Aruba S3500-24T User guide

Category
Software
Type
User guide
ArubaOS 7.4
Command-Line Interface
Reference Guide
0511454-00v3 | October 2015 ArubaOS 7.4 | Reference Guide
Copyright Information
© Copyright 2015 Hewlett Packard Enterprise Development LP
Open Source Code
This product includes code licensed under the GNU General Public License, the GNU Lesser General Public
License, and/or certain other open source licenses. A complete machine-readable copy of the source code
corresponding to such code is available upon request. This offer is valid to anyone in receipt of this information
and shall expire three years following the date of the final distribution of this product version by Hewlett-
Packard Company. To obtain such source code, send a check or money order in the amount of US $10.00 to:
Hewlett-Packard Company
Attn: General Counsel
3000 Hanover Street
Palo Alto, CA 94304
USA
Please specify the product and version for which you are requesting source code. You may also request a copy
of this source code free of charge at dl-gplquery@arubanetworks.com.
ArubaOS 7.4 | CLI Reference Guide ArubaOS Command-Line Interface | 3
ArubaOS Command-Line Interface
The ArubaOS 7.4 command-line interface (CLI) allows you to configure and manage your Mobility Access
Switch. The CLI is accessible from a local console connected to the serial port on the Mobility Access Switch or
through a Telnet or Secure Shell (SSH) session from a remote management console or workstation.
Telnet access is disabled by default. To enable Telnet access, enter the telnet CLI command from a serial connection
or an SSH session.
Whats New in ArubaOS 7.4
New Commands
The following commands are introduced in the ArubaOS 7.4 command line interface.
Command Description
arp Use this command to add static Address Resolution Pro-
tocol (ARP)entries to the ARP table.
crypto aruba-vpn Use this command to configure Aruba VPN tunnel.
device-group This command dynamically configures an interface
based on the type of device connected to it. It uses
LLDP to detect the type of device connected to an
interface and applies a device-group configuration (a
set of predefined configuration) on the interface
based on the device-type.
interface-profile ddns-profile Use this command to configure a Dynamic Domain
Name Server (DDNS) profile.
ip dhcp aruba-vpn-pool Use this command to configure Distributed DHCP
scope using the Aruba VPN pool profile.
ip nat pool Use this command to create a Network Address Trans-
lation (NAT) pool.
probe-profile Use this command to create a probe-profile for mon-
itoring L3 uplink status.
rogue-ap-containment Enable/disable and configure rogue AP containment
options.
set traceflags Use this command for setting trace flags for various
packet forwarding functions.
show aaa deny-inter-user-traffic roles Use this command to view the list of roles on which
deny-inter-user-traffic is enabled.
show ddns-client
Use this command to view the DDNS updates that are
sent to the server.
show device-group This command displays the device-group attached
interfaces.
4| ArubaOS Command-Line Interface ArubaOS 7.4 | CLI Reference Guide
Command Description
show device-group-config This command displays the device-group
configuration parameters.
show interface-profile ddns-profile Use this command to view the DDNS profile
configuration information.
show ip dhcp aruba-vpn-pool Use this command to view the details of the Aruba
VPN pool profiles configured on the Mobility Access
Switch.
show ip nat pool Use this command to view all the NAT pools
configured in the network.
show probe Use this command to view the probe status of the
interfaces where the probe profile is attached.
show probe-profile Use this command to view the details of the probe
profiles configured on the system.
show rogue-ap-containment Use this command to view the rogue AP containment
actions configured on the Mobility Access Switch.
Modified Commands
The following commands are modified in ArubaOS 7.4
Command Description
crypto-local ipsec-map The standby-interface vlan parameter is introduced to
configure a backup VPN interface.
interface vlan The following new parameters are introduced:
lddns-profile
lip nat outside
lip access-group session
lmetric
lprobe-profile
laruba-vpn-pool-profile
ip-profile The ipsec parameter is introduced under the controller-ip
command.
show datapath session The output includes Sand Nflags to indicate if source NAT
or destination NAT is performed on the session.
show interface-config vlan Introduced the following new parameters as part of this
show command:
lInterface description
lInterface DDNS profile
lProbe Profile
lmetric
lIP NAT Outside
lAruba VPN Pool profile
lEgress ACL
lSession ACL
show interface vlan Metric and Probe profile details are added to the output.
Command Description
show ip interface brief The output parameters are modified to include the Probe
column indicating the probe status of all the interfaces being
ping probed.
show rights The Deny inter-user traffic status information is added to
the output.
user-role The deny-inter-user-traffic parameter was introduced.
Enabling this on a user-role denies the traffic between
users with that role.
vlan-profile igmp-snooping-profile The v3 parameter is added under snooping and
snooping-proxy commands.
ArubaOS 7.4 | CLI Reference Guide ArubaOS Command-Line Interface | 5
About this Guide
This guide describes the ArubaOS 7.4 command syntax. The commands in this guide are listed alphabetically.
