MSP Day 0 Workflows
This page goes over some of the common workflows that can be part of your Day 0 set-up of the MSP account in Aruba Central.
Adding Devices
For most cases, the devices that were purchased should be in the MSP device inventory once the license keys are added. Furthermore, you can use this API to add device(s) using Mac and Serial Number to the device inventory.
API Endpoint: /platform/device_inventory/v1/devices
API Method: POST
Base URL: https://apigw-prod2.central.arubanetworks.com
(Replace the Base URL with correct API Gateway)
Request Header: 'Content-Type': 'application/json'; 'Authorization': 'Bearer <access-token>'
Request Query Params: mac, serial
[
{
"mac": "a1:b2:c3:d4:e5:f6",
"serial": "BT000001",
},
{
"mac": "a2:b2:c3:d4:e5:f6",
"serial": "BT000002",
},
]
curl --request POST 'https://<API_GATEWAY_BASE_URL>/platform/device_inventory/v1/devices' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <Access_Token>' \
--data-raw '[
{
"mac": "a1:b2:c3:d4:e5:f6",
"serial": "BT000001"
},
{
"mac": "a2:b2:c3:d4:e5:f6",
"serial": "BT000002"
},
]'
Creating Groups
Note
Group is a configuration entity in Aruba Central which can hold device configuration & all devices in the group will inherit the configuration. You can have wireless and wired configurations residing in same group. You can keep global groups at the MSP level which can be used to inherit configurations to one or more customers accounts.
One of the first steps of onboarding would be to create configuration groups in the MSP level which you can map to the customers that you will be onboarded. If a customer account is associated to a specific group in the MSP mode, the configuration changes to the devices associated with this customer account are pushed only to the default group in the tenant account view. However, MSP administrators can create more groups for a specific customer by drilling down to the customer account level.
This API goes over how to create a group at the MSP level which can be used percolation to customer accounts.
API Endpoint: /configuration/v3/groups
API Method: POST
Base URL: https://apigw-prod2.central.arubanetworks.com
(Replace the Base URL with correct API Gateway)
Request Header: 'Content-Type': 'application/json'; 'Authorization': 'Bearer <access-token>'
Request Query Params: group, group_attributes
{
"group": "Coffee_shop_group",
"group_attributes": {
"template_info": {
"Wired": false,
"Wireless": false
},
"group_properties": {
"AllowedDevTypes": [
"AccessPoints"
],
"Architecture": "Instant",
"ApNetworkRole": "Standard"
}
}
}
{
"Created"
}
curl --request POST 'https://<API_GATEWAY_BASE_URL>/configuration/v3/groups' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <Access_Token>' \
--data-raw '{
"group": "Coffee_shop_group",
"group_attributes": {
"template_info": {
"Wired": false,
"Wireless": false
},
"group_properties": {
"AllowedDevTypes": [
"AccessPoints"
],
"Architecture": "Instant",
"ApNetworkRole": "Standard"
}
}
}'
Common Configuration Workflows
Update ports at group level
API Endpoint: /configuration/v1/aos_switch/ports/groups/{group_name}
API Method: PUT
Base URL: https://apigw-prod2.central.arubanetworks.com
(Replace the Base URL with correct API Gateway)
Request Header: 'Content-Type': 'application/json'; 'Authorization': 'Bearer <access-token>'
Request Path Parameters: Group name
Request Query Params: group_name, ports
{
'group_name': 'Coffee_shop_group',
'ports': [
{'name': '', 'port_id': '1'}, {'name': '', 'port_id': '2'},
{'name': '', 'port_id': '3'}, {'name': '', 'port_id': '4'},
{'name': '', 'port_id': '5'}, {'name': '', 'port_id': '6'},
{'name': '', 'port_id': '7'}, {'name': '', 'port_id': '8'},
{'name': '', 'port_id': '9'}, {'name': '', 'port_id': '10'},
