Aruba Central Online Help

Configuring APs Using Templates

Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AP deployments.

The template-provisioning of APs is available for Foundation and Advanced licenses for APs.

To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that the device administrators familiarize themselves with the CLI configuration commands available on Aruba APs.

For template-based provisioning, APs must be assigned to a group with template-based configuration method enabled.

To create a template for the APs in a template group, complete the following steps:

  1. In the Network Operations app, set the filter to one of the template group under Groups.
  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure APs in a template group are displayed.

  4. In the Templates table, click + to add a new template.

    The Add Template window is displayed.

  5. Under Basic Info, enter the following information:
    1. Template Name—Enter the template name.
    2. Model—Set the model parameter to ALL.
    3. Version—Set the model parameter to ALL.
  6. Under Template, add the CLI script content.
  7. Check the following guidelines before adding content to the template:
    • Ensure that the command text indentation matches the indentation in the running configuration.
    • The template allows multiple per-ap-settings blocks. The template must include the per-ap-settings %_sys_lan_mac% variable. The per-ap-settings block uses the variables for each AP. The general VC configuration uses variables for conductor AP to generate the final configuration from the provided template. Hence, Aruba recommends that you upload all variables for all devices in a cluster and change values as required for individual AP variables.
    • You can obtain the list of variables for per-ap-settings by using the show amp-audit command.

      The following example shows the list of variables for per-ap-settings.

      (Instant AP)# show amp-audit | begin per-ap per-ap-settings 70:3a:0e:cc:ee:60 hostname EE:60-335-24 rf-zone bj-qa ip-address "" swarm-mode standalone wifi0-mode access wifi1-mode access g-channel 6+ 21 a-channel 140 26 uplink-vlan 0 g-external-antenna 0 a-external-antenna 0 ap1x-peap-user peap22 282eaf1077b8d898b91ec41b5da19895

      The commands in the template are case-sensitive.

      IF ELSE ENDIF conditions are supported in the template. If the template text includes the if condition, % sign is required at the beginning and the end of the text. For example, %if guest%.

      The following example shows the template text with the IF ELSE ENDIF condition.

      Templates also support nesting of the IF ELSE END IF condition blocks.

      The following example shows how to nest such blocks:

      %if condition1=true% routing-profile route %if condition2=true% routing-profile route %else% routing-profile route %endif% %else% routing-profile route %if condition3=true% routing-profile route %else% routing-profile route %endif% %endif%

      For profile configuration CLI text, for example, vlanVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN., interface, access-list, ssid and so on, the first command must start with no white space. The subsequent local commands in given profile must start with at least one initial space (' ') or indented as shown in the following examples:

      Example 1

      vlan 1 name "vlan1" no untagged 1-24 ip address dhcp-bootp exit

      Example 2

      %if vlan_id1% vlan %vlan_id1% %if vlan_id1=1% ip address dhcp-bootp %endif% no untagged %_sys_vlan_1_untag_command% exit %endif%

      To comment out a line in the template text, use the pound sign (#). Any template text preceded by # is ignored when processing the template.

      To allow or restrict APs from joining the Instant AP cluster, Aruba Central uses the _sys_allowed_ap_ system-defined variable. Use this variable only when allowed APs configuration is enabled. For example, _sys_allowed_ap: "a_mac, b_mac, c_mac". Use this variable only once in the template.

  8. Click OK.

Sample Template

The following example shows the typical contents allowed in a template file for APs:

