Aruba OS 6.4 Command Line Interface Reference Guide

ArubaOS 6.4Command-Line Interface

Referen

ceGuide

0511528-00v2 | February 2014 ArubaOS6.4 | ReferenceGuide

Copyright Information

2014 Aruba Networks, Inc. Aruba Networks trademarks include , Aruba Networks, ArubaWireless Networks, the registered Aruba theMobile Edge Company logo, ArubaMobility Management System,Mobile Edge Architecture, PeopleMove. Networks Must Follow, RFProtect, Green Island. All rights reserved.All other trademarks are the property of their respective owners.

Open Source Code

Certain Aruba products includeOpen Source software code developed by third parties, including software codesubject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other OpenSource Licenses. Includes software fro Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox,Inc. All rights reserved.This product includes software developed by Lars Fenneberg et al. TheOpen Source codeused can be found at this site

http://www.arubanetworks.com/open_source

Legal Notice

The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminateother vendors VPN client devices constitutes complete acceptance of liability by that individual or corporation forthis action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against itwith respect to infringement of copyright on behalf of those vendors.

Warranty

This hardware product is protected by an Aruba warranty. For more information, refer to the ArubaCare service andsupport terms and conditions.

ArubaOS6.4| ReferenceGuide The ArubaOSCommand-Line Interface | 3

The ArubaOS Command-Line Interface

The ArubaOS 6.4 command-line interface (CLI) allows you to configure andmanage your controllers. The CLI isaccessible from a local console connected to the serial port on the controllers or through a Telnet or Secure Shell(SSH) session from a remotemanagement console or workstation.

Telnet access is disabled by default. To enable Telnet access, enter the telnet CLI command from a serial connection oran SSH session, or in the WebUI navigate to the Configuration > Management > General page.

Whats New In ArubaOS 6.4

New CommandsThe following commands are introduced in the ArubaOS 6.4 command line interface.

Command Description

airgroup static mdns-record

Using this command, an administrator can add the mDNS staticrecords to cache in the following methods:

l Group mDNS static recordsl Individual mDNS static records

app lync traffic-control This command creates a traffic control profile that allows the controllerto recognize and prioritize a specific type of Lync traffic in order toapply QoS through the Lync Application Layer Gateway (ALG).

dpi This command configures Deep-Packet Inspection and the globalbandwidth contract for an application or application category for theAppRF feature.

iap trusted-branch-db This command configures an IAP-VPN branch as trusted.

pan active-profile This command activates a configured PAN profile.

pan profile This command is used to configure a PAN profile.

show aaa load-balance stat-istics

This command displays the load balancing statistics for RADIUS serv-ers.

show lldp interface This command displays the LLDP interfaces information.

show lldp neighbor This command displays information about LLDP peers.

show lldp statistics This command displays the LLDP statistics information.

show iap detailed-table This command displays the details of all the branches terminating atthe controller.

show pan active-profile This command displays the currently active PANprofile.

4 | The ArubaOSCommand-Line Interface ArubaOS6.4| ReferenceGuide

Command Description

show pan profile This command displays all configured PAN profiles.

show pan state This command displays the current status of associated PAN firewalls.

show pan statistics This command displays PAN profile statistics.

show sso idp-profile This command displays the configured SSO IDP profiles.

show ucc call-info cdrs This command displays the Call Detailed Report (CDR) statistics forUnified Communication and Collaboration (UCC).

show ucc client-info This command displays the UCC client status and CDR statistics.

show ucc configuration This command displays the UCC configuration in the controller.

show ucc statistics This command displays the UCC call statistics in the controller.

show ucc trace-buffer This command displays the UCC call message trace buffer for Lync,SCCP, and SIP ALGs. Events such as establishing voice, video,desktop sharing, and file transfer are recorded.

sso idp-profile This command creates an SSO profile.

wlan hotspot advert-isement-profile

This command configures a WLAN advertisement profile for an802.11u public access service provider.

wlan hotspot anqp-3gpp-nwk-profile

This profile defines information for a 3rd Generation PartnershipProject (3GPP) Cellular Network for hotspots that have roamingrelationships with cellular operators.

wlan hotspot anqp-domain-name-profile

This command defines the domain name to be sent in an AccessNetwork Query Protocol (ANQP) information element in a GenericAdvertisement Service (GAS) query response.

wlan hotspot anqp-ip-addr-avail-profile

This command defines available IP address types to be sent in aAccess network Query Protocol (ANQP) information element in aGeneric Advertisement Service (GAS) query response.

wlan hotspot anqp-nai-realm-profile

This command defines a Network Access Identifier (NAI) realm whoseinformation can be sent as an Access network Query Protocol (ANQP)information element in a Generic Advertisement Service (GAS) queryresponse.

wlan hotspot anqp-nwk-auth-profile

This command configures an ANQP Network Authentication profile todefine authentication type being used by the hotspot network.

wlan hotspot anqp-roam-cons-profile

This command configures the Roaming Consortium OI information tobe sent in an Access network Query Protocol (ANQP) information ele-ment in a Generic Advertisement Service (GAS) query response.

wlan hotspot anqp-venue-name-profile

This command defines venue information be sent in an Access net-work Query Protocol (ANQP) information element in a Generic Advert-isement Service (GAS) query response.

wlan hotspot h2qp-conn-cap-ability-profile

This command defines a Hotspot 2.0 Query Protocol (H2QP) profilethat advertises hotspot protocol and port capabilities.

Command Description

wlan hotspot h2qp-op-cl-profile

This command defines a Hotspot 2.0 Query Protocol (H2QP) profilethat defines the Operating Class to be sent in the ANQP IE.

wlan hotspot h2qp-oper-ator-friendly-name-profile

This command defines a Hotspot 2.0 Query Protocol (H2QP) operator-friendly name profile. The operator-friendly name configured in thisprofile is a free-form text field that can identify the operator and alsosomething about the location.

wlan hotspot h2qp-wan-met-rics-profile

This command creates a Hotspot 2.0 Query Protocol (H2QP) profilethat specifies the hotspot WAN status and link metrics.

wlan hotspot hs2-profile This command configures a hotspot profile for an 802.11u publicaccess service provider.

Modified CommandsThe following commands aremodified in ArubaOS 6.4.

Command Description

airgroup The dlna and mdns parameters are introduced.

aaa authentication captive-portal

The url-hash-key parameter is introduced.

aaa authentication viaauth-profile

The pan-integration parameter is introduced.

aaa authentication vpn The pan-integration parameter is introduced.

aaa profile The multiple-server-accounting and download-role parameters areintroduced.

The pan-integration parameter is introduced.

aaa server-group The load-balance parameter is introduced.

clear The lldp parameter is introduced.

The Server and User options are introduced under airgroup para-meter.

crypto dynamic-map The disable/enable parameters are introduced.

crypto isakmp policy The disable/enable and no parameters are introduced.

firewall The following parameters are added:l allow-stunl dpil stall-crash

ha The following parameters are introduced to support the highavailability inter-controller heartbeat, controller oversubscription andstate synchronization features.l heartbeat:l heartbeat-interval



Command Description

l heartbeat-thresholdl over-subscriptionl pre-shared-keyl state-sync

interface fastethernet |gigabitethernet

The lldp parameter is introduced.

interface vlan The dhcp parameter for configuring dynamic host configuration pro-tocol for IPv6 is introduced.

interface tunnel Tunnel destination ipv6, tunnel mode gre ipv6, tunnel source ipv6,parameters are introduced.

ip access-list session The redirect parameter is introduced under action. The app, andappcategory parameters are introduced under service.

ip igmp The ssm-range parameter is introduced.

ipv6 mld The ssm-range parameter is introduced.

ipv6 route The vlan parameter is introduced.

ntp server The IPv6 parameter is introduced.

phonehome The https parameter is introduced, allowing controllers to sendPhoneHome reports to an Activate server using HTTPS.

show airgroup The dlna and mdns parameters were introduced in the following com-mands:

l show airgroup blocked-queriesl show airgroup blocked-service-idl show airgroup internal-state statistics

The dlna, mdns , and verbose parameters were introduced in the fol-lowing commands:

l show airgroupservicel show airgroup serversl show airgroup users

The dlna, mdns , and static parameters were introduced in the fol-lowing command:

l show airgroup cache entries

show airgroupservice The dlna, mdns, and verbose parameters were introduced.

show app lync traffic-con-trol

The profile-name parameter is introduced.

show datapath The following parameters are introduced:l dpil session dpil session ipv6 dpil session session-id dpi

Command Description

show ipv6 interface The tunnel parameter is introduced in the output.

show ipv6 mld config The ssm-range parameter is introduced.

show ipv6 mld group The mode and age parameters are introduced.

show ntp peer The IPv6 parameter is introduced.

show ntp servers Flags indicating the status of the server, are introduced.

show ntp status The following parameters are introduced:l time since restartl packets receivedl packets processedl current versionl previous versionl declinedl access deniedl bad length or formatl bad authenticationl rate exceeded

show vrrp The ipv6, stats, and summary parameters are introduced.

snmp-server The IPv6 parameter is introduced.

user-role The following parameters are introduced:l bandwidth-contract appl bandwidth-contract appcategoryl bandwidth-contract excludel traffic-control-profilel sso

vrrp The IPv6 parameter is introduced.

web-server The idp-certificate parameter is introduced.

wlan ssid-profile The mfp-capable and mfp-required parameters are introduced.