{'name': '', 'port_id': '11'}, {'name': '', 'port_id': '12'},
{'name': '', 'port_id': '13'}, {'name': '', 'port_id': '14'},
{'name': '', 'port_id': '15'}, {'name': '', 'port_id': '16'},
{'name': '', 'port_id': '17'}, {'name': '', 'port_id': '18'},
{'name': '', 'port_id': '19'}, {'name': '', 'port_id': '20'},
{'name': '', 'port_id': '21'}, {'name': '', 'port_id': '22'},
{'name': '', 'port_id': '23'}, {'name': '', 'port_id': '24'},
{'name': '', 'port_id': '25'}, {'name': '', 'port_id': '26'},
{'name': '', 'port_id': '27'}, {'name': '', 'port_id': '28'},
{'name': '', 'port_id': '29'}, {'name': '', 'port_id': '30'},
{'name': '', 'port_id': '31'}, {'name': '', 'port_id': '32'},
{'name': '', 'port_id': '33'}, {'name': '', 'port_id': '34'},
{'name': '', 'port_id': '35'}, {'name': '', 'port_id': '36'},
{'name': '', 'port_id': '37'}, {'name': '', 'port_id': '38'},
{'name': '', 'port_id': '39'}, {'name': '', 'port_id': '40'},
{'name': '', 'port_id': '41'}, {'name': '', 'port_id': '42'},
{'name': '', 'port_id': '43'}, {'name': '', 'port_id': '44'},
{'name': '', 'port_id': '45'}, {'name': '', 'port_id': '46'},
{'name': '', 'port_id': '47'}, {'name': '', 'port_id': '48'},
{'name': '', 'port_id': '49'}, {'name': '', 'port_id': '50'},
{'name': '', 'port_id': '51'}, {'name': '', 'port_id': '52'},
{'name': '', 'port_id': 'A1'}, {'name': '', 'port_id': 'A2'},
{'name': '', 'port_id': 'A3'}, {'name': '', 'port_id': 'A4'},
{'name': '', 'port_id': 'B1'}, {'name': '', 'port_id': 'B2'},
{'name': '', 'port_id': 'B3'}, {'name': '', 'port_id': 'B4'}]}
curl --request PUT 'https://<API_GATEWAY_BASE_URL>/configuration/v1/aos_switch/ports/groups/<GROUP_NAME>' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <Access_Token>' \
--data-raw '{
"group_name": "Coffee_shop_group",
"ports": [
{"name": "", "port_id": "1"}, {"name": "", "port_id": "2"},
{"name": "", "port_id": "3"}, {"name": "", "port_id": "4"},
{"name": "", "port_id": "5"}, {"name": "", "port_id": "6"},
{"name": "", "port_id": "7"}, {"name": "", "port_id": "8"},
{"name": "", "port_id": "9"}, {"name": "", "port_id": "10"},
{"name": "", "port_id": "11"}, {"name": "", "port_id": "12"},
{"name": "", "port_id": "13"}, {"name": "", "port_id": "14"},
{"name": "", "port_id": "15"}, {"name": "", "port_id": "16"},
{"name": "", "port_id": "17"}, {"name": "", "port_id": "18"},
{"name": "", "port_id": "19"}, {"name": "", "port_id": "20"},
{"name": "", "port_id": "21"}, {"name": "", "port_id": "22"},
{"name": "", "port_id": "23"}, {"name": "", "port_id": "24"},
{"name": "", "port_id": "25"}, {"name": "", "port_id": "26"},
{"name": "", "port_id": "27"}, {"name": "", "port_id": "28"},
{"name": "", "port_id": "29"}, {"name": "", "port_id": "30"},
{"name": "", "port_id": "31"}, {"name": "", "port_id": "32"},
{"name": "", "port_id": "33"}, {"name": "", "port_id": "34"},
{"name": "", "port_id": "35"}, {"name": "", "port_id": "36"},
{"name": "", "port_id": "37"}, {"name": "", "port_id": "38"},
{"name": "", "port_id": "39"}, {"name": "", "port_id": "40"},
{"name": "", "port_id": "41"}, {"name": "", "port_id": "42"},
{"name": "", "port_id": "43"}, {"name": "", "port_id": "44"},
{"name": "", "port_id": "45"}, {"name": "", "port_id": "46"},
{"name": "", "port_id": "47"}, {"name": "", "port_id": "48"},
{"name": "", "port_id": "49"}, {"name": "", "port_id": "50"},
{"name": "", "port_id": "51"}, {"name": "", "port_id": "52"},
{"name": "", "port_id": "A1"}, {"name": "", "port_id": "A2"},
{"name": "", "port_id": "A3"}, {"name": "", "port_id": "A4"},
{"name": "", "port_id": "B1"}, {"name": "", "port_id": "B2"},
{"name": "", "port_id": "B3"}, {"name": "", "port_id": "B4"}]}'
Updating AP Configuration
You can use this API to update the Access Point(AP) configuration for a group.
