Provision Aruba AP via CLI

Below you will find the necessary commands to provision an Aruba access-point via CLI. The commands add the access-point to the AP whitelist and provision the AP in the correct ap-group. Adding the AP to the whitelist is necessary when using control-plane security.

whitelist-db cpsec add mac-address "94:b4:0f:c4:7e:98" description "ap01"
whitelist-db cpsec modify mac-address "94:b4:0f:c4:7e:98" cert-type factory-cert state certified-factory-cert
clear provisioning-ap-list
provision-ap read-bootinfo ap-name "94:b4:0f:c4:7e:98"
provision-ap copy-provisioning-params ap-name "94:b4:0f:c4:7e:98"
provision-ap installation indoor
provision-ap no external-antenna
provision-ap server-name "aruba-master"
provision-ap ap-group "corp-01"
provision-ap ap-name "ap01"
provision-ap no syslocation
provision-ap no remote-ap
provision-ap reprovision ap-name "94:b4:0f:c4:7e:98"
clear provisioning-ap-list
clear provisioning-params
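The command sequence above is easy to get wrong when you provision several APs by hand, and a mistyped MAC lands in the CPsec whitelist. The following script is an added example (not from the original post) that renders the same sequence for an inventory of APs; it normalises the MAC to the colon-separated lowercase form Aruba expects and rejects malformed MACs or names containing quote characters. The inventory and the MAC formats accepted are assumptions for the example.

```python
import re

# Added example: generate the ArubaOS provisioning commands from the post for
# a list of APs. Validation is deliberately strict so a typo never reaches the
# whitelist-db.
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError("invalid MAC address: %r" % raw)
    mac = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    assert MAC_RE.match(mac)
    return mac


def safe_name(value):
    """Names are emitted inside double quotes, so refuse anything that breaks them."""
    if not value or any(c in value for c in '"\r\n'):
        raise ValueError("invalid name: %r" % value)
    return value


def provision_commands(mac, ap_name, ap_group, server_name="aruba-master"):
    """Whitelist + reprovision sequence from the post for a single AP."""
    mac, ap_name, ap_group = normalize_mac(mac), safe_name(ap_name), safe_name(ap_group)
    return [
        'whitelist-db cpsec add mac-address "%s" description "%s"' % (mac, ap_name),
        'whitelist-db cpsec modify mac-address "%s" cert-type factory-cert state certified-factory-cert' % mac,
        "clear provisioning-ap-list",
        'provision-ap read-bootinfo ap-name "%s"' % mac,
        'provision-ap copy-provisioning-params ap-name "%s"' % mac,
        "provision-ap installation indoor",
        "provision-ap no external-antenna",
        'provision-ap server-name "%s"' % safe_name(server_name),
        'provision-ap ap-group "%s"' % ap_group,
        'provision-ap ap-name "%s"' % ap_name,
        "provision-ap no syslocation",
        "provision-ap no remote-ap",
        'provision-ap reprovision ap-name "%s"' % mac,
        "clear provisioning-ap-list",
        "clear provisioning-params",
    ]


def provision_all(aps):
    """aps: iterable of (mac, ap_name, ap_group); returns one pasteable script."""
    return "\n".join(line for mac, name, group in aps for line in provision_commands(mac, name, group))


if __name__ == "__main__":
    # Constructed sample inventory, second entry in Cisco-style dotted notation
    print(provision_all([("94:b4:0f:c4:7e:98", "ap01", "corp-01"),
                         ("94B4.0FC4.7E99", "ap02", "corp-01")]))
```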

Aruba MAS – Tunneled node

Today I played a bit with an Aruba Mobility Access Switch with Tunneled Node configuration to an Aruba Mobility Controller. More information on Tunneled Node can be found here.

The configuration is straightforward. You need to configure a tunneled-node profile on the MAS and associate the access ports on the MAS with a VLAN that is also present on the controller. I already have a controller in place and I would like to use some access ports for guest users with captive portal capabilities. I already set up an SSID with captive portal capabilities, so I use the same AAA profile on the controller for the tunneled-node clients.

I created the following configuration on the Aruba MAS.

ip-profile
default-gateway 10.10.75.254
controller-ip vlan 75
!
interface-profile tunneled-node-profile "tunnel-prof"
controller-ip 10.10.50.150
mtu 1300
!
interface-profile switching-profile "vl150-prof"
access-vlan 150
!
interface-group gigabitethernet "vl150-group"
apply-to 0/0/1-0/0/22
tunneled-node-profile "tunnel-prof"
switching-profile "vl150-prof"

The ip-profile defines the controller-ip of the MAS and the default gateway used to reach the Aruba controller (10.10.50.150). A switching profile is configured with access VLAN 150, and the tunneled-node profile and switching profile are bound to switch ports 0/0/1 to 0/0/22.

On the controller you only need to enable wired access and assign the AAA profile, which you also use for the guest SSID.

aaa authentication wired
profile “guest-aaa_prof”

When I connect a device to switch port 0/0/1, the guest device gets an IP address assigned from VLAN 150, located behind the corporate Aruba Mobility Controller. The guest-aaa_prof is assigned to the device/user, which redirects the user to the captive portal to enter login credentials. You can also configure user derivation to assign different VLANs to the connected devices behind the Aruba MAS.

ProCurve – Secure Management

Managing networking components is possible via a web interface or via a command-line interface. It doesn't matter which method you prefer, but it does matter that the connection is secure. If you use telnet (CLI) or HTTP (web interface), the management traffic, credentials included, is sent in clear text across the network.

I still notice that a lot of people use insecure communication methods. It is preferred to use SSH (CLI) or HTTPS (web interface) to manage your components. The commands below can be used with HP ProCurve components to enable SSH and HTTPS and disable the telnet and HTTP management protocols. (The supported key size depends on the type of component and the firmware version used.)

CLI

switch01(config)# crypto key generate ssh rsa bits 2048
switch01(config)# ip ssh
switch01(config)# no telnet-server

Web Interface

switch01(config)# crypto key generate cert rsa <1024|2048>
switch01(config)# crypto host-cert generate self-signed
Validity start date [02/16/2015]:
Validity end date   [02/16/2016]: 09/23/2320
Common name          [10.10.1.99]: switch01.booches.local
Organizational unit  [Dept Name]: ICT
Organization      [Company Name]: Booches
City or location          [City]: Bocholtz
State name               [State]: Limburg
Country code                [US]: NL
switch01(config)# web-management ssl
switch01(config)# no web-management plaintext

Next to using secure protocols, it is preferred to create unique credentials for every administrator. One way to create unique credentials is by configuring RADIUS / TACACS authentication. A common approach is to configure RADIUS between the switch and Active Directory. The following commands can be used to configure RADIUS on HP ProCurve switches; the trailing "local" keeps the local account as a fallback if the RADIUS servers are unreachable.

switch01(config)# radius-server host 10.10.100.1 key <shared key>
switch01(config)# radius-server host 10.10.100.2 key <shared key>
switch01(config)# aaa authentication web login radius local
switch01(config)# aaa authentication web enable radius local
switch01(config)# aaa authentication ssh login radius local
switch01(config)# aaa authentication ssh enable radius local
switch01(config)# aaa authentication login privilege-mode
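To check that the secure-management and RADIUS settings above are actually in place across a fleet, the following script is an added example (not from the original post) that audits a ProCurve running-config dump for each hardening item. The sample config is constructed for the example, and the line patterns are an assumption: ProCurve "show running-config" output varies per firmware (defaults such as telnet-server typically only appear as "no ..." lines when disabled), so adjust the regexes to your platform.

```python
import re

# Constructed sample running-config for the example: SSH is on, but telnet and
# plaintext web management are still enabled and only SSH login uses RADIUS.
SAMPLE_CONFIG = """\
hostname "switch01"
telnet-server
web-management plaintext
ip ssh
radius-server host 10.10.100.1 key "<shared key>"
aaa authentication ssh login radius local
aaa authentication ssh enable local
"""

# (finding, regex a config line MUST match, regex no config line may match)
CHECKS = [
    ("ssh enabled", r"^ip ssh\b", None),
    ("telnet disabled", r"^no telnet-server\b", r"^telnet-server\b"),
    ("https enabled", r"^web-management ssl\b", None),
    ("http disabled", r"^no web-management plaintext\b", r"^web-management plaintext\b"),
    ("radius server configured", r"^radius-server host \S+", None),
    ("ssh login via radius", r"^aaa authentication ssh login radius\b", None),
    ("ssh enable via radius", r"^aaa authentication ssh enable radius\b", None),
    ("web login via radius", r"^aaa authentication web login radius\b", None),
]


def audit_config(config_text):
    """Return {finding: True if the hardening item is present, else False}."""
    lines = [l.strip() for l in config_text.splitlines()]
    results = {}
    for name, required, forbidden in CHECKS:
        ok = any(re.match(required, l) for l in lines)
        if forbidden and any(re.match(forbidden, l) for l in lines):
            ok = False  # an explicit insecure line overrides the "present" result
        results[name] = ok
    return results


def failed_checks(config_text):
    """Sorted list of hardening items that are missing from the config."""
    return sorted(k for k, v in audit_config(config_text).items() if not v)


if __name__ == "__main__":
    for item in failed_checks(SAMPLE_CONFIG):
        print("MISSING:", item)
```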

FortiGate – debug flow

You can use the diagnose debug flow commands to trace how the FortiGate handles traffic for a given address, which works as a policy simulation. An example of the commands and their console feedback:

fw01 (root) # diagnose debug enable

fw01 (root) # diagnose debug flow show console enable
show trace messages on console

fw01 (root) # diagnose debug flow filter addr 10.10.1.25

fw01 (root) # diagnose debug flow trace start 5

You can stop the trace with the following commands:

fw01 (root) # diagnose debug flow trace stop

fw01 (root) # diagnose debug flow show console disable
do not show trace messages on console

fw01 (root) # diagnose debug disable


Cisco WLC and pre-download software to AP

A simple post, because I always forget the CLI commands to TFTP the software to the controller. I also added the command to predownload the new firmware to all access points. This dramatically speeds up the upgrade process of the access points.

You need to set the TFTP parameters first.

(Cisco Controller) >transfer download datatype code
(Cisco Controller) >transfer download mode tftp
(Cisco Controller) >transfer download serverip 10.77.244.196
(Cisco Controller) >transfer download path .
(Cisco Controller) >transfer download filename AIR-WLC4400-K9-5-2-178-0.aes

Next you can start the actual download of the firmware image.

(Cisco Controller) >transfer download start

You can now choose to reboot the controller without predownloading the firmware to the access points. Predownloading the images is done via the command:

(Cisco Controller) >config ap image predownload primary all

You can view the progress of the predownload via:

(Cisco Controller) >show ap image all

Sometimes the predownloaded image is stored as the backup image on the access points. You can swap it to the primary image via:

(Cisco Controller) >config ap image swap all

Issue the following command to see the images on the Cisco WLC:

(Cisco Controller) >show boot