ArubaOS 6.4 Command-Line Interface Reference Guide
0511528-00v2 | February 2014 ArubaOS 6.4 | Reference Guide
Copyright Information
2014 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Networks Must Follow, RFProtect, Green Island. All rights reserved. All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox, Inc. All rights reserved. This product includes software developed by Lars Fenneberg et al. The Open Source code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors' VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.
Warranty
This hardware product is protected by an Aruba warranty. For more information, refer to the ArubaCare service and support terms and conditions.
ArubaOS 6.4 | Reference Guide | The ArubaOS Command-Line Interface | 3
The ArubaOS Command-Line Interface
The ArubaOS 6.4 command-line interface (CLI) allows you to configure and manage your controllers. The CLI is accessible from a local console connected to the serial port on the controllers or through a Telnet or Secure Shell (SSH) session from a remote management console or workstation.
Telnet access is disabled by default. To enable Telnet access, enter the telnet CLI command from a serial connection or an SSH session, or in the WebUI navigate to the Configuration > Management > General page.
What's New In ArubaOS 6.4
New Commands
The following commands are introduced in the ArubaOS 6.4 command line interface.

airgroup static mdns-record
    Using this command, an administrator can add the mDNS static records to cache in the following methods:
    - Group mDNS static records
    - Individual mDNS static records
app lync traffic-control
    This command creates a traffic control profile that allows the controller to recognize and prioritize a specific type of Lync traffic in order to apply QoS through the Lync Application Layer Gateway (ALG).
dpi
    This command configures Deep-Packet Inspection and the global bandwidth contract for an application or application category for the AppRF feature.
iap trusted-branch-db
    This command configures an IAP-VPN branch as trusted.
pan active-profile
    This command activates a configured PAN profile.
pan profile
    This command is used to configure a PAN profile.
show aaa load-balance statistics
    This command displays the load balancing statistics for RADIUS servers.
show lldp interface
    This command displays the LLDP interfaces information.
show lldp neighbor
    This command displays information about LLDP peers.
show lldp statistics
    This command displays the LLDP statistics information.
show iap detailed-table
    This command displays the details of all the branches terminating at the controller.
show pan active-profile
    This command displays the currently active PAN profile.
show pan profile
    This command displays all configured PAN profiles.
show pan state
    This command displays the current status of associated PAN firewalls.
show pan statistics
    This command displays PAN profile statistics.
show sso idp-profile
    This command displays the configured SSO IDP profiles.
show ucc call-info cdrs
    This command displays the Call Detailed Report (CDR) statistics for Unified Communication and Collaboration (UCC).
show ucc client-info
    This command displays the UCC client status and CDR statistics.
show ucc configuration
    This command displays the UCC configuration in the controller.
show ucc statistics
    This command displays the UCC call statistics in the controller.
show ucc trace-buffer
    This command displays the UCC call message trace buffer for Lync, SCCP, and SIP ALGs. Events such as establishing voice, video, desktop sharing, and file transfer are recorded.
sso idp-profile
    This command creates an SSO profile.
wlan hotspot advertisement-profile
    This command configures a WLAN advertisement profile for an 802.11u public access service provider.
wlan hotspot anqp-3gpp-nwk-profile
    This profile defines information for a 3rd Generation Partnership Project (3GPP) Cellular Network for hotspots that have roaming relationships with cellular operators.
wlan hotspot anqp-domain-name-profile
    This command defines the domain name to be sent in an Access Network Query Protocol (ANQP) information element in a Generic Advertisement Service (GAS) query response.
wlan hotspot anqp-ip-addr-avail-profile
    This command defines available IP address types to be sent in an Access Network Query Protocol (ANQP) information element in a Generic Advertisement Service (GAS) query response.
wlan hotspot anqp-nai-realm-profile
    This command defines a Network Access Identifier (NAI) realm whose information can be sent as an Access Network Query Protocol (ANQP) information element in a Generic Advertisement Service (GAS) query response.
wlan hotspot anqp-nwk-auth-profile
    This command configures an ANQP Network Authentication profile to define the authentication type being used by the hotspot network.
wlan hotspot anqp-roam-cons-profile
    This command configures the Roaming Consortium OI information to be sent in an Access Network Query Protocol (ANQP) information element in a Generic Advertisement Service (GAS) query response.
wlan hotspot anqp-venue-name-profile
    This command defines venue information to be sent in an Access Network Query Protocol (ANQP) information element in a Generic Advertisement Service (GAS) query response.
wlan hotspot h2qp-conn-capability-profile
    This command defines a Hotspot 2.0 Query Protocol (H2QP) profile that advertises hotspot protocol and port capabilities.
wlan hotspot h2qp-op-cl-profile
    This command defines a Hotspot 2.0 Query Protocol (H2QP) profile that defines the Operating Class to be sent in the ANQP IE.
wlan hotspot h2qp-operator-friendly-name-profile
    This command defines a Hotspot 2.0 Query Protocol (H2QP) operator-friendly name profile. The operator-friendly name configured in this profile is a free-form text field that can identify the operator and also something about the location.
wlan hotspot h2qp-wan-metrics-profile
    This command creates a Hotspot 2.0 Query Protocol (H2QP) profile that specifies the hotspot WAN status and link metrics.
wlan hotspot hs2-profile
    This command configures a hotspot profile for an 802.11u public access service provider.
Modified Commands
The following commands are modified in ArubaOS 6.4.

airgroup
    The dlna and mdns parameters are introduced.
aaa authentication captive-portal
    The url-hash-key parameter is introduced.
aaa authentication via auth-profile
    The pan-integration parameter is introduced.
aaa authentication vpn
    The pan-integration parameter is introduced.
aaa profile
    The multiple-server-accounting and download-role parameters are introduced.
    The pan-integration parameter is introduced.
aaa server-group
    The load-balance parameter is introduced.
clear
    The lldp parameter is introduced.
    The Server and User options are introduced under the airgroup parameter.
crypto dynamic-map
    The disable/enable parameters are introduced.
crypto isakmp policy
    The disable/enable and no parameters are introduced.
firewall
    The following parameters are added:
    - allow-stun
    - dpi
    - stall-crash
ha
    The following parameters are introduced to support the high availability inter-controller heartbeat, controller oversubscription and state synchronization features:
    - heartbeat
    - heartbeat-interval
    - heartbeat-threshold
    - over-subscription
    - pre-shared-key
    - state-sync
interface fastethernet | gigabitethernet
    The lldp parameter is introduced.
interface vlan
    The dhcp parameter for configuring dynamic host configuration protocol for IPv6 is introduced.
interface tunnel
    The tunnel destination ipv6, tunnel mode gre ipv6, and tunnel source ipv6 parameters are introduced.
ip access-list session
    The redirect parameter is introduced under action. The app and appcategory parameters are introduced under service.
ip igmp
    The ssm-range parameter is introduced.
ipv6 mld
    The ssm-range parameter is introduced.
ipv6 route
    The vlan parameter is introduced.
ntp server
    The IPv6 parameter is introduced.
phonehome
    The https parameter is introduced, allowing controllers to send PhoneHome reports to an Activate server using HTTPS.
show airgroup
    The dlna and mdns parameters were introduced in the following commands:
    - show airgroup blocked-queries
    - show airgroup blocked-service-id
    - show airgroup internal-state statistics
    The dlna, mdns, and verbose parameters were introduced in the following commands:
    - show airgroupservice
    - show airgroup servers
    - show airgroup users
    The dlna, mdns, and static parameters were introduced in the following command:
    - show airgroup cache entries
show airgroupservice
    The dlna, mdns, and verbose parameters were introduced.
show app lync traffic-control
    The profile-name parameter is introduced.
show datapath
    The following parameters are introduced:
    - dpi
    - session dpi
    - session ipv6 dpi
    - session session-id dpi
show ipv6 interface
    The tunnel parameter is introduced in the output.
show ipv6 mld config
    The ssm-range parameter is introduced.
show ipv6 mld group
    The mode and age parameters are introduced.
show ntp peer
    The IPv6 parameter is introduced.
show ntp servers
    Flags indicating the status of the server are introduced.
show ntp status
    The following parameters are introduced:
    - time since restart
    - packets received
    - packets processed
    - current version
    - previous version
    - declined
    - access denied
    - bad length or format
    - bad authentication
    - rate exceeded
show vrrp
    The ipv6, stats, and summary parameters are introduced.
snmp-server
    The IPv6 parameter is introduced.
user-role
    The following parameters are introduced:
    - bandwidth-contract app
    - bandwidth-contract appcategory
    - bandwidth-contract exclude
    - traffic-control-profile
    - sso
vrrp
    The IPv6 parameter is introduced.
web-server
    The idp-certificate parameter is introduced.
wlan ssid-profile
    The mfp-capable and mfp-required parameters are introduced.
Deprecated Commands
The following commands were deprecated in ArubaOS 6.4:

interface tunnel
    The checksum parameter is deprecated.
app lync traffic-control (deprecated)
    This command is deprecated and replaced by app lync traffic-control.
About this Guide
This guide describes the ArubaOS 6.4 command syntax. The commands in this guide are listed alphabetically.
The following information is provided for each command:
- Command Syntax: The complete syntax of the command.
- Description: A brief description of the command.
- Syntax: A description of the command parameters, including license requirements for specific parameters if needed. The applicable ranges and default values, if any, are also included.
- Usage Guidelines: Information to help you use the command, including: prerequisites, prohibitions, and related commands.
- Example: An example of how to use the command.
- Command History: The version of ArubaOS in which the command was first introduced. Modifications and changes to the command are also noted.
- Command Information: This table describes any licensing requirements, command modes and platforms for which this command is applicable. For more information about available licenses, see the Licenses chapter of the ArubaOS 6.4 User Guide.
Connecting to the Controller
This section describes how to connect to the controller to use the CLI.
Serial Port Connection
The serial port is located on the front panel of the controller. Connect a terminal or PC/workstation running a terminal emulation program to the serial port on the controller to use the CLI. Configure your terminal or terminal emulation program to use the following communication settings.
Baud Rate: 9600
Data Bits: 8
Parity: None
Stop Bits: 1
Flow Control: None
The Aruba 7200 Series controller supports baud rates between 9600 and 115200.
Telnet or SSH Connection
Telnet or SSH access requires that you configure an IP address and a default gateway on the controller and connect the controller to your network. This is typically performed when you run the Initial Setup on the controller, as described in the ArubaOS 6.4 Quick Start Guide. In certain deployments, you can also configure a loopback address for the controller; see interface loopback on page 377 for more information.
Configuration changes on Master Controllers
Some commands can only be issued when connected to a master controller. If you make a configuration change on a master controller, all connected local controllers will subsequently update their configurations as well. You can manually synchronize all of the controllers at any time by saving the configuration on the master controller.
CLI Access
When you connect to the controller using the CLI, the system displays its host name followed by the login prompt. Log in using the admin user account and the password you entered during the Initial Setup on the controller (the password displays as asterisks). For example:
(host)
User: admin
Password: *****
When you are logged in, the user mode CLI prompt displays. For example:
(host) >
User mode provides only limited access for basic operational testing such as running ping and traceroute.
Certain management functions are available in enable (also called privileged) mode. To move from user mode to enable mode requires you to enter an additional password that you entered during the Initial Setup (the password displays as asterisks). For example:
(host) > enable
Password: ******
When you are in enable mode, the > prompt changes to a pound sign (#):
(host) #
Configuration commands are available in config mode. Move from enable mode to config mode by entering configure terminal at the # prompt:
(host) # configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
When you are in basic config mode, (config) appears before the # prompt:
(host) (config) #
There are several other sub-command modes that allow users to configure individual interfaces, subinterfaces, loopback addresses, GRE tunnels and cellular profiles. For details on the prompts and the available commands for each of these modes, see Appendix A: Command Modes on page 1968.
Command Help
You can use the question mark (?) to view various types of command help.
When typed at the beginning of a line, the question mark lists all the commands available in your current mode or sub-mode. A brief explanation follows each command. For example:
(host) > ?
enable      Turn on Privileged commands
logout      Exit this session. Any unsaved changes are lost.
ping        Send ICMP echo packets to a specified IP address.
traceroute  Trace route to specified IP address.
When typed at the end of a possible command or abbreviation, the question mark lists the commands that match (if any). For example:
(host) > c?
clear       Clear configuration
clock       Configure the system clock
configure   Configuration Commands
copy        Copy Files
If more than one item is shown, type more of the keyword characters to distinguish your choice. However, if only one item is listed, the keyword or abbreviation is valid and you can press tab or the spacebar to advance to the next keyword.
When typed in place of a parameter, the question mark lists the available options. For example:
(host) # write ?
erase       Erase and start from scratch
file        Write to a file in the file system
memory      Write to memory
terminal    Write to terminal
The <cr> indicates that the command can be entered without additional parameters. Any other parameters are optional.
Command Completion
To make command input easier, you can usually abbreviate each keyword in the command. You need type only enough of each keyword to distinguish it from similar commands. For example:
(host) # configure terminal
could also be entered as:
(host) # con t
Three characters (con) represent the shortest abbreviation allowed for configure. Typing only c or co would not work because there are other commands (like copy) which also begin with those letters. The configure command is the only one that begins with con.
As you type, you can press the spacebar or tab to move to the next keyword. The system then attempts to expand the abbreviation for you. If there is only one command keyword that matches the abbreviation, it is filled in for you automatically. If the abbreviation is too vague (too few characters), the cursor does not advance and you must type more characters or use the help feature to list the matching commands.
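The shortest-unique-prefix rule described above, written out as a small resolver (an added example, not code from the guide or from ArubaOS). The keyword tree is constructed from the commands the guide shows for ?, c? and write ?; it is illustrative, not the controller's complete command set.

```python
# Added example: a resolver for the keyword-abbreviation rule the guide describes.
# A keyword may be shortened to any prefix that is unique among the keywords valid
# at that position on the line. The keyword tree below is constructed from the
# commands listed in the guide's "?", "c?" and "write ?" examples (assumption:
# it is not the controller's full command set).

from typing import Dict, List

# Constructed keyword tree for enable mode: keyword -> keywords valid after it.
# Only "configure terminal" and the "write" options appear in the guide's examples.
ENABLE_MODE: Dict[str, dict] = {
    "clear": {},
    "clock": {},
    "configure": {"terminal": {}},
    "copy": {},
    "enable": {},
    "logout": {},
    "ping": {},
    "traceroute": {},
    "write": {"erase": {}, "file": {}, "memory": {}, "terminal": {}},
}


def candidates(abbrev: str, keywords: Dict[str, dict]) -> List[str]:
    """Keywords that begin with abbrev, in the order '?' help would list them."""
    return sorted(k for k in keywords if k.startswith(abbrev))


def resolve(abbrev: str, keywords: Dict[str, dict]) -> str:
    """Expand one keyword the way tab or space completion does.

    An exact keyword always wins (so a keyword that is itself a prefix of a
    longer one stays reachable); otherwise the abbreviation must match exactly
    one keyword. Ambiguity raises ValueError, which is the case where the guide
    says the cursor does not advance and you must type more characters.
    """
    if abbrev in keywords:
        return abbrev
    matches = candidates(abbrev, keywords)
    if not matches:
        raise KeyError(f"unknown keyword: {abbrev!r}")
    if len(matches) > 1:
        raise ValueError(f"ambiguous abbreviation {abbrev!r}: {', '.join(matches)}")
    return matches[0]


def shortest_abbreviation(keyword: str, keywords: Dict[str, dict]) -> str:
    """Shortest prefix that resolves uniquely in this keyword set ('con' for configure)."""
    for n in range(1, len(keyword) + 1):
        if candidates(keyword[:n], keywords) == [keyword]:
            return keyword[:n]
    return keyword  # only reached if keyword is not in the set at all


def expand_line(line: str, mode: Dict[str, dict] = ENABLE_MODE) -> str:
    """Expand every abbreviated keyword on a line, e.g. 'con t' -> 'configure terminal'.

    Once a keyword has no further keywords beneath it, the remaining words are
    treated as arguments (an IP address for ping, for example) and kept verbatim.
    """
    keywords = mode
    expanded: List[str] = []
    for word in line.split():
        if not keywords:
            expanded.append(word)
            continue
        full = resolve(word, keywords)
        expanded.append(full)
        keywords = keywords[full]
    return " ".join(expanded)


if __name__ == "__main__":
    print(expand_line("con t"))                              # configure terminal
    print(shortest_abbreviation("configure", ENABLE_MODE))   # con
    try:
        expand_line("co t")
    except ValueError as err:
        print(err)  # ambiguous abbreviation 'co': configure, copy
```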
Deleting Configuration Settings
Use the no command to delete or negate previously-entered configurations or parameters.
- To view a list of no commands, type no at the enable or config prompt followed by the question mark. For example:
  (host) (config) # no?
- To delete a configuration, use the no form of a configuration command. For example, the following command removes a configured user role:
  (host) (config) # no user-role
- To negate a specific configured parameter, use the no parameter within the command. For example, the following commands delete the DSCP priority map for a priority map configuration:
  (host) (config) # priority-map
  (host) (config-priority-map) # no dscp priority high
Saving Configuration Changes
Each Aruba controller contains two different types of configuration images.
- The running-config holds the current controller configuration, including all pending changes which have yet to be saved. To view the running-config, use the following command:
  (host) # show running-config
- The startup config holds the configuration which will be used the next time the controller is rebooted. It contains all the options last saved using the write memory command. To view the startup-config, use the following command:
  (host) # show startup-config
When you make configuration changes via the CLI, those changes affect the current running configuration only. If the changes are not saved, they will be lost after the controller reboots. To save your configuration changes so they are retained in the startup configuration after the controller reboots, use the following command in enable mode:
(host) # write memory
Saving Configuration...
Saved Configuration
Both the startup and running configurations can also be saved to a file or sent to a TFTP server for backup or transfer to another system.
Commands That Reset the Controller or AP
If you use the CLI to modify a currently provisioned and running radio profile, those changes take place immediately; you do not need to reboot the controller or the AP for the changes to affect the current running configuration. Certain commands, however, automatically force the controller or AP to reboot. You may want to consider current network loads and conditions before issuing these commands, as they may cause a momentary disruption in service as the unit resets. Note also that changing the lms-ip parameter in an AP system profile associated with an AP group will cause all APs in that AP group to reboot.
Commands that Reset an AP
- ap-regroup
- ap-rename
- apboot
- provision-ap
- ap wired-ap-profile forward-mode {bridge|split-tunnel|tunnel}
- wlan virtual-ap {aaa-profile |forward-mode {tunnel|bridge|split-tunnel|decrypt-tunnel}|ssid-profile |vlan ...}
- ap system-profile {bootstrap-threshold |lms-ip |}
- wlan ssid-profile {battery-boost|deny-bcast|essid|opmode|strict-svp |wepkey1 |wepkey2|wepkey3 |wepkey4 |weptxkey |wmm |wmm-be-dscp |wmm-bk-dscp|wmm-ts-min-inact-int |wmm-vi-dscp |wmm-vo-dscp |wpa-hexkey |wpa-passphrase }
- wlan dot11k {bcn-measurement-mode|dot11k-enable|force-disassoc
Commands that Reset a Controller
- reload
Table 1: Reset Commands
Typographic Conventions
The following conventions are used throughout this manual to emphasize important concepts:
Italics
    This style is used to emphasize important terms and to mark the titles of books.
Boldface
    This style is used to emphasize command names and parameter options when mentioned in the text.
Commands
    This fixed-width font depicts command syntax and examples of commands and command output.
Angle brackets
    In the command syntax, text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example: ping. In this example, you would type ping at the system prompt exactly as shown, followed by the IP address of the system to which ICMP echo packets are to be sent. Do not type the angle brackets.
[square brackets]
    In the command syntax, items enclosed in brackets are optional. Do not type the brackets.
{Item_A|Item_B}
    In the command examples, single items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.
{ap-name }|{ipaddr }
    Two items within curled braces indicate that both parameters must be entered together. If two or more sets of curled braces are separated by a vertical bar, like in the example to the left, enter only one choice. Do not type the braces or bars.
Table 2: Text Conventions
Command Line Editing
The system records your most recently entered commands. You can review the history of your actions, or reissue a recent command easily, without having to retype it.
To view items in the command history, use the up arrow key to move back through the list and the down arrow key to move forward. To reissue a specific command, press Enter when the command appears in the command history. You can even use the command line editing feature to make changes to the command prior to entering it. The command line editing feature allows you to make corrections or changes to a command without retyping. Table 1 lists the editing controls. To use key shortcuts, press and hold the Ctrl button while you press a letter key.
Ctrl A (Home): Move the cursor to the beginning of the line.
Ctrl B or the left arrow (Back): Move the cursor one character left.
Ctrl D (Delete Right): Delete the character to the right of the cursor.
Ctrl E (End): Move the cursor to the end of the line.
Ctrl F or the right arrow (Forward): Move the cursor one character right.
Ctrl K (Delete Right): Delete all characters to the right of the cursor.
Ctrl N or the down arrow (Next): Display the next command in the command history.
Ctrl P or the up arrow (Previous): Display the previous command in the command history.
Ctrl T (Transpose): Swap the character to the left of the cursor with the character to the right of the cursor.
Ctrl U (Clear): Clear the line.
Ctrl W (Delete Word): Delete the characters from the cursor up to and including the first space encountered.
Ctrl X (Delete Left): Delete all characters to the left of the cursor.
Table 3: Line Editing Keys
Specifying Addresses and Identifiers in Commands
This section describes addresses and other identifiers that you can reference in CLI commands.
IP address
    For any command that requires entry of an IP address to specify a network entity, use IPv4 network address format in the conventional dotted decimal notation (for example, 10.4.1.258).
Netmask address
    For subnet addresses, specify a netmask in dotted decimal notation (for example, 255.255.255.0).
Media Access Control (MAC) address
    For any command that requires entry of a device's hardware address, use the hexadecimal format (for example, 00:05:4e:50:14:aa).
Service Set Identifier (SSID)
    A unique character string (sometimes referred to as a network name), consisting of no more than 32 characters. The SSID is case-sensitive (for example, WLAN-01).
Basic Service Set Identifier (BSSID)
    This entry is the unique hard-wireless MAC address of the AP. A unique BSSID applies to each frequency (802.11a and 802.11g) used from the AP. Use the same format as for a MAC address.
Extended Service Set Identifier (ESSID)
    Typically the unique logical name of a wireless network. If the ESSID includes spaces, you must enclose the name in quotation marks.
Fast Ethernet or Gigabit Ethernet interface
    Any command that references a Fast Ethernet or Gigabit Ethernet interface requires that you specify the corresponding port on the controller in the format slot/port. The slot is always 1, except when referring to interfaces on the 6000 controller. For the 6000 controller, the four slots are allocated as follows:
    - Slot 0: Contains an Aruba Multi-Service Mobility Module Mark I.
    - Slot 1: Contains an Aruba Multi-Service Mobility Module Mark I.
    - Slot 2: Contains an Aruba Multi-Service Mobility Module Mark I.
    - Slot 3: Can contain either an Aruba Multi-Service Mobility Module Mark I or a line card.
    The port refers to the network interfaces that are embedded in the front panel of the 3000 Series controller, Aruba Multi-Service Mobility Module Mark I, or a line card installed in the 6000 controller. Port numbers start at 0 from the left-most position. Use the show port status command to obtain the interface information currently available from a controller.
Table 4: Addresses and Identifiers
Contacting Aruba Networks
Website Support
Main Site: http://www.arubanetworks.com
Support Site: https://support.arubanetworks.com
Airheads Social Forums and Knowledge Base: http://community.arubanetworks.com
North American Telephone: 1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephone: http://www.arubanetworks.com/support-services/support-program/contact-support/
Support Email Addresses
Americas and APAC: [email protected]
EMEA: [email protected]
Wireless Security Incident Response Team (WSIRT):
Table 5: Contact Information
aaa alias-group (deprecated)
aaa alias-group
  clone
  no ...
  set vlan condition essid|location equals set-value
Description
This command configured an aaa alias with a set of VLAN derivation rules that could speed up user rule derivation processing for deployments with a very large number of user derivation rules.
Command History
ArubaOS 6.3: Command introduced.
ArubaOS 6.4: Command deprecated.
aaa authentication captive-portal
aaa authentication captive-portal
  apple-cna-bypass
  auth-protocol mschapv2|pap|chap
  black-list
  clone
  default-guest-role
  default-role
  enable-welcome-page
  guest-logon
  ip-addr-in-redirection
  login-page
  logon-wait {cpu-threshold }|{maximum-delay }|{minimum-delay }
  logout-popup-window
  max-authentication-failures
  no ...
  protocol-http
  redirect-pause
  redirect-url
  server-group
  show-acceptable-use-policy
  show-fqdn
  single-session
  switchip-in-redirection-url
  url-hash-key
  user-idle-timeout
  user-logon
  user-vlan-in-redirection-url
  welcome-page
  white-list
Description
This command configures a Captive Portal authentication profile.
Syntax
Each parameter is listed with its description, followed by its range and default where the guide gives them.
apple-cna-bypass
    Enable this knob to bypass Apple CNA on iOS devices such as iPad, iPhone, and iPod. You need to perform Captive Portal authentication from the browser.
profile name
    Name that identifies an instance of the profile. The name must be 1-63 characters. Default: default
authentication-protocol mschapv2|pap|chap
    This parameter specifies the type of authentication required by this profile. PAP is the default authentication type. Range: mschapv2, pap, chap. Default: pap
black-list
    Name of an existing black list on an IPv4 or IPv6 network destination. The black list contains websites (unauthenticated) that a guest cannot access. Specify a netdestination host or subnet to add that netdestination to the captive portal blacklist. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the blacklist.
clone
    Name of an existing Captive Portal profile from which parameter values are copied.
default-guest-role
    Role assigned to guest. Default: guest
default-role
    Role assigned to the Captive Portal user when that user logs in. When both user and guest logons are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role. Default: guest
enable-welcome-page
    Displays the configured welcome page before the user is redirected to their original URL. If this option is disabled, redirection to the web URL happens immediately after the user logs in. Range: enabled/disabled. Default: enabled
guest-logon
    Enables Captive Portal logon without authentication. Range: enabled/disabled. Default: disabled
ipaddr-in-redirection-url
    Sends the controller's interface IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the controller from which a request originated by parsing the switchip variable in the URL. This parameter requires the Public Access license.
login-page
    URL of the page that appears for the user logon. This can be set to any URL. Default: /auth/index.html
logon-wait
    Configure parameters for the logon wait interval. Range: 1-100. Default: 60%
cpu-threshold
    CPU utilization percentage above which the logon wait interval is applied when presenting the user with the logon page. Range: 1-100. Default: 60%
maximum-delay
    Maximum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter. Range: 1-10. Default: 10 seconds
minimum-delay
    Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter. Range: 1-10. Default: 5 seconds
logout-popup-window
    Enables a pop-up window with the Logout link that allows the user to log out. If this option is disabled, the user remains logged in until the user timeout period has elapsed or the station reloads. Range: enabled/disabled. Default: enabled
max-authentication-failures
    Maximum number of authentication failures before the user is blacklisted. Range: 0-10. Default: 0
no
    Negates any configured parameter.
protocol-http
    Use HTTP protocol on redirection to the Captive Portal page. If you use this option, modify the captive portal policy to allow HTTP traffic. Range: enabled/disabled. Default: disabled (HTTPS is used)
redirect-pause
    Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link. Range: 1-60. Default: 10 seconds
redirect-url
    URL to which an authenticated user will be directed. This parameter must be an absolute URL that begins with either http:// or https://.
server-group
    Name of the group of servers used to authenticate Captive Portal users. See aaa server-group on page 89.
show-fqdn
    Allows the user to see and select the fully-qualified domain name (FQDN) on the login page. The FQDNs shown are specified when configuring individual servers for the server group used with captive portal authentication. Range: enabled/disabled. Default: disabled
show-acceptable-use-policy
    Show the acceptable use policy page before the logon page. Range: enabled/disabled. Default: disabled
single-session
    Allows only one active user session at a time. Default: disabled
switchip-in-redirection-url | Sends the controller's IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the controller from which a request originated by parsing the switchip variable in the URL. | enabled/disabled | disabled
url-hash-key | Issue this command to hash the redirection URL using the specified key. | | disabled
user-idle-timeout | The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used. | | disabled
user-logon | Enables Captive Portal with authentication of user credentials. | enabled/disabled | enabled
user-vlan-in-redirection-url | Add the user VLAN in the redirection URL. This parameter requires the Public Access license. | enabled/disabled | disabled
user-vlan-redirection-url | Sends the user's VLAN ID in the redirection URL when external captive portal servers are used. | |
welcome-page | URL of the page that appears after logon and before redirection to the web URL. This can be set to any URL. | | /auth/welcome.html
white-list | Name of an existing white list on an IPv4 or IPv6 network destination. The white list contains authenticated websites that a guest can access. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the whitelist. | |
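With switchip-in-redirection-url enabled, the external captive portal has to recover the originating controller from the redirect it receives. The Python below is an added example of that parsing step with the validation a portal operator would want (not ArubaOS code or Aruba portal software); only the switchip variable name comes from the page, while the sample URLs, the other query parameters and the known-controller list are constructed for the demo.

```python
"""Added example: extract the controller address (switchip) from a captive
portal redirect URL and accept it only if it names a controller we know.
Assumption: switchip arrives as a query-string parameter; the remaining URL
layout and the controller list below are constructed for this demo."""
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse

# Constructed: controllers this portal is permitted to hand results back to.
KNOWN_CONTROLLERS = {"10.1.1.1", "10.1.2.1"}


def controller_from_redirect(url: str, known=KNOWN_CONTROLLERS):
    """Return the switchip value as a normalised IP string, or None.

    None tells the caller to refuse the request rather than guess: the
    parameter is missing, repeated, not an IP literal, or not a controller
    on the known list.
    """
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    values = query.get("switchip", [])
    if len(values) != 1:            # absent or duplicated parameter
        return None
    try:
        addr = ip_address(values[0].strip())
    except ValueError:              # not an IPv4/IPv6 literal
        return None
    text = str(addr)                # canonical form, e.g. no zero padding
    return text if text in known else None


# Constructed sample redirects as an external portal might receive them.
SAMPLE_OK = "https://portal.example.net/login?switchip=10.1.1.1&url=http://intranet/"
SAMPLE_UNKNOWN = "https://portal.example.net/login?switchip=192.0.2.9"
SAMPLE_DUP = "https://portal.example.net/login?switchip=10.1.1.1&switchip=10.1.2.1"
SAMPLE_MISSING = "https://portal.example.net/login?url=http://intranet/"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_UNKNOWN, SAMPLE_DUP, SAMPLE_MISSING):
        print(sample, "->", controller_from_redirect(sample))
```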
Usage Guidelines
You can configure the Captive Portal authentication profile in the base operating system or with the Next Generation Policy Enforcement Firewall (PEFNG) license installed. When you configure the profile in the base operating system, the name of the profile must be entered for the initial role in the AAA profile. Also, when you configure the profile in the base operating system, you cannot define the default-role.
Example
The following example configures a Captive Portal authentication profile that authenticates users against the controller's internal database. Users who are successfully authenticated are assigned the auth-guest role.
To create the auth-guest user role shown in this example, the PEFNG license must be installed in the controller.
  aaa authentication captive-portal guestnet
    default-role auth-guest
    user-logon
    no guest-logon
    server-group internal
Command History
Version | Description
ArubaOS 3.0 | Command introduced.
ArubaOS 6.0 | The max-authentication-failures parameter no longer requires a license.
ArubaOS 6.1 | The sygate-on-demand, black-list and white-list parameters were added.
ArubaOS 6.2 | The auth-protocol parameter was added, and the user-chap parameter was deprecated.
ArubaOS 6.3 | The user-idle-timeout parameter was introduced.
ArubaOS 6.4 | The url-hash-key parameter was introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system, except for noted parameters | Config mode on master controllers
aaa authentication dot1x
aaa authentication dot1x {|countermeasures}
  ca-cert
  cert-cn-lookup
  clear
  clone
  delete-keycache
  eapol-logoff
  enforce-suite-b-128
  enforce-suite-b-192
  framed-mtu
  heldstate-bypass-counter
  ignore-eap-id-match
  ignore-eapolstart-afterauthentication
  machine-authentication blacklist-on-failure|{cache-timeout }|enable|{machine-default-role }|{user-default-role }
  max-authentication-failures
  max-requests
  multicast-keyrotation
  no ...
  opp-key-caching
  reauth-max
  reauth-server-termination-action
  reauthentication
  server {server-retry |server-retry-period }
  server-cert
  termination {eap-type }|enable|enable-token-caching|{inner-eap-type (eap-gtc|eap-mschapv2)}|{token-caching-period }
  timer {idrequest_period }|{mkey-rotation-period }|{quiet-period }|{reauth-period }|{ukey-rotation-period }|{wpa-groupkey-delay }|{wpa-key-period }|wpa2-key-delay
  tls-guest-access
  tls-guest-role
  unicast-keyrotation
  use-session-key
  use-static-key
  validate-pmkid
  voice-aware
  wep-key-retries
  wep-key-size {40|128}
  wpa-fast-handover
  wpa-key-retries
  xSec-mtu
Description
This command configures the 802.1X authentication profile.
Syntax
Parameter | Description | Range | Default
 | Name that identifies an instance of the profile. The name must be 1-63 characters. | | default
clear | Clear the cached PMK, role and VLAN entries. This command is available in enable mode only. | |
countermeasures | Scans for message integrity code (MIC) failures in traffic received from clients. If there are more than 2 MIC failures within 60 seconds, the AP is shut down for 60 seconds. This option is intended to slow down an attacker who is making a large number of forgery attempts in a short time. | | disabled
ca-cert | CA certificate for client authentication. The CA certificate needs to be loaded in the controller. | |
cert-cn-lookup | If you use client certificates for user authentication, enable this option to verify that the certificate's common name exists in the server. This parameter is disabled by default. | | disabled
delete-keycache | Delete the key cache entry when the user entry is deleted. | | disabled
eapol-logoff | Enables handling of EAPOL-LOGOFF messages. | | disabled
enforce-suite-b-128 | Configure Suite-B 128-bit or higher security level authentication enforcement. | | disabled
enforce-suite-b-192 | Configure Suite-B 192-bit or higher security level authentication enforcement. | | disabled
framed-mtu | Sets the framed MTU attribute sent to the authentication server. | 500-1500 | 1100
heldstate-bypass-counter | (This parameter is applicable when 802.1X authentication is terminated on the controller, also known as AAA FastConnect.) Number of consecutive authentication failures which, when reached, causes the controller to not respond to authentication requests from a client while the controller is in a held state after the authentication failure. Until this number is reached, the controller responds to authentication requests from the client even while the controller is in its held state. | 0-3 | 0
ignore-eap-id-match | Ignore EAP ID during negotiation. | | disabled
ignore-eapolstart-afterauthentication | Ignores EAPOL-START messages after authentication. | | disabled
machine-authentication | (For Windows environments only) These parameters set machine authentication. NOTE: This parameter requires the PEFNG license. | |
  blacklist-on-failure | Blacklists the client if machine authentication fails. | | disabled
  cache-timeout | The timeout, in hours, for machine authentication. | 1-1000 | 24 hours (1 day)
  enable | Select this option to enforce machine authentication before user authentication. If selected, either the machine-default-role or the user-default-role is assigned to the user, depending on which authentication is successful. | | disabled
  machine-default-role | Default role assigned to the user after completing only machine authentication. | | guest
  user-default-role | Default role assigned to the user after 802.1X authentication. | | guest
max-authentication-failures | Number of times a user can try to log in with wrong credentials after which the user is blacklisted as a security threat. Set to 0 to disable blacklisting; otherwise enter a non-zero integer to blacklist the user after the specified number of failures. | 0-5 | 0 (disabled)
max-requests | Maximum number of times ID requests are sent to the client. | 1-10 | 5
multicast-keyrotation | Enables multicast key rotation. | | disabled
no | Negates any configured parameter. | |
opp-key-caching | Enables a cached pairwise master key (PMK) derived with a client and an associated AP to be used when the client roams to a new AP. This allows clients faster roaming without a full 802.1X authentication. NOTE: Make sure that the wireless client (the 802.1X supplicant) supports this feature. If the client does not support this feature, the client will attempt to renegotiate the key whenever it roams to a new AP. As a result, the key cached on the controller can be out of sync with the key used by the client. | | enabled
reauth-max | Maximum number of reauthentication attempts. | 1-10 | 3
reauth-server-termination-action | Specifies the termination-action attribute from the server. | |
reauthentication | Select this option to force the client to do a 802.1X reauthentication after the expiration of the default timer for reauthentication. (The default value of the timer is 24 hours.) If the user fails to reauthenticate with valid credentials, the state of the user is cleared. If derivation rules are used to classify 802.1X-authenticated users, then the reauthentication timer per role overrides this setting. | | disabled
reload-cert | Reload certificate for 802.1X termination. This command is available in enable mode only. | |
server | Sets options for sending authentication requests to the authentication server group. | |
  server-retry | Maximum number of authentication requests that are sent to the server group. | 0-3 | 3
  server-retry-period | Server group retry interval, in seconds. | 5-65535 | 5 seconds
server-cert | Server certificate used by the controller to authenticate itself to the client. | |
termination | Sets options for terminating 802.1X authentication on the controller. | |
  eap-type | The Extensible Authentication Protocol (EAP) method, either EAP-PEAP or EAP-TLS. | eap-peap/eap-tls | eap-peap
  enable | Enables 802.1X termination on the controller. | | disabled
  enable-token-caching | If you select EAP-GTC as the inner EAP method, you can enable the controller to cache the username and password of each authenticated user. The controller continues to reauthenticate users with the remote authentication server; however, if the authentication server is not available, the controller will inspect its cached credentials to reauthenticate users. | | disabled
  inner-eap-type eap-gtc|eap-mschapv2 | When EAP-PEAP is the EAP method, one of the following inner EAP types is used. EAP-Generic Token Card (GTC): described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the controller as a backup to an external authentication server. EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2): described in RFC 2759, this EAP method is widely supported by Microsoft clients. | eap-gtc/eap-mschapv2 | eap-mschapv2
  token-caching-period | If you select EAP-GTC as the inner EAP method, you can specify the timeout period, in hours, for the cached information. | (any) | 24 hours
timer | Sets timer options for 802.1X authentication: | |
  idrequest-period | Interval, in seconds, between identity request retries. | 1-65535 | 5 seconds
  mkey-rotation-period | Interval, in seconds, between multicast key rotations. | 60-864000 | 1800 seconds
  quiet-period | Interval, in seconds, following failed authentication. | 1-65535 | 30 seconds
  reauth-period | Interval, in seconds, between reauthentication attempts, or specify server to use the server-provided reauthentication period. | 60-864000 | 86400 seconds (1 day)
  ukey-rotation-period | Interval, in seconds, between unicast key rotations. | 60-864000 | 900 seconds
  wpa-groupkey-delay | Interval, in milliseconds, between unicast and multicast key exchanges. | 0-2000 | 0 ms (no delay)
  wpa-key-period | Interval, in milliseconds, between each WPA key exchange. | 1000-5000 | 1000 ms
  wpa2-key-delay | Set the delay between EAP-Success and the unicast key exchange. | 1-2000 | 0 ms (no delay)
tls-guest-access | Enables guest access for EAP-TLS users with valid certificates. | | disabled
tls-guest-role | User role assigned to EAP-TLS guest. NOTE: This parameter requires the PEFNG license. | | guest
unicast-keyrotation | Enables unicast key rotation. | | disabled
use-session-key | Use RADIUS session key as the unicast WEP key. | | disabled
use-static-key | Use static key as the unicast/multicast WEP key. | | disabled
validate-pmkid | This parameter instructs the controller to check the pairwise master key (PMK) ID sent by the client. When this option is enabled, the client must send a PMKID in the associate or reassociate frame to indicate that it supports OKC or PMK caching; otherwise, full 802.1X authentication takes place. (This feature is optional, since most clients that support OKC and PMK caching do not send the PMKID in their association request.) | | disabled
voice-aware | Enables rekey and reauthentication for VoWLAN clients. NOTE: The Next Generation Policy Enforcement Firewall license must be installed. | | enabled
wep-key-retries | Number of times WPA/WPA2 key messages are retried. | 1-5 | 3
wep-key-size | Dynamic WEP key size, either 40 or 128 bits. | 40 or 128 | 128 bits
wpa-fast-handover | Enables WPA fast handover. This is only applicable for phones that support WPA and fast handover. | | disabled
wpa-key-retries | Set the number of times WPA/WPA2 key messages are retried. The supported range is 1-10 retries, and the default value is 3. | 1-10 | 3
xSec-mtu | Sets the size of the MTU for xSec. | 1024-1500 | 1300 bytes
Usage Guidelines
The 802.1X authentication profile allows you to enable and configure machine authentication and 802.1X termination on the controller (also called AAA FastConnect).
In the AAA profile, specify the 802.1X authentication profile, the default role for authenticated users, and the server group for the authentication.
Examples
The following example enables authentication of the user's client device before user authentication. If machine authentication fails but user authentication succeeds, the user is assigned the restricted guest role:
  aaa authentication dot1x dot1x
    machine-authentication enable
    machine-authentication machine-default-role computer
    machine-authentication user-default-role guest
The following example configures an 802.1X profile that terminates authentication on the controller, where the user authentication is performed with the controller's internal database or to a backend non-802.1X server:
  aaa authentication dot1x dot1x
    termination enable
Command History
Version | Description
ArubaOS 3.0 | Command introduced.
ArubaOS 6.1 | The cert-cn-lookup, enforce-suite-b-128 and enforce-suite-b-192 parameters were introduced.
ArubaOS 6.3.1.2 | The delete-keycache parameter was introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system. The voice-aware parameter requires the PEFNG license. | Config mode on master controllers
aaa authentication mac
aaa authentication mac
  case upper|lower
  clone
  delimiter {colon|dash|none}
  max-authentication-failures
  no ...
  reauthentication
  timer reauth period {|server}
Description
This command configures the MAC authentication profile.
Syntax
Parameter | Description | Range | Default
 | Name that identifies an instance of the profile. The name must be 1-63 characters. | | default
case | The case (upper or lower) used in the MAC string sent in the authentication request. If there is no delimiter configured, the MAC address in lower case is sent in the format xxxxxxxxxxxx, while the MAC address in upper case is sent in the format XXXXXXXXXXXX. | upper/lower | lower
clone | Name of an existing MAC profile from which parameter values are copied. | |
delimiter | Delimiter (colon, dash, or none) used in the MAC string. | colon/dash/none | none
max-authentication-failures | Number of times a client can fail to authenticate before it is blacklisted. A value of 0 disables blacklisting. | 0-10 | 0 (disabled)
no | Negates any configured parameter. | |
reauthentication | Use this parameter to enable or disable reauthentication. | | disabled
timer | reauth period: specifies the period between reauthentication attempts in seconds. server: specifies the server-provided reauthentication interval. | 60-864000 seconds | 86400 seconds (1 day)
Usage Guidelines
The MAC authentication profile configures authentication of devices based on their physical MAC address. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to all other devices. Users may be required to authenticate themselves using other methods, depending upon the network privileges.
Example
The following example configures a MAC authentication profile to blacklist client devices that fail to authenticate.
  aaa authentication mac mac-blacklist
    max-authentication-failures 3
Command History
Release | Modification
ArubaOS 3.0 | Command introduced.
ArubaOS 3.3.1.8 | The max-authentication-failures parameter was allowed in the base operating system. In earlier versions of ArubaOS, the max-authentication-failures parameter required the Wireless Intrusion Protection license.
ArubaOS 6.3 | The reauthentication and timer reauth period parameters were introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
aaa authentication mgmt
aaa authentication mgmt
  default-role {guest-provisioning|location-api-mgmt|network-operations|no-access|read-only|root}
  enable
  no ...
  server-group
Description
This command configures authentication for administrative users.
Syntax
Parameter | Description | Range | Default
default-role | Select a predefined management role to assign to authenticated administrative users: | | default
  default | Default superuser role | |
  guest-provisioning | Guest provisioning role | |
  location-api-mgmt | Location API role | |
  network-operations | Network operations role | |
  no-access | No commands are accessible for this role | |
  read-only | Read-only role | |
enable | Enables authentication for administrative users. | enabled/disabled | disabled
mchapv2 | Enable MSCHAPv2. | enabled/disabled | disabled
no | Negates any configured parameter. | |
server-group | Name of the group of servers used to authenticate administrative users. See aaa server-group on page 89. | | default
Usage Guidelines
If you enable authentication with this command, users configured with the mgmt-user command must be authenticated using the specified server-group.
You can configure the management authentication profile in the base operating system or with the PEFNG license installed.
Example
The following example configures a management authentication profile that authenticates users against the controller's internal database. Users who are successfully authenticated are assigned the read-only role.
  aaa authentication mgmt
    default-role read-only
    server-group internal
Command History
Release | Modification
ArubaOS 3.0 | Command introduced.
ArubaOS 3.2 | The network-operations role was introduced.
ArubaOS 3.3 | The location-api-mgmt role was introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
aaa authentication-server internal
aaa authentication-server internal use-local-switch
Description
This command specifies that the internal database on a local controller be used for authenticating clients.
Usage Guidelines
By default, the internal database in the master controller is used for authentication. This command directs authentication to the internal database on the local controller where you run the command.
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master or local controllers
aaa authentication-server ldap
aaa authentication-server ldap
  admin-dn
  admin-passwd
  allow-cleartext
  authport
  base-dn
  clone
  enable
  filter
  host
  key-attribute
  max-connection
  no ...
  preferred-conn-type ldap-s|start-tls|clear-text
  timeout
Description
This command configures an LDAP server.
Starting from ArubaOS 6.4, a maximum of 128 LDAP servers can be configured on the controller.
Syntax
Parameter | Description | Range | Default
 | Name that identifies the server. | |
admin-dn | Distinguished name for the admin user who has read/search privileges across all of the entries in the LDAP database (the user does not need write privileges but should be able to search the database and read attributes of other users in the database). | |
admin-passwd | Password for the admin user. | |
allow-cleartext | Allows clear-text (unencrypted) communication with the LDAP server. | enabled/disabled | disabled
authport | Port number used for authentication. Port 636 will be attempted for LDAP over SSL, while port 389 will be attempted for SSL over LDAP, Start TLS operation and clear text. | 1-65535 | 389
base-dn | Distinguished Name of the node which contains the entire user database to use. | |
clone | Name of an existing LDAP server configuration from which parameter values are copied. | |
enable | Enables the LDAP server. | |
filter | Filter that should be applied to the search of the user in the LDAP database. The default filter string is (objectclass=*). | | (objectclass=*)
host | IP address of the LDAP server, in dotted-decimal format. | |
key-attribute | Attribute that should be used as a key in the search for the LDAP server. For Active Directory, the value is sAMAccountName. | | sAMAccountName
max-connection | Maximum number of simultaneous non-admin connections to an LDAP server. | |
no | Negates any configured parameter. | |
preferred-conn-type | Preferred connection type. The default order of connection type is: 1. ldap-s 2. start-tls 3. clear-text. The controller will first try to contact the LDAP server using the preferred connection type, and will only attempt to use a lower-priority connection type if the first attempt is not successful. NOTE: You must enable the allow-cleartext option before you select clear-text as the preferred connection type. If you set clear-text as the preferred connection type but do not allow clear-text, the controller will only use ldap-s or start-tls to contact the LDAP server. | ldap-s/start-tls/clear-text | ldap-s
timeout | Timeout period of an LDAP request, in seconds. | 1-30 | 20 seconds
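The interaction between preferred-conn-type and allow-cleartext described above decides whether directory credentials can ever cross the network unencrypted. The Python below is an added example (not ArubaOS code) that models that fallback order and audits one server entry for it; it assumes that lower-priority types are tried in the documented ldap-s, start-tls, clear-text order starting at the preferred type, that clear-text is never attempted while allow-cleartext is disabled, and that the config dictionary stands in for the server entry.

```python
"""Added example (not ArubaOS code): which connection types an ArubaOS LDAP
server entry would attempt, derived from preferred-conn-type and
allow-cleartext, plus a small audit of one server entry.

Assumptions beyond the page: after the preferred type fails, the remaining
lower-priority types are tried in the documented order; clear-text is skipped
while allow-cleartext is disabled; a dict stands in for the server entry."""

PRIORITY = ("ldap-s", "start-tls", "clear-text")   # documented default order


def connection_attempts(preferred_conn_type="ldap-s", allow_cleartext=False):
    """Ordered list of connection types the controller would try."""
    if preferred_conn_type not in PRIORITY:
        raise ValueError(f"unknown preferred-conn-type {preferred_conn_type!r}")
    # Start at the preferred type; only lower-priority types follow it.
    order = list(PRIORITY[PRIORITY.index(preferred_conn_type):])
    if not allow_cleartext:
        order = [t for t in order if t != "clear-text"]
    if not order:
        # Documented case: clear-text preferred but not allowed, so the
        # controller only uses ldap-s or start-tls.
        order = ["ldap-s", "start-tls"]
    return order


def audit_ldap_server(entry):
    """Findings for one server entry (constructed dict of parameter -> value).

    Returns a list of strings; an empty list means nothing to flag.
    """
    preferred = entry.get("preferred-conn-type", "ldap-s")
    allow_cleartext = bool(entry.get("allow-cleartext", False))
    attempts = connection_attempts(preferred, allow_cleartext)
    findings = []
    if "clear-text" in attempts:
        findings.append(
            "allow-cleartext is enabled and clear-text is reachable in the "
            f"fallback order {attempts}: bind credentials may be sent unencrypted")
    if preferred == "clear-text" and not allow_cleartext:
        findings.append(
            "preferred-conn-type clear-text has no effect while allow-cleartext "
            "is disabled; the controller will use ldap-s or start-tls")
    return findings


# Constructed entries, named after the page's ldap1 example and a weak variant.
LDAP1 = {"host": "10.1.1.243", "key-attribute": "sAMAccountName"}
LDAP_WEAK = {"host": "10.1.1.243", "allow-cleartext": True,
             "preferred-conn-type": "start-tls"}

if __name__ == "__main__":
    for name, entry in (("ldap1", LDAP1), ("ldap-weak", LDAP_WEAK)):
        print(name, connection_attempts(entry.get("preferred-conn-type", "ldap-s"),
                                        entry.get("allow-cleartext", False)),
              audit_ldap_server(entry))
```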
Usage Guidelines
You configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 89).
Example
The following command configures and enables an LDAP server:
  aaa authentication-server ldap ldap1
    host 10.1.1.243
    base-dn cn=Users,dc=1m,dc=corp,dc=com
    admin-dn cn=corp,cn=Users,dc=1m,dc=corp,dc=com
    admin-passwd abc10
    key-attribute sAMAccountName
    filter (objectclass=*)
    enable
Command History
This command was available in ArubaOS 3.0.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
aaa authentication-server radius
aaa authentication-server radius
  acctport
  authport
  clone
  enable
  host |
  key
  mac-delimiter [colon|dash|none|oui-nic]
  mac-lowercase
  nas-identifier
  nas-ip
  nas-ip6
  no ...
  retransmit
  service-type-framed-user
  source-interface vlan ip6addr
  timeout
  use-ip-for-calling-station
  use-md5
Description
This command configures a RADIUS server.
Starting from ArubaOS 6.4, a maximum of 128 RADIUS servers can be configured on the controller.
Syntax
Parameter | Description | Range | Default
 | Name that identifies the server. | |
acctport | Accounting port on the server. | 1-65535 | 1813
authport | Authentication port on the server. | 1-65535 | 1812
clone | Name of an existing RADIUS server configuration from which parameter values are copied. | |
enable | Enables the RADIUS server. | |
host | Identify the RADIUS server either by its IP address or fully qualified domain name. | |
  | IPv4 address of the RADIUS server. | |
  | Fully qualified domain name (FQDN) of the RADIUS server. The maximum supported length is 63 characters. | |
key | Shared secret between the controller and the authentication server. The maximum length is 128 characters. | |
mac-delimiter [colon|dash|none|oui-nic] | Send MAC address with user-defined delimiter. | | none
mac-lowercase | Send MAC addresses as lowercase. | |
nas-identifier | Network Access Server (NAS) identifier to use in RADIUS packets. | |
nas-ip | NAS IP address to send in RADIUS packets. You can configure a global NAS IP address that the controller uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IP, the global NAS IP is used. To set the global NAS IP, enter the ip radius nas-ip command. | |
nas-ip6 | NAS IPv6 address to send in RADIUS packets. You can configure a global NAS IPv6 address that the controller uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IPv6, the global NAS IPv6 is used. To set the global NAS IPv6, enter the ipv6 radius nas-ip6 command. | |
no | Negates any configured parameter. | |
retransmit | Maximum number of retries sent to the server by the controller before the server is marked as down. | 0-3 | 3
service-type-framed-user | Send the service-type as FRAMED-USER instead of LOGIN-USER. This option is disabled by default. | | disabled
source-interface vlan ip6addr | This option associates a VLAN interface with the RADIUS server to allow the server-specific source interface to override the global configuration. If you associate a Source Interface (by entering a VLAN number) with a configured server, then the source IP address of the packet will be that interface's IP address. If you do not associate the Source Interface with a configured server (leave the field blank), then the IP address of the global Source Interface will be used. If you want to configure an IPv6 address for the Source Interface, specify the IPv6 address for the ip6addr parameter. | |
timeout | Maximum time, in seconds, that the controller waits before timing out the request and resending it. | 1-30 | 5 seconds
use-ip-for-calling-station | Use an IP address instead of a MAC address for calling station IDs. This option is disabled by default. | | disabled
use-md5 | Use MD5 hash of cleartext password. | | disabled
Usage Guidelines
You configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 89).
Example
The following command configures and enables a RADIUS server:
  aaa authentication-server radius radius1
    host 10.1.1.244
    key qwERtyuIOp
    enable
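The MAC string a RADIUS server receives depends on the case and delimiter parameters of the MAC authentication profile and on the mac-delimiter and mac-lowercase parameters of the RADIUS server entry, and a mismatch with the directory's stored form is a common cause of silent MAC authentication failures. The Python below is an added example (not ArubaOS code) that renders a MAC under both sets of parameters; the shapes for colon, dash and none come from the page, while the oui-nic layout (one dash between the OUI and NIC halves) and uppercase as the RADIUS default without mac-lowercase are assumptions.

```python
"""Added example (not ArubaOS code): render a client MAC the way the MAC
authentication profile (case, delimiter) and the RADIUS server entry
(mac-delimiter, mac-lowercase) describe it.

Assumptions beyond the page: input MACs may carry any common separator;
oui-nic means one dash between the 6-digit OUI and 6-digit NIC parts; the
RADIUS entry sends uppercase unless mac-lowercase is set."""
import re

DELIMITERS = {"none": "", "colon": ":", "dash": "-"}


def normalise_mac(raw: str) -> str:
    """Strip separators and validate; returns 12 lowercase hex digits."""
    digits = re.sub(r"[:\-. ]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits.lower()


def _pairs(digits: str, sep: str) -> str:
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_auth_string(raw: str, case: str = "lower", delimiter: str = "none") -> str:
    """MAC string as sent by the MAC authentication profile.

    Defaults mirror the profile's documented defaults (lower, none), so
    the default output is the page's xxxxxxxxxxxx form.
    """
    if case not in ("lower", "upper"):
        raise ValueError(f"case must be upper or lower, got {case!r}")
    if delimiter not in DELIMITERS:
        raise ValueError(f"delimiter must be colon, dash or none, got {delimiter!r}")
    digits = normalise_mac(raw)
    if case == "upper":
        digits = digits.upper()
    return _pairs(digits, DELIMITERS[delimiter])


def radius_mac_string(raw: str, mac_delimiter: str = "none",
                      mac_lowercase: bool = False) -> str:
    """MAC string as the RADIUS server entry would send it (default: none)."""
    digits = normalise_mac(raw)
    if not mac_lowercase:
        digits = digits.upper()          # assumption: uppercase unless mac-lowercase
    if mac_delimiter == "oui-nic":
        return digits[:6] + "-" + digits[6:]   # assumed oui-nic layout
    if mac_delimiter not in DELIMITERS:
        raise ValueError(f"unknown mac-delimiter {mac_delimiter!r}")
    return _pairs(digits, DELIMITERS[mac_delimiter])


# Constructed sample client address used by the demo and the tests.
SAMPLE_MAC = "00:0b:86:AA:bb:CC"

if __name__ == "__main__":
    print(mac_auth_string(SAMPLE_MAC))                      # 000b86aabbcc
    print(mac_auth_string(SAMPLE_MAC, "upper", "colon"))    # 00:0B:86:AA:BB:CC
    print(radius_mac_string(SAMPLE_MAC, "oui-nic"))         # 000B86-AABBCC
```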
Command History
Version | Modification
ArubaOS 3.0 | Command introduced.
ArubaOS 6.0 | RADIUS server can be identified by its fully qualified domain name (FQDN).
ArubaOS 6.1 | The source-interface parameter was added.
ArubaOS 6.3 | The mac-delimiter parameter was introduced. The enable-ipv6 and nas-ip6 parameters were introduced. An IPv6 host address can be specified for the host parameter. The ipv6 addr parameter was added.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
aaa authentication-server tacacs
aaa authentication-server tacacs
  clone
  enable
  host
  key
  no ...
  retransmit
  session-authorization
  tcp-port
  timeout
Description
This command configures a TACACS+ server.
Starting from ArubaOS 6.4, a maximum of 128 TACACS servers can be configured on the controller.
Syntax
Parameter | Description | Range | Default
 | Name that identifies the server. | |
clone | Name of an existing TACACS server configuration from which parameter values are copied. | |
enable | Enables the TACACS server. | |
host | IPv4 address of the TACACS server. | |
key | Shared secret to authenticate communication between the TACACS+ client and server. | |
no | Negates any configured parameter. | |
retransmit | Maximum number of times a request is retried. | 0-3 | 3
session-authorization | Enables TACACS+ authorization. Session-authorization turns on the optional authorization session for admin users. | | disabled
tcp-port | TCP port used by the server. | 1-65535 | 49
timeout | Timeout period of a TACACS request, in seconds. | 1-30 | 20 seconds
Usage Guidelines
You configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 89).
Example
The following command configures and enables a TACACS+ server and enables session authorization:
  aaa authentication-server tacacs tacacs1
    clone default
    host 10.1.1.245
    key qwERtyuIOp
    enable
    session-authorization
Command History
Version | Description
ArubaOS 3.0 | Command introduced.
ArubaOS 6.0 | The session-authorization parameter was introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
aaa authentication-server windows
aaa authentication-server windows
  clone
  domain
  enable
  host
  no
Description
This command configures a Windows server for stateful-NTLM authentication.
Syntax
Parameter | Description
 | Name of the Windows server. You will use this name when you add the Windows server to a server group.
clone | Name of a Windows server from which you want to make a copy.
domain | The Windows domain for the authentication server.
enable | Enables the Windows server.
host | IP address of the Windows server.
no | Delete command.
Usage Guidelines
You must define a Windows server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 89). Windows servers are used for stateful-NTLM authentication.
Example
The following command configures and enables a Windows server:
  aaa authentication-server windows IAS_1
    host 10.1.1.245
    enable
Command History
This command was available in ArubaOS 3.4.1.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
aaa authentication stateful-dot1x
aaa authentication stateful-dot1x
  default-role
  enable
  no ...
  server-group
  timeout
Description
This command configures 802.1X authentication for clients on non-Aruba APs.
Syntax
Parameter | Description | Range | Default
default-role | Role assigned to the 802.1X user upon login. NOTE: The PEFNG license must be installed. | | guest
enable | Enables 802.1X authentication for clients on non-Aruba APs. Use no enable to disable stateful 802.1X authentication. | | enabled
no | Negates any configured parameter. | |
server-group | Name of the group of RADIUS servers used to authenticate the 802.1X users. See aaa server-group on page 89. | |
timeout | Timeout period, in seconds. | 1-20 | 10 seconds
Usage Guidelines
This command configures 802.1X authentication for clients on non-Aruba APs. The controller maintains user session state information for these clients.
Example
The following command assigns the employee user role to clients who successfully authenticate with the server group corp-rad:
  aaa authentication stateful-dot1x
    default-role employee
    server-group corp-rad
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
aaa authentication stateful-dot1x clear
aaa authentication stateful-dot1x clear
Description
This command clears automatically-created control path entries for 802.1X users on non-Aruba APs.
Syntax
No parameters.
Usage Guidelines
Run this command after changing the configuration of a RADIUS server in the server group configured with the aaa authentication stateful-dot1x command. This causes entries for the users to be created in the control path with the updated configuration information.
Command History
This command was introduced in ArubaOS 3.0.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Enable mode on master controllers
aaa authentication stateful-ntlm
  clone <profile>
  default-role <role>
  enable
  no ...
  server-group <group>
  timeout <seconds>
Description
This command configures stateful NT LAN Manager (NTLM) authentication.
Syntax
Parameter | Description | Range | Default
clone <profile> | Create a copy of an existing stateful NTLM profile. | - | -
default-role <role> | Select an existing role to assign to authenticated users. | - | guest
no | Negates any configured parameter. | - | -
server-group <group> | Name of a server group. | - | default
timeout <seconds> | Amount of time, in seconds, before the request times out. | 1-20 seconds | 10 seconds
Usage Guidelines
NT LAN Manager (NTLM) is a suite of Microsoft authentication and session security protocols. You can use a stateful NTLM authentication profile to configure a controller to monitor the NTLM authentication messages between clients and an authentication server. The controller can then use the information in the Server Message Block (SMB) headers to determine the client's username and IP address, the server IP address and the client's current authentication status. If the client successfully authenticates via an NTLM authentication server, the controller can recognize that the client has been authenticated and assign that client a specified user role. When the user logs off or shuts down the client machine, the user will remain in the authenticated role until the user's authentication is aged out.
The Stateful NTLM Authentication profile requires that you specify a server group which includes the servers performing NTLM authentication, and a default role to be assigned to authenticated users. For details on defining a Windows server used for NTLM authentication, see aaa authentication-server windows.
Example
The following example configures a stateful NTLM authentication profile that authenticates clients via the server group Windows1. Users who are successfully authenticated are assigned the guest2 role.
aaa authentication stateful-ntlm
  default-role guest2
  server-group Windows1
Command History
Command introduced in ArubaOS 3.4.1.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master controllers
aaa authentication via auth-profile
  auth-protocol {mschapv2|pap}
  cert-cn-lookup
  clone <profile>
  default-role <role>
  desc <description>
  max-authentication-failures <number>
  no ...
  pan-integration
  radius-accounting <group>
  rfc-3576-server <server>
  server-group <group>
Description
This command configures the VIA authentication profile.
Syntax
Parameter | Description | Default
auth-protocol {mschapv2|pap} | Authentication protocol support for VIA authentication; MSCHAPv2 or PAP. | PAP
cert-cn-lookup | Check the certificate common name against the AAA server. | Enabled
clone <profile> | Name of an existing profile from which configuration values are copied. | -
default-role <role> | Name of the default VIA authentication profile. | -
desc <description> | Description of this profile for reference. | -
max-authentication-failures <number> | Number of times VIA will prompt the user to log in due to incorrect credentials. After the maximum number of failed authentication attempts, VIA will exit. | 3
pan-integration | Requires IP mapping at Palo Alto Networks. | -
radius-accounting <group> | Server group for RADIUS accounting. | -
rfc-3576-server <server> | Configures the RFC 3576 server. | -
server-group <group> | Server group against which the user is authenticated. | -
Usage Guidelines
Use this command to create VIA authentication profiles and associate user roles with the authentication profile.
Example
(host) (config) #aaa authentication via auth-profile default
(host) (VIA Authentication Profile "default") #auth-protocol mschapv2
(host) (VIA Authentication Profile "default") #default-role example-via-role
(host) (VIA Authentication Profile "default") #desc "Default VIA Authentication Profile"
(host) (VIA Authentication Profile "default") #server-group "via-server-group"
Command History
Version | Description
ArubaOS 5.0 | Command introduced.
ArubaOS 6.3 | The auth-protocol parameter was added.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master or local controllers
aaa authentication via connection-profile <profile>
  admin-logoff-script <script>
  admin-logon-script <script>
  allow-user-disconnect
  allow-whitelist-traffic
  auth_domain_suffix
  auth-profile <profile> position <n>
  auto-launch-supplicant
  auto-login
  auto-upgrade
  banner-message-reappear-timeout <minutes>
  client-logging
  client-netmask <netmask>
  client-wlan-profile <profile> position <n>
  clone <profile>
  controllers-load-balance
  csec-gateway-url
  csec-http-ports
  dns-suffix-list <suffix>
  domain-pre-connect
  enable-csec
  enable-fips
  enable-supplicant
  ext-download-url <url>
  ike-policy <policy>
  ikev2-policy <policy>
  ikev2-proto
  ikev2auth <method>
  ipsec-cryptomap map <map> number <number>
  ipsecv2-cryptomap
  lockdown-all-settings
  max-reconnect-attempts <number>
  max-timeout <minutes>
  minimized
  no ...
  save-passwords
  server addr <addr> internal-ip <ip> desc <desc> position <n>
  split-tunneling
  suiteb-crypto
  support-email <email>
  tunnel address <address> netmask <netmask>
  user-idle-timeout <seconds>
  validate-server-cert
  whitelist addr <addr> netmask <netmask> [description <desc>]
  windows-credentials
Description
This command configures the VIA connection profile.
Syntax
Parameter | Description | Default
admin-logoff-script <script> | Enables the VIA logoff script. Specify the name of the script that must be executed when the VIA connection is disconnected. The script must reside on the user / client system. | Disabled
admin-logon-script <script> | Enables the VIA logon script. Specify the name of the script that must be executed when the VIA connection is established. The script must reside on the user / client system. | Disabled
allow-user-disconnect | Enable or disable users to disconnect their VIA sessions. | Enabled
allow-whitelist-traffic | If enabled, this feature will block network access until the VIA VPN connection is established. | Disabled
auth_domain_suffix | Enables a domain suffix on VIA authentication, so client credentials are sent as domainname\username instead of just username. | -
auto-launch-supplicant | Allows you to connect automatically to a configured WLAN network. | Disabled
auth-profile <profile> position <n> | This is the list of VIA authentication profiles that will be displayed to users in the VIA client. | -
auto-login | Enable or disable VIA client to auto login and establish a secure connection to the controller. | Enabled
auto-upgrade | Enable or disable VIA client to automatically upgrade when an updated version of the client is available on the controller. | Enabled
banner-message-reappear-timeout <minutes> | Timeout value, in minutes, after which the user session will end and the VIA Login banner message reappears. | 1440 minutes
client-logging | Enable or disable VIA client to auto login and establish a secure connection to the controller. | Enabled
client-netmask <netmask> | The network mask that has to be set on the client after the VPN connection is established. | 255.255.255.255
client-wlan-profile <profile> position <n> | A list of VIA client WLAN profiles that need to be pushed to the client machines that use Windows Zero Config (WZC) to configure or manage their wireless networks. | -
clone <profile> | Create a copy of a connection profile from another VIA connection profile. | -
controllers-load-balance | Enable this option to allow the VIA client to fail over to the next available server, selected randomly from the list as configured in the VIA Servers option. If disabled, VIA will fail over to the next in the sequence of the ordered list of VIA Servers. | Disabled
ext-download-url <url> | End users will use this URL to download VIA on their computers. | -
ike-policy <policy> | List of IKE policies that the VIA client has to use to connect to the controller. | -
ikev2-policy <policy> | List of IKEv2 policies that the VIA client has to use to connect to the controller. | -
ikev2-proto | Enable this to use the IKEv2 protocol to establish VIA sessions. | Disabled
ikev2auth <method> | Use this option to set the IKEv2 authentication method. By default a user certificate is used for authentication. The other supported methods are EAP-MSCHAPv2 and EAP-TLS. The EAP authentication is done on an external RADIUS server. | User Certificates
ipsec-cryptomap map <map> number <number> | List of IPsec crypto maps that the VIA client uses to connect to the controller. These IPsec crypto maps are configured in the CLI using the crypto-local ipsec-map command. | -
ipsecv2-cryptomap | List of IPsec v2 crypto maps that the VIA client uses to connect to the controller. | -
lockdown-all-settings | Allows you to lock down all user-configured settings. | Disabled
max-reconnect-attempts <number> | The maximum number of reconnection attempts by the VIA client due to authentication failures. | 3
max-timeout <minutes> | The maximum time (minutes) allowed before the VIA session is disconnected. | 1440 minutes
minimized | Use this option to keep the VIA client on a Microsoft Windows operating system minimized to the system tray. | -
save-passwords | Enable or disable users to save passwords entered in VIA. | Enabled
server addr <addr> internal-ip <ip> desc <desc> position <n> | Configure VIA servers. Address: the public IP address or the DNS hostname of the VIA controller; users will connect to the remote server using this IP address or the hostname. Internal IP Address: the IP address of any of the VLAN interface IP addresses belonging to this controller. Description: a human-readable description of the controller. | -
split-tunneling | Enable or disable split tunneling. If enabled, all traffic to the VIA tunneled networks will go through the controller and the rest is just bridged directly on the client. If disabled, all traffic will flow through the controller. | off
suiteb-crypto | Use this option to enable Suite-B cryptography. See RFC 4869 for more information about Suite-B cryptography. | Disabled
support-email <email> | The support e-mail address to which VIA users will send client logs. | None
tunnel address <address> netmask <netmask> | A list of network destinations (IP address and netmask) that the VIA client will tunnel through the controller. All other network destinations will be reachable directly by the VIA client. Enter the tunneled IP address and its netmask. | -
user-idle-timeout <seconds> | The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used. | disabled
validate-server-cert | Enable or disable VIA from validating the server certificate presented by the controller. | Enabled
whitelist addr <addr> netmask <netmask> [description <desc>] | Specify a hostname or IP address and network mask to define a whitelist of users allowed to access the network if the allow-whitelist-traffic option is enabled. addr: host name or IP address of a client. netmask: netmask, in dotted-decimal format. description: (optional) description of the client. | -
windows-credentials | Enable or disable the use of the Windows credentials to log in to VIA. If enabled, the SSO (Single Sign-on) feature can be utilized by remote users to connect to internal resources. | Enabled
Usage Guidelines
Issue this command to create a VIA connection profile. A VIA connection profile contains settings required by VIA to establish a secure connection to the controller. You can configure multiple VIA connection profiles. A VIA connection profile is always associated with a user role, and all users belonging to that role will use the configured settings. If you do not assign a VIA connection profile to a user role, the default connection profile is used.
Example
The following example shows a simple VIA connection profile:
(host) (config) #aaa authentication via connection-profile "via"
(host) (VIA Connection Profile "via") #server addr 202.100.10.100 internal-ip 10.11.12.13 desc "VIA Primary" position 0
(host) (VIA Connection Profile "via") #auth-profile "default" position 0
(host) (VIA Connection Profile "via") #tunnel address 10.0.0.0 netmask 255.255.255.0
(host) (VIA Connection Profile "via") #split-tunneling
(host) (VIA Connection Profile "via") #windows-credentials
(host) (VIA Connection Profile "via") #client-netmask 255.0.0.0
(host) (VIA Connection Profile "via") #dns-suffix-list mycorp.com
(host) (VIA Connection Profile "via") #dns-suffix-list example.com
(host) (VIA Connection Profile "via") #support-email [email protected]
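The split-tunneling, tunnel, allow-whitelist-traffic and whitelist parameters above together decide which traffic ever reaches the controller's policy and what a client can reach before the VPN is up. The following Python example is added here and is not ArubaOS code or part of this guide: it parses those sub-mode lines as typed after the prompt (the lines in the example profile plus two constructed whitelist entries, 192.0.2.10 and updates.example.com, which are placeholders) and answers both questions for a given destination. Function and class names are the example's own.

```python
"""Routing decisions implied by a VIA connection profile (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ViaConnectionProfile:
    """Subset of a VIA connection profile that affects traffic routing."""
    split_tunneling: bool = False           # page default: off
    allow_whitelist_traffic: bool = False   # page default: Disabled
    tunnel: list = field(default_factory=list)           # ip_network objects
    whitelist_nets: list = field(default_factory=list)   # ip_network objects
    whitelist_hosts: list = field(default_factory=list)  # hostnames (strings)


def _network(address, netmask):
    """Combine an address and a dotted-decimal netmask into an ip_network."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def parse_profile(cli_lines):
    """Build a profile from the sub-mode lines typed after the '#' prompt.

    Only routing-relevant parameters are interpreted; everything else
    (windows-credentials, dns-suffix-list, server, ...) is accepted and ignored.
    """
    profile = ViaConnectionProfile()
    for raw in cli_lines:
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "split-tunneling":
            profile.split_tunneling = True
        elif tokens[0] == "allow-whitelist-traffic":
            profile.allow_whitelist_traffic = True
        elif tokens[:2] == ["tunnel", "address"] and len(tokens) >= 5 and tokens[3] == "netmask":
            profile.tunnel.append(_network(tokens[2], tokens[4]))
        elif tokens[:2] == ["whitelist", "addr"] and len(tokens) >= 5 and tokens[3] == "netmask":
            try:
                profile.whitelist_nets.append(_network(tokens[2], tokens[4]))
            except ValueError:
                # the page allows a hostname here; keep it for exact matching
                profile.whitelist_hosts.append(tokens[2].lower())
    return profile


def goes_through_controller(profile, dest):
    """True if traffic to dest (an IP address) enters the VIA tunnel.

    With split-tunneling off every destination flows through the controller;
    with it on, only the configured tunnel networks do and the rest is
    bridged directly on the client.
    """
    if not profile.split_tunneling:
        return True
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in profile.tunnel)


def bypasses_controller(profile, dests):
    """Destinations in dests that never reach the controller's policy."""
    return [d for d in dests if not goes_through_controller(profile, d)]


def reachable_before_vpn(profile, dest):
    """True if the client may reach dest before the VPN is established.

    allow-whitelist-traffic blocks all network access until the tunnel is up
    except for whitelist entries; when it is disabled, nothing is blocked.
    """
    if not profile.allow_whitelist_traffic:
        return True
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return dest.lower() in profile.whitelist_hosts
    return any(addr in net for net in profile.whitelist_nets)


# Constructed sample: the page's example profile plus a pre-connection
# whitelist (192.0.2.10 and updates.example.com are placeholder values).
SAMPLE_LINES = [
    'server addr 202.100.10.100 internal-ip 10.11.12.13 desc "VIA Primary" position 0',
    "tunnel address 10.0.0.0 netmask 255.255.255.0",
    "split-tunneling",
    "windows-credentials",
    "client-netmask 255.0.0.0",
    "dns-suffix-list mycorp.com",
    "allow-whitelist-traffic",
    "whitelist addr 192.0.2.10 netmask 255.255.255.255 description vpn-gateway",
    "whitelist addr updates.example.com netmask 255.255.255.255",
]

if __name__ == "__main__":
    p = parse_profile(SAMPLE_LINES)
    print("bypass controller:", bypasses_controller(p, ["10.0.0.5", "10.0.1.5", "198.51.100.7"]))
    print("reachable before VPN:", reachable_before_vpn(p, "192.0.2.10"))
```

The bypass list is the review check that matters: once split-tunneling is on, every destination outside the tunnel list is bridged directly on the client and never sees the controller's firewall policy, so the tunnel list, not the default-role policy, decides what is protected.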
Command History
Release | Modification
ArubaOS 5.0 | Command introduced.
ArubaOS 6.1 | The following parameters were introduced: admin-logon-script, admin-logoff-script, ikev2-policy, ikev2-proto, ikev2-auth, ipsecv2-crypto, minimized, suiteb-crypto.
ArubaOS 6.1.3.2 | The auth_domain_suffix parameter was introduced.
ArubaOS 6.2 | The following parameters were introduced: allow-whitelist-traffic, banner-message-reappear-timeout, controllers-load-balancing, enable-fips, enable-supplicant, whitelist.
ArubaOS 6.3 | The user-idle-timeout parameter was introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master or local controllers
aaa authentication via global-config
  no ...
  ssl-fallback-enable
Description
The global-config option allows you to enable SSL fallback mode. If SSL fallback mode is enabled, the VIA client will use SSL to create a secure connection.
Syntax
Parameter | Description | Default
no | Disable the SSL fallback option. | -
ssl-fallback-enable | Use this option to enable an SSL fallback connection. | Disabled
Example
(host) (config) #aaa authentication via global-config
Command History
Command introduced in ArubaOS 5.0.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master or local controllers
aaa authentication via web-auth default
  auth-profile <profile> position <n>
  clone <profile>
  no ...
Description
A VIA web authentication profile contains an ordered list of VIA authentication profiles. The web authentication profile is used by end users to log in to the VIA download page (https:///via) for downloading the VIA client. Only one VIA web authentication profile is available. If more than one VIA authentication profile is configured, users can view this list and select one during the client login.
Syntax
Parameter | Description | Default
auth-profile <profile> | The name of the VIA authentication profile. | -
position <n> | The position of the profile, to specify the order of selection. | -
clone <profile> | Duplicate an existing authentication profile. | -
Example
(host) (config) #aaa authentication via web-auth default
(host) (VIA Web Authentication "default") #auth-profile default position 0
Command History
Command introduced in ArubaOS 5.0.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on master or local controllers
aaa authentication vpn <profile>
  cert-cn-lookup
  clone <profile>
  default-role <role>
  export-route
  max-authentication-failures <number>
  no ...
  pan-integration
  radius-accounting <group>
  server-group <group>
  user-idle-timeout <seconds>
Description
This command configures VPN authentication settings.
Syntax
Parameter | Description | Default
<profile> | There are three VPN profiles: default, default-rap or default-cap. This allows users to use different AAA servers for VPN, RAP and CAP clients. NOTE: The default and default-rap profiles are configurable. The default-cap profile is not configurable and is predefined with the default settings. | -
cert-cn-lookup | If you use client certificates for user authentication, enable this option to verify that the certificate's common name exists in the server. This parameter is enabled by default in the default-cap and default-rap VPN profiles, and disabled by default on all other VPN profiles. | -
clone <profile> | Copies data from another VPN authentication profile. Source is the profile name from which the data is copied. | -
default-role <role> | Role assigned to the VPN user upon login. NOTE: This parameter requires the Policy Enforcement Firewall for VPN Users (PEFV) license. | guest
export-route | Exports a VPN IP address as a route to the external world. See the show ip ospf command to view the link-state advertisement (LSA) types that are generated. | enabled
max-authentication-failures <number> | Maximum number of authentication failures before the user is blacklisted. The supported range is 1-10 failures. A value of 0 disables blacklisting. NOTE: This parameter requires the RFProtect license. | 0 (disabled)
no | Negates any configured parameter. | -
pan-integration | Require IP mapping at Palo Alto Networks firewalls. | disabled
radius-accounting <group> | Configure the server group for RADIUS accounting. | -
server-group <group> | Name of the group of servers used to authenticate VPN users. See aaa server-group on page 89. | internal
user-idle-timeout <seconds> | The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used. | -
Usage Guidelines
This command configures VPN authentication settings for VPN, RAP and CAP clients. Use the vpdn group command to configure a Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) or a Point-to-Point Tunneling Protocol (PPTP) VPN connection. (See vpdn group l2tp on page 1840.)
Example
The following command configures VPN authentication settings for the default-rap profile:
aaa authentication vpn default-rap
  default-role guest
  clone default
  max-authentication-failures 0
  server-group vpn-server-group
The following message appears when a user tries to configure the non-configurable default-cap profile:
(host) (config) #aaa authentication vpn default-cap
Predefined VPN Authentication Profile "default-cap" is not editable
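The constraints this command states (default-cap is predefined and not editable, max-authentication-failures is 0 or 1-10 with 0 disabling blacklisting, user-idle-timeout is 30-15300 seconds in multiples of 30) are easy to get wrong when profiles are generated from templates. The following Python example is added here and is not ArubaOS code or part of this guide: it checks a settings dictionary against those rules before emitting the indented CLI lines in the shape of the example above, and refuses default-cap with the same message the controller prints. Function and exception names are the example's own; it does not know which other profile names a given controller accepts.

```python
"""Validation and rendering for 'aaa authentication vpn' profiles (added example)."""

PREDEFINED_PROFILES = {"default-cap"}  # predefined and not editable, per the page


class VpnProfileError(ValueError):
    """Raised for a configuration the controller would reject."""


def validate_vpn_settings(settings):
    """Return a list of problems; an empty list means the settings are acceptable."""
    problems = []
    maf = settings.get("max-authentication-failures")
    if maf is not None and not (isinstance(maf, int) and 0 <= maf <= 10):
        problems.append("max-authentication-failures must be 0 (disabled) or 1-10")
    idle = settings.get("user-idle-timeout")
    if idle is not None and not (isinstance(idle, int) and 30 <= idle <= 15300 and idle % 30 == 0):
        problems.append("user-idle-timeout must be 30-15300 seconds in multiples of 30")
    return problems


def blacklisting_enabled(settings):
    """The page's default of 0 means failed logins never blacklist the user."""
    return settings.get("max-authentication-failures", 0) > 0


def render_vpn_profile(name, settings):
    """Render the profile as the command line plus indented parameter lines.

    settings is a dict in the order the lines should be emitted; True renders
    as the bare keyword, False as its 'no' form, anything else as 'key value'.
    """
    if name in PREDEFINED_PROFILES:
        raise VpnProfileError(f'Predefined VPN Authentication Profile "{name}" is not editable')
    problems = validate_vpn_settings(settings)
    if problems:
        raise VpnProfileError("; ".join(problems))
    lines = [f"aaa authentication vpn {name}"]
    for key, value in settings.items():
        if value is True:
            lines.append(f"  {key}")
        elif value is False:
            lines.append(f"  no {key}")
        else:
            lines.append(f"  {key} {value}")
    return lines


def rejection_reason(name, settings):
    """Return the error message rendering would raise, or None if accepted."""
    try:
        render_vpn_profile(name, settings)
    except VpnProfileError as err:
        return str(err)
    return None


# Constructed sample matching the page's default-rap example.
SAMPLE_SETTINGS = {
    "default-role": "guest",
    "clone": "default",
    "max-authentication-failures": 0,
    "server-group": "vpn-server-group",
}

if __name__ == "__main__":
    print("\n".join(render_vpn_profile("default-rap", SAMPLE_SETTINGS)))
    print("blacklisting enabled:", blacklisting_enabled(SAMPLE_SETTINGS))
    print(rejection_reason("default-cap", {}))
```

Note that the sample profile leaves max-authentication-failures at 0, so repeated failed logins never blacklist the user; blacklisting_enabled makes that visible so a reviewer can decide whether the default is intended for a RAP profile.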
Command History
Version | Description
ArubaOS 3.0 | Command introduced.
ArubaOS 5.0 | The default-cap and default-rap profiles were introduced.
ArubaOS 6.1 | The cert-cn-lookup parameter was introduced.
ArubaOS 6.3 | The user-idle-timeout parameter was introduced.
ArubaOS 6.3.1 | The export-route parameter was introduced.
Command Information
Platforms | Licensing | Command Mode
All platforms | Base operating system, except for noted parameters. The default-role parameter requires the Policy Enforcement Firewall for VPN Users (PEFV) license. | Config mode on master controllers