API Endpoint: configuration/v1/ap_cli/{group_name_or_guid}
API Method: POST
Base URL: https://apigw-prod2.central.arubanetworks.com
(Replace the Base URL with correct API Gateway)
Request Header: 'Content-Type': 'application/json'; 'Authorization': 'Bearer <access-token>'
Request Path Parameters: Group name or Group ID
Request Query Params: clis
{
"clis": [
"enet0-port-profile default_wired_port_profile",
"hash-mgmt-password",
"hash-mgmt-user admin password hash admin1234",
"arm",
" min-tx-power 9",
" max-tx-power 127",
" band-steering-mode prefer-higher-band",
" air-time-fairness-mode default-access",
" client-aware",
" wide-bands 5ghz",
" scanning",
" 80mhz-support",
" channel-quality-aware-arm-disable",
"rf dot11g-radio-profile ",
" max-distance 0",
" max-tx-power 9",
" min-tx-power 6",
" disable-arm-wids-functions off",
" free-channel-index 40",
"rf dot11a-radio-profile ",
" max-distance 0",
" max-tx-power 18",
" min-tx-power 12",
" disable-arm-wids-functions off",
"wlan access-rule default_wired_port_profile",
" rule any any match any any any permit",
"wlan access-rule wired-SetMeUp",
" rule masterip 0.0.0.0 match tcp 80 80 permit",
" rule masterip 0.0.0.0 match tcp 4343 4343 permit",
" rule any any match udp 67 68 permit",
" rule any any match udp 53 53 permit",
"wlan access-rule staff-wifi",
" utf8",
" rule any any match any any any permit",
"wlan ssid-profile staff-wifi",
" essid staff-wifi",
" opmode wpa3-sae-aes",
" wpa-passphrase 12345678",
" type employee",
" captive-portal disable",
" dtim-period 1",
" broadcast-filter arp",
" inactivity-timeout 1000",
" max-authentication-failures 0",
" blacklist",
" dmo-channel-utilization-threshold 90",
" max-clients-threshold 64",
" enable",
" utf8",
" auth-server InternalServer",
"wlan captive-portal",
" decoded-texts banner/terms/policy",
"wlan external-captive-portal ",
" server localhost",
" url \"/\"",
" auth-text \"Authenticated\"",
" port 80",
" auto-whitelist-disable",
" https",
"ids",
" wireless-containment none",
"wired-port-profile default_wired_port_profile",
" no shutdown",
" switchport-mode trunk",
" allowed-vlan all",
" native-vlan 1",
" access-rule-name default_wired_port_profile",
" speed auto",
" duplex full",
" type employee",
" captive-portal disable",
" inactivity-timeout 1000",
"wired-port-profile wired-SetMeUp",
" no shutdown",
" switchport-mode access",
" allowed-vlan all",
" native-vlan guest",
" access-rule-name wired-SetMeUp",
" speed auto",
" duplex auto",
" type guest",
" captive-portal disable",
" inactivity-timeout 1000",
"uplink",
" preemption",
" enforce none",
" failover-internet-pkt-lost-cnt 10",
" failover-internet-pkt-send-freq 30",
" failover-vpn-timeout 180",
"airgroupservice airplay",
" description AirPlay",
" disable",
"airgroupservice airprint",
" description AirPrint",
" disable",
"airgroup",
" disable",
"enet0-port-profile default_wired_port_profile",
"enet1-port-profile wired-SetMeUp",
"enet2-port-profile wired-SetMeUp",
"enet3-port-profile wired-SetMeUp",
"enet4-port-profile wired-SetMeUp",
"blacklist-time 3600",
"auth-failure-blacklist-time 3600",
"auth-survivability cache-time-out 24",
"rf-band all",
"extended-ssid",
"syslog-level warn ap-debug",
"syslog-level warn network",
"syslog-level warn security",
"syslog-level warn system",
"syslog-level warn user",
"syslog-level warn user-debug",
"syslog-level warn wireless",
"clock timezone none 0 0",
"allow-new-aps",
"terminal-access",
"cp-cert-checksum e3847a6484fb940e3a0b974e1a9f73af",
"web-server",
" ssl-protocol tlsv1_2",
"cluster-security",
" allow-low-assurance-devices"
]
