Dell PowerConnect W-7200 Series User manual
Dell PowerConnect W-Series
ArubaOS 6.2
Command-Line Interface
Reference Guide
Copyright Information
© 2013 Aruba Networks, Inc. Aruba Networks trademarks include , Aruba Networks®, Aruba
Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management
System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.
All rights reserved. Specifications in this manual are subject to change without notice.
Originated in the USA. All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code
subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open
Source Licenses. Includes software from Litech Systems Design. The IF-MAP client library copyright 2011 Infoblox,
Inc. All rights reserved. This product includes software developed by Lars Fenneberg, et al. The Open Source code
used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate
other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for
this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it
with respect to infringement of copyright on behalf of those vendors
0510956-01 | March 2013 2
Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide Introduction | 3
Introduction
The Dell PowerConnect W-Series ArubaOS 6.2 command line interface (CLI) allows you to configure and manage
your controllers. The CLI is accessible from a local console connected to the serial port on the controllers or through
a Telnet or Secure Shell (SSH) session from a remote management console or workstation.
NOTE: Telnet access is disabled by default. To enable Telnet access, enter the telnet cli command from a serial connection or an
SSH session, or in the WebUI navigate to the Configuration > Management > General page.
What’s New In ArubaOS 6.2.1.0
The following commands have been modified in the ArubaOS 6.2.1.0 command line interface.
Command Description
provision-ap
ap provisioning-profile
ArubaOS 6.2.1.0 introduces the cellular_nw_preference parameter for
provisioning a multimode USB modem for a remote AP. These changes
simplify modem provisioning for both 3G and 4G networks.
The previous modem configuration procedure required that you define a
driver for a 3G modem in the USB modem field in the AP provisioning
profile, or define a driver for a 4G modem in the 4G USB type field.
Starting with ArubaOS 6.2.1.0, you can configure drivers for both a 3G or a
4G modem using the USB field, and the 4G USB Type field is deprecated
What’s New In ArubaOS 6.2.0.0
The following commands have been added in the ArubaOS 6.2 command line interface.
Command Description
aaa user monitor This command checks to see whether an authenticated user's attributes
differ from those in the SOS.
ap debug radio-event-log Start and stops radio event log capture for debugging purposes, and
sends a pktlog file to a dump server in the case of stop.
ap debug radio-registers dump Allows you to collect all or specific radio register log files into a separate
file.
ap lldp med-network-policy-profile Define an LLDP MED network policy profile that defines DSCP values and
L2 priority levels for a voice or video application.
ap lldp profile Link Layer Discovery Protocol (LLDP), is a Layer-2 protocol that allows net-
work devices to advertise their identity and capabilities on a LAN. Wired
interfaces on APs support LLDP by periodically transmitting LLDP Pro-
tocol Data Units (PDUs) comprised of type-length-value (TLV) elements.
4| Introduction Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide
Command Description
ap packet-capture Replaces the pcap command and includes open-port and close-port sub-
commands for allowing packet monitoring by port.
ap remove-r1-key This command removes the r1 key from an AP.
clock append This command enables the timestamp feature, adding a date and time to
the output of show commands.
firewall-visibility This command enables or disables policy enforcement firewall visibility
feature.
interface-profile voip-profile This command creates a VoIP profile that can be applied to any interface
or an interface group.
lcd-menu This command allows you to enable or disable the LCD menu either com-
pletely or for specific operations.
show ap radio-summary Displays AP radios registered to this controller.
show ap remote debug r1_key This command displays all the r1 keys that are stored in an AP.
show fast-roaming-r1-efficiency This command displays the hit/miss rate of r1 keys cached on an AP
before Fast BSS transition roaming.
show firewall-visibility This command displays the policy enforcement firewall visibility process
state and status information.
show gap-debug This command displays the troubleshooting information for the global AP
database.
show iap table This command displays the details of the branch Instant AP network infor-
mation connected to the controller.
show interface-profile voip-profile This command displays the specified VoIP profile configuration infor-
mation.
show wlan bcn-rpt-req-profile This command shows configuration and other information about the
parameters for the Beacon Report Request frames.
show wlan handover-trigger-profile This command displays the current configuration settings for a handover
trigger profile.
show wlan tsm-req-profile This command shows configuration and other information about the Traf-
fic Stream Measurement.
threshold This command configures controller capacity thresholds which, when
exceeded, will trigger alerts.
wlan bcn-rpt-req-profile This command configures a Beacon Report Request Profile to provide the
parameters for the Beacon Report Request frames.
wlan handover-trigger-profile Configure a handover trigger profile to ensure QoS for voice calls.
wlan rrm-ie-profile This command configure an radio resource management RRMIEprofile
Command Description
to define the information elements advertised by an AP with 802.11k sup-
port enabled.
wlan tsm-req-profile This command configures a TSM Report Request Profile.
Modified Commands
The following commands were modified in ArubaOS 6.2.
Command Parameter Description
aaa authentication mgmt The option to enable mschapv2 was added.
aaa authentication via connection-profile The following parameters were added:
lallow-whitelist-traffic
lauto-launch-supplicant
lbanner-message-reappear
lenable-fips
lenable-supplicant
lwhitelist
aaa authentication-server radius The following support was added:
lenable-ipv6 and nas-ip6 parameters to specify an IPv6 host address
for the host parameter.
lmac-lowercase to send MAC addresses in lowercase format.
aaa authentication-server tacacs IPv6 support was added for TACACS server. You can now specify an IPv6
host address for the host parameter.
copy The following parameters were added:
lusb: partition <partition-number>
lusb: partition <partition-number> <filename>
firewall The following parameters were added:
lenable-bridging
lprevent-dhcp-exhaustion
firewall cp The following parameters were added:
lpermit <ip-addr><ip-mask>
ldeny <ip-addr>
lany
lhost
lftp, http, https, icmp, snmp, ssh, telnet and tftp
interface vlan ipv6 address The nd parameter for configuring IPv6 neighbor discovery and IPv6 router
advertizement options was introduced.
ip mobile proxy The re-home parameter is deprecated as the re-homing functionality is
no longer available.
mgmt-user The rcp (Revocation Checkpoint) parameter was added. The rcp checks
the revocation status of the SSH user’s client certificate before permitting
access.
provision-apsch-mode-radio-0 |sch- If you are provisioning an 802.11n-capable AP, issue the sch-mode-radio-
Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide Introduction | 5
6| Introduction Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide
Command Parameter Description
mode-radio-1 0 or command to enable single-chain mode for the selected radio. AP
radios in single-chain mode will transmit and receive data using only
legacy rates and single-stream HT rates up to MCS 7. This setting is
disabled by default.
rf arm-profilerf arm-profile Channel quality percentage below which ARM initiates a channel
change.
rf arm-profilerf arm-profile If channel quality is below the specified channel quality threshold for this
wait time period, ARM initiates a channel change.
service The dhcpv6 parameter is introduced. This command enables DHCPv6
service on the controller.
show ap debug counters Added APcrash information.
show ap debug system-status Added CPU usage statistics.
show ap remote debug mgmt-frames Added deauthentication reason explanation to output table.
show datapath Following parameters were added:
lnetwork ingress
linternal dir
lerror counters
ldebug opcode
ltrace-route
lip-fragment
show ap debug system-status Added parameters to display Control-Plane security, OSPF, SAPM, Sta-
tion Management low priority, syslog database, user database, and wrie-
less management statistics.
show mgmt-users The Revocation Checkpoint (rcp)appears in the outpoint.
show storage Information detailing attached USB storage devices now appear in the
output. This is applicable to the W-7200 series Series controllers only.
show user The output now shows if IP address is from DHCP.
show vlan mapping The Assignment Type appears in the output.
vlan-name <name> [pool|assignment
{even|hash}]
Sets the assignment type as even or hash.The Even assignment type is
based on an even distribution of VLAN pool assignments. The hash type
means that the VLAN assignment is based on the station MAC address.
wlan dot11k-profile The following parameters were introduced:
lbcn-req-chan-11a
lbcn-req-chan-11bg
lap-chan-rpt-11a
lap-chan-rpt-11bg
lhandover-trigger-profile
lrrm-ie-profile
lbcn-rpt-req-profile
ltsm-req-profile
The handover trigger threshold parameter was deprecated, as the hand-
Command Parameter Description
over trigger settings are now configured using the handover trigger pro-
file.
