• All Files
doc title Help Center
You are here: Home > Managing Access Points > Configuring Access Points > Configuring APs Using Templates

Configuring APs Using Templates

Templates in Aruba Central refer to a set of configuration commands that can be used by the administrators for provisioning devices in a group. Configuration templates enable administrators to apply a set of configuration parameters simultaneously to multiple devices in a group and thus automate AP  deployments.

 

To minimize configuration errors and troubleshoot device-specific configuration issues, Aruba recommends that the device administrators familiarize themselves with the CLI configuration commands available on Aruba APs.

For template-based provisioning, APs must be assigned to a group with template-based configuration method enabled.

To create a template for the devices in a template group, complete the following steps:

1. In the Network Operations app, set the filter to a group that contains at least one AP.
The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

3. Click the Config icon to display the AP configuration dashboard.

4. Under Templates, click + to add a new template. The Add Template window opens.

5. Add the template name.

6. Set the model and firmware version parameters to ALL.

7. Add the CLI script content. Check the following guidelines before adding content to the template:

Ensure that the command text indentation matches the indentation in the running configuration.

The template allows only one per-ap settings block. It must include the per-ap-settings %_sys_lan_mac% variable. The per-ap-settings block uses the variables for the individual APs. The general VC configuration uses variables for master AP to generate the final configuration from the provided template. Hence, Aruba recommends that you upload all variables for all devices in a cluster and change values as required for individual AP variables.

The commands in the template are case-sensitive.

IF ELSE ENDIF conditions are supported in the template. If the template text includes the if condition, % sign is required at the beginning and the end of the text. For example, %if guest%. The following example shows the template text with the IF ELSE ENDIF condition.

wlan ssid-profile %ssid_name%

%if disable_ssid=true%

disable-ssid

%endif%

%if ssid_security=wpa2%

opmode wpa2-aes

%else%

opmode opensystem

%endif%

Templates also support nesting of the IF ELSE END IF condition blocks. The following example shows how to nest such blocks:

%if condition1=true%

routing-profile 10.10.0.0 255.255.255.0 10.10.0.255

%if condition2=true%

routing-profile 10.20.0.0 255.255.255.0 10.20.0.255

%else%

routing-profile 10.30.0.0 255.255.255.0 10.30.0.255

%endif%

%else%

routing-profile 10.40.0.0 255.255.255.0 10.40.0.255

%if condition3=true%

routing-profile 10.50.0.0 255.255.255.0 10.50.0.255

%else%

routing-profile 10.60.0.0 255.255.255.0 10.60.0.255

%endif%

%endif%

For profile configuration CLI text, for example, vlanVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN., interface, access-list, ssidService Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. and so on, the first command must start with no whitespace. The subsequent local commands in given profile must start with at least one initial space (' ') or indented as shown in the following examples:

Example 1

vlan 1

name "vlan1"

no untagged 1-24

ip address dhcp-bootp

exit

Example 2

%if vlan_id1%

vlan %vlan_id1%

%if vlan_id1=1%

ip address dhcp-bootp

%endif%

no untagged %_sys_vlan_1_untag_command%

exit

%endif%

To comment out a line in the template text, use the pound sign (#). Any template text preceded by # is ignored when processing the template.

To allow or restrict APs from joining the Instant AP Access Point cluster, Aruba Central uses the _sys_allowed_ap_ system-defined variable. Use this variable only when allowed APs configuration is enabled. For example, _sys_allowed_ap: "a_mac, b_mac, c_mac". Use this variable only once in the template.

8. Click OK.

 

The variables configured for the Instant AP Access Point devices functioning as the VCs are replaced with the values configured at the template level.

If any device in the cluster has any missing variables, the configuration push to those AP devices in the cluster fails. The audit trail for such instances shows the missing variables.

Sample Template

The following example shows the typical contents allowed in a template file for APs:

organization %org%

virtual-controller-ip 1.1.1.1

syslog-level debug

syslog-level warn ap-debug

per-ap-settings %_sys_lan_mac%

hostname %hostname%

zonename %zonename%

 

wlan ssid-profile %ssid_name%

%if disable_ssid=true%

disable-ssid

%endif%

%if ssid_security=wpa2%

opmode wpa2-aes

%else%

opmode opensystem

%endif%

 

%if condition1=true%

routing-profile 10.10.0.0 255.255.255.0 10.10.0.255

%if condition2=true%

routing-profile 10.20.0.0 255.255.255.0 10.20.0.255

%else%

routing-profile 10.30.0.0 255.255.255.0 10.30.0.255

%endif%

%else%

routing-profile 10.40.0.0 255.255.255.0 10.40.0.255

%if condition3=true%

routing-profile 10.50.0.0 255.255.255.0 10.50.0.255

%else%

routing-profile 10.60.0.0 255.255.255.0 10.60.0.255

%endif%

%endif%

Password Management in Configuration Templates for AP

In Aruba Central, the AP management user passwords are stored and displayed as hash instead of plain text. Password for AP can be set using the following commands:

mgmt-user <user-name> <password>

mgmt-user <user-name> <password> read-only

mgmt-user <user-name> <password> guest-mgmt

 

The mgmt-user commands are used for APs running below Aruba Instant 4.3 firmware version.

The hash-mgmt-user command is enabled by default on the APs provisioned in the template and UI groups. If a pre-configured AP joins Aruba Central and is moved to a new group, Aruba Central uses the hash-mgmt-user configuration settings and discards mgmt-user configuration settings, if any, on the AP. In other words, Aruba Central hashes management user passwords irrespective of the management user configuration settings running on an AP.

 

The hash-mgmt commands can only be used for APs running firmware versions equal to or above Aruba Instant 4.3.

Password for AP can be set using the following hash-mgmt-user commands:

hash-mgmt-user <user-name> password hash <hash-password>

hash-mgmt-user <user-name> password cleartext <cleartext-password>

hash-mgmt-user <user-name> password hash <hash-password> usertype read-only

hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype read-only

hash-mgmt-user <user-name> password hash <hash-password> usertype guest-mgmt

hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype guest-mgmt

hash-mgmt-user <user-name> password hash <hash-password> usertype local

hash-mgmt-user <user-name> password cleartext <cleartext-password> usertype local

 

Aruba Central supports the use of hash commands with clear text, however, Aruba recommends you to use hash passwords instead of clear text passwords to avoid password disclosures. 

Aruba Central allows you to re-use the hash from one AP on another AP.

All AP templates must include a password command to set a password for the device. The AP template cannot be saved without adding a password command.

/*]]>*/