The following information is provided for each command:
lCommand Syntax—The complete syntax of the command.
lDescription—A brief description of the command.
lSyntax—A description of the command parameters, including license requirements for specific parameters
if needed. The applicable ranges and default values, if any, are also included.
lUsage Guidelines—Information to help you use the command, including: prerequisites, prohibitions, and
related commands.
lExample—An example of how to use the command.
lCommand History—The version of ArubaOS in which the command was first introduced. Modifications and
changes to the command are also noted.
lCommand Information—This table describes the command modes and platforms for which this command
is applicable.
Connecting to the Mobility Access Switch
This section describes how to connect to the Mobility Access Switch to use the CLI.
Serial Port Connection
The serial port is located on the front panel of the Mobility Access Switch. Connect a terminal or
PC/workstation running a terminal emulation program to the serial port on the Mobility Access Switch to use
the CLI. Configure your terminal or terminal emulation program to use the following communication settings.
Baud Rate Data Bits Parity Stop Bits Flow Control
9600 8 None 1 None
Telnet or SSH Connection
Telnet or SSH access requires that you configure an IP address and a default gateway on the Mobility Access
Switch and connect the Mobility Access Switch to your network. This is typically performed when you run the
Initial Setup on the Mobility Access Switch, as described in the ArubaOS 7.4 Quick Start Guide.
CLI Access
When you connect to the Mobility Access Switch using the CLI, the system displays its host name followed by
the login prompt. Log in using the admin user account and the password you entered during the Initial Setup
on the Mobility Access Switch. For example:
(host)
User: admin
Password: *****
When you are logged in, the user mode CLI prompt displays. For example:
(host) >
User mode provides only limited access for basic operational testing such as running ping and traceroute.
ArubaOS 7.4 | CLI Reference Guide | 6
7| ArubaOS 7.4 | CLI Reference Guide
Certain management functions are available in enable (also called privileged) mode. To move from user mode
to enable mode requires you to enter an additional password (also called privileged mode password) that you
entered during the Initial Setup. For example:
(host) > enable
Password: ******
When you are in enable mode, the > prompt changes to a pound sign (#):
(host) #
Configuration commands are available in config mode. Move from enable mode to config mode by entering
configure terminal at the # prompt:
(host) # configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
When you are in basic config mode, (config) appears before the # prompt:
(host) (config) #
Command Help
You can use the question mark (?) to view various types of command help.
When typed at the beginning of a line, the question mark lists all the commands available in your current mode
or sub-mode. A brief explanation follows each command. For example:
(host) > ?
enable Turn on Privileged commands
exit Exit this session. Any unsaved changes are lost.
help Help on CLI command line processing and a
Description of the interactive help system
logout Exit this session. Any unsaved changes are lost.
ping Send ICMP echo packets to the specified ip address.
tracepath Trace path to the specified IPv6 address.
traceroute Trace route to the specified ip address.
When typed at the end of a possible command or abbreviation, the question mark lists the commands that
match (if any). For example:
(host) > c?
clear Clear configuration or statistics
clock Configure the system clock
configure Configuration Commands
copy Copy Files
crypto Configure IPSec, IKE, and CA
If more than one item is shown, type more of the keyword characters to distinguish your choice. However, if
only one item is listed, the keyword or abbreviation is valid and you can press tab or the spacebar to advance
to the next keyword.
When typed in place of a parameter, the question mark lists the available options. For example:
(host) # write ?
dhcp-snoop-database
erase Erase configuration
memory Write to memory
terminal Write to terminal
The <cr> indicates that the command can be entered without additional parameters. Any other parameters are
optional.
Command Completion
To make command input easier, you can usually abbreviate each key word in the command. You need type
only enough of each keyword to distinguish it from similar commands. For example:
(host) # configure terminal
could also be entered as:
(host) # con t
Three characters (con) represent the shortest abbreviation allowed for configure. Typing only cor co would
not work because there are other commands (like copy) which also begin with those letters. The configure
command is the only one that begins with con.
As you type, you can press the spacebar or tab to move to the next keyword. The system then attempts to
expand the abbreviation for you. If there is only one command keyword that matches the abbreviation, it is
filled in for you automatically. If the abbreviation is too vague (too few characters), the cursor does not
advance and you must type more characters or use the help feature to list the matching commands.
Deleting Configuration Settings
Use the no command to delete or negate previously-entered configurations or parameters.
lTo view a list of no commands, type no at the enable or config prompt followed by the question mark. For
example:
(host) (config) # no?
lTo delete a configuration, use the no form of a configuration command. For example, the following
command removes a configured user role:
(host) (config) # no user-role <name>
lTo negate a specific configured parameter, use the no parameter within the command. For example, the
following commands delete the VLAN configuration on a user-role:
(host) (config) #user-role <name>
(host) (config-role) #no vlan 1
Saving Configuration Changes
Each Aruba Mobility Access Switch contains two different types of configuration images.
lThe running-config holds the current Mobility Access Switch configuration, including all pending changes
which have yet to be saved. To view the running-config, use the following command:
(host) # show running-config
lThe startup config holds the configuration which will be used the next time the Mobility Access Switch is
rebooted. It contains all the options last saved using the write memory command. To view the startup-
config, use the following command:
(host) # show startup-config
When you make configuration changes via the CLI, those changes affect the current running configuration
only. If the changes are not saved, they will be lost after the Mobility Access Switch reboots. To save your
configuration changes so they are retained in the startup configuration after the Mobility Access Switch
reboots, use the following command in enable mode:
(host) # write memory
Saving Configuration...
