Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aruba Iap Publish

v1.2.0

Comprehensive Aruba Instant AP (IAP) configuration management with automatic baseline capture, rollback support, and health monitoring. Supports device disco...

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, CLI, and code files (connection.py, operations.py, monitor.py, secrets.py, etc.) are coherent with Aruba IAP configuration/monitoring. However the registry metadata marked it as 'instruction-only' / no install spec while the package includes full source code and an install.sh — an inconsistency in packaging/metadata that should be explained by the publisher.
Instruction Scope
SKILL.md instructs running ./install.sh and using iapctl to connect to device IPs and capture/modify configs. That scope is expected, but the repo also contains many backup artifacts and full running-config files that include sensitive secrets (virtual-controller-key, RADIUS/shared keys, SNMP community strings, WPA passphrases or hashed passphrases). The documentation and examples sometimes show plaintext secrets and recommend creating secrets.json files in the repo if used; this increases the chance of credential leakage. The runtime instructions do not explicitly warn to remove these example/backups or to inspect install.sh before running.
Install Mechanism
There is no Registry install spec, but an install.sh is included and SKILL.md tells you to run it. That means install actions are performed by an unreviewed script in the package; this is higher risk than a pure instruction-only skill because it writes files and may install dependencies. The package does not reference remote download URLs in the manifest provided here (no evidence of remote fetch in metadata), but you should inspect install.sh before executing it.
Credentials
The skill declares no required env vars or primary credential (which is reasonable), and it supports secret_ref patterns and env: references for sensitive data. That's acceptable in principle — however the repository contains example secrets.json and actual backup artifacts containing live secrets/keys (virtual-controller-key, RADIUS key, SNMP community, WPA passphrases). Keeping such sensitive data in the skill repository is disproportionate and increases risk of accidental exfiltration if the repo is shared or pushed to remote systems.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide config changes, and is user-invocable. It does include an install script which will create local files/binaries in the workspace when run, but there is no evidence it attempts to persistently enable itself across other agents or modify unrelated skill configs.
What to consider before installing
This skill appears to implement the advertised Aruba IAP operations, but exercise caution before installing or running it:

  • Inspect install.sh before executing it. The package contains an install script (not a registry install spec) so running it will execute code from the repository on your machine.
  • Review secrets/examples/backups in the repository. Several included backup files (show_running-config, backups/..., running-config files) contain sensitive values (virtual-controller-key, RADIUS keys, SNMP community strings and WPA passphrases). Remove or redact those files and any example secrets.json before placing the skill in production or sharing the repo.
  • Prefer secret_ref/env-based secret injection at runtime rather than storing secrets in files in the repo. If you must use a secrets.json file, keep it out of the skill workspace and out of version control.
  • If you will run this in a production environment, test in an isolated lab first. Verify the code (especially connection.py and install.sh) to ensure it only connects to the IPs you intend and does not transmit data to third-party endpoints.
  • Confirm the publisher/source. The skill lists Aruba's homepage but the owner ID is an unknown publisher; verify the origin/publishing trust before deploying in production.

If you want, I can: summarize the exact lines/files that contain sensitive keys, extract the install.sh contents and highlight risky commands, or search the code for network endpoints and upload/exfiltration patterns.
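One way to carry out the "remove or redact" step for captured running-config backups, as an added example that is not part of the skill or the scan output. The directive names come from the findings above; the exact line syntax and the sample config are assumptions constructed for illustration.

```python
import re

# Secret-bearing directives named in the scan findings. The line syntax is an
# assumption about how they appear in an Aruba Instant running-config.
SECRET_LINE = re.compile(
    r"^(?P<head>\s*(?:virtual-controller-key|wpa-passphrase|key"
    r"|snmp-server\s+community)\s+)(?P<value>\S+)(?P<tail>.*)$"
)

# Constructed sample backup; every value here is a placeholder.
SAMPLE_CONFIG = """\
virtual-controller-key CONSTRUCTED-VC-KEY
name office-iap
wlan auth-server radius-primary
 ip 10.10.10.10
 key CONSTRUCTED-RADIUS-KEY
wlan ssid-profile MyWiFi
 essid MyNetwork
 opmode wpa2-psk-aes
 wpa-passphrase CONSTRUCTED-PSK
snmp-server community CONSTRUCTED-COMMUNITY
"""


def redact_config(text):
    """Mask secret values; return (redacted_text, [(line_no, directive), ...])."""
    out, hits = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = SECRET_LINE.match(line)
        if match:
            hits.append((line_no, match.group("head").strip()))
            line = f"{match.group('head')}<REDACTED>{match.group('tail')}"
        out.append(line)
    return "\n".join(out) + "\n", hits


if __name__ == "__main__":
    redacted, hits = redact_config(SAMPLE_CONFIG)
    print(redacted, end="")
    for line_no, directive in hits:
        print(f"masked line {line_no}: {directive}")
```

Masking a backup does not revoke what was already shared: any key or passphrase that reached a repository should also be rotated on the device.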

Like a lobster shell, security has layers — review code before you run it.

770 downloads
0 stars
7 versions
Updated 5h ago
v1.2.0
MIT-0

Aruba IAP Configuration Manager

Comprehensive Aruba Instant AP (IAP) configuration management with automatic baseline capture, rollback support, and health monitoring.

Features

✨ Core Capabilities

  • Device Mode Detection: Automatically detects Virtual Controller, Single-Node Cluster, or Standalone AP mode
  • Configuration Snapshots: Full configuration capture with structured JSON output
  • Safe Configuration Changes: Apply changes with automatic baseline capture and rollback support
  • Comprehensive Monitoring: 40+ monitoring commands across 10 categories
  • Risk Assessment: Automatic risk evaluation for configuration changes
  • Secret Management: Secure secret references (no plain-text passwords)
  • Change History: Full audit trail with timestamped artifacts
  • Interactive Configuration Mode: Support for Aruba IAP CLI commit model

📊 Configuration Change Types

Type                 Risk         Description
ssid_profile         Medium       Create complete SSID profile with WPA2-PSK-AES
ssid_delete          High         Remove existing SSID profile
snmp_community       Low          SNMP community configuration
snmp_host            Low-Medium   SNMP host/trap destination
syslog_level         Low          Syslog logging levels
auth_server          Medium       RADIUS/CPPM authentication server
ap_allowlist         Medium       Add/remove APs from allowlist
wired_port_profile   Medium       Wired port configuration
ntp                  Low          NTP server configuration
dns                  Low          DNS server configuration
rf_template          Low          RF template application

Quick Start

1. Installation

# Clone or download the skill
cd ~/.openclaw/workspace/skills/aruba-iap-publish

# Run install script
./install.sh

# Verify installation
iapctl --help

2. Basic Usage

# Device Discovery
iapctl discover --cluster office-iap --vc 192.168.20.56 --out ./out

# Configuration Snapshot
iapctl snapshot --cluster office-iap --vc 192.168.20.56 --out ./out

# Verify Configuration
iapctl verify --cluster office-iap --vc 192.168.20.56 --level basic --out ./out

3. Add SSID

# Create SSID configuration JSON
cat > add-ssid.json << 'EOF'
{
  "changes": [
    {
      "type": "ssid_profile",
      "profile_name": "MyWiFi",
      "essid": "MyNetwork",
      "opmode": "wpa2-psk-aes",
      "wpa_passphrase": "MySecurePassword123",
      "vlan": 1,
      "rf_band": "all"
    }
  ]
}
EOF

# Generate diff
iapctl diff --cluster office-iap --vc 192.168.20.56 \
  --in add-ssid.json --out ./diff

# Apply changes
iapctl apply --cluster office-iap --vc 192.168.20.56 \
  --change-id "$(jq -r '.change_id' diff/commands.json)" \
  --in diff/commands.json --out ./apply

4. Delete SSID

# Create delete SSID configuration JSON
cat > delete-ssid.json << 'EOF'
{
  "changes": [
    {
      "type": "ssid_delete",
      "profile_name": "OldSSID"
    }
  ]
}
EOF

# Generate diff
iapctl diff --cluster office-iap --vc 192.168.20.56 \
  --in delete-ssid.json --out ./diff

# Apply changes
iapctl apply --cluster office-iap --vc 192.168.20.56 \
  --change-id "$(jq -r '.change_id' diff/commands.json)" \
  --in diff/commands.json --out ./apply

5. Monitor Device

# Monitor all categories
iapctl monitor --cluster office-iap --vc 192.168.20.56 --out ./monitor

# Monitor specific categories
iapctl monitor --cluster office-iap --vc 192.168.20.56 \
  -c "system ap clients wlan" --out ./monitor

Configuration Modes

Supported Device Modes

  1. Virtual Controller Mode

    • Manages multiple IAPs
    • Full CLI command set available
  2. Single-Node Cluster Mode ✨ NEW

    • Single IAP with VC configuration
    • Supports interactive config mode
    • configure terminal → config commands → commit apply
  3. Standalone AP Mode

    • Individual AP without cluster
    • Basic configuration available

Interactive Configuration Mode

For Aruba IAP devices, configuration uses the CLI commit model:

  1. Enter configuration mode: configure terminal
  2. Enter sub-mode (e.g., wlan ssid-profile <name>)
  3. Configure parameters (flat commands, no indentation)
  4. Exit sub-mode: exit
  5. Exit configuration mode: exit
  6. Save configuration: write memory
  7. Apply configuration: commit apply

Risk Assessment

iapctl automatically assesses risks for each change set:

Risk Levels

  • low: Minimal impact, safe to apply
  • medium: May affect connectivity, review recommended
  • high: Major changes, requires careful planning

Common Warnings

  • Removing WLAN or RADIUS configuration may disconnect users
  • WPA passphrase changes will require clients to re-authenticate
  • AP allowlist changes may prevent APs from joining the cluster
  • VLAN changes may affect network connectivity
  • Large number of changes - consider applying in stages

Best Practices

1. Use Secret References

Always use secret_ref for passwords and keys:

{
  "type": "auth_server",
  "server_name": "radius-primary",
  "ip": "10.10.10.10",
  "secret_ref": "secret:radius-primary-key"
}

Never commit plain-text secrets to version control.
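A pre-commit style check for this practice, as an added example that is not part of iapctl. It flags any change whose secret-looking field holds a literal instead of a reference; the field-name heuristic and the function name are assumptions, while `wpa_passphrase`, `secret_ref` and the `secret:` / `env:` reference styles are taken from this page.

```python
import json
import re
import sys

# Heuristic for credential-bearing field names (an assumption, not iapctl's schema).
SECRET_FIELD = re.compile(r"pass|secret|key|community", re.IGNORECASE)
# Reference styles this page mentions: "secret:<name>" values and "env:" references.
REF_PREFIXES = ("secret:", "env:")

# Constructed change set combining the two JSON snippets shown on this page.
SAMPLE = json.loads("""
{"changes": [
  {"type": "ssid_profile", "profile_name": "MyWiFi", "essid": "MyNetwork",
   "opmode": "wpa2-psk-aes", "wpa_passphrase": "MySecurePassword123",
   "vlan": 1, "rf_band": "all"},
  {"type": "auth_server", "server_name": "radius-primary",
   "ip": "10.10.10.10", "secret_ref": "secret:radius-primary-key"}
]}
""")


def find_plaintext_secrets(change_set):
    """Return (index, change type, field) for each secret stored as a literal."""
    findings = []
    for index, change in enumerate(change_set.get("changes", [])):
        for field, value in change.items():
            if not isinstance(value, str) or not SECRET_FIELD.search(field):
                continue
            if value.startswith(REF_PREFIXES):
                continue  # a reference resolved at runtime, not a stored secret
            findings.append((index, change.get("type", "unknown"), field))
    return findings


if __name__ == "__main__":
    # Lint the file named on the command line, or the constructed sample.
    data = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            data = json.load(handle)
    problems = find_plaintext_secrets(data)
    for index, ctype, field in problems:
        print(f"changes[{index}] ({ctype}): {field} holds a literal value")
    sys.exit(1 if problems else 0)
```

Run against the sample, it reports the `wpa_passphrase` literal from the Add SSID example and accepts the `auth_server` entry that uses `secret_ref`.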

2. Review Risk Assessment

Always review risk.json before applying changes:

cat diff/risk.json

3. Use Dry Run First

Test with --dry-run to verify commands without applying:

iapctl apply --dry-run ...

4. Verify After Changes

Always run verify after applying changes:

iapctl verify --level full ...

5. Apply Changes in Stages

For large change sets, break them into smaller batches:

  • Stage 1: SNMP and syslog configuration
  • Stage 2: Authentication servers
  • Stage 3: SSID profiles
  • Stage 4: AP allowlist and wired ports

Testing

Comprehensive testing performed on real hardware:

  • ✅ Device discovery and mode detection
  • ✅ Configuration snapshot with multiple artifacts
  • ✅ Configuration diff generation
  • ✅ SSID profile addition
  • ✅ SSID profile deletion
  • ✅ Configuration apply with interactive mode
  • ✅ Configuration verification
  • ✅ Health monitoring
  • ✅ Risk assessment
  • ✅ AP allowlist management

Test Results: 10/11 tests passed (91%)

Known Issues & Limitations

Rollback Functionality

  • Status: Partially working
  • Issue: Rollback command execution has limitations
  • Impact: Low - can be done manually if needed
  • Workaround: Use no <command> for manual rollback

Post-Apply Verification

  • Status: Sometimes times out
  • Issue: show running-config after commit apply can time out
  • Impact: Minimal - configuration is applied successfully
  • Workaround: Wait a few seconds and retry

Changelog

v1.1.1 (2026-02-23)

  • ✅ Add ssid_delete change type
  • ✅ Add send_config_and_apply() method
  • ✅ Add send_config_commands() method
  • ✅ Update diff_engine.py for flat command generation
  • ✅ Fix Result action pattern for 'monitor'
  • ✅ Support Aruba IAP single-node cluster mode
  • ✅ Comprehensive testing on real hardware

v1.1.0 (2026-02-23)

  • ✅ Initial release with core functionality
  • ✅ Device discovery and mode detection
  • ✅ Configuration snapshots
  • ✅ SSID profile management
  • ✅ Configuration diff and apply
  • ✅ Risk assessment
  • ✅ Health monitoring

Requirements

  • Python 3.8+
  • scrapli[paramiko] for SSH connections
  • Aruba Instant AP 6.x, 8.x, or AOS 10.x

License

MIT License - See LICENSE file for details

Support

For issues, questions, or contributions:
