Aruba IAP Configuration Manager
Comprehensive Aruba Instant AP (IAP) configuration management with automatic baseline capture, rollback support, and health monitoring.
Features
✨ Core Capabilities
- Device Mode Detection: Automatically detects Virtual Controller, Single-Node Cluster, or Standalone AP mode
- Configuration Snapshots: Full configuration capture with structured JSON output
- Safe Configuration Changes: Apply changes with automatic baseline capture and rollback support
- Comprehensive Monitoring: 40+ monitoring commands across 10 categories
- Risk Assessment: Automatic risk evaluation for configuration changes
- Secret Management: Secure secret references (no plain-text passwords)
- Change History: Full audit trail with timestamped artifacts
- Interactive Configuration Mode: Support for Aruba IAP CLI commit model
📊 Configuration Change Types
| Type | Risk | Description |
|---|---|---|
ssid_profile | Medium | Create complete SSID profile with WPA2-PSK-AES |
ssid_delete | High | Remove existing SSID profile |
snmp_community | Low | SNMP community configuration |
snmp_host | Low-Medium | SNMP host/trap destination |
syslog_level | Low | Syslog logging levels |
auth_server | Medium | RADIUS/CPPM authentication server |
ap_allowlist | Medium | Add/remove APs from allowlist |
wired_port_profile | Medium | Wired port configuration |
ntp | Low | NTP server configuration |
dns | Low | DNS server configuration |
rf_template | Low | RF template application |
Quick Start
1. Installation
# Clone or download the skill
cd ~/.openclaw/workspace/skills/aruba-iap-publish
# Run install script
./install.sh
# Verify installation
iapctl --help
2. Basic Usage
# Device Discovery
iapctl discover --cluster office-iap --vc 192.168.20.56 --out ./out
# Configuration Snapshot
iapctl snapshot --cluster office-iap --vc 192.168.20.56 --out ./out
# Verify Configuration
iapctl verify --cluster office-iap --vc 192.168.20.56 --level basic --out ./out
3. Add SSID
# Create SSID configuration JSON
cat > add-ssid.json << 'EOF'
{
"changes": [
{
"type": "ssid_profile",
"profile_name": "MyWiFi",
"essid": "MyNetwork",
"opmode": "wpa2-psk-aes",
"wpa_passphrase": "MySecurePassword123",
"vlan": 1,
"rf_band": "all"
}
]
}
EOF
# Generate diff
iapctl diff --cluster office-iap --vc 192.168.20.56 \
--in add-ssid.json --out ./diff
# Apply changes
iapctl apply --cluster office-iap --vc 192.168.20.56 \
--change-id $(cat diff/commands.json | jq -r '.change_id') \
--in diff/commands.json --out ./apply
4. Delete SSID
# Create delete SSID configuration JSON
cat > delete-ssid.json << 'EOF'
{
"changes": [
{
"type": "ssid_delete",
"profile_name": "OldSSID"
}
]
}
EOF
# Generate diff
iapctl diff --cluster office-iap --vc 192.168.20.56 \
--in delete-ssid.json --out ./diff
# Apply changes
iapctl apply --cluster office-iap --vc 192.168.20.56 \
--change-id $(cat diff/commands.json | jq -r '.change_id') \
--in diff/commands.json --out ./apply
5. Monitor Device
# Monitor all categories
iapctl monitor --cluster office-iap --vc 192.168.20.56 --out ./monitor
# Monitor specific categories
iapctl monitor --cluster office-iap --vc 192.168.20.56 \
-c "system ap clients wlan" --out ./monitor
Configuration Modes
Supported Device Modes
-
Virtual Controller Mode
- Manages multiple IAPs
- Full CLI command set available
-
Single-Node Cluster Mode ✨ NEW
- Single IAP with VC configuration
- Supports interactive config mode
configure terminal→ config commands →commit apply
-
Standalone AP Mode
- Individual AP without cluster
- Basic configuration available
Interactive Configuration Mode
For Aruba IAP devices, configuration uses the CLI commit model:
- Enter configuration mode:
configure terminal - Enter sub-mode (e.g.,
wlan ssid-profile <name>) - Configure parameters (flat commands, no indentation)
- Exit sub-mode:
exit - Exit configuration mode:
exit - Save configuration:
write memory - Apply configuration:
commit apply
Risk Assessment
iapctl automatically assesses risks for each change set:
Risk Levels
- low: Minimal impact, safe to apply
- medium: May affect connectivity, review recommended
- high: Major changes, requires careful planning
Common Warnings
- Removing WLAN or RADIUS configuration may disconnect users
- WPA passphrase changes will require clients to re-authenticate
- AP allowlist changes may prevent APs from joining the cluster
- VLAN changes may affect network connectivity
- Large number of changes - consider applying in stages
Best Practices
1. Use Secret References
Always use secret_ref for passwords and keys:
{
"type": "auth_server",
"server_name": "radius-primary",
"ip": "10.10.10.10",
"secret_ref": "secret:radius-primary-key"
}
Never commit plain-text secrets to version control.
2. Review Risk Assessment
Always review risk.json before applying changes:
cat diff/risk.json
3. Use Dry Run First
Test with --dry-run to verify commands without applying:
iapctl apply --dry-run ...
4. Verify After Changes
Always run verify after applying changes:
iapctl verify --level full ...
5. Apply Changes in Stages
For large change sets, break them into smaller batches:
- Stage 1: SNMP and syslog configuration
- Stage 2: Authentication servers
- Stage 3: SSID profiles
- Stage 4: AP allowlist and wired ports
Testing
Comprehensive testing performed on real hardware:
- ✅ Device discovery and mode detection
- ✅ Configuration snapshot with multiple artifacts
- ✅ Configuration diff generation
- ✅ SSID profile addition
- ✅ SSID profile deletion
- ✅ Configuration apply with interactive mode
- ✅ Configuration verification
- ✅ Health monitoring
- ✅ Risk assessment
- ✅ AP allowlist management
Test Results: 10/11 tests passed (91%)
Known Issues & Limitations
Rollback Functionality
- Status: Partially working
- Issue: Rollback command execution has limitations
- Impact: Low - can be done manually if needed
- Workaround: Use
no <command>for manual rollback
Post-Apply Verification
- Status: Sometimes times out
- Issue:
show running-configaftercommit applycan timeout - Impact: Minimal - configuration is applied successfully
- Workaround: Wait a few seconds and retry
Changelog
v1.1.1 (2026-02-23)
- ✅ Add ssid_delete change type
- ✅ Add send_config_and_apply() method
- ✅ Add send_config_commands() method
- ✅ Update diff_engine.py for flat command generation
- ✅ Fix Result action pattern for 'monitor'
- ✅ Support Aruba IAP single-node cluster mode
- ✅ Comprehensive testing on real hardware
v1.1.0 (2026-02-23)
- ✅ Initial release with core functionality
- ✅ Device discovery and mode detection
- ✅ Configuration snapshots
- ✅ SSID profile management
- ✅ Configuration diff and apply
- ✅ Risk assessment
- ✅ Health monitoring
Requirements
- Python 3.8+
- scrapli[paramiko] for SSH connections
- Aruba Instant AP 6.x, 8.x, or AOS 10.x
License
MIT License - See LICENSE file for details
Support
For issues, questions, or contributions:
- ClawHub: https://clawhub.com/skills/aruba-iap
- Documentation: See docs/ folder
- Examples: See examples/ folder