wlan ssid-profile The following parameters were introduced:
ldot11r-profile
lbSec-128
lbSec-256
ladvertise-location
lenforce-user-vlan
Deprecated Commands
The following commands were deprecated in ArubaOS 6.2:
Command Description
papi-security (deprecated) The papi-security command configure a key on the master controller
which then distributes it to other controllers and APs, thus allowing each
site to have a unique key.
pcap (deprecated) Name changed to ap packet capture.
policer-profile (deprecated) This command configures a Policer profile to manage the transmission
rate of a class of traffic based on user-defined criteria
firewall This clears the datapath sessions when roles are updated.
local-userdb-ap add This command adds a Remote AP entry to the Remote AP whitelist table.
local-userdb-ap del This command deletes a Remote AP entry from the Remote AP whitelist
table.
local-userdb-ap modify This command modifies a Remote AP entry in the Remote AP whitelist
table.
local-userdb-ap revoke Revoke a lost or stolen remote AP to prevent unauthorized users from
accessing the company's corporate network.
qos-profile (deprecated) This command configures a QoS profile to assign TC/DP, DSCP, and
802.1p values to an interface or policer profile.
show papi-security (deprecated) Shows a configured papi-security profile.
show policer-profile (deprecated) This command displays the policer profile configuration.
show qos-profile (deprecated) This command displays the QoS profile configuration.
Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide Introduction | 7
8| Introduction Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide
About this Guide
This guide describes the Dell PowerConnect W-Series ArubaOS 6.2 command syntax. The commands in this guide
are listed alphabetically.
The following information is provided for each command:
lCommand Syntax—The complete syntax of the command.
lDescription—A brief description of the command.
lSyntax—A description of the command parameters, including license requirements for specific parameters if
needed. The applicable ranges and default values, if any, are also included.
lUsage Guidelines—Information to help you use the command, including: prerequisites, prohibitions, and related
commands.
lExample—An example of how to use the command.
lCommand History—The version of ArubaOS in which the command was first introduced. Modifications and
changes to the command are also noted.
lCommand Information—This table describes any licensing requirements, command modes and platforms for
which this command is applicable. For more information about available licenses, see the Licenses chapter of the
Dell
PowerConnect
W-Series
ArubaOS
6.2
User
Guide
.
Connecting to the Controller
This section describes how to connect to the controller to use the CLI.
Serial Port Connection
The serial port is located on the front panel of the controller. Connect a terminal or PC/workstation running a
terminal emulation program to the serial port on the controller to use the CLI. Configure your terminal or terminal
emulation program to use the following communication settings.
Baud Rate Data Bits Parity Stop Bits Flow Control
9600 8 None 1 None
NOTE: The Dell W-7200 series controller supports baud rates between 9600 and 115200.
Telnet or SSH Connection
Telnet or SSH access requires that you configure an IP address and a default gateway on the controller and connect
the controller to your network. This is typically performed when you run the Initial Setup on the controller, as
described in the
Dell PowerConnect W-Series ArubaOS 6.2 Quick Start Guide
. In certain deployments, you can also
configure a loopback address for the controller; see "interface loopback" on page 318 for more information.
Configuration changes on Master Controllers
Some commands can only be issued when connected to a master controller. If you make a configuration change on a
master controller, all connected local controllers will subsequently update their configurations as well. You can
manually synchronize all of the controllers at any time by saving the configuration on the master controller.
CLI Access
When you connect to the controller using the CLI, the system displays its host name followed by the login prompt.
Log in using the admin user account and the password you entered during the Initial Setup on the controller (the
password displays as asterisks). For example:
(host)
User: admin
Password: *****
When you are logged in, the
user
mode CLI prompt displays. For example:
(host) >
User mode provides only limited access for basic operational testing such as running ping and traceroute.
Certain management functions are available in enable (also called “privileged”) mode. To move from user mode to
enable mode requires you to enter an additional password that you entered during the Initial Setup (the password
displays as asterisks). For example:
(host) > enable
Password: ******
When you are in enable mode, the > prompt changes to a pound sign (#):
(host) #
Configuration commands are available in
config
mode. Move from enable mode to config mode by entering configure
terminal at the # prompt:
(host) # configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
When you are in basic config mode, (config) appears before the # prompt:
(host) (config) #
NOTE: There are several other sub- command modes that allow users to configure individual interfaces, subinterfaces, loopback
addresses, GRE tunnels and cellular profiles. For details on the prompts and the available commands for each of these modes, see
Appendix A: Command Modes on page1250.