Saved Configuration
Both the startup and running configurations can also be saved to a file or sent to a TFTP server for backup or
transfer to another system.
ArubaOS 7.4 | CLI Reference Guide | 8
9| ArubaOS 7.4 | CLI Reference Guide
Reloading the Mobility Access Switch
When you execute the reload command, the Mobility Access Switch prompts you to save the configuration if
there are any changes in the running configuration. Reloading the Mobility Access Switch causes a momentary
disruption in service as the unit resets.
Conventions
The following conventions are used throughout this manual to emphasize important concepts:
Type Style Description
Italics
This style is used to emphasize important terms and to mark the titles of books.
System items This fixed-width font depicts the following:
lSample screen output
lSystem prompts
lFilenames, software devices, and specific commands when mentioned in the text
Commands In the command examples, this bold font depicts text that you must type exactly as
shown.
<
Arguments
> In the command examples, italicized text within angle brackets represents items that
you should replace with information appropriate to your specific situation. For example:
#send <text message>
In this example, you would type “send” at the system prompt exactly as shown, followed
by the text of the message you wish to send. Do not type the angle brackets.
[Optional] Command examples enclosed in brackets are optional. Do not type the brackets.
{Item A |
Item B}
In the command examples, items within curled braces and separated by a vertical bar
represent the available choices. Enter only one choice. Do not type the braces or bars.
Table 1: Typographical Conventions
The following informational icons are used throughout this guide:
Indicates helpful suggestions, pertinent information, and important things to remember.
Indicates a risk of damage to your hardware or loss of data.
Indicates a risk of personal injury or death.
Command Line Editing
The system records your most recently entered commands. You can review the history of your actions, or
reissue a recent command easily, without having to retype it.
To view items in the command history, use the up arrow key to move back through the list and the down arrow
key to move forward. To reissue a specific command, press Enter when the command appears in the
command history. You can even use the command line editing feature to make changes to the command prior
to entering it. The command line editing feature allows you to make corrections or changes to a command
without retyping. Table 1 lists the editing controls. To use key shortcuts, press and hold the Ctrl button while
you press a letter key.
Key Effect Description
Ctrl A Home Move the cursor to the beginning of the line.
Ctrl B or the
left arrow
Back Move the cursor one character left.
Ctrl D Delete Right Delete the character to the right of the cursor.
Ctrl E End Move the cursor to the end of the line.
Ctrl F or the
right arrow
Forward Move the cursor one character right.
Ctrl K Delete Right Delete all characters to the right of the cursor.
Ctrl N or the
down arrow
Next Display the next command in the command
history.
Ctrl P or
up arrow
Previous Display the previous command in the command
history.
Ctrl T Transpose Swap the character to the left of the cursor with
the character to the right of the cursor.
Ctrl U Clear Clear the line.
Ctrl W Delete Word Delete the characters from the cursor up to and
including the first space encountered.
Ctrl X Delete Left Delete all characters to the left of the cursor.
Table 2:
Line Editing Keys
Contacting Support
Website Support
Main Site http://www.arubanetworks.com
Support Site https://support.arubanetworks.com
Airheads Social Forums and Knowledge
Base
https://community.arubanetworks.com
North American Telephone 1-800-943-4526 (Toll Free)
1-408-754-1200
Table 3: Contact Information
ArubaOS 7.4 | CLI Reference Guide | 10
11 | ArubaOS 7.4 | CLI Reference Guide
Website Support
International Telephone http://www.arubanetworks.com/support-services/support-
program/contact-support
Software Licensing Site https://licensing.arubanetworks.com/
End-of-Support Information http://www.arubanetworks.com/support-services/end-of-life-
products/
Security Incident Response Team (SIRT) http://www.arubanetworks.com/support-services/security-
bulletins/
Support Email Addresses
Americas, EMEA, and APAC support@arubanetworks.com
Security Incident Response Team (SIRT) sirt@arubanetworks.com
aaa authentication captive-portal
aaa authentication captive-portal <profile-name>
clone <source-profile>
default-guest-role <role>
default-role <role>
enable-welcome-page
guest-logon
ip-addr-in-redirection-url <ip-addr>
login-page <url>
logon-wait {cpu-threshold <percent>}|{maximum-delay <seconds>}|{minimum-delay <secs>}
logout-popup-window
max-authentication-failures <max-authentication-failures>
no ...
protocol-http
redirect-pause <secs>
server-group <group-name>
show-acceptable-use-policy
show-fqdn
single-session
switchip-in-redirection-url <ipaddr>
use-chap
user-logon
user-vlan-in-redirection-url <ipaddr>
welcome-page <url>
white-list <white-list>
Description
This command configures a Captive Portal authentication profile.
Syntax
Parameter Description Range Default
<profile-name> Name that identifies an instance
of the profile. The name must be
1-63 characters.
— default
clone Name of an existing Captive
Portal profile from which
parameter values are copied.
— —
default-guest-role Role assigned to guest. guest
default-role <role> Role assigned to the Captive
Portal user upon login. When
both user and guest logon are
enabled, the default role applies
to the user logon; users logging
in using the guest interface are
assigned the guest role.