Deprecated CommandsThe following commands were deprecated in ArubaOS 6.4:

Command Description

interface tunnel The checksum parameter is deprecated.

app lync traffic-control(deprecated)

This command is deprecated and replaced by app lync traffic-control.

About this GuideThis guide describes the ArubaOS 6.4 command syntax. The commands in this guide are listed alphabetically.

The following information is provided for each command:



l Command SyntaxThe complete syntax of the command.l DescriptionA brief description of the command.l SyntaxA description of the command parameters, including license requirements for specific parameters if

needed. The applicable ranges and default values, if any, are also included.l UsageGuidelinesInformation to help you use the command, including: prerequisites, prohibitions, and related

commands.l ExampleAn example of how to use the command.l CommandHistoryThe version of ArubaOS in which the commandwas first introduced. Modifications and

changes to the command are also noted.l Command InformationThis table describes any licensing requirements, commandmodes and platforms for

which this command is applicable. For more information about available licenses, see the Licenses chapter of theArubaOS 6.4 User Guide.

Connecting to the ControllerThis section describes how to connect to the controller to use the CLI.

Serial Port ConnectionThe serial port is located on the front panel of the controller. Connect a terminal or PC/workstation running a terminalemulation program to the serial port on the controller to use the CLI. Configure your terminal or terminal emulationprogram to use the following communication settings.

Baud Rate Data Bits Parity Stop Bits Flow Control

9600 8 None 1 None

The Aruba 7200 Series controller supports baud rates between 9600 and 115200.

Telnet or SSH ConnectionTelnet or SSH access requires that you configure an IP address and a default gateway on the controller and connectthe controller to your network. This is typically performed when you run the Initial Setup on the controller, asdescribed in the ArubaOS 6.4 Quick Start Guide. In certain deployments, you can also configure a loopback addressfor the controller; see interface loopback on page 377 for more information.

Configuration changes on Master ControllersSome commands can only be issued when connected to amaster controller. If youmake a configuration change onamaster controller, all connected local controllers will subsequently update their configurations as well. You canmanually synchronize all of the controllers at any time by saving the configuration on themaster controller.

CLI AccessWhen you connect to the controller using the CLI, the system displays its host name followed by the login prompt.Log in using the admin user account and the password you entered during the Initial Setup on the controller (thepassword displays as asterisks). For example:(host)User: adminPassword: *****

When you are logged in, the user mode CLI prompt displays. For example:(host) >

Usermode provides only limited access for basic operational testing such as running ping and traceroute.

Certain management functions are available in enable (also called privileged) mode. Tomove from user mode toenablemode requires you to enter an additional password that you entered during the Initial Setup (the passworddisplays as asterisks). For example:(host) > enablePassword: ******

When you are in enablemode, the > prompt changes to a pound sign (#):(host) #

Configuration commands are available in config mode. Move from enablemode to config mode by entering configureterminal at the # prompt:(host) # configure terminalEnter Configuration commands, one per line. End with CNTL/Z

When you are in basic config mode, (config) appears before the # prompt:(host) (config) #

There are several other sub- command modes that allow users to configure individual interfaces, subinterfaces,loopback addresses, GRE tunnels and cellular profiles. For details on the prompts and the available commands for eachof these modes, see Appendix A: Command Modes on page 1968.

Command HelpYou can use the questionmark (?) to view various types of command help.

When typed at the beginning of a line, the questionmark lists all the commands available in your current mode orsub-mode. A brief explanation follows each command. For example:(host) > ?

enable Turn on Privileged commandslogout Exit this session. Any unsaved changes are lost.ping Send ICMP echo packets to a specified IP address.traceroute Trace route to specified IP address.

When typed at the end of a possible command or abbreviation, the questionmark lists the commands that match (ifany). For example:(host) > c?

clear Clear configurationclock Configure the system clockconfigure Configuration Commandscopy Copy Files

If more than one item is shown, typemore of the keyword characters to distinguish your choice. However, if only oneitem is listed, the keyword or abbreviation is valid and you can press tab or the spacebar to advance to the nextkeyword.

When typed in place of a parameter, the questionmark lists the available options. For example:(host) # write ?erase Erase and start from scratchfile Write to a file in the file systemmemory Write to memory



terminal Write to terminal

The indicates that the command can be entered without additional parameters. Any other parameters areoptional.

Command CompletionTomake command input easier, you can usually abbreviate each key word in the command. You need type onlyenough of each keyword to distinguish it from similar commands. For example:(host) # configure terminal

could also be entered as:(host) # con t

Three characters (con) represent the shortest abbreviation allowed for configure. Typing only c or co would notwork because there are other commands (like copy) which also begin with those letters. The configure command isthe only one that begins with con.

As you type, you can press the spacebar or tab tomove to the next keyword. The system then attempts to expandthe abbreviation for you. If there is only one command keyword that matches the abbreviation, it is filled in for youautomatically. If the abbreviation is too vague (too few characters), the cursor does not advance and youmust typemore characters or use the help feature to list thematching commands.

Deleting Configuration SettingsUse the no command to delete or negate previously-entered configurations or parameters.

l To view a list of no commands, type no at the enable or config prompt followed by the questionmark. Forexample:(host) (config) # no?

l To delete a configuration, use the no form of a configuration command. For example, the following commandremoves a configured user role:(host) (config) # no user-role

l To negate a specific configured parameter, use the no parameter within the command. For example, the followingcommands delete the DSCP priority map for a priority map configuration:(host) (config) # priority-map (host) (config-priority-map) # no dscp priority high

Saving Configuration ChangesEach Aruba controller contains two different types of configuration images.

l The running-config holds the current controller configuration, including all pending changes which have yet to besaved. To view the running-config, use the following command:(host) # show running-config

l The startup config holds the configuration which will be used the next time the controller is rebooted. It containsall the options last saved using the write memory command. To view the startup-config, use the followingcommand:(host) # show startup-config

When youmake configuration changes via the CLI, those changes affect the current running configuration only. Ifthe changes are not saved, they will be lost after the controller reboots. To save your configuration changes so theyare retained in the startup configuration after the controller reboots, use the following command in enablemode:(host) # write memorySaving Configuration...

Saved Configuration

Both the startup and running configurations can also be saved to a file or sent to a TFTP server for backup or transferto another system.

Commands That Reset the Controller or APIf you use the CLI to modify a currently provisioned and running radio profile, those changes take place immediately;you do not reboot the controller or the AP for the changes to affect the current running configuration. Certaincommands, however, automatically force the controller or AP to reboot. Youmay want to consider current networkloads and conditions before issuing these commands, as they may cause amomentary disruption in service as theunit resets. Note also that changing the lms-ip parameter in an AP system profile associated with an AP group willcause all APs in that AP group to reboot.

Commands that Reset an AP Commands that Reset a Controller

l ap-regroupl ap-renamel apbootl provision-apl ap wired-ap-profile forward-mode {bridge|split-

tunnel|tunnel}l wlan virtual-ap {aaa-profile

|forward-mode {tunnel|bridge|split-tunnel|decrypt-tunnel}|ssid-profile |vlan ...}

l ap system-profile {bootstrap-threshold |lms-ip |}

l wlan ssid-profile {battery-boost|deny-bcast|essid|opmode|strict-svp |wepkey1 |wepkey2|wepkey3 |wepkey4 |weptxkey |wmm |wmm-be-dscp |wmm-bk-dscp|wmm-ts-min-inact-int |wmm-vi-dscp |wmm-vo-dscp |wpa-hexkey |wpa-passphrase }

l wlan dotllk {bcn-measurement-mode|dot11k-enable|force-dissasoc

l reload

Table 1: Reset Commands

Typographic ConventionsThe following conventions are used throughout this manual to emphasize important concepts:

Type Style Description

Italics This style is used to emphasize important terms and to markthe titles of books.

Boldface This style is used to emphasize command names andparameter options when mentioned in the text.

Commands This fixed-width font depicts command syntax andexamples of commands and command output.

Table 2: Text Conventions



Type Style Description

In the command syntax, text within angle bracketsrepresents items that you should replace with informationappropriate to your specific situation. For example:ping In this example, you would type ping at the system promptexactly as shown, followed by the IP address of the systemto which ICMP echo packets are to be sent. Do not type theangle brackets.