Command Help
You can use the question mark (?) to view various types of command help.
When typed at the beginning of a line, the question mark lists all the commands available in your current mode or
sub-mode. A brief explanation follows each command. For example:
(host) > ?
enable Turn on Privileged commands
logout Exit this session. Any unsaved changes are lost.
ping Send ICMP echo packets to a specified IP address.
traceroute Trace route to specified IP address.
When typed at the end of a possible command or abbreviation, the question mark lists the commands that match
(if any). For example:
(host) > c?
clear Clear configuration
clock Configure the system clock
configure Configuration Commands
copy Copy Files
Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide Introduction | 9
10 | Introduction Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide
If more than one item is shown, type more of the keyword characters to distinguish your choice. However, if only
one item is listed, the keyword or abbreviation is valid and you can press tab or the spacebar to advance to the next
keyword.
When typed in place of a parameter, the question mark lists the available options. For example:
(host) # write ?
erase Erase and start from scratch
file Write to a file in the file system
memory Write to memory
terminal Write to terminal
<cr>
The <cr> indicates that the command can be entered without additional parameters. Any other parameters are
optional.
Command Completion
To make command input easier, you can usually abbreviate each key word in the command. You need type only
enough of each keyword to distinguish it from similar commands. For example:
(host) # configure terminal
could also be entered as:
(host) # con t
Three characters (con) represent the shortest abbreviation allowed for configure. Typing only cor co would not work
because there are other commands (like copy) which also begin with those letters. The configure command is the
only one that begins with con.
As you type, you can press the spacebar or tab to move to the next keyword. The system then attempts to expand
the abbreviation for you. If there is only one command keyword that matches the abbreviation, it is filled in for you
automatically. If the abbreviation is too vague (too few characters), the cursor does not advance and you must type
more characters or use the help feature to list the matching commands.
Deleting Configuration Settings
Use the no command to delete or negate previously-entered configurations or parameters.
lTo view a list of no commands, type no at the enable or config prompt followed by the question mark. For
example:
(host) (config) # no?
lTo delete a configuration, use the no form of a configuration command. For example, the following command
removes a configured user role:
(host) (config) # no user-role <name>
lTo negate a specific configured parameter, use the no parameter within the command. For example, the following
commands delete the DSCP priority map for a priority map configuration:
(host) (config) # priority-map <name>
(host) (config-priority-map) # no dscp priority high
Saving Configuration Changes
Each Dell controller contains two different types of configuration images.
lThe
running-config
holds the current controller configuration, including all pending changes which have yet to be
saved. To view the running-config, use the following command:
(host) # show running-config
lThe
startup config
holds the configuration which will be used the next time the controller is rebooted. It contains
all the options last saved using the write memory command. To view the startup-config, use the following
command:
(host) # show startup-config
When you make configuration changes via the CLI, those changes affect the current running configuration only. If
the changes are not saved, they will be lost after the controller reboots. To save your configuration changes so they
are retained in the startup configuration after the controller reboots, use the following command in enable mode:
(host) # write memory
Saving Configuration...
Saved Configuration
Both the startup and running configurations can also be saved to a file or sent to a TFTP server for backup or
transfer to another system.
Commands That Reset the Controller or AP
If you use the CLI to modify a currently provisioned and running radio profile, those changes take place
immediately; you do not reboot the controller or the AP for the changes to affect the current running configuration.
Certain commands, however, automatically force the controller or AP to reboot. You may want to consider current
network loads and conditions before issuing these commands, as they may cause a momentary disruption in service
as the unit resets. Note also that changing the lms-ip parameter in an AP system profile associated with an AP group
will cause all APs in that AP group to reboot.
