Dell W-IAP214, W-IAP224, W-IAP108, W-IAP274, W-IAP204 User Manual
...
Dell Networking W-Series
ArubaOS 6.5.x
Command-Line Interface
Reference Guide
Copyright Information
©Copyright 2016 Hewlett PackardEnterpriseDevelopment LP. Dell™,theDELL™logo,andPowerConnect™ aretrademarksof DellInc.
Allrightsreserved. Specificationsinthismanualaresubject tochangewithout notice.
OriginatedintheUSA. Allothertrademarksaretheproperty of theirrespectiveowners.
Open Source Code
Thisproduct includescodelicensedundertheGNU GeneralPublicLicense,theGNU LesserGeneralPublic License,and/orcertainotheropensourcelicenses.
2| |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
Revision History
Thefollowingtableprovidestherevisionhistory of thisdocument.
Table 1: Revision History
Revision |
Change Description |
Revision01 |
Initial release. |
|
|
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
| 3 |
The ArubaOS Command-Line Interface
TheDellNetworkingW-SeriesArubaOS6.5.xcommand-lineinterface(CLI)allowsyoutoconfigureandmanage Dellcontrollers. TheCLI isaccessiblefromalocalconsoleconnectedtotheserialport onthecontrollersor throughaTelnet orSecureShell(SSH)sessionfromaremotemanagement consoleorworkstation.
Telnetaccess is disabledby default. Toenable Telnetaccess, enter the telnet CLIcommandfrom a serial connection or anSSH session, or inthe WebUInavigate tothe Configuration > Management > General page.
What’s New in ArubaOS 6.5.x
Thissectionliststhecommandsintroduced,modified,ordeprecatedinArubaOS6.5.x.
Commands in ArubaOS 6.5.0.0
New Commands
ThefollowingnewcommandsareintroducedinArubaOS6.5.0.0:
Command |
Description |
apconsolidated-provision |
This commandstores the consolidatedAP-provisionedinformationof |
info |
all APs connectedtoa controller inthe ap_provision_info.txt file. |
|
|
block-redirect-url |
This commandredirects the user sessiontoanexternal splashpage |
|
whenitencounters a webcc deny policy. |
|
|
crypto-local isakmpallow- |
This commandallows the controller toacceptthe subnets published |
via-subnet-routes |
by VIA-clients. By default, this feature is disabled. |
|
|
ipreputation |
This commandblocks connectivity toIPaddresses classifiedas |
|
malicious. |
|
|
ipprobe health-check |
This command configures WAN health-check ping-probes for measuring |
|
WAN availability and latency on branch controller uplinks. |
|
|
ntpstandalone |
This commandenables or disables controller toactas NTPserver. |
|
|
showapconsolidated- |
This commanddisplays the consolidatedAP-provisionedinformation |
provisioninfo |
for anaccess pointconnectedtothe controller. |
|
|
showip-reputation |
This commanddisplays the IPReputationstatus of various services. |
|
|
showiphealth-check |
Display the health-checkstatus of the uplinkinterfaces of a branch- |
|
office controller. |
|
|
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
The ArubaOS Command-Line Interface | 4 |
Command |
Description |
showucc dns-ip-learning |
This commanddisplays the carrier’s evolvedPacketData Gateway |
|
(ePDG) IPaddress learnedby the controller. This commandis specific |
|
for Wi-Fi calling clients. |
|
|
showvoice facetime |
This commanddisplays the user configuredpatternthatis matched |
|
againstthe User-Agentfieldof the SIPmessages todetermine if the |
|
sessionis a Facetime session. |
|
|
showvoice wificalling |
This commanddisplays the Wi-Fi Calling ALG configurationonthe |
|
controller. |
|
|
showweb-proxy |
This commanddisplays informationaboutthe portandserver |
|
configuredfor the web-proxy. |
|
|
ssh |
This commandinitiate anSSH sessionfrom the controller toa remote |
|
host. |
|
|
telnet |
This commandinitiate a telnetsessionfrom the controller toa |
|
remote host. |
|
|
voice facetime |
This commandconfigures a patternpresentinthe user-agentfieldof |
|
the SIPsignaling message header todetermine if the media session |
|
is a Facetime session. |
|
|
voice wificalling |
This commandconfigures Wi-Fi Calling onthe controller. |
|
|
web-proxy server |
This commandconfigures the web-proxy server relatedinformation. |
|
|
Modified Commands
ThefollowingcommandsaremodifiedinArubaOS6.5.0.0:
Command |
Description |
|
aaa authenticationvia |
The ocsp-responder enable subcommandis introduced. |
|
connection-profile |
|
|
|
|
|
aaa profile |
The username-from-dhcp-opt12 parameter is introduced. |
|
|
|
|
apregulatory-domain-profile |
The valid-11a-160mhz-channel-group parameter is introduced. |
|
|
|
|
apsystem-profile |
The following newparameters are introduced: |
|
|
• ap-console-password |
|
|
• ap-console-protection |
|
|
• |
console-log-lvl |
|
• disable-tftp-image-upgrade |
|
|
• |
secondary-master |
|
|
|
5| The ArubaOS Command-Line Interface |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
Command |
Description |
|
apwired-port-profile |
The portfast and portfast-trunk parameters are introduced. |
|
|
|
|
clear |
The port-security-error gigabitethernet <slot>/<module>/<port> |
|
|
parameter is introduced. This clears the port-security error from a |
|
|
gigabitEthernetIEEE 802.3 interface. |
|
|
|
|
copy |
The flash: parameter is introducedtocopy files from anFTPserver. |
|
|
|
|
web-server profile |
The excludes security headers is introducedtoexclude security |
|
|
headers from HTTPresponse. |
|
|
|
|
firewall |
The ip-classification parameter is introduced. |
|
|
|
|
interface fastethernet| |
The switchport port-security maximum commandis modifiedto |
|
gigabitethernet |
include level and interval sub-parameters. For level, the default |
|
|
value is logging. |
|
|
|
|
ipaccess-listip-geolocation |
The ip-geolocation parameter is introduced. |
|
|
|
|
ipradius |
The nas-vlan <nas-vlan> parameter is introduced, whichallows you |
|
|
toconfigure a RADIUS NAS IPfor a branchcontroller witha VLAN ID. |
|
|
|
|
ipprobe default |
The jitterparameter is introduced. |
|
|
|
|
mgmt-user |
The console-block parameter is introduced. |
|
|
|
|
mgmt-user |
The name parameter is introduced. |
|
|
|
|
rf arm-profile |
The following parameters are introduced. |
|
|
• |
160MHz-support |
|
• interfering-ap-weight |
|
|
• |