[square brackets] In the command syntax, items enclosed in brackets areoptional. Do not type the brackets.

{Item_A|Item_B} In the command examples, single items within curledbraces and separated by a vertical bar represent theavailable choices. Enter only one choice. Do not type thebraces or bars.

{ap-name }|{ipaddr }

Two items within curled braces indicate that bothparameters must be entered together. If two or more sets ofcurled braces are separated by a vertical bar, like in theexample to the left, enter only one choice Do not type thebraces or bars.

Command Line EditingThe system records your most recently entered commands. You can review the history of your actions, or reissue arecent command easily, without having to retype it.

To view items in the command history, use the up arrow key tomove back through the list and the down arrow key tomove forward. To reissue a specific command, press Enter when the command appears in the command history.You can even use the command line editing feature tomake changes to the command prior to entering it. Thecommand line editing feature allows you tomake corrections or changes to a commandwithout retyping. Table 1lists the editing controls. To use key shortcuts, press and hold the Ctrl button while you press a letter key.

Key Effect Description

Ctrl A Home Move the cursor to the beginning of the line.

Ctrl B or theleft arrow

Back Move the cursor one character left.

Ctrl D Delete Right Delete the character to the right of the cursor.

Ctrl E End Move the cursor to the end of the line.

Ctrl F or theright arrow

Forward Move the cursor one character right.

Ctrl K Delete Right Delete all characters to the right of the cursor.

Ctrl N or thedown arrow

Next Display the next command in the commandhistory.

Table 3: Line Editing Keys

Key Effect Description

Ctrl P orup arrow

Previous Display the previous command in the commandhistory.

Ctrl T Transpose Swap the character to the left of the cursor withthe character to the right of the cursor.

Ctrl U Clear Clear the line.

Ctrl W Delete Word Delete the characters from the cursor up to andincluding the first space encountered.

Ctrl X Delete Left Delete all characters to the left of the cursor.

Specifying Addresses and Identifiers in CommandsThis section describes addresses and other identifiers that you can reference in CLI commands.

Address/Identifier Description

IP address For any command that requires entry of an IP address to specify a network entity,use IPv4 network address format in the conventional dotted decimal notation (forexample, 10.4.1.258).

Netmask address For subnet addresses, specify a netmask in dotted decimal notation (for example,255.255.255.0).

Media Access Control(MAC) address

For any command that requires entry of a devices hardware address, use thehexadecimal format (for example, 00:05:4e:50:14:aa).

Service Set Identifier(SSID)

A unique character string (sometimes referred to as a network name), consistingof no more than 32 characters. The SSID is case-sensitive (for example, WLAN-01).

Basic Service SetIdentifier (BSSID)

This entry is the unique hard-wireless MAC address of the AP. A unique BSSIDapplies to each frequency 802.11a and 802.11gused from the AP. Use thesame format as for a MAC address.

Extended Service SetIdentifier (ESSID)

Typically the unique logical name of a wireless network. If the ESSID includesspaces, you must enclose the name in quotation marks.

Fast Ethernet orGigabit Ethernetinterface

Any command that references a Fast Ethernet or Gigabit Ethernet interfacerequires that you specify the corresponding port on the controller in the format/: is always 1, except when referring to interfaces on the 6000 controller.Forthe 6000controller, the four slots are allocated as follows:l Slot 0: Contains an Aruba Multi-Service Mobility Module Mark I.l Slot 1: Contains an Aruba Multi-Service Mobility Module Mark I.l Slot 2: Contains an Aruba Multi-Service Mobility Module Mark I.l Slot 3: Can contain either a Aruba Multi-Service Mobility Module Mark I or a

line card. refers to the network interfaces that are embedded in the front panel of the3000 Series controller, Aruba Multi-Service Mobility Module Mark I, or a line cardinstalled in the 6000 controller. Port numbers start at 0 from the left-most position.Use the show port status command to obtain the interface information currentlyavailable from a controller.

Table 4: Addresses and Identifiers



Contacting Aruba Networks

Website Support

Main Site http://www.arubanetworks.com

Support Site https://support.arubanetworks.com

Airheads Social Forums and KnowledgeBase

http://community.arubanetworks.com

North American Telephone 1-800-943-4526 (Toll Free)

1-408-754-1200

International Telephone http://www.arubanetworks.com/support-services/support-pro-gram/contact-support/

Support Email Addresses

Americas and APAC [email protected]

EMEA [email protected]

Wireless Security Incident ResponseTeam (WSIRT)

.

[email protected]

Table 5: Contact Information

aaa alias-group (deprecated)aaa alias-group

clone no ...set vlan condition essid|location equals set-value

DescriptionThis command configured an aaa alias with set of VLAN derivation rules that could speed up user rule derivationprocessing for deployments with a very large number of user derivation rules.

Command History

Version Description

ArubaOS 6.3 Command introduced.

ArubaOS 6.4 Command deprecated.

ArubaOS6.4| ReferenceGuide aaa alias-group (deprecated) | 15

16 | aaa authentication captive-portal ArubaOS6.4| ReferenceGuide

aaa authentication captive-portalaaa authentication captive-portal

apple-cna-bypassauth-protocol mschapv2|pap|chapblack-list clone default-guest-role default-role enable-welcome-pageguest-logonip-addr-in-redirection login-page logon-wait {cpu-threshold }|{maximum-delay }|{minimum-delay }logout-popup-windowmax-authentication-failures no ...protocol-httpredirect-pause redirect-url server-group show-acceptable-use-policyshow-fqdnsingle-sessionswitchip-in-redirection-url url-hash-key user-idle-timeoutuser-logonuser-vlan-in-redirection-url welcome-page white-list

DescriptionThis command configures a Captive Portal authentication profile.

Syntax

Parameter Description Range Default

apple-cna-bypass Enable this knob to bypass Apple CNAon iOS devices such as iPad, iPhone,and iPod. You need to perform CaptivePortal authentication from browser.

Name that identifies an instance of theprofile. The name must be 1-63characters.

default

authentication-protocolmschapv2|pap|chap

This parameter specifies the type ofauthentication required by this profile,PAP is the default authentication type

mschapv2

pap

chap

pap


black-list Name of an existing black list on anIPv4 or IPv6 network destination. Theblack list contains websites(unauthenticated) that a guest cannotaccess.Specify a netdestination host or subnetto add that netdestination to the captiveportal blacklist.If you have not yet defined anetdestination, use the CLI commandnetdestination to define a destinationhost or subnet before you add it to theblacklist.

clone Name of an existing Captive Portalprofile from which parameter values arecopied.

default-guest-role Role assigned to guest. guest

default-role Role assigned to the Captive Portaluser when that user logs in. When bothuser and guest logons are enabled, thedefault role applies to the user logon;users logging in using the guestinterface are assigned the guest role.

guest

enable-welcome-page

Displays the configured welcome pagebefore the user is redirected to theiroriginal URL. If this option is disabled,redirection to the web URL happensimmediately after the user logs in.

enabled/disabled

enabled

guest-logon Enables Captive Portal logon withoutauthentication.

enabled/disabled

disabled

ipaddr-in-redirection-url

Sends the controllers interface IPaddress in the redirection URL whenexternal captive portal servers are used.An external captive portal server candetermine the controller from which arequest originated by parsing theswitchip variable in the URL. Thisparameter requires the Public Accesslicense.

login-page URL of the page that appears for theuser logon. This can be set to any URL.

/auth/index.html

logon-wait Configure parameters for the logon waitinterval.

1-100 60%

cpu-threshold CPU utilization percentage abovewhich the logon wait interval is appliedwhen presenting the user with the logonpage.

1-100 60%

ArubaOS6.4| ReferenceGuide aaa authentication captive-portal | 17



maximum-delay Maximum time, in seconds, the user willhave to wait for the logon page to popup if the CPU load is high. This works inconjunction with the Logon wait CPUutilization threshold parameter.

1-10 10 seconds

minimum-delay Minimum time, in seconds, the user willhave to wait for the logon page to popup if the CPU load is high. This works inconjunction with the Logon wait CPUutilization threshold parameter.

1-10 5 seconds

logout-popup-window

Enables a pop-up window with theLogout link that allows the user to logout. If this option is disabled, the userremains logged in until the user timeoutperiod has elapsed or the stationreloads.

enabled/disabled

enabled

max-authentication-failures

Maximum number of authenticationfailures before the user is blacklisted.

0-10 0

no Negates any configured parameter.

protocol-http Use HTTP protocol on redirection to theCaptive Portal page. If you use thisoption, modify the captive portal policyto allow HTTP traffic.

enabled/disabled

disabled(HTTPS isused)

redirect-pause Time, in seconds, that the systemremains in the initial welcome pagebefore redirecting the user to the finalweb URL. If set to 0, the welcome pagedisplays until the user clicks on theindicated link.