Commands that Reset an AP Commands that Reset a Controller
lap-regroup
lap-rename
lapboot
lprovision-ap
lap wired-ap-profile <profile> forward-mode {bridge|split-
tunnel|tunnel}
lwlan virtual-ap <profile-name> {aaa-profile <profile-name>
|forward-mode {tunnel|bridge|split-tunnel|decrypt-tunnel} |ssid-
profile <profile-name>|vlan <vlan>...}
lap system-profile <profile> {bootstrap-threshold <number> |lms-ip
<ipaddr> |}
lwlan ssid-profile <profile-name> {battery-boost|deny-
bcast|essid|opmode|strict-svp |wepkey1 <key> |wepkey2
<key>|wepkey3 <key>|wepkey4 <key>|weptxkey <index> |wmm
|wmm-be-dscp <best-effort>|wmm-bk-dscp <background>|wmm-ts-
min-inact-int <milliseconds>|wmm-vi-dscp <video>|wmm-vo-dscp
<voice>|wpa-hexkey <psk> |wpa-passphrase <string> }
lwlan dotllk <profile-name> {bcn-measurement-mode|dot11k-
enable|force-dissasoc
lreload
Table 1:
Reset Commands
Typographic Conventions
The following conventions are used throughout this manual to emphasize important concepts:
Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide Introduction | 11
12 | Introduction Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide
Type Style Description
Italics
This style is used to emphasize important terms and to mark the titles of
books.
Boldface This style is used to emphasize command names and parameter options
when mentioned in the text.
Commands This fixed-width font depicts command syntax and examples of
commands and command output.
<angle brackets> In the command syntax, text within angle brackets represents items that
you should replace with information appropriate to your specific
situation. For example:
ping <ipaddr>
In this example, you would type “ping” at the system prompt exactly as
shown, followed by the IP address of the system to which ICMP echo
packets are to be sent. Do not type the angle brackets.
[square brackets] In the command syntax, items enclosed in brackets are optional. Do not
type the brackets.
{Item_A|Item_B} In the command examples, single items within curled braces and
separated by a vertical bar represent the available choices. Enter only
one choice. Do not type the braces or bars.
{ap-name <ap-name>}|{ipaddr <ip-addr>} Two items within curled braces indicate that both parameters must be
entered together. If two or more sets of curled braces are separated by a
vertical bar, like in the example to the left, enter only one choice Do not
type the braces or bars.
Table 2:
Text Conventions
Command Line Editing
The system records your most recently entered commands. You can review the history of your actions, or reissue a
recent command easily, without having to retype it.
To view items in the command history, use the
up
arrow key to move back through the list and the
down
arrow key
to move forward. To reissue a specific command, press Enter when the command appears in the command history.
You can even use the command line editing feature to make changes to the command prior to entering it. The
command line editing feature allows you to make corrections or changes to a command without retyping. Table 1
lists the editing controls. To use key shortcuts, press and hold the Ctrl button while you press a letter key.
Key Effect Description
Ctrl A Home Move the cursor to the beginning of the line.
Ctrl B or the
left arrow
Back Move the cursor one character left.
Ctrl D Delete Right Delete the character to the right of the cursor.
Ctrl E End Move the cursor to the end of the line.
Table 3:
Line Editing Keys
Key Effect Description
Ctrl F or the
right arrow
Forward Move the cursor one character right.
Ctrl K Delete Right Delete all characters to the right of the cursor.
Ctrl N or the
down arrow
Next Display the next command in the command history.
Ctrl P or
up arrow
Previous Display the previous command in the command history.
Ctrl T Transpose Swap the character to the left of the cursor with the
character to the right of the cursor.
Ctrl U Clear Clear the line.
Ctrl W Delete Word Delete the characters from the cursor up to and
including the first space encountered.
Ctrl X Delete Left Delete all characters to the left of the cursor.
Specifying Addresses and Identifiers in Commands
This section describes addresses and other identifiers that you can reference in CLI commands.
Address/Identifier Description
IP address For any command that requires entry of an IP address to specify a network entity, use IPv4
network address format in the conventional dotted decimal notation (for example,
10.4.1.258).
Netmask address For subnet addresses, specify a netmask in dotted decimal notation (for example,
255.255.255.0).
Media Access Control
(MAC) address
For any command that requires entry of a device’s hardware address, use the hexadecimal
format (for example, 00:05:4e:50:14:aa).
Service Set Identifier
(SSID)
A unique character string (sometimes referred to as a network name), consisting of no
more than 32 characters. The SSID is case-sensitive (for example, WLAN-01).
Basic Service Set
Identifier (BSSID)
This entry is the unique hard-wireless MAC address of the AP. A unique BSSID applies to
each frequency— 802.11a and 802.11g—used from the AP. Use the same format as for a
MAC address.
Extended Service Set
Identifier (ESSID)
Typically the unique logical name of a wireless network. If the ESSID includes spaces, you
must enclose the name in quotation marks.
