papi-security
Syntax
switch(config)# papi-security
Description
Configure MD5 key for enhanced PAPI security.
Parameters
- enhanced-security
The enhanced-security CLI must also be enabled on the Aruba controller for the connection to be truly secured.
- <KEY-STR>
Configure MD5 key for enhanced PAPI security using a key-string parameter.
- <KEY-VALUE>
Configure MD5 key for enhanced PAPI security using a key-value parameter.
Restrictions
- When the status of PAPI security is viewed using the show run command with the include credentials option enabled, the PAPI security key is shown in the output in encrypted form.
- Key length has to be between 10-64.
- By default the enhanced-security is disabled.
- When enhanced-security mode is disabled, any AP can obtain the current shared secret key.
- When enhanced-security mode is enabled, an AP is not updated with the new shared secret key unless the AP knows the previous key and the AP is updated with the new key within one hour of the key creation.
- Key length has to be between 10-64 or the following message will appear:
Minimum key-value length allowed is 10 characters and maximum allowed is 64 characters.
Usage
switch(config)# papi-security key-value <KEY-VALUE>
switch(config)# no papi-security <KEY-VALUE>
papi-security key-value
switch(config)# papi-security key-value TestKey12345678
switch(config)# no papi-security key-value
switch(config)# papi-security key-value Test
Minimum key-value length allowed is 10 characters and maximum allowed is 64 characters.
show run with encrypted key
switch(config)# show run
Running configuration:
;J9576A Configuration Editor
;Ver #0e:01.f0.92.34.5f.3c.6b.fb.ff.fd.ff.ff.3f.ef:78
;encrypt-cred +NXT3w7ky2IXNXadlJblS/1ZRi/o73Qq28XXcLkSCZq9PU30Kl+KMLMva8rQri5g
hostname "Switch"
module 1 type j9576y
module 2 type j9576x
encrypt-credentials
papi-security encrypted-key <"encrypted-key">
snmp-server community "public" unrestricted
snmpv3 engineid "00:00:00:0b:00:00:50:65:f3:b4:a6:c0"
oobm
   ip address dhcp-bootp
   exit
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-52
   ip address dhcp-bootp
   exit
activate provision disable
show run with include key
show run
Running configuration:
; J9576A Configuration Editor
; Ver#0e:01.f0.92.34.5f.3c.6b.fb.ff.fd.ff.ff.3f.ef:78
hostname "Switch"
module 1 type j9576y
module 2 type j9576x
include-credentials
papi-security key-value <"key">
snmp-server community "public" unrestricted
snmpv3 engineid "00:00:00:0b:00:00:50:65:f3:b4:a6:c0"
oobm
   ip address dhcp-bootp
   exit
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-52
   ip address dhcp-bootp
   exit
activate provision disable
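Configuration audit example
The following Python check is an added example, not part of the original command reference or of any vendor tooling. It audits a saved running configuration for the PAPI settings described above. The function name audit_papi, the sample configuration, and the assumption that enhanced-security appears in the running configuration as "papi-security enhanced-security" are constructed for illustration.

```python
import re

KEY_MIN, KEY_MAX = 10, 64  # key length limits stated under Restrictions

# Constructed sample: running-config excerpt in the shape shown on this page.
SAMPLE_CONFIG = '''\
hostname "Switch"
include-credentials
papi-security key-value "TestKey12345678"
snmp-server community "public" unrestricted
'''

def audit_papi(config_text):
    """Return a list of findings about PAPI security in a saved running config."""
    findings = []
    lines = [ln.strip() for ln in config_text.splitlines()]
    papi = [ln for ln in lines if ln.startswith("papi-security ")]
    if not papi:
        return ["papi-security is not configured"]
    # Assumption: enhanced-security is echoed in the config as the command is typed.
    if not any(ln.split()[1:2] == ["enhanced-security"] for ln in papi):
        findings.append("enhanced-security not enabled (default): "
                        "any AP can obtain the current shared secret key")
    for ln in papi:
        # Match only the key-value form; the encrypted-key form is skipped.
        m = re.match(r'papi-security key-value\s+"?([^"]+)"?$', ln)
        if not m:
            continue
        key = m.group(1)
        findings.append("key is stored in key-value form, not encrypted-key form")
        if not KEY_MIN <= len(key) <= KEY_MAX:
            findings.append(f"key length {len(key)} is outside {KEY_MIN}-{KEY_MAX}")
    if "include-credentials" in lines and "encrypt-credentials" not in lines:
        findings.append("include-credentials is set without encrypt-credentials")
    return findings

if __name__ == "__main__":
    for finding in audit_papi(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against configuration backups before they are stored or shared, so that a PAPI key saved in key-value form is caught early.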