1-60 10 seconds

redirect-url URL to which an authenticated user willbe directed. This parameter must be anabsolute URL that begins with eitherhttp:// or https://.

server-group Name of the group of servers used toauthenticate Captive Portal users. Seeaaa server-group on page 89.

show-fqdn Allows the user to see and select thefully-qualified domain name (FQDN) onthe login page. The FQDNs shown arespecified when configuring individualservers for the server group used withcaptive portal authentication.

enabled/disabled

disabled

show-acceptable-use-policy Show the acceptable use policy pagebefore the logon page.

enabled/disabled

disabled

single-session Allows only one active user session at atime.

disabled


switchip-in-redirection-url Sends the controllers IP address in theredirection URL when external captiveportal servers are used. An externalcaptive portal server can determine thecontroller from which a requestoriginated by parsing the switchipvariable in the URL.

enabled/disabled

disabled

url-hash-key Issue this command to hash theredirection URL using the specified key.

disabled

user-idle-timeout The user idle timeout for this profile.Specify the idle timeout value for theclient in seconds. Valid range is 30-15300 in multiples of 30 seconds.Enabling this option overrides theglobal settings configured in the AAAtimers. If this is disabled, the globalsettings are used.

disabled

user-logon Enables Captive Portal withauthentication of user credentials.

enabled/disabled

enabled

user-vlan-in-redirection-url

Add the user VLAN in the redirectionURL. This parameter requires thePublic Access license.

enableddisabled

disabled

user-vlan-redirection-url Sends the users VLAN ID in theredirection URL when external captiveportal servers are used.

welcome-page URL of the page that appears afterlogon and before redirection to the webURL. This can be set to any URL.

/auth/welcome.html

white-list Name of an existing white list on anIPv4 or IPv6 network destination. Thewhite list contains authenticatedwebsites that a guest can access. If youhave not yet defined a netdestination,use the CLI command netdestination todefine a destination host or subnetbefore you add it to the whitelist

Usage GuidelinesYou can configure the Captive Portal authentication profile in the base operating system or with the Next GenerationPolicy Enforcement Firewall (PEFNG) license installed. When you configure the profile in the base operatingsystem, the name of the profile must be entered for the initial role in the AAA profile. Also, when you configure theprofile in the base operating system, you cannot define the default-role.

ExampleThe following example configures a Captive Portal authentication profile that authenticates users against thecontrollers internal database. Users who are successfully authenticated are assigned the auth-guest role.

To create the auth-guest user role shown in this example, the PEFNG licensemust be installed in the controller.aaa authentication captive-portal guestnet

default-role auth-guestuser-logon

ArubaOS6.4| ReferenceGuide aaa authentication captive-portal | 19


no guest-logonserver-group internal

Command History

Version Description


ArubaOS 6.0 The max-authentication-failures parameter no longer requires a license.

ArubaOS 6.1 The sygate-on-demand, black-list and white-list parameters were added.

ArubaOS 6.2 the auth-protocol parameter was added, and the user-chap parameter wasdeprecated.

ArubaOS 6.3 The user-idle-timeout parameter was introduced.

ArubaOS 6.4 The url-hash-key parameter was introduced.

Command Information

Platforms Licensing Command Mode

All platforms Base operating system, exceptfor noted parameters

Config mode on master controllers

aaa authentication dot1xaaa authentication dot1x {|countermeasures}

ca-cert cert-cn-lookupclearclone delete-keycacheeapol-logoffenforce-suite-b-128enforce-suite-b-192framed-mtu heldstate-bypass-counter ignore-eap-id-matchignore-eapolstart-afterauthenticationmachine-authentication blacklist-on-failure|{cache-timeout }|enable|{machine-default-role }|{user-default-role }

max-authentication-failures max-requests multicast-keyrotationno ...opp-key-cachingreauth-max reauth-server-termination-actionreauthenticationserver {server-retry |server-retry-period }server-cert termination {eap-type }|enable|enable-token-caching|{inner-eap-type (eap-gtc|eap-mschapv2)}|{token-caching-period }timer {idrequest_period }|{mkey-rotation-period }|{quiet-period }|{reauth-period }|{ukey-rotation-period }|{wpa-groupkey-delay }|{wpa-key-period }|wpa2-key-delay tls-guest-accesstls-guest-role unicast-keyrotationuse-session-keyuse-static-keyvalidate-pmkidvoice-awarewep-key-retries wep-key-size {40|128}wpa-fast-handoverwpa-key-retries xSec-mtu

DescriptionThis command configures the 802.1X authentication profile.

Syntax


Name that identifies an instance of the profile.The name must be 1-63 characters.

default

ArubaOS6.4| ReferenceGuide aaa authentication dot1x | 21

22 | aaa authentication dot1x ArubaOS6.4| ReferenceGuide


clear Clear the Cached PMK, Role and VLANentries. This command is available in enablemode only.

countermeasures Scans for message integrity code (MIC)failures in traffic received from clients. If thereare more than 2 MIC failures within 60seconds, the AP is shut down for 60 seconds.This option is intended to slow down anattacker who is making a large number offorgery attempts in a short time.

disabled

ca-cert CA certificate for client authentication. The CAcertificate needs to be loaded in the controller.

cert-cn-lookup If you use client certificates for userauthentication, enable this option to verify thatthe certificate's common name exists in theserver. This parameter is disabled by default.

delete-keycache Delete the key cache entry when the userentry is deleted.

disabled

eapol-logoff Enables handling of EAPOL-LOGOFFmessages.

disabled

enforce-suite-b-128 Configure Suite-B 128 bit or more securitylevelauthentication enforcement

disabled

enforce-suite-b-192 Configure Suite-B 192 bit or more securitylevelauthentication enforcement

disabled

framed-mtu Sets the framed MTU attribute sent to theauthentication server.

500-1500

1100

heldstate-bypass-counter

(This parameter is applicable when 802.1Xauthentication is terminated on the controller,also known as AAA FastConnect.) Number ofconsecutive authentication failures which,when reached, causes the controller to notrespond to authentication requests from aclient while the controller is in a held stateafter the authentication failure. Until thisnumber is reached, the controller responds toauthentication requests from the client evenwhile the controller is in its held state.

0-3 0

ignore-eap-id-match

Ignore EAP ID during negotiation. disabled

ignore-eapolstart-afterauthentication

Ignores EAPOL-START messages afterauthentication.

disabled

machine-authentication (For Windows environments only) Theseparameters set machine authentication:NOTE: This parameter requires the PEFNGlicense.


blacklist-on-failure Blacklists the client if machine authenticationfails.

disabled

cache-timeout The timeout, in hours, for machineauthentication.

1-1000 24 hours(1 day)

enable Select this option to enforce machineauthentication before user authentication. Ifselected, either the machine-default-role orthe user-default-role is assigned to the user,depending on which authentication issuccessful.

disabled

machine-default-role Default role assigned to the user aftercompleting only machine authentication.

guest

user-default-role Default role assigned to the user after 802.1Xauthentication.

guest


Number of times a user can try to login withwrong credentials after which the user isblacklisted as a security threat. Set to 0 todisable blacklisting, otherwise enter a non-zero integer to blacklist the user after thespecified number of failures.

0-5 0(disabled)

max-requests Maximum number of times ID requests aresent to the client.

1-10 5

multicast-keyrotation

Enables multicast key rotation disabled


opp-key-caching Enables a cached pairwise master key (PMK)derived with a client and an associated AP tobe used when the client roams to a new AP.This allows clients faster roaming without a full802.1X authentication.NOTE: Make sure that the wireless client (the802.1X supplicant) supports this feature. If theclient does not support this feature, the clientwill attempt to renegotiate the key whenever itroams to a new AP. As a result, the keycached on the controller can be out of syncwith the key used by the client.

enabled

reauth-max Maximum number of reauthenticationattempts.

1-10 3

reauth-server-termination-action

Specifies the termination-action attribute fromthe server.

reauthentication Select this option to force the client to do a802.1X reauthentication after the expiration ofthe default timer for reauthentication. (Thedefault value of the timer is 24 hours.) If theuser fails to reauthenticate with validcredentials, the state of the user is cleared.

disabled




If derivation rules are used to classify 802.1X-authenticated users, then the reauthenticationtimer per role overrides this setting.

reload-cert Reload Certificate for 802.1X termination. Thiscommand is available in enable mode only.

server Sets options for sending authenticationrequests to the authentication server group.

server-retry Maximum number of authentication requeststhat are sent to server group.