Fast Ethernet or Gigabit
Ethernet interface
Any command that references a Fast Ethernet or Gigabit Ethernet interface requires that
you specify the corresponding port on the controller in the format <slot>/<port>:
<slot> is always 1, except when referring to interfaces on the W-6000M3 controller(slots 0-
3).
The <port> parameter refers to the network interfaces that are embedded in the front panel
of the W-3000 series controller, or a W-6000M3 controller module installed in a W-6000
controller chassis. Port numbers start at 0 from the left-most position.
Use the show port status command to obtain the interface information currently available
from a controller.
Table 4:
Addresses and Identifiers
Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide Introduction | 13
14 | Introduction Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide
Contacting Dell
Contact Center Online
Main Website dell.com
Support Website dell.com/support
Documentation Website dell.com/support/manuals
Table 5:
Dell Contacts
aaa authentication captive-portal
aaa authentication captive-portal <profile>
auth-protocol mschapv2|pap|chap
black-list <black-list>
clone <source-profile>
default-guest-role <role>
default-role <role>
enable-welcome-page
guest-logon
ip-addr-in-redirection <ipaddr>
login-page <url>
logon-wait {cpu-threshold <percent>}|{maximum-delay <seconds>}|{minimum-delay <seconds>}
logout-popup-window
max-authentication-failures <number>
no ...
protocol-http
proxy host <ipaddr> port <port>
redirect-pause <seconds>
redirect-url <url>
server-group <group-name>
show-acceptable-use-policy
show-fqdn
single-session
switchip-in-redirection-url <ipaddr>
user-logon
user-vlan-in-redirection-url <vlan>
welcome-page <url>
white-list <white-list>
Description
This command configures a Captive Portal authentication profile.
Syntax
Parameter Description Range Default
<profile> Name that identifies an instance of the
profile. The name must be 1-63 characters.
— “default”
authentication-protocol
mschapv2|pap|chap
This parameter specifies the type of authen-
tication required by this profile, PAP is the
default authentication type
mschapv2
pap
chap
pap
black-list Name of an existing black list on an IPv4 or
IPv6 network destination. The black list
contains websites (unauthenticated) that a
guest cannot access.
Specify a netdestination host or subnet to
add that netdestination to the captive portal
blacklist.
If you have not yet defined a netdestination,
use the CLI command netdestination to
define a destination host or subnet before
——
Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide aaa authentication captive-portal | 15
16 | aaa authentication captive-portal Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide
Parameter Description Range Default
you add it to the blacklist.
NOTE: This parameter requires the Public
Access license.
clone Name of an existing Captive Portal profile
from which parameter values are copied.
— —
default-guest-role Role assigned to guest. — guest
default-role <role> Role assigned to the Captive Portal user
when that user logs in. When both user and
guest logons are enabled, the default role
applies to the user logon; users logging in
using the guest interface are assigned the
guest role.
— guest
enable-welcome-
page
Displays the configured welcome page
before the user is redirected to their original
URL. If this option is disabled, redirection to
the web URL happens immediately after the
user logs in.
enabled/
disabled
enabled
guest-logon Enables Captive Portal logon without
authentication.
enabled/
disabled
disabled
switchip-in-redirection-url
<ipaddr>
Sends the controller’s interface IP address in
the redirection URL when external captive
portal servers are used. An external captive
portal server can determine the controller
from which a request originated by parsing
the ‘switchip’ variable in the URL. This
parameter requires the Public Access
license.
— —
login-page <url> URL of the page that appears for the user
logon. This can be set to any URL.
— /auth/index.
html
logon-wait Configure parameters for the logon wait
interval.
1-100 60%
cpu-threshold <percent> CPU utilization percentage above which the
logon wait interval is applied when
presenting the user with the logon page.
1-100 60%
maximum-delay <seconds> Maximum time, in seconds, the user will
have to wait for the logon page to pop up if
the CPU load is high. This works in
conjunction with the Logon wait CPU
utilization threshold parameter.
1-10 10 seconds
minimum-delay <seconds> Minimum time, in seconds, the user will
have to wait for the logon page to pop up if
the CPU load is high. This works in
conjunction with the Logon wait CPU
utilization threshold parameter.
1-10 5 seconds
logout-popup-
window
Enables a pop-up window with the Logout
link that allows the user to log out. If this
enabled/
disabled
enabled
Parameter Description Range Default
option is disabled, the user remains logged
in until the user timeout period has elapsed
or the station reloads.
max-authentication-failures
<number>
Maximum number of authentication failures
before the user is blacklisted.