— guest
enable-welcome-
page
Displays the configured welcome
page before the user is
redirected to their original URL. If
this option is disabled,
redirection to the web URL
happens immediately after the
user logs in.
enabled/
disabled
enabled
ArubaOS 7.4 | CLI Reference Guide aaa authentication captive-portal | 12
13 | aaa authentication captive-portal ArubaOS 7.4 | CLI Reference Guide
Parameter Description Range Default
guest-logon Enables Captive Portal logon
without authentication.
enabled/
disabled
disabled
ip-addr-in-redirection-url Sends IP address of one of the
interface in the redirection URL
when external captive portal
servers are used.
— disabled
login-page <url> URL of the page that appears for
the user logon. This can be set to
any URL.
— /auth/index.
html
logon-wait Configure parameters for the
logon wait interval
1-100 60%
cpu-threshold <percent> CPU utilization percentage above
which the Logon wait interval is
applied when presenting the
user with the logon page.
1-100 60%
maximum-delay <seconds> Maximum time, in seconds, the
user will have to wait for the
logon page to pop up if the CPU
load is high. This works in
conjunction with the Logon wait
CPU utilization threshold
parameter.
1-10 10 seconds
minimum-delay <secs> Minimum time, in seconds, the
user will have to wait for the
logon page to pop up if the CPU
load is high. This works in
conjunction with the Logon wait
CPU utilization threshold
parameter.
1-10 5 seconds
logout-popup-
window
Enables a pop-up window with
the Logout link for the user to
logout after logon. If this is
disabled, the user remains
logged in until the user timeout
period has elapsed or the station
reloads.
enabled/
disabled
enabled
max-authentication-failures The number of authentication
failures before the user is
blacklisted.
0-10 0
no Negates any configured
parameter.
— —
protocol-http Use HTTP protocol on redirection
to the Captive Portal page. If you
use this option, modify the
captive portal policy to allow
HTTP traffic.
enabled/
disabled
disabled (HTTPS is
used)
Parameter Description Range Default
redirect-pause <secs> Time, in seconds, that the system
remains in the initial welcome
page before redirecting the user
to the final web URL. If set to 0,
the welcome page displays until
the user clicks on the indicated
link.
1-60 10 seconds
server-group <group-name> Name of the group of servers
used to authenticate Captive
Portal users.
— —
show-acceptable-use-policy Show the acceptable use policy
page before the logon page.
enabled/
disabled
disabled
show-fqdn Allows the user to see and select
the fully-qualified domain name
(FQDN) on the login page. The
FQDNs shown are specified
when configuring individual
servers for the server group
used with captive portal
authentication.
enabled/
disabled
disabled
single-session Allows only one active user
session at a time.
— disabled
switchip-in-redirection-url Sends the Mobility Access
Switch’s IP address in the
redirection URL when external
captive portal servers are used.
An external captive portal server
can determine the Mobility
Access Switch from which a
request originated by parsing the
‘switchip’ variable in the URL.
enabled/
disabled
disabled
use-chap Use CHAP protocol. You should
not use this option unless
instructed to do so by an Aruba
representative.
enabled/
disabled
disabled (PAP is
used)
user-logon Enables Captive Portal with
authentication of user
credentials.
enabled/
disabled
enabled
user-vlan-in-redirection-url Sends VLAN ID of the user in the
redirection URL when external
captive portal servers are used.
— —
welcome-page <url> URL of the page that appears
after logon and before
redirection to the web URL. This
can be set to any URL.
— /auth/welcome.html
white-list <white-list> Name of an existing white list on
an IPv4 or IPv6 network
destination. The white list
contains authenticated websites
that a guest can access.
— —
ArubaOS 7.4 | CLI Reference Guide aaa authentication captive-portal | 14
15 | aaa authentication captive-portal ArubaOS 7.4 | CLI Reference Guide
Usage Guidelines
Use this command to create a captive portal profile on a Mobility Access Switch.
Example
The following example configures a Captive Portal authentication profile that authenticates users against the
Mobility Access Switch’s internal database. Users who are successfully authenticated are assigned the auth-
guest role.
To create a captive portal profile:
(host)(config)#aaa authentication captive-portal cp-profile
(host)(Captive Portal Authentication Profile "cp-profile") #default-role guest
(host)(Captive Portal Authentication Profile "cp-profile") #server-group cp-srv
To attach a captive portal profile to the user role:
(host)(config) #user-role cp-first
(host)(config-role) #captive-portal cp-profile
To designate the user role created as the initial role of the AAA profile:
(host)(config) #aaa profile cp_aaa
(host) (AAA Profile "cp_aaa") #initial-role cp-first
To apply the configured AAA profile to the interface:
(host)(config) #interface gigabitethernet 0/0/0
aaa-profile cp_aaa no trusted port
Command History
Release Modification
ArubaOS 7.2 This command was introduced.
