Airplay and Airprint on Campus Networks
An Aruba AirGroup Solution Guide
Enter to Win AirGroup Sweepstakes! Download and read the attached guide and submit a use-case on the community blog thread. You could win a trip for 2 to the island of Aruba!
What is AirRecorder
A Java based tool that will run several common CLI commands for checking controller, AP, and wireless device health. AirRecorder supports ArubaOS, Instant VC (IAP) and MeshOS (MSR). AirRecorder runs on any operating system that supports a Java Platform Standard Edition version 6 or later.
Log in to support.arubanetworks.com and go to Tools > AirRecorder folder.
At time of writing this is version 1.2.16.
After downloading the distribution ZIP file, unpack it to a directory or folder of your choice. On successful unpacking, you should find at least the following files:
Please note that "samples" is a folder that contains sample files.
To run the tool, please open a DOS command window or Linux/MacOS terminal and type:
java -jar AirRecorder-1.2.16-release.jar
You should see an output similar to:
AirRecorder (c)2011-2014 Thomas Bastian, Aruba Networks
usage: AirRecorder [options] [<controllerip>]
If you don't see output similar to the above, then most likely you don't have Java installed. Please download the proper Java for your system from:
AirRecorder records the output of CLI commands in a file. By default, the list of commands is read from a file named "commands" or "commands.txt". Please go ahead and create a file named "commands.txt" in the distribution directory. Enter a single line into the file:
0,show ap active
and save the file.
You are now ready to run your first AirRecorder session. In the Windows command (DOS) window or Linux/MacOS Shell terminal window, please type:
java -jar AirRecorder-1.2.16-release.jar <controller>
<controller> is the IP address or hostname of the controller you would like to run the session against.
As the session begins, you will be prompted for the username, password and enable password used to log in to the controller (if you have "enable bypass" activated on the controller, just hit RETURN when prompted for the enable password).
At the end of the session, a new file should have been created:
Please use your favorite editor to look at the contents recorded (it should contain the output from the command “show ap active”).
AirRecorder can read the username, password and enable password for logging in to the controller:
- from the command line: -u <username> -p <password> -e <enable password>
java -jar AirRecorder-1.2.16-release.jar -u admin -p admin -e enable <controller>
- from a file named either "<controller>" or "<controller>.txt", after the <controller> argument provided (i.e. in the above case, a file named "192.168.0.196" or "192.168.0.196.txt"). In this case, the file should contain the username, password and enable password, each on a separate line. If "enable bypass" is enabled on the controller, leave the third line blank.
Working With Commands
AirRecorder can read commands from any file. Please use the command line argument:
-c <command file>
to specify an alternate commands file to be used.
The commands file syntax is as follows:
- one command specification per line
- lines starting with # are skipped
- a command specification takes the form: [<trigger>;]<schedule>,<command>
i.e.: 0,show ap active
<trigger> is an optional field and can be omitted. TRIGGERS will be discussed later.
<schedule> is further broken down as:
<interval>[;<execution count>[;<cycle interval>[;<cycle count>]]]
<interval> is the interval in *SECONDS* between consecutive executions. A value of zero will run the command once. Please be cautious when selecting the interval since smaller values may impact controller performance.
<execution count> is the optional number of times the command will be executed. When unspecified, the command will repeat forever. Otherwise the command will be executed the specified number of times *PER* cycle. Note that if <cycle interval> is not specified, the command will be executed <execution count> times, then never again.
<cycle interval> is the optional interval between the start of repeating cycles. If this is omitted, the command will be executed just <execution count> times.
<cycle count> is the optional number of times to run the cycles.
<command> is the command string that is being sent to the controller. The string is sent as is to the controller with the exception of placeholder and variable processing.
Both interval and cycle interval are expressed in seconds. However, adding the m or h suffix will provide values in minutes and hours respectively.
0,show ap active: will run the command "show ap active" once.
1;1,show ap active: will run the command "show ap active" just once, i.e. "one shot"
1m,show ap active: will run the command "show ap active" every minute.
1m;2,show ap active: will run the command "show ap active" twice spaced by one minute.
1m;2;1h,show ap active: will run the command "show ap active" twice spaced by one minute every hour.
1m;2;1h;3,show ap active: will run the command "show ap active" twice spaced by one minute every hour for three times.
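Because short intervals may impact controller performance, it helps to check a commands file before running it. The following is an added example, not part of AirRecorder: a Python parser for the schedule syntax above that counts how many times each line would run within a time window. It assumes the first execution happens at the start of the session and each cycle, and it rejects lines with a <trigger>, since trigger syntax is not described here; all function names are hypothetical.

```python
import math
import re
from collections import namedtuple

# interval/cycle_interval in seconds; count/cycle_count None = unbounded
Spec = namedtuple("Spec", "interval count cycle_interval cycle_count command")
_DURATION = re.compile(r"^(\d+)([mh]?)$")
_UNIT = {"": 1, "m": 60, "h": 3600}

def _seconds(field):
    m = _DURATION.match(field)
    if not m:
        raise ValueError(f"not a duration (trigger or typo?): {field!r}")
    return int(m.group(1)) * _UNIT[m.group(2)]

def parse_line(line):
    """Parse '<schedule>,<command>'; return None for blank and # lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    schedule, sep, command = line.partition(",")   # command may hold commas
    f = [x.strip() for x in schedule.split(";")]
    if not sep or not command.strip() or len(f) > 4:
        raise ValueError(f"malformed command specification: {line!r}")
    f += [""] * (4 - len(f))
    return Spec(_seconds(f[0]), int(f[1]) if f[1] else None,
                _seconds(f[2]) if f[2] else None,
                int(f[3]) if f[3] else None, command.strip())

def executions_in(spec, window):
    """Count executions starting at time t with 0 <= t < window (seconds)."""
    if spec.interval == 0:
        return 1                                   # zero interval: run once
    fits = lambda remaining: math.ceil(remaining / spec.interval)
    if spec.count is None:
        return fits(window)                        # repeats forever
    if not spec.cycle_interval:
        return min(spec.count, fits(window))       # one burst, never again
    total, cycle = 0, 0
    while cycle * spec.cycle_interval < window and (
            spec.cycle_count is None or cycle < spec.cycle_count):
        total += min(spec.count, fits(window - cycle * spec.cycle_interval))
        cycle += 1
    return total

def audit(text, window=3600):
    """Return (command, executions within window) per specification line."""
    specs = filter(None, (parse_line(l) for l in text.splitlines()))
    return [(s.command, executions_in(s, window)) for s in specs]

# Constructed commands file using the schedules listed above.
SAMPLE = """# constructed sample
0,show ap active
1m,show ap active
1m;2;1h;3,show ap active
5,show ap active
"""
```

Calling audit(SAMPLE) gives the per-hour execution count for each line, which makes an aggressive entry such as the 5-second interval stand out before it reaches a controller.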
I'm getting this error: "2016-02-19T11:37:26.782+0400 ERROR AbstractConnector - initial connector setup failed, phase: read prompt, timeout
Failed to connect: java.io.IOException: Read prompt handschake failed(timeout)."
Whatever I do: automatic login, manual login, script or no script. Doesn't matter.
And I can connect successfully to the same Instant controller with putty.exe
How can we find the cloud activation key for Aruba switches?
We can use the following command to find the cloud activation key:
Aruba# show activate provision
Configuration and Status - Activate Provision Service
Activate Provision Service : Enabled
Activate Server Address : device.arubanetworks.com
Activation Key : LKMNOPAB
The above command applies to the following switches:
Aruba 2920 Switch Series—WB.16.02.0012 or later
Aruba 2930F Switch Series—WC.16.02.0012 or later
Aruba 2540 Switch Series—YC.16.02.0012 or later
I have the same problem with a 2530-24g.
1. Is the clock reflecting correct time on the switch ? -> yes
2. Do you have DNS server configured on the switch ? -> yes
3. What is the firmware running on the switch ? YA.16.04.0009
4. Attach the output for :
Keys: W=Warning I=Information M=Major D=Debug E=Error
---- Reverse event Log listing: Events Since Boot ----
I 12/18/17 11:34:11 04611 job: Job Scheduler enabled
I 12/18/17 11:33:58 05101 amp-server: AMP server configuration is disabled due to first configuration.
I 12/18/17 11:33:57 05226 activate: Successfully resolved the Activate server address device.arubanetworks.com to 184.108.40.206.
I 01/01/90 01:00:45 05225 activate: Loading security certificates and synchronizing time with NTP.
I 01/01/90 01:00:45 05224 activate: Zero-touch provisioning enabled; connecting to Aruba Activate server to provision system.
I 01/01/90 01:00:45 03783 dhcp: DHCP server did not offer all the DNS parameters on Primary VLAN
I 01/01/90 01:00:45 00025 ip: DEFAULT_VLAN: ip address 192.168.100.110/24 configured on vlan 1
I 01/01/90 01:00:45 05177 ip: Setting IP address 192.168.100.99 as default gateway.
thank you, thomas
This article applies to all Aruba Mobility controllers and ArubaOS 3.x and later.
Configuration Steps :
Using the GUI:
To configure WPA - PSK, follow these steps:
1) Navigate to Configuration > Wireless > AP configuration > AP group.
2) Select the AP group and click Edit.
3) Click Wireless LAN, expand Virtual AP, then click the particular virtual AP and expand it.
4) Click the SSID Profile, select WPA-PSK with Encryption – TKIP, then create a Passphrase and confirm it.
5) Apply and save the configuration.
The Airwave 8.2.3 release introduces a new interface, docker0, which is used for bridging in virtualization. This can cause problems in your network, because the docker0 interface picks an IP address from the pool 172.17.0.0/16, which might match some other device in the same network. Communication between Airwave and devices in the 172.17.0.0/16 subnet might then fail.
To fix this, we can disable or delete the docker0 interface. However, instead of permanently disabling it, we can change its IP address to a loopback IP address or any other non-routable IP. This ensures that current network devices are not impacted, and you can still use the docker interface if needed.
We can run the following commands from the support shell of Airwave:
Stop the service
- service docker stop
Bring the interface down
- ip link set dev docker0 down
Delete the interface
- brctl delbr docker0
Modify the configuration to use the new IP address
- vi /etc/sysconfig/docker
- add: --bip=x.x.x.x/xx to the other_args="" line so it looks like this now:
Start the service
- service docker start
Run ifconfig to confirm that docker0 has been changed.
We can also choose to delete this interface if required:
[root@localhost mercury]# sudo ip link delete docker0 type bridge
[root@localhost mercury]# service network restart
Note: If you decide to delete the interface, docker0 will not show up in the output of ifconfig -a.
[root@localhost mercury]# ifconfig -a
docker0 Link encap:Ethernet HWaddr 0E:64:FF:8A:79:B1
inet addr:127.0.0.2 Bcast:0.0.0.0 Mask:255.255.0.0
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth0 Link encap:Ethernet HWaddr 00:0C:29:83:F0:A1
inet addr:10.9.211.155 Bcast:10.9.211.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe83:f0a1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:73216 errors:0 dropped:0 overruns:0 frame:0
TX packets:46023 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:22175910 (21.1 MiB) TX bytes:24732844 (23.5 MiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:83:F0:AB
inet addr:192.168.1.135 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe83:f0ab/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15489 errors:0 dropped:0 overruns:0 frame:0
TX packets:184 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:1185883 (1.1 MiB) TX bytes:13383 (13.0 KiB)
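To see which managed devices the docker0 address cuts off, and whether a replacement --bip value is clear of them, the check below can be run against the host's address list. It is an added example, not Aruba code: the sample `ip -o -4 addr show` output and the device inventory are constructed, and the function names are hypothetical. It also catches an old 172.17.x.x address left on the bridge next to the new one.

```python
import ipaddress
import re

# Constructed, trimmed sample of `ip -o -4 addr show` on an upgraded host.
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.9.211.155/24 brd 10.9.211.255 scope global eth0
4: docker0    inet 172.17.0.1/16 scope global docker0
"""
# Constructed inventory of managed device addresses.
DEVICES = ["10.9.211.20", "172.17.0.1", "172.17.44.10", "192.168.1.135"]

_ADDR = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)", re.M)

def interface_addrs(ip_output):
    """Map interface name -> list of IPv4Interface parsed from ip output."""
    addrs = {}
    for name, cidr in _ADDR.findall(ip_output):
        addrs.setdefault(name, []).append(ipaddress.ip_interface(cidr))
    return addrs

def shadowed_devices(ip_output, devices, bridge="docker0"):
    """Devices whose address falls inside a network assigned to the bridge.

    The host normally treats those addresses as directly connected to the
    bridge, so traffic for them does not leave through the real interface.
    Every address on the bridge is checked, not only the first one.
    """
    nets = [i.network for i in interface_addrs(ip_output).get(bridge, [])]
    return [d for d in devices
            if any(ipaddress.ip_address(d) in n for n in nets)]

def bip_is_clear(bip, devices):
    """True if the candidate --bip network contains no managed device."""
    net = ipaddress.ip_interface(bip).network
    return not any(ipaddress.ip_address(d) in net for d in devices)
```

With the constructed data, shadowed_devices(SAMPLE_IP_OUTPUT, DEVICES) reports the two 172.17.x.x devices, and bip_is_clear("127.0.0.2/16", DEVICES) confirms the address shown in the ifconfig output above does not cover any of them.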
The solution is incomplete. After adding the loopback address to docker0, the engineer had to delete the previous 172.17.x.x address with the following steps:
Discover the IP address assigned to docker0: ip addr show dev docker0
Delete the 172.17. address from docker0 with: ip addr del 172.17.x.x/16 dev docker0
What is the logic behind Aruba Networks using an address for docker0 that would conflict with address space already used in a network? Why not use 169.254.x.x space or the loopback address from the start?
After a recent upgrade my IAP sites suddenly appeared as DOWN in the 172.17.0.0/16 space. Not only did this become an unnecessary waste of time troubleshooting, without CLI access the problem is impossible to find or correct yourself. (Did someone at HP think it was a good idea to use 172.17.0.0/16 for docker0?) Please add netstat commands to the show techsupport file.
Our version upgrade for airwave changed Docker0 to the 172.17 address and broke management to our Aruba devices in the 172.17.0.0/16 address space. This is ridiculous. Can someone at Aruba/HP get this really bad decision fixed and change the address of the docker0 interface to its loopback or a 169.254.x.x as previously mentioned in the thread?
You have removed our CLI access that prevents us from using the directions above and resolving this ourselves.
I don't care as much about the hard coded IP address as using an address range that is commonly used and likely to create a conflict for some networks. That is a really bad decision by HP. I wonder how many networks they are going to cause outages in before HP cares enough to change this. HP could have safely reserved a /24 out of their public address space for this, or used 169.254.0.0/16 as mentioned in my previous post.
This issue also affects ClearPass when upgrading to 6.6.0 release from earlier releases. docker0 is part of ClearPass extensions, and even though extensions aren't enabled, the interface is created and the address 172.17.0.1 is hard-coded. In my customer's case, 172.17.0.1 is the SVI for their CORE SWITCH. So upgrading ClearPass took out their core network. Needless to say it was a tough one to troubleshoot and required escalation in TAC to get to the root shell. Why on earth did anyone think that hard-coding an IP address into an interface would ever be a good idea?
Environment : This article applies to Aruba Airmesh routers.
Click on "Reboot Device" and the Airmesh router will boot up with the upgraded image.
In this video we show how ClearPass can handle removed or disabled accounts. By default, if you remove an account, onboarded users will lose access as well (regardless of whether their certificate is valid, expired or revoked). If you disable the account in Active Directory, the user does have access. That is because in AD the account information (authorization) is still there. We can check for the account status (enabled/disabled) with an LDAP query.
A query that only returns enabled accounts is:
By combining that with the default query, which returns all accounts matching by username:
you get to the query:
Quick LDAP reference: from (&(filter1)(filter2)), which means both filter1 and filter2 must match, we go to (&(filter1)(&(filter2)(filter3))), where filter1 must match and filter2 and filter3 must match.
The video shows how to enter this in ClearPass as an additional attribute. You can decide to change the existing query, but that will give a 'user not found' in case of a disabled account. By getting an additional status attribute, you can clearly see that the account is disabled by the ws_Disabled role, and act accordingly.
This video is part of the Aruba ClearPass Workshop series.
This article explains the steps to upgrade the code on the controller.
We can upgrade the OS on the controller either through WebUI or through the CLI.
We can use the following methods to upgrade the code on the controller:
- Local File (This option is available while upgrading through WebUI)
NOTE: It is strongly recommended to read the Release Notes available on the support site before upgrading, to find out about any upgrade caveats or known issues.
Environment : This article applies to all the controller models and OS versions.
- Navigate to Maintenance> Image Management
- Choose the upgrade method
- Enter the Server IP address in case TFTP, FTP or SCP is used for upgrade
- Enter the image file name
- Choose the partition to upgrade. It is always advisable to upgrade to the non-default boot partition first so that we can revert to the old code in case something unexpected occurs.
- Select if you want to reboot the controller after upgrade. Unless reloaded, the new code will not take effect
- Save the current configuration before reboot
- Click Upgrade
Execute the following commands on the CLI to upgrade the code –
(Aruba)# copy tftp: <TFTP server IP address> <image file name> system: partition <0 or 1> //for TFTP
(Aruba)# copy ftp: <FTP server IP address> <username> <image file name> system: partition <0 or 1> //for FTP
(Aruba)# copy scp: <SCP host IP address> <username> <image file name> system: partition <0 or 1> //for SCP
Once the image is uploaded in the flash, save the configuration and reload the controller.
This solution will generate a Python script to bring a wired or wireless interface up and down. The script is used to repeatedly test the stability of wireless connections, the DHCP servers and the RADIUS servers when 802.1x is configured for the wireless networks. This script MUST NOT be used on users' production laptops or desktops, as it will repeatedly bring the interface up and down at the configured interval.
MacBook Air OS X 10.9.4
Question: What should I do if an Aruba controller or Mobility Switch is missing the TPM and/or factory certificates?
Environment: This article applies to the Aruba 7200, 6000, 3000 and 600 series Mobility Controllers and Aruba S3500, S2500 and S1500 Mobility Switches.
You can determine if a controller is missing the TPM and/or factory certificates in two ways:
- While booting up, the controller displays the following message on the console screen.
Initializing TPM and Certificates
====================== E R R O R =======================
TPM Initialization or Certificate Initialization failed.
For debug information see /tmp/deviceCertLib.log.
If this message appears even after rebooting the device
couple of times, please contact Aruba Networks.
- The output of the "show tpm cert-info" command executed at the CLI prompt displays the following message:
#show tpm cert-info
Cannot get TPM and Factory Certificate Info.
TPM and/or Factory Certificates might be missing.
If you see these messages, contact Aruba Networks Global Support to process an RMA.