dynamic-bw |
|
• dynamic-bw-beacon-failed-thresh |
|
|
• dynamic-bw-cca-ibss-thresh |
|
|
• dynamic-bw-cca-intf-thresh |
|
|
• dynamic-bw-clear-time |
|
|
• dynamic-bw-wait-time |
|
|
|
|
rf dot11a-radio-profile |
The upper limitfor the beacon-period parameter is setto2000 |
|
|
milliseconds. |
|
|
|
|
rf dot11g-radio-profile |
The upper limitfor the beacon-period parameter is setto2000 |
|
|
milliseconds. |
|
|
|
|
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
The ArubaOS Command-Line Interface | 6 |
Command |
Description |
|
showaparm history |
The Result columnis introducedtothe outputof this commandto |
|
|
indicate the status of the requestedchange inchannel or EIRPby |
|
|
ARM. |
|
|
|
|
showapdebug portstatus |
The Portfast parameter is introduced. |
|
|
|
|
showapportstatus |
The Portfast parameter is introduced. |
|
|
|
|
showapregulatory-domain- |
The Valid 802.11a 160MHz channel group parameter is introduced. |
|
profile |
|
|
|
|
|
showapsystem-profile |
The following parameters are introducedas partof the outputof this |
|
|
command: |
|
|
• |
Secondary Master IP/FQDN |
|
• Disable RAP Tftp Image Upgrade |
|
|
• |
AP Console Protection |
|
• |
AP Console Password |
|
|
|
showcrypto-local isakmp |
The allow-via-subnet-routes parameter is introduced. |
|
|
|
|
showdatapath |
The following IPClassificationrelatedparameters are introduced: |
|
|
• |
ip-geolocation [counters] |
|
• |
ip-reputation [counters|rtc] |
|
• session ip-classification |
|
|
|
|
showipaccess-list |
The global-geolocation-acl is introduced. |
|
|
|
|
showfirewall |
The IP classification parameter is introduced. |
|
|
|
|
showrf arm-profile |
The following parameters are introducedas partof the outputof this |
|
|
command: |
|
|
• |
160MHz-support |
|
• |
Interfering AP Weight |
|
• |
Dynamic Bandwidth Switch |
|
• Dynamic Bandwidth Switch Wait Time (sec) |
|
|
• Dynamic Bandwidth Switch Triggering Indicator CCA ibss |
|
|
|
Threshold (%) |
|
• Dynamic Bandwidth Switch Triggering Indicator Beacon |
|
|
|
Failed Threshold |
|
• Dynamic Bandwidth Switch Triggering Indicator CCA intf |
|
|
|
Threshold (%) |
|
• Dynamic Bandwidth Switch Clear Time (min) |
|
|
|
|
7| The ArubaOS Command-Line Interface |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
Command |
Description |
|
showsnmptrap-list |
The following parameters are introducedas partof the outputof this |
|
|
command: |
|
|
• |
wlsxAPDown |
|
• |
wlsxAPUp |
|
|
|
showucc call-infocdrs |
The WiFi-Calling applicationparameter is introduced. |
|
|
|
|
showucc client-info |
The WiFi-Calling applicationparameter is introduced. |
|
|
|
|
showucc statistics |
The WiFi-Calling applicationparameter is introduced. |
|
|
|
|
showweb-server |
The Exclude Security Headers from HTTP Response parameter is |
|
|
introduced. |
|
|
|
|
showwlanvoip-cac-profile |
The Allow Idle VOIP Client parameter is introduced. |
|
|
|
|
web-server profile |
The exclude-http-security parameter is introduced. |
|
|
|
|
wlanvirtual-ap |
The cellular-handoff-assist parameter is introduced. This setting |
|
|
cannowbe appliedtoindividual virtual APs via the wlanvirtual-ap |
|
|
profile, andcanhelpa dual-mode, 3G/4G-capable Wi-Fi device such |
|
|
as aniPhone, iPad, or Androidclientatthe edge of Wi-Fi network |
|
|
coverage switchfrom Wi-Fi toanalternate 3G/4G radiothatprovides |
|
|
better networkaccess. |
|
|
|
|
wlanvoip-cac-profile |
The allow-idle-voip-client parameter is introduced. |
|
|
|
|
Deprecated Commands
ThefollowingcommandsaredeprecatedinArubaOS6.5.0.0:
Command |
Description |
apsystem-profile |
The shell-passwd parameter is deprecated. |
|
|
showapsystem-profile |
The Shell Password parameter is deprecatedfrom the outputof this |
|
command. |
|
|
About this Guide
ThisguidedescribestheDellNetworkingW-SeriesArubaOS6.5.xcommandsyntax. Thecommandsinthis guidearelistedalphabetically.
Thefollowinginformationisprovidedforeachcommand:
•CommandSyntax—Thecompletesyntaxof thecommand.
•Description—Abrief descriptionof thecommand.
•Syntax—Adescriptionof thecommandparameters,includinglicenserequirementsforspecificparameters if needed. Theapplicablerangesanddefault values,if any,arealsoincluded.
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
The ArubaOS Command-Line Interface | 8 |
•UsageGuidelines—Informationtohelpyouusethecommand,including: prerequisites,prohibitions,and relatedcommands.
•Example—Anexampleof howtousethecommand.
•CommandHistory—Theversionof ArubaOSinwhichthecommandwasfirst introduced. Modificationsand changestothecommandarealsonoted.
•CommandInformation—Thistabledescribesany licensingrequirements,commandmodesandplatforms forwhichthiscommandisapplicable. Formoreinformationabout availablelicenses,seetheLicenses chapterof theDellNetworking W-Series ArubaOS 6.5.xUserGuide.
Connecting to the Controller
Thissectiondescribeshowtoconnect tothecontrollertousetheCLI.
Serial Port Connection
Theserialport islocatedonthefront panelof thecontroller. Connect aterminalorPC/workstationrunninga terminalemulationprogramtotheserialport onthecontrollertousetheCLI. Configureyourterminalor terminalemulationprogramtousethefollowingcommunicationsettings.
Baud Rate |
Data Bits |
Parity |
Stop Bits |
Flow Control |
9600 |
8 |
None |
1 |
None |
|
|
|
|
|
The Dell W-7200 Series controller supports baudrates between9600 and115200.
Telnet or SSH Connection
Telnet orSSH accessrequiresthat youconfigureanIPaddressandadefault gateway onthecontrollerand connect thecontrollertoyournetwork. Thisistypically performedwhenyouruntheInitialSetuponthe controller,asdescribedintheDellNetworking W-Series ArubaOS 6.5.xQuick StartGuide. Incertaindeployments, youcanalsoconfigurealoopbackaddressforthecontroller; seeinterfaceloopbackonpage458 formore information.
Configuration changes on Master Controllers
Somecommandscanonly beissuedwhenconnectedtoamastercontroller. If youmakeaconfiguration changeonamastercontroller,allconnectedlocalcontrollerswillsubsequently updatetheirconfigurationsas well. Youcanmanually synchronizeallof thecontrollersat any timeby savingtheconfigurationonthemaster controller.