0-3 3

server-retry-period Server group retry interval, in seconds. 5-65535

5seconds

server-cert Server certificate used by the controller toauthenticate itself to the client.

termination Sets options for terminating 802.1Xauthentication on the controller.

eap-type The Extensible Authentication Protocol (EAP)method, either EAP-PEAP or EAP-TLS.

eap-peap/eap-tls

eap-peap

enable Enables 802.1X termination on the controller. disabled

enable-token-caching

If you select EAP-GTC as the inner EAPmethod, you can enable the controller tocache the username and password of eachauthenticated user. The controller continues toreauthenticate users with the remoteauthentication server, however, if theauthentication server is not available, thecontroller will inspect its cached credentials toreauthenticate users.

disabled

inner-eap-type eap-gtc|eap-mschapv2

When EAP-PEAP is the EAP method, one ofthe following inner EAP types is used:EAP-Generic Token Card (GTC): Describedin RFC 2284, this EAP method permits thetransfer of unencrypted usernames andpasswords from client to server. The mainuses for EAP-GTC are one-time token cardssuch as SecureID and the use of LDAP orRADIUS as the user authentication server.You can also enable caching of usercredentials on the controller as a backup to anexternal authentication server.EAP-Microsoft Challenge AuthenticationProtocol version 2 (MS-CHAPv2): Describedin RFC 2759, this EAP method is widelysupported by Microsoft clients.

eap-gtc/eap-mschapv2

eap-mschapv2

token-caching-period

If you select EAP-GTC as the inner EAPmethod, you can specify the timeout period, inhours, for the cached information.

(any) 24 hours


timer Sets timer options for 802.1X authentication:

idrequest-period

Interval, in seconds, between identity requestretries.

1-65535

5seconds

mkey-rotation-period

Interval, in seconds, between multicast keyrotation.

60-864000

1800seconds

quiet-period Interval, in seconds, following failedauthentication.

1-65535

30seconds

reauth-period Interval, in seconds, between reauthenticationattempts, or specify server to use the server-provided reauthentication period.

60-864000

86400seconds(1 day)

ukey-rotation-period

Interval, in seconds, between unicast keyrotation.

60-864000

900seconds

wpa-groupkey-delay

Interval, in milliseconds, between unicast andmulticast key exchanges.

0-2000 0 ms(nodelay)

wpa-key-period

Interval, in milliseconds, between each WPAkey exchange.

1000-5000

1000 ms

wpa2-key-delay

Set the delay between EAP-Success andunicast key exchange.

1-2000 0 ms(nodelay)

tls-guest-access Enables guest access for EAP-TLS users withvalid certificates.

disabled

tls-guest-role User role assigned to EAP-TLS guest.NOTE: This parameter requires the PEFNGlicense.

guest

unicast-keyrotation Enables unicast key rotation. disabled

use-session-key Use RADIUS session key as the unicast WEPkey.

disabled

use-static-key Use static key as the unicast/multicast WEPkey.

disabled

validate-pmkid This parameter instructs the controller to checkthe pairwise master key (PMK) ID sent by theclient. When this option is enabled, the clientmust send a PMKID in the associate orreassociate frame to indicate that it supportsOKC or PMK caching; otherwise, full 802.1Xauthentication takes place. (This feature isoptional, since most clients that support OKCand PMK caching do not send the PMKID intheir association request.)

disabled

voice-aware Enables rekey and reauthentication forVoWLAN clients.NOTE: The Next Generation Policy EnforcedFirewall license must be installed.

enabled




wep-key-retries Number of times WPA/WPA2 key messagesare retried.

1-5 3

wep-key-size Dynamic WEP key size, either 40 or 128 bits. 40 or128

128 bits

wpa-fast-handover Enables WPA-fast-handover. This is onlyapplicable for phones that support WPA andfast handover.

disabled

wpa-key-retries Set the number of times WPA/WPA2 KeyMessages are retried. The supported range is1-10 retries, and the default value is 3.

1-10 3

xSec-mtu Sets the size of the MTU for xSec. 1024-1500

1300bytes

Usage GuidelinesThe 802.1X authentication profile allows you to enable and configuremachine authentication and 802.1X terminationon the controller (also called AAA FastConnect).

In the AAA profile, specify the 802.1X authentication profile, the default role for authenticated users, and the servergroup for the authentication.

ExamplesThe following example enables authentication of the users client device before user authentication. If machineauthentication fails but user authentication succeeds, the user is assigned the restricted guest role:aaa authentication dot1x dot1x

machine-authentication enablemachine-authentication machine-default-role computermachine-authentication user-default-role guest

The following example configures an 802.1X profile that terminates authentication on the controller, where the userauthentication is performed with the controllers internal database or to a backend non-802.1X server:aaa authentication dot1x dot1x

termination enable

Command History

Version Description


ArubaOS 6.1 The cert-cn-lookup, enforce-suite-b-128 and enforce-suite-b-192 parameterswere introduced.

ArubaOS 6.3.1.2 The delete-keycache parameter was introduced.

Command Information


All platforms Base operating system. Thevoice-aware parameter requiresthe PEFNG license



28 | aaa authenticationmac ArubaOS6.4| ReferenceGuide

aaa authentication macaaa authentication mac

case upper|lowerclone delimiter {colon|dash|none}max-authentication-failures no ...reauthenticationtimer reauth period {|server}

DescriptionThis command configures theMAC authentication profile.

Syntax


Name that identifies an instance of the profile.The name must be 1-63 characters.

default

case The case (upper or lower) used in the MACstring sent in the authentication request. Ifthere is no delimiter configured, the MACaddress in lower case is sent in the formatxxxxxxxxxxxx, while the MAC address inupper case is sent in the formatXXXXXXXXXXXX.

upper|lower

lower

clone Name of an existing MAC profile from whichparameter values are copied.

delimiter Delimiter (colon, dash, or none) used in theMAC string.

colon|dash|none

none


Number of times a client can fail toauthenticate before it is blacklisted. A value of0 disables blacklisting.

0-10 0(disabled)


reauthentication Use this parameter to enable or disable reau-thentication.

Disabled

timer reauth period - Specifies the period betweenreauthentication attempts in seconds.

server - Specifies the server provided reau-thentication interval.

60-864000seconds

86400seconds(1 day)

Usage GuidelinesMAC authentication profile configures authentication of devices based on their physical MAC address. MAC-basedauthentication is often used to authenticate and allow network access through certain devices while denying accessto all other devices. Users may be required to authenticate themselves using other methods, depending upon thenetwork privileges.

ExampleThe following example configures aMAC authentication profile to blacklist client devices that fail to authenticate.aaa authentication mac mac-blacklist

max-authentication-failures 3

Command History

Release Modification

ArubaOS 3.0 Command introduced

ArubaOS 3.3.1.8 The max-authentication-failures parameter was allowed in the base operatingsystem. In earlier versions of ArubaOS, the max-authentication-failuresparameter required the Wireless Intrusion Protection license

ArubaOS 6.3 The reauthentication and timer reauth period parameters were introduced.

Command Information


All platforms Base operating system Config mode on master controllers

ArubaOS6.4| ReferenceGuide aaa authenticationmac | 29

30 | aaa authenticationmgmt ArubaOS6.4| ReferenceGuide

aaa authentication mgmtaaa authentication mgmt

default-role {guest-provisioning|location-api-mgmt|network-operations|no-access|read-only|root}enableno ...server-group

DescriptionThis command configures authentication for administrative users.

Syntax


default-role Select a predefined management role toassign to authenticated administrativeusers:

default

default Default superuser role

guest-provisioning Guest provisioning role

location-api-mgmt Location API role

network-operations Network operations role

no-access No commands are accessible for this role

read-only Read-only role

enable Enables authentication for administrativeusers.

enabled|disabled

disabled

mchapv2 Enable MSCHAPv2 enabled|disabled

disabled


server-group Name of the group of servers used toauthenticate administrative users. See aaaserver-group on page 89.

default

Usage GuidelinesIf you enable authentication with this command, users configured with themgmt-user commandmust beauthenticated using the specified server-group.

You can configure themanagement authentication profile in the base operating system or with the PEFNG licenseinstalled.

ExampleThe following example configures amanagement authentication profile that authenticates users against thecontrollers internal database. Users who are successfully authenticated are assigned the read-only role.

aaa authentication mgmtdefault-role read-onlyserver-group internal

Command History



ArubaOS 3.2 The network-operations role was introduced.

ArubaOS 3.3 The location-api-mgmt role was introduced.

Command Information



ArubaOS6.4| ReferenceGuide aaa authenticationmgmt | 31

32 | aaa authentication-server internal ArubaOS6.4| ReferenceGuide

aaa authentication-server internalaaa authentication-server internal use-local-switch

DescriptionThis command specifies that the internal database on a local controller be used for authenticating clients.

Usage GuidelinesBy default, the internal database in themaster controller is used for authentication. This command directsauthentication to the internal database on the local controller where you run the command.

Command HistoryThis commandwas available in ArubaOS 3.0.