Command Information
Platforms Licensing Command Mode
Mobility Access Switch Base operating system Configuration Mode (config)
aaa authentication dot1x
aaa authentication dot1x <profile-name>
ca-cert <certificate>
cert-cn-lookup
clone <profile>
eapol-logoff
framed-mtu <mtu>
heldstate-bypass-counter <number>
ignore-eap-id-match
ignore-eapolstart-afterauthentication
machine-authentication blacklist-on-failure|{cache-timeout <hours>}|enable|
{machine-default-role <role>}|{user-default-role <role>}
max-authentication-failures <number>
max-requests <number>
no ...
reauth-max <number>
reauthentication
server {server-retry <number>|server-retry-period <seconds>}
server-cert <certificate>
termination {eap-type <type>}|enable|enable-token-caching|{inner-eap-type (eap-gtc|eap-
mschapv2)}|{token-caching-period <hours>}
timer {idrequest_period <seconds>}|quiet-period <seconds>}|{reauth-period <seconds>}
tls-guest-access
tls-guest-role <role>
Description
This command configures the 802.1X authentication profile.
Syntax
Parameter Description Range Default
<profile> Name that identifies an
instance of the profile. The
name must be 1-63 characters.
— “default
ca-cert <certificate> This command creates the CA
certificate.
The <certificate> parameter is
the name of the certificate,
which must be loaded on the
switch.
— disabled
cert-cn-lookup Checks certificate common
name against AAA server. — —
clone Name of existing 802.1X profile
from which parameters are
copied.
— —
delay-eap-success Introduces a delay of one
second in sending the
EAPSuccess message to the
client after it completes the
802.1X authentication to
ensure that the clients obtain
an IP address in the correct
VLAN.
— disabled
ArubaOS 7.4 | CLI Reference Guide aaa authentication dot1x | 16
17 | aaa authentication dot1x ArubaOS 7.4 | CLI Reference Guide
Parameter Description Range Default
deny-dhcp Denies DHCPrequests from
the clients till the dot1x
authentication is complete to
ensure that the 802.1X clients
obtain the correct IPaddresses
in the correct VLANs/subnets.
— disabled
eapol-logoff Enables handling of EAPOL-
LOGOFF messages.
— disabled
framed-mtu <MTU> Use this command to set the
framed MTU attribute that is
sent to the authentication
server.
500-1500 1100
heldstate-bypass-counter <hs-counter> Use this command to set the
maximum number of times a
station can send bad user
credentials and avoid going to
held state by sending an
EAPOL-Start.
0-3 0
ignore-eap-id-
match
Use this command to ignore
EAP ID during negotiation.
— disabled
ignore-eapol
start-afterauthentication
Use this command to ignore
EAPOL-START messages after
authentication.
— disabled
machine-authentication (For Windows environments
only) These parameters set
machine authentication:
blacklist-on-failure Blacklists the client if machine
authentication fails.
— disabled
cache-timeout <hours> Use this command to blacklist
the station if machine
authentication fails.
1-1000 24 hours
(1 day)
enable Select this option to enforce
machine authentication before
user authentication. If selected,
either the machine-default-role
or the user-default-role is
assigned to the user,
depending on which
authentication is successful.
— disabled
machine-default-role <role> Default role assigned to the
user after completing only
machine authentication.
— guest
user-default-role <role> Default role assigned to the
user after 802.1X
authentication.
— guest
Parameter Description Range Default
max-authentication-failures <number> Number of times a user can try
to login with wrong credentials
after which the user is
blacklisted as a security threat.
Set to 0 to disable blacklisting,
otherwise enter a non-zero
integer to blacklist the user
after the specified number of
failures.
0-5 0
(disabled)
max-requests <number> Sets the maximum number of
times ID requests are sent to
the client.
1-10 3
multicast-key
rotation
Enables multicast key rotation disabled
no Negates any configured
parameter.
— —
reauth-max <number> Maximum number of
reauthentication attempts.
1-10 3
reauthentication Select this option to force the
client to do a 802.1X
reauthentication after the
expiration of the default timer
for reauthentication. (The
default value of the timer is 24
hours.) If the user fails to
reauthenticate with valid
credentials, the state of the
user is cleared.
If derivation rules are used to
classify 802.1X-authenticated
users, then the
reauthentication timer per role
overrides this setting.
— disabled
reload-cert Reload Certificate for 802.1X
termination. This command is
available in enable mode only.
— —
server Sets options for sending
authentication requests to the
authentication server group.
server-retry <number> Option to set the maximum
number of authentication
requests that are sent to server
group.
0-3 2
server-retry-period <seconds> Option to set the time interval,
in seconds, of failed requests
that are sent to a server group.
5-65535 30
seconds
ArubaOS 7.4 | CLI Reference Guide aaa authentication dot1x | 18
19 | aaa authentication dot1x ArubaOS 7.4 | CLI Reference Guide
Parameter Description Range Default
server-cert <certificate> Server certificate used by the
controller to authenticate itself
to the client.
— —
termination Sets options for terminating
802.1X authentication on the
controller.
eap-type <type> The Extensible Authentication
Protocol (EAP) method, either
EAP-PEAP or EAP-TLS.
eap-peap/
eap-tls
eap-peap
enable Enables 802.1X termination on
the controller.
— disabled
enable-token
-caching
If you select EAP-GTC as the
inner EAP method, you can
enable the controller to cache
the username and password of
each authenticated user. The
controller continues to
reauthenticate users with the
remote authentication server,
however, if the authentication
server is not available, the
controller will inspect its
cached credentials to
reauthenticate users.