CLI Access
Whenyouconnect tothecontrollerusingtheCLI,thesystemdisplaysitshost namefollowedby thelogin prompt. Loginusingtheadminuseraccount andthepasswordyouenteredduringtheInitialSetuponthe controller(thepassworddisplaysasasterisks). Forexample:
(host) User: admin
Password: *****
Whenyouareloggedin,theusermodeCLI prompt displays. Forexample:
9| The ArubaOS Command-Line Interface |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
(host) >
Usermodeprovidesonly limitedaccessforbasicoperationaltestingsuchasrunningping and traceroute.
Certainmanagement functionsareavailableinenable(alsocalled“privileged”)mode. Tomovefromusermode toenablemoderequiresyoutoenteranadditionalpasswordthat youenteredduringtheInitialSetup(the passworddisplaysasasterisks). Forexample:
(host) > enable Password: ******
Whenyouareinenablemode,the> prompt changestoapoundsign(#):
(host) #
Configurationcommandsareavailablein config mode. Movefromenablemodetoconfigmodeby entering configure terminal at the# prompt:
(host) # configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
Whenyouareinbasicconfigmode,(config)appearsbeforethe# prompt:
(host) (config) #
There are several other subcommandmodes thatallowusers toconfigure individual interfaces, subinterfaces, loopbackaddresses, GRE tunnels andcellular profiles. For details onthe prompts andthe available commands for eachof these modes, see AppendixA:CommandModes onpage 2389.
Command Help
Youcanusethequestionmark(?)toviewvarioustypesof commandhelp.
Whentypedat thebeginningof aline,thequestionmarklistsallthecommandsavailableinyourcurrent mode orsub-mode. Abrief explanationfollowseachcommand. Forexample:
(host) > ?
enable |
Turn on Privileged commands |
logout |
Exit this session. Any unsaved changes are lost. |
ping |
Send ICMP echo packets to a specified IP address. |
traceroute |
Trace route to specified IP address. |
Whentypedat theendof apossiblecommandorabbreviation,thequestionmarkliststhecommandsthat match(if any). Forexample:
(host) > c?
clear |
Clear configuration |
clock |
Configure the system clock |
configure |
Configuration Commands |
copy |
Copy Files |
If morethanoneitemisshown,typemoreof thekeywordcharacterstodistinguishyourchoice. However,if only oneitemislisted,thekeywordorabbreviationisvalidandyoucanpresstaborthespacebartoadvance tothenext keyword.
Whentypedinplaceof aparameter,thequestionmarkliststheavailableoptions. Forexample:
(host) # write ? |
Erase and start from scratch |
erase |
|
file |
Write to a file in the file system |
memory |
Write to memory |
terminal |
Write to terminal |
<cr> |
|
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
The ArubaOS Command-Line Interface | 10 |
The<cr> indicatesthat thecommandcanbeenteredwithout additionalparameters. Any otherparametersare optional.
Command Completion
Tomakecommandinput easier,youcanusually abbreviateeachkey wordinthecommand. Youneedtype only enoughof eachkeywordtodistinguishit fromsimilarcommands. Forexample:
(host) # configure terminal
couldalsobeenteredas:
(host) # con t
Threecharacters(con)represent theshortest abbreviationallowedforconfigure. Typingonly c orcowould not workbecausethereareothercommands(likecopy)whichalsobeginwiththoseletters. Theconfigure commandistheonly onethat beginswith con.
Asyoutype,youcanpressthespacebarortabtomovetothenext keyword. Thesystemthenattemptsto expandtheabbreviationforyou. If thereisonly onecommandkeywordthat matchestheabbreviation,it is filledinforyouautomatically. If theabbreviationistoovague(toofewcharacters),thecursordoesnot advanceandyoumust typemorecharactersorusethehelpfeaturetolist thematchingcommands.
Deleting Configuration Settings
Usethenocommandtodeleteornegatepreviously-enteredconfigurationsorparameters.
•Toviewalist of nocommands,typenoat theenableorconfigprompt followedby thequestionmark. For example:
(host) (config) # no?
•Todeleteaconfiguration,usethenoformof aconfigurationcommand. Forexample,thefollowing commandremovesaconfigureduserrole:
(host) (config) # no user-role <name>
•Tonegateaspecificconfiguredparameter,usethenoparameterwithinthecommand. Forexample,the followingcommandsdeletetheDSCPpriority mapforapriority mapconfiguration:
(host) (config) # priority-map <name>
(host) (config-priority-map) # no dscp priority high
Saving Configuration Changes
EachDellcontrollercontainstwodifferent typesof configurationimages.
•Therunning-config holdsthecurrent controllerconfiguration,includingallpendingchangeswhichhaveyet tobesaved. Toviewtherunning-config,usethefollowingcommand:
(host) # show running-config
•Thestartup config holdstheconfigurationwhichwillbeusedthenext timethecontrollerisrebooted. It containsalltheoptionslast savedusingthewrite memory command. Toviewthestartup-config,usethe followingcommand:
(host) # show startup-config
WhenyoumakeconfigurationchangesviatheCLI,thosechangesaffect thecurrent runningconfiguration only. If thechangesarenot saved,they willbelost afterthecontrollerreboots. Tosaveyourconfiguration changessothey areretainedinthestartupconfigurationafterthecontrollerreboots,usethefollowing commandinenablemode:
(host) # write memory
Saving Configuration...
Saved Configuration
11| The ArubaOS Command-Line Interface |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
Boththestartupandrunningconfigurationscanalsobesavedtoafileorsent toaTFTPserverforbackupor transfertoanothersystem.
Commands That Reset the Controller or AP
If youusetheCLI tomodify acurrently provisionedandrunningradioprofile,thosechangestakeplace immediately; youdonot reboot thecontrollerortheAPforthechangestoaffect thecurrent running configuration. Certaincommands,however,automatically forcethecontrollerorAPtoreboot. Youmay want toconsidercurrent networkloadsandconditionsbeforeissuingthesecommands,asthey may causea momentary disruptioninserviceastheunit resets. Notealsothat changingthelms-ipparameterinanAP systemprofileassociatedwithanAPgroupwillcauseallAPsinthat APgrouptoreboot.