}
curl --request POST 'https://<API_GATEWAY_BASE_URL>/configuration/v1/ap_cli/<GROUP_NAME_OR_GUID>' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <Access_Token>' \
--data-raw '{
"clis": [
"enet0-port-profile default_wired_port_profile",
"hash-mgmt-password",
"hash-mgmt-user admin password hash admin1234",
"arm",
" min-tx-power 9",
" max-tx-power 127",
" band-steering-mode prefer-higher-band",
" air-time-fairness-mode default-access",
" client-aware",
" wide-bands 5ghz",
" scanning",
" 80mhz-support",
" channel-quality-aware-arm-disable",
"rf dot11g-radio-profile ",
" max-distance 0",
" max-tx-power 9",
" min-tx-power 6",
" disable-arm-wids-functions off",
" free-channel-index 40",
"rf dot11a-radio-profile ",
" max-distance 0",
" max-tx-power 18",
" min-tx-power 12",
" disable-arm-wids-functions off",
"wlan access-rule default_wired_port_profile",
" rule any any match any any any permit",
"wlan access-rule wired-SetMeUp",
" rule masterip 0.0.0.0 match tcp 80 80 permit",
" rule masterip 0.0.0.0 match tcp 4343 4343 permit",
" rule any any match udp 67 68 permit",
" rule any any match udp 53 53 permit",
"wlan access-rule staff-wifi",
" utf8",
" rule any any match any any any permit",
"wlan ssid-profile staff-wifi",
" essid staff-wifi",
" opmode wpa3-sae-aes",
" wpa-passphrase 12345678",
" type employee",
" captive-portal disable",
" dtim-period 1",
" broadcast-filter arp",
" inactivity-timeout 1000",
" max-authentication-failures 0",
" blacklist",
" dmo-channel-utilization-threshold 90",
" max-clients-threshold 64",
" enable",
" utf8",
" auth-server InternalServer",
"wlan captive-portal",
" decoded-texts banner/terms/policy",
"wlan external-captive-portal ",
" server localhost",
" url \"/\"",
" auth-text \"Authenticated\"",
" port 80",
" auto-whitelist-disable",
" https",
"ids",
" wireless-containment none",
"wired-port-profile default_wired_port_profile",
" no shutdown",
" switchport-mode trunk",
" allowed-vlan all",
" native-vlan 1",
" access-rule-name default_wired_port_profile",
" speed auto",
" duplex full",
" type employee",
" captive-portal disable",
" inactivity-timeout 1000",
"wired-port-profile wired-SetMeUp",
" no shutdown",
" switchport-mode access",
" allowed-vlan all",
" native-vlan guest",
" access-rule-name wired-SetMeUp",
" speed auto",
" duplex auto",
" type guest",
" captive-portal disable",
" inactivity-timeout 1000",
"uplink",
" preemption",
" enforce none",
" failover-internet-pkt-lost-cnt 10",
" failover-internet-pkt-send-freq 30",
" failover-vpn-timeout 180",
"airgroupservice airplay",
" description AirPlay",
" disable",
"airgroupservice airprint",
" description AirPrint",
" disable",
"airgroup",
" disable",
"enet0-port-profile default_wired_port_profile",
"enet1-port-profile wired-SetMeUp",
"enet2-port-profile wired-SetMeUp",
"enet3-port-profile wired-SetMeUp",
"enet4-port-profile wired-SetMeUp",
"blacklist-time 3600",
"auth-failure-blacklist-time 3600",
"auth-survivability cache-time-out 24",
"rf-band all",
"extended-ssid",
"syslog-level warn ap-debug",
"syslog-level warn network",
"syslog-level warn security",
"syslog-level warn system",
"syslog-level warn user",
"syslog-level warn user-debug",
"syslog-level warn wireless",
"clock timezone none 0 0",
"allow-new-aps",
"terminal-access",
"cp-cert-checksum e3847a6484fb940e3a0b974e1a9f73af",
"web-server",
" ssl-protocol tlsv1_2",
"cluster-security",
" allow-low-assurance-devices"
]
}'
Verify new AP Configuration
Once you have updated the AP configuration, you can use this API to verify that AP configuration has updated on Central for the group.