Command Information


All platforms Base operating system Config mode on master or localcontrollers

aaa authentication-server ldapaaa authentication-server ldap

admin-dn admin-passwd allow-cleartextauthport base-dn clone enablefilter host key-attribute max-connection no ...preferred-conn-type ldap-s|start-tls|clear-texttimeout

DescriptionThis command configures an LDAP server.

Starting from ArubaOS 6.4, a maximum of 128 LDAP servers can be configured on the controller.

Syntax


Name that identifies the server.

admin-dn Distinguished name for the admin user who hasread/search privileges across all of the entries inthe LDAP database (the user does not need writeprivileges but should be able to search thedatabase and read attributes of other users in thedatabase).

admin-passwd

Password for the admin user.

allow-cleartext Allows clear-text (unencrypted) communication withthe LDAP server.

enabled|disabled

disabled

authport Port number used for authentication. Port 636 willbe attempted for LDAP over SSL, while port 389 willbe attempted for SSL over LDAP, Start TLSoperation and clear text.

1-65535 389

base-dn Distinguished Name of the node which contains theentire user database to use.

clone Name of an existing LDAP server configurationfrom which parameter values are copied.

enable Enables the LDAP server.

ArubaOS6.4| ReferenceGuide aaa authentication-server ldap | 33

34 | aaa authentication-server ldap ArubaOS6.4| ReferenceGuide


filter Filter that should be applied to search of the user inthe LDAP database. The default filter string is(objectclass=*).

(objectclass=*)

host IP address of the LDAP server, in dotted-decimalformat.

key-attribute

Attribute that should be used as a key in search forthe LDAP server. For Active Directory, the value issAMAccountName.

sAMAccountName

max-connection Maximum number of simultaneous non-admin con-nections to an LDAP server.


preferred-conn-type Preferred connection type. The default order ofconnection type is:1. ldap-s2. start-tls3. clear-textThe controller will first try to contact the LDAPserver using the preferred connection type, and willonly attempt to use a lower-priority connection typeif the first attempt is not successful.NOTE: You enable the allow-cleartext optionbefore you select clear-text as the preferredconnection type. If you set clear-text as thepreferred connection type but do not allow clear-text, the controller will only use ldap-s or start-tls tocontact the LDAP server.

ldap-sstart-tlsclear-text

ldap-s

timeout Timeout period of a LDAP request, in seconds. 1-30 20 seconds

Usage GuidelinesYou configure a server before you can add it to one or more server groups. You create a server group for a specifictype of authentication (see aaa server-group on page 89).

ExampleThe following command configures and enables an LDAP server:aaa authentication-server ldap ldap1

host 10.1.1.243base-dn cn=Users,dc=1m,dc=corp,dc=comadmin-dn cn=corp,cn=Users,dc=1m,dc=corp,dc=comadmin-passwd abc10key-attribute sAMAccountNamefilter (objectclass=*)enable

Command HistoryThis commandwas available in ArubaOS 3.0.

Command Information



ArubaOS6.4| ReferenceGuide aaa authentication-server ldap | 35

36 | aaa authentication-server radius ArubaOS6.4| ReferenceGuide

aaa authentication-server radiusaaa authentication-server radius

acctport authport clone enablehost |key mac-delimiter [colon|dash | none | oui-nic]mac-lowercasenas-identifier nas-ip nas-ip6 no ...retransmit service-type-framed-usersource-interface vlan ip6addr timeout use-ip-for-calling-stationuse-md5

DescriptionThis command configures a RADIUS server.

Starting from ArubaOS 6.4, a maximum of 128 RADIUS servers can be configured on the controller.

Syntax



acctport Accounting port on the server. 1-65535 1813

authport Authentication port on the server 1-65535 1812

clone Name of an existing RADIUS serverconfiguration from which parametervalues are copied.

enable Enables the RADIUS server.

host Identify the RADIUS server either by itsIP address or fully qualified domainname.

IPv4 of the RADIUS server.

Fully qualified domain name (FQDN) ofthe RADIUS server. The maximumsupported length is 63 characters.


key Shared secret between the controllerand the authentication server. Themaximum length is 128 characters.

mac-delimiter [colon|dash | none| oui-nic]

Send MAC address with user-defineddelimiter.

none

mac-lowercase Send MACaddresses as lowercase.

nas-identifier Network Access Server (NAS) identifierto use in RADIUS packets.

nas-ip NAS IP address to send in RADIUSpackets.You can configure a global NAS IPaddress that the controller uses forcommunications with all RADIUSservers. If you do not configure a server-specific NAS IP, the global NAS IP isused. To set the global NAS IP, enterthe ip radius nas-ip command.

nas-ip6 NAS IPv6 address to send in RADIUSpackets.You can configure a global NAS IPv6address that the controller uses forcommunications with all RADIUSservers. If you do not configure a server-specific NAS IPv6, the global NAS IPv6is used. To set the global NAS IPv6,enter the ipv6 radius nas-ip6 command.


retransmit Maximum number of retries sent to theserver by the controller before theserver is marked as down.

0-3 3

service-type-framed-user Send the service-type as FRAMED-USER instead of LOGIN-USER. Thisoption is disabled by default

dis-abled

source-interface vlan ip6addr

This option associates a VLAN interfacewith the RADIUS server to allow theserver-specific source interface tooverride the global configuration.l If you associate a Source Interface

(by entering a VLAN number) with aconfigured server, then the sourceIP address of the packet will be thatinterfaces IP address.

l If you do not associate the SourceInterface with a configured server(leave the field blank), then the IPaddress of the global SourceInterface will be used.

l If you want to configure an IPv6address for the Source Interface,

ArubaOS6.4| ReferenceGuide aaa authentication-server radius | 37

38 | aaa authentication-server radius ArubaOS6.4| ReferenceGuide


specify the IPv6 address for theip6addr parameter.

timeout Maximum time, in seconds, that thecontroller waits before timing out therequest and resending it.

1-30 5seconds

use-ip-for-calling-station Use an IP address instead of a MACaddress for calling station IDs. Thisoption is disabled by default.

disabled

use-md5 Use MD5 hash of cleartext password. disabled


ExampleThe following command configures and enables a RADIUS server:aaa authentication-server radius radius1

host 10.1.1.244key qwERtyuIOpenable

Command History

Version Modification


ArubaOS 6.0 RADIUS server can be identified by its qualified domain name (FQDN).

ArubaOS 6.1 The source-interface parameter was added.

ArubaOS 6.3 l The mac-delimiter parameter was introduced.l The enable-ipv6 and nas-ip6 parameters were introduced. An IPv6 host

address can be specified for the host parameter.l The ipv6 addr parameter was added.

Command Information



aaa authentication-server tacacsaaa authentication-server tacacs

clone enablehost key no ...retransmit session-authorizationtcp-port timeout

DescriptionThis command configures a TACACS+ server.

Starting from ArubaOS 6.4, a maximum of 128 TACACS servers can be configured on the controller.

Syntax



clone Name of an existing TACACS server configurationfrom which parameter values are copied.

enable Enables the TACACS server.

host IPv4 of the TACACS server.

key Shared secret to authenticate communicationbetween the TACACS+ client and server.


retransmit Maximum number of times a request is retried. 0-3 3

session-authorization

Enables TACACS+ authorization.Session-authorization turns on the optional authorizationsession for admin users.

disabled

tcp-port TCP port used by the server. 1-65535 49

timeout Timeout period of a TACACS request, in seconds. 1-30 20 seconds


ExampleThe following command configures, enables a TACACS+ server and enables session authorization:

ArubaOS6.4| ReferenceGuide aaa authentication-server tacacs | 39

40 | aaa authentication-server tacacs ArubaOS6.4| ReferenceGuide

aaa authentication-server tacacs tacacs1clone defaulthost 10.1.1.245key qwERtyuIOpenablesession-authorization

Command History

Version Description


ArubaOS 6.0 session-authorization parameter was introduced.

Command Information



aaa authentication-server windowsaaa authentication-server windows

clone domain enablehost no

DescriptionThis command configures a windows server for stateful-NTLM authentication.

Syntax

Parameter Description

Name of the windows server. You will use this name when you add thewindows server to a server group.

clone Name of a Windows Server from which you want to make a copy.

domain The Windows domain for the authentication server.

enable Enables the Windows server.

host IP address of the Windows server.

no Delete command.

Usage GuidelinesYoumust define aWindows server before you can add it to one or more server groups. You create a server group fora specific type of authentication (see aaa server-group on page 89). Windows servers are used for stateful-NTLMauthentication.

ExampleThe following command configures and enables a windows server:aaa authentication-server windows IAS_1

host 10.1.1.245enable

Command HistoryThis commandwas available in ArubaOS 3.4.1

Command Information



ArubaOS6.4| ReferenceGuide aaa authentication-server windows | 41

42 | aaa authentication stateful-dot1x ArubaOS6.4| ReferenceGuide

aaa authentication stateful-dot1xaaa authentication stateful-dot1x

default-role enableno ...server-group timeout

DescriptionThis command configures 802.1X authentication for clients on non-Aruba APs.

