.

Manage > Applications | UCC
  Monitors voice, video, and application sharing sessions, provides traffic visibility, and allows you to prioritize the required sessions. The app also leverages the functions of the service engine on the cloud platform to provide visual metrics for analytical purposes. For more information, see Unified Communications.

Manage > Security | RAPIDS
  Helps to identify and act on interfering devices that can later be considered for investigation, restrictive action, or both. For more information, see RAPIDS.

Manage > Security | Firewall
  Monitors traffic coming into and going out of the Aruba Central-managed network and acts as an investigative resource for users to track blocked sessions within the network. For more information, see Configuring Firewall Parameters for Wireless Network Protection.

Analyze > Alerts and Events | Alerts & Events
  Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Audit Trail | Audit Trail
  Shows the total number of logs generated for all device management, configuration, and user management events triggered in Aruba Central. For more information, see Viewing Audit Trail.

Analyze > Tools | Network Check, Device Check, Commands
  Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostic tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports | Reports
  Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.

Maintain > Firmware | Access Points, Switches, Controllers
  Provides an overview of the latest supported version of firmware for the device, details of the device, and the option to upgrade the device. For more information, see Upgrading Device Firmware.

Maintain > Organization | Groups
  A group in Aruba Central is the primary configuration element that functions as a container for device management, monitoring, and maintenance. Groups enable administrators to manage devices efficiently by using either a UI-based configuration workflow or a CLI-based configuration template. For more information, see Managing Groups.

Maintain > Organization | Sites and Labels
  A site refers to a physical location where a set of devices is installed; for example, a campus, branch, or venue. Labels are tags attached to a device provisioned in the network. Labels determine the ownership, departments, and functions of the devices. For more information, see Managing Sites and Managing Labels.

Maintain > Organization | Certificates
  Enables administrators to upload a valid certificate signed by a root CA so that devices are validated and authorized to use Aruba Central. For more information, see Managing Certificates.

The Access Point Dashboard

In the Network Operations app, the access point dashboard is displayed when the filter is set to an access point. To navigate to an access point dashboard, see Navigating to the Switch, Access Point, or Controller Dashboard. The following table lists all the available menu items in the Network Operations app for the access point dashboard.

Table 21: Contents of the Access Point Dashboard

Manage > Overview | Summary
  The Summary tab displays the AP device details, network information, radio details including the topology of clients connected to each radio, and the health status of the AP in the network. See Access Point > Overview > Summary.

Manage > Overview | AI Insights
  The AI Insights tab displays information on AP performance issues such as excessive channel changes, excessive reboots, airtime utilization, and memory utilization. See Access Point > Overview > AI Insights.

Manage > Overview | Floor Plan
  The Floor Plan tab provides information regarding the current location of the Instant AP. See Access Point > Overview > Floor Plan.

Manage > Overview | Performance
  The Performance tab displays the size of data transmitted through the AP. See Access Point > Overview > Performance.

Manage > Overview | RF
  The RF tab provides details corresponding to the 2.4 GHz, 5 GHz, and 5 GHz Secondary radios of the AP. See Access Point > Overview > RF.

Manage > Device | Access Point (Configuration using UI groups; Configuration using template groups)
  Enables Access Point configuration in the Config view. See Configuring APs.
  Configuration using UI groups contains the following second-level tabs:
  - WLANs--Configure wireless network profiles on Instant APs. See Configuring Wireless Network Profiles on IAPs.
  - Access Points--Configure device parameters on Instant APs. See Configuring Device Parameters.
  - Radios--Configure ARM and RF parameters on Instant APs. See Configuring ARM and RF Parameters on IAPs.
  - Interfaces--Configure interface parameters on Instant APs. See Configuring Uplink Interfaces on IAPs.
  - Security--Configure authentication and security profiles on Instant APs. See Configuring Authentication and Security Profiles on IAPs.
  - VPN--Configure VPN host settings on an Instant AP to enable communication with a controller in a remote location. See Configuring IAPs for VPN Tunnel Creation.
  - Services--Configure AirGroup, location services, Lawful Intercept, OpenDNS, and Firewall services on Instant APs. See Configuring Services.
  - System--Configure system parameters on Instant APs. See Configuring System Parameters for an AP.
  - Configuration Audit--View configuration sync errors and overrides. See Verifying Device Configuration Status.
  Configuration using template groups contains the following second-level tabs:
  - Templates--Configure Access Points using template groups. See Configuring APs Using Templates.
  - Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. See Managing Variable Files.
  - Configuration Audit--View configuration sync errors and overrides. See Verifying Device Configuration Status.

Manage > Clients | Clients
  The Clients tab displays details of all the clients connected to a specific AP. See Access Point > Clients > Clients.

Manage > Security | VPN
  The VPN tab provides information on VPN connections associated with the Virtual Controller along with information on the tunnels and the data usage through each of the tunnels. See Access Point > Security > VPN.

Analyze > Alerts and Events | Alerts & Events
  The Alerts & Events tab displays details of the alerts and events generated for the AP. See Access Point > Alerts & Events > Alerts & Events.

Analyze > Audit Trail | Audit Trail
  The Audit Trail tab displays the logs for all the device management, configuration, and user management events triggered in Aruba Central. See Viewing Audit Trail.

Analyze > Tools | Commands
  The Commands tab allows network administrators and users with troubleshooting permission to perform troubleshooting or diagnostic tests on devices and networks managed by Aruba Central. See Advanced Device Troubleshooting.

Maintain > Firmware | Access Points
  The Access Points tab allows the user to view the firmware details for devices provisioned in Aruba Central. See Upgrading Device Firmware.

The Switch Dashboard

In the Network Operations app, the switch dashboard is displayed when the filter is set to a switch. To navigate to a switch dashboard, see Navigating to the Switch, Access Point, or Controller Dashboard. Some tabs may not be visible in your dashboard view if you are not an administrator for the Aruba Central (on-premises) account. Also, some tabs, or some fields inside tabs, are only applicable to either the AOS-Switch or the AOS-CX switch series.
Table 22: Contents of the Switch Dashboard

Left Navigation Menu | First-Level Tabs | Description
Manage > Overview | Summary | Displays details about a specific switch, including device information, network summary, and port and hardware status. It also displays uplink and usage details. Use the time range filter to change the time period for the displayed information. See Switch > Overview > Summary.
Manage > Overview | Hardware | Displays switch hardware details, including the status of power supplies and fans, CPU and memory utilization, and device temperature. See Switch > Overview > Hardware.
Manage > Overview | Routing | Displays routing information for the switch, such as the type of route, the number of static and connected routes, and the distance of the route. See Switch > Overview > Routing. NOTE: The Routing tab is displayed only for AOS-Switches.
Manage > Clients | Clients | Displays details about the wired clients that are connected to the switch. See Switch > Clients > Clients.
Manage > Clients | Neighbours | Displays details about the devices neighboring the switch. See Switch > Clients > Neighbours.
Manage > LAN | Ports | Displays details about the ports and the LAGs configured on the switch. Also displays information about AOS-CX switch stacks and stack-related errors. See Switch > LAN > Ports. For information about AOS-CX switch stack-related errors, see Monitoring AOS-CX Switch Stacks.
Manage > LAN | PoE | Displays details about the PoE status, PoE ports, and the power consumption from these ports. See Switch > LAN > PoE.
Manage > LAN | VLAN | Displays the VLAN information configured on the switch and details about tagged and untagged ports. See Switch > LAN > VLAN.
Manage > VSX | VSX | Displays the VSX configuration details between AOS-CX switches and the status of the inter-switch link (ISL). See Switch > VSX. NOTE: The VSX tab is displayed only for the AOS-CX switch series.
Manage > Device | AOS-Switch--Configuration using UI groups | Enables AOS-Switch configuration in the AOS-S Config view. See Configuring AOS-Switches in UI Groups. Configuration using UI groups contains the following second-level tabs:
- Switches--Configure and view general switch properties, such as hostname, IP address, and netmask. See Configuring or Viewing the Switch Properties.
- Stacks--Create stacks, add members, or view stacking details, such as stack type, stack ID, and topology. See Configuring AOS-Switch Stacks Using UI Groups.
- Interface:
  - Ports--Assign or view port properties, such as PoE, access policies, and trunk groups. See Configuring Switch Ports on AOS-Switches.
  - PoE--Configure or view the PoE settings for each port. See Configuring PoE Settings on AOS-Switch Ports.
  - Trunk Groups--Configure or view trunk groups and their associated properties, such as the members of the trunk group and the type of trunk group. See Configuring Trunk Groups on AOS-Switches in UI Groups.
  - VLANs--Configure or view VLAN details and the associated ports and access policies. See Configuring VLANs on AOS-Switches.
  - Spanning Tree--Configure or view the spanning tree protocol and its associated properties. See Enabling Spanning Tree Protocol on AOS-Switches in UI Groups.
  - Loop Protection--Configure or view loop protection and its associated properties. See Configuring Loop Protection on AOS-Switch Ports.
- Security:
  - Access Policies--Add or view access policies. See Configuring Access Policies on AOS-Switches.
  - DHCP Snooping--Configure or view DHCP snooping, the IP addresses of authorized DHCP servers, and their associated properties. See Configuring DHCP Snooping on AOS-Switches.
  - Port Rate Limit--View or specify the bandwidth to be used for inbound or outbound traffic on each port. See Configuring Port Rate Limit on AOS-Switches in UI Groups.
  - RADIUS--Configure RADIUS (Remote Authentication Dial-In User Service) server settings on AOS-Switches. See Configuring RADIUS Server Settings on AOS-Switches.
  - Downloadable User Role--Enable DUR and configure ClearPass settings to download user roles, policy, and class from the ClearPass Policy Manager server. See Configuring Downloadable User Role on AOS-Switches.
  - Tunneled Node Server--Configure user-based tunnels or port-based tunnels on switches. See Configuring Tunnel Node Server on AOS-Switches.
  - Authentication--Configure and enable 802.1X and MAC authentication on switches. You can also configure the authentication order and the priority of the authentication methods. See Configuring Authentication for AOS-Switches.
- System:
  - Access/DNS--Configure or view the administrator and operator logins. See Configuring System Parameters for AOS-Switches.
  - Time--Configure time synchronization on switches. See Configuring Time Synchronization on AOS-Switches.
  - SNMP--Add or view SNMP v2c and v3 communities and their trap destinations. See Configuring SNMP on AOS-Switches.
  - CDP--Configure CDP and its associated properties. See Configuring CDP on AOS-Switches.
  - DHCP--Add or view a DHCP pool and its associated properties. See Configuring DHCP on AOS-Switches.
  - IP Client Tracker--Enable AOS-Switches to learn the IP addresses of all, trusted, or only untrusted clients connected to the switch. See Configuring IP Client Tracker on AOS-Switches.
- Routing--Configure or view a specific routing path to a gateway. See Configuring Routing on AOS-Switches.
- IGMP--Configure IGMP and its associated properties. See Configuring IGMP on AOS-Switches.
- QoS--Configure QoS traffic policies on switches to classify and prioritize traffic throughout the network. See Configuring QoS Settings on AOS-Switches.
- Device Profile--Configure device profiles on switches to dynamically detect devices based on certain parameters. See Configuring Device Profile and Device Identifier on AOS-Switches.
- Configuration Audit--View configuration sync errors and overrides.
See Verifying Device Configuration Status.
Manage > Device | AOS-Switch--Configuration using templates | See Using Configuration Templates for AOS-Switch Management. Configuration of AOS-Switches using template groups contains the following second-level tabs:
- Templates--Configure switches using template groups. See Provisioning Devices Using Configuration Templates.
- Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. See Managing Variable Files.
- Configuration Audit--View configuration sync errors and overrides. See Verifying Device Configuration Status.
Manage > Device | AOS-Switch Stack--Configuration using templates | Configuration of AOS-Switch stacks using template groups contains the following second-level tabs:
- Templates--Configure switch stacks using template groups. See Configuring AOS-Switch Stacks Using Template Groups.
- Variables--Modify, download, or upload variables associated with devices that you can use in template configuration. See Managing Variable Files.
- Configuration Audit--View configuration sync errors and overrides. See Verifying Device Configuration Status.
Manage > Device | AOS-CX--Configuration using UI groups | Enables AOS-CX configuration in the AOS-CX Config view. See Configuring AOS-CX Switches in UI Groups. Configuration using UI groups allows you to configure the following features:
- System:
  - Properties--Edit system property settings such as contact, location, time zone, and administrator password. You can also select the VRF to be used and add the DNS and NTP servers. See Configuring System Properties on AOS-CX.
  - HTTP Proxy--Edit the HTTP proxy configuration details for the switch. See Configuring HTTP Proxy on AOS-CX.
  - SNMP--Add, edit, or delete SNMP v2 communities, v3 users, and trap notifications. See Configuring SNMP on AOS-CX.
  - Logging--Add, edit, or delete logging servers to view event logs from the AOS-CX switches. Configure the FQDN or IP address, the log severity level, and the VRF to be used for each of the logging servers. Also configure the global debug log severity level. See Configuring Logging Servers for AOS-CX.
  - Administrator--Add, edit, or delete server groups to be used for authentication, authorization, and accounting. You must also configure the protocol required to connect to these server groups. See Configuring AAA for AOS-CX.
  - Source Interface--Add, modify, or delete the source interface configuration for the Central and user-based tunneling interfaces of AOS-CX switches. See Configuring Source Interface for AOS-CX.
  - Stacking--Create a stack, add stack members, modify the VSF link, change the secondary conductor, delete a stack, and delete stack members. See Configuring AOS-CX VSF Stacks Using UI Groups.
- Routing:
  - Static Routing--Add, edit, or delete static routes manually and configure the destination IP addresses, next hop values, VRF, and administrative distance. You can add different static routes for different VRFs on the switch. See Configuring Static Routing on AOS-CX.
- Interfaces:
  - Ports & Link Aggregations--View and edit port settings such as description, VLAN mode, speed and duplex, routing, and the operational status of the port. Add, edit, or delete LAGs by combining different ports and configuring the speed and duplex, VLAN mode, aggregation mode, and the operational status of the LAG. See Configuring Ports and LAGs on AOS-CX.
- Security:
  - Authentication Servers--Add, edit, or view the RADIUS and TACACS servers used for authentication. Add settings such as the FQDN or IP address of the servers, the authentication port number, response timeout, retry count, and the VRF to be used when communicating with the servers. See Configuring Authentication Servers on AOS-CX.
  - Authentication--View or edit details about the 802.1X and MAC authentication methods. Configure the precedence order and other parameters such as the reauthentication timeout, cached reauthentication timeout, and quiet period. See Configuring Authentication on AOS-CX.
  - Access Control--View or add access policies and rules to permit or deny the passage of traffic. See Configuring Access Control on AOS-CX.
  - Dynamic Segmentation--Enable user-based tunneling on the switch to provide a centralized security policy based on user authentication. See Configuring User-Based Tunneling for AOS-CX.
  - Client Roles--Add or delete client roles and associate these roles with clients. See Configuring Client Roles for AOS-CX.
- Bridging:
  - VLANs--Add, edit, delete, or view VLANs and their associated parameters, such as the type of IP assignment, operational status, and IP address of the DHCP relay. See Configuring VLANs on AOS-CX.
  - Loop Prevention--Enable or disable loop protection and the spanning tree protocol, and their associated parameters such as the mode and priority. Enable or disable various MSTP mode-related settings such as BPDU filter, BPDU protection, admin edge, and root guard. See Configuring Loop Prevention on AOS-CX.
Manage > Device | AOS-CX--Configuration using MultiEdit mode | Enables AOS-CX configuration using the MultiEdit mode in the AOS-CX Config view. View and edit the configuration of AOS-CX switches using the CLI syntax. You can also apply a predefined set of configuration settings, such as NAE, to the switches. See Using MultiEdit View for AOS-CX. Configuration using the MultiEdit mode contains the following options:
- View Config--View the configuration of AOS-CX switches and find differences in the configuration across switches. See Viewing Configuration Using MultiEdit on AOS-CX.
- Edit Config--Edit the configuration of one or more AOS-CX switches in the MultiEdit mode. Edit the entire configuration in a familiar-looking CLI with syntax checking, colorization, and command completion. See Editing Configuration Using MultiEdit on AOS-CX.
- Express Config--Apply a predefined set of configuration settings, such as NAE scripts and device profiles, to a single switch or to multiple switches. See Express Configuration Using MultiEdit on AOS-CX.
Manage > Device | AOS-CX--Configuration using templates | Enables AOS-CX switch configuration in the AOS-CX view. See Using Configuration Templates for AOS-CX Switch Management. Configuration of AOS-CX switches using template groups contains the following second-level tabs:
- Templates--Configure switches using template groups. See Creating a Configuration Template.
- Configuration Audit--View configuration sync errors and overrides. See Verifying Device Configuration Status.
- Configuration Status--View the configuration status of AOS-CX switches that are managed through UI groups in Aruba Central (on-premises). See Using Configuration Status on AOS-CX.
Manage > Device | AOS-CX VSF Stack--Configuration | Enables AOS-CX switch stack configuration in the AOS-CX view. See Managing an AOS-CX VSF Stack.
Analyze > Alerts & Events | Alerts & Events | The Alerts & Events tab displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. See Alerts & Events. You can also configure and enable certain categories of switch alerts. See Switch Alerts.
Analyze > Audit Trail | Audit Trail | Displays the details of the logs generated for all device management, configuration, and user management events triggered in Aruba Central (on-premises). See Viewing Audit Trail.
Analyze > Tools | Network Check | The Network Check tab allows administrators and users with troubleshooting permission to diagnose issues related to wired network connections. See Troubleshooting Network Issues.
Analyze > Tools | Device Check | The Device Check tab allows network administrators and users with troubleshooting permission to identify, diagnose, and debug issues on AOS-Switch and AOS-CX switches using predefined tests. See Troubleshooting Device Issues.
Analyze > Tools | Commands | The Commands tab allows network administrators and users with troubleshooting permission to identify, diagnose, and debug issues on AOS-Switch and AOS-CX switches at an advanced level using commands. See Advanced Device Troubleshooting.
Analyze > Reports | Reports | The Reports tab allows you to create, manage, and view various reports. You can create recurrent reports, generate reports on demand, or schedule reports to run at a later time. See Reports.
Maintain > Firmware | Switches | The Switches tab allows the user to view the firmware details of the devices provisioned in Aruba Central (on-premises) and to upgrade them. See Upgrading Device Firmware.

The Controller Dashboard

In the Network Operations app, the controller dashboard is displayed when the filter is set to a controller. To navigate to a controller dashboard, see Navigating to the Switch, Access Point, or Controller Dashboard. The following table lists all the available menu items in the Network Operations app for the controller dashboard.

Table 23: Contents of the Controller Dashboard

Left Navigation Menu | First-Level Tabs | Description
Manage > Overview | Summary | The Summary tab displays the controller device details, client count, usage, top APs, top clients, and health status. See Controller > Overview > Summary.
Manage > Overview | Routing | Displays a summary of the IP routes configured on the controller. See Controller > Overview > Routing.
Manage > LAN | Summary | Displays information about the LAN ports and LAN status. See Controller > LAN > Summary.
Manage > Clients | Clients | Displays a list of the clients connected to a controller. See All Clients.
Analyze > Alerts and Events | Alerts & Events | The Alerts & Events tab displays details of the alerts and events generated for the controllers. See Controller Alerts.
Analyze > Audit Trail | Audit Trail | Displays the total number of logs generated for all device management, configuration, and user management events triggered in Aruba Central (on-premises). See Viewing Audit Trail.
Analyze > Tools | Network Check | Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central (on-premises). See Troubleshooting Network Issues.
Analyze > Tools | Commands | The Commands tab allows network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. See Using Troubleshooting Tools.
Analyze > Reports | Reports | Enables network administrators to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.
Maintain > Firmware | List | Provides an overview of the latest supported firmware version for the device, details of the device, and the option to upgrade the device. For more information, see Upgrading Device Firmware.
Maintain > Firmware | Config | Provides the upgrade status and compliance status of the APs that are connected to the selected controller. For more information, see Upgrading Device Firmware.

The Group Dashboard

In the Network Operations app, the group dashboard is displayed when the filter is set to a UI or template group. A template group is marked by a superscript TG tag. The following table lists all the available menu items in the Network Operations app for the group dashboard.

Some tabs may not be seen in your dashboard view if you are not an administrator for the Aruba Central account.

Table 24: Contents of the Group Dashboard

Left Navigation Menu | First-Level Tabs | Description
Manage > Overview | Summary | Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range filter.
For more information, see Global--Summary.
Manage > Devices | Access Points | Displays the access point information in the following views:
- Summary view: Monitoring APs in Summary View
- List view: Monitoring APs in List View
- Config view: Provisioning APs
Manage > Devices | Switches | Displays the switch information in the following views:
- Summary view: Monitoring Switches in Summary View
- List view: Monitoring Switches in List View
- Config view: Getting Started with AOS-Switch Deployments
Manage > Devices | Controllers | Displays the controller information in the following view:
- Summary view: Controller > Overview > Summary
Manage > Clients | Clients | Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.
Manage > Visibility | Applications | Provides a summary of client traffic and its data usage to and from applications and websites. Also analyzes the client traffic flow using the graphs displayed. For more information, see Application Visibility.
Manage > Security | RAPIDS | Helps to identify and act on interfering devices that can later be considered for investigation, restrictive action, or both. For more information, see RAPIDS.
Analyze > Alerts and Events | Alerts & Events | Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.
Analyze > Audit Trail | Audit Trail | Shows the total number of logs generated for all device management, configuration, and user management events triggered in Aruba Central. For more information, see Viewing Audit Trail.
Analyze > Tools | Network Check, Commands | Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.
Analyze > Reports | Reports | Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.
Maintain > Firmware | Access Points, Switches, Controllers | Provides an overview of the latest supported firmware version for the device, details of the device, and the option to upgrade the device. For more information, see Upgrading Device Firmware.

The Client Dashboard

In the Network Operations app, the client dashboard is displayed when the filter is set to one of the options under Groups, Labels, Sites, or Global. The following table lists all the available menu items in the Network Operations app for the client dashboard.

Table 25: Contents of the Clients Dashboard

Left Navigation Menu | First-Level Tabs | Description
Manage > Overview | Summary | Displays the client details about the type of data path that the client uses, the network and connectivity details, and basic client details such as the IP address of the client, the type of encryption, and so on. See Client Details.
Manage > Overview | Location | Displays the current physical location of the client device on the floor map. See Client Details.
Manage > Overview | Sessions | Displays the firewall session details for the client connected to an AP or a Branch Gateway. The Sessions page displays information filtered by the IP address of the client. See Client Details.
Manage > Applications | | Displays the client details for passive monitoring of the client connected to a wireless network. The Visibility dashboard provides a summary of client traffic and its data usage to and from applications and websites. See Application Visibility.
Analyze > Events | | Displays the details of the events generated by the AP and client association.
See Alerts & Events.

The Site Dashboard

In the Network Operations app, the site dashboard is displayed when the filter is set to any of the options under Sites. The site dashboard displays information related to all devices configured for that site in Aruba Central.

Table 26: Contents of the Site Dashboard

Left Navigation Menu | First-Level Tabs | Description
Manage > Overview | Site Health | Displays details of the wired and wireless devices deployed on the site. This page includes information on client connectivity statistics, change logs, health of devices, and RF health of the site. For more information, see Managing Sites.
Manage > Overview | Summary | Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range filter. For more information, see Global--Summary.
Manage > Overview | WAN Health | Displays details for the wired, wireless, and controller devices deployed on the site. For more information, see WAN Health--Site.
Manage > Overview | Topology | Provides a graphical representation of the site, including the network layout, details of the devices deployed, and the health of the WAN uplinks and tunnels. For more information, see Topology Tab.
Manage > Overview | Floor Plans | Provides information regarding the current location of the AP. For more information, see Access Point > Overview > Floor Plan.
Manage > Devices | Access Points | Displays the access point information in the following views:
- Summary view: Monitoring APs in Summary View
- List view: Monitoring APs in List View
Manage > Devices | Switches | Displays the switch information in the following views:
- Summary view: Monitoring Switches in Summary View
- List view: Monitoring Switches in List View
Manage > Devices | Controllers | Displays the controller information in the following view:
- Summary view: Controller > Overview > Summary
Manage > Clients | Clients | Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.
Manage > Visibility | Applications | Provides a summary of client traffic and its data usage to and from applications and websites. Also analyzes the client traffic flow using the graphs displayed. For more information, see Application Visibility.
Manage > Security | RAPIDS | Identify and act on interfering devices that can later be considered for investigation, restrictive action, or both. Once the interfering devices are discovered, Aruba Central sends alerts to the network administrators about the possible threat and provides the essential information needed to locate and manage the threat. For more information, see RAPIDS.
Analyze > Alerts and Events | Alerts & Events | Displays all types of alerts and events generated for events pertaining to device provisioning, configuration, and user management. For more information, see Alerts & Events.
Analyze > Tools | Network Check, Commands | Enables network administrators and users with troubleshooting permission to perform troubleshooting or diagnostics tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.
Analyze > Reports | Reports | Enables you to create various types of reports. You can create recurrent reports or configure the reports to run on demand. For more information, see Reports.
The Label Dashboard

In the Network Operations app, the label dashboard is displayed when the filter is set to any of the options under Labels. The label dashboard displays information related to all devices configured for that label in Aruba Central.

Table 27: Contents of the Label Dashboard

Left Navigation Menu | First-Level Tabs | Description
Manage > Devices | All Devices | Displays details such as the bandwidth usage, client count, top APs by usage, top 5 clients, top AP clusters by usage, top AP clusters by clients, and WLAN network details. By default, the graphs are plotted for a time range of 3 hours. To view the graphs for a different time range, click the Time Range filter. For more information, see Global--Summary.
Manage > Devices | Access Points | Displays the access point information in the following views:
- Summary view: Monitoring APs in Summary View
- List view: Monitoring APs in List View
Manage > Devices | Switches | Displays the switch information in the following views:
- Summary view: Monitoring Switches in Summary View
- List view: Monitoring Switches in List View
Manage > Devices | Controllers | Displays the controller information in the following view:
- Summary view: Controller > Overview > Summary
Manage > Clients | Clients | Displays information about all the clients connected to the devices configured for the group. For more information, see All Clients.
Manage > Applications | UCC | Displays a variety of charts and lists that allow you to assess the quality of calls in the network. For more information, see Unified Communications.
Manage > Security | RAPIDS | Identify and act on interfering devices that can later be considered for investigation, restrictive action, or both. Once the interfering devices are discovered, Aruba Central sends alerts to the network administrators about the possible threat and provides the essential information needed to locate and manage the threat. For more information, see RAPIDS.
Analyze > Alerts & Events
- Alerts & Events: Displays all types of alerts and events generated for device provisioning, configuration, and user management. For more information, see Alerts & Events.

Analyze > Tools
- Network Check, Device Check, Commands: Enable network administrators and users with troubleshooting permission to perform troubleshooting or diagnostic tests on devices and networks managed by Aruba Central. For more information, see Using Troubleshooting Tools.

Analyze > Reports
- Reports: Enables you to create various types of reports. You can create recurrent reports or configure reports to run on demand. For more information, see Reports.

The Health Bar

The Health Bar provides a snapshot of the overall health of the devices configured as part of a specific dashboard. The applicable dashboards are the global, group, site, client, and device dashboards. This topic discusses the following:
- Health Bar Dashboard for Global
- Health Bar Dashboard for Group
- Health Bar Dashboard for Site
- Health Bar Dashboard for Access Point
- Health Bar Dashboard for Switch
- Health Bar Dashboard for Controller
- Health Bar Dashboard for Wireless Client
- Health Bar Dashboard for Wired Client

Viewing the Health Bar Dashboard

To view the Health Bar, perform the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices in the filter, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device in the filter:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points, Switches, or Gateways. A list of devices is displayed in the List view.
     c. Click a device listed under Device Name. The dashboard context for the device is displayed.
   - To select a client:
     a. Set the filter to Global.
     b. Under Manage, click Clients. A list of clients is displayed in the List view.
     c. Click a client listed under Client Name. The dashboard context for the client is displayed.
   The Health Bar icon displays the overall health of the network for the selected filter as either online or offline.
2. In the selected filter, click the Health Bar icon to expand the Health Bar dashboard.
3. Use the pin icon to pin the Health Bar dashboard to the Network Operations app display.

Health Bar Dashboard for Global

The following image shows the health bar for the global dashboard.

Figure 13: Expanded but Unpinned Health Bar in the Global Dashboard

Health Bar Icons
- Site, Device, and Client dashboards: one icon indicates that there are no issues in the connection; another indicates that there is an issue in the connection.
- Global and Group dashboards: a separate icon indicates that health is not calculated at these levels.

Device and Client Status Icons
- Online/connected icon: for devices, indicates the number of devices that are online; for clients, indicates the number of clients that are connected.
- Offline/failed icon: for devices, indicates the number of devices that are offline; for clients, indicates the number of failed clients; for AI Insights, indicates the number of insights that are of high priority.
- For AI Insights, a second icon indicates the number of insights that are of medium priority, and a third icon the number of insights that are of low priority.

The following table includes information on the various parameters of the Health Bar displayed for a global dashboard. The health bar in a global dashboard is in the context of all devices.

Access Points
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Controllers
- Displays the number of controllers that are online and the number of controllers that are offline.
- The number in green indicates the number of controllers that are online.
- Clicking the number in green redirects you to Manage > Devices > Controllers > Online in List view.
- The number in red indicates the number of controllers that are offline.
- Clicking the number in red redirects you to Manage > Devices > Controllers > Offline in List view.

Clients
- Displays the number of clients that are connected and the number of clients that have failed.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that have failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

Health Bar Dashboard for Group

The following table includes information on the various parameters of the Health Bar displayed for a group dashboard. The health bar in a group dashboard is in the context of all devices configured as part of that group.
Access Points
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Controllers
- Displays the number of controllers that are online and the number of controllers that are offline.
- The number in green indicates the number of controllers that are online.
- Clicking the number in green redirects you to Manage > Devices > Controllers > Online in List view.
- The number in red indicates the number of controllers that are offline.
- Clicking the number in red redirects you to Manage > Devices > Controllers > Offline in List view.

Clients
- Displays the number of clients that are connected and the number of clients that have failed.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that have failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

Health Bar Dashboard for Site

The following table includes information on the various parameters of the Health Bar displayed for a site dashboard.
The Health Bar in a site dashboard is in the context of all devices configured as part of that site. The values are refreshed every minute. When there is an issue in the connection, a short description is displayed under the Potential Issues label. If several issue criteria apply, only the criterion with the highest priority is displayed; the <+x> next to the description indicates that there are more issues, and you can hover over the value to view their descriptions. For more information, see Site Health Dashboard.

Access Points
- Displays the number of access points that are online and the number of access points that are offline.
- The number in green indicates the number of access points that are online.
- Clicking the number in green redirects you to Manage > Devices > Access Points > Online in List view.
- The number in red indicates the number of access points that are offline.
- Clicking the number in red redirects you to Manage > Devices > Access Points > Offline in List view.

Switches
- Displays the number of switches that are online and the number of switches that are offline.
- The number in green indicates the number of switches that are online.
- Clicking the number in green redirects you to Manage > Devices > Switches > Online in List view.
- The number in red indicates the number of switches that are offline.
- Clicking the number in red redirects you to Manage > Devices > Switches > Offline in List view.

Controllers
- Displays the number of controllers that are online and the number of controllers that are offline.
- The number in green indicates the number of controllers that are online.
- Clicking the number in green redirects you to Manage > Devices > Controllers > Online in List view.
- The number in red indicates the number of controllers that are offline.
- Clicking the number in red redirects you to Manage > Devices > Controllers > Offline in List view.
Clients
- Displays the number of clients that are connected and the number of clients that have failed.
- The number in green indicates the number of clients that are connected.
- The number in red indicates the number of clients that have failed.
- Clicking the numbers redirects you to Manage > Clients > Clients in List view.

AI Insights
- Displays the number of insights categorized by status.
- The number in red indicates the insights that are of high priority.
- The number in orange indicates the insights that are of medium priority.
- The number in yellow indicates the insights that are of low priority.
- Clicking the numbers redirects you to Manage > Overview > AI Insights in the site context.

Health Bar Dashboard for Access Point

The following table includes information on the various parameters of the Health Bar displayed for an AP. If the AP is not online and running, not all of the following data is available.

AP Status
- The value can be Online Since, Offline, or Operating under Thermal Management.
- If the value is Online Since, it also displays the time period, in the format days-hours-minutes, for which the AP has been online and running.
- When an AP operates under thermal management, the device health is displayed as Poor and the radios are disabled. For more information, see Thermal Shutdown Support in IAP.

Device Health
- Displays the performance of the AP in terms of CPU and memory usage.
- For example, the device health is Good when the CPU usage is less than or equal to 70% and the memory usage is less than or equal to 90%. If the CPU usage or the memory usage exceeds its threshold, the device health is displayed as Poor. If the AP is down, the value is Offline. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Device Health status to see the exact percentage values of memory and CPU usage.
Radio 2.4 GHz
- Displays the performance of the AP in terms of channel utilization and noise floor on the 2.4 GHz channel.
- For example, the radio health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the channel utilization or the noise floor exceeds its threshold, the health is displayed as Poor. If the AP is online but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 2.4 GHz status to see the exact values of channel utilization and noise floor.

Radio 5 GHz
- Displays the performance of the AP in terms of channel utilization and noise floor on the 5 GHz channel.
- For example, the radio health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the channel utilization or the noise floor exceeds its threshold, the health is displayed as Poor. If the AP is online but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 5 GHz status to see the exact values of channel utilization and noise floor.

Radio 5 GHz (Secondary)
- Displays the performance of the AP in terms of channel utilization and noise floor on the 5 GHz (Secondary) channel.
- For example, the radio health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the channel utilization or the noise floor exceeds its threshold, the health is displayed as Poor. If the AP is online but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 5 GHz (Secondary) status to see the exact values of channel utilization and noise floor.

NOTE: In the Health Bar dashboard, the Radio 5 GHz (Secondary) data is available only for AP555 access points and only if the tri-radio mode is enabled. For more information, see About TriRadio Mode.

Radio 6 GHz
- Displays the performance of the AP in terms of channel utilization and noise floor on the 6 GHz channel.
- For example, the radio health is Good when the channel utilization is less than or equal to 70% and the noise floor is less than or equal to -80 dBm. If the channel utilization or the noise floor exceeds its threshold, the health is displayed as Poor. If the AP is online but the radio is down, the value displayed is Disabled. If the scenario is not applicable, a "-" sign is displayed.
- Hover over the Radio 6 GHz status to see the exact values of channel utilization and noise floor.

NOTE: The Radio 6 GHz data is available only for devices with 6 GHz capability.

Virtual Controller
- Indicates whether the AP is connected to a virtual controller. If it is, clicking the virtual controller name redirects you to the Manage > Overview > Summary page for that virtual controller.

Health Bar Dashboard for Switch

The following table includes information on the various parameters of the Health Bar displayed for a switch. If the switch is not online and running, not all of the following data is available.

Switch Status
- Displays the time period for which the switch has been online and running, or its offline status.

Device Health
- Displays the performance of the switch in terms of CPU and memory usage.
- For example, the device health is Good when the CPU usage is less than or equal to 70% and the memory usage is less than or equal to 70%. If the CPU usage or the memory usage exceeds its threshold, the device health is displayed as Poor.
- Hover over the Device Health status to see the exact percentage values of memory and CPU usage.

Port Status
- Displays the number of ports on the switch that are online and the number of ports that are offline.
- The number in green indicates the number of switch ports that are online.
- The number in red indicates the number of switch ports that are offline.

Port Alerts
- Displays the total number of open alerts.

Health Bar Dashboard for Controller

The following table includes information on the various parameters of the Health Bar displayed for a controller. If the controller is not online and running, not all of the following data is available.

Controller Status
- Displays the time period, in the format days-hours-minutes, for which the controller has been running, or its offline status.

LAN
- Displays the number of LAN ports that are online or offline.
- The number in green indicates the number of LAN ports that are online.
- The number in red indicates the number of LAN ports that are offline.
- Clicking the numbers redirects you to Manage > LAN > Summary.

Alerts
- Displays the total number of open alerts.
- Clicking the number redirects you to Analyze > Alerts & Events in List view.

Health Bar Dashboard for Wireless Client

The following table includes information on the various parameters of the Health Bar displayed for a wireless client.

Client Status
- Displays the connection status of the client.

Device Health
- Displays the device health of the client.

Signal Quality
- Displays the signal quality in dB.

Tx | Rx Rate
- Displays the transmit and receive rate in Mbps.

Connected To
- Displays the device to which the client is connected.
- Clicking the device redirects you to the Manage > Overview > Summary page for that device.

Refresh icon
- Refreshes the data on the Health Bar for the client.
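The Good/Poor rules stated in the AP and switch tables above, expressed as code so the edge cases (offline AP, disabled radio, value not applicable, thermal management) can be checked. This is an added example written for the reader of this guide, not Aruba Central code: the thresholds (CPU 70% and memory 90% for an AP, memory 70% for a switch; channel utilization 70% and noise floor -80 dBm for a radio) are taken from the tables, while the function names, the shape of the reading dictionary, the use of None for a value that is not applicable, and the sample reading are assumptions of the example.

```python
"""Health Bar status rules for APs and switches (added example).

Not Aruba Central code; it reproduces the thresholds stated in the Health Bar
tables of this guide. Function names, the None-means-not-applicable convention
and the sample reading are this example's own assumptions.
"""
from typing import Dict, Optional

GOOD, POOR, OFFLINE, DISABLED, NOT_APPLICABLE = "Good", "Poor", "Offline", "Disabled", "-"


def device_health(online: bool, cpu_pct: Optional[float], mem_pct: Optional[float],
                  cpu_max: float = 70.0, mem_max: float = 90.0) -> str:
    """Device Health row. Defaults are the AP thresholds (CPU <= 70%, memory <= 90%);
    a switch uses mem_max=70.0, as its table states."""
    if not online:
        return OFFLINE            # "If the AP is down, the value is Offline"
    if cpu_pct is None or mem_pct is None:
        return NOT_APPLICABLE     # scenario not applicable: the guide shows "-"
    return GOOD if cpu_pct <= cpu_max and mem_pct <= mem_max else POOR


def radio_health(ap_online: bool, radio_up: bool, util_pct: Optional[float],
                 noise_dbm: Optional[float], util_max: float = 70.0,
                 noise_max_dbm: float = -80.0) -> str:
    """Radio 2.4 / 5 / 5 (Secondary) / 6 GHz rows: Good when channel utilization
    <= 70% and noise floor <= -80 dBm (a noisier floor such as -75 dBm is Poor)."""
    if not ap_online:
        return NOT_APPLICABLE     # assumption: no radio data is shown for a down AP
    if not radio_up:
        return DISABLED           # "AP is online, but the radio is down"
    if util_pct is None or noise_dbm is None:
        return NOT_APPLICABLE
    return GOOD if util_pct <= util_max and noise_dbm <= noise_max_dbm else POOR


def ap_health_bar(reading: Dict) -> Dict[str, str]:
    """Build the Health Bar rows for one AP from a reading dict (constructed shape):
    {"online": bool, "thermal_management": bool, "cpu": %, "mem": %,
     "radios": {"2.4 GHz": {"up": bool, "util": %, "noise": dBm}, ...}}.
    Thermal management forces Device Health to Poor and every radio to Disabled,
    as the AP Status row describes."""
    online = reading["online"]
    thermal = online and reading.get("thermal_management", False)
    if not online:
        status = "Offline"
    elif thermal:
        status = "Operating under Thermal Management"
    else:
        status = "Online Since"
    rows = {"AP Status": status}
    health = device_health(online, reading.get("cpu"), reading.get("mem"))
    rows["Device Health"] = POOR if thermal else health
    for band, r in reading.get("radios", {}).items():
        if thermal:
            rows[f"Radio {band}"] = DISABLED
        else:
            rows[f"Radio {band}"] = radio_health(online, r["up"], r.get("util"), r.get("noise"))
    return rows


# Constructed sample reading, not taken from a live system.
SAMPLE_AP = {
    "online": True, "thermal_management": False, "cpu": 42.0, "mem": 61.5,
    "radios": {
        "2.4 GHz": {"up": True, "util": 35.0, "noise": -92.0},   # Good
        "5 GHz": {"up": True, "util": 78.0, "noise": -90.0},     # Poor: utilization > 70%
        "6 GHz": {"up": False, "util": None, "noise": None},     # Disabled
    },
}

if __name__ == "__main__":
    for row, value in ap_health_bar(SAMPLE_AP).items():
        print(f"{row:16s} {value}")
```

Run stand-alone, the block prints the five rows the Health Bar would show for the sample AP. Passing mem_max=70.0 to device_health gives the switch rule from the switch table.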
Health Bar Dashboard for Wired Client

The following table includes information on the various parameters of the Health Bar displayed for a wired client.

Client Status
- Displays the connection status of the client.

Connected Port
- Displays the port to which the client is connected.

Connected To
- Displays the device to which the wired client is connected.
- Clicking the device redirects you to the Manage > Overview > Summary page for that device.

Refresh icon
- Refreshes the data on the Health Bar for the client.

Chapter 6
Account Home Page

Aruba Central includes a unified network operations and assurance platform and an intelligent, machine-learning-based solution for device discovery, profiling, and visibility. Each of these solutions works individually and collectively to support Aruba APs, switches, and controllers. From the Account Home page, you can manage network inventory, APIs, user access, and so on. Under Global Settings, you have the following tiles:

- Users and Roles--Aruba Central users can be broadly categorized as system and external users. A role is a logical entity used to determine user access to devices and application services in Aruba Central. Users are always tagged to roles, which govern the level of user access to the Aruba Central applications and services. For more information on users and roles, see Managing Users and Roles.
- Key Management--The Key Management menu option in the Account Home page allows you to view and track subscription keys.
- Device Inventory--In Aruba Central, you can add devices in either online or offline mode.
- License Assignment--Aruba offers two tiers of device licenses as part of the multi-tier licensing model. The two tiers are Foundation and Advanced licenses.
- Audit Trail--This page shows the total number of logs generated for all device management, configuration, and user management events triggered in Aruba Central. For more information, see Viewing Audit Trail.
- Authentication--The Single Sign-On (SSO) solution simplifies user management by allowing users to access multiple applications and services with a single set of login credentials. If the application services are offered by different vendors, IT administrators can use the SAML authentication and authorization framework to provide a seamless login experience for their users. For more information, see SAML SSO.
- API Gateway--Aruba Central supports a robust set of REST APIs that enable users to build custom applications and integrate the APIs with their applications. The Aruba Central API framework uses the OAuth protocol to authenticate and authorize third-party applications, allowing them to obtain secure and limited access to an Aruba Central service. For more information on APIs, refer to the API Reference Guide.
- Webhooks--Contains the Streaming API and Webhooks tabs. Streaming APIs allow customers to subscribe to a select set of services instead of polling the NB API for an aggregated state or statistics of events. With the streaming API, customers can write value-added applications based on the aggregated context. For more information on streaming APIs, refer to the API Reference Guide. On the Webhooks tab, an application can provide real-time information or notifications to other applications using the Webhook service. You can access the Webhook service through the Account Home page or the API Gateway. Using the Webhook service, you can list, add, or delete webhooks; get a webhook token; refresh a webhook token; update webhook settings; configure webhook settings for a specific item; and test webhook notification. For more information on webhooks, refer to the API Reference Guide.
- System Management--This page shows the overall status and performance of the Aruba Central system. For more information, see System Management.

Chapter 7
Command Line Interface

The command-line interface (CLI) allows you to install, set up, manage, and troubleshoot Aruba Central (on-premises) deployments. The CLI is accessed through a console or through a Secure Shell (SSH) session from a remote management console or workstation.

Accessing the Aruba Central CLI

The following procedure describes how to access the CLI over SSH and start executing commands:

1. From a secure shell (SSH) client, open an SSH connection.
2. Log in as an administrator.
3. When prompted, enter the administrator password. A list of commands is displayed. For example:

    login as: copadmin
    [email protected] password:
    Last login: Wed Aug 7 05:43:22 2019 from 10.20.15.180

Syntax

    Enter option [0 - <option number> ] : <enter option>

For example:

    1. System
    2. File Operations
    3. Show
    ...
    0. exit
    ...
    Enter option [ 0 - 9 ]:

Common Command Options

The following options are common to all menus:
- 0 Exit--Exits the SSH connection.
- b Back--Returns to the previous menu.
- m Main menu--Returns to the main menu.

Password Recovery

The password recovery system helps create a new password for the copadmin user. If you have forgotten the password, log in to the console as the coprecovery user; the following options are displayed to generate the recovery key:
- Generate Recovery Key--The recovery key is generated and stored in an encrypted .asc file. You can either copy it or use the SCP command to copy the file. Once the key is copied to the local server, contact customer support to decrypt the recovery key and obtain a new password.
- SCP Recovery Key--The recovery key is generated and an SCP command is used to copy the file to a local server. Once the key is copied to the local server, contact customer support to decrypt the recovery key and obtain a new password.
- Activate Recovery Secret--The secret key is provided and verified by customer support. A reset option is then used to reset the password on all nodes.
- Retrieve "core" Password--Aruba does not recommend using core user access. Customer support decodes the secret file provided by the user to grant access to the core user.

Main Menu Options

When you log in to the Aruba Central (on-premises) SSH session, the main set of commands is displayed. Using the main menu command options, you can perform the actions described in the table below.

    1. System
    2. File Operations
    3. Show
    4. System Configuration
    5. Advanced
    6. Security
    7. Support
    8. Temporary Root Shell
    9. Search Commands
    ====================================
    0. exit
    Enter option [ 0 - 9 ]:

List of CLI Commands

The following table lists all the commands supported in an Aruba Central (on-premises) deployment (option number, command, description):

    1    System -- Reboots or resets the system.
    1-1  Reboot -- Reboots the system.
    1-2  Shutdown -- Shuts down the system.
    1-3  Factory Reset -- Resets the system to factory settings.
    2    File Operations -- Uploads a file to the host.
    2-1  Upload via (SCP) -- Uploads a file to the host over SCP.
    2-2  Upload via (SFTP) -- Uploads a file to the host over SFTP.
    2-3  Upload via (HTTP/HTTPS) -- Uploads a file to the host over HTTP or HTTPS.
    2-4  Download File from COP -- Downloads a file that is saved on the host.
    2-5  Delete File -- Deletes the files that were uploaded by the upload file command.
    3    Show -- Show commands are used to view or display the settings or parameters configured.
    3-1  Version (Detail) -- Displays the detailed version of the Aruba Central (on-premises) deployment.
    3-2  List Files -- Displays the total number of files in the pod.
    3-3  Backup Restore Status -- Displays the backup and restore status of the pod.
    3-4  Configuration -- Displays the updated network settings, cluster details, and NTP/Timezone information.
    3-5  System -- Displays system information such as memory usage, activation information, and uptime.
    3-6  User Sessions -- Displays the list of user sessions.
    3-7  Show Clock -- Displays the date, week, month, and time details.
    3-8  App Status -- Displays the pod status of any Aruba Central (on-premises) application.
    3-9  Cluster Status -- Displays the cluster details for Aruba Central (on-premises).
    4    System Configuration -- System configuration commands are used to configure system parameters such as network setup, cluster setup, and timezone setup, and also to upgrade the setup or perform a complete factory reset.
    4-1  Upgrade -- Upgrades the system for either an online customer or an offline customer.
    4-2  Network Setup -- Sets up a network permanently or temporarily.
    4-3  Proxy Setup -- Sets up the proxy configuration for Aruba Central (on-premises).
    4-4  Setup Timezone -- Sets up a timezone.
    4-5  Setup NTP -- Sets up an NTP server.
    4-6  Node Setup -- Sets up a node.
    5    Advanced -- Advanced commands are used to ping or check connectivity.
    5-1  Test Connectivity -- Tests the connectivity to any URL.
    5-2  Nslookup -- Performs a DNS lookup for any host name.
    5-3  Toggle CDN -- Used to enable CDN, disable CDN, or show the CDN status.
    6    Security -- Security commands are used to reset or update passwords.
    6-1  Reset Password GUI -- Resets the GUI password.
    6-2  Reset Password CLI -- Resets the CLI password.
    6-3  Reset debug apps password -- Resets the debug applications password.
    7    Support -- Support commands are used to collect information that is useful to TAC.
    7-1  Support Connection -- Starts or stops the support connection for remote TAC access.
    7-2  Collect All Logs -- Collects the Aruba Central (on-premises) diagnostic tar for debugging.
    7-3  Log Snapshot Operations -- Generates and downloads snapshots. It also deletes snapshots and downloads upgrade reports.
    7-4  Download COP Setup Logs -- Downloads the COP setup logs.
    7-5  Restart Applications -- Restarts the applications.
    7-6  System Operations Lock Management -- Restarts a particular application.
    8    Temporary Root Shell -- Creates a temporary user and allows access to SSH for 2 days at a time.
    9    Search -- Displays a list of available command options.

System Commands

Enter command option 1 from the main menu to reboot, shut down, or reset the system to factory settings.

    Enter option [ 0 - 9 ]: 1
    1. Reboot
    2. Shutdown
    3. Factory Reset
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 3 ]:

Reboot

Enter command option 1 from the System menu to reboot the system.

    Enter option [ 0 - 3 ]: 1
    Are you sure you want to reboot the node (Y/N):

Shutdown

Enter command option 2 from the System menu to shut down the system.

    Enter option [ 0 - 3 ]: 2
    Executing shutdown...
    Shutdown scheduled. Node will shutdown after 1 minute.
    Press [Enter] key to continue...

Factory Reset

Enter command option 3 from the System menu to reset the system to its factory settings. Currently, this is a complete data reset.

    Enter option [ 0 - 3 ]: 3
    Error: Please run the reset command from physical or remote console (ILO)
    Press [Enter] key to continue...

File Operations Commands

Enter command option 2 from the main menu to upload a file to the host.

    Enter option [ 0 - 9 ]: 2
    1. Upload via (SCP)
    2. Upload via (SFTP)
    3. Upload via (HTTP/HTTPS)
    4. Download File from COP
    5. Delete file
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 5 ]:

The Upload via (HTTP/HTTPS) option is not available for a FIPS-enabled Aruba Central (on-premises) setup.
Upload via (SCP)

Enter command option 1 from the File Operations menu to upload a file to the host over SCP.

    Enter option [ 0 - 4 ]: 1
    This will scp a file from the remote server to COP server
    Enter remote hostname and path (username@hostname:<filepath>): [email protected]:/home/auto/packages.txt
    Copying [email protected]:/home/auto/packages.txt to COP server
    FIPS mode initialized
    [email protected]'s password:
    packages.txt                                  100% 3555     4.4MB/s   00:00
    Press [Enter] key to continue...

Upload via (SFTP)

Enter command option 2 from the File Operations menu to upload a file to the host over SFTP.

    Enter option [ 0 - 4 ]: 2
    This will scp a file from the remote server to COP server
    Enter remote hostname and path (username@hostname:<filepath>): [email protected]:/home/auto/inst_packages.txt
    Copying [email protected]:/home/auto/inst_packages.txt to COP server
    FIPS mode initialized
    [email protected]'s password:
    Connected to 10.22.158.92.
    Fetching /home/auto/inst_packages.txt to /var/airwave/appliance/localdisk/inst_packages.txt
    /home/auto/inst_packages.txt                  100% 1583   127.9KB/s   00:00
    Press [Enter] key to continue...

Upload via (HTTP/HTTPS)

Enter command option 3 from the File Operations menu to upload a file to the host over HTTP or HTTPS.

    Enter option [ 0 - 5 ]: 3
    This will copy a file from the url to COP server
    Enter full url path for file : http://10.22.154.165/a.html
    a.html    100% [=============================================================================>] 391.90M  106MB/s   in 3.7s
    Upload file successful.
    Press [Enter] key to continue...

Download File from COP

Enter command option 3 from the File Operations menu to download a file that is saved on the host.

    Enter option [ 0 - 4 ]: 3
    ! Files present under the directory !
    cop_setup_logs
    inst_packages.txt
    packages.txt
    sftp.txt
    Enter the file name to copy from COP server to the remote server: packages.txt
    This will scp packages.txt from localdisk to the remote server
    Enter remote hostname and path (username@hostname:<filepath>): [email protected]:/home/auto
    Copying localdisk files to [email protected]:/home/auto
    FIPS mode initialized
    The authenticity of host '10.22.158.92 (10.22.158.92)' can't be established.
    RSA key fingerprint is SHA256:e9KqvWRV5YQhrPLoJQMiKFKKWVx7ZWz2T34oF31WvpU.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.22.158.92' (RSA) to the list of known hosts.
    [email protected]'s password:
    packages.txt                                  100% 3555     2.9MB/s   00:00
    Press [Enter] key to continue...

When the remote server's host key is not yet known, the CLI displays its fingerprint and asks for confirmation, as shown above. Compare the fingerprint with the one recorded for that server before answering yes; once accepted, the key is stored permanently in the known hosts list.

Delete File

Enter command option 4 from the File Operations menu to delete the files that were uploaded by the upload file command.

    Enter option [ 0 - 4 ]: 4
    ! Files present under the directory !
    cop_setup_logs
    inst_packages.txt
    packages.txt
    sftp.txt
    Enter file/directory to delete: packages.txt
    Deleting file /var/airwave/appliance/localdisk/packages.txt
    Are you sure you want to delete this file(Y/N): Y
    File /var/airwave/appliance/localdisk/packages.txt deleted
    Press [Enter] key to continue...

Show Commands

Show commands are used to view or display various elements of the Aruba Central (on-premises) deployment, such as the configuration currently applied, user sessions, status, and so on. Enter command option 3 from the main menu to view all the supported show commands.

    Enter option [ 0 - 9 ]: 3
    1. Version (Detail)
    2. List Files
    3. Backup-Restore Status
    4. Configuration
    5. System
    6. User Sessions
    7. Clock
    8. App Status
    9. Cluster Status
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 9 ]:

The following sections describe the commands that can be executed under the Show commands category.
Version (Detail)

Enter command option 1 from the Show commands menu to display the detailed version information.

    Enter option [ 0 - 9 ]: 1
    COP Version: 2.5.5.0
    Build: 10.0.0-GA01.139
    ISO Installed: Ok
    COP Software Installed: Ok
    Setup Cluster: Ok
    Pulling ILO details. Please wait.
    HPE Smart Array P408i-a SR Gen10: "4.11"
    iLO 5: "2.18 Jun 22 2020"
    System ROM: "U32 v2.34 (04/08/2020)"
    Press [Enter] key to continue...

List Files

Enter command option 2 from the Show commands menu to display the total number of files.

    Enter option [ 0 - 9 ]: 2
    total 4
    drwxr-xr-x 2 root root 4096 Jan 3 16:29 cop_setup_logs
    Press [Enter] key to continue...

Backup-Restore Status

Enter command option 3 from the Show commands menu to display the backup and restore status.

    Enter option [ 0 - 9 ]: 3
    ############################ backup/restore status ############################
    {
      "details": [
        {"message": "Postgres backup success", "status": "success"},
        {"message": "Cassandra backup success", "status": "success"},
        {"message": "Elasticsearch backup success", "status": "success"},
        {"message": "Minio backup success", "status": "success"},
        {"message": "Tar creation success", "status": "success"},
        {"message": "Transferring the backup to repository success", "status": "success"}
      ],
      "endedOn": "Wed, 26 Jun 2019 12:52:29 GMT",
      "operation": "Backup",
      "startedOn": "Wed, 26 Jun 2019 11:59:43 GMT",
      "status": "Completed"
    }

Configuration

Enter command option 4 from the Show commands menu to display the updated network settings, AirWave cluster details, and NTP/Timezone information.

    Enter option [ 0 - 9 ]: 4
    1. Network-config/Cluster-info
    2. NTP/Timezone Info
    Enter option [ 0 - 2 ]:

- Network-config/Cluster-info--Enter command option 1 from the Configuration menu to view the network configuration and cluster information.
    Enter option [ 0 - 2 ]: 1
    Updated Network Settings
    ------------------------
    Hostname      : node182-158.arubathena.com
    IP Address    : 10.22.158.182
    Subnet Mask   : 255.255.255.0
    Gateway       : 10.22.158.2
    DNS           : 10.20.50.10
    Secondary DNS : 10.20.50.25
    Timezone      : UTC
    COP Cluster Details
    -----------------------
    Cluster IP         : 10.22.158.27
    Cluster FQDN       : node3vip.arubathena.com
    Pod CIDR           : 172.16.0.0/16
    Service CIDR       : 10.3.0.0/23
    Router ID          : 27
    Time Zone          : UTC
    Cluster Node Count : 3
    Cluster Node List  :
    NAME            STATUS   ROLES    AGE   VERSION
    10.22.158.181   Ready    master   8h    v1.14.5
    10.22.158.182   Ready    master   8h    v1.14.5
    10.22.158.77    Ready    master   8h    v1.14.5
- NTP/Timezone Info: Enter command option 2 from the Configuration menu to view the configured NTP server and the timezone.
    Enter option [ 0 - 2 ]: 2
    ############################ NTP Info ############################
    Default NTP server configured is - ntp.ubuntu.com
    ############################ TimeZone Info ############################
    UTC
System
Enter command option 5 from the Show commands menu to display system information such as memory, hard disk, and CPU usage, and the uptime.
    Enter option [ 0 - 9 ]: 5
    1. Memory/Hard disk/CPU Usage
    2. Uptime
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 2 ]:
- Memory/Hard disk/CPU Usage: Enter the command option 1 from the System menu to view memory, hard disk, and CPU usage.
    Enter option [ 0 - 2 ]: 1
    ############################ Memory Usage ############################
                  total        used        free      shared  buff/cache   available
    Mem:           251G        113G        111G        990M         26G        137G
    Swap:            0B          0B          0B
    ############################ Hardisk Usage ############################
    Filesystem      Size  Used Avail Use% Mounted on
    udev            126G     0  126G   0% /dev
    tmpfs            26G   17M   26G   1% /run
    /dev/sdb4        15G  6.0G  8.3G  42% /
    tmpfs           126G     0  126G   0% /dev/shm
    tmpfs           5.0M     0  5.0M   0% /run/lock
    tmpfs           126G     0  126G   0% /sys/fs/cgroup
    /dev/sdb3       465M  109M  328M  25% /boot
    /dev/sdb2       241M   512  241M   1% /boot/efi
    /dev/sdb5        15G   41M   15G   1% /secondary
    /dev/sdb6       1.7T   82G  1.6T   5% /data
    tmpfs            26G     0   26G   0% /run/user/1003
    tmpfs            26G     0   26G   0% /run/user/1001
    tmpfs            26G     0   26G   0% /run/user/1004
    ############################ CPU Usage ############################
    %Cpu(s):  7.0 us,  2.2 sy,  0.0 ni, 90.1 id,  0.4 wa,  0.0 hi,  0.3 si,  0.0 st
    Architecture:        x86_64
    CPU op-mode(s):      32-bit, 64-bit
    Byte Order:          Little Endian
    CPU(s):              80
    On-line CPU(s) list: 0-79
    Thread(s) per core:  2
    Core(s) per socket:  20
    Socket(s):           2
    NUMA node(s):        2
    Vendor ID:           GenuineIntel
    CPU family:          6
    Model:               85
    Model name:          Intel(R) Xeon(R) Gold 6138 CPU @ 2.00GHz
    Stepping:            4
    CPU MHz:             2866.513
    CPU max MHz:         3700.0000
    CPU min MHz:         1000.0000
    BogoMIPS:            4000.00
    Virtualization:      VT-x
    L1d cache:           32K
    L1i cache:           32K
    L2 cache:            1024K
    L3 cache:            28160K
    NUMA node0 CPU(s):   0-19,40-59
    NUMA node1 CPU(s):   20-39,60-79
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr
- Uptime: Enter the command option 2 from the System menu to view how long the Aruba Central (on-premises) node has been up.
    Enter option [ 0 - 2 ]: 2
    ############################ uptime ############################
    06:44:21 up 8:49, 7 users, load average: 17.89, 11.79, 10.51
User Sessions
Enter command option 6 from the Show commands menu to display the list of user sessions.
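Option 6 prints one line per interactive login on the node. The columns correspond to the who -u layout (user, tty, login time, idle time, PID, source address); that column mapping, the admin network 10.240.0.0/16, and the account roles are assumptions of the following added example, which is not part of the guide or of the product. The script parses such a listing and flags sessions that belong to the temporary support accounts cop_shell and copsupport, to accounts it does not expect, or that originate outside the admin network, so the listing can be reviewed mechanically after a support engagement instead of by eye:

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the sessions from this page's option 6 listing, laid out as who -u prints them
# (user, tty, login time, idle time, PID, source). The column layout is an assumption.
SAMPLE_SESSIONS = """\
copadmin   pts/0  2020-07-27 05:26 01:17  51432 (10.240.125.20)
ineedshell pts/1  2020-07-27 05:02 01:42   3261 (10.20.13.62)
cop_shell  pts/2  2020-07-27 05:30 01:10  54299 (10.240.125.20)
copadmin   pts/3  2020-07-27 05:54   .    76741 (10.240.126.221)
ineedshell pts/4  2020-07-27 06:05 00:39  47373 (10.20.13.113)
ineedshell pts/5  2020-07-27 06:11 00:32  36861 (10.20.44.187)
ineedshell pts/6  2020-07-27 06:42 00:02  68881 (10.240.130.81)
"""

# Assumptions for this example: the admin jump network and which accounts are expected.
ADMIN_NETWORKS = [ipaddress.ip_network("10.240.0.0/16")]
SUPPORT_ACCOUNTS = {"cop_shell", "copsupport"}  # temporary support logins described in this chapter
EXPECTED_ACCOUNTS = {"copadmin"} | SUPPORT_ACCOUNTS

SESSION_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<login>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<idle>\S+)\s+(?P<pid>\d+)\s+\((?P<source>[^)]+)\)\s*$"
)


@dataclass
class Finding:
    user: str
    tty: str
    login: str
    source: str
    reasons: list = field(default_factory=list)


def parse_sessions(text):
    """Return one dict per line that matches the who -u layout; other lines are ignored."""
    return [m.groupdict() for m in (SESSION_RE.match(l.strip()) for l in text.splitlines()) if m]


def from_admin_network(source):
    """True/False for an IP source; None when the source is a hostname and cannot be checked."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return None
    return any(addr in net for net in ADMIN_NETWORKS)


def audit_sessions(text):
    """Return a Finding for every session that deserves a second look, with all reasons attached."""
    findings = []
    for s in parse_sessions(text):
        reasons = []
        if s["user"] in SUPPORT_ACCOUNTS:
            reasons.append("support account active")
        elif s["user"] not in EXPECTED_ACCOUNTS:
            reasons.append("unexpected account")
        ok = from_admin_network(s["source"])
        if ok is None:
            reasons.append("source is not an IP address")
        elif not ok:
            reasons.append("source outside admin networks")
        if reasons:
            findings.append(Finding(s["user"], s["tty"], s["login"], s["source"], reasons))
    return findings


if __name__ == "__main__":
    for f in audit_sessions(SAMPLE_SESSIONS):
        print(f"{f.user:<11}{f.tty:<7}{f.source:<16}{'; '.join(f.reasons)}")
```

Run against the sample, the two copadmin sessions from 10.240.x.x pass, the cop_shell session is reported as an active support account, and every ineedshell session is reported as an unexpected account, three of them additionally for coming from 10.20.x.x. Adjust ADMIN_NETWORKS and EXPECTED_ACCOUNTS to your own jump hosts and operator accounts; the point is that any support-account session still present after the engagement, or any login from an address you did not expect, is visible at a glance.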
    Enter option [ 0 - 9 ]: 6
    ############################ List of user sessions ############################
    copadmin   pts/0  2020-07-27 05:26 01:17  51432 (10.240.125.20)
    ineedshell pts/1  2020-07-27 05:02 01:42   3261 (10.20.13.62)
    cop_shell  pts/2  2020-07-27 05:30 01:10  54299 (10.240.125.20)
    copadmin   pts/3  2020-07-27 05:54   .    76741 (10.240.126.221)
    ineedshell pts/4  2020-07-27 06:05 00:39  47373 (10.20.13.113)
    ineedshell pts/5  2020-07-27 06:11 00:32  36861 (10.20.44.187)
    ineedshell pts/6  2020-07-27 06:42 00:02  68881 (10.240.130.81)
Clock
Enter command option 7 from the Show commands menu to display the current date and time.
    Enter option [ 0 - 9 ]: 7
    Thu Aug 8 03:33:50 UTC 2019
App Status
Enter command option 8 from the Show commands menu to display the pod status of an Aruba Central (on-premises) application. Enter an application name, or press Enter without a name to list all applications. The following example shows the pods of the central application.
    Enter option [ 0 - 9 ]: 8
    Enter the application name, to list all apps press Enter key:central
    NAMESPACE    NAME                                                 READY   STATUS    RESTARTS   AGE     IP             NODE            NOMINATED NODE   READINESS GATES
    acp-system   central-grafana-dashboard-7c845956dc-92xgj           1/1     Running   1          7h42m   172.16.2.94    10.22.158.181   <none>           <none>
    central      acp-ae-rapids-api-deployment-b8d794d49-4sxck         1/1     Running   0          7h30m   172.16.0.172   10.22.158.182   <none>           <none>
    central      acp-ae-rapids-bootstrap-deployment-789f85cbbd-dtjsb  1/1     Running   0          7h38m   172.16.4.131   10.22.158.77    <none>           <none>
    central      acp-ae-rapids-deployment-588b4989b5-kc58v            1/1     Running   0          7h38m   172.16.0.134   10.22.158.182   <none>           <none>
    central      acp-ae-rapids-deployment-588b4989b5-q7mw8            1/1     Running   0          7h38m   172.16.4.130   10.22.158.77    <none>           <none>
    central      acp-ae-rapids-deployment-588b4989b5-xx5ks            1/1     Running   0          7h38m   172.16.2.121   10.22.158.181   <none>           <none>
    central      acp-device-visibility-deployment-5f97648f6f-nxq28    1/1     Running   0          7h42m   172.16.4.102   10.22.158.77    <none>           <none>
    central      admin-api-deployment-7d4f4984f7-9wq5h                1/1     Running   0          7h37m   172.16.2.150   10.22.158.181   <none>           <none>
Cluster Status
Enter command option 9 from the Show commands menu to display the cluster details for Aruba Central (on-premises).
    Enter option [ 0 - 9 ]: 9
    COP Cluster Details
    -----------------------
    Cluster IP         : 10.22.158.27
    Cluster FQDN       : node3vip.arubathena.com
    Pod CIDR           : 172.16.0.0/16
    Service CIDR       : 10.3.0.0/23
    Router ID          : 27
    Time Zone          : UTC
    Cluster Node Count : 3
    Cluster Node List  :
    NAME            STATUS   ROLES    AGE   VERSION
    10.22.158.181   Ready    master   8h    v1.14.5
    10.22.158.182   Ready    master   8h    v1.14.5
    10.22.158.77    Ready    master   8h    v1.14.5
System Configuration Commands
The System Configuration commands configure system parameters such as the network, proxy, timezone, NTP, and node setup, and also upgrade the setup or perform a complete factory reset. Enter command option 4 from the main menu to view all the system configuration commands supported.
    Enter option [ 0 - 9 ]: 4
    1. Upgrade
    2. Network Setup
    3. Proxy Setup
    4. Setup Timezone
    5. Setup NTP
    6. Node Setup
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 6 ]:
The following section describes the set of commands that can be executed under the System Configuration category.
Upgrade
Enter command option 1 from the System Configuration commands menu to upgrade the system, for either an online or an offline customer.
    Enter option [ 0 - 6 ]: 1
    COP Server Status
    ---------------------------------------------------------
    Current Version                     : 2.5.2.0
    Latest Version                      : 2.5.2.0
    Online Customer                     : true
    Upgrade Status                      : UP_TO_DATE
    Upgrade Available                   : false
    File Transfer Completion Percentage : 0
    Upgrade Stage Completion Percentage : 0
    ---------------------------------------------------------
    Last File Transfer Status  :
    Last File Transfer Message :
    Last File Transfer Time    :
    Last Upgrade Status        :
    Last Upgrade Message       :
    Last Upgrade Time          :
    ---------------------------------------------------------
    ===== COP is in latest version =====
Network Setup
Enter command option 2 from the System Configuration commands menu to set up the network settings permanently or temporarily.
    Enter option [ 0 - 6 ]: 2
    1. Permanent (Network settings)
    2. Temporary (Network settings)
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 2 ]:
- Permanent (Network settings): Enter command option 1 from the Network Setup commands menu to set up the permanent network settings.
    Enter option [ 0 - 2 ]: 1
    Network Settings
    Hostname   : ccs-1n-cophost.arubathena.com
    IP Address : 10.22.154.57
    Interface  : eno1
    Enter Subnet mask : 255.255.255.0
    Enter Gateway : 10.22.154.2
    Enter DNS : 10.20.50.10
    Secondary DNS is optional. Press ENTER to proceed
    Enter Secondary DNS : 10.20.50.25
    Network settings exist; will be reset to new value
    To list timezones, enter 'list'
    Enter timezone : UTC
    =========================== Updated Network Settings ===========================
    Hostname      : ccs-1n-cophost.arubathena.com
    IP Address    : 10.22.154.57
    Subnet Mask   : 255.255.255.0
    Gateway       : 10.22.154.2
    DNS           : 10.20.50.10
    Secondary DNS : 10.20.50.25
    Timezone      : UTC
    ================================================================================
    Press [Enter] key to continue...
- Temporary (Network settings): Enter command option 2 from the Network Setup commands menu to set up the temporary network settings.
    Enter option [ 0 - 2 ]: 2
    Network Settings
    Hostname   : ccs-1n-cophost.arubathena.com
    IP Address : 10.22.154.57
    Interface  : eno1
    Enter Subnet mask : 255.255.255.0
    Enter Gateway : 10.22.154.2
    Enter DNS : 10.20.50.10
    Secondary DNS is optional. Press ENTER to proceed
    Enter Secondary DNS : 10.20.50.25
    Network settings exist; will be reset to new value
    To list timezones, enter 'list'
    Enter timezone : UTC
    =========================== Updated Network Settings ===========================
    Hostname      : ccs-1n-cophost.arubathena.com
    IP Address    : 10.22.154.57
    Subnet Mask   : 255.255.255.0
    Gateway       : 10.22.154.2
    DNS           : 10.20.50.10
    Secondary DNS : 10.20.50.25
    Timezone      : UTC
    ================================================================================
    Press [Enter] key to continue...
Proxy Setup
Enter command option 3 from the System Configuration menu to add, delete, or show the proxy URL.
    Enter option [ 0 - 6 ]: 3
    1. Add Proxy
    2. Delete Proxy
    3. Get Proxy
    Enter option [ 0 - 3 ]:
- Add Proxy: Enter command option 1 from the Proxy Setup menu to add a proxy URL. The username and password are optional.
    Enter option [ 0 - 3 ]: 1
    Enter the proxy url: www.techpubs.com
    Enter port: 98
    Enter username(optional):
    Enter password(optional):
- Delete Proxy: Enter command option 2 from the Proxy Setup menu to delete the proxy.
    Enter option [ 0 - 3 ]: 2
    Proxy deleted
    Press [Enter] key to continue...
- Get Proxy: Enter command option 3 from the Proxy Setup menu to show the details of the configured proxy. The output includes the stored proxy username and password, so treat the console output as sensitive.
    Enter option [ 0 - 3 ]: 3
    "url": "10.22.154.228",
    "username": "admin",
    "password": "",
    "port": "3128"
Setup Timezone
Enter command option 4 from the System Configuration menu to set up the timezone.
    Enter option [ 0 - 6 ]: 4
    To list timezones, enter 'list'
    Enter timezone [UTC]: GMT
    Setting TimeZone for other nodes in this cluster...
    configmap/airwave-config patched (no change)
    Press [Enter] key to continue...
Setup NTP
Enter command option 5 from the System Configuration menu to set up the NTP servers.
    Enter option [ 0 - 6 ]: 5
    Enter primary NTP server : 10.22.158.230
    Enter secondary NTP server (Optional) :10.22.154.165
    Enter tertiary NTP server (Optional):
    Is NTP Authentication required (y/n) : n
    Configuring NTP for node : 10.22.154.57
    FIPS mode initialized
    10.22.158.230 NTP configured on node 10.22.154.57
    10.22.154.165 NTP configured on node 10.22.154.57
    FIPS mode initialized
    FIPS mode initialized
    NTP is configured node : 10.22.154.57
    Press [Enter] key to continue...
All the nodes in a multi-node cluster must synchronize to the same NTP server. Run the NTP/Timezone Info command to verify that all the nodes are synchronized with the same NTP server; to run it, enter command option 2 from the Show > Configuration menu. You also have the option to authenticate the NTP server by using a secure key.
- If you are configuring NTP servers through iLO and require NTP server authentication, you must use either the WebUI or the CLI to copy the NTP server key, because copy and paste is not supported on the iLO console. Log on to the CLI with the iLO credentials and use the VSP command to get the secure key.
- If Setup NTP is executed after the cluster is configured, the modified NTP server details are updated on the whole cluster. If the cluster is not configured, the modified NTP server details are updated only on the node.
Node Setup
Enter command option 6 from the System Configuration menu to set up a node.
    Enter option [ 0 - 6 ]: 6
Advanced Commands
Enter command option 5 from the main menu to test connectivity, run NsLookup, toggle the CDN, or configure the iLO IP address.
    Enter option [ 0 - 9 ]: 5
    1. Test Connectivity
    2. NsLookup
    3. Toggle CDN
    4. Configure ILO IP
    ====================================
    b. back
    m. main menu
    0. exit
Test Connectivity
Enter command option 1 from the Advanced commands menu to test connectivity to a host or to the servers the appliance depends on.
    Enter option [ 0 - 4 ]: 1
    1. Ping
    2. Dependent Servers Reachability
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 2 ]:
- Ping: Enter command option 1 from the Test Connectivity menu to ping an IP address or hostname.
    Enter option [ 0 - 2 ]: 1
    Enter the IP address or hostname to ping:10.22.154.56
    PING 10.22.154.56 (10.22.154.56) 56(84) bytes of data.
    64 bytes from 10.22.154.56: icmp_seq=1 ttl=63 time=0.473 ms
    64 bytes from 10.22.154.56: icmp_seq=2 ttl=63 time=1.61 ms
    64 bytes from 10.22.154.56: icmp_seq=3 ttl=63 time=2.63 ms
    64 bytes from 10.22.154.56: icmp_seq=4 ttl=63 time=1.58 ms
    64 bytes from 10.22.154.56: icmp_seq=5 ttl=63 time=2.99 ms
- Dependent Servers Reachability: Enter command option 2 from the Test Connectivity menu to check that the dependent servers (coreupdate, quay, and nexus) are reachable over HTTP(S). These are the external hosts the appliance must be able to reach, through the configured proxy if there is one, so they are also the names an egress filter in front of the appliance has to allow.
    Enter option [ 0 - 2 ]: 2
    Connection to coreupdate (coreupdate.central.arubanetworks.com) successful.
    Connecting to coreupdate(coreupdate-prod.central.arubanetworks.com) ...
    You are going to access FED system . Required policy
    1 LINE 1
    2 LINE 2
    3 LINE 3
    4 LINE 4
    5 LINE 5
    Connection to coreupdate (coreupdate-prod.central.arubanetworks.com) successful.
    Connecting to quay(quay.io) ...
    You are going to access FED system . Required policy
    1 LINE 1
    2 LINE 2
    3 LINE 3
    4 LINE 4
    5 LINE 5
    Connection to quay (quay.io) successful.
    Connecting to nexus(nexus2.airwave.com) ...
    Connection to nexus(nexus2.airwave.com) successful.
    ----- All dependent HTTP(S) servers are reachable -----
    Press [Enter] key to continue...
NsLookup
Enter option 2 from the Advanced commands menu to perform a DNS lookup for a hostname or IP address.
    Enter option [ 0 - 4 ]: 2
    Enter the hostname or IP Address for NS Lookup:google.com
    ../../../lib/dns/hmac_link.c:349: FIPS mode is 1: MD5 is only supported if the value is 0.
    Please disable either FIPS mode or MD5.
    Server:         10.20.50.10
    Address:        10.20.50.10#53
    Non-authoritative answer:
    Name:   google.com
    Address: 142.250.76.46
    Name:   google.com
    Address: 2404:6800:4007:814::200e
    Press [Enter] key to continue...
The hmac_link.c message is a warning from the resolver library: MD5-based HMAC is disabled while the appliance runs in FIPS mode. The lookup itself still completes, as the answer shows.
Toggle CDN
Enter command option 3 from the Advanced commands menu to enable the CDN, disable the CDN, or show the CDN status.
    Enter option [ 0 - 4 ]: 3
    1. Enable CDN
    2. Disable CDN
    3. Show CDN status
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 3 ]:
- Enable CDN: Enter command option 1 from the Toggle CDN menu to enable the CDN.
    Enter option [ 0 - 3 ]: 1
    CDN enabled
    Press [Enter] key to continue...
- Disable CDN: Enter command option 2 from the Toggle CDN menu to disable the CDN.
    Enter option [ 0 - 3 ]: 2
    CDN enabled
    Press [Enter] key to continue...
- Show CDN Status: Enter command option 3 from the Toggle CDN menu to show the status of the CDN.
    Enter option [ 0 - 3 ]: 3
    {
      "monitoring": "//d1c50u1zbkqmph.cloudfront.net",
      "configuration": "//d1c50u1zbkqmph.cloudfront.net",
      "base": "//d1c50u1zbkqmph.cloudfront.net",
      "enabled": false,
      "guest": "//d1c50u1zbkqmph.cloudfront.net",
      "msp": "//d1c50u1zbkqmph.cloudfront.net"
    }
Configure ILO IP
Enter command option 4 from the Advanced commands menu to configure the IP address of the iLO.
    Enter option [ 0 - 4 ]: 4
Security Commands
Enter the command option 6 from the main menu to reset the GUI admin password, the CLI (copadmin) password, or the debug apps password.
    Enter option [ 0 - 11 ]: 6
    1. Reset Password GUI
    2. Reset Password CLI
    3. Reset debug apps password
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 3 ]:
Reset Password GUI
Enter the command option 1 from the Security Commands menu to reset the GUI admin user password.
    Enter option [ 0 - 3 ]: 1
    Do you want to reset GUI admin user password(y/n) :
Reset Password CLI
Enter the command option 2 from the Security commands menu to reset the CLI (copadmin) password.
    Enter option [ 0 - 3 ]: 2
    Do you want to reset copadmin password(y/n) :
Reset debug apps password
Enter the command option 3 from the Security commands menu to reset the debug apps password.
    Enter option [ 0 - 3 ]: 3
    Do you want to reset debug apps password(y/n) :
Support Commands
Enter the command option 7 from the main menu to start or stop the support connection, collect logs, restart a particular application, or manage the system operations lock.
    Enter option [ 0 - 9 ]: 7
    1. Support Connection
    2. Collect All Logs
    3. Log Snapshot Operations
    4. Download COP Setup Logs
    5. Restart Application
    6. System Operations Lock Management
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 6 ]:
Support Connection
Enter the command option 1 from the Support commands menu to start, stop, or restart the support connection used for remote TAC access, check its status, upload the support connection file, and add or delete the support user copsupport.
    Enter option [ 0 - 6 ]: 1
    1. Start Support Connection
    2. Stop Support Connection
    3. Restart Support Connection
    4. Support Connection Status
    5. Upload Support Connection File
    6. Add Support User 'copsupport'
    7. Delete Support User 'copsupport'
    8. Show contents of copsupport.gpg
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 8 ]:
- Start Support Connection: Enter command option 1 from the Support Connection menu to start a support connection.
    Enter option [ 0 - 8 ]: 1
    {
      "support_connection_status": "stopped",
      "active_from": "_",
      "connection": "inactive"
    }
    Press [Enter] key to continue...
- Stop Support Connection: Enter command option 2 from the Support Connection menu to stop a support connection.
    Enter option [ 0 - 8 ]: 2
    {
      "support_connection_status": "stopped"
    }
    Press [Enter] key to continue...
- Restart Support Connection: Enter command option 3 from the Support Connection menu to restart a support connection.
    Enter option [ 0 - 8 ]: 3
    {
      "support_connection_status": "stopped"
    }
    {
      "support_connection_status": "stopped",
      "active_from": "_",
      "connection": "inactive"
    }
    Press [Enter] key to continue...
- Support Connection Status: Enter command option 4 from the Support Connection menu to check the status of the support connection.
    Enter option [ 0 - 8 ]: 4
    {
      "support_connection_status": "stopped",
      "active_from": "_",
      "connection": "inactive",
      "node": "_"
    }
    Press [Enter] key to continue...
- Upload Support Connection File: Enter command option 5 from the Support Connection menu to copy the support connection file from a remote server to the COP server over scp.
    Enter option [ 0 - 8 ]: 5
    This will scp a file from the remote server to cop server
    Enter remote hostname and path (username@hostname:<filepath>): [email protected]:/home/auto/support_connection.tar
    Copying [email protected]:/home/auto/support_connection.tar to COP server
    FIPS mode initialized
    [email protected]'s password:
    Connected to 10.22.158.92.
    Fetching /home/auto/isupport_connection.tar to /var/airwave/appliance/localdisk/support_connection.tar
    /home/auto/support_connection.tar 100% 1988 127.9MB/s 00:00
    Press [Enter] key to continue...
- Add Support User 'copsupport': Enter command option 6 from the Support Connection menu to create the support user copsupport. The account has an expiry date, and its password is printed as a PGP-encrypted message for the support team.
    Enter option [ 0 - 8 ]: 6
    copsupport user account expires on: Mar 10, 2022 8 10:48:17
    -----BEGIN PGP MESSAGE-----
    hQIMA0wNcZIn82zzAQ//bj0kS7h2s2wMJWX0JlYcfX053lFjWUa2XqHJ5xKk1OP7
    jzvVRw+yFApKy5R0DP1RbXnifLHFGGxZx+x40H592agTehIqrI3L5put4Ewi/uK2
    RZg9znigDmTe8jKTNWIbrN80VBpTz4QXaArD+4yhAJ80JFhFyFij9fWz1dSCwIUj
    oej3JpKtDzVNmRZqANje8HeF62Y6WYWXFFn8VrzBPaasIPk1KQU5MZEKXtZyB3zD
    nmi3IyM5rF/+uqFniR7vYlQfYXwySB17ToPKvjbO4tvEt5WWwfXeEg+DczdNkdIz
    EpxXwgoby958Le0xCgcV8efbRtGCkxrtks37pPMAGJlVc0qtSJ/74DZc/BHD0WrZ
    r4euZjWD/F1Eaxq56nMUHal0jzyLVj5w7DP5Rhj9mnCYl+jsy6ZTIbxpfDzembUF
    LwTbVdjrbq79Ib+RFSHMUwFCv9CPGMjMmCJokYpdL82wksdJyOaWwF4AclmA19sU
    IuyUtwiXb5bZqwCM0N3+mVQhaUqti0Xu4K5K5E8kSje3QOAyUz0ogS9axGkJQUWx
    FpthJUF8ZKwH/tHU07K/So5LhahMcIa+qnCxycUC1X9G5R9EhvpGzEEQrUwy59lp
    zCz9w4M0ON/QwNh4IVssnZMTW6WLUv0r9fHEjnJAj/toIsRAVbKSAMgzXKNiwc/S
    dQEKZuFfFlPufJW4BWIoAn5PeThJQOrNlKxocI+e3H7eUKMZVof38MACsl6DJdy+
    RCVrl4Wie3Ek/i2jXawz9QhBQza5c6BhdnjWqhQ+U9swEB0REnUbTqlaVhTXNVnW
    qMGdxD77nPuKKJuTluTONXJLdsF0KA==
    =gWUQ
    -----END PGP MESSAGE-----
    Press [Enter] key to continue...
- Delete Support User 'copsupport': Enter command option 7 from the Support Connection menu to delete the support user copsupport.
    Enter option [ 0 - 8 ]: 7
    Are you sure you want to delete support user 'copsupport' (Y/N)y
    Removing user `copsupport' ...
    Done.
    Support user 'copsupport' deleted successfully.
    Press [Enter] key to continue...
- Show contents of copsupport.gpg: Enter command option 8 from the Support Connection menu to show the contents of the copsupport.gpg file.
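Options 6 and 8 print an ASCII-armored OpenPGP message: the encrypted copsupport password that you forward to Aruba support. Before forwarding it you can confirm, without any key material, that the message survived the copy intact (the armor line starting with = is a CRC-24 over the payload) and that it is encrypted to exactly one recipient key. The following parser is an added example, not part of the guide or of the product: it decodes the packet headers defined in RFC 4880, reads the recipient key ID out of the Public-Key Encrypted Session Key packet, walks the remaining packets, and uses the option 6 output above as its sample input.

```python
import base64

# Sample input: the message printed by Support Connection option 6 on this page.
SAMPLE_MESSAGE = """\
-----BEGIN PGP MESSAGE-----
hQIMA0wNcZIn82zzAQ//bj0kS7h2s2wMJWX0JlYcfX053lFjWUa2XqHJ5xKk1OP7
jzvVRw+yFApKy5R0DP1RbXnifLHFGGxZx+x40H592agTehIqrI3L5put4Ewi/uK2
RZg9znigDmTe8jKTNWIbrN80VBpTz4QXaArD+4yhAJ80JFhFyFij9fWz1dSCwIUj
oej3JpKtDzVNmRZqANje8HeF62Y6WYWXFFn8VrzBPaasIPk1KQU5MZEKXtZyB3zD
nmi3IyM5rF/+uqFniR7vYlQfYXwySB17ToPKvjbO4tvEt5WWwfXeEg+DczdNkdIz
EpxXwgoby958Le0xCgcV8efbRtGCkxrtks37pPMAGJlVc0qtSJ/74DZc/BHD0WrZ
r4euZjWD/F1Eaxq56nMUHal0jzyLVj5w7DP5Rhj9mnCYl+jsy6ZTIbxpfDzembUF
LwTbVdjrbq79Ib+RFSHMUwFCv9CPGMjMmCJokYpdL82wksdJyOaWwF4AclmA19sU
IuyUtwiXb5bZqwCM0N3+mVQhaUqti0Xu4K5K5E8kSje3QOAyUz0ogS9axGkJQUWx
FpthJUF8ZKwH/tHU07K/So5LhahMcIa+qnCxycUC1X9G5R9EhvpGzEEQrUwy59lp
zCz9w4M0ON/QwNh4IVssnZMTW6WLUv0r9fHEjnJAj/toIsRAVbKSAMgzXKNiwc/S
dQEKZuFfFlPufJW4BWIoAn5PeThJQOrNlKxocI+e3H7eUKMZVof38MACsl6DJdy+
RCVrl4Wie3Ek/i2jXawz9QhBQza5c6BhdnjWqhQ+U9swEB0REnUbTqlaVhTXNVnW
qMGdxD77nPuKKJuTluTONXJLdsF0KA==
=gWUQ
-----END PGP MESSAGE-----
"""

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1; the armor '=' line carries it base64-encoded."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str):
    """Return (payload, checksum_ok) for an ASCII-armored message; checksum_ok is None without a '=' line."""
    body, crc_line, inside = [], None, False
    for raw in armored.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN PGP"):
            inside = True
        elif line.startswith("-----END PGP"):
            break
        elif not inside or not line or ": " in line:  # outside the armor, blank, or a "Key: value" header
            continue
        elif line.startswith("="):
            crc_line = line[1:]
        else:
            body.append(line)
    data = base64.b64decode("".join(body))
    crc_ok = None if crc_line is None else int.from_bytes(base64.b64decode(crc_line), "big") == crc24(data)
    return data, crc_ok

def packet_header(data: bytes, pos: int):
    """Return (tag, body_offset, body_length) for the packet header at pos (RFC 4880 section 4.2)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError(f"no packet tag at offset {pos}")
    if first & 0x40:  # new format: tag in the low 6 bits, then a one-, two- or five-octet length
        tag, b1 = first & 0x3F, data[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old format: tag in bits 5..2, length type in bits 1..0
    if ltype == 3:
        raise ValueError("indeterminate length is not handled here")
    nbytes = (1, 2, 4)[ltype]
    return tag, pos + 1 + nbytes, int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")

def parse_pkesk(body: bytes) -> dict:
    """Fields of a version 3 Public-Key Encrypted Session Key packet (RFC 4880 section 5.1)."""
    if body[0] != 3:
        raise ValueError(f"unexpected PKESK version {body[0]}")
    return {
        "key_id": body[1:9].hex().upper(),  # all zeros would mean a wildcard (hidden) recipient
        "algorithm": body[9],  # 1 = RSA (Encrypt or Sign), 16 = Elgamal, 18 = ECDH (section 9.1)
        "mpi_bits": int.from_bytes(body[10:12], "big"),  # bit length of the first encrypted MPI
    }

def walk_packets(data: bytes):
    pos = 0
    while pos < len(data):  # PKESK packets are decoded; any other packet just reports its length
        tag, offset, length = packet_header(data, pos)
        yield tag, (parse_pkesk(data[offset:offset + length]) if tag == 1 else {"length": length})
        pos = offset + length

def recipient_key_ids(armored: str):
    data, _ = dearmor(armored)
    return [info["key_id"] for tag, info in walk_packets(data) if tag == 1]

def check_recipients(armored: str, expected_key_id: str) -> bool:
    """True only if the message is encrypted to exactly the expected key and to nobody else."""
    return recipient_key_ids(armored) == [expected_key_id.upper()]

if __name__ == "__main__":
    payload, ok = dearmor(SAMPLE_MESSAGE)
    print("armor checksum ok:", ok)
    for tag, info in walk_packets(payload): print("packet tag", tag, info)
```

On the message above the first packet is a version 3 PKESK for RSA key ID 4C0D719227F36CF3 (a 4095-bit encrypted session key), followed by a 117-byte integrity-protected data packet (tag 18) that holds the password itself. The copsupport.gpg contents printed by option 8 begin with the same header bytes, so the stored file is encrypted to the same key. A key ID identifies a key but does not prove who holds it: compare it against the support key fingerprint obtained from Aruba through a channel you trust, and treat a message with a wildcard (all-zero) key ID or with more than one recipient as something to question before sending.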
    Enter option [ 0 - 8 ]: 8
    -----BEGIN PGP MESSAGE-----
    hQIMA0wNcZIn82zzARAAmuLy9Jure2AHc9/oSKXc0OEZ9ZW35O6r+mvWFk98zrMz
    V1IW4wocFj1KhcpfMnMZ0O/nBY0oZIb1CK6CpLnaxFAM+T6NLv7Kroz6wqKfVSt8
    pjsrmSh3eyfmMK9FlIkU3u2LglB9xUxMFGqjgvqTqcieqwzWFG5LmK1ALUWsUMoE
    4PsWTTdVO+gRGkx17hsa7c9US0iVFaeOQJBdfCnOgP3rfqJzoVhbnL3JEnJSZrYs
    R/sBIB47LNyw+E0i5ei8mbZ6S3rlWOCexxqFIdmyw+S52xrDPcACW/oqcnW31ubh
    u6jD4JqSZqavaf+QZKM80/I0r9N0jAXMExCkOT0TQX3mmg5K5pFgo38j5hnifXTN
    O+3rAcjRAgWhu1Nq3+1qpdG0esBCYPGdVs5f2mOej+cNBIsfg+RTemejOa71IeVf
    R4/NWpMJa0STYk3/qSybEXjLiYxwwwsJILiqjfE5TVKOcAJhoUVyTH/8t9l4zn+/
    qASXne52ocPaa4lxI3SxKGKz159cYcQxlXsJh+CS6RudZaAh8m/WKtWi2g2SqGhk
    UsnJXttG5ruFnbFQPk1DdUSPnSzy4SZaBnwC0fvwkbQNUhTuYJmgQEQe8M9on5su
    swhivSLvWYZTg6EYTlRveMRjh/iMbsDqp/ylsKH21jLQf9QA+tBM8yuPTmgAjPPS
    dQH6+RPsiSlhdjkWnH6ZItIwX1WB1DpZaBjjx/PTTG+7Wi5XerA+8v1liJJOo6X/
    yIdMnqlrGrQALRO/xPAXJUc4pQxXIDgHpWTQd3VWlCX5oSl2tPIiUAeq5iDds3vS
    5KgqEvskPIeY9BJyMWa+LX2sx175HQ==
    =t1Xn
    -----END PGP MESSAGE-----
    Press [Enter] key to continue...
Collect All Logs
Enter the command option 2 from the Support commands menu to collect the log files into a tar.gz archive. Collecting all logs from Elasticsearch can take 1 to 3 hours; the same logs can also be collected from Log Snapshot Operations by selecting all as the category.
    Enter option [ 0 - 6 ]: 2
    cluster_log_collection...
    Collect COP logs along with diagnostic information (Y/N):Y
    Collecting all logs from Elasticsearch takes around 1-3 hours. It can be also collected from "Log Snapshot Operations" by selecting all as category.
    Do you want to collect logs from Elasticsearch(Y/N):Y
    Collecting COP diagnostic information may take 2-5 minutes
    COP diagnostic information dumped and will be zipped to logs as well
    Starting Elasticsearch snapshot for all logs...
    Logs are being collected from 10.22.156.209 now @Tue Feb 8 11:15:25 UTC 2022
    tar: /var/log/snmp: Cannot open: No such file or directory
    tar: Error is not recoverable: exiting now
    0
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    mv: cannot stat 'cop-156-209.arubathena.com_log_collection_2022-02-08_11-15-25_UTC.tar.gz': No such file or directory
    log_compression...
    The following archive(tar.gz) contains all the log information to help debugging the problem:
    cop-156-209.arubathena.com_log_collection_2022-02-08_11-14-18_UTC.tar.gz
    Please share it with COP customer support team.
    cp: cannot stat '/home/copadmin/log_collection': No such file or directory
    Press [Enter] key to continue...
Log Snapshot Operations
Enter the command option 3 from the Support commands menu to generate and download log snapshots for a category or a node, generate logs for pods and system operations, delete snapshots, and download upgrade reports.
    Enter option [ 0 - 6 ]: 3
    1. Generate Snapshots for a Category
    2. Generate System Operation Logs
    3. Generate Pod Logs
    4. Generate Node Snapshot
    5. Download Logs/Snapshots
    6. Delete Logs/Snapshots
    7. Download Upgrade Reports
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 7 ]:
- Generate Snapshots for a Category: Enter command option 1 from the Log Snapshot Operations menu to collect a log snapshot for a specific category (kube, nginx, alert, infra, syslog, system, or all) over a chosen time range.
    Enter option [ 0 - 7 ]: 1
    Enter a category to create the snapshot [kube nginx alert infra syslog system all]... alert
    Enter the time range for snapshot creation [3h, 1d, 1w, 1M, 3M]... 1w
    {
      "status": "Accepted",
      "snapshotId": "alert-snap-7d-1644406412"
    }
    Press [Enter] key to continue...
- Generate System Operation Logs: Enter command option 2 from the Log Snapshot Operations menu to collect the logs of a system operation (upgrade, backuprestore, or migration).
    Enter option [ 0 - 7 ]: 2
    Enter a category to create the snapshot [upgrade backuprestore migration]...
    migration
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   105  100   105    0     0    652      0 --:--:-- --:--:-- --:--:--   660
    {
      "status": "Accepted",
      "snapshotId": "migration-plain-1m-1644910302",
      "category": "migration"
    }
    Press [Enter] key to continue...
- Generate Pod Logs: Enter command option 3 from the Log Snapshot Operations menu to collect the logs of a pod.
    Enter option [ 0 - 7 ]: 3
    Enter a pod name to generate logs... postgres-cluster-0
    {
      "status": "Accepted",
      "snapshotId": "postgres-cluster-0-1m-1644410009",
      "category": "pod"
    }
    Press [Enter] key to continue...
- Generate Node Snapshot: Enter command option 4 from the Log Snapshot Operations menu to collect a log snapshot for a specific node.
    Enter option [ 0 - 7 ]: 4
    Enter node to generate logs [10.22.154.57]... 10.22.154.57
    {
      "status": "Accepted",
      "snapshotId": "10.22.154.57-snap-1m-1644410130"
    }
    Press [Enter] key to continue...
- Download Logs/Snapshots: Enter command option 5 from the Log Snapshot Operations menu to download a log snapshot file.
    Enter option [ 0 - 7 ]: 5
    List of available snapshots and their status
    ----------------------------------------------------------------
    create time           snapshot name              status
    ----------------------------------------------------------------
    2022-02-08 11:12:35,  "all-snap-7d-1644318755":  "in_progress"
    ----------------------------------------------------------------
    Select a name to be downloaded (without quotes)...
- Delete Logs/Snapshots: Enter command option 6 from the Log Snapshot Operations menu to delete log snapshots.
    Enter option [ 0 - 7 ]: 6
    List of available snapshots and their status
    ----------------------------------------------------------------
    create time           snapshot name              status
    ----------------------------------------------------------------
    2022-02-08 11:12:35,  "all-snap-7d-1644318755":  "in_progress"
    ----------------------------------------------------------------
    Select a name to be deleted (without quotes)...
- Download Upgrade Reports: Enter command option 7 from the Log Snapshot Operations menu to download upgrade reports.
    Enter option [ 0 - 7 ]: 7
    Added `minio` successfully.
    mc: Configuration written to `/home/copadmin/.mc/config.json`. Please update your access credentials.
    mc: Successfully created `/home/copadmin/.mc/share`.
    mc: Initialized share uploads `/home/copadmin/.mc/share/uploads.json` file.
    mc: Initialized share downloads `/home/copadmin/.mc/share/downloads.json` file.
    mc: <ERROR> Unable to validate source minio/deployment/
    Press [Enter] key to continue...
Download COP Setup Logs
Enter the command option 4 from the Support commands menu to copy the Aruba Central (on-premises) setup logs to a remote host over scp.
    Enter option [ 0 - 6 ]: 4
    ################################################################################
    SCP would be used to copy the logs to a remote host
    ################################################################################
    Enter remote hostname and path (username@hostname:<filepath>):
Restart Application
Enter the command option 5 from the Support commands menu to restart an application.
    Enter option [ 0 - 6 ]: 5
    Enter an application name to restart:
System Operations Lock Management
Enter the command option 6 from the Support commands menu to view, release, or enable and disable the lock that serializes system operations.
    Enter option [ 0 - 6 ]: 6
    1. Lock status
    2. Release Lock
    3. Update Lock Setting
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 3 ]:
- Lock status: Enter command option 1 from the System Operations Lock Management menu to show whether a system operation currently holds the lock.
    Enter option [ 0 - 3 ]: 1
    No system operation is active currently
    Press [Enter] key to continue...
- Release Lock: Enter command option 2 from the System Operations Lock Management menu to release the lock held by a system operation.
    Enter option [ 0 - 3 ]: 2
    1. Upgrade
    2. Backup
    3. Restore
    4. Migration
    5. Add node
    6. Replace node
    7. Reboot node
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 7 ]:
- Update Lock Setting: Enter command option 3 from the System Operations Lock Management menu to turn the system operations lock on or off.
    1. on
    2. off
    ====================================
    b. back
    m. main menu
    0. exit
    Enter option [ 0 - 2 ]: 1
    Do you really want to update system operation lock settings?(y/n):
Temporary Root Shell Commands
Enter command option 8 from the main menu to create a temporary user, cop_shell, with a random password. The system encrypts this password; provide the encrypted key to customer support, who can then log in to the Aruba Central (on-premises) SSH shell as cop_shell for 2 days from the date of creation. Use this option to grant shell access for a limited period for checking pods, collecting logs, or executing other CLI commands while troubleshooting or debugging an issue.
    Enter option [ 0 - 9 ]: 8
    This will reset the previous COP root shell's pwd. proceed? (y/n): Y
    No changes made.
    Press [Enter] key to continue...
After the expiry, you can repeat the same process to extend the temporary root access by another 2 days.
Search Commands
Enter option 8 from the main menu to search the available command options by keyword and run one of the matches.
    Enter option [ 0 - 9 ]: 8
    Enter the text to get the list of available command options (case insensitive) : cluster
    1) Show -> Configuration -> Network-config/Cluster-info
    2) Show -> Cluster Status
    Use number to select a command and execute it, enter (stop) to quit: 1
    Updated Network Settings
    ------------------------
    Hostname      : cop-156-209.arubathena.com
    IP Address    : 10.22.156.209
    Subnet Mask   : 255.255.255.0
    Gateway       : 10.22.156.2
    DNS           : 10.20.50.10
    Secondary DNS : 10.20.50.25
    Timezone      : UTC
    COP Cluster Details
    -----------------------
    Cluster IP         : 10.22.156.192
    Cluster FQDN       : copvip-156-192.arubathena.com
    Pod CIDR           : 172.16.0.0/16
    Service CIDR       : 10.3.0.0/23
    Router ID          : 192
    Time Zone          : UTC
    Cluster Node Count : 1
    Cluster Node List  :
    NAME            STATUS   ROLES       AGE   VERSION
    10.22.156.209   Ready    conductor   35d   v1.18.6
    Press [Enter] key to continue...
Network Structure
The Network Structure page shows a tile view of the groups, sites, labels, install manager, and certificates sections. You can click a tile to navigate to the respective page in Aruba Central.
Viewing the Network Structure Page
To view the Network Structure page, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
3. Select the Network Structure tab. The Network Structure page is displayed.
Network Structure | 142
Figure 14 Network Structure Page
The Network Structure page displays tiles for the following sections:
- Groups: Displays the number of groups and the number of unprovisioned devices. Click the tile to navigate to the Groups page.
- Sites: Displays the number of sites and the number of unassociated devices. Click the tile to navigate to the Managing Sites page.
- Labels: Displays the number of labels and the number of unassociated devices. Click the tile to navigate to the Managing Labels page.
• Install Manager--Displays the number of site installations that are either in progress or completed, and the number of authorized installers. Click the tile to navigate to the Install Manager page.
• Certificates--Displays the number of certificates available to upload. Click the tile to navigate to the Managing Certificates page.

Chapter 8 Managing Groups

Aruba Central (on-premises) simplifies the configuration workflow for managed devices by allowing administrators to combine a set of devices into groups. A group in Aruba Central is the primary configuration element that functions as a container for device management, monitoring, and maintenance. Groups enable administrators to manage devices efficiently by using either a UI-based configuration workflow or a CLI-based configuration template.

Groups provide the following functions and benefits:
• Ability to provision multiple devices in a single group. For example, a group can consist of multiple AP Virtual Controllers (VCs). These VCs can share common configuration settings and push the configuration updates to member APs in their respective AP clusters. For example, you can apply a common security policy for the devices deployed in a specific geographical location.
• Ability to provision different types of devices in a group. For example, a group can consist of APs and Switches.
• Ability to create a configuration base and add devices as necessary. When you assign a new device to a group, it inherits the configuration that is currently applied to the group.
• Ability to create a clone of an existing group. If you want to build a new group based on an existing group, you can create a clone of the group and customize it as per your network requirements.

A device can be part of only one group at any given time. Groups in Aruba Central are mutually exclusive (independent) and do not follow a hierarchical model.
The following figure illustrates a generic group deployment scenario in Aruba Central:

Figure 15 Group Deployment

Group Operations

The following list shows the most common tasks performed at the group level:
• Configuration--Add, modify, or delete configuration parameters for devices in a group.
• User Management--Control user access to device groups and group operations based on the type of user role.
• Device Status and Health Monitoring--View device health and performance for devices in a specific group.
• Report Generation--Run reports per group.
• Alerts and Notifications--View and configure notification settings per group.
• Firmware Upgrades--Enforce firmware compliance across all devices in a group.

Group Configuration Modes

Aruba Central allows network administrators to manage device configuration using either UI workflows or configuration templates:
• UI-based configuration method--For device groups that use UI-based workflows, Aruba Central provides a set of UI menu options. You can use these UI menu options to configure devices in a group. You can also secure the UI-based device groups with a password and thus restrict user access.
• Template-based configuration method--For device groups that use a template-based workflow, Aruba Central allows you to manage devices using configuration templates. A device configuration template includes a set of CLI commands and variable definitions that can be applied to all other devices deployed in a group.
• If your site or store has different types of devices, such as Instant APs, Switches, and Controllers, and you want to manage these devices using different configuration methods (UI-based or template-based workflows), you can create a single group and define a configuration method to use for each type of device.
This allows you to use a single group for both UI-based and template-based configuration and eliminates the need to create separate groups for each configuration method.
• For example, you can create a group named Group1 and, within this group, enable the template-based configuration method for switches and the UI-based configuration method for APs and Controllers. Aruba Central identifies both of these groups under a single name (Group1). If a device type in the group is marked for the template-based configuration method, the group name is shown with the TG prefix (TG Group1). You can use Group1 as the group ID for workflows such as user management, monitoring, reports, and audit trail.
• When you add APs, Controllers, and switches to a group, Aruba Central groups these devices based on the configuration method you chose for the device type, and displays the relevant workflows when you access the respective configuration menu.

For information on how to create a group, see Creating a Group.

Default Groups and Unprovisioned Devices

The default group is a system-defined group to which Aruba Central assigns all new devices with factory default configuration. When a new device with factory default configuration connects to Aruba Central, it is automatically added to the default group.

If a device has a customized configuration and connects to Aruba Central, Aruba Central marks the device as Unprovisioned. If you want to preserve the device configuration, you can create a new group and assign this device to the newly created group. If you want to overwrite the configuration, you can move the unprovisioned device to an existing group.

The unprovisioned state does not apply to Aruba Switches, as only factory-default switches can join Aruba Central.
Best Practices and Recommendations

Use the following best practices and recommendations for deploying devices in groups:
• Determine the configuration method (UI-based or template-based) to use based on your deployment, configuration, and device management requirements.
• If there are multiple sites with similar characteristics--for example, with the same device management and configuration requirements--assign the devices deployed in these sites to a single group.
• Apply device-level or cluster-level configuration changes if necessary.
• Use the group cloning feature if you need to create a group with the configuration settings of an existing group.
• If user access to a particular site must be restricted, create separate groups for each site.

Groups

The Groups page allows you to create, edit, or delete a group, view the list of groups provisioned in Aruba Central, and assign devices to groups.

This section describes the following topics:
• Group Persona
• Creating a Group Persona with ArubaOS8 Architecture
• Creating a Group
• Assigning Devices to Groups
• Creating a New Group by Importing Configuration from a Device
• Viewing Groups and Associated Devices
• Cloning a Group
• Moving Devices between Groups
• Configuring Device Groups
• Deleting a Group

Creating a Group

Aruba Central (on-premises) allows you to manage configuration for different types of devices, such as Aruba APs, controllers, and switches in your inventory. These devices can be configured using either UI workflows or configuration templates. You can define your preferred configuration method when creating a group. After you assign devices to a group and access its configuration containers, Aruba Central (on-premises) automatically displays the relevant configuration options based on the configuration method you defined for the device group.
For more information, see Creating a Group Persona with ArubaOS8 Architecture.

Assigning Devices to Groups

To assign a device to a group, in the Account Home page, under Global Settings, click Device Inventory:
1. Select the device that you want to assign to a group.
2. Click Assign Group. The Assign Group pop-up window opens.
3. Select the group to which you want to assign the device.
4. Click Assign Device(s).

To assign a device to a group from the Groups page:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand the group from which you want to move devices to the selected group. For example, expand the Unprovisioned Devices group, select the devices, and then click the Move devices icon. The Move Devices page is displayed.
5. Select the Destination Group from the drop-down list.
6. Click Move. The selected devices are moved to the destination group. These devices will adopt the destination group configuration.

Viewing Groups and Associated Devices

To view the groups dashboard:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed. The groups table lists all the groups and displays the following information:
   • Group Name--Name of the group.
   • Devices--Number of devices assigned to a group.
   • All Connected Devices--Total number of devices provisioned in Aruba Central (on-premises). The devices table on the right side of the page shows all the devices provisioned in Aruba Central (on-premises).
   • Unassigned Devices--Total number of devices that are yet to be assigned. The devices table on the right shows the devices that are not assigned to any group.
4.
To view the devices assigned to a group, select the group from the table on the left. The devices table displays the following information:
   • Device Name--Name of the device.
   • Type--Type of the device, such as AP, Switch, or Controller.
   • Serial Number--Serial number of the device.
   • MAC Address--MAC address of the device.

Creating a New Group by Importing Configuration from a Device

You can create a new group by importing configuration from a device. Importing configuration is supported only for IAPs with the ArubaOS 8 architecture. You can create a new group for IAPs with the ArubaOS 8 architecture by importing configuration from an IAP. You can add more devices later by editing the group.

To import configuration from an existing device into a new group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand a group that has IAP devices.
5. Select the IAP with the ArubaOS 8 architecture.
6. Click the Import Group icon. The Import Configuration pop-up window is displayed.
7. Enter a name for the group.
8. Click Add. A group is created with the configuration imported from the device.

Cloning a Group

Cloning a group clones the same architecture and persona from the source group.

To clone a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. To create a clone of an existing group, hover over the group in the groups table and click the Clone Group icon. The Clone Group page is displayed.
5. Enter a name for the cloned group.
6. Click Clone. A new group is created from the source group settings.

When you clone a group, Aruba Central (on-premises) also copies the configuration templates applied to the devices in the group.

Moving Devices between Groups

This feature allows the user to move the Mobility Conductor and all the associated devices, such as the standby Mobility Conductor, Managed Devices, and access points, to a different group. When you move the Mobility Conductor to a new group, the associated devices automatically move to the same new group. Similarly, when you move a managed device, all the managed devices in that cluster and the corresponding APs automatically move to the destination group.

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Expand the group from which you want to move devices to the selected group. For example, expand the Unprovisioned Devices group, select the devices, and then click the Move devices icon. The Move Devices page is displayed.
5. Select the Destination Group from the drop-down list. Based on the device, the following actions are performed automatically:
   a. If you have selected a Mobility Conductor to move to a different group, all the associated devices, such as the standby Mobility Conductor, clusters, and access points, automatically move to the destination group.
   b. If you have selected a managed device to move to a different group, all the managed devices in that cluster and the corresponding APs automatically move to the destination group.
6. Click Move. The selected devices are moved to the destination group. These devices will adopt the destination group configuration.
7. You can verify the device or group move information by navigating to the Analyze > Audit Trail page. The Sites and Labels pages should also display the updated group information.
Configuring Device Groups

For information on provisioning devices in groups, see the following topics:
• Provisioning Devices Using UI-based Workflows
• Provisioning Devices Using Configuration Templates

Deleting a Group

When you delete a group, Aruba Central (on-premises) removes all configuration, templates, and variable definitions associated with the group. Before deleting a group, ensure that there are no devices attached to the group.

To delete a group:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. From the list of groups, hover over the group in the groups table and click the Delete Group icon. The Delete Group confirmation window is displayed.
5. Click Yes to confirm. The group is deleted.

Group Persona

A persona of a device represents the role that the device plays in a network deployment. Creating a persona for devices helps customize configuration workflows, automate parts of the configuration, show the default configuration, and show the settings relevant to the device. Persona configuration also helps customize the monitoring screens and troubleshooting workflows appropriate for the device.

Creating a Persona

A persona can be created when creating a group. Persona and architecture can be set at the group level. All devices within a group inherit the same persona from the group settings. While creating a group, the architecture and persona settings of the current group can be marked as preferred settings for adding subsequent groups. For subsequent groups, you can either automatically apply the preferred settings or manually select settings for the new group.

Persona for Access Points

Access Points can have the following persona:
• Campus/Branch--In this persona, the AP provides WLAN functionality.
Persona for Controllers

Controllers can have the following persona:
• Branch--In this persona, controllers provide Aruba Instant OS SD-Branch (LAN + WAN) functionality.

Architecture

The following architecture is supported for creating groups:
• ArubaOS 8--Instant AP-based deployment, including 6.x/8.x IAP, IAP-VPN, or 8.x SD-Branch deployments.

Creating a Group Persona with ArubaOS8 Architecture

To manage device configuration using configuration containers in Aruba Central, you can create a group and assign devices. During group creation, you can assign a device persona and select an architecture for the group.

Adding a Group

To add a group and assign a persona and the ArubaOS 8 architecture, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Click (+) Add Group on the Groups table. The Add Group page is displayed.
5. Enter a name for the group. The group name can be a maximum of 32 single-byte ASCII characters if you use the UI to create the name. However, if you are using an NB API, the character limit increases to 128. A group name supports all special characters excluding the ">" character. System-defined group names such as "default", "unprovisioned", and "global" are not allowed as group names. By default, Aruba Central enables the UI-based configuration. The template-based configuration option is displayed only when you select devices in the Add Group page. Use the toggle button to enable Configure using templates.
6. Select the device types that will be part of this group. A group can contain the following devices:
   • Access points
   • Controllers
   • Switches
   For detailed device combinations, refer to the Device Combinations table.
7. Click Next. By default, the ArubaOS 8 architecture is applied for access points and controllers.
8.
Select the Make these the preferred group settings check box (optional) to save the architecture and persona settings of the current group for subsequent group creations.
9. Click Add. A group with persona configuration is created.

You can also create a group that uses different provisioning methods for the switch and IAP device categories. For example, you can create a group with the template-based provisioning method for switches and the UI-based provisioning method for Instant APs.

Device Combinations

The following table lists the valid combinations for a group persona with the ArubaOS 8 architecture.

Table 28: Device Combinations for a Group Persona

Device Type | Architecture | AP Network Role | Controller Network Role | Switches | Monitoring Only
APs | ArubaOS 8 | Campus/Branch | N/A | N/A | N/A
Controllers | ArubaOS 8 | N/A | Branch | N/A | N/A
Switches | No architecture | N/A | N/A | AOS-CX only; AOS-S only; Both AOS-CX and AOS-S | Monitoring only for AOS-S (not applicable for AOS-CX only switch types)
APs and Controllers | ArubaOS 8 | Campus/Branch | Branch | N/A | N/A
APs and Switches | ArubaOS 8 | Campus/Branch | N/A | AOS-CX only; AOS-S only; Both AOS-CX and AOS-S | Monitoring only for AOS-S (not applicable for AOS-CX only switch types)
APs, Controllers, and Switches | ArubaOS 8 | Campus/Branch | Branch | AOS-CX only; AOS-S only; Both AOS-CX and AOS-S | Monitoring only for AOS-S (not applicable for AOS-CX only switch types)

Editing a Group

You can edit a group to add a new device type to the group. The group architecture and persona cannot be changed through group edit. You can mark the settings of an edited group as preferred settings for subsequent group creations.

To edit a group, complete the following steps:
1. From the Network Operations app, filter All Groups.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4.
To edit an existing group, hover over the group in the groups table and click the Edit Group icon. The Edit Group page is displayed.
5. Add a new device type and its persona.
6. For valid edit operations, refer to the Editing a Group table.
7. Select the Make these the preferred group settings check box (optional) to save the architecture and persona settings of the current group for subsequent group creations.
8. Click Save. The group edit changes are saved.

The following table lists the behavior for various edit operations:

Table 29: Editing a Group

Original State: Architecture | Original State: Devices and Persona | Action | Edit Group Behaviour
ArubaOS 8 | AP - Campus/Branch; No Controllers | Add Controller; Add Switches | Allowed. Controller persona - Branch. Switch types: AOS-CX only or AOS-S only or Both AOS-CX and AOS-S
ArubaOS 8 | No AP; Controllers - Branch | Add AP; Add Switches | Allowed. AP persona - Campus/Branch. Switch types: AOS-CX only or AOS-S only or Both AOS-CX and AOS-S
No architecture | No Access Points; No Controllers; Switches - AOS-CX only or AOS-S only or Both AOS-CX and AOS-S | Add AP; Add Controllers | Allowed. AP persona - Campus/Branch. Controllers persona - Branch

Creating Groups for Switches

You can create a group with only switches in it, or you can add a switch to an existing group containing other devices such as APs and gateways. A switch group does not have any architecture.

Adding a Switch Group

To add a switch group, complete the following steps:
1. From the Network Operations app, filter Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Click (+) Add Group on the Groups table. The Add Group page is displayed.
5. Enter a name for the group. The group name can be a maximum of 32 single-byte ASCII characters if you use the UI to create the name. However, if you are using an NB API, the character limit increases to 128.
A group name supports all special characters excluding the ">" character. System-defined group names such as "default", "unprovisioned", and "global" are not allowed as group names. By default, Aruba Central enables the UI-based configuration. The template-based configuration option is displayed only when you select devices in the Add Group page. Use the toggle button to enable Configure using templates.
6. From the Group will contain section, select the Switch check box.
7. Click Next.
8. Select the type of switches used in this group:
   • AOS-CX only
   • AOS-S only
   • Both AOS-CX and AOS-S
   You can select the 'Monitoring only for AOS-S' option for the AOS-S switches.
9. Select the Make these the preferred group settings check box (optional) to save the architecture and persona settings of the current group for subsequent group creations.
10. Click Add. A group for the selected switch type is created.

To add a switch type to an existing group, see Creating a Group Persona with ArubaOS8 Architecture.

Assigning Devices to Groups

In Aruba Central, devices are assigned to groups for configuration, monitoring, and management purposes. A group in Aruba Central is a primary configuration element that acts like a container. In other words, a group is a set of one or more devices that share common configuration settings. Aruba Central supports assigning devices to groups for ease of configuration and maintenance. For example, you can create a common group for Branch Gateways or Instant APs that have similar configuration requirements.

Assigning Instant APs to Groups

An Instant AP group may consist of the following configuration elements:
• Instant AP Cluster--Consists of a master Instant AP and a set of slave Instant APs in the same VLAN.
• Virtual Controller--A virtual controller provides an interface for the entire cluster. The slave Instant APs and master Instant APs function together to provide a virtual interface.
• Master Instant AP and Slave Instant AP--In a typical Instant AP deployment scenario, the first Instant AP that comes up is elected as the master Instant AP. All other Instant APs joining the cluster function as the slave Instant APs. When a master Instant AP is elected, the slave Instant APs download the configuration changes.

The following table describes the group assignment criteria for Instant APs:

Table 30: Instant AP Group Assignment

APs with Default Configuration | APs with Non-Default Configuration
If an Instant AP with factory default configuration joins Aruba Central, it is automatically assigned to the default group or to an existing group with similar configuration settings. The administrators can perform any of the following actions: manually assign them to a pre-provisioned group; create a new group. | If an Instant AP with non-default or custom configuration joins Aruba Central, it is automatically assigned to an unprovisioned group. The administrators can perform any of the following actions: create a new group for the device and preserve the device configuration; move the device to an existing group and override the device configuration.

To manually assign Instant AP(s) to a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. To view a list of unassigned devices, expand Unprovisioned Devices. A list of unassigned devices is displayed.
5. From the list of devices, select the Instant AP(s) to assign.
6. Click the Move devices icon. The Move Devices page is displayed.
7. Select the Destination Group from the drop-down list.
8. Click Move. The selected devices are moved to the destination group. These devices will adopt the destination group configuration.
Assigning Switches to Groups

Aruba Central allows switches to join groups only if the switches are running the factory default configuration. Switches with the factory default configuration are automatically assigned to the default group. Administrators can either move the switch to an existing group or create a new group.

Aruba Central does not support UI-based configuration workflows for the Aruba 5400R Switch Series and switch stacks. Aruba recommends that you assign these devices to template groups and provision them using configuration templates. Aruba Central does not support moving the Aruba 5400R Switch Series from a template group to a UI group. If an Aruba 5400R Switch Series device is pre-assigned to a UI group, the device is moved to an unprovisioned group after it joins Aruba Central.

To manually assign switch(es) to a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. To view a list of unassigned devices, expand Unprovisioned Devices. A list of unassigned devices is displayed.
5. From the list of devices, select the switch(es) to assign.
6. Click the Move devices icon. The Move Devices page is displayed.
7. Select the Destination Group from the drop-down list.
8. Click Move. The selected devices are moved to the destination group. These devices will adopt the destination group configuration.

Assigning Controllers to Groups

Aruba Central allows controllers to join groups, and controllers with the factory default configuration are automatically assigned to the default group. Administrators can either move the controller to an existing group or create a new group.

To manually assign controller(s) to a group, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization.
By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. To view a list of unassigned devices, expand Unprovisioned Devices. A list of unassigned devices is displayed.
5. From the list of devices, select the controller(s) to assign.
6. Click the Move devices icon. The Move Devices page is displayed.
7. Select the Destination Group from the drop-down list.
8. Click Move. The selected devices are moved to the destination group. These devices will adopt the destination group configuration.

Provisioning Devices Using UI-based Workflows

This section describes the important points to consider when assigning devices to UI groups:
• Provisioning APs Using UI-based Configuration Method
• Provisioning Switches Using UI-based Configuration Method

Provisioning APs Using UI-based Configuration Method

An AP device group may consist of any of the following:
• AP Cluster--Consists of a conductor AP and member APs in the same VLAN.
• VC--A virtual controller. The VC provides an interface for the entire cluster. The member APs and conductor APs function together to provide a virtual interface.
• Conductor AP and Member AP--In a typical AP deployment scenario, the first AP that comes up is elected as the conductor AP. All other APs joining the cluster function as the member APs. When a conductor AP is configured, the member APs download the configuration changes. The conductor AP may change as necessary from one device to another without impacting network performance.

Aruba Central (on-premises) allows configuration operations at the following levels for a device group with APs:
• Per group configuration--Aruba Central (on-premises) allows you to maintain unique configuration settings for each group. However, these settings are applied to all devices within that group. For example, all VCs within a group can have common SSID settings.
• Per VC configuration--Any changes that need to be applied at the AP cluster level can be configured on a VC within a group. For example, VCs within a group can have different VLAN configurations for the SSIDs.
• Per device configuration--Although devices are assigned to a group, users can maintain device-specific configuration such as radio, power, or uplink settings for an individual AP within a group.

When APs that are not pre-provisioned to any group join Aruba Central (on-premises), they are assigned to groups based on their current configuration.

Table 31: Instant AP Provisioning

APs with Default Configuration | APs with Non-Default Configuration
If an AP with factory default configuration joins Aruba Central (on-premises), it is automatically assigned to the default group or to an existing group with similar configuration settings. The administrators can perform any of the following actions: manually assign them to an existing group; create a new group. | If an AP with non-default or custom configuration joins Aruba Central (on-premises), it is automatically assigned to an unprovisioned group. The administrators can perform any of the following actions: create a new group for the device and preserve the device configuration; move the device to an existing group and override the device configuration.

Ensure that the conductor AP and member APs are assigned to the same group. You must convert the member AP to a standalone AP in order to move the member AP to another group independently.

In the following illustration, APs from three different geographical locations are grouped under the California, Texas, and New York states. Each state has unique SSIDs and can support devices from multiple locations in a state. As shown in Figure 16, the California group has devices from different locations and has the same SSID, while devices in the other states/groups have different SSIDs.
When a device with the factory default configuration connects to Aruba Central (on-premises), it is automatically assigned to the default group. If the device has a custom configuration, it is marked as unprovisioned. If you want to preserve the custom configuration, create a new group for the device. If you want to overwrite the custom configuration, you can assign the device to an existing group.

Figure 16 AP provisioning

Provisioning Switches Using UI-based Configuration Method

Aruba Central (on-premises) allows switches to join UI groups only if the switches are running the factory default configuration. Aruba Central (on-premises) assigns switches with a factory default configuration to the default group. The administrators can either move the switch to an existing group or create a new group.

Aruba Central (on-premises) does not support UI-based configuration workflows for the Aruba 5400R Switch Series and switch stacks. Aruba recommends that you assign these devices to template groups and provision them using configuration templates. Aruba Central (on-premises) does not support moving the Aruba 5400R Switch Series from a template group to a UI group. If an Aruba 5400R Switch Series device is pre-assigned to a UI group, the device is moved to an unprovisioned group after it joins Aruba Central (on-premises).

Aruba Central (on-premises) allows configuration operations at the following levels for switches in a UI group:
• Per group configuration--Aruba Central (on-premises) allows you to maintain unique configuration settings for each group. However, these settings are applied to all devices within that group. For example, all switches within a group can have common VLAN settings.
• Per device configuration--Although the switches inherit the group configuration, users can maintain device-specific configuration, for example, ports or DHCP pools.
Provisioning Devices Using Configuration Templates

Aruba Central (on-premises) allows you to provision devices using a UI-based or template-based configuration method. If you have groups with template-based configuration enabled, you can create a template with a common set of CLI scripts, configuration commands, and variables. Using templates, you can apply CLI-based configuration parameters to multiple devices in a group. If the template-based configuration method is enabled for a group, the UI configuration wizards for the devices in that group are disabled.

Creating a Group with Template-Based Configuration Method

To create a template group:
1. From the Network Operations app, filter Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Click (+) Add Group on the Groups table. The Add Group page is displayed.
5. Enter the name of the group. The group name can be a maximum of 32 single-byte ASCII characters if you use the UI to create the names. However, if you are using an NB API, the character limit increases to 128. A group name supports all special characters excluding the ">" character. System-defined group names such as "default", "unprovisioned", and "global" are not allowed as group names. By default, Aruba Central enables the UI-based configuration. The template-based configuration option is displayed only when you select devices in the Add Group page. Use the toggle button to enable Configure using templates.
6. Select the device type for which you want to create a template group:
   - Access points
   - Controllers
   - Switches
7. Click Next. By default, the ArubaOS 8 architecture is applied for access points and controllers.
8. Select the switch type for the group.
9. Optionally, select the Make these the preferred group settings check box to save the architecture and persona settings of the current group for subsequent group creations.
10. Click Add.
If the group is set as a template group, a configuration template is required for managing device configuration.

Provisioning Devices Using Configuration Templates and Variable Definitions

For information on configuration templates, see the following topics:
- Configuring APs Using Templates
- Using Configuration Templates for AOS-Switch Management
- Using Configuration Templates for AOS-CX Switch Management
- Managing Variable Files

Configuring APs Using Templates

Templates in Aruba Central (on-premises) refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate access point (AP) deployments.

To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that the device administrators familiarize themselves with the CLI configuration commands available on Aruba APs.

For template-based provisioning, APs must be assigned to a group with the template-based configuration method enabled.

To create a template for the APs in a template group, complete the following steps:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure APs in a template group are displayed.
4. In the Templates table, click + to add a new template. The Add Template window is displayed.
5. Under Basic Info, enter the following information:
   a. Template Name--Enter the template name.
   b. Model--Set the model parameter to ALL.
   c. Version--Set the version parameter to ALL.
6. Under Template, add the CLI script content.
7. Check the following guidelines before adding content to the template:
   - Ensure that the command text indentation matches the indentation in the running configuration.
   - The template allows multiple per-ap-settings blocks. The template must include the per-ap-settings %_sys_lan_mac% variable. The per-ap-settings block uses the variables for each AP. The general VC configuration uses the variables of the conductor AP to generate the final configuration from the provided template. Hence, Aruba recommends that you upload all variables for all devices in a cluster and change values as required for individual AP variables.
   - You can obtain the list of variables for per-ap-settings by using the show amp-audit command. The following example shows the list of variables for per-ap-settings.

       (Instant AP)# show amp-audit | begin per-ap
       per-ap-settings 70:3a:0e:cc:ee:60
        hostname EE:60-335-24
        rf-zone bj-qa
        ip-address 10.65.127.24 255.255.255.0 10.65.127.1 10.65.6.15 ""
        swarm-mode standalone
        wifi0-mode access
        wifi1-mode access
        g-channel 6+ 21
        a-channel 140 26
        uplink-vlan 0
        g-external-antenna 0
        a-external-antenna 0
        ap1x-peap-user peap22 282eaf1077b8d898b91ec41b5da19895

   - The commands in the template are case-sensitive.
   - IF ELSE ENDIF conditions are supported in the template. If the template text includes an if condition, the % sign is required at the beginning and the end of the condition text. For example, %if guest%. The following example shows template text with the IF ELSE ENDIF condition.

       wlan ssid-profile %ssid_name%
       %if disable_ssid=true%
        disable-ssid
       %endif%
       %if ssid_security=wpa2%
        opmode wpa2-aes
       %else%
        opmode opensystem
       %endif%

   - Templates also support nesting of the IF ELSE ENDIF condition blocks.
     The following example shows how to nest such blocks:

       %if condition1=true%
       routing-profile
        route 10.10.0.0 255.255.255.0 10.10.0.255
       %if condition2=true%
       routing-profile
        route 10.20.0.0 255.255.255.0 10.20.0.255
       %else%
       routing-profile
        route 10.30.0.0 255.255.255.0 10.30.0.255
       %endif%
       %else%
       routing-profile
        route 10.40.0.0 255.255.255.0 10.40.0.255
       %if condition3=true%
       routing-profile
        route 10.50.0.0 255.255.255.0 10.50.0.255
       %else%
       routing-profile
        route 10.60.0.0 255.255.255.0 10.60.0.255
       %endif%
       %endif%

   - For profile configuration CLI text (for example, vlan, interface, access-list, ssid, and so on), the first command must start with no white space. The subsequent local commands in a given profile must start with at least one initial space (' ') or be indented as shown in the following examples:

       Example 1
       vlan 1
        name "vlan1"
        no untagged 1-24
        ip address dhcp-bootp
        exit

       Example 2
       %if vlan_id1%
       vlan %vlan_id1%
       %if vlan_id1=1%
        ip address dhcp-bootp
       %endif%
        no untagged %_sys_vlan_1_untag_command%
        exit
       %endif%

   - To comment out a line in the template text, use the pound sign (#). Any template text preceded by # is ignored when processing the template.
   - To allow or restrict APs from joining the Instant Access Point (IAP) cluster, Aruba Central uses the _sys_allowed_ap system-defined variable. Use this variable only when the allowed APs configuration is enabled. For example, _sys_allowed_ap: "a_mac, b_mac, c_mac". Use this variable only once in the template.
8. Click OK.

Using Configuration Templates for AOS-Switch Management

Templates in Aruba Central (on-premises) refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple switches in a group and thus automate switch deployments.
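The following is an added example, not Aruba's code: a small Python model of the template rules described above (IF/ELSE/ENDIF nesting, %var% substitution, # comment lines, the HAS_MULTILINE_VARIABLE directive) together with the condition rules listed later under Managing Variable Files (variable name on the left, numeric operators compared after flooring). It renders a constructed per-ap-settings and nested routing-profile template from constructed per-device values, and checks a rendered switch configuration for the password command that the guide says a push cannot do without. The sample template, the device values, the `password manager plaintext` line and the behaviour for conditions that are only a variable name are assumptions made for this example.

```python
import math
import re
from typing import Dict, List

# Added example, not Aruba code: a model of the template language this guide describes,
# for dry-running a template against variable values before either is uploaded.
VAR_NAME = r"[A-Za-z_][A-Za-z0-9_]*"  # user names start with a letter; _sys_ names are system-defined
COND_RE = re.compile(rf"^%if\s+({VAR_NAME})\s*(<=|>=|<|>|=)?\s*([^%\s]*)\s*%$")
SUBST_RE = re.compile(rf"%({VAR_NAME})%")
MULTILINE_DIRECTIVE = "#define HAS_MULTILINE_VARIABLE 1"


class TemplateError(ValueError):
    pass


def evaluate(cond: str, variables: Dict[str, str]) -> bool:
    """One %if ...% line. The variable must be on the left: %if 100=var% is rejected."""
    m = COND_RE.match(cond.strip())
    if not m:
        raise TemplateError(f"unsupported condition: {cond!r}")
    name, op, rhs = m.groups()
    value = variables.get(name)
    if op is None:  # %if name%: true when the variable is defined and non-empty (assumption)
        return bool(value)
    if value is None:  # a comparison against an undefined variable fails closed (assumption)
        raise TemplateError(f"undefined variable {name!r} in {cond!r}")
    if op == "=":  # equality compares the strings as written
        return value == rhs
    # <, <=, >, >= compare both sides as floored integers, as the guide states (2.8 -> 2)
    left, right = math.floor(float(value)), math.floor(float(rhs))
    return {"<": left < right, "<=": left <= right, ">": left > right, ">=": left >= right}[op]


def render(template: str, variables: Dict[str, str]) -> List[str]:
    """Expand IF/ELSE/ENDIF blocks and %var% references; lines starting with '#' are ignored."""
    lines = template.splitlines()
    multiline = bool(lines) and lines[0].strip() == MULTILINE_DIRECTIVE
    out: List[str] = []
    stack: List[list] = []  # one [parent_emit, emit, else_seen] frame per open %if%

    def substitute(m: "re.Match[str]") -> str:
        value = variables.get(m.group(1))
        if value is None:
            raise TemplateError(f"undefined variable {m.group(1)!r}")
        if "\n" in value and not multiline:
            raise TemplateError("multi-line value without HAS_MULTILINE_VARIABLE")
        return value

    for raw in lines:
        line = raw.strip()
        if line.startswith("#"):
            continue
        if line.startswith("%if "):
            parent = stack[-1][1] if stack else True
            stack.append([parent, parent and evaluate(line, variables), False])
        elif line == "%else%":
            if not stack or stack[-1][2]:
                raise TemplateError("%else% without an open %if")
            stack[-1][1], stack[-1][2] = stack[-1][0] and not stack[-1][1], True
        elif line == "%endif%":
            if not stack:
                raise TemplateError("%endif% without an open %if")
            stack.pop()
        elif not stack or stack[-1][1]:
            out.extend(SUBST_RE.sub(substitute, raw).split("\n"))  # raw keeps leading spaces
    if stack:
        raise TemplateError("unterminated %if block")
    return out


def has_password_command(rendered: List[str]) -> bool:
    """Switch rule from the guide: a pushed configuration without a password command is aborted."""
    return any(line.strip().startswith("password ") for line in rendered)


# Constructed sample template, built from the guide's per-ap-settings and nested IF examples.
AP_TEMPLATE = """\
#define HAS_MULTILINE_VARIABLE 1
per-ap-settings %_sys_lan_mac%
%if allowed_aps%
%allowed_aps%
%endif%
%if condition1=true%
routing-profile
 route 10.10.0.0 255.255.255.0 10.10.0.255
%if dpi_value > 2.8%
 route 10.20.0.0 255.255.255.0 10.20.0.255
%else%
 route 10.30.0.0 255.255.255.0 10.30.0.255
%endif%
%endif%
"""

# Constructed per-device values in the shape of the guide's JSON variables file.
AP_VARIABLES = {
    "CK0036968": {"_sys_serial": "CK0036968", "_sys_lan_mac": "ac:a3:1e:c5:db:7a",
                  "condition1": "true", "dpi_value": "2.8",
                  "allowed_aps": "allowed-ap 24:de:c6:cb:76:4e\n allowed-ap ac:a3:1e:c5:db:d8"},
    "CJ0219729": {"_sys_serial": "CJ0219729", "_sys_lan_mac": "ac:a3:1e:cb:04:92",
                  "condition1": "false", "dpi_value": "3.9", "allowed_aps": ""},
}

# Constructed switch template: the password command sits inside a condition, the case the guide
# warns about (the push is aborted when the condition evaluates to false).
SWITCH_TEMPLATE = "hostname %_sys_hostname%\n%if set_password=true%\npassword manager plaintext %mgr_password%\n%endif%\n"
```

Rendering the same template for both devices shows that a value of 2.8 does not satisfy `> 2.8` after flooring, and that the switch template silently loses its password line when `set_password` is not "true".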
To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that the device administrators familiarize themselves with the CLI configuration commands available on AOS-Switch.

For template-based provisioning, switches must be assigned to a template group.

Creating a Group for Template-Based Configuration

Unlike UI groups, template groups have minimal UI options and use CLI commands to provision a device. Template groups allow you to automate switch deployments. For template-based provisioning, switches must be assigned to a group with the template-based configuration method enabled. To manage devices using configuration templates, you can create a template group and assign devices. For more information, see Creating a Group and Assigning Devices to Groups.

Creating a Configuration Template

To create a configuration template for switches:
1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
4. Click the Templates tab. The Templates page is displayed.
5. Click + to add a new template. The Add Template window is displayed.
6. In the Basic Info tab, enter a name for the template in the Template Name field.
7. In the Device Type drop-down, select Aruba Switch.
8. Select the switch model and software version. You can specify any of the following combinations:
   - ALL for both Model and Version--To apply the template to all switch models and all supported switch software versions.
   - ALL for Model and a software version for Version--To apply the template to all switch models running the selected software version.
   - ALL for Version and a switch model for Model--To apply the template to a switch model and all software versions supported by the selected switch model.
   - A switch model and a software version--To apply the template to a specific switch model and software version. The template created for a switch model and a software version takes precedence over the template that is created for all platforms and versions.
9. Select the manufacturing part number of the switch in the Part Number drop-down.
   - The Part Number drop-down is displayed only if you select a switch model in the Model drop-down.
   - If you select a specific switch model and part number, you can apply the template to a standalone switch and not to a stack.
   - If you select All in the Model drop-down, or if you select a switch model and All in the Part Number drop-down, you can apply a template to both a standalone switch and a stack.
10. Click Next. The Template tab is displayed.
11. Build a new template or import configuration information from a switch that is already provisioned in the template group.
   - To build a new template, add the switch command information in the Template text box. Ensure that the template text adheres to the guidelines listed in Important Points to Note.
   - To import configuration text from a switch that is already provisioned in the template group:
     a. Click Import Configuration As Template.
     b. From the search box, select the switch from which you want to import the configuration. The imported configuration is displayed in the Template text box.
     c. If required, modify the configuration parameters. Ensure that the template text adheres to the guidelines listed in Important Points to Note.
   - Importing configuration from an existing device in the template group allows you to quickly create a basic template. However, before applying the template to other switches in the group, ensure that the template text is variabilized as per your deployment requirements. For more information on variable definitions, see Managing Variable Files.
   - All switch templates must include a password command to set a password for the device. The template cannot be saved without adding a password command. If the configuration that is pushed from Aruba Central (on-premises) to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed will not contain the password command. For more information, see Managing Password in Configuration Templates. For more information about using password commands, see the Configuring Username and Password Security chapter in the ArubaOS-Switch Access Security Guide.
     d. To view the variables present in the imported configuration template, click Show Variables List. The Variables in Template column is displayed. For more information on variables, see Managing Variable Files.
     e. To download the variables as a CSV or plain text file, click the download icon and select one of the following options:
        - Download .CSV
        - Download plain text (.txt)
12. Click Save. After you apply the configuration template, switches reboot and reconnect to Aruba Central (on-premises) with the new configuration.

Important Points to Note

Note the following points when adding configuration text to a template:
- The CLI syntax in the switch template must be accurate. Aruba recommends that you validate the configuration syntax on the switch before adding it to the template text.
- Ensure that the command text indentation matches the indentation in the running configuration.
- The commands in the template are case-sensitive. The following example illustrates the case discrepancies (for example, a trunk named trk1 that is later referenced as Trk1) that users must avoid in templates and variable definitions.
    trunk E1-E4 trk1 trunk
    interface Trk1
     dhcp-snooping trust
     exit
    trunk E1-E4 trk1 trunk
    switch-interconnect trk1
    trunk E5-E6 trk2 trunk
    vlan 5
     name "VLAN5"
     untagged Trk2
     tagged Trk1
     isolate-list Trk1
     ip igmp forcedfastleave Trk1
     ip igmp blocked Trk1
     ip igmp forward Trk1
     forbid Trk1
    loop-protect Trk2
    trunk E1-E4 trk1 trunk
    trunk E4-E5 trk2 trunk
    spanning-tree Trk1 priority 4
    spanning-tree Trk2 admin-edge-port
    trunk A2-A4 trk1 trunk
    igmp fastlearn Trk1
    trunk E4-E5 trk2 trunk
    ip source-binding 2 4.5.6.7 b05ada-96a4a0 Trk2
    [no] ip source-binding trap OutOfResources
    snmp-server mib hpSwitchAuthMIB ..
    snmp-server mib hpicfMACsec unsecured-access ..
    [no] lldp config <P-PORT-LIST> dot1TlvEnable ..
    [no] lldp config <P-PORT-LIST> medTlvEnable ..
    no lldp config <P-PORT-LIST> medPortLocation ..
    [no] lldp config <P-PORT-LIST> dot3TlvEnable ..
    [no] lldp config <P-PORT-LIST> basicTlvEnable ..
    [no] lldp config <P-PORT-LIST> ipAddrEnable <lldp-ip>
    trunk-load-balance L4-based
    trunk-load-balance L3-based

See also: Managing Variable Files.

Best Practices

Aruba recommends that you follow the steps below to use configuration templates for managing switches:
1. Configure the switch.
2. Add the switch to Aruba Central (on-premises).
3. Create the template. You can use the Import template option to import an existing template created for switches.
4. Modify the template based on your requirements, for example, by adding or removing variables.
5. Save the edited template.

Managing Variable Files

Aruba Central (on-premises) allows you to configure multiple devices in bulk using templates. However, in some cases, the configuration parameters may vary per device. To address this, Aruba Central (on-premises) identifies some customizable CLI parameters as variables and allows you to modify the definitions for these variables as per your requirements.
You can download a sample file with variables for a template group or for the devices deployed in a template group, update the variable definitions, upload the file with the customized definitions, and apply these configuration changes in bulk.

Downloading Sample Variables File

The sample variables file includes a set of sample variables that the users can customize. You can download the sample variables file in the JSON or CSV format.

To download a sample variables file:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Click Variables.
5. Select one of the following formats to download the sample variables file:
   - JSON--Shows the file in JSON format.
   - CSV--Shows the variables in different columns.
6. Click Download Sample Variables File. The sample variables file is saved to your local directory.

Modifying a Variable File

The CSV file includes the following columns for which the variable definitions are mandatory:
- _sys_serial--The serial number of the device.
- _sys_lan_mac--The MAC address of the device.
- modified--Indicates the modification status of the device. The value of this column is set to N in the sample variables file. When you edit a variable definition, set the modified column to Y to allow Aruba Central (on-premises) to parse the modified definition.
- The CSV file must contain only one modified column, with the value Y in each row where the variables are modified.
- The modified column is not required when using JSON files to upload the variables.

Following is an example format of the CSV file with the modified column.

Predefined Variables for Aruba Switches

The system-defined variables in the sample variables files are indicated with the _sys prefix.

Table 32 lists the predefined variables for switches.
Table 32: Predefined Variables

_sys_gateway
  Description: Populates the gateway IP address.
  Example value: 10.22.159.1

_sys_hostname
  Description: Maintains a unique host name.
  Example value: HP-2920-48G-POEP

_sys_ip_address
  Description: Indicates the IP address of the device.
  Example value: 10.22.159.201

_sys_module_command
  Description: Populates module lines.
  Example value: module 1 type j9729a

_sys_netmask
  Description: Netmask of the device.
  Example value: 255.255.255.0

_sys_oobm_command
  Description: Represents the Out of Band Management (OOBM) block.
  Example value:
    oobm
     ip address dhcp-bootp
     exit

_sys_snmpv3_engineid
  Description: Populates the engine ID.
  Example value: 00:00:00:0b:00:00:5c:b9:01:22:4c:00

_sys_stack_command
  Description: Represents the stack block.
  Example value:
    stacking
     member 1 type "J9729A" mac-address 5cb901224c00
     exit

_sys_template_header
  Description: Represents the first two lines of the configuration file. Ensure that this variable is the first line in the template.
  Example value:
    ; J9729A Configuration Editor; Created on release #WB.16.03.0003+
    ; Ver #0f:3f.f3.b8.ee.34.79.3c.29.eb.9f.fc.f3.ff.37.ef:91

_sys_use_dhcp
  Description: Indicates the DHCP status (true or false) of VLAN 1.
  Example value: 0

_sys_vlan_1_untag_command
  Description: Indicates the untagged ports of VLAN 1.
  Example value: 1-28,A1-A2

_sys_vlan_1_tag_command
  Description: Indicates the tagged ports of VLAN 1.
  Example value: 28-48

The _sys_template_header and _sys_snmpv3_engineid variables are mandatory and must have their values populated, irrespective of their use in the template. If there is no value set for these variables, Aruba Central (on-premises) re-imports the values for these mandatory variables when it processes the running configuration of the device.

Predefined Variables for APs

For APs, the sample variables file includes the _sys_allowed_ap variable, for which you can specify a value to allow new APs to join the AP cluster.

Important Points to Note

The following conditions apply to the variable files:
- The variable name must be on the left side of a condition and its value must be defined on the right side. For example, %if var=100% is supported and %if 100=var% is not supported.
- The <, <=, >, and >= operators should have only a numeric integer value on the right side. The variables used in these four operations are compared as integers after flooring. For example, if a float value is set as in %if dpi_value > 2.8%, it is converted to %if dpi_value > 2% for the comparison.
- The variable names should not include white space or the & and % special characters. The variable names must match the regular expression [a-zA-Z0-9_]. If variable values containing % are defined, ensure that the variable is surrounded by spaces. For example, wlan ssid-profile %ssid_name%.
- The first character of the variable name must be alphabetic. Numeric values are not accepted.
- The values defined for the variable must not include spaces. If quotes are required, they must be included as part of the variable value. For example, if the intended configuration line is wlan ssid-profile "emp ssid", then the recommended format for the template syntax is "wlan ssid-profile %ssid_name%" and the variable as "ssid_name": "\"emp ssid\"".
- If the configuration text has the percentage sign % in it--for example, url "/portal/scope.cust5001098/Splash%20Profile%201/capture"--Aruba Central (on-premises) treats it as a variable when you save the template. To allow the use of the percentage sign % as an escape character, use \" in the variable definition as shown in the following example:
  - Template text:

        wlan external-captive-portal "Splash Profile 1_#guest#_"
         server naw1.cloudguest.central.arubanetworks.com
         port 443
         url %url%

  - Variable:

        "url": "\"/portal/scope.cust-5001098/Splash%20Profile%201/capture\""

- Aruba Central (on-premises) supports adding multiple lines of variables in AP configuration templates. If you want to add multiple lines of variables, you must add the HAS_MULTILINE_VARIABLE directive at the beginning of the template.
  - Example:

        #define HAS_MULTILINE_VARIABLE 1
        %if allowed_aps%
        %allowed_aps%
        %endif%

  - Variable:

        "allowed_aps": "allowed-ap 24:de:c6:cb:76:4e\n allowed-ap ac:a3:1e:c5:db:d8\n allowed-ap 84:d4:7e:c4:8f:2c"

For APs, you can configure a variable file with a set of values defined for a conductor AP in the network. When the variable file is uploaded, the configuration changes are applied to all AP devices in the cluster.

Examples

The following example shows the contents of a variable file in the JSON format for APs:

    {
      "CK0036968": {
        "_sys_serial": "CK0036968",
        "ssid": "s1",
        "_sys_lan_mac": "ac:a3:1e:c5:db:7a",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
        "hostname": "Uber_1"
      },
      "CJ0219729": {
        "_sys_serial": "CJ0219729",
        "ssid": "s1",
        "_sys_lan_mac": "ac:a3:1e:cb:04:92",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "hostname": "Uber_2"
      },
      "CK0112486": {
        "_sys_serial": "CK0112486",
        "ssid": "s1",
        "_sys_lan_mac": "ac:a3:1e:c8:29:76",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
        "hostname": "Uber_3"
      },
      "CT0779001": {
        "_sys_serial": "CT0779001",
        "ssid": "s1",
        "_sys_lan_mac": "84:d4:7e:c5:c6:b0",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
        "hostname": "Uber_4"
      },
      "CM0640401": {
        "_sys_serial": "CM0640401",
        "ssid": "s1",
        "_sys_lan_mac": "84:d4:7e:c4:8f:2c",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
        "hostname": "Uber_6"
      },
      "CK0037015": {
        "_sys_serial": "CK0037015",
        "ssid": "s1",
        "_sys_lan_mac": "ac:a3:1e:c5:db:d8",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
        "hostname": "Uber_7"
      },
      "CK0324517": {
        "_sys_serial": "CK0324517",
        "ssid": "s1",
        "_sys_lan_mac": "f0:5c:19:c0:71:24",
        "vc_name": "test_config_CK0036968",
        "org": "Uber_org_test",
        "vc_dns_ip": "22.22.22.22",
        "zonename": "Uber_1",
        "uplinkvlan": "0",
        "swarmmode": "cluster",
        "md5_checksum": "ed8a67a3d1be58261640ca53f8fd3bb8",
        "hostname": "Uber_8"
      }
    }

Figure 17 shows a sample variables file in the CSV format:

Figure 17 Variables File in the CSV Format

Uploading Variable Files

While uploading the variables file to Aruba Central (on-premises) in the CSV format, make sure to:
- Choose the default language in Microsoft Excel as English (United States).
- Add only one modified column in the CSV file, with the value Y in each row where the variables are modified.

To upload a variable file, complete the following steps:
1. Ensure that the _sys_serial and _sys_lan_mac variables are defined with the serial number and MAC address of the devices, respectively.
2. In the Network Operations app, set the filter to one of the template groups under Groups.
3. Under Manage, click Devices > Switches.
4. Click the Config icon.
5. Click Variables.
6. Click Upload Variables File and select the variable file to upload.
7. Click Open. The contents of the variable file are displayed in the Variables table.
8. To search for a variable, specify a search term and click the Search icon.
9. To download the variable file with device-specific definitions, click the download icon in the Variables table.

Modifying Variables

To modify variables without downloading a variable file, modifying the variable file, and uploading the customized variable file:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Click Variables.
5. Select a device and variable.
6. Modify the value and click Add to Modifications.
7. Click Save.

Alternatively, to modify a single variable without downloading a variable file, modifying the variable file, and uploading the customized variable file:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Switches.
3. Click the Config icon.
4. Hover over the desired variable and click Edit.
5. Modify the value and click Save.
6. Click Save.

Chapter 9
Managing APs

This section describes how to configure WLAN SSIDs, radio profiles, DHCP profiles, VPN routes, security and firewall settings, uplink interfaces, and logging servers on access points (APs).

APs offer an enterprise-grade networking solution with a simple setup. The WLAN solution with APs supports simplified deployment, configuration, and management of Wi-Fi networks. APs run the ArubaOS and Aruba Instant software that virtualizes Aruba Mobility Controller capabilities on 802.11 APs and offers a feature-rich enterprise-grade Wi-Fi solution.

In an Instant deployment scenario, only the first AP or the conductor AP that is connected to a provisioning network is configured. All other Instant APs in the same VLAN that join the conductor AP inherit the configuration changes. The IAP clusters are configured through a common interface called the Virtual Controller. A Virtual Controller represents the combined intelligence of the IAPs in a cluster.
For more information on APs, see the following topics:
- Configuring APs
- Monitoring APs

Configuring APs

This section describes how to configure WLAN SSIDs, radio profiles, DHCP profiles, VPN routes, security and firewall settings, uplink interfaces, and logging servers on access points (APs).

For more information on AP configuration, see the following topics:
- Configuring Device Parameters
- Configuring Network Profiles on Instant APs
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring ARM and RF Parameters on IAPs
- Configuring IDS Parameters on APs
- Configuring Authentication and Security Profiles on IAPs
- Configuring IAPs for VPN Services
- Configuring DHCP Pools and Client IP Assignment Modes on IAPs
- Configuring Services
- Configuring Uplink Interfaces on IAPs
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Mapping IAP Certificates

Provisioning APs

The following figure illustrates the procedure for bringing up access points (APs) and configuring a basic WLAN setup. To view a detailed description of the tasks, click the task link in the flowchart. When you click a task in the flowchart, the linked topic opens in a pop-up window. After you browse through the topic, click outside the pop-up window to return to this page.

Figure 18 Getting Started--APs

Configuring APs Using Templates

Templates in Aruba Central (on-premises) refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate access point (AP) deployments.
To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that the device administrators familiarize themselves with the CLI configuration commands available on Aruba APs.

For template-based provisioning, APs must be assigned to a group with the template-based configuration method enabled.

To create a template for the APs in a template group, complete the following steps:
1. In the Network Operations app, set the filter to one of the template groups under Groups.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure APs in a template group are displayed.
4. In the Templates table, click + to add a new template. The Add Template window is displayed.
5. Under Basic Info, enter the following information:
   a. Template Name--Enter the template name.
   b. Model--Set the model parameter to ALL.
   c. Version--Set the version parameter to ALL.
6. Under Template, add the CLI script content.
7. Check the following guidelines before adding content to the template:
   - Ensure that the command text indentation matches the indentation in the running configuration.
   - The template allows multiple per-ap-settings blocks. The template must include the per-ap-settings %_sys_lan_mac% variable. The per-ap-settings block uses the variables for each AP. The general VC configuration uses the variables of the conductor AP to generate the final configuration from the provided template. Hence, Aruba recommends that you upload all variables for all devices in a cluster and change values as required for individual AP variables.
   - You can obtain the list of variables for per-ap-settings by using the show amp-audit command. The following example shows the list of variables for per-ap-settings.
       (Instant AP)# show amp-audit | begin per-ap
       per-ap-settings 70:3a:0e:cc:ee:60
        hostname EE:60-335-24
        rf-zone bj-qa
        ip-address 10.65.127.24 255.255.255.0 10.65.127.1 10.65.6.15 ""
        swarm-mode standalone
        wifi0-mode access
        wifi1-mode access
        g-channel 6+ 21
        a-channel 140 26
        uplink-vlan 0
        g-external-antenna 0
        a-external-antenna 0
        ap1x-peap-user peap22 282eaf1077b8d898b91ec41b5da19895

   - The commands in the template are case-sensitive.
   - IF ELSE ENDIF conditions are supported in the template. If the template text includes an if condition, the % sign is required at the beginning and the end of the condition text. For example, %if guest%. The following example shows template text with the IF ELSE ENDIF condition.

       wlan ssid-profile %ssid_name%
       %if disable_ssid=true%
        disable-ssid
       %endif%
       %if ssid_security=wpa2%
        opmode wpa2-aes
       %else%
        opmode opensystem
       %endif%

   - Templates also support nesting of the IF ELSE ENDIF condition blocks. The following example shows how to nest such blocks:

       %if condition1=true%
       routing-profile
        route 10.10.0.0 255.255.255.0 10.10.0.255
       %if condition2=true%
       routing-profile
        route 10.20.0.0 255.255.255.0 10.20.0.255
       %else%
       routing-profile
        route 10.30.0.0 255.255.255.0 10.30.0.255
       %endif%
       %else%
       routing-profile
        route 10.40.0.0 255.255.255.0 10.40.0.255
       %if condition3=true%
       routing-profile
        route 10.50.0.0 255.255.255.0 10.50.0.255
       %else%
       routing-profile
        route 10.60.0.0 255.255.255.0 10.60.0.255
       %endif%
       %endif%

   - For profile configuration CLI text (for example, vlan, interface, access-list, ssid, and so on), the first command must start with no white space.
The subsequent local commands in a given profile must start with at least one initial space (' ') or be indented, as shown in the following examples:

Example 1

    vlan 1
     name "vlan1"
     no untagged 1-24
     ip address dhcp-bootp
    exit

Example 2

    %if vlan_id1%
    vlan %vlan_id1%
     %if vlan_id1=1%
     ip address dhcp-bootp
     %endif%
     no untagged %_sys_vlan_1_untag_command%
    exit
    %endif%

Managing APs | 175

To comment out a line in the template text, use the pound sign (#). Any template text preceded by # is ignored when processing the template.

To allow or restrict APs from joining the Instant Access Point (IAP) cluster, Aruba Central uses the _sys_allowed_ap_ system-defined variable. Use this variable only when the allowed APs configuration is enabled. For example, _sys_allowed_ap: "a_mac, b_mac, c_mac". Use this variable only once in the template.

8. Click OK.

Viewing APs Configuration Tabs

Aruba Central (on-premises) now constantly displays the default tabs under the Show Advanced and Hide Advanced options in the Devices > Access Points page. When you click the Show Advanced or Hide Advanced option, a set of default configuration tabs is displayed. The respective default tabs under these two options are still displayed when you navigate out of the page and visit the same page next time.

The following default tabs are displayed when you navigate to the Devices > Access Points page and click the Config icon:

- WLANs
- Access Points
- Radios

When you click the Show Advanced option, the following tabs are displayed:

- WLANs
- Access Points
- Radios
- Interfaces
- Security
- VPN
- Services
- System
- Configuration Audit

To view the default tabs, click Hide Advanced.

Configuring Device Parameters

To configure device parameters on an access point (AP), complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Configure the parameters described below:

Table 33: Access Points Configuration Parameters

UI section: Basic Info

Name
    Configures a name for the IAP. For IAPs running 8.7.0.0 or later versions, you can enter up to 128 ASCII or non-ASCII characters. For IAPs running 8.6.0.0 or earlier versions, you can enter up to 32 ASCII or non-ASCII characters.

AP Zone
    Configures the IAP zone. For IAPs running firmware versions 6.5.4.7 or later, and 8.3.0.0 or later, you can configure multiple AP zones by adding zone names as comma-separated values. Aruba recommends that you do not configure zones in both the SSID and the Per AP settings of an IAP. If the same zones are configured in the SSID and Per AP settings, APs may broadcast the SSIDs, but if the SSIDs and Per AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see the Aruba Instant User Guide.

RF Zone
    Allows you to create an RF zone for the AP. With an RF zone, you can configure different power transmission settings for APs in different zones or sections of a deployment site. For example, you can configure power transmission settings to make Wi-Fi available only for the devices in specific areas of a store. You can also configure separate RF zones for the 2.4 GHz and 5 GHz radio bands for the IAPs in a cluster. For more information, see Configuring Radio Parameters. Aruba recommends that you configure the RF zone for either the individual AP or the cluster. Any discrepancy in the RF zone names may lead to configuration errors.

Swarm Mode
    Allows you to set one of the following operation modes:
    - Cluster--Allows an IAP to operate in the cluster mode. When an Instant AP operates in the cluster mode, it can form a cluster with other virtual controller Instant APs in the same VLAN.
    - Standalone--Allows an IAP to operate in the standalone mode. When an Instant AP operates in the standalone mode, it cannot join a cluster of Instant APs even if the Instant AP is in the same VLAN.
    - Single-AP--Allows an Instant AP to operate in the single AP mode. It is a type of Standalone AP deployment with additional security rules to prevent local access to AP management. In the single AP mode, the management access of the AP is exclusively reserved to the remote management platform and is facilitated through a secure tunnel between the AP and the management platform. The local WebUI and SSH access to the AP through the uplink port are disabled. Additionally, the AP does not send or receive management frames such as mobility packets, roaming packets, and hierarchy beacons through the uplink port.
    NOTE: After changing the AP operation mode, ensure that you reboot the IAP.

LACP Mode
    Allows you to set one of the following LACP modes:
    - Active--Allows you to enable LACP on an IAP. In this mode, both the Ethernet ports on the Instant AP form a static LAG.
    - Passive--Allows you to set LACP on an IAP in passive mode.
    - Disabled--Allows you to disable LACP on an IAP.

Preferred Conductor
    Turn on the toggle switch to provision the IAP as a conductor IAP. After provisioning the IAP as a conductor IAP, ensure that you reboot the AP.

IP Address for Access Point
    Select one of the following options:
    - Get IP Address from DHCP server--Allows the IAP to get an IP address from the DHCP server. By default, the IAPs obtain an IP address from a DHCP server.
    - Static--You can also assign a static IP address to the IAP. To specify a static IP address for the IAP, complete the following steps:
      - Enter the new IP address for the IAP in the IP Address text-box.
      - Enter the subnet mask of the network in the Netmask text-box.
      - Enter the IP address of the DNS server in the DNS Server text-box.
      - Enter the domain name in the Domain Name text-box.
      You can configure up to two DNS servers separated by a comma. If the first DNS server goes down, the second DNS server takes control of resolving the domain name.

UI section: Radio

Dual 5G Mode
    Select the Dual 5G Mode check-box to enable the dual 5G mode. In the Dual 5G Mode, the Mode remains as Access and is non-editable. The Dual 5G Mode is only supported on AP-344 and AP-345 running Aruba InstantOS 8.3.0.0. For more information, see Configuring Dual 5 GHz Radio Bands on an IAP.

Split Radio
    Select the Split Radio check-box to allow the radios of the IAP to operate in the tri-radio mode. Split Radio is only supported on AP555 running Aruba InstantOS 8.5.0.0. For more information, see About Tri-Radio Mode.

Enable Radio
    Select the Enable Radio check-box under 2.4 GHz Band and 5 GHz Band to enable or disable the radio.

Mode
    From the Mode drop-down list, select any of the following options:
    - Access--In this mode, the IAP serves clients, while also monitoring for rogue IAPs in the background.
    - Monitor--In this mode, the IAP acts as a dedicated monitor, scanning all channels for rogue IAPs and clients.
    - Spectrum--In this mode, the IAP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference, whether from the neighboring IAPs or from non-Wi-Fi devices such as microwaves and cordless phones.
    To get accurate monitoring details and statistics, it is highly recommended to reboot the IAPs once the IAPs are toggled from the 2.4 or 5 GHz mode to the dual 5 GHz radio mode or vice versa.
    The access, spectrum, and monitor modes of the radios of an access point are available for Foundation and Advanced licenses for APs.

Adaptive radio management assigned
    You can configure a radio profile on an Instant AP either manually or by configuring the Adaptive radio management assigned option. The Adaptive Radio Management (ARM) feature is enabled on Aruba Central by default. It automatically assigns appropriate channel and power settings for the IAPs.

Administrator assigned
    You can also assign the channel and power settings manually by using the Administrator assigned option and selecting the channel number in the Channel drop-down list. In the Transmit Power field, enter the signal strength measured in dBm.

UI section: External Antenna

Antenna Gain
    Enter the Antenna Gain values in dBi for the 2.4 GHz Antenna Gain and the 5 GHz Antenna Gain. For more information, see Configuring External Antenna.

Antenna Polarization Type
    From the Antenna Polarization Type drop-down list, select any of the following:
    - co-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be the same.
    - cross-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be different.
    The integrated antenna of the wireless bridge sends a radio signal that is polarized in a particular direction. The receive sensitivity of the antenna is also higher for radio signals that have the same polarization. To maximize the performance of the wireless link, both antennas must be set to the same polarization direction.
UI section: Installation

Installation Type
    Configure the Installation Type of the Instant AP. The Installation Type drop-down consists of the following options:
    - Default--Select this option to change the installation type to the default mode.
    - Indoor--Select this option to change the installation type to the indoor mode.
    - Outdoor--Select this option to change the installation type to the outdoor mode.
    The options in the Installation Type drop-down are listed based on the Instant AP model.

UI section: Uplink

Uplink Management VLAN
    The uplink traffic on the Instant AP is carried over a management VLAN. However, you can configure a non-native VLAN as the uplink management VLAN. After an Instant AP is provisioned with the uplink management VLAN, all management traffic sent from the Instant AP is tagged with the management VLAN. To configure a non-native uplink VLAN, click Uplink and specify the VLAN in Uplink Management VLAN.

Eth0 Mode
    Allows you to change the Eth0 bridging mode in your wired network. The Eth0 Mode drop-down consists of the following options:
    - Uplink--Select this option to change the Eth0 bridging mode to the uplink port.
    - Downlink--Select this option to change the Eth0 bridging mode to the downlink port.

Eth1 Mode
    Allows you to change the Eth1 bridging mode in your wired network. The Eth1 Mode drop-down consists of the following options:
    - Default--Select this option to change the Eth1 bridging mode to the default port.
    - Uplink--Select this option to change the Eth1 bridging mode to the uplink port.
    - Downlink--Select this option to change the Eth1 bridging mode to the downlink port.

USB Port
    Enable the USB port if you do not want to use the cellular uplink or 3G/4G modem in your current network setup.

PEAP User
    Create the PEAP user credentials for certificate-based authentication. Enter the user name, the password, and the password again in the Username, Password, and Retype Password fields to create the PEAP user.
UI section: Mesh

Mesh enable
    Select the Mesh enable check-box to allow mesh access points to form a mesh network. The mesh feature ensures reliability and redundancy by allowing the network to continue operating even when an Instant AP is non-functional or if the device fails to connect to the network. For more information, see Aruba Mesh Network and Mesh IAP.

Clusterless mesh name
    Enter the name of the mesh access points that do not belong to any cluster. The Clusterless mesh name field is disabled when the Mesh enable option is enabled.

Clusterless mesh key
    Enter the key of the mesh access points that do not belong to any cluster. The Clusterless mesh key field is disabled when the Mesh enable option is enabled.

Retype
    Re-enter the clusterless mesh key. The Retype field is disabled when the Mesh enable option is enabled.

Mesh mobility RSSI threshold
    Fast roaming is triggered on a mobility mesh point when the RSSI of the parent is lower than the threshold value. Enter the threshold value either as a number between 10-50, or as high or low.

6. Click Save Settings and then reboot the AP.

Setting Country Code

The initial Wi-Fi setup of an Instant Access Point (IAP) requires you to specify the country code for the country in which the IAP operates. This configuration sets the regulatory domain for the radio frequencies that the IAP uses. The available 20 MHz, 40 MHz, or 80 MHz channels depend on the specified country code.

Country Code Configuration in Aruba Central (on-premises) from UI

If you provision a new IAP without the country code, Aruba Central (on-premises) exhibits the following behavior:

Table 34: IAP Provisioned To Aruba Central

Country Code Configured at IAP: No; Country Code Configured in Group: Yes
    Behavior: The country code of the group is pushed to the newly added IAP.

Country Code Configured at IAP: No; Country Code Configured in Group: No
    Behavior: Aruba Central (on-premises) displays the "Country Code not set. Config not updated" message in the Audit Trail. A notification is also displayed at the bottom of the main window to set the country code of the new IAP. To set the country code, perform the following actions:
    1. Click the Set Country Code now link on the notifications pane. The Set Country Code pop-up is displayed.
    2. In the Device(s) without country code table, click the edit icon.
    3. Specify a country code from the Country Code drop-down list.
    4. Click Save.

If an IAP has a country code and joins Aruba Central (on-premises) using ZTP configuration, the country code of the IAP is retained. In this case, Aruba Central (on-premises) does not push the group country code.

Setting Country Code at a Group Level

To set the country code of the IAP at the group level, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The default tabs to configure the virtual controller are displayed.
4. Click Show Advanced to view advanced configuration options.
5. Click the System tab. The System details page is displayed.
6. Expand the General accordion.
7. In the Set Country code for group drop-down list, select the country code for the IAP.
8. Click Save Settings and then reboot the IAP.

- By default, the value corresponding to the Set Country code for group field is empty. This indicates that IAPs with different country codes can be part of the group.
- When the Set Country code for group field is set, the field cannot revert to the default value. When the country code of the group is changed, the country code of the already connected IAPs is also updated.

Setting Country Code at a Device Level

To set the country code of the IAP at the device level, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. In the Virtual Controller column, click the virtual controller link to navigate to the Access Points > List view of the virtual controller. When you click the virtual controller link in the Virtual Controller column, the dashboard context for the virtual controller is displayed.
4. Click the Config icon. The default tabs to configure the virtual controller are displayed.
5. Click Show Advanced to view advanced configuration options.
6. Click the System tab. The System details page is displayed.
7. Expand the General accordion.
8. In the Virtual Controller table, select a virtual controller and then click the edit icon.
9. In the Edit IP Address window, select the country code from the Country Code drop-down list.
10. Click Ok.
11. Click Save Settings and then reboot the IAP.

- By default, the value corresponding to the Country code is the country code set at the group level, which can then be modified at the device level from the drop-down list. The country code of the IAP is always the most recently set country code at the group level or device level.
- If there is a discrepancy in the country code configuration, Aruba Central (on-premises) displays it as an override in the Configuration Audit page.

Country Code Configuration at Group Level from API

Aruba Central (on-premises) provides an option to set and get the country code at the group level through the APIs in API Gateway. To set or get the country code at the group level through the API, complete the following steps:

1. In the Account Home page, click API Gateway. The API Gateway page is displayed.
2. Click the Authorized Apps & Tokens tab and generate a token key. The token key is valid only for 2 hours from the time it was generated.
3. Download and copy the generated token.
4. In the All Published APIs window, click the URL link listed under the Documentation column. The Central Network Management APIs page is displayed.
5. On the left navigation pane, select Configuration from the URL drop-down list.
6. Paste the token key in the Token field and press Enter.
7. Click NB UI Group Configuration. The following options are displayed:
   - Set country code at group level ([PUT] /configuration/v1/country)--This API allows you to set the country code for multiple groups at once. Aruba Central (on-premises) currently allows the country codes of up to 50 IAP device groups to be configured simultaneously. To set the country codes of multiple groups, enter the group names and the country code as inputs corresponding to the groups and country labels respectively in the script { "groups": [ "string" ], "country": "string" } within the set_group_config_country_code text box.
   - Get country code set for group ([GET] /configuration/v1/{group}/country)--This API allows you to retrieve the country code set for a specific IAP group. To get the country code information of the IAP group, enter the name of the group for which the country code is being queried, corresponding to the country label in the script { "country": "string" }, within the group text box.

The APIs for setting and retrieving country code information are not available for IAP devices deployed in template groups.
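As an added example (not from this guide and not Aruba's own client code), the following Python client wraps the two endpoints named above: it splits the group list into batches of at most 50 per PUT, waits and retries a bounded number of times when the gateway answers with the rate-limit or configuration-in-progress status, and reads the country code back per group. Assumptions are labelled in the code: the on-premises base URL is a placeholder, the token is sent as an HTTP Bearer token, any 2xx reply to the GET carries the {"country": "..."} document, and the HTTP transport is injectable so the example can run offline against a fake.

```python
import json
import time
from typing import Callable, Dict, List, Optional, Sequence, Tuple
from urllib.parse import quote

# Transport signature: send(method, url, headers, body) -> (status_code, response_text).
# Injected so the example runs offline; a deployment would wrap urllib or requests here.
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, str]]

BASE_URL = "https://central.example.internal"  # placeholder: your on-premises API Gateway host
MAX_GROUPS_PER_CALL = 50           # limit stated in the guide for PUT /configuration/v1/country
TOKEN_LIFETIME_SECONDS = 2 * 3600  # the generated token key is valid for 2 hours
RETRY_LATER = {429, 503}           # API rate limit exceeded / configuration update in progress

# Response codes documented for these endpoints, used to make errors readable.
STATUS_TEXT = {
    201: "Successful operation",
    400: "Bad Request",
    401: "Unauthorized access, authentication required",
    403: "Forbidden, do not have write/read access for group",
    413: "Request-size limit exceeded",
    417: "Request-size limit exceeded",
    429: "API rate limit exceeded",
    500: "Internal Server Error",
    503: "Service unavailable, configuration update in progress",
}


class CentralApiError(RuntimeError):
    def __init__(self, status: int, body: str) -> None:
        super().__init__(f"HTTP {status}: {STATUS_TEXT.get(status, 'unexpected status')}: {body}")
        self.status = status


def batch_groups(groups: Sequence[str], size: int = MAX_GROUPS_PER_CALL) -> List[List[str]]:
    """Split group names into chunks the PUT endpoint accepts in a single call."""
    if size < 1:
        raise ValueError("batch size must be positive")
    return [list(groups[i:i + size]) for i in range(0, len(groups), size)]


def _headers(token: str) -> Dict[str, str]:
    # Assumption: the API Gateway token is presented as an HTTP Bearer token.
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/json", "Accept": "application/json"}


def _call(send: Transport, method: str, url: str, token: str, body: Optional[str],
          attempts: int = 3, wait: Callable[[float], None] = time.sleep) -> Tuple[int, str]:
    """Issue one request; on 429/503 wait and retry, a bounded number of times."""
    status, text = send(method, url, _headers(token), body)
    for attempt in range(1, attempts):
        if status not in RETRY_LATER:
            break
        wait(2.0 * attempt)  # simple linear back-off; tune for your deployment
        status, text = send(method, url, _headers(token), body)
    return status, text


def set_country_code(send: Transport, token: str, groups: Sequence[str], country: str,
                     base_url: str = BASE_URL, **call_opts) -> int:
    """PUT /configuration/v1/country once per batch; returns the number of batches applied."""
    applied = 0
    for chunk in batch_groups(groups):
        body = json.dumps({"groups": chunk, "country": country})
        status, text = _call(send, "PUT", f"{base_url}/configuration/v1/country",
                             token, body, **call_opts)
        if status != 201:  # 201 is the documented success code for this endpoint
            raise CentralApiError(status, text)
        applied += 1
    return applied


def get_country_code(send: Transport, token: str, group: str,
                     base_url: str = BASE_URL, **call_opts) -> str:
    """GET /configuration/v1/{group}/country; returns the "country" field of the reply."""
    url = f"{base_url}/configuration/v1/{quote(group, safe='')}/country"
    status, text = _call(send, "GET", url, token, None, **call_opts)
    if status // 100 != 2:  # assumption: any 2xx reply carries {"country": "..."}
        raise CentralApiError(status, text)
    return json.loads(text)["country"]
```

A 403 from the PUT surfaces as CentralApiError with the documented "write access" meaning, which is the case to expect when the token's role lacks configuration rights for one of the groups in a batch.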
The following are the response messages displayed in the Set country code at group level and Get country code set for group sections:

Table 35: Response Messages

Set country code at group level:
- 201 - Successful operation
- 400 - Bad Request
- 401 - Unauthorized access, authentication required
- 403 - Forbidden, do not have write access for group
- 413 - Request-size limit exceeded
- 417 - Request-size limit exceeded
- 429 - API Rate limit exceeded
- 500 - Internal Server Error
- 503 - Service unavailable, configuration update in progress

Get country code set for group:
- 400 - Bad Request
- 401 - Unauthorized access, authentication required
- 403 - Forbidden, do not have read access for group
- 413 - Request-size limit exceeded
- 417 - Request-size limit exceeded
- 429 - API Rate limit exceeded
- 500 - Internal Server Error
- 503 - Service unavailable, configuration update in progress

For further details on APIs, see https://app1-apigw.central.arubanetworks.com/swagger/central.

Configuring Systems

This section describes how to configure the General, Administrator, Time-Based Services, DHCP, Layer-3 Mobility, Enterprise Domains, Logging, SNMP, WISPr, Proxy, and Named VLAN Mapping parameters on an Instant Access Point (IAP).

- Configuring System Parameters for an AP
- Configuring Users Accounts for the IAP Management Interface
- Configuring Mesh for Multiple Radios
- Configuring Time-Based Services for Wireless Network Profiles
- Configuring DHCP Pools and Client IP Assignment Modes on IAPs
- Mobility and Client Management
- Configuring Enterprise Domains
- Configuring Syslog and TFTP Servers for Logging Events
- Configuring SNMP Parameters
- Supported Authentication Methods
- Configuring HTTP Proxy on an IAP
- Configuring VLAN Name and VLAN ID

Configuring VLAN Name and VLAN ID

Aruba Central (on-premises) allows you to map a VLAN name to a VLAN ID for ease of identifying the existing VLANs.
To map a VLAN name to a VLAN ID, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Named VLAN Mapping accordion.
7. Click the + icon in the VLAN Name to VLAN ID Mapping pane. The VLAN Name to VLAN ID Mapping window is displayed.
8. In the VLAN Name to VLAN ID Mapping window, enter the VLAN Name and VLAN ID.
9. Click OK. The VLAN Name to VLAN ID Mapping table in the Named VLAN Mapping section lists all the mapped VLANs.

You can find the Named VLAN Mapping feature applied in the following fields of the corresponding UI pages of Aruba Central (on-premises):

- The VLAN ID field in the VLANs tab, when Custom for Instant AP Assigned and Static for External DHCP server assigned is selected during WLAN SSID creation. For more information, see Creating a Wireless Network Profile.
- The VLAN ID field in the VLANs tab, when Custom for Instant AP Assigned and Static for External DHCP server assigned is selected during wired port profile creation. For more information, see Configuring Wired Port Profiles on Instant APs.
- The Access rules page in the Interfaces > Access tab and the WLANs > Access tab, when you add rules for selected roles. Select VLAN Assignment as the rule type in the Access rules page to find the mapped VLAN name in the VLAN ID field.

You can also map a VLAN ID to a VLAN name when you customize the Client VLAN Assignment configuration in the VLANs tab during network profile creation. For more information, see VLANs Parameters.

Points to Remember

- The maximum number of Named VLAN ID Mappings allowed in Aruba Central (on-premises) is 32.
- VLAN mapping cannot be performed if the VLAN name does not exist.
- The VLAN mapping record is deleted from the VLAN Name to VLAN ID Mapping table when the VLAN name is deleted.
- You can only map a single VLAN ID to a VLAN name.
- The VLAN name field is not case-sensitive.

Configuring External Antenna

If the Instant Access Point (IAP) has external antenna connectors, you need to configure the transmit power of the system. The configuration must ensure that the system's EIRP is in compliance with the limit specified by the regulatory authority of the country in which the IAP is deployed. You can also measure or calculate additional attenuation between the device and antenna before configuring the antenna gain. To know whether the IAP device supports external antenna connectors, see the Installation Guide that is shipped along with the IAP device.

EIRP and Antenna Gain

The following formula can be used to calculate the EIRP-limit-related RF power based on the selected antennas (Antenna Gain) and feeder (Coaxial Cable Loss):

    EIRP = Tx RF Power (dBm) + GA (dB) - FL (dB)

The following table describes this formula:

Table 36: Formula Variable Definitions

EIRP
    Limit specific for each country of deployment.
Tx RF Power
    RF power measured at the RF connector of the unit.
GA
    Antenna gain.
FL
    Feeder loss.

Configuring Antenna Gain

To configure antenna gain for IAPs with external connectors, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Click the External Antenna tab.
6. Enter the Antenna Gain values in dBi for the 2.4 GHz Antenna Gain and the 5 GHz Antenna Gain.
7. From the Antenna Polarization Type drop-down list, select any of the following:
   - co-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be the same.
   - cross-polarization--Select this option for the polarization of both the transmitting and receiving antenna to be different.
8. Click Save Settings.

After configuring the external antenna parameters, ensure that you reboot the IAP.

Configuring ARM Features

To configure the ARM features, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the Radios tab. The Radios details page is displayed.
5. Under RF > Adaptive Radio Management (ARM), the Client Control section displays the following components:
   - Band Steering Mode
   - Airtime Fairness Mode
   - ClientMatch
   - ClientMatch Calculating Interval
   - ClientMatch Neighbor Matching
   - ClientMatch Threshold
   - ClientMatch Key
   - Spectrum Load Balancing Mode
6. For Band Steering Mode, configure the following parameters.

Table 37: Band Steering Mode Configuration Parameters

Prefer 5 GHz
    Enables band steering in the 5 GHz mode. On selecting this, the IAP steers the client to the 5 GHz band (if the client is 5 GHz capable), but allows the client connection on the 2.4 GHz band if the client persistently attempts 2.4 GHz association.
Force 5 GHz
    Enforces the 5 GHz band steering mode on the IAPs.
Balance Bands
    Allows the IAP to balance the clients across the two radios to best utilize the available 2.4 GHz bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz, while the 2.4 GHz band operates in 20 MHz.
Disable
    Allows the clients to select the band to use.

7. For Airtime Fairness Mode, specify any of the following values.

Table 38: Airtime Fairness Mode Configuration Parameters

Default Access
    Allows access based on client requests. When Airtime Fairness Mode is set to the Default Access option, per-user and per-SSID bandwidth limits are not enforced.
Fair Access
    Allocates air time evenly across all the clients.
Preferred Access
    Sets a preference where 802.11n clients are assigned more air time than 802.11a/11g clients. The 802.11a/11g clients get more air time than 802.11b clients. The ratio is 16:4:1.

8. For ClientMatch, configure the following parameters.

Table 39: Client Match Configuration Parameters

Client Match
    Turn on the toggle switch to enable the Client Match feature on APs. When enabled, the client count is balanced among all the channels in the same band. When Client Match is enabled, ensure that the Scanning option is enabled. For more information, see AP Control Configuration Parameters.
    NOTE: When Client Match is disabled, channels can be changed even when clients are active on a BSSID. The Client Match option is disabled by default.
ClientMatch Calculating Interval
    Configures a value for the calculating interval of Client Match. The interval is specified in seconds and the default value is 3 seconds. You can specify a value within the range of 1-600.
ClientMatch Neighbor Matching
    Configures the calculating interval of Client Match. This number takes into account the least similarity percentage to be considered as in the same virtual RF neighborhood of Client Match. You can specify a percentage value within the range of 20-100. The default value is 60%.
ClientMatch Threshold
    Configures a Client Match threshold value. This threshold is the maximum difference allowed in the number of associated clients between channels, radios, or channel + radio. When the client load on an AP reaches or exceeds the threshold in comparison, Client Match is enabled on that AP. You can specify a value within the range of 1-20. The default value is 5.
ClientMatch Key
    Enables the Client Match feature to work across different standalone IAPs in the same management VLAN. All such standalone IAPs must be set with the same Client Match key. Client Match uses the wired layer 2 protocol to synchronize information exchanged between IAPs. Users have the option to configure the Client Match keys. IAPs verify whether the frames that they broadcast contain a common Client Match key. IAPs that receive these frames verify whether the sender belongs to the same network or whether the sender and receiver both have the same Client Match key. You can specify a value within the range of 1-2147483646.
Spectrum Load Balancing Mode
    Enables the Spectrum Load Balancing mode to determine the balancing strategy for Client Match. The following options are available:
    - Channel--Balances client count based on each channel.
    - Radio--Balances client count based on each radio.
    - Channel + Radio--Balances client count based on each channel and each radio.

9. Click Access Point Control, and configure the following parameters.

Table 40: AP Control Configuration Parameters

Customize Valid Channels
    Allows you to select a custom list of valid 20 MHz and 40 MHz channels for the 2.4 GHz and 5 GHz bands. By default, the AP uses the valid channels as defined by the Country Code (regulatory domain). On selecting Customize Valid Channels, a list of valid channels for both the 2.4 GHz and 5 GHz bands is displayed. The valid channel customization feature is disabled by default. The valid channels automatically show in the Static Channel Assignment pane.
Min Transmit Power
    Allows you to configure a minimum transmission power within a range of 3 to 33 dBm in 3 dBm increments. If the minimum transmission EIRP setting configured on an AP is not supported by the AP model, this value is reduced to the highest supported power setting. The default value for minimum transmit power is 18 dBm.
Max Transmit Power
    Allows you to configure the maximum transmission power within a range of 3 to 33 dBm in 3 dBm increments. If the maximum transmission EIRP configured on an AP is not supported by the local regulatory requirements or the AP model, the value is reduced to the highest supported power setting.
Client Aware
    Allows ARM to control channel assignments for the IAPs with active clients. When the Client Match mode is disabled, an IAP may change to a more optimal channel, which disrupts current client traffic. The Client Aware option is enabled by default.
Scanning
    Allows the IAP to dynamically scan all 802.11 channels within its 802.11 regulatory domain at regular intervals. This scanning report includes WLAN coverage, interference, and intrusion detection data. For Client Match configuration, ensure that Scanning is enabled.
Wide Channel Bands
    Allows administrators to configure 40 MHz channels in the 2.4 GHz and 5 GHz bands. 40 MHz channels are two adjacent 20 MHz channels that are bonded together. The 40 MHz channel effectively doubles the frequency bandwidth available for data transmission. For high performance, you can select 5 GHz. If the AP density is low, enable it in the 2.4 GHz band.
80 MHz Support
    Enables or disables the use of 80 MHz channels on APs. This feature allows ARM to assign 80 MHz channels on APs with 5 GHz radios, which support a very high throughput. This setting is enabled by default. Only the APs that support 802.11ac can be configured with 80 MHz channels.

10. Click Channel Control, and configure the following parameters.

Table 41: Channel Control Configuration Parameters

Backoff Time
    Allows you to configure the time, within a range of 10 to 3600 seconds, for which an IAP backs off after requesting a new channel or power. It can increase the time window of the channel interference check and the time window of the power check. The default value for the minimum back-off time is 240 seconds.
Free Channel Index
    Allows you to check the difference in threshold in the channel interference index between the new channel and the existing channel. An IAP only moves to a new channel if the new channel has a lower interference index value than the current channel. This parameter specifies the required difference between the two interference index values before the IAP moves to the new channel. The lower this value, the more likely the IAP moves to the new channel. It has a default value of 25.
Ideal Coverage Index
    Allows you to specify the ideal coverage index in the range of 2 to 20, which an IAP tries to achieve on its channel. The denser the IAP deployment, the lower this value should be. It has a default value of 10.
Channel Quality Aware Arm Disable
    Allows ARM to ignore the internally calculated channel quality metric and initiate channel changes based on thresholds defined in the profile. ARM chooses the channel based on the calculated interference index value. The Channel Quality Aware Arm Disable option is disabled by default.
Channel Quality Threshold: Allows you to specify the channel quality percentage, within a range of 0 to 100, below which ARM initiates a channel change. It has a default value of 70%.

Channel Quality Wait Time: Specifies the time for which the channel quality must stay below the channel quality threshold value to initiate a channel change. It has a range of 1 to 3600 seconds, with a default value of 120 seconds. If the current channel quality is below the specified channel quality threshold for this wait time period, ARM initiates a channel change.

11. Click Error Rate, and configure the following parameters.

Table 42: Error Rate Configuration Parameters

Error Rate Threshold: Configures the minimum percentage of errors in the channel that triggers a channel change. It has a range of 0 to 100% with a default value of 70%.

Error Rate Wait Time: Configures the time for which the error rate has to be at least equal to the error rate threshold to trigger a channel change. The error rate must be equal to or more than the error rate threshold to trigger a channel change. It has a range of 1 to 3600 seconds, with a default value of 90 seconds.

12. Click Save Settings.

Configuring Radio Parameters

To configure RF parameters for the 2.4 GHz and 5 GHz radio bands on an Instant Access Point (IAP), complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the Radios tab. The Radios details page is displayed.
5. Expand the Radio accordion in the RF dashboard.
6. Under 2.4 GHz band and 5 GHz band, configure the following parameters by clicking the + sign.
Table 43: Radio Configuration Parameters

Zone: Allows you to configure a zone per radio band for IAPs in a cluster. You can also configure an RF zone per IAP. NOTE: Aruba recommends that you configure the RF zone either for individual APs or for the cluster. Any discrepancy in the RF zone names may lead to configuration errors.

Legacy Only: Turn on the Legacy Only toggle switch. When enabled, the IAP runs the radio in the non-802.11n mode. This option is disabled by default.

802.11d / 802.11h: Turn on the 802.11d / 802.11h toggle switch. When enabled, the radios advertise their 802.11d (Country Information) and 802.11h (Transmit Power Control) capabilities. This option is disabled by default.

Beacon Interval: Configures the beacon period for the IAP in milliseconds. This indicates how often the 802.11 beacon management frames are transmitted by the AP. You can specify a value within the range of 60 to 500. The default value is 100 milliseconds.

Interference Immunity Level: Configures the immunity level to improve performance in high-interference environments. The default immunity level is 2.
• Level 0: No ANI adaptation.
• Level 1: Noise immunity only. This level enables power-based packet detection by controlling the amount of power increase that makes a radio aware that it has received a packet.
• Level 2: Noise and spur immunity. This level also controls the detection of OFDM packets, and is the default setting for the Noise Immunity feature.
• Level 3: Level 2 settings and weak OFDM immunity. This level minimizes false detects on the radio due to interference, but may also reduce radio sensitivity. This level is recommended for environments with a high level of interference related to 2.4 GHz appliances such as cordless phones.
• Level 4: Level 3 settings and FIR immunity. At this level, the AP adjusts its sensitivity to in-band power, which can improve performance in environments with high and constant levels of noise interference.
• Level 5: The AP completely disables PHY error reporting, improving performance by eliminating the time the IAP spends on PHY processing.
Increasing the immunity level makes the AP lose a small amount of range.

Channel Switch Announcement Count: Configures the number of channel switching announcements to be sent before switching to a new channel. This allows the associated clients to recover gracefully from a channel change.

Background Spectrum Monitoring: Turn on the Background Spectrum Monitoring toggle switch. When enabled, the APs in access mode continue with their normal access service to clients, while performing the additional function of monitoring RF interference (from both neighboring APs and non-Wi-Fi sources such as microwaves and cordless phones) on the channel on which they are currently serving clients.

Customize ARM Power Range: Configures a minimum (Min Power) and maximum (Max Power) power range value for the 2.4 GHz and 5 GHz band frequencies. The default value is 3 dBm. Unlike the configuration in the ARM profile, the transmit power of all radios in the Radio profile does not share the same configuration.

Enable 11ac: Turn on the Enable 11ac toggle switch. When enabled, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an IAP, it is automatically enabled for all SSIDs configured on the IAP. By default, VHT is enabled on all SSIDs. NOTE: If you want the 802.11ac IAPs to function as 802.11n IAPs, clear this check box to disable VHT on these devices.

Smart antenna: Turn on the Smart antenna toggle switch to combine an antenna array with a digital signal-processing capability to transmit and receive in an adaptive, spatially sensitive manner.

ARM/WIDS Override: When ARM/WIDS Override is disabled, the Instant AP always processes frames for WIDS purposes, even when it is heavily loaded with client traffic. When ARM/WIDS Override is enabled, the Instant AP stops processing frames for WIDS. NOTE: WIDS is an application that detects attacks on a wireless network or wireless system.

7. Click Save Settings.

Configuring Dual 5 GHz Radio Bands on an IAP

Aruba Central (on-premises) provides an option to retrieve the radio numbers of an Instant Access Point (IAP) through the APIs. It also provides an option to filter IAP details using radio numbers in the IAP monitoring dashboard. For regular IAPs without dual band, Central automatically assigns Radio 1 to the 2.4 GHz band and Radio 0 to the 5 GHz band.

To retrieve the radio numbers through the API, complete the following steps:

1. In the Account Home page, click API Gateway. The API Gateway page is displayed.
2. Click the APIs tab. The token key is valid only for 2 hours from the time it was generated.
3. In the All Published APIs window, click the URL link listed under the Documentation column. The Central Network Management APIs page is displayed.
4. On the left navigation pane, select Monitoring from the URL drop-down list.
5. Click API Reference > AP. The following APIs allow you to retrieve the radio number for the total number of clients connected:

Table 44: APIs to Get Radio Number in APs

[GET] /monitoring/v1/aps/{serial}/neighbouring_clients: Allows you to filter data of neighbouring clients for a specific radio number in a given time period. When no radio number is entered in the radio_number field, the API filters the data of neighbouring clients for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the data of neighbouring clients for a specific radio number.

[GET] /monitoring/v1/aps/rf_summary: Retrieves information on the RF summary, such as channel utilization and noise floor (in positive values), errors, and drops for a given time period.
This API can also be used to filter RF health statistics for a specific radio number in a given time period. When no radio number is entered in the radio_number field, the API filters the RF health statistics for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the RF health statistics for a specific radio number.

[GET] /monitoring/v1/aps/bandwidth_usage: This API can also be used to filter out bandwidth usage data for a specific radio number in a given time period. When no radio number is entered in the radio_number field, the API filters the bandwidth usage for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the bandwidth usage for a specific radio number.

6. On the left navigation pane, click API Reference > Client. The following APIs allow you to retrieve the radio number for the total number of clients connected:

Table 45: APIs to Get Radio Number in Connected Clients

[GET] /monitoring/v1/clients/count: This API is used to filter out the data for connected clients for a specific radio number of an AP in a given time period. When no radio number is entered in the radio_number field, the API filters the client count for both radio 0 and radio 1. It is mandatory to provide the serial number of the AP to get the total count of clients for a specific radio number.

For further details on the APIs, see https://app1-apigw.central.arubanetworks.com/swagger/central.

Support for Dual 5 GHz AP

Aruba Central (on-premises) supports automatic opmode selection for dual 5 GHz APs. When the opmode is set to automatic, AirMatch determines whether to convert a radio in an AP to 5 GHz operation instead of the 2.4 GHz and 5 GHz dual band operation. Automatic is the default dual 5G mode, in which AirMatch detects the optimal mode for the radios (dual band or dual 5G) and updates the running opmode without requiring an AP reboot between the mode changes.

Manual setting of dual band and dual 5G is possible; the manual setting overrides the automatic mode and explicitly enables or disables the dual 5G mode. In this scenario, the AP immediately switches to the specified mode without a reboot, and AirMatch maintains the specified channel and power assignments in the specified mode.

Automatic mode is not supported on AP-344. By default, AP-344 treats the automatic mode as dual 5G disabled and operates in the dual band mode. To switch AP-344 to dual 5G mode, explicitly enable the dual 5G mode.

The following procedure describes how to configure automatic opmode selection for a dual 5 GHz AP:

1. In the Network Operations app, select one of the following options:
   • To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   • To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Click the Radio tab.
6. Set Dual 5G Mode to Automatic.
7. Optionally, specify the manual channel by setting Channel Assignment to Manual.
8. Optionally, specify the transmit power by setting Transmit Power Assignment to Manual.
9. Click Save Settings.
Configuring Intelligent Power Monitoring

The Intelligent Power Monitoring (IPM) feature actively measures the power utilization of an access point (AP) and dynamically adapts to the available power resources. IPM allows you to define the features that must be disabled to save power, allowing the APs to operate at a lower power consumption without hampering the performance of the related features. This feature constantly monitors the AP power consumption and adjusts the power-saving IPM features within the power budget.

IPM dynamically limits the power requirement of an AP as per the available power resources. IPM applies a sequence of power reduction steps, as defined by the priority definition, until the AP functions within the power budget. This happens dynamically: IPM constantly monitors the AP power consumption and applies the next power reduction step in the priority list if the AP exceeds the power threshold. To manage this prioritization, you can create IPM policies that define a set of power reduction steps and associate each with a priority. The IPM policies, when applied to the AP, are based on IPM priorities, where the IPM policy can be configured to disable or reduce certain features in a specific sequence to reduce the AP power consumption below the power budget. IPM priority settings are defined by integer values, where the lower values have the highest priority and are implemented first.

The Intelligent Power Monitoring feature is available only on APs running Aruba Instant OS 8.6.0.3.

To configure Intelligent Power Monitoring, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the IPM accordion.
7. Select the IPM Activation check box to enable IPM.
8. Click the + icon in the IPM Power Reduction Steps With Priorities pane. The IPM Power Reduction Steps With Priorities window is displayed.
9. In the IPM Step Priority field, enter a value from 1 to 16 to define the IPM priority.
10. From the IPM Step drop-down list, select a setting as described in the following table:

Table 46: Intelligent Power Monitoring Step Parameters

cpu_throttle_25: Reduces CPU frequency to 25% of normal.
cpu_throttle_50: Reduces CPU frequency to 50% of normal.
cpu_throttle_75: Reduces CPU frequency to 75% of normal.
disable_alt_eth: Disables the second Ethernet port.
disable_pse: Disables Power Sourcing Equipment (PSE).
disable_usb: Disables USB.
radio_2ghz_chain_1: Reduces 2 GHz chains to 1x1.
radio_2ghz_chain_2: Reduces 2 GHz chains to 2x2.
radio_2ghz_chain_3: Reduces 2 GHz chains to 3x3.
radio_2ghz_power_3dB: Reduces 2 GHz radio power by 3 dB from the maximum value.
radio_2ghz_power_6dB: Reduces 2 GHz radio power by 6 dB from the maximum value.
radio_5ghz_chain_1: Reduces 5 GHz chains to 1x1.
radio_5ghz_chain_2: Reduces 5 GHz chains to 2x2.
radio_5ghz_chain_3: Reduces 5 GHz chains to 3x3.
radio_5ghz_power_3dB: Reduces 5 GHz radio power by 3 dB from the maximum value.
radio_5ghz_power_6dB: Reduces 5 GHz radio power by 6 dB from the maximum value.

11. Click OK. The IPM Power Reduction Steps With Priorities table in the IPM section lists all the IPM settings.
12. Click Save Settings.
13. Reboot the IAP for the changes to take effect.

The following figure shows the IPM steps and priorities listed in the IPM Power Reduction Steps With Priorities table:

Figure 19 IPM Steps and Priorities

Setting a low priority value for a power reduction step reduces the power level sooner than setting a high priority value for a power reduction step.
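The priority ordering described above, modelled as an added Python example that is not Aruba code: it applies the steps of a policy lowest priority value first until the AP is inside its budget, and it checks the guide's rule that, within one step type, the smaller level (cpu_throttle_25 before cpu_throttle_50, radio_2ghz_power_3dB before radio_2ghz_power_6dB) carries the lower priority value. The step names and the 1 to 16 priority range are from Table 46; the watt savings per step and the starting draw are constructed sample values.

```python
"""Model of Aruba Instant Intelligent Power Monitoring (IPM) step ordering.

Added illustration, not Aruba's code.  It encodes what the guide describes:
IPM applies the configured power reduction steps lowest priority value first
and stops once the AP is back inside its power budget.  The step names and
the 1..16 priority range come from the guide; the watt savings per step and
the AP's starting draw are constructed sample numbers.
"""
import re
from typing import Dict, List, Tuple

# IPM Step values exactly as listed in Table 46.
IPM_STEPS = frozenset({
    "cpu_throttle_25", "cpu_throttle_50", "cpu_throttle_75",
    "disable_alt_eth", "disable_pse", "disable_usb",
    "radio_2ghz_chain_1", "radio_2ghz_chain_2", "radio_2ghz_chain_3",
    "radio_2ghz_power_3dB", "radio_2ghz_power_6dB",
    "radio_5ghz_chain_1", "radio_5ghz_chain_2", "radio_5ghz_chain_3",
    "radio_5ghz_power_3dB", "radio_5ghz_power_6dB",
})
PRIORITY_MIN, PRIORITY_MAX = 1, 16        # IPM Step Priority field range

# A policy is a list of (priority, step) pairs, one per row of the
# "IPM Power Reduction Steps With Priorities" table.
Policy = List[Tuple[int, str]]

_LEVEL_RE = re.compile(r"^(?P<family>.+)_(?P<level>\d+)(dB)?$")


def split_step(step: str) -> Tuple[str, int]:
    """Split a step name into its type and numeric level.

    'radio_2ghz_power_3dB' -> ('radio_2ghz_power', 3); steps without a
    level, such as 'disable_usb', return level 0."""
    m = _LEVEL_RE.match(step)
    if not m:
        return step, 0
    return m.group("family"), int(m.group("level"))


def validate_policy(policy: Policy) -> List[str]:
    """Return the problems found in a policy; an empty list means it is clean.

    Checks: every step is a Table 46 value, every priority is within 1..16
    and unique, and the guide's ordering rule for steps of the same type
    holds: the smaller level must carry a lower priority value than the
    larger one, so that the smaller reduction is applied first."""
    problems: List[str] = []
    seen_priorities = set()
    for prio, step in policy:
        if step not in IPM_STEPS:
            problems.append(f"{step}: not an IPM step from Table 46")
        if not PRIORITY_MIN <= prio <= PRIORITY_MAX:
            problems.append(f"{step}: priority {prio} is outside "
                            f"{PRIORITY_MIN}..{PRIORITY_MAX}")
        if prio in seen_priorities:
            problems.append(f"priority {prio} is assigned more than once")
        seen_priorities.add(prio)

    # Group levelled steps by type and check the ordering rule pairwise.
    by_family: Dict[str, List[Tuple[int, int, str]]] = {}
    for prio, step in policy:
        family, level = split_step(step)
        if level:
            by_family.setdefault(family, []).append((level, prio, step))
    for entries in by_family.values():
        entries.sort()                       # ascending by level
        for (_, prio_small, small), (_, prio_big, big) in zip(entries, entries[1:]):
            if prio_small > prio_big:
                problems.append(f"{small} should have a lower priority value "
                                f"than {big}")
    return problems


def apply_ipm(policy: Policy, draw_w: float, budget_w: float,
              savings_w: Dict[str, float]) -> Tuple[List[str], float]:
    """Simulate IPM: apply steps lowest priority value first until the AP
    draw is within budget.  Returns (steps applied, resulting draw)."""
    applied: List[str] = []
    for _, step in sorted(policy):           # lower priority value first
        if draw_w <= budget_w:
            break
        draw_w -= savings_w.get(step, 0.0)
        applied.append(step)
    return applied, round(draw_w, 2)


# Constructed sample policy that follows the guide's ordering advice.
SAMPLE_POLICY: Policy = [
    (1, "disable_usb"),
    (2, "cpu_throttle_25"),
    (3, "cpu_throttle_50"),
    (4, "radio_2ghz_power_3dB"),
    (5, "radio_2ghz_power_6dB"),
    (6, "radio_5ghz_chain_2"),
]
# Constructed per-step savings in watts (illustrative, not AP measurements).
SAMPLE_SAVINGS_W: Dict[str, float] = {
    "disable_usb": 1.5, "cpu_throttle_25": 1.0, "cpu_throttle_50": 2.0,
    "radio_2ghz_power_3dB": 0.8, "radio_2ghz_power_6dB": 1.2,
    "radio_5ghz_chain_2": 2.5,
}
# Constructed policy that breaks the rules: reversed levels, priority > 16.
BAD_POLICY: Policy = [(1, "cpu_throttle_50"), (2, "cpu_throttle_25"),
                      (20, "disable_usb")]

if __name__ == "__main__":
    print("sample policy problems:", validate_policy(SAMPLE_POLICY))
    print("bad policy problems:", validate_policy(BAD_POLICY))
    print("AP drawing 18.0 W with a 15.0 W budget:",
          apply_ipm(SAMPLE_POLICY, 18.0, 15.0, SAMPLE_SAVINGS_W))
```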
However, if power reduction steps are of the same type but at different levels, the smallest reduction should be allocated the lowest priority value so that it takes place earlier. For example, the cpu_throttle_25 or radio_2ghz_power_3dB parameter should have a lower priority value than cpu_throttle_50 or radio_2ghz_power_6dB, respectively, so that Intelligent Power Monitoring reduces the CPU throttle or power usage based on the priority list.

Points to Remember
• By default, Intelligent Power Monitoring is disabled.
• When enabled, IPM initially enables all IAP functionality. IPM then proceeds to shut down or restrict functionality if the power usage of the AP goes beyond the power budget of the IAP.

Configuring System Parameters for an AP

To configure system parameters for an access point (AP), complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the General accordion and configure the following parameters:

Table 47: System Parameters

Virtual Controller: This parameter configuration is only applicable for APs that operate in a cluster deployment environment. To configure the virtual controller name and IP address, click the edit icon and update the name and IP address. The IP address serves as a static IP address for the multi-AP network. When configured, this IP address is automatically provisioned on a shadow interface on the AP that takes the role of a virtual controller. The AP sends three ARP messages with the static IP address and its MAC address to update the network ARP cache.
• Name: Name of the virtual controller.
• IP address: IPv4 address configured for the virtual controller. The IPv4 address uses the 0.0.0.0 notation.
• IPv6 address: IPv6 address configured for the virtual controller. You can configure an IPv6 address for the virtual controller only if the Allow IPv6 Management feature is enabled. IPv6 is the latest version of IP and is suitable for large-scale IP networks. IPv6 supports a 128-bit address, allowing 2^128, or approximately 3.4×10^38, addresses, while IPv4 supports only 2^32 addresses. The IP address of an IPv6 host is always represented as eight groups of four hexadecimal digits separated by colons, for example 2001:0db8:0a0b:12f0:0000:0000:0000:0001. However, the IPv6 notation can be abbreviated to compress one or more groups of zeroes or to compress leading or trailing zeroes; for example 2001:db8:a0b:12f0::0:0:1.

Set Country code for group: To configure a country code for the AP at the group level, select the country code from the Set Country code for group drop-down list. By default, no country code is configured for the AP device groups. When a country code is configured for the group, it takes precedence over the country code setting configured at the device level.

Timezone: To configure a time zone, select a time zone from the Timezone drop-down list. If the selected time zone supports DST, the UI displays the message "The selected country observes Daylight Savings Time".

Preferred Band: Assign a preferred band by selecting an appropriate option from the Preferred Band drop-down list. Reboot the AP after modifying the radio profile for the changes to take effect.

NTP Server: To facilitate communication between the various elements in a network, time synchronization between the elements and across the network is critical. Time synchronization allows you to:
• Trace and track security gaps, network usage, and troubleshoot network issues.
• Validate certificates.
• Map an event on one network element to a corresponding event on another.
• Maintain accurate time for billing services and similar.
NTP helps obtain the precise time from a server and regulate the local time in each network element. Connectivity to a valid NTP server is required to synchronize the AP clock to set the correct time. If no NTP server is configured in the AP network, an AP reboot may lead to variation in time data. By default, the AP tries to connect to pool.ntp.org to synchronize time. The NTP server can also be provisioned through DHCP option 42. If an NTP server is configured, it takes precedence over the value provisioned through DHCP option 42. The NTP server provisioned through DHCP option 42 is used if no server is configured. The default server pool.ntp.org is used if no NTP server is configured or provisioned through DHCP option 42. To configure an NTP server, enter the IP address or the URL of the NTP server and reboot the AP to apply the configuration changes.

Virtual Controller Netmask, Virtual Controller, Virtual Controller DNS, Virtual Controller VLAN: This parameter configuration is only applicable for APs that operate in a cluster deployment environment. The IP configured for the virtual controller can be in the same subnet as the AP or in a different subnet. Ensure that you configure the virtual controller VLAN, controller, and subnet mask details only if the virtual controller IP is in a different subnet. Ensure that the virtual controller VLAN is not the same as the native VLAN of the AP.

DHCP Option 82 XML: The DHCP Option 82 XML is not applicable for cloud APs. DHCP Option 82 XML can be customized to cater to the requirements of any ISP using the conductor AP. To facilitate customization using an XML definition, multiple parameters for the Circuit ID and Remote ID options of DHCP Option 82 XML are introduced. The XML file is used as the input and is validated against an XSD file in the conductor AP.
The format in the XML file is parsed and stored in the DHCP relay, which is used to insert Option 82 related values in the DHCP request packets sent from the client to the server. From the drop-down list, select one of the following XML files:
• default_dhcpopt82_1.xml
• default_dhcpopt82_2.xml
For more information, see Configuring DHCP Scopes on IAPs.

Dynamic CPU Utilization: APs perform various functions such as wired and wireless client connectivity and traffic flows, wireless security, network management, and location tracking. If an AP is overloaded, prioritize the platform resources across the different functions. Typically, the APs manage resources automatically in real time. However, under special circumstances, if dynamic resource management needs to be enforced or disabled altogether, the dynamic CPU management feature settings can be modified. To configure dynamic CPU management, select any of the following options from Dynamic CPU Utilization:
• Automatic: When selected, CPU management is enabled or disabled automatically during run time. This decision is based on real-time load calculations that take into account all the different functions the CPU needs to perform. This is the default and recommended option.
• Always Disabled in all APs: When selected, this setting disables CPU management on all APs, typically for small networks. This setting protects the user experience.
• Always Enabled in all APs: When selected, the client and network management functions are protected. This setting helps in large networks with high client density.

Auto-Join Mode: When enabled, APs can automatically discover the virtual controller and join the network. The Auto-Join Mode feature is enabled by default.

APs allowed for Auto-Join Mode: Displays the number of APs allowed for Auto-Join Mode.
• Click View Allowed APs to view the details of the APs allowed for Auto-Join mode.
• Click Hide Allowed APs to hide the details of the APs allowed for Auto-Join mode.
When Auto-Join Mode is enabled, the APs are automatically discovered and are allowed to join the cluster. When Auto-Join Mode is disabled on the AP, the list of allowed APs on Aruba Central may not be synchronized or up to date. In such cases, you can manually add a list of APs that can join the AP cluster in the Aruba Central UI. To manually add the list of allowed AP devices, complete the following steps:
1. Under View Allowed APs, click + in the Allowed APs pane.
2. In the Add Allowed AP window, enter the MAC address of the AP in the MAC Address field.
3. Click Save.

Allow IPv6 Management: Enables IPv6 address configuration for the virtual controller. You can configure an IPv6 address for a virtual controller IP only when the Allow IPv6 Management feature is enabled.

Uplink switch native VLAN: Allows you to specify a VLAN ID, to prevent the AP from sending tagged frames for clients connected on the SSID that uses the same VLAN as the native VLAN of the switch. By default, the AP considers the native VLAN of the upstream switch to which it is connected to be VLAN ID 1.

Terminal Access: When enabled, users can access the AP CLI through SSH.

Login Session Timeout: Allows you to set a timeout for the login session.

Console Access: When enabled, users can access the AP through the console port.

WebUI Access: If an AP is connected to Aruba Central, you can use this option to disable AP Web UI access and any communication via HTTPS or SSH. If you enable this feature, you can manage the AP only from Aruba Central.

Telnet Server: When enabled, users can start a Telnet session with the AP CLI.

LED Display: Enables or disables the LED display for all APs in a cluster. The LED display is always enabled during the AP reboot.
Extended SSID: Extended SSID is enabled by default in the factory default settings of APs. This disables mesh in the factory default settings. NOTE: For AP devices that support Aruba InstantOS 8.4.0.0 firmware versions and above, you can configure up to 14 SSIDs. By enabling Extended SSID, you can create up to 16 networks.

Advanced Zone: Turn on the Advanced Zone toggle switch to enable the advanced zone. When the advanced-zone feature is enabled and a zone is already configured with 16 SSIDs, ensure that you remove the zone from two WLAN SSID profiles if you want to disable extended SSID.

Deny Inter User Bridging: If you have security and traffic management policies defined in upstream devices, you can disable bridging traffic between two clients connected to the same AP on the same VLAN. When inter-user bridging is denied, the clients can connect to the Internet but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision. To disable inter-user bridging, turn off the Deny Inter User Bridging toggle switch.

Deny Local Routing: If you have security and traffic management policies defined in upstream devices, you can disable routing traffic between two clients connected to the same AP on different VLANs. When local routing is disabled, the clients can connect to the Internet but cannot communicate with each other, and the routing traffic between the clients is sent to the upstream device to make the forwarding decision. To disable local routing, move the slider to the right.

Dynamic RADIUS Proxy: If your network has separate RADIUS authentication servers (local and centralized servers) for user authentication, you may want to enable Dynamic RADIUS Proxy to route traffic to a specific RADIUS server. When Dynamic RADIUS Proxy is enabled, the IP address of the virtual controller is used for communication with external RADIUS servers. To enable Dynamic RADIUS Proxy, you must configure an IP address for the Virtual Controller and set it as a NAS client in the RADIUS server profile.

Dynamic TACACS Proxy: If you want to route traffic to different TACACS servers, enable Dynamic TACACS Proxy. When enabled, the AP cluster uses the IP address of the Virtual Controller for communication with external TACACS servers. If an IP address is not configured for the Virtual Controller, the IP address of the bridge interface is used for communication between the AP and the TACACS servers. However, if a VPN tunnel exists between the Instant AP and the TACACS server, the IP address of the tunnel interface is used.

Cluster Security: This parameter needs to be set only for APs that operate in a cluster deployment environment. Enables or disables the cluster security feature. When enabled, the control plane communication between the AP cluster nodes is secured. The Disallow Non-DTLS Members toggle switch appears. Turn on the toggle switch to allow member APs to join a DTLS enabled cluster. For secure communication between the cluster nodes, the Internet connection must be available, or at least a local NTP server must be configured. After enabling or disabling cluster security, ensure that the configuration is synchronized across all devices in the cluster, and then reboot the cluster. The Disallow Non-DTLS Members feature is only supported on AP devices running Aruba InstantOS 8.4.0.0 firmware versions and above.

Low Assurance PKI: Turn on the toggle switch to allow low assurance devices that use a non-TPM chip in the network. To enable the cluster security feature, turn on the Low Assurance PKI toggle switch. For more information on Low Assurance PKI, refer to the Cluster Security section in the Aruba Instant User Guide. The Low Assurance PKI toggle switch is supported on AP devices running Aruba InstantOS 6.5.3.0 firmware versions and later.

URL Visibility: Turn on the toggle switch to enable URL data logging for client HTTP and HTTPS sessions and allow APs to extract URL information and periodically log it on ALE for DPI and application analytics.

7. Click Save Settings.

Enabling 802.1X Authentication on Uplink Ports of an AP

If your network requires all wired devices to authenticate using the PEAP or TLS protocol, you must enable the 802.1X authentication type on the uplink ports of access points (APs), so that the APs are granted access only after completing the authentication as a valid client. To enable 802.1X authentication on uplink ports using the PEAP or TLS protocol, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Expand the AP1X section.
   • To set PEAP based authentication, select PEAP in the AP1X Type drop-down list. If you select the PEAP protocol, ensure that the PEAP User is configured on the uplink port by selecting an AP group and navigating to the Uplink section in the Access Points tab.
   • To set TLS based authentication:
     a. Select TLS in the AP1X Type drop-down list.
     b. Select User in the Certificate Type drop-down list.
8. Select the Validate Server check box to validate the server credentials using the server certificate. Ensure that the server certificates for validating server credentials are available in the IAP database.
9. Click Save Settings.

Configuring HTTP Proxy on an IAP

If your network requires a proxy server for Internet access, ensure that you configure the HTTP proxy on the Instant Access Point (IAP) to download the image from the cloud server.
After setting up the HTTP proxy settings, the IAP connects to the Activate server, Aruba Central (on-premises), or OpenDNS server through a secure HTTP connection. You can also exempt certain applications from using the HTTP proxy (configured on an IAP) by providing their host name or IP address under Exception. Aruba Central allows the user to configure HTTP proxy on an IAP. To configure HTTP proxy on IAP through Aruba Central (on-premises), complete the following steps: 1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed. 2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view. 3. Click the Config icon. The tabs to configure the APs are displayed. 4. Click Show Advanced. 5. Click the System tab. The System page is displayed. 6. Click the Proxy accordion and specify the following: a. Enter the HTTP proxy server IP address in the Server text-box. b. Enter the port number in the Port text-box. 7. Click Save Settings. Aruba Central (on-premises) displays the Username, Password, and Retype Password fields under System > Proxy for IAPs running ArubaInstantOS 8.3.0.0. The IAPs running ArubaInstantOS 8.3.0.0 firmware require user credentials for proxy server authentication. Configuring Network Profiles on Instant APs This section describes the following procedures: n Configuring Wireless Network Profiles on IAPs n Configuring Wireless Networks for Guest Users on IAPs n Configuring Wired Port Profiles on Instant APs n Editing a Wireless Network Profile n Deleting a Network Profile Managing APs | 203 Configuring Wireless Network Profiles on IAPs You can configure up to 14 SSIDs. By enabling Extended SSID in the System > General accordion, you can create up to 16 networks. If more than 16 SSIDs are assigned to a zone and the extended zone option is disabled, an error message is displayed. 
This section describes the following topics:
• Creating a Wireless Network Profile
• Configuring VLAN Settings for Wireless Network
• Configuring Security Settings for Wireless Network
• Configuring ACLs for User Access to a Wireless Network
• Viewing Wireless SSID Summary

Creating a Wireless Network Profile

To configure WLAN settings, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, click +Add SSID. The Create a New Network pane is displayed.
6. In the General tab, enter a name that is used to identify the network in the Name (SSID) text-box.
7. Under Advanced Settings, configure the following parameters:

Table 48: Advanced Settings Parameters

Broadcast/Multicast

Broadcast filtering: Select any of the following values:
• All--The IAP drops all broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols.
• ARP--The IAP drops broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols. Additionally, it converts ARP requests to unicast and sends frames directly to the associated clients. By default, the IAP is configured to ARP mode.
• Unicast ARP Only--This option enables the Instant AP to convert ARP requests to unicast frames, thereby sending them to the associated clients.
• Disabled--The IAP forwards all broadcast and multicast traffic to the wireless interfaces.

DTIM Interval: The DTIM Interval indicates the DTIM period in beacons, which can be configured for every WLAN SSID profile.
The DTIM interval determines how often the IAP delivers the buffered broadcast and multicast frames to the associated clients in the power save mode. The range is 1 to 10 beacons. The default value is 1, which means the client checks for buffered data on the IAP at every beacon. You can also configure a higher DTIM value for power saving.

Multicast Transmission Optimization: Select the check-box if you want the IAP to select the optimal rate for sending broadcast and multicast frames based on the lowest of the unicast rates across all associated clients. When this option is enabled, multicast traffic can be sent at up to 24 Mbps. The default rate for sending frames is 1 Mbps for 2.4 GHz and 6 Mbps for 5 GHz. This option is disabled by default.

Dynamic Multicast Optimization (DMO): Select the check-box to allow the IAP to convert multicast streams into unicast streams over the wireless link. Enabling DMO enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients. When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.

DMO channel utilization threshold: Specify a value to set a threshold for DMO channel utilization. With DMO, the IAP converts multicast streams into unicast streams as long as the channel utilization does not exceed this threshold. The default value is 90% and the maximum threshold value is 100%. When the threshold is reached or exceeds the maximum value, the IAP sends multicast traffic over the wireless link. This option is enabled only when Dynamic Multicast Optimization is enabled.

Beacon Rate

2.4 GHz: If the 2.4 GHz band is configured on an AP, specify the transmission rates from the 2.4 GHz drop-down list. By default, the transmission rate is set to 1 Mbps. The minimum transmission rate supported is 1 Mbps and the maximum transmission rate supported is 54 Mbps.
5 GHz: If the 5 GHz band is configured on an AP, specify the transmission rates from the 5 GHz drop-down list. By default, the transmission rate is set to 6 Mbps. The minimum transmission rate supported is 6 Mbps and the maximum transmission rate supported is 54 Mbps.

Zone

Zone: Specify the zone for the SSID. If a zone is configured in the SSID, only the IAPs in that zone broadcast this SSID. If there are no IAPs in the zone, the SSID is broadcast. If the IAP cluster has devices running IAP firmware versions 6.5.4.7 or later, and 8.3.0.0 or later, you can configure multiple AP zones by adding zone names as comma separated values. Aruba recommends that you do not configure zones both in the SSID and in the device-specific settings of an IAP. If the same zones are configured in the SSID and Per AP settings, APs may broadcast the SSIDs, but if the SSID and Per AP settings have different zones configured, it may lead to a configuration error. For more information on AP zones, see the Aruba Instant User Guide.

Bandwidth Control

Airtime: Select this to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage.

Downstream: Enter the downstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per User check-box. The bandwidth limit set in this method is implemented at the device level and not the cluster level.

Upstream: Enter the upstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is specific for each user, select the Per user check-box. The bandwidth limit set in this method is implemented at the device level and not the cluster level.

Each Radio: Select this to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients. The value ranges from 1 through 65535.
Enable 11n: When this option is selected, High-Throughput (HT) is not disabled on 802.11n devices for the 5 GHz radio band. If HT is enabled for the 5 GHz radio profile on an IAP, it is automatically enabled for all SSIDs configured on the IAP. By default, HT is enabled on all SSIDs. If you want the 802.11ac IAPs to function as 802.11n IAPs, clear this check-box to disable VHT on these devices.

Enable 11ac: When this option is selected, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. If VHT is enabled for the 5 GHz radio profile on an IAP, it is automatically enabled for all SSIDs configured on the IAP. By default, VHT is enabled on all SSIDs. If you want the 802.11ac IAPs to function as 802.11n IAPs, clear this check-box to disable VHT on these devices.

Enable 11ax: When this option is selected, VHT is enabled on the 802.11ax devices. If VHT is enabled for a radio profile on an IAP, it is automatically enabled for all SSIDs configured on the IAP. By default, VHT is enabled on all SSIDs.

WiFi Multimedia

Background Wifi Multimedia Share: Allocates bandwidth for background traffic such as file downloads or print jobs. Specify the appropriate DSCP mapping values within a range of 0-63 for the background traffic in the corresponding DSCP mapping text-box. Enter up to 8 values with no white space and no duplicate DSCP mapping values.

Best Effort Wifi Multimedia Share: Allocates bandwidth for best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS. Specify the appropriate DSCP mapping values within a range of 0-63 for the best effort traffic in the corresponding DSCP mapping text-box.

Video Wifi Multimedia Share: Allocates bandwidth for video traffic generated from video streaming. Specify the appropriate DSCP mapping values within a range of 0-63 for the video traffic in the corresponding DSCP mapping text-box.
Voice Wifi Multimedia Share: Allocates bandwidth for voice traffic generated from the incoming and outgoing voice communication. Specify the appropriate DSCP mapping values within a range of 0-63 for the voice traffic in the corresponding DSCP mapping text-box.

In a non-WMM or hybrid environment, where some clients are not WMM-capable, you can allocate higher values for Best Effort Wifi Multimedia Share and Voice Wifi Multimedia Share to allocate a higher bandwidth to clients transmitting best effort and voice traffic.

Traffic Specification (TSPEC): Select this check-box if you want to set TSPEC for the wireless network. The term TSPEC is used in wireless networks supporting the IEEE 802.11e Quality of Service standard. It defines a series of parameters, characteristics, and Quality of Service expectations of a traffic flow.

TSPEC Bandwidth: Enter the bandwidth for the TSPEC.

Spectralink Voice Protocol (SVP): Select this check-box to opt for the SVP protocol.

WiFi Multimedia Power Save (UAPSD): Select this check-box to enable WiFi Multimedia Power Save (U-APSD). U-APSD is a power saving mechanism that is an optional part of the IEEE 802.11e QoS amendment.

Miscellaneous

Band: Select a value in the Band drop-down list to specify the band at which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz, or All. The All option is selected by default.

Content Filtering: Select this check-box to route all DNS requests for the non-corporate domains to OpenDNS on this network.

Primary Usage: Based on the type of network profile, select one of the following options:
• Mixed Traffic--Select this option to create an employee or guest network profile. The employee network is used by the employees in an organization and it supports passphrase-based or 802.1X-based authentication methods. Employees can access the protected data of an enterprise through the employee network after successful authentication.
  The guest network is created for guests, visitors, contractors, and any non-employee users who use the enterprise Wi-Fi network. The VC assigns the IP address for the guest clients. Captive portal or passphrase-based authentication methods can be set for this wireless network. Typically, a guest network is an unencrypted network. However, you can specify the encryption settings when configuring a guest network.
• Voice Only--Select this option to configure a network profile for devices that provide only voice services, such as handsets or applications that require voice traffic prioritization. When a client is associated with the voice network, all data traffic is marked and placed into the high priority queue in QoS.

Inactivity timeout: Specify an interval for session timeout. If a client session is inactive for the specified duration, the session expires and the users are required to log in again. You can specify a value within the range of 60-3600 seconds. The default value is 1000 seconds.

Hide SSID: Select this check-box if you do not want the SSID to be visible to users.

Disable Network: Select this check-box if you want to disable the SSID. When selected, the SSID is disabled, but is not removed from the network. By default, all SSIDs are enabled.

Max clients threshold: Specify the maximum number of clients that can be configured for each BSSID on a WLAN. You can specify a value within the range of 0-255. The default value is 64.

Local Probe Request Threshold: Select either automatic or manual to set the Local Probe Request Threshold.
• automatic: The local probe request threshold value changes to the recommended value provided by the AI insights to improve the performance for the indoor Wi-Fi clients. Threshold values are evaluated weekly, and new recommendations are applied automatically. To revert the applied AI insight recommended values, select manual and specify the threshold value.
• manual: Specify a threshold value to limit the number of incoming probe requests. When a client sends a broadcast probe request frame to search for all available SSIDs, this option controls the system response for this network profile and ignores probe requests, if required.

Min RSSI for auth request: Select either automatic or manual to set the minimum RSSI for authentication requests.
• automatic: The minimum RSSI for authentication request value changes to the recommended value provided by the AI insights to improve the performance for the indoor Wi-Fi clients. Threshold values are evaluated weekly, and new recommendations are applied automatically. To revert the applied AI insight recommended values, select manual and specify the threshold value.
• manual: Enter the minimum RSSI threshold for authentication requests. You can specify an RSSI value within the range of 0-100 dB.

Deauth inactive clients: Select this option to allow the IAP to send a de-authentication frame to the inactive client and clear the client entry.

Can be used without uplink: Select this check-box if you do not want the SSID profile to use the uplink.

Deny inter user bridging: Disables bridging traffic between two clients connected to the same SSID on the same VLAN. When this option is enabled, the clients can connect to the Internet, but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.

Enable SSID when: Select an option from the drop-down list and specify the time period.

Disable SSID when: Select an option from the drop-down list and specify the time period.

Deny Intra VLAN Traffic: Disables intra VLAN traffic to enable client isolation and disable all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client-to-controller traffic from clients to flow in the network.
All other traffic from the client that is not destined to the controller or configured servers is not forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities. For more information, see Configuring Client Isolation.

Management Frame Protection: Turn on the Management Frames Protection toggle switch to provide high network security by maintaining data confidentiality of management frames. Management Frame Protection (MFP) establishes encryption keys between the client and the Instant AP using the 802.11i framework. For more information, see Management Frames Protection.

Fine Timing Measurement (802.11mc) Responder Mode: Turn on the toggle switch to enable the fine timing measurement (802.11mc) responder mode.

Time Range Profiles

Time Range Profiles: Ensure that the NTP server connection is active. Select a time range profile from the Time Range Profiles list and apply a status from the drop-down list. Click + New Time Range Profile to create a new time range profile. For more information, see Configuring Time-Based Services for Wireless Network Profiles.

Configuring VLAN Settings for Wireless Network

To configure VLAN settings for an SSID, complete the following steps:

1. In the VLANs tab, select any of the following options for Client IP Assignment:
   • Instant AP assigned--When selected, the client obtains the IP address from the VC.
   • External DHCP server assigned--When selected, the client obtains the IP address from the network.
2. Based on the type of client IP assignment mode selected, configure the following parameters:

Table 49: VLANs Parameters

Instant AP assigned: When this option is selected, the client obtains the IP address from the virtual controller. The virtual controller creates a private subnet and VLAN on the IAP for the wireless clients. The network address translation for all client traffic that goes out of this interface is carried out at the source.
This setup eliminates the need for complex VLAN and IP address management for a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on IAPs. If this option is selected, specify any of the following options in Client VLAN Assignment:
• Internal VLAN--Assigns an IP address to the client in the same subnet as the IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
• Custom--Allows you to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. When this option is selected, select the scope from the VLAN ID drop-down list.

External DHCP server assigned: When this option is selected, specify any of the following options in Client VLAN Assignment:
• Static--In VLAN ID, specify a VLAN ID for a single VLAN or multiple VLANs. If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling allows random assignment of VLANs from a pool of VLANs to each client connecting to the SSID. To show or hide the Named VLAN table, click Show Named VLANs. To add a new Named VLAN, complete the following steps:
  1. Click +Add Named VLAN. The Add Named VLAN window is displayed.
  2. Enter the VLAN Name and VLAN details, and then click OK.
• Dynamic--Assigns the VLANs dynamically from a DHCP server. To add a new VLAN assignment rule, complete the following steps:
  1. Click + Add Rule in the VLAN Assignment Rules window. The New VLAN Assignment Rule page is displayed.
  2. Enter the Attribute, Operator, String, and VLAN details, and then click OK.
  To delete a VLAN assignment rule, select a rule in the VLAN Assignment Rules window, and then click the delete icon. To show or hide the Named VLAN table, click Show Named VLANs. To add a new Named VLAN, complete the following steps:
  ◦ Click + Add Named VLAN.
    The Add Named VLAN window is displayed.
  ◦ Enter the VLAN Name and VLAN details, and then click OK.
  To delete, select a Named VLAN in the Named VLAN table, and then click the delete icon.
• Native VLAN--Assigns the client VLAN to the native VLAN.

From Aruba Central (on-premises) 2.5.4, the Add Named VLAN window supports adding multiple VLAN IDs and VLAN ranges.

3. Click Next.

Configuring Security Settings for Wireless Network

To configure security settings for a mixed traffic or voice network, complete the following steps:

1. In the Security tab, specify any one of the following options in the Security Level:
   • Enterprise--On selecting the Enterprise security level, the authentication options applicable to the network are displayed.
   • Personal--On selecting the Personal security level, the authentication options applicable to the personalized network are displayed.
   • Captive Portal--On selecting the Captive Portal security level, the authentication options applicable to the captive portal are displayed. For more information on captive portal, see Configuring Wireless Networks for Guest Users on IAPs.
   • Open--On selecting the Open security level, the authentication options applicable to an open network are displayed.
   The default security setting for a network profile is Personal.
2. Based on the security level specified, configure the following basic parameters:

Table 50: Basic WLAN Security Parameters

Key Management: For the Enterprise security level, select an encryption key from the Key Management drop-down list:
• WPA-2 Enterprise--Select this option to use WPA-2 security. WPA-2 Enterprise requires user authentication and requires the use of a RADIUS server for authentication.
• WPA Enterprise--Select this option to use WPA Enterprise security.
• Both (WPA-2 & WPA)--Select this option to use both WPA-2 and WPA security.
• Dynamic-WEP with 802.1X--If you do not want to use a session key from the RADIUS Server to derive pairwise unicast keys, turn on the Use Session Key for LEAP toggle switch. This is required for old printers that use dynamic WEP through LEAP authentication. The Use Session Key for LEAP feature is Disabled by default.
• WPA-3 Enterprise(CNSA)--Select this option to use WPA-3 security employing CNSA encryption.
• WPA-3 Enterprise(CCM 128)--Select this option to use WPA-3 security employing the CCM encryption operation mode limited to encrypting 128 bits of plain text.
• WPA-3 Enterprise(GCM 256)--Select this option to use WPA-3 security employing the GCM encryption operation mode limited to encrypting 256 bits of plain text.
When the WPA-2 Enterprise or Both (WPA2-WPA) encryption type is selected and the 802.1x authentication method is configured, OKC is enabled by default. If OKC is enabled, a cached PMK is used when the client roams to a new AP. This allows faster roaming of clients without the need for a complete 802.1x authentication. OKC roaming can be configured only for the Enterprise security level.

For the Personal security level, select an encryption key from the Key Management drop-down list. For WPA-2 Personal, WPA Personal, Both (WPA-2&WPA), and WPA-3 Personal keys, specify the following parameters:
• Passphrase Format--Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
• Passphrase--Enter a passphrase.
• Retype--Retype the passphrase to confirm.
For Static WEP, specify the following parameters:
• WEP Key Size--Select an appropriate value for the WEP key size from the drop-down list. Select an appropriate value from the Tx Key drop-down list.
• WEP Key--Enter an appropriate WEP key.
• Retype WEP Key--Retype the WEP key to confirm.
For MPSK-AES, select a primary server from the drop-down list. For MPSK-LOCAL, select a Mpsk Local server from the drop-down list.
For the Captive Portal security level, select an encryption key from Key Management. For WPA-2 Personal, WPA Personal, Both (WPA-2&WPA), and WPA-3 Personal keys, specify the following parameters:
• Passphrase Format--Select a passphrase format. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
• Passphrase--Enter a passphrase.
• Retype--Retype the passphrase to confirm.
For Static WEP, specify the following parameters:
• WEP Key Size--Select an appropriate value for the WEP key size from the drop-down list. Select an appropriate value from the Tx Key drop-down list.
• WEP Key--Enter an appropriate WEP key.
• Retype WEP Key--Retype the WEP key to confirm.
For information on configuring captive portal, see Configuring Wireless Networks for Guest Users on IAPs.

For the Open security level, Key Management includes the Open and Enhanced Open options.

EAP offload: This option is applicable to the Enterprise security level only. To terminate the EAP portion of 802.1X authentication on the Instant AP instead of the RADIUS server, turn on the EAP offload toggle switch. Enabling EAP offload can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the Instant AP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the Instant AP acts as a relay for this exchange. When EAP Offload is enabled, the Instant AP itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server. It can also reduce the number of packets exchanged between the Instant AP and the authentication server. Instant supports the configuration of primary and backup authentication servers in an EAP termination-enabled SSID. If you are using LDAP for authentication, ensure that Instant AP termination is configured to support EAP.
Authentication Server: Configure the following parameters:
• MAC Authentication--Turn on the MAC Authentication toggle switch to allow MAC address based authentication for the Personal, Captive Portal, and Open security levels.
• Primary Server--Set a primary authentication server. The Primary Server option appears only for the Enterprise security level and the internal and external captive portal types. Select one of the following options from the drop-down list:
  ◦ Internal Server--To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS Server. Click Users to add the users.
  ◦ To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs.
  ◦ Aruba Central allows you to configure an external RADIUS server, TACACS or LDAP server, and External Captive Portal for user authentication.
• Secondary Server--To add another server for authentication, configure another authentication server.
• Authentication Survivability--If an external server is configured for authentication, you can enable authentication survivability. Specify a value in hours for Cache Timeout to set the duration after which the authenticated credentials in the cache expire. When the cache expires, the clients are required to authenticate again. You can specify a value within the range of 1 to 99 hours. By default, authentication survivability is disabled.
• Load Balancing--If you are using two RADIUS authentication servers, turn on the toggle switch to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring External Authentication Servers for APs.

Users: Click Users to add the users. The registered users of Employee type will be able to access the Enterprise network.
To add a new user, click + Add User and enter the new user in the Add User pane. The Primary Server option appears only for the Enterprise security level, Internal Captive Portal, and External Captive Portal.

3. Based on the security level specified, specify the following parameters in the Advanced Settings section:

Table 51: Advanced WLAN Security Parameters

Use Session Key for LEAP: Turn on the toggle switch to use the session key for Lightweight Extensible Authentication Protocol. This option is available only for the Enterprise level.

Opportunistic Key Caching (OKC): Turn on the Opportunistic key caching (OKC) toggle switch to reduce the time needed for authentication. When OKC is used, multiple APs can share Pairwise Master Keys (PMKs) among themselves, and the station can roam to a new access point that it has not visited before and reuse a PMK that was established with the current AP. OKC allows the station to roam quickly to an access point it has never authenticated to, without having to perform pre-authentication. OKC is available on WPA2 SSIDs only.

MAC Authentication for Enterprise Networks: To enable MAC address based authentication for the Personal and Open security levels, turn on the toggle switch to enable MAC Authentication. For the Enterprise security level, the following options are available:
• Perform MAC authentication before 802.1X--Select this to use 802.1X authentication only when the MAC authentication is successful.
• MAC Authentication Fail-Through--On selecting this, the 802.1X authentication is attempted when the MAC authentication fails.
If MAC Authentication is enabled, configure the following parameters:
• Delimiter Character--Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request.
  For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
• Uppercase Support--Turn on the toggle switch to allow the IAP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

Reauth Interval: Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients. If the re-authentication interval is configured:
• On an SSID performing L2 authentication (MAC or 802.1X authentication): When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client gets a post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role.
• On an SSID performing both L2 and L3 authentication (MAC with captive portal authentication): When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, a pre-authentication role is assigned to the client.
• On an SSID performing only L3 authentication (captive portal authentication): When re-authentication succeeds, a pre-authentication role is assigned to the client that is in a post-authentication role. Due to this, the clients are required to go through the captive portal to regain access.

Denylisting: By default, this option is disabled. To enable denylisting of clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in the Max Authentication Failures field are dynamically denylisted.
Enforce DHCP: Enforces DHCP on the WLAN SSID for IAP clients. When DHCP is enforced:
• A layer-2 user entry is created when a client associates with an IAP.
• The client DHCP state and IP address are tracked.
• When the client obtains an IP address from DHCP, the DHCP state changes to complete.
• If the DHCP state is complete, a layer-3 user entry is created.
• When a client roams between IAPs, the DHCP state and the client IP address are synchronized with the new IAP.

WPA3 Transition: Enable this option to allow transition from WPA3 to WPA2 and vice versa. WPA3 Transition appears only when WPA3 is selected in Key Management for the Personal, Captive Portal, and Open levels.

Legacy Support: Enable this option to allow backward compatibility of encryption modes in networks. Legacy Support appears only when WPA3 is selected in Key Management for the Personal, Captive Portal, and Open levels.

Use IP for Calling Station ID: Enable this option to configure the client IP address as the calling station ID. When this option is enabled, the following options are displayed:
• Called Station ID Type--Select any of the following options for configuring the called station ID:
  ◦ Access Point Group--Uses the VC ID as the called station ID.
  ◦ Access Point Name--Uses the host name of the IAP as the called station ID.
  ◦ VLAN ID--Uses the VLAN ID as the called station ID.
  ◦ IP Address--Uses the IP address of the IAP as the called station ID.
  ◦ MAC address--Uses the MAC address of the IAP as the called station ID.
• Called Station ID Include SSID--Appends the SSID name to the called station ID.
NOTE: The Called Station ID Type detail can be configured even if Use IP for Calling Station ID is set to disabled.
• Called Station ID Delimiter--Sets the delimiter at the end of the called station ID.
• Max Authentication Failures--Sets a value for the maximum allowed authentication failures.
Delimiter Character: Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

Uppercase Support: Select this option to allow the IAP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

Fast Roaming: Enable the following fast roaming features as per your requirement:
• 802.11k--Turn on the 802.11k toggle switch to enable 802.11k roaming. The 802.11k protocol enables IAPs and clients to dynamically measure the available radio resources. When 802.11k is enabled, IAPs and clients send neighbor reports, beacon reports, and link measurement reports to each other.
• 802.11v--Turn on the 802.11v toggle switch to enable 802.11v based BSS transition. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows the client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as it roams.
• RRM Quiet IE--Configures the radio resource management IE profile elements advertised by an AP.

4. Click Next.

Configuring ACLs for User Access to a Wireless Network

You can configure up to 64 access rules for a wireless network profile. To configure access rules for a network, complete the following steps: 1.
In the Access tab, turn on the Downloadable Role toggle switch to allow downloading of preexisting user roles. For more information, see Configuring Downloadable Roles. n The Downloadable Role feature is optional. n The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8. n At least one radius server must be configured to apply the Downloadable Role feature. For more information on configuring radius server, see Authentication Servers for IAPs 2. Click the action corresponding to the server. The Edit Server page is displayed. Viewing Wireless SSID Summary In the Summary tab, the Network Summary page displays all the settings configured in the General, VLANs, Security, and Access tabs. Click Save Settings to complete the network profile creation and save the settings. Configuring Wireless Networks for Guest Users on IAPs Instant Access Points (IAPs) support the captive portal authentication method in which a webpage is presented to the guest users, when they try to access the Internet in hotels, conference centers, or Wi-Fi hotspots. The webpage also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at Wi-Fi hotspots and can be used to control wired access as well. The captive portal solution for an IAP cluster consists of the following: n The captive portal web login page hosted by an internal or external server. n The RADIUS authentication or user authentication against internal database of the AP. n The SSID broadcast by the IAP. The IAP administrators can create a wired or WLAN guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network. Administrators can also create guest accounts and customize the captive portal page with organizationspecific logo, terms, and usage policy. 
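The captive portal flow above relies on the initial (pre-authentication) role that the guest network assigns: the role lets DNS and DHCP through, sends HTTP and HTTPS requests to the splash page, and denies everything else, while the external captive portal profile described later in this chapter adds a walled garden (allowlisted and denylisted domains) and a Captive Portal Failure setting (Deny Internet or Allow Internet when the portal server is unreachable). The Python model below is an added example written for this guide, not Aruba's code; the port numbers, the assumption that only ports 80 and 443 are redirected, the suffix match for walled-garden domains, and the host names and return values are this example's own assumptions.

```python
"""Decision logic of a captive-portal guest (pre-authentication) role.

Added example written for this guide, not Aruba code. Assumed by this example:
the standard port numbers below, that only HTTP (80) and HTTPS (443) are
redirected, that walled-garden entries are domains which also cover their
subdomains, and the (action, detail) return values.
"""
from dataclasses import dataclass, field

DNS_PORT = 53
DHCP_PORTS = {67, 68}          # DHCP server / client ports
REDIRECTED_PORTS = {80, 443}   # HTTP and HTTPS (assumption: only these are intercepted)


def _in_domains(host, domains):
    """True if host equals one of the domains or is a subdomain of it (assumption)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in (x.lower() for x in domains))


@dataclass
class GuestRolePolicy:
    portal_host: str                  # IP or Hostname of the external captive portal server
    portal_url: str                   # URL the unauthenticated client is redirected to
    allow_domains: set = field(default_factory=set)   # Walled Garden allowlist
    deny_domains: set = field(default_factory=set)    # Walled Garden denylist
    deny_internet_on_failure: bool = True             # Captive Portal Failure: Deny Internet
    portal_reachable: bool = True     # set False to simulate the portal server being unavailable

    def decide(self, authenticated, proto, dst_port, host=None):
        """Return (action, detail) for one flow; action is forward, deny or redirect."""
        if authenticated:
            return ("forward", "post-authentication role")
        # DNS and DHCP are the only traffic the guest role allows unconditionally.
        if proto == "udp" and (dst_port == DNS_PORT or dst_port in DHCP_PORTS):
            return ("forward", "dns/dhcp")
        # Walled garden: a denylisted domain is blocked rather than redirected.
        if host and _in_domains(host, self.deny_domains):
            return ("deny", "walled garden denylist")
        # The portal itself (what Automatic URL Allowlisting covers) and allowlisted
        # domains are reachable without authentication.
        if host and (host.lower() == self.portal_host.lower()
                     or _in_domains(host, self.allow_domains)):
            return ("forward", "walled garden allowlist")
        # Captive Portal Failure: behaviour when the external server cannot be reached.
        if not self.portal_reachable:
            if self.deny_internet_on_failure:
                return ("deny", "captive portal failure: Deny Internet")
            return ("forward", "captive portal failure: Allow Internet")
        if proto == "tcp" and dst_port in REDIRECTED_PORTS:
            return ("redirect", self.portal_url)
        return ("deny", "not permitted before authentication")


def sample_decisions(portal_reachable=True, deny_internet_on_failure=True):
    """Constructed flows from one guest client (sample data, not captured traffic)."""
    policy = GuestRolePolicy(
        portal_host="portal.example.com",
        portal_url="https://portal.example.com/guest/login",
        allow_domains={"example.org"},
        deny_domains={"blocked.example.net"},
        deny_internet_on_failure=deny_internet_on_failure,
        portal_reachable=portal_reachable,
    )
    flows = {
        "dns":         (False, "udp", 53, None),
        "dhcp":        (False, "udp", 67, None),
        "web":         (False, "tcp", 80, "www.example.com"),
        "web_tls":     (False, "tcp", 443, "www.example.com"),
        "portal":      (False, "tcp", 443, "portal.example.com"),
        "allowlisted": (False, "tcp", 443, "cdn.example.org"),
        "denylisted":  (False, "tcp", 80, "blocked.example.net"),
        "ssh":         (False, "tcp", 22, "bastion.example.com"),
        "after_login": (True, "tcp", 22, "bastion.example.com"),
    }
    return {name: policy.decide(*args) for name, args in flows.items()}
```

Two points the model makes visible: Allow Internet as the Captive Portal Failure setting is a fail-open choice (every non-denylisted flow is forwarded while the portal is down), so pair it with monitoring of the portal server; and an HTTPS request that is redirected cannot be answered with a valid certificate for the host the client asked for, so browsers show a certificate warning, which is why operating-system captive portal detection probes a plain HTTP URL and the HTTP redirect is what normally opens the login page.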
With captive portal authentication and guest profiles, devices associating with the guest SSID are assigned an initial role and IP addresses. When a guest user tries to access a URL over HTTP or HTTPS, the captive portal web page prompts the user to authenticate with a user name and password.

Splash Page Profiles

Instant APs support the following types of splash page profiles:
- Internal Captive portal: Select this splash page to use an internal server for hosting the captive portal service. The internal captive portal supports the following types of authentication:
  - Internal Authenticated: A guest user who is pre-provisioned in the user database has to provide authentication details.
  - Internal Acknowledged: A guest user has to accept the terms and conditions to access the Internet.
- External Captive portal: Select this splash page to use an external portal, in the cloud or on a server outside the enterprise network, for authentication.
- Cloud Guest: Select this splash page to use the cloud guest profile configured through the Guest Management tab.
- None: Select this to disable captive portal authentication.

To create splash page profiles, see the following sections:
- Creating a Wireless Network Profile for Guest Users
- Configuring an Internal Captive Portal Splash Page Profile
- Configuring an External Captive Portal Splash Page Profile
- Associating a Cloud Guest Splash Page Profile to a Guest SSID
- Configuring ACLs for Guest User Access
- Configuring Captive Portal Roles for an SSID
- Disabling Captive Portal Authentication

Creating a Wireless Network Profile for Guest Users

To create an SSID for guest users, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs page, click + Add SSID. The Create a New Network pane is displayed.
6. Under General, enter a network name in the Name (SSID) text box.
7. If configuring a wireless guest profile, set the required WLAN configuration parameters described in Table 1.
8. Click Next. The VLANs details are displayed.
9. Under VLANs, select one of the following options for Client IP Assignment:

Table 52: VLANs Assignment

Instant AP assigned: When this option is selected, the client obtains an IP address from the virtual controller. The virtual controller creates a private subnet and VLAN on the IAP for the wireless clients, and network address translation for all client traffic leaving this interface is carried out at the source. This setup eliminates the need for complex VLAN and IP address management in a multi-site wireless network. For more information on DHCP scopes and server configuration, see Configuring DHCP Pools and Client IP Assignment Modes on IAPs. If this option is selected, specify one of the following options in Client VLAN Assignment:
- Internal VLAN: Assigns the client an IP address in the same subnet as the IAPs. By default, the client VLAN is assigned to the native VLAN on the wired network.
- Custom: Allows you to assign clients to a specific VLAN or a range of VLANs. When this option is selected, select the scope from the VLAN ID drop-down list.

External DHCP server assigned: When this option is selected, specify one of the following options in Client VLAN Assignment:
- Static: In VLAN ID, specify a VLAN ID (or, for VLAN pooling, several VLAN IDs). If a large number of clients need to be in the same subnet, you can select this option to configure VLAN pooling. VLAN pooling randomly assigns each client connecting to the SSID a VLAN from the pool. To show or hide the Named VLAN table, click Show Named VLANs. To add a new Named VLAN:
  1. Click +Add Named VLAN. The Add Named VLAN window is displayed.
  2. Enter the VLAN Name and VLAN details, and then click OK.
  To delete a Named VLAN, select it in the Named VLAN table, and then click the delete icon.
- Dynamic: Assigns the VLAN dynamically, based on VLAN assignment rules (see Configuring VLAN Assignment Rule). To add a new VLAN assignment rule:
  1. Click +Add Rule in the VLAN Assignment Rules window. The New VLAN Assignment Rule page is displayed.
  2. Enter the Attribute, Operator, String, and VLAN details, and then click OK.
  To delete a VLAN assignment rule, select it in the VLAN Assignment Rules window, and then click the delete icon. The Named VLAN table is shown, hidden, and edited as described for Static.
- Native VLAN: Assigns the client VLAN to the native VLAN. For more information, see Configuring VLAN Assignment Rule.

Configuring an Internal Captive Portal Splash Page Profile

To configure an internal captive portal profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
6. Under the Security tab, in Security Level, select Captive Portal and configure the following parameters:

Table 53: Internal Captive Portal Configuration Parameters

Captive Portal Type: Select Internal from the drop-down list.

Captive Portal Location: Select Acknowledged or Authenticated from the drop-down list.

Customize Captive Portal: Under Splash Page, click Customize Captive Portal and use the editor to specify the text and colors of the initial page displayed to users connecting to the network. The initial page asks for user credentials or an email address, depending on the splash page type (Authenticated or Acknowledged) you are customizing. Complete the following steps to customize the splash page design:
- Top banner title: Enter a title for the banner.
- Header fill color: Specify a background color for the header.
- Welcome text: To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome text box, and click OK. The welcome text must not exceed 127 characters.
- Policy text: To change the policy text, click the second square in the splash page, enter the required text in the Policy text box, and click OK. The policy text must not exceed 255 characters.
- Page fill color: To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
- Redirect URL: To redirect users to another URL after login, specify a URL in Redirect URL.
- Logo image: To upload a custom logo, click Choose File. The image file must not exceed 16 KB. To delete an image, click Delete Logo.
To preview the captive portal page, click Preview splash page.

Captive Portal Proxy Server IP: Specify the IP address of the captive portal proxy server. To configure a captive portal proxy server or a global proxy server to match your browser configuration, enter the IP address and port number in the Captive Portal Proxy Server IP and Captive Portal Proxy Server Port fields.

Captive Portal Proxy Server Port: Specify the port number of the captive portal proxy server.

Encryption: Disabled by default. Turn on the toggle switch to enable encryption and configure the following parameters:
- Key Management: Specify an encryption and authentication key.
- Passphrase format: Specify a passphrase format.
- Passphrase: Enter a passphrase.
- Retype: Retype the passphrase to confirm.

Key Management: Select Open or Enhanced Open from the drop-down list.

Advanced Settings: Configure the following parameters:
- MAC Authentication: To enable MAC address based authentication for the Personal and Open security levels, turn on the MAC Authentication toggle switch.
- Primary Server: To use an internal server, select Internal Server and add the clients that must authenticate with the internal RADIUS server; click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs.
- Secondary Server: To add another server for authentication, configure another authentication server.
- Load Balancing: If you are using two RADIUS authentication servers, turn on the toggle switch to balance the load across them. For more information on the dynamic load balancing mechanism, see Configuring DHCP Server for Assigning IP Addresses to IAP Clients.

Reauth Interval: Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.

Accounting: Select an accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, accounting starts only after client authentication succeeds and stops when the client logs out of the network. If the accounting mode is set to Association, accounting starts when the client associates to the network successfully and stops when the client disconnects. This is applicable to WLAN SSIDs only.

Denylisting: If you are configuring a wireless network profile, turn on the Denylisting toggle switch to denylist clients after a specific number of authentication failures. This is applicable to WLAN SSIDs only.

Max Authentication Failures: Sets the number of authentication failures after which a client is denylisted. This is applicable to WLAN SSIDs only.

Enforce DHCP: Enforces DHCP address assignment for clients on this WLAN SSID; a layer-3 user entry is created only after the client completes DHCP. This is applicable to WLAN SSIDs only.

WPA3 Transition: Enable this option to allow transition between WPA3 and WPA2 on the same SSID. This is applicable to WLAN SSIDs only.

Called Station ID Include SSID: Appends the SSID name to the called station ID.

Uppercase Support: Allows the IAP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

Disable if uplink type is: To exclude uplink(s), expand Disable if uplink type is, and turn on the toggle switch for the uplink type(s) to exclude, for example Ethernet, Wi-Fi, or 3G/4G.

7. Click Save Settings.

Configuring an External Captive Portal Splash Page Profile

You can configure external captive portal profiles and associate these profiles with a user role or an SSID. You can create a set of captive portal profiles and associate them with an SSID or a wired profile. You can configure up to eight external captive portal profiles. When a captive portal profile is associated with an SSID, it is used before user authentication; if the profile is associated with a role, it is used only after user authentication.

When a captive portal profile is applied to an SSID or wired profile, users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS and DHCP traffic between the client and the network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted.

To configure an external captive portal profile, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
6. Under the Security tab, in Security Level, select Captive Portal.
7. Select the Splash Page type as External.
8.
If required, configure a captive portal proxy server or a global proxy server to match your browser configuration by specifying the IP address and port number in the Captive Portal Proxy Server IP and Captive Portal Proxy Server Port fields.
9. Select a captive portal profile. To add a new profile, click + and configure the following parameters:

Table 54: External Captive Portal Profile Configuration Parameters

Name: Enter a name for the profile.

Type: Select one of the following types of authentication:
- Radius Authentication: Enables user authentication against a RADIUS server.
- Authentication Text: Lets you specify an authentication text. The external server returns this text after a successful user authentication.

IP or Hostname: Enter the IP address or the host name of the external splash page server.

URL: Enter the URL of the external captive portal server.

Port: Enter the port number used for communicating with the external captive portal server.

Use HTTPS: Select this to force clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.

Captive Portal Failure: Configures Internet access for guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to let them access the network.

Server Offload: Select the check box to enable server offload. Server offload ensures that non-browser client applications are not unnecessarily redirected to the external captive portal server, reducing the load on that server.

Prevent Frame Overlay: Select this check box to prevent the overlay of frames. When enabled, frames display only pages that are in the same domain as the main page.

Automatic URL Allowlisting: When enabled for external captive portal authentication, the URLs that unauthenticated users must be able to reach are allowlisted automatically.

Auth Text: If Authentication Text is selected as the Type, specify the authentication text that the external server returns after successful authentication. This option is available only if Authentication Text is selected.

Redirect URL: Specify a redirect URL if you want to redirect users to another URL.

10. Click Save.
11. On the external captive portal splash page configuration page, specify encryption settings if required.
12. Specify the following authentication parameters under Advanced Settings:
- MAC Authentication: To enable MAC address based authentication for the Personal and Open security levels, turn on the MAC Authentication toggle switch.
- Primary Server: Sets a primary authentication server.
  - To use an internal server, select Internal server and add the clients that must authenticate with the internal RADIUS server; click Users to add the users.
  - To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs.
- Secondary Server: To add another server for authentication, configure another authentication server.
- Load Balancing: If you are using two RADIUS authentication servers, turn on the toggle switch to balance the load across them.
13. If required, under Walled Garden, create a denylist of domains and an allowlist of websites that users connected to this splash page profile can access without authenticating.
14. To exclude an uplink, select an uplink type.
15. If MAC authentication is enabled, you can configure the following parameters:
- Delimiter Character: Specify a character (for example, a colon or a dash) as the delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request; for example, with a colon as the delimiter, MAC addresses are sent in the xx:xx:xx:xx:xx:xx format. If no delimiter is specified, the xxxxxxxxxxxx format is used.
- Uppercase Support: Turn on the toggle switch to allow the IAP to use uppercase letters in the MAC address string for MAC authentication.
16. Configure the Reauth Interval. When set to a value greater than zero, IAPs periodically re-authenticate all associated and authenticated clients.
17. If required, enable denylisting and set the number of failed authentication attempts after which a client is denylisted.
18. Click Save Settings.

Associating a Cloud Guest Splash Page Profile to a Guest SSID

To use the Cloud Guest splash page profile for the guest SSID, ensure that the Cloud Guest splash page profile is configured through the Guest Access app. To associate a Cloud Guest splash page profile with a guest SSID, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. Under the WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
6. Click the Security tab.
   a. Under Splash Page, select Cloud Guest from the Captive Portal Type drop-down list.
   b. Select the splash page profile name from the Guest Captive Portal Profile list, and then click Next.
   c. To enable encryption, turn on the Encryption toggle switch and configure the following encryption parameters:
      - Key Management: Specify an encryption and authentication key.
      - Passphrase format: Specify a passphrase format.
      - Passphrase: Enter a passphrase.
      - Retype: Retype the passphrase to confirm.
   d. To exclude an uplink, expand Disable if uplink type is and select an uplink type, for example Ethernet, Wi-Fi, or 3G/4G.
   e. Click Next.
7. Click Save Settings.

Configuring ACLs for Guest User Access

To configure access rules for a guest network, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. Under the WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
6. Click the Access tab.
7. Under Access rules, select one of the following types of access control:
- Unrestricted: Sets unrestricted access to the network.
- Network Based: Sets common rules for all users in the network. By default, the Allow any to all destinations access rule is enabled; it allows traffic to all destinations. To define an access rule, click +, select the appropriate options for the Rule Type, Service, Action, Destination, and Options fields, and then click Save.
- Role Based: Enables access based on user roles. For role-based access control:
  1. To create a user role, click +Add Role in the Role pane, enter a name for the new role, and click OK.
  2. To create access rules for a specific user role, click +Add Rule in Access Rules for Selected Roles, select the appropriate options for the Rule Type, Service, Action, Destination, and Options fields, and then click Save.
  3. To create a role assignment rule, under Role Assignment Rules, click +Add Role Assignment. In the New Role Assignment Rule pane, select the appropriate options in the Attribute, Operator, String, and Role fields, and then click Save.
  4. To assign a pre-authentication role, select the Assign Pre-Authentication Role check box and select a pre-authentication role from the drop-down list.
8. Click Save Settings.

Configuring Captive Portal Roles for an SSID

You can configure an access rule to enforce captive portal authentication for SSIDs with 802.1X authentication enabled. You can configure rules that provide access to an external or an internal captive portal, so that some of the clients using this SSID derive the captive portal role.

The following conditions apply to the combined 802.1X and captive portal authentication configuration:
- If captive portal settings are not configured for a user role, the captive portal settings configured for the SSID are applied to the client's profile.
- If captive portal settings are not configured for an SSID, the captive portal settings configured for the user role are applied to the client's profile.
- If captive portal settings are configured for both the SSID and the user role, the captive portal settings configured for the user role take precedence and are applied to the client's profile.

To create a captive portal role for the Internal and External splash page types:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5.
Under the WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon.
6. Click the Access tab.
7. Under Access rules, select Role Based.
8. Click +Add Rule in Access Rules for Selected Roles.
9. In the Add Rules window, specify the following parameters:

Table 55: Access Rule Configuration Parameters

Rule Type: Select Captive Portal from the drop-down list.

Splash Page Type: Select a splash page type from the drop-down list.

Internal: If Internal is selected as the Splash Page Type, complete the following steps:
- Top banner title: Enter a title for the banner. To preview the page with the new banner title, click Preview splash page.
- Header fill color: Specify a background color for the header.
- Welcome text: To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome text box, and click OK. The welcome text must not exceed 127 characters.
- Policy text: To change the policy text, click the second square in the splash page, enter the required text in the Policy text box, and click OK. The policy text must not exceed 255 characters.
- Page fill color: To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
- Redirect URL: To redirect users to another URL after login, specify a URL in Redirect URL.
- Logo image: To upload a custom logo, click Choose File. The image file must not exceed 16 KB. To delete an image, click Delete Logo. To preview the captive portal page, click Preview splash page.

External: If External is selected as the Splash Page Type, complete the following steps:
- Captive Portal Profile: Select a profile from the drop-down list. To create a profile, click the + icon and enter the following information in the External Captive Portal window:
  - Name
  - Authentication Type: From the drop-down list, select either RADIUS Authentication (to authenticate users against a RADIUS server) or Authentication Text (to specify the authentication text returned by the external server after a successful user authentication).
  - IP or Hostname: Enter the IP address or the host name of the external splash page server.
  - URL: Enter the URL for the external splash page server.
  - Port: Enter the port number for communicating with the external splash page server.
  - Captive Portal Failure: Configures Internet access for guest clients when the external captive portal server is not available. From the drop-down list, select Deny Internet to prevent clients from using the network, or Allow Internet to let guest clients access the Internet while the external captive portal server is unavailable.
  - Automatic URL Allowlisting: Turn on the toggle switch to enable or disable automatic allowlisting of URLs. When enabled for external captive portal authentication, the URLs that unauthenticated users must be able to reach are allowlisted automatically. Automatic URL allowlisting is disabled by default.
  - Server offload: Turn on the toggle switch to enable server offload.
  - Prevent Frame Overlay: Turn on the toggle switch to prevent frame overlay.
  - Use VC IP in Redirect URL: Turn on the toggle switch to use the virtual controller IP address in the redirect URL.
  - Auth TEXT: The authentication text returned by the external server after a successful user authentication.
  - Redirect URL: Specify a redirect URL to redirect users to another URL.
  To edit a profile, click the edit icon and modify the parameters in the External Captive Portal window.

10. Click Save. The enforce captive portal rule is created and listed as an access rule.
11. Click Save Settings.
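Both the Role Assignment Rules of the guest ACL procedure (Attribute, Operator, String, Role) and the VLAN Assignment Rules of Table 52 (Attribute, Operator, String, VLAN) are evaluated against the attributes the authentication server returns for a client. The following Python evaluator is an added example written for this guide, not Aruba's implementation; it assumes top-down, first-match evaluation, case-insensitive attribute names, and the operator names in OPERATORS as stand-ins for the choices in the Operator drop-down list. The rule sets and attribute values are constructed samples.

```python
"""Evaluation of assignment rules (Attribute, Operator, String, result) against
the RADIUS attributes returned for a client, as used by the Role Assignment
Rules and VLAN Assignment Rules in this guide.

Added example written for this guide, not Aruba's implementation. Assumptions:
rules are evaluated top-down and the first match wins, attribute names are
compared case-insensitively, and the operator names in OPERATORS stand in for
the choices offered by the Operator drop-down list.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AssignmentRule:
    attribute: str   # RADIUS attribute name, e.g. "Filter-Id"
    operator: str    # key of OPERATORS
    string: str      # value the attribute is compared against
    result: str      # role name (role rules) or VLAN ID (VLAN rules)


OPERATORS = {
    "equals":        lambda value, s: value == s,
    "not-equals":    lambda value, s: value != s,
    "starts-with":   lambda value, s: value.startswith(s),
    "ends-with":     lambda value, s: value.endswith(s),
    "contains":      lambda value, s: s in value,
    "matches-regex": lambda value, s: re.fullmatch(s, value) is not None,
}


def derive(rules, radius_attributes, default):
    """Return the result of the first matching rule, or `default` if none matches.

    radius_attributes maps attribute name -> str or list of str (the same
    attribute may appear several times in an Access-Accept).
    """
    attrs = {name.lower(): value for name, value in radius_attributes.items()}
    for rule in rules:
        if rule.operator not in OPERATORS:
            raise ValueError(f"unknown operator {rule.operator!r}")
        values = attrs.get(rule.attribute.lower())
        if values is None:
            continue                 # attribute absent: the rule cannot match
        if isinstance(values, str):
            values = [values]
        if any(OPERATORS[rule.operator](v, rule.string) for v in values):
            return rule.result
    return default


# Constructed rule sets; the attribute values below are samples, not captured RADIUS traffic.
ROLE_RULES = [
    AssignmentRule("Aruba-User-Role", "equals", "employee", "employee"),
    AssignmentRule("Filter-Id", "starts-with", "guest-", "guest"),
    AssignmentRule("Filter-Id", "contains", "staff", "staff"),   # too loose, see example_roles
]
VLAN_RULES = [
    AssignmentRule("Filter-Id", "equals", "iot", "30"),
    AssignmentRule("Aruba-User-Role", "ends-with", "-lab", "40"),
]


def example_roles():
    """Role derived for a few constructed Access-Accept attribute sets."""
    samples = {
        "employee": {"Aruba-User-Role": "employee"},
        "guest":    {"Filter-Id": "guest-visitor"},
        "ex_staff": {"Filter-Id": "ex-staff"},    # 'contains staff' matches this too
        "multi":    {"Filter-Id": ["contractor", "guest-temp"]},
        "no_attrs": {},
    }
    return {name: derive(ROLE_RULES, attrs, "denyall") for name, attrs in samples.items()}
```

The ex_staff sample shows why a contains rule is a poor fit for a privileged role: any value that happens to contain the string matches, so prefer equals (or an anchored regex) and put the most specific rules first. The default returned when nothing matches is the role a client gets when the server sends no usable attribute, so it should be the most restrictive one.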
The client can connect to this SSID after authenticating with a user name and password. After the user logs in successfully, the captive portal role is assigned to the client.

Disabling Captive Portal Authentication

To disable captive portal authentication, perform the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a guest SSID, and then click the edit icon.
6. Under the Security tab, in Security Level, select Captive Portal.
7. Under Splash Page, select None from the Captive Portal Type drop-down list.
8. Click Save Settings.

Configuring Client Isolation

The Client Isolation feature in Aruba Central (on-premises) isolates clients from one another and disables all peer-to-peer communication within the network. Client isolation permits only client-to-gateway traffic: any other traffic from a client that is not destined to the gateway or to the configured servers is not forwarded by the Instant Access Point (IAP). This protects clients from lateral attacks by other clients on the same network. In the CLI, Client Isolation is configured per SSID; in the UI it corresponds to the Deny Intra VLAN Traffic toggle switch described below.

When Client Isolation is configured, the IAP learns the IP address, subnet mask, MAC address, and other essential information of the gateway and the DNS server. A subnet table of trusted destinations is then populated with this information. Wired servers used in the network are not learned automatically and must be manually configured into this subnet table to serve clients.
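The forwarding check that this subnet table drives, written out as an added example for this guide (not Aruba's code): the table holds the learned gateway and DNS server plus manually added wired servers, and each client frame is forwarded only when its destination MAC is in the table. The frame model, the handling of ARP (allowed only for trusted IPs, the minimum a client needs to reach the gateway), and the sample addresses are this example's assumptions; the guide states only the destination-MAC check and that the feature is IPv4-only.

```python
"""Forwarding decision made by an IAP with Client Isolation enabled.

Added example written for this guide, not Aruba code. The frame model and the
ARP handling are this example's assumptions; the guide only states that the
destination MAC is checked against the subnet table of trusted destinations
and that the feature is supported in IPv4 networks only.
"""
from dataclasses import dataclass

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """Minimal view of a client frame (constructed for this example)."""
    src_mac: str
    dst_mac: str
    ethertype: int
    target_ip: str   # IP destination; for ARP, the target protocol address


class ClientIsolationTable:
    """Subnet table of trusted destinations kept by the AP."""

    def __init__(self):
        self._by_mac = {}   # mac -> (ip, source)
        self._by_ip = {}    # ip -> mac

    def learn(self, ip, mac, source="learned"):
        """Gateway and DNS server entries are learned by the AP; source records how."""
        mac = mac.lower()
        self._by_mac[mac] = (ip, source)
        self._by_ip[ip] = mac

    def add_wired_server(self, ip, mac):
        """Wired servers are not learned automatically and must be added by hand."""
        self.learn(ip, mac, source="manual")

    def verdict(self, frame):
        """'forward', 'drop', or 'unfiltered' for traffic the feature does not cover."""
        if frame.ethertype == ETH_IPV4:
            # Only the destination MAC is validated against the table.
            return "forward" if frame.dst_mac.lower() in self._by_mac else "drop"
        if frame.ethertype == ETH_ARP:
            # Assumption: a client may resolve only trusted IPs (it must reach the gateway).
            return "forward" if frame.target_ip in self._by_ip else "drop"
        # The guide says the feature is IPv4-only but not what happens to IPv6,
        # so flag such frames instead of assuming either behaviour.
        return "unfiltered"


def sample_verdicts():
    """Constructed scenario: gateway and DNS learned, one wired server added manually."""
    table = ClientIsolationTable()
    gateway_mac, dns_mac, server_mac = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:50"
    table.learn("10.1.1.1", gateway_mac)                 # default gateway
    table.learn("10.1.1.2", dns_mac)                     # DNS server
    table.add_wired_server("10.1.1.50", server_mac)      # e.g. a print server
    client_a, client_b = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    frames = {
        "to_gateway":       Frame(client_a, gateway_mac, ETH_IPV4, "93.184.216.34"),
        "to_dns":           Frame(client_a, dns_mac, ETH_IPV4, "10.1.1.2"),
        "to_wired_server":  Frame(client_a, server_mac, ETH_IPV4, "10.1.1.50"),
        "peer_to_peer":     Frame(client_a, client_b, ETH_IPV4, "10.1.1.101"),
        "peer_via_gateway": Frame(client_a, gateway_mac, ETH_IPV4, "10.1.1.101"),
        "arp_gateway":      Frame(client_a, BROADCAST, ETH_ARP, "10.1.1.1"),
        "arp_peer":         Frame(client_a, BROADCAST, ETH_ARP, "10.1.1.101"),
        "ipv6_to_gateway":  Frame(client_a, gateway_mac, ETH_IPV6, "fe80::1"),
    }
    return {name: table.verdict(f) for name, f in frames.items()}
```

The peer_via_gateway case is worth noting when deploying the feature: because the check is on the destination MAC, a frame addressed to the gateway's MAC but carrying another client's IP is forwarded, and it is the gateway (by not routing traffic back into the same subnet) rather than the AP that keeps the two clients apart. Since the guide limits the feature to IPv4 networks, either disable IPv6 on the isolated VLAN or filter it separately.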
The destination MAC of data packets sent by the client is validated against this subnet table, and only the data packets destined to the trusted addresses in the subnet table are forwarded by the IAP. All other data packets are dropped.

The Client Isolation feature is supported only in IPv4 networks. This feature does not support AirGroup and affects Chromecast and AirPlay services.

Enabling Client Isolation Feature for Wireless Networks in Aruba Central (on-premises)

To enable the Client Isolation feature, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs page, click +Add SSID. The Create a New Network page is displayed.
6. Click Advanced Settings and expand Miscellaneous.
7. Turn on the Deny Intra VLAN Traffic toggle switch.
8. Click Next.

Management Frames Protection

Aruba Central (on-premises) supports the Management Frame Protection (MFP) feature in networks that include APs running Aruba Instant 8.5.0.0 firmware or later. This feature protects networks against forged management frames spoofed from other devices that might otherwise disrupt a valid user session. MFP increases security by providing data confidentiality of management frames. MFP uses the 802.11i framework, which establishes encryption keys between the client and the Instant AP.

Enabling Management Frames Protection Feature for Wireless Networks in Aruba Central (on-premises)

To enable the MFP feature, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs page, click +Add SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. In the General tab, click Advanced Settings.
7. Expand Miscellaneous.
8. Turn on the Management Frames Protection toggle switch to enable the MFP feature.
9. Click Next.
10. Click Save Settings.

The MFP configuration is a per-SSID configuration. The MFP feature can be enabled only on WPA2-PSK and WPA2-Enterprise SSIDs. The 802.11r fast roaming option does not take effect when MFP is enabled.

Configuring Wired Networks for Guest Users on IAPs

Instant Access Points (IAPs) support the captive portal authentication method, in which a webpage is presented to guest users when they try to access the Internet in hotels, conference centres, or Wi-Fi hotspots. The webpage also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at Wi-Fi hotspots and can be used to control wired access as well.

The captive portal solution for an IAP cluster consists of the following:
- The captive portal web login page hosted by an internal or external server.
- RADIUS authentication or user authentication against the internal database of the AP.
- The SSID broadcast by the IAP.

IAP administrators can create a wired or WLAN guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network. Administrators can also create guest accounts and customize the captive portal page with an organization-specific logo, terms, and usage policy.
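The pre-authentication behaviour of a captive portal guest network can be modelled in code. The following Python is an added example, not the guide's or Aruba's code: it applies the guest role (only DNS and DHCP allowed before authentication), the walled garden allowlist and denylist, the redirect of every other HTTP or HTTPS request to the splash page, and the Captive Portal Failure setting (Deny Internet or Allow Internet) used when an external portal is unreachable. The portal URL, host names and class names are constructed for the example, and the denylist is assumed to apply both before and after authentication.

```python
"""Guest-role policy for a captive portal network (added example, not Aruba code).

Models the behaviour described in this section: before authentication the guest
role allows only DNS and DHCP, walled-garden allowlist destinations are reachable,
every other HTTP/HTTPS request is redirected to the splash page, and when an
external portal is unreachable the Captive Portal Failure setting decides.
The denylist is assumed to apply in both states. All names are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class GuestPortalProfile:
    portal_url: str
    walled_garden_allow: Set[str] = field(default_factory=set)
    walled_garden_deny: Set[str] = field(default_factory=set)
    failure_policy: str = "deny-internet"   # or "allow-internet"


@dataclass(frozen=True)
class Request:
    protocol: str      # "dns", "dhcp", "http", "https", or anything else
    host: str = ""     # destination host for http/https


def _matches(host: str, domains: Set[str]) -> bool:
    """Exact or sub-domain match: 'cdn.example.org' matches 'example.org'."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in (x.lower() for x in domains))


def evaluate(profile: GuestPortalProfile, req: Request,
             authenticated: bool, portal_reachable: bool = True) -> str:
    """Return the action for one request: 'allow', 'drop', or 'redirect:<portal url>'."""
    if req.protocol in ("http", "https") and _matches(req.host, profile.walled_garden_deny):
        return "drop"                        # denylist applies in both states (assumption)
    if authenticated:
        return "allow"                       # post-auth: the Access tab rules apply
    if req.protocol in ("dns", "dhcp"):
        return "allow"                       # guest role permits only DNS and DHCP
    if req.protocol in ("http", "https"):
        if _matches(req.host, profile.walled_garden_allow):
            return "allow"                   # explicitly permitted before authentication
        if not portal_reachable:             # external portal down: failure setting decides
            return "allow" if profile.failure_policy == "allow-internet" else "drop"
        return f"redirect:{profile.portal_url}"
    return "drop"                            # nothing else is permitted before authentication


# Constructed sample profile and traffic (not taken from a real deployment).
SAMPLE_PROFILE = GuestPortalProfile(
    portal_url="https://portal.example.test/login",
    walled_garden_allow={"example.org"},
    walled_garden_deny={"blocked.test"},
    failure_policy="deny-internet",
)

SAMPLE_TRAFFIC = {
    "dns lookup": Request("dns", "resolver"),
    "dhcp renew": Request("dhcp"),
    "https to walled garden": Request("https", "cdn.example.org"),
    "https to other site": Request("https", "www.example.com"),
    "http to denylisted site": Request("http", "ads.blocked.test"),
    "ssh to server": Request("ssh", "srv.example.com"),
}


def demo(authenticated: bool, portal_reachable: bool = True) -> Dict[str, str]:
    """Evaluate the sample traffic for one client state."""
    return {name: evaluate(SAMPLE_PROFILE, r, authenticated, portal_reachable)
            for name, r in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for state, result in (("pre-auth", demo(False)), ("pre-auth, portal down", demo(False, False)),
                          ("post-auth", demo(True))):
        print(state)
        for name, action in result.items():
            print(f"  {name:28s} {action}")
```

The portal-down case is worth a second look when choosing the Captive Portal Failure setting: Allow Internet keeps guests working during a portal outage but means unauthenticated clients get full access for as long as the outage lasts, while Deny Internet fails closed.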
With captive portal authentication and guest profiles, the devices associating with the guest SSID are assigned an initial role and are assigned IP addresses. When a guest user tries to access a URL through HTTP or HTTPS, the captive portal webpage prompts the user to authenticate with a user name and password.

Splash Page Profiles

IAPs support the following types of splash page profiles:
- Internal Captive portal--Select this splash page to use an internal server for hosting the captive portal service. The internal captive portal supports the following types of authentication:
  - Internal Authenticated--When Internal Authenticated is enabled, a guest user who is pre-provisioned in the user database has to provide the authentication details.
  - Internal Acknowledged--When Internal Acknowledged is enabled, a guest user has to accept the terms and conditions to access the Internet.
- External Captive portal--Select this splash page to use an external portal on the cloud or on a server outside the enterprise network for authentication.
- Cloud Guest--Select this splash page to use the cloud guest profile configured through the Guest Management tab.
- None--Select this to disable captive portal authentication.

For information on how to create splash page profiles, see the following sections:
- Creating a Wired Network Profile for Guest Users
- Configuring an Internal Captive Portal Splash Page Profile
- Configuring an External Captive Portal Splash Page Profile
- Disabling Captive Portal Authentication

Creating a Wired Network Profile for Guest Users

To create a wired SSID for guest access, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Wired accordion.
7. To create a new wired SSID profile, click +Add Port Profile. The Create a New Network pane is displayed.
8. Under General, enter the following information:
   a. Name--Enter a name.
   b. Ports--Select port(s) from the drop-down list.
9. Click Next to configure the VLANs settings. The VLANs details are displayed.
10. In the VLANs tab, select a type of mode from the Mode drop-down list.
11. Select any of the following options for Client IP Assignment:

Table 56: VLANs Parameters

Parameter: Instant AP assigned
Description: Select this option to allow the Virtual Controller to assign IP addresses to the wired clients. When the Virtual Controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The Virtual Controller can also assign a guest VLAN to a wired client. If this option is selected, specify any of the following options in Client VLAN Assignment:
- Default--When the client VLAN must be assigned to the native VLAN on the network.
- Custom--To customize the client VLAN assignment to a specific VLAN, or a range of VLANs.

Parameter: External DHCP server assigned
Description: Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.

Configuring an Internal Captive Portal Splash Page Profile

To configure an internal captive portal profile, complete the following steps:

1. Open the guest SSID to edit and configure the following parameters in the Ports > Security page.
Table 57: Internal Captive Portal Configuration Parameters

Parameter: Captive Portal Type
Description: Select any of the following from the drop-down list:
- Internal - Authenticated--When Internal Authenticated is selected, the guest users are required to authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database.
- Internal - Acknowledged--When Internal Acknowledged is selected, the guest users are required to accept the terms and conditions to access the Internet.
- External--When External is selected, the guest users are required to enter the proxy server details such as the IP address and the captive portal proxy server port. Also enter the details in the Walled Garden and Advanced sections.
- Cloud Guest--When Cloud Guest is selected, the guest users are required to select the Guest Captive Portal Profile.
- None--Select this option if you do not want to set any splash page.

Parameter: Captive Portal Location
Description: Select Acknowledged or Authenticated from the drop-down list.

Parameter: Splash Page Properties
Description: Policy text for which you are customizing the splash page design. Perform the following steps to customize the splash page design:
- Top Banner Title--Enter a title for the banner. To preview the page with the new banner title, click Preview Splash Page.
- Header fill color--Specify a background color for the header.
- Welcome Text--To change the welcome text, click the first square box in the splash page, enter the required text in the Welcome Text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
- Policy Text--To change the policy text, click the second square in the splash page, enter the required text in the Policy Text box, and click OK. Ensure that the policy text does not exceed 255 characters.
- Page Fill Color--To change the color of the splash page, click the Splash page rectangle and select the required color from the color palette.
- Redirect URL--To redirect users to another URL, specify a URL in Redirect URL.
- Logo Image--To upload a custom logo, click Upload, browse to the image file, and click Upload Image. Ensure that the image file size does not exceed 16 KB. To delete an image, click Delete.
To preview the captive portal page, click Preview Splash Page. To configure a captive portal proxy server or global proxy server to match your browser configuration, enter the IP address and port number in the Captive-portal proxy server IP and Captive Portal Proxy Server Port fields.

Parameter: Encryption
Description: By default, this field is disabled. Turn on the toggle switch to enable and configure the following encryption parameters:
- Key Management--Specify an encryption and authentication key.
- Passphrase format--Specify a passphrase format.
- Passphrase--Enter a passphrase and retype it to confirm.

Parameter: Authentication
Description: Configure the following parameters:
- MAC Authentication--To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.
- Secondary Server--To add another server for authentication, configure another authentication server.
- Load Balancing--Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Configuring DHCP Server for Assigning IP Addresses to IAP Clients.
To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS server. Click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs.

Parameter: Users
Description: Create and manage users in the captive portal network. Only registered users of type Guest Employee will be able to access this network.

Parameter: Advanced Settings > MAC Authentication
Description: To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.

Parameter: Advanced Settings > Reauth Interval
Description: Specify a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.

Parameter: Advanced Settings > Denylisting
Description: If you are configuring a wireless network profile, turn on the Denylisting toggle switch to denylist clients with a specific number of authentication failures. This is applicable for WLAN SSIDs only.

Parameter: Advanced Settings > Disable If Uplink Type Is
Description: To exclude an uplink, select an uplink type.

2. Click Save Settings.

Configuring an External Captive Portal Splash Page Profile

You can configure external captive portal profiles and associate these profiles with a user role or SSID. You can create a set of captive portal profiles in the Security > External Captive Portal data pane and associate these profiles with an SSID or a wired profile. You can also create a new captive portal profile under the Security tab of the WLAN wizard or a Wired Network pane. You can configure up to eight external captive portal profiles.

When the captive portal profile is associated with an SSID, it is used before user authentication. If the profile is associated with a role, it is used only after user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS and DHCP traffic between the client and the network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted.

To configure an external captive portal profile, complete the following steps:

1. Under the WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon. The Create a New Network pane is displayed.
2. Under the Security tab, in Security Level, select Captive Portal and configure the following parameters under Splash Page.
3. Select the Splash Page type as External.
4. If required, configure a captive portal proxy server or a global proxy server to match your browser configuration by specifying the IP address and port number in the Captive Portal Proxy Server IP and Captive Portal Proxy Server Port fields.
5. Select a captive portal profile. To add a new profile, click + and configure the following parameters:

Table 58: External Captive Portal Profile Configuration Parameters

Data Pane Item: Name
Description: Enter a name for the profile.

Data Pane Item: Type
Description: Select any one of the following types of authentication:
- Radius Authentication--Select this option to enable user authentication against a RADIUS server.
- Authentication Text--Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.

Data Pane Item: IP or Hostname
Description: Enter the IP address or the host name of the external splash page server.

Data Pane Item: URL
Description: Enter the URL of the external captive portal server.

Data Pane Item: Port
Description: Enter the port number that is used for communicating with the external captive portal server.

Data Pane Item: Use HTTPS
Description: Select this to enforce clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.

Data Pane Item: Captive Portal Failure
Description: This field allows you to configure Internet access for the guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to let them access the network.

Data Pane Item: Server Offload
Description: Select the check box to enable the server offload feature. The server offload feature ensures that non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.

Data Pane Item: Prevent Frame Overlay
Description: Select this check box to prevent the overlay of frames. When enabled, the frames display only those pages that are in the same domain as the main page.

Data Pane Item: Automatic URL Allowlisting
Description: On enabling this for the external captive portal authentication, the URLs that unauthenticated users are allowed to access are automatically allowlisted.

Data Pane Item: Auth Text
Description: If the External Authentication splash page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected.

Data Pane Item: Redirect URL
Description: Specify a redirect URL if you want to redirect the users to another URL.

6. Click Save.
7. On the external captive portal splash page configuration page, specify encryption settings if required.
8. Specify the following authentication parameters in Advanced Settings:
   - MAC Authentication--To enable MAC address based authentication for Personal and Open security levels, turn on the MAC Authentication toggle switch.
   - Primary Server--Sets a primary authentication server.
     - To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS server. Click Users to add the users.
     - To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs.
   - Secondary Server--To add another server for authentication, configure another authentication server.
   - Load Balancing--Turn on the toggle switch to enable, if you are using two RADIUS authentication servers, to balance the load across these servers.
9. If required, under Walled Garden, create a list of domains that are denylisted and also an allowlist of websites that the users connected to this splash page profile can access.
10. To exclude an uplink, select an uplink type.
11. If MAC authentication is enabled, you can configure the following parameters:
   - Delimiter Character--Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.
   - Uppercase Support--Turn on the toggle switch to allow the IAP to use uppercase letters in the MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.
12. Configure the Reauth Interval. Specify a value for Reauth Interval. When set to a value greater than zero, IAPs periodically re-authenticate all associated and authenticated clients.
13. If required, enable denylisting. Set a threshold for denylisting clients based on the number of failed authentication attempts.
14. Click Save Settings.

Configuring ACLs for Guest User Access

To configure access rules for a guest network, complete the following steps:

1. Under the WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon. The Create a New Network pane is displayed.
2. Click the Access tab.
3. Under Access, select any of the following types of access control:
   - Unrestricted--Select this to set unrestricted access to the network.
   - Network Based--Select Network Based to set common rules for all users in a network. By default, the Allow any to all destinations access rule is enabled. This rule allows traffic to all destinations. To define an access rule, complete the following steps:
     a. Click + and select appropriate options for the Rule Type, Service, Action, Destination, and Options fields.
     b. Click Save.
   - Role Based--Select Role Based to enable access based on user roles.
For role-based access control:
1. Create a user role:
   a. Click New in the Role pane.
   b. Enter a name for the new role and click OK.
2. Create access rules for a specific user role:
   a. Click + and select appropriate options for the Rule Type, Service, Action, Destination, and Options fields.
   b. Click Save.
3. Create a role assignment rule:
   a. Under Role Assignment Rule, click New. The New Role Assignment Rule pane is displayed.
   b. Select appropriate options in the Attribute, Operator, String, and Role fields.
   c. Click Save.
4. Click Save Settings.

Disabling Captive Portal Authentication

To disable captive portal authentication, complete the following steps:

1. Under the WLANs tab, in the Wireless SSIDs table, select a guest SSID and click the edit icon. The Create a New Network pane is displayed.
2. Click the Security tab.
3. Under Security, select None for Splash Page Type.
4. Click Save Settings.

Configuring Wired Port Profiles on Instant APs

If wired clients must be supported on the Instant Access Points (IAPs), configure wired port profiles and assign these profiles to the ports of an IAP. The wired ports of an IAP allow third-party devices such as VoIP phones or printers (which support only wired port connections) to connect to the wireless network. You can also configure an ACL for additional security on the Ethernet downlink.

To configure wired port profiles on an IAP, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Wired accordion.
7. To create a new wired port profile, click +Add Port Profile. The Create a New Network pane is displayed.
Complete the configuration for each of the tabs in the Create a New Network page as described in the sections below.

Configuring General Network Profile Settings

To configure general network profile settings, complete the following steps in the General tab:

1. Under General, enter the following information:
   a. Name--Enter a name.
   b. Ports--Select port(s) from the drop-down list.
2. Under the Advanced Settings section, configure the following parameters:
   a. Speed/Duplex--Select the appropriate value from the Speed and Duplex drop-down lists. Contact your network administrator if you need to assign speed and duplex parameters.
   b. Port Bonding--Turn on the Port Bonding toggle switch to enable port bonding.
   c. Power over Ethernet--Turn on the Power over Ethernet toggle switch to enable PoE.
   d. Admin Status--The Admin Status indicates if the port is up or down.
   e. Content Filtering--Turn on the Content Filtering toggle switch to ensure that all DNS requests to non-corporate domains on this wired port network are sent to OpenDNS.
   f. Uplink--Turn on the toggle switch to configure an uplink on this wired port profile. If the Uplink toggle switch is turned on and this network profile is assigned to a specific port, the port is enabled as an uplink port.
   g. Spanning Tree--Turn on the toggle switch to enable STP on the wired port profile. STP ensures that there are no loops in any bridged Ethernet network and operates on all downlink ports, regardless of forwarding mode. STP does not operate on uplink ports and is supported only on IAPs with three or more ports. By default, STP is disabled on wired port profiles.
   h. Inactivity Timeout--Enter the time duration after which an inactive user is disabled from the network. The user must undergo the authentication process to re-join the network.
   i. 802.3az--Turn on the toggle switch to support the 802.3az Energy Efficient Ethernet (EEE) standard on the device. This option allows the device to consume less power during periods of low data activity. This setting can be enabled for provisioned APs or AP groups through the wired port network. If this feature is enabled for an AP group, APs in the group that do not support 802.3az ignore this setting. This option is available for IAPs that run Aruba Instant 8.4.0.0 firmware or later.
   j. Deny Intra VLAN Traffic--Turn on the toggle switch to disable intra-VLAN traffic. This enables client isolation and disables all peer-to-peer communication. Client isolation disables inter-client communication by allowing only client-to-gateway traffic to flow in the network. All other traffic from the client that is not destined to the gateway or to configured servers is not forwarded by the Instant AP. This feature enhances the security of the network and protects it from vulnerabilities.
3. Click Next. The VLANs details page is displayed.

Configuring VLAN Network Profile Settings

To configure VLAN settings, complete the following steps in the VLANs tab:

1. Mode--Specify any of the following modes:
   - Access--Select this mode to allow the port to carry a single VLAN specified as the native VLAN. If the Access mode is selected, perform one of the following:
     - If the Client IP Assignment is set to Virtual Controller Assigned, proceed to step 6.
     - If the Client IP Assignment is set to Network Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
   - Trunk--Select this mode to allow the port to carry packets for multiple VLANs specified as allowed VLANs. If the Trunk mode is selected:
     - Specify the Allowed VLAN: enter a list of comma-separated digits or ranges, for example 1, 2, 5, or 1-4, or all. The Allowed VLAN refers to the VLANs carried by the port in Access mode.
     - If the Client IP Assignment is set to Network Assigned, specify a value for Native VLAN. A VLAN that does not have a VLAN ID tag in the frames is referred to as the Native VLAN. You can specify a value within the range of 1-4093.
2. Client IP Assignment--Specify any of the following values:
   - Instant AP Assigned--Select this option to allow the virtual controller to assign IP addresses to the wired clients. When the virtual controller assignment is used, the source IP address is translated for all client traffic that goes through this interface. The virtual controller can also assign a guest VLAN to a wired client. In the Client VLAN Assignment section, select Default when the client VLAN must be assigned to the native VLAN on the network. Select Custom to customize the client VLAN assignment to a specific VLAN, or a range of VLANs. Click the Show Named VLANs section to view all the named VLANs mapped to VLAN IDs. Click +Add Named VLAN and enter the VLAN Name and VLAN ID that are to be mapped. Clicking OK populates the named VLAN in the VLAN Name to VLAN ID Mapping table.
   - External DHCP server Assigned--Select this option to allow the clients to receive an IP address from the network to which the Virtual Controller is connected. On selecting this option, the New button to create a VLAN is displayed. Create a new VLAN if required.
3. Click Next. The Security details page is displayed.

Configuring Security Settings

To configure security-specific settings, complete the following steps in the Security tab:

1. On the Security pane, select the following security options as per your requirement:
   - 802.1X Authentication--Set the toggle button to enable 802.1X Authentication. Configure the basic parameters such as the authentication server and MAC Authentication Fail-Through. Select any of the following options for the authentication server:
     - New--On selecting this option, an external RADIUS server must be configured to authenticate the users. For information on configuring an external server, see Configuring External Authentication Servers for APs.
     - Internal Server--If an internal server is selected, add the clients that are required to authenticate with the internal RADIUS server. Click the Users link to add the users.
     - Load Balancing--Set the toggle button to enable, if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Authentication Servers.
   - MAC Authentication--To enable MAC authentication, enable the toggle button. MAC authentication is disabled by default.
   - Captive Portal--Set the toggle button to enable captive portal authentication. For more information on configuring security on a captive portal, see Configuring Wired Networks for Guest Users on IAPs.
   - Open--Set the toggle button to enable, to set security for an open network.
2. Enable the Port Type Trusted option to connect uplink and downlink to a trusted port only.
3. In the Primary Server field, perform one of the following steps:
   - Internal Server--To use an internal server, select Internal Server and add the clients that are required to authenticate with the internal RADIUS server. Click Users to add the users. To add a new server, click +. For information on configuring external servers, see Configuring External Authentication Servers for APs.
   - Secondary Server--To add another server for authentication, configure another authentication server.
   - Authentication Survivability--If an external server is configured for authentication, you can enable authentication survivability. Specify a value in hours for Cache Timeout to set the duration after which the authenticated credentials in the cache expire. When the cache expires, the clients are required to authenticate again. You can specify a value within the range of 1 to 99 hours; the default value is 24 hours. By default, authentication survivability is disabled.
n Load Balancing--Set the toggle button to enable, if you are using two RADIUS authentication servers, to balance the load across these servers. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Authentication Servers. 4. MAC Authentication Fail-Thru--Set the toggle button to enable, to attempt 802.1X authentication is attempted when the MAC authentication fails. 5. Under the Advance Settings section, configure the following options: n Use IP for Calling Station ID--Set the toggle button to enable, to configure client IP address as calling station ID. n Called Station ID Type--Select one of the following options: n Access Point Group--Uses the VC ID as the called station ID. n Access Point Name--Uses the host name of the IAP as the called station ID. n VLAN ID--Uses the VLAN ID of as the called station ID. n IP Address--Uses the IP address of the IAP as the called station ID. n MAC address--Uses the MAC address of the IAP as the called station ID. The Called Station ID Type detail can be configured even if the Use IP for Calling Station ID is set to disabled. n Reauth Interval--Specify the interval at which all associated and authenticated clients must be re-authenticated. 6. Click Next. The Access pane is displayed. Aruba Central (on-premises) | User Guide 240 Configuring Access Settings To configure access-specific settings, complete the following steps: 1. In the Access tab, turn on the Downloadable Role toggle switch to allow downloading of preexisting user roles. or more information, see Configuring Downloadable Roles. n The Downloadable Role feature is optional. The Downloadable Role feature is available only for networks that include APs that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8. n At least one radius server must be configured to apply the Downloadable Role feature. 
For more information on configuring radius server, see Authentication Servers for IAPs 2. Click the action corresponding to the server. The Edit Server page is displayed. The Edit Server page displays the radius server name. The Name field is non-editable. 3. Enter the CPPM username along with the CPPM authentication credentials for the radius server. 4. Click Ok. 5. Under Access Rules, configure the following access rule parameters: a. Select any of the following types of access control: n Role-based--Allows the users to obtain access based on the roles assigned to them. n Unrestricted--Allows the users to obtain unrestricted access on the port. n Network-based--Allows the users to be authenticated based on access rules specified for a network. b. If the Role-based access control is selected: Under Role, select an existing role for which you want to apply the access rules, or click New and add the required role. To add a new access rule, click Add Rule under Access Rules For Selected Roles. The default role with the same name as the network is automatically defined for each network. The default roles cannot be modified or deleted. Configure role assignment rules. To add a new role assignment rule, click New under Role Assignment Rules. Under New Role Assignment Rule: a. Select an attribute. b. Specify an operator condition. c. Select a role. d. Click Save. 6. Click Finish to create the wired port profile successfully. Configuring Network Port Profile Assignment To map the wired port profile to ethernet ports, complete the following steps: Managing APs | 241 1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed. 2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view. 3. Click the Config icon. The tabs to configure the APs are displayed. 4. Click Show Advanced. 5. Click the Interfaces tab. The Interfaces page is displayed. 6. 
Click the Wired accordion. The Wired Port Profiles page is displayed. 7. In the Port Profiles Assignments section, assign wired port profiles to Ethernet ports: a. Select a profile from the Ethernet 0/0drop down list. b. Select the profile from the Ethernet 0/1 drop down list. c. If the IAP supports Ethernet 2, Ethernet 3 and Ethernet 4 ports, assign profiles to these ports by selecting a profile from the Ethernet 0/2, Ethernet 0/3, and Ethernet 0/4 drop-down list respectively. 8. Click Save Settings. Viewing Wired Port Profile Summary In the Summary tab, the Network Summary page displays all the settings configured in the General, VLANs, Security, and Access tabs. Click Save Settings to complete the network profile creation and save the settings. Configuring Downloadable Roles Aruba Central (on-premises) allows you to download pre-existing user roles when you create network profiles. The Downloadable Role feature is available only for networks that include access points (APs) that run a minimum of Aruba Instant 8.4.0.0 firmware version with a minimum of ClearPass server version 6.7.8. Aruba Instant and ClearPass Policy Manager include support for centralized policy definition and distribution. When ClearPass Policy Manager successfully authenticates a user, the user is assigned a role by ClearPass Policy Manager. If the role is not defined on the IAP, the role attributes can also be downloaded automatically. In order to provide highly granular per-user level access, user roles can be created when a user has been successfully authenticated. During the configuration of a policy enforcement profile in ClearPass Policy Manager, the administrator can define a role that should be assigned to the user after successful authentication. In RADIUS authentication, when ClearPass Policy Manager successfully authenticates a user, the user is assigned a role by ClearPass Policy Manager. 
If the role is not defined on the IAP, the role attributes can also be downloaded automatically. This feature supports roles obtained by the following authentication methods:

Aruba Central (on-premises) | User Guide 242

- 802.1X (WLAN and wired users)
- MAC authentication
- Captive Portal

This section describes the following topics:
- ClearPass Policy Manager Certificate Validation for Downloadable Role
- Enabling Downloadable Role Feature for Wireless Networks in Aruba Central
- Enabling Downloadable Role Feature for Wired Networks in Aruba Central

ClearPass Policy Manager Certificate Validation for Downloadable Role

When a ClearPass Policy Manager server is configured as the domain for RADIUS authentication for downloading user roles, the IAPs must validate the ClearPass Policy Manager customized CA. For this, the root CA of the ClearPass HTTPS server must be published at the well-known URL http://<clearpassfqdn>/.well-known/aruba/clearpass/https-root.pem. The IAP checks that the RADIUS server is defined by an FQDN, which it substitutes into this URL, and then attempts to fetch the trust anchor by using that RADIUS FQDN. Upon configuring the domain of the ClearPass Policy Manager server for RADIUS authentication along with a username and password, the IAP tries to retrieve the CA from the well-known URL and stores it in flash memory. However, if more than one ClearPass Policy Manager server is configured for authentication, the CA must be uploaded manually.

Enabling Downloadable Role Feature for Wireless Networks in Aruba Central

To enable the Downloadable Role feature, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab.
The WLANs details page is displayed.
5. In the WLANs tab, click + Add SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. In the Security tab, select the RADIUS server in the Primary Server field. At least one RADIUS server must be configured to apply the Downloadable User Roles feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.
7. Click Next.
8. The Access tab is displayed.
9. Turn on the Downloadable Role toggle switch to allow downloading of pre-existing user roles. The CPPM Settings table with Name, CPPM Username, and Actions columns related to the RADIUS servers is displayed.
   - The Downloadable Role feature is available only for networks that include APs running Aruba InstantOS firmware version 8.4.0.0 or later with ClearPass server version 6.7.8 or later.
   - At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.
10. Click the action corresponding to the RADIUS server listed in the CPPM Settings table. The Edit Server page is displayed. The Edit Server page displays the RADIUS server name. The Name field is non-editable.
11. Enter the following details:
   a. CPPM Username--Enter the ClearPass Policy Manager admin username.
   b. Password--Enter the password.
   c. Retype--Retype the password.
12. Click OK.

Enabling Downloadable Role Feature for Wired Networks in Aruba Central

To enable the Downloadable Role feature, perform the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4.
Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Wired accordion.
6. Under Wired, click + Add Port Profile. To modify an existing profile, select the network that you want to edit in the Wired Port Profiles pane, and then click the edit icon.
7. In the Security tab, select the RADIUS server in the Primary Server field. At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.
8. Click Next.
9. The Access tab is displayed.
10. Enable the Downloadable Role option to allow downloading of pre-existing user roles. The CPPM Settings table with Name, CPPM Username, and Actions columns related to the RADIUS servers is displayed.
   - The Downloadable Role feature is available only for networks that include APs running Aruba InstantOS firmware version 8.4.0.0 or later with ClearPass server version 6.7.8 or later.
   - At least one RADIUS server must be configured to apply the Downloadable Role feature. For more information on configuring a RADIUS server, see Authentication Servers for IAPs.
11. Click the action corresponding to the RADIUS server listed in the CPPM Settings table. The Edit Server page is displayed with the RADIUS server name. The Name field is non-editable.
12. Enter the following details:
   - CPPM Username--Enter the ClearPass Policy Manager admin username.
   - Password--Enter the password.
   - Retype--Retype the password.
13. Click OK.

Editing a Wireless Network Profile

To edit a network profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon.
The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select the network that you want to edit, and then click the edit icon under the Actions column.
6. Modify the profile and click Save Settings.

You can directly edit the SSID name under the Display Name column of the Wireless SSIDs table. Double-click the SSID that you want to rename, type the new name, and press Enter to complete the process.

Editing a Wired Port Profile

To edit a network profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Interfaces tab. The Interfaces details page is displayed.
5. Click the Wired accordion.
6. In the Wired Port Profiles pane, select the network that you want to edit, and then click the edit icon under the Actions column.
7. Modify the profile and click Save Settings.

Deleting a Network Profile

To delete a network profile, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select the network that you want to delete, and then click the delete icon under the Actions column.
6. Click Yes in the confirmation dialog box.

Aruba Mesh Network and Mesh IAP

Mesh Network Overview

The mesh solution effectively expands and configures network coverage for outdoor and indoor enterprises in a wireless environment.
The mesh network automatically reconfigures broken or blocked paths when traffic traverses mesh Instant Access Points (IAPs). This feature provides increased reliability by allowing the network to continue operating even when an IAP is non-functional or fails to connect to the network.

A mesh network requires at least one valid wired or 3G uplink connection. The mesh network must be provisioned by plugging into the wired network for the first time.

Mesh IAPs

The IAPs that are configured for mesh can operate either as mesh portals or as mesh points, based on the uplink type.

IAP as Mesh Portal

Any provisioned IAP that has a valid wired or 3G uplink connection functions as a mesh portal. A mesh portal acts as a gateway between the wireless mesh network and the enterprise wired LAN. The mesh roles are automatically assigned based on the IAP configuration. The mesh portal can also act as a virtual controller.

The mesh portal reboots after 5 minutes when it loses its uplink connectivity to a wired network.

IAP as Mesh Point

An IAP without an Ethernet link functions as a mesh point. The mesh point establishes an all-wireless path to the mesh portal, provides traditional WLAN services such as client connectivity, IDS capabilities, user role association, and QoS for LAN-to-mesh communication to the clients, and performs mesh backhaul or network connectivity. The mesh points authenticate to the mesh portal and establish a secured link using AES encryption.
- A mesh point also supports LAN bridging by connecting any wired device to the downlink port of the mesh point. In the case of single-Ethernet-port platforms such as the Instant AP-105, you can convert the Eth0 uplink port to a downlink port by enabling Eth0 Bridging.
- Redundancy is observed in a mesh network when two Instant APs have valid uplink connections, and most mesh points try to mesh directly with one of the two portals.
There can be a maximum of eight mesh points per mesh portal in a mesh network.

When mesh IAPs boot up, they scan the environment to locate and associate with their nearest neighbor. The mesh IAPs determine the best path to the mesh portal, ensuring reliable network connectivity. On a dual-radio IAP, the 2.4 GHz radio is always used for client traffic, and the 5 GHz radio is always used for both mesh backhaul and client traffic.

Automatic Mesh Role Assignment

Aruba Central (on-premises) supports enhanced role detection during IAP boot-up and IAP running time. When a mesh point discovers that the Ethernet 0 port link is up, it sends loop detection packets to check the availability of the Ethernet 0 link. If the Ethernet 0 link is available, the mesh point reboots as a mesh portal. Otherwise, the mesh point does not reboot.

Mesh Role Detection during System Boot-Up

If the Ethernet link is down during Instant AP boot-up, the IAP acts as a mesh point. If the Ethernet link is up, the IAP continues to detect whether the network is reachable in the following scenarios:
- In a static IP address scenario, the IAP acts as a mesh portal if it successfully pings the controller. Otherwise, it acts as a mesh point.
- In case of DHCP, the IAP acts as a mesh portal when it obtains the IP address successfully. Otherwise, it acts as a mesh point.
- In case of IPv6, IAPs do not support a static IP address but only DHCP for detection of network reachability.

If the IAP has a 3G or 4G USB modem plugged in, it always acts as a mesh portal. If the IAP is set to Ethernet 0 bridging, it always acts as a mesh point.

Mesh Role Detection during System Running Time

The mesh point uses the Loop Protection for Secure Jack Port feature to detect a loop when the Ethernet link is up. If a loop is detected, the Instant AP reboots. Otherwise, the Instant AP does not reboot and continues to act as a mesh point.
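The boot-up and running-time role rules above, written out as an added example in Python (not Aruba's code). The function names, the BootState fields and the sample inputs are assumptions; where the guide does not say which of two overriding rules wins, the code refuses rather than guessing.

```python
"""
Added example, not Aruba code: a model of the mesh role rules described
above (boot-up detection, the USB modem and Eth0 bridging overrides, the
running-time loop check and the portal uplink-loss reboot).  Function
names and inputs are assumptions; the rules themselves are the guide's.
"""
from dataclasses import dataclass

MESH_PORTAL = "mesh portal"
MESH_POINT = "mesh point"
# A portal reboots after 5 minutes without its wired uplink.
PORTAL_UPLINK_LOSS_REBOOT_SECONDS = 5 * 60


@dataclass
class BootState:
    """Conditions observed at IAP boot-up (constructed input, not a real API)."""
    eth0_link_up: bool
    addressing: str                      # "static" or "dhcp"
    ip_version: int = 4
    controller_ping_ok: bool = False     # meaningful for static IPv4 only
    dhcp_lease_obtained: bool = False    # meaningful for DHCP only
    usb_modem_present: bool = False      # 3G/4G USB modem plugged in
    eth0_bridging: bool = False          # Eth0 configured as a downlink port


def boot_role(state: BootState) -> str:
    """Role an IAP takes at boot according to the guide's detection rules."""
    if state.usb_modem_present and state.eth0_bridging:
        # The guide says a modem always yields a portal and Eth0 bridging
        # always yields a point; it does not say which wins, so do not guess.
        raise ValueError("USB modem with Eth0 bridging: precedence not defined")
    if state.usb_modem_present:
        return MESH_PORTAL
    if state.eth0_bridging:
        return MESH_POINT
    if not state.eth0_link_up:
        return MESH_POINT
    # Link is up: check whether the wired network is actually reachable.
    if state.ip_version == 6 and state.addressing != "dhcp":
        raise ValueError("IPv6 reachability detection supports DHCP only")
    if state.addressing == "static":
        return MESH_PORTAL if state.controller_ping_ok else MESH_POINT
    if state.addressing == "dhcp":
        return MESH_PORTAL if state.dhcp_lease_obtained else MESH_POINT
    raise ValueError(f"unknown addressing mode {state.addressing!r}")


def point_runtime_action(eth0_link_up: bool, loop_detected: bool) -> str:
    """Running-time behaviour of a mesh point whose Eth0 link comes up.

    Assumption: the guide's 'Ethernet 0 link is available' and 'loop is
    detected' describe the same outcome of the loop-detection packets.
    """
    if eth0_link_up and loop_detected:
        return "reboot as " + MESH_PORTAL
    return "stay " + MESH_POINT


def portal_should_reboot(seconds_without_uplink: int) -> bool:
    """A portal reboots once its wired uplink has been gone for 5 minutes."""
    return seconds_without_uplink >= PORTAL_UPLINK_LOSS_REBOOT_SECONDS


if __name__ == "__main__":
    remote = BootState(eth0_link_up=False, addressing="dhcp")
    wired = BootState(eth0_link_up=True, addressing="dhcp", dhcp_lease_obtained=True)
    print(boot_role(remote), "/", boot_role(wired))   # mesh point / mesh portal
```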
Setting up Instant Mesh Network

To provision Instant APs as mesh Instant APs, complete the following steps:
1. Connect the Instant APs to a wired switch.
2. Ensure that the virtual controller key is synchronized and the country code is configured.
3. Ensure that a valid SSID is configured on the Instant AP.
4. If the Instant AP has a factory default SSID (SetMeUp or Instant SSID), delete the SSID.
5. If an Extended SSID is enabled on the virtual controller, disable Extended SSID in the System > General accordion and reboot the Instant AP cluster.
6. Disconnect the Instant APs that you want to deploy as mesh points from the switch, and place the Instant APs at a remote location. The Instant APs come up without any wired uplink connection and function as mesh points. The Instant APs with valid uplink connections function as mesh portals.

Configuring Wired Bridging on Eth0 for Mesh Point

Aruba Central (on-premises) supports wired bridging on the Eth0 port of an Instant AP. You can configure wired bridging if the Instant AP is configured to function as a mesh point.

To configure support for wired bridging on the Eth0 port of an Instant AP from the Aruba Central (on-premises) UI, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click the Access Points tab. The Access Points table is displayed.
4. To edit an AP, select an AP in the Access Points table, and then click the edit icon.
5. Click the Uplink tab.
6. To configure a non-native uplink VLAN, specify the management VLAN number in the Uplink Management VLAN text box.
7. From the Eth0 Mode drop-down list, select one of the following:
   - Uplink--Select this option to change the Eth0 bridging mode to the uplink port.
   - Downlink--Select this option to change the Eth0 bridging mode to the downlink port.
8. Click Save Settings.

After configuring support for wired bridging on the Eth0 port of an Instant AP, ensure that you reboot the Instant AP.

Mesh Cluster Function

Aruba Central (on-premises) introduces the mesh cluster function for easy deployments of Instant APs. You can configure the ID and password, and also provision Instant APs to a specific mesh cluster. In a cluster-based scenario, you can configure unlimited mesh profiles in a network.

When an Instant AP boots up, it attempts to find a mesh cluster configuration. The Instant AP fetches a pre-existing mesh cluster configuration, if any. Otherwise, it uses the default mesh configuration, in which the SSID, password, and cluster name are generated from the virtual controller key. Instant APs that belong to the same mesh network can establish mesh links with each other. The Instant APs can establish a mesh link in a standalone scenario also. However, the network role election does not take place in a standalone environment. Users can set the same mesh cluster configuration to establish mesh links with other networks.

For more information on mesh cluster configuration, refer to the Mesh Instant AP Configuration chapter of the Aruba Instant User Guide.

Configuring Mesh for Multiple Radios

Mesh clusters are grouped and defined by a mesh cluster profile, which provides the framework of the mesh network.
The mesh cluster profile contains the MSSID, authentication methods, security credentials, and cluster priority required for mesh points to associate with their neighbors and join the cluster. Associated mesh points store this information in flash memory. Although most mesh deployments require only a single mesh cluster profile, you can configure and apply multiple mesh cluster profiles to an individual AP.

To configure a mesh for multiple radios, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Mesh accordion.
7. Select the radio band to deploy the mesh network on from the Mesh Band drop-down list.
8. Click + in the Mesh table. The Mesh pane is displayed.
9. Configure the following parameters:

Table 59: Mesh Configuration Parameters
- Name--Name for the mesh cluster profile. Range: 8-32 characters.
- Key--Configures a WPA2 PSK or passphrase as the cluster key. Range: 8-64 characters.
- Priority--Configures the priority of the mesh cluster profile. If more than two mesh cluster profiles are configured, mesh points use this number to identify primary and backup profiles. The lower the number, the higher the priority. Range: 1-15.
- Opmode--Configures the operation mode. Select WPA2 PSK or WPA3 SAE from the drop-down list.

10. Click OK.
11. Click Save Settings.
Configuring ARM and RF Parameters on IAPs

This section provides the following information:
- ARM Overview
- Configuring ARM Features
- Configuring Radio Parameters

ARM Overview

ARM is a radio frequency management technology that optimizes WLAN performance even in networks with the highest traffic by dynamically and intelligently choosing the best 802.11 channel and transmit power for each Instant Access Point (IAP) in its current RF environment. ARM works with all standard clients, across all operating systems, while remaining in compliance with the IEEE 802.11 standards. It does not require any proprietary client software to achieve its performance goals. ARM ensures low-latency roaming, consistently high performance, and maximum client compatibility in a multi-channel environment. By ensuring the fair distribution of available Wi-Fi bandwidth to mobile devices, ARM ensures that data, voice, and video applications have sufficient network resources at all times. ARM allows mixed 802.11a, b, g, n, and ac client types to interoperate at the highest performance levels.

When ARM is enabled, an IAP dynamically scans all 802.11 channels within its 802.11 regulatory domain at regular intervals and sends reports on WLAN coverage, interference, and intrusion detection to the virtual controller. ARM computes coverage and interference metrics for each valid channel, and chooses the best performing channel and transmit power settings for each IAP RF environment. Each IAP gathers other metrics on its ARM-assigned channel to provide a snapshot of the current RF health state.

IAPs support the following ARM features:
- Channel or Power Assignment--Assigns channel and power settings for all the IAPs in the network according to changes in the RF environment.
- Voice Aware Scanning--Improves voice quality by preventing an IAP from scanning for other channels in the RF spectrum during a voice call and by allowing an IAP to resume scanning when there are no active voice calls.
- Load Aware Scanning--Dynamically adjusts the scanning behavior to maintain uninterrupted data transfer on resource-intensive systems when the network traffic exceeds a predefined threshold.
- Band Steering--Assigns the dual-band capable clients to the 5 GHz band on dual-band IAPs, thereby reducing co-channel interference and increasing the available bandwidth for dual-band clients.
- Client Match--Continually monitors the RF neighborhood of the client to support the ongoing band steering and load balancing of channels, and enhanced IAP reassignment for roaming mobile clients. When Client Match is enabled on 802.11n capable IAPs, the Client Match feature overrides any settings configured for the legacy band steering, station hand-off assist, or load balancing features. The 802.11ac capable IAPs do not support the legacy band steering, station hand-off, or load balancing settings, so these IAPs must be managed using Client Match.
- Airtime Fairness--Provides equal access to all clients on the wireless medium, regardless of client type, capability, or operating system, to deliver uniform performance to all clients.

For more information on ARM features supported by the APs, see the Aruba Instant User Guide.

Configuring ARM Features

To configure the ARM features, complete the following steps:
1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the Radios tab. The Radios details page is displayed.
5.
Under RF > Adaptive Radio Management (ARM), the Client Control section displays the following components:
   - Band Steering Mode
   - Airtime Fairness Mode
   - ClientMatch
   - ClientMatch Calculating Interval
   - ClientMatch Neighbor Matching
   - ClientMatch Threshold
   - ClientMatch Key
   - Spectrum Load Balancing Mode
6. For Band Steering Mode, configure the following parameters.

Table 60: Band Steering Mode Configuration Parameters
- Prefer 5 GHz--Enables band steering in the 5 GHz mode. On selecting this, the IAP steers the client to the 5 GHz band (if the client is 5 GHz capable), but allows the client connection on the 2.4 GHz band if the client persistently attempts 2.4 GHz association.
- Force 5 GHz--Enforces 5 GHz band steering mode on the IAPs.
- Balance Bands--Allows the IAP to balance the clients across the two radios to best utilize the available 2.4 GHz bandwidth. This feature takes into account the fact that the 5 GHz band has more channels than the 2.4 GHz band, and that the 5 GHz channels operate in 40 MHz, while the 2.4 GHz band operates in 20 MHz.
- Disable--Allows the clients to select the band to use.

7. For Airtime Fairness Mode, specify any of the following values.

Table 61: Airtime Fairness Mode Configuration Parameters
- Default Access--Allows access based on client requests. When Airtime Fairness Mode is set to the Default Access option, per-user and per-SSID bandwidth limits are not enforced.
- Fair Access--Allocates air time evenly across all the clients.
- Preferred Access--Sets a preference where 802.11n clients are assigned more air time than 802.11a/11g clients. The 802.11a/11g clients get more air time than 802.11b clients. The ratio is 16:4:1.

8. For ClientMatch, configure the following parameters.

Table 62: Client Match Configuration Parameters
- Client Match--Turn on the toggle switch to enable the Client Match feature on APs.
  When enabled, the client count is balanced among all the channels in the same band. When Client Match is enabled, ensure that the Scanning option is enabled. For more information, see AP Control Configuration Parameters.
  NOTE: When Client Match is disabled, channels can be changed even when clients are active on a BSSID. The Client Match option is disabled by default.
- ClientMatch Calculating Interval--Configures a value for the calculating interval of Client Match. The interval is specified in seconds and the default value is 3 seconds. You can specify a value within the range of 1-600.
- ClientMatch Neighbor Matching--Configures the neighbor matching percentage of Client Match. This number is the least similarity percentage for an AP to be considered in the same virtual RF neighborhood of Client Match. You can specify a percentage value within the range of 20-100. The default value is 60%.
- ClientMatch Threshold--Configures a Client Match threshold value. This threshold is the maximum difference allowed in the number of associated clients between channels, radios, or channel + radios. When the client load on an AP reaches or exceeds the threshold in comparison, Client Match is enabled on that AP. You can specify a value within the range of 1-20. The default value is 5.
- ClientMatch Key--Enables the Client Match feature to work across different standalone IAPs in the same management VLAN. All such standalone IAPs must be set with the same Client Match key. Client Match uses the wired layer 2 protocol to synchronize information exchanged between IAPs. Users have an option to configure the Client Match keys. IAPs verify whether the frames that they broadcast contain a common Client Match key. IAPs that receive these frames verify whether the sender belongs to the same network or whether the sender and receiver both have the same Client Match key. You can specify a value within the range of 1-2147483646.
- Spectrum Load Balancing Mode--Enables the Spectrum Load Balancing mode to determine the balancing strategy for Client Match. The following options are available:
  - Channel--Balances client count based on each channel.
  - Radio--Balances client count based on each radio.
  - Channel + Radio--Balances client count based on each channel and each radio.

9. Click Access Point Control, and configure the following parameters.

Table 63: AP Control Configuration Parameters
- Customize Valid Channels--Allows you to select a custom list of valid 20 MHz and 40 MHz channels for the 2.4 GHz and 5 GHz bands. By default, the AP uses the valid channels defined by the Country Code (regulatory domain). On selecting Customize Valid Channels, a list of valid channels for both the 2.4 GHz and 5 GHz bands is displayed. The valid channel customization feature is disabled by default. The valid channels automatically show in the Static Channel Assignment pane.
- Min Transmit Power--Allows you to configure a minimum transmission power within a range of 3 to 33 dBm in 3 dBm increments. If the minimum transmission EIRP setting configured on an AP is not supported by the AP model, this value is reduced to the highest supported power setting. The default value for minimum transmit power is 18 dBm.
- Max Transmit Power--Allows you to configure the maximum transmission power within a range of 3 to 33 dBm in 3 dBm increments. If the maximum transmission EIRP configured on an AP is not supported by the local regulatory requirements or the AP model, the value is reduced to the highest supported power setting.
- Client Aware--Allows ARM to control channel assignments for the IAPs with active clients. When the Client Match mode is disabled, an IAP may change to a more optimal channel, which disrupts current client traffic. The Client Aware option is enabled by default.
- Scanning--Allows the IAP to dynamically scan all 802.11 channels within its 802.11 regulatory domain at regular intervals. This scanning report includes WLAN coverage, interference, and intrusion detection data. For Client Match configuration, ensure that Scanning is enabled.
- Wide Channel Bands--Allows administrators to configure 40 MHz channels in the 2.4 GHz and 5 GHz bands. 40 MHz channels are two adjacent 20 MHz channels that are bonded together. The 40 MHz channel effectively doubles the frequency bandwidth available for data transmission. For high performance, you can select 5 GHz. If the AP density is low, enable it in the 2.4 GHz band.
- 80 MHz Support--Enables or disables the use of 80 MHz channels on APs. This feature allows ARM to assign 80 MHz channels on APs with 5 GHz radios, which support a very high throughput. This setting is enabled by default. Only the APs that support 802.11ac can be configured with 80 MHz channels.

10. Click Channel Control, and configure the following parameters.

Table 64: Channel Control Configuration Parameters
- Backoff Time--Allows you to configure the time within a range of 10 to 3600 seconds for which an IAP backs off after requesting a new channel or power. It can increase the time window of the channel interference check and the time window of the power check. The default backoff time is 240 seconds.
- Free Channel Index--Allows you to set the required difference in the channel interference index between the new channel and the existing channel. An IAP only moves to a new channel if the new channel has a lower interference index value than the current channel. This parameter specifies the required difference between the two interference index values before the IAP moves to the new channel. The lower this value, the more likely the IAP moves to the new channel. It has a default value of 25.
- Ideal Coverage Index--Allows you to specify the ideal coverage index, in the range of 2 to 20, which an IAP tries to achieve on its channel. The denser the IAP deployment, the lower this value should be. It has a default value of 10.
- Channel Quality Aware Arm Disable--Allows ARM to ignore the internally calculated channel quality metric and initiate channel changes based on the thresholds defined in the profile. ARM then chooses the channel based on the calculated interference index value. The Channel Quality Aware Arm Disable option is disabled by default.
- Channel Quality Threshold--Allows you to specify the channel quality percentage, within a range of 0 to 100, below which ARM initiates a channel change. It has a default value of 70%.
- Channel Quality Wait Time--Specifies the time for which the channel quality must stay below the channel quality threshold value to initiate a channel change. It has a range of 1 to 3600 seconds, with a default value of 120 seconds. If the current channel quality is below the specified channel quality threshold for this wait time period, ARM initiates a channel change.

11. Click Error Rate, and configure the following parameters.

Table 65: Error Rate Configuration Parameters
- Error Rate Threshold--Configures the minimum percentage of errors in the channel that triggers a channel change. It has a range of 0 to 100%, with a default value of 70%.
- Error Rate Wait Time--Configures the time for which the error rate has to be at least equal to the error rate threshold to trigger a channel change. The error rate must be equal to or more than the error rate threshold to trigger a channel change. It has a range of 1 to 3600 seconds, with a default value of 90 seconds.

12. Click Save Settings.

Configuring Radio Parameters

To configure RF parameters for the 2.4 GHz and 5 GHz radio bands on an Instant Access Point (IAP), complete the following steps:
1.
In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the Radios tab. The Radios details page is displayed.
5. Expand the Radio accordion in the RF dashboard.
6. Under 2.4 GHz band and 5 GHz band, configure the following parameters by clicking the + sign.

Table 66: Radio Configuration Parameters
- Zone--Allows you to configure a zone per radio band for IAPs in a cluster. You can also configure an RF zone per IAP.
  NOTE: Aruba recommends that you configure the RF zone either for individual APs or for the cluster. Any discrepancy in the RF zone names may lead to configuration errors.
- Legacy Only--Turn on the Legacy Only toggle switch. When enabled, the IAP runs the radio in the non-802.11n mode. This option is disabled by default.
- 802.11d / 802.11h--Turn on the 802.11d / 802.11h toggle switch. When enabled, the radios advertise their 802.11d (Country Information) and 802.11h (Transmit Power Control) capabilities. This option is disabled by default.
- Beacon Interval--Configures the beacon period for the IAP in milliseconds. This indicates how often the 802.11 beacon management frames are transmitted by the AP. You can specify a value within the range of 60-500. The default value is 100 milliseconds.
- Interference Immunity Level--Configures the immunity level to improve performance in high-interference environments. The default immunity level is 2.
  - Level 0--No ANI adaptation.
  - Level 1--Noise immunity only. This level enables power-based packet detection by controlling the amount of power increase that makes a radio aware that it has received a packet.
  - Level 2--Noise and spur immunity.
This level also controls the detection of OFDM packets, and is the default setting for the Noise Immunity feature. n Level 3--Level 2 settings and weak OFDM immunity. This level minimizes false detects on the radio due to interference, but may also reduce radio sensitivity. This level is recommended for environments with a high-level of interference related to 2.4 GHz appliances such as cordless phones. n Level 4--Level 3 settings, and FIR immunity. At this level, the AP adjusts its sensitivity to in-band power, which can improve performance in environments with high and constant levels of noise interference. n Level 5--The AP completely disables PHY error reporting, improving performance by eliminating the time the IAP spends on PHY processing. Increasing the immunity level makes the AP lose a small amount of range. Channel Switch Announcement Count Configures the number of channel switching announcements to be sent before switching to a new channel. This allows the associated clients to recover gracefully from a channel change. Background Spectrum Monitoring Turn on the Background Spectrum Monitoring toggle switch. When enabled, the APs in the access mode continue with their normal access service to clients, while performing additional function of monitoring RF interference (from both neighboring APs and non Wi-Fi sources such as, microwaves and cordless phones) on the channel they are currently serving the clients. Aruba Central (on-premises) | User Guide 256 Table 66: Radio Configuration Parameters Data Pane Item Description Customize ARM Power Range Configures a minimum (Min Power) and maximum (Max Power) power range value for the 2.4 GHz and 5 GHz band frequencies. The default value is 3 dBm. Unlike the configuration in the ARM profile, the transmit power of all radios in the Radio profile do not share the same configuration. Enable 11ac Turn on the Enable 11ac toggle switch. When enabled, VHT is enabled on the 802.11ac devices for the 5 GHz radio band. 
If VHT is enabled for the 5 GHz radio profile on an IAP, it is automatically enabled for all SSIDs configured on an IAP. By default, VHT is enabled on all SSIDs. NOTE: If you want the 802.11ac IAPs to function as 802.11n IAPs, clear this check box to disable VHT on these devices. Smart antenna Turn on the Smart antenna toggle switch to combine an antenna array with a digital signal-processing capability to transmit and receive in an adaptive, spatially sensitive manner. ARM/WIDS Override When ARM/WIDS Override is disabled, the Instant AP will always process frames for WIDS. WIDS is an application that detects the attacks on a wireless network or wireless system. purposes even when it is heavily loaded with client traffic. When ARM/WIDS Override is enabled, the Instant AP will stop processing frames for WIDS. 7. Click Save Settings. Configuring IDS Parameters on APs Aruba Central supports the IDS feature that monitors the network for the presence of unauthorized access points (APs). It also logs information about the unauthorized APs and clients, and generates reports based on the logged information. Rogue APs The IDS feature in the Aruba Central network enables you to detect rogue APs, interfering APs, and other devices that can potentially disrupt network operations. A rogue AP is an unauthorized AP plugged into the wired side of the network. An interfering AP is an AP seen in the RF environment, but it is not connected to the wired network. While the interfering AP can potentially cause RF interference, it is not considered a direct security threat, because it is not connected to the wired network. However, an interfering AP may be reclassified as a rogue AP. The built-in IDS scans for APs that are not controlled by the VC. These are listed and classified as either Interfering or Rogue, depending on whether they are on a foreign network or your network. 
Configuring Wireless Intrusion Detection and Protection Policies

To configure a Wireless Intrusion Detection and Protection policy:

1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced.
5. Click Security. The Security details page is displayed.
6. Click the Wireless IDS/IPS accordion. The following three sections are displayed:
- Detection
- Protection
- Firewall Settings

You can configure the following options in these sections:
- Infrastructure Detection Policies--Specifies the policy for detecting wireless attacks on APs.
- Client Detection Policies--Specifies the policy for detecting wireless attacks on clients.
- Infrastructure Protection Policies--Specifies the policy for protecting APs from wireless attacks.
- Client Protection Policies--Specifies the policy for protecting clients from wireless attacks.
- Firewall Policies--Specifies the policies that set up a firewall for secured network access.
- Containment Methods--Prevents unauthorized stations from connecting to your Aruba Central network.

Each of these options provides several default levels that enable different sets of policies. An administrator can also customize a level by enabling or disabling individual policies.

Detection

The detection levels are configured in the Detection section. The following levels can be configured on the WIP Detection page:
- High
- Medium
- Low
- Off
- Custom

The following table describes the detection policies enabled at each level of the Infrastructure Detection field.

Table 67: Infrastructure Detection Policies

High:
- Detect Windows Bridge--Enables detection of Windows station bridging.
- Signature Deassociation Broadcast--Configures signature matching for the deassociation broadcast frame type.
- Signature Deauthentication Broadcast--Configures signature matching for the deauthentication broadcast frame type.
- Detect AP Spoofing--Enables AP spoofing detection.
- Detect adhoc using VALID SSID--Enables detection of ad hoc networks that use a valid SSID.
- Detect malformed large duration--Enables detection of unusually large duration values in frames.
- Detect Overflow EAPOL key--Enables detection of overflow EAPOL key requests.
- Detect Invalid Address Combination--Enables detection of invalid address combinations.
- Detect AP Impersonation--Enables detection of AP impersonation. In an AP impersonation attack, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation can be used for man-in-the-middle attacks, by a rogue AP attempting to bypass detection, or for a honeypot attack.
- Detect AP Flood--Enables detection of flooding with fake AP beacons, which confuses legitimate users and increases the amount of processing needed on client operating systems.
- Detect Beacon Wrong Channel--Enables detection of beacons advertising the incorrect channel.
- Detect ht Greenfield--Enables detection of high-throughput devices advertising greenfield preamble capability.
- Detect Overflow IE--Enables detection of overflowing Information Elements (IEs).
- Detect RTS Rate Anomaly--Enables detection of RTS rate anomalies.
- Detect Malformed HT IE--Enables detection of malformed HT Information Elements (IEs).
- Detect CTS Rate Anomaly--Enables detection of CTS rate anomalies.
- Detect Malformed Frame Auth--Enables detection of malformed authentication frames.
- Detect invalid MAC OUI--Enables checking of the first three bytes of a MAC address, known as the organizationally unique identifier (OUI), which the IEEE assigns to known manufacturers. Clients using a spoofed MAC address often do not use a valid OUI and instead use a randomly generated MAC address. Enabling the MAC OUI check triggers an alarm if an unrecognized MAC address is in use.
- Detect Malformed Association Request--Enables detection of malformed association requests.
- Detect Bad WEP--Enables detection of WEP initialization vectors that are known to be weak and/or repeating. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for such weak implementations, which are still used by many legacy devices.
- Detect Wireless Bridge--Enables detection of wireless bridging.
- Detect HT 40 MHz intolerance--Enables detection of the 802.11n 40 MHz intolerance setting when stations and APs advertise 40 MHz intolerance.
- Detect Valid SSID Misuse--Enables detection of interfering or neighbor APs using valid or protected SSIDs.
- Detect Adhoc Network--Enables detection of ad hoc networks.
- Detect Client Flood--Enables detection of client flood attacks.

Medium:
- Detect Windows Bridge--Enables detection of Windows station bridging.
- Signature Deassociation Broadcast--Configures signature matching for the deassociation broadcast frame type.
- Signature Deauthentication Broadcast--Configures signature matching for the deauthentication broadcast frame type.
- Detect AP Spoofing--Enables AP spoofing detection.
- Detect adhoc using VALID SSID--Enables detection of ad hoc networks that use a valid SSID.
- Detect malformed large duration--Enables detection of unusually large duration values in frames.

Low:
- Detect Windows Bridge--Enables detection of Windows station bridging.
- Signature Deassociation Broadcast--Configures signature matching for the deassociation broadcast frame type.
- Signature Deauthentication Broadcast--Configures signature matching for the deauthentication broadcast frame type.
- Detect AP Spoofing--Enables AP spoofing detection.

Off: All detection policies are disabled.

Custom: Allows you to select custom detection policies. To select a policy, click its check box.

The following table describes the detection policies enabled at each level of the Client Detection field.

Table 68: Client Detection Policies

High:
- Detect Valid Client Misassociation--Enables detection of misassociation between a valid client and an unsafe AP. This setting can detect the following misassociation types:
  - Misassociation to rogue AP
  - Misassociation to external AP
  - Misassociation to honeypot AP
  - Misassociation to adhoc AP
  - Misassociation to Hosted AP
- Detect Hotspotter Attack--Enables detection of Hotspotter attacks.
- Detect Power Save DOS Attack--Enables detection of Power Save DoS attacks.
- Detect Omerta Attack--Enables detection of Omerta attacks.
- Detect Disconnect Station--Enables detection of station disconnection attacks. In a station disconnection attack, the attacker spoofs the MAC address of either an active client or an active AP, then sends deauthentication frames to the target device, causing it to lose its active association.
- Detect unencrypted Valid--Enables detection of unencrypted valid clients.
- Detect Block ACK Attack--Enables detection of attempts to reset traffic receive windows using forged Block ACK Add messages.
- Detect FATA-Jack--Enables detection of FATA-Jack attacks.
- Detect Rate Anomalies--Enables detection of rate anomalies.
- Detect ChopChop Attack--Enables detection of ChopChop attacks.
- Detect EAP Rate Anomaly--Enables Extensible Authentication Protocol (EAP) handshake analysis to detect an abnormal number of authentication procedures on a channel, and generates an alarm when this condition is detected.
- Detect TKIP Replay Attack--Enables detection of TKIP replay attacks.
- Signature-Air Jack--Enables signature matching for the Air Jack frame type.
- Signature-ASLEAP--Enables signature matching for the ASLEAP frame type.

Medium:
- Detect Valid Client Misassociation--Enables detection of misassociation between a valid client and an unsafe AP. This setting can detect the following misassociation types:
  - Misassociation to rogue AP
  - Misassociation to external AP
  - Misassociation to honeypot AP
  - Misassociation to adhoc AP
  - Misassociation to Hosted AP
- Detect Hotspotter Attack--Enables detection of Hotspotter attacks.
- Detect Power Save DOS Attack--Enables detection of Power Save DoS attacks.
- Detect Omerta Attack--Enables detection of Omerta attacks.
- Detect Disconnect Station--Enables detection of station disconnection attacks. In a station disconnection attack, the attacker spoofs the MAC address of either an active client or an active AP, then sends deauthentication frames to the target device, causing it to lose its active association.
- Detect unencrypted Valid--Enables detection of unencrypted valid clients.
- Detect Block ACK Attack--Enables detection of attempts to reset traffic receive windows using forged Block ACK Add messages.
- Detect FATA-Jack--Enables detection of FATA-Jack attacks.

Low:
- Detect Valid Client Misassociation--Enables detection of misassociation between a valid client and an unsafe AP. This setting can detect the following misassociation types:
  - Misassociation to rogue AP
  - Misassociation to external AP
  - Misassociation to honeypot AP
  - Misassociation to adhoc AP
  - Misassociation to Hosted AP

Off: All detection policies are disabled.

Custom: Allows you to select custom detection policies. To select a policy, click its check box.

Protection

The following levels of protection can be configured on the WIP Protection page:
- Off
- Low
- High
- Custom

The following table describes the protection policies enabled at each level of the Infrastructure Protection field.

Table 69: Infrastructure Protection Policies

Off: All protection policies are disabled.

Low:
- Protect SSID--Enforces the policy that valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating to it.
- Rogue Containment--Controls rogue APs. By default, detected rogue APs are not automatically disabled. This option automatically disables a rogue AP by preventing clients from associating to it.

High:
- Protect SSID--Enforces the policy that valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating to it.
- Rogue Containment--Controls rogue APs. By default, detected rogue APs are not automatically disabled. This option automatically disables a rogue AP by preventing clients from associating to it.
- Protect AP Impersonation--Enables protection from AP impersonation attacks. When AP impersonation is detected, both the legitimate and the impersonating AP are disabled using a denial of service (DoS).
- Protect from Adhoc Networks--Enables protection from ad hoc networks. When ad hoc networks are detected, they are disabled using a denial of service attack.

Custom: Allows you to select custom protection policies. To select a policy, click its check box.

The following table describes the protection policies enabled at each level of the Client Protection field.

Table 70: Client Protection Policies

Off: All protection policies are disabled.

Low:
- Protect Valid Station--Enables protection of valid stations. When enabled, valid stations are not allowed to connect to a non-valid AP.

High:
- Protect Valid Station--Enables protection of valid stations. When enabled, valid stations are not allowed to connect to a non-valid AP.
- Protect Windows Bridge--Enables protection against Windows station bridging.

Custom: Allows you to select custom protection policies. To select a policy, click its check box.

Containment Methods

You can enable wired and wireless containment measures to prevent unauthorized stations from connecting to your Aruba Central network. Aruba Central supports the following containment mechanisms:
- Wired containment--When enabled, APs generate ARP packets on the wired network to contain wireless attacks.
- Wireless containment--When enabled, the system attempts to disconnect all clients that are connected or attempting to connect to the identified AP:
  - None--Disables all containment mechanisms.
  - Deauthenticate only--With deauthentication containment, the AP or client is contained by disrupting the client association on the wireless interface.
  - Tarpit containment--With tarpit containment, the AP is contained by luring clients that attempt to associate with it to a tarpit. The tarpit can be on the same channel as, or a different channel from, the AP being contained.
  - Tarpit all stations--Enables wireless containment by tarpit for all stations.

The FCC and some third parties have alleged that under certain circumstances, the use of containment functionality violates 47 U.S.C. §333. Before using any containment functionality, ensure that your intended use is allowed under the applicable rules, regulations, and policies. Aruba is not liable for any claims, sanctions, or other direct, indirect, special, consequential or incidental damages related to your use of containment functionality.

Protection Against Wired Attacks

In the Protection Against Wired Attacks section, you can enable the following options:
- Drop Bad ARP--Drops fake ARP packets.
- Fix Malformed DHCP--Fixes malformed DHCP packets.
- ARP Poison Check--Triggers an alert on ARP poisoning caused by rogue APs.
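The detection policies in Tables 67 and 68 are applied by the IAP itself and are only switched on or off from this page. To make concrete what a few of them actually test for, the following added example (not code from this guide or from Aruba) runs a miniature WIDS over a constructed list of 802.11 frame summaries: the deauthentication and deassociation broadcast signatures, the invalid MAC OUI check, Valid SSID Misuse, Beacon Wrong Channel and EAP Rate Anomaly. The OUI table (a tiny stand-in for the IEEE registry), the protected SSID and its valid BSSIDs, the EAP threshold and window, and the sample frames are all assumptions made for this example.

```python
"""Added example (not Aruba code): a miniature WIDS that applies a few of the
detection policies from Tables 67 and 68 to constructed 802.11 frame summaries."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Assumed configuration for this example. KNOWN_OUIS is a tiny constructed
# subset standing in for the IEEE OUI registry; VALID_SSIDS/VALID_BSSIDS are the
# protected SSID and the BSSIDs that legitimately serve it.
KNOWN_OUIS = {"00:0b:86", "24:de:c6", "00:1c:b3"}
VALID_SSIDS = {"corp-secure"}
VALID_BSSIDS = {"00:0b:86:11:22:30"}
EAP_RATE_THRESHOLD = 5      # EAPOL-Start frames per channel per window (assumed)
EAP_WINDOW_SECONDS = 10.0


def oui(mac):
    """First three octets of a MAC address, lower-case and colon separated."""
    return mac.lower()[:8]


def is_locally_administered(mac):
    """U/L bit (0x02 in the first octet) set: a randomized or self-assigned
    address to which no vendor OUI applies."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def analyze(frames):
    """Return (policy, detail) alerts in the order they fire."""
    alerts = []
    eapol_starts = defaultdict(list)   # rx channel -> timestamps inside the window
    for f in frames:
        sub = f["subtype"]
        # Signature Deauthentication/Deassociation Broadcast
        if sub in ("deauth", "disassoc") and f["da"] == BROADCAST:
            alerts.append((f"Signature {sub} broadcast", f["sa"]))
        # Detect invalid MAC OUI: applied to frames that carry a client address
        if sub in ("auth", "assoc_req") and oui(f["sa"]) not in KNOWN_OUIS:
            note = " (locally administered)" if is_locally_administered(f["sa"]) else ""
            alerts.append(("Detect invalid MAC OUI", f["sa"] + note))
        if sub == "beacon":
            # Detect Valid SSID Misuse: protected SSID from a BSSID that is not ours
            if f.get("ssid") in VALID_SSIDS and f["bssid"] not in VALID_BSSIDS:
                alerts.append(("Detect Valid SSID Misuse", f["bssid"]))
            # Detect Beacon Wrong Channel: DS Parameter IE disagrees with the receive channel
            if f.get("ds_channel") is not None and f["ds_channel"] != f["rx_channel"]:
                alerts.append(("Detect Beacon Wrong Channel", f["bssid"]))
        # Detect EAP Rate Anomaly: too many EAP handshakes starting on one channel
        if sub == "eapol_start":
            window = eapol_starts[f["rx_channel"]]
            window.append(f["ts"])
            while f["ts"] - window[0] > EAP_WINDOW_SECONDS:
                window.pop(0)
            if len(window) == EAP_RATE_THRESHOLD:   # alarm once, when the threshold is reached
                alerts.append(("Detect EAP Rate Anomaly", f"channel {f['rx_channel']}"))
    return alerts


def beacon(ts, bssid, ssid, ds_channel, rx_channel):
    return {"ts": ts, "subtype": "beacon", "sa": bssid, "bssid": bssid, "da": BROADCAST,
            "ssid": ssid, "ds_channel": ds_channel, "rx_channel": rx_channel}


# Constructed capture: one legitimate AP, one impersonator, one misconfigured
# neighbour, a broadcast deauth, two association requests and an EAP burst.
SAMPLE_FRAMES = [
    beacon(0.0, "00:0b:86:11:22:30", "corp-secure", 36, 36),
    beacon(0.1, "02:13:37:aa:bb:cc", "corp-secure", 36, 36),
    beacon(0.2, "24:de:c6:00:00:01", "guest", 1, 6),
    {"ts": 0.3, "subtype": "deauth", "sa": "00:0b:86:11:22:30",
     "bssid": "00:0b:86:11:22:30", "da": BROADCAST, "rx_channel": 36},
    {"ts": 0.4, "subtype": "assoc_req", "sa": "00:1c:b3:12:34:56",
     "bssid": "00:0b:86:11:22:30", "da": "00:0b:86:11:22:30", "rx_channel": 36},
    {"ts": 0.5, "subtype": "assoc_req", "sa": "d6:3a:1f:00:00:01",
     "bssid": "00:0b:86:11:22:30", "da": "00:0b:86:11:22:30", "rx_channel": 36},
] + [
    {"ts": 1.0 + i * 0.1, "subtype": "eapol_start", "sa": f"00:1c:b3:00:00:{i:02x}",
     "bssid": "00:0b:86:11:22:30", "da": "00:0b:86:11:22:30", "rx_channel": 36}
    for i in range(EAP_RATE_THRESHOLD)
]

if __name__ == "__main__":
    for policy, detail in analyze(SAMPLE_FRAMES):
        print(f"{policy}: {detail}")
```

Two practitioner notes follow from running it. The invalid MAC OUI check fires on any address whose OUI is not registered, and current phone and laptop operating systems randomize client MAC addresses with the locally administered bit set, so on a network with many such clients this policy produces a steady stream of alarms; the example tags those cases so they can be triaged separately. The broadcast deauthentication signature also fires on the legitimate AP's own broadcast deauth in the sample, which is why the protection-side containment actions in Table 69 should not be enabled purely on the strength of a single detection policy.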
Firewall Settings

To configure firewall settings by specifying the policies for secured network access, see Enabling ALG Protocols on IAPs on page 307 and Configuring Firewall Parameters for Wireless Network Protection.
- For all subnets, a deny rule is created by default as the last rule. If at least one rule is configured, this deny-all rule is applied to the upstream traffic by default.
- Management access to the Instant AP is allowed irrespective of the inbound firewall rules.
- The inbound firewall is not applied to traffic coming through the GRE tunnel.

Configuring Time-Based Services for Wireless Network Profiles

Aruba Central (on-premises) allows you to configure the availability of a WLAN SSID at a particular time of the day. You can create a time range profile and assign it to a WLAN SSID, so that you can enable or disable access to the SSID and thus control user access to the network during a specific time period.

Instant Access Points (IAPs) support the configuration of both absolute and periodic time range profiles. You can configure an absolute time range profile to execute during a specific time frame, or create a periodic profile to execute at regular intervals based on the periodicity specified in the configuration.

This section describes the following topics:
- Creating a Time Range Profile
- Associating a Time Range Profile to an SSID
- Associating a Time Range Profile to ACL

Before You Begin

Before you configure time-based services, ensure that the NTP server connection is active.

Creating a Time Range Profile

To create a time range profile, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Time-Based Services accordion.
7. Click + in the Time Based Profiles table. The New Profile window for creating a time range profile is displayed.
8. Configure the parameters listed in the following table:

Table 71: Time Range Profile Configuration Parameters
  Name: Specify a name for the time range profile.
  Type: Select the type of time range profile:
    - Periodic--Allows you to configure a specific periodicity and recurrence pattern for the time range profile.
    - Absolute--Allows you to configure an absolute day and time range.
  Repeat: Specify the frequency for a periodic time range profile:
    - Daily--Enables daily recurrence.
    - Weekly--Allows you to define a time range with specific start and end days in a week.
  Day Range:
    - Absolute--For an absolute time range profile, this field allows you to specify the start day and end day, both in mm/dd/yyyy format. You can also use the calendar to specify the start and end days.
    - Periodic--For a periodic time range profile, the following Day Range options are available:
      - For daily recurrence--If Repeat is set to Daily, this field allows you to select one of the following ranges: Monday--Sunday (All Days), Monday--Friday (Weekdays), or Saturday--Sunday (Weekend). For example, if you set Repeat to Daily, select Monday--Friday (Weekdays) for Day Range, and set Start Time to 1 and End Time to 2, the applied time range is Monday to Friday from 1 am to 2 am on each of those days; on Monday at 3 am, the profile is not applied.
      - For weekly recurrence--If Repeat is set to Weekly, this field allows you to select the start and end days of the week together with a time range. For example, if you set Start Day to Monday, End Day to Friday, Start Time to 1, and End Time to 2, the applied time range is Monday 1 am to Friday 2 am every week; on Monday at 3 am, the profile is applied.
  Start Time: Select the start time for the time range profile from the Hours and Minutes drop-down lists.
  End Time: Select the end time for the time range profile from the Hours and Minutes drop-down lists.
  Visualization Graph for Time: The Visualization graph (approximated to the hour) provides a visual display of the selected time range (Day Range, Start Time, and End Time) for periodic profiles.

Associating a Time Range Profile to an SSID

To apply a time range profile to an SSID, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select the network profile to which you want to apply the time range profile, and then click the edit icon. You can also add a time range profile when configuring an SSID.
6. In General, click Time Range Profiles under Advanced Settings.
7. In the Time Range Profiles section, enter the following information:
- Select a time range profile from the Time Range Profile list.
- Select a value from the Status drop-down list.
- When a time range profile is enabled on an SSID, the SSID is made available to users only for the configured time range. For example, if the specified time range is 12:00 to 13:00, the SSID is available only between 12 PM and 1 PM on a given day.
- When a time range profile is disabled on an SSID, the SSID becomes unavailable for the configured time range. For example, if the configured time range is 14:00 to 17:00, the SSID is unavailable from 2 PM to 5 PM on a given day.

Associating a Time Range Profile to ACL

Aruba Central allows you to configure time-based services for a specific ACL. To apply a time range profile to an access rule, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. In the Roles accordion, under Access Rules For Selected Roles, click the edit icon of the access rule to which you want to apply the time range profile. The Access Rules page is displayed.
7. In the Options section, select the Time Range check box and select the time range profile from the drop-down list.
- When a time range profile is associated with an ACL, the configured time range is applied to all WLAN SSIDs that use that ACL.
- If the time range is disabled, or the time range profile is deleted from the ACL, all WLAN SSIDs that use that ACL can access the network without any time constraint.
8. Click Save.

For more information on time range configuration, see the Aruba Instant User Guide.
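The daily and weekly examples in Table 71 differ in a way that is easy to misread: a Daily profile with a Weekdays day range is a separate one-hour window on each day, while a Weekly profile from Monday to Friday is one continuous window that spans the whole working week. The following added example (not code from this guide or from Aruba) evaluates both profile types, an absolute profile, and the enabled/disabled Status semantics from the SSID section, for a given local time. The profile names, the start-inclusive/end-exclusive boundary treatment, and the dates used are assumptions made for this example; as the Before You Begin note says, the IAP clock is taken to be NTP-synchronized.

```python
"""Added example (not Aruba code): evaluates the time range profile types from
Table 71 and the SSID Status setting for a given local time."""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional

# Day Range choices offered when Repeat is Daily (Python weekday numbering, Monday=0)
DAY_RANGES = {
    "all_days": set(range(7)),      # Monday--Sunday
    "weekdays": {0, 1, 2, 3, 4},    # Monday--Friday
    "weekend": {5, 6},              # Saturday--Sunday
}
WEEKDAY = {name: i for i, name in enumerate(
    ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"])}


@dataclass
class TimeRangeProfile:
    name: str
    kind: str                          # "absolute" or "periodic"
    start_time: time
    end_time: time
    repeat: Optional[str] = None       # periodic: "daily" or "weekly"
    day_range: Optional[str] = None    # daily: a DAY_RANGES key
    start_day: Optional[str] = None    # weekly: weekday name
    end_day: Optional[str] = None      # weekly: weekday name
    start_date: Optional[date] = None  # absolute: entered as mm/dd/yyyy in the UI
    end_date: Optional[date] = None


def _minutes_into_week(weekday, t):
    return weekday * 1440 + t.hour * 60 + t.minute


def in_range(profile, now):
    """True when `now` (a naive local datetime from an NTP-synchronized clock)
    falls inside the profile's range. Boundaries are start-inclusive and
    end-exclusive, an assumption of this example."""
    if profile.kind == "absolute":
        start = datetime.combine(profile.start_date, profile.start_time)
        end = datetime.combine(profile.end_date, profile.end_time)
        return start <= now < end
    if profile.repeat == "daily":
        # The same window on each selected day: Mon-Fri 1-2 am is not active Monday 3 am
        return (now.weekday() in DAY_RANGES[profile.day_range]
                and profile.start_time <= now.time() < profile.end_time)
    if profile.repeat == "weekly":
        # One continuous window per week: Monday 1 am to Friday 2 am covers Monday 3 am
        start = _minutes_into_week(WEEKDAY[profile.start_day], profile.start_time)
        end = _minutes_into_week(WEEKDAY[profile.end_day], profile.end_time)
        cur = _minutes_into_week(now.weekday(), now.time())
        if start <= end:
            return start <= cur < end
        return cur >= start or cur < end     # window wraps past Sunday midnight
    raise ValueError(f"unsupported profile: {profile.kind}/{profile.repeat}")


def ssid_available(profile, status, now):
    """Status "enabled": the SSID is offered only inside the range.
    Status "disabled": the SSID is withdrawn inside the range."""
    active = in_range(profile, now)
    return active if status == "enabled" else not active


# Constructed profiles mirroring the examples in Table 71 and the SSID section
NIGHT_WEEKDAYS = TimeRangeProfile("night-weekdays", "periodic", time(1), time(2),
                                  repeat="daily", day_range="weekdays")
WORK_WEEK = TimeRangeProfile("work-week", "periodic", time(1), time(2),
                             repeat="weekly", start_day="monday", end_day="friday")
WEEKEND_WINDOW = TimeRangeProfile("weekend", "periodic", time(18), time(6),
                                  repeat="weekly", start_day="friday", end_day="monday")
LUNCH = TimeRangeProfile("lunch", "periodic", time(12), time(13),
                         repeat="daily", day_range="all_days")
AFTERNOON = TimeRangeProfile("afternoon", "periodic", time(14), time(17),
                             repeat="daily", day_range="all_days")
MAINTENANCE = TimeRangeProfile("maintenance", "absolute", time(9), time(17),
                               start_date=date(2022, 2, 8), end_date=date(2022, 2, 10))

if __name__ == "__main__":
    monday_3am = datetime(2022, 2, 7, 3, 0)   # 7 Feb 2022 is a Monday
    print("daily profile active Monday 3 am: ", in_range(NIGHT_WEEKDAYS, monday_3am))
    print("weekly profile active Monday 3 am:", in_range(WORK_WEEK, monday_3am))
```

The weekly branch is the one to check carefully in a real deployment: a Friday-evening-to-Monday-morning window wraps past Sunday midnight, and a profile whose end falls before its start within the week must be treated as wrapping rather than as empty.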
Configuring Authentication and Security Profiles on IAPs This section describes the authentication and security parameters to configure on an Instant Access Point (IAP): n Supported Authentication Methods n Authentication Servers for IAPs n Denylisting IAP Clients n Configuring Network Service ACLs n Enabling ALG Protocols on IAPs n Configuring External Authentication Servers for APs n Configuring Role Derivation Rules for AP Clients n Configuring Firewall Parameters for Wireless Network Protection n Intra VLAN Traffic Allowlist n Configuring an MPSK Local Profile n Creating a Role Derivation Rules for AP Clients n Configuring User Roles for AP Clients n Configuring Firewall Parameters for Inbound Traffic n Firewall and ACL Rules n Configuring Roles and Policies on IAPs for User Access Control n Support for Multiple PSK in WLAN SSID n Configuring WPA3 Encryption Supported Authentication Methods Authentication is a process of identifying a user through a valid username and password. Clients can also be authenticated based on their MAC addresses. Aruba Central (on-premises) | User Guide 266 The authentication methods supported by the Instant Access Points (IAPs) managed through Aruba Central (on-premises) are described in the following sections. 802.1X Authentication 802.1X is a method for authenticating the identity of a user before providing network access to the user. The Aruba Central (on-premises) network supports internal RADIUS server and external RADIUS server for 802.1X authentication. For authentication purpose, the wireless client can associate to a NAS or RADIUS client such as a wireless IAP. The wireless client can pass data traffic only after successful 802.1X authentication. The NAS acts as a gateway to guard access to a protected resource. A client connecting to the wireless network first connects to the NAS. 
Configuring 802.1X Authentication for a Network Profile To configure 802.1X authentication for a wireless network profile, complete the following steps: 1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed. 2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view. 3. Click the Config icon. The tabs to configure the APs are displayed. 4. Click the WLANs tab. The WLANs details page is displayed. 5. In the Wireless SSIDs table, select a network profile for which you want to enable 802.1X authentication, and then click the edit icon. You can directly edit the SSID name under the Display Name column in the Wireless SSIDs table. Double-click the relevant SSID that you want to rename, and type the new name. Press Enter to complete the process. 6. Under Security, for the Enterprise security level, select the preferred option from Key Management. 7. To terminate the EAP portion of 802.1X authentication on the IAP instead of the RADIUS server, set Termination to Enabled. For 802.1X authorization, by default, the client conducts an EAP exchange with the RADIUS server, and the AP acts as a relay for this exchange. When Termination is enabled, the IAP itself acts as an authentication server, terminates the outer layers of the EAP protocol, and only relays the innermost layer to the external RADIUS server. 8. Specify the type of authentication server to use. 9. Click Save Settings. MAC Authentication MAC authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication requires that the MAC address of a machine matches a manually defined list of addresses. Managing APs | 267 This authentication method is not recommended for scalable networks and the networks that require stringent security settings. MAC authentication can be used alone or it can be combined with other forms of authentication such as WEP authentication. 
Configuring MAC Authentication for a Network Profile To configure MAC authentication for a wireless profile, complete the following steps: 1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed. 2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view. 3. Click the Config icon. The tabs to configure the APs are displayed. 4. Click the WLANs tab. The WLANs details page is displayed. 5. In the WLANs tab, select a network profile for which you want to enable MAC authentication and click the edit icon. 6. In Security, turn on the MAC Authentication toggle switch to enable Personal or Open security level. 7. Specify the type of authentication server to use. 8. Click Save Settings. MAC Authentication with 802.1X Authentication The administrators can enable MAC authentication for 802.1X authentication. MAC authentication shares all the authentication server configurations with 802.1X authentication. If a wireless or wired client connects to the network, MAC authentication is performed first. If MAC authentication fails, 802.1X authentication does not trigger. If MAC authentication is successful, 802.1X authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or mac-auth-only role. You can also configure the following authentication parameters for MAC+802.1X authentication: n MAC authentication only--Allows you to create a mac-auth-only role to allow role-based access rules when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when the MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients. 
n L2 authentication fall-through--Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by default. Configuring MAC Authentication with 802.1X Authentication To configure MAC authentication with 802.1X authentication for wireless network profile, configure the following parameters: Aruba Central (on-premises) | User Guide 268 1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed. 2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view. 3. Click the Config icon. The tabs to configure the APs are displayed. 4. Click the WLANs tab. The WLANs details page is displayed. 5. In the WLANs tab, select a network profile for which you want to enable MAC and 802.1X authentication and click the edit icon. 6. Turn on the Perform MAC Authentication Before 802.1X toggle switch to use 802.1X authentication only when the MAC authentication is successful. 7. Turn on the MAC Authentication Fail Through toggle switch to use 802.1X authentication even when the MAC authentication fails. 8. Click Save Settings. Captive Portal Authentication Captive portal authentication is used for authenticating guest users. For more information, see Configuring Wireless Networks for Guest Users on IAPs. MAC Authentication with Captive Portal Authentication The following conditions apply to a network profile with MAC authentication and Captive Portal authentication enabled: n If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC authentication reuses the server configurations. 
- If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC authentication is enabled, a server configuration page is displayed.
- If the captive portal splash page type is None, MAC authentication is disabled.
- MAC authentication with captive portal authentication supports the mac-auth-only role.

Configuring MAC Authentication with Captive Portal Authentication

To configure MAC authentication with captive portal authentication for a network profile, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the WLANs tab, select the existing wireless profile for which you want to enable MAC authentication with captive portal authentication, and then click the edit icon.
6. Under Access, specify the following parameters for a network with Role Based rules:
   a. Turn on the Enforce Machine Authentication toggle switch when MAC authentication is enabled for the captive portal. If MAC authentication fails, the captive portal authentication role is assigned to the client.
   b. For a wireless network profile, turn on the Enforce MAC Auth Only Role toggle switch when MAC authentication is enabled for the captive portal. After successful MAC authentication, the MAC Auth Only role is assigned to the client.
7. Click Next.

Managing APs | 269

802.1X Authentication with Captive Portal Authentication

This authentication method allows you to configure different captive portal settings for clients on the same SSID. For example, you can configure an 802.1X SSID and create a role for captive portal access, so that some of the clients using the SSID derive the captive portal role.
You can configure rules to indicate access to an external or internal captive portal, or none. For more information on configuring captive portal roles for an SSID with 802.1X authentication, see Configuring Wireless Networks for Guest Users on IAPs.

WISPr Authentication

WISPr authentication allows a smart client to authenticate on the network when it roams between wireless Internet service providers, even if the wireless hotspot uses an ISP with which the client may not have an account. If a hotspot is configured to use WISPr authentication for a specific ISP and a client attempts to access the Internet at that hotspot, the WISPr AAA server configured for the ISP authenticates the client directly and allows the client to access the network. If the client only has an account with a partner ISP, the WISPr AAA server forwards the client's credentials to the partner ISP's WISPr AAA server for authentication. When the client is authenticated on the partner ISP, it is also authenticated on your hotspot's own ISP as per their service agreements. The IAP assigns the default WISPr user role to the client when your ISP sends an authentication message to the IAP.

IAPs support the following smart clients:

- iPass
- Boingo

These smart clients enable client authentication and roaming between hotspots by embedding iPass Generic Interface Specification (GIS) redirect, authentication, and logoff messages within HTML messages that are sent to the IAP.

Configuring WISPr Authentication

To configure WISPr authentication, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the WISPr accordion.
7. Under WISPr, configure the following parameters:
   - ISO Country Code: The ISO country code for the WISPr Location ID.
   - E.164 Area Code: The E.164 area code for the WISPr Location ID.
   - Operator Name: The operator name of the hotspot.
   - E.164 Country Code: The E.164 country code for the WISPr Location ID.
   - SSID/Zone: The SSID/Zone for the WISPr Location ID.
   - Location Name: Name of the hotspot location. If no name is defined, the name of the IAP to which the user is associated is used.
8. Click Save Settings.

The WISPr RADIUS attributes and configuration parameters are specific to the RADIUS server used by your ISP for WISPr authentication. Contact your ISP to determine these values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites (www.iso.org and http://www.itu.int).

A Boingo smart client uses a NAS identifier in the format <CarrierID>_<VenueID> for location identification. To support Boingo clients, ensure that you configure the NAS identifier parameter in the RADIUS server profile for the WISPr server.

Walled Garden

On the Internet, a walled garden typically controls access to web content and services. Walled garden access is required when an external captive portal is used; for example, in a hotel environment where unauthenticated users are allowed to navigate to a designated login page (for example, the hotel website) and all its contents. Users who do not sign up for the Internet service can still view the allowed websites (typically hotel property websites). The website names must be DNS-based and support the option to define wildcards. When a user attempts to navigate to other websites that are not in the allowlist of the walled garden profile, the user is redirected to the login page. The IAP supports the walled garden only for HTTP requests.
For example, if you add yahoo.com to the walled garden allowlist and the client sends an HTTPS request (https://yahoo.com), the requested page is not displayed and the user is redirected to the captive portal login page. In addition, a walled garden denylist can be configured to explicitly block unauthenticated users from accessing some websites.

Configuring Walled Garden Access

To configure walled garden access, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Walled Garden accordion.
7. To allow access to a specific set of websites, click + under Allowlist and enter the domain name in the window. This allows access to a domain while the user remains unauthenticated. Specify a POSIX regular expression (regex(7)). For example:
   - yahoo.com matches various domains such as news.yahoo.com, travel.yahoo.com, and finance.yahoo.com.
   - www.apple.com/library/test is a subset of the www.apple.com site corresponding to the path /library/test/*.
   - favicon.ico allows access to /favicon.ico from all domains.
8. To deny users access to a domain, click + under Denylist and enter the domain name in the window. This prevents unauthenticated users from viewing specific websites. When an unauthenticated user accesses a URL specified in the denylist, the IAP sends an HTTP 403 response to the client with an error message.
9. Click Save Settings.

Authentication Servers for IAPs

Based on the security requirements, you can configure internal or external RADIUS servers.
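The walled garden behaviour described in the preceding section (regex allowlist and denylist, HTTP 403 for denylisted URLs, redirect to the portal for everything else including every HTTPS request), as an added example that is not Aruba code. It assumes Python's re module in place of the IAP's POSIX regex(7), and the portal URL, the denylist entry and the request hostnames are constructed placeholders; the allowlist entries are the three examples from step 7 above.

```python
"""Walled garden decision logic for an unauthenticated client.

Added example, not Aruba code. Allowlist and denylist entries are regular
expressions matched against "host/path" (Python's re stands in for the IAP's
POSIX regex(7)). The denylist wins with an HTTP 403, an allowlist match lets
the request through, and anything else, including every HTTPS request, is
redirected to the captive portal login page.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PORTAL_URL = "http://portal.example.invalid/login"  # constructed placeholder


@dataclass
class WalledGarden:
    allowlist: list = field(default_factory=list)
    denylist: list = field(default_factory=list)

    def _matches(self, patterns, target):
        # Unanchored search, as with regex(7): "yahoo.com" matches
        # "news.yahoo.com/world" and "favicon.ico" matches "/favicon.ico"
        # on any host.
        return any(re.search(p, target) for p in patterns)

    def decide(self, url):
        """Return (action, detail) for one request from an unauthenticated client."""
        parts = urlsplit(url)
        target = parts.netloc + (parts.path or "/")
        if parts.scheme != "http":
            # The walled garden applies to plain HTTP only; HTTPS is redirected.
            return ("redirect", PORTAL_URL)
        if self._matches(self.denylist, target):
            return ("deny", 403)
        if self._matches(self.allowlist, target):
            return ("allow", target)
        return ("redirect", PORTAL_URL)


def broad_patterns(patterns):
    """Configuration check: return allowlist entries that are unanchored and
    contain an unescaped dot. Such an entry matches more than the literal
    domain (for example 'yahoo.com' also matches 'myyahoo.com'), so review it
    before allowing it to unauthenticated users."""
    return [p for p in patterns
            if not p.startswith("^") and "." in p and r"\." not in p]


# Constructed sample profile using the page's own allowlist examples.
GARDEN = WalledGarden(
    allowlist=["yahoo.com", "www.apple.com/library/test", "favicon.ico"],
    denylist=["social.example.test"],
)

# Constructed sample requests from a client that has not yet logged in.
SAMPLE_REQUESTS = [
    "http://news.yahoo.com/world",
    "https://yahoo.com/",
    "http://www.apple.com/library/test/index.html",
    "http://www.apple.com/store",
    "http://any-host.example.test/favicon.ico",
    "http://social.example.test/feed",
]


def run_samples():
    """Map each sample URL to the action the walled garden takes."""
    return {url: GARDEN.decide(url)[0] for url in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for url, action in run_samples().items():
        print(f"{action:8s} {url}")
    print("broad allowlist patterns:", broad_patterns(GARDEN.allowlist))
```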
This section describes the types of authentication servers and authentication termination that can be configured for a network profile.

External RADIUS Server

On the external RADIUS server, the IP address of the Virtual Controller (VC) is configured as the NAS IP address. Aruba Central RADIUS is implemented on the VC, which eliminates the need to configure a separate NAS client on the RADIUS server for every Instant Access Point (IAP) for client authentication. Aruba Central RADIUS dynamically forwards all authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the authentication request with an Access-Accept or Access-Reject message, and users are allowed or denied access to the network depending on the response from the RADIUS server. When you enable an external RADIUS server for the network, the client on the IAP sends a RADIUS packet to the local IP address. The external RADIUS server then responds to the RADIUS packet.

Aruba Central (on-premises) supports the following external authentication servers:

- RADIUS
- LDAP

To use an LDAP server for user authentication, configure the LDAP server on the VC, and configure user IDs and passwords. To use a RADIUS server for user authentication, configure the RADIUS server on the VC.

RADIUS Server Authentication with VSA

An external RADIUS server authenticates network users and returns to the IAP a VSA that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA.

Internal RADIUS Server

Each IAP runs a local instance of the FreeRADIUS server. When you enable the internal RADIUS server option for the network, the client on the IAP sends a RADIUS packet to the local IP address. The internal RADIUS server listens for and replies to the RADIUS packet.
The following authentication methods are supported in the Aruba Central network:

- EAP-TLS: The EAP-TLS method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and CA certificates installed on the IAP. The client certificate is verified on the virtual controller (the client certificate must be signed by a known CA) before the username is verified on the authentication server.
- EAP-TTLS (MSCHAPv2): The EAP-TTLS method uses server-side certificates to set up authentication between clients and servers. However, the actual authentication is performed using passwords.
- EAP-PEAP (MSCHAPv2): EAP-PEAP is an 802.1X authentication method that uses server-side public key certificates to authenticate clients with the server. PEAP authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. The exchange of information is encrypted and carried inside the tunnel, ensuring that user credentials are kept secure.
- LEAP: LEAP uses dynamic WEP keys for authentication between the client and the authentication server. To use the internal database of an AP for user authentication, add the names and passwords of the users to be authenticated. Aruba does not recommend the use of LEAP authentication because it does not provide any resistance to network attacks.

RADIUS Communication over TLS (RadSec)

RADIUS over TLS, also known as RadSec, is a RADIUS protocol that uses the TLS protocol for end-to-end secure communication between the RADIUS server and the IAP. RadSec wraps the entire RADIUS packet payload in a TLS stream. Enabling RadSec increases the level of security for authentication that is carried out across the cloud network. When configured, this feature ensures that the RadSec protocol is used for safely transmitting the authentication and accounting data between the IAP and the RadSec server.
The following conditions apply to the RadSec configuration:

- The RADIUS packets go through the tunnel once the TLS tunnel is established.
- By default, TCP port 2083 is assigned for RadSec. Separate ports are not used for authentication, accounting, and dynamic authorization changes.
- Aruba Central supports dynamic CoA (RFC 3576) over RadSec, and the RADIUS server uses the existing TLS connection opened by the IAP to send the request.
- By default, the IAP uses its device certificate to establish a TLS connection with the RadSec server. You can also upload your own custom certificates to the IAP. For more information on uploading certificates, see Mapping IAP Certificates.

Authentication Termination on IAP

Aruba Central allows EAP termination for PEAP-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2). PEAP-GTC termination allows authorization against an LDAP server and an external RADIUS server, while PEAP-MSCHAPv2 allows authorization against an external RADIUS server only. This allows users to run PEAP-GTC termination with their username and password against a local Microsoft Active Directory server with LDAP authentication.

- EAP-GTC: This EAP method permits the transfer of unencrypted usernames and passwords from client to server. EAP-GTC is mainly used for one-time token cards such as SecurID and for the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the IAP as a backup to the external authentication server.
- EAP-MSCHAPv2: This EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the back-end authentication server.

Dynamic Load Balancing between Authentication Servers

You can configure two authentication servers to serve as the primary and backup RADIUS server and enable load balancing between these servers.
Load balancing of authentication servers ensures that the authentication load is split across multiple authentication servers and enables the IAPs to balance authentication requests destined for authentication servers such as RADIUS or LDAP. The load balancing on the IAP is performed based on outstanding authentication sessions. If there are no outstanding sessions and the rate of authentication is low, only the primary server is used. The secondary server is used only if there are outstanding authentication sessions on the primary server. In this way, load can be balanced across RADIUS servers of asymmetric capacity without administrators having to provide inputs about the server capabilities.

Configuring External Authentication Servers for APs

You can configure an external RADIUS server, a TACACS server, or an LDAP server for user authentication. You can also configure a guest network using an External Captive Portal profile for external authentication. To configure a server, complete the following procedure:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. In the Authentication Server panel, click + to create a new server.
7. Select any of the following server types and configure the parameters for your deployment scenario.

Table 72: Authentication Server Configuration

RADIUS

- Name: Name of the external RADIUS server.
- IP Address: IP address or FQDN of the external RADIUS server.
- Radsec: Set Radsec to Enabled to enable secure communication between the RADIUS server and the IAP by creating a TLS tunnel between the IAP and the server.
  If Radsec is enabled, the following configuration options are displayed:
   - Radsec Port: Communication port number for the RadSec TLS connection. By default, the port number is set to 2083.
   - NAS Identifier
   - NAS IP Address
   - Service Type Framed User
   - Query Status of RADIUS Servers (RFC 5997)
   - Dynamic Authorization
- Auth Port: Authorization port number of the external RADIUS server. The default port number is 1812.
- Accounting Port: The accounting port number used for sending accounting records to the RADIUS server. The default port number is 1813.
- Shared Key and Retype Shared Key: Shared key for communicating with the external RADIUS server.
- Timeout: The timeout duration for one RADIUS request. The IAP retries sending the request several times (as configured in Retry Count) before the user is disconnected. For example, if Timeout is 5 seconds and Retry Count is 3, the user is disconnected after 20 seconds. The default value is 5 seconds.
- Retry Count: The maximum number of authentication requests that can be sent to the server group by the IAP. You can specify a value in the range 1 to 5. The default value is 3 requests.
- Dynamic Authorization: To allow the APs to process RFC 3576-compliant CoA and Disconnect messages from the RADIUS server, select this check box. Disconnect messages terminate the user session immediately, whereas CoA messages modify session authorization attributes such as data filters. When you enable the Dynamic Authorization option, the AirGroup CoA Port field is displayed with the port number for sending Bonjour support CoA on a port other than the standard CoA port. The default value is 5999.
- NAS IP Address: Enter the IP address. For IAP-based cluster deployments, ensure that you enter the VC IP address as the NAS IP address.
- NAS Identifier: Use this to configure the string for RADIUS attribute 32, NAS-Identifier, to be sent with RADIUS requests to the RADIUS server.
- Dead Time: Specify a dead time for the authentication server in minutes. When two or more authentication servers are configured on the IAP and a server is unavailable, the dead time determines the duration for which that server remains marked as unavailable.
  If Dynamic RADIUS Proxy (DRP) is enabled on the APs, configure the following parameters:
   - DRP IP: IP address to be used as the source IP for RADIUS packets.
   - DRP MASK: Subnet mask of the DRP IP address.
   - DRP VLAN: VLAN in which the RADIUS packets are sent.
- Service Type Framed User: Select any of the following check boxes to send the service type as Framed User in the access requests to the RADIUS server:
   - 802.1X: Changes the service type to Framed User for 802.1X authentication.
   - MAC: Changes the service type to Framed User for MAC authentication.
   - Captive Portal: Changes the service type to Framed User for captive portal authentication.
- Query Status of RADIUS Servers (RFC 5997): Select any of the following check boxes to detect the status of the RADIUS server:
   - Authentication: Select this check box to ensure that the IAP sends a Status-Server request to determine the actual state of the authentication server before marking the server as unavailable.
   - Accounting: Select this check box to ensure that the IAP sends a Status-Server request to determine the actual state of the accounting server before marking the server as unavailable.

LDAP

- Name: Name of the LDAP server.
- IP Address: IP address of the LDAP server.
- Auth Port: Authorization port number of the LDAP server. The default port number is 389.
- Admin-DN: A distinguished name for the admin user with read and search privileges across all the entries in the LDAP database (the admin user need not have write privileges, but must be able to search the database and read attributes of other users in the database).
- Admin Password and Retype Admin Password: Password for the admin user.
- Base-DN: Distinguished name for the node that contains the entire user database.
- Filter: The filter to apply when searching for a user in the LDAP database. The default filter string is (objectclass=*).
- Key Attribute: The attribute to use as a key when searching the LDAP server. For Active Directory, the value is sAMAccountName.
- Timeout: Timeout interval, in the range 1 to 30 seconds, for one request. The default value is 5.
- Retry Count: The maximum number of authentication requests that can be sent to the server group. You can specify a value in the range 1 to 5. The default value is 3.

TACACS

- Name: Name of the server.
- Shared Key and Retype Key: The secret key used to authenticate communication between the TACACS client and server.
- Auth Port: The TCP port used by the server. The default port number is 49.
- Timeout: A number between 1 and 30 seconds to indicate the timeout period for TACACS+ requests. The default value is 20 seconds.
- IP Address: IP address of the server.
- Retry Count: The maximum number of authentication attempts to be allowed. The default value is 3.
- Dead Time (in mins): Specify a dead time for the authentication server in minutes. When two or more authentication servers are configured on the AP and a server is unavailable, the dead time determines the duration for which that server remains marked as unavailable.
- Session Authorization: Enable this option to allow the authorization of sessions.

External Captive Portal

The external captive portal servers are used for authenticating guest users in a WLAN.

- Name: Enter a name for the profile.
- Type: Select any one of the following types of authentication:
   - Radius Authentication: Select this option to enable user authentication against a RADIUS server.
   - Authentication Text: Select this option to specify an authentication text. The specified text is returned by the external server after a successful user authentication.
- IP or Hostname: Enter the IP address or the host name of the external splash page server.
- URL: Enter the URL of the external captive portal server.
- Port: Enter the port number that is used for communicating with the external captive portal server.
- Use HTTPS: Select this to force clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.
- Captive Portal Failure: This field allows you to configure Internet access for guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to let them access the network.
- Server Offload: Select the check box to enable the server offload feature. The server offload feature ensures that non-browser client applications are not unnecessarily redirected to the external captive portal server, thereby reducing the load on the external captive portal server.
- Prevent Frame Overlay: Select this check box to prevent the overlay of frames. When enabled, frames display only those pages that are in the same domain as the main page.
- Automatic URL Allowlisting: When enabled for external captive portal authentication, the URLs that unauthenticated users are allowed to access are automatically allowlisted.
- Auth Text: If the External Authentication splash page is selected, specify the authentication text that is returned by the external server after successful authentication. This option is available only if Authentication Text is selected.
- Redirect URL: Specify a redirect URL if you want to redirect users to another URL.

Dynamic Authorization Only

- Name: Name of the server.
- IP Address: IP address of the server.
- AirGroup CoA Port: A port number for sending Bonjour support CoA on a port other than the standard CoA port. The default value is 5999.
- Shared Key and Retype Key: A shared key for communicating with the external RADIUS server. Change of Authorization (CoA) is a subset of Dynamic Authorization, which also includes Disconnect messages.

8. Click Save.

To assign the authentication server to a network profile, select the newly added server when configuring the security settings for a wireless or wired network profile. You can also add an external RADIUS server when configuring a WLAN SSID profile.

Creating Role Derivation Rules for AP Clients

Aruba Central (on-premises) allows you to configure role and VLAN derivation rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID or a wired profile.

Creating a Role Derivation Rule

You can configure rules for determining the role that is assigned to each authenticated client. When more than one role assignment rule is created, the first matching rule in the rule list is applied.

To create a role assignment rule, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
6. Click the Access tab.
7. Under Access rules, select Role Based to enable access based on user roles.
8. Under Role Assignment Rules, click +Add Role Assignment. In New Role Assignment Rule, define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.
9. From the Attribute list, select the attribute that the rule matches against.
   The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options. For a list of RADIUS attributes, see RADIUS Server Authentication with VSA.
10. Select the operator from the Operator list. The following types of operators are supported:
   - contains: The rule is applied only if the attribute value contains the string specified in Operand.
   - Is the role: The rule is applied if the attribute value is the role.
   - equals: The rule is applied only if the attribute value is equal to the string specified in Operand.
   - not-equals: The rule is applied only if the attribute value is not equal to the string specified in Operand.
   - starts-with: The rule is applied only if the attribute value starts with the string specified in Operand.
   - ends-with: The rule is applied only if the attribute value ends with the string specified in Operand.
   - matches-regular-expression: The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list.
   The mac-address-and-dhcp-options attribute and the matches-regular-expression operator are applicable only to WLAN clients.
11. Enter the string to match in the String box.
12. Select the appropriate role from the Role list.
13. Click Save.

Configuring VLAN Derivation Rules

Users are assigned to a VLAN based on the attributes returned by the RADIUS server after they authenticate. To configure VLAN derivation rules for an SSID profile:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
6. Under VLANs, select Dynamic under Client VLAN Assignment.
7. Click +Add Rule to create a VLAN assignment rule. The New VLAN Assignment Rule window is displayed. In this window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.
8. Select an attribute from the Attribute list.
9. Select an operator from the Operator list. The following types of operators are supported:
   - contains: The rule is applied only if the attribute value contains the string specified in Operand.
   - equals: The rule is applied only if the attribute value is equal to the string specified in Operand.
   - not-equals: The rule is applied only if the attribute value is not equal to the string specified in Operand.
   - starts-with: The rule is applied only if the attribute value starts with the string specified in Operand.
   - ends-with: The rule is applied only if the attribute value ends with the string specified in Operand.
   - matches-regular-expression: The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list.
   The mac-address-and-dhcp-options attribute and the matches-regular-expression operator are applicable only to WLAN clients.
10. Enter the string to match in the String field.
11. Select the appropriate VLAN ID from VLAN. Ensure that all other required parameters are configured.
12. Click OK.

Configuring User Accounts for the IAP Management Interface

You can configure RADIUS or TACACS authentication servers to authenticate and authorize the management users of an Instant Access Point (IAP). The authentication servers determine whether the user has access to the administrative interface. The privilege level for different types of management users is defined on the RADIUS or TACACS server.
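Returning to the role and VLAN derivation rules from the two preceding procedures: the matching logic they describe (an attribute, an operator, an operand string, first matching rule wins, with matches-regular-expression restricted to the mac-address-and-dhcp-options attribute and to WLAN clients), as an added example that is not Aruba code. The rule list, the role names and VLAN IDs, the use of the standard RADIUS attributes Filter-Id and Tunnel-Private-Group-Id, and the text format of the mac-address-and-dhcp-options value are all constructed assumptions for illustration.

```python
"""Role and VLAN derivation rule matching for AP clients.

Added example, not Aruba code. Each rule names an attribute (returned by the
authentication server or derived from the client, e.g. mac-address), an
operator, an operand string and a result (a role name or a VLAN ID). Rules are
evaluated in list order and the first match wins, as the guide states. The
"Is the role" operator of the role procedure is not modelled here.
"""
import re
from dataclasses import dataclass

OPERATORS = {
    "contains":    lambda value, operand: operand in value,
    "equals":      lambda value, operand: value == operand,
    "not-equals":  lambda value, operand: value != operand,
    "starts-with": lambda value, operand: value.startswith(operand),
    "ends-with":   lambda value, operand: value.endswith(operand),
    "matches-regular-expression":
                   lambda value, operand: re.search(operand, value) is not None,
}

REGEX_ONLY_ATTR = "mac-address-and-dhcp-options"


@dataclass(frozen=True)
class Rule:
    attribute: str   # e.g. "Filter-Id", "mac-address", REGEX_ONLY_ATTR
    operator: str    # one of OPERATORS
    operand: str     # the string entered in the String box
    result: str      # role name or VLAN ID


def validate(rule, wlan):
    """Reject rule combinations the guide says are not available."""
    if rule.operator not in OPERATORS:
        raise ValueError(f"unknown operator {rule.operator!r}")
    if rule.operator == "matches-regular-expression" and rule.attribute != REGEX_ONLY_ATTR:
        raise ValueError(f"matches-regular-expression requires {REGEX_ONLY_ATTR}")
    if not wlan and (rule.attribute == REGEX_ONLY_ATTR
                     or rule.operator == "matches-regular-expression"):
        raise ValueError(f"{REGEX_ONLY_ATTR} and matches-regular-expression "
                         "apply to WLAN clients only")


def derive(rules, attributes, default, wlan=True):
    """Return the result of the first matching rule, or `default` if none match.

    `attributes` maps attribute names to the string values the server returned
    (or the client presented); a rule whose attribute is absent never matches.
    """
    for rule in rules:
        validate(rule, wlan)
    for rule in rules:
        value = attributes.get(rule.attribute)
        if value is not None and OPERATORS[rule.operator](value, rule.operand):
            return rule.result
    return default


# Constructed sample rule lists: order matters, first match wins.
ROLE_RULES = [
    Rule("Filter-Id", "equals", "contractor", "contractor"),
    Rule("Filter-Id", "starts-with", "staff", "employee"),
    # 00:0b:86 is an Aruba OUI; the "dhcp-option-60=" text is a constructed
    # format for illustration, not the IAP's actual attribute encoding.
    Rule(REGEX_ONLY_ATTR, "matches-regular-expression",
         r"^00:0b:86:.*dhcp-option-60=Aruba", "ap-onboarding"),
]

VLAN_RULES = [
    Rule("Tunnel-Private-Group-Id", "equals", "20", "20"),
    Rule("dot1x-authentication-type", "not-equals", "EAP-TLS", "99"),
]


def demo():
    """Constructed clients: values a RADIUS server or the IAP might supply."""
    staff = {"Filter-Id": "staff-engineering", "Tunnel-Private-Group-Id": "20",
             "dot1x-authentication-type": "EAP-TLS"}
    byod = {"Filter-Id": "guest", "dot1x-authentication-type": "PEAP"}
    ap = {REGEX_ONLY_ATTR: "00:0b:86:12:34:56 dhcp-option-60=ArubaAP"}
    return {
        "staff_role": derive(ROLE_RULES, staff, "default-role"),
        "staff_vlan": derive(VLAN_RULES, staff, "1"),
        "byod_role":  derive(ROLE_RULES, byod, "default-role"),
        "byod_vlan":  derive(VLAN_RULES, byod, "1"),
        "ap_role":    derive(ROLE_RULES, ap, "default-role"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```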
The IAPs map the management users to the corresponding privilege level and provide access to the users based on the attributes returned by the RADIUS or TACACS server.

In Aruba Central (on-premises), the IAP management user passwords are stored and displayed as a hash instead of plain text. The hash-mgmt-user command is enabled by default on the IAPs provisioned in the template and UI groups. If a pre-configured IAP joins Aruba Central and is moved to a new group, Aruba Central uses the hash-mgmt-user configuration settings and discards the mgmt-user configuration settings, if any, on the IAP. In other words, Aruba Central hashes management user passwords irrespective of the management user configuration settings running on an IAP.

To configure authentication parameters for the local admin, read-only, and guest management administrator account settings, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Administrator accordion and configure the following parameters:

Table 73: Configuration Parameters for the IAP Users

Client Control

- Internal: In the Authentication drop-down list, select Internal if you want to specify a single set of user credentials. If using an internal authentication server:
   1. In Username and Password, enter a username and password.
   2. In Retype Password, retype the password to confirm.
- Authentication Server: In the Authentication drop-down list, select the RADIUS or TACACS authentication servers. You can also create a new server by selecting New from the Authentication server drop-down list.
- Authentication Server with fallback to Internal: In the Authentication drop-down list, select the Authentication server w/ fallback to internal option if you want to use both internal and external servers. When enabled, authentication switches to Internal if there is no response from the RADIUS server (RADIUS server timeout). To use this option, select the authentication servers and configure the user credentials for internal server-based authentication:
   1. In Username and Password, enter a username and password.
   2. In Retype Password, retype the password to confirm.
- Load Balancing: If two servers are configured, the users can use them in primary or backup mode, or in load balancing mode. To enable load balancing, select Enabled from the Load balancing drop-down list. For more information on load balancing, see Authentication Servers for IAPs.
- TACACS Accounting: If a TACACS server is selected, enable TACACS accounting to report management commands, if required.

View Only

To configure a user account with read-only privileges:
   1. In Username and Password, enter a username and password.
   2. In Retype Password, retype the password to confirm.

Guest Registration Only

To configure a guest user account with read-only privileges:
   1. In Username and Password, enter a username and password.
   2. In Retype Password, retype the password to confirm.

7. Click Save Settings.

Configuring Guest and Employee User Profiles on IAPs

The local database of an Instant Access Point (IAP) consists of a list of guest and employee users. Adding a user involves specifying login credentials for the user. The login credentials for these users are provided outside the Aruba Central system. A guest user can be a visitor who is temporarily using the enterprise network to access the Internet.
However, if you do not want to allow access to the internal network and the Intranet, you can segregate the guest traffic from the enterprise traffic by creating a guest WLAN and specifying the required authentication, encryption, and access rules. An employee user is the employee who is using the enterprise network for official tasks. You can create employee WLANs, specify the required authentication, encryption and access rules and allow the employees to use the enterprise network. The user database is also used when an IAP is configured as an internal RADIUS server. The local user database of APs can support up to 512 user entries except IAP-92 and IAP-93. IAP-92 and IAP-93 supports only 256 user entries. If there are already 512 users, IAP-92 and IAP-93 will not be able to join the cluster. To configure users, complete the following steps: 1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed. 2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view. 3. Click the Config icon. The tabs to configure the APs are displayed. 4. Click Show Advanced. 5. Click the Security tab. The Security page is displayed. 6. Click User For Internal Server. 7. In the Users pane, click the + icon. 8. In the Add User window, enter the following information, and then click OK. n In the Username text-box, enter a username. n In the Password text-box, enter the password. n In the Retype text-box, retype the password to confirm. n In the Type drop-down list, select a type of user from the drop-down list. 9. To edit a user settings: a. In the Users pane, select the username to edit. b. Click the edit icon to modify the user settings. c. Click OK. 10. To delete a user: a. In the Users pane, select the username to delete. b. Click the delete icon. c. Click OK. 11. To delete all users, select Delete All in the Users pane, and then click Yes. 
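The management authentication options in Table 73 (internal hashed users, an external RADIUS or TACACS server, and "fallback to internal" on server timeout) can be modelled in a few lines. The following Python is an added example, not code from Aruba Central or Aruba Instant: the server client is stubbed by a callable that returns ACCEPT, REJECT or TIMEOUT, and the server names, user names and privilege strings are constructed for the demonstration. The point it makes is the one the table states implicitly: fallback happens only when no server responds, never when a server answers with a reject.

```python
"""Management-user authentication with an external server and internal fallback,
following the options in Table 73. Added example; not Aruba code."""
import hashlib
import hmac
import os
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class ServerResult(Enum):
    ACCEPT = "accept"    # server returned a privilege level for the user
    REJECT = "reject"    # server answered: credentials or policy rejected
    TIMEOUT = "timeout"  # no response at all


# Hypothetical client signature: (server, username, password) -> (result, privilege)
AuthServerFn = Callable[[str, str, str], Tuple[ServerResult, Optional[str]]]


class InternalUserDb:
    """Local management users kept as salted PBKDF2 hashes, never as plain text
    (the property the hash-mgmt-user setting gives the IAP)."""

    ITERATIONS = 200_000

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, str]] = {}

    def add(self, username: str, password: str, privilege: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._users[username] = (salt, digest, privilege)

    def verify(self, username: str, password: str) -> Optional[str]:
        """Return the stored privilege level on success, None otherwise."""
        entry = self._users.get(username)
        if entry is None:
            return None
        salt, digest, privilege = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return privilege if hmac.compare_digest(candidate, digest) else None


def authenticate(username: str, password: str, servers: List[str], query: AuthServerFn,
                 internal: InternalUserDb, fallback_to_internal: bool,
                 load_balance: bool = False, request_no: int = 0) -> Optional[str]:
    """Return the privilege level for the user, or None if access is denied.

    servers lists the configured servers, primary first. In primary/backup mode the
    primary is always tried first; with load balancing the starting server rotates
    per request and the other server acts as its backup. Fallback to the internal
    database happens only when no server responds (timeout), never on an explicit
    reject: a reject is an answer and must not become a second chance.
    """
    order = list(servers)
    if load_balance and len(order) > 1:
        start = request_no % len(order)
        order = order[start:] + order[:start]
    for server in order:
        result, privilege = query(server, username, password)
        if result is ServerResult.ACCEPT:
            return privilege
        if result is ServerResult.REJECT:
            return None
        # TIMEOUT: fall through to the next (backup) server
    if fallback_to_internal:
        return internal.verify(username, password)
    return None


def demo_server(server: str, username: str, password: str) -> Tuple[ServerResult, Optional[str]]:
    """Constructed stand-in for a RADIUS/TACACS server: 'radius-down' never answers."""
    if server == "radius-down":
        return ServerResult.TIMEOUT, None
    if username == "netadmin" and password == "correct horse battery":
        return ServerResult.ACCEPT, "client-control"
    return ServerResult.REJECT, None


if __name__ == "__main__":
    db = InternalUserDb()
    db.add("localadmin", "local-only-secret", "client-control")
    print(authenticate("localadmin", "local-only-secret", ["radius-down"], demo_server, db, True))
```

When reviewing a deployment that uses fallback, the check worth making is that a reachable server that rejects a login is not silently retried against the local database; in this model that is the early `return None` on REJECT.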
Deleting a user only removes the user record from the user database; it does not disconnect an online user who is associated with the username.

Firewall and ACL Rules

The Aruba Central (on-premises) firewall provides identity-based controls to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using the Aruba Central (on-premises) firewall, you can enforce network access policies that define access to the network, the areas of the network that users may access, and the performance thresholds of various applications.

Aruba Central (on-premises) supports a role-based stateful firewall. The firewall recognizes flows in a network and keeps track of the state of sessions. It processes each packet according to the first rule that matches the packet. The firewall logs on the Instant Access Points (IAPs) are generated as syslog messages. The Aruba Central (on-premises) firewall also supports Application Layer Gateway (ALG) functions such as the SIP, Vocera, Alcatel NOE, and Cisco Skinny protocols.

ACL Rules

You can use Access Control List (ACL) rules to either permit or deny data packets passing through the IAP. You can also limit the packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, or on source or destination IP addresses.

You can create access rules to allow or block data packets that match the criteria defined in an access rule. You can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or block the outbound network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to an IP address through the firewall.

The IAP clients are associated with user roles, which determine the client's network privileges and the frequency at which clients re-authenticate.

Aruba Central (on-premises) supports the following types of ACLs:
- ACLs that permit or deny traffic based on the source IP address of the packet.
- ACLs that permit or deny traffic based on source or destination IP address, or source or destination port number.

You can configure up to 64 access control rules for a firewall policy.

Configuring Network Address Translation Rules

Network Address Translation (NAT) is the process of modifying network address information when packets pass through a routing device. The routing device acts as an agent between the public network (the Internet) and the private network (the local network), which allows translation of private network IP addresses to a public address space. In Aruba Central (on-premises), the routing device uses translation tables to map the private addresses to a single IP address, and packets are sent from this address so that they appear to originate from the routing device. Similarly, if packets are sent to the private IP address, the destination address is translated according to the information stored in the translation tables of the routing device.

Support for Multiple PSK in WLAN SSID

Aruba Central (on-premises) allows you to configure multiple PSK (MPSK) in WLAN network profiles for APs running Aruba InstantOS 8.4.0.0 or later. MPSK enhances the WPA2 PSK mode by allowing device-specific or group-specific passphrases, which are generated by ClearPass Policy Manager and sent to the Instant Access Point (IAP).

WPA2 PSK-based deployments generally consist of a single passphrase configured as part of the WLAN SSID profile. This single passphrase applies to all clients that associate with the SSID. Starting from Aruba InstantOS 8.4.0.0, multiple PSKs in conjunction with ClearPass Policy Manager are supported for WPA and WPA2 PSK-based deployments. Every client connected to the WLAN SSID can have its own unique PSK.

An MPSK passphrase requires MAC authentication against a ClearPass Policy Manager server. The MPSK passphrase works only with wpa2-psk-aes encryption and not with any other PSK-based encryption. The Aruba-MPSK-Passphrase RADIUS VSA is added, and the ClearPass Policy Manager server populates this VSA with the encrypted passphrase for the device.

The workflow is as follows:

1. A user registers the device on a ClearPass Policy Manager guest-registration or device-registration web page and receives a device-specific or group-specific passphrase.
2. The device associates with the SSID using wpa2-psk-aes encryption and uses the MPSK passphrase.
3. The IAP performs MAC authentication of the client against the ClearPass Policy Manager server. On successful MAC authentication, ClearPass Policy Manager returns Access-Accept with the VSA containing the encrypted passphrase.
4. The IAP generates a PSK from the passphrase and performs the 4-way key exchange.
5. If the device uses the correct per-device or per-group passphrase, authentication succeeds. If the ClearPass Policy Manager server returns Access-Reject or the client uses an incorrect passphrase, authentication fails.
6. The IAP stores the MPSK passphrase in its local cache for client roaming. The cache is shared between all the IAPs within a single cluster. The cache can also be shared with standalone IAPs in a different cluster, provided the APs belong to the same multicast VLAN. Each IAP first searches the local cache for the MPSK information. If the local cache has the corresponding MPSK passphrase, the IAP skips the MAC authentication procedure and provides access to the client.
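The six-step workflow above, as an added Python example (not Aruba or ClearPass code). The PSK is derived from the passphrase with the standard WPA2 passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1 keyed on the SSID, 4096 iterations, 32 bytes); the guide only says that the IAP "generates a PSK from the passphrase", so using that mapping is an assumption of the example. ClearPass MAC authentication is stubbed by a constructed dictionary from client MAC to passphrase (treated as already decrypted, since the VSA encryption is not described here), and the 4-way handshake is stood in for by a constant-time comparison of the two derived PSKs. The cache counter shows why a cluster-shared cache matters: a roaming client is admitted without a second RADIUS round-trip.

```python
"""Client admission under MPSK, following the workflow steps above.
Added example; not Aruba or ClearPass code."""
import hashlib
import hmac
from typing import Dict, Optional


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2 PSK (= PMK) from an ASCII passphrase and the SSID.
    Assumed here to be what the IAP does in step 4 of the workflow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class MpskAccessPoint:
    def __init__(self, ssid: str, cppm_registrations: Dict[str, str]) -> None:
        self.ssid = ssid
        self._cppm = cppm_registrations      # constructed stand-in for the VSA lookup
        self._cache: Dict[str, bytes] = {}   # client MAC -> PSK, shared within the cluster
        self.mac_auth_requests = 0           # RADIUS round-trips actually made

    def _psk_for(self, client_mac: str) -> Optional[bytes]:
        cached = self._cache.get(client_mac)
        if cached is not None:
            return cached                            # step 6: cache hit, MAC auth skipped
        self.mac_auth_requests += 1                  # step 3: MAC auth against CPPM
        passphrase = self._cppm.get(client_mac)
        if passphrase is None:
            return None                              # Access-Reject: no passphrase, no access
        psk = derive_psk(passphrase, self.ssid)      # step 4: PSK from the returned passphrase
        self._cache[client_mac] = psk
        return psk

    def admit(self, client_mac: str, client_passphrase: str) -> bool:
        """Step 5: succeed only if the client used the passphrase bound to its MAC."""
        expected = self._psk_for(client_mac)
        if expected is None:
            return False
        offered = derive_psk(client_passphrase, self.ssid)
        return hmac.compare_digest(expected, offered)

    def share_cache_with(self, other: "MpskAccessPoint") -> None:
        """Cluster-wide cache sharing, so a roaming client is not re-authenticated."""
        other._cache.update(self._cache)


if __name__ == "__main__":
    # Constructed registrations: one per-device passphrase and one group passphrase.
    registrations = {"aa:bb:cc:00:00:01": "printer-7-passphrase",
                     "aa:bb:cc:00:00:02": "lab-sensors-group"}
    ap = MpskAccessPoint("corp-iot", registrations)
    print(ap.admit("aa:bb:cc:00:00:01", "printer-7-passphrase"), ap.mac_auth_requests)
```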
When multiple PSK is enabled on the wireless SSID profile, make sure that MAC authentication is not configured for RADIUS authentication. Multiple PSK and MAC authentication are mutually exclusive: MPSK follows its own procedure, which does not require enabling MAC authentication in the WLAN SSID manually. Also, ensure that the RADIUS server configured for the wireless SSID profile is not an internal server.

Points to Remember

The following configurations are mutually exclusive with MPSK for the WLAN SSID profile and do not need to be configured manually:
- MPSK and MAC authentication
- MPSK and Denylisting
- MPSK and internal RADIUS server

Configuring Multiple PSK for Wireless Networks

To configure multiple PSK for wireless networks, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs detail page is displayed.
5. Click +Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. Click the Security tab.
7. Select Personal from the Security Level. The authentication options applicable to the Personal network are displayed.
8. From the Key Management drop-down list, select the MPSK-AES option.
9. From the Primary Server drop-down list, select a server. The RADIUS server selected from the list is the CPPM server.
10. Click Save Settings.

Enabling MPSK Local for Wireless Networks

To configure MPSK Local for wireless networks, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs detail page is displayed.
5. Click +Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. Click the Security tab.
7. Select Personal from the Security Level. The authentication options applicable to the Personal network are displayed.
8. From the Key Management drop-down list, select the Mpsk Local option.
9. From the Mpsk Local drop-down list, select an MPSK Local profile. The MPSK Local feature is supported on Aruba InstantOS 8.7.0.0 or later. You cannot select an MPSK Local profile from the Mpsk Local drop-down list if the AP version is earlier than 8.7.0.0.
10. Click Save Settings.

Configuring an MPSK Local Profile

MPSK Local allows you to configure 24 PSKs per SSID locally on the device. These local PSKs serve as an extension of the base MPSK functionality.

To configure an MPSK Local profile, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Mpsk Local accordion.
7. In the MPSK Local window, click + and enter a name for the MPSK Local profile.
8. To create an MPSK Local passphrase, enter the following information in the Mpsk Local Passphrase window:
   a. Name--Enter a name.
   b. Passphrase--Enter a passphrase.
   c. Retype Passphrase--Retype the passphrase to confirm.
9. Click OK.
10. In the Mpsk Local Passphrase window, select the MPSK Local passphrase name created in the previous step, and then click OK.
11. Click Save Settings.

Configuring WPA3 Encryption

Aruba Central (on-premises) supports WPA3 encryption in the security profiles used for SSID creation, for networks that include access points (APs) running Aruba InstantOS 8.4.0.0 or later. WPA3 provides robust protection with unique encryption per user session, ensuring a highly secured connection even on a public Wi-Fi hotspot.

The WPA3 encryption option depends on whether the network type is Enterprise, Personal, or Open:
- WPA-3 Enterprise when the security level is Enterprise.
- WPA-3 Personal when the security level is Personal.
- Enhanced Open when the security level is Open.

WPA3 Enterprise

WPA3-Enterprise enforces top secret security standards for an enterprise Wi-Fi, in comparison to secret security standards. Top secret security standards include:
- Deriving at least a 384-bit PMK/MSK using Suite B compatible EAP-TLS.
- Securing pairwise data between STA and authenticator using AES-GCM-256.
- Securing group addressed data between STA and authenticator using AES-GCM-256.
- Securing group addressed management frames using BIP-GMAC-256.

Aruba Instant supports WPA3-Enterprise only in non-termination 802.1X and tunnel-forward modes. WPA3-Enterprise compatible 802.1X authentication occurs between the STA and CPPM.

WPA3-Enterprise advertises or negotiates the following capabilities in beacons, probe responses, or 802.11 association:
- AKM Suite Selector as 00-0F-AC:12
- Pairwise Cipher Suite Selector as 00-0F-AC:9
- Group data cipher suite selector as 00-0F-AC:9
- Group management cipher suite (MFP) selector as 00-0F-AC:12

If WPA3-Enterprise is enabled, a STA associates successfully only if it uses the four suite selectors above for AKM selection, pairwise data protection, group data protection, and group management protection, respectively.
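To make that requirement concrete, here is an added Python example (not Aruba code) that serializes and parses an RSN element body (IEEE 802.11 element ID 48, the structure in which these suite selectors travel) and reports which of the four selectors, if any, differ from the WPA3-Enterprise values listed above. The association-request bytes are constructed in the example rather than captured from a real client; the MFP capability bits are parsed as well, because they sit in the same element, but the check itself is limited to the four selectors the guide names.

```python
"""Checking a STA's RSN suite selectors against the four WPA3-Enterprise values.
Added example; not Aruba code. The RSN element bytes are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

IEEE_OUI = bytes.fromhex("000FAC")

# The four selectors WPA3-Enterprise negotiates (from the list above).
AKM_SUITE_B_192 = "00-0F-AC:12"   # AKM suite selector
GCMP_256 = "00-0F-AC:9"           # pairwise and group data cipher selector
BIP_GMAC_256 = "00-0F-AC:12"      # group management (MFP) cipher selector


def suite(oui: bytes, suite_type: int) -> bytes:
    return oui + bytes([suite_type])


def suite_str(s: bytes) -> str:
    return f"{s[0]:02X}-{s[1]:02X}-{s[2]:02X}:{s[3]}"


def build_rsn_body(group_data: bytes, pairwise: List[bytes], akms: List[bytes],
                   capabilities: int = 0, group_mgmt: Optional[bytes] = None) -> bytes:
    """Serialize an RSN element body (without the element ID/length header)."""
    body = struct.pack("<H", 1) + group_data                       # version 1, group data
    body += struct.pack("<H", len(pairwise)) + b"".join(pairwise)  # pairwise suite list
    body += struct.pack("<H", len(akms)) + b"".join(akms)          # AKM suite list
    body += struct.pack("<H", capabilities)                        # RSN capabilities
    if group_mgmt is not None:
        body += struct.pack("<H", 0)   # PMKID count (none) must precede the group mgmt suite
        body += group_mgmt
    return body


def _u16(body: bytes, off: int) -> int:
    return struct.unpack_from("<H", body, off)[0]


def _suites(body: bytes, off: int, count: int) -> List[bytes]:
    return [body[off + 4 * i: off + 4 * i + 4] for i in range(count)]


def parse_rsn_body(body: bytes) -> Dict[str, object]:
    version = _u16(body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    off = 2
    group_data = body[off:off + 4]
    off += 4
    n = _u16(body, off)
    pairwise = _suites(body, off + 2, n)
    off += 2 + 4 * n
    n = _u16(body, off)
    akms = _suites(body, off + 2, n)
    off += 2 + 4 * n
    capabilities = 0
    group_mgmt: Optional[bytes] = None
    if off + 2 <= len(body):                 # RSN capabilities are optional
        capabilities = _u16(body, off)
        off += 2
    if off + 2 <= len(body):                 # PMKID list is optional; skip it
        off += 2 + 16 * _u16(body, off)
    if off + 4 <= len(body):                 # group management cipher suite is optional
        group_mgmt = body[off:off + 4]
    return {"group_data": group_data, "pairwise": pairwise, "akms": akms,
            "mfp_capable": bool(capabilities & 0x80), "mfp_required": bool(capabilities & 0x40),
            "group_mgmt": group_mgmt}


def check_wpa3_enterprise(body: bytes) -> Tuple[bool, List[str]]:
    """Return (ok, problems); ok only when all four selectors match."""
    rsn = parse_rsn_body(body)
    problems: List[str] = []
    gd = suite_str(rsn["group_data"])
    if gd != GCMP_256:
        problems.append(f"group data cipher {gd}, expected {GCMP_256}")
    pw = [suite_str(p) for p in rsn["pairwise"]]
    if pw != [GCMP_256]:
        problems.append(f"pairwise cipher {pw}, expected [{GCMP_256}]")
    akms = [suite_str(a) for a in rsn["akms"]]
    if akms != [AKM_SUITE_B_192]:
        problems.append(f"AKM {akms}, expected [{AKM_SUITE_B_192}]")
    gm = rsn["group_mgmt"]
    gm_str = None if gm is None else suite_str(gm)
    if gm_str != BIP_GMAC_256:
        problems.append(f"group management cipher {gm_str}, expected {BIP_GMAC_256}")
    return (not problems, problems)


if __name__ == "__main__":
    ok_body = build_rsn_body(suite(IEEE_OUI, 9), [suite(IEEE_OUI, 9)], [suite(IEEE_OUI, 12)],
                             capabilities=0xC0, group_mgmt=suite(IEEE_OUI, 12))
    print(check_wpa3_enterprise(ok_body))
```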
If a STA mismatches any one of the four suite selectors, the STA association fails.

To configure WPA3 for enterprise security, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs detail page is displayed.
5. Click +Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table, and then click the edit icon.
6. Click the Security tab.
7. Select Enterprise from the Security Level. The authentication options applicable to the Enterprise network are displayed.
8. Select one of the following from the Key Management drop-down list:
   - WPA-3 Enterprise(GCM 256)--Select this option to use WPA-3 security with the GCM-256 cipher mode.
   - WPA-3 Enterprise(CCM 128)--Select this option to use WPA-3 security with the CCM-128 cipher mode.
9. Click Save Settings.

Configuring WPA3 for Personal Security

To configure WPA3 for personal security, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs detail page is displayed.
5. Click +Add SSID to create a new SSID. To modify an existing SSID, select a wireless SSID from the Wireless SSIDs table and then click the edit icon.
6. Click the Security tab.
7. Select Personal from the Security Level. The authentication options applicable to the Personal network are displayed.
8. Select WPA-3 Personal from the Key Management drop-down list.
9. Click Save Settings.

Intra VLAN Traffic Allowlist

The Intra VLAN Traffic Allowlist is a global allowlist for all WLAN SSIDs and wired networks configured with the feature. For servers to serve the network, you must add them to the Intra VLAN Traffic Allowlist using their IP or MAC address. When you configure wired servers with their IP address or MAC address, the Instant Access Point (IAP) allows client traffic to those destination MAC addresses.

Configuring a Wired Server with the IP Address

To configure a wired server with the IP address, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Intra VLAN Traffic Allowlist accordion.
7. In the Wired Server IP window, click + and enter the IP address of the server.
8. Click OK.
9. Click Save Settings.

To edit a wired server, select the IP address of the wired server in the Wired Server IP window, and then click the edit icon. To delete a wired server, select the IP address of the wired server in the Wired Server IP window, and then click the delete icon.

Configuring a Wired Server with the MAC Address

To configure a wired server with the MAC address, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Intra VLAN Traffic Allowlist accordion.
7. In the Wired Server MAC window, click + and enter the MAC address of the server.
8. Click OK.
9. Click Save Settings.

To edit a wired server, select the MAC address of the wired server in the Wired Server MAC window, and then click the edit icon. To delete a wired server, select the MAC address of the wired server in the Wired Server MAC window, and then click the delete icon.

Mapping IAP Certificates

When an Instant Access Point (IAP) joins a group that does not have a certificate, the IAP's existing certificate is retained. When an IAP joins a group that already has a certificate, the certificate of the IAP is overwritten by the group certificate.

To map an IAP certificate name to a specific certificate type or category, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Expand the Certificate Usage accordion.
7. To map a certificate, for each usage type under Usage Type, select the suitable certificate from the Certificate drop-down list:
   - Certificate Authority--To verify the identity of a client.
   - Authentication Server--To verify the identity of the server to a client.
   - Captive Portal--To verify the identity of the internal captive portal server.
   - Radsec use EST Server--Turn on the Radsec use EST Server toggle switch to allow EST certificates to be used in RadSec applications. To enable Radsec use EST Server, you must enable EST Activate in the EST Profile. If Radsec use EST Server is enabled, RadSec and RadSec Certificate Authority are not available in Certificate Usage.
   - RadSec--To verify the identity of the TLS server.
   - RadSec Certificate Authority--To verify the authentication between the IAP and the TLS server.
   - Clearpass--To verify the identity of the ClearPass server.
   - AP1X CA--Sets the CA certificate used for 802.1X authentication.
   - AP1X Client Cert--Sets the certificate used for 802.1X authentication.
8. Click Save Settings.

To enable certificates for the Cloud Guest Service, contact the Aruba Central support team.

Configuring an EST Profile

EST supports automatic enrollment of certificates with the EST server. Certificates can be enrolled or re-enrolled automatically by configuring an EST profile on the AP. Certificate enrollment with EST allows you to use your own PKI instead of the factory or self-signed certificates available on the AP. This gives you maximum visibility and control over the management of the PKI in use and can address security issues in a scaled environment.

To configure an EST profile, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Expand the Certificate Usage > EST Profile accordion.
7. Configure the following parameters:
   - EST Activate--Activates the EST profile.
   - EST CA Certificate--Sets the EST CA certificate from the drop-down list.
   - Server Name/IP Address--Hostname of the EST server.
   - Server Port--Indicates the port value of the EST server. The default value is 443.
   - Arbitrary Label--Sets an arbitrary label for the EST URI to distinguish it from the other EST profiles running on the EST server.
   - Arbitrary Label Enrollment--Sets an arbitrary enrollment label for the EST URL.
   - Arbitrary Label Reenrollment--Sets an arbitrary re-enrollment label for the EST URL.
   - Challenge Password--Sets a challenge password used in the CSR.
   - Retype Challenge Password--Retype the challenge password used in the CSR.
   - Trust Anchor--Denotes the server's trust anchor.
   - Organizational Unit Name--Sets the organizational unit name.
   - Username--Sets a username for the EST client.
   - Password--Sets a password for the EST client.
   - Retype Password--Retype the password for the EST client.
8. Click Save Settings.

Configuring Roles and Policies on IAPs for User Access Control

Instant Access Points (IAPs) support identity-based access control to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using the IAP firewall policies, you can enforce network access policies that define access to the network, the areas of the network that the user may access, and the performance thresholds of various applications.

IAPs support a role-based stateful firewall. In other words, the Instant firewall can recognize flows in a network and keep track of the state of sessions. The firewall logs on the IAPs are generated as syslog messages. The firewall feature also supports ALG functions such as the SIP, Vocera, Alcatel NOE, and Cisco Skinny protocols.

ACL Rules

You can use ACL rules to either permit or deny data packets passing through the IAP. You can also limit the packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, or on source or destination IP addresses.

You can create access rules to allow or block data packets that match the criteria defined in an access rule. You can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the inbound network traffic that matches the criteria in the rule. Outbound rules explicitly allow or block the outbound network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to an IP address through the firewall.

The IAP clients are associated with user roles, which determine the client's network privileges and the frequency at which clients re-authenticate.

IAPs support the following types of ACLs:
- ACLs that permit or deny traffic based on the source IP address of the packet.
- ACLs that permit or deny traffic based on source or destination IP address, or source or destination port number.

You can configure up to 64 access control rules for a firewall policy.

Configuring Network Address Translation Rules

NAT is the process of modifying network address information when packets pass through a routing device. The routing device acts as an agent between the public network (the Internet) and the private network (the local network), which allows translation of private network IP addresses to a public address space. With NAT on an IAP, the routing device uses translation tables to map the private addresses to a single IP address, and packets are sent from this address so that they appear to originate from the routing device. Similarly, if packets are sent to the private IP address, the destination address is translated according to the information stored in the translation tables of the routing device.
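The role-based, first-match rule evaluation described above, as an added Python example (not Aruba code). Rule fields follow the access rule options the guide lists (a service protocol and port, a destination network or an "except to" network, an allow or deny action, and the Log option); the role names, addresses and packets are constructed. Two assumptions are the example's own: a packet that matches no rule is denied, and the Log option is modelled as an in-memory line rather than a syslog message. The `unreachable_rules` helper flags the common mistake of placing a catch-all "allow any to all destinations" rule ahead of the deny rules it was meant to follow, which a first-match firewall silently turns into no restriction at all.

```python
"""First-match evaluation of a role's access rules, with the 64-rule limit.
Added example; not Aruba code. Roles, addresses and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

MAX_RULES_PER_POLICY = 64   # limit stated in the guide


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp", "icmp", ...
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str = "any"             # "any" (Service: Any) or a protocol name (Service: CUSTOM)
    dport: Optional[int] = None    # None = any port
    dst_net: Optional[str] = None  # None = To all destinations
    except_net: bool = False       # True = Except to a network / particular server
    log: bool = False              # Log option: record when the rule fires

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dst_net is not None:
            in_net = ip_address(pkt.dst) in ip_network(self.dst_net, strict=False)
            if in_net == self.except_net:   # inside an "except" net, or outside a "to" net
                return False
        return True

    def is_catch_all(self) -> bool:
        return self.proto == "any" and self.dport is None and self.dst_net is None


def within_rule_limit(rules: List[Rule]) -> bool:
    return len(rules) <= MAX_RULES_PER_POLICY


class RolePolicy:
    def __init__(self, role: str, rules: List[Rule], default_action: str = "deny") -> None:
        if not within_rule_limit(rules):
            raise ValueError(f"{role}: {len(rules)} rules exceeds the limit of {MAX_RULES_PER_POLICY}")
        self.role = role
        self.rules = list(rules)
        self.default_action = default_action    # assumed: unmatched traffic is denied
        self.log_lines: List[str] = []

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, index of the first matching rule); index is None for the default."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if rule.log:
                    self.log_lines.append(f"role={self.role} rule={idx} {rule.action} "
                                          f"{pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
                return rule.action, idx
        return self.default_action, None


def unreachable_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because a catch-all rule precedes them."""
    for idx, rule in enumerate(rules):
        if rule.is_catch_all():
            return list(range(idx + 1, len(rules)))
    return []


if __name__ == "__main__":
    # Constructed guest role: block the internal range, log it, allow everything else.
    guest = RolePolicy("guest", [Rule("deny", dst_net="10.0.0.0/8", log=True), Rule("allow")])
    print(guest.evaluate(Packet("192.168.50.10", "10.1.2.3", "tcp", 443)))
    print(guest.evaluate(Packet("192.168.50.10", "93.184.216.34", "tcp", 443)))
    print(guest.log_lines)
```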
For more information, see: Aruba Central (on-premises) | User Guide 292 n Configuring Network Service ACLs n Configuring ACLs for Deep Packet Inspection n Configuring User Roles for AP Clients n Configuring Role Derivation Rules for AP Clients n Configuring Firewall Parameters for Inbound Traffic Configuring Network Service ACLs To configure access rules for network services, complete the following steps: 1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed. 2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view. 3. Click the Config icon. The tabs to configure the APs are displayed. 4. Click Show Advanced. 5. Click the Security tab. The Security page is displayed. 6. Click the Roles accordion. 7. Under Access Rules For Selected Roles, click + to add a new rule. The Access Rule window is displayed. 8. Under Rule Type, select Access Control. 9. To configure access to applications or application categories, select a service category from the following list: n Network n App Category n Application n Web Category n Web Reputation 10. Based on the selected service category, configure the following parameters: Table 74: Access Rule Configuration Parameters Data Pane Item Description Rule Type Select a rule type from the list, for example Access Control. Service Select a service from the list of available services. You can allow or deny access to any or all of the following services based on your requirement: n Any--Access is allowed or denied to all services. n CUSTOM--Available options are TCP, UDP, and Other. If you select the TCP or UDP options, enter appropriate port numbers. If you select the Other option, enter the appropriate ID. Managing APs | 293 Table 74: Access Rule Configuration Parameters Data Pane Item Description If TCP and UDP uses the same port, ensure that you configure separate access rules to permit or deny access. 
Action Select any of following attributes: n Select Allow to allow access users based on the access rule. n Select Deny to deny access to users based on the access rule. n Select Destination-NAT to allow the changes to destination IP address. n Select Source-NAT to allow changes to the source IP address. Destination Select a destination option. You can allow or deny access to any the following destinations based on your requirements. n To all destinations--Access is allowed or denied to all destinations. n To a particular server--Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server. n Except to a particular server--Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server. n To a network--Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network. n Except to a network--Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network. n To a Domain Name--Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box. n To AP IP--Traffic to the specified IAP is allowed. After selecting this option, specify the domain name in the IP text box. n To AP Network--Traffic to the specified IAP network is allowed. After selecting this option, specify the domain name in the IP text box. n To conductor IP--Traffic to the specified conductor IAP or virtual controller is allowed. After selecting this option, specify the domain name in the IP text box. Log Select Log to create a log entry when this rule is triggered. The Aruba Central firewall supports firewall based logging. Firewall logs on the IAPs are generated as security logs. 
Denylist Select Denylist to denylist the client when this rule is triggered. The denylisting lasts for the duration specified as Auth failure denylist time on the Denylisting tab of the Security window. Classify Media Select Classify Media to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT traffic and the traffic is marked as follows: n Video: Priority 5 (Critical) n Voice: Priority 6 (Internetwork Control) Disable Scanning Select Disable Scanning to disable ARM scanning when this rule is triggered. The selection of the Disable Scanning applies only if ARM scanning is enabled. DSCP TAG Select DSCP TAGto specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63. Aruba Central (on-premises) | User Guide 294 Table 74: Access Rule Configuration Parameters Data Pane Item Description 802.1p priority Select 802.1p priority to specify an 802.1 priority. Specify a value between 0 and 7. Time Range Select this check-box to allow a specific user to access the network for a specific time range. You can select the time range profile from the drop-down list that appears when the Time Range check box is selected. 11. Click Save Settings. Configuring ACLs for Deep Packet Inspection To configure ACL rules for a user role for Deep Packet Inspection (DPI), complete the following procedure: 1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed. 2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view. 3. Click the Config icon. The tabs to configure the access points are displayed. 4. Click Show Advanced. 5. Click the Security tab. The Security page is displayed. 6. Under Roles, select the role for which you want to configure access rules. 7. Under Access Rules For Selected Roles, click + to add a new rule. The Access Rule window is displayed. 8. 
Under Rule Type, select Access Control. 9. To configure access to applications or application categories, select a service category from the following list: n Network n App Category n Application n Web Category n Web Reputation 10. Based on the selected service category, configure the following parameters: Managing APs | 295 Table 75: Access Rule Configuration Parameters Service category Description App Category Select the application categories to which you want to allow or deny access. Application Select the applications to which you want to allow or deny access. Application Throttling Application throttling allows you to set a bandwidth limit for an application and application categories. For example, you can limit the bandwidth rate for video streaming applications such as YouTube or Netflix, or assign a low bandwidth to high risk sites. To specify a bandwidth limit: n Select the Application Throttling check box. n Specify the Downstream and Upstream rates in Kbps per user. Action Select one of the following actions: n Destination-NAT--Translation of the destination IP address of a packet entering the network. n Source-NAT--Used by internal users to access the internet. n Allow--Select Allow to allow access users based on the access rule. n Deny--Select Deny to deny access to users based on the access rule. Destination Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any the following destinations based on your requirements. n To all destinations-- Access is allowed or denied to all destinations. n To a particular server--Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server. n Except to a particular server--Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server. 
- To a network--Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
- Except to a network--Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
- To a Domain Name--Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.
- To AP IP--Traffic to the specified IAP is allowed. After selecting this option, specify the IP address in the IP text box.
- To AP Network--Traffic to the specified IAP network is allowed. After selecting this option, specify the IP address in the IP text box.
- To conductor IP--Traffic to the specified conductor IAP or virtual controller is allowed. After selecting this option, specify the IP address in the IP text box.
Log -- Select this check box if you want a log entry to be created when this rule is triggered. Aruba Central supports firewall based logging. Firewall logs on the IAPs are generated as security logs.
Denylist -- Select the Denylist check box to denylist the client when this rule is triggered. The denylisting lasts for the duration specified as Auth failure denylist time on the Denylisting tab of the Security window.
Classify Media -- Select the Classify Media check box to classify and tag media on HTTPS traffic as voice and video packets.
Disable Scanning -- Select the Disable Scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable Scanning applies only if ARM scanning is enabled.
DSCP Tag -- Select this check box to add a DSCP tag to the rule. DSCP is an L3 mechanism for classifying and managing network traffic and providing QoS on the network. To assign a higher priority, specify a higher value.
802.1p priority -- Select this check box to enable 802.1p priority. 802.1p priority is an L2 protocol for traffic prioritization to manage QoS on the network. There are eight levels of priority, 0-7. To assign a higher priority, specify a higher value.
Time Range -- Select this check box to enable a user to access the network for a specific time period. You can select the time range profile from the drop-down list that appears when the Time Range check box is selected.

11. Click Save.

Configuring ACLs on APs for Website Content Classification

You can configure web policy enforcement on an access point (AP) to block certain categories of websites based on your organization's specifications by defining ACL rules. To configure ACLs for website content classification, follow the procedure below:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab.
6. Under Roles, select the role to modify.
7. Under Access Rules For Selected Roles, click + to add a new rule. The Access Rule window is displayed.
8. Under Rule Type, select Access Control.
9. To set an access policy based on web categories:
   a. Under Service, select Web Category.
   b. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.
   c. Under Action, select Allow or Deny.
   d. Click Save.
10. To filter access based on the security ratings of the website:
   a. Select Web Reputation under Service.
   b. Move the slider to select a specific web reputation value, either to deny access to websites with a reputation value lower than or equal to the configured value, or to permit access to websites with a reputation value higher than or equal to the configured value.
   The following options are available:
   - Trustworthy WRI > 81--These are well known sites with strong security practices and may not expose the user to security risks. There is a very low probability that the user will be exposed to malicious links or payloads.
   - Low Risk WRI 61-80--These are benign sites and may not expose the user to security risks. There is a low probability that the user will be exposed to malicious links or payloads.
   - Moderate WRI 41-60--These are generally benign sites, but may pose a security risk. There is some probability that the user will be exposed to malicious links or payloads.
   - Suspicious WRI 21-40--These are suspicious sites. There is a higher than average probability that the user will be exposed to malicious links or payloads.
   - High Risk WRI < 20--These are high risk sites. There is a high probability that the user will be exposed to malicious links or payloads.
   c. Under Action, select Allow or Deny as required.
11. To set a bandwidth limit based on web category or web reputation score, select the Application Throttling check box and specify the downstream and upstream rates in Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high risk sites.
12. If required, select the following check boxes:
   - Denylist--Select this check box to denylist the client when this rule is triggered. The denylisting lasts for the duration specified as Auth Failure Denylist Time on the Denylisting pane of the Security window. For more information, see Denylisting IAP Clients.
   - Disable Scanning--Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Parameters.
   - DSCP Tag--Select this check box to add a DSCP tag to the rule. DSCP is an L3 mechanism for classifying and managing network traffic and providing QoS on the network. To assign a higher priority, specify a higher value.
   - 802.1p priority--Select this check box to enable 802.1p priority. 802.1p priority is an L2 protocol for traffic prioritization to manage QoS on the network. There are eight levels of priority, 0-7. To assign a higher priority, specify a higher value.
13. Click Save to save the rules.
14. Click Save Settings in the Roles pane to save the changes to the role for which you defined ACL rules.

Configuring User Roles for AP Clients

Every client in the Aruba Central (on-premises) network is associated with a user role, which determines the client's network privileges, the frequency of re-authentication, and the applicable bandwidth contracts. The user role configuration on an Instant Access Point (IAP) involves the following procedures:
- Creating a User Role
- Configuring User Roles for AP Clients

Creating a User Role

To create a user role, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Roles accordion.
7. In the Roles pane, click +.
8. In the Add Role window, enter a name for the new role in Roles, and then click OK.

You can also create a user role when configuring a wireless profile. For more information, see Configuring Wireless Network Profiles on IAPs.

Assigning Bandwidth Contracts to User Roles

Administrators can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles. The administrator can assign a bandwidth contract configured in Kbps to upstream (client to the IAP) or downstream (IAP to clients) traffic for a user role.
The bandwidth contract will not be applicable to the user traffic on the bridged out (same subnet) destinations. For example, if clients are connected to an SSID, you can restrict the upstream bandwidth rate allowed for each user to 512 Kbps. By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic. The assigned bandwidth will be served and shared among all the users. You can also assign bandwidth per user to provide every user a specific bandwidth within a range of 1 to 65535 Kbps. If there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed.

To assign bandwidth contracts to a user role, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Roles accordion.
7. Create a user role or select an existing role.
8. In the Access Rules For Selected Roles pane, click +.
9. In the Access Rule window, select Bandwidth Contract under Rule Type.
10. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select Per User.
11. Click Save.

Associate the user role to a WLAN SSID or wired profile. You can also create a user role and assign bandwidth contracts while configuring an SSID.

Configuring Role Derivation Rules for AP Clients

Aruba Central (on-premises) allows you to configure role and VLAN derivation rules. You can configure these rules to assign a user role or VLAN to the clients connecting to an SSID or a wired profile.

Creating a Role Derivation Rule

You can configure rules for determining the role that is assigned for each authenticated client.
When creating more than one role assignment rule, the first matching rule in the rule list is applied. To create a role assignment rule, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
6. Click the Access tab.
7. Under Access rules, select Role Based to enable access based on user roles.
8. Under Role Assignment Rules, click +Add Role Assignment. In New Role Assignment Rule, define a match method by which the string in Operand is matched with the attribute value returned by the authentication server.
9. From the Attribute list, select the attribute that the rule matches against. The list of supported attributes includes RADIUS attributes, dhcp-option, dot1x-authentication-type, mac-address, and mac-address-and-dhcp-options.
10. Select the operator from the Operator list. The following types of operators are supported:
   - contains--The rule is applied only if the attribute value contains the string specified in Operand.
   - Is the role--The rule is applied if the attribute value is the role.
   - equals--The rule is applied only if the attribute value is equal to the string specified in Operand.
   - not-equals--The rule is applied only if the attribute value is not equal to the string specified in Operand.
   - starts-with--The rule is applied only if the attribute value starts with the string specified in Operand.
   - ends-with--The rule is applied only if the attribute value ends with the string specified in Operand.
   - matches-regular-expression--The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for WLAN clients.
11. Enter the string to match in the String box.
12. Select the appropriate role from the Role list.
13. Click Save.

Configuring VLAN Assignment Rule

To configure VLAN assignment rules for an SSID profile:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
6. Click the Access tab.
7. Select the access rule from Access rules.
8. In the Access Rules For Selected Roles, click + Add Rule to add a new rule. The Access Rule page is displayed. The VLAN Assignment option is also listed in the Access Rule page when you create or edit a rule for wired port profiles in the Ports > Create a New Network > Access tab.
9. From the Rule Type drop-down list, select the VLAN Assignment option.
10. Enter the VLAN ID in the VLAN ID field under the Service section. Alternatively, you can select the VLAN ID or the VLAN name from the drop-down list provided next to the VLAN ID field.
11. Click Save.

Configuring VLAN Derivation Rules

The users are assigned to a VLAN based on the attributes returned by the RADIUS server after users authenticate. To configure VLAN derivation rules for an SSID profile:

1. In the Network Operations app, set the filter to a group containing at least one AP.
   The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click the WLANs tab. The WLANs details page is displayed.
5. In the Wireless SSIDs table, select a network profile and then click the edit icon.
6. Under VLANs, select Dynamic under Client VLAN Assignment.
7. Click + Add Rule to create a VLAN assignment rule. The New VLAN Assignment Rule window is displayed. In this window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.
8. Select an attribute from the Attribute list.
9. Select an operator from the Operator list. The following types of operators are supported:
   - contains--The rule is applied only if the attribute value contains the string specified in Operand.
   - equals--The rule is applied only if the attribute value is equal to the string specified in Operand.
   - not-equals--The rule is applied only if the attribute value is not equal to the string specified in Operand.
   - starts-with--The rule is applied only if the attribute value starts with the string specified in Operand.
   - ends-with--The rule is applied only if the attribute value ends with the string specified in Operand.
   - matches-regular-expression--The rule is applied only if the attribute value matches the regular expression pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for the WLAN clients.
10. Enter the string to match in the String field.
11. Select the appropriate VLAN ID from VLAN. Ensure that all other required parameters are configured.
12. Click OK.
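The role derivation and VLAN derivation procedures above share the same rule model: an ordered list of (attribute, operator, operand) rules evaluated against the attribute values returned by the authentication server, where the first matching rule wins and matches-regular-expression is allowed only with the mac-address-and-dhcp-options attribute. The following is an added Python illustration of that evaluation order, not code from Aruba Central; the rule lists, attribute names such as Filter-Id, and client attribute sets are constructed, the "Is the role" operator is not modelled, and treating an attribute the server did not return as a non-match is an assumption the guide does not state.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Only this attribute may be combined with matches-regular-expression.
REGEX_ONLY_ATTRIBUTE = "mac-address-and-dhcp-options"


@dataclass(frozen=True)
class DerivationRule:
    attribute: str   # e.g. "Filter-Id", "dot1x-authentication-type", "mac-address"
    operator: str    # contains, equals, not-equals, starts-with, ends-with,
                     # matches-regular-expression
    operand: str     # the string entered in the rule's String box
    result: str      # a role name (role rule) or a VLAN ID (VLAN rule)


def operator_matches(rule: DerivationRule, value: str) -> bool:
    """Apply one rule's operator to the attribute value the server returned."""
    op, operand = rule.operator, rule.operand
    if op == "contains":
        return operand in value
    if op == "equals":
        return value == operand
    if op == "not-equals":
        return value != operand
    if op == "starts-with":
        return value.startswith(operand)
    if op == "ends-with":
        return value.endswith(operand)
    if op == "matches-regular-expression":
        # Reject the operator on any other attribute instead of silently matching.
        if rule.attribute != REGEX_ONLY_ATTRIBUTE:
            raise ValueError(
                f"matches-regular-expression is only valid with {REGEX_ONLY_ATTRIBUTE}")
        return re.search(operand, value) is not None
    raise ValueError(f"unknown operator: {op}")


def derive(rules: List[DerivationRule], attributes: Dict[str, str],
           default: str) -> str:
    """Return the result of the first matching rule, or `default` if none matches.

    `attributes` maps attribute names to the values returned for one
    authenticated client. Assumption of this example: a rule whose attribute
    was not returned at all is skipped rather than treated as a match.
    """
    for rule in rules:
        value = attributes.get(rule.attribute)
        if value is None:
            continue
        if operator_matches(rule, value):
            return rule.result
    return default


# Constructed rule lists. Role rules yield a role name, VLAN rules a VLAN ID.
ROLE_RULES = [
    DerivationRule("dot1x-authentication-type", "equals", "eap-tls", "corp-employee"),
    DerivationRule("Filter-Id", "starts-with", "guest", "guest"),
    DerivationRule(REGEX_ONLY_ATTRIBUTE, "matches-regular-expression",
                   r"^00:0b:86:", "aruba-device"),
]
VLAN_RULES = [
    DerivationRule("Filter-Id", "contains", "finance", "30"),
    DerivationRule("Filter-Id", "not-equals", "guest", "20"),
]

if __name__ == "__main__":
    # Constructed attribute sets for two clients; the first satisfies rules 1
    # and 2 of ROLE_RULES, so rule order decides the outcome.
    cert_user = {"dot1x-authentication-type": "eap-tls", "Filter-Id": "guest-wifi"}
    psk_guest = {"dot1x-authentication-type": "peap", "Filter-Id": "guest-wifi"}
    print(derive(ROLE_RULES, cert_user, "default"))   # corp-employee
    print(derive(ROLE_RULES, psk_guest, "default"))   # guest
    print(derive(VLAN_RULES, {"Filter-Id": "corp-finance"}, "1"))  # 30
```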
Configuring Firewall Parameters for Wireless Network Protection

To configure firewall settings, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Wireless IDS/IPS accordion.
7. Under Firewall Settings, turn on the toggle switch to enable SIP, VOCERA, ALCATEL NOE, Auto Topology Rules, Restrict Corporate Access, and CISCO Skinny protocols.
8. Under Protection, in the Protection Against Wired Attacks section, enable the following options:
   - Drop Bad ARP--Drops the fake ARP packets.
   - Fix Malformed DHCP--Fixes the malformed DHCP packets.
   - ARP Poison Check--Triggers an alert on ARP poisoning caused by the rogue APs.

Configuring Management Subnets

You can configure subnets to ensure that the IAP management is carried out only from these subnets. When the management subnets are configured, Telnet, SSH, and UI access is restricted to these subnets only. To configure management subnets, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Wireless IDS/IPS accordion.
7. Click Firewall Settings.
8. In the Management Subnets pane, to add a new management subnet, complete the following steps:
   a. Enter the subnet address in Subnet.
   b. Enter the subnet mask in Mask.
   c. Click Add.
9. Click Save Settings.

Configuring Custom Redirection URLs for IAP Clients

You can create a list of URLs to redirect users to when they access the blocked websites. You can define an access rule to use these redirect URLs and assign the rule to a user role in the WLAN network.

Creating a List of Error Page URLs

To create a list of error page URLs, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Under Custom Blocked Page URL, click + and enter the URL to block.
7. Repeat the procedure to add more URLs. You can add up to 8 URLs to the list of blocked web pages.
8. Click OK.

Configuring ACL Rules to Redirect Users to a Specific URL

To configure ACL rules to redirect users to a specific URL, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Under Roles, select the role for which you want to configure access rules.
7. Click + in the Access Rules section.
8. In the New Rule window, select the rule type as Blocked Page URL.
9. Select the URLs from the existing list of custom redirect URLs. To add a new URL, click +.
10. Click Save.

Configuring Firewall Parameters for Inbound Traffic

Instant Access Points (IAPs) support an enhanced inbound firewall for the traffic that flows into the network through the uplink ports of an IAP.
To configure the firewall rules, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Wireless IDS/IPS accordion.
7. Click Firewall Settings.
8. In the Access Rule section, click the + icon. The Inbound Firewall page is displayed.
9. In the Inbound Firewall page, enter the following information:

Table 76: Inbound Firewall Rule Configuration Parameters
Parameter -- Description
Service -- Select a service from the list of available services. You can allow or deny access to any or all of the services based on your requirement:
- Any--Access is allowed or denied to all services.
- Custom--Customize the access based on available options such as TCP, UDP, and other options. If you select the TCP or UDP options, enter appropriate port numbers. If the Other option is selected, ensure that an appropriate ID is entered.
Action -- Select any of the following actions:
- Select Allow to allow user access based on the access rule.
- Select Deny to deny user access based on the access rule.
- Select Destination-NAT to allow making changes to the destination IP address and the port. Select Source-NAT to allow making changes to the source IP address. The destination NAT and source NAT actions apply only to the network services rules.
Source -- Select any of the following options:
- From all sources--Traffic from all sources is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
- From a particular host--Traffic from a particular host is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the host.
- From a network--Traffic from a particular network is either allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask of the source network.
Destination -- Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.
- To all destinations--Traffic for all destinations is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule.
- To a particular server--Traffic to a specific server is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address of the destination server.
- Except to a particular server--Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
- To a network--Traffic to the specified network is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and netmask for the destination network.
- Except to a network--Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
- To a Domain name--Traffic to the specified domain is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the domain name in the Domain Name text box.
- To AP IP--Traffic to the specified IAP is allowed. After selecting this option, specify the IP address in the IP text box.
- To AP Network--Traffic to the specified IAP network is allowed. After selecting this option, specify the IP address in the IP text box.
- To conductor IP--Traffic to the specified conductor IAP or virtual controller is allowed. After selecting this option, specify the IP address in the IP text box.
Log -- Select the Log check box if you want a log entry to be created when this rule is triggered. Instant supports a firewall-based logging function. Firewall logs on the Instant APs are generated as security logs.
Denylist -- Select the Denylist check box to denylist the client when this rule is triggered. The denylisting lasts for the duration specified in the Auth failure denylist time on the Denylisting tab of the Security window.
Classify Media -- Select the Classify Media check box to classify and tag media on HTTPS traffic as voice and video packets.
Disable scanning -- Select the Disable scanning check box to disable ARM scanning when this rule is triggered. The selection of Disable scanning applies only if ARM scanning is enabled.
DSCP TAG -- Select the DSCP TAG check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63. To assign a higher priority, specify a higher value.
802.1p priority -- Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.

10. Click OK.
11. Click Save Settings.

For all subnets, a deny rule is created by default as the last rule. If at least one rule is configured, the deny all rule is applied to the upstream traffic by default. The inbound firewall is not applied to traffic coming through the GRE tunnel.
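To make the effect of the Service, Source, Destination and "Except to" selectors and of the implicit deny-all last rule concrete, the following is an added Python model of how an ordered inbound rule list is evaluated against a packet; it is illustration code written for this guide, not the IAP firewall implementation. Assumptions: rules are evaluated top to bottom with the first match deciding, the NAT actions are left out, and the rule list, addresses (198.51.100.0/24, 203.0.113.x, 10.x) and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP = 6, 17  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    """A packet arriving on the IAP uplink (constructed test data)."""
    proto: int             # IP protocol number
    dport: Optional[int]   # destination port, None for protocols without ports
    src: str
    dst: str


@dataclass(frozen=True)
class InboundRule:
    action: str                       # "allow" or "deny"
    service: str = "any"              # "any", "tcp", "udp" or "other"
    port: Optional[int] = None        # port number for tcp/udp services
    proto_id: Optional[int] = None    # protocol ID for service "other"
    source: str = "any"               # "any", a host address, or a CIDR network
    destination: str = "any"          # "any", a server address, or a CIDR network
    destination_except: bool = False  # "Except to a particular server / network"
    log: bool = False                 # the Log check box


def _address_matches(selector: str, address: str) -> bool:
    """'any' matches everything; a host or CIDR selector is a containment test."""
    if selector == "any":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(selector, strict=False)


def rule_matches(rule: InboundRule, pkt: Packet) -> bool:
    if rule.service == "tcp" and not (pkt.proto == TCP and pkt.dport == rule.port):
        return False
    if rule.service == "udp" and not (pkt.proto == UDP and pkt.dport == rule.port):
        return False
    if rule.service == "other" and pkt.proto != rule.proto_id:
        return False
    if not _address_matches(rule.source, pkt.src):
        return False
    dst_hit = _address_matches(rule.destination, pkt.dst)
    # "Except to ..." inverts the destination test.
    return dst_hit != rule.destination_except


def evaluate(rules: List[InboundRule], pkt: Packet) -> Tuple[Optional[str], Optional[InboundRule]]:
    """Return (action, matched_rule) for the first rule that matches.

    When at least one rule is configured and none matches, the implicit
    deny-all last rule applies, as the guide states. With no rules at all
    there is no inbound policy to apply, so (None, None) is returned.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule
    if rules:
        return "deny", None
    return None, None


# Constructed rule list: HTTPS from one partner range to one server, IKE to
# anything outside the 10.10.0.0/24 management network, ESP from another range.
RULES = [
    InboundRule("allow", service="tcp", port=443, source="198.51.100.0/24",
                destination="10.10.0.10", log=True),
    InboundRule("allow", service="udp", port=500,
                destination="10.10.0.0/24", destination_except=True),
    InboundRule("allow", service="other", proto_id=50, source="203.0.113.0/24"),
]

if __name__ == "__main__":
    for pkt in (Packet(TCP, 443, "198.51.100.7", "10.10.0.10"),   # allow, rule 1
                Packet(TCP, 22, "198.51.100.7", "10.10.0.10"),    # deny, implicit
                Packet(UDP, 500, "203.0.113.9", "10.20.0.5"),     # allow, rule 2
                Packet(UDP, 500, "203.0.113.9", "10.10.0.5")):    # deny, implicit
        action, rule = evaluate(RULES, pkt)
        print(pkt, "->", action, "(logged)" if rule and rule.log else "")
```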
Configuring Restricted Access to Corporate Network

You can configure restricted corporate access to block unauthorized users from accessing the corporate network. When restricted corporate access is enabled, corporate access is blocked from the uplink port of the conductor IAP, including clients connected to a member IAP. To configure restricted corporate access, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Wireless IDS/IPS accordion.
7. Click Firewall Settings.
8. To restrict corporate access, turn on the Restrict Corporate Access toggle switch.
9. Click Save Settings.

Enabling ALG Protocols on IAPs

To configure ALG protocols on Instant Access Points (IAPs), complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Wireless IDS/IPS accordion.
7. Under Firewall Settings, set the toggle button against the corresponding protocol to enable SIP, VOCERA, ALCATEL NOE, Auto Topology Rules, Restrict Corporate Access, and CISCO Skinny protocols.
8. Click Save Settings.

When the protocols for the ALG are disabled, the changes do not take effect until the existing user sessions have expired. Reboot the IAP and the client, or wait a few minutes for the changes to take effect.
Denylisting IAP Clients

Client denylisting denies connection to the denylisted clients. When a client is denylisted, it is not allowed to associate with an Instant Access Point (IAP) in the network. If a client is connected to the network when it is denylisted, a deauthentication message is sent to force client disconnection.

Denylisting Clients Manually

Manual denylisting adds the MAC address of a client to the denylist. These clients are added into a permanent denylist. These clients are not allowed to connect to the network unless they are removed from the denylist. To add a client to the denylist manually, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Denylisting accordion.
7. Under Manual Denylisting, click + and enter the MAC address of the client to be denylisted.
8. Click OK.
9. Click Save Settings.

To delete a client from the manual denylist, select the MAC Address of the client under Manual Denylisting, and then click the delete icon.

For the denylisting to take effect, you must enable the denylisting option when you create or edit the WLAN SSID profile. Go to WLANs > Security > Advanced Settings and enable the Denylisting option. For more information, see Configuring Wireless Network Profiles on IAPs.

Denylisting Clients Dynamically

Clients can be denylisted dynamically when they exceed the authentication failure threshold or when a denylisting rule is triggered as part of the authentication process. When a client takes time to authenticate and exceeds the configured failure threshold, it is automatically denylisted by an IAP.
In session firewall based denylisting, an ACL rule automates denylisting. When the ACL rule is triggered, it sends out denylist information and the client is denylisted. To configure the denylisting duration, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Security tab. The Security page is displayed.
6. Click the Denylisting accordion.
7. Under Dynamic Denylisting, enter the following information:
   a. For Auth Failure Denylist Time, enter the duration after which the clients that exceed the authentication failure threshold must be denylisted.
   b. For Policy Enforcement Failure Rule Denylisted Time, enter the duration after which the clients can be denylisted due to an ACL rule trigger.
8. Click Save Settings.

- You can configure a maximum number of authentication failures by the clients, after which a client must be denylisted. For more information on configuring maximum authentication failure attempts, see Configuring Wireless Network Profiles on IAPs.
- To enable session-firewall-based denylisting, select the Denylist check box in the Access Rule page during the WLAN SSID profile creation. For more information, see Configuring Network Service ACLs.

Configuring IAPs for VPN Services

This section describes the following VPN configuration procedures:
- IAP VPN Overview
- Configuring IAPs for VPN Tunnel Creation
- Configuring Routing Profiles for IAP VPN

Configuring IAPs for VPN Tunnel Creation

Instant Access Points (IAPs) support the configuration of tunneling protocols such as GRE, IPsec, and L2TPv3.
This section describes the procedure for configuring VPN host settings on an IAP to enable communication with a controller in a remote location:
- Configuring IPsec VPN Tunnel
- Configuring Automatic GRE VPN Tunnel
- Configuring a GRE VPN Tunnel
- Configuring an L2TPv3 VPN Tunnel

IAP VPN Overview

As Instant Access Points (IAPs) use a virtual controller architecture, the IAP network does not require a physical controller to provide the configured WLAN services. However, a physical controller is required for terminating VPN tunnels from the IAP networks at branch locations or data centers, where the Aruba controller acts as a VPN Concentrator. When the VPN is configured, the IAP acting as the virtual controller creates a VPN tunnel to the Aruba Mobility Controller in your corporate office. The controller acts as a VPN endpoint and does not supply the IAP with any configuration.

The VPN features are recommended for:
- Enterprises with many branches that do not have a dedicated VPN connection to the corporate office.
- Branch offices that require multiple APs.
- Individuals working from home, connecting to the VPN.

Supported VPN Protocols

IAPs support the following VPN protocols for remote access:

Table 77: VPN Protocols
VPN Protocol -- Description
Aruba IPsec -- IPsec is a protocol suite that secures IP communications by authenticating and encrypting each IP packet of a communication session. You can configure an IPsec tunnel to ensure that the data flow between the networks is encrypted. However, you can configure a split-tunnel to encrypt only the corporate traffic. When IPsec is configured, ensure that you add the IAP MAC addresses to the allowlist database stored on the controller or an external server. IPsec supports Local, L2, and L3 modes of IAP-VPN operations. NOTE: The IAPs support IPsec only with Aruba Controllers.
Layer-2 (L2) GRE--GRE is a tunnel protocol for encapsulating multicast, broadcast, and L2 packets between a GRE-capable device and an endpoint. IAPs support the configuration of an L2 GRE (Ethernet over GRE) tunnel with an Aruba Controller to encapsulate the packets sent and received by the IAP. You can use the GRE configuration for L2 deployments when there is no encryption requirement between the IAP and the controller for client traffic. IAPs support two types of GRE configuration:
- Manual GRE--The manual GRE configuration sends unencrypted client traffic with an additional GRE header and does not support failover. When manual GRE is configured on the IAP, ensure that the GRE tunnel settings are enabled on the controller.
- Aruba GRE--With Aruba GRE, no configuration on the controller is required except for adding the IAP MAC addresses to the allowlist database stored on the controller or an external server. Aruba GRE reduces manual configuration when Per-AP Tunnel configuration is required and supports failover between two GRE endpoints.
IAPs support manual and Aruba GRE configuration only for the L2 mode of operation. Aruba GRE configuration is supported only with Aruba Controllers.

L2TP--The L2TP version 3 (L2TPv3) feature allows the IAP to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the AP to the LNS. In a centralized L2 model, the VLANs on the corporate side are extended to remote branch sites. Wireless clients associated with the IAP get their IP address from the DHCP server running on the LNS. For this, the AP has to transparently allow DHCP transactions through the L2TPv3 tunnel.

Configuring IPsec VPN Tunnel

An IPsec tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPsec tunnel to the controller secures corporate data. You can configure an IPsec tunnel from the virtual controller using Aruba Central (on-premises).

To configure an IPsec tunnel from the virtual controller, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the VPN tab. The VPN page is displayed.
6. Click the Controller accordion.
7. In the Protocol drop-down list, select Aruba IPsec.
8. In the Primary host field, enter the IP address or FQDN for the main VPN/IPsec endpoint.
9. In the Backup host field, enter the IP address or FQDN for the backup VPN/IPsec endpoint. This entry is optional. When you enter the primary host IP address and backup host IP address, other fields are displayed.
10. Specify the following parameters:
   a. Select the Preemption check-box to allow the VPN tunnel to switch back to the primary host when it becomes available again. This step is optional. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
   b. Select the Fast Failover check-box to allow the IAP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately. When fast failover is enabled and the primary tunnel fails, the IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
   c. Specify a value in seconds for Secs Between Test Packets. Based on the configured frequency, the IAP can verify if an active VPN connection is available. The default value is 5 seconds, which means that the IAP sends one packet to the controller every 5 seconds.
   d. Enter a value for Max Allowed Test Packet Loss to define the number of lost packets after which the IAP can determine that the VPN connection is unavailable. The default value is 2.
   e. Select the Reconnect User On Failover check-box to disconnect all wired and wireless users when the system switches during the VPN tunnel transition from primary to backup and from backup to primary.
   f. Specify a value in seconds for Reconnect Time On Failover to configure the interval for which wired and wireless users are disconnected during a VPN tunnel switch. By default, the reconnection duration is set to 60 seconds. The Reconnect Time On Failover field is displayed only when Reconnect User On Failover is enabled.
   g. From the Branch Name drop-down list, select the branch name.
   When the IPsec tunnel configuration is completed, the packets that are sent from and received by an IAP are encrypted.
11. Click Save Settings.

You will be unable to upload the self-signed certificate from Aruba Central. You must upload the self-signed certificate to Aruba Activate, followed by the AP reboot procedure. When the AP contacts Aruba Activate, Aruba Activate informs the AP about the self-signed AP certificate that must be downloaded. The AP then installs the new certificate before connecting to Aruba Central. For more information, see the Aruba Activate User Guide.

Configuring Automatic GRE VPN Tunnel

In Aruba Central (on-premises), you can configure an Instant Access Point (IAP) to automatically set up a GRE tunnel from the IAP to the controller.

To configure an IAP to automatically set up a GRE tunnel, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the VPN tab.
   The VPN page is displayed.
6. Click the Controller accordion.
7. In the Protocol drop-down list, select Aruba GRE.
8. In the Primary host field, enter the IP address or FQDN for the main VPN/IPsec endpoint.
9. In the Backup host field, enter the IP address or FQDN for the backup VPN/IPsec endpoint. This entry is optional. When you enter the primary host IP address and backup host IP address, other fields are displayed.
10. Specify the following parameters:
   a. Select the Preemption check-box to allow the VPN tunnel to switch back to the primary host when it becomes available again. This step is optional. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold time. The default value for Hold time is 600 seconds.
   b. Select the Fast Failover check-box to allow the IAP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately. If the primary tunnel fails, the IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
   c. Select the Reconnect User On Failover check-box to disconnect all wired and wireless users when the system switches during the VPN tunnel transition from primary to backup and from backup to primary.
   d. Specify a value in seconds for Reconnect Time On Failover to configure the interval for which wired and wireless users are disconnected during a VPN tunnel switch. By default, the reconnection duration is set to 60 seconds.
   e. Specify a value in seconds for Seconds Between Test Packets. Based on the configured frequency, the IAP can verify if an active VPN connection is available. The default value is 5 seconds, which means that the IAP sends one packet to the controller every 5 seconds.
   f. Enter a value for Max Allowed Test Packet Loss to define the number of lost packets after which the IAP can determine that the VPN connection is unavailable. The default value is 2.
   g. Select the Per-AP-Tunnel check-box to create a GRE tunnel from each IAP to the VPN/GRE endpoint, rather than only from the conductor IAP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the IAP itself and need not be forwarded through the conductor IAP.
   h. From the Branch Name drop-down list, select the branch name.
11. Click Save Settings.

Configuring a GRE VPN Tunnel

You can also manually configure a GRE tunnel by configuring the GRE tunnel parameters on the Instant Access Point (IAP) and the controller. This procedure describes the steps involved in the manual configuration of a GRE tunnel from the virtual controller by using Aruba Central (on-premises).

During the manual GRE setup, you can use either the virtual controller IP or the IAP IP to create the GRE tunnel at the controller side, depending on the following IAP settings:
- If a virtual controller IP is configured and Per-AP tunnel is disabled, the virtual controller IP is used to create the GRE tunnel.
- If a virtual controller IP is not configured or Per-AP tunnel is enabled, the IAP IP is used to create the GRE tunnel.

To configure the GRE tunnel manually, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the VPN tab. The VPN page is displayed.
6. Click the Controller accordion.
7. In the Protocol drop-down list, select Manual GRE.
8. Specify the following parameters:
   a. Host--Enter the IPv4 or IPv6 address or FQDN for the main VPN/GRE tunnel.
   b. Backup Host--(Optional) Enter the IPv4 or IPv6 address or FQDN for the backup VPN/GRE tunnel. You can edit this field only after you enter the IP address or FQDN in the Host field.
   c. Reconnect User On Failover--This field appears when you enter the host IP address and backup host IP address. Select this check-box to disconnect all wired and wireless users when the system switches during the VPN tunnel transition from primary to backup and from backup to primary.
   d. Reconnect Time On Failover--This field appears if you select the Reconnect User On Failover check-box. To configure the interval for which wired and wireless users must be disconnected during a VPN tunnel switch, specify a value within the range of 30-90 seconds. By default, the reconnection duration is set to 60 seconds.
   e. GRE Type--Enter a value for the parameter.
   f. GRE Mtu--Specify a size for the GRE MTU within the range of 1024-1500. After GRE encapsulation, if the packet length exceeds the configured MTU, IP fragmentation occurs. The default MTU size is 1300.
   g. Per-AP-Tunnel--Enable this option to create a GRE tunnel from each IAP to the VPN/GRE endpoint, rather than only from the conductor IAP. When enabled, the traffic to the corporate network is sent through a Layer-2 GRE tunnel from the IAP itself and need not be forwarded through the conductor IAP. By default, the Per-AP tunnel option is disabled.
   h. Branch Name--Select the branch name from the Branch Name drop-down list.
9. When the GRE tunnel configuration is completed on both the IAP and the controller, the packets sent from and received by an IAP are encapsulated, but not encrypted.
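The IPsec and Aruba GRE procedures above expose the same failover knobs (Secs Between Test Packets, Max Allowed Test Packet Loss, Preemption with Hold time, Reconnect User/Time On Failover), and it is worth seeing how they combine into a detection delay and a switch-back delay before choosing values. The following model is an added example, not Aruba code, and replays a constructed sequence of test-packet results; it assumes Fast Failover (the backup tunnel already exists, so a switch costs no setup time), that the primary is declared unavailable once the run of consecutive lost test packets exceeds the configured maximum, and that the hold-time clock starts at the first test packet the recovered primary answers. Neither edge rule is documented in the guide.

```python
"""VPN tunnel failover and preemption timing model (added example, not Aruba code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TunnelParams:
    secs_between_test_packets: int = 5      # guide default: 5 s
    max_allowed_test_packet_loss: int = 2   # guide default: 2
    preemption: bool = True
    hold_time: int = 600                    # guide default: 600 s
    reconnect_user_on_failover: bool = False
    reconnect_time_on_failover: int = 60    # guide default: 60 s


def detection_time(p: TunnelParams) -> int:
    """Seconds from the last answered test packet until the primary is declared
    unavailable: one interval per allowed loss, plus the packet that exceeds the
    maximum (assumption about the 'after which' wording in the guide)."""
    return p.secs_between_test_packets * (p.max_allowed_test_packet_loss + 1)


def simulate(p: TunnelParams, primary_answers: List[bool]) -> List[Tuple[int, str]]:
    """Replay one test packet per interval. primary_answers[i] is True when the
    i-th test packet to the primary host was answered. Returns (seconds, event)
    tuples for every tunnel switch. The backup host is assumed reachable throughout
    (constructed scenario)."""
    active = "primary"
    consecutive_loss = 0
    primary_up_since: Optional[int] = None
    events: List[Tuple[int, str]] = []

    def switch(t: int, target: str) -> None:
        nonlocal active
        active = target
        events.append((t, f"switch-to-{target}"))
        if p.reconnect_user_on_failover:
            # Clients are dropped on the switch and reconnected after the configured interval.
            events.append((t, f"clients-disconnected-for-{p.reconnect_time_on_failover}s"))

    for i, answered in enumerate(primary_answers):
        t = i * p.secs_between_test_packets
        if answered:
            consecutive_loss = 0
            if active == "backup":
                if primary_up_since is None:
                    primary_up_since = t
                # Preemption: return to the primary only once it has stayed up for hold_time.
                if p.preemption and t - primary_up_since >= p.hold_time:
                    primary_up_since = None
                    switch(t, "primary")
        else:
            consecutive_loss += 1
            primary_up_since = None   # a lost packet restarts the hold-time clock
            if active == "primary" and consecutive_loss > p.max_allowed_test_packet_loss:
                consecutive_loss = 0
                switch(t, "backup")
    return events


if __name__ == "__main__":
    # Constructed outage: 3 answered probes, 3 lost, then the primary answers again.
    probes = [True] * 3 + [False] * 3 + [True] * 5
    print("detection time with defaults:", detection_time(TunnelParams()), "s")
    print("hold time 20 s:", simulate(TunnelParams(hold_time=20), probes))
    print("defaults (hold 600 s, no preempt inside window):", simulate(TunnelParams(), probes))
```

With the defaults the primary is declared down 15 s after its last answered probe, well inside the "less than one minute" the guide quotes for fast failover; shortening Hold time trades a quicker return to the primary for more flapping on an unstable link.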
Configuring an L2TPv3 VPN Tunnel

The Layer 2 Tunneling Protocol version 3 (L2TPv3) feature allows an Instant Access Point (IAP) to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the AP to the LNS. In a centralized L2 model, the VLANs on the corporate side are extended to remote branch sites. Wireless clients associated with the IAP get their IP address from the DHCP server running on the LNS. For this, the AP has to transparently allow DHCP transactions through the L2TPv3 tunnel.

To configure an L2TPv3 tunnel by using Aruba Central (on-premises), complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the VPN tab. The VPN page is displayed.
6. Click the Controller accordion.
7. In the Protocol drop-down list, select L2TPv3.
8. To configure a tunnel profile, complete the following steps:
   a. Turn on the Enable Tunnel Profile toggle switch.
   b. Enter the profile name in the Profile Name text-box.
   c. Enter the primary server IP address in the Primary Peer Address text-box.
   d. Enter the remote-end backup tunnel IP address in the Backup Peer Address text-box. This field is optional and is required only when a backup server is configured.
   e. Enter the peer UDP port number in the Peer UDP Port text-box. The default value is 1701.
   f. Enter the local UDP port number in the Local UDP Port text-box. The default value is 1701.
   g. In the Hello Interval text-box, enter the interval at which hello packets are sent through the tunnel. The default value is 60 seconds.
   h. From the Message Digest Type drop-down list, select MD5 or SHA as the message digest used for message authentication.
   i. Enter a shared key in the Shared Key text-box for the message digest. This key must match the shared key configured at the tunnel endpoint.
   j. Ensure that the Checksum check-box is enabled.
   k. Specify a tunnel MTU value in the MTU text-box. The default value is 1460.
9. To configure a session profile, complete the following steps:
   a. Turn on the Enable Session Profile toggle switch.
   b. Enter the session profile name.
   c. Enter the name of the tunnel profile with which the session will be associated.
   d. Configure the tunnel IP address with the corresponding network mask and VLAN ID. This is required to reach an AP from the corporate network, for example for SNMP polling.
   e. Select the cookie length and enter a cookie value corresponding to the length. By default, the cookie length is not set.
   f. From the Branch Name drop-down list, select the branch name.
10. Click Save Settings.

Configuring Routing Profiles for IAP VPN

Aruba Central (on-premises) can terminate a single VPN connection on an Aruba Mobility Controller. The routing profile defines the corporate subnets that need to be tunneled through IPsec. You can configure routing profiles to specify a policy for routing into the VPN tunnel.

1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
3. Click the Config icon. The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the VPN tab. The VPN details page is displayed.
5. Click the Routing accordion.
6. Click + in the Routing pane. The New Route page with the route parameters is displayed.
7. Update the following parameters:
- Destination--Specify the destination network that is reachable through the VPN tunnel. This defines the IP or subnet that must be reached through the IPsec tunnel. Traffic to the IP or subnet defined here will be forwarded through the IPsec tunnel.
- Netmask--Specify the subnet mask for the destination defined in Destination.
- Gateway--Specify the gateway to which traffic must be routed. In this field, enter one of the following based on the requirement:
  - The controller IP address on which the VPN connection will be terminated. If you have a primary and a backup host, configure two routes with the same destination and netmask, but ensure that the gateway is the primary controller IP for one route and the backup controller IP for the second route.
  - The "tunnel" string if you are using the IAP in Local mode during local DHCP configuration.
- Metric--Specify the best optimal path for routing traffic. A value of 1 indicates the best path, 15 indicates the worst path, and 16 indicates that the destination is unreachable on the route.
8. Click OK.
9. Click Save Settings.

Configuring DHCP Pools and Client IP Assignment Modes on IAPs

This section provides the following information:
- Configuring DHCP Scopes on IAPs
- Configuring DHCP Server for Assigning IP Addresses to IAP Clients

Configuring DHCP Scopes on IAPs

The Virtual Controller (VC) supports the following types of DHCP address assignment:
- Configuring Distributed DHCP Scopes
- Configuring a Centralized DHCP Scope
- Configuring Local DHCP Scopes

Configuring Distributed DHCP Scopes

Aruba Central (on-premises) allows you to configure the DHCP address assignment for the branches connected to the corporate network through VPN. You can configure the range of DHCP IP addresses used in the branches and the number of client addresses allowed per branch. You can also specify the IP addresses that must be excluded from those assigned to clients, so that they can be assigned statically.

Aruba Central (on-premises) supports the following distributed DHCP scopes:
- Distributed, L2--In this mode, the VC acts as the DHCP server, but the default gateway is in the data center. Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the VC controls a scope that is a subset of the complete IP address range for the subnet distributed across all the branches. This DHCP assignment mode is used with the L2 forwarding mode.
- Distributed, L3--In this mode, the VC acts as the DHCP server and the default gateway. Based on the number of clients specified for each branch, the range of IP addresses is divided. Based on the IP address range and client count configuration, the DHCP server in the VC is configured with a unique subnet and a corresponding scope.

To configure distributed DHCP scopes such as Distributed, L2 or Distributed, L3, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the DHCP accordion.
7. To configure a distributed DHCP scope, click + under Distributed DHCP Scopes. The New Distributed DHCP Scopes pane is displayed.
8. Based on the type of distributed DHCP scope, configure the following parameters:

Table 78: Distributed DHCP Scope Configuration Parameters

Name--Enter a name for the DHCP scope.
Type--Select any of the following options:
  - Distributed, L2--On selecting Distributed, L2, the VC acts as the DHCP server but the default gateway is in the data center. Traffic is bridged into the VPN tunnel.
  - Distributed, L3--On selecting Distributed, L3, the VC acts as both DHCP server and default gateway. Traffic is routed into the VPN tunnel.
VLAN--Specify a VLAN ID.
  To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile.
Netmask--If Distributed, L2 is selected as the type of DHCP scope, specify the subnet mask. The subnet mask and the network determine the size of the subnet.
Default Router--If Distributed, L2 is selected as the type of DHCP scope, specify the IP address of the default router.
DNS Server--If required, specify the IP address of a DNS server.
Domain Name--If required, specify the domain name.
Lease Time--Specify a lease time for the client in minutes.
IP Address Range--Specify a range of IP addresses to use. To add another range, click the + icon. You can specify up to four different ranges of IP addresses.
  - For Distributed, L2 mode, ensure that all IP ranges are in the same subnet as the default router. On specifying the IP address ranges, a subnet validation is performed to ensure that the specified ranges of IP addresses are in the same subnet as the default router and subnet mask. The configured IP range is divided into blocks based on the configured client count.
  - For Distributed, L3 mode, you can configure any discontiguous IP ranges. The configured IP range is divided into multiple IP subnets that are sufficient to accommodate the configured client count. You can allocate multiple branch IDs (BID) per subnet. The Instant Access Point (IAP) generates a subnet name from the DHCP IP configuration, which the controller can use as a subnet identifier. If static subnets are configured in each branch, all of them are assigned BID 0, which is mapped directly to the configured static subnet.
DHCP Reservation--Displays the total number of DHCP reservations. Click the number to view the list of DHCP reservations. You can configure DHCP reservations only on virtual controllers. From the filter bar, select a virtual controller and click the + icon to configure a DHCP reservation. Specify the following details:
  - MAC--Specify the MAC address of the device for which the IP address has to be reserved.
  - IP--Specify the IP address that has to be reserved for the MAC address. The IP address should be in the IP address range.
  NOTE: Aruba Central allows you to configure a maximum of 32 DHCP reservations.
  To delete a DHCP reservation, click the delete icon.
Option--Specify the type and a value for the DHCP option. You can configure the organization-specific DHCP options supported by the DHCP server, for example 176, 242, 161, and so on. To add multiple DHCP options, click the + icon. You can add up to eight DHCP options.

9. Click Next. The Branch Size tab is displayed. Specify the number of clients to use per branch. The client count configured for a branch determines the use of IP addresses from the IP address range defined for a DHCP scope. For example, if 20 IP addresses are available in an IP address range configured for a DHCP scope and a client count of 9 is configured, only a few IP addresses (in this example, 9) from this range will be used and allocated to a branch. The IAP does not allow administrators to assign the remaining IP addresses to another branch, even if a lower value is configured for the client count.
10. Click Next. The Static IP tab is displayed. Specify the number of first and last IP addresses to reserve in the subnet.
11. Click Finish.

Configuring a Centralized DHCP Scope

The centralized DHCP scope supports L2 and L3 clients. When a centralized DHCP scope is configured:
- The virtual controller does not assign an IP address to the client, and the DHCP traffic is directly forwarded to the DHCP server.
- For L2 clients, the virtual controller bridges the DHCP traffic to the controller over the VPN/GRE tunnel. The IP address is obtained from the DHCP server behind the controller serving the VLAN/GRE of the client.
  This DHCP assignment mode also allows you to add DHCP option 82 to the DHCP traffic forwarded to the controller.
- For L3 clients, the virtual controller acts as a DHCP relay agent that forwards the DHCP traffic to the DHCP server located behind the controller in the corporate network and reachable through the IPsec tunnel. The centralized L3 VLAN IP is used as the source IP. The IP address is obtained from the DHCP server.

To configure a centralized DHCP scope, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the DHCP accordion.
7. To configure centralized DHCP scopes, click + under Centralized DHCP Scopes. The New Centralized DHCP Scope data pane is displayed.
8. Based on the type of centralized DHCP scope, configure the following parameters:

Table 79: DHCP Mode Configuration Parameters

Name--Enter a name for the DHCP scope.
Type--Select one of the following options:
  - Centralized, Layer-2
  - Centralized, Layer-3
VLAN--Specify a VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile.
Split Tunnel--Enable the split tunnel function if you want to allow a VPN user to access a public network and a local LAN or WAN network at the same time through the same physical network connection. For example, a user can use a remote access VPN software client to connect to a corporate network over a home wireless network. When the split tunnel function is enabled, the user can connect to file servers, database servers, mail servers, and other servers on the corporate network through the VPN connection. When the user connects to resources on the Internet (websites, FTP sites, and so on), the connection request goes directly to the gateway provided by the home network. The split DNS functionality intercepts DNS requests from clients for non-corporate domains (as configured in the Enterprise Domains list) and forwards them to the IAP's own DNS server. When split tunnel is disabled, all the traffic, including the corporate and the Internet traffic, is tunneled irrespective of the routing profile specifications. If the GRE tunnel is down and the corporate network is not reachable, the client traffic is dropped.
DHCP Relay--Select the DHCP Relay check box to allow the IAPs to intercept the broadcast packets and relay DHCP requests.
Helper Address--Enter the IP address of the DHCP server.
VLAN IP--This field is applicable only if you select Centralized, Layer-3. Specify the VLAN IP address of the DHCP relay server.
VLAN Mask--This field is applicable only if you select Centralized, Layer-3. Specify the VLAN subnet mask of the DHCP relay server.
Option 82--Select one of the following options:
  - None--If you have configured the DHCP Option 82 XML file, the ALU option is disabled in the drop-down list. To enable ALU, set the drop-down list to None and delete the DHCP Option 82 XML file. To enable the XML option, select None from the drop-down list and select the XML file from the DHCP Option 82 XML drop-down list.
  - ALU--The ALU option is disabled if an XML file is selected from the DHCP Option 82 XML drop-down list in the System > General pane. Select ALU to enable DHCP Option 82 and allow clients to send DHCP packets with the Option 82 string. The Option 82 string is available only in the Alcatel (ALU) format. The ALU format for the Option 82 string consists of the following:
    - Remote Circuit ID; X AP-MAC; SSID; SSID-Type
    - Remote Agent; X IDUE-MAC
  - XML--The XML option is enabled only if an XML file is selected from the DHCP Option 82 XML drop-down list in the System > General pane. Alternatively, to enable the XML option, select None from the drop-down list and select the XML file from the DHCP Option 82 XML drop-down list. For information related to XML files, see Configuring System Parameters for an AP.

9. Click Save Settings.

The following table describes the behavior of the DHCP relay agent and Option 82 in the IAP.

Table 80: DHCP Relay and Option 82

DHCP Relay   Option 82   Behavior
Enabled      Enabled     DHCP packet relayed with the ALU-specific Option 82 string
Enabled      Disabled    DHCP packet relayed without the ALU-specific Option 82 string
Disabled     Enabled     DHCP packet not relayed, but broadcast with the ALU-specific Option 82 string
Disabled     Disabled    DHCP packet not relayed, but broadcast without the ALU-specific Option 82 string

Configuring Local DHCP Scopes

You can configure the following types of local DHCP scopes on an IAP:
- Local--In this mode, the VC acts as both the DHCP server and default gateway. The configured subnet and the corresponding DHCP scope are independent of subnets configured in other IAP clusters. The VC assigns an IP address from a local subnet and forwards traffic to both corporate and non-corporate destinations. The network address is translated appropriately and the packet is forwarded through the IPsec tunnel or through the uplink. This DHCP assignment mode is used for the NAT forwarding mode.
- Local, L2--In this mode, the VC acts as a DHCP server and the gateway is located outside the IAP.
- Local, L3--In this mode, the VC acts as a DHCP server and default gateway, and assigns an IP address from the local subnet. The IAP routes the packets sent by clients on its uplink. This DHCP assignment mode is used with the L3 forwarding mode.
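The Distributed DHCP Scope section above states three rules that are easy to get wrong when filling in the scope: for Distributed, L2 every IP range must lie in the subnet formed by the default router and netmask, each range is divided into blocks of the configured client count with the remainder unusable by another branch (the guide's 20-address, 9-client example), and a scope holds at most 32 DHCP reservations, each inside a configured range. The following Python is an added example, not Aruba code, that checks a scope against those rules before it is saved; the rule it uses for carving Distributed, L3 ranges into per-branch subnets (client count plus one address for the VC gateway, rounded up to a power of two) is an assumption, since the guide only says the subnets must be "sufficient to accommodate the configured client count".

```python
"""Distributed DHCP scope checks (added example, not Aruba code)."""
import ipaddress
from typing import Dict, List, Tuple

Range = Tuple[str, str]        # (first, last) as entered in the IP Address Range field
MAX_RESERVATIONS = 32          # per-scope limit stated in the guide


def _addresses(rng: Range) -> List[ipaddress.IPv4Address]:
    first, last = ipaddress.IPv4Address(rng[0]), ipaddress.IPv4Address(rng[1])
    if last < first:
        raise ValueError(f"range {rng} is reversed")
    return [first + i for i in range(int(last) - int(first) + 1)]


def validate_l2_ranges(default_router: str, netmask: str, ranges: List[Range]) -> List[str]:
    """Distributed, L2: the subnet validation the guide performs. Every address in
    every range must lie in the default router's subnet. Returns the offending
    addresses (an empty list means the scope is valid)."""
    subnet = ipaddress.IPv4Network(f"{default_router}/{netmask}", strict=False)
    return [str(a) for rng in ranges for a in _addresses(rng) if a not in subnet]


def carve_l2_blocks(ranges: List[Range], client_count: int) -> Tuple[List[Range], int]:
    """Distributed, L2: split each range into blocks of client_count addresses, one
    block per branch. Addresses that cannot fill a whole block stay unused, matching
    the guide's statement that leftovers cannot go to another branch."""
    blocks: List[Range] = []
    unused = 0
    for rng in ranges:
        addrs = _addresses(rng)
        for i in range(0, len(addrs) - client_count + 1, client_count):
            blocks.append((str(addrs[i]), str(addrs[i + client_count - 1])))
        unused += len(addrs) % client_count
    return blocks, unused


def carve_l3_subnets(ranges: List[Range], client_count: int) -> List[str]:
    """Distributed, L3: each branch gets its own subnet with the VC as gateway.
    Assumption: the subnet needs client_count usable hosts plus one for the VC.
    Ranges may be discontiguous; pieces smaller than one subnet are dropped."""
    needed = client_count + 1
    prefix = 32
    while (2 ** (32 - prefix)) - 2 < needed:   # usable hosts exclude network and broadcast
        prefix -= 1
    subnets: List[str] = []
    for first, last in ranges:
        for net in ipaddress.summarize_address_range(
                ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)):
            if net.prefixlen <= prefix:
                subnets.extend(str(s) for s in net.subnets(new_prefix=prefix))
    return subnets


def check_reservations(ranges: List[Range], reservations: Dict[str, str]) -> List[str]:
    """Reservations must use an address inside a configured range, and a scope
    holds at most MAX_RESERVATIONS of them. Returns a list of problem strings."""
    problems: List[str] = []
    if len(reservations) > MAX_RESERVATIONS:
        problems.append(f"{len(reservations)} reservations exceed the limit of {MAX_RESERVATIONS}")
    pool = {a for rng in ranges for a in _addresses(rng)}
    for mac, ip in reservations.items():
        if ipaddress.IPv4Address(ip) not in pool:
            problems.append(f"{mac}: {ip} is outside the configured IP address ranges")
    return problems


if __name__ == "__main__":
    # Constructed scope: 20 addresses and 9 clients per branch, the guide's example sizes.
    scope_ranges = [("10.10.10.10", "10.10.10.29")]
    print(validate_l2_ranges("10.10.10.1", "255.255.255.0", scope_ranges))   # [] when valid
    print(carve_l2_blocks(scope_ranges, 9))
    print(carve_l3_subnets([("10.20.0.0", "10.20.0.255")], 9))
    print(check_reservations(scope_ranges, {"aa:bb:cc:00:00:01": "10.10.10.12",
                                            "aa:bb:cc:00:00:02": "10.10.10.40"}))
```

Running the constructed scope shows two usable 9-address blocks and 2 stranded addresses, which is the sizing trap the guide's example warns about: pick a client count that divides the range, or accept the waste up front.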
To configure a new local DHCP scope, complete the following steps: Aruba Central (on-premises) | User Guide 320 1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed. 2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view. 3. Click the Config icon. The tabs to configure the APs are displayed. 4. Click Show Advanced. 5. Click the System tab. The System page is displayed. 6. Click the DHCP accordion. 7. To configure local DHCP scopes, click + under Local DHCP Scopes. The New DHCP Scopes data pane is displayed. 8. Based on type of local DHCP scope, configure the following parameters: Table 81: Local DHCP Configuration Parameters Data pane item Description Name Enter a name for the DHCP scope. Type Select any of the following options: n Local--On selecting Local, the DHCP server for local branch network is used for keeping the scope of the subnet local to the IAP. In the NAT mode, the traffic is forwarded through the uplink. n Local, L2--On selecting Local, L2, the VC acts as a DHCP server and a default gateway in the local network is used. n Local, L3--On selecting Local, L3, the VC acts as a DHCP server and gateway. VLAN Enter the VLAN ID. To use this subnet, ensure that the VLAN ID specified here is assigned to an SSID profile. Network Specify the network to use. Netmask Excluded Address DHCP Reservation Specify the subnet mask. The subnet mask and the network determine the size of subnet. Specify a range of IP addresses to exclude. You can add up to two exclusion ranges. Based on the size of the subnet and the value configured for Excluded address, the IP addresses either before or after the defined range are excluded. Displays the total number of DHCP reservations. Click the number to view the list of DHCP reservations. You can configure DHCP reservation only on virtual controllers. 
From the filter bar, select a virtual controller and click the + icon to configure DHCP reservation. Specify the following details: n MAC--Specify the MAC address of the device for which the IP address has to be reserved. n IP--Specify the IP address that has to be reserved for the MAC address. The IP address should be in the IP address range. Managing APs | 321 Table 81: Local DHCP Configuration Parameters Data pane item Description NOTE: Aruba Central allows you to configure a maximum of 32 DHCP reservations. To delete a DHCP reservation, click the delete icon. Default Router Enter the IP address of the default router. DNS Server Enter the IP address of a DNS server. Domain Name Enter the domain name. Lease Time Enter a lease time for the client in minutes. DHCP Relay Select the DHCP Relay check box to allow the IAPs to intercept the broadcast packets and relay DHCP requests. Helper Address Enter the IP address of the DHCP server. Option Specify the type and a value for the DHCP option. You can configure the organizationspecific DHCP options supported by the DHCP server. To add multiple DHCP options, click the + icon. 9. Click Save Settings. Configuring DHCP Server for Assigning IP Addresses to IAP Clients The DHCP server is a built-in server, used for networks in which clients are assigned IP address by the Virtual Controller (VC). You can customize the DHCP pool subnet and address range to provide simultaneous access to more number of clients. The largest address pool supported is 2048. The default size of the IP address pool is 512. n When the DHCP server is configured and if the Client IP assignment parameter for an SSID profile is set to Virtual Controller Assigned, the virtual controller assigns the IP addresses to the WLAN or wired clients. By default, the Instant Access Point (IAP) automatically determines a suitable DHCP pool for Virtual Controller Assigned networks. n The IAP typically selects the 172.31.98.0/23 subnet. 
  If the IP address of the IAP is itself within the 172.31.98.0/23 subnet, the IAP selects the 10.254.98.0/23 subnet instead. However, this mechanism does not avoid all possible conflicts with the wired network. If your wired network uses either 172.31.98.0/23 or 10.254.98.0/23, and you experience problems with the Virtual Controller Assigned networks after upgrading to Aruba Central, manually configure the DHCP pool by following the steps described in this section.

To configure a domain name, DNS server, and DHCP server for client IP assignment, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the DHCP accordion.
7. Click DHCP For WLANs and enter the following information:
   a. Enter the domain name of the client in Domain Name.
   b. Enter the IP addresses of the DNS servers in DNS Server. To add another DNS server, click the + icon.
   c. Enter the duration of the DHCP lease in Lease Time. Select Minutes, Hours, or Days for the lease time from the list next to Lease Time. The default lease time is 0.
   d. Enter the network address in the Network box.
   e. Enter the subnet mask in the Mask box.
   f. Select the DHCP Relay check box to allow the IAPs to intercept the broadcast packets and relay DHCP requests.
   g. Enter the IP address of the DHCP server in Helper Address.
8. Click Save Settings.

To provide simultaneous access to more than 512 clients, use the Network and Mask fields to specify a larger range. The network (prefix) is the common part of the address range, and the mask specifies how many bits are fixed, which in turn determines how long the variable (host) part of the address range is.
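The two DHCP procedures above are easy to get wrong in ways the WebUI does not flag until clients fail to get addresses: a reservation or default router outside the scope, too many reservations, or a wired subnet that overlaps the pool the IAP picks on its own. The following script is an added example written for this guide, not code from Aruba Central or the IAP. It models the Table 81 scope parameters (network, netmask, default router, up to two excluded ranges, at most 32 reservations) and the automatic pool selection for Virtual Controller Assigned networks (172.31.98.0/23, or 10.254.98.0/23 when the IAP's own address falls inside the former), and it performs the wired-network overlap check that the guide says the IAP itself does not. The scope, addresses, and wired subnets in it are constructed sample data.

```python
"""Consistency checks for IAP local DHCP scopes and the VC-assigned DHCP pool.

Added example, not Aruba code. Limits (32 reservations, 2 excluded ranges)
and the two candidate VC pools are the values stated in the guide; every
scope, address and wired subnet below is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_RESERVATIONS = 32        # limit stated in the guide
MAX_EXCLUDED_RANGES = 2      # limit stated in the guide
DEFAULT_VC_POOL = ipaddress.ip_network("172.31.98.0/23")
FALLBACK_VC_POOL = ipaddress.ip_network("10.254.98.0/23")


@dataclass
class LocalDhcpScope:
    name: str
    network: str
    netmask: str
    default_router: str
    excluded: List[Tuple[str, str]] = field(default_factory=list)      # (first, last)
    reservations: List[Tuple[str, str]] = field(default_factory=list)  # (mac, ip)


def validate_scope(scope: LocalDhcpScope) -> List[str]:
    """Return a list of problems; an empty list means the scope is consistent."""
    problems: List[str] = []
    try:
        # strict=True rejects a Network value that has host bits set under the Netmask.
        net = ipaddress.ip_network(f"{scope.network}/{scope.netmask}", strict=True)
    except ValueError as exc:
        return [f"{scope.name}: invalid network/netmask: {exc}"]

    if ipaddress.ip_address(scope.default_router) not in net:
        problems.append(f"{scope.name}: default router {scope.default_router} is outside {net}")

    if len(scope.excluded) > MAX_EXCLUDED_RANGES:
        problems.append(f"{scope.name}: more than {MAX_EXCLUDED_RANGES} excluded ranges")
    for first, last in scope.excluded:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # The guide only says the range is excluded; here both ends must lie in the scope.
        if lo > hi or lo not in net or hi not in net:
            problems.append(f"{scope.name}: excluded range {first}-{last} is not inside {net}")

    if len(scope.reservations) > MAX_RESERVATIONS:
        problems.append(f"{scope.name}: {len(scope.reservations)} reservations "
                        f"exceed the limit of {MAX_RESERVATIONS}")
    seen_ips, seen_macs = set(), set()
    for mac, ip in scope.reservations:
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{scope.name}: reservation {mac} -> {ip} is outside {net}")
        if addr in seen_ips:
            problems.append(f"{scope.name}: {ip} is reserved for more than one MAC")
        if mac.lower() in seen_macs:
            problems.append(f"{scope.name}: {mac} has more than one reservation")
        seen_ips.add(addr)
        seen_macs.add(mac.lower())
    return problems


def select_vc_pool(iap_address: str) -> ipaddress.IPv4Network:
    """Pool the IAP picks automatically for Virtual Controller Assigned networks."""
    if ipaddress.ip_address(iap_address) in DEFAULT_VC_POOL:
        return FALLBACK_VC_POOL
    return DEFAULT_VC_POOL


def vc_pool_conflicts(iap_address: str, wired_subnets: List[str]) -> List[str]:
    """Wired subnets that overlap the automatically selected pool.

    A non-empty result is the situation in which the guide tells you to
    configure the DHCP For WLANs pool manually.
    """
    pool = select_vc_pool(iap_address)
    return [s for s in wired_subnets
            if ipaddress.ip_network(s, strict=False).overlaps(pool)]


# Constructed sample data: one branch scope and the wired subnets in use.
BRANCH_SCOPE = LocalDhcpScope(
    name="branch-guest",
    network="192.168.50.0",
    netmask="255.255.255.0",
    default_router="192.168.50.1",
    excluded=[("192.168.50.1", "192.168.50.20")],
    reservations=[("aa:bb:cc:dd:ee:01", "192.168.50.100")],
)
WIRED_SUBNETS = ["10.0.0.0/8", "172.31.98.0/24"]

if __name__ == "__main__":
    print(validate_scope(BRANCH_SCOPE) or "scope OK")
    print("VC pool conflicts:", vc_pool_conflicts("10.1.1.5", WIRED_SUBNETS))
```

Run it against the scope definitions you intend to push before clicking Save Settings; the VC pool check takes the IAP's own management address, because that address is what decides which of the two automatic pools the IAP will use.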
Configuring Services

This section describes how to configure AirGroup, location services, Lawful Intercept, OpenDNS, and firewall services:

- Configuring AirGroup Services on page 323
- Configuring an IAP for RTLS Support
- Configuring an IAP for ALE Support
- Managing BLE Beacons
- Configuring OpenDNS Credentials on IAPs
- Configuring CALEA Server Support on IAPs
- Configuring IAPs for Palo Alto Networks Firewall Integration
- Configuring XML API Interface
- Enabling Application Visibility on Instant APs
- Enabling Application Visibility on Campus APs

Configuring AirGroup Services

AirGroup is Aruba's zero-configuration networking solution. It builds on protocols that provide service discovery, address assignment, and name resolution for desktop computers, mobile devices, and network services. Those protocols were designed for flat, single-subnet IP networks, such as home wireless networks.

Bonjour can be installed on computers running Microsoft Windows and is supported by newer network-capable printers. Bonjour uses multicast DNS (mDNS) to locate devices and the services they offer. The AirGroup solution supports both wired and wireless devices. Wired devices that support Bonjour services are part of AirGroup when connected to a VLAN that is terminated on the Virtual Controller.

In addition to the mDNS protocol, Instant Access Points (IAPs) also support UPnP and DLNA enabled devices. DLNA is a network standard derived from UPnP that enables devices to discover the services available in a network. DLNA also provides the ability to share data between Windows or Android-based multimedia devices. All the features and policies applicable to mDNS are extended to DLNA to ensure full interoperability between compliant devices.

AirGroup Features

AirGroup provides the following features:

- Send unicast responses to mDNS queries and reduce the mDNS traffic footprint.
- Ensure cross-VLAN visibility and availability of AirGroup devices and services.
- Allow or block AirGroup services for all users.
- Allow or block AirGroup services based on user roles.
- Allow or block AirGroup services based on VLANs.

For more information on the AirGroup solution, see the Aruba Instant User Guide.

AirGroup Services

Bonjour supports zero-configuration services. The services are pre-configured and are available as part of the factory default configuration. The administrator can also enable or disable any or all services. The following services are available for IAP clients:

- AirPlay -- Apple AirPlay allows wireless streaming of music, video, and slide shows from your iOS device to Apple TV and other devices that support the AirPlay feature.
- AirPrint -- Apple AirPrint allows you to print from an iPad, iPhone, or iPod Touch directly to any AirPrint-compatible printer.
- iTunes -- The iTunes service is used by iTunes Wi-Fi sync and iTunes home-sharing applications across all Apple devices.
- RemoteMgmt -- Use this service for remote login, remote management, and FTP utilities on Apple devices.
- Sharing -- Applications such as disk sharing and file sharing use the service IDs that are part of this service on one or more Apple devices.
- Chat -- The iChat® (Instant Messenger) application on Apple devices uses this service.
- ChromeCast -- The ChromeCast service allows you to use a Chromecast device to play audio or video content on a high-definition television by streaming content over Wi-Fi from the Internet or the local network.
- DLNA Media -- Applications such as Windows Media Player use this service to browse and play content on a remote device.
- DLNA Print -- This service is used by printers that support DLNA.

To enable AirGroup services:

1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon.
   The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Services tab. The Services page is displayed.
5. Click the AirGroup accordion.
6. Select the AirGroup check box. The mDNS (Bonjour) and SSDP (DLNA/UPNP) check boxes are selected by default. Select at least one of mDNS (Bonjour) or SSDP (DLNA/UPNP) to proceed further. Optionally, select the Guest Bonjour Multicast check box to allow guest users to use the Bonjour services that are enabled in a guest VLAN. When Guest Bonjour Multicast is enabled, the Bonjour devices are visible only within the guest VLAN, and AirGroup does not discover devices or enforce policies in the guest VLAN.
7. Under the AirGroup Settings sub-accordion, select the check box against one or more of the AirGroup services listed in AirGroup Services.
   - Optionally, when enabling an AirGroup service, define disallowed roles. Clients in the disallowed roles cannot use that AirGroup service. To disallow roles:
     1. Click Edit against Disallowed Roles.
     2. Move the roles from the Available pool to the Selected pool.
     3. Click Ok.
   - Optionally, when enabling an AirGroup service, define disallowed VLANs. Clients in the disallowed VLANs cannot use that AirGroup service. To disallow VLANs:
     1. Click Edit against Disallowed VLANs.
     2. Type the VLANs in Enter comma-separated list of VLAN IDs. Separate multiple VLANs with a comma.
     3. Click Ok.
   - Optionally, configure and enable a new AirGroup service. If defined, disallowed roles or VLANs also apply to the new AirGroup service. To configure and enable a new AirGroup service:
     1. Click Add New Service.
     2. Type the service name in Service Name. Use alphanumeric characters.
     3. Type a service ID in Service ID. Use + to add additional service IDs. Sample service IDs: urn:schemas-upnp-org:service:RenderingControl:1 (a UPnP service URN) or _sleep-proxy._udp (an mDNS/DNS-SD service type).
     4. Click Ok.
     5. Select the check box against the new AirGroup service.
   - Optionally, under the ClearPass Settings sub-accordion, configure the parameters listed in Table 83.

Table 82: AirGroup Services

- AirGroup Across Mobility Domains -- AirGroup service availability across inter-cluster domains.
- AirPrint -- Wireless printing between AirPrint-capable devices and AirPrint-compatible printers.
- Enable AirPlay -- Wireless streaming of music, video, or slide shows between AirPlay-capable devices and AirPlay-compatible devices.
- iTunes -- iTunes service for home-sharing applications.
- Remote Management -- Remote login, remote management, or FTP utilities on compatible devices.
- Sharing -- Applications like disk sharing or file sharing on compatible devices.
- Chat -- Instant messenger application between compatible devices.
- Googlecast -- Wireless streaming of audio or video content from the Internet or local network to an HDTV through a Chromecast device.
- DIAL -- Wireless streaming between DIAL-compatible devices such as Roku, Chromecast, or FireTV.
- AmazonTV -- Wireless playing of content from the Internet or local network on an HDTV through a FireTV device.
- DLNA Print -- Wireless printing between DLNA-capable devices and DLNA-compatible printers.
- DLNA Media -- Wireless browsing or playing of audio or video content by applications like Windows Media Player on remote devices.
- Allow All -- All AirGroup services.

Table 83: ClearPass Settings

- ClearPass Policy Manager Server 1 -- Specify the ClearPass Policy Manager server to use. Select one from the drop-down list or define a new ClearPass Policy Manager server.
- Enforce ClearPass Registration -- Specify whether ClearPass registration should be enforced.

8. Click Save Settings.

Configuring an IAP for RTLS Support

Aruba Central supports real-time tracking of devices. With the help of RTLS, devices can be monitored in real time or through their history. To configure RTLS, complete the following steps:

1.
   In the Network Operations app, use the filter to select a group or a device.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click Services. The Services page is displayed.
5. Click Real Time Locating System > Aruba.
6. Select Aruba RTLS to send the RFID tag information to the Aruba RTLS server.
7. Click 3rd Party and select Aeroscout to send reports on the stations to a third-party server.
8. In the IP/FQDN and Port fields, specify the IP address and port number of the RTLS server to which location reports must be sent.
9. In the Passphrase field, enter the passphrase required for connecting to the RTLS server.
10. Retype the passphrase in the Retype Passphrase field.
11. Specify the update interval, in the range of 6 to 60 seconds, in the Update every field. The default interval is 30 seconds.
12. If 3rd Party is selected, specify the IP address and port number of the third-party server.
13. Select Include Unassociated Stations to send reports on the stations that are not associated to any Instant AP.
14. Click Save Settings.

Configuring an IAP for ALE Support

ALE is designed to gather client information from the network, process it, and share it through a standard API. The client information gathered by ALE can be used for analyzing a client's Internet behavior for business purposes such as shopping preferences. ALE includes a location engine that calculates the location of associated and unassociated devices every 30 seconds by default. For every device on the network, ALE provides the following information through the Northbound API:

- Client user name
- IP address
- MAC address
- Device type
- Application firewall data, showing the destinations and applications used by associated devices
- Current location
- Historical location

ALE requires the access point (AP) placement data to be able to calculate the location of the devices in a network.
ALE with Aruba Central

Aruba Central supports the Analytics and Location Engine (ALE). The ALE server acts as the primary interface to all third-party applications; the IAP sends client information and all status information to the ALE server. To integrate an IAP with ALE, the ALE server address must be configured on the IAP. If the ALE server is configured with a host name, the Virtual Controller performs mutual certificate-based authentication with the ALE server before sending any information. Configure the ALE server by host name where possible, so that this authentication takes place before client data leaves the IAP.

Enabling ALE support on an IAP

To configure an IAP for ALE support:

1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Services tab. The Services page is displayed.
5. Click the Real Time Locating System accordion.
6. Click Aruba, and then select Analytics & Location.
7. Specify the ALE server name or IP address.
8. Specify the reporting interval, in the range of 6 to 60 seconds. The IAP sends messages to the ALE server at the specified interval. The default interval is 30 seconds.
9. Click Save Settings.

Managing BLE Beacons

Instant Access Points (IAPs) support Aruba BLE devices, such as the BT-100 and BT-105, which are used for location tracking and proximity detection. The BLE devices can be connected to an IAP and are managed by a cloud-based Beacon Management Console (BMC). The BLE Beacon Management feature allows you to configure parameters for managing the BLE beacons and establishing secure communication with the Beacon Management Console.

Support for BLE Asset Tracking

Assets can be tracked using BLE tags; the IAP beacons scan the network for them. When a tag is detected, the IAP sends a beacon report with information about the tag, including the MAC address and RSSI of the tag, to the Virtual Controller.
To manage beacons and configure the BLE operation mode, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Services tab. The Services page is displayed.
5. Click the Real Time Locating System accordion.
6. Click Aruba.
7. Select Manage BLE Beacons to manage the BLE devices using the BMC.
   a. Enter the authorization token in Authorization token. The authorization token is a text string of 1 to 255 characters that the BLE devices send in the HTTPS header when communicating with the BMC. This token is unique for each deployment.
   b. Enter the server URL in Endpoint URL. The BLE data is sent to this server URL for monitoring.
8. Select one of the following options from the BLE Operation Mode drop-down list:

Table 84: BLE Operation Modes

- beaconing -- The built-in BLE chip in the IAP functions as an iBeacon combined with the beacon management functionality.
- disabled -- The built-in BLE chip of the IAP is turned off. The BLE operation mode is set to Disabled by default.
- dynamic-console -- The built-in BLE chip of the IAP functions in beaconing mode and dynamically enables access to the IAP console over BLE when the link to the LMS is lost.
- persistent-console -- The built-in BLE chip of the IAP provides access to the IAP console over BLE at all times and also operates in beaconing mode.

   Because the two console modes expose the IAP console over a radio link, enable them only where that access is actually needed and leave the mode at the default otherwise.

9. To configure the BLE web socket management server, enter the URL of the BLE web socket management server in BLE Asset Tag Mgmt Server (wss).
10. Select BLE Asset Tag Mgmt Server (https) to configure the BLE HTTPS management server.
    a. Enter the URL of the BLE HTTPS management server in Server URL.
    b. Enter the authorization token in Authorization token.
    c. Enter the location ID in Location ID.
11. Click Save Settings.
Configuring OpenDNS Credentials on IAPs

Instant Access Points (IAPs) use OpenDNS credentials to provide enterprise-level content filtering. To configure OpenDNS credentials:

1. In the Network Operations app, use the filter to select a group or a device.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click Services. The Services page is displayed.
5. Click the OpenDNS accordion.
6. Enter the Username and Password.
7. Click Save Settings.

Configuring CALEA Server Support on IAPs

Lawful Intercept (LI) allows law enforcement agencies to perform authorized electronic surveillance. Depending on the country of operation, ISPs are required to support LI in their respective networks. In the United States, service providers are required to ensure LI compliance based on the CALEA specifications. Aruba Central supports CALEA integration with an Instant Access Point (IAP) in hierarchical and flat topologies, mesh IAP networks, and wired and wireless networks.

Enable this feature only if lawful interception is authorized by a law enforcement agency.

For more information on the communication and traffic flow from an IAP to the CALEA server, see the Aruba Instant User Guide.

To enable an IAP to communicate with the CALEA server, complete the following tasks:

- Creating a CALEA Profile
- Creating ACLs for CALEA Server Support

Creating a CALEA Profile

To create a CALEA profile, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click the Services tab. The Services page is displayed.
5. Click the CALEA accordion.
6.
   Specify the following parameters:
   - IP address -- Specify the IP address of the CALEA server.
   - Encapsulation type -- Specify the encapsulation type. The current release of Aruba Central supports GRE only.
   - GRE type -- Specify the GRE type.
   - MTU -- Specify a size for the MTU in the range 68 to 1500. After GRE encapsulation, if the packet length exceeds the configured MTU, IP fragmentation occurs. The default MTU size is 1500.
   GRE adds encapsulation but no confidentiality or integrity protection, so the intercepted traffic travels to the CALEA server in the clear; run the tunnel over a trusted path or a separately protected network.
7. Click Save Settings.

Creating ACLs for CALEA Server Support

To create an access rule for CALEA, complete the following steps:

1. In the Network Operations app, use the filter to select a group or a device.
2. If you select a group, perform the following steps:
   a. Under Manage, click Devices > Access Points.
   b. Click the Config icon. The tabs to configure the group are displayed.
3. If you select a device, under Manage, click Devices.
4. Click Show Advanced, and click the Security tab. The Security page is displayed.
5. Click the Roles accordion.
6. Under Access Rules for Selected Roles, click the + icon. The New Rule window is displayed.
7. Set the Rule Type to CALEA.
8. Click Save.
9. Create a role assignment rule if required.
10. Click Save Settings.

Configuring IAPs for Palo Alto Networks Firewall Integration

Instant Access Points (IAPs) maintain network information (such as IP address mappings) and user information for the clients in the network. To integrate the IAP network with a third-party network, you can enable an IAP to provide this information to the third-party servers.

To integrate an IAP with a third-party network, you must add a global profile. This profile can be configured on an IAP with information such as the IP address, port, user name, password, and firewall enabled or disabled status.

Configuring an IAP for Network Integration

To configure an IAP for network integration:

1. In the Network Operations app, use the filter to select a group or a device.
2.
   Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click Services. The Services page is displayed.
5. Click the Network Integration accordion.
6. Select Enable to enable the PAN firewall integration.
7. Specify the Username and Password. Provide the credentials of a PAN firewall administrator account. Because these credentials are stored in the IAP profile, use a dedicated account created for this integration rather than a shared superuser account.
8. Re-enter the password in Retype.
9. Enter the PAN firewall IP Address.
10. Enter the port number, in the range 1 to 65535. The default port is 443.
11. Enter the client domain in Client Domain.
12. Click Save Settings.

Enabling Application Visibility on Instant APs

To view application usage metrics for WLAN clients, enable the Application Visibility service on Instant APs. To enable the Application Visibility feature, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select an AP group in the filter:
     a. Set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP in the filter:
     a. Set the filter to Global or a group containing at least one AP.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure the APs are displayed.
3. Click Show Advanced.
4. Click the Services tab. The Services page is displayed.
5. Expand the AppRF accordion.
6. Select one of the following options for Deep Packet Inspection:
   - All -- Performs deep packet inspection on client traffic for applications, application categories, website categories, and websites with a specific reputation score.
   - App -- Performs deep packet inspection on client traffic for applications and application categories.
   - WebCC -- Performs deep packet inspection on client traffic for specific website categories and websites with specific reputation ratings.
   - None -- Disables deep packet inspection.
7. Click Save Settings.

Enabling Application Visibility on Campus APs

To enable the Application Visibility feature on Campus APs, you must configure DPI classification and the firewall visibility feature on the managed device. Managed devices running ArubaOS 8.x send session telemetry periodically to the Aruba Central (on-premises) management server using the AMON protocol.

The following command enables DPI classification on the managed device:

    (host) [mynode] (config) #firewall dpi

The following command enables the policy enforcement firewall visibility feature on the managed device:

    (host) [mynode] (config) #firewall-visibility

The following commands configure a management server profile on the managed device and send firewall session messages to the Aruba Central (on-premises) management server:

    (host) [mynode] (config) #mgmt-server profile <name>
    (host) [mynode] (Mgmt Config profile "<name>") #sessions-enable

The following command displays whether sessions are enabled in the default-amp management server configuration profile. Ensure that the profile name is the same as the profile used for connecting to the Aruba Central (on-premises) management server.

    (host) [mynode] (config) #show mgmt-server profile default-amp

    Mgmt Config profile "default-amp" (Predefined (changed))
    --------------------------------------------------------
    Parameter                    Value
    ---------                    -----
    Stats                        Enabled
    Stats_Ext                    Disabled
    Generic_amon                 Enabled
    Tag                          Enabled
    Sessions                     Enabled
    Monitored Info - Add/Update  Disabled

You cannot enable the Application Visibility feature on Campus APs using the Aruba Central (on-premises) WebUI. You must configure the Application Visibility feature using the ArubaOS WebUI or the ArubaOS CLI commands above.
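Because these prerequisites live on the managed device and not in Aruba Central (on-premises), the practical check is to collect the show output from each controller and verify it mechanically. The script below is an added example written for this guide, not Aruba code: it parses the `show mgmt-server profile` table and the `show firewall-visibility status` lines in the layout this section prints, and reports which of the documented configuration commands are still missing. `firewall dpi` has no show output on this page, so it is not checked. The sample outputs are constructed from the text above; the profile name default-amp is the one the guide uses.

```python
"""Check ArubaOS prerequisites for Campus AP Application Visibility from show output.

Added example, not Aruba code. Parses the two show commands quoted in this
section; the sample outputs below are constructed from the guide's text.
"""
import re
from typing import Dict, List

# One table row: a parameter name (may contain spaces or '/') followed by Enabled/Disabled.
_PARAM_LINE = re.compile(r"^(?P<name>.*?)\s+(?P<value>Enabled|Disabled)$")


def parse_mgmt_server_profile(output: str) -> Dict[str, str]:
    """Return {parameter: value} from the 'Parameter  Value' table."""
    params: Dict[str, str] = {}
    in_table = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Parameter"):             # column header: table starts here
            in_table = True
            continue
        if not in_table or set(line) <= {"-", " "}:  # skip the banner and '----' rules
            continue
        m = _PARAM_LINE.match(line)
        if m:
            params[m.group("name")] = m.group("value")
    return params


def parse_firewall_visibility_status(output: str) -> Dict[str, str]:
    """Return {key: value} from 'key: value' lines, lower-cased for lookup."""
    status: Dict[str, str] = {}
    for raw in output.splitlines():
        if ":" not in raw:
            continue
        key, _, value = raw.partition(":")
        status[key.strip().lower()] = value.strip().lower()
    return status


def missing_prerequisites(mgmt_output: str, fw_output: str,
                          per_bssid: bool = True) -> List[str]:
    """List the commands from this section that the device has not applied.

    per_bssid=True also requires the sort-by-bssid feed that client- and
    site-level visibility needs.
    """
    missing: List[str] = []
    if parse_mgmt_server_profile(mgmt_output).get("Sessions") != "Enabled":
        missing.append("mgmt-server profile: sessions-enable")
    status = parse_firewall_visibility_status(fw_output)
    # The device prints the key as 'Firewall Visiblity Status' (sic); match on the prefix.
    fw_state = next((v for k, v in status.items() if k.startswith("firewall visib")), "")
    if fw_state != "enabled":
        missing.append("firewall-visibility")
    if per_bssid and status.get("sorting enabled") != "enabled":
        missing.append("firewall-visibility feed sort-by-bssid")
    return missing


# Constructed sample output, laid out as the guide shows it.
MGMT_OK = """\
Mgmt Config profile "default-amp" (Predefined (changed))
--------------------------------------------------------
Parameter                    Value
---------                    -----
Stats                        Enabled
Stats_Ext                    Disabled
Generic_amon                 Enabled
Tag                          Enabled
Sessions                     Enabled
Monitored Info - Add/Update  Disabled
"""
FW_OK = """\
Firewall Visiblity Status: enabled
Sort by Bssid Status:
  sorting enabled: Enabled
  sort by bssid needed: Enabled
"""
# Same profile with sessions switched off, and a device with visibility disabled.
MGMT_NO_SESSIONS = re.sub(r"^Sessions(\s+)Enabled$", r"Sessions\1Disabled", MGMT_OK, flags=re.M)
FW_OFF = "Firewall Visiblity Status: disabled\n"

if __name__ == "__main__":
    print("ready:", missing_prerequisites(MGMT_OK, FW_OK) == [])
    print("missing:", missing_prerequisites(MGMT_NO_SESSIONS, FW_OFF))
```

Feed it the captured output of the two show commands from each managed device; an empty list means the device is sending the session telemetry this feature depends on.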
For more information on the WebUI steps and the output displayed for the CLI commands, see the following documents on the Aruba Support site:

- ArubaOS CLI Reference Guide
- ArubaOS User Guide

Enabling Application Visibility at Client and Site Level

To enable the Application Visibility feature at the client or site level for Campus APs, the firewall visibility session telemetry must be grouped by BSSID before it is sent to the Aruba Central (on-premises) server.

The following commands enable grouping of firewall visibility session telemetry by BSSID on managed devices:

    (host) [mynode] (config) #firewall-visibility feed sort-by-bssid
    (host) [mynode] (config) #write memory

The following command displays whether BSSID-based grouping of firewall visibility session telemetry is enabled on the managed devices:

    (host) [mynode] #show firewall-visibility status
    Firewall Visiblity Status: enabled
    Sort by Bssid Status:
      sorting enabled: Enabled
      sort by bssid needed: Enabled

This feature is supported in the following ArubaOS release versions:

- ArubaOS 8.6.0.17
- ArubaOS 8.7.1.9
- ArubaOS 8.10.0.0 and later versions

Enabling AirSlice on APs

Aruba AirSlice, based on the IEEE 802.11ax standard, is similar to the 5G network slicing architecture, which allows network operators to build virtual networks tailored for specific application requirements. AirSlice allows network operators to monitor the applications used by clients. AirSlice supports multiple services such as gaming, IoT, voice, video, and so on. AirSlice is available for all clients; however, 802.11ax clients benefit more because of the efficient uplink and downlink traffic scheduling mechanism.

The AirSlice feature is available only with Advanced access point (AP) licenses. For devices that have Advanced licenses, the AirSlice feature provides custom application prioritization with visibility and configuration, and supports an unlimited number of applications.
For customers with legacy licenses, the Aruba AirSlice feature is allow-listed until the expiry of the legacy licenses.

AirSlice is supported only on 550 Series and 530 Series APs running Aruba InstantOS 8.7.0.0 and later versions. You must enable Deep Packet Inspection before configuring AirSlice.

AirSlice support is available only for the following applications:

- Zoom
- Slack
- Skype
- WebEx
- GoToMeeting Online Meeting
- Microsoft Office 365
- Dropbox
- Amazon Web Services/Cloudfront CDN
- GitHub
- Microsoft Teams
- ALG Wi-Fi Calling

To enable AirSlice, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Services tab. The Services page is displayed.
6. Expand the AppRF accordion.
7. Select App from the Deep Packet Inspection drop-down list.
8. Enable the Application Monitoring toggle switch.
9. Enable the AirSlice Policy toggle switch.
10. Click Save Settings.

Configuring XML API Interface

The XML API interface allows Instant Access Points (IAPs) to communicate with an external server. Communication between an IAP and an external server through the XML API interface consists of the following steps:

- An API command is issued in XML format from the server to the virtual controller.
- The virtual controller processes the XML request, identifies which member IAP the client is on, and sends the command to that IAP.
- Once the operation is completed, the virtual controller sends the XML response to the XML server.
- Administrators can use the response and take appropriate action to suit their requirements. The response from the virtual controller is returned using predefined formats.

To configure XML API servers, complete the following steps:

1.
   In the Network Operations app, set the filter to select a group or a device.
2. Under Manage, click Devices > Access Points.
3. Click the Config icon. The tabs to configure access points are displayed.
4. Click Show Advanced, and click Services. The Services page is displayed.
5. Go to Network Integration > XML API Server Configuration.
6. Click + to add a new XML API server.
7. Enter a name for the XML API server in the Name text box.
8. Enter the IP address of the XML API server in the IP Address text box.
9. Enter the subnet mask of the XML API server in the Mask text box. The IP address and mask define which source addresses may issue XML API commands to the virtual controller, so use the narrowest mask that covers the server (a single-host mask for one server) rather than a whole subnet.
10. Enter a passphrase in the Passphrase text box; the virtual controller uses it to authorize requests from this XML API server.
11. Re-enter the passphrase in the Retype Passphrase box.
12. To add multiple entries, repeat the procedure.
13. Click Add.
14. Click Save Settings.
15. To edit or delete server entries, use the Edit and Delete buttons, respectively.

For information on adding an XML API request, see the Aruba Instant User Guide.

Client Match

Client Match is an Aruba Central service that helps improve the experience of wireless clients. Client Match identifies wireless clients that are not getting the required level of service from the AP to which they are currently associated and intelligently steers them to an access point (AP) radio that can provide better service, thereby improving the user experience.

Steer Types

Client Match periodically checks the health of each client's current association and determines whether a sticky steer or a band steer should be considered.

Sticky Steer

Sticky clients tend to stay associated to an AP despite deteriorating signal levels. Client Match continuously monitors the RSSI of sticky clients while they are associated to an AP and, if needed, moves them to a radio that would offer a better experience. This prevents clients from remaining associated to an AP with a less than ideal RSSI, which can cause poor connectivity and reduce performance for the other clients associated with that AP.
Band Steer

Dual-band clients can associate with either a 2.4 GHz radio or a 5 GHz radio. In a band steer, Client Match moves dual-band clients from the 2.4 GHz radio to the 5 GHz radio of the same AP.

Steering Methods

After determining the steer type, Client Match determines the best neighbor radio to steer the client to and orchestrates the client steer by sending action messages to the APs. The way Client Match steers clients depends on whether the clients are 802.11v-capable.

Steering for 802.11v-capable Clients

To steer 802.11v-capable clients, Client Match triggers the AP to send an 802.11v BSS Transition Management request to the client and waits for a response.

Steering for Non-802.11v-capable Clients

To steer non-802.11v-capable clients, Client Match triggers all neighboring AP radios (except the intended destination) to block the client from associating for 5 seconds. Two seconds after that, the AP to which the client is currently associated sends an 802.11 deauthentication management frame to the client. When the client tries to re-associate, only the intended AP radio allows the client to associate.

Monitoring Client Match in Aruba Central

To view Client Match events in Aruba Central:

1. In the Network Operations app, set the filter to Global.
2. Under Analyze, click Alerts & Events > Events.
3. Click Click here for advanced filtering.
4. Select Client Match Steer.
5. Click Filter.
6. Hover over the required event.

Configuring Uplink Interfaces on IAPs

This section provides the following information:

- Uplink Interfaces
- Uplink Preferences and Switching

Uplink Interfaces

Aruba Central (on-premises) supports 3G and 4G USB modems and Wi-Fi uplink to provide access to the corporate network. By default, the AP-318, AP-374, AP-375, and AP-377 access points (APs) have Eth1 as the uplink port and Eth0 as the downlink port.
Aruba recommends that you do not upgrade the access points listed above to the 8.5.0.0 and 8.5.0.1 firmware versions, because the upgrade process changes the uplink from the Eth1 port to the Eth0 port, making the devices unreachable.

The following types of uplinks are supported on Aruba Central:

- 3G/4G Uplink
- Ethernet Uplink
- Wi-Fi Uplink

3G/4G Uplink

Aruba Central (on-premises) supports the use of 3G/4G USB modems to provide the Internet backhaul to Aruba Central (on-premises). The 3G/4G USB modems can be used to extend client connectivity to places where an Ethernet uplink cannot be configured. This enables the IAPs to automatically choose the available network in a specific region.

Types of Modems

Aruba Central (on-premises) supports the following three types of 3G modems:

- True Auto Detect -- Modems of this type can be used only in one country and for a specific ISP. The parameters are configured automatically, so no configuration is necessary.
- Auto-detect + ISP/country -- Modems of this type require the user to specify the Country and ISP. The same modem is used for different ISPs, with different parameters configured for each of them.
- No Auto Detect -- Modems of this type are used only if they share the same Device-ID, Country, and ISP details. You need to configure different parameters for each of them. These modems work with Aruba Central when the appropriate parameters are configured.

Table 85: Supported 4G Modems

- True Auto Detect -- Pantech UML290, Ether-lte

When the UML290 runs in auto detect mode, the modem can switch from the 4G network to the 3G network or vice versa based on the signal strength. To configure the UML290 for the 3G network only, manually set the USB type to pantech-3g. To configure the UML290 for the 4G network only, manually set the 4G USB type to pantech-lte.

Configuring Cellular Uplink Profiles

To configure 3G or 4G uplinks using Aruba Central, complete the following steps:

1.
In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed. 2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view. 3. Click the Config icon. The tabs to configure the APs are displayed. 4. Click Show Advanced. 5. Click the Interfaces tab. The Interfaces page is displayed. 6. Click the Uplink accordion. Aruba Central (on-premises) | User Guide 338 7. Under 3G/4G, perform any of the following steps: n To configure a 3G or 4G uplink automatically, select the Country and ISP. The parameters are automatically populated. n To configure a 3G or 4G uplink manually, perform the following steps: a. Select the country from the Country drop-down list. b. Select the service protocol from the ISP drop-down list. c. Enter the type of the 3G/4G modem driver type: n For 3G--Enter the type of 3G modem in the USB Type text box. n For 4G--Enter the type of 4G modem in the 4G USB Type text box. a. Enter the device ID of modem in the USB DEV text box. b. Enter the TTY port of the modem in the USB TTY text box. c. Enter the parameter to initialize the modem in the USB INIT text box. d. Enter the parameter to dial the cell tower in the USB Dial text box. e. Enter the parameter used to switch a modem from the storage mode to modem mode in the USB Mode Switch text box. f. Select the USB authentication type from the USB Auth Type drop-down list. g. Enter the username used to dial the ISP in the USB User text box. h. Enter the password used to dial the ISP in the USB Password text box. 8. Click Save Settings. 9. Reboot the IAP for changes to affect. Ethernet Uplink The Ethernet 0 port on an IAP is enabled as an uplink port by default. The Ethernet uplink supports the following: n PPPoE n DHCP n Static IP You can use PPPoE for your uplink connectivity in a single AP deployment. Uplink redundancy with the PPPoE link is not supported. 
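The PPPoE uplink described in this section is authenticated to the ISP's PPPoE server with PAP or CHAP, whichever the server requests. The following Python is an added example written for this edit; it is not code from this guide or from Aruba. It models both sides of a CHAP exchange as defined in RFC 1994 (server Challenge, IAP Response = MD5(Identifier || secret || Challenge), server verify) with a constructed user and secret, applies the 34-character limit that the Central UI enforces on the CHAP Secret field, and builds a PAP Authenticate-Request for contrast so the difference is visible: CHAP never puts the secret on the wire, PAP sends the password itself. The class and function names, the user branch-ap@isp and every secret below are invented for the example.

```python
"""CHAP versus PAP on a PPPoE uplink (constructed example, not Aruba code)."""
from __future__ import annotations

import hashlib
import hmac
import os

MAX_CHAP_SECRET_CHARS = 34   # limit the Central UI applies to the CHAP Secret field


def validate_chap_secret(secret: str) -> bytes:
    """Apply the UI's 34-character limit, then return the octets that CHAP hashes."""
    if not secret or len(secret) > MAX_CHAP_SECRET_CHARS:
        raise ValueError("CHAP secret must be 1-34 characters")
    return secret.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def pap_authenticate_request(username: str, password: str) -> bytes:
    """RFC 1334 PAP Authenticate-Request payload: Peer-ID and Password travel in the clear."""
    user, pw = username.encode(), password.encode()
    return bytes([len(user)]) + user + bytes([len(pw)]) + pw


class PppoeServer:
    """Constructed stand-in for the ISP side; holds one CHAP secret per PPPoE user."""

    def __init__(self, users: dict[str, bytes]) -> None:
        self._users = users
        self._pending: dict[int, bytes] = {}   # Identifier -> outstanding Challenge

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)                  # fresh per attempt, so a Response cannot be replayed
        self._pending[identifier] = chal
        return chal

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        chal = self._pending.pop(identifier, None)   # a Challenge is usable exactly once
        secret = self._users.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def iap_chap_login(server: PppoeServer, identifier: int, username: str, secret: str) -> bool:
    """IAP side of the exchange: take the Challenge, answer with the configured CHAP secret."""
    chal = server.challenge(identifier)
    resp = chap_response(identifier, validate_chap_secret(secret), chal)
    return server.verify(identifier, username, resp)


if __name__ == "__main__":
    isp = PppoeServer({"branch-ap@isp": b"correct-horse-battery"})
    print("CHAP login ok:", iap_chap_login(isp, 1, "branch-ap@isp", "correct-horse-battery"))
    print("PAP payload :", pap_authenticate_request("branch-ap@isp", "correct-horse-battery"))
```

The server discards each Challenge after one verify, so a captured Response cannot be replayed, and the MD5 digest reveals nothing about the secret directly. If the ISP's server requests PAP instead, the PPPoE password crosses the link in cleartext, which is one more reason to keep the uplink on a physically controlled port.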
When the Ethernet link is up, it is used as a PPPoE or DHCP uplink. After the PPPoE settings are configured, PPPoE has the highest priority among the uplink connections. The IAP can establish a PPPoE session with a PPPoE server at the ISP and get authenticated using PAP or CHAP; whichever the PPPoE server requests, the corresponding PAP or CHAP credentials are used. Note that PAP sends the password itself over the link, whereas CHAP sends only a hash of the secret and a server-supplied challenge. After configuring PPPoE, reboot the IAP for the configuration to take effect. The PPPoE connection is dialed after the AP comes up. The PPPoE configuration is checked during IAP boot and, if the configuration is correct, Ethernet is used for the uplink connection.

When PPPoE is used, do not configure Dynamic RADIUS Proxy or the IP address of the VC. An SSID created with the default VLAN is not supported with a PPPoE uplink.

You can also configure an alternate Ethernet uplink to enable uplink failover when an Ethernet port fails.

Configuring PPPoE Uplink Profile
To configure PPPoE settings, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Under PPPoE, configure the following parameters:
   a. Enter the PPPoE service name provided by your service provider in the Service Name field.
   b. In the CHAP Secret and Retype CHAP Secret fields, enter the secret key used for CHAP authentication. The CHAP secret can be a maximum of 34 characters.
   c. To set a local interface for the PPPoE uplink connections, select a value from Local Interface. The selected DHCP scope is used as the local interface on the PPPoE interface, and the Local, L3 DHCP gateway IP address as its local IP address. When configured, the local interface acts as an unnumbered PPPoE interface and allocates the entire Local, L3 DHCP subnet to the clients.
   d. Enter the user name for the PPPoE connection in the User field.
   e. In the Password and Retype Password fields, enter a password for the PPPoE connection and confirm it.
   The options in Local Interface are displayed only if a Local, L3 DHCP scope is configured on the IAP.
8. Click Save Settings.
9. Reboot the IAP.

Wi-Fi Uplink
The Wi-Fi uplink is supported for all IAP models except 802.11ac APs. Only the conductor IAP uses the Wi-Fi uplink. The Wi-Fi uplink can connect to open, PSK-CCMP, and PSK-TKIP SSIDs. TKIP is a deprecated cipher with known weaknesses, and an open SSID gives the uplink no confidentiality at all; where you control the upstream SSID, use a CCMP (WPA2-AES) network for the uplink.

Important Points
- For single-radio IAPs, the radio serves wireless clients and the Wi-Fi uplink.
- For dual-radio IAPs, both radios can be used to serve clients, but only one of them can be used for the Wi-Fi uplink.

When the Wi-Fi uplink is in use, the client IP is assigned by the internal DHCP server.

Configuring a Wi-Fi Uplink Profile
The following configuration conditions apply to the Wi-Fi uplink:
- To bind or unbind the Wi-Fi uplink on the 5 GHz band, reboot the IAP.
- If the Wi-Fi uplink is used on the 5 GHz band, mesh is disabled. The two links are mutually exclusive.

To provision an IAP with the Wi-Fi uplink, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Under Wi-Fi, enter the name of the wireless network that is used for the Wi-Fi uplink in the Name(SSID) box.
8. From Band, select the band in which the VC currently operates. The following options are available:
   - 2.4 GHz (default)
   - 5 GHz
9. From the Key Management drop-down list, select the type of key for uplink encryption and authentication.
   - When the WPA Personal or WPA-2 Personal key management type is selected, the passphrase options are available for configuration.
     a. Select a passphrase format from the Passphrase Format drop-down list. The following passphrase options are available:
        - 8 - 63 alphanumeric characters
        - 64 hexadecimal characters
        Ensure that a hexadecimal passphrase is exactly 64 hex digits long.
     b. Enter the PSK passphrase in the Passphrase text box.
   - When the WPA Enterprise or WPA-2 Enterprise key management type is selected, the 802.1X authentication options are available for configuration.
     a. From the WiFi1X drop-down list, select the 802.1X authentication protocol to be used:
        - Specify the certificate type to be used by selecting Cert TPM or Cert User.
        - If the PEAP authentication type is selected, enter the user credentials in the Username and Password text boxes.
     b. Toggle the Validate Server button to enable or disable server certificate verification by the AP. Leave validation enabled: with it disabled, the AP will build its TLS tunnel to any AP that broadcasts the uplink SSID and run the inner PEAP authentication through it, exposing the configured username and password to a rogue AP.
10. Click Save Settings and reboot the IAP.

If the uplink wireless router uses mixed encryption, WPA-2 Personal or WPA-2 Enterprise is recommended for the Wi-Fi uplink.

Uplink Preferences and Switching
This section describes the following topics:
- Enforcing Uplinks
- Setting an Uplink Priority
- Enabling Uplink Pre-emption

Enforcing Uplinks
The following conditions apply to uplink enforcement:
- When an uplink is enforced, the Instant Access Point (IAP) uses the specified uplink regardless of the uplink pre-emption configuration and the current uplink status.
- When an uplink is enforced, multiple Ethernet ports are configured, and uplink is enabled on the wired profiles, the IAP tries to find an alternate Ethernet link based on the configured priority.
- When no uplink is enforced and pre-emption is not enabled, if the current uplink fails the IAP tries to find an available uplink based on the configured priority.
- When no uplink is enforced and pre-emption is enabled, if the current uplink fails the IAP tries to find an available uplink based on the configured priority. If the current uplink is active, the IAP periodically tries to use a higher-priority uplink and switches to it even though the current uplink is active.

To enforce a specific uplink on an IAP, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Expand the Uplink accordion.
7. Under Management > Enforce Uplink, select the type of uplink from the drop-down list. If Ethernet uplink is selected, the Port field is displayed.
8. Specify the Ethernet interface port number.
9. Click Save Settings. The selected uplink is enforced on the IAP.

Setting an Uplink Priority
To set an uplink priority, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Under Management > Uplink Priority List, select the uplink to increase or decrease its priority. By default, the Eth0 uplink is set as the high-priority uplink.
8. Click Save Settings.
The selected uplink is prioritized over other uplinks.

Enabling Uplink Pre-emption
The following configuration conditions apply to uplink pre-emption:
- Pre-emption can be enabled only when no uplink is enforced.
- When pre-emption is disabled and the current uplink fails, the IAP tries to find an available uplink based on the uplink priority configuration.
- When pre-emption is enabled and the current uplink is active, the IAP periodically tries to use a higher-priority uplink, and switches to it even though the current uplink is active.

To enable uplink pre-emption, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Under Management, ensure that Enforce Uplink is set to None.
8. Select the Pre-emption check box.
9. Specify a value for Pre-emption Interval.
10. Click Save Settings.

Switching Uplinks based on Internet Availability
You can configure Aruba Central to switch uplinks based on Internet availability. When uplink switchover based on Internet availability is enabled, the IAP continuously sends ICMP packets to well-known Internet servers. If the requests time out because of a bad uplink connection or an uplink interface failure, and the Internet is not reachable from the current uplink, the IAP switches to a different connection. Because the decision rests on ICMP replies from a single probe address, anything that drops those replies (a filtering firewall, a flood on the path, or an attacker who can block the probe) can force an uplink switch, so pick a Failover Internet IP you trust to answer and set Packet Lost Count and Internet Check Count high enough that transient loss does not flap the uplink.

To configure uplink switching, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the Interfaces tab. The Interfaces page is displayed.
6. Click the Uplink accordion.
7. Under Management, specify a value for Failover Internet IP.
8. Select the Internet Failover check box.
9. Specify values for Failover Internet Packet Send Frequency, Failover Internet Packet Lost Count, and Internet Check Count.
10. Click Save Settings.

- By default, the conductor AP sends the ICMP packets to the 8.8.8.8 IP address only if the out-of-service operation based on Internet availability (internet-down state) is configured on the SSID. You can use Failover Internet IP as an alternative to the default and configure an IP address to which the AP sends ICMP packets to verify whether the Internet is reachable when the uplink is down.
- When Internet Failover is enabled, the IAP ignores the VPN status, even if uplink switching based on VPN status is enabled.

Configuring Preferred Uplink on AP-318 and 370 Series APs
The AP-318 and 370 Series APs have an Ethernet port for Eth0 and a fibre port for Eth1. Either of these ports can be configured as the uplink port as required. By default, the Eth1 port is configured as the uplink for these AP platforms. All functionality of the Eth0 port is supported by the Eth1 port, with the following exceptions:
- The Eth0 bridging feature is not supported when the Eth1 port is configured as the preferred uplink.
- If LACP is enabled, the Eth1 port cannot be configured as the preferred uplink.

By default, the AP-318, AP-374, AP-375, and AP-377 IAPs have Eth1 as the uplink port and Eth0 as the downlink port.
Aruba recommends that you do not upgrade these access points to the 8.5.0.0 and 8.5.0.1 firmware versions, because the upgrade process changes the uplink from the Eth1 port to the Eth0 port and makes the devices unreachable.

Configuring Enterprise Domains
In a typical Instant Access Point (IAP) deployment without tunneling, all DNS requests from a client are forwarded to the client's DNS server by default. However, if an IAP is configured for tunneling, IAP-VPN enables split DNS by default, and the DNS behavior for clients on the IAP network is determined by the enterprise domain settings.

The enterprise domain setting on the IAP specifies the domains for which DNS resolution must be forwarded to the client's default DNS server. For example, if the enterprise domain is configured as arubanetworks.com, DNS resolution for host names in the arubanetworks.com domain is forwarded to the client's default DNS server. DNS resolution for host names in all other domains is forwarded to the local DNS server of the IAP. In full-tunnel mode, all DNS traffic is forwarded over the IPsec tunnel to the client's DNS server regardless of the enterprise domain configuration. If an asterisk is configured in the enterprise domain list instead of a domain name, all DNS requests are forwarded to the client's default DNS server.

Split DNS functionality is supported for IAP-VPN scenarios only. With split DNS, queries for any domain not in the enterprise list are resolved outside the tunnel by the IAP's local DNS path, so list every internal domain, or configure the asterisk, if internal host names must never be looked up on the branch side.

To configure an enterprise domain, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Enterprise Domains accordion.
7. Click + in the Enterprise Domains pane, and enter a name in the New Domain Name window.
8. Click OK.
9. Click Save Settings.

To delete an enterprise domain, select the domain in the Enterprise Domains pane, and then click the delete icon.

Configuring SNMP Parameters
This section describes the following topics:
- SNMP Configuration Parameters
- Configuring Community String for SNMP
- Configuring SNMP Trap Receivers

SNMP Configuration Parameters
Aruba Central (on-premises) supports SNMPv1, SNMPv2c, and SNMPv3 for reporting purposes only. An Instant Access Point (IAP) cannot use SNMP to set values in an Aruba system.

You can configure the following parameters for an IAP:

Table 86: SNMP Parameters
Data Pane Item | Description
Community Strings for SNMPv1 and SNMPv2c | An SNMP community string is a text string that acts as a password and is used to authenticate messages sent between the virtual controller and the SNMP manager. SNMPv1 and SNMPv2c carry the community string in cleartext in every message, so treat it as a password: do not use default or guessable values, and restrict SNMP access to the management network.

If you are using SNMPv3 to obtain values from the IAP, you can configure the following parameters:
Name | A string representing the name of the user.
Authentication Protocol | Whether messages sent on behalf of this user can be authenticated and, if so, the authentication protocol used. One of:
  - MD5: HMAC-MD5-96 Digest Authentication Protocol
  - SHA: HMAC-SHA-96 Digest Authentication Protocol
  Prefer SHA; MD5 is kept for compatibility with older managers.
Authentication protocol password | If messages sent on behalf of this user can be authenticated, the (private) authentication key for use with the authentication protocol. This is a string password for MD5 or SHA, depending on the choice above.
Privacy protocol | Whether messages sent on behalf of this user can be protected from disclosure and, if so, the privacy protocol used. This takes the value DES (CBC-DES Symmetric Encryption). DES uses a 56-bit key and is weak by current standards; it prevents casual disclosure of polled data but should not be relied on against a capable attacker, which is another reason to keep SNMP on a management network.
Privacy protocol password | If messages sent on behalf of this user can be encrypted/decrypted with DES, the (private) privacy key for use with the privacy protocol.

Configuring Community String for SNMP
This section describes the procedure for configuring SNMPv1 and SNMPv2c community strings and SNMPv3 users in Aruba Central.

Creating Community Strings for SNMPv1 and SNMPv2c using Aruba Central
To create community strings for SNMPv1 and SNMPv2c, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the SNMP accordion.
7. Under SNMP, click + to add a new community string.
8. In the New SNMP window, enter a name for the community string.
9. Click OK.
10. To delete a community string, select the string in the SNMP pane, and then click the delete icon.

Creating Users for SNMPv3 using Aruba Central
SNMPv3 does not use community strings; it authenticates a named user with the protocols and passwords listed in Table 86. To create an SNMPv3 user, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the SNMP accordion.
7. Under User for SNMPV3, click + to add a new SNMPv3 user.
8. In the New SNMPv3 User window, enter the following information:
   a. In the Auth protocol drop-down list, select the type of authentication protocol.
   b. In the Password text box, enter the authentication password and retype it in the Retype Password text box.
   c. In the Privacy protocol drop-down list, select the type of privacy protocol.
   d. In the Password text box, enter the privacy protocol password and retype it in the Retype Password text box.
   e. Click OK.
9. To edit the details for a particular user, select the user, and then click the edit icon.
10. To delete a particular user, select the user, and then click the delete icon.

Configuring SNMP Trap Receivers
Aruba Central (on-premises) supports the configuration of external trap receivers. Only the Instant AP acting as the VC generates traps. The OID of the traps is 1.3.6.1.4.1.14823.2.3.3.1.200.2.X.

To configure SNMP traps, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the SNMP accordion.
7. Under SNMP Trap Receivers, click + to add a new trap receiver.
8. In the New SNMP Trap Receiver window, enter the following information:
   a. In the IP Address text box, enter the IP address of the new SNMP trap receiver.
   b. In the Version drop-down list, select the SNMP version: v1, v2c, or v3. The version specifies the format of the traps generated by the access point.
   c. In the Community/Username text box, specify the community string for SNMPv1 and SNMPv2c traps or a username for SNMPv3 traps.
   d. In the Port text box, enter the port to which the traps are sent. The default value is 162.
   e. In the Inform drop-down list, select Yes or No. When enabled, traps are sent as SNMP INFORM messages, which the receiver acknowledges. It is applicable to SNMPv3 only.
The default value is Yes.
   f. Click OK.

Configuring Syslog and TFTP Servers for Logging Events
This section describes the following topics:
- Configuring Syslog Server on IAPs
- Configuring TFTP Dump Server on IAPs

Configuring Syslog Server on IAPs
To specify a syslog server to which the IAP sends its syslog messages, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Logging accordion.
7. In the Servers section, enter the IP address of the syslog server in the Syslog Server text box.
8. Click Syslog Facility Levels, and select the required logging level from the drop-down in each of the fields. A syslog facility is an information field associated with a syslog message; it identifies the application or operating system component that generated the message. The IAP supports the following syslog facilities:
   - Syslog Level: Detailed log about syslog levels.
   - AP-Debug: Detailed log about the AP device.
   - Network: Log about network changes, for example, when a new IAP is added to a network.
   - Security: Log about network security, for example, when a client connects using a wrong password.
   - System: Log about configuration and system status.
   - User: Important logs about clients.
   - User-Debug: Detailed log about clients.
   - Wireless: Log about radios.
   Table 87 describes the logging levels in order of severity, from the most severe to the least. Selecting a level sends messages of that severity and all more severe ones. The default of Notice is reasonable for most facilities, but for Security consider Information so that failed authentications and similar events reach your log collector.

Table 87: Logging Levels
Logging level | Description
Emergency | Panic conditions that occur when the system becomes unusable.
Alert | Any condition requiring immediate attention and correction.
Critical | Any critical condition, such as a hard drive error.
Error | Error conditions.
Warning | Warning messages.
Notice | Significant events of a non-critical nature. The default value for all syslog facilities.
Information | Messages of general interest to system users.
Debug | Messages containing information useful for debugging.
9. Click Save Settings.

Configuring TFTP Dump Server on IAPs
To configure a TFTP server for storing core dump files, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Logging accordion.
7. In the Servers section, enter the IP address of the TFTP server in the TFTP Dump Server text box.
8. Click Save Settings.

Core dumps can contain process memory, including credentials and keys, and TFTP provides neither authentication nor encryption, so place the dump server on an isolated management network and clear dumps once they have been analyzed.

Mobility and Client Management
This section provides the following information on Layer-3 Mobility for Instant Access Point (IAP) clients:
- Layer-3 Mobility
- Configuring L3 Mobility Domain

Layer-3 Mobility
IAPs form a single Aruba Central (on-premises) network when they are in the same Layer-2 (L2) domain. As the number of clients increases, multiple subnets are required to avoid broadcast overhead. In such a scenario, a client must be allowed to roam away from the Aruba Central (on-premises) network to which it first connected (the home network) to another network supporting the same WLAN access parameters (the foreign network) and continue its existing sessions. Layer-3 (L3) mobility allows a client to roam without losing its IP address and sessions.
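Returning to the SNMPv3 user parameters of Table 86 earlier in this chapter (authentication protocol MD5 or SHA, an authentication password, DES privacy and a privacy password): the following Python is an added example written for this edit, not code from this guide or from Aruba. It implements the RFC 3414 Appendix A.2 password-to-key and key-localization steps that every SNMPv3 user-based security model implementation, the IAP's included, performs with those passwords, and derives the DES key and pre-IV from the localized privacy key as RFC 3414 section 8.1.1.1 specifies. The function names are invented; the password "maplesyrup" and engine ID 000000000000000000000002 are the RFC 3414 test vectors, and the second engine ID is constructed. The example also shows the practical consequence: the only salt is the engine ID, which is sent in the clear, so a captured SNMPv3 exchange lets an attacker test password guesses offline.

```python
"""SNMPv3 USM key derivation, RFC 3414 Appendix A.2 (constructed example, not Aruba code)."""
from __future__ import annotations

import hashlib
import hmac

ONE_MEGABYTE = 1_048_576
# The two Authentication Protocol choices offered for an IAP SNMPv3 user (Table 86).
HASH_FOR_PROTOCOL = {"MD5": "md5", "SHA": "sha1"}


def password_to_ku(password: bytes, auth_protocol: str) -> bytes:
    """Ku = H(password repeated until exactly 1,048,576 octets).

    The 1 MB stretch is the only work factor in the scheme; it slows, but
    does not prevent, offline guessing of short passwords.
    """
    if not password:
        raise ValueError("SNMPv3 passwords must not be empty")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(HASH_FOR_PROTOCOL[auth_protocol], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key actually used with one agent (here, the VC)."""
    return hashlib.new(HASH_FOR_PROTOCOL[auth_protocol], ku + engine_id + ku).digest()


def usm_keys(password: bytes, engine_id: bytes, auth_protocol: str) -> tuple[bytes, bytes]:
    """Return (Ku, Kul) for a password against a given engine ID."""
    ku = password_to_ku(password, auth_protocol)
    return ku, localize_key(ku, engine_id, auth_protocol)


def des_key_and_preiv(priv_password: bytes, engine_id: bytes, auth_protocol: str) -> tuple[bytes, bytes]:
    """RFC 3414 8.1.1.1: the privacy password is localized with the *authentication*
    hash; CBC-DES then takes the first 8 octets as the DES key (56 effective bits)
    and the next 8 octets as the pre-IV."""
    _, kul = usm_keys(priv_password, engine_id, auth_protocol)
    return kul[:8], kul[8:16]


def check_password_guess(guess: bytes, engine_id: bytes, auth_protocol: str, observed_kul: bytes) -> bool:
    """Offline test of one candidate password against a known localized key.

    An attacker with a captured authenticated SNMPv3 message can do the same
    by recomputing the HMAC over the packet; the cost per guess is one 1 MB hash.
    """
    _, kul = usm_keys(guess, engine_id, auth_protocol)
    return hmac.compare_digest(kul, observed_kul)


if __name__ == "__main__":
    rfc_engine_id = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 test vector
    for proto in ("MD5", "SHA"):
        ku, kul = usm_keys(b"maplesyrup", rfc_engine_id, proto)
        print(f"{proto}: Ku={ku.hex()} Kul={kul.hex()}")
    key, pre_iv = des_key_and_preiv(b"maplesyrup", rfc_engine_id, "MD5")
    print("DES key:", key.hex(), "pre-IV:", pre_iv.hex())
```

Because Kul depends on the engine ID, the same password yields a different key on every IAP cluster, which is why a manager must learn the VC's snmpEngineID (it is sent in the discovery exchange) before it can authenticate. Nothing in the derivation stops an offline dictionary attack, so the strength of the SNMPv3 user rests entirely on the length and randomness of the two passwords you enter in the New SNMPv3 User window.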
If the WLAN access parameters are the same across these networks, clients connected to IAPs in a given Aruba Central (on-premises) network can roam to IAPs in a foreign Aruba Central (on-premises) network and continue their existing sessions using their IP addresses. You can configure a list of Virtual Controller IP addresses across which L3 mobility is supported.

Home Agent Load Balancing
Home Agent Load Balancing is required in large networks where multiple tunnels might terminate on a single border or lobby AP and overload it. When load balancing is enabled, the VC assigns the home AP for roamed clients using a round-robin policy. With this policy, the load on the APs acting as Home Agents for roamed clients is uniformly distributed across the IAP cluster.

Configuring L3 Mobility Domain
To configure a mobility domain, you have to specify the list of all Aruba Central (on-premises) networks that form the mobility domain. To allow clients to roam seamlessly among all the APs, specify the VC IP for each foreign subnet. You may include the local Aruba Central (on-premises) or VC IP address, so that the same configuration can be used across all Aruba Central (on-premises) networks in the mobility domain.

Aruba recommends that you configure all client subnets in the mobility domain. When client subnets are configured:
- If a client is from a local subnet, it is identified as a local client. When a local client starts using the IP address, L3 roaming is terminated.
- If a client is from a foreign subnet, it is identified as a foreign client. When a foreign client starts using the IP address, L3 roaming is set up.

To configure a Layer-3 Mobility domain, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one AP. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Config icon. The tabs to configure the APs are displayed.
4. Click Show Advanced.
5. Click the System tab. The System page is displayed.
6. Click the Layer-3 Mobility accordion.
7. Turn on the Home Agent Load Balancing toggle switch. By default, home agent load balancing is disabled.
8. Under IP Address, click +, enter an IP address in the New IP Address window, and then click OK. Repeat this step to add the IP addresses of all VCs that form the L3 mobility domain.
9. Under Subnets, click +, and specify the following:
   a. Enter the client subnet in the IP Address box.
   b. Enter the mask in the Subnet Mask box.
   c. Enter the VLAN ID of the home network in the VLAN ID box.
   d. Enter the home VC IP address for this subnet in the Virtual Controller IP box.
10. Click OK.

Renaming an AP
You can change the name of an access point (AP) provisioned in Aruba Central. The AP can be online or offline. When you rename an AP or a VC, the AP or VC does not reboot, and client traffic is not affected. The new name must be a character string of up to 32 ASCII or non-ASCII characters, including spaces.

To rename an AP, complete the following steps:
1. In the Network Operations app, select one of the following options:
   To select a group in the filter:
   a. Set the filter to one of the options under Groups. Ensure that the selected filter contains at least one active access point. The dashboard context for the group is displayed.
   b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
   To select an access point in the filter:
   a. Set the filter to Global.
   b. Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
   c. Click an access point listed under Device Name. The dashboard context for the access point is displayed.
   d. Under Manage, click Device > Access Point.
2. Click the Config icon. The tabs to configure access points are displayed.
3. Click the Access Points tab. The Access Points table is displayed.
4. To edit an AP, select it in the Access Points table, and then click the edit icon.
5. Under Basic Info, modify the AP or VC name in the Name field.
6. Click Save Settings.

The AP name is updated on the AP immediately. It may take up to 1 minute for the new AP name to be reflected in Aruba Central (on-premises). Whether a user can rename an AP depends on the privileges and access permissions assigned to that user for making configuration changes.

Monitoring APs
The access point (AP) dashboard enables you to manage, configure, monitor, and troubleshoot APs provisioned and managed through Aruba Central (on-premises). For a list of all the available menu items in the AP dashboard, see The Access Point Dashboard. The AP Health Bar provides a snapshot of the overall health of the APs configured in Aruba Central (on-premises). For more information, see Health Bar Dashboard for Access Point. The AP Foundation license is applicable for Access Point Monitoring.

Monitoring APs in Summary View
The access point (AP) Summary page provides all the metrics about the health, status, and client information associated with the APs provisioned and managed in Aruba Central (on-premises).

Viewing the AP Summary Page
To navigate to the AP Summary page, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the selected filter contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click the Summary icon. The AP Summary page is displayed.

The AP Summary page displays the following information:
- Access Points: Displays the overall usage metrics for the APs provisioned in your Aruba Central (on-premises) account.
Consists of the following tabs: o Usage--Displays the incoming and outgoing data traffic detected on the APs. o Clients--Displays the number of clients connected to an AP over a specific time period. o Bandwidth Usage Per Network--Displays the incoming and outgoing traffic for all APs per SSID over a specific duration. o Client Count Per Network--Displays the number of clients connected to an AP per SSID over a specific time period. n Radios--Displays the channel distribution and power distribution metrics for the AP radios. For more information on radios in the summary view, see Monitoring Radios in Summary View. You can change the time range for the AP Summary page by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months. Monitoring Radios in Summary View The Radios tab in the access point (AP) Summary page displays the channel distribution, power distribution, channel changes, and power changes metrics for the radios provisioned and managed in Aruba Central (onpremises). When you click the Radios tab, the 2.4 GHz and 5 GHz tabs are displayed. Aruba Central (on-premises) | User Guide 352 Viewing the Radios Summary Page To navigate to the Radios Summary page, complete the following steps: 1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP.The dashboard context for the selected filter is displayed. 2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view. 3. Click the Summary icon.The AP Summary page is displayed. 4. Click the Radios tab. When you click the Radios tab, it displays the following information: n Radios--Click the Radios tab to display the graphs related to channel distribution and power distribution. 
- 2.4 GHz--Click the 2.4 GHz tab to display the channel distribution and power distribution graphs for 2.4 GHz radios.
- 5 GHz--Click the 5 GHz tab to display the channel distribution and power distribution graphs for 5 GHz and 5 GHz (Secondary) radios.
The tri-radio feature is available only for the AP-555. In the 5 GHz tab, the Radio 5 GHz (Secondary) data is available only if tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
You can change the time range for the AP Summary page by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months.
The Radios, 2.4 GHz, and 5 GHz tabs provide the following information:

Radios
The Radios section displays the channel distribution and power distribution graphs for the radios.
Channel Distribution
From the drop-down list, select Channel Distribution to display how the radios are distributed across the available channels.
Figure 20 Channel Distribution
Power Distribution
From the drop-down list, select Power Distribution to display how the radios are distributed across transmit power levels.
Figure 21 Power Distribution
Channel Changes
The Channel Changes graph displays the number of channel changes that have occurred on the radios.
Figure 22 Channel Changes
Power Changes
The Power Changes graph indicates the power change made on each radio, from ARM to AirMatch EIRP.
Figure 23 Power Changes

Monitoring APs in List View
The AP List page provides information about the APs and radios provisioned and managed in Aruba Central (on-premises). The AP List page is available with the Foundation and Advanced licenses for APs.
The AP List page displays the following sections:
- Access Points Table
- Radios Table
- Deleting an Offline AP
- Rebooting an AP in the List View

Viewing the AP List Page
To navigate to the AP List page, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the selected filter contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
The AP List page displays the following information:
- Access Points--Displays the total number of APs. When you click the Access Points tab, the Access Points table lists all APs.
- Online--Displays the total number of online APs. When you click the Online tab, the Access Points table lists only the online APs.
- Offline--Displays the total number of offline APs. When you click the Offline tab, the Access Points table lists only the offline APs.
- Radios--Displays the total number of radios. When you click the Radios tab, the Radios table lists all radios.
  - 2.4 GHz--Displays the total number of 2.4 GHz radios. When you click the 2.4 GHz tab, the Radios table lists the 2.4 GHz radios.
  - 5 GHz--Displays the total number of active 5 GHz and 5 GHz (Secondary) radios. When you click the 5 GHz tab, the Radios table lists the 5 GHz and 5 GHz (Secondary) radios.
  - 6 GHz--Displays the total number of 6 GHz radios. When you click the 6 GHz tab, the Radios table lists the 6 GHz radios.
- The tri-radio feature is available only for the AP-555. In the 5 GHz tab, the Radio 5 GHz (Secondary) data is available only if tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
- 6 GHz radios are supported only on devices with 6 GHz capability.

Access Points Table
The Access Points table displays the following information:
- Device Name--Name of the AP.
- Status--The operational status of the AP:
  - Online--The AP is online.
  - Offline--The AP is offline.
  - Online (under thermal management)--The AP is online but operating under thermal management. For more information, see Thermal Shutdown Support in IAP.
- IP Address--IP address of the AP.
- Model--The model number of the AP.
- Serial--The serial number of the device.
- Firmware Version--The firmware version running on the AP.
- Clients--Number of clients connected to the AP.
- Alerts--Opens the alerts related to the AP.
- MAC Address--MAC address of the AP.
- Controller--The name of the controller.
- Secondary Controller--The name of the secondary controller.
- Config Status--The configuration changes associated with the AP. The Config Status column is not included in the exported CSV file.
- Group--Group to which the AP belongs.
- Labels--Labels associated with the AP. If multiple labels are associated with the AP, hover over the label link to view all of them.
- Site--The site to which the device belongs.
- Uptime--Time for which the device has been operational. The Uptime column is not applicable to offline devices and remains blank for all devices in the Offline page.
- Last Seen--The date and time at which the device was last active. The Last Seen column is not applicable to online devices and remains blank for all devices in the Online page.
- Public IP--The source IP address that external servers see when the device connects through an Internet connection.
- Persona--The role of the AP, for example CAP or IAP.
- LLDP Neighbor--The name of the LLDP neighbor. Click the LLDP Neighbor name to view the switch details page, if the switch is managed by Aruba Central (on-premises).
- LLDP Port--The port number on the LLDP neighbor.
- AI Insights--The number of insights generated for the AP in the last three hours. The AI Insights column is not included in the exported CSV file.
- Note--The information captured in the Note parameter in the AP Details section. The search filter supports exact matches and partial text with a prefix; suffix search is not supported.
- Zone--Zone to which the AP belongs. Zone details are displayed only for APs running ArubaOS 8.7.0.0 or later.
- From the Aruba Central (on-premises) 2.5.4 release, LLDP Neighbor and LLDP Port details are available for Campus APs as well as Instant APs.
- A search filter is provided only for the Device Name, IP Address, Model, Serial, MAC Address, Controller, Secondary Controller, Group, Labels, Site, LLDP Neighbor, Note, and Zone columns. The sort icons allow you to sort the Device Name, IP Address, Serial, MAC Address, Controller, and Zone columns in ascending or descending order.
- By default, the AP List table displays the Device Name, Status, IP Address, Model, Serial, and Firmware Version columns. You can customize the view with additional columns: Clients, Alerts, MAC Address, Controller, Secondary Controller, Config Status, Group, Labels, Site, Uptime, Last Seen, Public IP, Persona, LLDP Neighbor, LLDP Port, AI Insights, Note, and Zone. Select these columns by clicking the column-selector icon at the right corner of the AP list table. Click Reset to default in the drop-down list to restore the default columns. To autofit the columns, click the icon and select Autofit columns.
To download the AP list table as a .csv file, click the download icon. If the table contains Unicode values, open the file with UTF-8 capable software.
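The exported .csv is also convenient for scripted inventory checks. The following Python script is an added example, not part of this guide or of Aruba Central: it decodes the export as UTF-8 with an optional byte-order mark, compares firmware versions numerically rather than as strings, and reports offline APs not seen within a week. The column names follow the Access Points table above; the sample rows, the Last Seen timestamp layout, and the 8.6.0.0 firmware baseline are assumptions and should be checked against a real export.

```python
"""Audit an Aruba Central (on-premises) AP list CSV export.

Added example, not part of the Aruba documentation.  It reads the .csv
downloaded from the AP List table (UTF-8, possibly with a BOM), then
flags APs below a firmware baseline and offline APs not seen recently.
"""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample export.  Column names follow the Access Points table
# in the guide; only a subset of columns is included.  Device names,
# serials and MAC addresses are hypothetical.  Per the guide, Uptime is
# blank for offline APs and Last Seen is blank for online APs.  The
# leading \ufeff becomes the UTF-8 byte-order mark when encoded.
SAMPLE_EXPORT = (
    "\ufeffDevice Name,Status,IP Address,Model,Serial,Firmware Version,"
    "MAC Address,Group,Site,Uptime,Last Seen\n"
    "Büro-AP-01,Online,10.1.20.11,AP-555,AAA0000001,8.7.1.2,"
    "00:00:5e:00:53:01,HQ-Group,Berlin HQ,12d 4h 3m,\n"
    "Lobby-AP-02,Online,10.1.20.12,AP-535,AAA0000002,8.6.0.4,"
    "00:00:5e:00:53:02,HQ-Group,Berlin HQ,3d 1h 9m,\n"
    "Lab-AP-03,Offline,10.1.30.5,AP-515,AAA0000003,8.5.0.0,"
    "00:00:5e:00:53:03,Lab-Group,Lab,,2022-01-10 08:15:00\n"
    "Dock-AP-04,Offline,10.1.30.6,AP-515,AAA0000004,8.7.1.2,"
    "00:00:5e:00:53:04,Lab-Group,Lab,,2022-02-06 22:40:00\n"
).encode("utf-8")

# Assumed timestamp layout for Last Seen; verify against a real export.
LAST_SEEN_FORMAT = "%Y-%m-%d %H:%M:%S"
# Fixed "now" so the sample audit is reproducible.
AUDIT_NOW = datetime(2022, 2, 8, 12, 0, 0)


def load_export(raw: bytes) -> list:
    """Decode the export and return one dict per AP row.

    utf-8-sig strips a leading BOM, so the first header is 'Device Name'
    and not '\\ufeffDevice Name', which would silently break lookups.
    """
    return list(csv.DictReader(io.StringIO(raw.decode("utf-8-sig"))))


def parse_version(version: str) -> tuple:
    """Turn '8.7.1.2' (or '8.7.1.2_12345' with a build suffix) into an
    integer tuple so versions compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("_")[0]))


def audit(rows: list, min_version: str, now: datetime, stale_days: int = 7) -> dict:
    """Return the names of APs below the firmware baseline and of offline
    APs whose Last Seen is older than stale_days."""
    baseline = parse_version(min_version)
    below, stale = [], []
    for ap in rows:
        if parse_version(ap["Firmware Version"]) < baseline:
            below.append(ap["Device Name"])
        # Last Seen is only populated for offline APs.
        if ap["Status"] == "Offline" and ap["Last Seen"]:
            last_seen = datetime.strptime(ap["Last Seen"], LAST_SEEN_FORMAT)
            if now - last_seen > timedelta(days=stale_days):
                stale.append(ap["Device Name"])
    return {"below_min_firmware": below, "stale_offline": stale}


def audit_sample() -> dict:
    """Run the audit on the constructed sample with an 8.6.0.0 baseline."""
    return audit(load_export(SAMPLE_EXPORT), "8.6.0.0", AUDIT_NOW)


if __name__ == "__main__":
    for check, names in audit_sample().items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

Decoding with utf-8-sig matters because Excel and some browsers write a byte-order mark at the start of the file; a plain utf-8 decode leaves it glued to the first column name. Version tuples avoid the string-comparison trap where "8.10.0.0" sorts before "8.9.0.0".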
To view the file in Microsoft Excel 2007 with Unicode values intact, import it as follows:
1. Open Microsoft Excel 2007.
2. Click the Data menu.
3. Click the From Text icon.
4. Browse to the location of the file that you want to import.
5. Select the file name and click Import. The Text Import Wizard is displayed.
6. Select the file type. For .csv format, select the Delimited option.
7. Select the 65001: Unicode (UTF-8) option from the File origin drop-down list.
8. Click Next. The Text Import Wizard - Step 2 of 3 page is displayed.
9. Select the delimiter (for example, the comma) used in the file you are importing. The Data Preview window shows the data split on the selected delimiter.
10. Click Next. The Text Import Wizard - Step 3 of 3 page is displayed. Select the appropriate data format for each column that you want to import. Importing one or more columns is optional.
11. Click Finish to import the data into Microsoft Excel 2007.

Deleting an Offline AP
To delete an offline AP, see Deleting an Offline AP.
Rebooting an AP
To reboot an AP, see Rebooting an AP in the List View.

Radios Table
When you click the Radios, 2.4 GHz, 5 GHz, or 6 GHz tab on the Radios list page, the respective table displays the following columns:
- Access Point--Name of the AP. Online radios are shown with a green dot and offline radios with a red dot.
- Radio MAC Address--The MAC address of the radio.
- Band--The radio band: 2.4 GHz, 5 GHz, 5 GHz (Secondary), or 6 GHz.
- The tri-radio feature is available only for the AP-555. In the Band column, Radio 5 GHz (Secondary) is shown only if tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
- The 6 GHz band is supported only on devices with 6 GHz capability.
- Bandwidth--The bandwidth of data transferred through the radio.
- Channel--The channel assigned to the radio.
- Utilization (%)--The percentage of time (normalized to 255) that the radio's channel is sensed as busy. The AP uses either the physical or the virtual carrier sense mechanism to detect a busy channel. This percentage reflects not only the data bits transferred but also the transmission overhead that occupies the channel.
- Channel Changes--The number of channel changes that have occurred on the AP. Click the number to open the Channel Changes pop-up window, which provides the following information:
  - Event Time--The time at which the channel change occurred, in days-hours-minutes format.
  - Reason--The reason for the channel change.
  - From Channel--The channel from which the change occurred.
  - To Channel--The channel to which the change occurred.
  - Band--The radio band: 2.4 GHz, 5 GHz, 5 GHz (Secondary), or 6 GHz.
  - Access Point--Name of the AP.
- Power (dBm)--The transmit power of the radio, in dBm.
- Power Changes--The number of power changes that have occurred on the AP. Click the number to open the Power Changes pop-up window, which provides the following information:
  - Event Time--The time at which the power change occurred, in days-hours-minutes format.
  - Reason--The reason for the power change.
  - From Power (dBm)--The transmit power from which the change occurred.
  - To Power (dBm)--The transmit power to which the change occurred.
  - Band--The radio band: 2.4 GHz, 5 GHz, 5 GHz (Secondary), or 6 GHz.
  - Access Point--Name of the AP.
- Noise Floor (dBm)--The noise measured at the radio's receiver.
  Along with thermal noise, the noise floor may be raised by certain types of interference, though not all interference types raise it. The noise floor may also vary with the noise introduced by components in the computer or client device.
- A search filter is provided only for the Access Point column.
- If the Radios list contains at least one IAP that supports the 6 GHz band, the 6 GHz tab is available on the Radios list page.

Deleting an Offline AP
To delete an offline AP, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the selected filter contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. In the Access Points table, hover over the offline AP that you want to delete.
4. Click the delete icon. To delete multiple offline APs, select them and click the delete icon.
5. Click Delete in the confirmation dialog box.

Rebooting an AP in the List View
You can reboot an Instant AP, Campus AP, or Remote AP from the Aruba Central (on-premises) UI. For information about rebooting an AP from its Details page, see Rebooting an AP in the Details Page.
To reboot an AP, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed. You can reboot only APs that are online (active).
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3.
In the Access Points table, hover over the AP that you want to reboot.
4. Click the reboot icon. To reboot multiple online APs, select the APs that are online and click the reboot icon.
5. Click Reboot in the confirmation dialog box.

Thermal Shutdown Support in IAP
Aruba AP-555 and AP-535 Instant APs (IAPs) are equipped with an internal thermal sensor. The sensor initiates a shutdown when the operating temperature crosses the threshold recommended for an Instant AP. When an IAP operates under thermal management, all of its radios are shown in Disabled mode in the AP Health Bar.
In swarm mode, thermal shutdown behaves as follows:
- When a member IAP operates beyond the recommended temperature threshold, its Virtual AP profile is disabled. Once the member IAP returns to the optimum temperature, it reboots with the Recovery from Thermal Management Mode message and reconnects to the virtual controller. This reboot-and-reconnect cycle is attempted up to five times. If the connection between the member IAP and the virtual controller is not restored after five attempts, the member IAP remains in the shutdown state until it is manually turned on.
- When the conductor IAP operates beyond the recommended temperature threshold, it reboots with the Reboot due to Thermal Management message. Once the conductor IAP returns to the optimum temperature, it becomes a member IAP, reboots with the Recovery from Thermal Management Mode message, and reconnects to the virtual controller. This reboot-and-reconnect cycle is attempted up to five times. If the connection between the (now member) IAP and the virtual controller is not restored after five attempts, the IAP remains in the shutdown state until it is manually turned on.
- When the conductor IAP operates beyond the recommended temperature threshold and the swarm contains only one IAP, the Virtual AP profile is disabled. Once the conductor IAP returns to the optimum temperature, it reboots with the Recovery from Thermal Management Mode message. This reboot is attempted up to five times. If the conductor IAP does not come back after five attempts, it remains in the shutdown state until it is manually turned on.
- In standalone mode, when the IAP operates beyond the recommended temperature threshold, the Virtual AP profile is disabled. Once the IAP returns to the optimum temperature, it reboots with the Recovery from Thermal Management Mode message. This reboot is attempted up to five times. If the IAP does not come back after five attempts, it remains in the shutdown state until it is manually turned on.

Thermal Shutdown Events
To view the thermal shutdown events, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
2. Under Analyze, click Alerts & Events. The Alerts & Events page is displayed in the List view.
3. Click the Events tab. A list of events is displayed in the Events table.
When the thermal shutdown feature is enabled or disabled on an IAP, the Events table displays the following details:
- The Event Type column shows the AP Thermal Shutdown type, which can be used to filter thermal shutdown events.
- The Description column shows the status of the thermal shutdown feature on the IAP, for example Thermal management enabled or Thermal management disabled.
In Aruba Central (on-premises), the thermal shutdown feature is supported on IAPs running Aruba Instant 8.6.0.0 or later.

About Tri-Radio Mode
Aruba Central (on-premises) supports tri-radio mode on the Aruba AP-555, a flagship 802.11ax AP. In tri-radio mode, also called split 5 GHz mode, the 8x8 5 GHz radio is split into two independent 4x4 5 GHz radios. In split 5 GHz mode, Radio 5 GHz (Secondary) operates on channels 36 to 64 and Radio 5 GHz operates on channels 100 to 165.
To enable tri-radio mode, go to Access Points > Radio in the AP configuration dashboard and select the Split Radio check box.
The split 5 GHz radios can operate in the following modes:
- Access
- Monitor
- Spectrum

Enabling Tri-Radio Mode
To enable tri-radio mode, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group:
     a. Set the filter to one of the options under Groups. Ensure that the selected group contains at least one active AP. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   - To select an AP:
     a. Set the filter to Global.
     b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
     d. Under Manage, click Devices > Access Point.
2. Click the Config icon. The tabs to configure APs are displayed.
3. Click the Access Points tab. The Access Points page is displayed.
4. To edit an AP, select it in the Access Points table, and then click the edit icon.
5. Click Radio.
6. Select the Split Radio check box.
7.
Click Save Settings.

Tri-Radio Events
To view tri-radio events, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group, label, site, or all devices, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.
   - To select a device:
     a. Set the filter to Global.
     b. Under Manage, click Devices, and then click Access Points. A list of APs is displayed in the List view.
     c. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
2. Under Analyze, click Alerts & Events. The Alerts & Events page is displayed in the List view.
3. Click the Events tab. A list of events is displayed in the Events table.
When tri-radio mode is enabled or disabled on an AP, the Events table displays the following details:
- The Event Type column shows the AP Tri-Radio type, which can be used to filter tri-radio events.
- The Description column shows the status of tri-radio mode on the AP.
In Aruba Central (on-premises), the tri-radio feature is available only on the AP-555 running Aruba Instant 8.6.0.0 or later. By default, the AP-555 operates in dual-radio mode.

Access Point > Overview > Summary
In the AP dashboard, the Summary tab displays the device details, network information, radio details including the topology of clients connected to each radio, and the health status of the AP in the network.
The Summary tab displays the following sections:
- Device
- Network
- Radios
- Data Path
- Health Status
- WLANS
- Actions
- Go Live

Viewing the Overview > Summary Tab
To navigate to the Summary tab in the AP dashboard, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites.
For all devices, set the filter to Global. Ensure that the selected filter contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The Summary tab is displayed.
To exit the AP dashboard, click the back arrow on the filter.
You can change the time range for the Summary tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months.

Device
The Device section displays all or some of the following details:
- AP Model--The AP hardware model.
- Country Code--Country code in which the AP operates.
- MAC--MAC address of the AP.
- Serial Number--Serial number of the AP.
- Uptime--Time for which the AP has been operational.
- Last Reboot Reason--The reason for the most recent reboot of the AP.
- Firmware Version--The firmware version running on the AP. If the AP is running an older firmware version, this field prompts you to upgrade to the latest version and links to the Maintenance > Firmware page.
- Configuration Status--The configuration status and the timestamp of the last configuration change on the device.
- Band Selection--The operating band mode of the AP: Dual Band, Dual 5 GHz, Tri-Radio, or Tri Band.
- Power Draw--The power drawn by the device, in watts (W) or kilowatts (kW).
- Power Negotiation--The power, in watts (W), negotiated on the Ethernet port of the device.
- Recommended Power--The recommended power, in watts (W), to negotiate on the Ethernet port of the device.
- Controller--The name of the controller.
- Secondary Controller--The name of the secondary controller.
- Group--The group to which the AP belongs. Click the group name to go to the Overview > Summary page for that group.
  When an AP belongs to an unprovisioned group, the hyperlink to that group is disabled.
- Labels--The labels associated with the AP. You can add a new label to the AP by clicking the edit icon. To view all the labels associated with a device, hover over the Labels column.
- LEDs on Access Point--Blinks the LEDs on the AP to help locate it physically. Click Blink LED to start blinking. The default blinking time is 5 minutes, after which blinking stops automatically. To stop it earlier, click Stop Blinking.
- Site--The site to which the AP belongs. Click the site name to go to the Overview > Site Health page for that site.
- Location--The currently configured physical location of the AP. Displayed only for APs running ArubaOS 8.9.0.0 or later.
- Contact--The currently configured contact for the AP, for example an e-mail ID or a phone number. Displayed only for APs running ArubaOS 8.9.0.0 or later.
- Note--Click the edit icon to display a text box in which you can add reference information, for example the AP location or upgrade information.

Network
The Network section displays information about the network and the interfaces to which the AP is connected. Along with the network profile name, the following fields are displayed:
- ETH0--The status of the ETH0 interface.
  - Speed (Mbps)/Duplex--The link speed in Mbps, and whether the link is full-duplex or half-duplex.
  - VLAN--The number of VLANs associated with the interface.
  - LLDP Details--Click the LLDP Details link to view the ETH0 LLDP details. The pop-up window displays the Neighbor Name, Neighbor MAC, Neighbor Port, and Neighbor VLAN.
- ETH1--The status of the ETH1 interface.
  - Speed (Mbps)/Duplex--The link speed in Mbps.
    This field also indicates whether the link is full-duplex or half-duplex.
  - VLAN--The number of VLANs associated with the interface.
  - LLDP Details--Click the LLDP Details link to view the ETH1 LLDP details. The pop-up window displays the Neighbor Name, Neighbor MAC, Neighbor Port, and Neighbor VLAN.
- Current Uplink--The current uplink connection of the AP.
- Uplink connected to--The name of the switch to which the AP is connected. Click the link to view the switch details page, if the switch is managed by Aruba Central (on-premises).
  - Port--The port number on the switch to which the AP is connected.
- IP Address--IP address of the AP.
- Public IP Address--The source IP address that external servers see when the AP connects through an Internet connection.
- DNS Name Servers--The DNS servers the AP uses to resolve domain names to IP addresses.
- Default Gateway--The IP address of the router to which the AP forwards traffic destined outside its own subnet.
- NTP Server--The NTP server the AP uses for time synchronization.
From the Aruba Central (on-premises) 2.5.4 release, the LLDP Details feature is supported for Campus APs as well.

Radios
The Radios section displays the following information for Radio 2.4 GHz, Radio 5 GHz, Radio 5 GHz (Secondary), and Radio 6 GHz:
- Mode--The operating mode of the radio, for example Client Access, Monitor, or Spectrum.
- Status--The operational status of the radio:
  - Up--The radio is online.
  - Down--The radio is offline.
  - Down - Thermal shutdown--The radio is offline because the AP is operating under thermal management. For more information, see Thermal Shutdown Support in IAP.
- Radio MAC Address--The MAC address of the radio.
- Channel--The channel assigned to the radio.
- Power--The transmit power of the radio.
- Type--The type of wireless LAN used by the radio.
- Clients--The number of clients connected to the AP.
- Wireless Networks--The number of SSIDs configured in the network.
- Antenna--The antenna type, for example internal or external.
- Spatial Stream--The number of spatial streams. By default, Radio 5 GHz is 8x8. When tri-radio mode is enabled, Radio 5 GHz and Radio 5 GHz (Secondary) are each 4x4.
- When the AP radios are set to spectrum scan mode, the Channel and Power values are empty.
- The tri-radio feature is available only for the AP-555. In the Radios section, the Radio 5 GHz (Secondary) data is available only if tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
- The 6 GHz radio band is supported only on devices with 6 GHz capability.

Data Path
The Data Path section displays the topology of the clients connected to each radio of the AP, which in turn is connected to switches or gateways through VLANs. When you hover over an upstream device in the data path topology, a pop-up displays the Name, Serial Number, and Port of that device. PORT shows the number of ports on the AP, including USB ports. CLIENTS connected to a PORT shows the number of wired clients connected to that port.
Figure 24 Data Path
- The tri-radio feature is available only for the AP-555. In the Data Path section, the 5 GHz (Secondary) data is available only if tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
- In the Data Path section, the 6 GHz radio band is supported only on devices with 6 GHz capability.

Health Status
The Health Status trend graph shows the health of the device in the network for the period selected in the time range filter.
When you hover over the graph, you can view the date and time, Health Status, Noise Floor, CPU, Memory, Channel Utilization (Radio 1), Channel Utilization (Radio 2), and Channel Utilization (Radio 3). The Poor Health Limit label in the graph marks the poor-health threshold for the device.
Figure 25 Health Status
- In the Health Status graph, the Channel Utilization (Radio 3) data is available if tri-radio mode is enabled or if a 6 GHz radio is present. For more information, see About Tri-Radio Mode.
- The tri-radio feature is available only for the AP-555.
- The 6 GHz radio band is supported only on devices with 6 GHz capability.

WLANS
The WLANS table lists all the SSIDs configured on the AP.
Figure 26 WLANS
The WLANS table provides the following information:
- Name--The name of the SSID. In the WLANS table, the Type, VLANs, and Security values are empty.
Click the expand icon to expand an SSID in the WLANS table. When you expand an SSID, the following information is shown for the 2.4 GHz, 5 GHz, 5 GHz (Secondary), and 6 GHz radios:
- BSSID--The MAC address of the radio on which the SSID is broadcast.
- Radio Type--The type of radio.
- Clients--The number of connected clients.
Click the download icon to download the WLANS table as a .csv file.
- In the .csv file of the WLANS table, the 5 GHz (Secondary) columns are available only if tri-radio mode is enabled.
- The tri-radio feature is available only for the AP-555. In the WLANS table, the 5 GHz (Secondary) data is available only if tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
- The 6 GHz radio band is supported only on devices with 6 GHz capability.

Actions
The Actions drop-down list contains the following options:
- Reboot AP--Reboots the AP. For more information, see Rebooting an AP in the List View and Rebooting an AP in the Details Page.
- Reboot Swarm--Reboots the AP cluster. For more information, see Rebooting an IAP Cluster.
- Tech Support--Generates a tech support dump for troubleshooting the AP. For more information, see Tech Support for an IAP.

Go Live
Aruba Central (on-premises) supports live monitoring of IAPs running Aruba Instant 8.4.0.0 or later. Live data for the AP is refreshed every 5 seconds. For more information, see Enabling Live IAP Monitoring.

Access Point > Overview > AI Insights
In the AP dashboard, the AI Insights tab displays information on AP performance issues such as excessive channel changes, excessive reboots, airtime utilization, and memory utilization.

Viewing Access Points > AI Insights
To navigate to the AI Insights tab in the AP dashboard, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the selected filter contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the AP dashboard context, click the AI Insights tab. The Insights page is displayed.
5. To exit the AP dashboard, click the back arrow on the filter.
You can change the time range for the AI Insights tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months. AI Insights are displayed for the selected time range.

AI Insights Categories
AI Insights are categorized as high, medium, or low priority depending on the number of occurrences:
• Red--High priority
• Orange--Medium priority
• Yellow--Low priority

AI Insights listed in the dashboard are sorted from high priority to low priority. The AI Insights dashboard displays a report of network events that could possibly affect the quality of the overall network performance. Each insight report provides specific details on the occurrences of these events for ease in debugging. For more information, see The AI Insights Dashboard.

The AP Insights page displays the following insights:
• Clients with High Wi-Fi Security Key-Exchange Failures
• Clients with High 802.1X Authentication Failures
• Clients with DHCP Server Connection Problems
• Clients with High Number of MAC Authentication Failures
• Clients with High Number of Wi-Fi Association Failures
• Clients with Captive Portal Authentication Problems

Access Point > Overview > Floor Plan

In the access point (AP) dashboard, the Floor Plan tab provides information regarding the current location of the Instant Access Point (IAP).

Viewing the Overview > Floor Plan Tab

To navigate to the Floor Plan tab in the AP dashboard, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the AP dashboard context, click the Floor Plan tab. The Floor Plan tab is displayed.

To exit the AP dashboard, click the back arrow on the filter.

You can change the time range for the Floor Plan tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months.
The Floor Plan tab displays a sitemap and the floor plan showing the current location of the IAP. The sitemap is derived from the Visual RF application, if the Visual RF service is enabled for the Aruba Central (on-premises) account. You can also edit the location of the IAP device by clicking the edit icon provided next to the address in the Floor Plan tab.

Actions

The Actions drop-down list contains the following options:
• Reboot AP--Reboots the AP. For more information, see Rebooting an AP in the Details Page and Rebooting an AP in the List View.
• Reboot Swarm--Reboots the AP cluster. For more information, see Rebooting an IAP Cluster.
• Tech Support--Enables the administrator to generate a tech support dump required for troubleshooting the AP. For more information, see Tech Support for an IAP.

Go Live

Aruba Central (on-premises) supports live monitoring of IAPs that support Aruba Instant 8.4.0.0 firmware version and above. Aruba Central (on-premises) allows you to monitor live data of an AP updated every 5 seconds. For more information, see Enabling Live IAP Monitoring.

Access Point > Overview > Performance

In the access point (AP) dashboard, the Performance tab displays the size of data transmitted through the AP.

Viewing the Overview > Performance Tab

To navigate to the Performance tab in the AP dashboard, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under groups, labels, or sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the AP dashboard context, click the Performance tab. The Performance tab is displayed.

To exit the AP dashboard, click the back arrow on the filter.
You can change the time range for the Performance tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months.

The Performance tab provides the following details:
• Throughput--The Throughput graph indicates the size of data sent to and received by the device in bits per second for the wired or wireless networks, for example, the Eth 0 or Eth 1 wired network profiles and specific SSIDs of wireless networks. You can also view data for all the wireless SSIDs by selecting All SSIDs from the drop-down list. You can view the overall data usage measured in bytes in the Overall Usage field.
• Clients--The Clients graph indicates the number of clients connected to the device for the wired, wireless, or radio network profiles for the time range selected in the time range filter. For example, Wired for the wired network profile, a specific SSID or All SSIDs for the wireless network profile, and 2.4 GHz, 5 GHz, or 2.4 GHz & 5 GHz for the radio network profile. You can select a specific network profile from the drop-down list provided in the Clients section to view the date, time, and number of clients connected.

When you hover over the Throughput and Clients graphs, they display specific data for the selected timestamp.

Actions

The Actions drop-down list contains the following options:
• Reboot AP--Reboots the AP. For more information, see Rebooting an AP in the Details Page on page 378 and Rebooting an AP in the List View on page 665.
• Reboot Swarm--Reboots the AP cluster. For more information, see Rebooting an IAP Cluster.
• Tech Support--Enables the administrator to generate a tech support dump required for troubleshooting the AP. For more information, see Tech Support for an IAP.

Go Live

Aruba Central (on-premises) supports live monitoring of IAPs that support Aruba Instant 8.4.0.0 firmware version and above.
Aruba Central (on-premises) allows you to monitor live data of an AP updated every 5 seconds. For more information, see Enabling Live IAP Monitoring.

Access Point > Overview > RF

In the access point (AP) dashboard, the RF tab provides details corresponding to the 2.4 GHz, 5 GHz, 5 GHz (secondary), and 6 GHz radios of the AP.

Starting from Aruba Instant 8.9.0.0, the Wi-Fi 6E standard is supported, which introduces the 6 GHz radio band for a few IAPs. The 6 GHz radio band provides greater efficiency, higher throughput, and increased levels of security to address bandwidth challenges. The 6 GHz radio band also provides wider channels of up to 160 MHz for dense environments and a large number of IoT devices. The Wi-Fi 6E IAPs support the 2.4 GHz, 5 GHz, and 6 GHz radio bands simultaneously, allowing client devices to switch seamlessly between the three radio bands. The Wi-Fi 6E IAPs are supported with Enhanced Open and WPA3 encryption methods only. AP-635 and AP-655 IAPs are Wi-Fi 6E IAPs that support the 6 GHz radio band, in addition to the 2.4 GHz and 5 GHz radio bands.

Viewing the Overview > RF Tab

To navigate to the RF tab in the AP dashboard, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under groups, labels, or sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the AP dashboard context, click the RF tab. The RF tab is displayed.

To exit the AP dashboard, click the back arrow on the filter.

You can change the time range for the RF tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months.

You can hover over the graph to view more information.
You can select or clear an option in each graph to filter the data displayed on the graph. For example, if you uncheck the boxes corresponding to Receiving and Non-Wifi Interference in the Channel Utilization graph, only Transmitting data is displayed on the graph.

The RF tab provides the following details corresponding to the 2.4 GHz, 5 GHz, and 6 GHz radio channels of the AP:

Channel Utilization

The Channel Utilization graph indicates the percentage of channel utilization for the time range selected in the time range filter. The channel utilization information is categorized as follows:
• Transmitting: The percentage of the channel currently being transmitted.
• Receiving: The percentage of the channel currently being received.
• Non-Wifi Interference: The percentage of the channel currently being used by non-Wi-Fi interferers.

Total Utilization is the sum of Transmitting, Receiving, and Non-Wifi Interference, which indicates the total percentage of channel utilization for the selected time range.

The following figure displays the channel utilization graph for the 2.4 GHz radio channel:

Figure 27 Channel Utilization Graph

Noise Floor

The Noise Floor graph indicates the noise floor detected in the network to which the device belongs.

Frames - 802.11

The Frames - 802.11 line graph indicates the trend of frames transmitted through the network. The frames can be one of the following types: Drops, Errors, and Retries. The graph indicates the status of data frames that were dropped, encountered errors, or were retried in a wireless network. You can see the graph in percentage or frames/sec.

Only Campus APs and Remote APs support the Issues & Transmitted Frames and Issue % filter options.

Select one of the following options from the drop-down:
• Issues & Transmitted Frames--Select to view the trend value for transmitted frames along with retries, errors, and drops in frames per second.
• Issue %--Select to view the trend value for retries, errors, and drops in percentage.
Figure 28 Frames - 802.11 Graph

Radio Errors

The Radio Errors graph indicates the Total Packets, Physical Errors, and MAC Errors in packets per second.

Only Campus APs and Remote APs support the Physical Errors and MAC Errors options.

Figure 29 Radio Errors Graph

Channel Quality

The Channel Quality graph indicates the quality of the channel in percentage.

• When you hover over the Channel Utilization, Noise Floor, Frames - 802.11, and Channel Quality graphs, they display specific data for the selected timestamp.
• The tri-radio feature is available only for AP-555. In the RF tab, the Radio 5 GHz (Secondary) tab is available only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
• The 6 GHz radio band is only supported for devices with 6 GHz capability.

Actions

The Actions drop-down list contains the following options:
• Reboot AP--Reboots the AP. For more information, see Rebooting an AP in the Details Page.
• Reboot Swarm--Reboots the AP cluster. For more information, see Rebooting an IAP Cluster.
• Tech Support--Enables the administrator to generate a tech support dump required for troubleshooting the AP. For more information, see Tech Support for an IAP.

Go Live

Aruba Central (on-premises) supports live monitoring of IAPs that support Aruba Instant 8.4.0.0 firmware version and above. Aruba Central (on-premises) allows you to monitor live data of an AP updated every 5 seconds. For more information, see Enabling Live IAP Monitoring.

Access Point > Overview > Spectrum

In the access point (AP) dashboard, the Spectrum tab provides details for all Wi-Fi and non-Wi-Fi devices associated with each radio. When the radios of an Instant Access Point (IAP) are set to spectrum scan mode, the IAP functions as a dedicated full-spectrum RF monitor, scanning all channels to detect interference from neighboring IAPs or interfering devices such as microwaves and cordless phones.
To enable the spectrum scan feature on a specific radio of an AP, see Access Points Configuration Parameters.

The spectrum scan feature is available only on IAP devices running Aruba Instant 8.5.0.1 firmware version and later. When the spectrum scan feature is enabled, the Instant AP does not provide services to clients.

The Spectrum tab displays the following sections:
• Channel Utilization and Quality
• Interfering Devices
• Actions
• Go Live

Viewing the Overview > Spectrum Tab

To navigate to the Spectrum tab in the AP dashboard, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the AP dashboard context, click the Spectrum tab. The Spectrum tab is displayed.

To exit the AP dashboard, click the back arrow on the filter.

You can change the time range for the Spectrum tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months.

Channel Utilization and Quality

Click the Chart icon to view the Channel Utilization and Quality details corresponding to the 2.4 GHz and 5 GHz radios of the AP. Click the 2.4 GHz and 5 GHz tabs on the Channel Utilization and Quality label to view the Channel Utilization and Quality graphs for the radios.
• Channel Utilization--The Channel Utilization graph indicates the percentage of channel utilization for the Available, Interference, and Wi-Fi Utilization categories associated with the 2.4 GHz and 5 GHz radios.
You can view the following channel metrics when you hover over the Channel Utilization bar graph:

Table 88: Channel Utilization Metrics
Metrics -- Description
Channel -- The channel number of the radio.
Available -- The percentage of the channel currently available for use.
Interference -- The percentage of the channel currently being used by interfering devices.
Microwave -- The percentage of the channel currently being used by microwaves. Common residential microwave ovens with a single magnetron are classified as a Microwave. These types of microwave ovens may be used in cafeterias, break rooms, dormitories, and similar environments. Some industrial, healthcare, or manufacturing environments may also have other equipment that functions like a microwave and may also be classified as a Microwave device.
Bluetooth -- The percentage of the channel currently being used by Bluetooth devices. Any device that uses the Bluetooth protocol to communicate in the 2.4 GHz band is classified as a Bluetooth device. Bluetooth uses a frequency hopping protocol.
Cordless Phone -- The percentage of the channel currently being used by cordless phones.
Wi-Fi Utilization -- The percentage of the channel currently being used by Wi-Fi devices.

• Quality--The Quality graph displays the channel quality corresponding to each of the Wi-Fi and non-Wi-Fi devices connected to the radios. When you hover over the Quality bar graph, the following channel metrics are displayed:

Table 89: Channel Quality Metrics
Metrics -- Description
Channel -- The channel number of the radio.
Quality -- Current relative quality of the channel.
Known APs -- Number of valid Instant APs identified on the radio channel.
Unknown APs -- Number of invalid or rogue Instant APs identified on the radio channel.
Max AP Signal -- Signal strength of the Instant AP that has the maximum signal strength on a channel, in dBm.
Max Interference -- Signal strength of the non-Wi-Fi device that has the highest signal strength, in dBm.
Max AP SSID -- The network SSID with maximum APs.
Max AP BSSID -- The network SSID with maximum APs.
SNIR -- The measure of SNIR detected in the network in dB.
Noise Floor -- The noise at the radio receivers of the radios.

Interfering Devices

Click the List icon to view the Interfering Devices details detected by the spectrum scanner. The page displays a table with the following details of the interfering devices:

Table 90: Interfering Devices Table
Metrics -- Description
Type -- Device type. This parameter can be any of the following:
  ◦ Audio FF (fixed frequency)
  ◦ Bluetooth
  ◦ Cordless base FH (frequency hopper)
  ◦ Cordless phone FF (fixed frequency)
  ◦ Cordless network FH (frequency hopper)
  ◦ Generic FF (fixed frequency)
  ◦ Generic FH (frequency hopper)
  ◦ Generic interferer
  ◦ Microwave
  ◦ Microwave inverter
  ◦ Video
  ◦ Xbox
ID -- ID number assigned to the device by the spectrum monitor. Spectrum monitors assign a unique spectrum ID per device type.
Central Frequency -- Center frequency of the signal sent from the device.
Bandwidth -- Channel bandwidth used by the device in kHz.
Affected Channels -- Radio channels affected by the wireless device.
Signal Strength -- Strength of the signal sent from the device, measured in dBm.
Duty Cycle -- The device duty cycle. This value represents the percentage of time the device broadcasts a signal.
First Seen -- Time at which the device was first detected.
Last Seen -- Time at which the device status was updated.

The data displayed in the Spectrum tab is refreshed every 15 seconds. Aruba Central (on-premises) displays the last recorded data for 30 minutes if the device goes offline.

Actions

The Actions drop-down list contains the following options:
• Reboot AP--Reboots the AP. For more information, see Rebooting an AP in the Details Page on page 378 and Rebooting an AP in the List View on page 665.
• Reboot Swarm--Reboots the AP cluster. For more information, see Rebooting an IAP Cluster.
• Tech Support--Enables the administrator to generate a tech support dump required for troubleshooting the AP. For more information, see Tech Support for an IAP.

Go Live

Aruba Central (on-premises) supports live monitoring of IAPs that support Aruba Instant 8.4.0.0 firmware version and above. Aruba Central (on-premises) allows you to monitor live data of an AP updated every 5 seconds. For more information, see Enabling Live IAP Monitoring.

Access Point > Security > VPN

The VPN tab provides information on VPN connections associated with the virtual controller along with information on the tunnels and the data usage through each of the tunnels.

Viewing the Security > VPN Tab

To navigate to the VPN tab, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. Under Manage, click Security > VPN. The VPN tab is displayed.

You can change the time range for the VPN tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months.

The VPN tab provides the following information:
• VPNC Tunnels Summary--The section displays information on tunnels with the following details:
  ◦ Total--Total tunnels established.
  ◦ Up--Number of tunnels currently active.
  ◦ Down--Number of tunnels currently inactive.
  ◦ Peers--Number of peer tunnels currently active.
  The Tunnel table displays information on tunnels with the following columns:
  ◦ Tunnel--The type of the tunnels used in the VPN. For example, primary, secondary, or backup.
  ◦ Status--The status of the tunnel.
  ◦ Source--The source address of the tunnel.
  ◦ Destination--The destination address of the tunnel.
• Throughput Usage Per VPN--The Throughput Usage Per VPN graph indicates the successful data usage per VPN in Mbps for the primary or backup tunnel selected from the drop-down list. The Throughput Usage Per VPN displays a linear graph of sent and received data in the virtual private network.
• The Gateway tab provides information on the gateways to which the AP is connected. The tab displays the following details:
• Tunnels Summary--The section displays information on tunnels with the following details:

Rebooting an AP in the Details Page

You can reboot an Instant Access Point, Campus Access Point, or Remote Access Point using the Aruba Central (on-premises) UI. For information about how to reboot an AP in the List view, see Rebooting an AP in the List View.

To reboot, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under groups, labels, or sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the Actions drop-down list, click Reboot AP. A Reboot dialog box is displayed.
5. Click Reboot to reboot the AP.

The AP dashboard takes approximately a minute to update the interface status after the AP is rebooted and reconnected to Aruba Central (on-premises).

Rebooting an IAP Cluster

You can reboot an Instant Access Point (IAP) cluster using the Aruba Central (on-premises) UI.

To reboot an IAP cluster, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global.
Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the Actions drop-down list, click Reboot Swarm. A Reboot dialog box is displayed.
5. Click Yes to reboot the AP cluster.

The AP dashboard takes less than a minute to update the interface status after the VC is rebooted and reconnected to Aruba Central (on-premises).

Tech Support for an IAP

In the Aruba Central (on-premises) UI, administrators can generate a tech support dump required for troubleshooting the Instant Access Point (IAP).

To generate a tech support dump for an IAP, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. In the Actions drop-down list, click Tech Support. The Commands page is displayed. In the Commands page, the Device Type and Available Devices fields are automatically selected. The AP Tech Support Dump command is automatically selected in the Selected Commands pane.
5. Click Run. The output is displayed in the Device Output section.

For more information, see Advanced Device Troubleshooting.

Enabling Live IAP Monitoring

Aruba Central (on-premises) supports live monitoring of Instant APs that support Aruba Instant 8.4.0.0 firmware version and above. Aruba Central (on-premises) allows you to monitor live data of an AP updated every 5 seconds.
Enabling and Disabling Go Live

To enable and disable the live monitoring of an AP, complete the following steps:
• In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active access point. The dashboard context for the selected filter is displayed.
• Under Manage, click Devices > Access Points. A list of access points is displayed in the List view.
• Click an access point listed under Device Name. The dashboard context for the access point is displayed.
• Click the Go Live button to start live monitoring of the AP.
• Click the Stop Live button to exit live monitoring of the AP.

The Go Live feature is not applicable for offline Instant APs. The Go Live button remains grayed out for all the APs that are not associated with Instant AP devices running Aruba Instant 8.4.0.0 firmware version and above.

Aruba Central (on-premises) allows you to monitor live data for 15 minutes. After this time period, Aruba Central (on-premises) redirects to the AP dashboard in a non-live mode to display the monitoring details for the time selected in the Time Range Filter. For more information on the AP dashboard in a non-live mode, see Access Point > Overview > Summary.

AP Details in Go Live Mode

When you click the Go Live button, the page displays live graphs based on the noise floor, frames, and channel quality of the neighboring RF devices for 15 minutes, until you select the Stop Live button. The page displays Noise Floor, Frames, and Channel Quality live graphs for Radio 2.4 GHz, Radio 5 GHz, Radio 5 GHz Secondary, and Radio 6 GHz.

Important Information

• The Go Live feature is not applicable for offline APs.
• Aruba Central allows you to monitor live data for 15 minutes.
After this time period, Aruba Central redirects to the AP dashboard in a non-live mode to display the monitoring details for the time selected in the Time Range Filter. For more information on the AP dashboard in a non-live mode, see Access Point > Overview > Summary.
• In Go Live mode, the AP dashboard updates and displays data every 5 seconds.
• The tri-radio feature is available only for AP-555. In the Go Live page, the Radio 5 GHz (Secondary) tab is available only if the tri-radio mode is enabled. For more information, see About Tri-Radio Mode.
• The Radio 6 GHz band is only supported for devices with 6 GHz capability.
• The time range selected in the Time Range Filter is not applicable when the Go Live button is enabled.
• You can monitor live data for multiple APs simultaneously on different tabs.

Replacing an Access Point

Aruba Central (on-premises) now supports the Campus AP, Remote AP, and Instant Access Point replacement workflow. You can now replace the APs from the AP dashboard in the Aruba Central (on-premises) WebUI. Navigate to the Manage > Overview > Summary page to replace the AP.

Before You Replace a Campus AP or Remote AP

Following are the important points to consider before you replace a Campus AP or Remote AP:
• The device that has to be replaced must be offline.
• The model number of the old AP and the new AP can be different. The AP that replaces another AP need not be of the same model.
• The old AP must be a licensed device, and ensure that an additional license is available because the new AP will procure a license during replacement.
• The new AP must be part of the device inventory.
• After the AP is replaced, the new AP gets licensed and inherits the Group, Label, and Site parameters along with the floor plan from the old device.
• The new AP does not inherit any configuration from the old AP.
• After the AP is replaced, the old AP is removed from:
  ◦ Device inventory
  ◦ Monitoring view, if associated
  ◦ Visual RF, if the AP is associated with the Visual RF floor plan
  ◦ Site, Label, and Group, if associated
• The new AP replaces the old AP in the VisualRF floor plan if the old AP was associated with the VisualRF floor plan.
• The old AP is deleted from the monitoring view only after the validation process is complete. This validation process takes about 15 minutes.

Before You Replace an Instant AP

Following are the important points to consider before you replace an Instant Access Point:
• The device that has to be replaced must be offline.
• The model number of the old AP and the new AP must be the same. For example, an AP-505 must be replaced with an AP-505 only.
• The new AP must be part of the device inventory.
• A subscription must be assigned for the new AP.
• If the AP that is going to be replaced is a member, the new AP automatically inherits the configuration from the leader of the group.
• If the AP that is going to be replaced is a leader, the new AP does not automatically become the leader. Although the replacement procedure ensures that the new AP inherits the configuration settings, a new leader is elected after the new AP joins the cluster.
• After the AP is replaced, the new AP inherits the Group, Label, and Site parameters, firmware version, and device name from the old device.
• The old AP is deleted from the monitoring view only after the validation process is complete. This validation process takes 15 minutes.
• After the device is replaced, the old AP is not removed from the device inventory. The AP can be reused in the future.

Replacing an AP from the Summary Page

To replace an AP from the summary page, complete the following steps:
1. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points.
A list of APs is displayed in the List view.
3. Click Offline to view a list of offline APs in the Access Points table.
4. In the Device Name column, click the AP that you want to replace. The Overview > Summary page is displayed in the AP dashboard.
5. In the Actions drop-down list, click Replace Device.
6. In the Replace Device pop-up window, click Replace.
7. In the Replace Access Point page, perform the following steps:
   a. Select a replacement AP and click Next.
   b. Verify the attributes and click Next.

Table 91: Parameters for Campus AP and Remote AP
Parameters -- Description
Device name -- The device name of the new AP.
Serial number -- The serial number for each AP is a unique value. The serial number reflects the value of the new AP.
Subscription assigned -- The new AP is assigned the same subscription as the old one. For example, if the old AP had a Foundation license, the new AP is assigned the same Foundation license.
Model number -- The model number of the new AP.
Group name -- The group name that is inherited from the old AP.
Site assigned -- The site that is inherited from the old AP.
Label(s) assigned -- The label(s) that are inherited from the old AP.

Table 92: Parameters for an Instant Access Point
Parameters -- Description
Device name -- The name that is inherited from the old AP.
Serial number -- The serial number for each AP is a unique value. The serial number reflects the value of the new AP.
Subscription assigned -- The same subscription is assigned to the new AP. For example, if the old AP had a Foundation license, the new AP is assigned the same Foundation license.
Model number -- The model number is inherited from the old AP.
Group name -- The group name that is inherited from the old AP.
Site assigned -- The site that is inherited from the old AP.
Firmware version -- The firmware version is displayed as Unknown for the new AP. However, after the new AP is connected and the configuration is synchronized, the firmware is upgraded to the same version as the old device.
   In the Confirmation page, the following warning is displayed: This is an irreversible operation. Do you want to proceed with the device replacement?
   c. In the Confirmation page, review the old and new device details and click Replace.
   d. In the Request Accepted pop-up window, click Done to continue the workflow.
8. In the Access Point Details page, a progress bar displays the device replacement status. Hover over the progress bar to view more details.
9. Optionally, hover over the progress bar and click Terminate if you wish to discontinue replacing the device. If the device replacement process fails, click Terminate to end the procedure and retry.
10. Connect the new AP. The status in the progress bar changes to Device replacement in progress. Hover over the progress bar to view more details.
   If the firmware upgrade fails for an Instant Access Point, Aruba Central automatically retries one more time. If the firmware upgrade fails for the second time, the Firmware Updated status changes to Failed. You can manually upgrade the firmware. For more information, see Upgrading Device Firmware.
11. Navigate to the AP Summary page of the new device.
   a. In the Network Operations app, set the filter to Global. The dashboard context for the selected filter is displayed.
   b. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
   c. Click Online to view a list of online APs in the Access Points table.
   d. In the Device Name column, click the new AP. The Overview > Summary page is displayed in the AP dashboard.
   e. In the Device section, you can view the following details:
      • AP Model
      • Country Code
      • MAC Address
      • Serial Number
      • Last Seen
      • Last Reboot Reason
      • Firmware version
      • Configuration Status
      • Band Selection
      • Power Negotiation
      • Group
      • Labels
      • Site
12. The Audit Trail page displays all the logs generated during the device replacement process. To view the logs, set the filter to Global.
Under Analyze, click Audit Trail. The Audit Trail table is displayed.

Replacing APs in Bulk

Aruba Central (on-premises) now allows you to perform bulk replacement of Campus APs and Remote APs in the WebUI. You can replace the APs in bulk by using one of the following pages available under the Network Operations app:
- Manage > Overview > Device Replacement under the Sites filter. For more information, see Bulk Replacement from the Device Replacement Page.
- Manage Sites under Maintain > Organization > Network Structure > Sites. For more information, see Bulk Replacement from the Manage Sites Page.

Important Points

Following are the important points to consider when replacing APs in bulk:
- You can replace only the APs that are offline.
- The model number of the old APs and the new APs can be different.
- Bulk replacement of APs is applicable to Campus APs and Remote APs only.
- You cannot rename APs by using the Device Replacement or Manage Sites page. To rename APs, see Renaming an AP.
- The old APs must be licensed devices. Also, ensure that additional licenses are available, because the new APs will procure licenses during replacement.
- The new APs must be part of the device inventory, and must be licensed in Aruba Central (on-premises).
- After the APs are replaced, the new APs inherit the Group, Label, Site, and Visual RF parameters along with licenses from the old APs.
- After the APs are replaced, the old APs are removed from:
  - Device inventory
  - Monitoring view, if associated
  - Visual RF, if the APs are associated with the Visual RF floor plan
  - Site, Label, and Group, if associated
- The new APs replace the old or faulty APs that were associated with the VisualRF floor plan.
- Bulk replacement of APs is an irreversible process. After the APs are replaced in bulk, you cannot revert to the old APs.

Bulk Replacement from the Device Replacement Page

To replace APs in bulk by using the Device Replacement page, complete the following steps:
1. In the Network Operations app, set the filter to one of the relevant options under Sites. The dashboard context for the selected site is displayed.
2. Under Manage, click Overview > Device Replacement. The Bulk Device Replacement page is displayed.
3. In the Devices table, select the offline APs that you want to replace, and click the icon. The Replace Devices page is displayed. You can select a maximum of 30 offline devices from the Devices table for bulk replacement.
4. In the Devices table, select the serial number of the new AP from the New Device drop-down list. In the Confirmation page, the following warning is displayed: This is an irreversible operation. Do you want to proceed with the device replacement?
5. Click Replace. The Replacement Status pop-up window is displayed. The Replacement Status pop-up window displays the message "The replacement request has been accepted" for each of the newly replaced APs.
6. Click Done. The In Progress Devices table under Bulk Device Replacement displays the parameters of the new devices as described in Table 93.

Table 93: In Progress Devices Parameters
Parameter | Description
Faulty device serial | The serial number of the previous (faulty) AP.
New device serial | The serial number for each AP is a unique value. The serial number reflects the value of the new AP.
License assignment | The status of the license assigned to the new AP.
Group assignment | The status of the group name inherited from the old AP.
Site assignment | The status of the site that is inherited from the old AP.
Labels assignment | The status of the labels that are inherited from the old AP.
Status | The bulk device replacement status.

The following figure displays three offline APs that are selected for replacement in the Bulk Device Replacement page.
Figure 30 Bulk Device Replacement

The following figure displays the Replace Devices page, where the serial numbers of the new APs are selected for replacement from the New Device drop-down list.

Figure 31 Replace Devices

Bulk Replacement from the Manage Sites Page

To replace APs in bulk by using the Manage Sites page, complete the following steps:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Sites tile. The Manage Sites page is displayed.
4. From the list of sites, select the site whose APs you want to replace.
5. Click the icon. The Replace Offline Devices pop-up window is displayed.
6. Click Replace. The Bulk Device Replacement page under Manage > Overview > Device Replacement is displayed.
7. In the Devices table, select the offline APs that you want to replace, and click the icon. The Replace Devices page is displayed. You can select a maximum of 30 offline devices from the Devices table for bulk replacement.
8. In the Devices table, select the serial number of the new AP from the New Device drop-down list. In the Confirmation page, the following warning is displayed: This is an irreversible operation. Do you want to proceed with the device replacement?
9. Click Replace. The Replacement Status pop-up window is displayed. The Replacement Status pop-up window displays the message "The replacement request has been accepted" for each of the newly replaced APs.
10. Click Done.

The following figure displays the Replace Offline Devices pop-up window under the Manage Sites page.

Figure 32 Manage Sites

Access Point > Clients > Clients

In the access point (AP) dashboard, the Clients tab displays details of all the clients connected to a specific AP.

Viewing the Access Point > Clients > Clients Tab

To navigate to the Clients tab in the AP dashboard, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. Under Manage, click Clients. The Clients page is displayed in the List view.

To exit the Clients dashboard, click the back arrow on the filter.

You can change the time range for the Clients tab by clicking the time range filter and selecting one of the available options: 3 hours, 1 day, 1 week, 1 month, and 3 months. For more information, see All Clients.

Access Point > Alerts & Events > Alerts & Events

In the access point (AP) dashboard, the Alerts & Events tab displays details of the alerts and events generated for the AP.

Viewing the Access Point > Alerts & Events > Alerts & Events Tab

To navigate to the Alerts & Events tab in the AP dashboard, complete the following steps:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active AP. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Access Points. A list of APs is displayed in the List view.
3. Click an AP listed under Device Name. The dashboard context for the AP is displayed.
4. Under Analyze, click Alerts & Events. The Alerts & Events page is displayed in the List view.

To exit the Alerts & Events dashboard, click the back arrow on the filter. For more information, see Alerts & Events.

You can also configure and enable certain categories of AP alerts. For more information, see Access Point Alerts.
Live Events

Aruba Central (on-premises) allows you to troubleshoot issues related to Instant APs (IAPs) and IAP wireless clients. The Live Events feature is similar to client live troubleshooting, but in this case live events are enabled at the Instant Access Point level. Currently, users can subscribe to Radio, VPN, and Spectrum events.

The IAP must be running Aruba InstantOS 8.5.0.0 or a later version to support this feature.

Live Events is not supported on single-node deployments.

Troubleshooting an IAP

Aruba Central allows you to troubleshoot issues related to an IAP in real time for detailed analysis. To troubleshoot an IAP at the device level, perform the following steps:
1. In the Network Operations app, select an IAP from the Device list. The dashboard context for the selected IAP is displayed.
2. Under Analyze, click Live Events. The Live Events page is displayed. The live monitoring session starts automatically.

The status of the troubleshooting is displayed every minute. The troubleshooting session runs for a duration of 15 minutes. You can stop live troubleshooting at any point by clicking Stop Troubleshooting to go back to the historical view. After the live troubleshooting session ends, the details of the events are displayed in the Live Events table.

Live Events Details

The following details are captured and displayed in the Live Events table:
- Occurred On--Displays the timestamp of the event. Use the filter option to filter the events by date or time.
- Category--Displays the category of the event. Use the filter option to filter the events by category.
- Description--Displays a description of the event. Use the filter option to filter the events based on description.

You can download the list of live events to a CSV file for offline analysis. To download live events, click the Download CSV icon on the Live Events table.
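The offline analysis mentioned above can be scripted once the CSV has been downloaded. The following is an added example, not part of this guide or of Aruba Central: it parses an export with the three columns the Live Events table shows (Occurred On, Category, Description), applies the same category, time-window and description filters the UI offers, and counts events per category. The sample rows, the timestamp format and the event descriptions are constructed for the example; a real export may format the timestamp differently, so adjust TIMESTAMP_FORMAT accordingly.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Event categories the guide says Live Events can subscribe to.
KNOWN_CATEGORIES = {"Radio", "VPN", "Spectrum"}

# Assumption: timestamp layout of the "Occurred On" column in the export.
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export (not a real Aruba Central download).
SAMPLE_CSV = """Occurred On,Category,Description
2022-02-08 10:01:15,Radio,Channel change on radio 0
2022-02-08 10:02:40,VPN,IPsec tunnel down
2022-02-08 10:03:05,Spectrum,Interference detected on channel 36
2022-02-08 10:04:50,VPN,IPsec tunnel up
2022-02-08 10:06:12,Radio,Client deauthenticated
"""


def parse_live_events(text):
    """Parse a Live Events CSV export into dicts with a real datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "occurred": datetime.strptime(row["Occurred On"], TIMESTAMP_FORMAT),
            "category": row["Category"],
            "description": row["Description"],
        })
    return events


def filter_events(events, categories=None, start=None, end=None, text=None):
    """Apply the UI's filters: category set, inclusive time window, description substring."""
    selected = []
    for event in events:
        if categories and event["category"] not in categories:
            continue
        if start and event["occurred"] < start:
            continue
        if end and event["occurred"] > end:
            continue
        if text and text.lower() not in event["description"].lower():
            continue
        selected.append(event)
    return selected


def count_by_category(events):
    """Per-category event counts, e.g. to spot a flapping VPN tunnel quickly."""
    return dict(Counter(event["category"] for event in events))


def unknown_categories(events):
    """Categories outside the Radio/VPN/Spectrum set the guide documents."""
    return {event["category"] for event in events} - KNOWN_CATEGORIES


if __name__ == "__main__":
    events = parse_live_events(SAMPLE_CSV)
    print(count_by_category(events))
    for event in filter_events(events, categories={"VPN"}):
        print(event["occurred"], event["description"])
```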
Chapter 10 Managing AOS-CX Switches

AOS-CX is a modern and fully programmable operating system built using a database-centric design, which ensures higher availability and dynamic software process changes for reduced downtime. In addition to robust hardware reliability, the AOS-CX operating system includes additional software elements not available with traditional systems, including:
- Automated visibility to help IT organizations scale
- Simplified programmability
- Faster resolution with network insights
- High availability
- Ease of roll-back to previous configurations

The AOS-CX operating system is a modular, database-centric operating system. Every aspect of the switch configuration and state information is modeled in the AOS-CX switch configuration and state database, including configuration information, status of all features, and network analytics. The AOS-CX operating system also includes a time series database, which acts as a built-in network record. The time series database makes the data seamlessly available to Aruba Network Analytics Engine agents that use rules that evaluate network conditions over time.

Aruba Central (on-premises) offers a cloud-based management platform for managing AOS-CX infrastructure. It simplifies switch management with flexible configuration options, monitoring dashboards, and troubleshooting tools.
- Getting Started with AOS-CX Deployments
- Provisioning Factory Default AOS-CX Switches
- Provisioning Pre-Configured AOS-CX Switches
- Using Configuration Templates for AOS-CX Switch Management
- Configuring AOS-CX Switches in UI Groups
- Configuration Workflow for AOS-CX Switches in UI Groups
- Caveats for Using AOS-CX Switches in Aruba Central (on-premises)
- Managing an AOS-CX VSF Stack

Getting Started with AOS-CX Deployments

Before you get started with your onboarding and provisioning operations, browse through the list of Supported AOS-CX Switch Platforms in Aruba Central (on-premises).

Provisioning Workflow

The following sections list the steps required for provisioning AOS-CX switches in Aruba Central (on-premises).

Provisioning a Factory Default AOS-CX Switch

Like most Aruba devices, AOS-CX switches support ZTP. Switches with factory default configuration have a very basic configuration with all ports in VLAN-1. You must manually add either the serial number, MAC address, or part number of the new factory default switch in Aruba Central (on-premises). When the switch identifies Aruba Central (on-premises) as its management entity, it connects to Aruba Central (on-premises).

To manage AOS-CX switches from Aruba Central (on-premises), you must onboard the switches to the device inventory and assign a valid subscription. For step-by-step instructions, see Provisioning Factory Default AOS-CX Switches.

Provisioning a Pre-configured or Locally-Managed AOS-CX Switch

Pre-configured switches have a customized configuration; for example, an additional VLAN or a static IP address configured on top of the default. The Aruba Central (on-premises) management service is enabled by default on AOS-CX switches. When the switch is powered on, it identifies Aruba Central (on-premises) as its management entity and connects to Aruba Central (on-premises).
To manage AOS-CX switches from Aruba Central (on-premises), you must onboard the switches to the device inventory and assign a valid subscription. For step-by-step instructions, see Provisioning Pre-Configured AOS-CX Switches.

Group Assignment

Aruba Central (on-premises) supports provisioning AOS-CX switches in template groups. Template groups allow you to configure devices using CLI-based configuration templates. The following figure illustrates the group assignment workflow in Aruba Central (on-premises):

Figure 33 Group Assignment-AOS-CX Switches

Moving AOS-CX Switches Between Groups

AOS-CX switches can also be moved between groups in Aruba Central (on-premises). When moving switches from an unprovisioned, template, or UI group to another UI group, the existing switch configuration can be retained by selecting the Retain CX-Switch Configuration check box on the Move Devices page. If the configuration on the device and the group differ, Aruba Central (on-premises) retains the device configuration as device overrides.

Consider the following points when selecting this check box:
- When moving the switches to the UI group, all supported UI group configurations except the following, if present at the group level for the destination group, are applied to the switches:
  - System Properties--Only the device administrator password, if configured in the group, is updated on the switch.
  - Authentication (MAC and 802.1X)
  - Spanning Tree (Loop Prevention)
  - HTTP Proxy
  - User-based tunneling
  - Logging servers
  - SNMP
  - Port interfaces
- If any group configuration has dependent configuration, then the dependent configuration will not be applied to the device. For example, any LAG configuration that is present at the group level (not at the device level) will be applied. However, the port configuration in a LAG will not be applied, as port configuration is a dependent configuration of LAGs.
- Device-level RADIUS and TACACS server configuration will be retained, if present, and any new group-level configuration will be applied. However, if any retained device configuration conflicts with group-level configuration, then the group-level configuration takes precedence, and the conflicting configuration will be replaced.

AOS-CX Switch Configuration

Aruba Central (on-premises) supports managing AOS-CX switch configuration using configuration templates and UI group configuration.

When an AOS-CX switch is connected to Aruba Central (on-premises) and managed using the Network Operations app, Aruba Central (on-premises) becomes the single source of configuration for the switch. In the Aruba Central (on-premises) Managed mode, the switch cannot be configured using any of the other switch configuration interfaces, such as the switch CLI, REST APIs, NBAPIs, and SNMP. You can use any configuration options available in Aruba Central (on-premises) to configure the AOS-CX switches in the Managed mode. You can use the MultiEdit mode on the UI to run commands on the switch through Aruba Central (on-premises). For information, see Using MultiEdit View for AOS-CX.

The Aruba Central (on-premises) Managed mode is applicable to AOS-CX switches running firmware version 10.07 or later, and to those switches that have been added to an Aruba Central (on-premises) group. This mode is not applicable to switches in the unprovisioned state.

Configuration Using Templates

Aruba Central (on-premises) supports managing AOS-CX switch configuration using configuration templates. Ensure that you assign the AOS-CX switches to a template group. When initially onboarding an AOS-CX switch to Aruba Central (on-premises), you must manually create the template for the switch in a group, along with the password in plaintext format. You can use the output of the show running-config command to create the template.
You can also add variables to use the same template for onboarding multiple AOS-CX switches. For more information on managing AOS-CX switches in Aruba Central (on-premises) using templates, see Using Configuration Templates for AOS-CX Switch Management.

Configuration Using UI Groups

Aruba Central (on-premises) supports managing AOS-CX switch configuration using UI groups. You can configure AOS-CX switches that are added to a UI group using the UI options and MultiEdit mode. You can pre-configure groups in the absence of switches. For more information on managing AOS-CX switches in Aruba Central (on-premises) using UI group configuration, see Configuring AOS-CX Switches in UI Groups.

AOS-CX Stack Configuration

Aruba Central (on-premises) supports managing AOS-CX switch stack configuration using UI group configuration and templates. For more information on managing AOS-CX switch stacks in Aruba Central (on-premises) using UI group configuration, see Configuring AOS-CX VSF Stacks Using UI Groups. For more information on managing AOS-CX switch stacks in Aruba Central (on-premises) using templates, see Using Configuration Templates for AOS-CX Switch Management.

AOS-CX Switch Monitoring

To view the operational status of switches and the health of the wired access network:
1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites. For all devices, set the filter to Global. Ensure that the filter selected contains at least one active switch. The dashboard context for the selected filter is displayed.
2. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
3. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.

For more information, see Monitoring Switches and Switch Stacks.

To view AOS-CX switches in the monitoring pages, you must create a template configuration for the switch with the password in plaintext.
See Using Configuration Templates for AOS-CX Switch Management.

Viewing VSX Details

Aruba Central (on-premises) displays information about the VSX configuration of AOS-CX switches. For more information, see Switch > VSX.

Viewing Topology Map

In Aruba Central (on-premises), the Topology tab in the site dashboard provides a graphical representation of the site, including the network layout, details of the devices deployed, and the health of the WAN uplinks and tunnels. Aruba Central (on-premises) supports displaying AOS-CX switches in the Topology tab. For more information, see Monitoring Sites in the Topology Tab.

To view AOS-CX switches in the topology map, you must create a template configuration for the switch with the password in plaintext. See Using Configuration Templates for AOS-CX Switch Management.

Troubleshooting and Diagnostics

If you are unable to view all details of the AOS-CX switch, the template configuration may not have been applied correctly, the password may have been missing from the template configuration, or the password may not have been in plaintext. Check the audit trail for the status of the switch. The audit trail should show the device onboarded message for the switch serial number, followed by the configuration push and login successful messages. For more information on troubleshooting AOS-CX switch onboarding issues, see Troubleshooting AOS-CX Switch Onboarding Issues.

Configuration Status

The Configuration Audit page under Network Operations > Device(s) > Switches in the Aruba Central (on-premises) UI displays errors in configuration sync, template configuration, and a list of configuration overrides. For more information, see Viewing Audit Trail.

The Configuration Status page under Network Operations > Device(s) > Switches in the Aruba Central (on-premises) UI displays errors in configuration sync, templates, and a list of configuration overrides. For more information, see Using Configuration Status on AOS-CX.
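The Troubleshooting and Diagnostics section above describes the audit-trail sequence a healthy onboarding produces: device onboarded, then configuration push, then login successful. The following is an added example, not part of this guide or of Aruba Central, that walks exported audit-trail records for one serial number, reports how far along that sequence the switch got, and maps the first missing step to the likely causes the guide lists (template not applied; password missing or not in plaintext). The record layout (timestamp, serial, message), the sample serial numbers and the message wording are constructed for the example; match them to your own export before use.

```python
# Expected audit-trail milestones for a successful AOS-CX onboarding, in order
# (wording taken from the guide; matched case-insensitively as substrings).
EXPECTED_SEQUENCE = ("device onboarded", "configuration push", "login successful")

# Likely cause for the first milestone that never appears, from the guide's
# troubleshooting paragraph and onboarding caveats.
HINTS = {
    "device onboarded": "switch has not connected; check it is in the device inventory "
                        "with a subscription and reaches Central by IP address",
    "configuration push": "template was not applied; check the switch is in a template "
                          "group and the template saved without errors",
    "login successful": "Central could not log in; check the admin password is present "
                        "in the template and configured in plaintext",
}

# Constructed sample records: (timestamp, serial, message). Not a real export.
SAMPLE_TRAIL = [
    ("2022-02-08 09:00:01", "SERIAL-EXAMPLE-001", "Device onboarded"),
    ("2022-02-08 09:00:20", "SERIAL-EXAMPLE-001", "Configuration push"),
    ("2022-02-08 09:00:25", "SERIAL-EXAMPLE-001", "Login successful"),
    ("2022-02-08 09:05:00", "SERIAL-EXAMPLE-002", "Device onboarded"),
    ("2022-02-08 09:05:30", "SERIAL-EXAMPLE-002", "Configuration push"),
    ("2022-02-08 09:10:00", "SERIAL-EXAMPLE-003", "Device onboarded"),
]


def onboarding_progress(trail, serial):
    """Return the prefix of EXPECTED_SEQUENCE reached by this serial, in order.

    Records are sorted by timestamp so that ordering, not mere presence, is
    checked: a 'login successful' before any 'configuration push' does not count.
    """
    reached = 0
    for _timestamp, record_serial, message in sorted(trail):
        if record_serial != serial or reached == len(EXPECTED_SEQUENCE):
            continue
        if EXPECTED_SEQUENCE[reached] in message.lower():
            reached += 1
    return EXPECTED_SEQUENCE[:reached]


def diagnose(trail, serial):
    """'ok' when all milestones appear in order, otherwise the first missing one and a hint."""
    done = onboarding_progress(trail, serial)
    if len(done) == len(EXPECTED_SEQUENCE):
        return "ok"
    missing = EXPECTED_SEQUENCE[len(done)]
    return f"stuck before '{missing}': {HINTS[missing]}"


if __name__ == "__main__":
    for serial in sorted({record[1] for record in SAMPLE_TRAIL}):
        print(serial, "->", diagnose(SAMPLE_TRAIL, serial))
```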
Troubleshooting Tools

To troubleshoot AOS-CX switches remotely, use the tools available under Network Operations > Analyze > Tools. For more information, see Using Troubleshooting Tools.

Actions Drop-down

You can also reboot the switch, connect to its remote console, or generate a tech support dump for troubleshooting the device by using the tools available under the Actions drop-down. The Actions drop-down is available in the switch monitoring pages. The Actions tab displays the various options available for remote administration of the switch. The following options are available:
- Reboot--Reboots the switch. See Rebooting Switches.
- Tech Support--Allows administrators to generate a tech support dump for troubleshooting the device. See Troubleshooting Aruba Switches.
- Console--Opens the remote console for a CLI session through SSH. Ensure that you allow SSH over port 443. The default user ID is admin, but you can edit and customize the user ID. This custom user ID must be mapped to the device. See Opening Remote Console for Switch.

For AOS-CX 8320 and 8325 switch series, you must enable the SSH server on the default VRF. Add the ssh server vrf default command to the template.

If the Copy and Paste keyboard shortcuts (CTRL+C and CTRL+V) do not work in your web browser, use the Copy and Paste functions available under the menu options in the web browser.

Caveats for Using AOS-CX Switches in Aruba Central (on-premises)

The following sections provide details on the caveats to be noted when onboarding, configuring, monitoring, and troubleshooting AOS-CX switches using Aruba Central (on-premises).

Monitor-only mode is not supported for AOS-CX switches in UI or template groups. You can add AOS-CX switches to UI or template groups to configure, monitor, and troubleshoot them.
Plaintext Password Override after Migrating from Version 2.5.3 to 2.5.4

After upgrading Aruba Central (on-premises) to version 2.5.4, for security reasons, any plaintext passwords previously configured directly or using variables in the AOS-CX switch template are hidden and displayed as asterisk (*) symbols. The plaintext passwords previously configured in the template, directly or using variables, will continue to work as expected; however, these passwords, displayed as asterisk (*) symbols, will not work if you copy them to a new template. You must re-enter the plaintext passwords in the new template for the template to work correctly.

Onboarding

The following limitations should be taken into consideration when onboarding AOS-CX switches in Aruba Central (on-premises):
- ZTP does not work on inline data ports for AOS-CX 8320 and 8325 switch series. The following is an example configuration for onboarding AOS-CX 8320 and 8325 switch series to Aruba Central (on-premises):

    interface 1/1/1
        no shutdown
        no routing
    interface vlan 1
        ip address <IP-ADDRESS/MASK>
    ip route 0.0.0.0/0 <IP-GATEWAY>
    ip dns server-address <DNS-SERVER>
    https-server vrf default
    ztp force-provision

- After the erase startup-config command is executed on AOS-CX switches, the switches do not onboard to Aruba Central (on-premises). It is recommended to execute the erase all zeroize command instead of the erase startup-config command.
- When an AOS-CX switch is first onboarded to Aruba Central (on-premises), Aruba Central (on-premises) must perform the following actions before it can perform operations such as rebooting the switch and upgrading the firmware:
  - Log in to the switch using the password provided in the template configuration
  - Apply the template to the switch
- Only DHCP-based ZTP is supported on Aruba Central (on-premises) for AOS-CX. Activate-based ZTP is not supported.
- An FQDN or hostname for the Aruba Central (on-premises) server is not supported.
You must provide only the IP address.
- The Aruba Central (on-premises) URI that is received as part of the DHCP option is not persistent across reboots. You must include the Aruba Central (on-premises) URI configuration when applying the template configuration to avoid connectivity issues after initial onboarding using the DHCP option.

Applying Template

The following limitations should be taken into consideration when applying the template to AOS-CX switches in Aruba Central (on-premises):
- You must configure the admin password in the template configuration only in plaintext. The format of the password configuration command must be user admin group administrators password plaintext <string>.
- If the template for AOS-CX switches contains % in the configuration, Aruba Central (on-premises) will not save the configuration. Although the % character is allowed in AOS-CX switches, for example in banners, it is not allowed in Aruba Central (on-premises). In Aruba Central (on-premises), the % character is reserved for variables.
- The maximum number of lines supported in the configuration template is 84000. Beyond this limit, Aruba Central (on-premises) will not apply the template to the AOS-CX switch.
- Onboarding an AOS-CX switch with 10.05 firmware to Aruba Central using the Import Configuration as Template option on the Add Template window fails to import the configuration and displays an error message. In this case, you must manually create the template for the switch using the output of the show running-config command. You can successfully import the configuration as a template for an AOS-CX switch with 10.05 firmware only when the switch is part of a template group and the config-sync status is in-sync. To import the configuration as a template when onboarding an AOS-CX switch without the error message, you must upgrade the switch to 10.06 firmware.
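The template rules spread across Configuration Using Templates, the Plaintext Password Override note and the Applying Template caveats above can be checked before a template is saved, which avoids discovering a rejected save or a failed login after onboarding. The following is an added example, not part of this guide or of Aruba Central: validate_template() flags a template that exceeds the 84000-line limit, contains a stray % character, lacks the admin password line, uses a form other than user admin group administrators password plaintext <string>, or carries an asterisk-masked password copied from a post-2.5.4 template; it also warns when no ssh server vrf default or ssh server vrf mgmt line is present, since the remote console needs one on the 8320 and 8325 series. render_template() shows the per-device variable substitution the guide mentions. The %name% token syntax, the sample templates and the variable names are assumptions for this example; only the limits and command formats come from the guide.

```python
import re

# Limits and command formats quoted from the guide's "Applying Template" caveats.
MAX_TEMPLATE_LINES = 84000
ADMIN_PASSWORD_RE = re.compile(
    r"^user admin group administrators password plaintext (\S+)$")
SSH_VRF_RE = re.compile(r"^ssh server vrf (default|mgmt)$")
# Assumption for this example: a variable reference is a name wrapped in % signs,
# e.g. %admin_pw%. The guide only states that % is reserved for variables.
VARIABLE_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def validate_template(text):
    """Pre-flight checks for an AOS-CX template before it is saved in Central.

    Returns (errors, warnings): errors are conditions the guide says make Central
    refuse or mis-apply the template; warnings concern the remote console feature.
    """
    errors, warnings = [], []
    lines = text.splitlines()
    if len(lines) > MAX_TEMPLATE_LINES:
        errors.append(f"{len(lines)} lines exceeds the {MAX_TEMPLATE_LINES}-line limit")

    admin_seen = False
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        # Any % left after removing well-formed %name% tokens is a stray %;
        # Central will not save such a template (e.g. a banner with "100%").
        if "%" in VARIABLE_RE.sub("", line):
            errors.append(f"line {lineno}: stray '%' (reserved for variables)")
        if line.startswith("user admin "):
            admin_seen = True
            match = ADMIN_PASSWORD_RE.match(line)
            if not match:
                errors.append(f"line {lineno}: admin password must use "
                              "'user admin group administrators password plaintext <string>'")
            elif set(match.group(1)) == {"*"}:
                # Masked value copied from a template displayed after the 2.5.3 -> 2.5.4 upgrade.
                errors.append(f"line {lineno}: password is masked with asterisks; re-enter it")
    if not admin_seen:
        errors.append("no 'user admin ...' line; Central needs this password to log in")
    if not any(SSH_VRF_RE.match(l.strip()) for l in lines):
        warnings.append("no 'ssh server vrf default|mgmt' line; remote console needs it on 8320/8325")
    return errors, warnings


def render_template(text, variables):
    """Substitute %name% tokens with per-device values; fail on undefined names."""
    missing = []

    def replace(match):
        name = match.group(1)
        if name not in variables:
            missing.append(name)
            return match.group(0)
        return str(variables[name])

    rendered = VARIABLE_RE.sub(replace, text)
    if missing:
        raise KeyError(f"undefined template variables: {sorted(set(missing))}")
    return rendered


# Constructed templates exercising the checks above (not from the guide).
GOOD_TEMPLATE = """hostname %hostname%
user admin group administrators password plaintext %admin_pw%
ssh server vrf default
interface 1/1/1
    no shutdown
"""

BAD_TEMPLATE = """banner motd 100% uptime
user admin group administrators password ciphertext EXAMPLE-CIPHERTEXT
"""

MASKED_TEMPLATE = "user admin group administrators password plaintext ********\n"

if __name__ == "__main__":
    for name, template in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE),
                           ("masked", MASKED_TEMPLATE)):
        print(name, validate_template(template))
    print(render_template(GOOD_TEMPLATE, {"hostname": "edge-01", "admin_pw": "example-only"}))
```

Run validate_template() on each template before uploading it, and keep the per-device variable values outside the template text so a single template serves every switch in the group.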
Configuring AOS-CX VSF Stack

The following are the VSF stacking limitations of AOS-CX switches in Aruba Central (on-premises). These limitations apply only when the switches are running AOS-CX 10.06 or earlier firmware versions.

Aruba Central (on-premises) supports only a few functions related to Aruba CX switch stacks, such as onboarding a stack to Aruba Central (on-premises) and replacing member switches that have the same model and part number, through template configuration. All other stacking-related functions, such as creating a stack, or deleting or adding a member, must be performed offline, that is, outside Aruba Central (on-premises). These stacking-related functions must be performed before or after onboarding the stack to Aruba Central (on-premises), depending on the function. For example, you must create a stack offline before onboarding the stack to Aruba Central (on-premises). For more information, see Managing an AOS-CX VSF Stack.

AOS-CX VSF Stack Related Functions Not Supported on Aruba Central (on-premises)

The following stack-related functions are not supported on Aruba Central (on-premises):
- Creating a new stack
- Adding a new member to an existing stack
- Deleting a member from the stack
- Replacing a member with a different part number
- Modifying the standby member ID
- Adding, deleting, and modifying VSF links

Using AOS-CX VSX

The following limitations apply when configuring VSX or viewing VSX data for AOS-CX switches in Aruba Central (on-premises):
- Enabling VSX synchronization using template configuration in Aruba Central (on-premises) is not recommended. By enabling VSX synchronization, the peer switch might get into an unknown configuration state.
- Last synced data is not displayed on the VSX page in Aruba Central (on-premises) if VSX synchronization is not enabled.
Managing Firmware Upgrade

- To upgrade an AOS-CX switch in Aruba Central (on-premises), a WAN connection with a minimum speed of 2 Mbps is required. The upgrade activity will time out after a period of 60 minutes.
- Uploading AOS-CX switch images to the Aruba Central (on-premises) server for firmware upgrade fails.

Troubleshooting

The following are the limitations while troubleshooting AOS-CX switches in Aruba Central (on-premises):
- For AOS-CX 8320 and 8325 switch series, to use the remote console feature, you must enable the SSH server on the VRF that the switch uses to connect to Aruba Central (on-premises). You must add one of the following commands to the template:
  - If the switch is connecting to Aruba Central (on-premises) using the inline default VRF, add ssh server vrf default to the template.
  - If the switch is connecting to Aruba Central (on-premises) using the OOBM management VRF, add ssh server vrf mgmt to the template.
- The Chassis Locate option, in the Analyze > Tools > Device Check tab, is not displayed for AOS-CX 8320 and 8325 switch series.
- When an AOS-CX switch is in the Aruba Central (on-premises) Managed mode, and device-generated automatic changes are detected while there are pending changes in Aruba Central (on-premises), Aruba Central (on-premises) discards the pending changes and absorbs the device changes. Device-generated changes can be any of the following physical modifications:
  - Adding or removing a VSF stack member
  - Adding or removing a line card in the chassis
  - Enabling VSX-sync when VSX-enabled devices are managed by Aruba Central
  To view details of the changes that were discarded by Aruba Central (on-premises), check the Audit Trail details.

Monitoring

In the monitoring pages in Aruba Central (on-premises), the IP address of connected wired clients on AOS-CX switches might not be displayed if the Client IP tracker is not enabled on the switch.
To enable the Client IP tracker, perform one of the following steps:
- Using Template--Add the client track ip command to the template at the device and VLAN level.
- Using MultiEdit mode--Add the client track ip command in the MultiEdit mode at the device and VLAN level.

For more information, see Switch > Clients > Clients. For more information on the client track ip command, see the IP Client Tracker chapter in the AOS-CX IP Routing Guide.

Provisioning Factory Default AOS-CX Switches

Switches that run the default configuration, either as shipped from the factory or after a factory reset, are referred to as factory default switches. This topic describes the steps for provisioning factory default switches in Aruba Central (on-premises).
- Step 1: Onboard the AOS-CX Switch to Aruba Central (on-premises)
- Step 2: Assign the AOS-CX Switch to a Group
- Step 3: Connect the AOS-CX Switch to Aruba Central (on-premises)
- Step 4: Provision the AOS-CX Switch to a Group
- Step 5: Verify the Configuration Status

Step 1: Onboard the AOS-CX Switch to Aruba Central (on-premises)

Log in to Aruba Central (on-premises) and onboard the switch.

Step 2: Assign the AOS-CX Switch to a Group

Before assigning a group, determine whether the switch must be provisioned in a UI or template group. By default, Aruba Central (on-premises) assigns factory default switches to the default group. You can create a new group and assign the switch to the new group. For more information on creating a group, see Creating a Group.

To assign a device to a group from the Account Home page:
1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Select the device that you want to assign to a group.
3. Click Assign Group. The Assign a Group to the Selected Devices window is displayed.
4. Select the group to which you want to assign the device.
5. Click Assign Device(s).

To assign a device to a group from the Network Operations app:
1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. From the list of devices, select the switches to assign.
5. Click the Move devices icon. The Move Devices page is displayed.
6. Select the Destination Group from the drop-down list.
7. Click Move. The selected devices are moved to the destination group. These devices will adopt the destination group configuration.

Step 3: Connect the AOS-CX Switch to Aruba Central (on-premises)

Switches with factory default configuration have a very basic configuration with all ports in VLAN-1, which is required for obtaining an IP address and automatic provisioning (ZTP). For ZTP, switches must have a valid IP address, DNS, and NTP configuration. You must manually add either the serial number, MAC address, or part number of the factory default switch in Aruba Central (on-premises).

Step 4: Provision the AOS-CX Switch to a Group

When the switch connects to Central, if it is already added to the device inventory and is assigned a subscription in Aruba Central (on-premises), Aruba Central (on-premises) assigns it to a pre-assigned group. If there is no pre-assigned group, Aruba Central (on-premises) moves the device to the default group. Based on your configuration requirements, you create a template group and assign the switch. The following figure illustrates the provisioning step required for each group type.

Figure 34 AOS-CX Switch Provisioning Steps Per Group Type

If the switch is assigned to a new UI group, you can modify the configuration of switches using the UI menu options under Network Operations app > Manage > Devices > Switches. For more information, see Configuring AOS-CX Switches in UI Groups.

Provisioning AOS-CX Switches in Template Groups

After assigning the switch to a template group, create a new configuration template.
To create a configuration template:

1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
4. Click the Templates tab. The Templates page is displayed.
5. Click + to add a new template. The Add Template window is displayed.
6. In the Basic Info tab, enter a name for the template in the Template Name field.
7. In the Device Type drop-down, select Aruba CX.
8. Select the switch model and software version. You can specify any of the following combinations:
   - ALL for both Model and Version: to apply the template to all switch models and all supported switch software versions.
   - ALL for Model and a software version for Version: to apply the template to all switch models running the selected software version.
   - ALL for Version and a switch model for Model: to apply the template to a switch model and all software versions supported by the selected switch model.
   - A switch model and a software version: to apply the template to a specific switch model and software version.
   The template created for a switch model and a software version takes precedence over the template created for all platforms and versions.
9. Select the manufacturing part number of the switch in the Part Number drop-down.
   - The Part Number drop-down is displayed only if you select a switch model in the Model drop-down.
   - If you select a specific switch model and part number, you can apply the template to a standalone switch only, not to a stack.
   - If you select All in the Model drop-down, or if you select a switch model and All in the Part Number drop-down, you can apply the template to both a standalone switch and a stack.
10. Click Next. The Template tab is displayed.
11. Build a new template by adding the output of show running-config from the switch CLI in the Template text box. Ensure that the template text adheres to the guidelines listed in Important Points to Note.
   - You must manually create the template for the AOS-CX switch in a group, including the password in plaintext format. You can use the output of the show running-config command to create the template. You can also add variables to use the same template for onboarding multiple AOS-CX switches. For more information on variables, see Managing Variable Files.
   - All switch templates must include a password command to set a password for the device. The template cannot be saved without a password command. If the configuration that is pushed from Aruba Central (on-premises) to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the pushed configuration will not contain the password command. For more information, see Managing Password in Configuration Templates.
   - For AOS-CX switches, you must configure the password only in plaintext, and the password command must have the format user admin group administrators password plaintext <string>.
12. Click Save.

After you apply the configuration template, switches reboot and reconnect to Aruba Central (on-premises) with the new configuration.

Step 5: Verify the Configuration Status

To verify the configuration status:

1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
   - To verify the configuration status for the template group, click Configuration Audit. The Configuration Audit dashboard displays the number of devices with template and configuration synchronization errors.
   - To view configuration errors for a specific device, select a switch from the filter bar. The Configuration Audit dashboard displays the number of template and configuration synchronization errors for the device.
4. To view template errors, click View Template Errors.
5. To view configuration synchronization errors, click View Details under Configuration Status.
6. To compare the running configuration and pending changes, click View under Config Comparison Tool.

Provisioning Pre-Configured AOS-CX Switches

Unlike factory default switches, locally managed switches and switches with a custom configuration require one-touch provisioning. On AOS-CX switches, Aruba Central (on-premises) is enabled by default as the management platform, and therefore the switches connect to Aruba Central (on-premises) automatically.

To onboard a locally managed or pre-configured AOS-CX switch to Aruba Central (on-premises), use one of the following options:

- Connect the AOS-CX switch directly to Aruba Central (on-premises). Aruba recommends this option if you want to preserve the configuration currently running on the switch. For more information on this procedure, see the workflows described in this topic. To manually connect the switch to Aruba Central (on-premises), you must configure the Aruba Central (on-premises) URL on the switch. Execute the following commands in the switch CLI:

    config terminal
    aruba-central <Aruba Central (on-premises) URL> vrf mgmt
    exit

  Aruba does not recommend manually provisioning the URL in a cloud deployment.
- Reset the switch configuration and use ZTP to provision the switch. You must first create a backup of the configuration, then reset the switch using the erase all zeroize command in the CLI.
  This initiates ZTP on the switch, enabling the switch to obtain the IP address from option 43 sent by the DHCP server and then connect to Aruba Central (on-premises).

Aruba Central (on-premises) supports provisioning AOS-CX switches using one of the following methods:

- Pre-provisioning: in this workflow, a switch is added to the device inventory and assigned a group in Aruba Central (on-premises) before it connects to Aruba Central (on-premises). See Workflow 1: Pre-Provisioning an AOS-CX Switch.
- Onboarding connected switches: in this workflow, Aruba Central (on-premises) onboards the switch that attempts to connect and then assigns a group. See Workflow 2: Provisioning an AOS-CX Switch On-Demand.

The following figure illustrates the provisioning procedure for a pre-configured switch.

Figure 35: Provisioning Workflow for Pre-Configured AOS-CX Switches

Workflow 1: Pre-Provisioning an AOS-CX Switch

The pre-provisioning workflow includes the following steps:

- Step 1: Onboard the AOS-CX Switch to Aruba Central (on-premises)
- Step 2: Assign the AOS-CX Switch to a Group
- Step 3: Provision the AOS-CX Switch to a Group
- Step 4: Verify the Configuration Status

Step 1: Onboard the AOS-CX Switch to Aruba Central (on-premises)

To onboard AOS-CX switches to the device inventory in Aruba Central (on-premises), complete the following steps:

- Add switches to Aruba Central
- Assign Subscriptions

Step 2: Assign the AOS-CX Switch to a Group

AOS-CX switches can be provisioned in a template group only. If you want to preserve the existing configuration on the switch, Aruba recommends that you create a new group for the switch. For more information on creating a group, see Creating a Group.

To assign a device to a group from the Account Home page:

1. In the Account Home page, under Global Settings, click Device Inventory. The Device Inventory page is displayed.
2. Select the device that you want to assign to a group.
3. Click Assign Group. The Assign a Group to the Selected Devices window is displayed.
4. Select the group to which you want to assign the device.
5. Click Assign Device(s).

To assign a device to a group from the Network Operations app:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. From the list of devices, select the switches to assign.
5. Click the Move devices icon. The Move Devices page is displayed.
6. Select the Destination Group from the drop-down list.
7. Click Move. The selected devices are moved to the destination group. These devices adopt the destination group configuration.

Step 3: Provision the AOS-CX Switch to a Group

When the switch connects to Aruba Central (on-premises), Aruba Central (on-premises) automatically assigns it to the pre-assigned group. The following figure illustrates the provisioning steps for each group type.

Figure 36: Switch Provisioning Steps Per Group Type

If the switch is assigned to a new UI group, you can modify the configuration of switches in the group using the UI menu options under the Network Operations app > Manage > Device(s) > Switches. For more information, see Configuring AOS-CX Switches in UI Groups.

You can also move switches to a UI group. When moving switches from an unprovisioned, template, or UI group to another UI group, the existing switch configuration can be retained by selecting the Retain CXSwitch Configuration check box on the Move Devices page. For more information, see Moving AOS-CX Switches Between Groups.

If you have assigned the switch to a template group, you can import the existing configuration into a new configuration template and apply this template to other devices in the group.
To create a configuration template using the existing configuration on the switch:

1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
4. Click the Templates tab. The Templates page is displayed.
5. Click + to add a new template. The Add Template window is displayed.
6. In the Basic Info tab, enter a name for the template in the Template Name field.
7. In the Device Type drop-down, select Aruba CX.
8. Select the switch model and software version. You can specify any of the following combinations:
   - ALL for both Model and Version: to apply the template to all switch models and all supported switch software versions.
   - ALL for Model and a software version for Version: to apply the template to all switch models running the selected software version.
   - ALL for Version and a switch model for Model: to apply the template to a switch model and all software versions supported by the selected switch model.
   - A switch model and a software version: to apply the template to a specific switch model and software version.
   The template created for a switch model and a software version takes precedence over the template created for all platforms and versions.
9. Select the manufacturing part number of the switch in the Part Number drop-down.
   - The Part Number drop-down is displayed only if you select a switch model in the Model drop-down.
   - If you select a specific switch model and part number, you can apply the template to a standalone switch only, not to a stack.
   - If you select All in the Model drop-down, or if you select a switch model and All in the Part Number drop-down, you can apply the template to both a standalone switch and a stack.
10. Click Next. The Template tab is displayed.
11. Build a new template by adding the output of show running-config from the switch CLI in the Template text box. Ensure that the template text adheres to the guidelines listed in Important Points to Note.
   - You must manually create the template for the AOS-CX switch in a group, including the password in plaintext format. You can use the output of the show running-config command to create the template. You can also add variables to use the same template for onboarding multiple AOS-CX switches. For more information on variables, see Managing Variable Files.
   - All switch templates must include a password command to set a password for the device. The template cannot be saved without a password command. If the configuration that is pushed from Aruba Central (on-premises) to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the pushed configuration will not contain the password command. For more information, see Managing Password in Configuration Templates.
   - For AOS-CX switches, you must configure the password only in plaintext, and the password command must have the format user admin group administrators password plaintext <string>.
   - For AOS-CX switches, the password configured in the template must match the password configured on the switch. Aruba Central (on-premises) cannot override the password that is configured on the switch.
12. Click Save.

After you apply the configuration template, switches reboot and reconnect to Aruba Central (on-premises) with the new configuration.

Step 4: Verify the Configuration Status

To verify the configuration status:

1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
   - To verify the configuration status for the template group, click Configuration Audit. The Configuration Audit dashboard displays the number of devices with template and configuration synchronization errors.
   - To view configuration errors for a specific device, select a switch from the filter bar. The Configuration Audit dashboard displays the number of template and configuration synchronization errors for the device.
4. To view template errors, click View Template Errors.
5. To view configuration synchronization errors, click View Details under Configuration Status.
6. To compare the running configuration and pending changes, click View under Config Comparison Tool.

Workflow 2: Provisioning an AOS-CX Switch On-Demand

To dynamically provision switches on demand, complete the following steps:

- Step 1: Add the AOS-CX Switch to Aruba Central (on-premises)
- Step 2: Assign a Subscription to the AOS-CX Switch
- Step 3: Provision the AOS-CX Switch to a Group
- Step 4: Verify the Configuration Status

Step 1: Add the AOS-CX Switch to Aruba Central (on-premises)

Add the switch to the Aruba Central (on-premises) device inventory. For more information, see Onboarding Devices.

Step 2: Assign a Subscription to the AOS-CX Switch

To allow Aruba Central (on-premises) to manage the switch, ensure that a valid subscription is assigned to the switch.

Step 3: Provision the AOS-CX Switch to a Group

If the switch has a valid subscription assigned, Aruba Central (on-premises) marks the switch as unprovisioned. To preserve the switch configuration, move it to a new template group.

To move the device to a UI group:

1. In the Network Operations app, set the filter to Global.
2. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
3. Click the Groups tile. The Groups page is displayed.
4. Select the device.
5. Click Import configuration.
Aruba Central (on-premises) imports the switch configuration into the new group. You can also modify the configuration of switches in a group using the UI menu options under the Network Operations app > Manage > Devices > Switches. For more information, see Configuring AOS-CX Switches in UI Groups.

To move the device to a template group:

1. Create a template group.
2. In the Network Operations app, set the filter to Global.
3. Under Maintain, click Organization. By default, the Network Structure tab is displayed.
4. Click the Groups tile. The Groups page is displayed.
5. Select the AOS-CX switch from a group.
6. Click the Move devices icon. The Move Devices page is displayed.
7. Select the Destination Group from the drop-down list.
8. Click Move. The selected devices are moved to the destination group. These devices adopt the destination group configuration.
9. To build a new configuration template:
   a. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
   b. Under Manage, click Devices > Switches.
   c. Click the Config icon. The tabs to configure switches using templates are displayed.
   d. Click the Templates tab. The Templates page is displayed.
   e. Click + to add a new template. The Add Template window is displayed.
   f. In the Basic Info tab, enter a name for the template in the Template Name field.
   g. In the Device Type drop-down, select Aruba CX.
   h. Select the switch model and the software version to which you want to apply the new template. You can specify any of the following combinations:
      - ALL for both Model and Version: to apply the template to all switch models and all supported switch software versions.
      - ALL for Model and a software version for Version: to apply the template to all switch models running the selected software version.
      - ALL for Version and a switch model for Model: to apply the template to a switch model and all software versions supported by the selected switch model.
      - A switch model and a software version: to apply the template to a specific switch model and software version.
      The template created for a switch model and a software version takes precedence over the template created for all platforms and versions.
   i. Select the manufacturing part number of the switch in the Part Number drop-down.
      - The Part Number drop-down is displayed only if you select a switch model in the Model drop-down.
      - If you select a specific switch model and part number, you can apply the template to a standalone switch only, not to a stack.
      - If you select All in the Model drop-down, or if you select a switch model and All in the Part Number drop-down, you can apply the template to both a standalone switch and a stack.
   j. Click Next. The Template tab is displayed.
   k. Build a new template by adding the output of show running-config from the switch CLI in the Template text box. Ensure that the template text adheres to the guidelines listed in Important Points to Note.
      - You must manually create the template for the AOS-CX switch in a group, including the password in plaintext format. You can use the output of the show running-config command to create the template. You can also add variables to use the same template for onboarding multiple AOS-CX switches. For more information on variables, see Managing Variable Files.
      - All switch templates must include a password command to set a password for the device. The template cannot be saved without a password command. If the configuration that is pushed from Aruba Central (on-premises) to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the pushed configuration will not contain the password command. For more information, see Managing Password in Configuration Templates.
      - For AOS-CX switches, you must configure the password only in plaintext, and the password command must have the format user admin group administrators password plaintext <string>.
      - For AOS-CX switches, the password configured in the template must match the password configured on the switch. Aruba Central (on-premises) cannot override the password that is configured on the switch.
   l. Click Save.

After you apply the configuration template, switches reboot and reconnect to Aruba Central (on-premises) with the new configuration.

Step 4: Verify the Configuration Status

To verify the configuration status:

1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
   - To verify the configuration status for the template group, click Configuration Audit. The Configuration Audit dashboard displays the number of devices with template and configuration synchronization errors.
   - To view configuration errors for a specific device, select a switch from the filter bar. The Configuration Audit dashboard displays the number of template and configuration synchronization errors for the device.
4. To view template errors, click View Template Errors.
5. To view configuration synchronization errors, click View Details under Configuration Status.
6. To compare the running configuration and pending changes, click View under Config Comparison Tool.
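The template rules repeated across the workflows above (the exact plaintext admin password command, a password command that must not end up only inside a condition block, '%' reserved for variables, case-sensitive commands, indentation copied from show running-config, and the vsf member 1 line for stackable switches) are easy to get wrong by hand, and a missing password command is only discovered after the push is aborted and logged in the audit trail. The following Python script is an added example, not code from this guide or from Aruba, that lints a template for those rules before it is pasted into the Template text box. Two details are assumptions rather than statements from the guide: that condition blocks are written with %if ...% and %endif% markers, and that show running-config output indents in multiples of four spaces. The sample templates at the bottom are constructed for the demonstration.

```python
"""Lint an AOS-CX configuration template before saving it in Aruba Central (on-premises).

Added example, not code from the guide or from Aruba. It encodes the rules this guide
states for templates: the exact plaintext admin password command must be present and
not only inside a condition block (otherwise the push is aborted and logged to the audit
trail), '%' is reserved for %variable% references, commands are case-sensitive,
indentation must match show running-config, and stackable switches need 'vsf member 1'.
Assumed, not from the guide: condition blocks use '%if ...%' / '%endif%' markers and
show running-config indents in multiples of four spaces.
"""
import re
from collections import defaultdict

PASSWORD_RE = re.compile(r"^user admin group administrators password plaintext \S+$")
IF_RE = re.compile(r"^%if\b.*%$")          # assumed conditional syntax
ENDIF_RE = re.compile(r"^%endif%$")
VAR_RE = re.compile(r"%[A-Za-z0-9_]+%")     # a legitimate %variable% reference


def validate_template(text, stackable=False):
    """Return (line_number, message) findings; line 0 is a whole-template finding."""
    findings = []
    password_lines = []        # (line_no, %if nesting depth) per password command
    casing = defaultdict(set)  # lower-cased token -> spellings actually used
    depth = 0
    has_vsf_member_1 = False

    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):
            continue  # blank lines and '!' separators carry no command
        lead = line[: len(line) - len(line.lstrip())]
        if "\t" in lead:
            findings.append((no, "tab used for indentation; copy the spaces from show running-config"))
        elif len(lead) % 4:
            findings.append((no, f"indentation of {len(lead)} spaces is not a multiple of 4"))
        if IF_RE.match(stripped):
            depth += 1
            continue
        if ENDIF_RE.match(stripped):
            depth = max(depth - 1, 0)
            continue
        without_vars = VAR_RE.sub("", stripped)
        if "%" in without_vars:
            findings.append((no, "stray '%' (reserved for template variables)"))
        if PASSWORD_RE.match(stripped):
            password_lines.append((no, depth))
        elif stripped.startswith("user admin") and "password" in stripped:
            findings.append((no, "admin password is not in the required 'password plaintext <string>' form"))
        if stripped == "vsf member 1":
            has_vsf_member_1 = True
        for token in without_vars.split():
            casing[token.lower()].add(token)

    if not password_lines:
        findings.append((0, "missing 'user admin group administrators password plaintext <string>'"))
    elif all(d > 0 for _, d in password_lines):
        findings.append((password_lines[0][0], "password command appears only inside a condition "
                         "block; the push is aborted if the condition evaluates to false"))
    if stackable and not has_vsf_member_1:
        findings.append((0, "'vsf member 1' missing; required for stackable switches running 10.07 or later"))
    for key, variants in sorted(casing.items()):
        if len(variants) > 1:
            findings.append((0, f"inconsistent case for '{key}': {sorted(variants)}"))
    return findings


# Constructed samples (not from the guide). SAMPLE_BAD deliberately mixes mGmt/MGMT,
# indents one line by 3 spaces, uses a stray '%', and conditions the password command.
SAMPLE_BAD = """\
ssh server vrf default
ssh server vrf mGmt
vlan 1
%if stack=yes%
user admin group administrators password plaintext %admin_pw%
%endif%
interface 1/1/1
   no shutdown
https-server vrf default
https-server vrf MGMT
hostname core%1
"""
SAMPLE_GOOD = """\
ssh server vrf mgmt
vsf member 1
    type jl660ab
vlan 1
user admin group administrators password plaintext %admin_pw%
https-server vrf mgmt
"""

if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        for line_no, message in validate_template(sample, stackable=True):
            print(f"{name} line {line_no}: {message}")
```

Run it against the text you intend to paste into the Template text box (set stackable=True for a stackable model, since the guide states that a stackable switch receiving a template without vsf member 1 is zeroized). The casing check compares every token case-insensitively, so free text such as interface descriptions can produce noise; treat its output as a review aid, not as a hard failure. Password values stay in %variable% references here so that the plaintext secret lives in the variable file rather than in the shared template.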
Using Configuration Templates for AOS-CX Switch Management

Templates in Aruba Central (on-premises) are sets of configuration commands that administrators can use for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple switches in a group and thus automate switch deployments.

- To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that device administrators familiarize themselves with the CLI configuration commands available on AOS-CX switches.
- The vsf member 1 line must be present in the configuration template for stackable AOS-CX switches running 10.07 or later versions. This is required to apply configuration to the switches. If a template that does not contain the vsf member 1 line is applied to the switch, the switch is zeroized.

Creating a Group for Template-Based Configuration

For template-based provisioning, switches must be assigned to a group with the template-based configuration method enabled. For more information, see Creating a Group and Assigning Devices to Groups.

The Import Configuration As Template feature is supported only on AOS-CX switches running firmware version 10.06 or later.

Creating a Configuration Template

To create a configuration template for switches:

1. In the Network Operations app, set the filter to a template group. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon. The tabs to configure switches using templates are displayed.
4. Click the Templates tab. The Templates page is displayed.
5. Click + to add a new template. The Add Template window is displayed.
6. In the Basic Info tab, enter a name for the template in the Template Name field.
7. In the Device Type drop-down, select Aruba CX.
8. Select the switch model and software version. You can specify any of the following combinations:
   - ALL for both Model and Version: to apply the template to all switch models and all supported switch software versions.
   - ALL for Model and a software version for Version: to apply the template to all switch models running the selected software version.
   - ALL for Version and a switch model for Model: to apply the template to a switch model and all software versions supported by the selected switch model.
   - A switch model and a software version: to apply the template to a specific switch model and software version.
   The template created for a switch model and a software version takes precedence over the template created for all platforms and versions.
9. Select the manufacturing part number of the switch in the Part Number drop-down.
   - The Part Number drop-down is displayed only if you select a switch model in the Model drop-down.
   - If you select a specific switch model and part number, you can apply the template to a standalone switch only, not to a stack.
   - If you select All in the Model drop-down, or if you select a switch model and All in the Part Number drop-down, you can apply the template to both a standalone switch and a stack.
10. Click Next. The Template tab is displayed.
11. Build a new template by adding the output of show running-config from the switch CLI in the Template text box. Ensure that the template text adheres to the guidelines listed in Important Points to Note.
   - You must manually create the template for the AOS-CX switch in a group, including the password in plaintext format. You can use the output of the show running-config command to create the template. You can also add variables to use the same template for onboarding multiple AOS-CX switches. For more information on variables, see Managing Variable Files.
   - All switch templates must include a password command to set a password for the device. The template cannot be saved without a password command. If the configuration that is pushed from Aruba Central (on-premises) to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the pushed configuration will not contain the password command. For more information, see Managing Password in Configuration Templates.
   - For AOS-CX switches, you must configure the password only in plaintext, and the password command must have the format user admin group administrators password plaintext <string>.
12. Click Save.

After you apply the configuration template, switches reboot and reconnect to Aruba Central (on-premises) with the new configuration.

Important Points to Note

Note the following points when adding configuration text to a template:

- The CLI syntax in the switch template must be accurate. Aruba recommends that you validate the configuration syntax on the switch before adding it to the template text.
- Ensure that the command text indentation matches the indentation in the running configuration.
- The commands in the template are case-sensitive and cannot contain the % character. In template-based configuration, the % character is reserved and is used to denote variables.
- The following example illustrates the case discrepancies that users must avoid in the template text (note the differing capitalization of mGmt, Mgmt, and MGMT):

    ssh server vrf default
    ssh server vrf mGmt
    vsf member 1
        type jl660ab
    vlan 1
    spanning-tree
    interface Mgmt
        no shutdown
        ip dhcp
    interface 1/1/1
        no shutdown
        no routing
        vlan access 1
    interface 1/1/2
        no shutdown
        no routing
        vlan access 1
    interface 1/1/3
        no shutdown
        no routing
        vlan access 1
    interface 1/1/4
        no shutdown
        no routing
        vlan access 1
    interface 1/1/5
        no shutdown
        no routing
        vlan access 1
    interface 1/1/6
        no shutdown
        no routing
        vlan access 1
    interface 1/1/7
        no shutdown
        no routing
        vlan access 1
    interface 1/1/8
        no shutdown
        no routing
        vlan access 1
    interface 1/1/9
        no shutdown
        no routing
        vlan access 1
    interface vlan 1
        ip dhcp
    !
    !
    !
    !
    !
    https-server vrf default
    https-server vrf MGMT

Configuring AOS-CX Switches in UI Groups

You can configure AOS-CX switches that are added to a UI group using the UI options and MultiEdit mode. You can pre-configure groups in the absence of switches.

You can configure the 4100i, 6100, 6200, 6300, 8320, 8325, and 8360 Switch Series using UI options, MultiEdit mode, and templates. You can configure the 6405, 6410, and 8400 Switch Series using templates only. To configure AOS-CX switches using templates, see Using Configuration Templates for AOS-CX Switch Management.

The UI options and MultiEdit mode are available only when the AOS-CX switches are added to a UI group. They are not available when the AOS-CX switches are added to a template group.

To configure or view the properties of AOS-CX switches that are added to UI groups, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a UI group in the filter:
     a. Set the filter to a UI group. The dashboard context for the UI group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the AOS-CX switch configuration dashboard.
   - To select a switch:
     a. Set the filter to Global or a UI group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.

   The following table describes the different configuration pages and their functions.

   Table 94: Configuring AOS-CX Switches Provisioned in UI Groups

   - Properties: Edit system property settings such as contact, location, time zone, and administrator password. You can also select the VRF to be used and add the DNS and NTP servers. See Configuring System Properties on AOS-CX.
   - HTTP Proxy: Configure to enhance security for device management. An IP address can be made a proxy for all HTTP connections. See Configuring HTTP Proxy on AOS-CX.
   - SNMP: Add, edit, or delete SNMP v2c communities, SNMP v3 users, and trap notifications for SNMP v2c and v3. See Configuring SNMP on AOS-CX.
   - Logging: Add, edit, or delete logging servers to view event logs from the AOS-CX switches. Configure the FQDN or IP address, log severity level, and the VRF to be used for each of the logging servers. Also configure the global debug log severity level. See Configuring Logging Servers for AOS-CX.
   - Administrator: Add, edit, or delete server groups to be used for authentication, authorization, and accounting. You must also configure the protocol required to connect to these server groups. See Configuring AAA for AOS-CX.
   - Source Interface: Add, modify, or delete the source interface configuration for Central and User-based tunneling interfaces for AOS-CX switches. See Configuring Source Interface for AOS-CX.
Stacking Create stack, add stack members, modify VSF link, change the secondary conductor, delete stack and delete stack members. See Configuring AOS-CX VSF Stacks Using UI Groups. Static Routing Add, edit, or delete static routes manually and configure destination IP addresses and next hop values, VRF, and the administrative distance. You can add different static routes for different VRFs on the switch. See Configuring Static Routing on AOS-CX. Ports & Link Aggregations View and edit port settings such as description, VLAN mode, speed duplex, routing, and the operational status of the port. Add, edit, or delete LAGs by combining different ports and configuring the speed duplex, VLAN mode, aggregation mode, and the operational status of the LAG. See Configuring Ports and LAGs on AOS-CX. Authentication Servers Add, edit, or view the RADIUS and TACACS servers for authentication. Add settings such as FQDN or IP address of the servers, authentication port number, response timeout, retry count, and the VRF to be used when communicating with the servers. See Configuring Authentication Servers on AOS-CX. Authentication View or edit details about 802.1X and MAC authentication methods. Configure the precedence order and other parameters such as reauthentication timeout, cached reauthentication timeout, and quiet period. See Configuring Authentication on AOS-CX. Access Control View or add access policies and rules to permit or deny passage of traffic. See Configuring Access Control on AOS-CX. User-Based Tunneling Enable to use GRE to tunnel ingress traffic on a switch interface to a gateway. For further processing, provide a centralized security policy using per-user authentication and access control to ensure consistent access and permissions. See Configuring User-Based Tunneling for AOS-CX. Client Roles Configure to allow administrators to assign network access to clients. The network admin can create configuration profiles (roles) and associate them to clients. 
See Configuring Client Roles for AOS-CX. VLANs Add, edit, delete, or view VLANs, and associated parameters such as type of IP assignment, operational status, IP address of the DHCP relay. See Configuring VLANs on AOS-CX. Aruba Central (on-premises) | User Guide 414 Feature Loop Prevention Description Enable or disable loop protection and spanning tree protocol, and associated parameters such as the mode and priority. Enable or disable various MSTP moderelated settings such as BPDU filter, BPDU protection, admin edge, and root guard. See Configuring Loop Prevention on AOS-CX. 2. To enable MultiEdit mode, move the MultiEdit toggle switch to the on position. The Device-Level Configuration page is displayed with the list of devices displayed in the Devices table. At the device level, the Devices table lists only the switch that you have selected. Also, a pop-up is displayed on the bottom-right corner of the page with the options View Config, Edit Config, and Express Config. Search for a switch by entering a search query in the Contextual Search Engine field. For more information about search queries, see Using Device Search on AOS-CX. The following table describes the options available in the MultiEdit mode of configuring AOS-CX switches. Table 95: Configuring AOS-CX Switches Provisioned in UI Groups using the MultiEdit Mode Feature Description MultiEdit View and edit configuration on the AOS-CX switches using the CLI syntax. You can also apply predefined set of configuration settings such as NAE to the switches. See Using MultiEdit View for AOS-CX. View Config View configuration of AOS-CX switches and find differences in the configuration across switches. See Viewing Configuration Using MultiEdit on AOS-CX. Edit Config Edit configuration for one or more AOS-CX switches in the MultiEdit mode. Edit the entire configuration in a familiar looking CLI with syntax checking, colorization, and command completion. See Editing Configuration Using MultiEdit on AOS-CX. 
Express Config Apply predefined set of configuration settings such as NAE scripts and device profile to a single or multiple switches. See Express Configuration Using MultiEdit on AOS-CX. Device Search Search for AOS-CX switches in the Devices table, in the MultiEdit mode, using search queries such as device attributes, wildcard characters, Boolean operators, and by grouping characters. See Using Device Search on AOS-CX. 3. To view configuration status, pending changes, and local overrides on the switches, click Configuration Status. This page allows you to commit the pending changes in a configuration. At the device level, this page allows you to change the auto-commit state of the switch. For more information, see Using Configuration Status on AOS-CX. Managing AOS-CX Switches | 415 Multiple Browser Tab Support You can open multiple browser tab sessions of the same Aruba Central (on-premises) instance with different switch group or device pages opened simultaneously. For example, you can open the group configuration of a switch in one browser tab and the device-level configuration of a switch in another browser tab. Aruba Central (on-premises) stores the data from the different browser tabs separately. However, if you edit the configuration of one AOS-CX switch in the MultiEdit mode in two different browser tab sessions, and try to save the configuration one after the other, the following events occur: 1. The configuration that you save first in the editor in any of the two browser tabs is saved on the switch. 2. When you try to save the configuration in the editor in the other browser tab, Aruba Central (onpremises) displays a warning that the configuration has been changed outside the current editor. 3. If you ignore the warning and continue to save the configuration, Aruba Central (on-premises) overwrites the changes saved earlier with the current changes. 
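The lost-update sequence described above, replayed as an added Python example that is not part of Aruba Central (on-premises) or this guide: a config store keeps a version tag derived from the stored text, each editor tab remembers the version it loaded, and a save whose expected version no longer matches the store is refused with the warning unless it is forced. The class and function names and the starting configuration are assumptions for illustration; how the product detects the conflict internally is not documented here.

```python
import hashlib


class ConfigStore:
    """The saved MultiEdit configuration of one switch plus a version tag.

    The version is a digest of the stored text, so every successful save
    changes it and a stale editor can be detected without a counter.
    """

    def __init__(self, text):
        self.text = text
        self.version = self.digest(text)

    @staticmethod
    def digest(text):
        return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]

    def open_editor(self):
        """A browser tab opens the editor and remembers the version it loaded."""
        return EditorTab(self, self.text, self.version)

    def save(self, new_text, expected_version, force=False):
        """Compare-and-swap save. Returns (saved, warning)."""
        if expected_version != self.version and not force:
            return False, "configuration has been changed outside the current editor"
        self.text = new_text
        self.version = self.digest(new_text)
        return True, None


class EditorTab:
    """One browser tab's editor buffer and the version it was opened against."""

    def __init__(self, store, text, base_version):
        self.store = store
        self.text = text
        self.base_version = base_version

    def save(self, force=False):
        saved, warning = self.store.save(self.text, self.base_version, force)
        if saved:
            self.base_version = self.store.version
        return saved, warning


def simulate_two_tabs():
    """Replay the two-tab scenario; returns the three save results and the final text."""
    # Constructed starting configuration, not captured from a real switch.
    base = "vlan 1\ninterface 1/1/1\n    no shutdown\n    vlan access 1\n"
    store = ConfigStore(base)
    tab_a = store.open_editor()
    tab_b = store.open_editor()
    tab_a.text = base + "interface 1/1/2\n    no shutdown\n    vlan access 1\n"
    tab_b.text = base + "ntp server 192.0.2.10\n"
    first = tab_a.save()             # saved: the store still matches tab A's base
    second = tab_b.save()            # refused: tab B's base is now stale
    forced = tab_b.save(force=True)  # warning ignored; tab A's interface is lost
    return first, second, forced, store.text
```

The forced save keeps only what tab B had in its buffer, which is why the warning matters: reload the editor and reapply the change on top of the current configuration instead of forcing the save.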
Configuration Workflow for AOS-CX Switches in UI Groups

The following workflow explains the process to configure AOS-CX switches using UI options.

Figure 37 UI Configuration Workflow for AOS-CX Switches

Workflow Steps

1. Provision an AOS-CX switch to a UI group in Aruba Central (on-premises). See Getting Started with AOS-CX Deployments. When you add AOS-CX switches to a UI group, you can configure them using the following options:
   - Various UI options
   - MultiEdit mode
2. Configure the switch using the configuration options available on the UI. You can add, edit, or delete configurations using the UI options. See Configuring AOS-CX Switches in UI Groups.
3. Configure the switch in the MultiEdit mode. The MultiEdit mode offers CLI syntax-based configuration for AOS-CX switches. You can view or edit the running configuration on the switch or apply an express configuration. See Using MultiEdit View for AOS-CX.
   - Edit Config--Edit the switch configuration using the CLI syntax. After you edit the configuration, you can view the difference between the running configuration and the edited configuration in the same window. See Editing Configuration Using MultiEdit on AOS-CX.
   - Express Config--Apply a predefined set of configuration settings (device profile and NAE configurations) to switches. See Express Configuration Using MultiEdit on AOS-CX.
   - View Config--View the running configuration on the switch. Changes made on the UI options, Edit Config, or Express Config pages appear on this page only if the Auto-Commit state is on or if the changes are committed manually. See Viewing Configuration Using MultiEdit on AOS-CX.
4. Depending on the Auto-Commit state of the switch, you can either view the configuration changes immediately or commit the changes first and then view them:
   - If the Auto-Commit state is on, Aruba Central (on-premises) applies the configuration changes to the switch immediately. You can view the configuration on the View Config page in the MultiEdit mode.
   - If the Auto-Commit state is off, you must manually commit the changes to the switch and then view the configuration. See Using Configuration Status on AOS-CX.
5. When the Auto-Commit state is off, check the Configuration Status page for pending changes to be applied to the switch. Commit any pending configuration changes to the switch and view the updated configuration.

Managing Configuration Overrides

Aruba Central (on-premises) supports two levels of configuration hierarchy:

- Group-level--When you add a switch to a group, or move a switch from one group to another, the switch inherits the configuration of the group. Any configuration changes made at the group level are applied to the devices in the group. You can also pre-configure groups before adding switches. Only configurations that are supported at the group level are applied to the devices; configurations that are supported only at the device level are preserved.
- Device-level--Any modifications made at the device level override the configurations inherited from the group. Local overrides are the modifications that you make on a particular device in a group. Once a local override exists on a device, configuration changes performed at the group level are no longer applied to or inherited by that device. Configuration overrides apply only to parameters that are present at both the group and device levels.

Managing Passwords for Groups and Devices using UI groups

In Aruba Central (on-premises), you can set a password for a UI group when creating the group. This group password is used to onboard AOS-CX switches to the group, and it must match the device password for the device to be onboarded to the group successfully. For more information, see Groups.

You can use the Properties page to change the administrator password for groups and devices. If you set a different password at the device level, the device can no longer be managed at the group level. For more information, see Configuring System Properties on AOS-CX.

If you upgrade Aruba Central (on-premises) from an earlier version to the latest version, the administrator password is considered blank. Aruba Central (on-premises) prompts you to specify an administrator password for the devices in the group, and you cannot make any configuration update until a new password is set.

Configuring System Properties on AOS-CX

From the Properties page, you can view or configure system property settings such as contact, location, time zone, administrator username, and administrator password for AOS-CX switches. In addition, you can select the management VRF or the default VRF, and configure DNS and NTP servers for the selected VRF.

To edit system properties, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. Click System > Properties. The Edit Properties page is displayed.
3. Edit the following properties:

   Table 96: Switches Properties
   - Name -- Name of the switch. This field is available only at the device level. Value: up to 32 characters including letters, numbers, and special characters, except question mark (?) and double quotes (").
   - Contact -- Contact details for the switch: a name, email address, or phone number. Value: up to 128 characters including letters, numbers, and special characters, except question mark (?) and double quotes (").
   - Location -- Location of the switch, for example Portland, Oregon. Value: up to 128 characters including letters, numbers, and special characters, except question mark (?) and double quotes (").
   - Timezone -- The time zone corresponding to the location of the switch. Value: a time zone selected from the drop-down.
   - VRF -- The VRF to be used for communicating with DNS and NTP servers. NOTE: If you change the VRF setting, the existing DNS and NTP server settings are removed. Value: Default or Management (OOBM). NOTE: Management VRF is not supported on the AOS-CX 4100i and 6100 switch series.
   - DNS servers -- The IP addresses of the DNS servers for the selected VRF. Click + to add another DNS server. You can add up to three servers. Value: IPv4 or IPv6 address.
   - NTP servers -- The IP addresses of the NTP servers for the selected VRF. Click + to add another NTP server. You can add up to three servers. Value: IPv4 or IPv6 address.
   - Administrator password -- The password for the administrator username. NOTE: To manage devices in the group, the password must be the same at the group and device levels. Value: up to 32 characters including letters, numbers, and special characters, except question mark (?) and double quotes (").

4. Click Save.

Configuring HTTP Proxy on AOS-CX

An HTTP proxy enhances security for device management: one IP address acts as the proxy for all HTTP connections from the switch. If your network requires a proxy server for Internet access, configure the HTTP proxy on the AOS-CX switch so that it can download the image from the cloud server.
After you set up the HTTP proxy, the AOS-CX switch connects to Aruba Central (on-premises) or the OpenDNS server through a secure HTTP connection.

To configure the HTTP proxy on the AOS-CX switch, complete the following steps:

1. In the Network Operations app, select the group in the filter:
   a. Set the filter to a group. The dashboard context for the group is displayed.
   b. Under Manage, click Devices > Switches.
   c. Click the AOS-CX or Config icon to view the AOS-CX switch configuration dashboard.
2. Click System > HTTP Proxy. The Edit HTTP Proxy page is displayed with the following parameters:

   Table 97: HTTP Proxy parameters
   - FQDN or IP address -- FQDN or IPv4 address of the HTTP proxy. Value: IPv4 address in the x.x.x.x format or FQDN of the proxy.
   - Port -- Port number on which the proxy accepts connections. Value: the default is 80.
   - VRF -- VRF through which the proxy is reached. Value: Default or Management.
3. To save the changes, click SAVE.

Configuring SNMP on AOS-CX

Simple Network Management Protocol (SNMP) is a TCP/IP standard protocol for managing devices on IP networks. It is used mostly in network management systems to monitor network-attached devices for events that require administrative attention. From the SNMP page, you can perform the following actions:

- Enable or disable SNMP on the switch
- Select the VRF on which you want to configure SNMP
- Configure SNMP version v2c or v3
- Configure communities and traps

For more information, see the following topics:

- Configuring SNMPv2c on AOS-CX
- Configuring SNMPv3 on AOS-CX

Configuring SNMPv2c on AOS-CX

You can configure SNMPv2c community settings and trap destinations through the UI. To configure SNMPv2c on a switch, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. Click System > SNMP. The SNMP page is displayed.
3. Enable SNMP on the switch by moving the SNMP toggle to the on position.
4. Select the VRF on which you want to configure SNMP by selecting one or both of the following check boxes under Enable SNMP on the selected VRF:
   - Default VRF
   - Management VRF

   Management VRF is not supported on the AOS-CX 4100i and 6100 switch series.
5. Select v2c from the SNMP drop-down. The Read Community and Trap Destination tables are displayed.

Adding an SNMP Community

You can add SNMP communities to restrict access to the switch from the SNMP management stations. The default community name is public. The community string is the only credential an SNMPv2c management station presents, so replace the default rather than leaving it in place. To add an SNMP community, complete the following steps:

1. In the Read Community table, click the + add icon. A new row is added to the table.
2. Type the name of the community in the new row. You can enter up to 32 characters including letters, numbers, and special characters.
3. Click Save.

Editing an SNMP community

To edit an SNMP community, point to the row for the SNMP community and click the edit icon. You can edit an SNMP community name only before it is saved to Aruba Central (on-premises). Once the SNMP community is saved, it cannot be edited.

Deleting an SNMP Community

To delete an SNMP community, point to the row for the SNMP community and click the delete icon. If you delete an SNMP community, the trap destinations that belong to the community are also deleted.

Adding a Trap Destination

You can add trap destinations to send notifications to SNMP management stations. While adding a trap destination, you cannot change the SNMP toggle switch or the Enable SNMP on the selected VRF options. To add a trap destination, complete the following steps:

1. In the Trap Destination table, click the + add icon. A new row is added to the table.
2. Configure the following parameters:
   - IP Address--Enter a valid IPv4 or IPv6 address of the SNMP host.
   - VRF--Select one of the VRFs available on the switch from the drop-down.
   - Community--Select the name of the community from the drop-down.
3. Click Save.

Editing a Trap Destination

To edit a trap destination, point to the row for the trap destination and click the edit icon. You can edit only the community name.

Deleting a Trap Destination

To delete a trap destination, point to the row for the trap destination and click the delete icon.

Configuring SNMPv3 on AOS-CX

SNMPv3 provides secured access for SNMP management stations using authentication and privacy protocols. You can add SNMPv3 users and configure notification settings using UI groups. To configure SNMPv3 on a switch, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click a switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The tabs to configure the switch are displayed.
2. Click System > SNMP. The SNMP page is displayed.
3. Enable the SNMP service on the switch by moving the SNMP toggle to the on position.
4. Select the VRF on which you want to configure SNMP by selecting one or both of the following check boxes under Enable SNMP on the selected VRF:
   - Default VRF
   - Management VRF

   Management VRF is not supported on the AOS-CX 4100i and 6100 switch series.
5. Select v3 from the SNMP drop-down. The User and Trap Destination tables are displayed.

Adding an SNMPv3 User

You can add SNMPv3 users to provide secured access for SNMP management stations. To add an SNMPv3 user, complete the following steps:

1. In the Users table, click the + add icon. A new row is added to the table.
2. Configure the following parameters:
   - Name--Enter the name of the SNMPv3 user.
   - Authentication Mode--Select either md5 (Message Digest) or sha (Secure Hash Algorithm) as the authentication mode for the user. After selecting the authentication mode, enter the authentication password. The password must be 8 to 32 characters long and can contain letters, numbers, and special characters.
   - Privacy Mode--Select aes (Advanced Encryption Standard) or des (Data Encryption Standard) as the privacy mode for the user. After selecting the privacy mode, enter the privacy password. The password must be 8 to 32 characters long and can contain letters, numbers, and special characters.

   md5 and des are offered for compatibility with older management stations; both are deprecated, so select sha and aes for new users unless the management station cannot support them.
3. Click Save.

Editing an SNMPv3 User

To edit an SNMPv3 user, point to the row for the user and click the edit icon. You can edit an SNMPv3 user only before the user is saved to Aruba Central (on-premises). Once the user is saved to Aruba Central (on-premises), it cannot be edited.
Deleting an SNMPv3 User

To delete an SNMPv3 user, point to the row for the user and click the delete icon. If you delete the user, the trap destinations to which the user is assigned are also deleted.

Adding a Trap Destination

You can add trap destinations to send notifications to SNMP management stations. While adding a trap destination, you cannot change the SNMP toggle switch or the Enable SNMP on the selected VRF options. To add a trap destination, complete the following steps:

1. In the Trap Destination table, click the + add icon. A new row is added to the table.
2. Configure the following parameters:
   - IP Address--Enter a valid IPv4 or IPv6 address of the SNMP host.
   - VRF--Select one of the VRFs available on the switch from the drop-down.
   - Name--Select the user to whom the notifications should be sent.
3. Click Save.

Editing a Trap Destination

To edit a trap destination, point to the row for the trap destination and click the edit icon. You can edit only the user name.

Deleting a Trap Destination

To delete a trap destination, point to the row for the trap destination and click the delete icon.

Configuring Logging Servers for AOS-CX

Logging allows you to add syslog servers to which the event log messages of the AOS-CX switches are sent. For each syslog server you add, you can configure the severity of the event logs to be sent to that server. You can also configure the severity level for debug logs at the global level. However, you must add at least one syslog server before you can configure the global severity level. To configure logging servers, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the AOS-CX switch configuration dashboard.
   - To select a switch:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. Click System > Logging. The Logging page is displayed.
3. Select the global debug syslog severity level from the Level drop-down. This severity level applies to the debug logs sent to the syslog servers. You must add at least one event syslog server before configuring the global severity level.
4. In the Logging Servers table, click the + add icon to add a logging server and configure the following parameters on the Add Logging Server page:

   Table 98: Logging Server Parameters
   - FQDN or IP address -- FQDN hostname or IP address of the logging server. Value: IPv4 address in the x.x.x.x format or hostname of the server.
   - Level -- Severity level of the events that the logging server must log. Value: one of Emergency, Critical, Alert, Error, Warning, Notice, Information, or Debug.
   - VRF -- VRF through which the logging server is reached. Value: Default or Management. NOTE: Management VRF is not supported on the AOS-CX 4100i and 6100 switch series.
5. Click Apply and then click Save.
6. To edit the parameters of a logging server, select the row in the Logging Servers table and click the edit icon. The Edit Logging Server page is displayed. You can edit only the event log severity level and the VRF.
7. Click Apply and then click Save.
8. To delete a syslog server, select the row in the Logging Servers table and click the delete icon.
9. Click OK in the confirmation pop-up and then click Save.
Configuring AAA for AOS-CX

Authentication, Authorization, and Accounting (AAA) is a security framework to authenticate users, authorize the type of access based on user credentials, and record authentication events together with information about network access and network resource consumption. From the Administrator page, you can configure the following AAA properties:

- Authentication using TACACS, RADIUS, and local server groups.
- Authorization using TACACS and local server groups.
- Accounting using TACACS, RADIUS, and local server groups.

To configure AAA properties for AOS-CX switches, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. Click System > Administrator. The Administrator page is displayed with the Authentication, Authorization, and Accounting tables.
3. Configure Authentication, Authorization, and Accounting from the respective tables.
   - To configure Authentication, click + in the Authentication table and configure the following parameters.

     Table 99: Authentication Parameters
     - Protocol -- The access method for which the server groups are used for authentication. You can add one or more protocols by clicking + in the Authentication table. Value: Console, Default, HTTPS Server, and SSH.
     - Server Groups -- The list of server groups to be used for authentication. You can select one server group at a time; to add the next server group, click + either in the protocol row or in any of the server group rows. The server groups are tried in top-down order. You can rearrange the order by dragging a server group to a different position using the drag-and-drop icon. Value: TACACS, RADIUS, and Local.

   - To configure Authorization, click + in the Authorization table and configure the following parameters.

     Table 100: Authorization parameters
     - Protocol -- The access method for which the server groups are used for authorization. You can add one or more protocols by clicking + in the Authorization table. Value: Console, Default, and SSH.
     - Server Groups -- The list of server groups to be used for authorization. You can select one server group at a time; to add the next server group, click + either in the protocol row or in any of the server group rows. The server groups are tried in top-down order. You can rearrange the order by dragging a server group to a different position using the drag-and-drop icon. Value: TACACS, Local, and None.

   - To configure Accounting, click + in the Accounting table and configure the following parameters.

     Table 101: Accounting Parameters
     - Protocol -- The access method for which the server groups are used for accounting. You can add one or more protocols by clicking + in the Accounting table. Value: Console, Default, HTTPS Server, and SSH.
     - Server Groups -- The list of server groups to be used for accounting. You can select one server group at a time; to add the next server group, click + either in the protocol row or in any of the server group rows. The server groups are tried in top-down order. You can rearrange the order by dragging a server group to a different position using the drag-and-drop icon. Value: TACACS, RADIUS, and Local.

   Because the server groups are tried in order, keep Local as the last entry in the authentication list for at least the Console protocol so that you can still log in when the TACACS or RADIUS servers are unreachable.
4. Click Save.
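A configuration-text linter, added here as an example and not part of Aruba Central (on-premises) or this guide, that checks three things discussed in this chapter: VRF names in template text that differ only by case (the mGmt/MGMT example under template management), SNMP settings a reviewer would flag (the default v2c community, and SNMPv3 users on MD5 or DES), and AAA orderings that can lock an administrator out (an authentication list with no Local fallback, or authorization set to None). The sample configuration is constructed; its snmp-server, snmpv3 user, and aaa lines are written in assumed AOS-CX CLI syntax and should be checked against the CLI reference for your firmware before the regular expressions are trusted on real output.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not captured from a real switch). The VRF
# lines reproduce the case-discrepancy example from this chapter; the
# snmp-server, snmpv3 user and aaa lines use assumed AOS-CX CLI syntax.
SAMPLE_CONFIG = """\
ssh server vrf default
ssh server vrf mGmt
https-server vrf default
https-server vrf MGMT
snmp-server vrf default
snmp-server community public
snmpv3 user netops auth md5 auth-pass plaintext Secret!Pass1 priv des priv-pass plaintext Secret!Pass2
snmpv3 user auditor auth sha auth-pass plaintext Secret!Pass3 priv aes priv-pass plaintext Secret!Pass4
aaa authentication login ssh group tacacs
aaa authentication login console group tacacs local
aaa authorization commands ssh none
aaa authorization commands console group tacacs local
"""


def vrf_case_discrepancies(config):
    """Map each VRF name (lowercased) to the distinct spellings seen in the text.

    Only names with more than one spelling are returned; a template that
    writes mGmt on one line and MGMT on another will not match the switch's
    running configuration, which is what the chapter warns against.
    """
    spellings = defaultdict(set)
    for match in re.finditer(r"\bvrf\s+(\S+)", config):
        name = match.group(1)
        spellings[name.lower()].add(name)
    return {key: sorted(names) for key, names in spellings.items() if len(names) > 1}


def weak_snmp(config):
    """Flag the default v2c community and SNMPv3 users on MD5 or DES."""
    findings = []
    for line in config.splitlines():
        if re.match(r"snmp-server community public\b", line):
            findings.append("SNMPv2c default community 'public' is configured")
        match = re.match(r"snmpv3 user (\S+) auth (\w+) .*?priv (\w+)", line)
        if match:
            user, auth, priv = match.groups()
            if auth.lower() == "md5":
                findings.append(f"SNMPv3 user {user}: MD5 authentication")
            if priv.lower() == "des":
                findings.append(f"SNMPv3 user {user}: DES privacy")
    return findings


def aaa_lockout_risks(config):
    """Flag login lists with no local fallback and authorization set to none."""
    findings = []
    for line in config.splitlines():
        match = re.match(r"aaa authentication login (\S+) (.*)", line)
        if match and "local" not in match.group(2).split():
            findings.append(f"authentication for {match.group(1)} has no local fallback")
        match = re.match(r"aaa authorization commands (\S+) (.*)", line)
        if match and "none" in match.group(2).split():
            findings.append(f"authorization for {match.group(1)} is 'none'")
    return findings


def lint(config):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "vrf_case": vrf_case_discrepancies(config),
        "snmp": weak_snmp(config),
        "aaa": aaa_lockout_risks(config),
    }


if __name__ == "__main__":
    for check, result in lint(SAMPLE_CONFIG).items():
        print(check, result)
```

Run it against text copied from the MultiEdit View Config page or a template before committing; an empty result for every check is the expected outcome for a clean configuration.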
Deleting AAA properties To delete Authentication, Authorization, or Accounting, point to the row for the AAA property in the respective tables, and click the delete icon. Configuring Source Interface for AOS-CX Source interface allows you to configure a single source interface for a service so that all traffic routed through the switch is sent with the same IP address. The IP address is configured on the ports, LAGs, or VLANs at the device level. Managing AOS-CX Switches | 427 You can add, modify, or delete source interface configuration in Aruba Central (on-premises). At the group level, Aruba Central (on-premises) allows you to configure only the port or LAG information for the interface. However, at the device level, you can also configure VLANs and IP address for the interface. Aruba Central (on-premises) supports only Central and User-based tunneling source interfaces in the UI. However, in the MultiEdit mode, you can configure source interfaces for other protocols such as, DNS, NTP, and PTP. The source interfaces that you add in the MultiEdit mode (other than Central and User-based tunneling) will not appear in the Source Interface page at the device level. When you downgrade a switch from AOS-CX 10.07.0020 (with Central as source interface) to an earlier firmware version where source interface is not supported, Aruba Central does not allow the configuration to sync and displays a configuration conflict. In such instances, you must delete the conflicting source interface configuration for Aruba Central to sync the configuration. 
Table 102: Supported AOS-CX Switch Series Switch Platform Supported Source Interfaces 10.05, 10.06 10.07 AOS-CX 4100i -N/ASwitch Series -N/A- AOS-CX 6100 -N/ASwitch Series AOS-CX 6200 Switch Series n User-based tunneling only n IP address, VLAN configuration only AOS-CX 6300 User-based tunneling only Switch Series n Central only n IP address, VLAN configuration only n Central and User-based tunneling n IP address, VLAN configuration only Central and User-based tunneling 10.08 n Central and User-based tunneling n IP address, VLAN configuration only -N/A- -N/A- -N/A- AOS-CX 8320 -N/ASwitch Series AOS-CX 8325 -N/ASwitch Series AOS-CX 8360 -N/ASwitch Series Central only Central only Central only -N/A-N/A-N/A- Aruba Central (on-premises) | User Guide 428 To add a source interface, you must configure the following at the device level: n Enable routing for ports and LAGs. n Configure an IP address for the ports, LAGs, and VLANs. Adding a Source Interface To add a source interface, complete the following steps: 1. In the Network Operations app, select one of the following options: n To select a switch group in the filter: a. Set the filter to a group. The dashboard context for the group is displayed. b. Under Manage, click Devices > Switches. c. Click the AOS-CX or Config icon to view the switch configuration dashboard. n To select a switch in the filter: a. Set the filter to Global or a group containing at least one switch. b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view. c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed. d. Under Manage, click Device. The AOS-CX UI configuration page is displayed. 2. Click System > Source Interface. The Source Interface page is displayed with a list of source interfaces that are configured. 3. In the Source Interface table, click the + add icon to add a source interface and configure the following parameters in the Create Source Interface page. 
When both Central and User-based tunneling source interfaces are added for a switch, the + add icon is disabled.

Table 103: Configuring and Viewing Source Interface Parameters

Interface
  Description: The interface or the service name. You can configure only two interfaces at any given time.
  Value: Central or User-based tunneling
Port/LAG
  Description: Type of interface you want to configure. This field name applies only at the group level. At the device level, the field name is Port/LAG/VLAN/Address.
  Value:
    - At the group level: Port or LAG
    - At the device level: Port, LAG, VLAN, or Address
Port name
  Description: Port number for the source interface. Applicable when you select Port in the Port/LAG drop-down at the group level or in the Port/LAG/VLAN/Address drop-down at the device level.
  Value: Select a port from the drop-down.
  NOTE:
    - At the group level: Only the ports that have routing enabled at the group level are available in this drop-down.
    - At the device level: Only the ports that have routing enabled and an IP address configured at the device level are listed in this drop-down.
LAG name
  Description: LAG name for the source interface. Applicable when you select LAG in the Port/LAG drop-down at the group level or in the Port/LAG/VLAN/Address drop-down at the device level.
  Value: Select a LAG from the drop-down.
  NOTE:
    - At the group level: Only the LAGs that have routing enabled at the group level are available in this drop-down.
    - At the device level: Only the LAGs that have routing enabled and an IP address configured at the device level are listed in this drop-down.
VLAN ID
  Description: VLAN ID for the source interface.
  NOTE:
    - Available only at the device level.
    - Applicable when you select VLAN in the Port/LAG/VLAN/Address drop-down at the device level.
  Value: Select a VLAN from the drop-down.
  NOTE:
    - Only the VLANs that have an IP address configured at the device level are listed in this drop-down.
    - The IP address must be a static IP address. DHCP server is not supported.
Address
  Description: IP address for the source interface.
  NOTE:
    - Available only at the device level.
    - Applicable when you select Address in the Port/LAG/VLAN/Address drop-down at the device level.
  Value: IPv4 address
VRF
  Description: Type of VRF for the source interface.
  Value: Default or Management
  NOTE: You can configure the User-based tunneling interface only on the Default VRF.
  NOTE: Management VRF is not supported on the AOS-CX 4100i and 6100 switch series.

4. Click Save. The source interface information is displayed in the Source Interface table.

Editing a source interface

To edit a source interface, point to the row for the source interface, and click the edit icon. You can select only one source interface at a time for editing.
- When editing the Central interface, you cannot edit the interface type.
- When editing the User-based tunneling interface, you cannot edit the interface type or the VRF.

Deleting a source interface

To delete a source interface, point to the row for the source interface, and click the delete icon. You can select only one source interface at a time for deleting.

Deleting a source interface at the device level and then modifying the configuration at the group level does not add the source interface again on the device.

Deleting the User-based tunneling source interface disables all configurations that depend on this source interface, for example, Dynamic Segmentation and Client Roles.

Configuring Static Routing on AOS-CX

Static routes provide a means for restricting and troubleshooting routed traffic flows. In small networks, static routes provide the simplest and most reliable configuration for routing. Static routes are manually configured in the routing table. For each static route, you can configure the destination and next hop IP addresses to route the packets, the VRF, and the administrative distance. You can add static routes only for the management and default VRFs.
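As an added example (not the guide's or Aruba's own code), the following Python block checks a static route against the field constraints that Table 104 below spells out (destination with /M mask, next hop without a mask or a routed port/LAG, Default or Management VRF, administrative distance 1 to 255, per-platform route maximums) and applies the lowest-administrative-distance rule from the same table. The interface names in ROUTED_INTERFACES and the route values are constructed samples.

```python
"""Checks for the static-route fields of Table 104 (added example; not Aruba
code).  ROUTED_INTERFACES is a constructed sample of a switch's routed ports."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Maximum static routes (IPv4 + IPv6) per switch series, as listed in the guide.
MAX_STATIC_ROUTES = {"4100i": 512, "6100": 512, "6200": 2048, "6300": 65536,
                     "8360": 65536, "8320": 163796, "8325": 29696}
# Series on which the Management VRF is not supported.
NO_MGMT_VRF = {"4100i", "6100"}
# Constructed sample: ports/LAGs that have routing enabled on this switch.
ROUTED_INTERFACES = {"1/1/1", "1/1/2", "lag1"}


@dataclass
class StaticRoute:
    destination: Optional[str]   # x.x.x.x/M or IPv6 .../M; None on the Management VRF
    next_hop: str                # address without a mask, or a routed port/LAG
    vrf: str = "Default"
    distance: int = 1            # administrative distance, 1..255


def validate_next_hop(next_hop, family=None):
    """Next hop is an IP address without a mask, or a port/LAG with routing enabled."""
    if next_hop in ROUTED_INTERFACES:
        return None
    if "/" in next_hop:
        return "next hop must not carry a subnet mask"
    try:
        addr = ipaddress.ip_address(next_hop)
    except ValueError:
        return f"next hop {next_hop!r} is neither an address nor a routed interface"
    if family is not None and addr.version != family:
        return "next hop address family does not match the destination"
    return None


def validate_static_route(route, series):
    """Return the list of problems with a route; an empty list means it is acceptable."""
    problems = []
    if route.vrf not in ("Default", "Management"):
        problems.append("VRF must be Default or Management")
    if route.vrf == "Management" and series in NO_MGMT_VRF:
        problems.append(f"Management VRF is not supported on the {series} series")
    family = None
    if route.vrf == "Management":
        # On the Management VRF only the Next Hop field can be configured.
        if route.destination is not None:
            problems.append("Management VRF routes accept only the Next Hop field")
    elif route.destination is None or "/" not in route.destination:
        problems.append("destination must include a subnet mask (/M)")
    else:
        try:
            # strict=False: the guide allows a device address together with its mask.
            family = ipaddress.ip_network(route.destination, strict=False).version
        except ValueError:
            problems.append(f"destination {route.destination!r} is not a valid network")
    err = validate_next_hop(route.next_hop, family)
    if err:
        problems.append(err)
    if not 1 <= route.distance <= 255:
        problems.append("administrative distance must be between 1 and 255")
    return problems


def within_route_limit(series, current_count):
    """True if one more static route still fits the platform maximum."""
    return current_count < MAX_STATIC_ROUTES[series]


def best_route(candidates):
    """Route selection: the lowest administrative distance wins.
    candidates are (source, distance) pairs, e.g. ("static", 20), ("ospf", 110)."""
    return min(candidates, key=lambda c: c[1])[0]
```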
The following are the maximum numbers of static routes (IPv4 and IPv6) that are supported on AOS-CX switches:
- AOS-CX 4100i, 6100 switch series: 512
- AOS-CX 6200 switch series: 2048
- AOS-CX 6300, 8360 switch series: 65536
- AOS-CX 8320 switch series: 163796
- AOS-CX 8325 switch series: 29696

AOS-CX 6400 and 8400 switch series are not supported in Aruba Central (on-premises) UI configuration.

To add static routes on AOS-CX switches, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX icon to view the AOS-CX switch configuration dashboard.
   - To select a switch:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. Click Routing > Static Routing. The Static Routing page is displayed.
3. In the Static Routing table, click the + add icon to add a static route and configure the following parameters in the Create Static Route page. When the maximum number of routes is added for a switch, the + add icon is disabled.

Table 104: Static Route Parameters

Destination
  Description: A valid network or device IP address with subnet mask.
  Value: IPv4 or IPv6 address.
    - IPv4 address in the x.x.x.x/M format, where x is an integer from 0 to 255, and /M is the subnet mask.
    - IPv6 address in the xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/M format, where x is a hexadecimal digit from 0 to F, and /M is the subnet mask.
Next Hop
  Description: Address of the next node in the route.
  Value:
    - IPv4 or IPv6 address without the subnet mask.
    - Port number or LAG name that has routing enabled.
VRF
  Description: VRF on which the static route is configured.
  Value: Default or Management. When you select Management, you can configure only the Next Hop field.
  NOTE:
    - When you configure a static route with the Management VRF, the configured Next Hop address is updated as the default gateway of the OOBM interface when the address mode of the OOBM interface is configured as static IP.
    - Management VRF is not supported on the AOS-CX 4100i and 6100 switch series.
Distance
  Description: The administrative distance helps routers determine the best route when there are multiple routes to the destination. A lower value is recommended.
  Value: The default administrative distance for static IP routes is 1, but it can be configured to any value in the range 1 to 255. If the administrative distance is set to a lower value for static routes, switches use the static IP routes as the best route for routing traffic. For example, if the administrative distance for a static route is set to 20 and the OSPF-based route keeps its default value of 110, the switch chooses the static route as the best route for routing traffic.

4. Click Save.

Configuring Ports and LAGs on AOS-CX

A link aggregation group (LAG) bundles multiple physical Ethernet links into one logical link. Link aggregation has the following benefits:
- Increased bandwidth beyond the limits of a single link. In an aggregate link, traffic is distributed across the member ports.
- Improved link reliability. The member ports dynamically back up one another. When a member port fails, its traffic is automatically switched to the other member ports.

From the Ports and Link Aggregation page, you can view all the ports, configure LAGs, and modify port settings for AOS-CX switches using UI groups.
Following are the maximum numbers of LAGs that are supported on AOS-CX switches:
- AOS-CX 4100i, 6100 switch series: 8
- AOS-CX 6200 switch series: 32
- AOS-CX 6300 switch series: 256
- AOS-CX 8320, 8360 switch series: 54
- AOS-CX 8325 switch series: 128

AOS-CX 6400 and 8400 switch series are not supported in Aruba Central (on-premises) UI configuration.

Adding a LAG

To add a LAG, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. Click Interfaces > Ports & Link Aggregations. The Ports & Link Aggregations page is displayed with the list of ports configured on the switch. In the device view, all access ports are shown by default. Click the filter in the Name column to select All Uplink Ports or All Access Ports. You can also search for a port using the port name.
3. In the Ports & Link Aggregations table, click the + add icon to add a LAG. The Add Lag window is displayed. When the maximum number of LAGs is added for a switch, the + add icon is disabled.
4. Configure the following parameters:

Table 105: Link Aggregation Parameters

Name
  Description: Name of the LAG.
  Value: Name starting with the string lag. Example: lag1, Lag23, LAG123.
Description
  Description: Description of the LAG.
  Value: A maximum of 64 characters including letters, numbers, and special characters, except question mark (?) and double quotes (").
Port Members
  Description: The switch port members for the LAG.
  Value: Select from the drop-down list.
Speed Duplex
  Description: The speed and duplex configuration for the client traffic. NOTE: Speed Duplex is shown or hidden depending on the value in the Port Members field.
  Value: Select from the drop-down list.
Routing
  Description: Indicates whether routing is enabled. If routing is enabled at the device level, specify the IP address with subnet mask for the destination network. Format: x.x.x.x/x. NOTE: If Routing is enabled at the device level, the port authentication configuration is reset on all the selected ports.
  Value: Toggle the switch to the on or off position.
VLAN Mode
  Description: The operational mode of the VLAN. This field is available only when Routing is disabled. In access mode, the port carries traffic only for the VLAN to which it is assigned. In trunk mode, a port can carry traffic for multiple VLANs.
  Value: trunk or access. For access mode, an Access VLAN can be specified. For trunk mode, the Native VLAN and Allowed VLANs can be configured. You can enter multiple Allowed VLANs by specifying a range of VLANs or VLANs separated by commas. For example, 1-7 or 55, 56, 57. NOTE: To specify the VLANs here, you must have already added the VLANs in the VLAN configuration page. See Configuring VLANs on AOS-CX.
Admin Up
  Description: The operational status of the LAG. If the check box is selected, the LAG can receive and transmit data as long as a cable is connected and no physical or operational problems exist.
  Value: Select the check box to enable.
Aggregation Mode
  Description: The operational mode of the Link Aggregation Control Protocol (LACP). LACP operates in these two modes:
    - LACP active: When LACP is operating in active mode on either end of a link, both ports can send Protocol Data Units (PDUs). The active LACP end initiates an LACP connection by sending LACPDUs.
    - LACP passive: When LACP is operating in passive mode on a local member port and its peer port, neither port can send PDUs. The passive LACP end waits for the remote end to initiate the link.
  Value: None, LACP active, or LACP passive.

5. Click Add. The configured parameters are displayed in the Ports & Link Aggregations table.

Editing a LAG

To edit a LAG, point to the row for the LAG, and click the edit icon. You can edit only one LAG at a time.

Deleting a LAG

To delete a LAG, point to the row for the LAG, and click the delete icon.

Editing Ports settings

You can edit port settings by selecting one or more ports. If the selected ports have different values configured, the changes you make are deployed on all the selected ports. If a port is added to a LAG, the port is not displayed in the Ports and Link Aggregation table.

To edit ports, complete the following steps:

1. In the Ports & Link Aggregations table, select one or more ports you want to edit and click the edit icon. The Edit Ports window is displayed.
   - To edit a single port, click the edit icon on the corresponding row.
   - To edit multiple ports, select the rows you want to edit and click the edit icon in the <number of ports> item(s) selected window at the bottom right of the page.
   - In the device view, all ports are shown by default. Click the filter in the Name column to select All Uplink Ports or All Access Ports. You can also search for a port using the port name.
2. Edit the following parameters:

Table 106: Ports Parameters

Description
  Description: Description of the ports. When multiple ports are selected, you can provide the same description for all the selected ports by selecting the "set same value for all ports" check box. You can also provide different descriptions by clicking the individual port fields.
  Value: A maximum of 64 characters including letters and numbers. Special characters are not allowed.
Speed Duplex
  Description: The speed and duplex configuration for the client traffic.
  Value: Select from the drop-down list. By default, Speed Duplex is set to Auto.
Routing
  Description: Indicates whether routing is enabled. If routing is enabled at the device level, specify the IP address with subnet mask for the destination network. Format: x.x.x.x/x. An IP address is not required at the group level. NOTE: If Routing is enabled at the device level, the port authentication configuration is reset on all the selected ports.
  Value: Toggle the switch to the on or off position.
VLAN Mode
  Description: The operational mode of the VLAN. This field is available only when Routing is disabled. By default, a port is in access mode and carries traffic only for the VLAN to which it is assigned. In trunk mode, a port can carry traffic for multiple VLANs. NOTE: This option is not visible for VSF ports.
  Value: trunk or access. For access mode, an Access VLAN can be specified. For trunk mode, the Native VLAN and Allowed VLANs can be configured. You can enter multiple Allowed VLANs by specifying a range of VLANs or VLANs separated by commas. For example, 1-7 or 55, 56, 57.
Admin Up
  Description: The operational status of the port. If the check box is selected, the port can send and receive data as long as a cable is connected and no physical or operational problems exist.
  Value: Select the check box to enable.

3. Click Save.

Editing OOBM Port

You can edit the Out of Band Management (OOBM) port at the device level. To edit the OOBM port, complete the following steps:

1. Select the OOBM port and click the edit icon. The Edit Port OOBM page is displayed.
2. Edit the following parameters:
   - IP assignment: Method of IP assignment, Static or DHCP. Enter the IP address if the selected method is Static.
   - Admin Up: Operational status of the port. If the check box is selected, the port can send and receive data as long as a cable is connected and no physical or operational problems exist.
3. Click Save.

Configuring Authentication Servers on AOS-CX

From the Server groups page, you can configure RADIUS or TACACS authentication servers to authenticate and authorize the users of an AOS-CX switch. The authentication servers determine whether the user has access to the administrative interface.

When moving AOS-CX switches from an unprovisioned, template, or UI group to another UI group, you can retain the existing switch configuration by selecting the Retain CX-Switch Configuration check box on the Move Devices page. Device-level RADIUS and TACACS server configuration is retained, if present, and any new group-level configuration is also applied. However, if any retained device configuration conflicts with the group-level configuration, the group-level configuration takes precedence and the conflicting configuration is replaced.

To configure authentication servers on a switch, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. Click Security > Authentication Servers. The Authentication Servers page is displayed with the number of RADIUS and TACACS servers that are configured on the switch.

Configuring a RADIUS Server on AOS-CX

To configure a RADIUS server, complete the following steps:

1. In the Authentication Servers table, point to the RADIUS server row and click the edit icon. The RADIUS servers page is displayed with the list of RADIUS servers configured on the switch.
2. To add a RADIUS server, click the + add icon. The Add RADIUS window is displayed.
3. Configure the following parameters:

Table 108: RADIUS Parameters

FQDN or IP address
  Description: The IP address or fully qualified domain name of the RADIUS server.
Shared secret
  Description: The encryption key to be used during authentication sessions with the specified RADIUS server.
  Value: You can enter up to a maximum of 32 characters including letters, numbers, and special characters, except question mark (?) and double quotes (").
Authentication Port
  Description: The authentication port number for the specified server.
  Value: Range: 1-65535. Default: 1812
Timeout (secs)
  Description: The number of seconds to wait for a response from the RADIUS server before trying the next RADIUS server.
  Value: Range: 1-60. Default: 5
VRF
  Description: The VRF to be used for communicating with the RADIUS server. NOTE: Management VRF is not supported on the AOS-CX 4100i and 6100 switch series.
  Value: Default or Management
Retry Count
  Description: The number of retry attempts for contacting the specified RADIUS server.
  Value: Range: 0-5. Default: 1

4. Click Apply. The added server is displayed in the RADIUS servers page. The server that was added first is accessed first, and if necessary, the second server is accessed second, and so on. You can rearrange the order by dragging a server to a different position using the drag-and-drop icon.
5. Click Save.

Configuring TACACS Server on AOS-CX

To configure a TACACS server, complete the following steps:

1. In the Authentication Servers table, point to the TACACS server row and click the edit icon. The TACACS servers page is displayed with the list of TACACS servers configured on the switch.
2. To add a TACACS server, click the + add icon. The Add TACACS window is displayed.
3. Configure the following parameters:

Table 109: TACACS Parameters

FQDN or IP address
  Description: The IP address or fully qualified domain name of the TACACS server.
Shared secret
  Description: The encryption key to be used during authentication sessions with the specified TACACS server.
  Value: You can enter up to a maximum of 32 characters including letters, numbers, and special characters, except question mark (?) and double quotes (").
Authentication Port
  Description: The authentication port number for the specified TACACS server.
  Value: Range: 1-65535. Default: 49
Timeout (secs)
  Description: The number of seconds to wait for a response from the TACACS server before trying the next TACACS server.
  Value: Range: 1-60. Default: 5
VRF
  Description: The VRF to be used for communicating with the TACACS server. NOTE: Management VRF is not supported on the AOS-CX 4100i and 6100 switch series.
  Value: Default or Management

4. Click Apply. The added server is displayed in the TACACS servers page. The server that was added first is accessed first, and if necessary, the second server is accessed second, and so on. You can rearrange the order by dragging a server to a different position using the drag-and-drop icon.
5. Click Save.

Configuring Authentication on AOS-CX

Aruba Central (on-premises) supports the following authentication methods for AOS-CX switches:
- 802.1X Authentication: Used for authenticating the identity of a user before providing network access. 802.1X involves the following roles:
  - Supplicant: Device that tries to access the LAN.
  - Authenticator: A network device, such as an Ethernet switch, that authenticates the supplicant.
  - Authentication Server: Typically a host running software supporting the RADIUS and EAP protocols that provides an authentication service to the authenticator.
- MAC Authentication: Used for authenticating devices based on their physical MAC addresses. For MAC authentication, the MAC address of a machine must match an approved list of MAC addresses defined on the RADIUS server.
You must configure at least one RADIUS server to use 802.1X or MAC authentication.

To configure authentication at the port level, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. Click Security > Authentication. The Authentication page is displayed.
3. Under MAC authentication, select one of the following modes to communicate with RADIUS servers:
   - PAP (Password Authentication Protocol)
   - CHAP (Challenge-Handshake Authentication Protocol)
   At the global level, 802.1X Authentication uses the EAP (Extensible Authentication Protocol) mode to communicate with the RADIUS server.
4. In the Ports table, select one or more ports for which you want to configure authentication, and click the edit icon. The Edit Ports page is displayed.
5. Configure the following parameters:

Table 110: Configuring Authentication

Authentication
  Description: The method of authentication.
  Value: Select any one of the following authentication methods:
    - None: Disables authentication. By default, authentication is disabled.
    - 802.1X: Enables the 802.1X method for authentication.
    - MAC: Enables the MAC method for authentication.
    - 802.1X, then MAC: Enables both 802.1X and MAC authentication methods and sets the precedence to 802.1X authentication.
    - MAC, then 802.1X: Enables both 802.1X and MAC authentication methods and sets the precedence to MAC authentication.
    - Concurrent: Enables both 802.1X and MAC authentication methods to start simultaneously for a faster onboarding process. You can select 802.1X or MAC authentication from the Priority drop-down menu. The default priority for Concurrent is 802.1X followed by MAC authentication.
Client Limit
  Description: The maximum number of clients to be allowed on the port.
  Value: Enter up to a maximum of 256 clients. Default: 1. Following are the maximum clients supported on switches:
    - AOS-CX 4100i, 6100, 6200 switch series: 32
    - AOS-CX 6300 switch series: 256
    At the group level, the maximum clients supported is 256.
  NOTE:
    - Port access authentication is not supported on the AOS-CX 8320, 8325, and 8360 switch series.
    - AOS-CX 6400 and 8400 switch series are not supported in Aruba Central (on-premises) UI configuration.
Reauthentication Timeout
  Description: The time (in seconds) that the switch enforces on a client to reauthenticate. The client remains authenticated while the reauthentication occurs. By default, this field is disabled and the default value is displayed. To edit the default value, select the check box and specify the value.
  Value: Default: 3600 seconds
Cached Reauthentication Timeout
  Description: The time (in seconds) during which cached reauthentication is allowed on the port. By default, this field is disabled and the default value is displayed. To edit the default value, select the check box and specify the value.
  Value: Default: 30 seconds
Quiet Period
  Description: The time (in seconds) during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails.
  Value: Default: 60 seconds

6. Click Apply. The authentication parameters are displayed in the Ports table.
7. Click Save.
Configuring Access Control on AOS-CX

Access control allows you to permit or deny traffic based on network addresses, protocols, service ports, and other packet attributes. An access policy defines a set of rules based on network traffic addressing and uses these rules to permit or deny the passage of traffic through the switch. The permit action allows the traffic to continue through the switch, and the deny action causes the traffic to be discarded (dropped). From the Access Control page, you can add access policies and set different rules for the access policies using UI groups.

Adding an Access Policy

You can add access policies by defining traffic rules. A policy can be applied to an individual front plane port, a Link Aggregation Group (LAG) interface, or a VLAN. The following are the maximum numbers of policies that are supported on AOS-CX switches:
- AOS-CX 4100i, 6100 switch series: 512
- AOS-CX 6200, 6300 switch series: 4000
- AOS-CX 8320 switch series: 16000
- AOS-CX 8325, 8360 switch series: 4000

AOS-CX 6400 and 8400 switch series are not supported in Aruba Central (on-premises) UI configuration.

To add an access policy, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. Click Security > Access Control. The Access Control page is displayed with the name of the policy.
3. In the Access Control table, click the + add icon to add a policy. The Add policy page is displayed. When the maximum number of policies is added for a switch, the + add icon is disabled.
4. Configure the following parameters.

Table 111: Access Policy Parameters

Name
  Description: The name of the access policy.
  Value: A maximum of 64 characters including letters, numbers, and special characters, except question mark (?) and double quotes (").
Direction (Ports & LAGs)
  Description: The traffic direction for ports and LAGs. The available directions are:
    - Inbound: Controls the incoming traffic on the selected ports or LAGs.
    - Outbound: Controls the outgoing traffic on the selected ports or LAGs.
  Value: Inbound or Outbound
Ports & LAGs
  Description: The ports and LAGs on which the policy is applied.
  Value: Select a value from the drop-down.
Direction (VLANs)
  Description: The traffic direction for VLANs. The available directions are:
    - Inbound: Controls the incoming traffic on the layer 2 interface VLANs.
    - Outbound: Controls the outgoing traffic on the layer 2 interface VLANs.
    - Routed Inbound: Controls the incoming traffic on the layer 3 interface VLANs.
    - Routed Outbound: Controls the outgoing traffic on the layer 3 interface VLANs.
  Value: Inbound, Outbound, Routed Inbound, or Routed Outbound
VLANs
  Description: The VLANs on which the policy is applied. The list of layer 2 and layer 3 interface VLANs is displayed based on the Direction selection.
  Value: Select one or more VLANs from the drop-down list.

5. Click Apply. The Access Control table is displayed with the number of ports & LAGs, and VLANs, configured on inbound and outbound traffic.

Editing an Access Policy

To edit a policy, point to the row for the policy, and click the edit icon.

Deleting an Access Policy

To delete a policy, point to the row for the policy, and click the delete icon.
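As an added example (not the guide's or Aruba's own code), the following Python block models how an ordered policy built from the rule fields described under "Adding a Rule for Policy" below (Table 112: action, Any/Network/Host source and destination, protocol, port and port-max ranges) decides on a packet: rules are tested in the sequence shown in the Policy Rules table and the first match wins. The guide does not state what the switch does when no rule matches, so evaluate() returns None in that case instead of assuming a default; the "IP" protocol matching every IP protocol is an assumption, and the packets and rules are constructed samples.

```python
"""Evaluate an ordered access policy built from the fields of Tables 111 and 112
(added example; not Aruba code).  Rules are checked in sequence; the first match
decides.  The guide does not state what happens when no rule matches, so
evaluate() returns None in that case rather than assuming a default."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Maximum rules per switch series, as listed in the guide.
MAX_RULES = {"4100i": 4096, "6100": 4096, "6200": 8000, "6300": 8000,
             "8320": 32000, "8325": 4000, "8360": 4000}
PROTOCOLS = {"Any", "AH", "ESP", "GRE", "ICMP", "IGMP", "IP", "OSPF", "PIM",
             "SCTP", "TCP", "UDP"}
PORT_PROTOCOLS = {"SCTP", "TCP", "UDP"}   # only these expose the port fields


@dataclass
class Rule:
    action: str                       # "Permit" or "Deny"
    source: str = "Any"               # "Any", "host:<ip>" or "net:<ip>/<mask>"
    destination: str = "Any"
    protocol: str = "Any"
    src_port: Optional[int] = None    # Source Port (single port or range start)
    src_port_max: Optional[int] = None
    dst_port: Optional[int] = None    # Destination Port
    dst_port_max: Optional[int] = None
    description: str = ""


@dataclass
class Packet:                         # constructed sample input, not a real capture
    src: str
    dst: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def validate_rule(rule):
    """Field-level checks mirroring the constraints stated for Table 112."""
    problems = []
    if rule.action not in ("Permit", "Deny"):
        problems.append("action must be Permit or Deny")
    if rule.protocol not in PROTOCOLS:
        problems.append(f"unknown protocol {rule.protocol!r}")
    ports = (rule.src_port, rule.src_port_max, rule.dst_port, rule.dst_port_max)
    if any(p is not None for p in ports) and rule.protocol not in PORT_PROTOCOLS:
        problems.append("port fields apply only to SCTP, TCP, or UDP")
    if rule.src_port_max is not None and rule.src_port is None:
        problems.append("Source Port Max requires Source Port")
    if rule.dst_port_max is not None and rule.dst_port is None:
        problems.append("Destination Port Max requires Destination Port")
    if len(rule.description) > 256 or any(c in rule.description for c in '?"'):
        problems.append('description: at most 256 characters, no ? or "')
    return problems


def rule_limit_reached(series, rule_count):
    """True when the platform maximum is reached (the UI disables + add then)."""
    return rule_count >= MAX_RULES[series]


def _addr_match(spec, addr):
    """Any matches everything; host: exact address; net: network containment."""
    if spec == "Any":
        return True
    kind, _, value = spec.partition(":")
    ip = ipaddress.ip_address(addr)
    if kind == "host":
        return ip == ipaddress.ip_address(value)
    if kind == "net":
        return ip in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"bad address spec {spec!r}")


def _port_match(lo, hi, port):
    """No configured port matches any; otherwise a single port or the lo..hi range."""
    if lo is None:
        return True
    return port is not None and lo <= port <= (hi if hi is not None else lo)


def _proto_match(rule_proto, pkt_proto):
    # Assumption: "Any" and "IP" cover every IP protocol; the others match exactly.
    return rule_proto in ("Any", "IP") or rule_proto == pkt_proto


def evaluate(rules, pkt):
    """Return the action of the first matching rule, or None if nothing matches."""
    for rule in rules:
        if (_proto_match(rule.protocol, pkt.protocol)
                and _addr_match(rule.source, pkt.src)
                and _addr_match(rule.destination, pkt.dst)
                and _port_match(rule.src_port, rule.src_port_max, pkt.src_port)
                and _port_match(rule.dst_port, rule.dst_port_max, pkt.dst_port)):
            return rule.action
    return None
```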
Adding a Rule for Policy

You can add access rules for a policy to either allow or deny the traffic passing through the switch. The following are the maximum numbers of rules that are supported on AOS-CX switches:
- AOS-CX 4100i, 6100 switch series: 4096
- AOS-CX 6200, 6300 switch series: 8000
- AOS-CX 8320 switch series: 32000
- AOS-CX 8325, 8360 switch series: 4000

AOS-CX 6400 and 8400 switch series are not supported in Aruba Central (on-premises) UI configuration.

To add an access rule, complete the following steps:

1. In the Access Control table, select the policy for which you want to add a rule by clicking the policy. The Policy Rules page is displayed.
2. In the <Policy name> Rules table, click the + add icon to add a rule. The Add rule for policy "<policy name>" page is displayed.
   - After adding the first rule, the + add icon in the <Policy name> Rules table is disabled. To add more rules to the same policy, click the + add icon in the row corresponding to the rule after which you want to add the next rule.
   - When the maximum number of rules is added for a switch series, the + add icon is disabled.
3. Configure the following parameters.

Table 112: Access Rules Parameters

Action
  Description: The action for the traffic passing through the switch.
  Value: Permit or Deny
Description
  Description: Description for the rule.
  Value: A maximum of 256 characters including letters, numbers, and special characters, except question mark (?) and double quotes (").
Source type
  Description: The type of source for which you want to apply a policy.
  Value: Any, Network, or Host. If you select Network, enter the IP address and Mask. If you select Host, enter the IP address.
Destination type
  Description: The type of destination for which you want to apply a policy.
  Value: Any, Network, or Host. If you select Network, enter the IP address and Mask. If you select Host, enter the IP address.
Protocol
  Description: The type of data transfer protocol. If you select SCTP, TCP, or UDP, the Source port and Destination port fields are displayed.
  Value: Protocol types: Any, AH, ESP, GRE, ICMP, IGMP, IP, OSPF, PIM, SCTP, TCP, and UDP.
Source Port
  Description: The port number of the source. You can specify a single port in the Source Port field or a range of ports in the Source Port and Source Port Max fields. For example, to specify the source port range 1 to 7, enter 1 in the Source Port field and 7 in the Source Port Max field.
  Value: An integer
Source Port Max
  Description: The end port number in the range of source ports. This field is applicable only if you want to configure a range of source ports.
  Value: An integer
Destination Port
  Description: The port number of the destination. You can specify a single port in the Destination Port field or a range of ports in the Destination Port and Destination Port Max fields. For example, to specify the port range 1 to 7, enter 1 in the Destination Port field and 7 in the Destination Port Max field.
  Value: An integer
Destination Port Max
  Description: The end port number in the range of destination ports. This field is applicable only if you want to configure a range of destination ports.
  Value: An integer

4. To create another rule, select the Stay and create another check box and add a new rule.
5. Click Apply. The new rules are displayed in the Policy Rules table. By default, the rules are sequenced in the order in which they are added. You can rearrange the sequence by dragging a rule to the position you want using the drag-and-drop icon.
6. Click Save.

Editing a Rule

To edit a rule, point to the row for the rule, and click the edit icon.

Deleting a Rule

To delete a rule, point to the row for the rule, and click the delete icon.

Configuring User-Based Tunneling for AOS-CX

User-based tunneling (UBT) uses GRE to tunnel ingress traffic on a switch interface to a gateway for further processing.
User-based tunneling enables a switch to provide a centralized security policy, using per-user authentication and access control to ensure consistent access and permissions.

User-based tunneling is supported on the following switches:

- AOS-CX 6300 F and M switch series
- AOS-CX 6400 switch series

To provision a user-based tunnel, the following are necessary:

- All devices are Day 0 provisioned
- The underlay network is connected and reachability is established
- All devices in the underlay and the topology are clearly identified

To configure a user-based tunnel, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. Click Security > Dynamic Segmentation to view the switch configuration dashboard.
3. Toggle the User based tunneling switch to the on position. The toggle switch is disabled by default. Enabling this toggle shows a warning message on how to configure the user-based tunnel.
4. Enter the Primary controller IP address and the Backup controller IP address. Make sure that the primary and backup IP addresses are different.
5. Enter the VLAN ID under Client VLAN only when you select the Reserved option.
6. In the Source interface drop-down, select Add new source interface. The Edit Source Interface window is displayed. Configure the following parameters.
   If a user-based tunnel source interface is already added in the Source Interface page, it appears in the drop-down. For more information about source interfaces, see Configuring Source Interface for AOS-CX.

   Table 113: New Source Interface Parameters

   - Interface
     Description: The interface or the service name. By default, only User-based tunneling is selected in the Dynamic Segmentation page.
     Value: User-based tunneling
   - Port/LAG
     Description: Type of interface you want to configure. This field name applies only at the group level. At the device level, the field name is Port/LAG/VLAN/Address.
     Value:
     - At the group level--Port or LAG
     - At the device level--Port, LAG, VLAN, or Address
   - Port name
     Description: Port number for the source interface. Applicable when you select Port in the Port/LAG drop-down at the group level or in the Port/LAG/VLAN/Address drop-down at the device level.
     Value: Select a port from the drop-down.
     NOTE:
     - At the group level--Only the ports that have routing enabled at the group level are available in this drop-down.
     - At the device level--Only the ports that have routing enabled and an IP address configured at the device level are listed in this drop-down.
   - LAG name
     Description: LAG name for the source interface. Applicable when you select Port in the Port/LAG drop-down at the group level or in the Port/LAG/VLAN/Address drop-down at the device level.
     Value: Select a LAG from the drop-down.
     NOTE:
     - At the group level--Only the LAGs that have routing enabled at the group level are available in this drop-down.
     - At the device level--Only the LAGs that have routing enabled and an IP address configured at the device level are listed in this drop-down.
   - VLAN ID
     Description: VLAN ID for the source interface.
     Value: Select a VLAN from the drop-down.
     NOTE:
     - Available only at the device level.
     - Applicable when you select VLAN in the Port/LAG/VLAN/Address drop-down at the device level.
     - Only the VLANs that have an IP address configured at the device level are listed in this drop-down.
     - The IP address must be a static IP address. DHCP server is not supported.
   - Address
     Description: IP address for the source interface.
     Value: IPv4 address
     NOTE:
     - Available only at the device level.
     - Applicable when you select Address in the Port/LAG/VLAN/Address drop-down at the device level.
   - VRF
     Description: The VRF to be used for communicating with Default DNS and NTP servers.

7. Click Save.

Configuring Client Roles for AOS-CX

You can assign network access to clients using client roles. The network admin can create configuration profiles (roles) and associate them with clients. Client roles allow you to create and manage roles and attributes for the network.

To create a client role, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX icon to view the switch configuration dashboard.
2. Click Client Roles.
3. In the Client Roles table, click the + add icon to create a new role. Configure the following parameters.

   Table 114: Client Roles Parameters

   - Name
     Description: Name of the role.
     Value: This is a mandatory parameter. This parameter supports letters, numbers, and special characters.
   - VLAN mode
     Description: VLAN mode of the role.
     Value: Access or Trunk. Default value is Access.
   - VLAN
     Description: VLAN ID of the role.
     Value: Default value is 1.
   - Authentication mode
     Description: Select either MD5 (Message Digest) or SHA (Secure Hash Algorithm) as the authentication mode to provide secured access to the user.
     Value: Client-Mode or Device-Mode. Default value is Client-Mode.
   - Trust mode
     Description: Trust mode for the role.
     Value: None, DSCP, or COS. Default value is None.
   - Reauthentication period
     Description: The time (in seconds) after which the switch forces a client to reauthenticate. The client remains authenticated while the reauthentication occurs.
     Value: Default value is 30 seconds.
   - PoE priority
     Description: PoE priority configured on the port.
     Value: Critical, High, or Low. Default value is Low.
   - STP admin edge
     Description: Enable or disable the STP admin edge port for the role.
     Value: By default, STP admin edge port is enabled.
   - User-based tunnel
     Description: Enable or disable user-based tunneling for the role.
     NOTE:
     - To enable user-based tunnel for a client role, user-based tunneling must be enabled in Dynamic Segmentation.
     - If User-based tunnel is enabled for a role and the User-based tunnel feature is disabled in the Dynamic Segmentation page, User-based tunnel for the role is disabled automatically.
     Value: Move the toggle switch to the on position to enable. By default, it is disabled.
   - Gateway cluster
     Description: Name of the gateway cluster zone.
     NOTE: By default, the cluster zone name is default. You cannot change the gateway cluster name.
   - Gateway Role
     Description: Name of the gateway role for the client role.
     Value: This parameter supports letters, numbers, and special characters.

4. Click Save.

You cannot edit client roles.

Deleting Client Roles

To delete a client role, point to the row for the role, and click the delete icon.

Configuring VLANs on AOS-CX

VLANs are primarily used to provide network segmentation at layer 2. VLANs enable the grouping of users by logical function instead of physical location.
VLANs make managing bandwidth usage within networks possible by:

- Allowing grouping of high-bandwidth users on low-traffic segments
- Organizing users from different LAN segments according to their need for common resources and individual protocols
- Improving traffic control at the edge of networks by separating traffic of different protocol types
- Enhancing network security by creating subnets to control in-band access to specific network resources

From the VLANs page, you can add VLANs and manage VLAN settings such as name, description, admin status, and IP assignment for AOS-CX switches.

For AOS-CX 6200 and 6300 switch series, VLAN 1 (DEFAULT_VLAN_1) is associated with all interfaces on the switch. DHCP assignment of an IP address is available only on the default VLAN. You can add only one VLAN at a time.

Adding a VLAN

To add a VLAN, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a switch group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the switch configuration dashboard.
   - To select a switch in the filter:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. Click Bridging > VLANs. The VLANs page is displayed with a list of VLANs.
3. In the VLANs table, click the + add icon to add a VLAN and configure the following parameters. When the maximum number of VLANs has been added for a switch, the + add icon is disabled.

   Table 115: Configuring and Viewing VLAN Parameters

   - ID
     Description: The VLAN ID number.
     Value: The following are the VLAN ID ranges supported on switches:
     - AOS-CX 4100i, 6100 switch series--2 to 512
     - AOS-CX 6200 switch series--2 to 2048
     - AOS-CX 6300 and 8360 switch series--2 to 4094
     - AOS-CX 8320 and 8325 switch series--2 to 4040
     At the group level, the maximum number of VLANs supported is 4094.
     NOTE: AOS-CX 6400 and 8400 switch series are not supported in Aruba Central (on-premises) UI configuration.
   - Name
     Description: The name of the VLAN.
     Value: Only letters (a-z) and numbers (0-9) are allowed.
   - Description
     Description: The description of the VLAN.
     Value: Letters, numbers, and special characters are allowed, except question mark (?) and double quotes (").
   - Admin UP
     Description: The operational status of the VLAN. The VLAN can forward packets only when the check box is selected.
     Value: Select the check box to enable.
   - Voice
     Description: The VLAN support for voice.
     Value: Select the check box to enable.
   - IP Assignment
     Description: The method of IP assignment. The options to enter the IP address are displayed only when you select Static. This field is available only at the device level.
     Value: Static, DHCP, or None. Default: None
     NOTE: The DHCP option is available only for the default VLAN on AOS-CX 6100, 6200, and 6300 switch series.
   - IP Address
     Description: The IP address with subnet mask for IP assignment. This field is enabled only when you select Static from the IP address assignment drop-down and is available only at the device level.
     Value: IPv4 address or IPv6 address with subnet mask. Format: x.x.x.x/x
   - DHCP Relay
     Description: The IP address of the DHCP relay server. This field is enabled only when you select DHCP or Static from the IP address assignment drop-down and is available only at the device level.
     Value: IPv4 address
     NOTE:
     - AOS-CX 6100 and 6200 switch series--DHCP relay is not supported
     - AOS-CX 6300 switch series--DHCP relay is available only on the default VLAN

4. Click Add. The VLAN information is displayed in the VLANs table.

Editing a VLAN

To edit a VLAN, point to the row for the VLAN, and click the edit icon.
You can select only one VLAN at a time for editing. You cannot edit the name or the admin status of the default VLAN.

Deleting a VLAN

To delete a VLAN, point to the row for the VLAN, and click the delete icon. Deleting a VLAN at the device level and then modifying the configuration at the group level does not add the VLAN again on the device. You can select only one VLAN at a time for deleting. You cannot delete the default VLAN.

Configuring Loop Prevention on AOS-CX

Loop prevention provides protection against infinite loops by transmitting loop protocol packets out of the switch ports. You can enable loop prevention by configuring one of the following methods:

- Loop protection at the interface level (ports, LAGs). Loop protection at the interface level:
  - can find loops by sending loop protection packets on each port or LAG on which loop protection is enabled.
  - is useful when spanning tree protocols cannot prevent loops at the edge of the network.
  - can be used to find loops in untagged layer 2 links and on tagged VLANs.
  - can be configured whether or not a spanning tree protocol is configured on the interfaces.
- Spanning tree protocol at both the global and the interface level. Spanning tree protocols such as MSTP and RPVST help prevent loops in networks by blocking redundant links.

Loop protection and spanning tree are always disabled by default on AOS-CX switches.

To configure loop protection and spanning tree for switches provisioned in UI groups, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the AOS-CX switch configuration dashboard.
   - To select a switch:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. Click Bridging > Loop Prevention. The Loop Prevention page is displayed. The Ports table displays the following information:

   Table 116: Information in the Ports Table

   - Number: Port number or the name of the LAG.
   - Description: Description of the port or LAG interface that you configure on the Ports & Link Aggregations page.
   - LAG Members: List of port numbers that are grouped to form the LAG.
   - Loop Protection: Displays whether loop protection is enabled or disabled for that interface.

3. To enable spanning tree, move the Spanning Tree toggle switch to the on position. Configure the following parameters:
   - Mode--Select MSTP from the drop-down list. You can configure various MSTP parameters for the ports in the switches. You cannot select RPVST from the Mode drop-down. To configure RPVST mode for spanning tree, you must use Edit Config in the MultiEdit mode and configure it using CLI commands. However, after configuring the mode as RPVST, if you want to change the mode to MSTP, you can select MSTP in the Mode drop-down.
   - Priority--Priority of the UI group. At the group level, the priority is listed in multiples of 4096. A range from 0 to 61440 is supported. The default value is 32768.
4. To configure MSTP parameters for ports, select the row(s) in the Ports table and click the edit icon. The Loop Prevention page is displayed with the following parameters.

   Table 117: MSTP Parameters for Ports and LAGs

   - Loop Protection: Move the toggle switch to enable or disable loop protection on the interfaces.
   - Spanning Tree Priority: A number used to identify the root bridge in an STP instance. The priority is listed in multiples of 16 in the drop-down. The priority ranges from 0 to 240. The default priority is 128. The switch with the lowest value has the highest priority and is considered the root bridge. A higher numerical value means a lower priority; thus, the highest priority is 0.
   - BPDU Protection: Security feature used to protect the active STP topology by preventing manipulated BPDU packets from entering the STP domain. Select the check box to enable BPDU protection on the interface.
   - BPDU Filter: Enables control of STP participation for each port. The feature can be used to exclude specific ports from becoming part of STP operations. A port or LAG with the BPDU filter enabled ignores incoming BPDU packets and stays locked in the STP forwarding state. Select the check box to enable BPDU filter on the interface.
   - Admin-Edge: Configures the interface in the forwarding state. Select the check box to enable Admin edge on the interface. NOTE: If Admin edge is not configured on the switch, the default port type is admin-network.
   - Root Guard: Configures the interface to prevent it from being configured as a root port when it receives superior STP BPDUs. Select the check box to enable root guard on the interface.

5. To save the changes, click Apply.

Using MultiEdit View for AOS-CX

This section describes the configuration and viewing procedures for AOS-CX switches in the MultiEdit mode. MultiEdit mode configuration is applicable only at the device level and allows configuring a single switch or multiple switches using the CLI syntax.

To configure or view details of the switches provisioned in UI groups, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the AOS-CX switch configuration dashboard.
   - To select a switch:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. To enable MultiEdit mode, move the MultiEdit toggle switch to the on position. The Device-Level Configuration page is displayed with the list of devices in the Devices table. At the device level, the Devices table lists only the switch that you have selected. Also, a pop-up is displayed on the bottom-right corner of the page with the options View Config, Edit Config, and Express Config.
3. Search for a switch by entering a search query in the Contextual Search Engine field. For more information about search queries, see Using Device Search on AOS-CX.

The following table describes the columns in the Devices table.

Table 118: Columns in the Devices Table in the MultiEdit Mode

- Name: Name of the AOS-CX switch.
- Firmware Version: Firmware version installed on the switch.
- Config Modified: Timestamp when the configuration on the switch was last modified.
- Status: Status of the switch, whether Online or Offline.
- Config Status: Status of the configuration sync between Aruba Central (on-premises) and the switch.
  - Sync--Configuration is in sync between Aruba Central (on-premises) and the switch.
  - Not in sync (Connection error)--Configuration is not in sync due to a connection error.
  - Not in sync (Modified outside Central)--Configuration is not in sync because the configuration was modified outside Aruba Central (on-premises).
  - Not in sync (Pushing config)--Configuration is not in sync because Aruba Central (on-premises) is still pushing the configuration to the switch.
- NAE Status: Consolidated status of the NAE agents running on the switch. The following are the supported values:
  - Critical--The agent has encountered a critical error during execution.
  - Major--The agent has encountered a major error during execution.
  - Minor--The agent has encountered a minor error during execution.
  - Normal--The agent is actively monitoring network conditions and handling events.
  - Disabled--The agent is disabled.
  - Unknown--The agent status is unknown.
- MAC Address: MAC address of the switch.
- IP Address: IP address of the switch.
- Serial: Serial number of the switch.
- Model: Model number of the switch.

The MultiEdit mode provides options to view or edit switch configuration, or to apply predefined configurations to the switches:

- Viewing Configuration Using MultiEdit on AOS-CX
- Editing Configuration Using MultiEdit on AOS-CX
- Express Configuration Using MultiEdit on AOS-CX

Using Device Search on AOS-CX

In the MultiEdit mode, the Contextual Search Engine allows you to filter a set of AOS-CX switches using search queries. A search query can contain one or more search terms in the format label:value. For example, in model:6300F, model is the label and 6300F is the value. When a search query contains a list of terms, by default all terms are required to match. For example, the search query "model:8400 current-firmware:10.04.0001" returns only 8400 switches running 10.04.0001 firmware. The filtered switch details are displayed in the Devices table.

Search queries can contain the following:

- Device attributes--Attributes that denote device details such as model and current-firmware.
- Wildcard characters--Asterisk (*) and question mark (?) are allowed in search queries.
- Boolean operators--For complex queries, you can use the boolean operators AND, OR, NOT, + (the plus sign), and - (the minus sign).
- Grouping characters--Multiple search terms with logical operators can be grouped using parentheses ().
You must use quotes (" ") for any strings with spaces and for the default, running-config, and startup-config searches. A default search is specified by entering quoted text instead of a label:value search term. The default search runs against the running configurations of the devices. For example, entering "ntp server 172.16.0.100" searches for that string in the running configuration of all managed devices in the MultiEdit mode. Multiple search terms can be used in a query and can be combined using logical operators.

Searching for Devices

To access the Contextual Search Engine and perform a search, complete the following steps:

1. In the Network Operations app, set the filter to a group containing at least one switch. The dashboard context for the group is displayed.
2. Under Manage, click Devices > Switches.
3. Click the Config icon to view the switch configuration dashboard.
4. Slide the MultiEdit toggle switch to the on position to enable MultiEdit mode. The Devices table displays the list of devices in the selected group.
5. Hover over the values in the table cells to view the labels that can be used in the search query. For example, if you hover over a cell in the Status column, a pop-up is displayed with the label that can be used in the search term and an example.
6. In the Contextual Search Engine field, enter a search query, and click Search & Filter to filter a set of switches. The Devices table lists the devices that match the search query.

Device Attributes

The following table lists the field names that can be used in the search query as device attributes.
Table 119: List of Field Names

- active-image: Active image location. Example: active-image:primary
- chassis: Name of the chassis, if available. Example: chassis:1
- config-auto-commit: Configuration auto commit state. Examples: config-auto-commit:On, config-auto-commit:Off
- config-failure-reasons: Reason for the configuration failure when the configuration-state is "Not in sync". Examples: config-failure-reasons:"Connection error", config-failure-reasons:"Configuration conflicts", config-failure-reasons:"Internal error", config-failure-reasons:"Modified outside Central", config-failure-reasons:"Initial group config pending", config-failure-reasons:"Pushing config", config-failure-reasons:"Connection error with pending changes", config-failure-reasons:"Auto commit off"
- configuration-state: Configuration sync state. Example: configuration-state:Sync
- current-firmware: Current firmware version. Example: current-firmware:10.02.0001
- default-image: Default image location. Example: default-image:secondary
- fabric-card: Name of the fabric cards, if available. Example: fabric-card:1\/1
- firmware-version: Firmware version on the device. Example: firmware-version:FL.10.1
- hw-serial: Serial number of attached hardware. Example: hw-serial:TW0989W
- ip-address: Management IP address. Example: ip-address:172.16.0.100
- label: Label assigned to the device. Example: label:Floor1
- last-sync-time: Last time when the configuration in Central and on the device were in sync. Examples:
  last-sync-time:2020-08-27
  last-sync-time:2020-08-27T19
  last-sync-time:2020-08-27T19:01:20Z
  last-sync-time:[2020-08-27T19:01:20Z TO *]
  last-sync-time:[2020-08-27 TO 2020-08-28]
  last-sync-time:[2020-08-27T20 TO 2020-08-27T23]
  last-sync-time:[2020-08-27T19:00:00 TO 2020-08-27T23:00:00]
  last-sync-time:[2020-08-27T11:30:00Z TO 2020-08-27T23:00:00Z]
- line-card: Name of the line cards, if available. Example: line-card:1\/1
- local-override: Whether device local override is enabled. Examples: local-override:Yes, local-override:No
- mac-address: Base MAC address. Example: mac-address:e7c7dc-32f000
- management-module: Name of the management module, if available. Example: management-module:1\/1
- manufacturer: Manufacturer name. Example: manufacturer:Aruba
- model: Model number. Example: model:6300F
- nae-status: NAE status of the switch. Example: nae-status:normal
- name: The device's user-defined name. Example: name:cx_6300F_ERIA000001
- part-number: Product names of the device and attached hardware. Example: part-number:JL635A
- power-supply: Name of the power supply, if available. Example: power-supply:1\/1
- primary-version: Primary image version. Example: primary-version:GL.10.11
- product-name: Product names of the device and attached hardware. Example: product-name:"8325 Mgmt Mod"
- product-number: Product number of the device. Example: product-number:8325
- running-config: Contents of the running configuration (this is the default search field). Example: running-config:"ospf"
- running-config-modified: Date and time of the latest running configuration change. Examples:
  running-config-modified:2020-08-27
  running-config-modified:2020-08-27T19
  running-config-modified:2020-08-27T19:01:20Z
  running-config-modified:[2020-08-27T19:01:20Z TO *]
  running-config-modified:[2020-08-27 TO 2020-08-28]
  running-config-modified:[2020-08-27T20 TO 2020-08-27T23]
  running-config-modified:[2020-08-27T19:00:00 TO 2020-08-27T23:00:00]
  running-config-modified:[2020-08-27T11:30:00Z TO 2020-08-27T23:00:00Z]
- running-deployed-by: User who deployed the running configuration. Example: running-deployed-by:system
- secondary-version: Secondary image version. Example: secondary-version:GL.10.11
- serial: Serial number. Example: serial:SGIA000001
- site: Site assigned to the device. Example: site:"Santa Clara"
- startup-config: Contents of the start-up configuration. Example: startup-config:"ntp server 192.168.0.7"
- startup-config-modified: Date and time of the latest start-up configuration change. Examples:
  startup-config-modified:2020-08-27
  startup-config-modified:2020-08-27T19
  startup-config-modified:2020-08-27T19:01:20Z
  startup-config-modified:[2020-08-27T19:01:20Z TO *]
  startup-config-modified:[2020-08-27 TO 2020-08-28]
  startup-config-modified:[2020-08-27T20 TO 2020-08-27T23]
  startup-config-modified:[2020-08-27T19:00:00 TO 2020-08-27T23:00:00]
  startup-config-modified:[2020-08-27T11:30:00Z TO 2020-08-27T23:00:00Z]
- startup-deployed-by: User who deployed the start-up configuration. Example: startup-deployed-by:system
- status: Device status. Examples: status:Online, status:Offline
- system-contact: SNMP system contact. Example: system-contact:JohnSmith
- system-location: SNMP system location. Example: system-location:Zurich

Wildcard Characters

Wildcard characters are used in search queries to match one or more other characters. The valid wildcard characters are asterisk (*) and question mark (?).

Use asterisk (*) to match multiple characters in a search query. For example, the search query Serial:SG* returns all the devices whose serial number starts with SG, such as SG0010223, SG0110224, SG1110225, and so on.

Use question mark (?) to match a single character in a search query. For example, the search query Serial:SG001022? returns all the devices in the SG001022 series regardless of the last digit, such as SG0010221, SG0010222, SG0010223, and so on.

Search queries with wildcard characters must be used without quotes. For example: Serial:SG*.

Reserved Characters

Reserved characters are used for performing operations in search queries. For example, the plus (+) and minus (-) symbols are used as Boolean operators, and parentheses () are used to group search queries. Reserved characters include + - && || ! ( ) { } [ ] ^ " ~ * ? : \.

If reserved characters appear in searches, they must be preceded by an escape character, the backslash (\). If the search terms are enclosed in quotes, you need not add a backslash (\) before the reserved characters. For example, system-location:"santaclara(office)". If the search terms are not enclosed in quotes, you must add a backslash (\) before the reserved characters. For example, system-location:santaclara\(office\).

Operators

The following table lists the operators that can be used in search queries.
Table 120: List of Operators

- Operator: AND
  Example: model:8400 AND current-firmware:10.04.000
  Result: Returns all 8400 model switches running the 10.04.000 firmware version.
- Operator: OR
  Example: model:8400 OR current-firmware:10.04.000
  Result: Returns all 8400 model switches, all the switches running the 10.04.000 firmware version, or both.
- Operator: NOT
  Example: model:8400 NOT current-firmware:10.04.000
  Result: Returns all 8400 model switches, but not switches running the 10.04.000 firmware version.
- Operator: + (Includes)
  Example: model:8400 + running-config:"access-list ip hvac_segmentation"
  Result: Returns all 8400 model switches that contain the ACL named "hvac_segmentation" in their running configuration.
- Operator: - (Excludes)
  Example: model:8400 - running-config:"access-list ip hvac_segmentation"
  Result: Returns 8400 model switches that do not have the ACL named "hvac_segmentation" in their running configuration.
- Operator: ( ) (Grouping)
  Example: (model:8400 OR model:6300) AND NOT current-firmware:10.04.0001
  Result: Returns all 8400 and 6300 model switches that are not running firmware version 10.04.000.

Sample Queries

The following table lists some sample queries that can be used as search queries.

Table 121: List of Sample Queries

- Query: "ospf"
  Result: Switches that contain the string "ospf" in their running configuration file.
- Query: model:8400 current-firmware:10.04.0001
  Result: Model 8400 switches running firmware version 10.04.0001.
- Query: model:8400 -current-firmware:10.04.0001
  Result: All 8400 switches that are not running version 10.04.0001.
- Query: (model:8400 OR model:6300) AND NOT current-firmware:10.04.0001
  Result: All 8400 and 6300 switches that are not running version 10.04.0001.
- Query: model:6300 -running-config:"access-list ip hvac_segmentation"
  Result: Model 6300 switches that do not have the ACL named "hvac_segmentation" in their running configuration.
- Query: hostname-AUS-05-.*
  Result: Devices with a hostname matching the regular expression, for example in a deployment where host names are encoded as <site>-<building>-<floor><number>.
- Query: site:Aruba*
  Result: Devices with the site name starting with Aruba.
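The query syntax described in the Using Device Search sections (label:value terms, the quoted default search against running-config, wildcards, backslash escaping of reserved characters, [lo TO hi] ranges, and the AND / OR / NOT / + / - operators with parentheses) as an added, self-contained evaluator over a constructed inventory; this is example code written for this page, not Aruba Central's search engine. The device records are constructed, and case-insensitive matching and text comparison of ISO timestamps in ranges are assumptions where the guide does not state the semantics.

```python
"""Evaluator for Contextual Search Engine style queries over a constructed switch inventory.
Added example, not Aruba Central code: label:value terms, the quoted default search against
running-config, * and ? wildcards, backslash escapes, [lo TO hi] ranges, AND/OR/NOT/+/- and ( )."""
import re

# Constructed sample inventory (not real devices); keys follow the Table 119 field names.
DEVICES = [
    {"serial": "SG0010223", "model": "8400", "current-firmware": "10.04.0001", "site": "Santa Clara",
     "system-location": "santaclara(office)", "last-sync-time": "2020-08-27T19:01:20Z",
     "running-config": "hostname core-1\nrouter ospf 1\naccess-list ip hvac_segmentation"},
    {"serial": "SG0010224", "model": "6300F", "current-firmware": "10.04.0001", "site": "Aruba HQ",
     "last-sync-time": "2020-08-28T02:00:00Z", "running-config": "hostname edge-1\nntp server 172.16.0.100"},
    {"serial": "TW0989W", "model": "6300", "current-firmware": "10.02.0001", "site": "Zurich",
     "last-sync-time": "2020-08-26T10:00:00Z", "running-config": "hostname edge-2\nrouter ospf 1"},
]
CONFIG_FIELDS = {"running-config", "startup-config"}  # text fields searched by substring

# A token is an operator character, or an optional label: followed by a quoted string, a [..] range,
# or a bare value in which a backslash escapes the next (reserved) character.
TOKEN_RE = re.compile(r'\s*(?:(?P<op>[()+\-])|(?P<label>(?:[^\s()"\[\]\\:]|\\.)+:)?'
                      r'(?P<value>"(?:[^"\\]|\\.)*"|\[[^\]]*\]|(?:[^\s()"\[\]\\]|\\.)+))')


def tokenize(query):
    """Return '(' ')' '+' '-' 'AND' 'OR' 'NOT' and ('term', label, value) tokens, in order."""
    tokens, i = [], 0
    while i < len(query.rstrip()):
        m = TOKEN_RE.match(query, i)
        if not m:
            raise ValueError("cannot parse query at offset %d" % i)
        label, value = m.group("label"), m.group("value")
        if m.group("op"):
            tokens.append(m.group("op"))
        elif label is None and value in ("AND", "OR", "NOT"):
            tokens.append(value)
        else:  # an unlabeled term is the default search, which runs against running-config
            tokens.append(("term", label[:-1] if label else "running-config", value))
        i = m.end()
    return tokens


def match_term(device, label, value):
    """Evaluate one label:value term against one device record."""
    field = device.get(label)
    if field is None:
        return False
    if value.startswith("["):  # [lo TO hi] compares ISO timestamps as text; * leaves an end open
        lo, hi = (p.strip() for p in value[1:-1].split(" TO "))
        return (lo == "*" or field >= lo) and (hi == "*" or field <= hi)
    if value.startswith('"'):  # quoted: literal text, no wildcards, escapes removed
        literal = re.sub(r"\\(.)", r"\1", value[1:-1]).lower()
        return literal in field.lower() if label in CONFIG_FIELDS else literal == field.lower()
    pieces = re.findall(r"\\.|.", value)  # bare: * and ? are wildcards, \ makes a char literal
    rx = re.compile("".join(".*" if p == "*" else "." if p == "?" else re.escape(p[-1])
                            for p in pieces), re.IGNORECASE)
    return bool(rx.search(field) if label in CONFIG_FIELDS else rx.fullmatch(field))


def search(query, devices=DEVICES):
    """Parse the query (OR binds loosest, adjacent terms are an implicit AND, NOT / - / + apply
    to what follows) into a predicate and return the serials of the matching devices."""
    toks = tokenize(query)
    peek = lambda: toks[0] if toks else None

    def or_expr():
        left = and_expr()
        while peek() == "OR":
            toks.pop(0)
            left = (lambda d, l=left, r=and_expr(): l(d) or r(d))
        return left

    def and_expr():  # the AND keyword is optional between adjacent terms
        left = unary()
        while peek() not in (None, ")", "OR"):
            if peek() == "AND":
                toks.pop(0)
            left = (lambda d, l=left, r=unary(): l(d) and r(d))
        return left

    def unary():
        tok = toks.pop(0) if toks else None
        if tok in ("NOT", "-", "+"):  # NOT and - exclude what follows; + only marks it required
            inner = unary()
            return inner if tok == "+" else (lambda d: not inner(d))
        if tok == "(":
            inner = or_expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if not isinstance(tok, tuple):
            raise ValueError("expected a search term, got %r" % (tok,))
        _, label, value = tok
        return lambda d: match_term(d, label, value)

    pred = or_expr()
    if toks:
        raise ValueError("unexpected token %r" % (toks[0],))
    return [d["serial"] for d in devices if pred(d)]
```

Running the Table 121 sample queries through search() against the constructed inventory shows how the implicit AND, the leading minus and the quoted default search interact; a malformed query (for example a trailing AND) raises ValueError instead of silently matching nothing.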
Viewing Configuration Using MultiEdit on AOS-CX

View the configuration of switches and find differences in the configuration across switches in the MultiEdit mode.

To view switch configuration in the MultiEdit mode, complete the following steps:

1. In the Network Operations app, select one of the following options:
   - To select a group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the AOS-CX switch configuration dashboard.
   - To select a switch:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. To enable MultiEdit mode, move the MultiEdit toggle switch to the on position. The Device-Level Configuration page is displayed with the list of devices in the Devices table. At the device level, the Devices table lists only the switch that you have selected. Also, a pop-up is displayed on the bottom-right corner of the page with the options View Config, Edit Config, and Express Config. Go to step 6.
3. Search for a switch by entering a search query in the Contextual Search Engine field. For more information about search queries, see Using Device Search on AOS-CX.
4. In the Devices table, select one or more switches by clicking the corresponding rows. A pop-up is displayed on the bottom-right corner of the page with the options View Config, Edit Config, and Express Config.
5. To view the configuration of switches, click View Config.
   - If you select a single switch, the View Configuration page is displayed. The running switch configuration is displayed in the Configuration window.
n If you select multiple switches, the View Multi-Device Configuration page is displayed with the following panes: o Devices--Lists the selected switch names. Select the switches for which you want to view the configuration by selecting the corresponding check box. o Configuration--Displays the aggregate running configuration of all selected switches. The following features are supported in the view page: Managing AOS-CX Switches | 461 n Configuration that is same across all switches is displayed as normal text. n Differences in configuration is displayed as one of the following: o Highlighted parameters (in green)--When parameter value differs across switches. Hover over the parameter to view the list of switches that have this parameter. o Entire line differences--Entire line differences are displayed by highlighting the lines along with a description mentioning the switch name that has this line in the configuration. When more than one switch contains this line, a summary of the number of switches is displayed. For example, 2/7 is displayed if two out of seven switches that are selected contain this line in the configuration. To view the list of switches, hover over this summary. To view the values of these parameters, right click on the parameter. The View Parameters pane is displayed. If the parameter is already configured on a switch, the value is displayed. Else, N/A is displayed. Editing Configuration Using MultiEdit on AOS-CX Edit configuration for one or more switches in the MultiEdit mode. Edit the entire configuration in a familiar looking CLI with syntax checking, colorization, and command completion. To edit and review switch configuration in the MultiEdit mode, complete the following steps: 1. In the Network Operations app, select one of the following options: n To select a group in the filter: a. Set the filter to a group. The dashboard context for the group is displayed. b. Under Manage, click Devices > Switches. c. 
Click the AOS-CX or Config icon to view the AOS-CX switch configuration dashboard. n To select a switch: a. Set the filter to Global or a group containing at least one switch. b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view. c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed. d. Under Manage, click Device. The AOS-CX UI configuration page is displayed. 2. To enable MultiEdit mode, move the MultiEdit toggle switch to the on position. The Device-Level Configuration page is displayed with the list of devices displayed in the Devices table. At the device level, the Devices table lists only the switch that you have selected. Also, a pop-up is displayed on the bottom-right corner of the page with the options View Config, Edit Config, and Express Config. Go to step 6. 3. Search for a switch by entering a search query in the Contextual Search Engine field. For more information about search queries, see Using Device Search on AOS-CX. Aruba Central (on-premises) | User Guide 462 4. In the Devices table, select one or multiple switches by clicking the corresponding rows. A pop-up is displayed on the bottom-right corner of the page with the options View Config, Edit Config, and Express Config. 5. To edit the configuration of switches, click Edit Config. n If you select a single switch, the Edit Configuration page is displayed. n If you select multiple switches, the Edit Multi-Device Configuration page is displayed with the following panes: o Devices--Lists the selected switch names. Select the switches for which you want to edit the configuration by clicking the row corresponding to the switches. o Configuration--Displays the aggregate running configuration of all switches. In both the pages, the following views are available: n Editor View--Displays the aggregate running configuration on the switches in the Configuration pane. Edit the configuration in this view. 
When editing multiple switches, the Devices pane is also displayed. Select the check box for the switches you want to edit. The following features are supported in the Editor View: o Configuration that is same across all switches is displayed as normal text. o Differences in configuration is displayed as one of the following: l Highlighted parameters (in green)--When parameter value differs across switches. Hover over the parameter to view the list of switches that have this parameter. l Entire line differences--Entire line differences are displayed by highlighting the lines along with a description mentioning the switch name that has this line in the configuration. When more than one switch contains this line, a summary of the number of switches is displayed. For example, 2/7 is displayed if two out of seven switches that are selected contain this line in the configuration. To view the list of switches, hover over this summary. To modify the values of these parameters, right-click the parameter. The Modify Parameters pane is displayed. a. If the parameter is already configured on a switch, you can modify the value. Otherwise, N/A is displayed for the value and it cannot be modified. b. If you want to apply the same value to all selected switches, select the Set same value for all devices check box. c. To save the changes, click Save Changes in the Modify Parameters pane. Clicking Save at the bottom of the Editor View discards the changes made in the Modify Parameters pane. o Command completion and help text are available by pressing the CTRL+SPACE key combination. An inline drop-down is displayed with the available commands or parameters within commands. To insert a command or parameter, select an option and press TAB. o Syntax errors are marked (in red) directly under the incorrect text. o If a command line is not inserted in the correct position, the line is automatically moved to the correct position in the configuration. 
Managing AOS-CX Switches | 463 For example, if the configuration contains information for VLAN IDs 1 to 3, and you are adding VLAN 4 after VLAN 1 in the configuration, the editor moves the VLAN 4 command line after VLAN 3. n Diff View--Displays the difference between changes made in the Editor View and the running configuration on a switch. In this view, two panes, Running and Candidate, are displayed. When viewing details of multiple switches, select a switch from the drop-down. o The Running pane displays the running configuration on the switch. o The Candidate pane highlights the changes made in the Editor View in addition to displaying the running configuration on the switch. You cannot edit the switch configuration in this view. 6. Edit the configuration in the Editor View, and click Save. Configuration Drift Warning in Edit Config When you edit the configuration of the same AOS-CX switch, in the MultiEdit mode, in two different browser tab sessions, and try to save the configuration one after the other, the following events occur: 1. The configuration that you save first in the editor in any of the two browser tabs is saved on the switch. 2. When you try to save the configuration in the editor in the other browser tab, Aruba Central (onpremises) displays a warning that the configuration has been changed outside the current editor. 3. If you ignore the warning and continue to save the configuration, Aruba Central (on-premises) overwrites the changes saved earlier with the current changes. If you save any changes in the MultiEdit mode and the changes do not reflect on the switch, check the Audit Trail details for any errors in the configuration sync. Commands Not Supported in the MultiEdit Mode The following table lists the AOS-CX switch commands that are not supported and details about how they function in the MultiEdit mode in Aruba Central (on-premises). It is recommended to use these commands in the MultiEdit Edit Config page with caution. 
Table 122: AOS-CX Commands Not Supported in the MultiEdit Mode

configuration-lockout
  Users must not delete this command. If this line is deleted in Aruba Central (on-premises), then:
  - Aruba Central (on-premises) Managed mode is disabled and changes can be made outside of Aruba Central (on-premises).
  - Changes made using NAE, REST APIs, or the switch CLI will be absorbed into Aruba Central (on-premises), hence causing a local override. The switch template will be deleted and replaced by the switch configuration.

vsx in switches running AOS-CX 10.06 or earlier versions
  Users can add, edit, or delete this command. However, the VSX peer switch must be managed as a separate device in Aruba Central (on-premises).

vsx-sync in sub-contexts
  Users must not add, edit, or delete this command in Aruba Central (on-premises).
  - Aruba Central (on-premises) Managed mode is disabled and changes can be made outside of Aruba Central (on-premises).
  - Configuration on the peer switch is modified.

vsf member <n> if all switches are running AOS-CX 10.07 or later versions
  Users must not delete this command.
  - If this command is deleted from the member, the member restarts and resets the configuration.
  - If this command is deleted from the conductor, Aruba Central (on-premises) loses connectivity with the stack.

type <jnumber>
  Users must not delete or edit this command.
  - If this command is deleted or edited on the member, the member restarts and resets the configuration.
  - If this command is deleted or edited on the conductor, Aruba Central (on-premises) loses connectivity with the stack.

Show commands (for example, show running-config, show interface brief)
  N/A. These commands do not appear in the running configuration of a switch and hence are not visible in the MultiEdit mode (View Config or Edit Config).

Action commands (for example, ping, boot system, erase)
  N/A. These commands do not appear in the running configuration of a switch and hence are not visible in the MultiEdit mode (View Config or Edit Config).

Commands used to reset entities to defaults (for example, no bfd, no vrf, no router ospf, default interface <IFRANGE>)
  N/A. These commands do not appear in the running configuration of a switch and hence are not visible in the MultiEdit mode (View Config or Edit Config).

Configuration context switching commands (for example, interface 1/1/1-1/1/5)
  N/A. These commands do not appear in the running configuration of a switch and hence are not visible in the MultiEdit mode (View Config or Edit Config).

Express Configuration Using MultiEdit on AOS-CX

Express configuration provides a way to efficiently apply a predefined set of configuration settings to switches. Each set of configuration settings can contain settings for Network Analytics Engine (NAE) or device profile features.

To apply express configuration, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the AOS-CX switch configuration dashboard.
   - To select a switch:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. To enable MultiEdit mode, move the MultiEdit toggle switch to the on position. The Device-Level Configuration page is displayed with the list of devices displayed in the Devices table.
   At the device level, the Devices table lists only the switch that you have selected. Also, a pop-up is displayed on the bottom-right corner of the page with the options View Config, Edit Config, and Express Config. Go to step 6.
3. Search for a switch by entering a search query in the Contextual Search Engine field. For more information about search queries, see Using Device Search on AOS-CX.
4. In the Devices table, select one or more switches by clicking the corresponding rows. A pop-up is displayed on the bottom-right corner of the page with the options View Config, Edit Config, or Express Config.
5. Click Express Config. The Express Config (N) window is displayed, where N represents the number of switches selected.
6. Select the required feature from the drop-down. The following features are supported:
   - Device Profile
   - Network Analytics Engine
7. Configure the following parameters corresponding to the selected feature:

Table 123: Device Profile Parameters

Enable
  Description: Enables or disables the device profile configuration on the switches.
  Value: Select or clear the check box.

Profile Name
  Description: Name of the device profile.
  Value: This field is pre-configured and cannot be edited.

VLAN Mode
  Description: VLAN mode for the device profile. Depending on the VLAN mode, configure one of the following:
  - Access:
    - Access vlan: ID of the access VLAN.
  - Trunk:
    - Native vlan: ID of the native VLAN.
    - Allowed vlan list: A single VLAN ID or a range of allowed VLAN IDs.
  Value: Integer in the range 1 to 4094.

PoE Priority
  Description: PoE priority for the device.
  Value: Low, High, Critical

Allow Jumbo frames
  Description: Enables or disables processing of jumbo frames by the switches.
  Value: Select or clear the check box.
Table 124: Network Analytics Engine Parameters

NAE Script Name
  Description: Name of the NAE script. You can also configure the agent parameters. The following NAE scripts are supported:
  - software_device_health_monitor.1.6: Monitors overall software device health.
  - hardware_device_health_monitor.1.6: Monitors overall hardware device health.
  - application_health_monitor.1.1: Monitors application health using TCP SYN and ACK packets, and VoIP IP SLA sessions.
  - network_health_monitor.1.3: Monitors the overall network health of the device.
  - stp_health_monitor.3.1: Monitors the health of ports that are involved in the spanning tree protocol.

8. Click Save.

You can view the express configuration that you apply in the Configuration Status page if the Auto-Commit state is off, or in the View Config page if the Auto-Commit state is on. For more information on viewing the pending changes, local overrides, and the configuration status, see Using Configuration Status on AOS-CX.

Using Configuration Status on AOS-CX

Aruba Central (on-premises) provides an audit dashboard for reviewing configuration changes for the AOS-CX switches provisioned in UI groups. The Configuration Status page displays the configuration status of the switches, pending changes, and local overrides present in the AOS-CX switches. It also provides options to push uncommitted changes to the switches.

To view and commit the configuration changes, complete the following steps:
1. In the Network Operations app, select one of the following options:
   - To select a group in the filter:
     a. Set the filter to a group. The dashboard context for the group is displayed.
     b. Under Manage, click Devices > Switches.
     c. Click the AOS-CX or Config icon to view the AOS-CX switch configuration dashboard.
   - To select a switch:
     a. Set the filter to Global or a group containing at least one switch.
     b. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
     c. Click an AOS-CX switch under Device Name. The dashboard context for the switch is displayed.
     d. Under Manage, click Device. The AOS-CX UI configuration page is displayed.
2. Click Configuration Status. The Configuration Status page is displayed with details about the configuration status of AOS-CX switches. The page displays the following information at the group and device levels:
   - At the group level:
     - Auto-commit Changes State section: Click a number to view the corresponding results filtered in the Auto Commit State column in the Switches table.
       - Devices auto-commit state: Count of switches that have the auto-commit state on and off.
     - Configuration Issues section: Click a number to view the corresponding results filtered in the Config Status column in the Switches table.
       - Pending changes: Count of switches that have configuration changes that are pending commitment to the switch.
       - Configuration errors: Count of switches for which errors in the pending configuration caused an attempted commit to fail.
       In the Config Status column, click the link corresponding to the status to view the pending changes in a configuration, or the Error - Configuration conflicts link to view any issues in a pending configuration. For more information, see Viewing and Committing Configuration Issues and Pending Changes at the Group Level.
     - Local Overrides section: Click a number to view the corresponding results filtered in the Local Overrides column in the Switches table.
       - Switches with overrides: Count of switches that have device-level configuration changes.
       - Switches without overrides: Count of switches that do not have device-level configuration changes.
   - At the device level:
     - Auto-commit Changes State section: Enable or disable the auto-commit mode by moving the toggle switch to the on or off position.
       - Toggle switch in the on position: Displays a message that the configuration changes will be committed to the device immediately.
       - Toggle switch in the off position: Displays a message that the configuration changes will not be committed to the device immediately.
     - Configuration State Issues section: Displays a message defining the status of configuration on the switch. For a list of all status messages, see the description of the Config Status column in Table 125. Click the Pending Changes link to view the pending changes in a configuration, or the Error - Configuration conflicts link to view any issues in a pending configuration. For more information, see Viewing and Committing Configuration Issues and Pending Changes at the Group Level.
     - Overrides section: Displays a message to indicate whether there are any overrides in the switch configuration at the device level.
3. Click the number in the sections to apply the corresponding filter in the Switches table. The Switches table displays the following information.
   NOTE: The Switches table appears only at the group level.

Table 125: Details in the Switches Table

Name
  Description: Name of the switch.

Auto Commit State
  Description: Status of the auto commit option for the switch.
  Value: On, Off

Config Status
  Description: Status of the switch configuration between the device and Aruba Central (on-premises). The following statuses are available:
  - Error - Configuration conflicts
  - Error - Internal error
  - Error - Login pending
  - Error - Modified outside Central
  - Offline
  - Pending changes
  - Pending changes - Offline
  - Pending group configuration
  - Synchronized
  - Synchronizing

Local Overrides
  Description: Indicates whether any overrides exist in the switches.
  Value: Yes, No

Viewing and Committing Configuration Issues and Pending Changes at the Group Level

To view and commit configuration issues and pending changes in AOS-CX switches at the group level, complete the following steps:
1. To view the pending changes in a configuration, click the link corresponding to one of the following statuses in the Config Status column for the switch:
   - Error - Internal error
   - Error - Modified outside Central
   - Pending changes
   - Pending changes - Offline
   - Synchronizing
   The Pending Configuration Changes window is displayed for that switch. This window displays the running and pending configurations of the switch and lets you review the changes made in the configuration.
2. Click one of the following buttons depending on the status:
   - Commit Now: Displayed only when the user has modify permissions for the group, and when the auto-commit state is off and there are pending changes but no errors. Click this button to push the pending changes to the switch.
   - Close: Click this button to close the Pending Configuration Changes window without modifying the switch configuration.
3. To view issues with a pending configuration, click the Error - Configuration conflicts link in the Config Status column for the switch. The Configuration Conflicts window is displayed for that switch. This window displays a description for each error and the line number in the configuration file where the error has occurred.
   NOTE: The line number displayed in the Configuration Conflicts window might not be the same as in the configuration editor. You must look for the correct line in the editor by searching for the command where the error occurs.
4. Click Close.

Viewing and Committing Configuration Issues and Pending Changes at the Device Level

To view and commit configuration issues and pending changes in AOS-CX switches at the device level, complete the following steps:
1. To view the pending changes in a configuration, click the Pending Changes link in the Configuration State Issues section. The Pending Configuration Changes window is displayed for that switch. This window displays the running and pending configurations of the switch and lets you review the changes made in the configuration. If the pending changes do not have any errors, the Commit Now button is displayed, both in the Configuration State Issues section and in the Pending Configuration Changes window.
2. Click Commit Now to push the pending changes to the switch.
3. To view issues with a pending configuration, click the Error - Configuration conflicts link in the Configuration State Issues section. The Configuration Conflicts window is displayed for that switch. This window displays a description for each error and the line number in the configuration file where the error has occurred.
   NOTE: The line number displayed in the Configuration Conflicts window might not be the same as in the configuration editor. You must look for the correct line in the editor by searching for the command where the error occurs.
4. Click Close.

Managing an AOS-CX VSF Stack

A switch stack is a set of switches that are interconnected through stacking ports. By default, the first member in a stack becomes the conductor. You must configure the standby conductor manually; there is no default standby conductor. All the switches in the stack other than the conductor and standby conductor become members. The following table lists the AOS-CX switches that support stacking.
Table 126: AOS-CX Switch Stacking Support

Switch Platform | Maximum Number of Stack Members | Minimum Supported Version | Recommended Version | Supported Stack Type | Supported Configuration Group Type for Stacking (UI / Template)
AOS-CX 6200 Switch Series | 8 | 10.05.0060 | 10.07.0030 | VSF | UI and Template
AOS-CX 6300 Switch Series | 10 | 10.05.0060 | 10.07.0030 | VSF | UI and Template
AOS-CX 6300 Switch Series [JL762A] Back 2 Front Power Supply SKU only | 10 | 10.06.0001 | 10.07.0030 | VSF | UI and Template

For more information on topology and configuration of switch stacks, see the AOS-CX Virtual Switching Framework (VSF) Guide for the respective switch series.

Supported Switch Stacking Functions

The following table lists the functions supported in Aruba Central (on-premises), using UI and template configurations, based on the switch firmware versions.

Table 127: Supported Stacking Functions

Firmware versions 10.06 and earlier
  Functions supported in Aruba Central:
  - Onboarding a pre-configured AOS-CX stack
  - Pushing switch configuration from Aruba Central using UI options, MultiEdit, or templates
  - Rebooting a conductor
    NOTE: This will reboot the entire stack.

Firmware versions 10.07 and later
  Functions supported in Aruba Central:
  - Onboarding a pre-configured AOS-CX stack
  - Pushing switch configuration from Aruba Central using UI options, MultiEdit, or templates
  - Creating a stack
  - Adding a stack member
  - Removing a stack member
  - Modifying VSF links
  - Changing the secondary member
  - Rebooting a conductor
    NOTE: This will reboot the entire stack.

The other stacking-related configurations, such as replacing a conductor, replacing a standby conductor, and replacing a stack member, must be performed offline, that is, outside Aruba Central. The changes are reflected in Aruba Central. For information on these configurations, see the AOS-CX Virtual Switching Framework (VSF) Guide for the respective switch series and the ArubaOS-CX VSF Best Practices document.

General Recommendations

The following are the general recommendations to note when configuring an AOS-CX switch stack:
- To maximize available VSF link bandwidth, use the following Direct Attach Copper (DAC) cables for VSF links:
  - AOS-CX 6300 Switch Series: 50G
  - AOS-CX 6200 Switch Series: 10G
- All VSF link ports in a stack must operate at the same speed (10G, 25G, or 50G).
- For maximum stack resiliency, the conductor and secondary conductor should be the same switch models with redundant power supplies connected to different circuits. This is required to minimize the probability that a single-source power failure will disable both the stack conductor and standby.
- A secondary member must always be defined to assume the VSF standby role.
- The out-of-band management (OOBM) ports on the conductor and secondary conductor must be connected to each other, either directly or through a dedicated management network. This is required to utilize VSF split detection, which must always be enabled.

Monitoring AOS-CX Switch Stacks

See Monitoring Switches and Switch Stacks.

Viewing AOS-CX Switch Stacks in Site Topology

See Monitoring Sites in the Topology Tab.

This section contains the following topics:
- Onboarding AOS-CX VSF Stack to Aruba Central (on-premises)
- Configuring AOS-CX VSF Stacks Using UI Groups
- Configuring AOS-CX VSF Stacks Using Template Groups
- Replacing an AOS-CX VSF Stack Member
- Removing an AOS-CX VSF Stack Member Using UI
- Changing an AOS-CX VSF Stack to Standalone Switches on page 490
- Monitoring AOS-CX Switch Stacks

Onboarding AOS-CX VSF Stack to Aruba Central (on-premises)

The following figure illustrates the provisioning steps for each group type for a VSF stack.

Figure 38 Stack Provisioning Steps Per Group Type

When moving a pre-configured stack to a UI group, Aruba Central configuration at the group level will overwrite configuration on the switch.
Before moving a pre-configured stack to a UI group in Aruba Central, if you want to preserve any group-level configuration that is present on the stack, you must configure it at the group level in Aruba Central. However, since multiple stacks can be managed using the same UI group, if you do not want a particular configuration on some stacks, you must delete it at the device level in Aruba Central. For example, if you want to preserve VLANs 20 and 30 on stack1 and VLANs 40 and 50 on stack2, you must configure VLANs 20, 30, 40, and 50 at the group level in Aruba Central. After moving the stacks to the UI group, you must delete VLANs 40 and 50 on stack1 and VLANs 20 and 30 on stack2.
- Configurations supported at the group level for a stack: SNMP, Logging, Administrator, Access Control, VLANs, and other features available at the group level
- Configurations supported only at the device level for a stack: Ports & Link Aggregations, Authentication Servers, Authentication, Access Control, VLANs, Loop Prevention, and Static Routing

To onboard an AOS-CX VSF stack to Aruba Central (on-premises), complete the following steps:
1. Set up the switch stack using the Aruba CX mobile application or the CLI. This step must be performed outside Aruba Central (on-premises). For information, see ArubaOS-CX VSF Best Practices. Although this document is created for Aruba CX 6300 switches, it is also applicable to Aruba 6200 switches.
   NOTE: If you want to create a new stack with devices that are already present in Aruba Central (on-premises), you must first disconnect and delete all these devices from Aruba Central (on-premises) and then convert them as conductor, standby, and members. For information about deleting offline switches from Aruba Central (on-premises), see Deleting an Offline Switch.
2. Add and subscribe the conductor, standby conductor, and all members in the AOS-CX stack to Aruba Central (on-premises). Adding the other members to Aruba Central (on-premises) is optional. For information on adding and subscribing devices, see Onboarding Devices.
3. Create a template group or UI group for the AOS-CX VSF stack in Aruba Central (on-premises). In the template group, all user-defined template variables for the conductor and standby devices should contain the same values, to ensure template consistency after a stack failover event. For information on variables for template-based configuration, see Managing Variable Files.
4. Assign the stack members to the template group from any of the following pages:
   - Device Inventory page under Global Settings in Account Home.
   - Groups page under Maintain > Organization in the Network Operations app.
   For more information on assigning a stack, see Assigning Devices to Groups. You can move a stack across different UI groups or template groups.
5. To push switch configurations to the conductor and members in the AOS-CX VSF stack from Aruba Central (on-premises), use one of the following ways:
   - Template group: Create a configuration template in the template group for the AOS-CX VSF stack in one of the following ways:
     - Copy the output of the show running config command of the AOS-CX VSF stack from the conductor and paste it in the template. Ensure that you update the password in plaintext.
     - Use the Import Configuration As Template option. The switches must be running AOS-CX 10.06 or a later version.
   - UI group: Use UI options and MultiEdit mode in the AOS-CX switch configuration dashboard. Before moving the stack to a UI group in Aruba Central (on-premises), save the output of the show running config command from the conductor. This is required to restore or apply any configuration that might be lost because of the group-level overwrite of configuration. You can apply this configuration after moving the stack to the UI group using the Edit Config option in the MultiEdit mode. The UI options and MultiEdit mode are available only when the AOS-CX VSF stacks are added to a UI group. For more information, see Configuring AOS-CX Switches in UI Groups.
   - In Aruba Central (on-premises), select the serial number of the conductor switch to push switch configuration to the conductor, standby conductor, and all members in the stack.
   - Port-specific configurations such as Ports & Link Aggregations, Authentication Servers, Authentication, Access Control, VLANs, Loop Prevention, and Static Routing can be configured on stack members only at the device level.
   - It is not recommended to perform any stacking-related configurations, such as setting up a stack, using the MultiEdit mode.
6. To make stack-topology changes, use one of the following ways:
   - Template group: Update the configuration template in the template group for the AOS-CX VSF stack.
   - UI group: Use the VSF Stacking page in the AOS-CX configuration dashboard. The UI options are available only at the group level. This step is applicable only for switches running AOS-CX 10.07 or later firmware versions.

Configuring AOS-CX VSF Stacks Using UI Groups

You can create VSF stacks, add stack members, modify VSF links, change the standby conductor, and remove stack members through the UI. Stacks can be configured only at the group level.

To create and manage stacks through the UI, ensure that the following prerequisites are met:
- All switches in the VSF stack are added to the device inventory and assigned a license.
- All switches in the VSF stack are set to the factory default configuration.
- All switches in the VSF stack are running 10.07 or later firmware versions.
- All switches in the VSF stack are of the same switch series. Stacks cannot be created with a mixed set of switches. The stacks must be made up of either only 6200 or only 6300 switches.
- Members in the VSF stack other than the conductor should not have uplink connectivity. Otherwise, auto-stacking will not work.
- Before creating a stack, only the conductor must be moved to the UI group. All other stack members will be automatically moved to the UI group once the stack is created.
- For auto-stacking to work, the switches should be connected in the direction of the higher denomination port to the lower denomination port. The following ports are reserved for auto-stacking:
  - 24-port switch models: Ports 25 and 26
  - 48-port switch models: Ports 49 and 50
  For more information on auto-stacking configuration, refer to the AOS-CX Virtual Switching Framework (VSF) Guide.

For more information, see the following topics:
- Creating an AOS-CX VSF Stack Using UI
- Adding a Stack Member Using UI
- Modifying VSF Links Using UI
- Changing the Standby Conductor Using UI
- Removing an AOS-CX VSF Stack Member Using UI

Creating an AOS-CX VSF Stack Using UI

In Aruba Central (on-premises), you can create a VSF stack by selecting and configuring the conductor switch through the UI. Before creating a stack, you must physically connect the members of the stack in the chain or ring topology on the ports reserved for auto-stacking. For auto-stacking to work, the members should be connected in the direction of the higher denomination port to the lower denomination port. The following ports are reserved for auto-stacking:
- 24-port switch models: Ports 25 and 26
- 48-port switch models: Ports 49 and 50

Auto-stacking peer discovery is a uni-directional process. It starts with the VSF link containing the higher denomination VSF port. Member discovery starts on the higher-numbered port for each member in line.
For a three-member stack in a ring topology, cable it as follows for auto-stacking to work:
- Connect port 50 of member 1 to port 49 of member 2.
- Connect port 50 of member 2 to port 25 of member 3.
- Connect port 26 of member 3 to port 49 of member 1.
For more information on auto-stacking configuration, refer to the AOS-CX Virtual Switching Framework (VSF) Guide. The stack can be created only at the group level.

To create an AOS-CX VSF stack, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one switch.
2. Under Manage, click Devices > Switches.
3. Click the AOS-CX or Config icon to view the switch configuration dashboard.
4. Click System > Stacking. The VSF Stacking page is displayed with a list of stacks.
5. In the VSF Stacking table, click + to create a stack. The Create VSF Stack page is displayed.
6. Configure the following parameters:

Table 128: Create VSF Stack
- Switch Series: The switch platform for the VSF stack. Value: 6200 or 6300.
- Conductor: The conductor switch of the stack. Value: select the switch from the drop-down.
- Link 1 port(s): One or more port numbers for the first VSF link, separated by commas. Default values: 25 on 24-port switch models, 49 on 48-port switch models.
- Link 2 port(s): One or more port numbers for the second VSF link, separated by commas. Default values: 26 on 24-port switch models, 50 on 48-port switch models.
- Split Mode detect: Whether VSF split detection is enabled. When enabled, during a split the fragment that contains the conductor becomes the active fragment and keeps its front-plane (non-VSF) interfaces up; the other fragment becomes inactive and all non-VSF interfaces on it are brought down to avoid network disruption. Value: select the check box to enable, clear it to disable.

NOTE: It is recommended to enable Split Mode detect during stack creation. Also ensure that the management interfaces of both the conductor and the standby conductor are connected, because split detection runs over the management interface (vsf split-detect mgmt).

7. Click Save. The new stack is displayed in the Stacking table with the conductor switch. Stack creation may take up to 10 minutes. Use the Configuration Audit page to verify the status of stack formation. To monitor switch stacks and troubleshoot stack-related errors, select the conductor switch of the stack from the Devices list and navigate to the LAN > Ports tab. For more information, see Monitoring AOS-CX Switch Stacks.

Editing the Conductor

To edit the conductor, point to the row for the conductor and click the edit icon. You can edit only the following parameters:
- Split Mode detect. This parameter is available only for the conductor.
- Link 1 Port(s) and Link 2 Port(s). For more information on changing the VSF links, see Modifying VSF Links Using UI.

Removing a Stack

To remove a stack, point to the stack you want to remove and click the delete icon. In the VSF Stacking page, you can delete a stack only in the following scenarios:
- There is only one member in the stack.
- All stack members except the conductor are down.
A stack cannot be deleted while its members are online. To remove a stack with more than one member, remove the members individually, one at a time, starting from the last member in the stack. For more information, see Removing an AOS-CX VSF Stack Member Using UI.
- Deleting the stack from the VSF Stacking page removes the VSF stacking configuration from the conductor. Once the stack is deleted, the conductor reboots and moves to the unprovisioned group as a standalone device.
- The conductor cannot be deleted as an individual member.

Adding a Stack Member Using UI

In Aruba Central (on-premises), you can add and configure members through the UI.
Before adding a stack member, check the Switch > LAN > Ports tab in the switch dashboard for any errors in the stack. For more information, see Monitoring AOS-CX Switch Stacks.

If you are onboarding a pre-configured stack, or the stack was formed through auto-stacking, you do not need to add members through the UI. Aruba Central (on-premises) automatically syncs the configuration present on the switch and displays the members in the VSF Stacking table.

To add a switch to a stack as a new member, complete the following steps:
1. In the Network Operations app, set the filter to a group containing at least one switch.
2. Under Manage, click Devices > Switches.
3. Click the AOS-CX or Config icon to view the switch configuration dashboard.
4. Click System > Stacking. The VSF Stacking page is displayed with a list of stacks.
5. Expand the stack to which you want to add a member. The table shows the members of that stack.
6. Point to the row for the stack and click + in the VSF Stacking table. The Add Stack Member page is displayed.
7. Configure the following parameters:

Table 129: Add Member
- Member ID: The identification number of the member in the stack. This field is auto-generated and the value increments by 1. Value: integer.
- Standby conductor: The standby conductor of the stack. By default, the second member is selected as the standby conductor.
- Switch Series: The switch platform of the member. This field is auto-generated from the conductor's series, because a stack cannot mix series: it must consist of only 6200 switches or only 6300 switches. Value: 6200 or 6300.
- Device: The device model of the switch. Value: select from the drop-down.
- Link 1 Port(s): One or more port numbers for the first VSF link, separated by commas. Default values: 25 on 24-port switch models, 49 on 48-port switch models.
- Link 2 Port(s): One or more port numbers for the second VSF link, separated by commas. Default values: 26 on 24-port switch models, 50 on 48-port switch models.

8. Click Save. The newly added member is displayed in the VSF Stacking table. It may take up to 10 minutes for the new member to join the stack. Expand the stack to see the member and its status. Use the Configuration Audit page to verify the status of stack formation, and the Ports tab in the switch dashboard to monitor and troubleshoot the stack. For more information, see Monitoring AOS-CX Switch Stacks.

Editing a Stack Member

To edit a stack member, point to the row for the member and click the edit icon. You can edit only the following parameters:
- Standby conductor
- Link 1 Port(s) and Link 2 Port(s)
For more information, see Changing the Standby Conductor Using UI and Modifying VSF Links Using UI.

Modifying VSF Links Using UI

You can modify the VSF ports of the VSF links through the UI only when the admin status of those ports in the Ports & Link Aggregations page and their operational status in the switch details page are down. To change the VSF links of a stack, complete the following steps:
1. Set the filter to Global or to the group containing the stack.
2. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
3. Select the conductor switch of the stack whose links you want to modify and navigate to the Ports & Link Aggregations page.
4. Select the VSF ports that you want to modify and click the edit icon.
5. In the Edit Ports page, clear the Admin Up check box to shut down the port.
6. Remove the physical VSF links from the ports that need to be modified.
7. Reconnect the physical links to the ports as required.
8. At the group level, navigate to the VSF Stacking page, expand the stack, point to the member whose links you want to modify, and click the edit icon.
9. In the Edit Stack Member window, modify the VSF links as required.
You cannot edit the VSF links while the ports are up. Do not modify both Link 1 port(s) and Link 2 port(s) at the same time; otherwise the stack might break. Before modifying VSF links, power down all non-standby members that are connected to the member you are going to modify. This prevents those members from entering recovery mode after the repeated reboots they would go through while disconnected.

Changing the Standby Conductor Using UI

You can change the standby conductor of the stack through the UI. To change the standby conductor of a VSF stack, complete the following steps:
1. In the VSF Stacking page, expand the stack whose standby conductor you want to change.
2. Point to the row for the member that you want to make the standby conductor and click the edit icon.
3. In the Edit Stack Member page, select the Standby conductor check box. A confirmation window is displayed.
4. Click OK. Both the existing standby conductor and the new standby conductor reboot. After rebooting, the selected member joins the stack as the new standby conductor.
5. Click Save.

Removing an AOS-CX VSF Stack Member Using UI

You can remove a member from an AOS-CX VSF stack in Aruba Central (on-premises) only when the member is offline. The procedure involves steps both inside and outside Aruba Central (on-premises), and it varies with the switch firmware version.

Switches running AOS-CX 10.07 or later versions

If your switches are running AOS-CX 10.07 or later, complete the following procedure:
1. Shut down the member in the stack.
2. Disconnect the physical VSF links from the member. Otherwise, the switch will reboot and rejoin the stack through auto-stacking.
3. Reconnect the physical links as desired.
4. In Aruba Central (on-premises), navigate to the VSF Stacking page and complete the following steps:
   a. Expand the stack from which you want to delete the member.
   b. Point to the row for the member you want to delete and click the delete icon. A confirmation window is displayed.
   c. Click Delete. The member is removed from the VSF Stacking table.
- The removed member must be reset to the factory-default configuration before it is connected to Aruba Central (on-premises) again.
- The conductor cannot be deleted as an individual member.

Switches running AOS-CX 10.06 or earlier versions

If your switches are running AOS-CX 10.06 or earlier, complete the following procedure:
1. Disable Aruba Central (on-premises) from the switch CLI. Execute these commands only on the conductor of the stack.
   switch# configure
   switch(config)# aruba-central
   switch(config-aruba-central)# disable
2. Wait for the stack to display as offline in the List view. It may take up to five minutes for the stack to appear offline in Aruba Central (on-premises).
3. Delete the stack from the template group or UI group in Aruba Central (on-premises). See Deleting an Offline Switch.
4. Remove the member from the VSF stack in the switch CLI. For example, in a three-member stack, run the following commands to remove member 3:
   switch# configure
   switch(config)# no vsf member 3
   The specified switch will be unconfigured and rebooted
   Do you want to continue (y/n)? y
- When a member other than the conductor is removed from the stack, that member reboots as a standalone switch with its configuration reset to factory default. The stack continues with the conductor and the remaining members.
- When the conductor itself is removed from the stack, the conductor reboots as a standalone switch with its configuration reset to factory default, and the standby takes over the conductor role in the stack.
5. Disconnect the physical VSF links from the member.
6. In the case of a template group, update the template in Aruba Central (on-premises) with the configuration of the remaining stack.
7. Enable Aruba Central (on-premises) from the switch CLI. If this does not work, run the https-server session close all command.
   switch(config-aruba-central)# enable
   OR
   switch# https-server session close all
8. In the case of a UI group, after enabling Aruba Central (on-premises), complete the following steps. Before moving the stack to the UI group, save the output of the show running-config command from the conductor; the group-level configuration overwrites the device configuration, and the saved output is what you use to restore anything that is lost. After the move, apply it with the Edit Config option in MultiEdit mode.
   a. Move the stack to the UI group.
   b. Paste the running configuration of the conductor, saved before the move, in MultiEdit mode using the Edit Config option.
   c. Save the running configuration.
9. Add and subscribe the remaining members of the AOS-CX stack to Aruba Central (on-premises).

Configuring AOS-CX VSF Stacks Using Template Groups

You can create VSF stacks, add stack members, remove stack members, modify VSF links and change the standby conductor through the template. To create and manage stacks through the template, ensure that the following prerequisites are met:
- All switches in the VSF stack are added to the device inventory and assigned a valid subscription.
- All switches in the VSF stack are at the factory-default configuration.
- All switches in the VSF stack are running AOS-CX 10.07 or later.
- All switches in the VSF stack are of the same switch series.
- Members of the VSF stack other than the conductor have no uplink connectivity. Otherwise, auto-stacking will not work.
- The vsf member 1 line must be present in the configuration template for stackable AOS-CX switches running 10.07 or later. It is required to apply configuration to the switches, and it cannot be removed from the template.

For more information, see the following topics:
- Creating an AOS-CX Stack Using Template
- Adding a Stack Member Using Template
- Modifying VSF Links Using Template
- Changing the Standby Conductor Using Template
- Removing a Stack Member Using Template
- Removing a Stack Using Template

Creating an AOS-CX Stack Using Template

In Aruba Central (on-premises), you can create stacks through the template. Before creating a stack, physically connect the members of the stack in a chain or ring topology on the ports reserved for auto-stacking. For auto-stacking to work, each member must be connected from its higher-numbered reserved port to the lower-numbered reserved port of the next member. The following ports are reserved for auto-stacking:
- 24-port switch models: ports 25 and 26
- 48-port switch models: ports 49 and 50
Auto-stacking peer discovery is uni-directional. It starts with the VSF link that contains the higher-numbered VSF port, and member discovery starts on the higher-numbered port of each member in line. For a three-member stack in a ring topology, cable it as follows for auto-stacking to work:
- Connect port 50 of member 1 to port 49 of member 2.
- Connect port 50 of member 2 to port 25 of member 3.
- Connect port 26 of member 3 to port 49 of member 1.
For more information on VSF configuration, refer to the AOS-CX Virtual Switching Framework (VSF) Guide.
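The cabling rule and the three-member ring above (the same rule and example appear in the UI section, Creating an AOS-CX VSF Stack Using UI) can be checked on paper before anyone touches a switch. The following Python script is an added example, not part of this guide or of Aruba's software, and it does not talk to any device: it encodes the reserved-port rule and the higher-to-lower direction rule exactly as stated above, reports a port that carries two cables, and classifies the wiring as a ring or a chain. The member sizes and cable lists are constructed; the ring is the one described above, and the second list is the same ring with one cable leaving member 2 on the wrong port.

```python
"""Check VSF auto-stacking cabling against the rules stated in this guide.

Added example; this is not Aruba code and does not talk to any switch.
It encodes two rules from the text above: only the reserved ports are used
(25/26 on 24-port models, 49/50 on 48-port models), and every cable runs from
the higher-numbered reserved port of one member to the lower-numbered reserved
port of the next member. The member sizes and cable lists are constructed
inputs; the three-member ring is the one described in the guide.
"""
from collections import Counter
from typing import Dict, List, NamedTuple

# Reserved auto-stacking ports per model size (from the guide).
RESERVED_PORTS = {24: (25, 26), 48: (49, 50)}


class Cable(NamedTuple):
    """One physical VSF cable, read in the direction of peer discovery."""
    src_member: int
    src_port: int
    dst_member: int
    dst_port: int


def check_cabling(sizes: Dict[int, int], cables: List[Cable]) -> List[str]:
    """Return rule violations as text; an empty list means the cabling is acceptable."""
    problems = []
    for c in cables:
        ends = (("source", c.src_member, c.src_port),
                ("destination", c.dst_member, c.dst_port))
        for side, member, port in ends:
            if member not in sizes:
                problems.append(f"{c}: unknown member {member}")
                continue
            low, high = RESERVED_PORTS[sizes[member]]
            if port not in (low, high):
                problems.append(f"{c}: {side} port {port} on member {member} "
                                f"is not an auto-stacking port ({low}/{high})")
            elif side == "source" and port != high:
                problems.append(f"{c}: cable must leave member {member} on its "
                                f"higher reserved port {high}, not {port}")
            elif side == "destination" and port != low:
                problems.append(f"{c}: cable must enter member {member} on its "
                                f"lower reserved port {low}, not {port}")
    # A physical port can carry only one cable.
    used = Counter((c.src_member, c.src_port) for c in cables)
    used.update((c.dst_member, c.dst_port) for c in cables)
    for (member, port), count in sorted(used.items()):
        if count > 1:
            problems.append(f"port {port} on member {member} is used by {count} cables")
    return problems


def topology(sizes: Dict[int, int], cables: List[Cable]) -> str:
    """Classify the wiring as 'ring', 'chain' or 'invalid'.

    Every member must be reached by one walk along the cables: a ring returns
    to its start, a chain ends at a member with no outgoing cable.
    """
    members = set(sizes)
    outgoing = Counter(c.src_member for c in cables)
    incoming = Counter(c.dst_member for c in cables)
    if not cables or any(outgoing[m] > 1 or incoming[m] > 1 for m in members):
        return "invalid"
    nxt = {c.src_member: c.dst_member for c in cables}
    heads = [m for m in members if incoming[m] == 0]
    start = heads[0] if heads else min(members)
    seen, cur = [], start
    while cur is not None and cur not in seen:
        seen.append(cur)
        cur = nxt.get(cur)
    if set(seen) != members:
        return "invalid"  # some member is never reached
    if cur == start and len(cables) == len(members):
        return "ring"
    if cur is None and len(cables) == len(members) - 1:
        return "chain"
    return "invalid"


# Constructed inputs: members 1 and 2 are 48-port models, member 3 is a 24-port model.
SIZES = {1: 48, 2: 48, 3: 24}
# The ring from the guide: 1:50 -> 2:49, 2:50 -> 3:25, 3:26 -> 1:49.
RING = [Cable(1, 50, 2, 49), Cable(2, 50, 3, 25), Cable(3, 26, 1, 49)]
# Same ring, but the second cable leaves member 2 on its lower port 49.
REVERSED = [Cable(1, 50, 2, 49), Cable(2, 49, 3, 25), Cable(3, 26, 1, 49)]

if __name__ == "__main__":
    for name, cables in (("ring", RING), ("reversed", REVERSED)):
        print(name, topology(SIZES, cables), check_cabling(SIZES, cables) or "ok")
```

The REVERSED list is still a closed ring, so a topology check alone passes it; check_cabling flags the second cable because it leaves member 2 on port 49, its lower reserved port, which is the direction error that stops auto-stacking discovery, and it also reports that port 49 on member 2 now carries two cables.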
To create a stack using the template, complete the following steps:
1. In Aruba Central (on-premises), assign the switches to the template group from either of the following pages:
- Device Inventory page under Global Settings in Account Home.
- Groups page under Maintain > Organization in the Network Operations app.
For more information on assigning a stack, see Assigning Devices to Groups.
2. Create a configuration template in the template group for the AOS-CX VSF stack. The following sample VSF configuration template snippet is for a three-member stack. It is recommended to configure the VSF split-detection method in the template during stack creation, and to connect the management interfaces of both the conductor and the standby conductor, since split detection runs over the management interface. With split detection configured, during a split the fragment that contains the conductor becomes the active fragment and keeps its front-plane (non-VSF) interfaces up; the other fragment becomes inactive and all non-VSF interfaces on it are brought down to avoid network disruption.
   vsf split-detect mgmt
   vsf secondary-member 2
   vsf member 1
       type jl660a
       link 1 1/1/26
       link 2 1/1/25
   vsf member 2
       type jl664a
       link 1 2/1/25
       link 2 2/1/26
   vsf member 3
       type jl664a
       link 1 3/1/25
       link 2 3/1/26
3. Save the template.
4. Connect the uplink to the switch that should act as the conductor. The switch connects to Aruba Central (on-premises) as a standalone device and is added to the assigned template group. Once the switch is in the template group, Aruba Central (on-premises) pushes the template group configuration to it. After the configuration is pushed, each remaining switch in the stack, starting with the second, reboots automatically and joins the stack one after another. Each member may take up to 10 minutes to join.
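Before saving a template like the one in step 2, it is worth checking it against the rules this page states: the vsf member 1 line must be present, the secondary member must be a configured member, split detection is recommended, each link should be on the member's own reserved auto-stacking ports, and any password line copied from show running-config must be converted to plaintext. The following Python linter is an added example, not part of this guide or of Aruba's software. It assumes the AOS-CX interface naming member/slot/port and a user line of the form user <name> group <group> password ciphertext|plaintext <value>; the sample template is constructed, with a placeholder ciphertext value and a deliberately wrong second link on member 3.

```python
"""Lint a VSF configuration template against the rules stated in this guide.

Added example, not Aruba's code: it runs offline on template text and checks
the points made on this page. The 'vsf member 1' line must be present, the
standby conductor (vsf secondary-member) must be a configured member, the
split-detection method is recommended, each VSF link should name a reserved
auto-stacking port on the member's own interfaces (AOS-CX interface names are
member/slot/port), and a password line copied from 'show running-config' in
ciphertext form must be replaced with plaintext before the template is used.
The sample template below is constructed; the ciphertext value and the user
line are placeholders in AOS-CX style, not real configuration.
"""
import re
from typing import Dict, List

RESERVED_PORTS = {25, 26, 49, 50}  # default auto-stacking ports (24- and 48-port models)

MEMBER_RE = re.compile(r"^vsf member (\d+)$")
LINK_RE = re.compile(r"^link ([12]) (\d+)/(\d+)/(\d+)$")


def parse_vsf(template: str) -> Dict:
    """Extract the VSF stanzas from a template; other commands are ignored."""
    cfg = {"split_detect": None, "secondary": None, "members": {}}
    current = None  # member block we are inside, if any
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = MEMBER_RE.match(line)
        if m:
            current = int(m.group(1))
            cfg["members"][current] = {"type": None, "links": {}}
            continue
        lm = LINK_RE.match(line)
        if line.startswith("vsf split-detect "):
            cfg["split_detect"] = line.split()[2]
            current = None
        elif line.startswith("vsf secondary-member "):
            cfg["secondary"] = int(line.split()[2])
            current = None
        elif current is not None and line.startswith("type "):
            cfg["members"][current]["type"] = line.split()[1]
        elif current is not None and lm:
            member_no, slot, port = (int(g) for g in lm.groups()[1:])
            cfg["members"][current]["links"][int(lm.group(1))] = (member_no, slot, port)
        else:
            current = None  # any other command ends the member block
    return cfg


def lint_template(template: str) -> List[str]:
    """Return findings as 'error: ...' / 'warning: ...' strings; empty means clean."""
    cfg = parse_vsf(template)
    members = cfg["members"]
    findings = []
    if 1 not in members:
        findings.append("error: 'vsf member 1' is missing; the template cannot be applied without it")
    if cfg["secondary"] is None:
        findings.append("warning: no 'vsf secondary-member' line, so no standby conductor is configured")
    elif cfg["secondary"] not in members:
        findings.append(f"error: secondary member {cfg['secondary']} is not a configured member")
    if cfg["split_detect"] != "mgmt":
        findings.append("warning: 'vsf split-detect mgmt' is recommended during stack creation")
    for mid, member in sorted(members.items()):
        if member["type"] is None:
            findings.append(f"error: member {mid} has no 'type' line")
        for link_id, (member_no, slot, port) in sorted(member["links"].items()):
            if member_no != mid:
                findings.append(f"error: member {mid} link {link_id} uses interface "
                                f"{member_no}/{slot}/{port}, which belongs to member {member_no}")
            if port not in RESERVED_PORTS:
                findings.append(f"warning: member {mid} link {link_id} port {port} is not a "
                                "default auto-stacking port (25/26 or 49/50)")
    for lineno, line in enumerate(template.splitlines(), 1):
        tokens = line.split()
        if "password" in tokens and "ciphertext" in tokens:
            findings.append(f"error: line {lineno} still has the ciphertext password copied "
                            "from the running configuration; the template needs it in plaintext")
    return findings


# Constructed sample: the user line is a placeholder, and member 3's second
# link deliberately points at an interface of member 2.
SAMPLE_TEMPLATE = """\
user admin group administrators password ciphertext PLACEHOLDER-COPIED-FROM-RUNNING-CONFIG
vsf split-detect mgmt
vsf secondary-member 2
vsf member 1
    type jl660a
    link 1 1/1/26
    link 2 1/1/25
vsf member 2
    type jl664a
    link 1 2/1/25
    link 2 2/1/26
vsf member 3
    type jl664a
    link 1 3/1/25
    link 2 2/1/26
"""

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run on the sample, the linter reports two errors: the ciphertext password line, and member 3's second link pointing at 2/1/26. Replacing the password with its plaintext form and the link with 3/1/26 yields an empty finding list. The plaintext requirement cuts both ways: once a template passes this check it contains a usable credential, so template access in Aruba Central (on-premises) should be limited to the people who need it.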
If the switch is not assigned to any group, it is added to the default group or the unprovisioned group: a factory-default switch is added to the default group and a non-factory-default switch to the unprovisioned group. You can verify the serial number of the switch once it is onboarded and move the switch to the template group as required.
5. Verify the status of the stack formation using the switch monitoring pages. For more information, see Switch > Overview > Summary and Monitoring AOS-CX Switch Stacks.

Adding a Stack Member Using Template

In Aruba Central (on-premises), you can add and configure members through the template. Before adding a stack member, check the stack faceplate in the Switch > LAN > Ports tab of the switch dashboard for any errors in the stack. For more information, see Monitoring AOS-CX Switch Stacks. To add a stack member through the template, complete the following steps:
1. In Aruba Central (on-premises), add the member to the device inventory and assign a valid license. Make sure that the new member has no uplink connectivity to Aruba Central (on-premises).
2. In Aruba Central (on-premises), update the template with the VSF configuration and interface configurations of the new member. For example, to add a third member to a two-member VSF stack, add the third member's VSF configuration to the template as shown in the following snippet:
   vsf member 3
       type jl664a
       link 1 3/1/25
       link 2 3/1/26
3. Save the template. Once the configuration is pushed to the conductor, the new member reboots and joins the stack.
4. Physically connect the member on the ports reserved for auto-stacking, from the higher-numbered reserved port to the lower-numbered reserved port. The member may take up to 10 minutes to join the stack.
5. Verify the status of the member addition using the switch monitoring pages. For more information, see Switch > Overview > Summary and Monitoring AOS-CX Switch Stacks.

Modifying VSF Links Using Template

You can modify VSF links through the template only when the VSF interfaces of all switches in the stack are in the shutdown state. To modify VSF links using the template, complete the following steps:
1. In the Aruba Central (on-premises) template, use a variable to hold the shutdown state of the VSF interfaces of all switches in the stack.
2. Push the template with the interface-state variable set to shutdown for the devices and wait for the links to go down.
3. Change the links in the template as required.
4. Set the variable back to no shutdown for the switches in the stack and save the template.

Changing the Standby Conductor Using Template

To change the standby conductor using the template, update the vsf secondary-member <ID> line in the Aruba Central (on-premises) template. For example, to change the standby conductor from member 2 to member 3, change the line from vsf secondary-member 2 to vsf secondary-member 3 and save the template. Both the existing standby conductor and the new standby conductor reboot. After rebooting, member 3 joins the stack as the new standby conductor and the earlier standby conductor becomes an ordinary member of the stack.

Removing a Stack Member Using Template

You can remove a stack member using the template. The procedure involves steps both in Aruba Central (on-premises) and on the switch directly. To remove a stack member using the template, complete the following steps:
1. Shut down the member in the stack.
2. Disconnect the physical VSF links from the member you want to remove.
3. Reconnect the physical links of the remaining members in the ring or chain topology.
4. In the Aruba Central (on-premises) template, delete the VSF configuration and interface configurations of the member.
5. Save the template. Once the configuration is pushed to the conductor, the member is removed from the stack.
6. Verify the status of the member deletion using the switch monitoring pages. For more information, see Switch > Overview > Summary and Monitoring AOS-CX Switch Stacks.
Member 1 of the stack cannot be removed from the template.

Removing a Stack Using Template

You can remove a stack using the template. The procedure involves steps both in Aruba Central (on-premises) and on the switch directly. To remove a stack using the template, complete the following steps:
1. In Aruba Central (on-premises), set the Auto Commit State to OFF in the Configuration Audit page.
2. Shut down all members of the stack.
3. Remove all physical VSF links from the members of the stack.
4. Run the erase all zeroize command in the switch CLI on every switch in the stack. Each switch reboots, rolls back to factory defaults and connects back to Aruba Central (on-premises) as a standalone device.
5. In Aruba Central (on-premises), set the Auto Commit State to ON in the Configuration Audit page. Once the configuration is pushed, the stack is removed from Aruba Central (on-premises).

Replacing an AOS-CX VSF Stack Member

You can replace the conductor, the standby or any other member of the stack with a switch of the same part number or a different part number. These configurations must be performed directly on the switch through the switch CLI, outside Aruba Central (on-premises). Configuration performed directly on the switch is synced to Aruba Central (on-premises).
- Switches Running AOS-CX 10.07 or Later Versions
  - Same Part Number
    - Replacing the Conductor
    - Replacing the Standby or Other Members
  - Different Part Number
    - Replacing the Conductor
    - Replacing the Standby or Other Members
- Switches Running AOS-CX 10.06 or Earlier Versions
  - Replacing the Conductor
  - Replacing the Standby or Other Members

Switches Running AOS-CX 10.07 or Later Versions

The replacement switch must be at the factory-default configuration and running the same firmware version as the stack. Also ensure that the new switch is added and licensed in Aruba Central (on-premises).

Same Part Number

The following procedures replace the conductor, the standby or any other member with a switch of the same part number.

Replacing the Conductor

To replace the conductor of the VSF stack, complete the following steps:
1. Shut down the conductor member of the stack.
2. Wait for the standby member to become the conductor.
3. Replace the conductor switch.
4. Move the VSF links from the old conductor to the new conductor.
5. Power up the new conductor switch.
6. Switch over to the new conductor in the switch CLI.
7. Verify the status of the stack in the switch monitoring pages. For more information, see Switch > Overview > Summary and Monitoring AOS-CX Switch Stacks.

Replacing the Standby or Other Members

To replace the standby or any other member of the VSF stack, complete the following procedure:
1. Shut down the member in the stack.
2. Replace the old member and renumber the new member with the vsf renumber-to command. For example, if the member ID of the old member was 2, renumber the new VSF member to 2.
3. Move the VSF link DAC cables from the old member to the new member.
4. Verify the status of the stack in the switch monitoring pages. For more information, see Switch > Overview > Summary and Monitoring AOS-CX Switch Stacks.
Different Part Number

The following procedures replace the conductor, the standby or any other member with a switch of a different part number. In the case of template groups, the following actions are required:
- Before replacing any stack member, set the Auto Commit State to OFF in the Configuration Audit page.
- After replacing any stack member:
  1. In Aruba Central (on-premises), update the template with the new VSF configuration.
  2. Set the Auto Commit State to ON in the Configuration Audit page.

Replacing the Conductor

To replace the conductor of the VSF stack, complete the following steps:
1. If Aruba Central (on-premises) support mode is disabled, run the following command in the switch console to enable it:
   aruba-central support-mode
2. Power off the conductor. The standby conductor takes over as conductor. Make sure Aruba Central (on-premises) reflects this failover.
3. Remove the VSF links from the old conductor.
4. Delete the old conductor from the VSF stack in the switch CLI with no vsf member <MEMBER-ID>. All configuration associated with the member, including its subsystems and interfaces, is removed as well.
5. Replace the conductor and wait for the member to come up.
6. Configure the new conductor in the switch CLI with the vsf member <MEMBER-ID> command.
7. Connect the VSF links to the new conductor.
8. Switch over to the new conductor in the switch CLI.
9. In the case of a template group, update the template in Aruba Central (on-premises) with the new part number and the interface configurations of the new conductor.
10. In the switch console, run the following command to disable Aruba Central (on-premises) support mode:
    no aruba-central support-mode
11. Verify the status of the stack in the switch monitoring pages. For more information, see Switch > Overview > Summary and Monitoring AOS-CX Switch Stacks.
Replacing the Standby or Other Members

To replace the standby or any other member of the VSF stack, complete the following procedure:
1. If Aruba Central (on-premises) support mode is disabled, run the following command in the switch console to enable it:
   aruba-central support-mode
2. Reset the replacement member to the factory-default configuration.
3. Shut down the member in the stack.
4. Delete the member from the VSF stack in the switch CLI with no vsf member <MEMBER-ID>. All configuration associated with the member, including its subsystems and interfaces, is removed as well.
5. Renumber the VSF member with the vsf renumber-to command. For example, if the member ID of the old member was 2, renumber the new VSF member to 2.
6. Move the VSF link DAC cables from the old member to the new member.
7. In the case of a template group, update the template in Aruba Central (on-premises) with the new part number and the interface configurations of the new member.
8. In the switch console, run the following command to disable Aruba Central (on-premises) support mode:
   no aruba-central support-mode
9. Verify the status of the stack in the switch monitoring pages. For more information, see Switch > Overview > Summary and Monitoring AOS-CX Switch Stacks.

Switches Running AOS-CX 10.06 or Earlier Versions

The following procedures replace the conductor, the standby or any other member with a switch of the same or a different part number.

Replacing the Conductor

To replace the conductor of the VSF stack, complete the following steps:
1. Power off the conductor. The standby conductor takes over as conductor. Make sure Aruba Central (on-premises) reflects this failover.
2. Remove the VSF links from the old conductor.
3. Disable Aruba Central (on-premises) from the switch CLI.
   switch# configure
   switch(config)# aruba-central
   switch(config-aruba-central)# disable
4. Wait for the standby member to become the conductor.
5. If you are replacing the conductor with a different part number, delete the old conductor from the VSF stack in the switch CLI with no vsf member <MEMBER-ID>. All configuration associated with the member, including its subsystems and interfaces, is removed as well.
6. Replace the member and wait for it to come up.
7. Configure the new member and the VSF links to it.
8. In the case of template groups, update the template in Aruba Central (on-premises) with the new part number and the interface configurations of the new conductor.
9. Enable Aruba Central (on-premises) from the switch CLI. If this does not work, run the https-server session close all command.
   switch(config-aruba-central)# enable
   OR
   switch# https-server session close all
10. Switch over to the new conductor in the switch CLI.
11. Verify the status of the stack in the switch monitoring pages. For more information, see Switch > Overview > Summary and Monitoring AOS-CX Switch Stacks.

Replacing the Standby or Other Members

To replace the standby or any other member of the VSF stack, complete the following procedure:
1. Reset the replacement member to the factory-default configuration.
2. Disable Aruba Central (on-premises) from the switch CLI.
   switch# configure
   switch(config)# aruba-central
   switch(config-aruba-central)# disable
3. Shut down the member in the stack.
4. If you are replacing the member with a different part number, delete the member from the VSF stack in the switch CLI with no vsf member <MEMBER-ID>. All configuration associated with the member, including its subsystems and interfaces, is removed as well.
5. Configure the new member and the VSF links to it.
6. Renumber the VSF member with the vsf renumber-to command. For example, if the member ID of the old member was 2, renumber the new VSF member to 2.
7. Move the VSF link DAC cables from the old member to the new member.
8. In the case of template groups, update the template in Aruba Central (on-premises) with the new part number and the interface configurations of the new member.
9. Enable Aruba Central (on-premises) from the switch CLI. If this does not work, run the https-server session close all command.
   switch(config-aruba-central)# enable
   OR
   switch# https-server session close all
10. Verify the status of the stack in the switch monitoring pages. For more information, see Switch > Overview > Summary and Monitoring AOS-CX Switch Stacks.

Changing an AOS-CX VSF Stack to Standalone Switches

You can change an AOS-CX VSF stack in Aruba Central (on-premises) into standalone switches. The procedure involves steps both in Aruba Central (on-premises) and in the switch CLI. Through the VSF Stacking page UI, you can change only the conductor switch to a standalone switch. To change an AOS-CX VSF stack into standalone switches, complete the following procedure:
1. Make a note of the serial numbers of the switches that are part of the stack.
2. Disable Aruba Central (on-premises) from the switch CLI.
   switch# configure
   switch(config)# aruba-central
   switch(config-aruba-central)# disable
3. Wait for the stack to display as offline in the List view.
4. Delete the stack from Aruba Central (on-premises). See Deleting an Offline Switch.
5. Run the erase all zeroize command in the switch CLI of the conductor. The switches reboot, roll back to factory defaults and function as standalone switches. They are added to the default group. You can verify the serial numbers of the switches once they are onboarded and move them to a template group or UI group as required.
The password of each AOS-CX switch is SERIALNUM_central (the switch serial number followed by _central) until the switch is moved to a template group or UI group and a custom password is set. Because the serial number is printed on the chassis and listed in the device inventory, treat this as a temporary credential and set a custom password promptly.
For more information on passwords, see the Password Requirements for Template-Based Configuration section in the Using Configuration Templates for AOS-CX Switch Management topic.

Monitoring AOS-CX Switch Stacks

In the switch dashboard, the Ports tab for a switch stack displays the faceplate of all the switches that are part of the stack. This allows you to manage, configure, monitor, and troubleshoot switch stacks that are provisioned and managed through Aruba Central (on-premises).

To navigate to the Ports tab in the Switch dashboard, complete the following steps:

1. Set the filter to Global or the group containing the stack.
2. Under Manage, click Devices > Switches. A list of switches is displayed in the List view.
3. Select the conductor switch of the stack from the devices list and navigate to the LAN > Ports tab. The Ports tab is displayed with the faceplate of all the switches that are part of the stack. For more information, see Switch > LAN > Ports.

The following figure shows a four-member stack with the conductor, standby, and members with their corresponding ports and connections:

Figure 39 Switch Stack Faceplate

Stack-Related Errors

The switch stack faceplate displays the following configuration and connection errors related to the stack. You can monitor and troubleshoot these errors from the Ports tab:

- Auto-join eligibility error
- VSF link errors
- Cabling error
- Incompatible switch firmware error

In some cases, multiple VSF errors can be associated with one VSF link. However, the faceplate displays only one error at a time, so you must fix one error before the next one is shown. For example, if the VSF link has both an auto-join eligibility error and a cabling error, only the auto-join eligibility error is displayed first. Once the auto-join eligibility error is resolved, the cabling error is displayed.
The faceplate is not displayed when an auto-join eligibility or cabling error occurs on any interface connected to an existing member. The only exception is the peer-timeout error: there is no peer MAC for a peer-timeout error, so it cannot be determined whether the peer connected to the interface is already a member of the stack.

Auto-Join Eligibility Error

The auto-join eligibility error is displayed in the Ports faceplate when the conductor or any of the member switches running AOS-CX 10.07 or later firmware versions in the stack do not have a factory-default configuration.

Member connected to Aruba Central (on-premises)

If the member is connected to Aruba Central (on-premises), click the reset icon in the faceplate. The RESOLVE AUTO-JOIN window is displayed with a message to reboot the non-factory switch with the default configuration and join the stack. Click Continue. The switch reboots and joins the stack. The following error and recommendation are displayed in the faceplate:

Error: Invalid stack configuration/connection
Recommendation: Reset the switch configuration and reboot

Member not connected to Aruba Central (on-premises)

If the member is not connected to Aruba Central (on-premises), the reset icon in the faceplate is disabled. In this case, execute the vsf force-autojoin command through the switch CLI to resolve this error. The following error and recommendation are displayed in the faceplate:

Error: Invalid stack configuration/connection
Recommendation: Configure vsf force-auto-join on the switch

Force auto-join does not work if the switch contains any existing VSF configuration. In this case, execute the erase all zeroize command from the switch CLI. This causes the switch to reboot, roll back to the factory-default configuration, and join the stack if there is no other auto-join error. For more information, refer to the AOS-CX Virtual Switching Framework (VSF) Guide.
Figure 40 Auto-Join Eligibility Error

VSF Link Errors

The VSF link errors are displayed in the switch stack faceplate when there are issues between VSF links. The faceplate displays a red warning symbol to help you identify the type of link error in the switch stack. You can hover over the warning symbol to identify the interfaces that are disconnected. The following VSF link errors can be identified from the faceplate:

- Broken link: displayed when a link between two VSF members is down.
- No peer interface: displayed when there is a connection issue on some of the interfaces between the two members.

Figure 41 VSF Link Errors

Cabling Error

The cabling error is displayed in the switch stack faceplate when stack cables are connected incorrectly. For auto-stacking to work, all the stack members must be connected using the following auto-stacking reserved VSF link ports:

- 24-port switch models: ports 25 and 26
- 48-port switch models: ports 49 and 50

Auto-stacking peer discovery is a unidirectional process. It starts with the VSF link containing the higher-numbered VSF port. Member discovery starts on the higher-numbered port for each member in line.
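To make the reserved-port and discovery-direction rules concrete, here is a small cabling-plan checker (an added example, not Aruba code or part of this guide) that validates a planned ring before the cables go in. The reserved ports come from this page; the rule that each link runs from the higher reserved port of one member to the lower reserved port of the next is inferred from the three-member ring example in this section, so treat it as an assumption for other topologies.

```python
# Reserved auto-stacking VSF link ports per model size, as stated on this page.
RESERVED_PORTS = {24: (25, 26), 48: (49, 50)}

# One VSF cable in discovery direction: (src member, src port, dst member, dst port).
Link = tuple[int, int, int, int]


def check_cabling(models: dict[int, int], links: list[Link]) -> list[str]:
    """Return the cabling problems of a ring plan; an empty list means the plan is valid.

    models maps member ID -> port count (24 or 48). Rules checked: every link end
    uses a reserved VSF port; each link leaves on the HIGHER reserved port of src
    and arrives on the LOWER reserved port of dst (discovery is unidirectional and
    starts on the higher port; this direction rule is inferred from the page's
    three-member example); in a ring every member has one outgoing and one incoming link.
    """
    errors: list[str] = []
    out_count = dict.fromkeys(models, 0)
    in_count = dict.fromkeys(models, 0)
    for src_m, src_p, dst_m, dst_p in links:
        for member, port, role in ((src_m, src_p, "src"), (dst_m, dst_p, "dst")):
            size = models.get(member)
            if size not in RESERVED_PORTS:
                errors.append(f"member {member}: unknown or unsupported model size {size}")
                continue
            low, high = RESERVED_PORTS[size]
            if port not in (low, high):
                errors.append(f"member {member}: port {port} is not a reserved VSF port ({low}/{high})")
            elif role == "src" and port != high:
                errors.append(f"member {member}: link must leave on higher port {high}, not {port}")
            elif role == "dst" and port != low:
                errors.append(f"member {member}: link must arrive on lower port {low}, not {port}")
        out_count[src_m] = out_count.get(src_m, 0) + 1
        in_count[dst_m] = in_count.get(dst_m, 0) + 1
    for member in models:
        if out_count[member] != 1 or in_count[member] != 1:
            errors.append(f"member {member}: a ring needs 1 outgoing and 1 incoming link, "
                          f"found {out_count[member]} and {in_count[member]}")
    return errors


# Constructed sample: the three-member ring from this page (members 1 and 2 are
# 48-port models, member 3 is a 24-port model).
PAGE_MODELS = {1: 48, 2: 48, 3: 24}
PAGE_RING: list[Link] = [(1, 50, 2, 49), (2, 50, 3, 25), (3, 26, 1, 49)]
# Constructed miscabled variant: member 1 leaves on its lower port and the return
# link lands on member 1's higher port; the faceplate would report a cabling error.
BAD_RING: list[Link] = [(1, 49, 2, 49), (2, 50, 3, 25), (3, 26, 1, 50)]

if __name__ == "__main__":
    print("page example:", check_cabling(PAGE_MODELS, PAGE_RING) or "OK")
    for problem in check_cabling(PAGE_MODELS, BAD_RING):
        print("bad plan:", problem)
```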
For a three-member stack in a ring topology, use the following connection example for auto-stacking to work:

- Connect port 50 of member 1 to port 49 of member 2
- Connect port 50 of member 2 to port 25 of member 3
- Connect port 26 of member 3 to port 49 of member 1

The following error and recommendation are displayed in the faceplate:

Error: Invalid stack configuration/connection
Recommendation: Follow best practices for cabling

For more information on cabling, see the AOS-CX Virtual Switching Framework (VSF) Guide.

Figure 42 Cabling Error

Incompatible Switch Firmware Error

The incompatible switch firmware error is displayed in the faceplate when the switch trying to join the stack is running a firmware version prior to AOS-CX 10.07. To resolve this error, upgrade the switch to a compatible firmware offline, outside Aruba Central (on-premises). The following error and recommendation are displayed in the faceplate:

Error: Incompatible switch firmware/product type
Recommendation: Upgrade the switch to a compatible firmware

Figure 43 Incompatible Switch Firmware Error

Chapter 11 Configuring AOS-Switches

AOS-Switches enable secure, role-based network access for wired users and devices, independent of their location or application. AOS-Switches can also operate as a wired access point when deployed with an Aruba Mobility Controller. As a wired access point, users and their devices are authenticated and assigned a unique role by the Mobility Controller. These roles are applied irrespective of whether the user is a Wi-Fi client or is connected to a port on the switch. The use of switches allows an enterprise workforce to have consistent and secure access to network resources based on the type of users, client devices, and connection method used.

Local firmware upgrade is not supported for switches due to a known issue.
Aruba Central (on-premises) supports provisioning switches in UI and template groups. Aruba Central (on-premises) supports basic configuration options in the UI. Users can also assign switches to template groups and use configuration templates and variables to manage switches from Aruba Central (on-premises). See the following topics for more information on managing AOS-Switches in Aruba Central (on-premises):

- Using Configuration Templates for AOS-Switch Management
- Configuring AOS-Switches in UI Groups
- AOS-Switch Stack

Getting Started with AOS-Switch Deployments

Before you get started with your onboarding and provisioning operations, browse through the list of AOS-Switches supported in Aruba Central (on-premises).

Provisioning Workflow

The following sections list the steps required for provisioning switches in Aruba Central (on-premises).

Provisioning a Factory Default AOS-Switch

Like most Aruba devices, AOS-Switches support ZTP. Switches with a factory default configuration have a very basic configuration, with all ports in VLAN-1. You must manually add either the serial number, MAC address, or part number of the new factory default switch in Aruba Central (on-premises). When the switch identifies Aruba Central (on-premises) as its management entity, it connects to Aruba Central (on-premises). To manage switches from Aruba Central (on-premises), you must onboard the switches to the device inventory and assign a valid subscription. For step-by-step instructions, see Provisioning Factory Default AOS-Switches.

Provisioning a Pre-configured or Locally-Managed Switch

Pre-configured switches have a customized configuration; for example, an additional VLAN or a static IP address configured on top of the default. Unlike factory default switches, locally managed switches and switches with a custom configuration require one-touch provisioning.
These switches do not automatically identify Aruba Central (on-premises) as their management platform; therefore, you must manually enable the Aruba Central (on-premises) management service on these switches to allow them to connect to Aruba Central (on-premises). For step-by-step instructions, see Provisioning Pre-Configured AOS-Switches.

Group Assignment

Aruba Central (on-premises) supports provisioning switches in one of the following types of groups:

- UI group: Allows you to customize and manage device parameters using the UI workflows, that is, the menu options and knobs available under Network Operations.
- Template group: Allows you to configure devices using CLI-based configuration templates.

AOS-Switch Configuration and Management

Aruba Central (on-premises) supports managing switch configuration using UI workflows or configuration templates. Based on your configuration requirements, ensure that you assign switches to either a UI group or a template group. For more information on managing switches in Aruba Central (on-premises), see the following topics:

- Using Configuration Templates for AOS-Switch Management
- Configuring AOS-Switches in UI Groups

AOS-Switch Monitoring

To view the operational status of switches and the health of the wired access network:

1. In the Network Operations app, use the filter to select a group that has switches.
2. Under Manage, click Devices > Switches.

For more information, see Monitoring Switches and Switch Stacks.

Troubleshooting and Diagnostics

The Configuration Audit page under Network Operations > Device(s) > Switches in the Aruba Central (on-premises) UI displays errors in configuration sync, templates, and a list of configuration overrides. For more information, see Verifying Device Configuration Status. To troubleshoot switches remotely, use the troubleshooting tool available under Network Operations > Analyze > Tools. For more information, see Using Troubleshooting Tools.
Provisioning Factory Default AOS-Switches

Switches that run the default configuration, either as shipped from the factory or after a factory reset, are referred to as factory default switches. This topic describes the steps for provisioning factory default switches in Aruba Central (on-premises).

- Step 1: Onboard the AOS-Switch to Aruba Central (on-premises)
- Step 2: Assign the AOS-Switch to a Group
- Step 3: Connect the AOS-Switch to Aruba Central (on-premises)
- Step 4: Provision the AOS-Switch to a Group
- Step 5: Verify the Configuration Status

Step 1: Onboard th