virtual-controller-country %countrycode% virtual-controller-key d2d8c79e010af35667dae85f950cf144b476ab4beba9ce5696 organization %org% name %VCname% virtual-controller-ip %vcip% terminal-access clock time zone none 00 00 rf-band all allow-new-aps allowed-ap 38:17:c3:cd:34:ca hash-mgmt-password hash-mgmt-user admin password cleartext public syslog-level debug syslog-level warn ap-debug arm wide-bands none a-channels 44,44+,40,36 g-channels 13,1+ min-tx-power 15 max-tx-power 127 band-steering-mode prefer-5ghz air-time-fairness-mode fair-access channel-quality-aware-arm-disable client-match client-match nb-matching 55 client-match calc-interval 5 client-match slb-mode 2 wlan access-rule default_wired_port_profile index 0 rule any any match any any any permit wlan access-rule wired-SetMeUp index 1 rule masterip match tcp 80 80 permit rule masterip match tcp 4343 4343 permit rule any any match udp 67 68 permit rule any any match udp 53 53 permit wlan access-rule %ssid_name% index 2 rule any any match any any any permit wlan ssid-profile %ssid_name% %if disable_ssid=true% disable-ssid %endif% %if ssid_security=wpa2% opmode wpa2-aes %else% opmode opensystem %endif% type employee essidExtended Service Set Identifier. ESSID refers to the ID used for identifying an extended service set. %ssid_name% wpa-passphrase %pw% max-authentication-failures 0 auth-server InternalServer rf-band all captive-portal disable dtim-period 1 broadcast-filter arp denylist dmo-channel-utilization-threshold 90 local-probe-req-thresh 0 max-clients-threshold 64 okc %if condition1=true% routing-profile route %if condition2=true% routing-profile route %else% routing-profile route %endif% %else% routing-profile route %if condition3=true% routing-profile route %else% routing-profile route %endif% %endif% wired-port-profile wired-SetMeUp switchport-mode access allowed-vlan all native-vlan guest no shutdown access-rule-name wired-SetMeUp speed auto duplex auto no poe type guest captive-portal disable no dot1x wired-port-profile default_wired_port_profile switchport-mode trunk allowed-vlan all native-vlan 1 shutdown access-rule-name default_wired_port_profile speed auto duplex full no poe type employee captive-portal disable no dot1x enet0-port-profile default_wired_port_profile enet1-port-profile wired-SetMeUp uplink preemption enforce none failover-internet-pkt-lost-cnt 10 failover-internet-pkt-send-freq 30 failover-vpn-timeout 180 cluster-security allow-low-assurance-devices per-ap-settings %_sys_lan_mac% hostname %hostname% rf-zone %rfname% swarm-mode %mode% wifi0-mode %wifi0mode% wifi1-mode %wifi1mode% g-channel %gch% %gtx% a-channel %ach% %gtx%

Password Management in Configuration Templates for AP

In Aruba Central, the AP management user passwords are stored and displayed as hash instead of plain text. Password for an AP can be set using the following commands:

mgmt-user <user-name> <password> mgmt-user <user-name> <password> guest-mgmt mgmt-user <user-name> <password> read-only

The mgmt-user commands are used for APs running below Aruba InstantOS 4.3 firmware version.

The hash-mgmt-user commands is enabled by default on the APs provisioned in the template and UI groups. If a pre-configured AP joins Aruba Central and is moved to a new group, Aruba Central uses the hash-mgmt-user configuration settings and discards mgmt-user configuration settings, if any, on the AP. In other words, Aruba Central hashes management user passwords irrespective of the management user configuration settings running on an AP.

The mgmt-user commands can only be used for APs running firmware versions equal to or above Aruba InstantOS 4.3.

Password for AP can be set using the following hash-mgmt-user commands:

hash-mgmt-user <user-name> password hash <hash-password> hash-mgmt-user <user-name> password cleartext <cleartext-password> hash-mgmt-user <user-name> password hash <hash-password> usertype read-only hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype read-only hash-mgmt-user <user-name> password hash <hash-password> usertype guest-mgmt hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype guest-mgmt hash-mgmt-user <user-name> password hash <hash-password> usertype local hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype local
  • Aruba Central supports the use of hash commands with clear text, however, Aruba recommends you to use hash passwords instead of clear text passwords to avoid password disclosures. 
  • Aruba Central allows you to re-use the hash from one AP on another AP.
  • All AP templates must include a password command to set a password for the device. The template cannot be saved without adding a password command. If the configuration that is pushed from Aruba Central to the device does not contain a password command, the configuration push is aborted for the device and a log is added to the audit trail. For example, if you add the password command in a condition block and the condition evaluates to false, the configuration that is pushed will not contain the password command. For more information, see Managing Password in Configuration Templates.