Syntax


default-role Role assigned to the 802.1X user upon login.NOTE: The PEFNG license must be installed.

guest

enable Enables 802.1X authentication for clients on non-Aruba APs. Use no enable to disable stateful8021.X authentication.

enabled


server-group

Name of the group of RADIUS servers used toauthenticate the 802.1X users. See aaa server-group on page 89.

timeout Timeout period, in seconds. 1-20 10 seconds

Usage GuidelinesThis command configures 802.1X authentication for clients on non-Aruba APs. The controller maintains user sessionstate information for these clients.

ExampleThe following command assigns the employee user role to clients who successfully authenticate with the servergroup corp-rad:aaa authentication stateful-dot1x

default-role employeeserver-group corp-rad

Command HistoryThis commandwas introduced in ArubaOS 3.0.

Command Information



aaa authentication stateful-dot1x clearaaa authentication stateful-dot1x clear

DescriptionThis command clears automatically-created control path entries for 802.1X users on non-Aruba APs.

SyntaxNo parameters.

Usage GuidelinesRun this command after changing the configuration of a RADIUS server in the server group configured with the aaaauthentication stateful-dot1x command. This causes entries for the users to be created in the control path with theupdated configuration information.

Command HistoryThis commandwas introduced in ArubaOS 3.0.

Command Information


All platforms Base operating system Enable mode on master controllers

ArubaOS6.4| ReferenceGuide aaa authentication stateful-dot1x clear | 43

44 | aaa authentication stateful-ntlm ArubaOS6.4| ReferenceGuide

aaa authentication stateful-ntlmaaa authentication stateful-ntlm

clonedefault-role enableserver-group timeout

DescriptionThis command configures stateful NT LAN Manager (NTLM) authentication.

Syntax


clone Create a copy of an existing stateful NTLM profile

default-role Select an existing role to assign to authenticatedusers.

guest


server-group

Name of a server group. default

timeout Amount of time, in seconds, before the requesttimes out.

1-20seconds

10seconds

Usage GuidelinesNT LAN Manager (NTLM) is a suite of Microsoft authentication and session security protocols. You can use astateful NTLM authentication profile to configure a controller to monitor the NTLM authenticationmessages betweenclients and an authentication server. The controller can then use the information in the Server Message Block (SMB)headers to determine the client's username and IP address, the server IP address and the client's currentauthentication status. If the client successfully authenticates via an NTLM authentication server, the controller canrecognize that the client has been authenticated and assign that client a specified user role. When the user logs off orshuts down the client machine, the user will remain in the authenticated role until the users authentication is agedout.

The Stateful NTLM Authentication profile requires that you specify a server group which includes the serversperforming NTLM authentication, and a default role to be assigned to authenticated users. For details on defining awindows server used for NTLM authentication, see aaa authentication-server windows.

ExampleThe following example configures a stateful NTLM authentication profile that authenticates clients via the servergroup Windows1. Users who are successfully authenticated are assigned the guest2 role.aaa authentication stateful-ntlm

default-role guest2server-group Windows1

Command HistoryCommand introduced in ArubaOS 3.4.1

Command Information



ArubaOS6.4| ReferenceGuide aaa authentication stateful-ntlm | 45

46 | aaa authentication via auth-profile ArubaOS6.4| ReferenceGuide

aaa authentication via auth-profileaaa authentication via auth-profile

auth-protocol {mschapv2|pap}cert-cn-lookupclone default-role desc max-authentication-failures nopan-integrationradius-accounting rfc-3576-server server-group

DescriptionThis command configures the VIA authentication profile.

Syntax

Parameter Description Default

auth-protocol {mschapv2|pap} Authentic-ation pro-tocol supportfor VIAauthen-tication;MSCHAPv2or PAP

PAP

cert-cn-lookup Check cer-tificate com-mon nameagainst AAAserver.

Enable-d

clone Name of anexistingprofile fromwhichconfigurationvalues arecopied.

-

default-role Name of thedefault VIAauthentication profile.

-

desc Descriptionof this profileforreference.

-


max-authentication-failures Number oftimes VIAwill promptuser to logindue toincorrectcredentials.After themaximumauthentication attemptsfailures VIAwill exit.

3

pan-integration Requires IPmapping atPalo AltoNetwork.

-

radius-accounting Server groupfor RADIUSaccounting.

-

rfc-3576-server Configuresthe RFC3576 server.

-

server-group Server groupagainstwhich theuser isauthenticated.

-

Usage GuidelinesUse this command to create VIA authentication profiles and associate user roles to the authentication profile.

Example(host) (config) #aaa authentication via auth-profile default(host) (VIA Authentication Profile "default") #auth-protocol mschapv2(host) (VIA Authentication Profile "default") #default-role example-via-role(host) (VIA Authentication Profile "default") #desc "Default VIA Authentication Profile"(host) (VIA Authentication Profile "default") #server-group "via-server-group"

Command History

Version Description


ArubaOS 6.3 The auth-protocol parameter was added.

ArubaOS6.4| ReferenceGuide aaa authentication via auth-profile | 47

48 | aaa authentication via auth-profile ArubaOS6.4| ReferenceGuide

Command Information



aaa authentication via connection-profileaaa authentication via connection-profile

admin-logoff-scriptadmin-logon-scriptallow-user-disconnectallow-whitelist-trafficauth_domain_suffixauth-profile auth_doman_suffixauto-launch-supplicantauto-loginauto-upgradebanner-message-reappear-timeout client-loggingclient-netmask client-wlan-profile position clonecontrollers-load-balancecsec-gateway-url csec-http-ports dns-suffix-list domain-pre-connectenable-csecenable-fipsenable-supplicantext-download-url ike-policy ikev2-policyikev2-protoikev2authipsec-cryptomap map number ipsecv2-cryptomaplockdown-all-settingsmax-reconnect-attempts minimizedmax-timeout minimizednosave-passwordsserversplit-tunnelingsuiteb-cryptosupport-emailtunneluser-idle-timeoutvalidate-server-certwhitelistwindows-credentials

DescriptionThis command configures the VIA connection profile.

ArubaOS6.4| ReferenceGuide aaa authentication via connection-profile | 49

50 | aaa authentication via connection-profile ArubaOS6.4| ReferenceGuide

Syntax


admin-logoff-script Enables VIAlogoff script. Disabled

admin-logon-script Enables VIA logon script. Disabled

allow-user-disconnect Enable or disable users to disconnect theirVIA sessions.

Enabled

allow-whitelist-traffic If enabled, this feature will block networkaccess until the VIA VPN connection isestablished.

Disabled

auth_domain_suffix Enables a domain suffix on VIA Authentic-ation, so client credentials are sent asdomainname\username instead of just user-name.

auto-launch-supplicant Allows you to connect automatically to aconfigured WLAN network.

Disabled

auth-profile This is the list of VIA authentication profilesthat will be displayed to users in the VIAclient.

admin-logoff-script Specify the name of the script that must beexecuted when the VIA connection isdisconnected. The script must reside on theuser / client system.

admin-logon-script Specify the name of the script that must beexecuted when the VIA connection isestablished. The script must reside on theuser / client system.

auto-login Enable or disable VIA client to auto loginand establish a secure connection to thecontroller.

Enabled

auto-upgrade Enable or disable VIA client toautomatically upgrade when an updatedversion of the client is available on thecontroller.

Enabled

banner-message-reappear-timeout Timeout value, in minutes, after which theuser session will end and the VIA Loginbanner message reappears.

1440minutes

client-logging Enable or disable VIA client to auto loginand establish a secure connection to thecontroller.

Enabled

client-netmask The network mask that has to be set on theclient after the VPN connection isestablished.

255.255.255.255


client-wlan-profile

A list of VIA client WLAN profiles that needsto be pushed to the client machines thatuse Windows Zero Config (WZC) toconfigure or manage their wirelessnetworks.

position

clone Create a copy of connection profile from ananother VIA connection profile.

controllers-load-balance Enable this option to allow the VIA client tofailover to the next available selected ran-domly from the list as configured in the VIAServers option. If disabled, VIA will failoverto the next in the sequence of ordered list ofVIA Servers.

Disabled

server l Address: This is the public IP address orthe DNS hostname of the VIA controller.Users will connect to remote serverusing this IP address or the hostname.

l Internal IP Address: This is the IPaddress of any of the VLAN interface IPaddresses belongs to this controller.

l Description: This is a human-readabledescription of the controller.

addr



ext-download-url End users will use this URL to downloadVIA on their computers.

ike-policy List of IKE policies that the VIA Client has touse to connect to the controller.

ikev2-policy List of IKE V2 policies that the VIA Clienthas to use to connect to the controller

ikev2-proto Enable this to use IKEv2 protocol toestablish VIA sessions.

