Additional Topics

Security

What is a Rogue AP?

A rogue AP is an unauthorized access point that has been plugged into the wired side of the network. Because it bridges the air interface onto your LAN, it can potentially disrupt network operations and expose the internal network.

How does Security determine classification?

Security consists of a set of customizable rules that give users control over how rogue and interfering devices are identified. These rules work similarly to firewall rules:

  • Rules are evaluated in order. If the first rule matches, its classification is used; if not, evaluation moves on to the next rule.
  • Because only the first matching rule is applied, the order of the rules is very important.
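The first-match evaluation described above, as an added example. This is not Aruba's classification code: the rule conditions, attribute names and the -75 dBm threshold are assumptions chosen to show why a broad rule placed above a specific one silently swallows a wired rogue.

```python
"""Ordered, first-match rule evaluation for rogue / interfering AP
classification.  Added example, not HPE Aruba Networking code: rule
conditions, attribute names and thresholds are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class ObservedAP:
    bssid: str          # radio MAC seen over the air
    ssid: str
    rssi_dbm: int       # signal strength at the strongest sensor AP
    seen_on_wire: bool  # the wired side has seen this MAC on a switch port


@dataclass
class Rule:
    name: str
    classification: str                  # "rogue", "suspected_rogue", "neighbor", ...
    match: Callable[[ObservedAP], bool]


def classify(ap: ObservedAP, rules: List[Rule], default: str = "interfering") -> str:
    """Walk the rules top to bottom; the first rule whose condition
    matches wins and later rules are never consulted."""
    for rule in rules:
        if rule.match(ap):
            return rule.classification
    return default


OUR_SSIDS = {"corp-wifi", "corp-guest"}   # assumed managed SSIDs

# Most specific and most severe rules first.
RULES_GOOD_ORDER = [
    Rule("seen on our wire", "rogue", lambda ap: ap.seen_on_wire),
    Rule("advertises our SSID", "suspected_rogue", lambda ap: ap.ssid in OUR_SSIDS),
    Rule("weak signal", "neighbor", lambda ap: ap.rssi_dbm < -75),
]

# Same rules with the broad "weak signal" rule on top: a wired rogue that
# sits far from the nearest sensor AP is now filed as a harmless neighbor.
RULES_BAD_ORDER = [RULES_GOOD_ORDER[2], RULES_GOOD_ORDER[0], RULES_GOOD_ORDER[1]]

# Constructed sample observations.
SAMPLE = [
    ObservedAP("aa:bb:cc:00:00:01", "corp-wifi", -80, seen_on_wire=True),
    ObservedAP("aa:bb:cc:00:00:02", "corp-guest", -50, seen_on_wire=False),
    ObservedAP("aa:bb:cc:00:00:03", "cafe-downstairs", -82, seen_on_wire=False),
    ObservedAP("aa:bb:cc:00:00:04", "printer-setup", -55, seen_on_wire=False),
]


def classify_all(rules: List[Rule]) -> Dict[str, str]:
    """Classify every sample AP under the given rule order."""
    return {ap.bssid: classify(ap, rules) for ap in SAMPLE}


if __name__ == "__main__":
    for order, rules in (("good", RULES_GOOD_ORDER), ("bad", RULES_BAD_ORDER)):
        print(order, classify_all(rules))
```

Run it and compare the two result sets: the wired AP at -80 dBm is "rogue" under the first ordering and "neighbor" under the second, with no rule having changed.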

How do I locate a rogue device to remove it from my network?

The Floorplans app automatically calculates the device location on the Rogues details page. Security indicates which switch ports have seen the rogue MAC address and whether the switch ports are being polled. With that information, you can determine the edge switch and port, trace the cable, and find the device.

How can we generate alerts and reports for Security?

After a rogue device meets the conditions of a classification rule, the trigger sends an alert so that the customer can identify the rogues that were detected.

Cloud Authentication and Policy

How do I create a policy as an administrator for multiple users and client devices?

You can create a user access policy and a client access policy for users and clients using the procedures in Configuring Cloud Authentication and Policy. Before you create a user access policy or client access policy, you must complete all the prerequisites in Prerequisites.

How do I add or update user groups or client role mapping in the user access policy?

You can update user groups and client role mapping by performing one of the following:

  • To add one or more user groups to the existing user access policy, create new mappings between user groups and client roles in the user access policy. The values in the user group drop-down list are the user groups that are created or configured on the identity provider's server.
  • To change user groups, update the existing user groups and their associated client roles in the user access policy.

For more information, see Updating User Access Policy.

How do I change the organization name and see the preview that appears on the HPE Aruba Networking Onboard app?

You can change the organization name in the Network Profile section, when creating or updating the user access policy. The HPE Aruba Networking Onboard mobile app preview section displays how the organization name will appear on the HPE Aruba Networking Onboard app.

For more information, see Configuring User Access Policy.

How do I update the user access policy when a user switches between user groups?

User groups are obtained from cloud identity stores like Google Workspace or Entra ID, and the user can change groups within the identity stores. Hence, you must update the user access policy to include the modified user groups to provide appropriate network access. For more information, see Updating User Access Policy.

How do I update user groups when a user leaves the organization?

Since the policy is based on user groups, there is no need to update the user access policy when the user leaves an organization. However, to prevent the user from accessing the organization network, you must deactivate the user account in the identity store used by your organization.

For more information, see Updating User Access Policy.

How do I update a policy to change the default WLAN SSID that the users connect to?

In the Network Profile section, you can select a different WLAN SSID from the Connect users to WLAN drop-down list.

For more information, see Updating User Access Policy.

How do I configure Google Workspace for Cloud Authentication?

To integrate Google Workspace with the Cloud Authentication and Policy application, and fetch user attributes from Google Workspace, complete the following steps:

  1. Create a project in Google APIs.
  2. Provide access to the Google Workspace instance.

For more information, see Google Workspace.

How do I configure Microsoft Entra ID for Cloud Authentication?

To integrate Entra ID with Cloud Authentication and Policy application, and fetch user attributes from Entra ID, complete the following steps:

  1. Register the Cloud Authentication and Policy application on the Entra ID portal.
  2. Configure API permissions for the Cloud Authentication and Policy application.
  3. Configure the client secret for the Cloud Authentication and Policy application.

For more information, see Microsoft Entra ID.

What roles are used when creating the Cloud Authentication and Policy?

Client roles, which are defined in the WLAN configuration for Instant APs, are used when configuring Cloud Authentication and Policy.

For more information, see Cloud Authentication and Policy Overview.

How do I create a policy to block users who are violating the user access policy?

While creating a user access policy, you must place the most restricted user group(s) in the topmost row of the User Groups to Client Role Mapping table in the User Access Policy section, so that the restrictive mapping takes precedence over broader mappings further down. For example, if you have a policy to block users or user groups that consume excessive bandwidth, place that mapping in the topmost row of the user group to client role mapping table.

For more information, see Client Access Policy.
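The mapping-table behaviour described in this answer, together with the two earlier answers on users switching groups and users leaving the organization, as an added example. It is not the Cloud Authentication and Policy implementation: the group names, role names, the `enabled` flag and the shape of the identity-store records are assumptions, and the top-to-bottom first-match evaluation is the reading of "place the most restricted group in the topmost row" that the code models.

```python
"""User-group to client-role mapping evaluated top to bottom.  Added
example, not HPE Aruba Networking code: group/role names and the
identity-store record shape are assumptions."""
from typing import Dict, List, Optional, Tuple

# Ordered mapping table: (user group, client role).  Index 0 is the top row.
MAPPING: List[Tuple[str, str]] = [
    ("bandwidth-offenders", "blocked"),       # most restrictive row first
    ("contractors", "restricted-role"),
    ("employees", "employee-role"),
]

# Same rows with the blocking row moved to the bottom.
MAPPING_WRONG_ORDER = MAPPING[1:] + MAPPING[:1]


def effective_role(groups: List[str], enabled: bool,
                   mapping: List[Tuple[str, str]] = MAPPING) -> Optional[str]:
    """Return the client role for a user, or None to deny access.

    `groups` is what the identity store (Google Workspace, Entra ID)
    returned for the user at authentication time; `enabled` is whether
    the account is still active there.  A deactivated account gets no
    role even if its group memberships still match a row, which is why
    the policy table needs no edit when someone leaves."""
    if not enabled:
        return None
    member = set(groups)
    for group, role in mapping:               # first matching row wins
        if group in member:
            return role
    return None                               # no row matched: deny


# Constructed identity-store snapshots (assumed shape).
IDSTORE_BEFORE = {
    "alice": {"groups": ["employees"], "enabled": True},
    "bob":   {"groups": ["employees", "bandwidth-offenders"], "enabled": True},
    "carol": {"groups": ["contractors"], "enabled": True},
}
# Later: bob was removed from the offenders group, carol moved from
# contractors to employees, alice left and was deactivated.
IDSTORE_AFTER = {
    "alice": {"groups": ["employees"], "enabled": False},
    "bob":   {"groups": ["employees"], "enabled": True},
    "carol": {"groups": ["employees"], "enabled": True},
}


def roles_for(idstore: Dict[str, dict],
              mapping: List[Tuple[str, str]] = MAPPING) -> Dict[str, Optional[str]]:
    """Evaluate the mapping table for every user in a snapshot."""
    return {user: effective_role(rec["groups"], rec["enabled"], mapping)
            for user, rec in idstore.items()}


if __name__ == "__main__":
    print("correct order :", roles_for(IDSTORE_BEFORE))
    print("wrong order   :", roles_for(IDSTORE_BEFORE, MAPPING_WRONG_ORDER))
    print("after changes :", roles_for(IDSTORE_AFTER))
```

Bob belongs to both "employees" and "bandwidth-offenders". With the blocking row on top he is blocked; with it at the bottom the "employees" row matches first and the block never applies. Carol's role follows her new group without any policy edit, and Alice is denied because her account is disabled, not because the table changed.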

What are the WLAN access levels that Cloud Authentication and Policy support?

Cloud Authentication and Policy, which provides cloud-based network access control (NAC) through user and client access policies, is supported for the Role Based and Unrestricted WLAN access levels.

How do I add headless device(s) that are not defined in HPE Aruba Networking Central using client tags?

While configuring client access policy, you must select Unprofiled client tag from the drop-down list under Client Profile Tag.

For more information, see Client Access Policy.

Can I upload client information from an external file?

Yes, while configuring a client access policy, you can upload the client information from a CSV (comma-separated values) file. The CSV file must contain each client's MAC address and the corresponding client name.

For more information, see Client Access Policy.

Sample content from a CSV file:

MAC Address,Client Name
01:23:45:67:89:AB,Client Laptop1
12:34:56:78:90:BC,Client Laptop2

I do not have Passpoint or Hotspot 2.0 on my mobile device. Can I connect it to an enterprise wireless network?

Yes, as long as the mobile device meets the minimum supported operating system requirements.

For more information, see Supported Devices and Operating Systems.

How do I get the onboarding URL for the HPE Aruba Networking Onboard app?

You must obtain the onboarding URL and credentials from your network administrator. For further assistance, contact your network administrator.

How can I connect the client to a wireless network without using the HPE Aruba Networking Onboard app?

You can use browser-based onboarding to download network profiles and connect to the wireless network.

For more information, see Browser-based Onboarding.

Can I delete a network profile from the HPE Aruba Networking Onboard app?

Yes, you can delete or add network profiles in the HPE Aruba Networking Onboard app. For more information, see App-based Onboarding.

Does Cloud Authentication and Policy support wired interfaces?

Yes. Cloud Authentication and Policy supports 802.1X, captive portal, and MAC authentication on wired interfaces.

Does the HPE Aruba Networking Onboard app use OpenSource components?

Yes, the HPE Aruba Networking Onboard app uses open-source components, which can be downloaded from https://myenterpriselicense.hpe.com/cwp-ui/dashboard/software.

For more information, see the notices information for the third-party components used by HPE Aruba Networking Onboard.

How can I successfully connect to Cloud Authentication and Policy without authorization failures?

To avoid authorization failures, the administrator must verify that the credentials for the external identity store are still valid by checking the Authentication & Policy tab. If the credentials are not valid, an error is shown in that tab. These errors occur if the credentials have expired or were changed in the identity store. To update the credentials, edit the Identity Store configuration.

The following figure shows a snapshot of the authorization error:

Can I upload an Admin Managed MPSK file more than once? What happens if the file has entries with an existing MPSK name?

Yes, you can upload an Admin Managed MPSK (Multi Pre-Shared Key) file more than once. The Cloud Authentication and Policy server enables MPSK on a WLAN in Aruba Central so that end users and client devices can connect with per-device pre-shared keys. If there are no changes in the file, the upload has the same result as the initial upload and no records are updated. If there are changes in the file, records are matched on the MPSK name and updated accordingly, except for the MPSK password, which remains unchanged.

You can upload a file that has entries with an existing MPSK name. If the entry has a different role or status than the existing MPSK, then the entry will get updated while the existing MPSK password will remain unchanged. For more information, see MPSK Support.

What happens if an MPSK name is repeated in an Admin Managed MPSK file?

Only the first instance of the MPSK name is applied whereas the other rows will generate an error.
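The merge semantics stated in the two answers above, as an added example: match on MPSK name, update role and status, never overwrite a stored password, and apply only the first occurrence of a name repeated within one file. This is a model of those rules and not the product's code; the four-column file layout, the field names and the status values are assumptions.

```python
"""Re-upload semantics for an Admin Managed MPSK file.  Added example,
not HPE Aruba Networking code: file layout and field names are assumed."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class MpskRecord:
    name: str
    password: str
    role: str
    status: str            # assumed values: "enabled" / "disabled"


def parse_mpsk_file(text: str) -> List[MpskRecord]:
    """Assumed CSV layout: name,password,role,status (header on line 1)."""
    rows = csv.DictReader(io.StringIO(text))
    return [MpskRecord(r["name"].strip(), r["password"], r["role"].strip(),
                       r["status"].strip()) for r in rows]


def apply_upload(existing: Dict[str, MpskRecord], uploaded: List[MpskRecord]
                 ) -> Tuple[Dict[str, MpskRecord], List[str], List[str]]:
    """Merge an uploaded file into the current records.

    Returns (new state, names created or updated, error messages).
    The stored password of an existing record is never replaced."""
    state = dict(existing)
    changed: List[str] = []
    errors: List[str] = []
    seen_in_file = set()
    for lineno, rec in enumerate(uploaded, start=2):
        if rec.name in seen_in_file:
            errors.append(f"line {lineno}: MPSK name {rec.name!r} repeated; row ignored")
            continue
        seen_in_file.add(rec.name)
        cur = state.get(rec.name)
        if cur is None:
            state[rec.name] = rec                       # new record, password from file
            changed.append(rec.name)
        elif (cur.role, cur.status) != (rec.role, rec.status):
            # Existing record: take role/status from the file, keep the stored password.
            state[rec.name] = MpskRecord(cur.name, cur.password, rec.role, rec.status)
            changed.append(rec.name)
        # identical role and status: nothing to update
    return state, changed, errors


# Constructed files.
FIRST_UPLOAD = """name,password,role,status
printer-floor2,OriginalSecret1,iot-role,enabled
badge-readers,OriginalSecret2,iot-role,enabled
"""
SECOND_UPLOAD = """name,password,role,status
printer-floor2,NewSecretIgnored,printer-role,enabled
badge-readers,OriginalSecret2,iot-role,disabled
badge-readers,AnotherSecret,guest-role,enabled
hvac,HvacSecret,iot-role,enabled
"""


def run_demo():
    """Initial upload, identical re-upload, then a changed file."""
    state, first_changed, _ = apply_upload({}, parse_mpsk_file(FIRST_UPLOAD))
    state, again_changed, _ = apply_upload(state, parse_mpsk_file(FIRST_UPLOAD))
    state, second_changed, second_errors = apply_upload(state, parse_mpsk_file(SECOND_UPLOAD))
    return state, first_changed, again_changed, second_changed, second_errors


if __name__ == "__main__":
    state, *_, errors = run_demo()
    for rec in state.values():
        print(rec)
    print("\n".join(errors))
```

After the second upload the printer record carries its new role but still its original password, the badge readers are disabled with their first-listed role, the repeated badge-readers row is reported as an error, and hvac is created with the password from the file because there was no stored one to preserve.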

Managed Service Provider

How do I create an HPE Aruba Networking Central MSP account?

MSP mode is an operational mode of the WebUI, which is one of the apps in HPE Aruba Networking Central. Therefore, the first step in creating an MSP account is to create an HPE Aruba Networking Central account, subscribe to the HPE Aruba Networking Central app, and then enable Managed Service mode.

  • Sign up for an HPE Aruba Networking Central evaluation here.
  • Enable MSP mode. You can enable MSP mode in the HPE GreenLake portal. For more information, see the HPE GreenLake documentation.

Should tenants sign up for an HPE Aruba Networking Central account as well?

No. With MSP mode enabled, the MSP administrator manages the creation and deletion of tenant accounts. After a tenant account is created, the MSP administrator can add tenant users to the account.

To create a tenant user, the MSP administrator must provide a valid email address for the user. A verification email is sent to this email address.

Tenant users have access to their individual tenant account only. Tenant users do not have access to other tenant accounts managed by the MSP.

Who owns the hardware and subscriptions?

In MSP mode, all hardware and subscriptions are owned by the MSP. The MSP temporarily assigns devices and their corresponding subscriptions to tenants for the duration of the managed service contract. When the contract ends, the devices and subscriptions are returned to the MSP's common pool of resources and can be reassigned to another tenant.

Can existing HPE Aruba Networking Central customers migrate to an MSP account?

End customers who own their own devices and subscriptions cannot transfer ownership of the devices to an MSP. However, the MSP administrator can manage the end customer network.

What are the supported devices and architectures?

MSP supports all devices and architectures supported by HPE Aruba Networking Central.

See Supported Instant APs and Supported AOS-S Platforms.

HPE Aruba Networking Central supports wireless, wired, and SD-WAN deployments, either independently or in combination. For example, as an MSP, you can manage the following combinations:

HPE Aruba Networking Central does not support managing gateways at the MSP level. However, gateways can be configured and managed at the tenant account level.

What happens to a device on HPE Aruba Networking Central when its subscription expires?

When the subscription assigned to a device on HPE Aruba Networking Central expires and auto-subscribe is not enabled for the device, there is a 30-day grace period from the date of expiration during which the device continues to operate within the HPE Aruba Networking Central application instance. If no new subscription is assigned to the device by the end of its grace period, the device is removed from the application instance and transferred to the Device Inventory in HPE GreenLake platform.

Which group is the default group for the tenant account?

The MSP group associated with the tenant account appears as the default group for tenant account users. (MSP mode is a multi-tenant operational mode that Aruba Central accounts subscribed to the Aruba Central app can be converted into.) All configuration changes made to the MSP group associated with the tenant account are applied to the default group on the tenant account.

What are predefined user roles?

The HPE GreenLake portal allows you to configure the following types of users with system-defined roles. For each role, the capabilities in Standard Enterprise Mode and in MSP Mode are listed below.

For more information, see the Assignments section in the HPE GreenLake Edge to Cloud Platform User Guide.

admin

Standard Enterprise Mode:

  • Has full access to all devices.
  • Can provision devices and enable access to application services.
  • Can create or update users, groups, and labels.

MSP Mode:

  • Has full access to tenant accounts.
  • Can create, modify, provision, and manage tenant accounts.

readwrite

Standard Enterprise Mode:

  • Has access to the groups and devices assigned in the account.
  • Can add, modify, configure, and delete a device in the account.

MSP Mode:

  • Can access and modify tenant accounts.

readonly

Standard Enterprise Mode:

  • Can view the groups and devices.
  • Can view generated reports.

MSP Mode:

  • Can view tenant accounts.

guestoperator

Standard Enterprise Mode and MSP Mode:

  • Can access and modify cloud guest splash page profiles.
  • Can configure visitor accounts for the cloud guest splash page profiles.

What are custom user roles?

The user roles can be created in the HPE GreenLake Portal. Along with the predefined user roles, you can create custom roles with specific security requirements and access control. However, only the users with the administrator role and privileges can create, modify, clone, or delete a custom role in HPE GreenLake portal.

With custom roles, you can configure access control at the application level and specify access rights to view or modify specific application services or modules. For example, you can create a custom role that allows access only to specific applications, such as Guest Access or network management, and assign it to a user.

You can create a custom role with specific access to MSP modules. The MSP application allows users with administrator role and privileges to define user access to MSP modules such as Customer Management and Portal Customization. The MSP tenant account user does not have access to the MSP application. Even if a tenant account user is assigned a custom role having MSP application privileges, the tenant account user will not have access to the MSP application.

What tasks can be performed by an MSP user and tenant user?

In the MSP mode, MSP users have a superset of administration options compared to tenant users.

An MSP administrator can perform the following administrative tasks:

  • Tenant account management.
  • Device and subscription management across all tenants.
  • Monitoring and event management across all tenants.
  • Configuration management across all tenants.
  • User management across all tenants.
  • API management for the MSP and across all tenants.

A tenant account administrator can perform the following administrative tasks for their respective tenant account only:

  • Monitoring and event management.
  • Configuration management.
  • User management.
  • API management.

SD-WAN Deployment

What is SD-WAN?

Due to an increase in the number of client devices at the remote sites and the new bandwidth requirements, branch office networks are expected to rapidly scale to provide uninterrupted user experience. The SD-WAN technology allows enterprises to dynamically connect their branch networks distributed over different geographical locations.

For distributed enterprises that are transitioning to an agile, open, and cloud-hosted environment, HPE Aruba Networking offers the SD-WAN solution to simplify the deployment and management of WAN infrastructure. With HPE Aruba Networking Central as the management platform, HPE Aruba Networking provides a single management interface for deploying WAN connections and provides increased visibility and control of the branch setup.

What is SD-Branch? How is it different from SD-WAN?

The HPE Aruba Networking SD-Branch solution extends the SD-WAN concepts to all elements in a branch setup to deliver a full-stack solution for managing WLAN, LAN, and WAN connections. The SD-Branch solution provides a common cloud-management model that simplifies deployment, configuration, and management of all components of a branch setup. The solution leverages the ZTP (Zero Touch Provisioning) and cloud management capabilities of HPE Aruba Networking devices to integrate management and infrastructure for WAN, WLAN, and LAN, and provides a holistic solution from the access network to the edge with end-to-end security. It also addresses all communications in distributed deployments, from micro branches to medium or large branches.

What HPE Aruba Networking devices are required for setting up an SD-Branch?

The SD-Branch solution consists of the following elements:

  1. HPE Aruba Networking SD-WAN Gateways—The Gateways portfolio includes the following variants:
  2. HPE Aruba Networking Central—HPE Aruba Networking Central is a cloud management platform that offers a software layer for quick deployment and management of branch networks, and allows running reports, monitoring network health, and troubleshooting from remote locations.
  3. HPE Aruba Networking Switches—If the branch site has Aruba 2530 Switch Series switches, you can dynamically segment client traffic and enforce common security and access policies for both wireless and wired clients.
  4. Instant APs—If your branch site has Instant APs, you can combine your existing infrastructure with SD-WAN Gateways (Headend Gateways or VPN Concentrators) to deploy the Instant AP-based VPN solution.

What licenses are required for the SD-WAN deployment?

SD-WAN Gateways are managed by HPE Aruba Networking Central, therefore you require an HPE Aruba Networking Central account. You must also have the SD-WAN software subscription per Branch Gateway and VPN Concentrator.

The SD-WAN software subscription includes the following variants:

  • Foundation—Enables HPE Aruba Networking 7000 Series and 7200 Series Gateways to function as Branch Gateways and VPN Concentrators respectively.
  • Foundation Base-Capacity—Allows you to limit the concurrent client device support on 7005 and 7008 Gateways to 75.

I have signed up for evaluating the HPE Aruba Networking SD-WAN solution. How do I get started?

If you have opted for evaluating the HPE Aruba Networking SD-WAN solution, sign up for an HPE Aruba Networking Central account. If you already have an HPE Aruba Networking Central account, log in to HPE Aruba Networking Central and add your Gateways. For step-by step instructions, see Starting Your Free Trial.

As a trial user, how many SD-WAN Gateways can I manage from Central?

The evaluation subscription allows you to manage up to 5 HPE Aruba Networking 90xx Gateways with the Advanced with Security license, and 10 HPE Aruba Networking 70xx and 2 HPE Aruba Networking 72xx Gateways with the Advanced license, from HPE Aruba Networking Central.

I have purchased an SD-WAN software subscription. How do I get started?

If you have purchased an SD-WAN software subscription, log in to HPE Aruba Networking Central, add your subscription key, and onboard Gateways. For step-by-step instructions, see Get Started with SD-WAN.

If I enable Auto-Subscription, will HPE Aruba Networking Central automatically assign subscriptions to Gateways?

HPE Aruba Networking Central supports automatic assignment of subscriptions only on Instant APs and HPE Aruba Networking switches. You have to manually assign Gateway subscriptions to your devices.

What is a Foundation Base-Capacity subscription?

The Foundation Base-Capacity subscription allows you to limit the number of concurrent client connections to 75 per Branch Gateway. The Foundation Base-Capacity subscription is supported only on 7005 and 7008 Gateways.

Can I assign all Gateways to one group?

You can create groups and assign Gateways based on your branch configuration requirements.

For instance, you can create separate groups for the small, medium, and large sized branches. If Branch Gateways have common configuration requirements, you can assign them to a single group.

You can also create separate groups for the branch sites distributed across different geographical locations. If the groups must have similar configuration with minor differences, you can create the first group, and then clone it.

You can also combine different types of devices in a single group. For example:

  • You can deploy 7008 Gateways and 24-port Aruba 2930F Switch Series switches in a single group for every branch.
  • You can also deploy 7005 Gateways with 24-port Aruba 2930F Switch Series switches in one group, and provision 7008 Gateways with 48-port Aruba 2930F Switch Series switches in another group.

However, the configuration requirements for Branch Gateways and VPN Concentrators are different. Hence, Branch Gateways and VPN Concentrators must be assigned to different groups.

9004-LTE Branch Gateway

What Are the Different Models of HPE Aruba Networking 9004-LTE Gateway?

The HPE Aruba Networking 9004-LTE Gateway is available in the following two models:

Does the 9004-LTE Gateway Have an Integrated LTE Modem?

Yes, the 9004-LTE Gateways have an integrated Global Category 12 4G LTE module.

Where Can I Find the IMEI Information for the 9004-LTE Gateway?

The IMEI information is available on the back of the unit, on the packaging box, and on the shipping carton. If One Touch Provisioning (OTP) is required, you can also read it from the CLI.

What Type of SIM Cards Does the 9004-LTE Gateway Support?

The 9004-LTE Gateway supports two nano-SIM cards, which can be configured to work with different cellular providers.

Can I Insert, Remove, or Swap SIM card(s) without Powering down the 9004-LTE Gateway?

Yes, you can insert, remove, or swap SIM card(s) without powering down the gateway. You must wait until the mobile network connection is initialized and established before traffic can pass.

Can I Have Two Simultaneous LTE Connections from the 9004-LTE Gateway?

Even though the 9004-LTE Gateway supports two SIM cards, only one SIM card can be active at a time. The gateway has only one set of radios.

Can I Use Two SIM Cards to Automatically Failover If the LTE Connection Fails or Goes down?

Currently, automatic failover between the two SIM cards is not supported. You must manually configure the switch over.

Does HPE Aruba Networking Support ZTP with 9004-LTE Internal Module?

Yes, HPE Aruba Networking supports ZTP over the LTE connection of the 9004-LTE Gateway to onboard the gateway, provided an active SIM card is installed.

What Accessories Does the 9004-LTE Gateway Support for Improving Cellular Reception?

You can install additional accessories, such as indoor and outdoor antennas, for improving the cellular reception of the 9004-LTE Gateway. These accessories extend the device functionalities.

Does the 9004-LTE Gateway Support GPS Functionality?

Yes, the 9004-LTE Gateway has built-in GPS functionality, which is enabled by default. The GPS coordinates are sent to HPE Aruba Networking Central and can be viewed in the WAN Summary tab; see Navigating to the WAN Summary Tab.

How Can I Improve the Accuracy of the GPS Module?

The GPS connection requires an external antenna, which is not shipped with the product. The spare indoor antenna (SKU R4Y94A) can be ordered. In addition, you can use an antenna extender kit if you are installing the device indoors, where reception is not optimal.

Can I Use a Supported External USB LTE Dongle on the 9004-LTE Gateway?

The 9004-LTE Gateway does not support an external USB LTE dongle.

Where Can I Find More Information about the 9004-LTE Gateway Hardware?

For a detailed overview of the physical and performance characteristics of the 9004-LTE Gateway and the procedure to install the Gateway and its accessories, see the HPE Aruba Networking 9004-LTE Gateway Installation Guide.

Aruba IDPS

For more information on the FAQs for Aruba IDPS, see HPE Aruba Networking IDPS.

SaaS Express

For more information on the FAQs for SaaS Express, see SaaS Express.

High Availability

DHCP State Synchronization

Is the scope always split (50/50) between the gateways?

Yes, the scope is always split equally between the gateways.

How are the scopes balanced between the gateways?

For information on how the scopes are balanced between the gateways, see dhcpd.conf.

How does default gateway mode affect the DHCP Sync, and does VRRP follow the cluster leader?

The gateways are Layer-2 connected, so both peers see the client's DHCP discover packet.