0-10 0
no Negates any configured parameter. — —
protocol-http Use HTTP protocol on redirection to the
Captive Portal page. If you use this option,
modify the captive portal policy to allow
HTTP traffic.
enabled/
disabled
disabled
(HTTPS is
used)
redirect-pause <secs> Time, in seconds, that the system remains in
the initial welcome page before redirecting
the user to the final web URL. If set to 0, the
welcome page displays until the user clicks
on the indicated link.
1-60 10 seconds
redirect-url <url> URL to which an authenticated user will be
directed. This parameter must be an absolute
URL that begins with either http:// or https://.
— —
server-group <group-name> Name of the group of servers used to
authenticate Captive Portal users. See "aaa
server-group" on page 82.
— —
show-fqdn Allows the user to see and select the fully-
qualified domain name (FQDN) on the login
page. The FQDNs shown are specified when
configuring individual servers for the server
group used with captive portal
authentication.
enabled/
disabled
disabled
show-acceptable-use-policy Show the acceptable use policy page before
the logon page.
enabled/
disabled
disabled
single-session Allows only one active user session at a
time.
— disabled
switchip-in-redirection-url Sends the controller’s IP address in the
redirection URL when external captive portal
servers are used. An external captive portal
server can determine the controller from
which a request originated by parsing the
‘switchip’ variable in the URL.
enabled/
disabled
disabled
user-logon Enables Captive Portal with authentication of
user credentials.
enabled/
disabled
enabled
user-vlan-in-redirection-url
<ipaddr>
Add the user VLAN in the redirection URL.
This parameter requires the Public Access
license.
enabled
disabled
disabled
user-vlan-redirection-url Sends the user’s VLAN ID in the redirection
URL when external captive portal servers are
used.
— —
Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide aaa authentication captive-portal | 17
18 | aaa authentication captive-portal Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide
Parameter Description Range Default
welcome-page <url> URL of the page that appears after logon and
before redirection to the web URL. This can
be set to any URL.
— /auth/we-
lcome.html
white-list <white-list> Name of an existing white list on an IPv4 or
IPv6 network destination. The white list
contains authenticated websites that a guest
can access. If you have not yet defined a
netdestination, use the CLI command
netdestination to define a destination host or
subnet before you add it to the whitelist
— —
Usage Guidelines
You can configure the Captive Portal authentication profile in the base operating system or with the Next
Generation Policy Enforcement Firewall (PEFNG) license installed. When you configure the profile in the base
operating system, the name of the profile must be entered for the initial role in the AAA profile. Also, when you
configure the profile in the base operating system, you cannot define the default-role.
Example
The following example configures a Captive Portal authentication profile that authenticates users against the
controller’s internal database. Users who are successfully authenticated are assigned the auth-guest role.
To create the auth-guest user role shown in this example, the PEFNG license must be installed in the controller.
aaa authentication captive-portal guestnet
default-role auth-guest
user-logon
no guest-logon
server-group internal
Command History
Version Description
ArubaOS 3.0 Command introduced.
ArubaOS 6.0 The max-authentication-failures parameter no longer requires a license.
ArubaOS 6.1 The sygate-on-demand,black-list and white-list parameters were added.
ArubaOS 6.2 the auth-protocol parameter was added, and the user-chap parameter was dep-
recated.
Command Information
Platforms Licensing Command Mode
All platforms Base operating system, except for
noted parameters
Config mode on master controllers
aaa authentication dot1x
aaa authentication dot1x {<profile>|countermeasures}
ca-cert <certificate>
cert-cn-lookup
clear
clone <profile>
eapol-logoff
enforce-suite-b-128
enforce-suite-b-192
framed-mtu <mtu>
heldstate-bypass-counter <number>
ignore-eap-id-match
ignore-eapolstart-afterauthentication
machine-authentication blacklist-on-failure|{cache-timeout <hours>}|enable|
{machine-default-role <role>}|{user-default-role <role>}
max-authentication-failures <number>
max-requests <number>
multicast-keyrotation
no ...