Disabled

ikev2auth Use this option to set the IKEv2authentication method. By default usercertificate is used for authentication. Theother supported methods are EAP-MSCHAPv2, EAP-TLS. The EAPauthentication is done on an externalRADIUS server.

UserCertificates

ipsec-cryptomap List of IPsec crypto maps that the VIA clientuses to connect to the controller. TheseIPsec Crypto Maps are configured in theCLI using the crypto-local ipsec-map command.

map

number

ipsecv2-cryptomap List of IPSec V2 crypto maps that the VIAclient uses to connect to the controller.

lockdown-all-settings Allows you to lockdown all user configuredsettings.

Disabled.

max-reconnect-attempts

The maximum number of re-connectionattempts by the VIA client due toauthentication failures.

3

max-timeout value The maximum time (minutes) allowedbefore the VIA session is disconnected.

1440 min

minimized Use this option to keep the VIA client on aMicrosoft WIndows operating systemminimized to system tray.

save-passwords Enable or disable users to save passwordsentered in VIA.

Enabled

server Configure VIAservers.

split-tunneling Enable or disable split tunneling.l If enabled, all traffic to the VIA tunneled

networks will go through the controllerand the rest is just bridged directly onthe client.

l If disabled, all traffic will flow through thecontroller.

off


suiteb-crypto Use this option to enable Suite-Bcryptography. See RFC 4869 for moreinformation about Suite-B cryptography.

Disabled

support-email The support e-mail address to which VIAusers will send client logs.

None

tunnel address A list of network destination (IP address andnetmask) that the VIA client will tunnelthrough the controller. All other networkdestinations will be reachable directly bythe VIA client. Enter tunneled IP addressand its netmask.

address

netmask

user-idle-timeout The user idle timeout for this profile. Specifythe idle timeout value for the client inseconds. Valid range is 30-15300 inmultiples of 30 seconds. Enabling thisoption overrides the global settingsconfigured in the AAA timers. If this isdisabled, the global settings are used.

disabled

validate-server-cert Enable or disable VIA from validating theserver certificate presented by thecontroller.

Enabled

whitelist addr Specify a hostname or IP address and net-work mask to define a whitelist of usersallowed to access the networkif the allow-whitelist-traffic option is enabled

addr Host name of IPaddress of a client

netmask Netmask, in dotted decimal format

description (Optional) description of the client

windows-credentials Enable or disable the use of the Windowscredentials to login to VIA. If enabled, theSSO (Single Sign-on) feature can beutilized by remote users to connect tointernal resources.

Enabled

Usage GuidelinesIssue this command to create a VIA connection profile. A VIA connection profile contains settings required by VIA toestablish a secure connection to the controller. You can configuremultiple VIA connection profiles. A VIA connectionprofile is always associated to a user role and all users belonging to that role will use the configured settings. If youdo not assign a VIA connection profile to a user role, the default connection profile is used.

ExampleThe following example shows a simple VIA connection profile:(host) (config) #aaa authentication via connection-profile "via"(host) (VIA Connection Profile "via") #server addr 202.100.10.100 internal-ip 10.11.12.13 desc"VIA Primary" position 0(host) (VIA Connection Profile "via") #auth-profile "default" position 0(host) (VIA Connection Profile "via") #tunnel address 10.0.0.0 netmask 255.255.255.0(host) (VIA Connection Profile "via") #split-tunneling

ArubaOS6.4| ReferenceGuide aaa authentication via connection-profile | 53


(host) (VIA Connection Profile "via") #windows-credentials(host) (VIA Connection Profile "via") #client-netmask 255.0.0.0(host) (VIA Connection Profile "via") #dns-suffix-list mycorp.com(host) (VIA Connection Profile "via") #dns-suffix-list example.com(host) (VIA Connection Profile "via") #support-email [email protected]

Command History



ArubaOS 6.1 The following commands were introduced:l admin-logon-scriptl admin-logoff-scriptl ikev2-policyl ikev2-protol ikev2-authl ipsecv2-cryptol minimizedl suiteb-crypto

ArubaOS 6.1.3.2 The auth_domain_suffix parameter was introduced.

ArubaOS 6.2 The following commands were introduced:l allow-whitelist-trafficl banner-message-reappear-timeoutl controllers-load-balancingl enable-fipsl enable-supplicantl whitelist


Command Information



aaa authentication via global-configaaa authentication via global-config

nossl-fallback-enable

DescriptionThe global config option allows to you to enable SSL fallback mode. If the SSL fallback mode is enabled the VIAclient will use SSL to create a secure connection.

Syntax


no Disable SSL fallback option

ssl-fallback-enable Use this option to enable an SSL fallback connection. Disabled

Example(host) (config) #aaa authentication via global-config

Command HistoryCommand introduced in 5.0

Command Information



ArubaOS6.4| ReferenceGuide aaa authentication via global-config | 55

56 | aaa authentication via web-auth ArubaOS6.4| ReferenceGuide

aaa authentication via web-authaaa authentication via web-auth default

auth-profile position clone no

DescriptionA VIA web authentication profile contains an ordered list of VIA authentication profiles. The web authenticationprofile is used by end users to login to the VIA download page (https:///via) for downloading theVIA client. Only one VIA web authentication profile is available. If more than one VIA authentication profile isconfigured, users can view this list and select one during the client login.

Syntax


auth-profile The name of the VIA authentication profile

position The position of the profile to specify the order ofselection.

clone Duplicate an existing authentication profile.

Example(host) (config) #aaa authentication via web-auth default(host) (VIA Web Authentication "default") #auth-profile default position 0

Command HistoryCommand introduced in 5.0

Command Information



aaa authentication vpnaaa authentication vpn

cert-cn-lookupclone default-role export-routemax-authentication-failures no ...pan-integrationradius-accountingserver-group user-idle-timeout

DescriptionThis command configures VPN authentication settings.

Syntax


There are three VPN profiles: default, default-rap ordefault-cap.This allows users to use different AAA servers forVPN, RAP and CAP clients.NOTE: The default and default-rap profiles areconfigurable. The default-cap profile is notconfigurable and is predefined with the defaultsettings.

cert-cn-lookup If you use client certificates for user authentication,enable this option to verify that the certificate'scommon name exists in the server. This parameter isenabled by default in the default-cap and default-rapVPN profiles, and disabled by default on all otherVPN profiles.

clone Copies data from another VPN authentication profile.Source is the profile name from which the data iscopied.

default-role Role assigned to the VPN user upon login.NOTE: This parameter requires the PolicyEnforcement Firewall for VPN Users (PEFV) license.

guest

export-route Exports a VPN IP address as a route to the externalworld. See the show ip ospf command to view thelink-state advertisement (LSA) types that are gen-erated.

enabled


Maximum number of authentication failures beforethe user is blacklisted. The supported range is 1-10failures. A value of 0 disables blacklisting.NOTE: This parameter requires the RFProtectlicense.

0 (disabled)


ArubaOS6.4| ReferenceGuide aaa authentication vpn | 57

58 | aaa authentication vpn ArubaOS6.4| ReferenceGuide


pan-integration Require IP mapping at Palo Alto Networks firewalls. disabled

radius-accounting < Configure server group for RADIUSaccounting

server-group Name of the group of servers used to authenticateVPN users. See aaa server-group on page 89.

internal

user-idle-timeout The user idle timeout for this profile. Specify the idletimeout value for the client in seconds. Valid range is30-15300 in multiples of 30 seconds. Enabling thisoption overrides the global settings configured in theAAA timers. If this is disabled, the global settings areused.

Usage GuidelinesThis command configures VPN authentication settings for VPN, RAP and CAP clients.Use the vpdn groupcommand to configure Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) or a Point-to-PointTunneling Protocol (PPTP) VPN connection. (See vpdn group l2tp on page 1840.)

ExampleThe following command configures VPN authentication settings for the default-rap profile:aaa authentication vpn default-rap

default-role guestclone defaultmax-authentication-failures 0server-group vpn-server-group

The followingmessage appears when a user tries to configure the non-configurable default-cap profile:(host) (config) #aaa authentication vpn default-capPredefined VPN Authentication Profile "default-cap" is not editable

Command History

Version Description


ArubaOS 5.0 The default-cap and default-rap profiles were introduced.

ArubaOS 6.1 The cert-cn-lookup parameter was introduced.


ArubaOS 6.3.1 The export-route parameter was introduced.

Command Information


All platforms Base operating system, exceptfor noted parameters.The default-role parameterrequires the Policy EnforcementFirewall for VPN Users (PEFV)license.


ArubaOS

Technology

Aruba OS 6.4 Command Line Interface Reference Guide