ArubaOS 8.0.0.0 Command-Line Interface Reference Guide



Revision 03 | August 2016 | ArubaOS 8.0.0.0 Reference Guide

    Copyright Information

    © Copyright 2016 Hewlett Packard Enterprise Development LP.

    Open Source Code

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public License, and/or certain other open source licenses. A complete machine-readable copy of the source code corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
3000 Hanover Street
Palo Alto, CA 94304
USA

Revision History

The following table lists the revisions of this document.

Revision     Change Description
Revision 03  Added the priority and weight sub-parameters under wired vlan uplink-id {link1|link2|link3|link4} in the uplink command.
Revision 02  Updated the descriptions for the following parameters and the Usage Guidelines section of the dpi command page: custom-app; global-bandwidth-contract app; global-bandwidth-contract appcategory; proto-bundle activate.
Revision 01  Initial release.

Table 1: Revision History

ArubaOS Command-Line Interface

The ArubaOS 8.0 Command-Line Interface (CLI) allows you to configure and manage Mobility Master and managed devices. The CLI is accessible from a local console connected to the serial port on the Mobility Master or through a Telnet or Secure Shell (SSH) session from a remote management console or workstation.

Telnet access is disabled by default, and because Telnet carries the login credentials and the whole session in cleartext, SSH is the preferred method for remote access. To enable Telnet access, enter the telnet CLI command from a serial connection or an SSH session, or in the WebUI navigate to the Configuration > System > Admin page.

About this Guide

This guide describes the ArubaOS 8.0.0.0 command syntax. The commands in this guide are listed alphabetically.

The following information is provided for each command:

- Command Syntax: the complete syntax of the command.
- Description: a brief description of the command.
- Syntax: a description of the command parameters, including license requirements for specific parameters if needed. The applicable ranges and default values, if any, are also included.
- Usage Guidelines: information to help you use the command, including prerequisites, prohibitions, and related commands.
- Example: an example of how to use the command.
- Command History: the version of ArubaOS in which the command was first introduced. Modifications and changes to the command are also noted.
- Command Information: a table that describes any licensing requirements, command modes and platforms for which the command is applicable. For more information about available licenses, refer to the Aruba Mobility Master Licensing Guide.

Connecting to the Mobility Master or Managed Device

This section describes how to connect to the Mobility Master or a managed device to use the CLI.

Serial Port Connection

The serial port is located on the front panel of the managed device. Connect a terminal or PC/workstation running a terminal emulation program to the serial port on the managed device to use the CLI. Configure your terminal or terminal emulation program to use the following communication settings:

Baud Rate  Data Bits  Parity  Stop Bits  Flow Control
9600       8          None    1          None

The Aruba 7200 Series controller supports baud rates between 9600 and 115200.

Telnet or SSH Connection

Telnet or SSH access requires that you configure an IP address and a default gateway on the Mobility Master/managed device and connect the Mobility Master/managed device to your network. This is typically performed when you run the initial setup on the Mobility Master/managed device, as described in the ArubaOS 8.0.0.0 Quick Start Guide. In certain deployments, you can also configure a loopback address for the Mobility Master/managed device; see interface loopback on page 509 for more information.

Configuration Changes on Mobility Master

Some commands can only be issued when connected to Mobility Master. If you make a configuration change on Mobility Master, all connected managed devices using that configuration will subsequently update their settings as well.

CLI Access

When you connect to the Mobility Master using the CLI, the system displays the login prompt. Log in using the admin user account and the password you entered during the initial setup on the Mobility Master. For example:

    login as: [email protected]'s password:
    Last login: Sat Jun 25 01:17:11 2016 from 192.0.2.77

When you are logged in, the enable mode CLI prompt displays. For example:

    (host) [mynode] #

All show commands and certain management functions are available in the enable (also called "privileged") mode.

Configuration commands are available in config mode. Move from enable mode to config mode by entering configure terminal at the # prompt:

    (host) [mynode]# configure terminal
    Enter Configuration commands, one per line. End with CNTL/Z

When you are in basic config mode, (config) appears before the # prompt:

    (host) [mynode] (config) #

There are several other sub-command modes that allow users to configure individual interfaces, sub-interfaces, loopback addresses, GRE tunnels and cellular profiles. For details on the prompts and the available commands for each of these modes, see Appendix A: Command Modes on page 2588.

Command Help

You can use the question mark (?) to view various types of command help.

When typed at the beginning of a line, the question mark lists all the commands available in your current mode or sub-mode. A brief explanation follows each command. For example:

    (host) [mynode] #aaa ?
    authentication   Authentication
    inservice        Bring authentication server into service
    ipv6             Internet Protocol Version 6
    query-user       Query User
    test-server      Test authentication server
    user             User commands

When typed at the end of a possible command or abbreviation, the question mark lists the commands that match (if any). For example:

    (host) [mynode] #c?
    ccm-debug                Centralized Configuration Module debug information
    cd                       Change current config node
    change-config-node       Change current config node
    clear                    Clear configuration
    clock                    Append clock to cli output
    cluster-debug            Cluster Debug
    configure                Configuration Commands
    copy                     Copy Files
    copy-provisioning-par..  Copy a provisioning-ap-list entry to provisioning-params
    crypto                   Configure IPSec, IKE, and CA

If more than one item is shown, type more of the keyword characters to distinguish your choice. However, if only one item is listed, the keyword or abbreviation is valid and you can press tab or the spacebar to advance to the next keyword.

When typed in place of a parameter, the question mark lists the available options. For example:

    (host) [mynode] #write ?
    erase      Erase and start from scratch
    memory     Write to memory
    terminal   Write to terminal
    <cr>

The <cr> indicates that the command can be entered without additional parameters. Any other parameters are optional.

Command Completion

To make command input easier, you can usually abbreviate each keyword in the command. You need type only enough of each keyword to distinguish it from similar commands. For example:

    (host) [mynode] #configure terminal

could also be entered as:

    (host) [mynode] #con t

Three characters (con) represent the shortest abbreviation allowed for configure. Typing only c or co would not work because there are other commands (like copy) which also begin with those letters. The configure command is the only one that begins with con.

As you type, you can press the spacebar or tab to move to the next keyword. The system then attempts to expand the abbreviation for you. If there is only one command keyword that matches the abbreviation, it is filled in for you automatically. If the abbreviation is too vague (too few characters), the cursor does not advance and you must type more characters or use the help feature to list the matching commands.
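The abbreviation rules above (shortest unique prefix, ? listing the matching keywords, a fully typed keyword always accepted) are easy to get wrong when scripting against a CLI, so here is an added example that models them in Python. It is not code from the ArubaOS guide: the command tree is a constructed subset built from the c? and write ? listings shown above, and copy-provisioning-params is assumed to be the full name of the truncated copy-provisioning-par.. entry.

```python
"""Model ArubaOS-style command abbreviation and completion.

Added example; not part of the ArubaOS CLI Reference Guide.  The command
tree is a constructed subset built from the 'c?' and 'write ?' listings in
the guide.  'copy-provisioning-params' is assumed to be the full name of the
truncated 'copy-provisioning-par..' entry.
"""
from typing import Dict, List, Optional

# Constructed command tree: keyword -> sub-keywords (empty dict = leaf).
COMMAND_TREE: Dict[str, dict] = {
    "ccm-debug": {},
    "cd": {},
    "change-config-node": {},
    "clear": {},
    "clock": {},
    "cluster-debug": {},
    "configure": {"terminal": {}},
    "copy": {},
    "copy-provisioning-params": {},
    "crypto": {},
    "write": {"erase": {}, "memory": {}, "terminal": {}},
}


def matches(prefix: str, keywords: List[str]) -> List[str]:
    """Keywords beginning with prefix: what '?' typed after an abbreviation lists."""
    return [k for k in keywords if k.startswith(prefix)]


def resolve(abbrev: str, keywords: List[str]) -> Optional[str]:
    """Return the single keyword abbrev stands for, or None if ambiguous or unknown.

    A fully typed keyword always wins, even when it is also a prefix of a
    longer keyword ('copy' versus 'copy-provisioning-params'); otherwise the
    abbreviation must match exactly one keyword.
    """
    if abbrev in keywords:
        return abbrev
    found = matches(abbrev, keywords)
    return found[0] if len(found) == 1 else None


def shortest_abbreviation(keyword: str, keywords: List[str]) -> str:
    """Fewest leading characters that still resolve to keyword ('con' for configure)."""
    for n in range(1, len(keyword) + 1):
        if resolve(keyword[:n], keywords) == keyword:
            return keyword[:n]
    raise ValueError(f"{keyword!r} is not in the keyword list")


def expand_line(line: str, tree: Dict[str, dict] = COMMAND_TREE) -> str:
    """Expand every abbreviated keyword on a line ('con t' -> 'configure terminal').

    Raises ValueError naming the ambiguous or unknown keyword, mirroring the
    CLI, where the cursor does not advance until the abbreviation is unique.
    """
    node = tree
    expanded = []
    for word in line.split():
        full = resolve(word, list(node))
        if full is None:
            candidates = matches(word, list(node))
            if candidates:
                raise ValueError(f"{word!r} is ambiguous: {', '.join(candidates)}")
            raise ValueError(f"{word!r} is not a keyword at this position")
        expanded.append(full)
        node = node[full]
    return " ".join(expanded)


if __name__ == "__main__":
    top_level = list(COMMAND_TREE)
    for cmd in ("configure", "copy", "clear", "clock", "crypto"):
        print(f"{cmd:<10} shortest abbreviation: {shortest_abbreviation(cmd, top_level)}")
    print(expand_line("con t"))
    print(expand_line("wr mem"))
    try:
        expand_line("co t")
    except ValueError as exc:
        print("rejected:", exc)
```

Running the block reproduces the guide's statement that con is the shortest abbreviation for configure while c and co are rejected as ambiguous; expand_line is the piece to reuse when normalising commands read from an automation script before sending them.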

Deleting Configuration Settings

Use the no command to delete or negate previously entered configurations or parameters.

- To view a list of no commands, type no at the enable or config prompt followed by the question mark. For example:

    (host) [mynode] (config) # no ?

- To delete a configuration, use the no form of a configuration command. For example, the following command removes a configured user role:

    (host) [mynode] (config) # no user-role <name>

- To negate a specific configured parameter, use the no parameter within the command. For example, the following commands delete the DSCP priority map for a priority map configuration:

    (host) [mynode] (config) # priority-map <name>
    (host) [mynode] (config-priority-map) # no dscp priority high

Saving Configuration Changes

The running configuration (running-config) holds the current Mobility Master configuration, including all pending changes which have yet to be saved. To view the running-config, use the following command:

    (host) [mynode]# show running-config

When you make configuration changes via the CLI, those changes affect the current running configuration only. If the changes are not saved, they will be lost after the Mobility Master reboots. To save your configuration changes so they are retained after the Mobility Master reboots, use the following command in the enable or config mode:

    (host) ^[mynode]# write memory
    Saving Configuration...
    Saved Configuration

The running configuration can also be saved to a file or sent to a TFTP server for backup or transfer to another system. TFTP transfers are neither authenticated nor encrypted, and the saved configuration contains secrets such as WPA passphrases and WEP keys, so perform such transfers only over a trusted management network.

The ^ indicator appears between the (host) and [node] portions of the command prompt if the configuration contains unsaved changes. ArubaOS includes the following command prompts:

- (host)^[mynode]: indicates unsaved configuration.
- (host)*[mynode]: indicates available crash information.
- (host) [mynode]: indicates a saved configuration.

Commands That Reset the Mobility Master or AP

If you use the CLI to modify a currently provisioned and running radio profile, those changes take place immediately; you do not need to reboot the Mobility Master or the AP for the changes to affect the current running configuration. Certain commands, however, automatically force the Mobility Master or AP to reboot. You may want to consider current network loads and conditions before issuing these commands, as they may cause a momentary disruption in service as the unit resets. Note also that changing the lms-ip parameter in an AP system profile associated with an AP group will cause all APs in that AP group to reboot.

Commands that reset an AP:

- ap-regroup
- ap-rename
- apboot
- provision-ap
- ap wired-ap-profile forward-mode {bridge|split-tunnel|tunnel}
- wlan virtual-ap {aaa-profile |forward-mode {tunnel|bridge|split-tunnel|decrypt-tunnel} |ssid-profile |vlan ...}
- ap system-profile {bootstrap-threshold |lms-ip |}
- wlan ssid-profile {battery-boost|deny-bcast|essid|opmode|strict-svp|wepkey1|wepkey2|wepkey3|wepkey4|weptxkey|wmm|wmm-be-dscp|wmm-bk-dscp|wmm-ts-min-inact-int|wmm-vi-dscp|wmm-vo-dscp|wpa-hexkey|wpa-passphrase}
- wlan dot11k {bcn-measurement-mode|dot11k-enable|force-disassoc}

Commands that reset a Mobility Master:

- reload

Table 2: Reset Commands

Typographic Conventions

The following conventions are used throughout this manual to emphasize important concepts:

Italics
    This style is used to emphasize important terms and to mark the titles of books.

Boldface
    This style is used to emphasize command names and parameter options when mentioned in the text.

Commands
    This fixed-width font depicts command syntax and examples of commands and command output.

<angle brackets>
    In the command syntax, text within angle brackets represents items that you should replace with information appropriate to your specific situation. For example:

        ping <ipaddr>

    In this example, you would type "ping" at the system prompt exactly as shown, followed by the IP address of the system to which ICMP echo packets are to be sent. Do not type the angle brackets.

[square brackets]
    In the command syntax, items enclosed in brackets are optional. Do not type the brackets.

{Item_A|Item_B}
    In the command examples, single items within curled braces and separated by a vertical bar represent the available choices. Enter only one choice. Do not type the braces or bars.

{ap-name <ap-name>}|{ipaddr <ipaddr>}
    Two items within curled braces indicate that both parameters must be entered together. If two or more sets of curled braces are separated by a vertical bar, as in this example, enter only one choice. Do not type the braces or bars.

Table 3: Text Conventions

Command Line Editing

The system records your most recently entered commands. You can review the history of your actions, or reissue a recent command easily, without having to retype it.

To view items in the command history, use the up arrow key to move back through the list and the down arrow key to move forward. To reissue a specific command, press Enter when the command appears in the command history. You can even use the command line editing feature to make changes to the command prior to entering it. The command line editing feature allows you to make corrections or changes to a command without retyping. Table 4 lists the editing controls. To use key shortcuts, press and hold the Ctrl key while you press a letter key.

Key                        Effect        Description
Ctrl A                     Home          Move the cursor to the beginning of the line.
Ctrl B or the left arrow   Back          Move the cursor one character left.
Ctrl D                     Delete Right  Delete the character to the right of the cursor.
Ctrl E                     End           Move the cursor to the end of the line.
Ctrl F or the right arrow  Forward       Move the cursor one character right.
Ctrl K                     Delete Right  Delete all characters to the right of the cursor.
Ctrl N or the down arrow   Next          Display the next command in the command history.
Ctrl P or the up arrow     Previous      Display the previous command in the command history.
Ctrl T                     Transpose     Swap the character to the left of the cursor with the character to the right of the cursor.
Ctrl U                     Clear         Clear the line.
Ctrl W                     Delete Word   Delete the characters from the cursor up to and including the first space encountered.
Ctrl X                     Delete Left   Delete all characters to the left of the cursor.

Table 4: Line Editing Keys

Specifying Addresses and Identifiers in Commands

This section describes addresses and other identifiers that you can reference in CLI commands.

IP address
    For any command that requires entry of an IP address to specify a network entity, use IPv4 network address format in the conventional dotted decimal notation, with each of the four octets in the range 0-255 (for example, 10.4.1.25).

Netmask address
    For subnet addresses, specify a netmask in dotted decimal notation (for example, 255.255.255.0).

Media Access Control (MAC) address
    For any command that requires entry of a device's hardware address, use the hexadecimal format of six colon-separated octets (for example, 00:05:4e:50:14:aa).

Service Set Identifier (SSID)
    A unique character string (sometimes referred to as a network name), consisting of no more than 32 characters. The SSID is case-sensitive (for example, WLAN-01).

Basic Service Set Identifier (BSSID)
    The unique hardware MAC address of the AP radio. A unique BSSID applies to each frequency band (802.11a and 802.11g) used from the AP. Use the same format as for a MAC address.

Extended Service Set Identifier (ESSID)
    Typically the unique logical name of a wireless network. If the ESSID includes spaces, you must enclose the name in quotation marks.

Fast Ethernet or Gigabit Ethernet interface
    Any command that references a Fast Ethernet or Gigabit Ethernet interface requires that you specify the corresponding port on the managed device in the format <slot>/<module>/<port>. Use the show port status command to obtain the interface information currently available from a managed device.

Table 5: Addresses and Identifiers
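The formats in the table are exactly the ones a generated configuration gets wrong (an octet above 255, a non-contiguous netmask, a MAC without colons, an ESSID with a space left unquoted), so here is an added example that checks them before values are pasted into the CLI. It is not code from the ArubaOS guide; the function names are this example's own and the sample values used in its checks are constructed.

```python
"""Validate the address and identifier formats the ArubaOS CLI expects.

Added example; not code from the ArubaOS guide.  The checks implement the
formats listed in the Addresses and Identifiers table (dotted-decimal IPv4,
dotted-decimal netmask, colon-separated MAC, SSID/ESSID length and quoting,
and the <slot>/<module>/<port> interface form).  Function names are this
example's own; all sample values are constructed.
"""
import re
from typing import Optional, Tuple

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
PORT_RE = re.compile(r"^(\d+)/(\d+)/(\d+)$")


def valid_ipv4(text: str) -> bool:
    """Four decimal octets, each 0-255; rejects values such as 10.4.1.258."""
    parts = text.split(".")
    if len(parts) != 4:
        return False
    return all(p.isdigit() and len(p) <= 3 and 0 <= int(p) <= 255 for p in parts)


def valid_netmask(text: str) -> bool:
    """Dotted-decimal mask whose binary form is a run of ones followed by zeros."""
    if not valid_ipv4(text):
        return False
    mask = 0
    for octet in text.split("."):
        mask = (mask << 8) | int(octet)
    inverted = ~mask & 0xFFFFFFFF            # the host part as a bit field
    return (inverted & (inverted + 1)) == 0  # contiguous iff inverted == 2**n - 1


def valid_mac(text: str) -> bool:
    """Six hexadecimal octets separated by colons, e.g. 00:05:4e:50:14:aa."""
    return MAC_RE.match(text) is not None


def valid_ssid(text: str) -> bool:
    """1-32 characters; the 802.11 SSID field holds 32 bytes, so count UTF-8 bytes."""
    return 1 <= len(text.encode("utf-8")) <= 32


def cli_essid(text: str) -> str:
    """Quote an ESSID for the CLI when it contains spaces, as the guide requires."""
    if not valid_ssid(text):
        raise ValueError("ESSID must be 1-32 bytes")
    return f'"{text}"' if " " in text else text


def parse_port(text: str) -> Optional[Tuple[int, int, int]]:
    """Split a <slot>/<module>/<port> interface reference into its three numbers."""
    m = PORT_RE.match(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


if __name__ == "__main__":
    for value, check in (("10.4.1.25", valid_ipv4), ("10.4.1.258", valid_ipv4),
                         ("255.255.255.0", valid_netmask), ("255.0.255.0", valid_netmask),
                         ("00:05:4e:50:14:aa", valid_mac), ("WLAN-01", valid_ssid)):
        print(f"{value:<18} {check.__name__:<14} {check(value)}")
    print(cli_essid("Guest WiFi"), parse_port("0/0/1"))
```

The netmask check is the one worth copying: comparing the inverted mask against a power of two minus one catches masks like 255.0.255.0 that pass a plain octet-range test but are not valid prefixes.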

Contacting Support

Main Site: arubanetworks.com
Support Site: support.arubanetworks.com
Airheads Social Forums and Knowledge Base: community.arubanetworks.com
North American Telephone: 1-800-943-4526 (Toll Free), 1-408-754-1200
International Telephone: arubanetworks.com/support-services/contact-support/
Software Licensing Site: licensing.arubanetworks.com
End-of-life Information: arubanetworks.com/support-services/end-of-life/
Security Incident Response Team (SIRT): arubanetworks.com/support-services/security-bulletins/, Email: [email protected]

Table 6: Contact Information

aaa alias-group

aaa alias-group <name>
  clone <source>
  no ...
  set vlan condition essid|location equals <value> set-value <vlan>

Description

This command configures an AAA alias group with a set of VLAN derivation rules that can speed up user rule derivation processing for deployments with a very large number of user derivation rules.

Syntax

<name>
    Name of the alias group.

clone <source>
    Copy data from another alias group.

set vlan condition essid|location equals <value> set-value <vlan>
    Specify rules to derive role and VLAN.

Command History

ArubaOS 8.0: Command introduced.

Command Information

Platforms: All platforms
Licensing: Base operating system, except for noted parameters.
Command Mode: Config mode on Mobility Master.

aaa auth-survivability

aaa auth-survivability
  cache-lifetime <hours>
  enable
  server-cert <name>

Description

This command configures Authentication Survivability on a managed device.

Syntax

cache-lifetime <hours>
    This parameter specifies the lifetime in hours for the cached access credential in the local Survival Server. When the specified cache-lifetime expires, the cached access credential is deleted from the managed device. The valid range is from 1 to 72 hours.
    Default: 24 hours

enable
    This parameter controls whether to use the Survival Server when no other servers in the server group are in service. It also controls whether to store the user access credential in the Survival Server when it is authenticated by an external RADIUS or LDAP server in the server group. Authentication Survivability is enabled or disabled on each managed device.
    NOTE: Authentication survivability will not activate if the Authentication Server Dead Time is configured as 0.
    Default: disabled

server-cert <name>
    This parameter allows you to view the name of the server certificate used by the local Survival Server. The local Survival Server is provided with a default server certificate from ArubaOS. Your own server certificate must be imported into the managed device first, and then you can assign it to the local Survival Server.
    NOTE: In production deployments, replace the default certificate with your own server certificate.

Usage Guidelines

Use this command to configure authentication survivability on a managed device or Mobility Master.

Command History

ArubaOS 8.0: Command introduced.

Command Information

Platforms: All platforms
Licensing: Base operating system.
Command Mode: Config mode on Mobility Master.

aaa auth-trace

aaa auth-trace
  loglevel alert|critical|debug|emergency|error|info|notice|warn

Description

This command sets parameters for debug tracing in AUTH (lightweight tracing).

Syntax

loglevel
    Specify the log level of syslogs that will be included in the trace. Messages at the given severity or higher are traced:

    alert        Trace all logs equal to or higher than LOG_ALERT.
    critical     Trace all logs equal to or higher than LOG_CRIT.
    debug        Trace all logs equal to or higher than LOG_DEBUG.
    emergency    Trace all logs equal to or higher than LOG_EMERG.
    error        Trace all logs equal to or higher than LOG_ERR.
    info         Trace all logs equal to or higher than LOG_INFO.
    notice       Trace all logs equal to or higher than LOG_NOTICE.
    warn         Trace all logs equal to or higher than LOG_WARN.

Usage Guidelines

Use this command to set the parameters for debug tracing in AUTH (lightweight tracing) on the Mobility Master.

Command History

ArubaOS 8.0: Command introduced.

Command Information

Platforms: All platforms
Licensing: Base operating system.
Command Mode: Config mode on Mobility Master.

aaa authentication captive-portal

aaa authentication captive-portal <profile>
  apple-cna-bypass
  auth-protocol mschapv2|pap|chap
  black-list <string>
  clone <source-profile>
  default-guest-role <role>
  default-role <role>
  enable-welcome-page
  guest-logon
  ip-addr-in-redirection <ipaddr>
  login-page <url>
  logon-wait {cpu-threshold <percent>}|{maximum-delay <seconds>}|{minimum-delay <seconds>}
  logout-popup-window
  max-authentication-failures <number>
  no ...
  protocol-http
  proxy <ipaddr> port <port>
  redirect-pause <seconds>
  redirect-url <url>
  server-group <group-name>
  show-acceptable-use-policy
  show-fqdn
  single-session
  switchip-in-redirection-url
  url-hash-key <key>
  user-idle-timeout <seconds>
  user-logon
  user-vlan-in-redirection-url
  welcome-page <url>
  white-list <string>

Description

This command configures a Captive Portal authentication profile.

Syntax

<profile>
    Name that identifies an instance of the profile. The name must be 1-63 characters.
    Default: "default"

apple-cna-bypass
    Enable this knob to bypass Apple CNA on iOS devices such as iPad, iPhone, and iPod. Captive Portal authentication then has to be performed from a browser.

auth-protocol chap|mschapv2|pap
    This parameter specifies the type of authentication required by this profile. PAP is the default authentication type.
    Range: chap, mschapv2, pap. Default: pap

black-list <string>
    Name of an existing black list on an IPv4 or IPv6 network destination. The black list contains websites (unauthenticated) that a guest cannot access. Specify a netdestination host or subnet to add that netdestination to the captive portal blacklist. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the blacklist.

clone <source-profile>
    Name of an existing Captive Portal profile from which parameter values are copied.

default-guest-role <role>
    Role assigned to guest.
    Default: guest

default-role <role>
    Role assigned to the Captive Portal user when that user logs in. When both user and guest logons are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role.
    Default: guest

enable-welcome-page
    Displays the configured welcome page before the user is redirected to their original URL. If this option is disabled, redirection to the web URL happens immediately after the user logs in.
    Range: enabled/disabled. Default: enabled

guest-logon
    Enables Captive Portal logon without authentication.
    Range: enabled/disabled. Default: disabled

ip-addr-in-redirection <ipaddr>
    Sends the Mobility Master's interface IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the Mobility Master from which a request originated by parsing the 'switchip' variable in the URL. This parameter requires the Public Access license.

login-page <url>
    URL of the page that appears for the user logon. This can be set to any URL.
    Default: /auth/index.html

logon-wait
    Configure parameters for the logon wait interval:

    cpu-threshold <percent>
        CPU utilization percentage above which the logon wait interval is applied when presenting the user with the logon page.
        Range: 1-100. Default: 60%

    maximum-delay <seconds>
        Maximum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the logon wait CPU utilization threshold parameter.
        Range: 1-10. Default: 10 seconds

    minimum-delay <seconds>
        Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the logon wait CPU utilization threshold parameter.
        Range: 1-10. Default: 5 seconds

logout-popup-window
    Enables a pop-up window with the Logout link that allows the user to log out. If this option is disabled, the user remains logged in until the user timeout period has elapsed or the station reloads.
    Range: enabled/disabled. Default: enabled

max-authentication-failures <number>
    Maximum number of authentication failures before the user is blacklisted.
    Range: 0-10. Default: 0

no
    Negates any configured parameter.

protocol-http
    Use HTTP protocol on redirection to the Captive Portal page. If you use this option, modify the captive portal policy to allow HTTP traffic.
    Range: enabled/disabled. Default: disabled (HTTPS is used)

proxy <ipaddr> port <port>
    Update IP address of the proxy host.

redirect-pause <seconds>
    Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link.
    Range: 1-60. Default: 10 seconds

redirect-url <url>
    URL to which an authenticated user will be directed. This parameter must be an absolute URL that begins with either http:// or https://.

server-group <group-name>
    Name of the group of servers used to authenticate Captive Portal users. See aaa server-group on page 104.

show-fqdn
    Allows the user to see and select the fully-qualified domain name (FQDN) on the login page. The FQDNs shown are specified when configuring individual servers for the server group used with captive portal authentication.
    Range: enabled/disabled. Default: disabled

single-session
    Allows only one active user session at a time.
    Default: disabled

show-acceptable-use-policy
    Show the acceptable use policy page before the login page.
    Range: enabled/disabled. Default: disabled

switchip-in-redirection-url
    Sends the managed device's IP address in the redirection URL when external captive portal servers are used. An external captive portal server can determine the managed device from which a request originated by parsing the 'switchip' variable in the URL.
    Range: enabled/disabled. Default: disabled

url-hash-key <key>
    Issue this command to hash the redirection URL using the specified key.
    Default: disabled

user-idle-timeout <seconds>
    The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.
    Range: 30-15300, in multiples of 30 seconds. Default: disabled

user-logon
    Enables Captive Portal with authentication of user credentials.
    Range: enabled/disabled. Default: enabled

user-vlan-in-redirection-url
    Add the user VLAN in the redirection URL. This parameter requires the Public Access license.
    Range: enabled/disabled. Default: disabled

welcome-page <url>
    URL of the page that appears after logon and before redirection to the web URL. This can be set to any URL.
    Default: /auth/welcome.html

white-list <string>
    Name of an existing white list on an IPv4 or IPv6 network destination. The white list contains authenticated websites that a guest can access. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the whitelist.

Usage Guidelines

You can configure the Captive Portal authentication profile in the base operating system or with the Next Generation Policy Enforcement Firewall (PEFNG) license installed. When you configure the profile in the base operating system, the name of the profile must be entered for the initial role in the AAA profile. Also, when you configure the profile in the base operating system, you cannot define the default-role.

Example

The following example configures a Captive Portal authentication profile that authenticates users against the Mobility Master's internal database. Users who are successfully authenticated are assigned the auth-guest role. To create the auth-guest user role shown in this example, the PEFNG license must be installed on the Mobility Master.

    (host) [mynode] (config) #aaa authentication captive-portal guestnet
    (host) [mynode] (Captive Portal Authentication Profile "guestnet") #default-role auth-guest
    (host) [mynode] (Captive Portal Authentication Profile "guestnet") #user-logon
    (host) [mynode] (Captive Portal Authentication Profile "guestnet") #no guest-logon
    (host) [mynode] (Captive Portal Authentication Profile "guestnet") #server-group internal
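The parameter table carries enough ranges and defaults that a profile can be checked before it is typed in, so here is an added example that does exactly that and also flags the settings a reviewer would question: redirection over cleartext HTTP, a redirect-url that is not absolute, an idle timeout that is not a multiple of 30, and failed logons that never blacklist. It is not code from the ArubaOS guide; the dataclass field names and finding wording are this example's own, reading max-authentication-failures 0 as "blacklisting off" is this example's interpretation of the 0-10 range, and the guestnet profile at the end is the guide's example rebuilt as data.

```python
"""Sanity checks for an ArubaOS captive-portal authentication profile.

Added example, not code from the ArubaOS guide.  It encodes the ranges and
defaults from the aaa authentication captive-portal parameter table so a
profile can be checked before it is entered at the CLI.  Field names, the
finding texts and the treatment of max-authentication-failures 0 as
"never blacklist" are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class CaptivePortalProfile:
    name: str
    auth_protocol: str = "pap"               # chap | mschapv2 | pap
    default_role: str = "guest"
    user_logon: bool = True
    guest_logon: bool = False
    protocol_http: bool = False              # False = HTTPS redirection (default)
    max_authentication_failures: int = 0     # 0-10
    server_group: Optional[str] = None
    redirect_url: Optional[str] = None       # absolute http:// or https:// URL
    user_idle_timeout: Optional[int] = None  # 30-15300, multiples of 30
    cpu_threshold: int = 60                  # logon-wait, 1-100 percent
    minimum_delay: int = 5                   # logon-wait, 1-10 seconds
    maximum_delay: int = 10                  # logon-wait, 1-10 seconds
    redirect_pause: int = 10                 # 0 = wait for click, else 1-60 seconds


def check_profile(p: CaptivePortalProfile) -> List[str]:
    """Return a list of findings; an empty list means the profile passes."""
    findings: List[str] = []
    if not 1 <= len(p.name) <= 63:
        findings.append("profile name must be 1-63 characters")
    if p.auth_protocol not in ("chap", "mschapv2", "pap"):
        findings.append(f"auth-protocol {p.auth_protocol!r} is not chap|mschapv2|pap")
    if p.user_logon and not p.server_group:
        # Assumption: credential logon needs a server group to authenticate against.
        findings.append("user-logon is enabled but no server-group is set")
    if not 0 <= p.max_authentication_failures <= 10:
        findings.append("max-authentication-failures must be 0-10")
    elif p.max_authentication_failures == 0:
        findings.append("max-authentication-failures 0: failed logons never blacklist the user")
    if p.protocol_http:
        findings.append("protocol-http: redirection to the portal uses cleartext HTTP instead of HTTPS")
    if p.redirect_url is not None:
        parts = urlsplit(p.redirect_url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append("redirect-url must be an absolute URL starting with http:// or https://")
    if p.user_idle_timeout is not None and (
            not 30 <= p.user_idle_timeout <= 15300 or p.user_idle_timeout % 30):
        findings.append("user-idle-timeout must be 30-15300 in multiples of 30 seconds")
    if not 1 <= p.cpu_threshold <= 100:
        findings.append("logon-wait cpu-threshold must be 1-100")
    for label, value in (("minimum-delay", p.minimum_delay), ("maximum-delay", p.maximum_delay)):
        if not 1 <= value <= 10:
            findings.append(f"logon-wait {label} must be 1-10 seconds")
    if p.minimum_delay > p.maximum_delay:
        findings.append("logon-wait minimum-delay exceeds maximum-delay")
    if not 0 <= p.redirect_pause <= 60:
        findings.append("redirect-pause must be 0 (wait for click) or 1-60 seconds")
    return findings


def render_cli(p: CaptivePortalProfile) -> List[str]:
    """Emit the profile as the CLI lines used in the guide's guestnet example."""
    lines = [f"aaa authentication captive-portal {p.name}"]
    if p.default_role != "guest":
        lines.append(f"default-role {p.default_role}")
    lines.append("user-logon" if p.user_logon else "no user-logon")
    lines.append("guest-logon" if p.guest_logon else "no guest-logon")
    if p.server_group:
        lines.append(f"server-group {p.server_group}")
    if p.auth_protocol != "pap":
        lines.append(f"auth-protocol {p.auth_protocol}")
    if p.redirect_url:
        lines.append(f"redirect-url {p.redirect_url}")
    if p.protocol_http:
        lines.append("protocol-http")
    return lines


# The guide's guestnet example, rebuilt as data.
GUESTNET = CaptivePortalProfile(name="guestnet", default_role="auth-guest",
                                user_logon=True, guest_logon=False,
                                server_group="internal")

if __name__ == "__main__":
    print("\n".join(render_cli(GUESTNET)))
    for finding in check_profile(GUESTNET):
        print("finding:", finding)
```

Run against the guestnet example the checker reports only that max-authentication-failures is left at 0, which is the one default in the table worth revisiting for a portal exposed to unauthenticated guests.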

Command History

ArubaOS 8.0: Command introduced.

Command Information

Platforms: All platforms
Licensing: Base operating system, except for noted parameters.
Command Mode: Config mode on Mobility Master.

aaa authentication dot1x

aaa authentication dot1x {|countermeasures}
  ca-cert
  cert-cn-lookup
  clear
  clone
  delete-keycache
  eapol-logoff
  enforce-suite-b-128
  enforce-suite-b-192
  framed-mtu
  heldstate-bypass-counter
  ignore-eap-id-match
  ignore-eapolstart-afterauthentication
  key-cache clear
  machine-authentication blacklist-on-failure|{cache-timeout }|enable|{machine-default-role }|{user-default-role }
  max-authentication-failures
  max-requests
  multicast-keyrotation
  no ...
  opp-key-caching
  reauth-max
  reauth-server-termination-action
  reauthentication
  reload-cert
  server {server-retry |server-retry-period }
  server-cert
  termination {eap-type }|enable|enable-token-caching|{inner-eap-type (eap-gtc|eap-mschapv2)}|{token-caching-period }
  timer {idrequest_period }|{keycache-tmout }|{mkey-rotation-period }|{quiet-period }|{reauth-period }|{ukey-rotation-period }|{wpa-groupkey-delay }|{wpa-key-period }|wpa2-key-delay
  tls-guest-access
  tls-guest-role
  unicast-keyrotation
  use-session-key
  use-static-key
  validate-pmkid
  wep-key-retries
  wep-key-size {40|128}
  wpa-fast-handover
  wpa-key-retries
  xSec-mtu

Description

This command configures the 802.1X authentication profile.


Syntax

Parameter | Description | Range | Default
 | Name that identifies an instance of the profile. The name must be 1-63 characters. | — | “default”
clear | Clear the cached PMK, role and VLAN entries. This command is available in enable mode only. | — | —
countermeasures | Scans for message integrity code (MIC) failures in traffic received from clients. If there are more than 2 MIC failures within 60 seconds, the AP is shut down for 60 seconds. This option is intended to slow down an attacker who is making a large number of forgery attempts in a short time. | — | disabled
ca-cert | CA certificate for client authentication. The CA certificate needs to be loaded in the Mobility Master. | — | —
ca-cert-name | Name of the CA certificate. | — | —
cert-cn-lookup | If you use client certificates for user authentication, enable this option to verify that the certificate's common name exists in the server. This parameter is disabled by default. | — | —
delete-keycache | Delete the key cache entry when the user entry is deleted. | — | disabled
eapol-logoff | Enables handling of EAPOL-LOGOFF messages. | — | disabled
enforce-suite-b-128 | Configure Suite-B 128 bit or more security level authentication enforcement. | — | disabled
enforce-suite-b-192 | Configure Suite-B 192 bit or more security level authentication enforcement. | — | disabled
framed-mtu | Sets the framed MTU attribute sent to the authentication server. | 500-1500 | 1100

heldstate-bypass-counter | (This parameter is applicable when 802.1X authentication is terminated on the Mobility Master, also known as AAA FastConnect.) Number of consecutive authentication failures which, when reached, causes the Mobility Master to not respond to authentication requests from a client while the Mobility Master is in a held state after the authentication failure. Until this number is reached, the Mobility Master responds to authentication requests from the client even while the Mobility Master is in its held state. | 0-3 | 0
ignore-eap-id-match | Ignore EAP ID during negotiation. | — | disabled
ignore-eapolstart-afterauthentication | Ignores EAPOL-START messages after authentication. | — | disabled
key-cache clear | Clears the cached PMK, role and VLAN. | — | —
machine-authentication | (For Windows environments only) These parameters set machine authentication. NOTE: This parameter requires the PEFNG license. | | 
  blacklist-on-failure | Blacklists the client if machine authentication fails. | — | disabled
  cache-timeout | The timeout, in hours, for machine authentication. | 1-1000 | 24 hours (1 day)
  enable | Select this option to enforce machine authentication before user authentication. If selected, either the machine-default-role or the user-default-role is assigned to the user, depending on which authentication is successful. | — | disabled
  machine-default-role | Default role assigned to the user after completing only machine authentication. | — | guest
  user-default-role | Default role assigned to the user after 802.1X authentication. | — | guest


max-authentication-failures | Number of times a user can try to log in with wrong credentials, after which the user is blacklisted as a security threat. Set to 0 to disable blacklisting; otherwise enter a non-zero integer to blacklist the user after the specified number of failures. | 0-5 | 0 (disabled)
max-requests | Maximum number of times ID requests are sent to the client. | 1-10 | 5
multicast-keyrotation | Enables multicast key rotation. | — | disabled
no | Negates any configured parameter. | — | —
opp-key-caching | Enables a cached pairwise master key (PMK) derived with a client and an associated AP to be used when the client roams to a new AP. This allows clients faster roaming without a full 802.1X authentication. NOTE: Make sure that the wireless client (the 802.1X supplicant) supports this feature. If the client does not support this feature, the client will attempt to renegotiate the key whenever it roams to a new AP. As a result, the key cached on the managed device can be out of sync with the key used by the client. | — | enabled
reauth-max | Maximum number of reauthentication attempts. | 1-10 | 3
reauth-server-termination-action | Specifies the termination-action attribute from the server. | | 
reauthentication | Select this option to force the client to do a 802.1X reauthentication after the expiration of the default timer for reauthentication. (The default value of the timer is 24 hours.) If the user fails to reauthenticate with valid credentials, the state of the user is cleared. If derivation rules are used to classify 802.1X-authenticated users, then the reauthentication timer per role overrides this setting. | — | disabled

reload-cert | Reload certificate for 802.1X termination. This command is available in enable mode only. | — | —
server | Sets options for sending authentication requests to the authentication server group. | | 
  server-retry | Maximum number of authentication requests that are sent to the server group. | 0-5 | 3
  server-retry-period | Server group retry interval, in seconds. | 2-65535 | 5 seconds
server-cert | Server certificate used by the managed device to authenticate itself to the client. | — | —
termination | Sets options for terminating 802.1X authentication on the managed device. | | 
  eap-type | The Extensible Authentication Protocol (EAP) method, either EAP-PEAP or EAP-TLS. | eap-peap/eap-tls | eap-peap
  enable | Enables 802.1X termination on the managed device. | — | disabled
  enable-token-caching | If you select EAP-GTC as the inner EAP method, you can enable the Mobility Master to cache the username and password of each authenticated user. The Mobility Master continues to reauthenticate users with the remote authentication server; however, if the authentication server is not available, the Mobility Master will inspect its cached credentials to reauthenticate users. | — | disabled
  inner-eap-type eap-gtc|eap-mschapv2 | When EAP-PEAP is the EAP method, one of the following inner EAP types is used. EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecureID and the use of LDAP or RADIUS as the user authentication server. You can also enable caching of user credentials on the Mobility Master as a backup to an external authentication server. EAP-Microsoft Challenge Authentication Protocol version 2 (MS-CHAPv2): Described in RFC 2759, this EAP method is widely supported by Microsoft clients. | eap-gtc/eap-mschapv2 | eap-mschapv2
  token-caching-period | If you select EAP-GTC as the inner EAP method, you can specify the timeout period, in hours, for the cached information. | (any) | 24 hours
timer | Sets timer options for 802.1X authentication: | | 
  idrequest-period | Interval, in seconds, between identity request retries. | 1-65535 | 5 seconds
  keycache-tmout | Set the per-BSSID PMKSA cache interval. Cache is deleted within 2 hours of the interval. | 1-2000 (hours) | 8 hours
  mkey-rotation-period | Interval, in seconds, between multicast key rotation. | 60-864000 | 1800 seconds
  quiet-period | Interval, in seconds, following failed authentication. | 1-65535 | 30 seconds
  reauth-period | Interval, in seconds, between reauthentication attempts, or specify server to use the server-provided reauthentication period. | 60-864000 | 86400 seconds (1 day)
  ukey-rotation-period | Interval, in seconds, between unicast key rotation. | 60-864000 | 900 seconds
  wpa-groupkey-delay | Interval, in milliseconds, between unicast and multicast key exchanges. | 0-2000 | 0 ms (no delay)

  wpa-key-period | Interval, in milliseconds, between each WPA key exchange. | 10-5000 | 1000 ms
  wpa2-key-delay | Set the delay between EAP-Success and unicast key exchange. | 1-2000 | 0 ms (no delay)
tls-guest-access | Enables guest access for EAP-TLS users with valid certificates. | — | disabled
tls-guest-role | User role assigned to EAP-TLS guest. NOTE: This parameter requires the PEFNG license. | — | guest
unicast-keyrotation | Enables unicast key rotation. | — | disabled
use-session-key | Use RADIUS session key as the unicast WEP key. | — | disabled
use-static-key | Use static key as the unicast/multicast WEP key. | — | disabled
validate-pmkid | This parameter instructs the Mobility Master to check the pairwise master key (PMK) ID sent by the client. When this option is enabled, the client must send a PMKID in the associate or reassociate frame to indicate that it supports OKC or PMK caching; otherwise, full 802.1X authentication takes place. (This feature is optional, since most clients that support OKC and PMK caching do not send the PMKID in their association request.) | — | disabled
wep-key-retries | Number of times WPA/WPA2 key messages are retried. | 1-3 | 2
wep-key-size | Dynamic WEP key size, either 40 or 128 bits. | 40 or 128 | 128 bits
wpa-fast-handover | Enables WPA fast handover. This is only applicable for phones that support WPA and fast handover. | — | disabled
wpa-key-retries | Set the number of times WPA/WPA2 key messages are retried. The supported range is 1-10 retries, and the default value is 3. | 1-10 | 3
xSec-mtu | Sets the size of the MTU for xSec. | 1024-1500 | 1300 bytes


Usage Guidelines

The 802.1X authentication profile allows you to enable and configure machine authentication and 802.1X termination on the Mobility Master (also called “AAA FastConnect”).

In the AAA profile, specify the 802.1X authentication profile, the default role for authenticated users, and the server group for the authentication.

Examples

The following example enables authentication of the user’s client device before user authentication. If machine authentication fails but user authentication succeeds, the user is assigned the restricted “guest” role:

(host) [mynode] (config) #aaa authentication dot1x dot1x
(host) [mynode] (802.1X Authentication Profile "dot1x") machine-authentication enable
(host) [mynode] (802.1X Authentication Profile "dot1x") machine-authentication machine-default-role computer
(host) [mynode] (802.1X Authentication Profile "dot1x") machine-authentication user-default-role guest

The following example configures an 802.1X profile that terminates authentication on the managed device, where the user authentication is performed with the managed device’s internal database or to a “backend” non-802.1X server:

(host) [mynode] (config) #aaa authentication dot1x dot1x
(host) [mynode] (802.1X Authentication Profile "dot1x") #termination enable
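The role and blacklisting rules that the machine-authentication, blacklist-on-failure and max-authentication-failures rows describe, as an added worked example in Python (not ArubaOS code and not part of this guide). It models the four machine/user outcomes behind the example above. One assumption: when both machine and user authentication succeed, the role is taken from the AAA profile's default role for authenticated users (the Usage Guidelines place that role in the AAA profile); it is called aaa_default_role here and its sample value "employee" is constructed.

```python
from dataclasses import dataclass

# Added example, not ArubaOS code. Models the outcome rules in the parameter
# table: with machine-authentication enabled the role depends on which of
# machine and user authentication succeeded (machine-default-role or
# user-default-role); blacklist-on-failure blacklists a client whose machine
# authentication fails; max-authentication-failures blacklists a user after N
# failed logins, 0 disabling blacklisting. Assumption: when both succeed, the
# role comes from the AAA profile's default role (aaa_default_role).


@dataclass
class Dot1xProfile:
    machine_authentication: bool = False
    machine_default_role: str = "guest"    # table default
    user_default_role: str = "guest"       # table default
    blacklist_on_failure: bool = False
    max_authentication_failures: int = 0   # range 0-5; 0 = blacklisting disabled
    aaa_default_role: str = "employee"     # assumed; configured in the AAA profile


@dataclass
class ClientState:
    failures: int = 0
    blacklisted: bool = False


def evaluate(profile, state, machine_ok, user_ok):
    """Apply one authentication attempt; return the assigned role, or None for no access."""
    if state.blacklisted:
        return None
    if profile.machine_authentication:
        if not machine_ok and profile.blacklist_on_failure:
            state.blacklisted = True
            return None
        if machine_ok and user_ok:
            role = profile.aaa_default_role      # assumption, see comment above
        elif machine_ok:
            role = profile.machine_default_role  # machine-only outcome
        elif user_ok:
            role = profile.user_default_role     # user-only outcome (the guide's example)
        else:
            role = None
    else:
        role = profile.aaa_default_role if user_ok else None

    if role is None:
        state.failures += 1
        limit = profile.max_authentication_failures
        if limit and state.failures >= limit:
            state.blacklisted = True
    else:
        state.failures = 0  # a success resets the counter
    return role
```

With the profile from the example above (machine-default-role computer, user-default-role guest), a client whose machine authentication fails but whose user authentication succeeds is assigned guest; a client that passes only machine authentication is assigned computer.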

Command History

Version | Description
ArubaOS 8.0 | Command introduced.

Command Information

Platforms | Licensing | Command Mode
All platforms | Base operating system. The voice-aware parameter requires the PEFNG license. | Config mode on Mobility Master.

aaa authentication mac

aaa authentication mac
  case upper|lower
  clone
  delimiter {colon|dash|none}
  max-authentication-failures
  no ...
  reauthentication
  timer reauth period {|server}

Description

This command configures the MAC authentication profile.

Syntax

Parameter | Description | Range | Default
 | Name that identifies an instance of the profile. The name must be 1-63 characters. | — | “default”
case | The case (upper or lower) used in the MAC string sent in the authentication request. If there is no delimiter configured, the MAC address in lower case is sent in the format xxxxxxxxxxxx, while the MAC address in upper case is sent in the format XXXXXXXXXXXX. | upper, lower | lower
clone | Name of an existing MAC profile from which parameter values are copied. | — | —
delimiter | Delimiter (colon, dash, none, oui-nic) used in the MAC string. | colon, dash, none, oui-nic | none
max-authentication-failures | Number of times a client can fail to authenticate before it is blacklisted. A value of 0 disables blacklisting. | 0-10 | 0 (disabled)
no | Negates any configured parameter. | — | —
reauthentication | Use this parameter to enable or disable reauthentication. | — | Disabled
timer reauth period|server | Specifies the period between reauthentication attempts in seconds. The server parameter specifies the server-provided reauthentication interval. | 60-864000 seconds | 86400 seconds (1 day)


Usage Guidelines

The MAC authentication profile configures authentication of devices based on their physical MAC address. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to all other devices. Users may be required to authenticate themselves using other methods, depending upon the network privileges.

Example

The following example configures a MAC authentication profile to blacklist client devices that fail to authenticate.

(host) [mynode] (config) #aaa authentication mac mac-blacklist
(host) [mynode] (MAC Authentication Profile "mac-blacklist") #max-authentication-failures 3
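The MAC string that the case and delimiter parameters produce, as an added worked example in Python (not ArubaOS code and not part of this guide). The authentication server compares this string with its stored entry, so a mismatch between the profile's case or delimiter and the database format silently fails every client; the function makes the four delimiter layouts explicit. The oui-nic layout (xxxxxx-xxxxxx, one dash between the OUI and NIC halves) is an assumption, since the guide lists the value without describing it; the MAC addresses in the comments are constructed samples.

```python
import re

# Added example, not ArubaOS code. Renders a client MAC address as the MAC
# authentication profile's case and delimiter parameters describe:
#   none  -> xxxxxxxxxxxx      (lower) / XXXXXXXXXXXX (upper)
#   colon -> xx:xx:xx:xx:xx:xx
#   dash  -> xx-xx-xx-xx-xx-xx
#   oui-nic -> xxxxxx-xxxxxx   (assumed layout, not described in the guide)

_DELIMITERS = {"none": "", "colon": ":", "dash": "-"}


def parse_mac(raw):
    """Normalise any common MAC notation (colon, dash, dotted, bare) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return digits.lower()


def format_mac(raw, case="lower", delimiter="none"):
    """Return the MAC string sent in the authentication request for the given profile settings."""
    hexdigits = parse_mac(raw)
    if case == "upper":
        hexdigits = hexdigits.upper()
    elif case != "lower":
        raise ValueError("case must be 'upper' or 'lower'")
    if delimiter == "oui-nic":
        return f"{hexdigits[:6]}-{hexdigits[6:]}"
    if delimiter not in _DELIMITERS:
        raise ValueError("delimiter must be colon, dash, none or oui-nic")
    sep = _DELIMITERS[delimiter]
    return sep.join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def database_matches(raw, stored, case="lower", delimiter="none"):
    """True when the string the profile would send equals the server's stored entry exactly."""
    return format_mac(raw, case, delimiter) == stored
```

With the profile defaults (case lower, delimiter none) a client seen as 00:1A:2B:3C:4D:5E is sent as 001a2b3c4d5e; a server that stores 00-1A-2B-3C-4D-5E only matches if the profile is set to case upper and delimiter dash.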

Command History

Release | Modification
ArubaOS 8.0 | Command introduced.

Command Information

Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on Mobility Master.

aaa authentication mgmt

aaa authentication mgmt
  default-role {guest-provisioning|location-api-mgmt|network-operations|no-access|read-only|root}
  enable
  no ...
  server-group

Description

This command configures authentication for administrative users.

Syntax

Parameter | Description | Range | Default
default-role | Select a predefined management role to assign to authenticated administrative users: | — | default
  ap-provisioning | AP provisioning role. | — | —
  guest-provisioning | Guest provisioning role. | — | —
  location-api-mgmt | Location API management role. | — | —
  nbapi-mgmt | NBAPI management role. | — | —
  network-operations | Network operator role. | — | —
  read-only | Read-only role. | — | —
  root | Default role/superuser role. | — | —
enable | Enables authentication for administrative users. | enabled|disabled | disabled
mchapv2 | Enable MSCHAPv2. | enabled|disabled | disabled
no | Negates any configured parameter. | — | —
server-group | Name of the group of servers used to authenticate administrative users. See aaa server-group on page 104. | — | default

Usage Guidelines

If you enable authentication with this command, users configured with the mgmt-user command must be authenticated using the specified server-group.


You can configure the management authentication profile in the base operating system or with the PEFNG license installed.

Example

The following example configures a management authentication profile that authenticates users against the Mobility Master’s internal database. Users who are successfully authenticated are assigned the read-only role.

aaa authentication mgmt
  default-role read-only
  server-group internal

Command History

Release | Modification
ArubaOS 8.0 | Command introduced.

Command Information

Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on Mobility Master.

aaa authentication-server internal

aaa authentication-server internal use-local-switch

Description

This command specifies that the internal database on a managed device be used for authenticating clients.

Usage Guidelines

By default, the internal database in the Mobility Master is used for authentication. This command directs authentication to the internal database on the local managed device where you run the command.

Command History

Version | Description
ArubaOS 8.0 | Command introduced.

Command Information

Platforms | Licensing | Command Mode
All platforms | Base operating system | Config mode on Mobility Master or managed devices.


aaa authentication-server ldap

aaa authentication-server ldap
  admin-dn
  admin-passwd
  allow-cleartext
  authport
  base-dn
  clone
  enable
  filter
  host
  key-attribute
  max-connection
  no ...
  preferred-conn-type ldap-s|start-tls|clear-text
  timeout

Description

This command configures an LDAP server.

A maximum of 128 LDAP servers can be configured on the Mobility Master.

Syntax

Parameter | Description | Range | Default
 | Name that identifies the server. | — | —
admin-dn | Distinguished name for the admin user who has read/search privileges across all of the entries in the LDAP database (the user does not need write privileges but should be able to search the database and read attributes of other users in the database). | — | —
admin-passwd | Password for the admin user. | — | —
allow-cleartext | Allows clear-text (unencrypted) communication with the LDAP server. | enabled|disabled | disabled
authport | Port number used for authentication. Port 636 will be attempted for LDAP over SSL (LDAPS), while port 389 will be attempted for SSL over LDAP, Start TLS operation and clear text. | 1-65535 | 389
base-dn | Distinguished name of the node which contains the entire user database to use. | — | —


chase-referrals | Chase referrals anonymously. | | 
clone | Name of an existing LDAP server configuration from which parameter values are copied. | — | —
enable | Enables the LDAP server. | — | 
filter | Filter that should be applied to the search of the user in the LDAP database. The default filter string is (objectclass=*). | — | (objectclass=*)
host | IP address of the LDAP server, in dotted-decimal format. | — | —
key-attribute | Attribute that should be used as a key in the search for the LDAP server. For PAP, the value is sAMAccountName. For EAP-TLS termination the value is userPrincipalName. | — | sAMAccountName
max-connection | Maximum number of simultaneous non-admin connections to an LDAP server. | — | —
no | Negates any configured parameter. | — | —
preferred-conn-type | Preferred connection type. The default order of connection type is: 1. ldap-s, 2. start-tls, 3. clear-text. The Mobility Master will first try to contact the LDAP server using the preferred connection type, and will only attempt to use a lower-priority connection type if the first attempt is not successful. NOTE: You must enable the allow-cleartext option before you select clear-text as the preferred connection type. If you set clear-text as the preferred connection type but do not allow clear-text, the Mobility Master will only use ldap-s or start-tls to contact the LDAP server. | ldap-s, start-tls, clear-text | ldap-s
timeout | Timeout period of an LDAP request, in seconds. | 1-30 | 20 seconds

Usage Guidelines

You configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 104).

Example

The following command configures and enables an LDAP server:

(host) [mynode] (config) #aaa authentication-server ldap ldap1
(host)[mynode] (LDAP Server "ldap1") #host 10.1.1.243
(host)[mynode] (LDAP Server "ldap1") #base-dn cn=Users,dc=1m,dc=corp,dc=com
(host)[mynode] (LDAP Server "ldap1") #admin-dn cn=corp,cn=Users,dc=1m,dc=corp,dc=com
(host)[mynode] (LDAP Server "ldap1") #admin-passwd abc10
(host)[mynode] (LDAP Server "ldap1") #key-attribute sAMAccountName
(host)[mynode] (LDAP Server "ldap1") #filter (objectclass=*)
(host)[mynode] (LDAP Server "ldap1") #enable
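The connection-type selection that the preferred-conn-type and allow-cleartext rows describe, as an added worked example in Python (not ArubaOS code and not part of this guide). It applies the two stated rules: start with the preferred type and fall back only to lower-priority types in the order ldap-s, start-tls, clear-text, and never use clear-text unless allow-cleartext is enabled (a clear-text preference without allow-cleartext falls back to ldap-s or start-tls). The port per type follows the authport row. The reachable callback stands in for the real connection attempt and is an assumption of this example.

```python
# Added example, not ArubaOS code. Models which connection types the Mobility
# Master would try, in order, for a configured LDAP server.

PRIORITY = ["ldap-s", "start-tls", "clear-text"]           # fixed priority order
PORT = {"ldap-s": 636, "start-tls": 389, "clear-text": 389}  # per the authport row


def candidate_order(preferred="ldap-s", allow_cleartext=False):
    """Connection types in the order they will be attempted."""
    if preferred not in PRIORITY:
        raise ValueError(f"unknown connection type {preferred!r}")
    # Only the preferred type and the lower-priority types after it are tried.
    order = PRIORITY[PRIORITY.index(preferred):]
    if not allow_cleartext:
        # clear-text is never used without allow-cleartext ...
        order = [t for t in order if t != "clear-text"]
        if not order:
            # ... and a clear-text preference then degrades to ldap-s or start-tls.
            order = [t for t in PRIORITY if t != "clear-text"]
    return order


def connect(reachable, preferred="ldap-s", allow_cleartext=False):
    """Return (connection type, port) of the first attempt that succeeds, or None.

    `reachable(conn_type, port)` is an assumed callback that performs one
    connection attempt and returns True on success.
    """
    for conn_type in candidate_order(preferred, allow_cleartext):
        if reachable(conn_type, PORT[conn_type]):
            return conn_type, PORT[conn_type]
    return None
```

With the defaults (preferred ldap-s, allow-cleartext disabled) a server that only answers on plain port 389 is reached with start-tls if it supports it, and not at all otherwise; nothing in the default configuration sends credentials unencrypted.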

Command History

Version | Modification
ArubaOS 8.0 | Command introduced.

Command Information

Platforms | Licensing | Command Mode
All platforms | Base operating system. | Config mode on Mobility Master.


aaa authentication-server radius

aaa authentication-server radius
  acctport
  authport
  called-station-id type {ap-group | ap-macaddr | ap-name | ipaddr | macaddr | vlan-id} [delimiter {colon | dash | none}] [include-ssid {enable | disable}]
  clone
  cppm username password
  enable
  enable-ipv6
  enable-radsec
  host |
  key
  mac-delimiter [colon | dash | none | oui-nic]
  mac-lowercase
  nas-identifier
  nas-ip
  nas-ip6
  no
  radsec-client-cert-name
  radsec-port
  radsec-trusted-cacert-name
  radsec-trusted-servercert-name
  retransmit
  service-type-framed-user
  source-interface vlan ip6addr
  timeout
  use-ip-for-calling-station
  use-md5

Description

This command configures a RADIUS server.

Starting with ArubaOS 6.4, a maximum of 128 RADIUS servers can be configured on the controller.

Syntax

Parameter | Description | Range | Default
 | Name that identifies the server. | — | —
acctport | Accounting port on the server. | 1-65535 | 1813
authport | Authentication port on the server. | 1-65535 | 1812
called-station-id type {ap-group|ap-macaddr|ap-name|ipaddr|macaddr|vlan-id} | Configure this parameter to be sent with the RADIUS attribute Called Station ID for authentication and accounting requests. The called-station-id parameter can be configured to include AP group, AP MAC address, AP name, Mobility Master IP, Mobility Master MAC address, or user VLAN. The default value is Mobility Master MAC address. | — | macaddr
clone | Name of an existing RADIUS server configuration from which parameter values are copied. | — | —
cppm username password | Configure the ClearPass Policy Manager username and password. The Mobility Master authenticating to ClearPass Policy Manager is enhanced to use a configurable username and password instead of the support password. The support password is vulnerable to attacks, as the server certificate presented by the ClearPass Policy Manager server is not validated. | — | —
enable | Enables the RADIUS server. | — | —
enable-ipv6 | Enables the RADIUS server in IPv6 mode. | — | —
enable-radsec | Enables RadSec for RADIUS data transport over TCP and TLS. | — | —
host | Identify the RADIUS server either by its IP address or fully qualified domain name. | — | —
   | IPv4 or IPv6 address of the RADIUS server. | — | —
   | Fully qualified domain name (FQDN) of the RADIUS server. The maximum supported length is 63 characters. | — | —


key | Shared secret between the Mobility Master and the authentication server. The maximum length is 128 characters. | — | —
mac-delimiter [colon|dash|none|oui-nic] | Send MAC address with user-defined delimiter. | — | none
mac-lowercase | Send MAC addresses as lowercase. | — | —
nas-identifier | Network Access Server (NAS) identifier to use in RADIUS packets. | — | —
nas-ip | The NAS IP address to be sent in RADIUS packets from that server. If you define a local NAS IP setting using this command and also define a global NAS IP using the command ip radius nas-ip, the global NAS IP address takes precedence. | — | —
nas-ip6 | NAS IPv6 address to send in RADIUS packets. You can configure a “global” NAS IPv6 address that the Mobility Master uses for communications with all RADIUS servers. If you do not configure a server-specific NAS IPv6, the global NAS IPv6 is used. To set the global NAS IPv6, enter the ipv6 radius nas-ip6 command. | — | —
no | Negates any configured parameter. | — | —
radsec-client-cert | Configures a RadSec client certificate on the RADIUS server to identify and authenticate clients. | — | —
radsec-port | Designates a RadSec port for RADIUS data transport. | 1-65535 | 2083
radsec-trusted-cacert-name | Designates a Certificate Authority to sign RadSec certificates. | — | —
radsec-trusted-servercert-name | Designates a trusted RadSec server certificate. | — | —
retransmit | Maximum number of retries sent to the server by the Mobility Master before the server is marked as down. | 0-3 | 3
service-type-framed-user | Send the service-type as FRAMED-USER instead of LOGIN-USER. This option is disabled by default. | — | disabled
source-interface vlan ip6addr | This option associates a VLAN interface with the RADIUS server to allow the server-specific source interface to override the global configuration. If you associate a Source Interface (by entering a VLAN number) with a configured server, then the source IP address of the packet will be that interface’s IP address. If you do not associate the Source Interface with a configured server (leave the field blank), then the IP address of the global Source Interface will be used. If you want to configure an IPv6 address for the Source Interface, specify the IPv6 address for the ip6addr parameter. | — | —
timeout | Maximum time, in seconds, that the Mobility Master waits before timing out the request and resending it. | 1-30 | 5 seconds
use-ip-for-calling-station | Use an IP address instead of a MAC address for calling station IDs. This option is disabled by default. | — | disabled
use-md5 | Use MD5 hash of cleartext password. | — | disabled

Usage Guidelines

You configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 104).

Example

The following command configures and enables a RADIUS server:

(host) [mynode] (config) #aaa authentication-server radius radius
(host) [mynode] (RADIUS Server "radius") #host 10.1.1.244
(host) [mynode] (RADIUS Server "radius") #key qwERtyuIOp
(host) [mynode] (RADIUS Server "radius") #enable

Command History

Version | Modification
ArubaOS 8.0 | Command introduced.

Command Information

Platforms | Licensing | Command Mode
All platforms | Base operating system. | Config mode on Mobility Master.

aaa authentication-server tacacs

aaa authentication-server tacacs
  clone
  enable
  host
  key
  no ...
  retransmit
  session-authorization
  tcp-port
  timeout

Description

This command configures a TACACS+ server.

A maximum of 128 TACACS servers can be configured on the Mobility Master.

Syntax

Parameter | Description | Range | Default
 | Name that identifies the server. | — | —
clone | Name of an existing TACACS server configuration from which parameter values are copied. | — | —
enable | Enables the TACACS server. | — | 
host | IPv4 or IPv6 address of the TACACS server. | — | —
key | Shared secret to authenticate communication between the TACACS client and server. | — | —
no | Negates any configured parameter. | — | —
retransmit | Maximum number of times a request is retried. | 0-3 | 3
session-authorization | Enables TACACS+ authorization. Session-authorization turns on the optional authorization session for admin users. | — | disabled
tcp-port | TCP port used by the server. | 1-65535 | 49
timeout | Timeout period of a TACACS request, in seconds. | 1-30 | 20 seconds


Usage Guidelines

You configure a server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 104).

Example

The following command configures and enables a TACACS+ server and enables session authorization:

(host) [mynode] (config) #aaa authentication-server tacacs tacacs1
(host) [mynode] (TACACS Server "tacacs1")clone default
(host) [mynode] (TACACS Server "tacacs1")host 10.1.1.245
(host) [mynode] (TACACS Server "tacacs1")key qwERtyuIOp
(host) [mynode] (TACACS Server "tacacs1")enable
(host) [mynode] (TACACS Server "tacacs1")session-authorization
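A configuration review over transcripts in the form this guide's examples use, as an added worked example in Python (not ArubaOS code and not part of this guide). It serves the 802.1X termination rows (termination enable, server-cert, inner-eap-type eap-gtc), the LDAP allow-cleartext and preferred-conn-type rows, the RADIUS key, use-md5 and enable-radsec rows and the TACACS key row: it groups the commands typed in each server or profile sub-mode, honours the "no" parameter, and reports settings that leave credentials or shared secrets weakly protected. The findings, the 16-character secret length threshold and the sample transcript (which reuses values from the examples in this guide) are this example's own assumptions.

```python
import re

# Added example, not ArubaOS code. Parses CLI transcript lines such as
#   (host) [mynode] (RADIUS Server "radius") #key qwERtyuIOp
# and flags weak authentication-server and 802.1X profile settings.
PROMPT = re.compile(
    r'^\(host\)\s*\[\w+\]\s*\((.+?) (?:Server|Profile) "([^"]+)"\)\s*#?\s*(.+)$'
)

MIN_SECRET_LEN = 16  # assumption for this example, not a documented threshold


def parse_transcript(lines):
    """Group the commands typed inside each server/profile sub-mode.

    Returns {(kind, name): [tokens, ...]}. A 'no ...' line removes any earlier
    command whose tokens start with the negated tokens (the 'no' parameter).
    """
    blocks = {}
    for line in lines:
        m = PROMPT.match(line.strip())
        if not m:
            continue  # config-mode prompts and other lines are not sub-mode commands
        kind, name, command = m.groups()
        tokens = command.split()
        entries = blocks.setdefault((kind, name), [])
        if tokens[0] == "no":
            neg = tokens[1:]
            entries[:] = [e for e in entries if e[:len(neg)] != neg]
        else:
            entries.append(tokens)
    return blocks


def _get(entries, *prefix):
    """First entry whose leading tokens equal prefix, or None."""
    p = list(prefix)
    return next((e for e in entries if e[:len(p)] == p), None)


def audit(blocks):
    """Return a sorted list of (target, finding) pairs."""
    findings = []
    for (kind, name), entries in blocks.items():
        target = f'{kind} "{name}"'
        if kind == "LDAP":
            if _get(entries, "allow-cleartext"):
                findings.append((target, "allow-cleartext set: unencrypted LDAP binds are permitted"))
            if _get(entries, "preferred-conn-type", "clear-text"):
                findings.append((target, "preferred-conn-type clear-text: credentials sent unencrypted when allowed"))
        elif kind in ("RADIUS", "TACACS"):
            key = _get(entries, "key")
            if key is None or len(key) < 2:
                findings.append((target, "no shared secret configured"))
            elif len(key[1]) < MIN_SECRET_LEN:
                findings.append((target, f"shared secret shorter than {MIN_SECRET_LEN} characters"))
            if kind == "RADIUS":
                if not _get(entries, "enable-radsec"):
                    findings.append((target, "enable-radsec not set: RADIUS traffic is not carried over TLS"))
                if _get(entries, "use-md5"):
                    findings.append((target, "use-md5 set: MD5 hash of the cleartext password is sent"))
        elif kind == "802.1X Authentication":
            if _get(entries, "termination", "enable") and not _get(entries, "server-cert"):
                findings.append((target, "802.1X termination enabled without a server-cert"))
            if _get(entries, "termination", "inner-eap-type", "eap-gtc"):
                findings.append((target, "inner EAP-GTC: usernames and passwords are transferred unencrypted"))
    return sorted(findings)


# Constructed sample transcript (values taken from the examples in this guide).
SAMPLE_TRANSCRIPT = [
    '(host) [mynode] (config) #aaa authentication-server radius radius',
    '(host) [mynode] (RADIUS Server "radius") #host 10.1.1.244',
    '(host) [mynode] (RADIUS Server "radius") #key qwERtyuIOp',
    '(host) [mynode] (RADIUS Server "radius") #use-md5',
    '(host) [mynode] (RADIUS Server "radius") #enable',
    '(host)[mynode] (LDAP Server "ldap1") #allow-cleartext',
    '(host)[mynode] (LDAP Server "ldap1") #preferred-conn-type clear-text',
    '(host)[mynode] (LDAP Server "ldap1") #no allow-cleartext',
    '(host) [mynode] (TACACS Server "tacacs1")host 10.1.1.245',
    '(host) [mynode] (TACACS Server "tacacs1")enable',
    '(host) [mynode] (802.1X Authentication Profile "dot1x") #termination enable',
    '(host) [mynode] (802.1X Authentication Profile "dot1x") #termination inner-eap-type eap-gtc',
]


def run_sample():
    return audit(parse_transcript(SAMPLE_TRANSCRIPT))


if __name__ == "__main__":
    for target, finding in run_sample():
        print(f"{target}: {finding}")
```

On the sample transcript the review reports seven findings: the 10-character RADIUS secret, use-md5 and the missing enable-radsec on the RADIUS server, the clear-text preference on the LDAP server (the allow-cleartext finding disappears because it was negated), the missing key on the TACACS+ server, and termination without a server certificate plus inner EAP-GTC on the 802.1X profile.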

Command History

Version | Description
ArubaOS 8.0 | Command introduced.

Command Information

Platforms | Licensing | Command Mode
All platforms | Base operating system. | Config mode on Mobility Master.

aaa authentication-server windows

aaa authentication-server windows
  clone
  domain
  enable
  host
  no

Description

This command configures a Windows server for stateful-NTLM authentication.

Syntax

Parameter | Description
 | Name of the Windows server. You will use this name when you add the Windows server to a server group.
clone | Name of a Windows server from which you want to make a copy.
domain | The Windows domain for the authentication server.
enable | Enables the Windows server.
host | IP address of the Windows server.
no | Delete command.

Usage Guidelines

You must define a Windows server before you can add it to one or more server groups. You create a server group for a specific type of authentication (see aaa server-group on page 104). Windows servers are used for stateful-NTLM authentication.

Example

The following command configures and enables a Windows server:

(host) [mynode] (config) #aaa authentication-server windows IAS_1
(host) [mynode] (Windows Server "IAS_1") #host 10.1.1.245
(host) [mynode] (Windows Server "IAS_1") #enable

Command History

Version | Description
ArubaOS 8.0 | Command introduced.


Command Information

Platforms | Licensing | Command Mode
All platforms | Base operating system. | Config mode on Mobility Master.

aaa authentication stateful-dot1x

aaa authentication stateful-dot1x
  default-role
  enable
  no ...
  server-group
  timeout

Description

This command configures 802.1X authentication for clients on non-Aruba APs.

Syntax

Parameter | Description | Range | Default
default-role | Role assigned to the 802.1X user upon login. NOTE: The PEFNG license must be installed. | — | guest
enable | Enables 802.1X authentication for clients on non-Aruba APs. Use no enable to disable stateful 802.1X authentication. | — | enabled
no | Negates any configured parameter. | — | —
server-group | Name of the group of RADIUS servers used to authenticate the 802.1X users. See aaa server-group on page 104. | — | —
timeout | Timeout period, in seconds. | 1-20 | 10 seconds

Usage Guidelines

This command configures 802.1X authentication for clients on non-Aruba APs. The Mobility Master maintains user session state information for these clients.

Example

The following command assigns the employee user role to clients who successfully authenticate with the server group corp-rad:

aaa authentication stateful-dot1x
  default-role employee
  server-group corp-rad

    Command History

    Version Modification

    ArubaOS 8.0 Command introduced.

    ArubaOS 8.0.0.0 | Reference Guide aaa authentication stateful-dot1x |  47

  • 48 | aaa authentication stateful-dot1x ArubaOS 8.0.0.0  | Reference Guide

    Command Information

    Platforms Licensing Command Mode

    All platforms Base operating system. Config mode on Mobility Master.

aaa authentication stateful-dot1x clear

aaa authentication stateful-dot1x clear

Description
This command clears automatically-created control path entries for 802.1X users on non-Aruba APs.

Syntax
No parameters.

Usage Guidelines
Run this command after changing the configuration of a RADIUS server in the server group configured with the aaa authentication stateful-dot1x command. This causes entries for the users to be created in the control path with the updated configuration information.

Command History
    Version        Description
    ArubaOS 8.0    Command introduced.

Command Information
    Platforms        Licensing               Command Mode
    All platforms    Base operating system   Enable mode on Mobility Master.

aaa authentication stateful-kerberos

aaa authentication stateful-kerberos
    clone
    default-role
    no
    server-group
    timeout

Description
This command configures stateful Kerberos authentication.

Syntax
    clone
        Create a copy of an existing stateful Kerberos profile.
        Range: —. Default: —.
    default-role
        Select an existing role to assign to authenticated users.
        Range: —. Default: guest.
    no
        Negates any configured parameter.
        Range: —. Default: —.
    server-group
        Name of a server group.
        Range: —. Default: default.
    timeout
        Amount of time, in seconds, before the request times out.
        Range: 1-20 seconds. Default: 10 seconds.

Example
    (host) [mynode] (config) #aaa authentication stateful-kerberos default
    (host) [mynode] (Stateful Kerberos Authentication Profile "default") #default-role guest
    (host) [mynode] (Stateful Kerberos Authentication Profile "default") #timeout 10
    (host) [mynode] (Stateful Kerberos Authentication Profile "default") #server-group internal

Command History
    Version        Modification
    ArubaOS 8.0    Command introduced.

Command Information
    Platforms        Licensing                Command Mode
    All platforms    Base operating system.   Config mode on Mobility Master.

aaa authentication stateful-ntlm

aaa authentication stateful-ntlm
    clone
    default-role
    enable
    no
    server-group
    timeout

Description
This command configures stateful NT LAN Manager (NTLM) authentication.

Syntax
    clone
        Create a copy of an existing stateful NTLM profile.
        Range: —. Default: —.
    default-role
        Select an existing role to assign to authenticated users.
        Range: —. Default: guest.
    enable
        Enables the stateful NTLM authentication profile for clients. Use no enable to disable stateful NTLM authentication.
        Range: —. Default: enabled.
    no
        Negates any configured parameter.
        Range: —. Default: —.
    server-group
        Name of a server group.
        Range: —. Default: default.
    timeout
        Amount of time, in seconds, before the request times out.
        Range: 1-20 seconds. Default: 10 seconds.

Usage Guidelines
NT LAN Manager (NTLM) is a suite of Microsoft authentication and session security protocols. You can use a stateful NTLM authentication profile to configure a controller to monitor the NTLM authentication messages between clients and an authentication server. The controller can then use the information in the Server Message Block (SMB) headers to determine the client's username and IP address, the server IP address and the client's current authentication status. If the client successfully authenticates via an NTLM authentication server, the controller can recognize that the client has been authenticated and assign that client a specified user role. When the user logs off or shuts down the client machine, the user will remain in the authenticated role until the user's authentication is aged out.

The Stateful NTLM Authentication profile requires that you specify a server group which includes the servers performing NTLM authentication, and a default role to be assigned to authenticated users. For details on defining a Windows server used for NTLM authentication, see aaa authentication-server windows.

Example
The following example configures a stateful NTLM authentication profile that authenticates clients via the server group "Windows1". Users who are successfully authenticated are assigned the "guest2" role.
    (host) [mynode] (config) #aaa authentication stateful-ntlm ntlm1
    (host) [mynode] (Stateful NTLM Authentication Profile "ntlm1") #default-role guest2
    (host) [mynode] (Stateful NTLM Authentication Profile "ntlm1") #server-group Windows1
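The stateful NTLM behaviour described in the Usage Guidelines above, as an added example that is not part of this guide or of ArubaOS: a passive observer that pulls the domain, user name and workstation out of an NTLM AUTHENTICATE message (type 3, laid out as in MS-NLMP) and keeps per-client state the way the controller does, granting the default role only once the server's reply reports success and dropping the entry after an age-out period. The sample message is constructed inside the script with empty challenge responses, the NTSTATUS codes are the standard Windows values, and the role name, client addresses and age-out period are assumptions.

```python
"""Passive NTLM observer: extract the identity from an NTLM AUTHENTICATE
message and track which clients have authenticated.

Added example, not ArubaOS code. The message layout follows MS-NLMP
(AUTHENTICATE_MESSAGE, type 3). The sample message is constructed here for
test data only; role name, addresses and the age-out period are assumptions.
"""
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when set
NT_STATUS_SUCCESS = 0x00000000           # NTSTATUS in the SMB header of the server reply
NT_STATUS_LOGON_FAILURE = 0xC000006D


def _field(buf, off):
    """Decode one (Len, MaxLen, BufferOffset) descriptor and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    if offset + length > len(buf):
        raise ValueError("NTLM field points outside the message")
    return buf[offset:offset + length]


def parse_authenticate(msg):
    """Return domain, user and workstation from an AUTHENTICATE (type 3) message."""
    if len(msg) < 64 or msg[:8] != NTLM_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 3:
        raise ValueError("expected AUTHENTICATE (type 3), got type %d" % msg_type)
    flags = struct.unpack_from("<I", msg, 60)[0]
    # OEM strings use the local code page; cp437 is assumed for the non-Unicode case.
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    # Descriptors sit at fixed offsets: DomainName 28, UserName 36, Workstation 44.
    return {
        "domain": _field(msg, 28).decode(codec),
        "user": _field(msg, 36).decode(codec),
        "workstation": _field(msg, 44).decode(codec),
    }


def build_authenticate(domain, user, workstation):
    """Construct a minimal type 3 message for testing (empty challenge responses)."""
    fixed_len = 88                       # header, six descriptors, flags, Version, MIC
    payload = descriptors = b""
    for text in (b"", b"",                                   # LM and NT challenge responses
                 domain.encode("utf-16-le"), user.encode("utf-16-le"),
                 workstation.encode("utf-16-le"), b""):      # EncryptedRandomSessionKey
        descriptors += struct.pack("<HHI", len(text), len(text), fixed_len + len(payload))
        payload += text
    return (NTLM_SIGNATURE + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + bytes(8) + bytes(16) + payload)


class StatefulNtlmTracker:
    """Per-client state as the Usage Guidelines describe it: learn the identity from the
    client's AUTHENTICATE message, grant the default role once the server reports
    success, and forget the client after the (assumed) age-out period."""

    def __init__(self, default_role, age_out_seconds):
        self.default_role = default_role
        self.age_out = age_out_seconds
        self.pending = {}     # client_ip -> identity awaiting the server's verdict
        self.sessions = {}    # client_ip -> {"identity", "role", "seen"}

    def observe_client(self, client_ip, ntlm_msg):
        self.pending[client_ip] = parse_authenticate(ntlm_msg)

    def observe_server(self, client_ip, nt_status, now):
        """Apply the NTSTATUS from the server's reply; returns the role granted, if any."""
        identity = self.pending.pop(client_ip, None)
        if identity is None or nt_status != NT_STATUS_SUCCESS:
            return None
        self.sessions[client_ip] = {"identity": identity, "role": self.default_role, "seen": now}
        return self.default_role

    def role_for(self, client_ip, now):
        """Role currently held by the client, or None once the entry has aged out."""
        session = self.sessions.get(client_ip)
        if session is None:
            return None
        if now - session["seen"] > self.age_out:
            del self.sessions[client_ip]
            return None
        return session["role"]


if __name__ == "__main__":
    # Constructed exchange: 10.1.1.50 authenticates as CORP\alice from WS01.
    tracker = StatefulNtlmTracker(default_role="guest2", age_out_seconds=600)
    tracker.observe_client("10.1.1.50", build_authenticate("CORP", "alice", "WS01"))
    print(tracker.observe_server("10.1.1.50", NT_STATUS_SUCCESS, now=0))
    print(tracker.role_for("10.1.1.50", now=900))
```

The controller also keys on the SMB header fields (client and server IP addresses), which the block reduces to the client_ip key; the profile's timeout parameter is the request timeout and is separate from the age-out modelled here.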

Command History
    Version        Modification
    ArubaOS 8.0    Command introduced.

Command Information
    Platforms        Licensing                Command Mode
    All platforms    Base operating system.   Config mode on Mobility Master.

aaa authentication via auth-profile

aaa authentication via auth-profile
    auth-protocol {mschapv2|pap}
    cert-cn-lookup
    clone
    default-role
    desc
    max-authentication-failures
    no
    pan-integration
    radius-accounting
    rfc-3576-server
    server-group

Description
This command configures the VIA authentication profile.

Syntax
    auth-protocol {mschapv2|pap}
        Authentication protocol support for VIA authentication; MSCHAPv2 or PAP.
        Default: PAP.
    cert-cn-lookup
        Check certificate common name against AAA server.
        Default: Enabled.
    clone
        Name of an existing profile from which configuration values are copied.
    default-role
        Name of the default VIA authentication profile.
    desc
        Description of this profile for reference.
    max-authentication-failures
        Number of times VIA will prompt the user to log in due to incorrect credentials. After the maximum number of authentication failures, VIA will exit.
        Default: 0.
    pan-integration
        Requires IP mapping at Palo Alto Networks.
    radius-accounting
        Server group for RADIUS accounting.
    rfc-3576-server
        Configures the RFC 3576 server.
    server-group
        Server group against which the user is authenticated.

Usage Guidelines
Use this command to create VIA authentication profiles and associate user roles to the authentication profile.

Example
    (host) [mynode] (config) #aaa authentication via auth-profile default
    (host) [mynode] (VIA Authentication Profile "default") #auth-protocol mschapv2
    (host) [mynode] (VIA Authentication Profile "default") #default-role example-via-role
    (host) [mynode] (VIA Authentication Profile "default") #desc "Default VIA Authentication Profile"
    (host) [mynode] (VIA Authentication Profile "default") #server-group "via-server-group"

Command History
    Version        Description
    ArubaOS 8.0    Command introduced.

Command Information
    Platforms        Licensing                Command Mode
    All platforms    Base operating system.   Config mode on Mobility Master.

aaa authentication via connection-profile

aaa authentication via connection-profile
    admin-logoff-script
    admin-logon-script
    allow-user-disconnect
    allow-whitelist-traffic
    auth-profile
    auth_domain_suffix
    auto-launch-supplicant
    auto-login
    auto-upgrade
    banner-message-reappear-timeout
    block-dest-traffic
    block-destination-traffic-selector
    client-logging
    client-netmask
    client-wlan-profile position
    clone
    controllers-load-balance
    csec-gateway-url
    csec-http-ports
    dn-profile
    dns-suffix-list
    domain-pre-connect
    DPC-generate-profile
    enable-csec
    enable-fips
    enable-supplicant
    ext-download-url
    ike-policy
    ikev2-policy
    ikev2-proto
    ikev2auth
    ipsec-cryptomap map number
    ipsecv2-cryptomap
    lockdown-all-settings
    max-reconnect-attempts
    max-timeout
    minimized
    no
    ocsp-responder
    save-passwords
    server
    split-tunneling
    suiteb-crypto
    support-email
    tunnel
    user-idle-timeout
    validate-server-cert
    whitelist
    windows-credentials

Description
This command configures the VIA connection profile.

Syntax
    admin-logoff-script
        Enables VIA logoff script.
        Default: Disabled.
    admin-logon-script
        Enables VIA logon script.
        Default: Disabled.
    allow-user-disconnect
        Enable or disable users to disconnect their VIA sessions.
        Default: Enabled.
    allow-whitelist-traffic
        If enabled, this feature will block network access until the VIA VPN connection is established.
        Default: Disabled.
    auth-profile
        This is the list of VIA authentication profiles that will be displayed to users in the VIA client.
    auth_domain_suffix
        Enables a domain suffix on VIA authentication, so client credentials are sent as domainname\username instead of just username.
    auto-launch-supplicant
        Allows you to connect automatically to a configured WLAN network.
        Default: Disabled.
    auto-login
        Enable or disable VIA client to auto login and establish a secure connection to the controller.
        Default: Enabled.
    auto-upgrade
        Enable or disable VIA client to automatically upgrade when an updated version of the client is available on the controller.
        Default: Enabled.
    banner-message-reappear-timeout
        Timeout value, in minutes, after which the user session will end and the VIA Login banner message reappears.
        Default: 1440 minutes.
    block-destination-traffic-selector-ON
        Turn ON feature to block Destination Traffic.
    block-dest-traffic-address
        Destination Traffic selector.
    client-logging
        Enable or disable VIA client to auto login and establish a secure connection to the controller.
        Default: Enabled.
    client-netmask
        The network mask that has to be set on the client after the VPN connection is established.
        Default: 255.255.255.255.
    client-wlan-profile
        A list of VIA client WLAN profiles that needs to be pushed to the client machines that use Windows Zero Config (WZC) to configure or manage their wireless networks.
    clone
        Create a copy of a connection profile from another VIA connection profile.
    controllers-load-balance
        Enable this option to allow the VIA client to fail over to the next available server, selected randomly from the list configured in the VIA Servers option. If disabled, VIA will fail over to the next server in the ordered list of VIA servers.
        Default: Disabled.
    csec-gateway-url
        Specify the content security service provider's URL here. You must provide a fully qualified domain name.
    csec-http-ports
        Specify the ports (separated by comma) that will be monitored by the content security service provider. Do not add a space before or after the comma.
    dn-profile CN | ORG | OU | Country
        Configure VIA dn profile.
        Default: —.
    dns-suffix-list
        The DNS suffix list (comma separated) that has to be set on the client once the VPN connection is established.
        Default: None.
    domain-preconnect
        Enable this option to allow users with lost or expired passwords to establish a VIA connection to the corporate network. This option authenticates the user's device and establishes a VIA connection that allows users to reset credentials and continue with corporate access.
        Default: Enabled.
    dpc-generate-profile
        Optionally enable generating a common profile when DPC is enabled.
    enable-csec
        Use this option to enable the content security service.
    enable-fips
        Enable the VIA FIPS (Federal Information Processing Standard) module so VIA checks for FIPS compliance during startup.
        Default: Disabled.
    enable-supplicant
        If enabled, VIA starts in bSec mode using L2 Suite-B cryptography. This option is disabled by default.
        Default: Disabled.
    ext-download-url
        End users will use this URL to download VIA on their computers.
    ike-policy
        List of IKE policies that the VIA client has to use to connect to the controller.
    ikev2-policy
        List of IKEv2 policies that the VIA client has to use to connect to the controller.
    ikev2-proto
        Enable this to use the IKEv2 protocol to establish VIA sessions.
        Default: Disabled.
    ikev2auth
        Use this option to set the IKEv2 authentication method. By default a user certificate is used for authentication. The other supported methods are EAP-MSCHAPv2 and EAP-TLS. The EAP authentication is done on an external RADIUS server.
        Default: User Certificates.
    ipsec-cryptomap
        List of IPsec crypto maps that the VIA client uses to connect to the controller. These IPsec crypto maps are configured in the CLI using the crypto-local ipsec-map command.
    ipsecv2-cryptomap
        List of IPsec V2 crypto maps that the VIA client uses to connect to the controller.
    lockdown-all-settings
        Allows you to lock down all user-configured settings.
        Default: Disabled.
    max-reconnect-attempts
        The maximum number of re-connection attempts by the VIA client due to authentication failures.
        Default: 3.
    max-timeout value
        The maximum time (minutes) allowed before the VIA session is disconnected.
        Default: 1440 min.
    minimized
        Use this option to keep the VIA client on a Microsoft Windows operating system minimized to the system tray.
    ocsp-responder
        OCSP certificate verification.
        Default: —.
        enable
            Enable/Disable OCSP certificate verification.
        fallback
            Action taken when the OCSP certificate verification result is unknown.
    save-passwords
        Enable or disable users to save passwords entered in VIA.
        Default: Enabled.
    server
        Configure VIA servers.
        Default: —.
        addr
            This is the public IP address or the DNS hostname of the VIA controller. Users will connect to the remote server using this IP address or the hostname.
    tunnel address
        A list of network destinations (IP address and netmask) that the VIA client will tunnel through the controller. All other network destinations will be reachable directly by the VIA client. Enter the tunneled IP address and its netmask.
        address  —
        netmask  —
    user-idle-timeout
        The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.
        Default: Disabled.
    validate-server-cert
        Enable or disable VIA from validating the server certificate presented by the controller.
        Default: Enabled.
    whitelist addr
        Specify a hostname or IP address and network mask to define a whitelist of users allowed to access the network if the allow-whitelist-traffic option is enabled.
        addr
            Host name or IP address of a client.
        netmask
            Netmask, in dotted decimal format.
        description
            (Optional) description of the client.
    windows-credentials
        Enable or disable the use of the Windows credentials to log in to VIA. If enabled, the SSO (Single Sign-On) feature can be utilized by remote users to connect to internal resources.
        Default: Enabled.

Usage Guidelines
Issue this command to create a VIA connection profile. A VIA connection profile contains settings required by VIA to establish a secure connection to the controller. You can configure multiple VIA connection profiles. A VIA connection profile is always associated to a user role and all users belonging to that role will use the configured settings. If you do not assign a VIA connection profile to a user role, the default connection profile is used.

Example
The following example shows a simple VIA connection profile:
    (host) [mynode] (config) #aaa authentication via connection-profile "via"
    (host) [mynode] (VIA Connection Profile "via") #server addr 202.100.10.100 internal-ip 10.11.12.13 desc "VIA Primary" position 0
    (host) [mynode] (VIA Connection Profile "via") #auth-profile "default" position 0
    (host) [mynode] (VIA Connection Profile "via") #tunnel address 10.0.0.0 netmask 255.255.255.0
    (host) [mynode] (VIA Connection Profile "via") #split-tunneling
    (host) [mynode] (VIA Connection Profile "via") #windows-credentials
    (host) [mynode] (VIA Connection Profile "via") #client-netmask 255.0.0.0
    (host) [mynode] (VIA Connection Profile "via") #dns-suffix-list mycorp.com
    (host) [mynode] (VIA Connection Profile "via") #dns-suffix-list example.com
    (host) [mynode] (VIA Connection Profile "via") #support-email [email protected]

Command History
    Release        Modification
    ArubaOS 8.0    Command introduced.

Command Information
    Platforms        Licensing                Command Mode
    All platforms    Base operating system.   Config mode on Mobility Master.

aaa authentication via global-config

aaa authentication via global-config
    no
    ssl-fallback-enable

Description
The global config option allows you to enable SSL fallback mode. If the SSL fallback mode is enabled, the VIA client will use SSL to create a secure connection.

Syntax
    no
        Disable SSL fallback option.
        Default: —.
    ssl-fallback-enable
        Use this option to enable an SSL fallback connection.
        Default: Disabled.

Example
    (host) [mynode] (config) #aaa authentication via global-config

Command History
    Release        Modification
    ArubaOS 8.0    Command introduced.

Command Information
    Platforms        Licensing               Command Mode
    All platforms    Base operating system   Config mode on Mobility Master or managed devices.

aaa authentication via web-auth

aaa authentication via web-auth default
    auth-profile position
    clone
    no

Description
A VIA web authentication profile contains an ordered list of VIA authentication profiles. The web authentication profile is used by end users to log in to the VIA download page (https:///via) for downloading the VIA client. Only one VIA web authentication profile is available. If more than one VIA authentication profile is configured, users can view this list and select one during the client login.

Syntax
    auth-profile
        The name of the VIA authentication profile.
        Default: —.
    position
        The position of the profile to specify the order of selection.
    clone
        Duplicate an existing authentication profile.
        Default: —.

Example
    (host) [mynode] (config) #aaa authentication via web-auth default
    (host) [mynode] (VIA Web Authentication "default") #auth-profile default position 0

Command History
    Release        Modification
    ArubaOS 8.0    Command introduced.

Command Information
    Platforms        Licensing               Command Mode
    All platforms    Base operating system   Config mode on Mobility Master.

aaa authentication vpn

aaa authentication vpn
    cert-cn-lookup
    clone
    default-role
    export-route
    max-authentication-failures
    no ...
    pan-integration
    radius-accounting
    server-group
    user-idle-timeout

Description
This command configures VPN authentication settings.

Syntax
    There are three VPN profiles: default, default-rap or default-cap. This allows users to use different AAA servers for VPN, RAP and CAP clients.
    NOTE: The default and default-rap profiles are configurable. The default-cap profile is not configurable and is predefined with the default settings.

    cert-cn-lookup
        If you use client certificates for user authentication, enable this option to verify that the certificate's common name exists in the server. This parameter is enabled by default in the default-cap and default-rap VPN profiles, and disabled by default on all other VPN profiles.
    clone
        Copies data from another VPN authentication profile. Source is the profile name from which the data is copied.
    default-role
        Role assigned to the VPN user upon login. NOTE: This parameter requires the Policy Enforcement Firewall for VPN Users (PEFV) license.
        Default: guest.
    export-route
        Exports a VPN IP address as a route to the external world. See the show ip ospf command to view the link-state advertisement (LSA) types that are generated.
        Default: enabled.
    max-authentication-failures
        Maximum number of authentication failures before the user is blacklisted. The supported range is 1-10 failures. A value of 0 disables blacklisting. NOTE: This parameter requires the RFProtect license.
        Default: 0 (disabled).
    no
        Negates any configured parameter.
        Default: —.
    pan-integration
        Require IP mapping at Palo Alto Networks firewalls.
        Default: disabled.
    radius-accounting
        Configure server group for RADIUS accounting.
    server-group
        Name of the group of servers used to authenticate VPN users. See aaa server-group on page 104.
        Default: internal.
    user-idle-timeout
        The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.

Usage Guidelines
This command configures VPN authentication settings for VPN, RAP and CAP clients. Use the vpdn group command to configure Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) or a Point-to-Point Tunneling Protocol (PPTP) VPN connection. (See vpdn group l2tp on page 2429.)

Example
The following command configures VPN authentication settings for the default-rap profile:
    (host) [mynode] (config) #aaa authentication vpn default-rap
    (host) [mynode] (VPN Authentication Profile "default-rap") #default-role guest
    (host) [mynode] (VPN Authentication Profile "default-rap") #clone default
    (host) [mynode] (VPN Authentication Profile "default-rap") #max-authentication-failures 0
    (host) [mynode] (VPN Authentication Profile "default-rap") #server-group vpn-server-group

The following message appears when a user tries to configure the non-configurable default-cap profile:
    (host) [mynode] (config) #aaa authentication vpn default-cap
    Predefined VPN Au
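As an added example serving both the VIA connection profile and this VPN authentication profile (it is not part of this guide or of ArubaOS), the following script parses a CLI session in the transcript format the guide's examples use and checks the values against the ranges the parameter tables document: user-idle-timeout must be 30-15300 in multiples of 30 in both profiles, and max-authentication-failures must be 0-10 in the VPN profile. It also reports a negated validate-server-cert; that baseline rule is an assumption rather than something the guide states, the form "no validate-server-cert" is assumed from the generic no parameter, and the transcript is constructed from the guide's "via" example plus a few extra lines.

```python
"""Audit a pasted ArubaOS CLI session for VIA connection-profile and VPN
authentication-profile settings.

Added example, not ArubaOS code. It parses the transcript format used in this
guide's examples and applies the ranges documented in the parameter tables;
the sample transcript and the "weak when negated" rule are constructed for
illustration.
"""
import re

# One profile-context prompt per line, e.g.
#   (host) [mynode] (VIA Connection Profile "via") #tunnel address 10.0.0.0 netmask 255.255.255.0
PROMPT_RE = re.compile(
    r'^\(host\) \[[^\]]+\] \((?P<kind>[A-Za-z0-9 ]+?) "(?P<name>[^"]+)"\) #(?P<cmd>.+)$')

# Documented ranges as (min, max, step). user-idle-timeout has the same rule in both
# profiles; max-authentication-failures accepts 1-10, with 0 meaning disabled.
RANGES = {
    ("VIA Connection Profile", "user-idle-timeout"): (30, 15300, 30),
    ("VPN Authentication Profile", "user-idle-timeout"): (30, 15300, 30),
    ("VPN Authentication Profile", "max-authentication-failures"): (0, 10, 1),
}

# Parameters whose negation a reviewer should see (an assumed baseline, not from the guide).
WEAK_WHEN_NEGATED = {
    ("VIA Connection Profile", "validate-server-cert"):
        "VIA client will not validate the certificate presented by the controller",
}


def parse_transcript(text):
    """Group the sub-commands typed in each profile context, keyed by (kind, name)."""
    profiles = {}
    for line in text.splitlines():
        match = PROMPT_RE.match(line.strip())
        if not match:
            continue                     # (config) prompts and non-CLI text are skipped
        key = (match.group("kind"), match.group("name"))
        entry = profiles.setdefault(key, {"set": {}, "negated": set()})
        tokens = match.group("cmd").split()
        if tokens[0] == "no" and len(tokens) > 1:
            entry["negated"].add(tokens[1])
            entry["set"].pop(tokens[1], None)
        else:
            entry["set"].setdefault(tokens[0], []).append(tokens[1:])
    return profiles


def audit(profiles):
    """Return (profile name, message) findings for out-of-range or negated settings."""
    findings = []
    for (kind, name), entry in profiles.items():
        for param, occurrences in entry["set"].items():
            limits = RANGES.get((kind, param))
            if limits is None:
                continue
            low, high, step = limits
            for args in occurrences:
                if not args or not args[0].isdigit():
                    findings.append((name, "%s: expected a number, got %r" % (param, args)))
                    continue
                value = int(args[0])
                if not low <= value <= high:
                    findings.append((name, "%s %d is outside %d-%d" % (param, value, low, high)))
                elif value % step:
                    findings.append((name, "%s %d is not a multiple of %d" % (param, value, step)))
        for param in sorted(entry["negated"]):
            reason = WEAK_WHEN_NEGATED.get((kind, param))
            if reason:
                findings.append((name, "no %s: %s" % (param, reason)))
    return findings


# Constructed transcript: the guide's "via" example plus a few extra lines.
SAMPLE_TRANSCRIPT = """\
(host) [mynode] (config) #aaa authentication via connection-profile "via"
(host) [mynode] (VIA Connection Profile "via") #server addr 202.100.10.100 internal-ip 10.11.12.13 desc "VIA Primary" position 0
(host) [mynode] (VIA Connection Profile "via") #tunnel address 10.0.0.0 netmask 255.255.255.0
(host) [mynode] (VIA Connection Profile "via") #split-tunneling
(host) [mynode] (VIA Connection Profile "via") #user-idle-timeout 45
(host) [mynode] (VIA Connection Profile "via") #no validate-server-cert
(host) [mynode] (config) #aaa authentication vpn default-rap
(host) [mynode] (VPN Authentication Profile "default-rap") #max-authentication-failures 12
(host) [mynode] (VPN Authentication Profile "default-rap") #user-idle-timeout 300
"""

if __name__ == "__main__":
    for profile, message in audit(parse_transcript(SAMPLE_TRANSCRIPT)):
        print("%s: %s" % (profile, message))
```

Running it on the sample reports three findings: the 45-second idle timeout on "via" (not a multiple of 30), the negated validate-server-cert on "via", and the max-authentication-failures of 12 on "default-rap" (outside 0-10); the 300-second idle timeout on "default-rap" passes. The RANGES table is the place to add further documented limits, keyed by the profile kind shown in the prompt.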