13-Feb-26

Small Campus Shared Profiles

Network infrastructure is configured using HPE Aruba Central’s Element Profile model. Instead of managing device settings in a monolithic, CLI-oriented configuration file, settings are defined in subject-matter specific profiles for easy reference. Multiple profiles can be created for a particular subject for flexibility in applying different settings based on network role or location. Each profile can be applied globally to assign a standardized configuration at large scale, applied to a site to standardize configuration for a specific location, or applied to a specific device to handle exceptions or unique requirements.

This model reduces overall administrative overhead and facilitates standardized configuration, which helps network operators adhere to best practices and speed up the troubleshooting process. General information about creation and management of element profiles is described in the Central Configuration Model guide.

This chapter describes the configuration of element profiles that are assigned to both wired switches and wireless access points for the small campus deployment. The profiles assign device hostnames, administrative credentials, and the servers implemented to authenticate device administrators, network users, and devices.

Element Profile Summary

The table below summarizes the shared element profiles defined in this chapter and their scope of application.

| Profile Name | Central Profile Path | Type/Scope | Device Function | Primary Purpose |
|---|---|---|---|---|
| [ No Assigned Name ] | System > System Information | Device | | Set device hostnames and descriptions. |
| SC-ADMIN | System > User Administration | Site | Access Switch, Campus Access Point | Set local admin credentials for switches and APs. |
| ADMIN-AUTH-SERVER-1, ADMIN-AUTH-SERVER-2, USER-AUTH-SERVER-1, USER-AUTH-SERVER-2 | Security > Authentication Server | Global | Access Switch, Campus Access Point | Define individual TACACS+ servers used for device administration, and RADIUS servers used to authenticate and authorize network users and devices. |
| ADMIN-AUTH-SERVERS, USER-AUTH-SERVERS | Security > Authentication Server Group | Global | Access Switch, Campus Access Point | Assign individual TACACS+ and RADIUS servers to groups for easier reference in other configuration. |
| SYSTEM-ADMIN-OPTIONS | Security > System Administration | Global | Access Switch, Campus Access Point | Define RADIUS server connectivity (CPPM). |

Entering Configuration Mode

In the upper right corner of the Central web application, click the Configuration gear icon.

Configuration Gear

Several Central contexts do not allow direct navigation into the configuration context, including Central’s Menu context that provides access to Central’s Audit Trail. The Audit Trail is often used in the configuration process, as it provides logs on profile configuration changes and the status of configuration pushes to devices. After selecting Central’s Menu context, the Configuration gear is not available for selection.

Central's Menu icon and context

To return to the Configuration context after navigating to a context that does not display the Configuration gear icon, first click on the Home button in the upper left of the Central web application, and then click on the Configuration gear.

Central Home button

The following procedures assume the reader is in the Configuration context and do not explicitly include steps for entering the configuration context.

Assign Device Hostnames

Assign hostnames to devices to easily identify them for monitoring and configuration purposes. Consider using a standardized naming convention that makes it easy to identify the location and role of a device.

The table below summarizes the device names used in this example topology:

| Device Name | Location in Network |
|---|---|
| SC-AG1 | Small Campus - Aggregation VSF switch stack (L2 collapsed core of network) |
| SC-AG1-AC1 | Small Campus - Access VSF switch stack 1, connected to SC-AG1 |
| SC-AG1-AC2 | Small Campus - Access VSF switch stack 2, connected to SC-AG1 |
| SC-AC1-AP1 | Small Campus - Access point 1, connected to SC-AG1-AC1 |
| SC-AC1-AP2 | Small Campus - Access point 2, connected to SC-AG1-AC1 |
| SC-AC2-AP3 | Small Campus - Access point 3, connected to SC-AG1-AC2 |
| SC-AC2-AP4 | Small Campus - Access point 4, connected to SC-AG1-AC2 |

Device hostnames are assigned in the System Information profile scoped to an individual device, as hostnames are unique per device. The following procedure details assigning hostnames. The same procedure is used for all device types.

Step 1 In the left configuration menu, click Devices.

Select Device config context

Step 2 In the Search box, enter the serial number or MAC address of a device, hit return, and then click on the name of the device.

device search results

Note: By default, switches are assigned their model series number as a name, and each access point is assigned its unique MAC address. When searching for a VSF stack, you must enter the serial number or MAC address of the conductor. When auto-stacking with the LED Mode button, the switch that had its LED Mode button pressed is selected as the conductor.

Step 3 On the System card, click System Information.

System card

Step 4 To edit the System Information profile, click anywhere in the row that contains dashes.

Empty System Information Profile

Note: The row displayed is an empty System Information profile.

Step 5 Enter a Hostname and System Description, then click Update.

Edit System Information Profile

Step 6 A popup dialogue box confirms the changes were successful. Review the updated System Information profile.

System Info Update Confirmation Dialogue Box

System Information Overview

Note: If the new profile information does not appear, refresh the browser. Note the additional information presented regarding the assigned scope, device function, and inheritance. When a profile is assigned at a device level, the assigned scope appears as Central’s internal device ID.

Step 7 Repeat steps 1 through 6 for each device.

Note: Automation of hostname assignment can be performed using the HPE Aruba Networking Central API.

Assign Device Administrators

Assign the Local Admin Password

The local admin password should be configured consistently across an organization. In this small campus example, a User Administration profile is applied to the small campus site for all device functions (aggregation switches, access switches, and campus access points). A larger organization could apply the profile to the Global scope to ensure consistency across all sites.

The following procedure provides a complete set of steps needed to create a new User Administration profile and assign both device functions and a scope. Additional profiles used to build the small campus solution omit this detailed list of steps to enhance readability. The path to the profile’s location, the profile’s device and scope assignment, a summary of profile values, and a screenshot of the completed profile are provided for all profiles used in this guide.

Profile Path: System > User Administration
Device Functions: Aggregation Switch, Access Switch, Campus Access Point
Scope: Site: SMALL-CAMPUS-SITE

Step 1 On the left-hand Configuration menu, click Library.

Configuration Menu

Step 2 On the System card, click Manage.

System configuration card

Step 3 On the User Administration card, click Manage.

User Administration configuration card

Step 4 Click Create Profile.

Create Profile button

Step 5 Enter the following values and click Create:

  • Name: SC-ADMIN
  • Username: admin
  • Password: < password >
  • Retype Password: < password >
  • Role: Admin

User Administration profile

Step 6 Hover over the new profile and click the ••• context menu.

hover to display context menu

Step 7 On the context menu, select Assign.

context menu options

Step 8 Under Device Function, check Access Switch, Aggregation Switch, and Campus Access Point.

set Device Functions

Step 9 To the right of the Scopes heading, click the plus sign (+).

Step 10 On the Add Scope page, select the following values and click Add:

  • Scope Level: Sites
  • Assign to Scope: SMALL-CAMPUS-SITE

add Site Scope

Step 11 Click Assign.

Assign Profile dialogue box

Configure TACACS+ Authentication

A small, standalone campus may not require additional authentication methods. When a small campus is part of a larger organization, it is best practice to limit device access using a dynamic authentication protocol. TACACS+ provides authentication and granular authorization controls. Depending on the size and standards of an organization, the profile can be applied globally or to a site collection.

Create TACACS+ Authentication Server Profiles

Create an authentication server profile for each TACACS+ server in the environment. Typically, a minimum of two servers are defined, a primary and a backup. An individual profile is created for each server.

Profile Path: Security > Authentication Server
Device Functions: Aggregation Switch, Access Switch, Campus Access Point
Scope: Global

Configure the following non-default values for each server profile:

  • Name: < Server Name >
  • Description: < Server Description >
  • Server Type: TACACS
  • IP Address/FQDN: < IP or DNS Name of Server >
  • Shared Secret: < Server Shared Secret >
  • Retype Shared Secret: < Server Shared Secret >
  • Device Specific Parameters: Switch
  • AOS CX Specific Parameters > Auth Type: < Appropriate Authentication Method >

TACACS authentication profile summary

Note: CPPM supports CHAP and PAP. CHAP uses a challenge-response mechanism that is more secure than PAP. PAP is compatible with a broader set of TACACS+ servers.

Create TACACS+ Authentication Server Group

An Authentication Server Group contains the set of TACACS+ servers defined above. This profile will be referenced when creating the System Administration profile.

Profile Path: Security > Authentication Server Group
Device Functions: Aggregation Switch, Access Switch, Campus Access Point
Scope: Global

Configure the following non-default values for two different servers (primary and backup):

  • Name: ADMIN-AUTH-SERVERS
  • Authentication Servers: < Select primary and backup TACACS+ Authentication Server profiles >

TACACS server group profile

Configure Network Infrastructure Administration Options

The System Administration profile defines access methods (console, SSH, and web) and authentication methods (local, RADIUS, TACACS) for network infrastructure. Login retries are limited and a delay is set to mitigate brute-force login attempts.

Profile Path: System > System Administration
Device Functions: Aggregation Switch, Access Switch, Campus Access Point
Scope: Global

Configure the following non-default values:

  • Name: SYSTEM-ADMIN-OPTIONS
  • Description: Configure console and SSH access with TACACS
  • Login Retries: 10
  • Retry Delay Seconds: 300
  • Authentication Type: TACACS+
  • Check Fallback to Local Authentication
  • Authentication Server Group: ADMIN-AUTH-SERVERS

System Administration profile

Remove Imported System Administration Profile

When a switch is onboarded to Central, it auto-imports values associated with the System Administration profile and assigns them to a device-level configuration profile. The device-level profile blocks inheriting the profile values configured above, which were assigned a global scope. For each switch, the device-level profile must be deleted to allow inheriting the above profile settings.

Note: APs do not automatically import pre-existing values into a device-level System Administration profile, so they do not require the following steps.

Step 1 On the left-hand configuration menu, click Devices, then enter a term in the Search field to limit the displayed switches, and then click on a switch name.

Select device in configuration menu

Step 2 On the System card, click Manage.

System Card

Step 3 On the System Administration card, click Manage.

System Administration Card

Step 4 Hover over the default imported System Administration profile name, then click the trash can icon.

Auto-imported System Administration profile

Note: The default profile name uses profile- as a prefix followed by the switch’s unique serial number.

Step 5 Verify the System Administration profile created above is inherited.

View of currently assigned System Administration profile

Step 6 Repeat steps 1-5 to delete the auto-imported System Administration profile on each switch.
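
The inheritance rule behind this procedure can be checked across an inventory rather than one switch at a time. The following is an added example, not part of the original guide or HPE code: the inventory structure, the `profile-SERIAL000x` names, and the device > site > global ordering are assumptions constructed for illustration, and it reads no Central export or API.

```python
# Constructed inventory: NOT a Central export format, just enough structure
# to model scoped System Administration profile assignments.
PRECEDENCE = ("device", "site", "global")  # assumption: most specific scope wins

ASSIGNMENTS = [  # (profile name, scope level, scope target)
    ("SYSTEM-ADMIN-OPTIONS", "global", "*"),
    ("profile-SERIAL0001", "device", "SC-AG1"),      # stands in for an auto-import
    ("profile-SERIAL0002", "device", "SC-AG1-AC1"),  # stands in for an auto-import
]
DEVICES = {  # hostname -> (site, device kind); hostnames from the guide's table
    "SC-AG1": ("SMALL-CAMPUS-SITE", "switch"),
    "SC-AG1-AC1": ("SMALL-CAMPUS-SITE", "switch"),
    "SC-AG1-AC2": ("SMALL-CAMPUS-SITE", "switch"),
    "SC-AC1-AP1": ("SMALL-CAMPUS-SITE", "ap"),
}


def effective_profile(hostname, assignments=ASSIGNMENTS, devices=DEVICES):
    """Return the (profile, scope level) the device ends up using, or None."""
    site, _kind = devices[hostname]
    target = {"device": hostname, "site": site, "global": "*"}
    for level in PRECEDENCE:
        for name, scope, scope_target in assignments:
            if scope == level and scope_target == target[level]:
                return name, level
    return None


def shadowed_devices(expected="SYSTEM-ADMIN-OPTIONS",
                     assignments=ASSIGNMENTS, devices=DEVICES):
    """List devices whose effective profile is not the expected global one."""
    findings = []
    for hostname in sorted(devices):
        resolved = effective_profile(hostname, assignments, devices)
        if resolved is None or resolved[0] != expected:
            findings.append((hostname, resolved))
    return findings


if __name__ == "__main__":
    for hostname, resolved in shadowed_devices():
        print(f"{hostname}: using {resolved}, global TACACS+ settings not inherited")
```

Any switch this reports still runs its imported administration settings, so the TACACS+ server group, login retry limit, and retry delay from SYSTEM-ADMIN-OPTIONS are not in effect on it until the device-level profile is deleted.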

Configure User Authentication Services

RADIUS servers provide 802.1X and MAC-based authentication services to switches and access points for authenticating users and devices.

Configure RADIUS Server Profiles

Create an Authentication Server profile for each RADIUS server in the environment. Typically two or more RADIUS servers are configured for redundancy. The following RADIUS servers are applied to the Global scope and inherited by all access switches and access points.

Profile Path: Security > Authentication Server
Device Functions: Access Switch, Campus Access Point
Scope: Global

Configure the following non-default values for two different servers (primary and backup):

  • Name: < Server Name >
  • Description: < Server Description >
  • Auth Server Mode: RADIUS with CoA (Change of Authorization)
  • IP Address/FQDN: < IP or DNS Name of Server >
  • Shared Secret: < Server Shared Secret >
  • Retype Shared Secret: < Server Shared Secret >

RADIUS authentication server profile summary

Configure RADIUS Server Group

Create an Authentication Server Group profile that contains the set of RADIUS servers defined above. This group is referenced when configuring authentication services in other profiles. The RADIUS server group profile is applied to the Global scope and inherited by all access switches and access points.

Profile Path: Security > Authentication Server Group
Device Functions: Access Switch, Campus Access Point
Scope: Global

Configure the following non-default values:

  • Name: USER-AUTH-SERVERS
  • Authentication Servers: < Select primary and backup authentication server profiles >

RADIUS server group profile