API Endpoint: configuration/v1/ap_cli/{group_name_or_guid}
API Method: GET
Base URL: https://apigw-prod2.central.arubanetworks.com
(Replace the Base URL with correct API Gateway)
Request Header: 'Content-Type': 'application/json'; 'Authorization': 'Bearer <access-token>'
Request Path Parameters: Group name or Group ID
{
[
"enet0-port-profile default_wired_port_profile",
"hash-mgmt-password",
"hash-mgmt-user admin password hash admin1234",
"arm",
" min-tx-power 9",
" max-tx-power 127",
" band-steering-mode prefer-higher-band",
" air-time-fairness-mode default-access",
" client-aware",
" wide-bands 5ghz",
" scanning",
" 80mhz-support",
" channel-quality-aware-arm-disable",
"rf dot11g-radio-profile ",
" max-distance 0",
" max-tx-power 9",
" min-tx-power 6",
" disable-arm-wids-functions off",
" free-channel-index 40",
"rf dot11a-radio-profile ",
" max-distance 0",
" max-tx-power 18",
" min-tx-power 12",
" disable-arm-wids-functions off",
"wlan access-rule default_wired_port_profile",
" rule any any match any any any permit",
"wlan access-rule wired-SetMeUp",
" rule masterip 0.0.0.0 match tcp 80 80 permit",
" rule masterip 0.0.0.0 match tcp 4343 4343 permit",
" rule any any match udp 67 68 permit",
" rule any any match udp 53 53 permit",
"wlan access-rule staff-wifi",
" utf8",
" rule any any match any any any permit",
"wlan ssid-profile staff-wifi",
" essid staff-wifi",
" opmode wpa3-sae-aes",
" wpa-passphrase 12345678",
" type employee",
" captive-portal disable",
" dtim-period 1",
" broadcast-filter arp",
" inactivity-timeout 1000",
" max-authentication-failures 0",
" blacklist",
" dmo-channel-utilization-threshold 90",
" max-clients-threshold 64",
" enable",
" utf8",
" auth-server InternalServer",
"wlan captive-portal",
" decoded-texts banner/terms/policy",
"wlan external-captive-portal ",
" server localhost",
" url \"/\"",
" auth-text \"Authenticated\"",
" port 80",
" auto-whitelist-disable",
" https",
"ids",
" wireless-containment none",
"wired-port-profile default_wired_port_profile",
" no shutdown",
" switchport-mode trunk",
" allowed-vlan all",
" native-vlan 1",
" access-rule-name default_wired_port_profile",
" speed auto",
" duplex full",
" type employee",
" captive-portal disable",
" inactivity-timeout 1000",
"wired-port-profile wired-SetMeUp",
" no shutdown",
" switchport-mode access",
" allowed-vlan all",
" native-vlan guest",
" access-rule-name wired-SetMeUp",
" speed auto",
" duplex auto",
" type guest",
" captive-portal disable",
" inactivity-timeout 1000",
"uplink",
" preemption",
" enforce none",
" failover-internet-pkt-lost-cnt 10",
" failover-internet-pkt-send-freq 30",
" failover-vpn-timeout 180",
"airgroupservice airplay",
" description AirPlay",
" disable",
"airgroupservice airprint",
" description AirPrint",
" disable",
"airgroup",
" disable",
"enet0-port-profile default_wired_port_profile",
"enet1-port-profile wired-SetMeUp",
"enet2-port-profile wired-SetMeUp",
"enet3-port-profile wired-SetMeUp",
"enet4-port-profile wired-SetMeUp",
"blacklist-time 3600",
"auth-failure-blacklist-time 3600",
"auth-survivability cache-time-out 24",
"rf-band all",
"extended-ssid",
"syslog-level warn ap-debug",