opp-key-caching
reauth-max <number>
reauthentication
server {server-retry <number>|server-retry-period <seconds>}
server-cert <certificate>
termination {eap-type <type>}|enable|enable-token-caching|{inner-eap-type (eap-gtc|eap-
mschapv2)}|{token-caching-period <hours>}
timer {idrequest_period <seconds>}|{mkey-rotation-period <seconds>}|{quiet-period
<seconds>}|{reauth-period <seconds>}|{ukey-rotation-period <seconds>}|{wpa-groupkey-
delay <seconds>}|{wpa-key-period <milliseconds>}|wpa2-key-delay <milliseconds>
tls-guest-access
tls-guest-role <role>
unicast-keyrotation
use-session-key
use-static-key
validate-pmkid
voice-aware
wep-key-retries <number>
wep-key-size {40|128}
wpa-fast-handover
wpa-key-retries
xSec-mtu <mtu>
Description
This command configures the 802.1X authentication profile.
Syntax
Parameter Description Range Default
<profile> Name that identifies an instance of the profile. The
name must be 1-63 characters.
— “default”
clear Clear the Cached PMK, Role and VLAN entries. This
command is available in enable mode only.
— —
Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide aaa authentication dot1x | 19
20 | aaa authentication dot1x Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide
Parameter Description Range Default
countermeasures Scans for message integrity code (MIC) failures in
traffic received from clients. If there are more than 2
MIC failures within 60 seconds, the AP is shut down
for 60 seconds. This option is intended to slow down
an attacker who is making a large number of forgery
attempts in a short time.
— disabled
ca-cert <certificate> CA certificate for client authentication. The CA
certificate needs to be loaded in the controller.
— —
cert-cn-lookup If you use client certificates for user authentication,
enable this option to verify that the certificate's
common name exists in the server. This parameter is
disabled by default.
— —
eapol-logoff Enables handling of EAPOL-LOGOFF messages. — disabled
enforce-suite-b-128 Configure Suite-B 128 bit or more security level
authentication enforcement
disabled
enforce-suite-b-192 Configure Suite-B 192 bit or more security level
authentication enforcement
disabled
framed-mtu <MTU> Sets the framed MTU attribute sent to the
authentication server.
500-
1500
1100
heldstate-bypass-counter
<number>
(This parameter is applicable when 802.1X
authentication is terminated on the controller, also
known as AAA FastConnect.) Number of consecutive
authentication failures which, when reached,
causes the controller to not respond to
authentication requests from a client while the
controller is in a held state after the authentication
failure. Until this number is reached, the controller
responds to authentication requests from the client
even while the controller is in its held state.
0-3 0
ignore-eap-id-
match
Ignore EAP ID during negotiation. — disabled
ignore-eapol
start-afterauthentication
Ignores EAPOL-START messages after
authentication.
— disabled
machine-authentication (For Windows environments only) These parameters
set machine authentication:
NOTE: This parameter requires the PEFNG license.
blacklist-on-failure Blacklists the client if machine authentication fails. — disabled
cache-timeout <hours> The timeout, in hours, for machine authentication. 1-1000 24 hours
(1 day)
enable Select this option to enforce machine authentication
before user authentication. If selected, either the
machine-default-role or the user-default-role is
assigned to the user, depending on which
authentication is successful.
— disabled
Other manuals for PowerConnect W-7200 Series
1
This manual suits for next models
1
Table of contents
Other Dell Switch manuals
Dell
Dell S4820T User manual
Dell
Dell EMC PowerSwitch S5148F-ON User manual
Dell
Dell Force10 TeraScale E Series User manual
Dell
Dell PowerVault 50F User manual
Dell
Dell Force10 Z9000 User manual
Dell
Dell Networking S4810 User manual
Dell
Dell PowerEdge 180AS User manual
Dell
Dell PowerConnect J-EX4200 Installation instructions
Dell
Dell PowerConnect 8024 User manual
Dell
Dell Z9100-ON User manual
Dell
Dell PowerConnect B-8000 Quick user guide
Dell
Dell PowerConnect M6220 User manual
Dell
Dell PowerConnect 5012 Installation and operating instructions
Dell
Dell Powerconnect W-ClearPass Hardware Appliances Manual
Dell
Dell S25N User manual
Dell
Dell S6100 User manual
Dell
Dell PowerConnect W-IAP175P Owner's manual
Dell
Dell poweredge VRTX User manual
Dell
Dell PowerConnect 6024F User manual
Dell
Dell PowerConnect 3324 User manual