@@@@@
The syntax on the original doc
was weird, so I just used this
one. (The original was Option
to termination enable-token-
caching.”)
— disabled
inner-eap-type eap-gtc|eap-mschapv2 When EAP-PEAP is the EAP
method, one of the following
inner EAP types is used:
EAP-Generic Token Card
(GTC): Described in RFC 2284,
this EAP method permits the
transfer of unencrypted
usernames and passwords
from client to server. The main
uses for EAP-GTC are one-time
token cards such as SecureID
and the use of LDAP or RADIUS
as the user authentication
server. You can also enable
caching of user credentials on
the controller as a backup to an
external authentication server.
EAP-Microsoft Challenge
Authentication Protocol
version 2 (MS-CHAPv2):
Described in RFC 2759, this EAP
method is widely supported by
Microsoft clients.
eap-
gtc/eap-
mschapv2
eap-
mschap
v2
Parameter Description Range Default
token-caching-period <hours> If you select EAP-GTC as the
inner EAP method, you can
specify the timeout period, in
hours, for the cached
information.
(any) 24 hours
timer Sets timer options for 802.1X
authentication:
idrequest-
period <seconds>
Interval, in seconds, between
identity request retries.
1-65535 30
seconds
quiet-period <seconds> Interval, in seconds, following
failed authentication.
1-65535 30
seconds
reauth-period <seconds> Interval, in seconds, between
reauthentication attempts, or
specify server to use the
server-provided
reauthentication period.
60-
864000
86400
seconds
(1 day)
tls-guest-access Enables guest access for EAP-
TLS users with valid
certificates.
— disabled
tls-guest-role <role> User role assigned to EAP-TLS
guest.
— guest
Usage Guidelines
The 802.1X authentication profile allows you to enable and configure machine authentication and 802.1X
termination on the controller. In the AAA profile, you specify the 802.1X authentication profile, the default role
for authenticated users, and the server group for the authentication.
Examples
The following example enables authentication of the user’s client device before user authentication. If machine
authentication fails but user authentication succeeds, the user is assigned the restricted “guest role:
aaa authentication dot1x dot1x
machine-authentication enable
machine-authentication machine-default-role computer
machine-authentication user-default-role guest
Command History
Version Description
ArubaOS 7.0 This command was introduced.
ArubaOS 7.3.1 The following parameters were added:
ldelay-eap-success
ldeny-dhcp
ArubaOS 7.4 | CLI Reference Guide aaa authentication dot1x | 20
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136
  • Page 137 137
  • Page 138 138
  • Page 139 139
  • Page 140 140
  • Page 141 141
  • Page 142 142
  • Page 143 143
  • Page 144 144
  • Page 145 145
  • Page 146 146
  • Page 147 147
  • Page 148 148
  • Page 149 149
  • Page 150 150
  • Page 151 151
  • Page 152 152
  • Page 153 153
  • Page 154 154
  • Page 155 155
  • Page 156 156
  • Page 157 157
  • Page 158 158
  • Page 159 159
  • Page 160 160
  • Page 161 161
  • Page 162 162
  • Page 163 163
  • Page 164 164
  • Page 165 165
  • Page 166 166
  • Page 167 167
  • Page 168 168
  • Page 169 169
  • Page 170 170
  • Page 171 171
  • Page 172 172
  • Page 173 173
  • Page 174 174
  • Page 175 175
  • Page 176 176
  • Page 177 177
  • Page 178 178
  • Page 179 179
  • Page 180 180
  • Page 181 181
  • Page 182 182
  • Page 183 183
  • Page 184 184
  • Page 185 185
  • Page 186 186
  • Page 187 187
  • Page 188 188
  • Page 189 189
  • Page 190 190
  • Page 191 191
  • Page 192 192
  • Page 193 193
  • Page 194 194
  • Page 195 195
  • Page 196 196
  • Page 197 197
  • Page 198 198
  • Page 199 199
  • Page 200 200
  • Page 201 201
  • Page 202 202
  • Page 203 203
  • Page 204 204
  • Page 205 205
  • Page 206 206
  • Page 207 207
  • Page 208 208
  • Page 209 209
  • Page 210 210
  • Page 211 211
  • Page 212 212
  • Page 213 213
  • Page 214 214
  • Page 215 215
  • Page 216 216
  • Page 217 217
  • Page 218 218
  • Page 219 219
  • Page 220 220
  • Page 221 221
  • Page 222 222
  • Page 223 223
  • Page 224 224
  • Page 225 225