"syslog-level warn network",
"syslog-level warn security",
"syslog-level warn system",
"syslog-level warn user",
"syslog-level warn user-debug",
"syslog-level warn wireless",
"clock timezone none 0 0",
"allow-new-aps",
"terminal-access",
"cp-cert-checksum e3847a6484fb940e3a0b974e1a9f73af",
"web-server",
" ssl-protocol tlsv1_2",
"cluster-security",
" allow-low-assurance-devices"
]
}
curl --request GET 'https://<API_GATEWAY_BASE_URL>/configuration/v1/ap_cli/<GROUP_NAME_OR_GUID>' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <Access_Token>'
Creating Custom Roles
You can use this API to create custom roles.
API Endpoint: /platform/rbac/v1/apps/<app_name>/roles
API Method: POST
Base URL: https://apigw-prod2.central.arubanetworks.com
(Replace the Base URL with correct API Gateway)
Request Header: 'Content-Type': 'application/json'; 'Authorization': 'Bearer <access-token>'
Request Path Parameters: Application Name
Request Query Params: rolename, permission, application
{
"rolename": "custom_role_1",
"permission": "modify",
"applications": [
{
"permission": "view",
"appname": "customer-management"
},
{
"permission": "view",
"appname": "portal-customization"
}
]
}
curl --request POST 'https://<API_GATEWAY_BASE_URL>/platform/rbac/v1/apps/<APP_NAME>/roles' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <Access_Token>' \
--data-raw '{
"rolename": "custom_role_1",
"permission": "modify",
"applications": [
{
"permission": "view",
"appname": "customer-management"
},
{
"permission": "view",
"appname": "portal-customization"
}
]
}'
Inviting Users
You can use this API to invite users to your Central account.
API Endpoint: /platform/rbac/v1/users
API Method: POST
Base URL: https://apigw-prod2.central.arubanetworks.com
(Replace the Base URL with correct API Gateway)
Request Header: 'Content-Type': 'application/json'; 'Authorization': 'Bearer <access-token>'
Request Query Params: username, password, description, name, phone, address, applications
{
"username": "[email protected]",
"password": "ChangeMePlease@1",
"description": "First system user",
"name": {
"firstname": "first_name",
"lastname": "last_name"
},
"phone": "+1-9999999999",
"address": {
"street": "string",
"city": "string",
"state": "string",
"country": "string",
"zipcode": "string"
},
"applications": [
{
"name": "nms",
"info": [
{
"role": "admin",
"tenant_role": "admin",
"scope": {
"groups": [
"allgroups"
]
}
}
]
},
{
"name": "account_setting",
"info": [
{
"role": "admin"
}
]
}
]
}
curl --request POST 'https://<API_GATEWAY_BASE_URL>/platform/rbac/v1/users' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <Access_Token>' \
--data-raw '{
"username": "[email protected]",
"password": "ChangeMePlease@1",
"description": "First system user",
"name": {
"firstname": "first_name",
"lastname": "last_name"
},
"phone": "+1-9999999999",
"address": {
"street": "string",
"city": "string",
"state": "string",
"country": "string",
"zipcode": "string"
},
"applications": [
{
"name": "nms",
"info": [
{
"role": "admin",
"tenant_role": "admin",
"scope": {
"groups": [
"allgroups"
]
}
}
]
},
{
"name": "account_setting",
"info": [
{
"role": "admin"
}
]
}
]
}'
Updated about 1 year ago
What’s Next