How to set up a controller using ZTP (Zero Touch Provisioning) on a MM in ArubaOS 8.x

  • An account in Activate is needed, and the MD should be added to that Activate account.
  • The MD should be able to get an IP address/DNS from a DHCP server.
  • The MM and MD should have access to the internet (ports: DNS and HTTPS) to contact the Activate server (

Starting from 8.x, we can bring up the 72xx and 70xx controllers as an MD on an MM using Zero Touch Provisioning.

  1. Connect the last copper port of the controller (which is preconfigured as a DHCP client on access VLAN 4094) to the uplink switch/modem so that the MD can get IP address/DNS information.
  2. MM uploads the certificate to Activate server using the Activate credentials provided to it. 
  3. MD establishes HTTPS connection with Activate server and obtains the information about MM (IP address of MM, node path, certificate). 
  4. MM gets the details about the MD from Activate and whitelists it.
  5. MD establishes IPsec connection with MM. 


1. Once the device is added to Activate, set the mode of the MD to "Managed Device".


2. Configure the rule "Managed Device to Master Controller" and provide the details about the MM. 


3. Configure the Activate credentials on MM. 

#username "activate_username"
#password "password"



Once the MD has obtained an IP address/DNS from the DHCP server, it automatically contacts Activate and receives the MM information from it.

From the console logs of MD:

Received DHCP response, My IP =, Master = none, Country code = none
Master info not received from DHCP, trying activate
Received Activate response, My Role = md, Master  =, Master MAC = 00:50:56:9F:E7:A1, Hostname = ZTP-MD, Country code = US, Redundant Master MAC = none  VPN IP = none, VPN MAC = none, Redundant VPN MAC = none
Master = auto-discovered from Activate

On the MM:

(Abdul-MM) [mynode] #show running-config | include local-custom 
Building Configuration...
local-custom-cert local-mac "00:0b:86:dd:4f:20" ca-cert factory-ca-cert server-cert self-signed-field-cert --> whitelist entry pushed from Activate. 

Note: The controller syncs regularly to get the whitelist details from Activate. If it has not synced, execute the command #activate sync

(Abdul-MM) [mynode] #show switches
All Switches
IP Address     IPv6 Address  Name      Location          Type    Model      Version        Status  Configuration State  Config Sync Time (sec)  Config ID
----------     ------------  ----      --------          ----    -----      -------        ------  -------------------  ----------------------  ---------
  None          Abdul-MM  Building1.floor1  master  ArubaMM  up      UPDATE SUCCESSFUL    0                       6
  None          ZTP-MD    Building1.floor1  MD      Aruba7010  up      UPDATE SUCCESSFUL    0                       6

Total Switches:2

(Abdul-MM) [mynode] #show activate

Parameter                                 Value
---------                                 -----
Activate Whitelist Service                Enabled
Activate URL                    
Provision Activate URL          
Activate Login Username                   rvincent
Activate Login Password                   ********
Periodic Interval for WhiteList Download  1
Add-Only Operation                        Enabled
Custom cert to upload to Activate         N/A
Server cert to be used for IPSEC          N/A
(Abdul-MM) [mynode] #
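
The two checks read off by eye above (the Activate response on the MD console and the whitelist entry on the MM) can be scripted so that an unexpected master or an unexpected whitelisted device stands out. This is an added example, not part of the original article or of Aruba's tooling; the function names and the approved-MAC inventory are assumptions, and the sample strings are taken from the outputs above (the console line abridged).

```python
import re

# Whitelist line format as shown in the MM output above.
WHITELIST_RE = re.compile(
    r'local-custom-cert\s+local-mac\s+"([0-9A-Fa-f:]{17})"\s+'
    r'ca-cert\s+(\S+)\s+server-cert\s+(\S+)')
# The leading comma keeps this from matching "Redundant Master MAC".
MASTER_MAC_RE = re.compile(r',\s*Master MAC\s*=\s*([0-9A-Fa-f:]{17})')
ROLE_RE = re.compile(r'My Role\s*=\s*(\w+)')


def audit_whitelist(mm_output, approved_md_macs):
    """Compare whitelist entries on the MM with the MDs you expect to onboard."""
    seen = {m.group(1).lower(): (m.group(2), m.group(3))
            for m in WHITELIST_RE.finditer(mm_output)}
    approved = {mac.lower() for mac in approved_md_macs}
    return {
        "unexpected": sorted(set(seen) - approved),  # whitelisted, not in inventory
        "missing": sorted(approved - set(seen)),     # in inventory, not synced yet
        "entries": seen,                             # mac -> (ca-cert, server-cert)
    }


def check_md_console(md_log, expected_mm_mac):
    """Return a list of problems found in the MD's ZTP console log."""
    line = next((ln for ln in md_log.splitlines()
                 if "Received Activate response" in ln), None)
    if line is None:
        return ["no Activate response seen (check DHCP, DNS and HTTPS reachability)"]
    problems = []
    role = ROLE_RE.search(line)
    if not role or role.group(1) != "md":
        problems.append("role from Activate is not 'md'")
    mac = MASTER_MAC_RE.search(line)
    if not mac:
        problems.append("no Master MAC in Activate response")
    elif mac.group(1).lower() != expected_mm_mac.lower():
        problems.append("Master MAC %s is not the expected MM" % mac.group(1))
    return problems


# Sample input: strings from the article's outputs (console line abridged).
MM_OUTPUT = ('local-custom-cert local-mac "00:0b:86:dd:4f:20" ca-cert '
             'factory-ca-cert server-cert self-signed-field-cert')
MD_LOG = ('Master info not received from DHCP, trying activate\n'
          'Received Activate response, My Role = md, Master  =, '
          'Master MAC = 00:50:56:9F:E7:A1, Hostname = ZTP-MD, Country code = US')

if __name__ == "__main__":
    print(audit_whitelist(MM_OUTPUT, ["00:0b:86:dd:4f:20"]))
    print(check_md_console(MD_LOG, "00:50:56:9f:e7:a1"))
```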

Version history: revision 2 of 2, last update 03-29-2017 10:17 AM



I would like some help with debugging. I got to the point where MM is synced to Activate, and the MD gets the provisioning rule from Activate. After that, it restarts some services and presents me with a login (also the LCD says "master-locan syn" and it's stuck in that state). I tried logging in with the default password, the password I preset for the device on MM, and also with the Activate user, but it all fails. I can access the MD through SSH to the DHCP IP address it gets, but I cannot log in. Can you help me with what credential the MD is asking for after it gets the provision rule from Activate so that I can debug it?


Also, when I try #show running-config | include local-custom I don't have anything in the db. How can I check if MM has reached out successfully to Activate? (I am using VMM)