  • Page 226 226
  • Page 227 227
  • Page 228 228
  • Page 229 229
  • Page 230 230
  • Page 231 231
  • Page 232 232
  • Page 233 233
  • Page 234 234
  • Page 235 235
  • Page 236 236
  • Page 237 237
  • Page 238 238
  • Page 239 239
  • Page 240 240
  • Page 241 241
  • Page 242 242
  • Page 243 243
  • Page 244 244
  • Page 245 245
  • Page 246 246
  • Page 247 247
  • Page 248 248
  • Page 249 249
  • Page 250 250
  • Page 251 251
  • Page 252 252
  • Page 253 253
  • Page 254 254
  • Page 255 255
  • Page 256 256
  • Page 257 257
  • Page 258 258
  • Page 259 259
  • Page 260 260
  • Page 261 261
  • Page 262 262
  • Page 263 263
  • Page 264 264
  • Page 265 265
  • Page 266 266
  • Page 267 267
  • Page 268 268
  • Page 269 269
  • Page 270 270
  • Page 271 271
  • Page 272 272
  • Page 273 273
  • Page 274 274
  • Page 275 275
  • Page 276 276
  • Page 277 277
  • Page 278 278
  • Page 279 279
  • Page 280 280
  • Page 281 281
  • Page 282 282
  • Page 283 283
  • Page 284 284
  • Page 285 285
  • Page 286 286
  • Page 287 287
  • Page 288 288
  • Page 289 289
  • Page 290 290
  • Page 291 291
  • Page 292 292
  • Page 293 293
  • Page 294 294
  • Page 295 295
  • Page 296 296
  • Page 297 297
  • Page 298 298
  • Page 299 299
  • Page 300 300
  • Page 301 301
  • Page 302 302
  • Page 303 303
  • Page 304 304
  • Page 305 305
  • Page 306 306
  • Page 307 307
  • Page 308 308
  • Page 309 309
  • Page 310 310
  • Page 311 311
  • Page 312 312
  • Page 313 313
  • Page 314 314
  • Page 315 315
  • Page 316 316
  • Page 317 317
  • Page 318 318
  • Page 319 319
  • Page 320 320
  • Page 321 321
  • Page 322 322
  • Page 323 323
  • Page 324 324
  • Page 325 325
  • Page 326 326
  • Page 327 327
  • Page 328 328
  • Page 329 329
  • Page 330 330
  • Page 331 331
  • Page 332 332
  • Page 333 333
  • Page 334 334
  • Page 335 335
  • Page 336 336
  • Page 337 337
  • Page 338 338
  • Page 339 339
  • Page 340 340
  • Page 341 341
  • Page 342 342
  • Page 343 343
  • Page 344 344
  • Page 345 345
  • Page 346 346
  • Page 347 347
  • Page 348 348
  • Page 349 349
  • Page 350 350
  • Page 351 351
  • Page 352 352
  • Page 353 353
  • Page 354 354
  • Page 355 355
  • Page 356 356
  • Page 357 357
  • Page 358 358
  • Page 359 359
  • Page 360 360
  • Page 361 361
  • Page 362 362
  • Page 363 363
  • Page 364 364
  • Page 365 365
  • Page 366 366
  • Page 367 367
  • Page 368 368
  • Page 369 369
  • Page 370 370
  • Page 371 371
  • Page 372 372
  • Page 373 373
  • Page 374 374
  • Page 375 375
  • Page 376 376
  • Page 377 377
  • Page 378 378
  • Page 379 379
  • Page 380 380
  • Page 381 381
  • Page 382 382
  • Page 383 383
  • Page 384 384
  • Page 385 385
  • Page 386 386
  • Page 387 387
  • Page 388 388
  • Page 389 389
  • Page 390 390
  • Page 391 391
  • Page 392 392
  • Page 393 393
  • Page 394 394
  • Page 395 395
  • Page 396 396
  • Page 397 397
  • Page 398 398
  • Page 399 399
  • Page 400 400
  • Page 401 401
  • Page 402 402
  • Page 403 403
  • Page 404 404
  • Page 405 405
  • Page 406 406
  • Page 407 407
  • Page 408 408
  • Page 409 409
  • Page 410 410
  • Page 411 411
  • Page 412 412
  • Page 413 413
  • Page 414 414
  • Page 415 415
  • Page 416 416
  • Page 417 417
  • Page 418 418
  • Page 419 419
  • Page 420 420
  • Page 421 421
  • Page 422 422
  • Page 423 423
  • Page 424 424
  • Page 425 425
  • Page 426 426
  • Page 427 427
  • Page 428 428
  • Page 429 429
  • Page 430 430
  • Page 431 431
  • Page 432 432
  • Page 433 433
  • Page 434 434
  • Page 435 435
  • Page 436 436
  • Page 437 437
  • Page 438 438
  • Page 439 439
  • Page 440 440
  • Page 441 441
  • Page 442 442
  • Page 443 443
  • Page 444 444
  • Page 445 445
  • Page 446 446
  • Page 447 447
  • Page 448 448
  • Page 449 449
  • Page 450 450
  • Page 451 451
  • Page 452 452
  • Page 453 453
  • Page 454 454
  • Page 455 455
  • Page 456 456
  • Page 457 457
  • Page 458 458
  • Page 459 459
  • Page 460 460
  • Page 461 461
  • Page 462 462
  • Page 463 463
  • Page 464 464
  • Page 465 465
  • Page 466 466
  • Page 467 467
  • Page 468 468
  • Page 469 469