Table 2: ResetCommands
Commands that Reset an AP
•ap-regroup
•ap-rename
•apboot
•provision-ap
•apwired-ap-profile <profile> forward-mode {bridge|splittunnel|tunnel}
•wlanvirtual-ap<profile-name> {aaa-profile <profilename> |forward-mode {tunnel|bridge|split- tunnel|decrypt-tunnel} |ssid-profile <profile-name>|vlan <vlan>...}
•apsystem-profile <profile> {bootstrap-threshold <number> |lms-ip<ipaddr> |}
•wlanssid-profile <profile-name> {battery-boost|deny- bcast|essid|opmode|strict-svp|wepkey1 <key> |wepkey2 <key>|wepkey3 <key>|wepkey4 <key>|weptxkey <index> |wmm |wmm-be-dscp<best- effort>|wmm-bk-dscp<background>|wmm-ts-min-inact- int<milliseconds>|wmm-vi-dscp<video>|wmm-vo-dscp <voice>|wpa-hexkey <psk> |wpa-passphrase <string> }
•wlandotllk<profile-name> {bcn-measurement- mode|dot11k-enable|force-dissasoc
Commands that Reset a Controller
•reload
Typographic Conventions
Thefollowingconventionsareusedthroughout thismanualtoemphasizeimportant concepts:
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
The ArubaOS Command-Line Interface | 12 |
Table 3: TextConventions
Type Style |
Description |
Italics |
This style is usedtoemphasize importantterms and |
|
tomarkthe titles of books. |
|
|
Boldface |
This style is usedtoemphasize commandnames |
|
andparameter options whenmentionedinthe text. |
|
|
Commands |
This fixed-widthfontdepicts commandsyntaxand |
|
examples of commands andcommandoutput. |
|
|
<angle brackets> |
Inthe commandsyntax, textwithinangle brackets |
|
represents items thatyoushouldreplace with |
|
informationappropriate toyour specific situation. |
|
For example: |
|
ping <ipaddr> |
|
Inthis example, youwouldtype “ping”atthe system |
|
promptexactly as shown, followedby the IPaddress |
|
of the system towhichICMPechopackets are tobe |
|
sent. Donottype the angle brackets. |
|
|
[square brackets] |
Inthe commandsyntax, items enclosedinbrackets |
|
are optional. Donottype the brackets. |
|
|
{Item_A|Item_B} |
Inthe commandexamples, single items within |
|
curledbraces andseparatedby a vertical bar |
|
representthe available choices. Enter only one |
|
choice. Donottype the braces or bars. |
|
|
{ap-name <ap-name>}|{ipaddr <ip-addr>} |
Twoitems withincurledbraces indicate thatboth |
|
parameters mustbe enteredtogether. If twoor |
|
more sets of curledbraces are separatedby a |
|
vertical bar, like inthe example tothe left, enter only |
|
one choice Donottype the braces or bars. |
|
|
Command Line Editing
Thesystemrecordsyourmost recently enteredcommands. Youcanreviewthehistory of youractions,or reissuearecent commandeasily,without havingtoretypeit.
Toviewitemsinthecommandhistory,usetheup arrowkey tomovebackthroughthelist andthedown arrow key tomoveforward. Toreissueaspecificcommand,pressEnter whenthecommandappearsinthe commandhistory. Youcanevenusethecommandlineeditingfeaturetomakechangestothecommandprior toenteringit. Thecommandlineeditingfeatureallowsyoutomakecorrectionsorchangestoacommand without retyping. Table1 liststheeditingcontrols. Tousekey shortcuts,pressandholdtheCtrl buttonwhile youpressaletterkey.
13| The ArubaOS Command-Line Interface |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
Table 4: LineEditing Keys
Key |
Effect |
Description |
Ctrl A |
Home |
Move the cursor tothe beginning of the line. |
|
|
|
Ctrl B or the |
Back |
Move the cursor one character left. |
leftarrow |
|
|
|
|
|
Ctrl D |
Delete Right |
Delete the character tothe rightof the cursor. |
|
|
|
Ctrl E |
End |
Move the cursor tothe endof the line. |
|
|
|
Ctrl F or the |
Forward |
Move the cursor one character right. |
rightarrow |
|
|
|
|
|
Ctrl K |
Delete Right |
Delete all characters tothe rightof the cursor. |
|
|
|
Ctrl N or the |
Next |
Display the nextcommandinthe command |
downarrow |
|
history. |
|
|
|
Ctrl P or |
Previous |
Display the previous commandinthe |
uparrow |
|
commandhistory. |
|
|
|
Ctrl T |
Transpose |
Swapthe character tothe leftof the cursor |
|
|
withthe character tothe rightof the cursor. |
|
|
|
Ctrl U |
Clear |
Clear the line. |
|
|
|
Ctrl W |
Delete Word |
Delete the characters from the cursor upto |
|
|
andincluding the firstspace encountered. |
|
|
|
Ctrl X |
Delete Left |
Delete all characters tothe leftof the cursor. |
|
|
|
Specifying Addresses and Identifiers in Commands
Thissectiondescribesaddressesandotheridentifiersthat youcanreferenceinCLI commands.
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
The ArubaOS Command-Line Interface | 14 |
Table 5: Addresses and Identifiers
Address/Identifier |
Description |
IPaddress |
For any commandthatrequires entry of anIPaddress tospecify a network |
|
entity, use IPv4 networkaddress formatinthe conventional dotteddecimal |
|
notation(for example, 10.4.1.258). |
|
|
Netmaskaddress |
For subnetaddresses, specify a netmaskindotteddecimal notation(for |
|
example, 255.255.255.0). |
|
|
Media Access |
For any commandthatrequires entry of a device’s hardware address, use the |
Control (MAC) |
hexadecimal format(for example, 00:05:4e:50:14:aa). |
address |
|
|
|
Service SetIdentifier |
A unique character string (sometimes referredtoas a networkname), |
(SSID) |
consisting of nomore than32 characters. The SSID is case-sensitive (for |
|
example, WLAN-01). |
|
|
Basic Service Set |
This entry is the unique hard-wireless MAC address of the AP. A unique BSSID |
Identifier (BSSID) |
applies toeachfrequency— 802.11a and802.11g—usedfrom the AP. Use the |
|
same formatas for a MAC address. |
|
|
ExtendedService |
Typically the unique logical name of a wireless network. If the ESSID includes |
SetIdentifier (ESSID) |
spaces, youmustenclose the name inquotationmarks. |
|
|
FastEthernetor |
Any commandthatreferences a FastEthernetor GigabitEthernetinterface |
GigabitEthernet |
requires thatyouspecify the corresponding portonthe controller inthe |
interface |
format<slot>/<module>/<port>. |
|
Use the show port status commandtoobtainthe interface information |
|
currently available from a controller. |
|
|
15| The ArubaOS Command-Line Interface |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
Contacting Dell
Table 6: ContactInformation
Web Site Support
MainWebsite dell.com
ContactInformation dell.com/contactdell
SupportWebsite dell.com/support
DocumentationWebsite dell.com/support/manuals
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
The ArubaOS Command-Line Interface | 16 |
aaa auth-survivability
aaa auth-survivability cache-lifetime enable
server-cert
Description
ThiscommandconfiguresAuthenticationSurvivability ona controller.
Syntax
Parameter |
Description |
Default |
cache-lifetime <hrs> |
This parameter specifies the lifetime inhours for the |
24 hours |
|
cachedaccess credential inthe local Survival Server. When |
|
|
the specifiedcache-lifetime expires, the cachedaccess |
|
|
credential is deletedfrom the controller. |
|
|
The validrange is from 1 to72 hours. |
|
|
|
|
enable |
This parameter controls whether touse the Survival Server |
Disabled |
|
whennoother servers inthe server groupare in-service. |
|
|
This parameter alsocontrols whether tostore the user |
|
|
access credential inthe Survival Server whenitis |
|
|
authenticatedby anexternal RADIUS or LDAPserver inthe |
|
|
server group. AuthenticationSurvivability is enabledor |
|
|
disabledoneachcontroller. |
|
|
NOTE: Authenticationsurvivability will notactivate if the |
|
|
AuthenticationServer DeadTime is configuredas 0 |
|
|
|
|
server-cert |
This parameter allows youtoviewthe name of the server |
— |
|
certificate usedby the local Survival Server. The local |
|
|
Survival Server is providedwitha defaultserver certificate |
|
|
from AOS. The customer server certificate mustbe |
|
|
importedintothe controller first, andthenyoucanassign |
|
|
the server certificate tothe local Survival Server. |
|
|
NOTE: Inthe deploymentenvironment, itis recommended |
|
|
thatyouswitchtoa customer server certificate. |
|
|
|
|
Usage Guidelines
Usethiscommandtoconfigureauthenticationsurvivability onastandalone,local,ormastercontroller.
Toconfigureauthenticationsurvivability onabranchcontroller,youmust usetheSmart ConfigWebUI. Onthe branchcontroller,navigateto Configuration > BRANCH> Smart Config.
Command History
Version Description
ArubaOS 6.4.3.0 |
Commandintroduced. |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
aaa auth-survivability | 17 |
Command Information
Platforms |
Licensing |
Command Mode |
W-7000 Series |
Base operating system |
Enable or Config mode oncontrollers |
|
|
|
18| aaa auth-survivability |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
aaa authentication captive-portal
aaa authentication captive-portal <profile> apple-cna-bypass
auth-protocol mschapv2|pap|chap black-list <black-list>
clone <source-profile> default-guest-role <role> default-role <role> enable-welcome-page guest-logon ip-addr-in-redirection <ipaddr> login-page <url>
logon-wait {cpu-threshold <percent>}|{maximum-delay <seconds>}|{minimum-delay <seconds>} logout-popup-window
max-authentication-failures <number> no ...
protocol-http redirect-pause <seconds> redirect-url <url> server-group <group-name> show-acceptable-use-policy show-fqdn
single-session switchip-in-redirection-url <ipaddr> url-hash-key <key> user-idle-timeout
user-logon user-vlan-in-redirection-url <vlan> welcome-page <url>
white-list <white-list>
Description
ThiscommandconfiguresaCaptivePortalauthenticationprofile.
Syntax
Parameter |
Description |
Range |
Default |
apple-cna-bypass |
Enable this knobtobypass Apple |
— |
|
|
CNA oniOS devices suchas iPad, |
|
|
|
iPhone, andiPod. Youneedto |
|
|
|
perform Captive Portal |
|
|
|
authenticationfrom browser. |
|
|
|
|
|
|
<profile> |
Name thatidentifies aninstance of |
— |
“default” |
|
the profile. The name mustbe 1-63 |
|
|
|
characters. |
|
|
|
|
|
|
authentication-protocol |
This parameter specifies the type |
mschap |
pap |
mschapv2|pap|chap |
of authenticationrequiredby this |
v2 |
|
|
profile, PAPis the default |
pap |
|
|
authenticationtype. |
|
|
|
|
|
|
|
|
chap |
|
|
|
|
|
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
aaa authentication captive-portal | 19 |
Parameter |
Description |
Range |
Default |
black-list |
Name of anexisting blacklistonan |
— |
— |
|
IPv4 or IPv6 networkdestination. |
|
|
|
The blacklistcontains websites |
|
|
|
(unauthenticated) thata guest |
|
|
|
cannotaccess. |
|
|
|
Specify a netdestinationhostor |
|
|
|
subnettoaddthatnetdestinationto |
|
|
|
the captive portal blacklist. |
|
|
|
If youhave notyetdefineda |
|
|
|
netdestination, use the CLI |
|
|
|
command netdestination todefine |
|
|
|
a destinationhostor subnetbefore |
|
|
|
youaddittothe blacklist. |
|
|
|
|
|
|
clone |
Name of anexisting Captive Portal |
— |
— |
|
profile from whichparameter |
|
|
|
values are copied. |
|
|
|
|
|
|
default-guest-role |
Role assignedtoguest. |
— |
guest |
|
|
|
|
default-role <role> |
Role assignedtothe Captive Portal |
— |
guest |
|
user whenthatuser logs in. When |
|
|
|
bothuser andguestlogons are |
|
|
|
enabled, the defaultrole applies to |
|
|
|
the user logon;users logging in |
|
|
|
using the guestinterface are |
|
|
|
assignedthe guestrole. |
|
|
|
|
|
|
enable-welcome- |
Displays the configuredwelcome |
enabled/ |
enabled |
page |
page before the user is redirected |
disabled |
|
|
totheir original URL. If this optionis |
|
|
|
disabled, redirectiontothe web |
|
|
|
URLhappens immediately after the |
|
|
|
user logs in. |
|
|
|
|
|
|
guest-logon |
Enables Captive Portal logon |
enabled/ |
disabled |
|
withoutauthentication. |
disabled |
|
|
|
|
|
ipaddr-in-redirection-url |
Sends the controller’s interface IP |
— |
— |
<ipaddr> |
address inthe redirectionURL |
|
|
|
whenexternal captive portal |
|
|
|
servers are used. Anexternal |
|
|
|
captive portal server can |
|
|
|
determine the controller from |
|
|
|
whicha requestoriginatedby |
|
|
|
parsing the ‘switchip’ variable inthe |
|
|
|
URL. This parameter requires the |
|
|
|
Public Access license. |
|
|
|
|
|
|
login-page <url> |
URLof the page thatappears for |
— |
/auth/index. |
|
the user logon. This canbe setto |
|
html |
|
any URL. |
|
|
|
|
|
|
20| aaa authentication captive-portal |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
Parameter |
Description |
Range |
Default |
logon-wait |
Configure parameters for the logon |
1-100 |
60% |
|
waitinterval. |
|
|
|
|
|
|
cpu-threshold <percent> |
CPU utilizationpercentage above |
1-100 |
60% |
|
whichthe logonwaitinterval is |
|
|
|
appliedwhenpresenting the user |
|
|
|
withthe logonpage. |
|
|
|
|
|
|
maximum-delay <seconds> |
Maximum time, inseconds, the |
1-10 |
10 seconds |
|
user will have towaitfor the logon |
|
|
|
page topopupif the CPU loadis |
|
|
|
high. This works inconjunctionwith |
|
|
|
the LogonwaitCPU utilization |
|
|
|
thresholdparameter. |
|
|
|
|
|
|
minimum-delay <seconds> |
Minimum time, inseconds, the user |
1-10 |
5 seconds |
|
will have towaitfor the logonpage |
|
|
|
topopupif the CPU loadis high. |
|
|
|
This works inconjunctionwiththe |
|
|
|
LogonwaitCPU utilization |
|
|
|
thresholdparameter. |
|
|
|
|
|
|
logout-popup- |
Enables a pop-upwindowwiththe |
enabled/ |
enabled |
window |
Logoutlinkthatallows the user to |
disabled |
|
|
log out. If this optionis disabled, the |
|
|
|
user remains loggedinuntil the |
|
|
|
user timeoutperiodhas elapsedor |
|
|
|
the stationreloads. |
|
|
|
|
|
|
max-authentication-failures |
Maximum number of |
0-10 |
0 |
<number> |
authenticationfailures before the |
|
|
|
user is blacklisted. |
|
|
|
|
|
|
no |
Negates any configured |
— |
— |
|
parameter. |
|
|
|
|
|
|
protocol-http |
Use HTTPprotocol onredirection |
enabled/ |
disabled |
|
tothe Captive Portal page. If you |
disabled |
(HTTPS is used) |
|
use this option, modify the captive |
|
|
|
portal policy toallowHTTPtraffic. |
|
|
|
|
|
|
redirect-pause <secs> |
Time, inseconds, thatthe system |
1-60 |
10 seconds |
|
remains inthe initial welcome page |
|
|
|
before redirecting the user tothe |
|
|
|
final webURL. If setto0, the |
|
|
|
welcome page displays until the |
|
|
|
user clicks onthe indicatedlink. |
|
|
|
|
|
|
redirect-url <url> |
URLtowhichanauthenticateduser |
— |
— |
|
will be directed. This parameter |
|
|
|
mustbe anabsolute URLthat |
|
|
|
begins witheither http:// or |
|
|
|
https://. |
|
|
|
|
|
|
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
aaa authentication captive-portal | 21 |
Parameter |
Description |
Range |
Default |
server-group <group-name> |
Name of the groupof servers used |
— |
— |
|
toauthenticate Captive Portal |
|
|
|
users. See aaa server-groupon |
|
|
|
page 107. |
|
|
|
|
|
|
show-fqdn |
Allows the user tosee andselect |
enabled |
disabled |
|
the fully-qualifieddomainname |
disabled |
|
|
(FQDN) onthe loginpage. The |
|
|
|
FQDNs shownare specifiedwhen |
|
|
|
configuring individual servers for |
|
|
|
the server groupusedwithcaptive |
|
|
|
portal authentication. |
|
|
|
|
|
|
show-acceptable-use-policy |
Showthe acceptable use policy |
enabled |
disabled |
|
page before the loginpage. |
disabled |
|
|
|
|
|
single-session |
Allows only one active user session |
— |
disabled |
|
ata time. |
|
|
|
|
|
|
switchip-in-redirection-url |
Sends the controller’s IPaddress in |
enabled |
disabled |
|
the redirectionURLwhenexternal |
disabled |
|
|
captive portal servers are used. An |
|
|
|
external captive portal server can |
|
|
|
determine the controller from |
|
|
|
whicha requestoriginatedby |
|
|
|
parsing the ‘switchip’ variable inthe |
|
|
|
URL. |
|
|
|
|
|
|
url-hash-key <key> |
Issue this commandtohashthe |
— |
disabled |
|
redirectionURLusing the specified |
|
|
|
key. |
|
|
|
|
|
|
user-idle-timeout |
The user idle timeoutfor this |
— |
disabled |
|
profile. Specify the idle timeout |
|
|
|
value for the clientinseconds. Valid |
|
|
|
range is 30-15300 inmultiples of |
|
|
|
30 seconds. Enabling this option |
|
|
|
overrides the global settings |
|
|
|
configuredinthe AAA timers. If this |
|
|
|
is disabled, the global settings are |
|
|
|
used. |
|
|
|
|
|
|
user-logon |
Enables Captive Portal with |
enabled |
enabled |
|
authenticationof user credentials. |
disabled |
|
|
|
|
|
user-vlan-in-redirection-url |
Addthe user VLAN inthe |
enabled |
disabled |
<ipaddr> |
redirectionURL. This parameter |
disabled |
|
|
requires the Public Access license. |
|
|
|
|
|
|
|
|
|
|
user-vlan-redirection-url |
Sends the user’s VLAN ID inthe |
— |
— |
|
redirectionURLwhenexternal |
|
|
|
captive portal servers are used. |
|
|
|
|
|
|
22| aaa authentication captive-portal |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
Parameter |
Description |
Range |
Default |
welcome-page <url> |
URLof the page thatappears after |
— |
/auth/welcome |
|
logonandbefore redirectiontothe |
|
.html |
|
webURL. This canbe settoany |
|
|
|
URL. |
|
|
|
|
|
|
white-list <white-list> |
Name of anexisting white listonan |
— |
— |
|
IPv4 or IPv6 networkdestination. |
|
|
|
The white listcontains |
|
|
|
authenticatedwebsites thata guest |
|
|
|
canaccess. If youhave notyet |
|
|
|
defineda netdestination, use the |
|
|
|
CLIcommand netdestination to |
|
|
|
define a destinationhostor subnet |
|
|
|
before youaddittothe whitelist. |
|
|
|
|
|
|
Usage Guidelines
YoucanconfiguretheCaptivePortalauthenticationprofileinthebaseoperatingsystemorwiththeNext GenerationPolicy Enforcement Firewall(PEFNG)licenseinstalled. Whenyouconfiguretheprofileinthebase operatingsystem,thenameof theprofilemust beenteredfortheinitialroleintheAAAprofile. Also,whenyou configuretheprofileinthebaseoperatingsystem,youcannot definethedefault-role.
Example
ThefollowingexampleconfiguresaCaptivePortalauthenticationprofilethat authenticatesusersagainst the controller’sinternaldatabase. Userswhoaresuccessfully authenticatedareassignedtheauth-guest role.
Tocreatetheauth-guest userroleshowninthisexample,thePEFNG licensemust beinstalledinthecontroller.
aaa authentication captive-portal guestnet default-role auth-guest
user-logon
no guest-logon server-group internal
Command History
Version |
Description |
ArubaOS 3.0 |
Commandintroduced. |
|
|
ArubaOS 6.0 |
The max-authentication-failures parameter nolonger requires a |
|
license. |
|
|
ArubaOS 6.1 |
The sygate-on-demand, black-list and white-list parameters were |
|
added. |
|
|
ArubaOS 6.2 |
the auth-protocol parameter was added, andthe user-chap parameter |
|
was deprecated. |
|
|
ArubaOS 6.3 |
The user-idle-timeout parameter was introduced. |
|
|
ArubaOS 6.4 |
The url-hash-key parameter was introduced. |
|
|
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
aaa authentication captive-portal | 23 |
Command Information
Platforms |
Licensing |
Command Mode |
All platforms |
Base operating system, except |
Config mode onmaster controllers |
|
for notedparameters |
|
|
|
|
24| aaa authentication captive-portal |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
aaa authentication dot1x
aaa authentication dot1x {<profile>|countermeasures} ca-cert <certificate>
cert-cn-lookup clear
clone <profile> delete-keycache eapol-logoff enforce-suite-b-128 enforce-suite-b-192 framed-mtu <mtu>
heldstate-bypass-counter <number> ignore-eap-id-match ignore-eapolstart-afterauthentication
machine-authentication blacklist-on-failure|{cache-timeout <hours>}|enable| {machine-default-role <role>}|{user-default-role <role>}
max-authentication-failures <number> max-requests <number> multicast-keyrotation
no ...
opp-key-caching reauth-max <number>
reauth-server-termination-action reauthentication
server {server-retry <number>|server-retry-period <seconds>} server-cert <certificate>
termination {eap-type <type>}|enable|enable-token-caching|{inner-eap-type (eapgtc|eap- mschapv2)}|{token-caching-period <hours>}
timer {idrequest_period <seconds>}|{keycache-tmout <kc-tmout>}|{mkey-rotation-period <seconds>}|{quiet-period <seconds>}|{reauth-period <seconds>}|{ukey-rotation-period <seconds>}|{wpa- groupkey-delay <seconds>}|{wpa-key-period <milliseconds>}|wpa2-key-delay <milliseconds>
tls-guest-access tls-guest-role <role> unicast-keyrotation use-session-key use-static-key validate-pmkid voice-aware wep-key-retries <number> wep-key-size {40|128} wpa-fast-handover wpa-key-retries <number> xSec-mtu <mtu>
Description
Thiscommandconfiguresthe802.1X authenticationprofile.
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
aaa authentication dot1x | 25 |
Syntax
Parameter |
Description |
Range |
Default |
<profile> |
Name thatidentifies an |
— |
“default” |
|
instance of the profile. The |
|
|
|
name mustbe 1-63 |
|
|
|
characters. |
|
|
|
|
|
|
clear |
Clear the CachedPMK, Role |
— |
— |
|
andVLAN entries. This |
|
|
|
commandis available in |
|
|
|
enable mode only. |
|
|
|
|
|
|
countermeasures |
Scans for message integrity |
— |
disabled |
|
code (MIC) failures intraffic |
|
|
|
receivedfrom clients. If there |
|
|
|
are more than2 MIC failures |
|
|
|
within60 seconds, the APis |
|
|
|
shutdownfor 60 seconds. |
|
|
|
This optionis intendedtoslow |
|
|
|
downanattacker whois |
|
|
|
making a large number of |
|
|
|
forgery attempts ina short |
|
|
|
time. |
|
|
|
|
|
|
ca-cert <certificate> |
CA certificate for client |
— |
— |
|
authentication. The CA |
|
|
|
certificate needs tobe loaded |
|
|
|
inthe controller. |
|
|
|
|
|
|
cert-cn-lookup |
If youuse clientcertificates |
— |
— |
|
for user authentication, |
|
|
|
enable this optiontoverify |
|
|
|
thatthe certificate's common |
|
|
|
name exists inthe server. |
|
|
|
This parameter is disabledby |
|
|
|
default. |
|
|
|
|
|
|
delete-keycache |
Delete the key cache entry |
— |
disabled |
|
whenthe user entry is deleted. |
|
|
|
|
|
|
eapol-logoff |
Enables handling of EAPOL- |
— |
disabled |
|
LOGOFFmessages. |
|
|
|
|
|
|
enforce-suite-b-128 |
Configure Suite-B 128 bitor |
|
disabled |
|
more security level |
|
|
|
authenticationenforcement |
|
|
|
|
|
|
enforce-suite-b-192 |
Configure Suite-B 192 bitor |
|
disabled |
|
more security level |
|
|
|
authenticationenforcement |
|
|
|
|
|
|
26| aaa authentication dot1x |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
Parameter |
Description |
Range |
Default |
framed-mtu <MTU> |
Sets the framedMTU |
500- |
1100 |
|
attribute senttothe |
1500 |
|
|
authenticationserver. |
|
|
|
|
|
|
heldstate-bypass-counter <number> |
(This parameter is applicable |
0-3 |
0 |
|
when802.1X authenticationis |
|
|
|
terminatedonthe controller, |
|
|
|
alsoknownas AAA |
|
|
|
FastConnect.) Number of |
|
|
|
consecutive authentication |
|
|
|
failures which, whenreached, |
|
|
|
causes the controller tonot |
|
|
|
respondtoauthentication |
|
|
|
requests from a clientwhile |
|
|
|
the controller is ina heldstate |
|
|
|
after the authentication |
|
|
|
failure. Until this number is |
|
|
|
reached, the controller |
|
|
|
responds toauthentication |
|
|
|
requests from the clienteven |
|
|
|
while the controller is inits |
|
|
|
heldstate. |
|
|
|
|
|
|
ignore-eap-id- |
Ignore EAPID during |
— |
disabled |
match |
negotiation. |
|
|
|
|
|
|
ignore-eapol |
Ignores EAPOL-START |
— |
disabled |
start-afterauthentication |
messages after |
|
|
|
authentication. |
|
|
|
|
|
|
machine-authentication |
(For Windows environments |
|
|
|
only) These parameters set |
|
|
|
machine authentication: |
|
|
|
NOTE:This parameter |
|
|
|
requires the PEFNG license. |
|
|
|
|
|
|
blacklist-on-failure |
Blacklists the clientif machine |
— |
disabled |
|
authenticationfails. |
|
|
|
|
|
|
cache-timeout <hours> |
The timeout, inhours, for |
1-1000 |
24 hours |
|
machine authentication. |
|
(1 day) |
|
|
|
|
enable |
Selectthis optiontoenforce |
— |
disabled |
|
machine authentication |
|
|
|
before user authentication. If |
|
|
|
selected, either the machine- |
|
|
|
default-role or the user- |
|
|
|
default-role is assignedtothe |
|
|
|
user, depending onwhich |
|
|
|
authenticationis successful. |
|
|
|
|
|
|
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
aaa authentication dot1x | 27 |
Parameter |
Description |
Range |
Default |
machine-default-role <role> |
Defaultrole assignedtothe |
— |
guest |
|
user after completing only |
|
|
|
machine authentication. |
|
|
|
|
|
|
user-default-role <role> |
Defaultrole assignedtothe |
— |
guest |
|
user after 802.1X |
|
|
|
authentication. |
|
|
|
|
|
|
max-authentication-failures <number> |
Number of times a user can |
0-5 |
0 |
|
try tologinwithwrong |
|
(disable |
|
credentials after whichthe |
|
d) |
|
user is blacklistedas a |
|
|
|
security threat. Setto0 to |
|
|
|
disable blacklisting, otherwise |
|
|
|
enter a non-zerointeger to |
|
|
|
blacklistthe user after the |
|
|
|
specifiednumber of failures. |
|
|
|
|
|
|
max-requests <number> |
Maximum number of times ID |
1-10 |
5 |
|
requests are senttothe |
|
|
|
client. |
|
|
|
|
|
|
multicast-key |
Enables multicastkey rotation |
— |
disabled |
rotation |
|
|
|
|
|
|
|
no |
Negates any configured |
— |
— |
|
parameter. |
|
|
|
|
|
|
opp-key-caching |
Enables a cachedpairwise |
— |
enabled |
|
master key (PMK) derived |
|
|
|
witha clientandan |
|
|
|
associatedAPtobe used |
|
|
|
whenthe clientroams toa |
|
|
|
newAP. This allows clients |
|
|
|
faster roaming withouta full |
|
|
|
802.1X authentication. |
|
|
|
NOTE:Make sure thatthe |
|
|
|
wireless client(the 802.1X |
|
|
|
supplicant) supports this |
|
|
|
feature. If the clientdoes not |
|
|
|
supportthis feature, the client |
|
|
|
will attempttorenegotiate the |
|
|
|
key whenever itroams toa |
|
|
|
newAP. As a result, the key |
|
|
|
cachedonthe controller can |
|
|
|
be outof sync withthe key |
|
|
|
usedby the client. |
|
|
|
|
|
|
reauth-max <number> |
Maximum number of |
1-10 |
3 |
|
reauthenticationattempts. |
|
|
|
|
|
|
reauth-server-termination-action |
Specifies the termination- |
|
|
|
actionattribute from the |
|
|
|
server. |
|
|
|
|
|
|
28| aaa authentication dot1x |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
Parameter |
Description |
Range |
Default |
reauthentication |
Selectthis optiontoforce the |
— |
disabled |
|
clienttodoa 802.1X |
|
|
|
reauthenticationafter the |
|
|
|
expirationof the defaulttimer |
|
|
|
for reauthentication. (The |
|
|
|
defaultvalue of the timer is |
|
|
|
24 hours.) If the user fails to |
|
|
|
reauthenticate withvalid |
|
|
|
credentials, the state of the |
|
|
|
user is cleared. |
|
|
|
If derivationrules are usedto |
|
|
|
classify 802.1X-authenticated |
|
|
|
users, thenthe |
|
|
|
reauthenticationtimer per |
|
|
|
role overrides this setting. |
|
|
|
|
|
|
reload-cert |
ReloadCertificate for 802.1X |
— |
— |
|
termination. This commandis |
|
|
|
available inenable mode only. |
|
|
|
|
|
|
server |
Sets options for sending |
|
|
|
authenticationrequests tothe |
|
|
|
authenticationserver group. |
|
|
|
|
|
|
server-retry <number> |
Maximum number of |
0-3 |
3 |
|
authenticationrequests that |
|
|
|
are senttoserver group. |
|
|
|
|
|
|
server-retry-period <seconds> |
Server groupretry interval, in |
5-65535 |
5 |
|
seconds. |
|
seconds |
|
|
|
|
server-cert <certificate> |
Server certificate usedby the |
— |
— |
|
controller toauthenticate |
|
|
|
itself tothe client. |
|
|
|
|
|
|
termination |
Sets options for terminating |
|
|
|
802.1X authenticationonthe |
|
|
|
controller. |
|
|
|
|
|
|
eap-type <type> |
The Extensible Authentication |
eap- |
eap- |
|
Protocol (EAP) method, either |
peap/ |
peap |
|
EAP-PEAPor EAP-TLS. |
eap-tls |
|
|
|
|
|
enable |
Enables 802.1X termination |
— |
disabled |
|
onthe controller. |
|
|
|
|
|
|
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
aaa authentication dot1x | 29 |
Parameter |
Description |
Range |
Default |
enable-token |
If youselectEAP-GTC as the |
— |
disabled |
-caching |
inner EAPmethod, youcan |
|
|
|
enable the controller tocache |
|
|
|
the username andpassword |
|
|
|
of eachauthenticateduser. |
|
|
|
The controller continues to |
|
|
|
reauthenticate users withthe |
|
|
|
remote authenticationserver, |
|
|
|
however, if the authentication |
|
|
|
server is notavailable, the |
|
|
|
controller will inspectits |
|
|
|
cachedcredentials to |
|
|
|
reauthenticate users. |
|
|
|
|
|
|
inner-eap-type eap-gtc|eap-mschapv2 |
WhenEAP-PEAPis the EAP |
eap- |
eap- |
|
method, one of the following |
gtc/eap- |
mschap |
|
inner EAPtypes is used: |
mschap |
v2 |
|
EAP-Generic Token Card |
v2 |
|
|
|
|
|
|
(GTC):DescribedinRFC 2284, |
|
|
|
this EAPmethodpermits the |
|
|
|
transfer of unencrypted |
|
|
|
usernames andpasswords |
|
|
|
from clienttoserver. The |
|
|
|
mainuses for EAP-GTC are |
|
|
|
one-time tokencards suchas |
|
|
|
SecureID andthe use of LDAP |
|
|
|
or RADIUS as the user |
|
|
|
authenticationserver. You |
|
|
|
canalsoenable caching of |
|
|
|
user credentials onthe |
|
|
|
controller as a backuptoan |
|
|
|
external authentication |
|
|
|
server. |
|
|
|
EAP-Microsoft Challenge |
|
|
|
Authentication Protocol |
|
|
|
version 2 (MS-CHAPv2): |
|
|
|
DescribedinRFC 2759, this |
|
|
|
EAPmethodis widely |
|
|
|
supportedby Microsoft |
|
|
|
clients. |
|
|
|
|
|
|
token-caching-period <hours> |
If youselectEAP-GTC as the |
(any) |
24 hours |
|
inner EAPmethod, youcan |
|
|
|
specify the timeoutperiod, in |
|
|
|
hours, for the cached |
|
|
|
information. |
|
|
|
|
|
|
timer |
Sets timer options for 802.1X |
|
|
|
authentication: |
|
|
|
|
|
|
idrequest- |
Interval, inseconds, between |
1-65535 |
5 |
period <seconds> |
identity requestretries. |
|
seconds |
|
|
|
|
30| aaa authentication dot1x |
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide |
Loading...