This document contains proprietary information, which is
protected by copyright. No part of this document may be
photocopied, reproduced, or translated into another language
without the prior written consent of Hewlett-Packard.
Windows NT®, Windows®, and MS Windows® are US
registered trademarks of Microsoft Corporation.
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF
ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. Hewlett-Packard shall not be liable for errors
contained herein or for incidental or consequential damages in
connection with the furnishing, performance, or use of this
material.
The only warranties for HP products and services are set forth
in the express warranty statements accompanying such
products and services. Nothing herein should be construed as
constituting an additional warranty. HP shall not be liable for
technical or editorial errors or omissions contained herein.
Hewlett-Packard assumes no responsibility for the use or
reliability of its software on equipment that is not furnished by
Hewlett-Packard.
Hewlett-Packard Company
8000 Foothills Boulevard
Roseville, California 95747-5552
www.procurve.com
Contents
In this Contents section, contexts and commands that are new in 5.3.x are preceded by an
asterisk “*” and formatted in green, like this:
* new context
* new command
1 Introduction
About this guide 1-2
access list 2-65
access-controlled profile 2-127
access-controlled profile 2-71
access-controlled virtual ap 2-127
access-controlled virtual ap 2-71
access-list 2-55
accounting interim update 2-61
accounting interim update 2-65
active 2-110
active 2-112
active 2-115
active 2-118
active 2-128
active 2-157
* active 2-160
active 2-71
active 2-86
active 2-97
active-directory check attribute 2-45
active-directory check user access 2-45
active-directory device name 2-45
active-directory domain 2-45
active-directory group 2-46
active-directory group name 2-128
active-directory group order 2-46
active-directory join 2-46
add ip-qos profile 2-98
config 2-130
config 2-132
config 2-133
config 2-7
config file 2-56
config-update automatic 2-21
config-update operation 2-21
config-update time 2-21
config-update uri 2-22
config-update weekday 2-22
config-version 2-43
contact 2-131
control method 2-72
controlled network 2-8
country code 2-146
credentials 2-86
daily restriction 2-122
data rate 2-97
delete ip-qos profile 2-98
delete ip-qos profile all 2-98
dhcp mode 2-16
* dhcp public ip default lease period 2-9
* dhcp public ip subnet 2-9
dhcp relay 2-101
dhcp relay 2-17
dhcp relay access centralized clients 2-18
dhcp relay access lan 2-18
dhcp relay active 2-102
dhcp relay circuit id 2-102
* dhcp relay circuit id 2-17
dhcp relay extend internet port 2-18
dhcp relay remote id 2-102
* dhcp relay remote id 2-18
dhcp relay subnet 2-102
dhcp server 2-102
dhcp server 2-16
dhcp server access centralized clients 2-17
dhcp server access lan 2-17
dhcp server controller 2-16
dhcp server controller discovery 2-16
dhcp server default domain name 2-16
dhcp server default lease period 2-16
dhcp server default permanent lease period 2-16
dhcp server dns 2-102
dhcp server gateway 2-103
dhcp server logout html user 2-17
dhcp server range 2-103
dhcp server subnet 2-103
discovery protocol 2-36
discovery protocol device-id 2-37
discovery provisioning 2-148
distance 2-149
dns domain 2-112
dns domain name 2-147
dns name 2-147
dns provisioning 2-147
dns server 2-112
dns server 2-148
dot11 2-149
dot11 automatic frequency 2-150
dot11 automatic frequency period 2-150
dot11 automatic frequency time 2-150
dot11 automatic transmit-power 2-151
dot11 automatic transmit-power period 2-151
dot11 mode 2-152
dot11n channel extension 2-153
dot11n channel width 2-153
dot11n guard interval 2-153
dot11n multicast rate 2-153
egress vlan 2-72
enable 2-2
enable vsc services 2-139
encryption key 1 2-89
encryption key format 2-89
end force 2-111
end time 2-122
end time 2-72
* entry 2-164
execute action 2-130
execute action 2-132
execute action 2-133
execute system action 2-130
factory settings 2-10
fail page 2-57
fast authentication 2-98
firewall mode 2-41
firmware-update automatic 2-32
firmware-update start 2-32
firmware-update time 2-32
firmware-update uri 2-32
firmware-update weekday 2-33
force centralize data 2-88
* force flow control 2-161
gateway 2-110
goodbye url 2-57
gre name 2-111
group name 2-132
guest-mode 2-88
html authentication 2-95
html authentication accounting 2-95
html authentication accounting radius profile 2-95
html authentication active-directory 2-96
html authentication local 2-96
html authentication radius 2-96
html authentication radius profile 2-96
html authentication request radius cui 2-96
html authentication timeout 2-96
html redirection 2-100
interval 2-86
ip address 2-105
ip address 2-111
ip address 2-148
ip address 2-79
ip address 2-84
ip address alternate 2-83
ip address dhcp client-id 2-80
ip address management 2-84
ip address mode 2-105
ip address mode 2-79
ip assignation 2-144
ip default-gateway 2-106
ip http port 2-13
ip https port 2-13
ip name-server 2-33
ip name-server cache 2-33
ip name-server dynamic 2-33
ip name-server interception 2-34
ip name-server logout-info 2-34
ip name-server switch-on-servfail 2-34
ip name-server switch-over 2-34
ip nat 2-106
ip nat 2-118
ip nat 2-80
ip nat outside source static 2-81
ip provisioning 2-148
ip rip authentication key-chain 2-82
ip rip authentication mode 2-82
ip rip authentication string 2-82
ip route gateway 2-41
ipass id 2-54
ipass login url 2-58
ipass name 2-54
iperf 2-2
iperf 2-4
ipsec policy 2-12
ipsec vlan interface 2-76
ipsec vlan interface 2-78
key 2-120
key chain 2-43
key chain name 2-120
key-string 2-121
l3subnet 2-139
local id 2-113
local mesh group 2-134
local mesh ip qos profile 2-138
local mesh provisioning group 2-134
local mesh qos mechanism 2-139
local nas id 2-100
location 2-131
location aware 2-141
location-aware called-station-id content 2-101
location-aware group 2-101
logging destination 2-22
logging facility 2-115
logging host 2-115
logging prefix 2-115
login error url 2-58
login page 2-58
login url 2-58
logo 2-58
* mac authentication 2-162
mac authentication 2-95
mac authentication accounting 2-94
mac authentication accounting radius profile 2-94
mac authentication local 2-95
mac authentication radius profile 2-94
mac authentication remote 2-94
mac authentication request radius cui 2-94
* mac filter list 2-162
* mac list 2-12
mac-address 2-57
managed map max 2-47
mandatory authentication 2-94
matches 2-116
matches 2-143
max input rate 2-67
max output rate 2-67
max user sessions 2-72
max-association 2-89
maximum input octets 2-61
maximum input packets 2-61
maximum output octets 2-62
maximum output packets 2-62
maximum total octets 2-62
maximum total packets 2-62
mesh id 2-157
message 2-116
message 2-117
message 2-142
message 2-142
messages 2-59
minimum snr 2-157
mode 2-113
multicast rate 2-150
multiple radio 2-159
name 2-115
name 2-158
nat limit port range 2-80
nat limit port range size 2-80
nat one-to-one 2-62
nat one-to-one 2-67
noc access interface gre 2-54
noc access interface vlan 2-54
noc access internet 2-52
noc access vpn 2-53
noc allow 2-53
noc authentication 2-53
noc ssl ca-certificate 2-59
noc ssl certificate 2-59
notify user location changes 2-60
nslookup 2-2
ntp protocol 2-19
ntp server 2-19
ntp server 2-21
ntp server failure trap 2-21
online time limit 2-123
online time limit 2-123
outgoing traffic network 2-113
passive-interface 2-119
passive-interface 2-82
passive-interface 2-84
* password 2-125
password 2-73
peer id 2-113
peer ip address 2-111
peer ip address 2-114
perfect forward secrecy 2-114
permanent leases 2-110
persistent user information 2-47
persistent user information period 2-47
ping 2-2
ping 2-4
* port 2-126
* port name 2-162
* port type 2-162
* power over ethernet 2-162
pppoe auto-reconnect 2-80
pppoe client user 2-79
pppoe mru 2-81
pppoe mtu 2-81
pppoe unnumbered 2-81
pptp client auto route discovery 2-119
pptp client credentials 2-118
pptp client domain name 2-118
pptp client lcp echo 2-119
pptp client server address 2-118
preshared key 2-114
* priority 2-162
* priority lookup 2-163
process 2-117
process 2-117
process 2-142
process 2-142
product type 2-131
provisioning connectivity 2-134
provisioning discovery 2-134
provisioning local mesh group 2-145
provisioning local mesh key 2-145
provisioning local mesh port 2-145
provisioning local mesh security 2-145
provisioning local mesh security 2-145
provisioning local mesh type 2-146
ps 2-3
public forwarding 2-97
* public ip reservation 2-123
* public ip subnet 2-123
* public ip subnet 2-63
* public ip subnet 2-69
qos 2-98
* quarantine vlan 2-163
quit 2-3
quit 2-5
radio active 2-152
radio active 2-158
radius accounting realms 2-101
radius authentication realms 2-101
radius nas id 2-155
radius profile 2-134
radius server profile 2-86
radius-framed-protocol-attribute 2-103
radius-server accounting port 2-107
radius-server accounting session 2-43
radius-server alternate hosts 2-107
radius-server authentication method 2-107
radius-server authentication port 2-107
radius-server client 2-44
radius-server client 2-46
radius-server deadtime 2-108
radius-server force-nas-port-to-vlanid 2-109
radius-server host 2-108
radius-server key 2 2-108
radius-server local eap-peap 2-44
radius-server local eap-tls 2-44
radius-server local eap-ttls 2-44
radius-server local pap 2-44
radius-server message-authenticator 2-108
radius-server name 2-108
radius-server nasid 2-109
radius-server profile 2-35
radius-server realm 2-109
radius-server realm name 2-109
radius-server ssid detection nas-id 2-44
radius-server timeout 2-109
radius-server timeout 2-109
range 2-110
rcapture 2-5
reboot device 2-10
reboot device 2-4
* receiver 2-126
regular profile 2-128
regular profile 2-73
regular virtual ap 2-128
regular virtual ap 2-73
* remember delay 2-51
* remember html users 2-51
remote configuration 2-36
remote ip address 2-111
renew user profile subscription 2-42
security 2-156
security mode 2-156
security psk 2-156
security wep 2-156
sensor discovery mode 2-135
sensor network detector 2-136
sensor server id 2-135
sensor server name 2-135
service controller ap authentication credentials 2-37
service controller ap authentication enable 2-37
service controller ap authentication file 2-37
service controller ap authentication radius-server 2-37
service controller ap authentication refresh-rate 2-37
service controller ap authentication source file 2-38
service controller ap authentication source local 2-38
service controller ap authentication source radius 2-38
service controller discovery 2-38
service controller discovery interface internet-port 2-38
service controller discovery interface lan-port 2-38
service controller primary 2-39
service controller primary ip addr 2-39
service controller priority 2-39
service controller provisioning 2-39
session page 2-59
session profile 2-36
session profile 2-68
session profile default 2-36
session timeout 2-63
session timeout 2-73
show active-directory 2-46
show active-directory group 2-46
show all config 2-7
show arp 2-5
show bridge 2-5
show bridge forwarding 2-6
show certificate 2-10
show certificate 2-4
show certificate binding 2-10
show certificate binding 2-4
show client log 2-7
show config factory 2-10
show config factory 2-130
show config factory 2-132
show config factory 2-133
show controlled network config 2-8
show discrete pin 2-7
show dns cache 2-6
show interfaces 2-6
* show ip 2-6
show ip dhcp database 2-6
show ip route 2-6
show license 2-3
show logging filtered 2-3
* show mac list 2-12
show radius statistics 2-7
show radius users 2-7
show radius-server 2-45
show satellites 2-6
show session profile 2-36
show subscription plan 2-11
show system info 2-6
show user profiles 2-42
show user profiles details 2-42
show users 2-7
start time 2-123
static ip 2-145
station allocate source ip address 2-49
station allow any ip address 2-49
station distance 2-151
station free access 2-50
station http proxy support 2-50
station idle detection 2-50
subscription plan 2-11
subscription plan 2-73
subscription plan name 2-123
* switch port 2-135
syslog 2-135
system accounting 2-51
termination action 2-68
top 2-3
traceroute 2-3
transmit key 2-90
transmit power 2-150
transport page 2-59
upstream diffserv tagging 2-99
use access-list 2-56
use access-list unauth 2-56
* user 2-126
user defined attribute 2-69
* user name 2-125
user profile 2-42
user tracking 2-46
user tracking destination 2-47
user tracking filter 2-47
user tracking port 2-47
username 2-10
username 2-74
* version 2-126
virtual ap 2-11
virtual ap binding 2-132
virtual ap name 2-87
vlan 2-144
vlan 2-145
* vlan 2-163
vlan 2-89
vlan name 2-106
web access interface gre 2-15
web access interface vlan 2-15
web access internet-port 2-15
web access lan 2-15
web access lan-port 2-15
web access vpn 2-15
web admin kickout 2-14
web allow 2-14
welcome url 2-60
wireless filters 2-91
wireless filters mac 2-92
wireless filters rule input 2-92
wireless filters rule output 2-92
wireless filters type 2-93
wispr abort login url 2-54
wispr login url 2-55
wispr logoff url 2-55
wmm advertising 2-100
world-mode dot11 country code 2-14
This guide explains how to work with the Command Line Interface (CLI) on HP ProCurve
Networking MSM7xx Controllers.
Products covered
This guide covers the following products:
Model                        Part
MSM710 Access Controller     J9328A
MSM710 Mobility Controller   J9325A
MSM730 Access Controller     J9329A
MSM730 Mobility Controller   J9326A
MSM750 Access Controller     J9330A
MSM750 Mobility Controller   J9327A
MSM760 Access Controller     J9420A
MSM760 Mobility Controller   J9421A
MSM765 Mobility Controller   J9370A
HP ProCurve Product Naming
As of October 1st, 2008, Colubris Networks was acquired by HP ProCurve. HP ProCurve has
begun integrating the Colubris product line into the HP ProCurve Networking product
portfolio (www.procurve.com/news/colubris-10-01-08.htm).
In the online help and this manual, Colubris product names have been changed to their
equivalent HP ProCurve product names.
Note: SOAP and SNMP MIBs retain the Colubris naming, so you do not need to change your
existing SOAP and MIB usage.
The Colubris Networks product names and their corresponding new HP ProCurve product
names are as follows:
Colubris name                                  HP ProCurve name
MAP-320 MultiService Access Point              MSM310 Access Point
MAP-320R MultiService Access Point             MSM310-R Access Point
MAP-330 MultiService Access Point              MSM320 Access Point
MAP-330R MultiService Access Point             MSM320-R Access Point
MAP-330 AP+Sensor MultiService Access Point    MSM325 Access Point with Sensor
MAP-625 MultiService Access Point              MSM422 Access Point
MAP-630 AP+Sensor MultiService Access Point    MSM335 Access Point with Sensor
WCB-200 Wireless Client Bridge                 M111 Client Bridge
Visitor Management Tool                        Guest Management Software
RF Manager 1500 Enterprise                     RF Manager 100 IDS/IPS system
RF Manager 1300 Basic                          RF Manager 50 IDS/IPS system
RF Planner                                     RF Planner
Important terms
The following terms are used in this guide.
Term                   Description
AP                     Refers to any HP ProCurve Networking MSM3xx or MSM4xx
                       Access Point.
service controller     Refers to any HP ProCurve Networking MSM7xx Controller,
                       including both Access Controller and Mobility Controller
                       variants.
VSC, Virtual ap, VAP   These terms are used interchangeably to refer to VSC (Virtual
                       Service Community).
Typographical conventions
Command syntax
Command syntax is formatted in a monospaced font as follows:
Example                         Description
web admin kickout               Items in plain text must be entered as shown.
ip http port <number>           Items in italics and enclosed in < > are parameters for
                                which you must supply a value. In this example, you
                                must supply a value for <number>.
end [force]                     Items enclosed in square brackets are optional. You
                                can either include them or not. Do not include the
                                brackets. In this example you can either include
                                “force” or omit it.
firewall mode (high|low|none)   Items enclosed in parentheses and separated by a
                                vertical line indicate a choice. Specify only one of the
                                items. In this example, you must specify ’high’, ’low’, or
                                ’none’.
Management tool
When referring to the management tool interface, the Main menu name is presented first
followed by a right angle-bracket and then the sub-menu name, as in Network > Ports.
Double angle brackets >> separate elements that appear in the Network Tree from main
menu and sub-menu references, as in Service Controller >> Status.
HP ProCurve Networking support
HP ProCurve Networking offers support 24 hours a day, seven days a week through a number
of automated electronic services. See the Customer Support/Warranty booklet included with
your product.
The HP ProCurve Networking Web site, www.procurve.com/customercare, provides
up-to-date support information.
Additionally, your HP-authorized network reseller can provide you with assistance, both with
services that they offer and with services offered by HP.
Before contacting support
To make the support process most efficient, before calling your networking dealer or HP
Support, you first should collect the following information:
Collect this information                      Where to find it
Product identification.                       On the rear of the product.
Software version.                             The service controller management tool
                                              Login page.
Network topology map, including the           Your network administrator.
addresses assigned to all relevant devices.
Online documentation
For the latest documentation, visit the HP ProCurve Networking manuals Web page at:
www.procurve.com/manuals.
Configuring CLI support
Using the service controller management tool, open the CLI configuration page. Select
Service controller >> Management > CLI.
Use this page to enable/disable CLI support via an SSH or serial connection. A maximum of
three concurrent CLI sessions are supported regardless of the connection type.
The CLI supports SSH on the standard TCP port (22).
Connectivity and login credentials for SSH connections use the same settings as defined for
the management tool manager on the Service Controller >> Management > Management tool page.
SSH connections to the CLI can be made on any active interface. Support for each
interface must be explicitly enabled under Security.
The login credentials for SSH connections are the same as those defined under Manager
account. By default, both username and password are set to admin.
Note: SSH logins always use the local manager username and password, even if
Administrative user authentication is set to use a RADIUS server. (The Administrative
user authentication option is not available on all models.)
SSH client support
The following SSH clients have been tested with the CLI. Others may work as well:
OpenSSH
Tectia
SecureCRT
PuTTY
Entering strings
When entering a value that contains spaces, you must enclose it in quotation marks. For
example, if the command syntax is:
ssid <name>
You must specify one of the following:
ssid ANameWithNoSpaces
ssid "A name with spaces"
Context hierarchy
CLI commands are grouped into functional contexts. The following table shows the context
hierarchy and the command used to switch to each context from its parent context:
Context hierarchy                         Command to switch from parent context
View context                              (This is the first context. No command is needed.)
Enable context                            enable
Config context                            config
WAN IP interface context                  interface ip wan
LAN IP interface context                  interface ip lan
Internet interface context                interface ethernet port-2
VLAN interface context                    interface vlan <id>[-<id2>]
LAN interface context                     interface ethernet port-1
VLAN interface context                    interface vlan <id>[-<id2>]
PPTP client interface                     interface pptp client-default
GRE interface context                     interface gre <name>
Virtual AP context                        virtual ap <name>
Subscription plan                         subscription plan <name>
List of MAC addresses context             mac list <name>
IPsec policy context                      ipsec policy <name>
DHCP server context                       dhcp server lan
Syslog destination context                logging destination <name>
SNMP user context                         snmp-server user <name>
SNMP notification receiver context        snmp-server notification receiver <host>
RADIUS context                            radius-server profile <name>
Access Controller context                 access controller
Default Session profile context           session profile default
Session profile context                   session profile <name>
RADIUS remote configuration context       remote configuration radius
User Profile context                      user profile <name>
Keychain context                          key chain <name>
Keys context                              key <number>
Active Directory Group context            active-directory group <name>
Controlled Network AP context             controlled network (ap <name> [<mac>]
Controlled Network context                config
CN Wireless interface context             interface wireless (single|dual|triple) <number>
RADIUS Profile context                    radius profile <profile>
Local mesh profile context                local mesh group <group>
Provisioning connectivity context         provisioning connectivity
Provisioning discovery context            provisioning discovery
Syslog context                            syslog
Switch port context                       switch port <name>
Controlled Network AP Group context       controlled network (group <name> [<mac>]
Virtual AP Binding context                virtual ap binding <profile>
Controlled Network context                config
CN Wireless interface context             interface wireless (single|dual|triple) <number>
RADIUS Profile context                    radius profile <profile>
Local mesh profile context                local mesh group <group>
Provisioning connectivity context         provisioning connectivity
Provisioning discovery context            provisioning discovery
Syslog context                            syslog
Switch port context                       switch port <name>
Controlled Network Base Group context     controlled network base
Controlled Network context                config
CN Wireless interface context             interface wireless (single|dual|triple) <number>
RADIUS Profile context                    radius profile <profile>
Local mesh profile context                local mesh group <group>
Provisioning connectivity context         provisioning connectivity
Provisioning discovery context            provisioning discovery
Syslog context                            syslog
Switch port context                       switch port <name>
Local mesh provisioning profile context   local mesh provisioning group
Local mesh provisioning profile context   local mesh provisioning group
Local mesh provisioning profile context   local mesh provisioning group
Sample CLI session
This sample CLI session shows you how to set the WAN port to use a static IP address,
disable NAT, and add an alternate IP address. (The CLI prompt is shown in bold.)
CLI> enable
CLI# config
CLI(config)# interface ip wan
CLI(config-if-ip)# ip address 192.168.66.1/24
CLI(config-if-ip)# ip address mode static
CLI(config-if-ip)# no ip nat
CLI(config-if-ip)# ip address alternate 192.168.23.56
CLI(config-if-ip)# end
CLI(config)# end
CLI# quit
File transfer
In some cases you may need to transfer files (certificates or configuration) to the service
controller. Commands that have this capability typically include <uri> or <url> in their
parameter list.
Note: When you enter the commands discussed here, the files are transferred immediately.
File transfer can be performed in two ways.
A. The service controller gets the file using a URL
Transfer a certificate file using FTP. For example:
certificate ipsec ca ftp://ftp.example.com/certificate/my-root-certificate.pem
B. Send a file to the service controller
Using SFTP (available with OpenSSH or SSH), authenticate with the CLI credentials. Then
send the file to the service controller. For example:
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
certificate revocation <uri> <certname>
Add a Certificate Revocation List to an existing authority certificate.
end
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
end
Switches to parent context.
CLI commands
factory settings
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
factory settings
Resets the system configuration to factory default settings.
interface ethernet
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
interface ethernet (port-1|port-2)
Switches to the specified Ethernet interface context.
reboot device
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
reboot device
Restarts the system.
show certificate
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
show certificate
Display current certificates.
show certificate binding
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
show certificate binding
Display how the certificates are used.
show config factory
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
show config [factory]
Generates a list of CLI commands that can be used to define the currently loaded configuration.
username
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
username <user> <password>
Changes the current administrator username and password.
Parameters
<user> New administrator username.
<password> New administrator password.
interface ip
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
interface ip (lan | wan)
Switches to the specified IP interface context.
interface pptp client-default
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
interface pptp client-default
Switches to the PPTP client interface context.
interface gre
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
interface gre <name>
Switches to the specified GRE interface or creates a new GRE interface with the specified name.
no interface gre <name>
Deletes the specified GRE interface.
virtual ap
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
virtual ap <name>
Creates a new VAP (VSC) profile or switches to the existing VAP (VSC) context with the specified
name.
no virtual ap <name>
Deletes the specified Virtual AP profile.
Parameters
name Name of an existing or new VAP (VSC) profile.
show subscription plan
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
show subscription plan [<name>]
Display one or many subscription plans.
subscription plan
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
subscription plan <name>
Add a new subscription plan.
no subscription plan <name>
Delete a subscription plan.
mac list
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
mac list <name>
Edit a MAC list.
no mac list <name>
Delete a MAC list by name.
show mac list
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
show mac list [<name>]
Display current MAC list, or one list in detail.
ipsec policy
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ipsec policy <name>
Switches to the specified IPSec policy or creates a new IPSec policy with the specified name.
admin local authentication
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
admin local authentication
Enables authentication of administrator logins using the local account.
no admin local authentication
Disable administrator authentication via local account.
admin radius authentication
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
admin radius authentication
Sets the authentication of administrator logins to occur using RADIUS.
no admin radius authentication
Disable administrator authentication via RADIUS.
admin radius authentication server
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
admin radius authentication server <name>
Sets the authentication of administrator logins to occur using RADIUS.
ip http port
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ip http port <number>
Sets the port number to use for HTTP access to the service controller.
Parameters
<number> Port number. Range: 1 - 65535.
Description
HTTP connections made to this port are met with a warning and the browser is redirected to the
secure web server port. By default, this parameter is set to port 80.
ip https port
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ip https port <number>
Sets the port number used for HTTPS access to the service controller.
Parameters
<number> Port number. Range: 1 - 65535.
snmp-server trap certificate-expired
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
snmp-server trap certificate-expired
Send a trap when the SSL certificate has expired. A trap is sent every 12 hours.
no snmp-server trap certificate-expired
Do not send a trap when the SSL certificate has expired.
snmp-server trap certificate-expires-soon
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
snmp-server trap certificate-expires-soon
Send a trap when the SSL certificate is about to expire. A trap is sent every 12 hours starting 15
days before the certificate expires.
no snmp-server trap certificate-expires-soon
Do not send a trap when the SSL certificate is about to expire.
snmp-server trap web-fail
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
snmp-server trap web-fail
Send a trap each time an administrator login is refused.
no snmp-server trap web-fail
Do not send a trap each time an administrator login is refused.
snmp-server trap web-login
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
snmp-server trap web-login
Send a trap each time an administrator login is accepted.
no snmp-server trap web-login
Do not send a trap each time an administrator login is accepted.
snmp-server trap web-logout
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
snmp-server trap web-logout
Send a trap each time an administrator logs out.
no snmp-server trap web-logout
Do not send a trap each time an administrator logs out.
web admin kickout
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
web admin kickout
Enables a new administrator login to terminate an existing administrator session.
no web admin kickout
Stops a new administrator from logging in until an existing administrator logs out.
web allow
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
web allow <ip address>/<mask>
Adds an address to the list of hosts that can access the management tool.
no web allow <ip address>/<mask>
Removes the specified address from the list of hosts that can access the management tool.
Parameters
<ip address> IP address.
<mask> Subnet mask in CIDR format. Specifies the number of bits in the mask.
world-mode dot11 country code
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
world-mode dot11 country code <code>
Specifies the country the service controller is operating in.
Parameters
<code> An ISO3166 three-letter country code.
web access internet-port
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
web access internet-port
Enables access to the management tool via the Internet port.
no web access internet-port
Blocks access to the management tool via the Internet port.
web access lan-port
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
web access lan-port
Enables access to the management tool via the LAN port.
no web access lan-port
Blocks access to the management tool via the LAN port.
web access interface vlan
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
web access interface vlan <name>
Enables access to the management tool via the specified VLAN.
no web access interface vlan <name>
Removes access to the management tool for the specified VLAN.
web access interface gre
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
web access interface gre <name>
Enables access to the management tool via the specified GRE tunnel.
no web access interface gre <name>
Disables access to the management tool via the specified GRE tunnel.
web access lan
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
web access lan
Enables access to the management tool via the LAN port.
no web access lan
Blocks access to the management tool via the LAN port.
web access vpn
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
web access vpn
Enables access to the management tool via a VPN connection.
no web access vpn
Blocks access to the management tool via a VPN connection.
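The management-access commands documented above (username, admin radius authentication, web allow, web access ..., snmp-server trap web-fail) can be checked offline against a saved show config listing. The Python audit below is an added example, not HP code. It assumes the listing contains these commands verbatim, one per line, with disabled options in their "no" form, and that an empty web allow list leaves access unrestricted by source address; both sample listings are constructed.

```python
"""Audit a saved MSM7xx `show config` listing for management-plane exposure."""
import ipaddress
import re
import shlex

# Tolerate lines pasted from a live session, e.g. "CLI(config)# web allow ...".
PROMPT = re.compile(r"^CLI(\([^)]*\))?[#>]\s*")

# On/off commands documented in this guide; the "no" form turns each one off.
TOGGLES = {
    "web access internet-port",
    "web access lan-port",
    "web access vpn",
    "admin radius authentication",
    "snmp-server trap web-fail",
}

# Constructed sample listings (not captured from a real controller).
SAMPLE_EXPOSED = """\
username admin admin
admin radius authentication
web access internet-port
web access lan-port
no web access vpn
web allow 192.168.1.0/24
web allow 0.0.0.0/0
no snmp-server trap web-fail
"""

SAMPLE_HARDENED = """\
CLI(config)# username netops "a long passphrase with spaces"
CLI(config)# no web access internet-port
CLI(config)# web access lan-port
CLI(config)# web allow 10.20.30.0/28
CLI(config)# snmp-server trap web-fail
"""


def parse_config(text):
    """Return (toggles, allow_list, credentials) parsed from the listing."""
    toggles, allow, creds = {}, set(), None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        try:
            words = shlex.split(line)      # honours "values with spaces"
        except ValueError:
            words = line.split()           # unbalanced quote: split naively
        negated = bool(words) and words[0] == "no"
        if negated:
            words = words[1:]
        if not words:
            continue
        body = " ".join(words)
        if body in TOGGLES:
            toggles[body] = not negated
        elif words[:2] == ["web", "allow"] and len(words) == 3:
            try:
                net = ipaddress.ip_network(words[2], strict=False)
            except ValueError:
                continue                   # not an <ip address>/<mask> value
            (allow.discard if negated else allow.add)(net)
        elif words[0] == "username" and len(words) == 3 and not negated:
            creds = (words[1], words[2])
    return toggles, allow, creds


def audit(text):
    """Return a list of (code, message) findings for one listing."""
    toggles, allow, creds = parse_config(text)
    findings = []
    if toggles.get("web access internet-port"):
        findings.append(("MGMT-INTERNET",
                         "management tool is reachable via the Internet port"))
    if not allow:
        findings.append(("NO-ALLOW-LIST",
                         "no 'web allow' entry restricts management hosts"))
    elif any(net.prefixlen == 0 for net in allow):
        findings.append(("ALLOW-ANY",
                         "a 'web allow' entry with a /0 mask matches every host"))
    if creds == ("admin", "admin"):
        msg = "manager account still uses the factory default admin/admin"
        if toggles.get("admin radius authentication"):
            # Per the guide, SSH logins always use the local manager account.
            msg += "; SSH ignores RADIUS and accepts this local account"
        findings.append(("DEFAULT-CREDS", msg))
    if not toggles.get("snmp-server trap web-fail"):
        findings.append(("NO-FAIL-TRAP",
                         "refused administrator logins do not raise a trap"))
    return findings


def codes(text):
    """Finding codes only, in the order the checks run."""
    return [code for code, _ in audit(text)]


if __name__ == "__main__":
    for name, sample in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        print(name)
        for code, message in audit(sample) or [("OK", "no findings")]:
            print(f"  {code}: {message}")
```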
dhcp mode
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
dhcp mode (server | relay | none)
Sets whether the service controller operates as a DHCP server or DHCP relay agent.
dhcp server
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
dhcp server lan
Switches to the DHCP server context.
dhcp server default domain name
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
dhcp server default domain name <domain>
Sets the DHCP server domain name.
dhcp server default lease period
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
dhcp server default lease period <number>
Sets the default lease time for the DHCP server.
dhcp server default permanent lease period
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
dhcp server default permanent lease period <number>
Sets the permanent lease time for the DHCP server.
dhcp server controller
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
dhcp server controller <ip address>
Add the IP address to the list of controllers.
no dhcp server controller <ip address>
Remove the IP address from the list of controllers.
dhcp server controller discovery
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
dhcp server controller discovery
Send the list of controller IP addresses with DHCP answers.
no dhcp server controller discovery
Do not send the list of controller IP addresses with DHCP answers.
dhcp server logout html user
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
dhcp server logout html user
Logout HTML user upon discover request.
no dhcp server logout html user
Do not logout HTML user upon discover request.
dhcp server access centralized clients
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
dhcp server access centralized clients
Listen for DHCP requests from centralized access-controlled client stations.
no dhcp server access centralized clients
Do not listen for DHCP requests from centralized access-controlled client stations.
dhcp server access lan
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
dhcp server access lan
Listen for DHCP requests on the LAN interface.
no dhcp server access lan
Do not listen for DHCP requests on the LAN interface.
dhcp relay
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
<fixed> Rule of the form: The [Day]th of [Month] at [Time].
<last-weekday> Rule of the form: The last [Weekday] of [Month] at [Time].
<following-date> Rule of the form: The first [Weekday] on or after the [Day]th of [Month] at [Time].
<preceding-date> Rule of the form: The first [Weekday] on or before the [Day]th of [Month] at [Time].
ntp server
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ntp server <index> <host>
Adds a network time server.
Parameters
<index> Index of the time server in the list. Up to 20 time servers are supported.
Time servers are checked in the order that they appear in the list.
<host> DNS name or IP address of the time server.
ntp server failure trap
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ntp server failure trap
Send a trap each time a time server synchronization fails.
no ntp server failure trap
Do not send a trap each time a time server synchronization fails.
config-update automatic
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
config-update automatic
Enables scheduled configuration restore or backup.
no config-update automatic
Disables scheduled configuration restore or backup.
The service controller can automatically download the configuration file from a local or remote
URL (restore). It is also possible to upload the current configuration to a given URL (backup).
These operations can be done at preset times.
config-update operation
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
config-update operation (restore | backup)
Sets the type of operation that will take place at the preset time.
config-update time
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
config-update time <time>
Sets the time of day when the scheduled configuration operation (backup or restore) will take
place.
Parameters
<time> Time as hh:mm:ss. For example: 15:44:00.
config-update uri
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
config-update uri <uri>
Sets the URI where the service controller will download or upload the configuration file.
no config-update uri
Clears the configuration file URI.
config-update weekday
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
Set the severity level of syslog messages that will trigger a trap.
snmp-server trap network-trace
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
snmp-server trap network-trace
Send a trap when a network trace is started or stopped.
no snmp-server trap network-trace
Do not send this trap.
firmware-update automatic
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
firmware-update automatic
Enables scheduled firmware upgrades.
no firmware-update automatic
Disables scheduled firmware upgrade.
The service controller can automatically retrieve and install firmware from a local or remote URL
at preset times. By placing service controller firmware on a web or ftp server, you can automate
the update process for multiple units.
When the update process is triggered the service controller retrieves the first 2K of the firmware
file to determine if it is different from the active version. If different, the entire firmware file is
then downloaded and installed.
(Different means older or newer. This enables you to return to a previous firmware version if
required).
Configuration settings are preserved during the update unless stated otherwise in the release
notes for the firmware. However, all active connections will be terminated. Users will have to log
in again after the service controller restarts.
firmware-update start
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
firmware-update start
Upload the firmware based on a specified URI. This URI can be set with the command: firmware-update uri.
firmware-update time
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
firmware-update time <time>
Sets the time of day the scheduled firmware upgrade will take place.
Parameters
<time> Time as hh:mm:ss. For example: 15:44:00.
firmware-update uri
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
firmware-update uri <uri>
Sets the URI where the service controller will retrieve new firmware.
no firmware-update uri
Clears the firmware URI.
firmware-update weekday
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
Sets the day when the scheduled firmware upgrade will take place.
snmp-server trap firmware-update
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
snmp-server trap firmware-update
Send a trap on firmware update.
no snmp-server trap firmware-update
Do not send a trap on firmware update.
ip name-server
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ip name-server <primary> [<secondary>] [<third>]
Sets the primary and secondary DNS servers overriding dynamically assigned ones.
Parameters
<primary> IP address of the primary DNS server.
<secondary> IP address of the secondary DNS server.
<third> IP address of the third DNS server.
ip name-server cache
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ip name-server cache
Enables the DNS cache.
no ip name-server cache
Disables the DNS cache.
Once a host name has been successfully resolved to an IP address by a remote DNS server, it is
stored in the cache. This speeds up network performance, as the remote DNS server now does not
have to be queried for subsequent requests for this host.
The entry stays in the cache until:
an error occurs when connecting to the remote host
the time to live (TTL) of the DNS request expires
the service controller is restarted.
ip name-server dynamic
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ip name-server dynamic
Enables dynamic assignment of DNS servers.
no ip name-server dynamic
Disables dynamic DNS assignment.
ip name-server interception
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ip name-server interception
Intercepts all DNS requests from users and relays them to configured servers.
no ip name-server interception
Process DNS requests addressed to this device only.
ip name-server switch-on-servfail
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ip name-server switch-on-servfail
Switch to next server when server failure is received.
no ip name-server switch-on-servfail
Do not switch to next server when server failure is received.
ip name-server switch-over
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ip name-server switch-over
Switch over to primary when active.
no ip name-server switch-over
Do not switch over to primary when active.
ip name-server logout-info
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ip name-server logout-info <host> <ip address>
Sets the logout host name and the logout IP address.
access controller shared secret
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
access controller shared secret <secret>
Sets the shared secret used to communicate with the service controller.
no access controller shared secret
Sets the shared secret used to communicate with the access controller.
The service controller will only accept authentication/location-aware information from satellites
that have a matching shared secret to its own.
radius-server profile
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
radius-server profile <name>
Creates a new RADIUS profile or switches to the RADIUS context with the specified profile name.
no radius-server profile <name>
Deletes the specified RADIUS profile.
access controller
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
access controller
Switches to the access controller context.
certificate ipsec ca
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
certificate ipsec ca <uri>
Loads a new CA certificate from the specified URI.
The URI can be local:
local://FILENAME
or remote
ftp://host/path
certificate ipsec local
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
certificate ipsec local <uri> <password>
Loads a new local certificate from the specified URI.
no certificate ipsec local
Removes the local certificate.
The URI can be local:
local://FILENAME
or remote
ftp://host/path
certificate ipsec revocation
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
certificate ipsec revocation <uri>
Loads a new CRL file from the specified URI.
The URI can be local:
local://FILENAME
or remote
ftp://host/path
certificate ssl
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
certificate ssl <uri> <password>
Loads a new SSL certificate using the URI.
session profile default
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
session profile default
Switches to the session profile context.
session profile
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
session profile <name>
Switches to the session profile context.
no session profile <name>
Remove a session profile.
show session profile
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
show session profile
Display all session profiles.
remote configuration
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
remote configuration (radius)
Switches to the RADIUS remote configuration context.
discovery protocol
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
discovery protocol
Enables broadcast of device information for interoperability with CDP-enabled networking
hardware.
no discovery protocol
Disable broadcast of device information.
discovery protocol device-id
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
discovery protocol device-id <name>
Overwrite the device-id field of information packets (the service controller serial number is not
used).
no discovery protocol device-id
Do not overwrite the device-id field of information packets (use the service controller serial
number).
service controller ap authentication credentials
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller ap authentication credentials <username> <password>
When the RADIUS authentication source is selected, this option specifies the RADIUS username
and password assigned to the service controller.
no service controller ap authentication credentials
Clears the RADIUS username/password.
service controller ap authentication enable
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller ap authentication enable
Enables authentication of discovered controlled APs.
no service controller ap authentication enable
Disables AP authentication.
service controller ap authentication file
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller ap authentication file <name>
Sets the file to use for authentication of controlled access points. This must be an ASCII file with
one or more MAC addresses in it. Each address must appear on a separate line.
service controller ap authentication radius-server
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller ap authentication radius-server <name>
Sets the RADIUS profile to use for authentication of controlled access points.
service controller ap authentication refresh-rate
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller ap authentication refresh-rate <number>
Specifies the interval at which the service controller retrieves authentication list entries from the
selected authentication source(s).
service controller ap authentication source file
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller ap authentication source file
Enables the use of a file authentication source.
no service controller ap authentication source file
Disables the use of a file authentication source.
service controller ap authentication source local
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller ap authentication source local
Enables the use of local authentication source.
no service controller ap authentication source local
Disables the use of local authentication source.
service controller ap authentication source radius
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller ap authentication source radius
Enables the use of RADIUS authentication source.
no service controller ap authentication source radius
Disables the use of RADIUS authentication source.
service controller discovery
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller discovery
Enable service controller discovery.
no service controller discovery
Disable service controller discovery.
service controller discovery interface internet-port
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller discovery interface internet-port
Allow discovery on the LAN interface.
no service controller discovery interface internet-port
Allow discovery on the LAN interface.
service controller discovery interface lan-port
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller discovery interface lan-port
Allow discovery on the LAN interface.
no service controller discovery interface lan-port
Allow discovery on the LAN interface.
service controller primary
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller primary
Become the Primary service controller.
no service controller primary
Become a secondary service controller.
service controller primary ip addr
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller primary ip addr <ip address>
Configure a static ip address for the primary service controller.
service controller priority
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller priority <number>
Sets the discovery priority of this device.
service controller provisioning
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
service controller provisioning
Enable the AP provisioning system.
no service controller provisioning
Disable the AP provisioning system.
bandwidth control internet-port
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
bandwidth control internet-port
Enables bandwidth control on the Internet port.
no bandwidth control internet-port
Disables bandwidth control on the Internet port.
bandwidth control internet-port high
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
bandwidth control internet-port high <min-tx-%> <min-rx-%> <max-tx-%> <max-rx-%>
Sets the bandwidth rates (Tx minimum, Tx maximum, Rx minimum, and Rx maximum) for traffic
classed as High.
bandwidth control internet-port low
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
bandwidth control internet-port low <min-tx-%> <min-rx-%> <max-tx-%> <max-rx-%>
Sets the bandwidth rates (Tx minimum, Tx maximum, Rx minimum, and Rx maximum) for traffic
classed as Low.
bandwidth control internet-port max-rate
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
bandwidth control internet-port max-rate <transmit> <receive>
Sets the maximum transmit and receive rates on the Internet port in kbps.
These settings enable you to limit the total incoming or outgoing data rate on the Internet port. If
traffic exceeds the rate you set for short bursts, it is buffered. Long overages will result in data
being dropped. To utilize the full available bandwidth, the transmit and receive limits should be
set to match the incoming and outgoing data rates on the Internet port.
Parameters
<transmit> Sets the maximum transmit rate in kbps.
<receive> Sets the maximum receive rate in kbps.
About bandwidth control
Bandwidth rates for each level are defined by taking a percentage of the maximum transmit and
receive rates defined for the Internet port. Each bandwidth level has four rate settings:
Transmit rate - guaranteed minimum: This is the minimum amount of bandwidth that will be
assigned to a level as soon as outgoing traffic is present on the level.
Transmit rate - maximum: This is the maximum amount of outgoing bandwidth that can be
consumed by the level. Traffic in excess will be buffered for short bursts, and dropped for
sustained overages.
Receive rate - guaranteed minimum: This is the minimum amount of bandwidth that will be
assigned to a level as soon as incoming traffic is present on the level.
Receive rate - maximum: This is the maximum amount of incoming bandwidth that can be
consumed by the level. Traffic in excess will be buffered for short bursts, and dropped for
sustained overages.
Bandwidth levels are arranged in order of priority from Very High to Low. Priority determines
how free bandwidth is allocated once the minimum rate has been met for each level.
Free bandwidth is always assigned to the higher priority levels first.
Assigning traffic to bandwidth levels
User traffic is assigned to a bandwidth level on a per-VAP (VSC) basis.
Management traffic (RADIUS, SNMP, management tool admin sessions) is assigned to
bandwidth level Very High and cannot be changed.
All traffic assigned to a particular bandwidth level shares the allocated bandwidth for that
level.
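The allocation rules described under "About bandwidth control" can be worked through as a small model. This is an added example, not HP code and not the device's actual scheduler: it parses constructed `bandwidth control internet-port` lines in the argument order given above, converts the percentages to kbps, grants each active level its guaranteed minimum, and then hands free bandwidth to higher-priority levels first up to each level's maximum. The sample rates and traffic demands are assumptions.

```python
LEVELS = ("very-high", "high", "normal", "low")  # priority order, highest first

# Constructed sample configuration using the command syntax from this section.
SAMPLE = """\
bandwidth control internet-port
bandwidth control internet-port max-rate 10000 20000
bandwidth control internet-port very-high 10 10 100 100
bandwidth control internet-port high 20 20 100 100
bandwidth control internet-port normal 30 30 80 80
bandwidth control internet-port low 10 10 50 50
"""


def parse(config, direction="tx"):
    """Return (max_rate_kbps, {level: (min_kbps, max_kbps)}) for 'tx' or 'rx'."""
    col = {"tx": 0, "rx": 1}[direction]
    max_rate, pct = None, {}
    for line in config.splitlines():
        words = line.split()
        if words[:3] != ["bandwidth", "control", "internet-port"] or len(words) < 4:
            continue  # other commands, or the bare enable command
        name, args = words[3], [int(w) for w in words[4:]]
        if name == "max-rate" and len(args) == 2:
            # argument order: <transmit> <receive>, both in kbps
            max_rate = args[col]
        elif name in LEVELS and len(args) == 4:
            # argument order: <min-tx-%> <min-rx-%> <max-tx-%> <max-rx-%>
            pct[name] = (args[col], args[2 + col])
    if max_rate is None or set(pct) != set(LEVELS):
        raise ValueError("max-rate and all four levels must be configured")
    for level, (lo, hi) in pct.items():
        if not 0 <= lo <= hi <= 100:
            raise ValueError(f"{level}: need 0 <= min% <= max% <= 100")
    # Each level's rates are a percentage of the port's maximum rate.
    rates = {lvl: (max_rate * lo // 100, max_rate * hi // 100)
             for lvl, (lo, hi) in pct.items()}
    return max_rate, rates


def allocate(max_rate, rates, demand):
    """Model: grant kbps per level for the offered load in `demand` (kbps)."""
    granted = {level: 0 for level in LEVELS}
    free = max_rate
    # Pass 1: the guaranteed minimum, only for levels that have traffic.
    for level in LEVELS:
        want = min(demand.get(level, 0), rates[level][0], free)
        granted[level] = want
        free -= want
    # Pass 2: free bandwidth goes to higher priority levels first,
    # and no level may exceed its configured maximum.
    for level in LEVELS:
        ceiling = min(demand.get(level, 0), rates[level][1])
        extra = min(free, max(0, ceiling - granted[level]))
        granted[level] += extra
        free -= extra
    return granted


def overage(demand, granted):
    """Traffic beyond the grant: buffered for short bursts, dropped if sustained."""
    return {lvl: demand.get(lvl, 0) - granted[lvl] for lvl in LEVELS}


if __name__ == "__main__":
    port_rate, level_rates = parse(SAMPLE, "tx")
    # Constructed load: light management traffic, two saturated user levels.
    load = {"very-high": 500, "normal": 9000, "low": 9000}
    grant = allocate(port_rate, level_rates, load)
    for lvl in LEVELS:
        print(f"{lvl:10s} granted {grant[lvl]:6d} kbps, "
              f"over by {overage(load, grant)[lvl]:6d} kbps")
```

In this constructed load the Normal level absorbs most of the free bandwidth before Low sees any of it, while the Very High level, which carries management traffic, is served in full.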
bandwidth control internet-port normal
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
bandwidth control internet-port normal <min-tx-%> <min-rx-%> <max-tx-%> <max-rx-%>
Sets the bandwidth rates (Tx minimum, Tx maximum, Rx minimum, and Rx maximum) for traffic
classed as Normal.
bandwidth control internet-port very-high
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
bandwidth control internet-port very-high <min-tx-%> <min-rx-%> <max-tx-%> <max-rx-%>
Sets the bandwidth rates (Tx minimum, Tx maximum, Rx minimum, and Rx maximum) for traffic
classed as Very High.
ip route gateway
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ip route gateway <destination>/<mask> <gateway> [<metric>]
Adds a static route.
no ip route gateway <destination>/<mask> <gateway> [<metric>]
Removes the specified static route.
Parameters
<destination> Traffic addressed to this IP address will be routed.
<mask> Indicates the number of bits in the destination address that is checked for a
match.
<gateway> Indicates the IP address of the gateway the service controller will forward
routed traffic to. The gateway address must be on the same subnet as one
of the available interfaces (Internet port or LAN port).
<metric> Indicates the priority of a route. If two routes exist for a destination
address then the service controller chooses the one with the lower metric.
firewall mode
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
firewall mode (high|low|none)
Sets the firewall mode.
Parameters
high Permits all outgoing traffic. Blocks all externally initiated connections.
low Permits all incoming and outgoing traffic, except for NetBIOS traffic. Use
this option if you require active FTP sessions.
none Disables the firewall.
show user profiles
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
show user profiles [<pattern>]
Display current local users.
show user profiles details
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
show user profiles details <name>
Display detailed information about one user.
user profile
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
user profile <name>
Adds or edits the specified username in the local user list.
no user profile <name>
Removes the specified username from the local user list.
renew user profile subscription
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
renew user profile subscription [<username>]
Renew a user with its subscription plan.
dot1x reauth
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
dot1x reauth
Enable this option to force 802.1X client stations to reauthenticate.
no dot1x reauth
Disables 802.1X reauthentication.
dot1x reauth period
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
Specifies how often (in minutes or hours) that the group (broadcast) key is changed for 802.1X
and WPA.
key chain
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
key chain <name>
Switch to the specified key chain or create a new key chain.
no key chain <name>
Remove the specified key chain.
config-version
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
config-version <string>
Sets a string to identify the user configuration version.
radius-server accounting session
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
radius-server accounting session <number>
Set the maximum number of accounting sessions.
radius-server client
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
radius-server client
Enable radius clients list.
no radius-server client
Disable radius clients list.
radius-server local eap-peap
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
radius-server local eap-peap
Allow EAP-PEAP.
no radius-server local eap-peap
Disallow EAP-PEAP.
radius-server local eap-tls
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
radius-server local eap-tls
Allow EAP-TLS.
no radius-server local eap-tls
Disallow EAP-TLS.
radius-server local eap-ttls
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
radius-server local eap-ttls
Allow EAP-TTLS.
no radius-server local eap-ttls
Disallow EAP-TTLS.
radius-server local pap
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
radius-server local pap
Allow PAP.
no radius-server local pap
Disallow PAP.
radius-server ssid detection nas-id
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
radius-server ssid detection nas-id
Use NAS-ID for SSID detection.
no radius-server ssid detection nas-id
Do not use NAS-ID for SSID detection.
show radius-server
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
show radius-server
Display current RADIUS server configuration.
active-directory check attribute
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
active-directory check attribute <ldapattr>
Set the name of the AD attribute to check for.
no active-directory check attribute
Clear the name of the AD attribute to check for.
active-directory check user access
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
active-directory check user access
Check AD for user access.
no active-directory check user access
Do not check AD for user access.
active-directory device name
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
active-directory device name <name>
Set the device NetBIOS name.
no active-directory device name
Clear the device NetBIOS name.
active-directory domain
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
active-directory domain <domain>
Set the AD Windows domain.
no active-directory domain
Reset the AD Windows domain.
active-directory group
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
active-directory group <name>
Create or go to an Active Directory group.
no active-directory group <name>
Remove an Active Directory group.
active-directory group order
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
active-directory group order <number> <name>
Reorder an Active Directory group.
active-directory join
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
active-directory join <username> <password>
Join with Active Directory.
show active-directory
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
show active-directory
Display Active Directory settings.
show active-directory group
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
show active-directory group <name>
Display details about an Active Directory group.
radius-server client
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
radius-server client <ip address>/<mask> <secret>
Add a new radius client.
no radius-server client <ip address>/<mask>
Delete an existing radius client.
user tracking
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
user tracking
Enable capture of usage data.
no user tracking
Disable capture of usage data.
user tracking destination
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
user tracking destination <host>
Specify to where the detailed syslog packets should be sent.
user tracking filter
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
user tracking filter <filter>
A comma-separated list of filters (username or subnet).
user tracking port
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
user tracking port <number>
Specify to which UDP port capture data should be sent.
persistent user information
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
persistent user information
Save user account information locally.
no persistent user information
Do not save user account information locally.
persistent user information period
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
persistent user information period <number>
Period, in minutes, at which to update user information.
client data tunnel security
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
client data tunnel security (hmac | key)
Specify the security strength of the client data tunnel.
managed map max
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
managed map max <num>
Set the maximum number of APs to manage.
igmp proxy
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
igmp proxy
Enable IGMP proxy.
no igmp proxy
Disable IGMP proxy.
igmp proxy downstream interface
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
igmp proxy downstream interface <interface>
Set the downstream IGMP port.
igmp proxy upstream interface
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
igmp proxy upstream interface <interface>
Set the upstream IGMP port.
rf-id aeroscout
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
rf-id aeroscout
Enable AeroScout tag processing.
no rf-id aeroscout
Disable AeroScout tag processing.
Access Controller context
Path: View > Enable > Config > Access Controller
All global access controller configuration takes place here.
end
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
end
Switches to parent context.
ads presentation
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ads presentation
Enable advertisement display at regular intervals for authenticated users.
no ads presentation
Disable advertisement display for authenticated users.
ads presentation interval
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ads presentation interval <number>
Control the advertisement display interval.
station allocate source ip address
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
station allocate source ip address
Allow dynamic IP addresses.
no station allocate source ip address
Disallow dynamic IP addresses.
Enable this option to provide network address translation for client stations with static IP
addresses. This permits the service controller to assign an alias address to the client that puts it on
the same subnet as the VSC the client is associated with. This option cannot be used if NAT is
enabled on the Internet port.
station allow any ip address
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
station allow any ip address
Enable this option to permit wireless client stations that are using a static IP address to connect to
the service controller, even if they are on a different subnet.
no station allow any ip address
Do not allow client stations with any IP addresses to connect.
This option enables users to access the wireless network without reconfiguring their networking
settings. For example, by default the service controller creates the wireless network on the subnet
192.168.1.0. If a client station is pre-configured with the address 10.10.4.99, it will still be able to
connect to the service controller without changing its address, or its settings for DNS server and
default gateway.
station free access
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
station free access
When enabled, all users are automatically granted access when the RADIUS server is down or
unreachable.
no station free access
Users cannot connect when the RADIUS server is unreachable.
Once the RADIUS server is available again, free user sessions remain active until the user logs out.
This does not apply to users using 802.1x or WPA.
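Several commands in this reference change how exposed the service controller is: `web access internet-port`, `firewall mode`, `firmware-update uri` and `config-update uri`, `radius-server local pap`, `service controller ap authentication enable`, and `station free access`. The following added example (not HP code) reviews a configuration for those settings. It assumes the configuration is available as plain text with one command per line, written as in this guide; the sample lines, host names, and the choice of which settings to report are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample input (not from a real device). Assumption: the
# configuration is plain text, one command per line, written as in this guide.
SAMPLE_CONFIG = """\
web access internet-port
web access lan-port
no web access vpn
firewall mode low
firmware-update automatic
firmware-update uri ftp://updates.example.net/msm/firmware.bin
config-update uri https://backup.example.net/msm/config.cfg
station free access
radius-server local pap
no radius-server local pap
no service controller ap authentication enable
"""

# Commands reported when enabled (descriptions follow this guide).
RISKY_WHEN_ON = {
    "web access internet-port": "management tool is reachable via the Internet port",
    "station free access": "all users are granted access while RADIUS is unreachable",
    "radius-server local pap": "PAP is allowed",
}
# Commands reported when explicitly disabled with 'no'.
RISKY_WHEN_OFF = {
    "service controller ap authentication enable":
        "discovered controlled APs are not authenticated",
}
FIREWALL_MODES = {
    "none": "firewall is disabled",
    "low": "all incoming and outgoing traffic is permitted except NetBIOS",
}
URI_COMMANDS = ("firmware-update uri", "config-update uri")
CLEARTEXT_SCHEMES = {"ftp", "http"}

# Longest command first, so a longer command is never matched by a shorter prefix.
KNOWN = sorted([*RISKY_WHEN_ON, *RISKY_WHEN_OFF, *URI_COMMANDS, "firewall mode"],
               key=len, reverse=True)


def parse_config(text):
    """Return {command: (enabled, argument)}; a later line overrides an earlier one."""
    state = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if not line:
            continue
        enabled = not line.startswith("no ")
        body = line if enabled else line[3:]
        for cmd in KNOWN:
            if body == cmd or body.startswith(cmd + " "):
                state[cmd] = (enabled, body[len(cmd):].strip())
                break
    return state


def audit(text):
    """Return a list of (command, reason) findings for the final configuration state."""
    state = parse_config(text)
    findings = []
    for cmd, reason in RISKY_WHEN_ON.items():
        if state.get(cmd, (False, ""))[0]:
            findings.append((cmd, reason))
    for cmd, reason in RISKY_WHEN_OFF.items():
        if cmd in state and not state[cmd][0]:
            findings.append(("no " + cmd, reason))
    enabled, mode = state.get("firewall mode", (False, ""))
    if enabled and mode in FIREWALL_MODES:
        findings.append(("firewall mode " + mode, FIREWALL_MODES[mode]))
    for cmd in URI_COMMANDS:
        enabled, uri = state.get(cmd, (False, ""))
        scheme = urlsplit(uri).scheme.lower()
        if enabled and scheme in CLEARTEXT_SCHEMES:
            findings.append((cmd, f"{scheme}:// is unencrypted, so the file can be "
                                  "read or altered in transit"))
    return findings


if __name__ == "__main__":
    for command, reason in audit(SAMPLE_CONFIG):
        print(f"{command}: {reason}")
```

A setting that never appears in the input is not reported, because this reference does not state the defaults; only what the lines explicitly enable or disable is evaluated.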
station http proxy support
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
station http proxy support
Enables support for client stations that are configured to use a proxy server for HTTP and HTTPS,
without requiring users to reconfigure their systems.
no station http proxy support
Disables support for client stations that are configured to use a proxy server for HTTP and
HTTPS.
station idle detection
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
station idle detection <interval> <count>
The service controller continuously polls authenticated client stations to ensure they are active. If
no response is received and the number of retries is reached, the client station is disconnected.
Parameters
<interval> Specify how long to wait between polls.
<retries> Specify how many polls a client station can fail to reply to before it is
disconnected.
Description
This feature enables the service controller to detect if two client stations are using the same IP
address but have different MAC addresses. If this occurs, access is terminated for this IP address
removing both stations from the network.
Changing these values may have security implications. A large interval provides a greater
opportunity for a session to be hijacked.
The initial query is always done after the client station has been idle for 60 seconds. If there is no
answer to this query, the settings for Interval and Retries are used to control additional retries.
system accounting
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
system accounting
Enables RADIUS accounting support.
no system accounting
Disables RADIUS accounting support.
remember delay
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
remember delay <number>
Length of time to remember users. Users who return later than this delay interval are presented
with the login page instead of being re-authenticated.
remember html users
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
remember html users
Enables support for remembering (automatically re-authenticating) html-authenticated users who
leave the network but return within the remember delay interval.
no remember html users
Disables support for remembering html-authenticated users.
worldpay installation id
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
worldpay installation id <string>
Set the installation ID for the WorldPay payment service.
worldpay payment response password
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
worldpay payment response password <string>
Set the payment response password for the WorldPay payment service.
worldpay payment url
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
worldpay payment url <string>
Set the payment URL for the WorldPay payment service.
authorize_net installation id
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
authorize_net installation id <string>
Set the login ID for the Authorize.Net payment service.
authorize_net payment url
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
authorize_net payment url <string>
Set the payment URL for the Authorize.Net payment service.
authorize_net transaction key
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
authorize_net transaction key <string>
Set the transaction key for the Authorize.Net payment service.
ads presentation with frameset
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ads presentation with frameset
Enables the ads presentation to redirect to frameset-ads-page instead of ads-page.
no ads presentation with frameset
Disables the frameset for ads presentation, causing ads presentation to only use ads-page.
authentication http
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
authentication http <number>
Specifies the port number the service controller will use to provide standard HTTP access to the
management tool.
HTTP connections made to this port are met with a warning and the browser is redirected to the
secure web server port. By default this parameter is set to port 80.
authentication https
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
authentication https <number>
Specifies the port number the service controller will use to provide secure access to the
management tool (HTTPS). By default this parameter is set to port 443.
noc access internet
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
noc access internet
Accept authentication requests on the Internet port.
no noc access internet
Do not accept authentication requests on the Internet port.
noc access vpn
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
noc access vpn
Accept authentication requests on VPN connections.
no noc access vpn
Do not accept authentication requests on VPN connections.
noc allow
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
noc allow <ip address>/<mask>
Adds an IP address or subnet to the list of destinations that the service controller will accept user
login authentication requests from when NOC authentication is active.
no noc allow <ip address>/<mask>
Removes the specified IP address or subnet from the list of destinations that the service controller
will accept user login authentication requests from when NOC authentication is active.
When the list is empty, authentication requests are accepted from any address.
noc authentication
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
noc authentication
Enables support for NOC authentication.
no noc authentication
Disables support for NOC authentication.
secure login
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
secure login
Enables secure login.
no secure login
Disables secure login.
sslv2 authentication
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
sslv2 authentication
Enables SSLv2 authentication.
no sslv2 authentication
Disables SSLv2 authentication.
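Added example (not part of the HP manual): a small audit of the NOC and SSLv2 commands described above, flagging an empty or catch-all "noc allow" list while NOC authentication is enabled, NOC requests accepted on the Internet port, and SSLv2 (a protocol prohibited by RFC 6176) left enabled. The input format, the finding codes and the assumption that every toggle starts disabled are illustrative and do not come from the manual.

```python
import ipaddress

# Constructed sample: command lines spelled as in this reference.
# It is not an export from a real service controller.
SAMPLE = """\
noc authentication
noc access internet
no noc access vpn
sslv2 authentication
noc allow 192.0.2.0/24
no noc allow 192.0.2.0/24
"""

TOGGLES = ("noc authentication", "noc access internet", "sslv2 authentication")

def audit(config_text):
    """Return sorted finding codes for the NOC and SSLv2 commands."""
    # Assumption: every toggle is off until a line enables it.
    state = dict.fromkeys(TOGGLES, False)
    allowed, findings = set(), set()
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        negated = line.startswith("no ")
        cmd = line[3:] if negated else line
        if cmd in state:
            state[cmd] = not negated
        elif cmd.startswith("noc allow "):
            try:  # accepts both /24 and /255.255.255.0 mask styles
                net = ipaddress.ip_network(cmd[len("noc allow "):], strict=False)
            except ValueError:
                findings.add("NOC_ALLOW_UNPARSEABLE")
                continue
            if negated:
                allowed.discard(net)
            else:
                allowed.add(net)
    if state["sslv2 authentication"]:
        findings.add("SSLV2_ENABLED")
    if state["noc authentication"]:
        if not allowed:  # empty list: requests accepted from any address
            findings.add("NOC_ALLOW_LIST_EMPTY")
        if any(net.prefixlen == 0 for net in allowed):
            findings.add("NOC_ALLOW_ANY")
        if state["noc access internet"]:
            findings.add("NOC_ON_INTERNET_PORT")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, the only "noc allow" entry is removed again, so the list ends up empty and the audit reports it alongside the Internet-port and SSLv2 findings.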
noc access interface vlan
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
noc access interface vlan <name>
Adds the specified VLAN to the list of interfaces that authentication requests are accepted on.
no noc access interface vlan <name>
Removes the specified VLAN from the list of interfaces that authentication requests are accepted
on.
noc access interface gre
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
noc access interface gre <name>
Adds the specified GRE tunnel to the list of interfaces that authentication requests are accepted
on.
no noc access interface gre <name>
Removes the specified GRE tunnel from the list of interfaces that authentication requests are
accepted on.
ipass id
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ipass id <name>
Specifies the WISPr location ID assigned to the service controller.
no ipass id
Deletes the WISPr location ID assigned to the service controller.
ipass name
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ipass name <name>
Specifies the WISPr location name assigned to the service controller.
no ipass name
Deletes the WISPr location name assigned to the service controller.
wispr abort login url
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
wispr abort login url <url>
Specifies the WISPr abort login url assigned to the service controller.
no wispr abort login url
Deletes the WISPr abort login url assigned to the service controller.
wispr login url
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
wispr login url <url>
Specifies the WISPr login url assigned to the service controller.
no wispr login url
Deletes the WISPr login url assigned to the service controller.
wispr logoff url
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
wispr logoff url <url>
Specifies the WISPr logoff url assigned to the service controller.
no wispr logoff url
Deletes the WISPr logoff url assigned to the service controller.
access-list
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
access-list <index> <rule>
Adds a new rule to an access list at the specified index position.
no use access-list
Do not use an access list.
Parameters
index Index position of the rule within the access list.
<listname> Specifies a name (up to 32 characters long) to identify the access list this
rule applies to. If a list with this name does not exist, a new list is created.
If a list with this name exists, the rule is added to it.
OPTIONAL Allows the access list to be activated even if this rule fails to initialize. For
example, if you specify a rule that contains an address which cannot be
resolved for some reason, the other rules that make up the access list will
still be initialized. If you do not specify optional, a failed rule will cause the
entire list to fail. Critical access list definitions (such as for a remote login
page, certificates) should not use the OPTIONAL setting because if these
definitions fail to initialize there will be no indication in the log.
<action> Specifies what action the rule takes when it matches incoming traffic. Two
options are available:
ACCEPT - Allow traffic matching this rule.
DENY - Reject traffic matching this rule.
WARN - Redirect traffic matching this rule to an error page.
<protocol> Specify the protocol to check: tcp, udp, icmp, all
<address> Specify one of the following:
IP address or domain name (up to 107 characters in length)
Subnet address. Include the network mask as follows: address/subnet mask. For example:
192.168.30.0/24
Use the keyword all to match any address.
Use the keyword none if the protocol does not take an address range (ICMP for example).
<port> Specify a specific port to check or a port range as follows:
none: Used with ICMP (since it has no ports).
all: Check all ports.
1-65535[:1-65535] - Specify a specific port or port range.
<account> Specify the name of the user account the service controller will send billing
information to for this rule. Account names must be unique and can be up
to 32 characters in length.
<interval> Specify time between interim accounting updates. If you do not enable this
option, accounting information is only sent when a user connection is
terminated. Range: 5-99999 seconds in 15 second increments.
use access-list
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
use access-list <listname>
Specifies the name of the access list to use.
no use access-list
Do not use an access list.
use access-list unauth
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
use access-list unauth <listname>
Specifies the name of the access list to use for unauthenticated stations (list disappears once
authenticated).
no use access-list unauth
Do not use an access list for unauthenticated stations (list disappears once authenticated).
config file
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
config file <url>
Specifies the URL that points to a new configuration file to load.
no config file
Do not load a new configuration file.
http proxy upstream
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
http proxy upstream <string>
Specifies the host:port of the HTTP Proxy Upstream server.
no http proxy upstream
Do not use an HTTP Proxy Upstream server.
https ssl certificate
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
https ssl certificate <url>
Specifies the URL that points to an SSL certificate that will replace the default certificate on the
service controller.
no https ssl certificate
Do not load a custom SSL certificate.
mac-address
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
mac-address <macaddr> [<username>] [<password>]
Adds a MAC address to the local configuration list.
When the MAC authentication option is enabled (in a VAP (VSC) profile), you can define local
configuration settings to validate MAC addresses.
Parameters
macaddr MAC address of the device as 12 hexadecimal numbers, with the values ’a’
to ’f’ in lowercase. For example: 0003520a0f01.
username Username assigned to the device.
password Password assigned to the device.
fail page
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
fail page <url>
Specifies the URL of a new fail page.
no fail page
No new fail page. Use default.
goodbye url
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
goodbye url <url>
Specifies the URL of a goodbye page.
no goodbye url
No goodbye page.
ipass login url
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
ipass login url <url>
Specifies the URL of the IPass login page. The service controller will automatically redirect users
with IPass client software to this page.
no ipass login url
No IPass login URL.
login error url
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
login error url <url>
Specifies the URL of a login error page.
no login error url
No login error page.
login page
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
login page <url>
Specifies the URL of the new login page.
no login page
No new login page. Use default.
login url
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
login url <url>
Specifies the URL of a remote login page.
no login url
No remote login page.
logo
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
logo <url>
Specifies the URL of a new logo.
no logo
No new logo. Use default.
messages
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
messages <url>
Specifies the URL of a new message file.
no messages
No new messages file. Use default.
noc ssl ca-certificate
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
noc ssl ca-certificate <url>
Specifies the URL of the certificate from the certificate authority (CA) that issued the NOC
certificate.
no noc ssl ca-certificate
No CA certificate.
noc ssl certificate
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
noc ssl certificate <url>
Specifies the URL of the certificate issued to the application on the remote web server that will
send user info to the service controller for authentication.
no noc ssl certificate
No certificate.
session page
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
session page <url>
Specifies the URL of a new session page.
no session page
No new session page. Use default.
transport page
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
transport page <url>
Specifies the URL of a new transport page.
no transport page
No new transport page. Use default.
welcome url
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
welcome url <url>
Specifies the URL of a welcome page.
no welcome url
No welcome page.
notify user location changes
Supported on: MSM710 MSM730 MSM750 MSM760 MSM765zl
notify user location changes
Notify RADIUS on location changes.
no notify user location changes
Do not notify RADIUS on location changes.