  • Page 470 470
  • Page 471 471
  • Page 472 472
  • Page 473 473
  • Page 474 474
  • Page 475 475
  • Page 476 476
  • Page 477 477
  • Page 478 478
  • Page 479 479
  • Page 480 480
  • Page 481 481
  • Page 482 482
  • Page 483 483
  • Page 484 484
  • Page 485 485
  • Page 486 486
  • Page 487 487
  • Page 488 488
  • Page 489 489
  • Page 490 490
  • Page 491 491
  • Page 492 492
  • Page 493 493
  • Page 494 494
  • Page 495 495
  • Page 496 496
  • Page 497 497
  • Page 498 498
  • Page 499 499
  • Page 500 500
  • Page 501 501
  • Page 502 502
  • Page 503 503
  • Page 504 504
  • Page 505 505
  • Page 506 506
  • Page 507 507
  • Page 508 508
  • Page 509 509
  • Page 510 510
  • Page 511 511
  • Page 512 512
  • Page 513 513
  • Page 514 514
  • Page 515 515
  • Page 516 516
  • Page 517 517
  • Page 518 518
  • Page 519 519
  • Page 520 520
  • Page 521 521
  • Page 522 522
  • Page 523 523
  • Page 524 524
  • Page 525 525
  • Page 526 526
  • Page 527 527
  • Page 528 528
  • Page 529 529
  • Page 530 530
  • Page 531 531
  • Page 532 532
  • Page 533 533
  • Page 534 534
  • Page 535 535
  • Page 536 536
  • Page 537 537
  • Page 538 538
  • Page 539 539
  • Page 540 540
  • Page 541 541
  • Page 542 542
  • Page 543 543
  • Page 544 544
  • Page 545 545
  • Page 546 546
  • Page 547 547
  • Page 548 548
  • Page 549 549
  • Page 550 550
  • Page 551 551
  • Page 552 552
  • Page 553 553
  • Page 554 554
  • Page 555 555
  • Page 556 556
  • Page 557 557
  • Page 558 558
  • Page 559 559
  • Page 560 560
  • Page 561 561
  • Page 562 562
  • Page 563 563
  • Page 564 564
  • Page 565 565
  • Page 566 566
  • Page 567 567
  • Page 568 568
  • Page 569 569
  • Page 570 570
  • Page 571 571
  • Page 572 572
  • Page 573 573
  • Page 574 574
  • Page 575 575
  • Page 576 576
  • Page 577 577
  • Page 578 578
  • Page 579 579
  • Page 580 580
  • Page 581 581
  • Page 582 582
  • Page 583 583
  • Page 584 584
  • Page 585 585
  • Page 586 586
  • Page 587 587
  • Page 588 588
  • Page 589 589
  • Page 590 590
  • Page 591 591
  • Page 592 592
  • Page 593 593
  • Page 594 594
  • Page 595 595
  • Page 596 596
  • Page 597 597
  • Page 598 598
  • Page 599 599
  • Page 600 600
  • Page 601 601
  • Page 602 602
  • Page 603 603
  • Page 604 604
  • Page 605 605
  • Page 606 606
  • Page 607 607
  • Page 608 608
  • Page 609 609
  • Page 610 610
  • Page 611 611
  • Page 612 612
  • Page 613 613
  • Page 614 614
  • Page 615 615
  • Page 616 616
  • Page 617 617
  • Page 618 618
  • Page 619 619
  • Page 620 620
  • Page 621 621
  • Page 622 622
  • Page 623 623
  • Page 624 624
  • Page 625 625
  • Page 626 626
  • Page 627 627
  • Page 628 628
  • Page 629 629
  • Page 630 630
  • Page 631 631
  • Page 632 632
  • Page 633 633
  • Page 634 634
  • Page 635 635
  • Page 636 636
  • Page 637 637
  • Page 638 638
  • Page 639 639
  • Page 640 640
  • Page 641 641
  • Page 642 642
  • Page 643 643
  • Page 644 644
  • Page 645 645
  • Page 646 646
  • Page 647 647
  • Page 648 648
  • Page 649 649
  • Page 650 650
  • Page 651 651
  • Page 652 652
  • Page 653 653
  • Page 654 654
  • Page 655 655
  • Page 656 656
  • Page 657 657
  • Page 658 658
  • Page 659 659
  • Page 660 660
  • Page 661 661
  • Page 662 662
  • Page 663 663
  • Page 664 664
  • Page 665 665
  • Page 666 666
  • Page 667 667
  • Page 668 668
  • Page 669 669
  • Page 670 670
  • Page 671 671
  • Page 672 672
  • Page 673 673
  • Page 674 674
  • Page 675 675
  • Page 676 676
  • Page 677 677
  • Page 678 678
  • Page 679 679
  • Page 680 680
  • Page 681 681
  • Page 682 682
  • Page 683 683
  • Page 684 684
  • Page 685 685
  • Page 686 686
  • Page 687 687
  • Page 688 688
  • Page 689 689
  • Page 690 690
  • Page 691 691
  • Page 692 692
  • Page 693 693
  • Page 694 694
  • Page 695 695
  • Page 696 696
  • Page 697 697
  • Page 698 698
  • Page 699 699
  • Page 700 700
  • Page 701 701
  • Page 702 702
  • Page 703 703
  • Page 704 704
  • Page 705 705

Aruba S3500-24T User guide

Category
Software
Type
User guide

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI